
Backdoor Tidserv!inf virus lingering


This topic is locked
24 replies to this topic

#1 deloria

  • Members
  • 77 posts

Posted 22 November 2008 - 08:34 PM

Hi there,
While using all my normal protection against viruses (Norton, Spybot, Windows Firewall), on Nov. 14 I was surfing the net and Spybot gave me a message that Google wanted to change my startup page. I denied the request and it came up a few more times. I denied each time, then my computer shut down and rebooted. When it came up I had a fake alert in the task bar, all my antivirus apps were unavailable, and my firewall was disabled. I knew I had a virus. I tried to do a restore to go back to the day before this happened, with no luck, then went to every site I could think of to help me find some way to get help with this malware/virus. Eventually, I typed "hijack this" in the search engine and the computer automatically directed me to a site and downloaded something into my computer and directed me to restart. I couldn't get out of this process. When I restarted, the computer settings wouldn't work at all. I couldn't get into system restore, safe mode, anything. So I spent the next several hours recovering my applications, and eventually reinstalling my Norton. I ran a scan and found several viruses and they were removed. I ended up with two that I was told needed to be manually removed. I knew which paths they were in and what they were. So, my next step was to look for other people with a similar problem. I found one with very similar info on your website and followed the same instructions. I ran SuperAntiSpy and it found no issues. MBAM found and removed the Trojan Knowedel in my docs and settings through a quick scan. After rebooting, I then ran a full scan to remove the Backdoor.Tidserv!inf within my windows\system32\config\local settings\temp\tdssdf8f file that I knew was still lingering. Unfortunately, the scan didn't find this to be a problem. I thought maybe by removing the first virus and rebooting, the virus was gone. I ran a scan on Norton and it is still there, telling me it needs manual removal.
I don't know enough about the registry to try to fix it myself. I am including the log from MBAM (see below) which removed the first problem. I'm hoping there is a fix for this issue, as I am at about 30 man hours already recovering my computer. I'm not an experienced computer user, but I follow instructions well. Thanks for any help you can provide.

Malwarebytes' Anti-Malware 1.30
Database version: 1414
Windows 5.1.2600 Service Pack 3

11/21/2008 7:41:43 AM
mbam-log-2008-11-21 (07-41-43).txt

Scan type: Quick Scan
Objects scanned: 67447
Time elapsed: 13 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Default User\Local Settings\Temp\TDSSdf8f.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.

A similar post to the above was sent to a bleeping computer forum and a moderator worked with me to try to clean out the 2nd virus. Topic located here: http://www.bleepingcomputer.com/forums/t/181279/backdoor-tidservinf-virus-lingering/ ~ OB I've done a number of steps with numerous downloads and scans to eradicate this nasty little bugger from my computer, with no luck. I've scanned with super antispy, spy bot search and destroy, MBAM, AdAware 2007, McAfee Avert Stinger, and Norton still finds this backdoor tidserv!inf virus in path: c:\windows\system32\config\system profile\local settings\temp\tdssdf8f. It tells me it must be manually removed. When I follow Norton's instructions to scan in safe mode and remove that way, it still won't go away (at least 3 times). Since he helped all he could, the moderator, Gamanma, directed me to send a hijack this log to this forum to see if I can get help to remove the remnants of this virus from my almost recovered computer. Thanks for any suggestions you can provide. Here is the hijack this log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:02:54 PM, on 11/22/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\Engine\16.1.0.33\ccSvcHst.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Norton AntiVirus\Engine\16.1.0.33\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us9.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.worldaccessnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Engine\16.1.0.33\IPSBHO.DLL
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Owner\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (HKCU)
O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Owner\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (HKCU)
O15 - Trusted Zone: http://help.incredimail.com
O15 - Trusted Zone: mail.worldaccessnet.com
O15 - Trusted Zone: http://www.worldaccessnet.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1226978247375
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/flash...ent/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus - Symantec Corporation - C:\Program Files\Norton AntiVirus\Engine\16.1.0.33\ccSvcHst.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe

--
End of file - 8293 bytes

Edited by Orange Blossom, 22 November 2008 - 08:46 PM.
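The HijackThis log above is the kind of thing a forum helper reads by eye. As an added example (not code from the thread, from HijackThis, or from BleepingComputer), here is a small Python triage helper that parses the `R`/`O` entry lines and flags three review items that helpers check first: `O2`/`O3`/`O9` entries whose file is missing (`(no file)`), `O4` autostart entries that run from a Temp folder, and `O23` services with no recognised vendor. The flagging rules are the editor's own heuristics, and the sample log is constructed in the format of the post (the `[example]` autostart line is invented for the demonstration; the other lines are copied from the log above). A hit is something to look at, not a verdict: the Softex service above is legitimate despite the "Unknown owner".

```python
"""Triage helper for HijackThis-style logs (added example, editor's own code)."""
import re
from dataclasses import dataclass

# One HijackThis entry line, e.g. "O4 - HKLM\..\Run: [name] C:\path\file.exe"
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
# A directory component literally named Temp, e.g. ...\Local Settings\Temp\...
TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)


@dataclass
class Finding:
    kind: str
    reason: str
    line: str


def parse_entries(log_text):
    """Yield (kind, body, line) for every entry line; headers and the
    'Running processes' list do not match ENTRY_RE and are skipped."""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            yield m.group("kind"), m.group("body"), line


def triage(log_text):
    """Return review items found in the log (heuristics are assumptions)."""
    findings = []
    for kind, body, line in parse_entries(log_text):
        if kind in ("O2", "O3", "O9") and body.endswith("(no file)"):
            findings.append(Finding(kind, "orphaned entry, file missing", line))
        elif kind == "O4" and TEMP_DIR_RE.search(body):
            findings.append(Finding(kind, "autostart from a Temp folder", line))
        elif kind == "O23" and "Unknown owner" in body:
            findings.append(Finding(kind, "service without a known vendor", line))
    return findings


def format_report(findings):
    """Render findings as one line each for pasting into a reply."""
    return "\n".join(f"[{f.kind}] {f.reason}: {f.line}" for f in findings)


# Constructed sample in the format of the log above (the [example] O4 line is invented).
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKCU\..\Run: [example] C:\Documents and Settings\Owner\Local Settings\Temp\example.exe
O23 - Service: Norton AntiVirus - Symantec Corporation - C:\Program Files\Norton AntiVirus\Engine\16.1.0.33\ccSvcHst.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
"""

if __name__ == "__main__":
    print(format_report(triage(SAMPLE_LOG)))
```

Run against the sample it reports three items: the orphaned BHO, the constructed Temp-folder autostart, and the Softex service. Feeding it the full log from the post would surface the same orphaned BHO and the same service, which is exactly what a helper would ask about first.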




#2 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 29 November 2008 - 08:02 PM

Hello! :thumbsup:
My name is Sam and I will be helping you.

I will do my best to communicate clearly to you so that we can resolve your issues as quickly as possible. In order to see what's going on with your computer I will ask for you to post various logs from the tools that we will use to fix your computer. Please communicate freely with me about how your computer is reacting and behaving as we work through this process.


Please download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back here in your next reply.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 deloria
  • Topic Starter
  • Members
  • 77 posts

Posted 29 November 2008 - 09:20 PM

SDFix: Version 1.240
Run by Owner on Sat 11/29/2008 at 05:36 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-29 17:55:39
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\ftp.exe"="C:\\WINDOWS\\system32\\ftp.exe:*:Enabled:File Transfer Program"
"C:\\Program Files\\Updates from HP\\137903\\Program\\BackWeb-137903.exe"="C:\\Program Files\\Updates from HP\\137903\\Program\\BackWeb-137903.exe:*:Enabled:BackWeb-137903"
"C:\\Documents and Settings\\Owner\\Local Settings\\Temp\\WZSE0.TMP\\SymNRT.exe"="C:\\Documents and Settings\\Owner\\Local Settings\\Temp\\WZSE0.TMP\\SymNRT.exe:*:Enabled:Norton Removal Tool"
"C:\\Program Files\\IncrediMail\\bin\\ImNotfy.exe"="C:\\Program Files\\IncrediMail\\bin\\ImNotfy.exe:*:Enabled:ImNotfy"
"C:\\Program Files\\IncrediMail\\bin\\IncMail.exe"="C:\\Program Files\\IncrediMail\\bin\\IncMail.exe:*:Enabled:IncrediMail"
"C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"="C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe:*:Enabled:ImpCnt"
"C:\\Program Files\\IncrediMail\\bin\\ImApp.exe"="C:\\Program Files\\IncrediMail\\bin\\ImApp.exe:*:Enabled:ImApp"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\BearShare\\BearShare.exe"="C:\\Program Files\\BearShare\\BearShare.exe:*:Disabled:BearShare"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :



Files with Hidden Attributes :

Sat 15 Nov 2008 196 A.SHR --- "C:\BOOT.BAK"
Wed 22 Oct 2008 949,072 A.SHR --- "C:\Program Files\File Scanner Library (Spybot - Search & Destroy)\advcheck.dll"
Wed 22 Oct 2008 962,896 A.SHR --- "C:\Program Files\Misc. Support Library (Spybot - Search & Destroy)\Tools.dll"
Mon 15 Sep 2008 1,562,960 A.SHR --- "C:\Program Files\SDHelper (Spybot - Search & Destroy)\SDHelper.dll"
Tue 16 Sep 2008 1,833,296 A.SHR --- "C:\Program Files\TeaTimer (Spybot - Search & Destroy)\TeaTimer.exe"
Thu 1 Jan 2004 0 A.SH. --- "C:\WINDOWS\SMINST\HPCD.sys"
Sun 19 Nov 2006 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Fri 22 Dec 2006 27,136 ...H. --- "C:\Documents and Settings\Tom\My Documents\~WRL0004.tmp"
Wed 4 Apr 2001 28,738 A..H. --- "C:\Program Files\MICROSOFT_OFFICE_XP\MSDE2000\SQLRESLD.DLL"
Wed 4 Oct 2006 4 ..SH. --- "C:\Documents and Settings\Tom\Local Settings\Temp\qpgishs23dl5.tmp"
Fri 12 Nov 2004 37,376 ...H. --- "C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe"
Mon 25 Aug 2008 636,416 A..H. --- "C:\Documents and Settings\Default User\Application Data\Microsoft\Word\~WRL1991.tmp"
Mon 25 Aug 2008 636,416 ...H. --- "C:\Documents and Settings\Owner\Application Data\Microsoft\Word\~WRL1991.tmp"
Wed 1 Nov 2006 15,521,072 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\e1d28f3ec9f99caa5b1bda08fdda444b\BIT21.tmp"
Mon 25 Aug 2008 636,416 A..H. --- "C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Word\~WRL1991.tmp"

Finished!

After I ran this application, I went into and scanned with Norton in the area where it says the Backdoor Tidserv!inf virus is located, and it shows that it is still there and that it must be manually removed. In addition, while running SDFix, it told me to make sure that protective files such as MUPs/HP hosts should be reapplied. I'm not sure what that means. It looks like my issue is still lingering. What should I do now? Thanks for your help here. I really do appreciate it, especially on this holiday weekend.

#4 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 30 November 2008 - 02:05 PM

SDFix normally picks up on that infection if it's present, so I'm curious now what Norton is finding. Can you post that information?
I'd like to see if it's already quarantined or in your system restore.

#5 deloria
  • Topic Starter
  • Members
  • 77 posts

Posted 30 November 2008 - 03:26 PM

Happy Sunday Sam,

I'm uploading 5 attachments to show you what I see when I scan with Norton. It says I have an unresolved virus that needs to be manually removed. When I click "get help", it sends me to the following site:
http://securityresponse.symantec.com/secur...-99&tabid=3

I followed the directions by scanning in safe mode, but it says it's still there.

The first attachment shows the results of the scan I ran at 11:50 today. The second attachment shows what the virus is. The third attachment shows the detailed results of the scan (nothing??). The 4th shows a more detailed history of the scan, and the fifth shows you two screens from the scan on the 15th of November and the path where the virus resided (after I got my computer up and running again).

I must have a registry key or something still hanging around in the background. When I got the virus on the 14th of Nov., I had to recover my system with the recovery disk because the computer was not working at all. I then reinstalled the bulk of my applications and reconfigured everything along with all the windows updates. No matter what I try, when I run my virus scan, I still have this message telling me I still have the virus. Please let me know if you are unable to view my attachments and I'll figure out something else to show you what I see. My computer seems to be running okay, but I'm worried that this "left over thing" will infect something else. I've done all I know how to do. Again, I do appreciate you helping me with the situation.

*I can't seem to get the files to upload (they are bmp's and too big). I think 1 can come through, and it shows the actual name of the virus. If you know of another way I can get the picture of the screen to you, let me know.



#6 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 30 November 2008 - 03:51 PM

What I really need to see is the actual file path that will show me the location of the malware that Norton is detecting.
Can you determine that and just copy it back here?

#7 deloria
  • Topic Starter
  • Members
  • 77 posts

Posted 30 November 2008 - 06:15 PM

Hey Sam,

The path is C:\windows\system 32\config\system profile\local settings\temp\tdssdf8f.tmp

There is a choice on Norton to review the virus info that directs me to the URL I sent you in the last post, which is the recommended fix (and doesn't work). There is a remove button that is supposed to send the virus to quarantine. I selected that as a last resort; it appeared to be processing the file, and then it told me it couldn't be removed. There were two backdoor tidserv virus files removed between 11/15 & 11/22, and the file that was in this same pathway had a different tdssd***.tmp extension. I don't know if that means anything. Suggestions??

#8 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 30 November 2008 - 06:23 PM

Yes, very helpful. We need to run Combofix.



Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Important!
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.



Make sure that you save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot of the ComboFix prompt not preserved]


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#9 deloria
  • Topic Starter
  • Members
  • 77 posts

Posted 30 November 2008 - 07:11 PM

Okay Sam, I followed your directions, but we may have a different problem. After the Combo fix file ran (I noticed it deleted a number of "rave" files and made a number of changes to my system) the text file was there, but a message box came up saying "system settings encountered a problem and needs to close". I tried to save the file to the clipboard, but the only way I could get anything to happen after the message box came up was to restart my computer. I didn't have access to any other applications. After I restarted my computer, the text file was gone. I couldn't find it by doing a search. Spybot came back up on the reboot and I allowed several changes it requested that I make, assuming that they were supposed to be changed with the new settings. Now what?

#10 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 30 November 2008 - 07:18 PM

Did you check here to see if a log was created?

C:\ComboFix.txt

#11 deloria
  • Topic Starter
  • Members
  • 77 posts

Posted 30 November 2008 - 08:25 PM

Yes, I did a search for any combofix files and the only one it found was on the desktop, and that's the application file. It said it would create a txt file in C:\combofix.txt just as the application was finishing, but there is nothing there. The error box must have prevented it from happening. Should I go back to a restore point before I ran Combofix and run it again? I did do a scan in the path where the problem has been and all the tmp files in that area are gone. I just have no idea what else was changed or deleted.

#12 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 01 December 2008 - 02:42 PM

Don't use System Restore to go back right now. Let's just work with what we have currently.

Did you disable Norton before you ran Combofix?
Here's some info on how to do that if you're unsure.

http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/


Go ahead and try to run Combofix again once you've disabled Norton.


==============


Regardless of whether Combofix runs or not, follow this next step.

Please download the OTMoveIt3 by OldTimer.
  • Save it to your desktop.
  • Please click OTMoveIt3 and then click >> run.
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :files
    C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\tdss????.tmp
    
    :Commands
    [EmptyTemp]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
Note: If an item cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

#13 deloria

deloria
  • Topic Starter

  • Members
  • 77 posts
  • OFFLINE
  • Local time:07:00 AM

Posted 01 December 2008 - 07:55 PM

Hi Sam,
I disabled Norton, Spybot, search indexing, screen saver, and all other applications in the task bar before running the Combofix application. It worked fine until the very end. I was watching the screen while the application was running and it showed that it was deleting some start up and/or auto run files (one in the D drive which is my recovery area). I have no idea what Combofix does, but I do have a concern that it changed settings it shouldn't have and we'll never know. My biggest concern was for the D drive since that is the backup for recovering my computer. Should I be concerned, or is that change pretty normal with Combofix?

I did run a Norton scan after my machine rebooted, and it was all clear. It no longer shows the virus file. So before I do the above processes, I just wanted to let you know that all the temp files in C:\windows\system 32\config\system profile\local settings\temp are gone. I know that path well from previous custom scans.

I'm sending this message from a different computer or I would also send you a copy of the changes spybot asked me to allow or deny (on restart). It shows some of my setting changes (that I allowed assuming I should). If you would like me to send that info. to you, I can do that later.

I'll await your reply before I do anything more in case it isn't needed. Thanks for your help in all this. It appears the original problem has been resolved. I'm just concerned there may be new issues because we don't know what Combofix changed. Please advise next steps if any.

#14 deloria

deloria
  • Topic Starter

  • Members
  • 77 posts
  • OFFLINE
  • Local time:07:00 AM

Posted 01 December 2008 - 10:20 PM

Sam, I'm back at my computer now and am forwarding the spybot log changes I referred to in my earlier post:
11/30/2008 3:56:15 PM Allowed (based on user decision) value "Search Page" (new data: "http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch") changed in Browser page!
11/30/2008 3:56:31 PM Allowed (based on user decision) value "Search Bar" (new data: "") deleted in Browser page!
11/30/2008 3:56:40 PM Allowed (based on user decision) value "AutoRun" (new data: "") deleted in Command processor!
11/30/2008 3:56:47 PM Allowed (based on user decision) value "load" (new data: "") deleted in NT startup!

In case my earlier message isn't clear, I have not run Combofix since the last log failure. When I was referring to disabling all apps. before running the program, I was simply answering the question in your last post. Looking forward to hearing from you.

#15 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:09:00 AM

Posted 02 December 2008 - 01:31 AM

Well without seeing a log from Combofix I can't really tell what it was trying to remove. I can tell you that there are many infections very prevalent right now that are infecting the autorun files on secondary drives. Combofix looks for these infections and targets them along with many others. My concern right now is that Spybot is actually restoring the registry values that Combofix is trying to remove because they are malicious.

Let's see if we can get some more information without making any more changes.

Please download random's system information tool (RSIT) and save it to your desktop.
  • Double click on RSIT.exe to run it.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized).

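As an added example (not part of this thread, and not a tool from Spybot or Combofix), here is a small Python parser for the Spybot resident-protection log lines deloria quoted in post #14. It turns each prompt into a structured record so a helper can see at a glance which registry changes were allowed or denied and which of them touched autostart locations, which is the point Sam raises about Spybot possibly keeping values that a cleaner tried to remove. The first four sample lines are the ones from the thread; the fifth ("Denied ... deleted in NT startup") is constructed here to show the blocked case. The regex shape and the set of autostart category names are assumptions based on the lines shown.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Sample input: the four Spybot lines quoted in the post above, plus one
# constructed "Denied" line (not from the thread) to show a blocked deletion.
SAMPLE_LOG = """\
11/30/2008 3:56:15 PM Allowed (based on user decision) value "Search Page" (new data: "http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch") changed in Browser page!
11/30/2008 3:56:31 PM Allowed (based on user decision) value "Search Bar" (new data: "") deleted in Browser page!
11/30/2008 3:56:40 PM Allowed (based on user decision) value "AutoRun" (new data: "") deleted in Command processor!
11/30/2008 3:56:47 PM Allowed (based on user decision) value "load" (new data: "") deleted in NT startup!
11/30/2008 3:57:02 PM Denied (based on user decision) value "load" (new data: "") deleted in NT startup!
"""

# One regex for the line shape seen above (assumption: Spybot keeps this
# shape for every resident-protection prompt).
LINE_RE = re.compile(
    r'^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) '
    r'(?P<decision>Allowed|Denied) \(based on (?P<basis>[^)]*)\) '
    r'value "(?P<value>[^"]*)" \(new data: "(?P<data>.*?)"\) '
    r'(?P<action>\w+) in (?P<category>.+?)!$'
)

# Log categories that correspond to autostart hooks (the two seen in the
# thread: the command processor AutoRun value and the winlogon "load" value).
# Assumption: the names are exactly as Spybot prints them.
AUTOSTART_CATEGORIES = {"Command processor", "NT startup"}


@dataclass
class Entry:
    timestamp: datetime
    decision: str      # "Allowed" or "Denied"
    basis: str         # e.g. "user decision"
    value: str         # registry value name
    new_data: str      # new data; empty string for a deletion
    action: str        # "changed", "deleted", ...
    category: str      # Spybot's label for the registry area


def parse_line(line: str) -> Optional[Entry]:
    """Parse one log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%m/%d/%Y %I:%M:%S %p")
    return Entry(ts, m.group("decision"), m.group("basis"), m.group("value"),
                 m.group("data"), m.group("action"), m.group("category"))


def parse_log(text: str) -> List[Entry]:
    """Parse a whole log, skipping lines that are not prompts."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def summarize(entries: List[Entry]) -> Dict[str, int]:
    """Count prompts by decision (Allowed / Denied)."""
    counts: Dict[str, int] = {}
    for e in entries:
        counts[e.decision] = counts.get(e.decision, 0) + 1
    return counts


def autostart_events(entries: List[Entry]) -> List[Entry]:
    """Prompts that touched an autostart location, whatever the decision."""
    return [e for e in entries if e.category in AUTOSTART_CATEGORIES]


def blocked_removals(entries: List[Entry]) -> List[Entry]:
    """Deletions the user denied in an autostart location: the case where a
    resident protector may be keeping a value that a cleaner tried to remove."""
    return [e for e in autostart_events(entries)
            if e.decision == "Denied" and e.action == "deleted"]


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print("prompts by decision:", summarize(entries))
    blocked = blocked_removals(entries)
    for e in autostart_events(entries):
        flag = "BLOCKED" if e in blocked else "ok"
        print(f"{e.timestamp:%Y-%m-%d %H:%M:%S} {e.decision:7} {e.action:7} "
              f"{e.category}\\{e.value} [{flag}]")
```

Run it on a saved copy of the Spybot log and look at the `BLOCKED` rows first: an allowed deletion in an autostart category is what a cleanup tool's removal looks like from Spybot's side, while a denied deletion there means the protection prompt kept the value in place and the cleaner's work was undone.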


========================================================



