Vundo.trojan bundle and random songs/ads on desktop


22 replies to this topic

#16 tyler987 (Topic Starter)
Posted 04 December 2008 - 04:35 AM

Hello again OldTimer,

I downloaded and installed SUPERAntiSpyware Free Edition on my computer last night. After the last OTScanIt2 fix I rebooted my computer and ran a SUPERAntiSpyware scan, just to be sure it was clean. I don't know if I incorrectly set the "Scanner Options," or if the anti-virus is catching legitimate and safe programs, or even if there are still possible traces of bad stuff left over after the reboot, but SUPERAntiSpyware detected some 53 registry and file threats. I posted the log if you want to check it out.

I am pretty sure that the files listed under "Malware.Installer-Pkg/Gen" are not harmful as they are just Wildtangent Dell game downloads, but I'm not so sure of the supposed rootkits and tracking cookies. I think the Rogue.XP AntiSpyware 2009 might be a threat but SUPERAntiSpyware recognized it only as suspicious.

Under "Scanner Control" in Scanner Options, I checked everything EXCEPT for four things:
  • Ignore files larger than 4MB (recommended)
  • Ignore non-executable files (recommended)
  • Ignore System Restore/Volume Information on ME/XP
  • Scan only known file types (.exe, .com, .dll, etc.)
The items are still in quarantine and I can restore them if they are harmless, or delete if harmful. I'll wait for your advice though. Sorry to bother you so soon!


SUPERAntiSpyware

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/03/2008 at 11:12 PM

Application Version : 4.22.1014

Core Rules Database Version : 3662
Trace Rules Database Version: 1642

Scan type : Complete Scan
Total Scan Time : 01:22:24

Memory items scanned : 715
Memory threats detected : 0
Registry items scanned : 7446
Registry threats detected : 24
File items scanned : 95759
File threats detected : 29

Adware.Tracking Cookie
C:\Documents and Settings\Tyler\Cookies\tyler@tribalfusion[2].txt
C:\Documents and Settings\Tyler\Cookies\tyler@fastclick[1].txt
C:\Documents and Settings\Tyler\Cookies\tyler@atdmt[2].txt
C:\Documents and Settings\Tyler\Cookies\tyler@media.adrevolver[1].txt
C:\Documents and Settings\Tyler\Cookies\tyler@doubleclick[1].txt
C:\Documents and Settings\Tyler\Cookies\tyler@adopt.specificclick[1].txt
C:\Documents and Settings\Tyler\Cookies\tyler@adrevolver[2].txt

Rogue.XP AntiSpyware 2009
HKU\S-1-5-21-1987986097-3446227131-2950338395-1006\Control Panel\don't load#wscui.cpl [ No ]

Trojan.Fake-Alert/Trace
HKU\S-1-5-21-1987986097-3446227131-2950338395-1006\SOFTWARE\Microsoft\fias4013

Rootkit.TDSServ
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys#start
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys#type
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys#imagepath
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules#TDSSserv
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules#TDSSl
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules#tdssservers
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules#tdssmain
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules#tdsslog
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules#tdssadw
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules#tdssinit
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules#tdssurls
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules#tdsspanels
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules#tdssserf
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules#tdsserrors
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules#TDSSproc
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\Enum
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\Enum#0
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\Enum#Count
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\Enum#NextInstance
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\Enum#INITSTARTFAILED

Malware.Installer-Pkg/Gen
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{989E4C3B-B2C9-4486-9A09-D5A8F953837C}.EXE
C:\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\PROGRAMS\DELL GAMES\LAUNCH BEJEWELED 2 DELUXE.LNK
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{E0814F95-5380-4892-B8C8-7FA4B349EF46}.EXE
C:\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\PROGRAMS\DELL GAMES\LAUNCH CHUZZLE DELUXE.LNK
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{C0A0AA4D-C79B-48CA-8843-2B02B626C9E6}.EXE
C:\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\PROGRAMS\DELL GAMES\LAUNCH BLACKHAWK STRIKER 2.LNK
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{C2D8F0E2-6978-4409-8351-BA8785DA11EE}.EXE
C:\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\PROGRAMS\DELL GAMES\LAUNCH FATE.LNK
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{D1A6F3FD-7B40-443F-8767-BADB25A0D222}.EXE
C:\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\PROGRAMS\DELL GAMES\LAUNCH BLASTERBALL 2.LNK
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{6B6A7665-DB48-4762-AB5D-BEEB9E1CD7FA}.EXE
C:\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\PROGRAMS\DELL GAMES\LAUNCH SCRABBLE.LNK
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{6293BC00-4EB8-4C65-8548-53E2FC3BF937}.EXE
C:\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\PROGRAMS\DELL GAMES\LAUNCH DINER DASH.LNK
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{26D2C2C3-CF14-4ED7-B1FC-0BE64AFBA3B3}.EXE
C:\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\PROGRAMS\DELL GAMES\LAUNCH POLAR BOWLER.LNK
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{651956B7-1969-42AA-9453-E0B813019D54}.EXE
C:\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\PROGRAMS\DELL GAMES\LAUNCH POLAR GOLFER.LNK
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{3C48F877-A164-45E9-B9DA-26A049FFC207}.EXE
C:\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\PROGRAMS\DELL GAMES\LAUNCH TRADEWINDS.LNK

Rootkit.TDSServ-Trace
C:\WINDOWS\SYSTEM32\TDSSMTPW.DAT
C:\WINDOWS\SYSTEM32\TDSSXYYI.DAT

Edited by tyler987, 04 December 2008 - 04:38 AM.



#17 OldTimer (Malware Expert)

Posted 04 December 2008 - 09:06 PM

Hi tyler987. Yeah, those could be left-over. The files are all gone so just let SAS remove what it finds. Different scanners look at different things. Run a different scanner and you might find other remnants as well. Just let them remove them.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#18 tyler987 (Topic Starter)

Posted 07 December 2008 - 02:19 AM

Hi OldTimer,

It's been a few days and everything seems to be working great. No problems with random ads or music or pop-ups whatsoever. Also I ran my other scanners, Malwarebytes, McAfee, Windows Defender, and they found nothing. SUPERAntiSpyware seems to be the only scanner finding things. I've run four scans and the same four TDSSserv objects are always found. After SAS reboots my computer to remove the objects, I run a scan and the same objects are found. I do not know if it's a problem or not because nothing seems to be negatively affected. Below is the log of those TDSS objects. Anyway I think we can do the final cleanup if TDSS is not a problem. Thank you!


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/06/2008 at 10:18 PM

Application Version : 4.22.1014

Core Rules Database Version : 3665
Trace Rules Database Version: 1645

Scan type : Complete Scan
Total Scan Time : 01:21:00

Memory items scanned : 875
Memory threats detected : 0
Registry items scanned : 7436
Registry threats detected : 4
File items scanned : 96180
File threats detected : 0

Rootkit.TDSServ
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys#start
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys#type
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys#imagepath

#19 OldTimer (Malware Expert)

Posted 07 December 2008 - 10:21 AM

Hi tyler987. With the files gone those entries won't hurt anything but let's see if we can remove them:

Start OTScanIt2. Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Custom Items]
:reg
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TDSSserv.sys]
:end

The fix should only take a very short time. When the fix is completed a message box will popup either telling you that it is finished, or that a reboot is needed to complete the fix. If the fix is complete, click the Ok button and Notepad will open with a log of actions taken during the fix.

If a reboot is required, click the "Yes" button to reboot the machine. After the reboot, OTScanIt2 will finish moving any files that could not be moved during the fix and NotePad will open with the final results at that time.

Cheers.

OT
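An added example for auditing this kind of leftover, not part of the thread and not OldTimer's OTScanIt2: a PowerShell script (assumes PowerShell 3 or later, run elevated on the machine being examined) that lists entries under HKLM\SYSTEM\CurrentControlSet\Services whose ImagePath no longer points at an existing file, reporting the same Start/Type/ImagePath values the SUPERAntiSpyware log flagged for TDSSserv.sys. It only reports and removes nothing.

```powershell
# Added example: report service/driver registry entries whose ImagePath points
# at a file that no longer exists (an orphaned entry, like the TDSSserv.sys key
# the scanner kept flagging after the driver file itself was removed).
# Report-only: nothing is changed or deleted. A still-active rootkit can hide
# its file from Test-Path, so this is a check for leftovers, not a rootkit detector.

$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$systemRoot  = $env:SystemRoot

function Resolve-ImagePath {
    param([string]$ImagePath)
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath.Trim())
    # Drop command-line arguments: a quoted path ends at the closing quote,
    # an unquoted one at the first " -" or " /" switch.
    if ($p.StartsWith('"')) {
        $end = $p.IndexOf('"', 1)
        if ($end -gt 1) { $p = $p.Substring(1, $end - 1) }
    } else {
        $p = ($p -split ' -| /', 2)[0]
    }
    # Kernel drivers use NT-style prefixes or paths relative to the Windows folder.
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', ($systemRoot + '\')
    if (-not [System.IO.Path]::IsPathRooted($p)) {
        $p = Join-Path $systemRoot $p
    }
    return $p
}

Get-ChildItem $servicesKey -ErrorAction SilentlyContinue | ForEach-Object {
    $props = Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue
    if ($props -and $props.ImagePath) {
        $file = Resolve-ImagePath $props.ImagePath
        if (-not (Test-Path -LiteralPath $file)) {
            [pscustomobject]@{
                Service   = $_.PSChildName
                Start     = $props.Start   # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
                Type      = $props.Type    # 1 kernel driver, 2 file-system driver, 16/32 Win32 service
                ImagePath = $props.ImagePath
                Resolved  = $file
            }
        }
    }
} | Format-Table -AutoSize
```

An orphaned entry with Type 1 and a .sys path under system32\drivers is the pattern seen in the log above; confirm the file is really gone before treating the key as safe to remove, since the key alone cannot load anything.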

#20 tyler987 (Topic Starter)

Posted 07 December 2008 - 06:19 PM

Hi OldTimer,

Ran the fix:

[Custom Items]
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\ not found.
< End of fix log >
OTScanIt2 by OldTimer - Version 1.0.2.1 fix logfile created on 12072008_151217


Everything seems good, and I think I'm ready for the final cleanup whenever you are ready.

#21 OldTimer (Malware Expert)

Posted 07 December 2008 - 06:56 PM

Hi tyler987. It looks like SAS might have just been having "issues" lol.

Now let's do some final cleanup to reset the System Restore points and remove all of the tools we used during the fix and then you are all set.

Step #1

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)

1. Turn off System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.
2. Restart your computer.
3. Turn ON System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • UN-Check Turn off System Restore.
  • Click Apply, and then click OK.

System Restore will now be active again.

Step #2

To remove all of the tools we used and the files and folders they created do the following:
  • Start OTScanIt2
  • Click the CleanUp button
  • OTScanIt2 will delete any tools downloaded and files/folders created and then ask you to reboot so it can remove itself. Click Yes.
After that you are good to go.

Cheers and Happy Computing!

OT

#22 tyler987 (Topic Starter)

Posted 07 December 2008 - 10:20 PM

Hi OldTimer,

System Restore and OTScanIt2 are clean. Thank you again for your patience and skill with handling this malware. Absolutely could not have done this by myself. Good luck with future cleaning!

#23 OldTimer (Malware Expert)

Posted 07 December 2008 - 11:03 PM

You are very welcome tyler987, I'm glad that we could help.

I will now close this topic. If there are any future malware-related issues please start a new topic.

Cheers and Happy Computing!

OT