
My laptop has been taken over by a trojan


12 replies to this topic

#1 bventure

Posted 19 December 2008 - 07:47 PM

Dell Vostro 1500 laptop, Windows XP Pro SP3

Please help, I need this system back for an urgent task on Monday. I got infected (McAfee didn't stop it) yesterday. Started with a message warning that Windows Update was disabled. Tried to re-enable but it was permanently disabled and ignored all my attempts to restart. Then started getting typical Vundo-type web pages about virus removal tools. It has since got worse. It also prevented me running regedit (I got round this, I think via Group Policy, not sure now, seems so long ago!) It also hid folder properties so I couldn't set to see hidden files. Got round this by doing it from the control panel folder options facility.

But now it's got much much worse. IE just flicks up & closes immediately. I downloaded MLAM on another machine & tried to copy it via a stick. Couldn't drag or copy/paste (paste greyed out). Managed to get mbam-setup to run from the stick by changing .exe to .com, but when I try to run mbam.exe nothing happens (tried renaming, no difference). Some exes will run. 'Right click/run as' fails too. As I can't connect to the internet and can't copy/paste I can't even get anything else on there to try to help.

Files present in system32 were a number of randomly named dlls (e.g. rXbcefii.dll, tyshb36rfjdf.dll), and 3 .exes (prunnet, winloggn, csrssc) set to run at startup. I've taken these out via msconfig & renamed the exes, but I think it's only made matters worse. Booting in safe mode doesn't help - in fact I just get a blank screen with safe mode in each corner and that's it. In normal startup I now don't even get the start bar - I got this back by putting the cursor below the bottom of the screen, right clicking, and got the properties, set the start bar to Classic and at least I can now Run... things. But it's doing me no good.

I'm really desperate - where do I go from here? Did I mention System Restore says 'system restore can't protect your system. Please reboot and select system restore again'.

Very depressed, been at this for 12 hours solid now. Decided when in a hole stop digging. Anybody - please?

Martin Davies

#2 rigel


Posted 20 December 2008 - 03:54 PM

Let's see if SDFix can run...

Please print out and follow these instructions: "How to use SDFix". <- This program is for Windows 2000/XP ONLY.
When using this tool, you must use the Administrator's account or an account with "Administrative rights"
  • Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real time protection programs before performing a scan.
  • When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt.
  • If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either Mode, and type F, then press Enter for it to finish the final stage and produce the report.
  • Please copy and paste the contents of Report.txt in your next reply.
  • Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.
-- If the computer has been infected with the VirusAlert! malware warning from the clock and the Start Menu icons or drives are not visible, open the SDFix folder, right-click on either the XP_VirusAlert_Repair.inf or W2K VirusAlert_Repair.inf (depending on your version of Windows) and select Install from the Context menu. Then reboot to apply the changes.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith


#3 bventure


Posted 21 December 2008 - 05:15 AM

Couple of problems here. First, I can't connect my infected laptop to the internet (IE won't load) so I tried to download SDFix onto the functioning desktop I'm using now. Trying to save to desktop, got message 'Cannot copy SDFix[1] Access denied'. I'm guessing this is a consequence of Norton saying 'Auto protect blocked W32.Spybot.Worm. Your computer is safe'. Whether this is a genuine message or not I'm not sure, but under the circumstances I wasn't going to risk trashing my remaining functional machine. Please advise - and thanks for getting back to me, I am grateful for some assistance, don't feel quite so alone now!

The other problem I'm going to have is that if/when I download it I have no means of getting it on to the damaged machine. All external access is shut off. The only way I managed to get MalwareBytes installed was to copy it onto a stick and run the install from the stick after changing the installer name - but the installed app won't run. I can't copy/paste or otherwise get files on or off the machine. This means I can't even back up my data and reinstall XP (even if I had an install disc, which I don't). Maybe the same method will work for SDFix, but please confirm it is safe to download.

Thanks again
Martin

#4 bventure


Posted 21 December 2008 - 05:19 AM

Quick afterthought here - even if I can get SDFix on the laptop & run it I have no way of getting Report.txt off the laptop so I can post it, unless you can tell me what I might tweak (presumably somewhere in the registry) to allow me to drag or paste to a usb stick. The only alternative I can think of is to list it on the screen and post photographs of it (or retype manually)!

Martin



#5 bventure


Posted 21 December 2008 - 07:46 AM

OK, thanks for that Lost Boy. We now have some more information, if little actual progress.

I checked device manager as you suggested and found TDSServe (note - not TDSSServe - is this as expected?) and disabled it.

If you check my rather long introductory explanation you will see that I had already managed to install Malwarebytes by running a renamed installation file off a flash drive, but although it seems installed OK it wouldn't run. After restarting in safe mode after disabling TDSServe I now get this message instead 'Failed to load control VbalGrid from vbalsgrid6.ocx....'. If this is part of MalwareBytes itself then I guess the installation didn't actually complete properly, although the folder looks identical to one on a working PC. Probably the registry didn't get updated properly, or has been changed since? However, this is progress from before disabling TDSServe, as nothing whatever happened at that stage.

Thanks again for your much-appreciated help, and any further suggestions very welcome
Martin

#6 rigel


Posted 21 December 2008 - 04:25 PM

Running Combofix is more recommended instead of scanning the computer with malwarebytes anti-malware

Not in this forum - See the note in blue at the top of this forum.

Note : It is advised to run Combofix with the help of a Professional.

Amen.

A quick note about ComboFix from its creator...

ComboFix is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert", NOT for private use. Please read Combofix's Disclaimer. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

Mod edit: LostBoy's post was edited from this string.

Did TDSSxxxx (xxxx represents any string of characters) show up in the devices listing? If so, we need to take a different path here.



#7 bventure


Posted 21 December 2008 - 04:50 PM

Thanks for the update rigel, I had seen the warning and wasn't about to run combofix unaided anyway. I know too little about the low-level details we're into here. Chances of me running anything seem pretty slim at the moment!

In answer to your question, yes, TDSServe was there (see my reply to LostBoy). I disabled it & rebooted into safe mode but haven't attempted to delete it. It remains disabled.

Some other pieces of info:
1. MalwareBytes now consistently provides this message 'Failed to load control VbalGrid from vbalsgrid6.ocx....'. I get the same message if I try to reinstall it. I have checked the registry entries for vbalgrid against a PC where malwarebytes runs OK and they look identical. I also registered vbalsgrid6.ocx successfully via Regsvr32, it made no difference.

2. I have discovered that I can copy files to/from my flash drive with copy or xcopy from command prompt. Can't copy/paste in Explorer though, paste is still greyed out.

3. The one dodgy dll in System32 that I can't manipulate (e.g. rename) is urqQjjgd.dll. This looks like the earliest of the trojan dlls, and I guess it is the one that hooks in to Explorer. rXbcefii.ini & ini2 are hooked into IE as helpers. I disabled them in IE properties via control panel, but it's made no difference.

I have to go off to London to do a (SQL Server) support task for a client now, will not be back home for 24 hours, but will be checking this forum regularly for any updates.

Thanks again for your very welcome assistance, I am hopeful we can recover the machine. It would take forever to put it back together. I don't like giving in to these things.

Kind regards
Martin



#8 rigel


Posted 21 December 2008 - 07:49 PM

Hi Martin,

Decision time. TDSS is a part of a very nasty rootkit. The following warning applies.

IMPORTANT NOTE: One or more of the identified infections was related to a rootkit component. Rootkits and backdoor Trojans are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypass security mechanisms, and they steal sensitive information which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

Although the rootkit was identified and removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because the rootkit has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

"When should I re-format? How should I reinstall?"
"Help: I Got Hacked. Now What Do I Do?"
"Where to draw the line? When to recommend a format and reinstall?"

Should you decide not to follow that advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful.

Let me know how you wish to proceed. It sounds like you want to attempt a cleaning. Please follow this guide from step (6). Post a HJT log to the HJT forum and a Team member will be along to help you as soon as possible. You may wish to post a link back to this topic to see what was discussed thus far.

If you need any help with the guide, please let me know. Best wishes - you are in good hands...

Season's Greetings
rigel



#9 bventure


Posted 22 December 2008 - 04:31 AM

Well, that wasn't what I wanted to hear, but thanks for the warning anyway. I don't think the risk is very high fortunately, as I only use this machine for development, never been used for online purchases or banking. It does have a copy of an access database with my accounts on it however, but no bank details are included (it does have a table with card details but these are fake details, hope someone tries to use them!). Also as soon as I got the initial infection (last Thursday afternoon) I disabled the wireless card, and have only connected momentarily since to check whether or not IE was working. It's been in safe mode with the card disabled ever since. However, given the type of infection, on the whole I feel it is going to be safer (and probably quicker) to reinstall. Two questions:-
1. How did this thing get in? I got a warning from McAfee (which was up to date) at the time that a couple of trojans had been detected and destroyed, but it clearly has allowed the real nasty one in. What do I do to prevent it recurring?
2. I will want to copy files off there to copy back after reinstall. Is this safe? The only way I have to copy is via command prompt to an external USB drive. How can I check if this has also been infected?

I have to go and try to concentrate on a tricky support issue on a client's database now, which isn't going to be easy! I will get back to you later with a final decision, but I'm already pretty sure I'm going for a reinstall.

Thanks again
Martin

#10 rigel


Posted 22 December 2008 - 02:21 PM

1. How did this thing get in? I got a warning from McAfee (which was up to date) at the time that a couple of trojans had been detected and destroyed, but it clearly has allowed the real nasty one in. What do I do to prevent it recurring?

No matter how advertised, one product cannot defend against all threats. This was possibly a "drive by" infection from visiting a site that may have been hacked. It could have been from a Peer to peer site. Music downloads and crackz come with malware guests a lot. It looks like your copy of Windows is up to date.

You need at least a good antivirus that is kept updated
A good antiMalware program. I like Malwarebytes as we use it here. They have a paid version, but that would be your choice to purchase. I do not have the paid version on my computer.
You need a good firewall - I use Comodo Professional - It's free
I use a HOSTS file - check that out here.
Keep your computer updated. That includes Java, and Adobe products (Like Adobe Reader)
Surf safe - make good surfing choices.

2. I will want to copy files off there to copy back after reinstall. Is this safe? The only way I have to copy is via command prompt to an external USB drive. How can I check if this has also been infected?

Some would say don't take anything with you... Others say to clean as best you can, move the needed files, then scan then with Anti-virus and Malware programs before replacement.



#11 bventure


Posted 30 December 2008 - 07:46 AM

Hi rigel, sorry about the delay, Christmas etc. I wasn't going to bother trying to clean the machine, just reformat, but your comments above have given me pause. I have a single folder I need to retrieve, I can let the rest go, reluctantly. I have a copy of this folder on CD I took right after the first sign of a virus appeared (when I could still write to CD via Nero & virtually everything was still running OK). The folder consists mainly of loads of sql scripts (i.e. text files) and a few office files and a couple of visual studio projects. I have checked the CD with malwarebytes, MS Defender, McAfee & Norton and all say it is clean. Is there anything else I can check it with to be 100% sure it's safe (OK, let's say as sure as possible since 100% is never attainable)? Most of the nastiness on the laptop appeared the day after I took this backup, and I'm concerned that attempting to clean and then taking a copy will give me a less safe version rather than a safer one.

Given that the only way I can get stuff on or off the infected machine is via command line to/from a USB stick, and I can't run anything on there anyway, even getting a log created, never mind getting it off there and onto this site safely, is fraught with problems.

Lastly, the machine is a Dell laptop and I should be able to return it to its original 'as bought' state by hitting CTRL & F11 (I think) on reboot at the Dell splash, which is supposed to restore the original image from a hidden partition. Is this safe to do or should I try to restore from original media (which of course I don't have as it was OEM)?

Thanks for your help
Martin
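Beyond running several scanners over the backup CD, a practical extra check before restoring a data-only folder is to inventory it for anything that is not the expected kind of file: executables, scripts, autorun.inf, or a file with a text extension that actually holds binary content. The script below is an added example, not code from the thread or from any of the tools named in it; the expected extension set is an assumption based on the folder described (SQL scripts, Office files, Visual Studio projects), and the sample folder it builds is constructed so that it runs offline.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Assumption: extensions the owner expects in a folder of SQL scripts,
# Office documents and Visual Studio projects (adjust to the real folder).
EXPECTED = {".sql", ".txt", ".doc", ".xls", ".mdb", ".sln", ".csproj",
            ".vbproj", ".cs", ".vb", ".config", ".resx"}
# Types that have no business in a data-only backup and deserve a look
# before anything is copied onto a freshly reinstalled machine.
SUSPECT = {".exe", ".dll", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs",
           ".js", ".ocx", ".sys", ".inf", ".lnk"}


def sha256_of(path):
    """Hash a file in chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def looks_textual(path):
    """A .sql or .txt file should not contain NUL bytes; an MZ/PE image does."""
    with open(path, "rb") as f:
        return b"\x00" not in f.read(512)


def triage_backup(root):
    """Return sorted (relative path, reason, sha256) for every file worth a look."""
    root = Path(root)
    findings = []
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        rel = str(p.relative_to(root)).replace(os.sep, "/")
        ext = p.suffix.lower()
        if p.name.lower() == "autorun.inf" or ext in SUSPECT:
            findings.append((rel, "unexpected executable/config type", sha256_of(p)))
        elif ext in {".sql", ".txt"} and not looks_textual(p):
            findings.append((rel, "text extension but binary content", sha256_of(p)))
        elif ext not in EXPECTED:
            findings.append((rel, "unknown extension", sha256_of(p)))
    return sorted(findings)


def build_sample():
    """Constructed stand-in for the backup CD: two clean files, three that should be flagged."""
    root = Path(tempfile.mkdtemp())
    (root / "scripts").mkdir()
    (root / "scripts" / "create_tables.sql").write_text("CREATE TABLE t (id INT);\n")
    (root / "notes.txt").write_text("plain notes\n")
    (root / "autorun.inf").write_text("[autorun]\nopen=setup.exe\n")
    # A PE header hiding behind a .sql extension.
    (root / "scripts" / "backup.sql").write_bytes(b"MZ\x90\x00" + bytes(60))
    (root / "helper.exe").write_bytes(b"MZ" + bytes(64))
    return root


if __name__ == "__main__":
    for rel, reason, digest in triage_backup(build_sample()):
        print(f"{reason:36} {rel:24} {digest}")
```

Anything the script lists should be left off the restore or submitted to a scanner individually; the hashes give you a stable identifier for each flagged file when asking for a second opinion.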

#12 rigel


Posted 30 December 2008 - 10:24 AM

Hi Martin - Happy New Year :thumbsup:

If the CD has all your needed files, I would go with it. Using original media would be better, but if you don't have it, it won't hurt to try the hidden partition. After you have everything restored, run a quick scan to see if anything is discovered.



#13 bventure


Posted 30 December 2008 - 06:49 PM

Thanks, I'll try that and let you know, hopefully all will be well and I can close the topic.

The only upside of all this is that I've learned a great deal. I now have a hosts file in place on my other machines, have set up IE restricted zone sites with SpywareBlaster, run daily scans with MalwareBytes and Defender etc. Of course, all this means that anything that gets through will be pretty nasty, but there seems little option than to live with that. The thing I got seems about as nasty as it gets, and it's also the first virus I have ever had in more years computing than I care to recall - I could have started with something simpler!

Happy new year to you too, and many thanks for your help, it has really been appreciated. It's a lonely and terrifying business trying to sort out this sort of thing in isolation, and your assistance has been absolutely invaluable and incredibly welcome. Thank you.

Martin
