Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Seems Worse than 6 months ago


  • This topic is locked This topic is locked
12 replies to this topic

#1 zeero3

zeero3

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Local time:12:02 PM

Posted 30 December 2008 - 06:44 PM

About 6 months ago I was infected w Trojan/Vundo and the BC gang helped me get back on my feet. I ran ComboFix, use Ad-Aware, AVG, Malwarebytes, Spybot, Spyware Blaster.

I enjoyed 6 worry-free months and now I'm stuck again. Windows will not complete loading--freezes. I tried to use my windows recovery in safe mode and clicking "next" prompts no further action after I've chosen a previous date. I have done a HJT log in safe mode only.

Symptoms when windows was working still:

Google results were links to other ad sites.
IE would not allow me to go to BC.com and other helpful forums but would allow me to go to youtube, google, yahoo, etc.
Updating Ad-Aware, Spybot, and AVG was not allowed.
Malwarebytes would no longer load (would show to load in the Task Manager but nothing further.)

So I feel frustrated because I can't use any malware/virus programs to clean. And I can't load windows in anything but safe mode.

Any advice would be extremely appreciated. Thank you in advance!!

BC AdBot (Login to Remove)

 


#2 rigel

rigel

    FD-BC


  • Members
  • 12,944 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:South Carolina - USA
  • Local time:04:02 PM

Posted 30 December 2008 - 07:11 PM

Hi and welcome back.

I am sending you a private message with instructions. Please follow those first and then run malwarebytes according to these instructions.

On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note:
-- If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

-- MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes (like Spybot's Teatimer), they may interfere with the fix or alert you after scanning with MBAM. Please disable such programs until disinfection is complete or permit them to allow the changes.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it. Will Smith


#3 zeero3

zeero3
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Local time:12:02 PM

Posted 30 December 2008 - 08:43 PM

After having computer frozen, I was helped by BC.com member rigel. I was instructed to disable "TDSSserv.sys" on the device manager. After this, the computer seemed to run. Malwarebytes was unable to run before (even when computer wasn't frozen malwarebytes would not open when commanded, but it would showup as a new process in the Task Manager.) Now it run and these are the results I was instructed to post by rigel. Thank you so much rigel for your help. If there is something I should do as a next step, please advise.

Thank you in advance everyone!



Malwarebytes' Anti-Malware 1.31
Database version: 1580
Windows 5.1.2600 Service Pack 3

12/30/2008 5:35:03 PM
mbam-log-2008-12-30 (17-35-03).txt

Scan type: Quick Scan
Objects scanned: 67984
Time elapsed: 6 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Owner\Local Settings\Temp\TDSSbe6d.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\TDSSbe3e.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSShtpx.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSrhok.log (Trojan.TDSS) -> Quarantined and deleted successfully.

#4 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 37,106 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:03:02 PM

Posted 30 December 2008 - 09:51 PM

Hello zeero3,

I have merged your latest topic which you posted in the HiJack This forum to your topic here in the Am I Infected forum. Please keep all posts regarding this issue to this thread by using the Add Reply button at the bottom of the topic unless you are directed to post in the HiJack This forum.

If you are, you will be provided specific instructions to follow before hand and will be asked to produce a different kind of log to post there.

Back to those who know more about malware removal than I do.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Internet Security, NoScript Firefox ext.


animinionsmalltext.gif

#5 zeero3

zeero3
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Local time:12:02 PM

Posted 31 December 2008 - 01:11 AM

Malwarebytes' Anti-Malware 1.31
Database version: 1580
Windows 5.1.2600 Service Pack 3

12/30/2008 10:09:37 PM
mbam-log-2008-12-30 (22-09-37).txt

Scan type: Quick Scan
Objects scanned: 68021
Time elapsed: 6 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#6 zeero3

zeero3
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Local time:12:02 PM

Posted 31 December 2008 - 04:16 PM

Computer runs much much smoother now. I've scanned the C:\ with AVG Free 8.0 and Spybot S&D and no threats were found. I just finished running Malwarebytes again and nothing was found. However, AVG's system tray virus scanner will find a Trojan every once in a while (has found 3 in the past 24 hours). I've "healed" them and am about to empty the virus vault. Here are the three Trojans found.

Trojan horse Downloader.Agent.APNF
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP174\A0019612.dll

Trojan horse Agent.AKYE
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP174\A0019624.dll

Trojan Horse Agent.AHAS
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP174\A0019625.dll


I would think I'm almost out of the woods? Any preventative measures to take from here on out?

Thank you ALL in advance!!!

Edited by Orange Blossom, 31 December 2008 - 04:18 PM.
Edited out HiJack This log. ~ OB


#7 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 37,106 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:03:02 PM

Posted 31 December 2008 - 04:22 PM

Hello zeero3,

I'm glad that your computer is functioning better.

I've edited out your HiJack This log in order that you may continue receiving assistance in this forum.

What AVG has flagged are files in the System Restore. As long as you don't use system restore you will be fine.

I will provide directions later, when I get home, for flushing the restore points.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Internet Security, NoScript Firefox ext.


animinionsmalltext.gif

#8 rigel

rigel

    FD-BC


  • Members
  • 12,944 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:South Carolina - USA
  • Local time:04:02 PM

Posted 31 December 2008 - 04:59 PM

I would continue with a few scans if I were you...

Lets see if anything is left out there.

Please download ATF Cleaner by Atribune & save it to your desktop.
alternate download link DO NOT use yet.

Please download and install SUPERAntiSpyware Free
  • Double-click SUPERAntiSypware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the
    definitions before scanning by selecting "Check for Updates". (If you encounter
    any problems while downloading the updates, manually download them from
    here and
    unzip into the program's folder.
    )
  • Under the "Configuration and Preferences", click the Preferences... button.
  • Click the "General and Startup" tab, and under
    Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner
    Options
    , make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose:
    Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp"

ATF-Cleaner must be "Run as an Administrator".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it. Will Smith


#9 zeero3

zeero3
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Local time:12:02 PM

Posted 01 January 2009 - 03:32 AM

Followed the steps and this is the resulting scan log:


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/01/2009 at 00:17 AM

Application Version : 4.24.1004

Core Rules Database Version : 3692
Trace Rules Database Version: 1668

Scan type : Complete Scan
Total Scan Time : 07:45:10

Memory items scanned : 155
Memory threats detected : 0
Registry items scanned : 7779
Registry threats detected : 5
File items scanned : 132601
File threats detected : 1

Rogue.Component/Trace
HKLM\Software\Microsoft\54058378
HKLM\Software\Microsoft\54058378#54058378
HKLM\Software\Microsoft\54058378#Version
HKLM\Software\Microsoft\54058378#red_srv
HKLM\Software\Microsoft\54058378#red_srv_bckp

Rootkit.TDSServ-Trace
C:\WINDOWS\SYSTEM32\TDSSJEGM.DAT


I feel much much better now (especially that it's a brand new year!! Happy New Year everyone!!)

Any other suggestions?? Thank you again.....

#10 rigel

rigel

    FD-BC


  • Members
  • 12,944 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:South Carolina - USA
  • Local time:04:02 PM

Posted 01 January 2009 - 10:27 AM

Rootkit.TDSServ-Trace

This item is part of the TDSS rootkit...

IMPORTANT NOTE: One or more of the identified infections was related to a rootkit component. Rootkits and backdoor Trojan are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypasses security mechanisms and steal sensitive information which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

Although the rootkit was identified and removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because the rootkit has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

"When should I re-format? How should I reinstall?"
"Help: I Got Hacked. Now What Do I Do?"
"Where to draw the line? When to recommend a format and reinstall?"

Should you decide not to follow that advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful.

Let me know how you wish to proceed. If you wish to proceed, we need to refer you to the HJT forums where stronger removal tools maybe used.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it. Will Smith


#11 zeero3

zeero3
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Local time:12:02 PM

Posted 01 January 2009 - 03:47 PM

Thank you so much rigel. This is very scary sounding news. This computer has never been used for online banking, credit cards, and anything of the sort. It is mostly used for web browsing and college work. That's the bright side. I would wish to proceed to NOT reformat. However, your advice is DEFINITELY not taken lightly. I appreciate the warning and the insistance that the computer may never be thought of as secure.

The computer seems to be running fine, EXCEPT for the backdoor in the c:\system volume information

AVG's background scanner seems to automatically realize it when Spybot is running its scan of the computer.

#12 rigel

rigel

    FD-BC


  • Members
  • 12,944 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:South Carolina - USA
  • Local time:04:02 PM

Posted 01 January 2009 - 06:37 PM

Please follow this guide from step (6). Post a HJT log to the HJT forum and a Team member will be along to help you as soon as possible. You may wish to post a link back to this topic to see what was discussed thus far.

If you need any help with the guide, please let me know. Best wishes - you are in good hands...

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it. Will Smith


#13 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 37,106 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:03:02 PM

Posted 01 January 2009 - 08:53 PM

Hello zeero3,

I see that you now have your log posted here: http://www.bleepingcomputer.com/forums/t/191276/rootkitbackdoor-tds/ Please note that you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

If after 5 days you still have received no response, then post a link to your HJT log in the thread titled "Haven't Had A Reply In Five Days?".

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Internet Security, NoScript Firefox ext.


animinionsmalltext.gif




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users