Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

TDSServ rootkit plus other issues?


  • This topic is locked This topic is locked
2 replies to this topic

#1 eBanzai

eBanzai

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:11:13 AM

Posted 16 January 2009 - 04:58 PM

I was using Firefox--surfing reputable sites, I swear!!--when the browser seized up and shut itself down. My whole OS went into the shutdown sequence.

When I rebooted, the computer started up as usual. There was a ton of disk access, but since I rarely reboot my server it's hard to say if that was abnormal. But after about 30 seconds the screen went blank. At the same time the disk stopped accessing. Everything just goes quiet, but the computer is still running.

Now every time I reboot it does this--goes dead within 30 seconds of logging in to my Windows user account.

It'll boot up okay in Safe Mode. Both IE and Firefox are redirected to various ad sites and I can't access any of the online anti-virus scanners.

In safe mode I ran HiJackThis and saw a svchost listing that was the same as someone had posted in their own thread. I followed some of the advice in that thread to run SDFix.

SDFix runs fine in Safe Mode and reboots the machine as expected. When it boots into normal Windows, SDFix then detects TDSServ and asks me to reboot. If I allow the system to reboot into normal mode, SDFix cannot complete its final scan because of the 30-sec crash that now always occurs.

I've tried to run DDS in the 30-secs that I have before the system goes dead but it can't complete in time. Instead I've included the DDS scan that results from running it within Safe Mode.

I've disconnected my data drives and unplugged the machine from my network to isolate it.

Any help would be GREATLY, GREATLY appreciated!!


DDS (Ver_09-01-07.01) - NTFSx86 MINIMAL
Run by kdmukai at 15:51:28.31 on Fri 01/16/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.3310 [GMT -6:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\Explorer.EXE

============== Pseudo HJT Report ===============

uStart Page = hxxp://cm.my.yahoo.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_11\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
BHO: CutePDF Form Filler Helper: {d41289f2-69c6-417b-897e-c653d677cbaf} - c:\program files\acro software\cutepdf filler evaluation\CPFillerCoE.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\Iaanotif.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SkyTel] SkyTel.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [JMB36X IDE Setup] c:\windows\jm\JMInsIDE.exe
mRun: [36X Raid Configurer] c:\windows\system32\JMRaidSetup.exe boot
mRun: [EasyTuneV] c:\program files\gigabyte\et5\ETcall.exe
mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimagehome\TrueImageMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files\acronis\trueimagehome\TimounterMonitor.exe
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.5.0_11\bin\jusched.exe"
mRun: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] c:\program files\google\gmail notifier\gnotify.exe
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [OSSelectorReinstall] c:\program files\common files\acronis\acronis disk director\oss_reinstall.exe
mRun: [Phase One Media Reader] c:\progra~1\phaseo~1\captur~1\DCIMImp.exe /noscan /CheckAutoStart
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
StartupFolder: c:\docume~1\kdmukai\startm~1\programs\startup\monito~1.lnk - d:\apache\tomcat5.0\bin\tomcat5w.exe
StartupFolder: c:\docume~1\kdmukai\startm~1\programs\startup\no-ipd~1.lnk - c:\program files\no-ip\DUC20.exe
StartupFolder: c:\docume~1\kdmukai\startm~1\programs\startup\wincol~1.lnk - c:\program files\pro imaging powertoys\microsoft color control panel applet for windows xp\WinColor.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\profil~1.lnk - c:\program files\gretagmacbeth\i1\eye-one match 3\ProfileReminder.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\squeez~1.lnk - c:\program files\squeezecenter\SqueezeTray.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_11\bin\ssv.dll
Trusted Zone: imageshack.us\toolbar
Trusted Zone: turbotax.com
TCP: {11436C35-CB47-40D9-8B0A-FB1ACE58EF2D} = 68.94.156.1,151.164.8.201
Notify: AtiExtEvent - Ati2evxx.dll
LSA: Authentication Packages = msv1_0 relog_ap

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\kdmukai\applic~1\mozilla\firefox\profiles\iuho4230.default\
FF - prefs.js: browser.startup.homepage - hxxp://cm.my.yahoo.com/
FF - plugin: c:\documents and settings\kdmukai\application data\mozilla\firefox\profiles\iuho4230.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJPI150_11.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPOJI610.dll
FF - plugin: c:\program files\photosynth\npPhotosynthMozilla.dll

============= SERVICES / DRIVERS ===============

S3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [2007-7-20 84992]
S3 eyeonedp;eye-one display;c:\windows\system32\drivers\eyeonedp.sys --> c:\windows\system32\drivers\eyeonedp.sys [?]
S3 i1display;i1 Display;c:\windows\system32\drivers\i1display.sys [2007-8-21 44344]
S4 Apache2.2;Apache2.2;d:\apache\apache2.2\bin\httpd.exe [2007-9-5 24635]
S4 MSSEARCH;Microsoft Search;c:\program files\common files\system\mssearch\bin\mssearch.exe [2007-3-25 69632]
S4 P1C1394;Phase One 1394 Camera Driver;c:\windows\system32\drivers\p1c1394.sys [2008-5-29 23808]
S4 PDIHWCTL;PDIHWCTL;c:\windows\system32\drivers\pdihwctl.sys [2007-3-27 14416]
S4 Plbvcmvprasb;Plbvcmvprasb;c:\windows\system32\drivers\netbios.sys [2006-2-28 34688]
S4 SqueezeMySQL;SqueezeMySQL;c:\progra~1\squeez~1\server\bin\mswin3~1\mysqld.exe --defaults-file=c:\docume~1\alluse~1\applic~1\squeez~1\cache\my.cnf squeezemysql --> c:\progra~1\squeez~1\server\bin\mswin3~1\mysqld.exe --defaults-file=c:\docume~1\alluse~1\applic~1\squeez~1\cache\my.cnf SqueezeMySQL [?]
S4 squeezesvc;SqueezeCenter;c:\program files\squeezecenter\server\squeezecenter.exe [2008-8-19 8400983]
S4 Tomcat5;Apache Tomcat;d:\apache\tomcat5.0\bin\tomcat5.exe [2004-8-28 94208]

=============== Created Last 30 ================

2009-01-16 15:18 <DIR> --d----- C:\DDS-antivirus
2009-01-16 13:33 <DIR> --d----- C:\SDFix
2009-01-16 13:24 <DIR> --d----- c:\windows\ERUNT
2009-01-16 12:48 <DIR> --d----- C:\HiJackThis
2009-01-16 12:28 2,639,879 a------- c:\temp\stinger10000482.exe
2008-12-31 10:07 <DIR> --d----- c:\docume~1\kdmukai\applic~1\MPEG Streamclip
2008-12-31 10:07 <DIR> --d----- c:\program files\MPEG_Streamclip-1.2
2008-12-29 10:53 <DIR> --d----- c:\program files\DGAVCDec-1.0.7
2008-12-29 10:38 <DIR> --d----- c:\program files\VirtualDubMod-1.5.10.2

==================== Find3M ====================

2008-08-30 00:54 301,667,231 a--sh--- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 15:51:40.20 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 eBanzai

eBanzai
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:11:13 AM

Posted 17 January 2009 - 07:12 PM

Problem resolved.

Luckily I had a recent sys drive backup image and was able to restore from there. The image was clean enough to allow me to run a virus scanner. It did find a few things: A Kryptick.FB trojan and a Agent.ODG virus in my Windows Temp dir. Not sure if that's what triggered my above problem or if it was something that just landed as I was surfing.

Anyway, please disregard this thread.

#3 Starbuck

Starbuck

    'r Brudiwr


  • Malware Response Team
  • 4,149 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Midlands, UK
  • Local time:06:13 PM

Posted 18 January 2009 - 02:59 PM

Anyway, please disregard this thread.

Thanks for letting us know. :thumbup2:

BBPP6nz.png





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users