Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

TDSSserve Infection on XP


  • This topic is locked This topic is locked
6 replies to this topic

#1 Jim N

Jim N

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:10:02 PM

Posted 21 February 2009 - 09:11 AM

I've apparently got a TDSSserve.sys infection on my XP machine.
Below are the logs from DDS. I have the TDSSserve.sys driver disabled right now. How do I disinfect?


DDS (Ver_09-02-01.01) - NTFSx86
Run by Owner at 9:06:26.68 on Sat 02/21/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1021.672 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Netscape Internet Service\ncupdatesvc.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\BigFix\bigfix.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\mmc.exe
C:\Program Files\AT&T\WnClient\Programs\WNConnect.exe
C:\PROGRA~1\AT&T\WnClient\Programs\WNCSMS~1.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://my.att.net/
uSearch Page = hxxp://www.google.com
uWindow Title = Microsoft Internet Explorer
uSearch Bar = hxxp://www.google.com/ie
mDefault_Page_URL = hxxp://www.worldnet.att.net
mDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.gatewaybiz.com
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: PBlockHelper Class: {4115122b-85ff-4dd3-9515-f075bede5eb5} - c:\progra~1\netsca~1\netsca~1\pbhelper.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [<NO NAME>]
mRun: [Gateway Extended Warranty] "c:\program files\gateway\gwcares\GWCares.exe"
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [Reminder] %WINDIR%\Creator\Remind_XP.exe
mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [Share-to-Web Namespace Daemon] c:\program files\hewlett-packard\hp share-to-web\hpgs2wnd.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bigfix.lnk - c:\program files\bigfix\bigfix.exe
IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
LSP: c:\program files\netscape internet service\netscape web accelerator\sliplsp.dll
Trusted Zone: accountonline.com\www
Trusted Zone: amazon.com\www
Trusted Zone: andera.com
Trusted Zone: att.net\memberservices
Trusted Zone: bitsandpieces.com\www
Trusted Zone: chase.com
Trusted Zone: comcast.com\www
Trusted Zone: comcastsupport.com
Trusted Zone: hewitt.com
Trusted Zone: mandtbank.com
Trusted Zone: paypal.com
Trusted Zone: rewardsnetwork.com\usairways
Trusted Zone: speedpass.com\www
Trusted Zone: state.pa.us\pa.direct.file
Trusted Zone: troweprice.com\www3
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://support.gateway.com/support/profiler/PCPitStop.CAB
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1141514881140
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1145585816593
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} - hxxp://h30043.www3.hp.com/sj/en/check/qdiagh.cab?326
TCP: {1B1BA62B-DF8D-45B1-A925-FA1D5CC71AB3} = 204.127.129.4 204.127.160.4
Notify: igfxcui - igfxsrvc.dll

============= SERVICES / DRIVERS ===============

S2 EZUSB;Cypress General Purpose USB Driver (ezusb.sys);c:\windows\system32\drivers\ezusb.sys [2002-9-16 27507]

=============== Created Last 30 ================

2009-02-21 02:24 <DIR> --d----- c:\program files\Trend Micro
2009-02-20 23:48 54,156 a---h--- c:\windows\QTFont.qfn
2009-02-07 19:28 <DIR> --d----- C:\Temp
2009-02-01 16:20 2,382 a------- c:\windows\system32\TDSSvhct.dll
2009-02-01 16:20 61,440 a------- c:\windows\system32\TDSScjmk.dll
2009-02-01 16:20 31,232 a------- c:\windows\system32\TDSSvtux.dll
2009-02-01 16:20 29,696 a------- c:\windows\system32\TDSSarfe.dll
2009-02-01 16:19 441 a------- c:\windows\system32\TDSSnnme.dat
2009-02-01 16:19 60,416 a------- c:\windows\system32\drivers\TDSScbjr.sys
2009-02-01 16:19 35,840 a------- c:\windows\system32\TDSSecbl.dll

==================== Find3M ====================

2008-11-29 21:33 76,487 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat

============= FINISH: 9:06:52.96 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:05:02 AM

Posted 21 February 2009 - 12:16 PM

Hi,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix..This because Security Software may see some components ComboFix uses (prep.com for example) as suspicious and blocks the tool, or even deletes it. Please visit HERE if you don't know how.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 Jim N

Jim N
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:10:02 PM

Posted 21 February 2009 - 05:20 PM

Combofix has been run. Here is the log:
(How did it do?)


ComboFix 09-02-19.01 - Owner 2009-02-21 16:55:19.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1021.672 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
.
ADS - system32: deleted 12 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\Drivers\TDSScbjr.sys
c:\windows\system32\FM20(2).DLL
c:\windows\system32\TDSSarfe.dll
c:\windows\system32\TDSSbfno.log
c:\windows\system32\TDSScjmk.dll
c:\windows\system32\TDSSecbl.dll
c:\windows\system32\TDSSnnme.dat
c:\windows\system32\TDSSvtux.dll
c:\windows\Temp\scsE.tmp
c:\windows\Temp\scsF.tmp
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV.SYS
-------\Service_TDSSserv.sys


((((((((((((((((((((((((( Files Created from 2009-01-21 to 2009-02-21 )))))))))))))))))))))))))))))))
.

2009-02-21 02:24 . 2009-02-21 02:24 <DIR> d-------- c:\program files\Trend Micro
2009-02-20 23:48 . 2009-02-20 23:58 54,156 --ah----- c:\windows\QTFont.qfn
2009-02-07 19:28 . 2009-02-07 19:28 <DIR> d-------- C:\Temp
2009-02-01 16:20 . 2009-02-21 05:45 2,382 --a------ c:\windows\system32\TDSSvhct.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-21 10:49 --------- d-----w c:\program files\Google
2009-02-08 00:26 --------- d-----w c:\documents and settings\Owner\Application Data\Lavasoft
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-07-01 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-07-01 118784]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Gateway Extended Warranty"="c:\program files\Gateway\GWCares\GWCares.exe" [2004-02-08 73728]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-03-15 966656]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 69632]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-02-15 98304]
"SoundMan"="SOUNDMAN.EXE" [2004-08-30 c:\windows\SOUNDMAN.EXE]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
BigFix.lnk - c:\program files\BigFix\bigfix.exe [2006-03-24 2168360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

S2 EZUSB;Cypress General Purpose USB Driver (ezusb.sys);c:\windows\system32\drivers\ezusb.sys [2002-09-16 27507]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
.
Contents of the 'Scheduled Tasks' folder

2006-02-24 c:\windows\Tasks\ISP signup reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2008-04-13 19:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.att.net/
mStart Page = hxxp://www.gatewaybiz.com
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
LSP: c:\program files\Netscape Internet Service\Netscape Web Accelerator\sliplsp.dll
Trusted Zone: accountonline.com\www
Trusted Zone: amazon.com\www
Trusted Zone: andera.com
Trusted Zone: att.net\memberservices
Trusted Zone: bitsandpieces.com\www
Trusted Zone: chase.com
Trusted Zone: comcast.com\www
Trusted Zone: comcastsupport.com
Trusted Zone: hewitt.com
Trusted Zone: mandtbank.com
Trusted Zone: paypal.com
Trusted Zone: rewardsnetwork.com\usairways
Trusted Zone: speedpass.com\www
Trusted Zone: state.pa.us\pa.direct.file
Trusted Zone: troweprice.com\www3
TCP: {1B1BA62B-DF8D-45B1-A925-FA1D5CC71AB3} = 204.127.129.4 204.127.160.4
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-21 17:00:03
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-4013355677-223623042-3106863383-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(916)
c:\program files\Netscape Internet Service\Netscape Web Accelerator\sliplsp.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Netscape Internet Service\ncupdatesvc.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\windows\system32\tcpsvcs.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
.
**************************************************************************
.
Completion time: 2009-02-21 17:02:38 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-21 22:02:36

Pre-Run: 64,534,077,440 bytes free
Post-Run: 64,743,817,216 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

145 --- E O F --- 2009-02-15 23:17:30

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:05:02 AM

Posted 21 February 2009 - 06:53 PM

Hi,

This looks OK again.

Just navigate to and delete the following file:

c:\windows\system32\TDSSvhct.dll

Then, * Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Let me know in your next reply how things are now.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 Jim N

Jim N
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:10:02 PM

Posted 21 February 2009 - 07:10 PM

No problems. The TDS stuff is no longer in the driver list, the browser is working fine.

Thank you very much for the quick help!

A question - how did this infernal thing get in here?
Thanks again!

#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:05:02 AM

Posted 21 February 2009 - 07:15 PM

Hi,

This one is getting installed in most of the cases via illegal software (hacks/cracks sites) or via P2P software.
However, in some cases it may getting installed via an infected legitimate website as well.
In anyway, you need to install an Antivirus and make sure it runs as a realtime shield, this to prevent this in the future.

Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:05:02 AM

Posted 24 February 2009 - 08:42 AM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users