WIN32RootkitTDSS Is Messing With Me
8 replies to this topic

#1 SpeedOfLate
Posted 22 March 2009 - 09:50 AM

My apologies in advance for a long post. Get yourself something to drink then settle in for a read.

I’m running Windows XP Professional Edition with Security Pack 3. Online, I use Firefox 3.0 99% of the time, opening Internet Explorer less than once a month. I have Trend Micro PC-Cillin Internet Security 14 with automatic updates. I have automatic updates on Windows.

A little background, since my problem started earlier in March. I had three pop-ups all related to the same scam, Spyware Protect 2009 insisting I needed their product, plus a new icon in the tray. Trend Micro PC-Cillin’s scan found evidence of a virus but its quarantine failed on C:\WINDOWS\svcho.exe and on C:\Documents and Settings\Mim\Local Settings\Temporary Internet Files\Content.IE5\DRFDHWHB\bok[1].gif. I contacted them and was advised to manually delete both.

However, both subverted the search function, changing the document name’s character string when I attempted a search from Explorer. Listing the files did not show either.

I did a fix based on the instructions at www.securitytango.com, which instructed me to delete all temporary internet files as best I was able, empty the recycle bin, delete all temp files, turn off system restore, reboot in safe mode, then download and/or update these programs:
AdAware, the free version
SpyBot Search & Destroy
SuperAntiSpyware
CW Shredder
Stinger
My own antivirus software and firewall software (Trend Micro PC-Cillin 14, Windows)

Last, I was to run the programs in this order:
CW Shredder
Stinger
Trend Micro PC-Cillin 14
AdAware
Spybot Search & Destroy
Windows firewall

After a lot of hang-ups, frozen screens, etc. I ran everything and the pop-ups stopped. Success?

Not quite.

Somewhat paranoid, I started each day running Trend, AdAware, and Spybot. They found:

AdAware:
Redirect\.\le entry qty: 1 TAI: 4 (threat analysis index)
SpywareProtect2009 entry qty: 2 TAI: 3
Win32TrojanAgent entry qty: 2 TAI: 10 (highest level)

Spybot:
AdRevolver, 4 entries, Browser
Doubleclick, 1 entry, browser
Fastclick, 1 entry, browser
HitBox, 6 entries, browser
MediaPlex, 1 entry, browser
WebTrendsLive, 1 entry, browser
WildTangent, 108 entries, PUPS
Win32.Agent.pz, 3 entries, malware
Win32.Banker.xe, 2 entries, Trojans
Win32.TDSS.rtk, 6 entries, MalwareC (notice this one; a version comes up later)
WnSpywareProtect, 1 entry, MalwareC
Zedo, 5 entries, Browser

Okay, so the computer seems to be running okay in normal mode until a week later, when I had my home page (yahoo.com) and several Yahoo Answers tabs open, I started hearing an ad for Octane TV. It stopped when I closed yahoo.com without looking, but a minute later it started up again. I closed all the tabs, shutting down Firefox, but it continued. I closed Word (which had no open documents), so I was running nothing at all, and it still continued.

Windows Task Manager showed an .exe application (damn, I should have jotted it down; it mimicked internetexplorer.exe, which I did not have open) taking up 96,000 units, far more than any other application. When I ended it, the sound stopped. I immediately ran AdAware, which had done its automatic scan earlier in the day, and it found WIN32RootkitTDSS (plus some cookies) with a Threat Analysis Index of 10. It was able to quarantine it and said to reboot, which I did. The reboot got hung up. I used the on-off button to reboot again.

My second reboot seemed to work, but when I tried to run the full scan of AdAware, I got frozen again. I rebooted yet again, in safe mode this time, and the full scan of AdAware showed the same malware, WIN32RootkitTDSS. Again it was quarantined. Again I was told to reboot. Again the reboot started normally, then got hung up on a black screen. Using the on-off button, I did a manual reboot and I seem to be okay again.

But the next day (today), my PC can’t boot up in normal mode. First attempt gets me my usual wallpaper but no icons, no tray, and no quick launch. All subsequent attempts get me the wallpaper, icons, tray and quick launch, but double-clicking on icons does not open their applications, and the tray and quick launch icons seem to be on hourglass status indefinitely.

I am able to boot in safe mode with networking. And that’s how I got here.

I apologize for such a long post, but being less than knowledgeable about computers, I don’t know which detail(s) will provide the “Ah-hah!” for those attempting to help me out.

Speed Of Late

Edited by SpeedOfLate, 22 March 2009 - 09:53 AM.
#2 boopme
Posted 22 March 2009 - 12:33 PM

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 SpeedOfLate
Posted 22 March 2009 - 04:21 PM

Thanks for the reply, boopme. As soon as I finish typing this answer, I'll be undoing the physical wiring connecting this computer to the network serving the house. I'll use one of the others to change passwords at sensitive sites like banking. Do I also want to change passwords at all places I make online purchases, like Amazon?

I need to get an external hard drive to back up my files (tomorrow!).

I have to warn you, as a low-tech person I'll probably require real basic instruction in reformatting and reinstalling my OS. (Hey, at least I know what OS stands for. A start, yes?)

Speed, grateful for all assistance

#4 boopme
Posted 22 March 2009 - 06:38 PM

Good job. I can't tell you what info the Bot did NOT get, so I would change all. Here's some formatting info. By the way, if it's any consolation... that's the choice I'd have made on my machine.

Reformatting

Your decision as to what action to take should be made by reading and asking yourself the questions presented in the "When should I re-format?" and What Do I Do? links I previously provided. As I already said, in some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. Wiping your drive, reformatting, and performing a clean install of the OS or doing a factory restore removes everything and is the safest action but I cannot make that decision for you.

Reformatting a hard disk deletes all data. If you decide to reformat, you can back up all your important documents, data files and photos. The safest practice is not to backup any autorun.ini or .exe files because they may be infected. Some types of malware may disguise itself by adding and hiding its extension to the existing extension of files so be sure you take a close look at the full name. After reformatting, as a precaution, make sure you scan these files with your anti-virus prior to copying them back to your hard drive.
Not an unwise decision to make.

The best procedure is a low level format. This completely wipes the drive. Then reinstall the OS.
Use the free version of Active@ KillDisk.
Or Darik's Boot And Nuke

The best sources of Information on this are
Reformatting Windows XP
Michael Stevens Tech

Of course also feel free to ask anything on this in the XP forum. They'd be glad to help.
==============================
2 guidelines/rules when backing up

1) Back up all your important data files, pictures, music, work etc... and save them onto an external hard drive. These files usually include .doc, .txt, .mp3, .jpg etc...
2) Do not back up any executable files or any Windows files. These include .exe, .scr, .com, .pif etc... as they may contain traces of malware. Also, .html or .htm files that are webpages should be avoided.
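As an added example (my own code, not from the thread or from BleepingComputer), a small Python script that applies the two backup rules above plus the double-extension caveat from the reformatting notes to a constructed file listing; the .bat/.cmd/.dll exclusions and the extra data formats beyond those named in the post are assumptions:

```python
import os

# Extensions the guidelines above say to leave out of the backup: .exe, .scr,
# .com, .pif, .html, .htm, and autorun.ini. The .bat, .cmd and .dll entries are
# my own additions (assumed, not from the thread).
EXCLUDED_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".dll",
                 ".ini", ".html", ".htm"}

# Data formats named in the guidelines (.doc, .txt, .mp3, .jpg); the remaining
# entries are assumed additions.
DATA_EXTS = {".doc", ".txt", ".mp3", ".jpg", ".docx", ".xls", ".png", ".gif",
             ".pdf", ".wav"}

def classify(path):
    """Return (verdict, reason) for one file: 'backup', 'skip' or 'review'."""
    # Split on either separator so Windows-style paths work on any host.
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    stem, ext = os.path.splitext(name)
    ext = ext.lower()
    # The extension hiding in front of the real one, e.g. ".jpg" in
    # "photo.jpg.exe": the name looks like a picture but Windows runs it.
    inner_ext = os.path.splitext(stem)[1].lower()
    if ext in EXCLUDED_EXTS:
        if inner_ext in DATA_EXTS:
            return "skip", f"disguised executable: looks like {inner_ext} but is {ext}"
        return "skip", f"excluded extension {ext}"
    if ext in DATA_EXTS:
        return "backup", f"data file ({ext})"
    return "review", f"unknown extension {ext or '(none)'}; check the full name by hand"

def plan_backup(paths):
    """Group paths by verdict so the skip/review lists can be read before copying."""
    plan = {"backup": [], "skip": [], "review": []}
    for p in paths:
        verdict, reason = classify(p)
        plan[verdict].append((p, reason))
    return plan

if __name__ == "__main__":
    # Constructed sample listing; none of these files come from the thread.
    sample = [
        r"C:\Documents and Settings\User\My Documents\letter.doc",
        r"C:\Documents and Settings\User\My Pictures\vacation.jpg.exe",
        r"C:\Documents and Settings\User\My Music\song.MP3",
        r"E:\autorun.ini",
        r"C:\Documents and Settings\User\My Documents\bookmarks.htm",
        r"C:\Documents and Settings\User\My Documents\notes",
    ]
    for verdict, items in plan_backup(sample).items():
        for p, reason in items:
            print(f"{verdict:7} {p}  ({reason})")
```

Anything that lands in the "review" list is exactly the case the post warns about: look at the full name before deciding, rather than trusting the icon.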

#5 SpeedOfLate
Posted 23 March 2009 - 07:24 AM

Gotcha. When I log out of here, I'm heading to Best Buy for an external hard drive with more capacity than my computer's hard drive. Then I guess I'll be spending my day copying my files from the computer to the external drive--and hunting the installation disks, which I fear I put in the Kingdom of the Spiders, in the deep shadows behind the desk. Have you seen my pith helmet anywhere?

Speed, up for an adventure :thumbsup::

#6 SpeedOfLate
Posted 23 March 2009 - 04:16 PM

Progress Report I

I got an external hard drive with a greater capacity than my hard drive for under a hundred bucks. Plugging it in to the USB port in the back of the computer was less than fun--you all missed some great physical comedy involving a hand mirror, a miniature Mag-Lite, and ultimately, a fairly good-sized woman crawling into the space occupied by a drawer only moments before, Mag-Lite in her mouth, Mission Impossible style. (Why aren't I cool and capable, damn it?)

Flush with my success, I waited for the installation to open automatically as promised. Nada. But it wasn't too hard to find it and get it installed, although you all might have laughed at that, too, since this stuff is no doubt second nature to you.

Anyway, that was the hard part. I quickly copied all of My Documents (no executable files there), My Music, and My Pictures without a hitch, and did not accept the external drive's prompt to automatically back up everything, since it would presumably back up executable files, too.

What remains on my computer are programs I've installed or downloaded, and a bunch of stuff I have no idea what it is, presumably much of it pre-installed by Dell when I bought it. I don't know if the completely unfamiliar folders in Program Files contain only executable files or if they have other components I could--should?--be copying to the external drive.

Could I really be done backing up what I should so quickly?

FWIW, the unfamiliar folders in C:\Program Files include Common Files, ComPlus Applications, Illiminable, InstallShield Installation Information, Learn2, Messenger (Yahoo's?), MSXML 4.0, NetZero Installers (I don't use Net Zero, never have), Online Services, Real, Sigmatel, Sonic, Viewpoint, WildTangent, and Xerox.

Am I correct when I assume I do not need/want to back up anything in the Program Files?

Speed, working slowly and carefully (maybe I have a future in bomb disposal)

#7 boopme
Posted 23 March 2009 - 06:39 PM

Ha ha, keep it up, and remember we will probably want a tutorial :thumbsup:

#8 SpeedOfLate
Posted 25 March 2009 - 08:15 AM

I was talking (okay, whining) to my husband about my computer problems when he said fine, just pay somebody to fix it, now that your data is backed up. However, our daughter insists that it's silly to pay someone (except in a broader sense of spending money helping the economy) to sit there clicking 'OK' every now and then, and to reinstall the programs I still have to hunt down, when both are so easy. She knows what she's talking about, since this site helped her reformat her desktop not all that long ago, with complete success.

So I've decided to soldier on and do it myself. I started out reading the tutorial you linked, Reformatting Windows XP, and got into a bit of confusion right off the top, trying to determine if javascript is enabled (the infected computer is not online; do I want the one I'm using to have javascript enabled, or the 'sick' one?) and whether I have an IDE or a SATA drive so my instructions can be customized for my computer. ("Uh... neither?")

Should I pose my questions here (seems the poorest choice, since it's just us two), at the XP Forum (which isn't specific to reformatting issues, I presume), or someplace else at this site?

Speed, taking it slow and easy

#9 boopme
Posted 25 March 2009 - 09:57 AM

Hi, yes, please ask these in the XP forum. We have people there that are excellent at this.