
Backdoor.Tdss.565 & IE8 Redirecting issue


  • This topic is locked
5 replies to this topic

#1 OregonSNOB

OregonSNOB

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:11 AM

Posted 11 November 2009 - 02:46 AM

Hello Everyone. I originally posted this in the HJT Forum but I think that was in error. I think it more appropriate for this forum. If I am wrong please accept my apologies.

I started getting virus/malware notices from McAfee Total Protection 2009 this week. I've tried all of the tools below, and all had a similar result. The virus would be found and removed, but would come back usually after I opened up IE8 and clicked on any link either from my “Favorites List” or from “Google” or after rebooting.

With the IE8 or after I had rolled back IE8 to IE7 or IE6, I would still have the issue of IE6, IE7, or IE8 “Redirecting” to another website. Consecutive scans would not find the virus, and then trying another tool would find it.


Things that I've tried:
-----------
McAfee Total Protection v.9.15 (Found "Backdoor.Tdss.565, & GenericFakeAlert!.cw and deleted them)
Ad-Aware Free Anti-Malware 8.1.0 (Found Nothing)
MalwareBytes v. 1.41 (Found Trojans and deleted them but they came back.)
VundoFix v. 7.0.6 (Found nothing)
SuperAntiSpyware v.4.29.1004 (Found Trojans and removed)
ATF Cleaner (Cleaned all areas of temp files and such)
Dr. Web v.5.00 (Found and Deleted Vundo Trojan, Found Backdoor.Tdss.565 in Memory and eradicated...always comes back.)
DDS (Ver_09-10-26.01) - NTFSx86

I also tried to boot into “Safe Mode”, with all of the same results as before. IE8 still “Redirects” but the virus is gone. I've had different combinations of the programs listed above installed simultaneously, but for the past 24 hours I've had only McAfee, SuperAntiSpyware, and MalwareBytes installed. I've run all three of these programs in Full Scan mode several times. They come back with no viruses but IE8 still “Redirects”.

The identified malware has varied. I've seen numerous randomly named .dll's. I've seen: usiqazej.dll (Trojan.Vundo), stonenp.dll (Trojan.Agent.U), ofotohije (Trojan.Vundo), etinewipezupewa (Trojan.Agent.U) which was in my Registry. I've seen Vundo, Vundo.H, Vundo.II and others.

I will really appreciate any help resolving this. Please let me know what additional information you need. I listed my DDS.txt file and DDS.zip file as requested.

Thanks in advance for your help.
--------------------------------------------

Malwarebytes' Anti-Malware 1.41
Database version: 3131
Windows 6.1.7600

11/8/2009 11:13:54 PM
mbam-log-2009-11-08 (23-13-54).txt

Scan type: Quick Scan
Objects scanned: 96030
Time elapsed: 5 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Users\Joseph\AppData\Local\usiqazej.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ofotohije (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\etinewipezupewa (Trojan.Agent.U) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\etinewipezupewa (Trojan.Agent.U) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Joseph\AppData\Local\usiqazej.dll (Trojan.Vundo) -> Delete on reboot.
C:\Users\Joseph\AppData\Local\stonenp.dll (Trojan.Agent.U) -> Delete on reboot.
------------------------------

Still no matter what it seems, the Trojan keeps coming back. Any help?

OregonSNOB
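The Malwarebytes log above is worth reading for more than the detection names: every item marked "Delete on reboot" is something the scanner could not remove while Windows was running, and two of them are Run-key values that restart their payload at the next logon. The following Python script is an added example, not code from the original post or from Malwarebytes: it parses a log of that 1.x text format, groups findings by family, and pulls out the autostart entries that were only scheduled for deletion. The embedded log text is constructed to match the posted one (same paths, families and actions), and the function names are this example's own.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x text log and sort the findings by
what was actually done with them.

Added example; not code from the original post or from Malwarebytes. The
embedded sample is constructed to match the mbam-log posted in the thread.
"""
import re
from collections import defaultdict

# Constructed sample, modelled on the posted log (same paths and families).
# The "Registry Values Infected: 2" summary line is included on purpose so
# the parser is shown ignoring count lines and only honouring section headers.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.41
Database version: 3131
Windows 6.1.7600

Scan type: Quick Scan
Registry Values Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Users\Joseph\AppData\Local\usiqazej.dll (Trojan.Vundo) -> Delete on reboot.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ofotohije (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\etinewipezupewa (Trojan.Agent.U) -> Quarantined and deleted successfully.

Files Infected:
C:\Users\Joseph\AppData\Local\usiqazej.dll (Trojan.Vundo) -> Delete on reboot.
C:\Users\Joseph\AppData\Local\stonenp.dll (Trojan.Agent.U) -> Delete on reboot.
"""

# A section header is "<Something> Infected:" with nothing after the colon;
# the summary block at the top uses the same words followed by a count.
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):$")
# One finding: "<path> (<family>) -> <action>." with an optional trailing dot.
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")
# Autostart locations seen in the log: HKCU/HKLM ...\CurrentVersion\Run\<value>.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)


def parse_mbam_log(text):
    """Return one dict per finding: section, path, family, action."""
    items = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            section = header.group("name")
            continue
        # Skip everything before the first section, blank lines and the
        # "(No malicious items detected)" placeholder.
        if section is None or not line or line.startswith("("):
            continue
        item = ITEM_RE.match(line)
        if item:
            items.append({"section": section, **item.groupdict()})
    return items


def pending_reboot(items):
    """Findings the scanner could not remove live; they stay in place until
    the reboot actually completes."""
    return [i for i in items if i["action"].lower().startswith("delete on reboot")]


def run_autostarts(items):
    """Registry values under a Run key, i.e. the entries that relaunch the
    payload at logon."""
    return [i for i in items
            if i["section"].startswith("Registry") and RUN_KEY_RE.search(i["path"])]


def unresolved_autostarts(items):
    """Run-key values that were only scheduled for deletion: the autostart
    entry is still present, and still starts its payload, until the reboot."""
    pending = {i["path"] for i in pending_reboot(items)}
    return [i for i in run_autostarts(items) if i["path"] in pending]


def by_family(items):
    """Map detection family -> sorted unique paths (a DLL found both in
    memory and on disk appears once)."""
    groups = defaultdict(set)
    for i in items:
        groups[i["family"]].add(i["path"])
    return {family: sorted(paths) for family, paths in groups.items()}


if __name__ == "__main__":
    found = parse_mbam_log(SAMPLE_LOG)
    for family, paths in by_family(found).items():
        print(family)
        for path in paths:
            print("   ", path)
    print("pending reboot:", len(pending_reboot(found)))
    print("unresolved Run values:", [i["path"] for i in unresolved_autostarts(found)])
```

Run against the constructed log, the script reports four of five findings as pending reboot and one Run value (the HKCU ofotohije entry) as both an autostart and pending deletion. That combination is the practical signal in a log like this: the same path showing up in the memory-modules and files sections, plus a Run value that is still live, is consistent with the poster's observation that the detections return after each reboot.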


#2 D_N_M

D_N_M

  • Members
  • 200 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:11 AM

Posted 11 November 2009 - 03:00 AM

hello OregonSNOB
Try this http://vundofix.atribune.org/
Regards


D_N_M

#3 OregonSNOB

OregonSNOB
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:11 AM

Posted 11 November 2009 - 03:20 AM

> hello OregonSNOB
> Try this http://vundofix.atribune.org/
> Regards
>
> D_N_M


As stated in my post above, I have VundoFix v. 7.0.6 and it finds nothing.

Thank you

#4 D_N_M

D_N_M

  • Members
  • 200 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:11 AM

Posted 11 November 2009 - 03:25 AM

Hello OregonSNOB
Please let me contact a malware expert to further assist you.

Regards

D_N_M

#5 OregonSNOB

OregonSNOB
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:11 AM

Posted 11 November 2009 - 07:52 PM

I think that you can close this thread. After a ton of leg work on my part and running through just about every forum on Bleepingcomputers.com, I found some helpful tips. I ran everything in Safe Mode and then ran ComboFix. That is what did the trick. I no longer have issues with my IE8 redirecting me to other websites such as www.free-video-dictionary.com every time I selected a link either from my Favorites or from inside of a Google Search.

Thank you all for your help.

#6 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,805 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:09:11 AM

Posted 11 November 2009 - 10:43 PM

Hello,

Please note:

ComboFix is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert." It is NOT for general public or personal use. Please read Combofix's Disclaimer. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

Running ComboFix by yourself is like performing open heart surgery on yourself--the scalpel and other surgical tools that ComboFix represents are meant to be wielded by a highly trained surgeon only in emergencies or dire circumstances. When the surgeon is through s/he leaves the room. So ComboFix should be removed from a system once it has accomplished its job, unlike an AV that is there to protect you from future infections.

. . . CF does make some alterations to your system if you run it. Even if you had no malware removed and run the uninstall command, some things may be different now on your system. I can tell you that one thing is that all your restore points will be flushed out and a new one created. There is a good reason to do that when you have a severe infection--but if you aren't infected you might need those restore points.

Read and abide by the disclaimer, people. It's there for a reason. Stick to running and protecting yourself with a good AV and firewall and an anti-malware scanner or two. If you feel you need a second opinion, try running online scans. If you feel you might need surgery, come here to BC and ask for help--that is what we're here for.


From: http://www.bleepingcomputer.com/forums/ind...t&p=1159014

Also please note: Just because symptoms are gone does not mean the infection is gone. Given that TDSS is a rootkit, chances are strong that there are still infections aboard. I advise leaving the topic in the HiJack This forum open. I shall remove your response to it as it is the same as the one above here. Please retain the Combofix log in case they ask you for it.

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/t/270643/trojan-virus-or-ie8-redirect-or-root/ you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days, up to two weeks perhaps less, to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript



