Backdoor.TDSS


This topic is locked
5 replies to this topic

#1 MissM

Posted 04 December 2009 - 05:36 PM

Hello to the wonderful BC community!
I have had a couple problems solved here before, and I am confident that you will be able to be of great help to me again. (I couldn't remember my exact user name and password because it's been so long, so I had to start a new account - sorry!)

Before I begin, here are the basics of the computer:

It is my dad's computer, in his office at work. I and the other employees (there are only a few of us) use it as well.
It is a Dell desktop computer, and we have Windows XP with Service Pack 3.
For AV, we have Norton Internet Security. We also have MBAM and SAS, and I recently downloaded ATF Cleaner as well. There is also Spybot S&D on here, but we never use it anymore, and I believe the TeaTimer has been disabled.

Now, onto the symptoms:

In the middle of last week, my dad called from work and said the computer was running very, very slowly. The next day, I ran an MBAM scan and it came back clean. Then, I ran a full scan using SAS, but it wasn't over when I had to go home for the night, so I left the scan on overnight. When my dad came in the next morning, SAS had been shut down. I found that odd.

I tried logging into SafeMode so I could run SAS from there, as I have been told that it is more effective in SafeMode. However, something curious happened:

After tapping F8, the usual list of options (Normal Mode, Safe Mode, Safe Mode with Networking, etc.) came up strangely - it was as if the list had been cut in half, and the bottom half was spliced above the top half. Then, when I tried Safe Mode With Networking, I got a blue screen with the following message:

A problem has been detected and windows has been shut down to prevent damage to your computer.

If this is the first time you've seen this Stop error screen, restart your computer. If this screen appears again, follow these steps:

Check to be sure you have adequate disk space. If a driver is identified in the Stop message, disable the driver or check with the manufacturer for driver updates. Try changing video adapters.

Check with your hardware vendor for any BIOS updates. Disable BIOS memory options such as caching or shadowing. If you need to use Safe Mode to remove or disable components, restart your computer, press F8 to select Advanced Startup Options, and then select Safe Mode.

Technical information:
STOP: 0x0000007E (0xC0000005, 0x80537009, 0xF7b64508, 0xF7b64204)


I restarted and tried just doing regular Safe Mode, and got the same message.

The next day, we had a friend who is a computer techie for a living come in, and he did a few things, though I can't say I really understood what he did. It was something to do with the video driver being set to "Auto" or some other option. Then, we opened up MSConfig and took out a bunch of non-essential processes. He also downloaded Mozilla FF for us to use as our principal browser.

Although SafeMode would still not boot, the computer went a lot faster after that, and scans with MBAM and SAS continued to show up clean, other than tracking cookies. I also scanned with F-Secure and the report was clean as well.

However, the next time my dad used the computer, it was slow as molasses again. Then, yesterday, I was working again so I tried it out, and it was back to its normal speed. Again, I scanned with MBAM and SAS and the logs were both spotless.

Today, when I got to work, the computer was back to being slow again. I thought this cycle of fine-slow-fine-slow was very strange. Also, I looked in the registry under his HKCU\.....CurrentVersion\Run and found an entry that was not there any of the other times I looked (I check this folder every month or two to make sure that nothing odd has been added). This newly added file was "ctfmon.exe".

So, given the inconsistent performance and Safe Mode failure despite clean logs, I wondered if we might have a hard-to-detect rootkit. I downloaded RootRepeal and ran it this afternoon. However, I realized I cannot make heads or tails of the log, so I also downloaded and ran DrWebCureIt, and it has detected a few instances of Backdoor.TDSS, which I understand to be a rootkit.

Here are the two logs:

ROOTREPEAL AD, 2007-2009
==================================================
Scan Start Time: 2009/12/04 16:19
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xAA17C000 Size: 49152 File Visible: No Signed: -
Status: -

Name: SYMEFA.SYS
Image Path: SYMEFA.SYS
Address: 0xF7306000 Size: 323584 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 012 Function Name: NtAlertResumeThread
Status: Hooked by "<unknown>" at address 0x85cad050

#: 013 Function Name: NtAlertThread
Status: Hooked by "<unknown>" at address 0x85d27050

#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "<unknown>" at address 0x85c5c480

#: 019 Function Name: NtAssignProcessToJobObject
Status: Hooked by "<unknown>" at address 0x8684f050

#: 031 Function Name: NtConnectPort
Status: Hooked by "<unknown>" at address 0x86939428

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xaa4ed130

#: 043 Function Name: NtCreateMutant
Status: Hooked by "<unknown>" at address 0x85c53b40

#: 052 Function Name: NtCreateSymbolicLinkObject
Status: Hooked by "<unknown>" at address 0x85c4e9f8

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x868502b0

#: 057 Function Name: NtDebugActiveProcess
Status: Hooked by "<unknown>" at address 0x86851050

#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xaa4ed3b0

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xaa4ed910

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "<unknown>" at address 0x85c5c718

#: 083 Function Name: NtFreeVirtualMemory
Status: Hooked by "<unknown>" at address 0x85c5bd38

#: 089 Function Name: NtImpersonateAnonymousToken
Status: Hooked by "<unknown>" at address 0x86878050

#: 091 Function Name: NtImpersonateThread
Status: Hooked by "<unknown>" at address 0x86852050

#: 097 Function Name: NtLoadDriver
Status: Hooked by "<unknown>" at address 0x86900dc0

#: 108 Function Name: NtMapViewOfSection
Status: Hooked by "<unknown>" at address 0x85c5bbd8

#: 114 Function Name: NtOpenEvent
Status: Hooked by "<unknown>" at address 0x86766050

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0x85c5ca38

#: 123 Function Name: NtOpenProcessToken
Status: Hooked by "<unknown>" at address 0x86768050

#: 125 Function Name: NtOpenSection
Status: Hooked by "<unknown>" at address 0x86764050

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0x85c5c868

#: 137 Function Name: NtProtectVirtualMemory
Status: Hooked by "<unknown>" at address 0x85c4f2b0

#: 206 Function Name: NtResumeThread
Status: Hooked by "<unknown>" at address 0x868bf6d8

#: 213 Function Name: NtSetContextThread
Status: Hooked by "<unknown>" at address 0x86853050

#: 228 Function Name: NtSetInformationProcess
Status: Hooked by "<unknown>" at address 0x85c5b8c0

#: 240 Function Name: NtSetSystemInformation
Status: Hooked by "<unknown>" at address 0x85d26050

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xaa4edb60

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x86765050

#: 254 Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x86767050

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys" at address 0xaa4080b0

#: 258 Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0x86879050

#: 267 Function Name: NtUnmapViewOfSection
Status: Hooked by "<unknown>" at address 0x85d28050

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x85c5c130

==EOF==

As for Dr Web CureIt, I don't know if I should post the whole log since it is so huge, but here are the "highlights":

Process in memory: C:\WINDOWS\Explorer.EXE:156 infected with BackDoor.Tdss.565 - eradicated
C:\WINDOWS\system32\drivers\atapi.sys infected with BackDoor.Tdss.1365 - cured

If you want me to post the whole thing, let me know.

Not sure if this last bit of info might be helpful, but there really have only been two "changes" to our computer lately. One is that at the end of September, we got rid of our old printer and installed an HP Officejet All-in-One printer/fax/scanner. Then, about 3-4 weeks ago, my dad bought an iPod Touch and installed iTunes on this computer, and has been uploading lots of songs to it.

EDITING TO ADD: As of yesterday, using Mozilla to access Yahoo or this site has led to a strange visual display. To be brief, the usual backgrounds are not there and all the text is sort of pushed close together. IE displays things fine, however. Also, when I went to Zone MSN to play my daily jigsaw puzzle, I got a message saying that it was possibly a fake version of the site so I should browse away. I use this website every day at home, too, and have never had a problem so I was unnerved and clicked away quickly.

Well, I think that's about it. Sorry to be so long-winded, but I just want to be thorough. Please advise me as to what I should do next.

Thank you! :thumbsup:
Karen

Edited by MissM, 04 December 2009 - 05:50 PM.
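An added triage script for RootRepeal output like the log in the post above (example code written here, not part of the post, of BleepingComputer or of RootRepeal): it parses the Drivers and SSDT sections, attributes each hook to the module RootRepeal named where it named one, and flags the `<unknown>` hooks whose handler address lies in no listed driver image, which is the pattern a kernel-mode rootkit leaves while a security product's own hooks (SYMEVENT.SYS, SASKUTIL.sys) come with a path. The embedded log is a constructed excerpt modelled on the post's log, not the full log.

```python
import re

# Constructed excerpt modelled on the RootRepeal log in the post above (not the full log).
SAMPLE_LOG = r"""Drivers
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xAA17C000 Size: 49152 File Visible: No Signed: -
Name: SYMEFA.SYS
Image Path: SYMEFA.SYS
Address: 0xF7306000 Size: 323584 File Visible: No Signed: -

SSDT
#: 012 Function Name: NtAlertResumeThread
Status: Hooked by "<unknown>" at address 0x85cad050
#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xaa4ed130
#: 097 Function Name: NtLoadDriver
Status: Hooked by "<unknown>" at address 0x86900dc0
"""

# One "Name / Image Path / Address ... Size" triple per listed driver.
DRIVER_RE = re.compile(
    r"Name: (?P<name>\S+)\r?\nImage Path: [^\r\n]*\r?\n"
    r"Address: (?P<addr>0x[0-9A-Fa-f]+) Size: (?P<size>\d+)")
# One "#: nnn Function Name / Status: Hooked by" pair per patched SSDT entry.
HOOK_RE = re.compile(
    r"#: (?P<idx>\d+) Function Name: (?P<func>\w+)\r?\n"
    r'Status: Hooked by "(?P<by>[^"]*)" at address (?P<addr>0x[0-9A-Fa-f]+)')

def parse_drivers(log):
    """(name, load address, image size) for every driver in the Drivers section."""
    return [(m["name"], int(m["addr"], 16), int(m["size"]))
            for m in DRIVER_RE.finditer(log)]

def parse_hooks(log):
    """(SSDT index, function, owner, handler address) for every hooked entry."""
    return [(int(m["idx"]), m["func"], m["by"], int(m["addr"], 16))
            for m in HOOK_RE.finditer(log)]

def owner_of(addr, drivers):
    """Name of the listed driver whose image range contains addr, else None."""
    for name, base, size in drivers:
        if base <= addr < base + size:
            return name
    return None

def triage(log):
    """Label each hook: a named module is attributable (confirm it belongs to a
    product you installed); '<unknown>' with a handler inside no listed image
    is what a kernel-mode rootkit such as TDSS leaves in the SSDT."""
    drivers = parse_drivers(log)
    report = []
    for idx, func, owner, addr in parse_hooks(log):
        image = owner_of(addr, drivers)
        if owner != "<unknown>":
            verdict = f"attributed to {owner}"
        elif image:
            verdict = f"UNKNOWN OWNER: handler inside {image}"
        else:
            verdict = "SUSPICIOUS: no owning module, handler in no listed driver image"
        report.append((idx, func, addr, verdict))
    return report

def suspicious_functions(log):
    """Kernel services whose hooks could not be tied to any module."""
    return [f for _, f, _, v in triage(log) if v.startswith("SUSPICIOUS")]
```

Run `triage()` over a full RootRepeal log to get one verdict per SSDT line; the list from `suspicious_functions()` is what to bring to a malware-removal helper, while attributed hooks only need checking against the products actually installed.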



#2 garmanma

Posted 06 December 2009 - 05:21 PM

Status: Hooked by "<unknown>" at address 0x85cad050


Rootkit Threat

Unfortunately, one or more of the identified infections is a rootkit/backdoor trojan.

IMPORTANT NOTE: Rootkits and backdoor Trojans are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypasses security mechanisms and steal sensitive information which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, you should immediately disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised. You should change each password by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

Although the rootkit has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because this malware has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

Should you decide not to follow that advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful. Tell me what you want to do.
Mark
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#3 MissM (Topic Starter)

Posted 07 December 2009 - 09:02 AM

Hello, Mark. Thank you very much for your reply!

As this is my dad's computer, I will have to ask him before I do any reformatting or reinstalling. He does not really know anything technical about computers, and I know a bit, but not a great deal, so if you could answer a couple of questions for me before I talk to him about this, I would really appreciate it.

1. Would reformatting/reinstalling totally wipe all files off of the computer? I know one reason that my dad did not want to take the computer in to a tech store was because he was afraid they would wipe the computer and he would lose the couple thousand songs he just spent 3 weeks uploading to iTunes (it is his newest hobby, lol). Also, as it is a work computer, we have contacts for our customers and some important spreadsheets.

2. If a total wipe is in the cards, would there be any way to transfer the important files to a USB or something? Or would plugging in a USB thus transfer the infection to it?

3. Would there be any way to exactly pinpoint when this rootkit was contracted? It really just started being slow around November 25 or so, but I don't know if it might have gotten in before that. The reason that I ask is that I set up an Amazon account for myself on the 11th and doing so involved entering my credit card number into their site. Could the person behind this have my credit card number? I have not used my account on that computer since that day.

4. Is there any way to tell where this might have come from? I have read that this kind of virus can come from porn websites or sites offering illegal downloads. I would sincerely hope that no employees are visiting porn sites during work hours, but I guess you never know...


Thanks for any answers you can give me to these questions, even if they are not the answers I want to hear, lol.

Also, I should let you know the latest symptom of the computer, in case that helps in any way.

Later Friday night, I decided to do a search on Backdoor.TDSS to see if I could find any more info, perhaps about where it came from. I believe I used Yahoo for the search. The second result that came up said it was an explanation from the F Secure website, and it had a green check mark next to it, so I assumed it to be okay. Well, when I clicked on it, first the URL in the address bar changed to something about a search engine or portal or something, and then it changed again to something I believe to be pornographic. I clicked the X right away but it took about 2 or 3 minutes for the window to actually close. Luckily in that time, nothing actually appeared on the screen: it was just blank white. However, when I clicked ctrl-alt-del, the computer usage was 100%, and processes that usually don't take much space, i.e., maybe a few thousand, were in the range of about 20 or 30,000 k.

I haven't been at work since, so that is the last I saw of it. I will be back in tomorrow morning.

Editing to add: Would HJT be of any help to me? I saw that some other users in this forum who have the Backdoor TDSS were instructed to use it. Or, is it shown that my dad's computer is more deeply infected? I don't really know what the RootRepeal log means. Thanks!

Thank you so much for your help,
Karen :thumbsup:

Edited by MissM, 07 December 2009 - 09:50 AM.


#4 garmanma

Posted 07 December 2009 - 06:52 PM

Would reformatting/reinstalling totally wipe all files off of the computer?

Yes, but you can fairly safely back up the music

If a total wipe is in the cards, would there be any way to transfer the important files to a USB or something? Or would plugging in a USB thus transfer the infection to it?

Written text files, yes, there is a good chance.

Would there be any way to exactly pinpoint when this rootkit was contracted?

Exactly, no. P2P and music download sites are the main culprits. Also opening email attachments.

You can try our HJT forum. Since this is a business computer, I just wanted to let you know that we won't be able to 100% guarantee that you will be virus-free.
The HJT forum is very busy and you might not get a response for up to a week



Please read the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". If you cannot complete a step, then skip it and continue with the next. In Step 6 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log.

You will also be instructed to create a Root Repeal Log

When you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

The HJT team is very busy and it will take awhile to get to your post
Please be patient and good luck
Mark

#5 MissM (Topic Starter)

Posted 07 December 2009 - 09:05 PM

Thank you very much, Mark, for all of your help and information! I greatly appreciate it.

To my knowledge, there has never been a P2P/music downloading program on our computer. As for an email attachment, I suppose that with four people checking emails, one bad attachment may have been accidentally opened. Norton does seem to have a really good email scanner, though, as it has picked up on lots of infected attachments over the past 2 years.

Well, in any case, I gave my dad the spiel about what types of websites to never, ever go on and he relayed it to our other employees so hopefully this will not happen again.

As for fixing the current problem, however, my dad says he needs to get it taken care of as soon as possible, so he has decided to take our computer in to Best Buy's Geek Squad. They are going to attempt to clean it completely, but will reformat/reinstall if they aren't satisfied with the cleaning. I am going into work tomorrow morning for a few hours, to check in on things, but I'm sure that's not enough time for me to do everything that would be required of me in the HJT forum.

So, I suppose, this topic can be closed.

Thank you again, ever so much!

Happy holidays!
Karen :thumbsup:

Edited by MissM, 07 December 2009 - 09:07 PM.


#6 garmanma

Posted 08 December 2009 - 06:50 PM

Same to you
Mark
