
Possible TDL3 rootkit infection, plus Backdoor.Tidserv!inf


This topic is locked
2 replies to this topic

#1 UncleWillie

Posted 10 December 2009 - 11:46 PM

Hi, folks. I was referred here by some people over on a Norton Forum. Here is the thread if anyone is interested:

hxxp://community.norton.com/norton/board/message?board.id=nis_feedback&thread.id=90685&view=by_date_ascending&page=1

I am performing tech support on my wife's laptop. Saturday Nov. 28 she apparently got infected by a drive-by malware attack. She got some popup warning about a virus infection. She doesn't think she clicked on anything, but she has been having browser hijacks taking her to random sites ever since, both with Mozilla and IE. I see Microsoft just released a bunch of security patches. A little late for us.

Anyway, McAfee was running when it got infected. I since uninstalled McAfee, installed Norton Internet Security 2010, SUPERAntiSpyware, Malwarebytes, MRT and ran online scans from F-Secure and Trend Micro. Occasionally something will turn up, but the redirects keep coming back. Norton has quarantined atapi.sys (Backdoor.Tidserv!inf) a couple of times today. GMER also previously identified c:\WINDOWS\system32\drivers\atapi.sys as having a suspicious modification.

I tried all the usual suggestions, but since the scans aren't finding much and there is some indication of suspicious activity, it has been suggested that we have a TDL3 rootkit.

Unfortunately, I don't think the laptop (Toshiba Satellite M1215 S3094) came with Windows install discs.

Here is the output from DDS:

DDS (Ver_09-12-01.01) - NTFSx86
Run by MA at 22:20:05.84 on Thu 12/10/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1526.900 [GMT -5:00]

AV: Norton Internet Security *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Norton Internet Security\Engine\17.1.0.19\ccSvcHst.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton Internet Security\Engine\17.1.0.19\ccSvcHst.exe
C:\Program Files\Norton PC Checkup\Engine\2.0.1.246\ccSvcHst.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Norton Internet Security\Engine\17.1.0.19\ccSvcHst.exe
C:\Program Files\Norton PC Checkup\Engine\2.0.1.246\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Norton Utilities 14\nu.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\MySoftware\McAfee\McafeeRootkitDetective\Rootkit_Detective.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\MySoftware\DDS\dds.scr

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\17.1.0.19\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\17.1.0.19\IPSBHO.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\17.1.0.19\coIEPlg.dll
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [NortonUtilities] c:\program files\norton utilities 14\nu.exe /H
uRun: [AOL Fast Start] "c:\program files\america online 9.0\AOL.EXE" -b
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8942.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1162772332838
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1260405740656
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\ma\applic~1\mozilla\firefox\profiles\vaiioodi.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\coffplgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\ipsffplgn\components\IPSFFPl.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1101000.013\SymDS.sys [2009-12-7 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1101000.013\SymEFA.sys [2009-12-7 171056]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\definitions\bashdefs\20091104.001\BHDrvx86.sys [2009-11-4 524848]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1101000.013\cchpx86.sys [2009-12-7 501888]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-11-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-11-23 74480]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1101000.013\Ironx86.sys [2009-12-7 114736]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\17.1.0.19\ccSvcHst.exe [2009-12-7 126392]
R2 PCCUJobMgr;Common Client Job Manager Service;c:\program files\norton pc checkup\engine\2.0.1.246\ccSvcHst.exe [2009-11-28 126392]
R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [2006-6-28 98816]
R2 vnccom;vnccom;c:\windows\system32\drivers\vnccom.SYS [2008-8-13 6016]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-12-7 102448]
R3 f7aACF;f7aACF;c:\windows\system32\f7aACF.sys [2009-12-10 54624]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\definitions\ipsdefs\20091111.001\IDSXpx86.sys [2009-12-7 329592]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\definitions\virusdefs\20091210.023\NAVENG.SYS [2009-12-10 84912]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\definitions\virusdefs\20091210.023\NAVEX15.SYS [2009-12-10 1323568]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-11-23 7408]
S?4 EraserSvc10923;Symantec Eraser Service;c:\program files\norton internet security\engine\17.1.0.19\ccSvcHst.exe [2009-12-7 126392]
S3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;\??\c:\docume~1\ma\locals~1\temp\onlinescanner\anti-virus\fsgk.sys --> c:\docume~1\ma\locals~1\temp\onlinescanner\anti-virus\fsgk.sys [?]
S3 IO_Memory;IO_Memory;\??\c:\sysprep\drivers\ioport.sys --> c:\sysprep\drivers\ioport.sys [?]
S3 NIKIBP;NIKIBP;c:\docume~1\ma\locals~1\temp\nikibp.exe --> c:\docume~1\ma\locals~1\temp\NIKIBP.exe [?]
S3 P1171VID;Creative WebCam Notebook #2;c:\windows\system32\drivers\P1171Vid.sys [2009-3-19 91392]
S3 SVRPEDRV;SVRPEDRV;\??\c:\sysprep\pedrv.sys --> c:\sysprep\PEDrv.sys [?]
S4 Norton PC Checkup Application Launcher;Norton PC Checkup Application Launcher;c:\program files\norton pc checkup\engine\2.0.1.246\SymcPCCULaunchSvc.exe [2009-11-28 123248]

=============== Created Last 30 ================

2009-12-11 03:04:50 54624 ----a-w- c:\windows\system32\f7aACF.sys
2009-12-11 03:04:32 2335270 ----a-w- c:\windows\system32\d1bACE.mht
2009-12-10 12:20:22 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2009-12-10 12:02:05 219 ----a-w- c:\windows\system32\MRT.INI
2009-12-10 04:47:10 0 d-----w- c:\windows\system32\CatRoot2
2009-12-10 03:51:26 0 d-----w- c:\program files\Microsoft Easy Assist
2009-12-10 03:51:10 0 d-----w- c:\docume~1\alluse~1\applic~1\Applications
2009-12-09 04:11:04 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-12-09 04:11:04 0 d-----w- c:\documents and settings\ma\log
2009-12-09 02:49:35 73728 ----a-w- c:\windows\system32\javacpl.cpl
2009-12-09 02:49:35 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-08 03:32:01 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2009-12-08 03:32:01 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2009-12-08 03:32:01 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-12-08 03:32:01 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-12-08 03:32:01 0 d-----w- c:\program files\Symantec
2009-12-08 03:30:31 0 d-----w- c:\windows\system32\drivers\NIS
2009-12-08 03:30:28 0 d-----w- c:\program files\Norton Internet Security
2009-12-08 02:04:12 0 d-----w- c:\program files\Trend Micro
2009-12-06 19:47:17 5771264 ----a-w- c:\documents and settings\ma\s-1-5-21-1516350078-377577214-2716412152-1005.rrr
2009-12-06 17:37:06 212992 ----a-w- c:\windows\system32\UniBoxVB12.ocx
2009-12-06 17:37:06 1101824 ----a-w- c:\windows\system32\UniBox210.ocx
2009-12-06 17:37:05 880640 ----a-w- c:\windows\system32\UniBox10.ocx
2009-12-06 17:37:02 0 d-----w- c:\program files\Norton Utilities 14
2009-12-02 01:13:00 0 d-----w- C:\My Music
2009-12-01 16:48:31 0 dc----w- c:\windows\system32\dllcache\cache
2009-12-01 16:38:38 98816 ----a-w- c:\windows\sed.exe
2009-12-01 16:38:38 161792 ----a-w- c:\windows\SWREG.exe
2009-11-29 05:47:07 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-11-29 05:47:04 0 d-----w- c:\program files\common files\Wise Installation Wizard
2009-11-29 05:46:54 0 d-----w- c:\windows\system32\drivers\NortonPCCheckup
2009-11-29 05:46:16 0 d-----w- c:\docume~1\alluse~1\applic~1\F-Secure
2009-11-29 04:15:13 0 d-----w- c:\program files\SUPERAntiSpyware
2009-11-29 04:15:13 0 d-----w- c:\docume~1\ma\applic~1\SUPERAntiSpyware.com
2009-11-29 00:05:37 262144 ---ha-w- c:\documents and settings\ma\ntuser.dat.LOG1
2009-11-29 00:05:37 0 ---ha-w- c:\documents and settings\ma\ntuser.dat.LOG2
2009-11-28 18:57:51 0 d-----w- c:\program files\common files\Symantec Shared
2009-11-28 18:51:38 0 d-----w- c:\docume~1\ma\applic~1\Tific
2009-11-28 18:51:14 0 d-----w- c:\program files\Norton PC Checkup
2009-11-28 18:51:14 0 d-----w- c:\docume~1\alluse~1\applic~1\Norton
2009-11-28 18:50:34 0 d-----w- c:\program files\NortonInstaller
2009-11-28 18:50:34 0 d-----w- c:\docume~1\alluse~1\applic~1\NortonInstaller
2009-11-28 17:39:32 0 d-sh--w- c:\documents and settings\ma\IECompatCache
2009-11-28 17:38:50 0 d-sh--w- c:\documents and settings\ma\PrivacIE
2009-11-28 17:34:40 0 d-sh--w- c:\documents and settings\ma\IETldCache
2009-11-28 17:26:58 92160 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-11-28 17:26:36 0 d-----w- c:\windows\ie8updates
2009-11-28 17:25:04 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-11-28 17:25:03 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-11-28 17:21:56 0 dc-h--w- c:\windows\ie8
2009-11-28 15:11:58 0 d-----w- c:\docume~1\ma\applic~1\Malwarebytes
2009-11-28 15:11:51 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-28 15:11:49 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-28 15:11:49 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-28 15:11:49 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-11-28 13:03:40 0 d-----w- c:\windows\system32\wbem\Repository

==================== Find3M ====================

2009-12-10 17:17:06 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-10-29 07:45:38 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20:16 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-17 16:38:02 48248 ---ha-w- c:\windows\system32\mlfcache.dat
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll

============= FINISH: 22:21:50.25 ===============

I will attach the attach.txt and the RootRepeal log. The forum instructions said to attach these, but the attach file said not to. I won't have access to the laptop during the day, so I will attach them. Sorry if that is a problem.

Thanks in advance for any help you can provide.

Uncle Willie


Edited by Orange Blossom, 11 December 2009 - 08:08 PM.
Deactivate link. ~ OB
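As an added triage example (not part of the post or any tool it mentions), the Python below parses DDS "Created Last 30" / "Find3M" file lines and flags the two things a responder would look at in this log: a core boot driver such as atapi.sys whose timestamp falls inside the incident window, and a short hex-named .sys sitting directly in the system32 root. The watch list, the window dates and the sample lines are constructed from the post's own log and dates; the driver list is a hypothetical one for illustration.

```python
import re
from datetime import datetime

# Constructed sample modelled on the DDS "Created Last 30" / "Find3M" lines in the post.
SAMPLE_DDS = r"""
2009-12-11 03:04:50 54624 ----a-w- c:\windows\system32\f7aACF.sys
2009-12-10 17:17:06 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-10-29 07:45:38 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-20 16:20:16 265728 ----a-w- c:\windows\system32\drivers\http.sys
"""

# DDS file line: "<date> <time> <size> <attrs> <path>"; the path may contain spaces.
DDS_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\d+) (\S+) (.+)$")

# Hypothetical watch list: boot-start storage drivers the Tidserv/TDL3 family
# patched in place (atapi.sys is the one named in the post and the DDS output).
WATCHED_DRIVERS = {"atapi.sys", "iastor.sys"}
# A driver dropped directly in system32 (not system32\drivers) with a short hex name.
RANDOM_NAME = re.compile(r"^[0-9a-f]{6,8}\.sys$")

# Incident window taken from the post: drive-by on 28 Nov, DDS run on 10 Dec 2009.
INCIDENT_START = datetime(2009, 11, 28)
INCIDENT_END = datetime(2009, 12, 11, 23, 59, 59)


def parse_dds_files(text):
    """Return one dict per parsable DDS file line; paths are lower-cased for matching."""
    entries = []
    for line in text.splitlines():
        m = DDS_LINE.match(line.strip())
        if not m:
            continue  # section headers, blank lines, non-file lines
        ts, size, attrs, path = m.groups()
        entries.append({"mtime": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                        "size": int(size), "attrs": attrs, "path": path.lower()})
    return entries


def flag_suspicious(entries, window_start=INCIDENT_START, window_end=INCIDENT_END):
    """Return (path, reason) pairs worth a responder's attention."""
    flagged = []
    for e in entries:
        parent, _, name = e["path"].rpartition("\\")
        if not (window_start <= e["mtime"] <= window_end):
            continue  # only files touched during the incident window are interesting
        if name in WATCHED_DRIVERS:
            flagged.append((e["path"], "core boot driver modified inside the incident window"))
        elif parent.endswith("\\system32") and RANDOM_NAME.match(name):
            flagged.append((e["path"], "randomly named driver in system32 root; confirm origin "
                                       "(rootkit scanners also load drivers like this)"))
    return flagged


if __name__ == "__main__":
    for path, reason in flag_suspicious(parse_dds_files(SAMPLE_DDS)):
        print(f"{path}: {reason}")
```

A timestamp is only a lead: a patched atapi.sys keeps its original size, so confirm with a hash against a known-good copy (for example the one in dllcache or the service-pack source) before treating the file as modified.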


#2 UncleWillie (Topic Starter)

Posted 12 December 2009 - 12:13 PM

Well, never mind. Norton Internet Security found something it didn't like and told me to restart to finish the cleanup process. After that Windows wouldn't boot up. BSOD.

The first time it happened I was able to boot with the last known good configuration. Then even that wouldn't work. I just found the system restore disc and restored it to its original configuration. :(

Luckily we backed up all the data.

Note to anyone with similar problems: Back up your data ASAP. Consider saving time by restoring to start with instead of trying to alleviate a rootkit infection.

#3 Elise (Malware Study Hall Admin)

Posted 18 December 2009 - 02:32 PM

Sorry to hear that, but indeed, backup can save you much trouble!

This topic is now closed.

regards, Elise
