
Can't Shake BackDoor.tdss.565 or Access Safe Mode


5 replies to this topic

#1 Grrrrrrrr
  • Members
  • 5 posts

Posted 16 December 2009 - 05:37 PM

---I was running Iobit's Advanced SystemCare Free and Security 360. I had been using Avast Pro, but there was an error in the program that would report every startup file as a virus, and they suggested in their FAQs that when something of this nature happens, it is an error in the program and to uninstall the program until they fix the error (because it could damage the OS eventually), so I grabbed a free AVP for the time being. No one on the PC but myself has admitted/made mention of any false reports to update programs like Flash Player, so I believe, since this infection has been noted to come from forums and such, that it either came from Craigslist, MySpace or EVONY forums. Those AFAIK are the only places anyone visits, with the exception of the normal email clients and such, for which no one has the preview pane activated, and everyone knows to avoid suspicious eMails, as this has been the normal practice for the past 10+ years.

---I got up early this morning and logged into my desktop. While rubbing my eyes, I clicked the Okay for the Flash Player Update that I knew better than to click due to warnings 3 months ago, then I clicked the okay for restarting Firefox so the installation of the plug-in could finish and, lo and behold, when I restarted Firefox, search result pages had been hijacked (obvious by the different font) and the browser was redirected to sites such as realsimple dot com, hxxp://64.21.20.248, hxxp/wwwmoevenpickhotels dot com, filterchemical. dot com and, from the beginning, the one most infected people's systems are showing most often, local-news-online dot com.

---I can't access Safe Mode to try and perform the usual procedures for disinfecting either. When I tried safe mode originally, the system rebooted after loading Windows drivers. I disabled reboot on errors (via F8) and on the next attempt to boot to Safe Mode, received the address 0x0000007E (0xC0000005, 0x0122C000, 0x0122C000, 0xF789E504, 0xF789E200)... If anyone sees anything there.

---Searching Google for local-news-online dot com led me to Dr.Web Scanner, and results show BackDoor.tdss.565 in C:\WINDOWS\system32\svchost.exe:1204 (earlier it was 1608 IIRC). Dr.Web Scanner shows it was eradicated, so I guess that is why the Select All | Cure | Rename | Move | Delete buttons are grayed out, but even changing settings to delete the infected file proves futile: restart the system and it's there again. System Restore is disabled.

---Oh yeah, no C: or D: drive is visible in Disk Management and they were before. They are not hidden when looking in Explorer though. C: is OS and D: is storage.

---My PC seems to be locking up when performing the RootRepeal scan, cursor/pointer freezes and active HDD LED is steady glow, so I am going to post the first 2/3 of the requested logs (DDS & Attach) while I let it sit and finish. Maybe it's something to do with over-abundance of drivers or maybe it is* locking up.

---Preempt Thank Yous also.

edit:
---Okay, no luck with RootRepeal. Left it running since just* after I posted the topic and it was locked up tight. Sysinternal's RootkitRevealer is running now JIC that will do.


edit morning of 12/17/09:
---Still can't get RootRepeal to run without the system locking up. Reinstalled Avast, ran thorough boot scan and came back to run Dr.Web again and find :
setupyaheh.zip\{app}\YMSG12ENCRYPT.dll;V:\Old PC\Desktop\My_Stuff\Images\Scout\setupyaheh.zip;BackDoor.Spy.76;;
setupyaheh.zip;V:\Old PC\Desktop\My_Stuff\Images\Scout;Archive contains infected objects;;
setupyaheh.exe\{app}\YMSG12ENCRYPT.dll;V:\Old PC\Desktop\My_Stuff\Images\Scout\setupyaheh.exe;BackDoor.Spy.76;;
setupyaheh.exe;V:\Old PC\Desktop\My_Stuff\Images\Scout;Archive contains infected objects;;
Process in memory: C:\WINDOWS\system32\svchost.exe:1200;;BackDoor.Tdss.565;Eradicated.

---Is this yahelite.new/exe a so-called "false positive" like everyone is claiming, or is this program infected and lying dormant? Does this forum explain the possibility, or is it another "guess" that this is a false positive? I have no clue how viruses work, so reading the results is like Navajo to me.

Edited by Grrrrrrrr, 17 December 2009 - 05:52 AM.
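The Dr.Web report lines quoted in the post above have a fixed layout (object;location;threat;...;action) that is easy to misread, in particular the difference between a detection in a file packed inside an archive and a detection in the memory of a running process. The following is an added example, not code from the post or from Dr.Web, that parses such lines and flags the situation the post describes: a threat reported "Eradicated" in svchost.exe memory that comes back under a new PID after every reboot. The column meanings are inferred from the quoted lines rather than from Dr.Web documentation, the sample report is constructed from those lines, and the remarks about TDSS in the comments are background on the malware family, not something the log itself proves.

```python
"""Parse Dr.Web (CureIt!) scan-report lines and separate in-memory
detections from on-disk ones. Added example; column layout is inferred
from the lines quoted in the thread, not from Dr.Web documentation."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the five report lines from the post, verbatim layout.
SAMPLE_REPORT = r"""
setupyaheh.zip\{app}\YMSG12ENCRYPT.dll;V:\Old PC\Desktop\My_Stuff\Images\Scout\setupyaheh.zip;BackDoor.Spy.76;;
setupyaheh.zip;V:\Old PC\Desktop\My_Stuff\Images\Scout;Archive contains infected objects;;
setupyaheh.exe\{app}\YMSG12ENCRYPT.dll;V:\Old PC\Desktop\My_Stuff\Images\Scout\setupyaheh.exe;BackDoor.Spy.76;;
setupyaheh.exe;V:\Old PC\Desktop\My_Stuff\Images\Scout;Archive contains infected objects;;
Process in memory: C:\WINDOWS\system32\svchost.exe:1200;;BackDoor.Tdss.565;Eradicated.
"""

# "Process in memory: <image path>:<pid>"
_PROCESS_RE = re.compile(r"^Process in memory:\s*(?P<image>.+):(?P<pid>\d+)$")


@dataclass
class Finding:
    kind: str              # "process", "archive_member", "archive_container" or "file"
    obj: str               # first column, exactly as written in the report
    location: str          # second column: archive path or containing directory
    threat: str            # third column: detection name
    action: str            # last non-empty trailing column ("" when none)
    image: Optional[str] = None   # process image path (process findings only)
    pid: Optional[int] = None     # process id (process findings only)


def parse_line(line: str) -> Optional[Finding]:
    fields = line.rstrip("\r\n").split(";")
    if len(fields) < 3 or not fields[0]:
        return None
    obj, location, threat = fields[0], fields[1], fields[2]
    action = next((f for f in reversed(fields[3:]) if f), "")
    m = _PROCESS_RE.match(obj)
    if m:
        return Finding("process", obj, location, threat, action,
                       image=m.group("image"), pid=int(m.group("pid")))
    if threat == "Archive contains infected objects":
        return Finding("archive_container", obj, location, threat, action)
    if "\\" in obj:      # "archive\{app}\member.dll": a member inside an archive
        return Finding("archive_member", obj, location, threat, action)
    return Finding("file", obj, location, threat, action)


def parse_report(text: str) -> List[Finding]:
    return [f for f in (parse_line(l) for l in text.splitlines()) if f]


def needs_disk_followup(f: Finding) -> bool:
    """A detection 'eradicated' inside a process says nothing about the
    component that put it there. TDSS/TDL3 kept its persistence in a
    kernel-mode driver and injected its payload into svchost.exe, so curing
    svchost.exe in memory is undone at the next boot."""
    return f.kind == "process" and f.action.lower().startswith("eradicated")


def recurring_process_detections(
        runs: List[List[Finding]]) -> Dict[Tuple[str, Optional[str]], List[int]]:
    """Same threat in the same image across several scans, each time with a
    fresh PID: the process is being re-infected at every boot."""
    seen: Dict[Tuple[str, Optional[str]], List[int]] = {}
    for run in runs:
        for f in run:
            if f.kind == "process" and f.pid is not None:
                seen.setdefault((f.threat, f.image), []).append(f.pid)
    return {k: pids for k, pids in seen.items() if len(pids) > 1}


if __name__ == "__main__":
    for f in parse_report(SAMPLE_REPORT):
        flag = "  <- loader still on disk" if needs_disk_followup(f) else ""
        print(f"{f.kind:17} {f.threat:34} {f.action or '-'}{flag}")
```

Feeding the earlier run's line (svchost.exe:1204) and the later one (svchost.exe:1200) to recurring_process_detections returns the pair of PIDs for BackDoor.Tdss.565, which is exactly the pattern of an on-disk loader surviving an in-memory cure.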




#2 Grrrrrrrr
  • Topic Starter
  • Members
  • 5 posts

Posted 16 December 2009 - 07:09 PM

This is all I got in the report from RootkitRevealer.

HKLM\SECURITY\Policy\Secrets\SAC* 6/28/2009 11:59 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 6/28/2009 11:59 PM 0 bytes Key name contains embedded nulls (*)

#3 Grrrrrrrr
  • Topic Starter
  • Members
  • 5 posts

Posted 17 December 2009 - 10:24 AM

http://support.kaspersky.com/viruses/solutions?qid=208280684

DLed and ran the TDSSKiller tool from Kaspersky, and not only is the system up and running from boot in about 80 seconds (20 seconds from sign-in), like this system should be, but I can see my C: and D: drives again under Disk Management. Infected driver. Let me know if you want me to perform any other scans. I will now try rebooting in Safe Mode and then running RootRepeal. Hopefully both will work. :(

edit afternoon of 12/17/09:
---So far wife has been online and reports no browser redirects & son is about to make some audio tracks. I was able to install two inner tie rods on the Mustang and set the alignment :( so all is well at this time. Hoping you can help me make sure the workstation is clean and maybe even speed it up like it's supposed to be.

---RootRepeal still locks up PC but not as suddenly. Does this program do this sort of thing or is it abnormal? Awaiting response before trying again or DLing another program that might be worthless in your helping.

---Again, preempt Thank Yous (many thanks) and hope you're doing well for others... ~waits patiently~ :)

Edited by Grrrrrrrr, 17 December 2009 - 05:08 PM.
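TDSSKiller's "Infected driver" finding fits how the TDSS/TDL3 family persisted: it overwrote code inside a legitimate kernel driver that was already installed rather than dropping a new file, which is why the in-memory cure of svchost.exe kept being undone at boot. A check a practitioner would want after such a repair is to confirm that the drivers now on disk match a reference copy. The added example below (not from the post, from TDSSKiller or from Kaspersky) hashes every *.sys in a drivers directory against the same-named file in a reference directory, which on Windows XP is the Windows File Protection cache at %SystemRoot%\system32\dllcache, and reports mismatches and drivers with no reference copy. The directory layout and the driver names in build_demo_tree are a constructed stand-in so the script runs anywhere; the post names no driver. Two caveats: a rootkit that can patch a driver can patch the cache copy too, and a driver updated outside WFP can differ legitimately, so a mismatch is a lead to confirm with sigverif.exe or a vendor hash, not a verdict.

```python
r"""Compare kernel drivers (system32\drivers) against reference copies
(system32\dllcache on XP) and report the ones that differ. Added example;
the sample tree is constructed, the post itself names no driver."""
import hashlib
import sys
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_drivers(drivers_dir, cache_dir, pattern: str = "*.sys") -> Dict[str, str]:
    """Return {driver filename: 'match' | 'mismatch' | 'no_reference'}.
    A size-preserving in-place patch (the TDL3 style) still changes the hash."""
    drivers_dir, cache_dir = Path(drivers_dir), Path(cache_dir)
    report: Dict[str, str] = {}
    for drv in sorted(drivers_dir.glob(pattern)):
        ref = cache_dir / drv.name
        if not ref.is_file():
            report[drv.name] = "no_reference"
        elif sha256_of(drv) == sha256_of(ref):
            report[drv.name] = "match"
        else:
            report[drv.name] = "mismatch"
    return report


def suspicious(report: Dict[str, str]) -> List[str]:
    return sorted(name for name, status in report.items() if status == "mismatch")


def build_demo_tree(root) -> Tuple[Path, Path]:
    """Constructed stand-in for the system32 tree: one unchanged driver,
    one patched in place (same size), one with no reference copy.
    Names are placeholders, not drivers reported in the thread."""
    root = Path(root)
    drivers, cache = root / "drivers", root / "dllcache"
    drivers.mkdir(parents=True)
    cache.mkdir(parents=True)
    clean = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"A" * 4096
    for name in ("atapi.sys", "disk.sys"):
        (cache / name).write_bytes(clean)
    (drivers / "disk.sys").write_bytes(clean)
    # In-place infection: identical size, a code range replaced inside the image.
    (drivers / "atapi.sys").write_bytes(clean[:1024] + b"\xcc" * 512 + clean[1536:])
    (drivers / "vendor.sys").write_bytes(clean)   # third-party driver, no WFP copy
    return drivers, cache


def demo_report() -> Dict[str, str]:
    """Run the comparison over the constructed sample tree."""
    with tempfile.TemporaryDirectory() as tmp:
        return compare_drivers(*build_demo_tree(tmp))


if __name__ == "__main__":
    # Usage on a real XP box: python check_drivers.py C:\WINDOWS\system32\drivers C:\WINDOWS\system32\dllcache
    report = compare_drivers(sys.argv[1], sys.argv[2]) if len(sys.argv) == 3 else demo_report()
    for name, status in report.items():
        print(f"{status:13} {name}")
    print("follow up on:", ", ".join(suspicious(report)) or "nothing")
```

Drivers reported as no_reference are not necessarily bad (third-party drivers have no WFP copy) but are the ones worth checking against the vendor's file, since a rootkit can also install under a new name.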


#4 Grrrrrrrr
  • Topic Starter
  • Members
  • 5 posts

Posted 24 December 2009 - 11:56 AM

---Did you forget about me?

edit:
---Attachments have been deleted because I don't know what info they contain and do not like info just sitting around. Paranoid, yes, and I am sure you can understand.

---If you need the attachments I had posted, DDS.txt and Attach.txt, I can offer the originals and/or new when that time comes.

---Merry Christmas/Happy Holidays to all.


===========

Hello

While we understand your frustration at having to wait, please note that Bleeping Computer deals with several hundred requests for assistance such as yours on a daily basis. As a result, our backlog is quite large as are other comparable sites that help others with malware issues. Although our HJT Team members work on hundreds of requests each day, they are all volunteers who work logs when they can and are able to do so. No one is paid by Bleeping Computer for their assistance to our members.

Further, our malware removal staff is comprised of team members with various levels of skill and expertise to deal with thousands of malware variants, some more complex than others. Although we try to take DDS/HJT logs in order (starting with the oldest), it is often the skill level of the particular helper and sometimes the operating system that dictates which logs get selected first. Some infections are more complicated than others and require a higher skill level to remove. Without that skill level attempted removal could result in disastrous results. In other instances, the helper may not be familiar with the operating system that you are using, since they use another. In either case, neither of us want someone to assist you who is not familiar with your issue and attempt to fix it.

We ask that once you have posted your log and are waiting, please DO NOT "bump" your thread or make further replies until it has been responded to by a member of the HJT Team. The reason we ask this or do not respond to your requests is because that would remove you from the active queue that Techs and Staff have access to. The malware staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

That is why I have made an edit to your last post, instead of a reply. Please do not multiple post here, as that only pushes you further down the queue and causes confusion to the staff.

Please be patient. It may take several days, up to two weeks perhaps less, to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

Thank you for understanding.

Elise - forum moderator

Edited by elise025, 25 December 2009 - 07:14 AM.


#5 Blade
  • Site Admin
  • 12,704 posts

Posted 28 December 2009 - 11:59 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE



#6 Grrrrrrrr
  • Topic Starter
  • Members
  • 5 posts

Posted 04 January 2010 - 10:36 AM

-Thank you. My Apologies for adding to the thread and possibly confusing anyone.

---I haven't done anything other than what was stated in the previous posts with the exception of trying RootRepeal again. The system still locks up tight.

---In case it makes any difference at all, it is an MSI K8N Master2-FAR (MS 9620) mainboard, 2 AMD Opteron 875, BFG nVidia 7600GT OC, 2 GB Crucial ECC RAM, running windows XP Pro. The Chipset is nForce4, as well as South & North Bridge.

---I got rid of all other AVPs and installed my Avast again. I run the TDSSKiller tool from Kaspersky and HJT now and then to make sure nothing new appears. Nothing has changed since my last post other than that.

---DDS and Attach (the originals) have been ULed again along with the latest scan results (2).

---Thank you again.



