
Backdoor.tdss trojan???

This topic is locked
9 replies to this topic

#1 Smithy25

Posted 03 January 2010 - 02:27 PM

Hi there, I turned my computer on the other day to find my Norton does not start up. When I start it, it says Norton has stopped working. My Windows Defender has stopped working as well; every time I go to open that it says Windows Defender has stopped. The same thing happens when I load up Malwarebytes' Anti-Malware program. None of my anti-spyware/malware programs seem to run except Dr.Web's CureIt.

I ran Dr.Web's CureIt and it came up with backdoor.tdss.565 but has no option to cure or remove the suspected trojan. It only says 'Eradicated'.

Any of you guys care to help, please?

Thanks in advance!! :thumbsup:


#2 boopme, Global Moderator

Posted 03 January 2010 - 04:18 PM

Hello, please run TDSSKiller:
  • Please download TDSSKiller.zip and save it to your desktop.
  • Extract the zip file to your desktop.
  • Double-click tdsskiller.exe to run it.
  • When it has finished, press any key to continue.
  • If needed, reboot the computer.
Let me know if after a reboot you are still having redirects.

Next run MBAM (MalwareBytes):

NOTE: Before saving MBAM, please rename it to zztoy.exe, then save it to your desktop.

Please download Malwarebytes Anti-Malware and save it to your desktop.

alternate download link

MBAM may "make changes to your registry" as part of its disinfection routine. If you are using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.
How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#3 Smithy25, Topic Starter

Posted 03 January 2010 - 07:54 PM

Thanks for the reply.

However, I downloaded the TDSS trojan killer, extracted it to my desktop and ran it; it came up with nothing found. I then downloaded Malwarebytes Anti-Malware, which I already had, and installed the new one. Went to run it, and it didn't run at all.

I use Mozilla Firefox so don't get redirects. I just get Internet Explorer trying to pop up every so often and some random audio adverts running from somewhere on my computer.

Any other info or help would be great.

Thanks.

#4 boopme, Global Moderator

Posted 03 January 2010 - 07:58 PM

OK, then run RKill first. Then quickly run MBAM.

Please download Rkill by Grinler and save it to your desktop. (Link 2, Link 3, Link 4)
  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista, right-click on it and Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • If the tool does not run from any of the links provided, please let me know.
You will need to run the application again if rebooting the computer occurs along the way.

#5 Smithy25, Topic Starter

Posted 04 January 2010 - 11:47 AM

Tried every one of those Rkill links, and it still doesn't let me run Malwarebytes afterwards.

Any other suggestions??

#6 boopme, Global Moderator

Posted 04 January 2010 - 12:18 PM

Try this... When you get to the download page and it says Run or Save, select RUN.

Or run this first, then try MBAM again:
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (or you can hold down your Windows key and press R) and copy and paste the following into the text field (make sure you include the quote marks). Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  • If it says "Hidden service detected", DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt"; please copy and paste the contents of that file here.


#7 Smithy25, Topic Starter

Posted 04 January 2010 - 12:27 PM

Still can't get MBAM to work.

Here's the TDSS log.

23:15:46:946 1328 TDSSKiller 2.1.1 Dec 20 2009 02:40:02
23:15:46:946 1328 ================================================================================
23:15:46:946 1328 SystemInfo:

23:15:46:946 1328 OS Version: 6.0.6001 ServicePack: 1.0
23:15:46:946 1328 Product type: Workstation
23:15:46:946 1328 ComputerName: BYRON
23:15:46:946 1328 UserName: Byron Smith
23:15:46:946 1328 Windows directory: C:\Windows
23:15:46:946 1328 Processor architecture: Intel x86
23:15:46:946 1328 Number of processors: 2
23:15:46:946 1328 Page size: 0x1000
23:15:46:962 1328 Boot type: Normal boot
23:15:46:962 1328 ================================================================================
23:15:46:962 1328 ForceUnloadDriver: NtUnloadDriver error 2
23:15:46:962 1328 ForceUnloadDriver: NtUnloadDriver error 2
23:15:46:962 1328 ForceUnloadDriver: NtUnloadDriver error 2
23:15:46:962 1328 MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\Drivers\KLMD.sys) returned status 0
23:15:46:962 1328 main: Driver KLMD successfully dropped
23:15:46:962 1328 main: Driver KLMD successfully loaded
23:15:46:962 1328
Scanning Registry ...
23:15:46:977 1328 ScanServices: Searching service UACd.sys
23:15:46:977 1328 ScanServices: Open/Create key error 2
23:15:46:977 1328 ScanServices: Searching service TDSSserv.sys
23:15:46:977 1328 ScanServices: Open/Create key error 2
23:15:46:977 1328 ScanServices: Searching service gaopdxserv.sys
23:15:46:977 1328 ScanServices: Open/Create key error 2
23:15:46:977 1328 ScanServices: Searching service gxvxcserv.sys
23:15:46:977 1328 ScanServices: Open/Create key error 2
23:15:46:977 1328 ScanServices: Searching service MSIVXserv.sys
23:15:46:977 1328 ScanServices: Open/Create key error 2
23:15:46:977 1328 UnhookRegistry: Kernel module file name: C:\Windows\system32\ntoskrnl.exe, base addr: 8283C000
23:15:46:977 1328 UnhookRegistry: Kernel local addr: 1C80000
23:15:46:977 1328 UnhookRegistry: KeServiceDescriptorTable addr: 1DAC8C0
23:15:46:977 1328 UnhookRegistry: KiServiceTable addr: 1CED8D0
23:15:46:977 1328 UnhookRegistry: NtEnumerateKey service number (local): 85
23:15:46:977 1328 UnhookRegistry: NtEnumerateKey local addr: 1E53598
23:15:46:977 1328 KLMD_OpenDevice: Trying to open KLMD device
23:15:46:977 1328 KLMD_GetSystemRoutineAddressA: Trying to get system routine address ZwEnumerateKey
23:15:46:977 1328 KLMD_GetSystemRoutineAddressW: Trying to get system routine address ZwEnumerateKey
23:15:46:977 1328 KLMD_ReadMem: Trying to ReadMemory 0x828919ED[0x4]
23:15:46:977 1328 UnhookRegistry: NtEnumerateKey service number (kernel): 85
23:15:46:977 1328 KLMD_ReadMem: Trying to ReadMemory 0x828A9AE4[0x4]
23:15:46:977 1328 UnhookRegistry: NtEnumerateKey real addr: 82A0F598
23:15:46:977 1328 UnhookRegistry: NtEnumerateKey calc addr: 82A0F598
23:15:46:977 1328 UnhookRegistry: No SDT hooks found on NtEnumerateKey
23:15:46:977 1328 KLMD_ReadMem: Trying to ReadMemory 0x82A0F598[0xA]
23:15:46:977 1328 UnhookRegistry: No splicing found on NtEnumerateKey
23:15:46:993 1328
Scanning Kernel memory ...
23:15:46:993 1328 KLMD_OpenDevice: Trying to open KLMD device
23:15:46:993 1328 KLMD_GetSystemObjectAddressByNameA: Trying to get system object address by name \Driver\Disk
23:15:46:993 1328 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
23:15:46:993 1328 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 85857608
23:15:46:993 1328 DetectCureTDL3: KLMD_GetDeviceObjectList returned 1 DevObjects
23:15:46:993 1328 DetectCureTDL3: 0 Curr stack PDEVICE_OBJECT: 863358B0
23:15:46:993 1328 KLMD_GetLowerDeviceObject: Trying to get lower device object for 863358B0
23:15:46:993 1328 DetectCureTDL3: 0 Curr stack PDEVICE_OBJECT: 8585C028
23:15:46:993 1328 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8585C028
23:15:46:993 1328 KLMD_ReadMem: Trying to ReadMemory 0x8585C028[0x38]
23:15:46:993 1328 DetectCureTDL3: DRIVER_OBJECT addr: 858795D0
23:15:46:993 1328 KLMD_ReadMem: Trying to ReadMemory 0x858795D0[0xA8]
23:15:46:993 1328 KLMD_ReadMem: Trying to ReadMemory 0x8585F198[0x208]
23:15:46:993 1328 DetectCureTDL3: DRIVER_OBJECT name: \Driver\iaStor, Driver Name: iaStor
23:15:46:993 1328 DetectCureTDL3: IrpHandler (0) addr: 8A8B6860
23:15:46:993 1328 DetectCureTDL3: IrpHandler (1) addr: 828CB827
23:15:46:993 1328 DetectCureTDL3: IrpHandler (2) addr: 8A8B6860
23:15:46:993 1328 DetectCureTDL3: IrpHandler (3) addr: 828CB827
23:15:46:993 1328 DetectCureTDL3: IrpHandler (4) addr: 828CB827
23:15:46:993 1328 DetectCureTDL3: IrpHandler (5) addr: 828CB827
23:15:46:993 1328 DetectCureTDL3: IrpHandler (6) addr: 828CB827
23:15:46:993 1328 DetectCureTDL3: IrpHandler (7) addr: 828CB827
23:15:46:993 1328 DetectCureTDL3: IrpHandler (8) addr: 828CB827
23:15:46:993 1328 DetectCureTDL3: IrpHandler (9) addr: 828CB827
23:15:46:993 1328 DetectCureTDL3: IrpHandler (10) addr: 828CB827
23:15:46:993 1328 DetectCureTDL3: IrpHandler (11) addr: 828CB827
23:15:46:993 1328 DetectCureTDL3: IrpHandler (12) addr: 828CB827
23:15:46:993 1328 DetectCureTDL3: IrpHandler (13) addr: 828CB827
23:15:46:993 1328 DetectCureTDL3: IrpHandler (14) addr: 8A8B6860
23:15:46:993 1328 DetectCureTDL3: IrpHandler (15) addr: 8A8B6860
23:15:46:993 1328 DetectCureTDL3: IrpHandler (16) addr: 828CB827
23:15:46:993 1328 DetectCureTDL3: IrpHandler (17) addr: 828CB827
23:15:46:993 1328 DetectCureTDL3: IrpHandler (18) addr: 828CB827
23:15:46:993 1328 DetectCureTDL3: IrpHandler (19) addr: 828CB827
23:15:46:993 1328 DetectCureTDL3: IrpHandler (20) addr: 828CB827
23:15:46:993 1328 DetectCureTDL3: IrpHandler (21) addr: 828CB827
23:15:46:993 1328 DetectCureTDL3: IrpHandler (22) addr: 8A8B6860
23:15:46:993 1328 DetectCureTDL3: IrpHandler (23) addr: 8A8B6860
23:15:46:993 1328 DetectCureTDL3: IrpHandler (24) addr: 828CB827
23:15:46:993 1328 DetectCureTDL3: IrpHandler (25) addr: 828CB827
23:15:46:993 1328 DetectCureTDL3: IrpHandler (26) addr: 828CB827
23:15:46:993 1328 KLMD_ReadMem: Trying to ReadMemory 0x0[0x400]
23:15:46:993 1328 KLMD_ReadMem: DeviceIoControl error 1
23:15:46:993 1328 TDL3_StartIoHookDetect: Unable to get StartIo handler code
23:15:46:993 1328 TDL3_FileDetect: Processing driver: iaStor
23:15:46:993 1328 TDL3_FileDetect: Parameters: C:\Windows\system32\drivers\iastor.sys, C:\Windows\system32\Drivers\iastor.tsk, SYSTEM\CurrentControlSet\Services\iaStor, system32\Drivers\iastor.tsk
23:15:46:993 1328 TDL3_FileDetect: Processing driver file: C:\Windows\system32\drivers\iastor.sys
23:15:46:993 1328 KLMD_CreateFileW: Trying to open file C:\Windows\system32\drivers\iastor.sys
23:15:47:009 1328
Completed

Results:
23:15:47:009 1328 Infected objects in memory: 0
23:15:47:009 1328 Cured objects in memory: 0
23:15:47:009 1328 Infected objects on disk: 0
23:15:47:009 1328 Objects on disk cured on reboot: 0
23:15:47:009 1328 Objects on disk deleted on reboot: 0
23:15:47:009 1328 Registry nodes deleted on reboot: 0
23:15:47:009 1328
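
As an added example (not from the thread, and not part of Kaspersky's tool), here is a small Python parser for the TDSSKiller log format posted above. It pulls out the service-name lookups, the SDT/splicing hook checks, the IRP dispatch addresses of the disk driver, any checks the tool reported an error on, and the result counts, so a helper can triage a posted log at a glance. The sample log is a constructed excerpt in the same format; the escalation rule and the IRP-address heuristic are my own assumptions, not TDSSKiller's.

```python
import re
from collections import Counter

# Constructed excerpt in the format of the TDSSKiller 2.1.1 log above (not the full log).
SAMPLE_LOG = r"""23:15:46:946 1328 TDSSKiller 2.1.1 Dec 20 2009 02:40:02
23:15:46:977 1328 ScanServices: Searching service UACd.sys
23:15:46:977 1328 ScanServices: Open/Create key error 2
23:15:46:977 1328 ScanServices: Searching service TDSSserv.sys
23:15:46:977 1328 ScanServices: Open/Create key error 2
23:15:46:977 1328 UnhookRegistry: No SDT hooks found on NtEnumerateKey
23:15:46:977 1328 UnhookRegistry: No splicing found on NtEnumerateKey
23:15:46:993 1328 DetectCureTDL3: DRIVER_OBJECT name: \Driver\iaStor, Driver Name: iaStor
23:15:46:993 1328 DetectCureTDL3: IrpHandler (0) addr: 8A8B6860
23:15:46:993 1328 DetectCureTDL3: IrpHandler (1) addr: 828CB827
23:15:46:993 1328 DetectCureTDL3: IrpHandler (2) addr: 8A8B6860
23:15:46:993 1328 KLMD_ReadMem: DeviceIoControl error 1
23:15:46:993 1328 TDL3_StartIoHookDetect: Unable to get StartIo handler code
23:15:47:009 1328 Infected objects in memory: 0
"""

LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}:\d{3}) (\d+) (.*)$")
IRP_RE = re.compile(r"IrpHandler \((\d+)\) addr: ([0-9A-F]+)")
RESULT_RE = re.compile(r"^((?:Infected|Cured) objects[^:]*|Objects on disk[^:]*|Registry nodes[^:]*): (\d+)$")

def parse_tdsskiller_log(text):
    """Turn a TDSSKiller log into a dict: services, hooks, irp_handlers, errors, results."""
    s = {"services": {}, "hooks": [], "irp_handlers": {}, "errors": [], "results": {}}
    pending = None                       # service name whose registry lookup result comes next
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                     # separator rows and "Scanning ..." banners carry no prefix
        msg = m.group(3)
        if msg.startswith("ScanServices: Searching service "):
            pending = msg.rsplit(" ", 1)[1]
            s["services"][pending] = "present"   # downgraded below if the key is missing
        elif msg.startswith("ScanServices: Open/Create key error 2") and pending:
            s["services"][pending] = "absent"    # Win32 error 2 = ERROR_FILE_NOT_FOUND: no such service key
            pending = None
        elif msg.startswith("UnhookRegistry: ") and re.search(r"hook|splic", msg.split(": ", 1)[1]):
            s["hooks"].append(msg.split(": ", 1)[1])
        elif IRP_RE.search(msg):
            idx, addr = IRP_RE.search(msg).groups()
            s["irp_handlers"][int(idx)] = addr
        elif " error " in msg or "Unable to" in msg:
            s["errors"].append(msg)          # checks the tool could not complete
        elif RESULT_RE.match(msg):
            key, count = RESULT_RE.match(msg).groups()
            s["results"][key] = int(count)
    return s

def irp_handler_profile(summary):
    """Count IRP dispatch slots per handler address. A disk driver's table normally uses only a
    couple of routines, so a rare extra address is worth a look (a triage heuristic, not a verdict)."""
    return Counter(summary["irp_handlers"].values())

def needs_escalation(summary):
    """Assumed rule: escalate if a known rootkit service key exists or any check could not be completed."""
    return "present" in summary["services"].values() or bool(summary["errors"])
```

On the constructed excerpt the two rootkit service names are reported absent and no SDT hooks are found, but the StartIo check could not be completed, so the log is still flagged for a closer look rather than read as clean.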

#8 boopme, Global Moderator

Posted 04 January 2010 - 12:33 PM

It looks like there is a rootkit variant in this log. The rootkit itself is a protection module used to terminate a variety of security tools by changing the permissions on targeted programs so that they cannot run or complete scans. There are some new variants of rootkits in the wild right now that will require custom scripts to remove the infection; the process must be completed by HJT team members or above.

Failure to follow the proper removal process can and will cause serious damage to a machine. Recovery of the machine may be difficult, if not impossible.


Download this Utility and save it to your Desktop.
Double-click the Utility to run it and let it finish.
When it states "Finished! Press any key to exit", press any key to close the program.
It will save a .txt file to your desktop automatically. Double-click on the Win32kDiag.txt file that is located on your Desktop and post the entire contents of that log as part of the reply in the topic you will create below.

Next, please go here: HijackThis Logs and Virus/Trojan/Spyware/Malware Removal. Click New Topic, give it a relevant title and post the above Win32kDiag.exe log.

Let me know how that went.

#9 Smithy25, Topic Starter

Posted 04 January 2010 - 12:45 PM

OK thanks, I created a thread in that forum.

I'll keep you posted as to what happens.

Thanks for your help though in this thread.

#10 boopme, Global Moderator

Posted 04 January 2010 - 12:56 PM

You're welcome. That is a nasty rootkit and it will come back if not properly removed. It'll be a day or so, but you will be answered.

Now that your log is properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by an HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

To avoid confusion, I am closing this topic.