
TDSS and Backdoor.Tidserv!inf ……and probably other nasties.


This topic is locked
15 replies to this topic

#1 OldDosGuy (Members, 13 posts)

Posted 13 March 2010 - 01:28 PM

Background:

1. Running Win XP / SP3, IE 7

2. Several viruses/trojans over the past year. Usually able to kill them.

3. Practice very safe surfing. Scan all email attachments. Only suspects are MySpace and Windows messaging.

4. Running Malwarebytes, SAS, Ad-Aware, Spybot, and McAfee.

What's happening: (also can't attach GMER log - see below)

1. Started getting browser redirects 4-5 days ago.

2. Ran all scans. Turned up a FakeAlert trojan (I think with Spybot) and removed.

3. Browser redirects started again.

4. Tried to update malware programs but sites were blocked.

5. Did a system restore to 5 days ago. Then malware websites were unblocked. Updated all programs.

6. Ran all scans. All clean. But website redirects continued.

7. Downloaded and ran HijackThis and reviewed results (nothing suspicious to me - untrained eye).

8. Tried to reboot to Safe Mode but can't.

9. Uninstalled McAfee and installed Norton... Nothing on the Norton scan.

10. Did more research and found the suspect might be TDSS.

11. Downloaded and ran TDSSKiller from Kaspersky. Found a TDSS infection in c:\Windows\Sys32\drivers\iastor.sys,
but... cure failed. 1 Memory object infected and 1 File object infected.

12. Norton then detected and blocked "Backdoor.Tidserv!inf".

13. GMER won't run. First time the system locked up halfway through the scan. Next two times the system crashed. Got a page fault in nonpaged area caused by "pwtoapob.sys". Searched computer and internet for this file name - no hits.
Can't attach GMER log.

HELP!!!!!!!!!!!!!!

Need to cure this and get some help on why this keeps happening.

Really appreciate your help.
DDS Scan:


DDS (Ver_09-12-01.01) - NTFSx86
Run by David Osburn at 0:58:36.46 on Sat 03/13/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2234 [GMT -5:00]

AV: Norton Security Suite *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Security Suite *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Creative\VoiceCenter\AndreaVC.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\DOCUME~1\DAVIDO~1\LOCALS~1\Temp\clclean.0001
C:\Program Files\StorageSync\StrgSync.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Java\jre6\bin\jusched.exe
svchost.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\Program Files\Common Files\Sonic Shared\CineTray.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Security Suite\Engine\3.8.0.41\ccSvcHst.exe
C:\WINDOWS\system32\nvsvc32.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Norton Security Suite\Engine\3.8.0.41\ccSvcHst.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\David Osburn\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton security suite\engine\3.8.0.41\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton security suite\engine\3.8.0.41\IPSBHO.DLL
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton security suite\engine\3.8.0.41\coIEPlg.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [SetDefaultMIDI] MIDIDef.exe
uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [CTSysVol] c:\program files\creative\sbaudigy\surround mixer\CTSysVol.exe /r
mRun: [MBMon] Rundll32 CTMBHA.DLL,MBMon
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [VoiceCenter] "c:\program files\creative\voicecenter\AndreaVC.exe" /tray
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [StrgSync.exe] c:\program files\storagesync\StrgSync.exe -w
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [AdaptecDirectCD] "c:\program files\roxio\easy cd creator 5\directcd\DirectCD.exe"
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [<NO NAME>]
StartupFolder: c:\docume~1\davido~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\sonicc~1.lnk - c:\program files\common files\sonic shared\CineTray.exe
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: intuit.com\ttlc
Trusted Zone: turbotax.com
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {A1662FB6-39BE-41BB-ACDC-0448FB1B5817} - hxxp://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_5/PhotoCenter_ActiveX_Control.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton security suite\engine\3.8.0.41\CoIEPlg.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-1-8 64288]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0308000.029\SymEFA.sys [2010-3-12 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\n360\0308000.029\BHDrvx86.sys [2010-3-12 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0308000.029\cchpx86.sys [2010-3-12 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20100310.001\IDSXpx86.sys [2010-3-12 329592]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-4-12 214664]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-3-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-3-23 72944]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-12-2 1181328]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 N360;Norton Security Suite;c:\program files\norton security suite\engine\3.8.0.41\ccSvcHst.exe [2010-3-12 117640]
R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-15 34064]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-3-12 102448]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100312.022\NAVENG.SYS [2010-3-12 84912]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100312.022\NAVEX15.SYS [2010-3-12 1324720]
S3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-4-12 79816]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-4-12 35272]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-4-12 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-4-12 40552]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-3-23 7408]
S3 yeddef;YEDDEF driver;c:\windows\system32\drivers\yeddef.sys --> c:\windows\system32\drivers\yeddef.sys [?]

=============== Created Last 30 ================

2010-03-13 04:49:00 0 ----a-w- c:\documents and settings\david osburn\defogger_reenable
2010-03-12 17:40:03 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe
2010-03-12 11:17:07 0 d-----w- c:\docume~1\alluse~1\applic~1\Symantec
2010-03-12 05:16:36 36400 ----a-r- c:\windows\system32\drivers\SymIM.sys
2010-03-12 05:16:23 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-03-12 05:16:23 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-03-12 05:16:23 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-03-12 05:16:23 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-03-12 05:16:23 0 d-----w- c:\program files\Symantec
2010-03-12 05:16:23 0 d-----w- c:\program files\common files\Symantec Shared
2010-03-12 05:15:45 0 d-----w- c:\windows\system32\drivers\N360
2010-03-12 05:15:43 0 d-----w- c:\program files\Norton Security Suite
2010-03-12 05:15:41 0 d-----w- c:\docume~1\alluse~1\applic~1\Norton
2010-03-12 05:13:37 0 d-----w- c:\program files\NortonInstaller
2010-03-12 05:13:37 0 d-----w- c:\docume~1\alluse~1\applic~1\NortonInstaller
2010-03-11 23:43:08 0 d-----w- c:\windows\system32\wbem\Repository

==================== Find3M ====================

2010-03-12 05:16:16 26600 ----a-r- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-03-12 05:16:09 107368 ----a-r- c:\windows\system32\GEARAspi.dll
2010-01-28 18:49:40 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-12-31 16:50:03 353792 ------w- c:\windows\system32\dllcache\srv.sys
2009-12-31 15:33:06 70656 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-12-31 15:33:06 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2009-12-18 13:05:43 634648 ------w- c:\windows\system32\dllcache\iexplore.exe
2009-12-18 13:04:09 161792 ------w- c:\windows\system32\dllcache\ieakui.dll
2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-16 18:43:27 343040 ------w- c:\windows\system32\dllcache\mspaint.exe
2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-14 07:08:23 33280 ------w- c:\windows\system32\dllcache\csrsrv.dll
2009-08-23 19:45:21 25740144 ----a-w- c:\program files\wmp11-windowsxp-x86-enu.exe
2009-06-03 00:52:36 2886432 ----a-w- c:\program files\PrintKey-Pro-v105.exe
2007-01-06 05:02:56 1424396 ------w- c:\program files\sbwsetup.exe
2009-11-08 06:08:23 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009110820091109\index.dat

============= FINISH: 1:00:04.10 ===============


#2 pwgib (Malware Response Team, 2,956 posts)

Posted 16 March 2010 - 08:52 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log

PW

#3 OldDosGuy (Topic Starter, Members, 13 posts)

Posted 17 March 2010 - 07:25 PM

Thanks for the response.

OK, all the details are in the original post.

I turned off all malware protection and re-ran the requested scans and posted them.

The only new event is that I can't install the latest Microsoft security update - KB977165.

GMER - I was finally able to run GMER (that was painful). Took about 9 hours to run and then the system crashed when I tried to save it. Had to run it again for 9 hours. Something is eating my memory. Took me a long time to respond to your note….

Waiting for your further instructions.

Thanks.


#4 extremeboy (Malware Response Team, 12,975 posts)

Posted 18 March 2010 - 12:29 PM

Hello there.

I'm Extremeboy and I will continue to help you out.

Seems that you're infected with the TDL3. There's a few things we can take care of here.

Unfortunately, one or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

If you wish to continue, please follow the instructions below...

Download and Run Combofix

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page on instructions on doing so.

Please include the C:\ComboFix.txt in your next reply for further review.

Then, we'll continue from there. Any problems, please let me know.
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to [image].

#5 OldDosGuy (Topic Starter, Members, 13 posts)

Posted 18 March 2010 - 03:56 PM

Hello Extremeboy,

Thanks for the response. Let's go. ComboFix file is attached.


#6 extremeboy (Malware Response Team, 12,975 posts)

Posted 19 March 2010 - 11:46 AM

Looking good so far.

Let's get a Malwarebytes scan + a new DDS scan.

Download and run MalwareBytes Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link

Take a new DDS run afterward and post back with both the DDS and Attach logs in your next reply. Also, let me know how your computer is running and if you have any more problems, issues or symptoms left.

Thanks.

With Regards,
Extremeboy

#7 OldDosGuy (Topic Starter, Members, 13 posts)

Posted 19 March 2010 - 01:39 PM

Hello extremeboy,

I'm not at my computer right now so I won't be able to run Mbytes for a couple more hours.

But, when I booted the machine this morning I got a Norton Security alert:

High Risk,

Backdoor.Tidserv!inf

Requires manual removal.

Should I proceed with Mbytes

Thanks

#8 extremeboy (Malware Response Team, 12,975 posts)

Posted 19 March 2010 - 02:07 PM

Yes, please continue.

Let me know what the file is that Norton detected, it's probably just what we already quarantined so it's nothing to worry about.

#9 OldDosGuy (Topic Starter, Members, 13 posts)

Posted 19 March 2010 - 07:47 PM

Extremeboy,

THE GOOD NEWS:
1. Mbytes came up clean. Posted the scan along with the DDS scans.

2. Google results are no longer redirecting, also able to boot to Safe Mode, also able to install the latest Windows security patch.

QUESTIONABLE:
1. Norton found the Backdoor.Tidserv!inf this morning and shows it in C:\system volume information\_restore {###.....}\rp903\a0072405.sys. Says to manually remove, but this file isn't accessible. Re-ran a quick Norton scan and it didn't find anything.

ADVICE AND QUESTIONS:
Got a couple minutes to look at my questions and give me some answers/opinions other than the "canned" ones?

I have had several infections over the last year and I can't figure out why. Again, practice real safe surfing (but the family uses MySpace and/or Facebook and they aren't as careful).

I was running McAfee and now I'm running Norton. Also running Ad-Aware and doing scans with Mbytes, Spybot, and SAS. But... I'm still getting infected. Any ideas?????

I found a security hole in my router where I wasn't blocking open wireless access. I fixed it but I don't think it's likely that I'm getting infected there?

I have an old,old,old computer connected to my router that only gets used occasionally. Is this connection opening the door to my other computer as if I was on an open "network"?

Are there settings in my AV and Firewall programs that will block all file downloads or registry changes without my permission?

Is my computer really unsafe without being wiped if I am doing secure transactions on encrypted websites (unless I have a keylogger)? Wiping my computer would be a HUGE effort. If I got an additional computer just for secure transactions would it be isolated if plugged to the same computer?

And..last, but not least, I have an external hard drive that is turned off now but could have gotten infected. Am I safe to turn it on? Should I delete all data on it? Should I reformat it?

Really appreciate your help and any other answers you can send.

Thanks, Thanks.

p.s. Do you guys do donations through PayPal?


#10 extremeboy (Malware Response Team, 12,975 posts)

Posted 20 March 2010 - 11:52 AM

Hello.

QUOTE
Norton found the Backdoor.Tidserv!inf this morning and shows it in C:\system volume information\_restore {###.....}\rp903\a0072405.sys. Says to manually remove, but this file isn't accessible. Re-ran a quick Norton scan and it didn't find anything.

Yes, those are fine. They are just infected System Restore points that do no harm unless you restore your system to that time period; don't remove it, as we will do that at the end once we flush your System Restore cache and set a new one. ;)

QUOTE
I have had several infections over the last year and I can't figure out why. Again, practice real safe surfing (but the family uses my space and/or facebook and they aren't as careful).

Well, without knowing what your family or you do, I have no way of telling you how you got the infections. Infections spread in various ways, including: P2P, removable drives, downloading/installing executables, warez, cracks, keygens, porn, underground web pages, pirated software sites, out-of-date software, etc. I will provide some prevention tips at the end once we're done, to further help you.

One of the infections you had on board was called the TDL3 infection. If you want to read more about it, please visit this page: http://rootbiez.blogspot.com/2009/11/rootk...s-lets-put.html -> Very good read.

You can read some more information on how malware spreads etc... here: http://www.bleepingcomputer.com/forums/ind...howtopic=287710


QUOTE
I was running Mcafee and now I'm running Norton. Also running Adaware and doing scans with Mbytes, Spybot, and SAS. But…I'm still getting infected. Any ideas?????

Don't just rely on security programs to protect you, or assume they can find everything. Sometimes, when infections run with administrative privileges, they can hide or be undetectable, and thus other tools are needed. I suggest reading the TDL3 article, which will help give you a better understanding of it.

You should ONLY have 1 anti-virus software installed. I don't recommend Spybot or Ad-Aware anymore. Having MBAM and SAS is already enough; however, please note that:

QUOTE(Quietman7)
No single product is 100% foolproof and can prevent, detect and remove all threats at any given time. The security community is in a constant state of change as new infections appear. Each vendor has its own definition of what constitutes malware and scanning your computer using different criteria will yield different results. The fact that each program has its own definition files means that some malware may be picked up by one that could be missed by another. Thus, a multi-layered defense using several anti-spyware products (including an effective firewall) to supplement your anti-virus combined with common sense and safe surfing habits provides the most complete protection.

As a general rule, using more than one anti-spyware program like Malwarebytes' Anti-Malware, SuperAntispyware, Spybot S&D, Ad-Aware, etc. will not conflict with each other or your anti-virus if using only one of them for real-time protection and the others as stand-alone scanners. In fact, doing so increases your protection coverage without causing the same kind of conflicts or affecting the stability of your system that can occur when using more than one anti-virus. The overlap of protection from using different signature databases will aid in detection and removal of more threats when scanning your system for malware. However, if using all their real-time resident shields (TeaTimer, Ad-Watch, MBAM Protection Module, Spyware Terminator Shields, etc.) together at the same time, there can be conflicts when each application tries to compete for resources and exclusive rights to perform an action. Additionally, competing tools may even provide redundant alerts, which can be annoying and/or confusing.


QUOTE
I found a security hole in my router where I wasn't blocking open wireless access. I fixed it but I don't think it's likely that I'm getting infected there?

The scans won't look at the router itself, so I don't know, but probably unlikely.

QUOTE
I have an old, old, old computer connected to my router that only gets used occasionally. Is this connection opening the door to my other computer as if I was on an open "network"?

Possible; I don't know whether that computer is infected or not. Worms are usually the ones that travel through networks, etc.

QUOTE
Are there settings in my AV and Firewall programs that will block all file downloads or registry changes without my permission?

You will have to check the configuration settings of your AV + Firewall about that, as each AV + Firewall is different and can be configured differently as well. However, usually they would ask for your permission first.

QUOTE
Is my computer really unsafe without being wiped if I am doing secure transactions on encrypted websites (unless I have a keylogger)? Wiping my computer would be a HUGE effort. If I got an additional computer just for secure transactions, would it be isolated if plugged into the same computer?

Keylogger, none that I see. I would read that TDL3 article above to have a better understanding of the infection. We have already removed the infection, so it's clean now. I understand how wiping and doing a clean install is a HUGE effort (been through it myself). It's not just up to you whether you feel safe. If you have good surfing habits and follow some of the prevention tips I provide later on, you should be good. If you do decide to get another computer for secure transactions, that is fine, but that doesn't guarantee that you will be 100% clean.

QUOTE
And..last, but not least, I have an external hard drive that is turned off now but could have gotten infected. Am I safe to turn it on? Should I delete all data on it? Should I reformat it?

I would run this tool first to disable autorun in case of one of those autorun infections. You should be safe to turn it on and use it. Data files are safe; malware doesn't "inject" or "infect" them unless there are executable files, which they usually target, but in this case it should be good.

Download and Run FlashDisinfector
  • Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden file named autorun.inf in each partition and every USB drive plugged in when you run it. Don't delete this folder. It will help protect your drives from future infection.

You're very welcome. I'm glad I could help out.

QUOTE
p.s. Do you guys do donations through PayPal?

Yes, just simply click the "Donate" button under my signature and it will lead to the donation page. Thanks for considering a donation, it's appreciated.



Now, with all that said (hope I didn't rant on too much), let's continue.

The logs are looking good now; any problems left with your computer? If not, we can wrap up and clean up next post.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to click the Donate button.

#11 OldDosGuy

OldDosGuy
  • Topic Starter

  • Members
  • 13 posts

Posted 20 March 2010 - 09:44 PM

Extremeboy,
Right now everything is running well. I read your advice and articles. Norton didn't like me visiting that rootkit blogspot. I guess that's a good thing. I've caught two infections this year just from visiting a legit website and opening a legit email attachment. I was able to kill those pretty easily. But ones like this are a mystery. I'm blaming facebook, myspace, and messaging.

As to my multiple malware products, I'm only running Norton actively and the adAware Adwatch piece. Should I turn that off? The rest I use for weekly or bi-weekly scans.

As to the external hard drive, there were several executables so I went ahead and reformatted the drive.

Anyway I think we're ready for final cleanup instructions.

Thanks

#12 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 21 March 2010 - 12:58 PM

Hello.

QUOTE
As to my multiple malware products, I'm only running Norton actively and the adAware Adwatch piece. Should I turn that off? The rest I use for weekly or bi-weekly scans.

Nope, that's fine. Malwarebytes + Super Anti-spyware may be better, but since you have that on subscription or you bought the Ad-Watch, that's fine.

QUOTE
Anyway I think we're ready for final cleanup instructions.

Let's go.

Please follow/read the steps below to remove the tools we used and for some more information.


Uninstall ComboFix

Remove Combofix now that we're done with it.
  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the "x" and "/")
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.
This will uninstall Combofix and anything associated with it.

Download and Run OTC

We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • Double-click the icon to start the program. If you are using Vista, please right-click and choose Run as administrator.
  • Then click the big button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.

System a bit slow? Try StartupLite

You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve performance.

If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware.


Congratulations! You now appear clean!

Now that you are clean, please follow and read some of the prevention tips below.

Preventing Infections in the Future


Please also have a look at the following links, giving some advice and Tips to protect yourself against malware and reduce the potential for re-infection:

Some of the main things you should consider to perform/read are:
  • Disabling Autorun/Play on Flash-Drive/Removable Drives
  • Avoid gaming sites, underground web pages, pirated software sites, and Peer to Peer Programs
  • Keep Windows Updated through going to Windows Updates
  • Updating Non-Microsoft Programs
  • Keeping security software updated

It is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Update all programs regularly - Make sure you update all the programs you have installed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.
---
If you have no more questions, comments or problems please tell us, so we can close off the topic.

Thanks

With Regards,
Extremeboy

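The Flash_Disinfector step in post #10 and the "Disabling Autorun/Play" item in the prevention list above rest on the same two ideas: keep a placeholder named autorun.inf on every drive so malware cannot drop its own, and turn AutoRun off by policy. The PowerShell below is an added example for checking both; it is not code from this thread or from sUBs' tool, it only reads (nothing in it executes or deletes anything), and it assumes the placeholder is a directory named autorun.inf and that the AutoRun policy is the NoDriveTypeAutoRun value under HKLM.

```powershell
# Added example: not from the thread and not part of sUBs' Flash_Disinfector.
# Audits each filesystem drive for an autorun.inf entry and classifies it:
#   placeholder  - a directory named autorun.inf (assumed to be what
#                  Flash_Disinfector leaves so malware cannot write its own)
#   FILE-present - a real autorun.inf file; its open=/shellexecute= lines
#                  are shown so you can see what AutoRun would have launched
#   absent       - nothing there
# Then reports the NoDriveTypeAutoRun policy that disables AutoRun itself.

function Get-AutorunInfStatus {
    foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
        $path = Join-Path $drive.Root 'autorun.inf'
        # -Force so hidden/system items (as a protective placeholder would be) are seen
        $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
        $detail = ''
        if ($null -eq $item) {
            $status = 'absent'
        } elseif ($item.PSIsContainer) {
            $status = 'placeholder'
        } else {
            $status = 'FILE-present'
            # Pull out the directives AutoRun acts on; this is read-only, nothing is run
            $detail = (Get-Content -LiteralPath $path -ErrorAction SilentlyContinue |
                       Where-Object { $_ -match '^\s*(open|shellexecute|shell\\)' }) -join '; '
        }
        New-Object PSObject -Property @{ Drive = $drive.Root; AutorunInf = $status; Directives = $detail }
    }
}

function Get-AutorunPolicy {
    # NoDriveTypeAutoRun is a bitmask of drive types with AutoRun disabled; 0xFF covers all of them.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $value = (Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    if ($null -eq $value) { return 'NoDriveTypeAutoRun not set: Windows default AutoRun behaviour applies' }
    if ($value -eq 0xFF)  { return 'AutoRun disabled for all drive types (NoDriveTypeAutoRun = 0xFF)' }
    return ('AutoRun still enabled for some drive types (NoDriveTypeAutoRun = 0x{0:X2})' -f $value)
}

Get-AutorunInfStatus | Format-Table Drive, AutorunInf, Directives -AutoSize
Get-AutorunPolicy
```

A drive reported as FILE-present is not necessarily infected (some CD/DVD and vendor software ships a legitimate autorun.inf), but the open= or shellexecute= target it shows is what to inspect or scan.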

#13 OldDosGuy

OldDosGuy
  • Topic Starter

  • Members
  • 13 posts

Posted 21 March 2010 - 02:43 PM

Extremeboy,

Well, cleanup didn't go so well but I don't think it's a problem. Couldn't get combofix uninstall to go. System kept asking me to Run combofix.
OTC didn't really clean up much. And my system said startup lite was not a valid Win32 application.

Any problem leaving this stuff on my computer or should I go thru and delete everything?

Sorry to keep this going, but shouldn't I be doing something with my restart points, cache, temp files, and recycle bin?

Thanks

#14 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 21 March 2010 - 03:04 PM

QUOTE
Well, cleanup didn't go so well but I don't think it's a problem. Couldn't get combofix uninstall to go. System kept asking me to Run combofix.

Yes, that's how it "looks". Just accept and follow the prompts, it WILL be uninstalled at the end. Trust me. ;)

QUOTE
OTC didn't really clean up much. And my system said startup lite was not a valid Win32 application.

OTC just cleans out some of the stuff. You can manually delete the other tools if they are still there. Not sure about StartupLite; I wouldn't worry about it. If you want, you can try some of the steps on the other link. As long as your computer is fine, you don't have to go through those steps; it's just part of my all-clean speech for those who mention slowness. ;)

QUOTE
Any problem leaving this stuff on my computer or should I go thru and delete everything?

As said above, uninstall Combofix FIRST. Once you've done that, feel free to delete the other tools on your desktop and the folders/files that accompanied them.

QUOTE
Sorry to keep this going, but shouldn't I be doing something with my restart points, cache, temp files, and recycle bin?

Once you uninstall Combofix, it does most of that. For the Recycle Bin + temp files, you can do that yourself or run something like ATF Cleaner.

ATFCleaner

Please download ATF Cleaner by Atribune. This program will clear out temporary files and settings. You will likely be logged out of the forum where you are receiving help.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main Select Files to Delete choose: Select All.
  • Click the Empty Selected button.
If you use Firefox browser also...
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser also...
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Hope that helps.

With Regards,
Extremeboy

#15 OldDosGuy

OldDosGuy
  • Topic Starter

  • Members
  • 13 posts

Posted 21 March 2010 - 04:19 PM

Extremeboy,

Thanks Again. I think we finished.
