
Tidserv Trojan Infection? (HTTPS Tidserv Request 2)


  • This topic is locked
49 replies to this topic

#1 RyanW.

  • Members
  • 28 posts

Posted 09 April 2010 - 01:07 PM

Howdy, let me first say THANK YOU to this forum, and the folks that post help. I have used this forum in the past to help my neighbors, and the information has been helpful. Unfortunately, it is now apparently my turn, as my wife's computer is infected.

The Story

Yesterday (4/8), my wife comes in my office claiming that her computer is in trouble. When I get there, I see that she has windows coming and going, and it appears that she is infected with Antimalware Doctor (appreg70700.exe). I also notice that Norton 360 is not currently running, not sure why it had stopped, but thought I'd mention it.

What I did

After finding the application that was causing the problems, I killed it, and installed a recommended program, Malwarebytes' Anti-Malware. It found several issues, and I followed the cleaning process. I also found registry entries for Antimalware Doctor (using regedit), and removed them. Furthermore, I removed it from the start-up entries. Also, I installed and ran SuperAntispyware, but it only found 3 cookies that were problems.

Current Issue

I then got Norton 360 running again (updated defs, ran a new scan, etc). Norton isn't finding any issues. However, going through the logs, I am finding multiple entries for:

Quote:
    HIGH - An intrusion attempt by 61.21.20.132 was blocked. Application path \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\SVCHOST.EXE
    Norton Risk Name: HTTPS Tidserv Request 2


The other IP that it lists is 112.121.181.26

And, while doing Google searches, I started to get "redirected" to various ad sites, and then this popped in the log:

Quote:
    HIGH - An intrusion attempt by 213.163.89.106 was blocked. Application path \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
    Norton Risk Name: HTTPS Tidserv Request 2


I am behind a Linksys router, and have the most current firmware installed. Looking through the limited logs, I am not seeing any inbound connections, but I am seeing outbound port 80 requests to those above IPs. I guess the Trojan is hijacking those outbound requests?

At this point, I am beyond my knowledge, and thus unplugged the Ethernet cable, and started this help thread.

I have attached the DDS files.

However, I tried running the GMER tool as directed, but it kept hanging on the following entry "\DEVICE\NTPNP_PCI0012". Only a hard reboot would work, no keystroke sequences would help. Is there another tool I can run?

Thank you in advance for helping.

Ryan

Attached Files
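As an added example (not from this thread or from Norton), here is a small Python triage script that parses Norton 360 IPS entries in the two-line format quoted in the post above and groups the blocked destinations by the process that made the connection. The sample log is constructed from the IPs and paths the post lists; the rule that flags a process under WINDOWS\SYSTEM32 as evidence of a host-level infection is my own heuristic, not something Norton reports.

```python
import re
from collections import defaultdict

# Constructed sample of Norton 360 IPS entries in the two-line format quoted in
# the post; the IPs and process paths are the ones the post lists.
SAMPLE_LOG = """\
HIGH - An intrusion attempt by 61.21.20.132 was blocked. Application path \\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\SVCHOST.EXE
Norton Risk Name: HTTPS Tidserv Request 2
HIGH - An intrusion attempt by 112.121.181.26 was blocked. Application path \\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\SVCHOST.EXE
Norton Risk Name: HTTPS Tidserv Request 2
HIGH - An intrusion attempt by 213.163.89.106 was blocked. Application path \\DEVICE\\HARDDISKVOLUME1\\PROGRAM FILES\\MOZILLA FIREFOX\\FIREFOX.EXE
Norton Risk Name: HTTPS Tidserv Request 2
"""

ALERT_RE = re.compile(r"^(?P<severity>[A-Z]+) - An intrusion attempt by "
                      r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) was blocked\. Application path (?P<path>\S.*)$")
RISK_RE = re.compile(r"^Norton Risk Name: (?P<risk>.+)$")


def parse_alerts(text):
    """Pair each 'intrusion attempt' line with the 'Risk Name' line that follows it."""
    alerts, pending = [], None
    for line in text.splitlines():
        line = line.strip()
        m = ALERT_RE.match(line)
        if m:
            if pending:                      # previous alert had no risk line
                alerts.append(pending)
            pending = m.groupdict()
            pending["risk"] = None
            continue
        m = RISK_RE.match(line)
        if m and pending:
            pending["risk"] = m.group("risk")
            alerts.append(pending)
            pending = None
    if pending:
        alerts.append(pending)
    return alerts

def triage(alerts):
    """Group blocked destinations by process; flag OS processes (WINDOWS\\SYSTEM32).
    Assumption (mine, not Norton's): an OS process calling the flagged hosts means the
    malware runs inside the OS, so cleaning the browser alone will not fix it."""
    by_proc = defaultdict(lambda: {"destinations": set(), "risks": set(), "system_process": False})
    for a in alerts:
        path = a["path"].upper()
        entry = by_proc[path.rsplit("\\", 1)[-1]]      # executable name only
        entry["destinations"].add(a["ip"])
        if a["risk"]:
            entry["risks"].add(a["risk"])
        entry["system_process"] |= "\\WINDOWS\\SYSTEM32\\" in path
    return {p: {"destinations": sorted(v["destinations"]), "risks": sorted(v["risks"]),
                "system_process": v["system_process"]} for p, v in by_proc.items()}
```

Run `triage(parse_alerts(SAMPLE_LOG))` to see svchost.exe flagged as a system process talking to two of the addresses while firefox.exe accounts only for the third.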




#2 Shannon2012

  • Security Colleague
  • 3,657 posts
  • Gender: Male
  • Location: North Carolina, USA

Posted 12 April 2010 - 12:53 PM


Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Shannon

#3 RyanW.

  • Topic Starter
  • Members
  • 28 posts

Posted 12 April 2010 - 02:09 PM


Thanks. I had attached the DDS reports in the original post. However, the GMER tool is hanging. I've tried several times, but it continues to lock the computer up, where only a "hard" reset will work. Is there another tool that I can run besides GMER?

Ryan

#4 Shannon2012

  • Security Colleague
  • 3,657 posts
  • Gender: Male
  • Location: North Carolina, USA

Posted 14 April 2010 - 08:03 AM

Hi, Ryan W.-

Welcome to Bleeping Computer.

My name is Shannon and I will be working with you to remove the malware that is on your machine.

I apologize for the delay in replying to your post, but this forum is extremely busy.

There may be a delay in my response to your posts as I am still currently in training. I will be helping you with supervision of the teachers and they will approve every post before I present it to you.

Please don't make any further changes or run any other tools unless instructed to. Additional changes may hinder the cleaning of your machine.

Please Track this topic - On the top right on this thread, click on the Option button, and, in the drop-down list, click on 'Track this topic'. Under Subscription Information, click on 'Immediate Email Notification' and then click on the Proceed button at the bottom.

Please give me some time to look over your log. I will post the reply as soon as possible.

Shannon

#5 Shannon2012

  • Security Colleague
  • 3,657 posts
  • Gender: Male
  • Location: North Carolina, USA

Posted 14 April 2010 - 01:04 PM

Hi-

Let's try for the GMER report again with a slight change - we will disable one of its checks. If it still won't run to completion, try it in Safe Mode.

Run GMER from wherever you installed it earlier.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on gmer.exe to start the program.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • On the menu on the right side of the window, uncheck the Devices by clicking on it.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

If it still won't run, then we will move on to RootRepeal.
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive.
  • Open on your desktop.
  • Click the tab.
  • Click the button.
  • Check all seven boxes:
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.
In your next reply, please copy in the GMER report or the RootRepeal report.

Thanks.
Shannon

#6 RyanW.

  • Topic Starter
  • Members
  • 28 posts

Posted 15 April 2010 - 05:27 PM

Thank you for your help. Things have not gone well.

At first, I retried GMER, and it hung again. I then downloaded and ran the Root Repeal tool, and it gave me errors (see attached root repeal log, Error Message was "Error - end of index is past block!" ). After that, I found some obscure Norton 360 settings, and disabled them. Then I re-ran the GMER tool. It ran for nearly 24 hours, and then caused a system reboot.

I have since restarted the Root Repeal tool, and it is currently running again, no errors at this point. If Root Repeal completes, I will update with a new log file.

I posted my reply now in case you could notice anything in the original error file.

Thanks again for your help.

Ryan

Attached Files


Edited by RyanW., 15 April 2010 - 05:29 PM.


#7 Shannon2012

  • Security Colleague
  • 3,657 posts
  • Gender: Male
  • Location: North Carolina, USA

Posted 15 April 2010 - 05:53 PM

Hi-

Did you try GMER without Devices checked?
Shannon

#8 RyanW.

  • Topic Starter
  • Members
  • 28 posts

Posted 15 April 2010 - 05:58 PM


Yes, and it was going through the motion of what appeared to be scanning the entire C: drive when I last left it. When I came to check on it again, the computer had rebooted.

Estimated Start Time: 4pm 4/14
Estimated Reboot Time: 3pm 4/15

Further info: On the next Root Repeal run, it gave me the following error:

"Error - on-disk corruption detected, run chkdsk!"

I have since run chkdsk, and have rebooted, and retrying Root Repeal.

Ryan


#9 RyanW.

  • Topic Starter
  • Members
  • 28 posts

Posted 15 April 2010 - 09:34 PM


I have run "chkdsk /f", and "chkdsk /p" from recovery mode, and nothing I do seems to make Root Repeal run without erroring. I keep getting the following error:

"Error - on-disk corruption detected, run chkdsk!"

I have attached the log that was created, but I'm not sure how helpful it is.

Let me know if you think we can do anything, or if we're "toast". Thanks.

Ryan

Attached Files



#10 Shannon2012

  • Security Colleague
  • 3,657 posts
  • Gender: Male
  • Location: North Carolina, USA

Posted 16 April 2010 - 12:34 PM

Hi-

Important - The infection identified by Norton is a backdoor trojan. A backdoor trojan can allow hackers to remotely control your computer, steal critical system information and download and execute files. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be to reformat the hard drive and reinstall the operating system. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.
If you wish to continue, let's get started on cleaning up your machine.

Download Combofix from either of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: how-to-use-combofix

Link 1
Link 2

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.
2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" for further review.
Note:
Do not mouseclick ComboFix's window while it's running. That may cause it to stall.


If you decided to go forward with a cleanup, please copy in to your reply the ComboFix log.

Thanks

Shannon

#11 RyanW.

  • Topic Starter
  • Members
  • 28 posts

Posted 16 April 2010 - 03:18 PM


Thanks again for your help.

While ComboFix was running, I got the "chkdsk" error when it said it was trying to delete "c:\recycler\NPROTECT". ComboFix seemed to finish ok, and here is the log file.

Ryan

Attached Files



#12 Shannon2012

  • Security Colleague
  • 3,657 posts
  • Gender: Male
  • Location: North Carolina, USA

Posted 18 April 2010 - 05:58 AM

Hi-

We need to run a Malwarebytes' Anti-Malware scan and get an OTL listing. You will also need to copy in the log of your previous run.

Please run Malwarebytes' Anti-Malware
  • Click on the Update tab and click the Check for Updates button.
  • When the update is finished, click on the Scanner tab.
  • Select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 or 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

While you still have Malwarebytes' Anti-Malware open, click on the Logs tab. Open and copy into your reply the MBAM-log-yyyymmdd that you ran after the computer was infected.

We need to create an OTL Report
  • Please download OTL from here if you have not done so already:
  • Main Mirror
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Change the "Extra Registry" option to "Use SafeList"
  • Under the Custom Scan box paste in the contents of the CODE box.
    CODE
    netsvcs
    %SYSTEMDRIVE%\*.exe
    %ALLUSERSPROFILE%\Application Data\*.exe /s
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
  • Push the button.
  • Two reports will open, copy and paste them into your reply:
  • OTL.txt <-- Will be opened
  • Extra.txt <-- Will be minimized
In your reply, you will have copied the MBAM logs and the OTL logs.

Thanks.
Shannon

#13 RyanW.

  • Topic Starter
  • Members
  • 28 posts

Posted 19 April 2010 - 05:06 PM


Here are the scan files, thanks again for your help.

Ryan

Attached Files



#14 Shannon2012

  • Security Colleague
  • 3,657 posts
  • Gender: Male
  • Location: North Carolina, USA

Posted 19 April 2010 - 06:46 PM

Hi-

Thanks for the scan outputs. I'll look at them later this evening or first thing in the morning.

Don't forget the other request -

Quote:
    While you still have Malwarebytes' Anti-Malware open, click on the Logs tab. Open and copy into your reply the MBAM-log-yyyymmdd that you ran after the computer was infected.


How is the machine running? What problems are you still experiencing?


Shannon

#15 RyanW.

  • Topic Starter
  • Members
  • 28 posts

Posted 19 April 2010 - 07:01 PM

Oops, here's the earliest I could find. I thought I had run it on the 8th, but I can't find that log, it isn't listed.

As for the computer, I've been leaving it mostly off, and the Ethernet cable unplugged. I've got my wife using a laptop for the time being, as I just didn't trust the infected desktop yet, waiting for the "all clear". I've been transferring files with my flash drive, that I scan before using it on the laptop.

Ryan

Attached Files





