Tidserv Request II



#1 mocha427
  • Members
  • 4 posts

Posted 05 June 2010 - 09:01 AM

Every fifteen minutes or so I get a message from Norton saying that my computer is being attacked, which I read is the main symptom of this virus. I have more or less disabled my internet except for creating the logs and such. My Firefox also crashes a lot, my computer randomly freezes, and I cannot bring up the tasks my computer is running when connected to the internet. Once, while restarting, my computer also said that it removed infected files from the D drive.

I have attached my GMER log. However, the DDS scan will not work properly. I tried to run it twice; I get the initial screen, but it will not go beyond that phase other than adding "::"s every minute or two.

I would appreciate any help that you could provide. Thanks in advance.

Chris

Here is the log:


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-06-04 18:35:55
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\kxtdqpod.sys


---- System - GMER 1.0.15 ----

SSDT 82D83208 ZwAlertResumeThread
SSDT 82D85CF0 ZwAlertThread
SSDT 82C0D6E8 ZwAllocateVirtualMemory
SSDT 82D85D98 ZwAssignProcessToJobObject
SSDT 82BFABA8 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xB22A3130]
SSDT 82B9F118 ZwCreateMutant
SSDT 82F77E40 ZwCreateProcess
SSDT 82F77DC8 ZwCreateProcessEx
SSDT 82BC01F0 ZwCreateSymbolicLinkObject
SSDT 82D99C50 ZwCreateThread
SSDT 82D82E60 ZwDebugActiveProcess
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xB22A33B0]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xB22A3910]
SSDT 82C15930 ZwDuplicateObject
SSDT 82BE8D38 ZwFreeVirtualMemory
SSDT 82C16DE8 ZwImpersonateAnonymousToken
SSDT 82C2FDE8 ZwImpersonateThread
SSDT 82C13DA0 ZwLoadDriver
SSDT 82D95008 ZwMapViewOfSection
SSDT 82D090A8 ZwOpenEvent
SSDT 82C0EAF0 ZwOpenProcess
SSDT 82DB1C40 ZwOpenProcessToken
SSDT 82D980C0 ZwOpenSection
SSDT 82B9C2D8 ZwOpenThread
SSDT 82DAF008 ZwProtectVirtualMemory
SSDT 82F77990 ZwQueueApcThread
SSDT 82F77828 ZwReadVirtualMemory
SSDT 82F87610 ZwRenameKey
SSDT 82DCAE30 ZwResumeThread
SSDT 82DAC910 ZwSetContextThread
SSDT 82F77FA8 ZwSetInformationKey
SSDT 82CDE980 ZwSetInformationProcess
SSDT 82F77AF8 ZwSetInformationThread
SSDT 82CD59F8 ZwSetSystemInformation
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xB22A3B60]
SSDT 82DD3560 ZwSuspendProcess
SSDT 82D9A5B8 ZwSuspendThread
SSDT 82DEA950 ZwTerminateProcess
SSDT 82DAA2E0 ZwTerminateThread
SSDT 82DB0FD0 ZwUnmapViewOfSection
SSDT 82BE8AA8 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + 90 804E26FC 4 Bytes CALL 97D0E7D7
.text ntoskrnl.exe!_abnormal_termination + 1B0 804E281C 4 Bytes CALL 3AD0E98E
.text ntoskrnl.exe!_abnormal_termination + 1B8 804E2824 4 Bytes CALL 66D0EB26
.text ntoskrnl.exe!_abnormal_termination + 234 804E28A0 8 Bytes JMP 1C4082C0
.rsrc C:\WINDOWS\system32\drivers\ql1240.sys entry point in ".rsrc" section [0xF862C894]
? SYMEFA.SYS The system cannot find the file specified. !
init C:\WINDOWS\system32\drivers\tifm21.sys entry point in "init" section [0xF7351ABF]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe[680] kernel32.dll!CreateThread + 1A 7C8106F1 4 Bytes CALL 0044EDF9 C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe (Spy Sweeper Engine/Webroot Software, Inc.)
.text C:\WINDOWS\Explorer.EXE[800] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A2000A
.text C:\WINDOWS\Explorer.EXE[800] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00A8000A
.text C:\WINDOWS\Explorer.EXE[800] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00A1000C
.text C:\WINDOWS\System32\svchost.exe[1568] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 007B000A
.text C:\WINDOWS\System32\svchost.exe[1568] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 007C000A
.text C:\WINDOWS\System32\svchost.exe[1568] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 007A000C
.text C:\WINDOWS\System32\svchost.exe[1568] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 02D3000A
.text C:\WINDOWS\System32\svchost.exe[1568] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00C3000A
.text C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe[2900] kernel32.dll!CreateThread + 1A 7C8106F1 4 Bytes CALL 0044E9BD C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe (Spy Sweeper Client Executable/Webroot Software, Inc.)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SSFS041A.SYS (Spy Sweeper FileSystem Filter Driver/Webroot Software Inc (www.webroot.com))

Device \Driver\Tcpip \Device\Ip 82BE8B30

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device \Driver\Tcpip \Device\Tcp 82BE8B30

AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\Tcpip \Device\Udp 82BE8B30

AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\Tcpip \Device\RawIp 82BE8B30

AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\Tcpip \Device\IPMULTICAST 82BE8B30

AttachedDevice \FileSystem\Fastfat \Fat SSFS041A.SYS (Spy Sweeper FileSystem Filter Driver/Webroot Software Inc (www.webroot.com))
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device -> \Driver\atapi \Device\Harddisk0\DR0 82EE0D01

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\uqh5i8b3.default\Cache.Trash\Trash\Cache\00000CC6d01 23489 bytes
File C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\uqh5i8b3.default\Cache.Trash\Trash\Cache\00B19115d01 0 bytes
File C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\uqh5i8b3.default\Cache.Trash\Trash\Cache\00D45492d01 48963 bytes
File C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\uqh5i8b3.default\Cache.Trash\Trash\Cache\01030A39d01 59818 bytes
File C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\uqh5i8b3.default\Cache.Trash\Trash\Cache\0218E64Ed01 0 bytes
File C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\uqh5i8b3.default\Cache.Trash\Trash\Cache\0223BA11d01 36228 bytes
File C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\uqh5i8b3.default\Cache.Trash\Trash\Cache\02F022AEd01 42753 bytes
File C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\uqh5i8b3.default\Cache.Trash\Trash\Cache\0427C7EDd01 0 bytes
File C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\uqh5i8b3.default\Cache.Trash\Trash\Cache\04F6E309d01 88069 bytes
File C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\uqh5i8b3.default\Cache.Trash\Trash\Cache\0534C811d01 0 bytes
File C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\uqh5i8b3.default\Cache.Trash\Trash\Cache\05662DB5d01 0 bytes
File C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\uqh5i8b3.default\Cache.Trash\Trash\Cache\057FFF90d01 0 bytes
File C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\uqh5i8b3.default\Cache.Trash\Trash\Cache\05CCFE23d01 0 bytes
File C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\uqh5i8b3.default\Cache.Trash\Trash\Cache\06D19012d01 95334 bytes
File C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\uqh5i8b3.default\Cache.Trash\Trash\Cache\08127076d01 0 bytes
File C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\uqh5i8b3.default\Cache.Trash\Trash\Cache\0865F6B4d01 60584 bytes
File C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\uqh5i8b3.default\Cache.Trash\Trash\Cache\08EB8E62d01 0 bytes
File C:\WINDOWS\system32\drivers\ql1240.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

Merged 2 posts. ~ OB



Edited by Orange Blossom, 05 June 2010 - 06:36 PM.



#2 Farbar
  • Just Curious
  • Security Developer
  • 21,716 posts
  • Gender:Male
  • Location:The Netherlands

Posted 07 June 2010 - 06:32 PM

Hi mocha427,

Welcome to Virus/Trojan/Spyware/Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes.

Your computer is infected with a rootkit.
  1. We are going to run this special tool.
    • Please download TDSSKiller.exe and save it to your desktop.
    • Run TDSSKiller.exe.
    • When it has finished, press any key to continue.
    • Let it reboot if needed, and tell me whether it needed a reboot.
    • It also writes a txt file to the C:\ directory (like TDSSKiller.2.3.2.0_Date_Time_log.txt). Please attach it to your reply.

  2. Please download Malwarebytes' Anti-Malware from one of these locations:
    malwarebytes.org
    majorgeeks.com
    • Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note.)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the MBAM log.

    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with one of two prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


  3. Now please run DDS, attach the logs it creates, and also tell me how your computer is running.
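
The GMER log in the first post is what the rootkit diagnosis above rests on. As an added illustration (my own example, not code from GMER, from Farbar or from this thread), the Python below parses a constructed sample built from the same line shapes the log contains and ranks them. The unattributed SSDT hooks are rated only "medium" because security products hook the service table the same way and this machine has two of them installed; the CALL/JMP patches inside ntoskrnl, the driver whose entry point sits in a .rsrc section, the raw address answering \Device\Harddisk0\DR0 instead of the atapi driver, and the two files GMER marks "suspicious modification" are the entries that point at a TDL3-class rootkit. The severities, the regular expressions and the "likely rootkit" rule are this example's own assumptions, not GMER's.

```python
"""Triage helper for GMER rootkit-scan logs (added example, not GMER's code).

Heuristics chosen here:
  - SSDT entry with a bare kernel address and no owning driver: medium
    (security suites hook this way too; compare with a clean baseline)
  - CALL/JMP patch inside ntoskrnl code: high
  - driver entry point in a non-code section such as .rsrc: high
    (the normal INIT section is low)
  - \\Device\\HarddiskN\\DRn answered by a raw address: high (TDL3 symptom)
  - file reported as "suspicious modification": high
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample made of the kinds of lines GMER prints (not a real log).
SAMPLE_LOG = r"""
SSDT 82D83208 ZwAlertResumeThread
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xB22A3130]
.text ntoskrnl.exe!_abnormal_termination + 90 804E26FC 4 Bytes CALL 97D0E7D7
.text ntoskrnl.exe!_abnormal_termination + 234 804E28A0 8 Bytes JMP 1C4082C0
.rsrc C:\WINDOWS\system32\drivers\ql1240.sys entry point in ".rsrc" section [0xF862C894]
init C:\WINDOWS\system32\drivers\tifm21.sys entry point in "init" section [0xF7351ABF]
.text C:\WINDOWS\Explorer.EXE[800] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A2000A
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
Device -> \Driver\atapi \Device\Harddisk0\DR0 82EE0D01
File C:\WINDOWS\system32\drivers\ql1240.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification
"""


@dataclass
class Finding:
    severity: str   # "high", "medium" or "low"
    category: str
    detail: str     # syscall, path or device the line is about
    line: str
    note: str = ""


SSDT_RAW = re.compile(r"^SSDT [0-9A-F]{8} (Zw\w+)$")
SSDT_OWNED = re.compile(r"^SSDT \\\?\?\\(.+?) \(.+?\) (Zw\w+) \[0x[0-9A-Fa-f]+\]$")
KERNEL_PATCH = re.compile(r"^\.text ntoskrnl\.exe!(\S+) \+ [0-9A-F]+ [0-9A-F]{8} \d+ Bytes (?:CALL|JMP) [0-9A-F]{8}$")
USER_HOOK = re.compile(r"^\.text (.+?\[\d+\]) (\S+!\S+) ")
ENTRY_POINT = re.compile(r'^\S+ (.+?\.sys) entry point in "(\S+)" section', re.I)
DISK_REDIRECT = re.compile(r"^Device -> (\\Driver\\\S+) (\\Device\\Harddisk\d+\\DR\d+) [0-9A-F]{8}$")
MODIFIED = re.compile(r"^File (.+) suspicious modification$")
ATTACHED = re.compile(r"^AttachedDevice \S+ (\S+) (\S+)")

# Sections a driver entry point may legitimately live in (assumed list).
CODE_SECTIONS = {"init", ".text", "text", "page", "code"}


def classify(line: str):
    """Map one GMER log line to a Finding, or None for lines not triaged here."""
    line = line.strip()
    if m := SSDT_RAW.match(line):
        return Finding("medium", "ssdt-hook-unattributed", m.group(1), line,
                       "owner unknown; compare with a clean box running the same AV")
    if m := SSDT_OWNED.match(line):
        return Finding("low", "ssdt-hook-attributed", m.group(1), line)
    if m := KERNEL_PATCH.match(line):
        return Finding("high", "kernel-inline-patch", m.group(1), line)
    if m := USER_HOOK.match(line):
        return Finding("low", "usermode-hook", f"{m.group(1)} {m.group(2)}", line)
    if m := ENTRY_POINT.match(line):
        path, section = m.group(1), m.group(2)
        if section.lower() in CODE_SECTIONS:
            return Finding("low", "driver-entry-in-code-section", path, line)
        return Finding("high", "driver-entry-in-odd-section", path, line)
    if m := DISK_REDIRECT.match(line):
        return Finding("high", "disk-device-redirect", m.group(2), line,
                       f"{m.group(1)} replaced by a raw address on the disk device object")
    if m := MODIFIED.match(line):
        return Finding("high", "file-suspicious-modification", m.group(1), line)
    if m := ATTACHED.match(line):
        return Finding("low", "attached-device", f"{m.group(1)} <- {m.group(2)}", line)
    return None


def triage(log_text: str):
    """Classify every line, then corroborate entry-point anomalies with GMER's file verdicts."""
    findings = [f for f in map(classify, log_text.splitlines()) if f]
    modified = {f.detail.lower() for f in findings if f.category == "file-suspicious-modification"}
    for f in findings:
        if f.category.startswith("driver-entry") and f.detail.lower() in modified:
            f.severity = "high"
            f.note = "corroborated: GMER also reports this file as modified"
    return findings


def verdict(findings):
    """Count findings per severity and decide whether a kernel-mode rootkit is likely."""
    cats = {f.category for f in findings}
    likely = ("disk-device-redirect" in cats
              or ("kernel-inline-patch" in cats and "file-suspicious-modification" in cats))
    return {"counts": dict(Counter(f.severity for f in findings)), "likely_rootkit": likely}


if __name__ == "__main__":
    order = {"high": 0, "medium": 1, "low": 2}
    found = triage(SAMPLE_LOG)
    for f in sorted(found, key=lambda f: order[f.severity]):
        print(f"{f.severity:6} {f.category:30} {f.detail}" + (f"  [{f.note}]" if f.note else ""))
    print(verdict(found))
```

Run it against a saved GMER log with `triage(open("gmer.log").read())`. The "Device ->" rule is the one to trust most: TDSSKiller and GMER both key on the disk device object being answered by something other than the real port driver, which is exactly what the log in the first post shows for atapi.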


#3 mocha427
  • Topic Starter
  • Members
  • 4 posts

Posted 07 June 2010 - 07:55 PM

Hi farbar-

Thank you for your help with the rootkit. It is much appreciated.
Below is the Anti-Malware scan; both DDS logs and the TDSS log are attached.
Computer seems to be running better. No longer getting alerts and the like.

Anti-Malware Scan:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4177

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

6/7/2010 8:26:22 PM
mbam-log-2010-06-07 (20-26-22).txt

Scan type: Quick scan
Objects scanned: 125964
Time elapsed: 17 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\udqeeisd (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


#4 Farbar
  • Just Curious
  • Security Developer
  • 21,716 posts
  • Gender:Male
  • Location:The Netherlands

Posted 08 June 2010 - 02:54 AM

It looks good.
  1. We need to repair some broken file associations.
    Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the code box (without the word CODE) into a new file:


    CODE
    @ECHO OFF
    REM Restore the default .ini handler (open in Notepad)
    ftype inifile=%SystemRoot%\System32\NOTEPAD.EXE %1
    REM Restore the default .pif handler (run the shortcut target directly)
    ftype piffile="%1" %*

    • Go to the File menu at the top of the Notepad and select Save as.
    • Select Save in: desktop
    • Fill in File name: fix.bat
    • Save as type: All file types (*.*)
    • Click save.
    • Close the Notepad.
    • Locate fix.bat on the desktop.
    • Double-click to run it.
    • A window flashes, this is normal.

  2. Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
    • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
    • Look for "JDK 6 Update 20 (JDK or JRE)".
    • Click the Download JRE button to the right.
    • Select your Platform: "Windows".
    • Select your Language: "Multi-language".
    • Read the License Agreement, and then check the box that says: "Accept License Agreement".
    • Click Continue and the page will refresh.
    • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
    • Close any programs you may have running - especially your web browser.
    Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
    • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6u20-windows-i586.exe to install the newest version.

  3. Please download OTC and save it to Desktop.
    • Make sure you have internet connection.
    • Double-click OTC. In Windows Vista right-click to run it as administrator.
    • Click the CleanUp! button.
    • Select Yes when the "Begin cleanup Process?" prompt appears.
    • If you are prompted to Reboot during the cleanup, select Yes.

  4. You may delete any tool or log we used from your computer.

  5. First set a new restore point, then remove the old restore points to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools cannot access it to delete these bad files, which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll back" to a clean working state.

    To set a new restore point:
    • Go to Start > Programs > Accessories > System Tools and click "System Restore".
    • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.

    To remove the old restore points:
    • Go to Start > Run then type: Cleanmgr in the box and click "OK".
    • You get a window to select the drive to clean, the default is already set to (C:) drive. Click OK.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
    • Click OK and Yes.


Happy surfing, Chris.
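
The fix.bat above resets the two handlers this machine needed. As an added example (mine, not Farbar's and not the forum's), the Python below generalises that check to the handlers rogue AV suites usually hijack: it parses the text that `ftype` prints (run `ftype > ftypes.txt` in a command prompt; the sample here is constructed, with two entries pointing at an invented rogueav.exe), compares each known handler against the Windows XP default, flags any handler living in a user profile or temp directory, and emits the `ftype` lines that would restore the defaults. The defaults table is from memory and the suspect-directory pattern is a heuristic; confirm both against a known-clean machine before pasting the output into a batch file.

```python
"""Audit `ftype` output for hijacked file-type handlers (added example, not from the thread)."""
import re

# Windows XP defaults for handlers rogue AVs commonly hijack (assumed; verify on a clean box).
KNOWN_GOOD = {
    "exefile": '"%1" %*',
    "comfile": '"%1" %*',
    "batfile": '"%1" %*',
    "cmdfile": '"%1" %*',
    "piffile": '"%1" %*',
    "scrfile": '"%1" /S',
    "inifile": r"%SystemRoot%\System32\NOTEPAD.EXE %1",
    "txtfile": r"%SystemRoot%\system32\NOTEPAD.EXE %1",
    "regfile": 'regedit.exe "%1"',
}

# Directories a default handler never lives in (heuristic; XP and Vista+ profile layouts).
SUSPECT_DIRS = re.compile(
    r"\\Local Settings\\Application Data\\|\\Temp\\|\\AppData\\|"
    r"\\Documents and Settings\\[^\\]+\\(Application Data|Desktop)\\",
    re.I,
)

# Constructed sample of `ftype` output: exefile and inifile hijacked, the rest intact.
SAMPLE_FTYPE = r"""
batfile="%1" %*
exefile="C:\Documents and Settings\Owner\Local Settings\Application Data\rogueav\rogueav.exe" /START "%1" %*
htmlfile="C:\Program Files\Internet Explorer\iexplore.exe" -nohome
inifile=C:\Documents and Settings\Owner\Local Settings\Application Data\rogueav\rogueav.exe /START "%1"
piffile="%1" %*
txtfile=%SystemRoot%\system32\NOTEPAD.EXE %1
"""


def parse_ftype(text: str) -> dict:
    """Turn `ftype` output (one `type=command` per line) into a dict keyed by lower-case type."""
    handlers = {}
    for line in text.splitlines():
        if "=" in line:
            name, cmd = line.split("=", 1)
            handlers[name.strip().lower()] = cmd.strip()
    return handlers


def _norm(cmd: str) -> str:
    return re.sub(r"\s+", " ", cmd).strip().lower()


def audit(handlers: dict) -> list:
    """Return (type, current_command, reason) for each handler that looks tampered with."""
    issues = []
    for name, cmd in sorted(handlers.items()):
        expected = KNOWN_GOOD.get(name)
        if expected is not None and _norm(cmd) != _norm(expected):
            issues.append((name, cmd, f"differs from default {expected!r}"))
        elif SUSPECT_DIRS.search(cmd):
            issues.append((name, cmd, "handler lives in a user-profile or temp directory"))
    return issues


def repair_commands(issues: list) -> list:
    """Batch lines, in the style of fix.bat above, resetting each known handler to its default."""
    return [f"ftype {name}={KNOWN_GOOD[name]}" for name, _, _ in issues if name in KNOWN_GOOD]


if __name__ == "__main__":
    found = audit(parse_ftype(SAMPLE_FTYPE))
    for name, cmd, reason in found:
        print(f"{name}: {reason}\n    current: {cmd}")
    print("@ECHO OFF")
    print("\n".join(repair_commands(found)))
```

Handlers not in the table (htmlfile in the sample) are left alone unless their command points into a suspect directory, so the script reports an unfamiliar hijack without pretending to know its default.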


#5 mocha427
  • Topic Starter
  • Members
  • 4 posts

Posted 08 June 2010 - 10:33 AM

Thanks again for the help. Everything looks good on my end.

#6 Farbar
  • Just Curious
  • Security Developer
  • 21,716 posts
  • Gender:Male
  • Location:The Netherlands

Posted 08 June 2010 - 08:21 PM

You are most welcome.

This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send me a PM and I will reopen it for you.

If you should have a new issue, please start a new topic.

