HTTP Tidserv Request & Tidserv 2 attacks


  • This topic is locked
13 replies to this topic

#1 JOHNCWILD1

JOHNCWILD1

  • Members
  • 8 posts

Posted 10 June 2010 - 12:41 AM

Hello. I would like your help to remove a Backdoor Trojan. On May 25, 2010 I started receiving attempted intrusion attack notifications from Norton 360. These notifications can occur at random times. However, the notifications always occur when I execute an internet search from Google, Norton or Bing.

I have contacted Symantec technical support and was told that my computer was not infected. However, after researching on the web, I see that many other users are having the same issue. Also, Symantec notifications indicate that it is a serious threat. NOTE: Recently I sent a web page using IE to my wife's email, and now she is having the same issue. She has Norton antivirus supplied by Comcast on her laptop. I suspect I may have infected her laptop.

Norton history logs indicate that Norton is blocking the following intrusion attacks:
- identified by Norton 360 as "HTTP Tidserv Request" from url 7gafd33ja90a.com at ip addresses 85.12.46.155, 85.12.46.159 and url j00k877x.cc at ip address 192.212.226.130

- identified by Norton 360 as "HTTP Tidserv Request 2" from ip addresses 91.212.226.67 and 202.157.171.207.

NOTES:

- I have Norton 360 Firewall. Do I still need to activate the MS Windows Firewall as stated in the Preparation Guide?

- Cannot run GMER logs. Each time I try, after approximately 35 minutes of scanning the system reboots.

DDS logs

DDS (Ver_10-03-17.01) - NTFSx86
Run by John Wild at 22:42:15.80 on Wed 06/09/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.75 [GMT -4:00]

AV: Norton 360 Premier Edition *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 Premier Edition *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\dllhost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kodak\AiO\Center\ekdiscovery.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton 360 Premier Edition\Engine\4.2.0.12\ccSvcHst.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Roxio\MyDVD\MyDVD\USBDeviceService.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Norton 360 Premier Edition\Engine\4.2.0.12\ccSvcHst.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Sony\ISB Utility\ISBMgr.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\ATK0100\Hcontrol.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\Program Files\Roxio\MyDVD\MyDVD\DetectorApp.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\Program Files\Autobahn\mlb-nexdef-autobahn.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Norton 360 Premier Edition\Engine\4.2.0.12\MCUI32.EXE
C:\Documents and Settings\John Wild\Local Settings\Temporary Internet Files\Content.IE5\VHVDU61N\dds[1].scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://my.netzero.net/s/search?r=minisearch
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7&rlz=1I7GGLD
uDefault_Page_URL = hxxp://www.msn.com
uSearch Bar = hxxp://my.netzero.net/s/search?r=minisearch
mDefault_Search_URL = hxxp://my.netzero.net/s/search?r=minisearch
mSearch Page = hxxp://my.netzero.net/s/search?r=minisearch
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://my.netzero.net/s/search?r=minisearch
mSearchAssistant = hxxp://my.netzero.net/s/search?r=minisearch
uURLSearchHooks: URLSearchHook Class: {37d2cdbf-2af4-44aa-8113-bd0d2da3c2b8} - c:\program files\netzero\SearchEnh1.dll
mWinlogon: Userinit=c:\windows\system32\userinit.exe
uWinlogon: Shell=c:\program files\pcenter\pc.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Pop-up Blocker: {52706ef7-d7a2-49ad-a615-e903858cf284} - c:\program files\netzero\qsacc\X1IEBHO.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360 premier edition\engine\4.2.0.12\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360 premier edition\engine\4.2.0.12\IPSBHO.DLL
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.0989.0\msneshellx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: ZeroBar: {f0f8ecbe-d460-4b34-b007-56a92e8f84a7} - c:\program files\netzero\Toolbar.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.0989.0\msneshellx.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360 premier edition\engine\4.2.0.12\coIEPlg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {BC4FFE41-DE9F-46FA-B455-AAD49B9F9938} - No File
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
mRun: [ezShieldProtector for Px] c:\windows\system32\ezSP_Px.exe
mRun: [SonyPowerCfg] c:\program files\sony\vaio power management\SPMgr.exe
mRun: [Mouse Suite 98 Daemon] ICO.EXE
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [ISBMgr.exe] c:\program files\sony\isb utility\ISBMgr.exe
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\point32.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [HKSERV.EXE] c:\program files\sony\hotkey utility\HKserv.exe
mRun: [ATIModeChange] Ati2mdxx.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [Hcontrol] c:\windows\atk0100\Hcontrol.exe
mRun: [DetectorApp] c:\program files\roxio\mydvd\mydvd\DetectorApp.exe
mRun: [EKIJ5000StatusMonitor] c:\windows\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mlbtvn~1.lnk - c:\program files\autobahn\mlb-nexdef-autobahn.exe
uPolicies-explorer: NoViewOnDrive = 0 (0x0)
IE: Display All Images with Full Quality - "c:\program files\netzero\qsacc\appres.dll/228"
IE: Display Image with Full Quality - "c:\program files\netzero\qsacc\appres.dll/227"
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
DPF: {0000000A-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/8/B/E/8BE028EC-F134-4AA0-84AB-64F76D6B9842/wmsp9dmo.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?LinkID=39204
DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} - hxxps://vapwdb.ops.placeware.com/etc/place/DESK/VADpws-b3s/5.1.8.511/lib/quicksilver.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://kpmg.webex.com/client/T25L10NSP41EP15-kpmg/webex/ieatgpc.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0402000.00c\symds.sys [2010-5-24 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0402000.00c\symefa.sys [2010-5-24 173104]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\bashdefs\20100429.001\BHDrvx86.sys [2010-4-29 537136]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0402000.00c\cchpx86.sys [2010-5-24 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0402000.00c\ironx86.sys [2010-5-24 116784]
R2 BCMNTIO;BCMNTIO;c:\progra~1\checkit\diagno~1\BCMNTIO.sys [2006-1-10 3744]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-4-29 54752]
R2 MAPMEM;MAPMEM;c:\progra~1\checkit\diagno~1\MAPMEM.sys [2006-1-10 3904]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-5-27 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\ipsdefs\20100604.004\IDSXpx86.sys [2010-6-8 331640]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\virusdefs\20100609.022\NAVENG.SYS [2010-6-9 85552]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\virusdefs\20100609.022\NAVEX15.SYS [2010-6-9 1347504]
R3 SPI;Sony Programmable I/O Control Device;c:\windows\system32\drivers\SonyPI.sys [2004-3-31 37040]

=============== Created Last 30 ================

2010-06-10 02:19:22 0 ----a-w- c:\documents and settings\john wild\defogger_reenable
2010-06-08 01:37:05 767952 ----a-w- c:\windows\BDTSupport.dll.old
2010-06-05 04:41:59 0 d-sh--w- c:\documents and settings\john wild\IECompatCache
2010-05-28 00:35:38 3512 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-05-28 00:06:21 0 d-----w- c:\docume~1\alluse~1\applic~1\SITEguard
2010-05-28 00:05:41 3084288 ---ha-w- C:\SZKGFS.dat
2010-05-28 00:02:38 0 d-----w- c:\docume~1\alluse~1\applic~1\STOPzilla!

==================== Find3M ====================

2010-04-11 03:18:58 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-04-11 03:18:58 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-04-11 03:18:58 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-04-11 03:18:58 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-03-16 22:07:15 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-03-16 22:07:14 499712 ----a-w- c:\windows\system32\msvcp71.dll
2006-12-19 13:11:34 354 -csh--w- c:\windows\security\nwidcm.ini2
2005-02-12 15:00:50 56 -csh--r- c:\windows\system32\127A8360F2.sys
2008-11-11 07:49:19 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008111120081112\index.dat

============= FINISH: 22:47:30.46 ===============

tried GMER again and was successful.


NOTES:

- My wife's computer has now gone to a blue screen; I need a suggestion on how to proceed with that.

Merged 2 topics then posts removing redundant content. ~ OB


Edited by Orange Blossom, 10 June 2010 - 07:58 PM.
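The DDS report above carries a uWinlogon Shell line pointing at c:\program files\pcenter\pc.exe instead of Explorer.exe, plus several BHO/TB entries marked "No File". As an added example (not part of this thread, of DDS, or of any tool named here), this Python script pulls those two kinds of findings out of a pseudo-HJT report; the sample lines are copied from the log above.

```python
"""Flag the Winlogon Shell/Userinit hijack and orphaned BHO/toolbar entries
in a DDS "Pseudo HJT Report".  Added example for this thread; it is not part
of the DDS tool, of Malwarebytes, or of the forum post."""
import re

# Sample input: lines copied from the DDS report posted above.  The
# uWinlogon Shell line is the one MBAM later reported as Hijack.Shell.
SAMPLE_REPORT = r"""
mWinlogon: Userinit=c:\windows\system32\userinit.exe
uWinlogon: Shell=c:\program files\pcenter\pc.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360 premier edition\engine\4.2.0.12\coIEPlg.dll
TB: {BC4FFE41-DE9F-46FA-B455-AAD49B9F9938} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
"""

# Stock values on Windows XP.  DDS reports the machine-wide (HKLM) values
# with an "m" prefix and any per-user (HKCU) override with a "u" prefix.
STOCK_VALUES = {
    "shell": {"explorer.exe"},
    "userinit": {r"c:\windows\system32\userinit.exe"},
}

WINLOGON_RE = re.compile(r"^([um])Winlogon:\s*(Shell|Userinit)=(.*)$", re.IGNORECASE)
NOFILE_RE = re.compile(r"^(BHO|TB):\s*(.*?)\s*-\s*No File\s*$", re.IGNORECASE)


def _normalize(value):
    """Lower-case a registry path value and drop quotes and whitespace."""
    return value.strip().strip('"').lower()


def find_winlogon_hijacks(report):
    """Return (scope, key, value) for Winlogon entries that are not stock.

    scope is "user" for HKCU entries and "machine" for HKLM entries.  A
    per-user Shell override is itself unusual and a classic persistence
    point: the named program is started in place of Explorer at logon."""
    hits = []
    for line in report.splitlines():
        m = WINLOGON_RE.match(line.strip())
        if not m:
            continue
        scope = "user" if m.group(1).lower() == "u" else "machine"
        key = m.group(2).lower()
        # Both values are comma-separated lists in the registry; check each
        # element, ignoring the trailing comma that Userinit normally carries.
        entries = [_normalize(v) for v in m.group(3).split(",") if v.strip()]
        unexpected = [v for v in entries if v not in STOCK_VALUES[key]]
        if unexpected:
            hits.append((scope, key, ", ".join(unexpected)))
    return hits


def find_orphaned_entries(report):
    """Return (kind, clsid) for BHO/toolbar registrations whose DLL is gone.

    These are usually leftovers of a removed or half-removed add-on; they
    are not infections by themselves but should be cleaned up."""
    hits = []
    for line in report.splitlines():
        m = NOFILE_RE.match(line.strip())
        if m:
            hits.append((m.group(1).upper(), m.group(2)))
    return hits


def audit(report):
    """Run both checks and return a dict summarizing the findings."""
    return {
        "winlogon_hijacks": find_winlogon_hijacks(report),
        "orphaned_entries": find_orphaned_entries(report),
    }


if __name__ == "__main__":
    for category, findings in audit(SAMPLE_REPORT).items():
        print(f"{category}: {len(findings)}")
        for finding in findings:
            print("   ", *finding)
```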




#2 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,708 posts
  • Gender:Male
  • Location:The Netherlands

Posted 14 June 2010 - 05:54 AM

Hi JOHNCWILD1,

Welcome to Virus/Trojan/Spyware/Malware Removal (VTSMR) forum.

If the issue is not resolved please update me on the current condition of your computer and post the following log.

Please download MBR.EXE by GMER. Save the file in your Windows directory (C:\Windows).

Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the code box into a new file:

CODE
@echo off
if exist mbr.log del mbr.log
mbr.exe -t
ping 1.1.1.1 -n 1 -w 1000 >nul
start mbr.log

  • Go to the File menu at the top of the Notepad and select Save as.
  • Select Save in: desktop
  • Fill in File name: dirlook.bat
  • Save as type: All file types (*.*)
  • Click save.
  • Close the Notepad.
  • Locate look.bat on the desktop. It should look like this:
  • Double-click to run it.
  • A Notepad window opens; copy and paste its content (log.txt) into your reply.


#3 JOHNCWILD1

JOHNCWILD1
  • Topic Starter

  • Members
  • 8 posts

Posted 14 June 2010 - 09:44 AM

Hello farbar,
Thanks for your reply.
Issue continues.

My laptop received automatic Microsoft updates since I reported issue.
Microsoft Malware removal tool MRT.exe reported malware detected. It reported that it partially removed Windows32 alureon,H.

NOTE:
Wife's computer, a Dell Inspiron 6000 with XP Media Center Edition, had exhibited the same attacks reported by Norton, with attacks from a possible Trojan. It received automatic Microsoft updates for May and June. On the next bootup it went BSOD. It won't boot on any of the F8 menu options. I get a BSOD with the following:
STOP: c00021a {Fatal System Error}
The Session Manager Initialization system process terminated unexpectedly with a status of 0x000026c (0x00000000 0x00000000).
The system has been shut down.

Should I be concerned that on next bootup I may get BSOD?


See MBR results below:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x83157D01]<<
kernel: MBR read successfully
user & kernel MBR OK

#4 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,708 posts
  • Gender:Male
  • Location:The Netherlands

Posted 14 June 2010 - 10:21 AM

I don't think the driver that is patched by the malware will be updated by Windows, but I'm not sure. You have to reboot anyway before we do anything, as if we run a tool that requires a reboot and Windows finalizes the update on reboot it will be more complicated. Also, it is better to turn off Windows automatic updates until we are done.




#5 JOHNCWILD1

JOHNCWILD1
  • Topic Starter

  • Members
  • 8 posts

Posted 14 June 2010 - 11:34 PM

Ok Thanks.
I had to reboot to load software update for backup harddrive. Windows came up successfully.

I am backing up 40 GB of data now. Should take about 4 or 5 hours at the rate this software is copying.

Have you found anything in the logs that were copied to you?

What is next?

#6 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,708 posts
  • Gender:Male
  • Location:The Netherlands

Posted 15 June 2010 - 05:14 AM

The system is infected with a rootkit that, as I mentioned, has patched a keyboard driver.
  1. Download http://download.bleepingcomputer.com/farbar/TDLfix.exe and save it to your desktop.
    • Disable real-time protection of your security software and make sure it will not run at startup after reboot. It may otherwise interfere with the tool. (Information on A/V control HERE)
    • Close all the open windows.
    • Double-click TDLfix.exe to run the tool, a command window opens.
    • Type (or copy the following and right-click to paste) in the command window and press Enter:

      kbdclass
    • The application will restart the computer immediately and run after the restart.
    • Tell me if the computer rebooted and ran to completion.

  2. Let me know if the issue is resolved.


#7 JOHNCWILD1

JOHNCWILD1
  • Topic Starter

  • Members
  • 8 posts

Posted 15 June 2010 - 01:03 PM

farbar:

Problem appears to be cleared. Thank you very much!

Now I am getting message alert from Norton spyware virus protection about a file on newly loaded software for backup drive.

Message is as follows:
kbdclass.sys.old contained threat
Backdoor.Tidserv!inf
File: h:\wd smartware.swstor\johncwild\
volume.8f9f6080.48df.11d9.bb3d.806d6172696f\vir\kbdclass.sys.old
Blocked

Western Digital required virus protection be turned off during software update download. Possibly the virus attached itself while I was loading software for backup drive or the backed up file has the virus in the C: drive file as well. As this is "kbdclass.sys.old" can I delete this file or do we need to do this a different way?

Also, is there any recommended virus/spyware/antimalware software that could have prevented this? Apparently Symantec (Norton 360) protection didn't work.



#8 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,708 posts
  • Gender:Male
  • Location:The Netherlands

Posted 15 June 2010 - 01:48 PM

Don't worry about the found file. C:\vir is the quarantine folder made by TDLfix, and the tool renamed the file to kbdclass.sys.old. When the rootkit is active most antiviruses can't detect it. When we remove the infection the resident AV finds the removed and inactive file. We don't need the file any more, and we would have removed it anyway.

At the end I'll give some recommendations, but no antivirus is able to prevent this malware. Users should be more vigilant about the sites they visit and the downloads. Also, opening emails with attachments (even from friends) should be done with caution.
  1. Run TDLfix, type del and press Enter. This was supposed to delete the quarantined infected file and mbr.exe. Delete the tool from your desktop.

  2. Update your Java to the latest version (Java 6 update 20).

  3. This small application you may want to keep and use to keep the computer clean.
    Download CCleaner from here http://www.ccleaner.com/
    • Run the installer to install the application.
    • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
    • Run CCleaner. (make sure under Windows tab all the boxes of Internet Explorer and Windows explorer are checked. Under System check Empty Recycle Bin and Temporary Files. Under Application tab all the boxes should be checked).
    • Click Run Cleaner.
    • Close CCleaner.

  4. Please download Malwarebytes' Anti-Malware from one of these locations:
    malwarebytes.org
    majorgeeks.com
    • Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the MBAM log.

    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



#9 JOHNCWILD1

JOHNCWILD1
  • Topic Starter

  • Members
  • 8 posts

Posted 15 June 2010 - 07:47 PM

Thank you again. All seems to be OK now.

File kbdclass.sys.old is deleted.

Successfully used Cleaner.

MBAM ran successfully.

One last question: is there any way to get Malwarebytes to run on the D:\ partition of the hard disk? The drive was partitioned when I purchased the PC in Japan. I will be removing the partition as soon as I am sure that all my data is recoverable from the portable backup drive. The files are pictures, music, movies and other documents. Some of these files I suspect are infected and the source of some of what was on the C:\ drive partition.

MBAM LOG Below:
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4201

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/15/2010 7:57:58 PM
mbam-log-2010-06-15 (19-57-58).txt

Scan type: Quick scan
Objects scanned: 143563
Time elapsed: 27 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 41
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 7
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{f7d09218-46d7-4d3d-9b7f-315204cd0836} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{e63648f7-3933-440e-b4f6-a8584dd7b7eb} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{f10587e9-0e47-4cbe-abcd-7dd20b862223} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{013a653b-49a6-4f76-8b68-e4875ea6ba54} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{1daefcb9-06c8-47c6-8f20-3fb54b244daa} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{35f7813a-af74-4474-b1dc-7ee6fb6c43c6} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{3fd6b99c-a275-46ea-8fd1-3d63986e51e4} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{46a4e9d9-b30e-452a-8157-dbbec8573b03} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{74dd705d-6834-439c-a735-a6dbe2677452} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{93c6313c-9db4-4694-8bd0-e378c573a9ad} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{f18f04b0-9cf1-4b93-b004-77a288bee28b} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f10587e9-0e47-4cbe-abcd-7dd20b862223} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{013a653b-49a6-4f76-8b68-e4875ea6ba54} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1daefcb9-06c8-47c6-8f20-3fb54b244daa} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{35f7813a-af74-4474-b1dc-7ee6fb6c43c6} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3fd6b99c-a275-46ea-8fd1-3d63986e51e4} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{46a4e9d9-b30e-452a-8157-dbbec8573b03} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{74dd705d-6834-439c-a735-a6dbe2677452} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{93c6313c-9db4-4694-8bd0-e378c573a9ad} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f18f04b0-9cf1-4b93-b004-77a288bee28b} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9034a523-d068-4be8-a284-9df278be776e} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\videoPl.chl (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Online Add-on (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\FocusInteractive (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Juan (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (C:\Program Files\PCenter\pc.exe) Good: (Explorer.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\John Wild\Application Data\searchtoolbarcorp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\John Wild\Application Data\searchtoolbarcorp\Toolbar Vision (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\ScreenSaver (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\ScreenSaver\Images (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\Shared (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\Online Add-on (Trojan.Zlob) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\John Wild\Application Data\searchtoolbarcorp\Toolbar Vision\PageHistory.txt (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\John Wild\Application Data\searchtoolbarcorp\Toolbar Vision\WebHistory.txt (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\ScreenSaver\Images\1CE142AF.urr (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\Online Add-on\ot.ico (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Program Files\Online Add-on\ts.ico (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\RECYCLER\ADAPT_Installer.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.

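The "Hijack.Shell" entry in the log above (the Winlogon Shell value pointed at C:\Program Files\PCenter\pc.exe instead of Explorer.exe) is a good illustration of a persistence check a defender can run for themselves. The following PowerShell script is an added example, not something posted in this thread or a Malwarebytes feature: it reads the Winlogon Shell and Userinit values and reports anything that differs from the stock Windows defaults. The expected values are assumptions for a default install; a per-user (HKCU) Shell override is only flagged for review, since some kiosk setups use it legitimately.

```powershell
# Added example (not from the thread): audit the Winlogon Shell/Userinit values
# that malware such as the "Hijack.Shell" entry in the log modifies.
# Expected defaults are assumptions for a standard Windows install.

$checks = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
       Name = 'Shell';    Expected = 'explorer.exe' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
       Name = 'Userinit'; Expected = "$env:SystemRoot\system32\userinit.exe," },
    # A per-user Shell value is not present on a default install; the log above
    # shows malware using exactly this key to launch pc.exe instead of Explorer.
    @{ Path = 'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
       Name = 'Shell';    Expected = $null }
)

foreach ($c in $checks) {
    $item   = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    $actual = if ($item) { $item.($c.Name) } else { $null }
    $label  = "$($c.Path)\$($c.Name)"

    if ($null -eq $c.Expected) {
        # Key should be absent: anything set here deserves a look.
        if ($null -ne $actual) { "REVIEW      $label = '$actual' (per-user Shell override present)" }
        else                   { "OK          $label not present" }
    }
    elseif ($actual -and ($actual.Trim().ToLower() -eq $c.Expected.ToLower())) {
        "OK          $label = '$actual'"
    }
    else {
        # Either missing or pointing somewhere other than the stock binary.
        "SUSPICIOUS  $label = '$actual' (expected '$($c.Expected)')"
    }
}
```

Run it from an elevated PowerShell prompt so the HKLM keys are readable; on the machine in this thread it would have reported the HKCU Shell value as REVIEW with pc.exe as the target. Any SUSPICIOUS line should be compared against the scanner logs before deciding whether it is a leftover.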

#10 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,708 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:09:57 PM

Posted 15 June 2010 - 07:59 PM

Firstly thank you for the donation.

To scan the D partition when you use Malwarebytes, use "Perform full scan" and make sure all the drives listed are selected.

I would like to have a full system scan to make sure no leftovers are on the system. I'll see the log tomorrow as it is too late here.

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the icon on your desktop.
  • Check
  • Click the button.
  • Accept any security warnings from your browser.
  • Check
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push
  • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the button.
  • Push

A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

#11 JOHNCWILD1

JOHNCWILD1
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:03:57 PM

Posted 16 June 2010 - 08:33 AM

farbar:
Thanks for everything. Let me know if there is anything else. I will be traveling for the next few days, so I may not respond as quickly.

Here is the log from the ESET Online scan:
C:\WINDOWS\security\nwidcm.ini2 Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\WINDOWS\security\nwidcm.tmp Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\WINDOWS\system32\ddwekuhj.ini Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\WINDOWS\system32\vvycf.tmp Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined

#12 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,708 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:09:57 PM

Posted 16 June 2010 - 12:49 PM

Hi John,

Thanks for letting me know, have a good journey.

It looks good.
  1. You may delete the logs and any tool we used from your computer.

  2. First set a new restore point, then remove the old restore points to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools cannot access it to delete these bad files, which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll back" to a clean working state.

    To set a new restore point:
    • Go to Start > Programs > Accessories > System Tools and click "System Restore".
    • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.

    To remove the old restore points:
    • Go to Start > Run then type: Cleanmgr in the box and click "OK".
    • You get a window to select the drive to clean, the default is already set to (C:) drive. Click OK.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
    • Click OK and Yes.

Recommendations:
  1. I recommend using Site Advisor for safe surfing. It is a free extension both for Internet Explorer and Firefox. When you search a site it gives you an indication of how safe a site is.

  2. I recommend installing this small application for safe surfing: Javacools© SpywareBlaster
    SpywareBlaster will add a large list of programs and sites into your Internet Explorer and Firefox settings and that will protect you from running and downloading known malicious programs.
    • Download and install it.
    • Update it manually by clicking on Updates in the left pane and then Check for Updates.
    • Then enable all the protections by clicking on Protection Status on the left pane. Then click on Enable All Protection.
    • The free version doesn't have an automatic update. Update it once every two or three weeks and enable all protection again.


Do you have any questions before closing the topic?

#13 JOHNCWILD1

JOHNCWILD1
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:03:57 PM

Posted 16 June 2010 - 10:08 PM

farbar:
Thanks again for all your help and recommendations.

I will take all the other actions you have recommended.

No more questions for now. The topic can be closed.

Just one note for you, though. PayPal will list "farbar0" on the billing statement for the donation. However, when they sent the confirmation email to me, they included your full name. Not sure if your anonymity is important in these activities. If it is, you may want to let them know about this.

I hope if I have trouble in the future, I get someone as good as you have been on this issue. Your instructions have been very clear and concise. I have enjoyed learning from you.

Sincerely,
John

#14 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,708 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:09:57 PM

Posted 17 June 2010 - 01:03 AM

You are most welcome John and thank you for your kind words. I enjoyed working on this with you too.

This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send me a PM and I will reopen it for you.

If you should have a new issue, please start a new topic.
