
Infected with BackDoor.Tdss.565


47 replies to this topic

#1 annmeris

  • Members
  • 40 posts

Posted 13 June 2010 - 02:26 AM

All three computers are infected with this trojan. I've tried Dr. Web CureIt, then Malwarebytes. It did get rid of the virus, only for it to return when I rebooted. System Restore was turned off at that time. I've tried other software: Spyware Doctor and a few more. AV Security Suite also tried to install on this computer; even though I would not allow it through McAfee, it did get in. I used Spyware Doctor and I believe I did get that removed. When I open a browser, another one opens with seach.google-analytics.com in the address box. I tried running GMER a number of times and it always crashed (computer turned off and back on). The log I included is from one run that I stopped just before the crash. If it didn't crash before, then it always crashed when scanning Program Files, Java or Javasoft.

These computers are on a home network. McAfee virus protection software, provided by the cable company, was running on all the computers. I've been working on this problem for over a week and haven't gotten anywhere. I really need help desperately, especially because it is on all of our computers. I won't send email from the computers for fear of sending the trojan with it.

Help please,
Ann

#2 shelf life

  • Malware Response Team
  • 2,675 posts
  • Gender:Male
  • Location:@localhost

Posted 17 June 2010 - 03:57 PM

hi annmeris,

Your logs are a few days old. If you still need help simply reply to my post.

How Can I Reduce My Risk to Malware?


#3 annmeris (Topic Starter)

  • Members
  • 40 posts

Posted 27 June 2010 - 05:03 PM

I believe BackDoor.Tdss.565 is gone. Google doesn't seem to be redirecting, but Yahoo still does. I've attached new text files for GMER, Malwarebytes and OTL. Can someone help me with this? It is on all our computers.
Thanks...Ann

#4 shelf life

  • Malware Response Team
  • 2,675 posts
  • Gender:Male
  • Location:@localhost

Posted 27 June 2010 - 08:57 PM

You can download and run Combofix. There is a guide to read first. Read the guide then apply the directions in the guide on your own computer. Post the log in your reply:

Guide to using Combofix




#5 annmeris (Topic Starter)

  • Members
  • 40 posts

Posted 28 June 2010 - 02:27 PM

Combofix locked up at "Don't run any programs until combofix is finished". After an hour, I rebooted. In directory c:/combofix is a list of individual files, very nicely separated by individual processes. Is this usable? Can I upload the whole directory?

#6 shelf life

  • Malware Response Team
  • 2,675 posts
  • Gender:Male
  • Location:@localhost

Posted 28 June 2010 - 06:29 PM

Do you see a .txt file in the C:\Combofix folder(s)? That would be the log that combofix generated after the run.
You can also run TDSSKiller. Link and directions:


Please download TDSS Killer.zip and save it to your desktop.
Extract the zip file to your desktop. Double click to launch the utility. Follow the prompts.

Please post the report.txt that will be generated in your root drive C:

The file is labeled: TDSSKiller version_date_time_log.txt




#7 annmeris (Topic Starter)

  • Members
  • 40 posts

Posted 29 June 2010 - 01:07 AM

There are many txt files. ComboFix.txt is 3 lines and states Microsoft Security Essentials disabled, Norton worm protection enabled.

Did combofix install Norton worm protection? Or do you have any idea where it is coming from?

I ran TDSSKiller a few procedures ago. I think it's gone, because Dr. Web CureIt doesn't find it anymore. I'll run it again and post.

#8 annmeris (Topic Starter)

  • Members
  • 40 posts

Posted 29 June 2010 - 02:38 AM

I re-ran combofix. I attached the log. I'm pretty sure I'm seeing hooks and URLs in the registry. Please let me know what you see.



#9 shelf life

  • Malware Response Team
  • 2,675 posts
  • Gender:Male
  • Location:@localhost

Posted 29 June 2010 - 04:23 PM

That combofix log is from the 2nd time combofix had been run and looks ok. Did you have a Norton product installed at one time? What's the status on the redirects? Gone now?



#10 annmeris (Topic Starter)

  • Members
  • 40 posts

Posted 29 June 2010 - 10:26 PM

No, it's not OK, I still have them. I looked over the file; although I have no clue as to what it is showing, I think there are suspicious things in it and it looks like the registry to me. Well, maybe a clue. Please look at the entries directly after:
(Reg Loading Points
*Note* empty entries & legit default entries are not shown)

and let me know what you think. All of them that I see have to do with Internet Explorer, Safari and Browser Help.

Thanks...Ann

#11 shelf life

  • Malware Response Team
  • 2,675 posts
  • Gender:Male
  • Location:@localhost

Posted 30 June 2010 - 06:47 PM

Hi Ann,

Rerun TDSSKiller and post the log. I know you already ran it, but I would delete your copy and get a new one in case it has been recently updated.

Please download TDSS Killer.zip and save it to your desktop.
Extract the zip file to your desktop. Double click to launch the utility. Follow the prompts.

Please post the report.txt that will be generated on your desktop after running the utility.

Labeled: TDSSKiller version_date_time_log.txt

Next we will use combofix:

Click Start, then Run, type Notepad and click OK.
Copy/paste the text in the code box below into Notepad:

CODE
File::
C:\xiwej3fs.exe
c:\documents and settings\Ann Weiser\Local Settings\Application Data\sxuagkjne\pjbgnxrtssd.exe
c:\documents and settings\Ann Weiser\Local Settings\Application Data\sxuagkjne
c:\docume~1\ANNWEI~1\LOCALS~1\Temp\Oxr.exe
c:\documents and settings\Ann Weiser\Local Settings\Application Data\sxuagkjne\pjbgnxrtssd.exe
c:\docume~1\ANNWEI~1\LOCALS~1\Temp\FQJNWTMHEJK.exe
c:\docume~1\ANNWEI~1\LOCALS~1\Temp\RFHIINTUDE.exe

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\M5T8QL3YW3]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wmiufklt]

Driver::
FQJNWTMHEJK
RFHIINTUDE


Name the Notepad file CFScript.txt and save it to your desktop.
Now locate the file you just saved and the combofix icon, both on your desktop.
Using your mouse, drag the CFScript right on top of the combofix icon and release; combofix will run and produce a new log.
Please post the new combofix log.






#12 annmeris (Topic Starter)

  • Members
  • 40 posts

Posted 01 July 2010 - 02:42 AM

OK, here they are.
I hope we are close. I still have redirects. If I start with a Google search and don't change to Yahoo, it doesn't redirect. If I use a Yahoo search it redirects. Once I use a Yahoo search, all searches including Google redirect from there forward, as long as I don't reboot.



#13 shelf life

  • Malware Response Team
  • 2,675 posts
  • Gender:Male
  • Location:@localhost

Posted 01 July 2010 - 09:02 PM

hi,

OK. Thanks for the info. To help show all files, do this:

For XP: on the desktop double click My Computer, at the top click on Tools > Folder Options > View, then select "Show hidden files and folders", then UNcheck "Hide protected operating system files" and also UNcheck "Hide extensions for known file types". Click Apply to All Folders, Apply, then OK.

Next, using Explorer, navigate to:
c:\documents and settings\Ann Weiser\Application Data
and delete these folders named:
Kilei and Oqulgo

You can also do an online scan here;
ESET online scanner:

http://www.eset.com/onlinescan/

Uses Internet Explorer only.
Check "YES" to accept terms.
Click the start button.
Allow the ActiveX component to install.
Click the start button. The scanner will update.
Check both "Remove found threats" and "Scan unwanted applications".
Click scan.
When done you can find the scan log at: C:\Program Files\EsetOnlineScanner\log.txt
Please copy/paste that log in your next reply.

Please repeat the GMER scan. See step #8 here and post the log.




#14 annmeris (Topic Starter)

  • Members
  • 40 posts

Posted 02 July 2010 - 12:58 PM

Here is the log from eset:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=204ed873e92c1947a15fa6eb1310e6c9
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-07-02 04:31:19
# local_time=2010-07-01 09:31:19 (-0800, Pacific Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=5891 16776533 100 100 0 7544687 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=26874
# found=1
# cleaned=1
# scan_time=971
C:\Documents and Settings\Ann Weiser\DoctorWeb\Quarantine\Morph2021.exe multiple threats (deleted - quarantined) 00000000000000000000000000000000 C


I've loaded the last gmer log.

R we close???
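The ESET Online Scanner log posted above is a header of "# key=value" lines followed by one line per detection (path, threat description, action in parentheses, a 32-hex hash, a flag). The helper below, an added example that is not part of the thread, parses that layout and flags detections whose action did not remove the threat; the sample log is constructed (placeholder hash and threat name), and the assumption that a detected file's final path component contains no spaces is mine.

```python
import re
from typing import Dict, List

# Constructed sample in the layout of the ESET log quoted in the thread;
# the hash is a placeholder and the second line is made up.
SAMPLE_LOG = """\
# version=7
# end=finished
# remove_checked=true
# scanned=26874
# found=2
# cleaned=1
# scan_time=971
C:\\Documents and Settings\\User\\DoctorWeb\\Quarantine\\Morph2021.exe multiple threats (deleted - quarantined) 00000000000000000000000000000000 C
C:\\Temp\\sample.exe a variant of Win32/Example (unable to clean) 00000000000000000000000000000000 C
"""

DETECTION_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\(?:[^\\]*\\)*\S+) "  # drive path; file name has no spaces (assumption)
    r"(?P<threat>.+?) "                         # threat description, may contain spaces
    r"\((?P<action>[^)]*)\) "                   # action taken, e.g. "deleted - quarantined"
    r"(?P<hash>[0-9A-Fa-f]{32}) "
    r"(?P<flag>\S+)$"
)

def parse_eset_log(text: str) -> Dict[str, object]:
    """Split a log into header key/values and a list of parsed detections."""
    header: Dict[str, str] = {}
    detections: List[Dict[str, str]] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("# ") and "=" in line:
            key, _, value = line[2:].partition("=")
            header[key.strip()] = value.strip()
        else:
            m = DETECTION_RE.match(line)
            if m:
                detections.append(m.groupdict())
    return {"header": header, "detections": detections}

def needs_follow_up(parsed: Dict[str, object]) -> Dict[str, object]:
    """Cross-check header counts against detection lines and list anything
    whose action did not delete, clean or quarantine the file."""
    header = parsed["header"]
    found, cleaned = int(header.get("found", "0")), int(header.get("cleaned", "0"))
    removed = ("deleted", "cleaned", "quarantined")
    uncleaned = [d for d in parsed["detections"]
                 if not any(word in d["action"] for word in removed)]
    return {"found": found, "cleaned": cleaned,
            "count_matches": found == len(parsed["detections"]),
            "uncleaned": uncleaned}
```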



#15 annmeris (Topic Starter)

  • Members
  • 40 posts

Posted 02 July 2010 - 01:09 PM

Yahoo searches are still redirecting.



