Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

HTTPS Tidserv, 19js810300z.com rootkit removal


  • This topic is locked This topic is locked
12 replies to this topic

#1 Stoneway

Stoneway

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:03:41 PM

Posted 03 July 2010 - 12:14 PM

Good afternoon,

I have been working on my computer for 3 days now and have cleaned some items that are obvious viruses, but I now notice that my computer will establish a connection to the malware website, and then I get hit with the worm attempt from that website. Norton blocks the worm attempt, but I'm already infected badly. Windows Update also does not work.

I have performed the activities per the Malware removal guidance and have posted my DDS ang GMER log files.

I would very much appreciate any help as this appears to be the most professional and knowledgable web-site on this topic I have yet found.

Thanks,
Kevin

Attached Files

  • Attached File  DDS.txt   17.32KB   6 downloads
  • Attached File  ark.txt   142.98KB   8 downloads


BC AdBot (Login to Remove)

 


#2 Stoneway

Stoneway
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:03:41 PM

Posted 05 July 2010 - 04:12 PM

Here is some more information regarding my viruses/rootkit on my computer.

I was able to trace the root portion of the virus to using the msfeedssync.exe to communicate out to the 19js810300z.com destination. The root sends 70 bytes and receives 640 bytes in return, at which point the 19js810300z.com source begins attempting to send the HTTPS Tidserv to my computer. Norton blocks that particular attack.

I renamed msfeedssync.exe and rebooted and the root did not succeed in connecting to the virus site. Named it back to normal and rebooted and virus connected again. I also had run MalwareBytes earlier and numerous other viruses were detected and removed, but subsequent scans do not detect any viruses.

In addition, another virus that uses chrome/firefox was on my computer, but I successfully removed the DLL and registry keys and that virus does no re-appear in the registry or application data.

I probably should have looked here first before working on the problem first and not done anything because it would be easier to trace. I know better if something like this happens again in the future.

Thanks ahead of time for any help.

#3 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:03:41 AM

Posted 06 July 2010 - 09:05 AM

Hello and welcome to Bleeping Computer. smile.gif

*Please Subscribe to this Thread to get immediate notification of replies. See HERE

*It is important not to make any further changes or run any other tools/updates unless instructed to. This may hinder the cleaning process of your machine.

*Please be patient, all Bleeping Computer helpers are volunteers and have lives outside this forum.

*You must reply within 5 days otherwise this topic will be closed.



====================================


Did you created the folder r190 on your desktop and moved some legitimate files there?


====================================


Download Combofix (by Subs) from any of the links below, make sure that you save it to your desktop.
Link 1
Link 2

  • It's important to temporary disable your anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. See HERE
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
*It's strongly recommended to have this pre-installed on your machine before doing any malware removal.
*The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
*This allows us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures. If you did not have it installed, you will see the prompt below. Choose YES.


  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Important notes:
  1. Leave your computer alone while ComboFix is running.
  2. ComboFix will restart your computer if malware is found; allow it to do so.
  3. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
  4. Please do not mouseclick combofix's window while its running because it may call it to stall.
  5. ComboFix SHOULD NOT be used unless requested by a forum helper. See HERE.




~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#4 Stoneway

Stoneway
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:03:41 PM

Posted 07 July 2010 - 12:07 PM

I have run Combofix per the instructions and attached the log file.

Regarding the question about the folder r190 on the desktop, I do recall creating that directory and downloading sound card files back in 2008, but I no longer have a need for those files and cannot rule out that they were altered or hijacked since I downloaded them.

Attached Files



#5 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:03:41 AM

Posted 08 July 2010 - 05:54 AM

Hi,

Please do not attach logs unless instructed.


==================================


1. Please go to http://virscan.org/
  • Copy and paste or navigate the following file path into the "Suspicious files to scan" box on the top of the page:
    C:\qpmd8377.bin
    c:\windows\system32\regsvr32.exe
  • Click on the Upload button
  • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.



2. We need to execute a ComboFix script. (Tutorials on how to disable your anti virus and anti malware programs can be found HERE.)
1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the code box below into it:

CODE
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000000
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"=-

RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]


4. Save this as CFScript.txt, in the same location as ComboFix.exe




5. Refering to the picture above, drag CFScript into ComboFix.exe

6. When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#6 Stoneway

Stoneway
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:03:41 PM

Posted 08 July 2010 - 11:25 AM

Here are the results from the virusorg scan for the first file (C:\qpmd8377.bin), yet I could not locate the file c:\windows\system32\regsvr32.exe in that directory.

VirSCAN.org Scanned Report :
Scanned time : 2010/07/08 23:42:53 (CST)
Scanner results: Scanners did not find malware!
File Name : qpmd8377.bin
File Size : 21 byte
File Type : ASCII text, with CRLF line terminators
MD5 : d700c1fab4b1a9819fb85ace190ef330
SHA1 : 3d1f0c809e3aea55a76f3096a067d87fbeebec91
Online report : http://virscan.org/report/5429ee263b1f8bc3...8cd45973f2.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 5.0.0.13 20100708022008 2010-07-08 5.91 -
AhnLab V3 2010.07.08.00 2010.07.08 2010-07-08 1.51 -
AntiVir 8.2.4.10 7.10.9.48 2010-07-08 0.28 -
Antiy 2.0.18 20100704.4829244 2010-07-04 0.02 -
Arcavir 2009 201006281601 2010-06-28 0.01 -
Authentium 5.1.1 201007081009 2010-07-08 1.27 -
AVAST! 4.7.4 100708-0 2010-07-08 0.00 -
AVG 8.5.793 271.1.1/2989 2010-07-08 0.23 -
BitDefender 7.90123.6432402 7.32678 2010-07-08 3.86 -
ClamAV 0.96.1 11327 2010-07-06 0.00 -
Comodo 4.0 5362 2010-07-08 1.09 -
CP Secure 1.3.0.5 2010.07.08 2010-07-08 0.01 -
Dr.Web 5.0.2.3300 2010.07.08 2010-07-08 8.61 -
F-Prot 4.4.4.56 20100707 2010-07-07 1.29 -
F-Secure 7.02.73807 2010.07.08.02 2010-07-08 10.97 -
Fortinet 4.1.133 12.131 2010-07-07 0.18 -
GData 21.479/21.175 20100708 2010-07-08 7.34 -
ViRobot 20100707 2010.07.07 2010-07-07 0.39 -
Ikarus T3.1.01.84 2010.07.08.76221 2010-07-08 6.99 -
JiangMin 13.0.900 2010.07.08 2010-07-08 1.23 -
Kaspersky 5.5.10 2010.07.08 2010-07-08 0.03 -
KingSoft 2009.2.5.15 2010.7.8.18 2010-07-08 0.69 -
McAfee 5400.1158 6036 2010-07-07 16.87 -
Microsoft 1.5902 2010.07.08 2010-07-08 6.85 -
Norman 6.05.11 6.05.00 2010-07-08 6.01 -
Panda 9.05.01 2010.07.04 2010-07-04 0.51 -
Trend Micro 9.120-1004 7.294.11 2010-07-08 0.02 -
Quick Heal 11.00 2010.07.08 2010-07-08 2.02 -
Rising 20.0 22.55.03.04 2010-07-08 0.20 -
Sophos 3.09.0 4.55 2010-07-08 3.62 -
Sunbelt 3.9.2428.2 6558 2010-07-07 11.15 -
Symantec 1.3.0.24 20100707.002 2010-07-07 0.17 -
nProtect 20100703.02 8906927 2010-07-03 10.77 -
The Hacker 6.5.2.1 v00310 2010-07-07 0.35 -
VBA32 3.12.12.6 20100708.0920 2010-07-08 2.80 -
VirusBuster 4.5.11.10 10.126.123/20515572010-07-08 2.34 -


Attached are the combofix results. I re-enabled Norton after everything was finished in order to re-establish internet connection and am receiving other Virus alerts from Norton for Bloodhound.MalPE in teh c:\windows\temp\logishrd\ directory, file name LVPrcInj01.dll.

Attached Files



#7 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:03:41 AM

Posted 09 July 2010 - 04:36 AM

How's the computer running now?



1. Click Start > Run > copy/paste the bolded text below > press Enter. A text file will pop up, please post the contents of that file.
"C:\Qoobox\Add-Remove Programs.txt" > uninstall.txt& start uninstall.txt




2. Please make sure that you can view all hidden files. Instructions on how to do this can be found here:
How to see hidden files in Windows
  • Please click this link-->Jotti
  • When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.
    c:\windows\system32\regsvr32.exe
  • Please post back the results of the scan in your next post.
  • If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/





3. I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push

Edited by sempai, 09 July 2010 - 04:37 AM.

~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#8 Stoneway

Stoneway
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:03:41 PM

Posted 11 July 2010 - 12:54 PM

I was able to perform all the actions you requested. The computer appears better than before. I am considering attempting the Windows Update again since it was disabled by one of the viruses or root kit. If it works that will probably indicate that the primary threat has been removed. However I will wait until you provide feedback.

Also - thank you for your assistance, I plan on donating via PayPal once we are completed. You have been very helpful.

I have attached the 3 txt files that contain the results that you requested I post.

Attached Files



#9 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:03:41 AM

Posted 12 July 2010 - 05:11 AM

Hi Stoneway,

Thanks for the donation. smile.gif

Logs are clean, please run another DDS scan and post the latest DDS report for my final review.

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "JDK 6 Update 21 (JDK or JRE)...allows end-users to run Java applications".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Control Panel > Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u21-windows-i586-p.exe to install the newest version.

~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#10 Stoneway

Stoneway
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:03:41 PM

Posted 12 July 2010 - 09:49 AM

I re-installed Java per your instructions and have attached the dds log file. Also, windows update worked which it had not before due to the virus/root kit.

Thanks again for all the help.

Attached Files

  • Attached File  DDS.txt   17.46KB   4 downloads


#11 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:03:41 AM

Posted 12 July 2010 - 10:16 AM

Hi,

You're good to go. smile.gif


Uninstall:
1. ComboFix
  • Click Start > Run > copy/paste the following bolded text into the Run box and click OK:
    ComboFix /Uninstall


2. ESET online scanner
  • Go to Control Panel > Add Remove Programs > locate and remove ESET Online Scanner.



Delete:
1. GMER
2. DDS



Others:
  1. Please run defogger and click Enable button to enable your CD Emulation drivers. Reboot if ask.
  2. You can now delete defogger.


===============================


Your Log is Clean, please change all your offline and online passwords.

Take the time to read below to secure your machine and take the necessary steps to keep it Clean smile.gif

How to prevent malware

How to increase PC speed


Visit Microsoft's Windows Update Site Frequently
It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Make sure your applications have all of their updates
It is also possible for other programs on your computer to have security vulnerability that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Install SpywareBlaster
SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
A tutorial on installing & using this product can be found here:
Using SpywareBlaster to protect your computer from Spyware and Malware


Practice Safe Internet
One of the main reasons people get infected in the first place is that they are not practicing Safe Internet. You practice Safe Internet when you educate yourself on how to properly use the Internet through the use of security tools and good practice. Knowing how you can get infected and what types of files and sites to avoid will be the most crucial step in keeping your computer malware free. The reality is that the majority of people who are infected with malware are ones who click on things they shouldn't be clicking on. Whether these things are files or sites it doesn't really matter. If something is out to get you, and you click on it, it most likely will. Below are a list of simple precautions to take to keep your computer clean and running securely:
  1. If you receive an attachment from someone you do not know, DO NOT OPEN IT! Simple as that. Opening attachments from people you do not know is a very common method for viruses or worms to infect your computer.
  2. If you receive an attachment and it ends with a .exe, .com, .bat, or .pif do not open the attachment unless you know for a fact that it is clean. For the casual computer user, you will almost never receive a valid attachment of this type.
  3. If you receive an attachment from someone you know, and it looks suspicious, then it probably is. The email could be from someone you know infected with a malware that is trying to infect everyone in their address book.
  4. If you are browsing the Internet and a popup appears saying that you are infected, ignore it!. These are, as far as I am concerned, scams that are being used to scare you into purchasing a piece of software. For an example of these types of popups, or Foistware, you should read this article: Foistware, And how to avoid it.
    There are also programs that disguise themselves as Anti-Spyware or security products but are instead scams. For a list of these types of programs we recommend you visit this link: Rogue/Suspect Anti-Spyware Products & Web Sites
  5. Another tactic to fool you on the web is when a site displays a popup that looks like a normal Windows message or alert. When you click on them, though, they instead bring you to another site that is trying to push a product on you. We suggest that you close these windows by clicking on the X instead of the OK button. Alternatively, you can check to see if it's a real alert by right-clicking on the window. If there is a menu that comes up saying Add to Favorites... you know it's a fake.
  6. Do not go to adult sites. I know this may bother some of you, but the fact is that a large amount of malware is pushed through these types of sites. I am not saying all adult sites do this, but a lot do.
  7. When using an Instant Messaging program be cautious about clicking on links people send to you. It is not uncommon for infections to send a message to everyone in the infected person's contact list that contains a link to an infection. Instead when you receive a message that contains a link, message back to the person asking if it is legit before you click on it.
  8. Stay away from Warez and Crack sites! In addition to the obvious copyright issues, the downloads from these sites are typically overrun with infections.
  9. Be careful of what you download off of web sites and Peer-2-Peer networks. Some sites disguise malware as legitimate software to trick you into installing them and Peer-2-Peer networks are crawling with it. If you want to download a piece of software a from a site, and are not sure if they are legitimate, you can use McAfee Siteadvisor to look up info on the site.
  10. DO NOT INSTALL any software without first reading the End User License Agreement, otherwise known as the EULA. A tactic that some developers use is to offer their software for free, but have spyware and other programs you do not want bundled with it. This is where they make their money. By reading the agreement there is a good chance you can spot this and not install the software.



Thanks,
~Semp

~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#12 Stoneway

Stoneway
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:03:41 PM

Posted 12 July 2010 - 09:07 PM

I have completed all the steps - thank you again for the assistance - I just completed my donation which I think was well worth it.

Thanks!
Kevin

#13 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:03:41 AM

Posted 13 July 2010 - 07:10 AM

You're welcome and thanks again for the donation.


Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. smile.gif

If your the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.

~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users