Afraid to backup data as requested by the Preparation Guide for Malware removal. What should I do?


  • This topic is locked
12 replies to this topic

#1 good day (Members, 25 posts)

Posted 05 August 2010 - 07:37 PM

I have begun to follow the "Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help," but I am afraid to backup my computer/data as requested in Step 1. I am quite certain that I have a bad virus/rootkit on my computer. The problem is that if I backup my data to my HP SimpleSave external hard-drive, won't that device become infected? Won't I be backing up infected files?

I have run Norton 360, and it has removed everything it could (just cookies lately), but I continue to get numerous blocked intrusion attempts. This led me to believe that the Norton firewall is doing its job, but that a serious threat is lurking in the background and trying to frequently attack my computer. Every so often this malware succeeds and opens a random window/tab when I am on Mozilla. Hence, due to all this, I am afraid that since something is on my machine, when I backup, won't I still be backing up a virus/rootkit?

Thanks for any and all who can shed light on this situation.

B

#2 boopme (Global Moderator)

Posted 05 August 2010 - 08:05 PM

Hello and welcome. We will first do this and perhaps we can avoid the guide.
Please run the tool here: How to remove Google Redirects

When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.


Next run MBAM (MalwareBytes):

Please download Malwarebytes Anti-Malware (v1.46) and save it to your desktop.
Before you save it, rename it to say zztoy.exe

alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 good day (Topic Starter)

Posted 05 August 2010 - 08:25 PM

Thanks for the response boopme. I have a couple of concerns. 1) According to the structure of bleepingcomputer.com and the "Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help," I should be posting my virus topic there. This topic was simply meant to address my concerns regarding backing up data when I am afraid that my computer is infected. Therefore, I am afraid to follow any advice that is not directly associated first with my virus topic. 2) Why have the "Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help" if I am not going to follow it?

Again, I appreciate your response, but I am skeptical to follow it since it is not part of the "Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help." I am first interested in the matter of whether it is safe to still backup my data/computer while it is infected.

B

#4 boopme (Global Moderator)

Posted 05 August 2010 - 09:00 PM

Hi, sorry for the misunderstanding. A few things: some malware can be removed here by me or other staff. If I see something that requires specialized tools I will help you prep for that forum. Or I can just help and let you post there. The other reason is that that forum is extremely busy right now and you will wait several days for a reply. So I am running a sort of triage here.

I do not mind and understand your concerns.

Only back up your important documents, personal data files, and photos to a CD or DVD drive, not a flash drive or external hard drive, as they may become compromised in the process. The safest practice is not to backup any executable files (*.exe), screensavers (*.scr), autorun (.ini) or script files (.php, .asp, .htm, .html, .xml) because they may be infected by malware. Avoid backing up compressed files (.zip, .cab, .rar) that have executables inside them, as some types of malware can penetrate compressed files and infect the .exe files within them. Other types of malware may even disguise themselves by hiding a file extension or adding to the existing extension as shown here (click Figure 1 to enlarge), so be sure you look closely at the full file name. If you cannot see the file extension, you may need to reconfigure Windows to show file name extensions. Then make sure you scan the backed up data with your anti-virus prior to copying it back to your hard drive.
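Assuming the backup is being assembled by hand, here is an added Python example (not from the post above, and not a BleepingComputer tool) that screens a list of candidate file names against the rules just given: it refuses the executable, script and autorun extensions listed, marks archives as needing inspection (and checks the members of a .zip when its bytes are available), and examines every extension in the full name so that a disguised name such as invoice.pdf.exe is not mistaken for a document. The extension sets, the sample file names and the in-memory zip are constructed for illustration.

```python
import io
import zipfile
from pathlib import PurePath

# Extension classes taken from the advice in the post above.
EXECUTABLE_EXTS = {".exe", ".scr", ".ini"}
SCRIPT_EXTS = {".php", ".asp", ".htm", ".html", ".xml"}
ARCHIVE_EXTS = {".zip", ".cab", ".rar"}
RISKY_EXTS = EXECUTABLE_EXTS | SCRIPT_EXTS

# Constructed list of document/media extensions, used only to recognise a
# "document-looking" name whose real (last) extension is executable.
DOCUMENT_EXTS = {".doc", ".docx", ".xls", ".pdf", ".txt",
                 ".jpg", ".jpeg", ".png", ".gif", ".mp3"}


def _suffixes(name):
    """Every extension in the name, lower-cased, with padding spaces removed,
    so 'Photo.JPG   .exe' yields ['.jpg', '.exe'] and the full name is seen."""
    return [s.strip().lower() for s in PurePath(name.strip()).suffixes]


def classify_name(name):
    """Decide whether a file name is safe to copy to the backup CD/DVD.
    Returns (verdict, reason); verdict is 'keep', 'skip' or 'inspect'."""
    suffixes = _suffixes(name)
    if not suffixes:
        return ("inspect", "no visible extension; Windows may be hiding it")
    last = suffixes[-1]  # the extension Windows actually executes by
    if last in RISKY_EXTS:
        if len(suffixes) > 1 and suffixes[-2] in DOCUMENT_EXTS:
            return ("skip", f"document-looking name with real extension {last}")
        return ("skip", f"executable/script extension {last}")
    if last in ARCHIVE_EXTS:
        return ("inspect", f"archive {last}: check for executables inside")
    return ("keep", "data file")


def zip_has_risky_members(data):
    """True if any member of an in-memory .zip would itself be skipped.
    Only .zip is handled here; .cab and .rar need external tools."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return any(classify_name(m)[0] == "skip" for m in zf.namelist())


def screen_backup(names, archives=None):
    """Split a candidate backup list into (keep, skip, inspect) lists of
    (name, reason). archives maps a .zip name to its bytes so that its
    members can be checked instead of leaving it for manual inspection."""
    archives = archives or {}
    buckets = {"keep": [], "skip": [], "inspect": []}
    for name in names:
        verdict, reason = classify_name(name)
        if verdict == "inspect" and name in archives:
            verdict = "skip" if zip_has_risky_members(archives[name]) else "keep"
            reason = "zip members checked"
        buckets[verdict].append((name, reason))
    return buckets["keep"], buckets["skip"], buckets["inspect"]


def _build_sample_zip():
    """Constructed in-memory zip: one document plus a fake executable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.txt", "constructed sample text")
        zf.writestr("setup.exe", "not a real executable")
    return buf.getvalue()


if __name__ == "__main__":
    sample = ["Thesis.docx", "family.jpg", "invoice.pdf.exe", "Photo.JPG   .scr",
              "index.html", "autorun.ini", "photos.zip", "music.rar", "README"]
    for label, items in zip(("KEEP", "SKIP", "INSPECT"),
                            screen_backup(sample, {"photos.zip": _build_sample_zip()})):
        for name, reason in items:
            print(f"{label:8} {name!r}: {reason}")
```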

#5 good day (Topic Starter)

Posted 06 August 2010 - 01:08 AM

Thanks for the response. Sounds as though it is quite busy in the Malware forum. Well, I'm going to begin by backing things up first. Then I will start the process you are outlining.

By starting the process that you discussed, if that is able to help and rectify my situation, that would be great. But, if it can't, will that put me in jeopardy or worse off than I am now?

I feel that perhaps a little background info on my situation is in order. Last week, I picked up some fake antivirus program. It was continuously trying to inform me that my computer was infected. I would not click on any of its windows. It must have been preventing me from opening certain webpages and running Spybot, Adaware/Lavasoft, and Inoculate. I did a hard shut down of my computer, started in safe mode, and then ran scans using the three aforementioned anti-malware systems. Besides cookies, none of them found anything. I went out and purchased Norton 360, but was unable to load it in normal mode. This fake antivirus was blocking it. So, I loaded Norton in safe mode with networking (I am not sure on the differences of all the different safe modes), ran it, and it detected and removed Trojan.FakeAV!gen35. Something else was detected by Norton SONAR, but I am unable to remember. I thought all was resolved, but after this I was unable to retrieve mail using Windows Live Mail or use IE to run Windows Update. So, I used System Restore to go to an earlier restore point. Things appeared okay, but slower. I removed Inoculate & Ad-Aware, and attempted to remove TrendMicro, but was unable to remove Trend b/c it needed something to remove it (I figured I would do it later; not a big deal). I removed those programs b/c I thought they were the ones competing with Norton & were slowing my computer, & that I didn't need them anymore since having purchased Norton 360. Besides, Inoculate lapsed & I could no longer get updates. One program I did leave was Spybot.

I know things are not right because ever since restoring the computer to an earlier time, I continuously get notices that Norton has blocked an intrusion attack. The intrusions are from HTTP Tidserv Request & HTTPS Tidserv Request 2. I have re-run Norton, but nothing besides cookies is detected. My computer appears to be relatively normal, but I am convinced something is on it & is just being blocked by the Norton firewall. So, in a way I am under an umbrella staying slightly dry, but the rain is coming down hard trying to get in & get me wet. The Norton firewall is blocking whatever this is, but it still lurks in the background. I would like to remove it and have the computer back to normal.

Also, not sure if it is related, but every so often I get notices that my "revocation information for the security certificate for this site is not available." I never used to see this message before, and I don't know what it is related to.

To summarize my Norton intrusion prevention log, I see attempts have been made by: HTTP Tidserv Request, HTTPS Tidserv Request 2, HTTP Misleading Application Detection, HTTP Fake Scan Webpage 5.

#6 boopme (Global Moderator)

Posted 06 August 2010 - 09:37 AM

Ok, some further advice/info.
Backdoor.Tidserv is a Trojan horse that opens a back door on the compromised computer.
This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.


To clean you will need to use the guide and post. I'd recommend you do the rest and post and then do your back ups while you wait.

#7 good day (Topic Starter)

Posted 06 August 2010 - 03:15 PM

Thanks for the response boopme. Well, I am now more concerned than before, and before I was quite concerned. First off, how do you know I have Backdoor.Tidserv? Is this a rootkit (not that I know a lot about rootkits except that they are bad)? I am not sure if I should do a reformat or not, or first try other cleaning/removal attempts with this site's guidance. So, are you saying that either after your help or the Malware Forum's help, my computer could still be compromised? How would this be evident?

I read this post at bleepingcomputer (http://www.bleepingcomputer.com/forums/topic334117.html "Trojan.FakeAV!gen35, HTTP Tidserv Request, HTTPS Tidserv Request 2, Have no idea what to do to remove it."), and it sounds very similar to my situation. The OP was helped without having to perform a reformat/re-install. This OP came to the conclusion that their computer was cleaned/clear. Now, could it be said that this OP's computer is still at jeopardy?

I am still in the process of backing things up to CDs, as well as using online storage sites. I will inform when completed. Thanks for the input & assistance thus far.

#8 good day (Topic Starter)

Posted 06 August 2010 - 04:33 PM

From the research I have done at Norton's site, I believe that my computer's infection may have begun with Trojan.FakeAV!gen35, and progressed to Trojan.FakeAV, which is responsible for HTTP Misleading Application Detection and HTTP Fake Scan Webpage 5, and then progressed to Backdoor.Tidserv, which is responsible for HTTP Tidserv Request and HTTPS Tidserv Request 2. Not sure if this is the nature of the progression or what not, but from what I read it sounds as though the responsible viruses are: Trojan.FakeAV and Backdoor.Tidserv.

I have read Norton's recommended removal of the above viruses, but I am not sure they would work. They definitely appear different than what may be recommended by Bleepingcomputer. For the Backdoor.Tidserv they recommend:
1. Restart the computer using the Windows Recovery Console
2. Disable System Restore (Windows Me/XP).
3. Update the virus definitions.
4. Run a full system scan.
5. Delete any values added to the registry.

For the Trojan.FakeAV they recommend:
1. Disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Run a full system scan.

I am not proceeding forward with what they recommend, more so just posting it for comments and/or to highlight Norton's approach.

#9 boopme (Global Moderator)

Posted 06 August 2010 - 07:17 PM

As I mentioned earlier, we can still clean this. But we need specialized tools and supervision in the Malware Removal forum. I would prefer this method over the Norton method.

#10 good day (Topic Starter)

Posted 08 August 2010 - 12:33 PM

Okay. I have finally finished backing up My Documents folder. It took some time due to having to work, and when I was backing up data, just seems like it was taking longer than normal. The computer would just freeze sometimes when I was dragging stuff over to be written to the CD. A couple of restarts later, I'm finished with the backing up.

Now, a couple of things before I begin the next step(s). If I proceed with the virus cleaning/removal approach, how will I/bleeping computer be able to ultimately say that the virus has been removed? If it would resurface again, would it be quite promptly, or could it be days, weeks, months, or years later? And, if the cleaning/removal option does not work, will a reformat/reinstall of the OS still be an option?

After reading the links you posted, I guess I still can't tell what factors would warrant I do a reinstall versus a clean/removal if you said that this can still be cleaned/removed. Any insight on this one?

Lastly, you stated "To clean you will need to use the guide and post. I'd recommend you do the rest and post and then do your back ups while you wait." Well, I have backed stuff up. But, when you say to "do the rest," do you mean the rest of the Malware removal guide, or the rest of what you stated in our thread?

Again, thanks for all the help.

#11 boopme (Global Moderator)

Posted 08 August 2010 - 04:25 PM

The MR team, after reviewing your logs, can determine how bad it is. I mean post the DDS and GMER logs. If GMER won't run, just post the DDS log.
We need info. Where at? "I had a car accident, and how much to fix it?" and we are on the phone. :thumbsup:

#12 good day (Topic Starter)

Posted 09 August 2010 - 05:27 PM

I just posted to the Malware Forum. Thanks for all your help boopme.

#13 boopme (Global Moderator)

Posted 09 August 2010 - 10:39 PM

You're welcome, it will be a couple days due to backlog. But you will be answered.
Now that your log is properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a Malware Removal Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the Malware Removal Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the Malware Removal Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the Malware Removal Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

To avoid confusion, I am closing this topic.



