
Super A-hole virus...is it Combo Fix time?


  • This topic is locked
13 replies to this topic

#1 j_kubach (Members, 7 posts)

Posted 26 August 2010 - 10:03 AM

Hi all,

I've used this site as a resource several times in the past, so thank you to everyone who puts this together and posts/comments. My computer recently had unprotected sex with a prostitute or something because it has some kind of super-hybrid-gonorrhea virus that just won't go away. I am running Windows Pro 2002 SP3 on a Dell Latitude E6400D.

A few weeks ago, that PC-raping AntiMalware Doctor program just automatically popped up and started its nonsense, so I shut down and restarted in Safe Mode and did a scan. I ran Super-Anti Spyware and my Norton AntiVirus and came up with a few different things. I called Norton and they helped me delete some things here and there, but the problem is still on my computer. I tried contacting Norton again, but they said I'd have to open a new case since it had been 10 days since my last contact with them. Needless to say, I'm through with that process.

So, I am running Symantec Endpoint Protection, which catches nothing during a scan, however, will frequently fire a pop up that says:

SID: 23621 "Http Tidserv Request Detected"

So, I've done some research on that and found different answers, but several point to this ComboFix software that I have yet to DL, but it is looking more and more like I should. But there are these apocalyptic warnings that I keep seeing that say I need to get the OK from a professional before I run that.

So, here I am, wondering if that is the next step?

PS - I just ran a quick scan from Malwarebytes and this is the log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4483

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

8/26/2010 10:50:13 AM
mbam-log-2010-08-26 (10-50-13).txt

Scan type: Quick scan
Objects scanned: 154312
Time elapsed: 5 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\chkaqpyxhst.chkaqpyxhst (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\chkaqpyxhst.chkaqpyxhst.1.0 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ca6704fb-6b46-4058-a797-befd9d378576} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{fe4c2c37-edc8-4c00-b864-3c38cf3ba834} (Adware.Adshot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{b4ba40a2-75f1-51bd-f413-04b15a2c8953} (Trojan.ErtFor) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b4ba40a2-75f1-51bd-f413-04b15a2c8953} (Trojan.ErtFor) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\msrun.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\umwmrbe(2).dll (LSP.Hijacker) -> Quarantined and deleted successfully.
C:\WINDOWS\msynbjet.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\skaioejiesfjoee.tmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\j.kubach\Application Data\Microsoft\Internet Explorer\Quick Launch\Antimalware Doctor.lnk (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.
C:\Documents and Settings\j.kubach\Start Menu\Antimalware Doctor.lnk (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.
C:\Documents and Settings\j.kubach\Local Settings\Application Data\Windows Server\admin.txt (Malware.Trace) -> Quarantined and deleted successfully.


Thanks...Jason

Edited by hamluis, 26 August 2010 - 10:27 AM.
Moved from XP forum to Am I Infected ~ Hamluis.
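The log above is the kind of thing a helper reads by eye; the following is an added example (not part of the thread and not Malwarebytes' own tooling) that parses a Malwarebytes' Anti-Malware 1.x log into structured findings and pulls out what gets checked first: whether the scan was a Quick scan run in Safe Mode, which items sit in system32, whether any item is still waiting on a reboot, and whether the header counts agree with the detail lines. SAMPLE_LOG is constructed in the same layout as the posted log with shortened content; the "Delete on reboot." action on the last file is illustrative of a locked file the scanner could not remove yet.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x scan log and triage it.

Added example; not part of the original thread and not Malwarebytes' own
tooling. SAMPLE_LOG is constructed in the layout of the posted log.
"""
import re
from collections import Counter

SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4483

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

Scan type: Quick scan
Objects scanned: 154312

Registry Keys Infected: 2
Files Infected: 3

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{ca6704fb-6b46-4058-a797-befd9d378576} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b4ba40a2-75f1-51bd-f413-04b15a2c8953} (Trojan.ErtFor) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\msrun.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\umwmrbe(2).dll (LSP.Hijacker) -> Quarantined and deleted successfully.
C:\WINDOWS\msynbjet.dll (Trojan.Hiloti) -> Delete on reboot.
"""

# One detection line: "<item> (<category>) -> <action>". The greedy item group
# makes the regex take the last "(...)" before " -> ", so a path that itself
# contains parentheses, like umwmrbe(2).dll, still parses correctly.
DETECTION_RE = re.compile(r"^(?P<item>.+) \((?P<category>[^()]+)\) -> (?P<action>.+)$")
SUMMARY_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
META_RE = re.compile(r"^(?P<key>Database version|Scan type|Objects scanned): (?P<value>.+)$")
CLEAN_ACTION = "Quarantined and deleted successfully."


def parse_mbam_log(text):
    """Return {'meta': {...}, 'declared': {section: count}, 'findings': [...]}."""
    report = {"meta": {}, "declared": {}, "findings": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Windows "):      # OS line, e.g. "Windows 5.1.2600 ... (Safe Mode)"
            report["meta"]["os"] = line
            continue
        m = META_RE.match(line)
        if m:
            report["meta"][m.group("key")] = m.group("value")
            continue
        m = SUMMARY_RE.match(line)           # header counts, e.g. "Files Infected: 3"
        if m:
            report["declared"][m.group("section")] = int(m.group("count"))
            continue
        m = SECTION_RE.match(line)           # start of a detail section
        if m:
            section = m.group("section")
            continue
        if section is None or line.startswith("(No malicious items"):
            continue
        m = DETECTION_RE.match(line)
        if m:
            report["findings"].append({"section": section, **m.groupdict()})
    return report


def triage(report):
    """Summarise what a helper looks at first in a posted MBAM log."""
    findings = report["findings"]
    listed = Counter(f["section"] for f in findings)
    return {
        # A Quick scan in Safe Mode is normally re-run as a Full scan in normal mode.
        "safe_mode": "(Safe Mode)" in report["meta"].get("os", ""),
        "quick_scan": report["meta"].get("Scan type", "").startswith("Quick"),
        "categories": Counter(f["category"] for f in findings),
        # Anything not fully removed needs the reboot the scanner asks for.
        "pending_reboot": [f["item"] for f in findings if f["action"] != CLEAN_ACTION],
        # Files dropped into system32 deserve a closer look than shortcuts do.
        "system32_hits": [f["item"] for f in findings if "\\system32\\" in f["item"].lower()],
        # Header counts that disagree with the detail lines mean a truncated or edited log.
        "count_mismatch": {s: (n, listed.get(s, 0))
                           for s, n in report["declared"].items() if n != listed.get(s, 0)},
    }


if __name__ == "__main__":
    for key, value in triage(parse_mbam_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Feeding the script a real log pasted into SAMPLE_LOG (or read from the mbam-log-*.txt file) gives the same summary; an LSP.Hijacker entry in system32 or a non-empty pending_reboot list is the sort of thing a helper would ask about before declaring the scan done.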



#2 dc3, Bleeping Treehugger (Members, 30,612 posts; Sierra Foothills of Northern Ca.)

Posted 26 August 2010 - 10:11 AM

Are you running both Norton anti virus and Symantec Endpoint Protection anti virus at the same time? If so, this could be part of your problem. You should only run one anti virus at a time as running two together will cause false positives.

Family and loved ones will always be a priority in my daily life. You never know when one will leave you.


#3 j_kubach, Topic Starter (Members, 7 posts)

Posted 26 August 2010 - 10:47 AM

Nope, just Endpoint.

#4 bleble76 (Members, 2 posts)

Posted 26 August 2010 - 02:33 PM

Dealing with almost the same exact problem. All scans with mbam/gmer/super/msse/SEP come back clean, but occasionally a search is redirected, and the SID 23621 tidserv request popup from symantec endpoint pops up. It happens more often if you search for stuff in yahoo like shoes, vacations, coats, etc.

#5 quietman7, Bleepin' Janitor (Global Moderator, 51,490 posts; Virginia, USA)

Posted 26 August 2010 - 05:46 PM

Please follow these instructions: How to remove Google Redirects or the TDSS, TDL3, Alureon rootkit using TDSSKiller
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If 'Suspicious' objects are detected, you will be given the option to Skip or Quarantine. Skip will be the default selection.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.3.2.2_20.07.2010.08.26.56_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.
-- For any files detected as 'Suspicious', get a second opinion by submitting to Jotti's virusscan or VirusTotal. In the "File to upload & scan" box, browse to the location of the suspicious file and submit (upload) it for scanning/analysis.

Now rescan again with Malwarebytes Anti-Malware, but this time perform a Full Scan in normal mode and check all items found for removal. Don't forget to check for database definition updates through the program's interface (preferable method) before scanning and to reboot afterwards. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.


Hello bleble76

If you have an issue or problem you would like to discuss, please start your own topic. Doing that will help to avoid the confusion that often occurs when trying to help two or more members at the same time in the same thread. Even if your problem is similar to the original poster's problem, the solution could be different based on the kind of hardware, software, system requirements, etc. you are using and the presence of other malware. Further, posting for assistance in someone else's topic is not considered proper forum etiquette.

Thanks for your cooperation.
The BC Staff
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#6 bleble76 (Members, 2 posts)

Posted 27 August 2010 - 09:24 AM

Sorry Quietman7, was just responding while reading about how to remove this stuff from a friend's laptop, and saw that no one had replied yet. I really appreciate what you guys do and I know how annoying it is to have someone hijack a thread... so I'll make this short. I basically had to do the steps listed at http://www.bleepingcomputer.com/forums/topic335053.html (obviously my services and file names were different, and I had .dat files under the all users folder). System is all clean, I wish the OP luck with the PC-HIV, like he said, your steps WILL be different. Took me 5 hours of reading.

#7 j_kubach, Topic Starter (Members, 7 posts)

Posted 30 August 2010 - 07:46 AM

Thanks to both of you.

I ran the TDSS Killer and it looks like it may have removed the one virus, but now my Symantec autoscan comes up with a backdoor Trojan on start up, every time, even after it says "cleaned."

Is this the same virus or is this a different one?

#8 quietman7, Bleepin' Janitor (Global Moderator, 51,490 posts; Virginia, USA)

Posted 30 August 2010 - 07:54 AM

Did your anti-virus/anti-spyware scanner provide a specific file name associated with the malware threat(s) detection and if so, where is it located (full file path) at on your system?

Try doing an online scan to see if it finds anything else (i.e. remnants) that the other scans may have missed.

Please perform a scan with Eset Online Anti-virus Scanner.
  • This scan requires Internet Explorer to work. If using a different browser, you will be given the option to download and use the ESET Smart Installer.
  • Vista/Windows 7 users need to run Internet Explorer as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run As Administrator from the context menu.
  • Click the green ESET Online Scanner button.
  • Read the End User License Agreement and check the box:
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Check "Scan archives".
  • Check Remove found threats and Scan potentially unwanted applications. (If given the option, choose "Quarantine" instead of delete.)
  • Click the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer.
  • If offered the option to get information or buy software at any point, just close the window.
  • The scan will take a while so be patient and do NOT use the computer while the scan is running. Keep all other programs and windows closed.
  • When the scan completes, push List of found threats.
  • Push Export to text file, and save the file to your desktop as ESETScan.txt.
  • Push the Back button, then Finish.
  • Copy and paste the contents of ESETScan.txt in your next reply.
Note: A log.txt file will also be created and automatically saved in the C:\Program Files\EsetOnlineScanner\ folder.
If you did not save the ESETScan log, click Start > Run..., then type or copy and paste everything in the code box below into the Open dialogue box:

C:\Program Files\ESET\EsetOnlineScanner\log.txt
  • Click Ok and the scan results will open in Notepad.
  • Copy and paste the contents of log.txt in your next reply.
-- Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn them back on after you are finished.

Now rescan again with Malwarebytes Anti-Malware, but this time perform a Full Scan in normal mode and check all items found for removal. Don't forget to check for database definition updates through the program's interface (preferable method) before scanning and to reboot afterwards. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.

The database in your previous log shows 4483. Last I checked it was 4505.

#9 j_kubach, Topic Starter (Members, 7 posts)

Posted 30 August 2010 - 12:23 PM

Ok, so here are the results:

ESETScan:

C:\WINDOWS\apatevih.dll a variant of Win32/Cimag.CK trojan cleaned by deleting - quarantined



Malwarebytes' Anti-Malware Scan:

Database version: 4507

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

8/30/2010 12:22:09 PM
mbam-log-2010-08-30 (12-22-09).txt

Scan type: Full scan (C:\|)
Objects scanned: 294887
Time elapsed: 1 hour(s), 21 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#10 quietman7, Bleepin' Janitor (Global Moderator, 51,490 posts; Virginia, USA)

Posted 30 August 2010 - 12:33 PM

Is Symantec still reporting Trojan alerts?

#11 j_kubach, Topic Starter (Members, 7 posts)

Posted 30 August 2010 - 12:42 PM

Yep, on restart, this popped up:

Backdoor.Trojan

Source Computer: Local Host
Status: Cleaned
Current Location: C:\WINDOWS\system32\
Action Description: The file was repaired successfully.
Date found: 8/30/2010
Primary action: Clean security risk
Secondary Action: Quarantine
Action Taken: Cleaned

Type: Infected File
Description: C:\WINDOWS\system32\temp.temp
Action Taken: Clean Security Risk
Remediation Status: Successful



This has shown up each time I start my computer in my Symantec Autoscan since I ran the TDSSKiller.

Edited by j_kubach, 30 August 2010 - 12:42 PM.


#12 j_kubach, Topic Starter (Members, 7 posts)

Posted 30 August 2010 - 12:48 PM

These three system32 files are being modified on start up:

PerfStringBackup
perfh009
perfc009

Any significance?

#13 quietman7, Bleepin' Janitor (Global Moderator, 51,490 posts; Virginia, USA)

Posted 30 August 2010 - 01:12 PM

Some infections are difficult to remove completely because of their morphing characteristics which allows the malware to regenerate itself. Sometimes there is a hidden piece of malware (i.e. rootkit) which has not been detected by your security tools that protects malicious files and registry keys so they cannot be permanently deleted. Other types of malware can even terminate your security tools by changing the permissions on targeted programs so that they cannot run or complete scans. Disinfection will probably require the use of more powerful tools than we recommend in this forum. Before that can be done you will need to create and post a DDS log for further investigation.

Please read the pinned topic titled "Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help". If you cannot complete a step, then skip it and continue with the next. In Step 7 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log.

When you have done that, post your log in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the Malware Response Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate if you post a link to your log back here so we know that you're getting help from the Malware Response Team.

Please be patient. It may take a while to get a response because the Malware Response Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have posted your log and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the Malware Response Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another Malware Response Team member is already assisting you and not open the thread to respond.
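The pattern described in this exchange, a file in system32 that Symantec reports as "Cleaned" on every boot, is the signal quietman7 is pointing at: a remediation that has to be repeated is treating a symptom while whatever re-creates the file stays in place. The following is an added example (not part of the thread and not Symantec's own tooling) that takes notification text in the shape of the alert posted above and flags paths that were "cleaned" on more than one distinct day. SAMPLE_ALERTS is constructed; the paths and dates are illustrative, and the mixed-case SYSTEM32 entry is there to show that Windows paths are compared case-insensitively.

```python
"""Flag files an AV reports as "cleaned" again and again across boots.

Added example; not part of the original thread and not Symantec's own
tooling. SAMPLE_ALERTS is constructed in the shape of the posted alert:
risk name on the first line, key: value lines, one blank line between alerts.
"""
from collections import defaultdict
from datetime import datetime

SAMPLE_ALERTS = r"""
Backdoor.Trojan
Date found: 8/30/2010
Status: Cleaned
Description: C:\WINDOWS\system32\temp.temp
Remediation Status: Successful

Backdoor.Trojan
Date found: 8/31/2010
Status: Cleaned
Description: C:\WINDOWS\SYSTEM32\temp.temp
Remediation Status: Successful

Trojan.Agent
Date found: 8/31/2010
Status: Quarantined
Description: C:\Documents and Settings\user\Local Settings\Temp\drop.tmp
Remediation Status: Successful

Backdoor.Trojan
Date found: 9/1/2010
Status: Cleaned
Description: C:\WINDOWS\system32\temp.temp
Remediation Status: Successful
"""


def parse_alerts(text):
    """Split the notification text into one dict per alert."""
    alerts, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                       # a blank line ends the current alert
            if current:
                alerts.append(current)
            current = None
            continue
        if current is None:                # first line of an alert is the risk name
            current = {"risk": line}
            continue
        key, sep, value = line.partition(":")   # split on the first colon only,
        if sep:                                 # so "C:\..." paths stay intact
            current[key.strip()] = value.strip()
    if current:
        alerts.append(current)
    return alerts


def recurring_cleaned(alerts, min_dates=2):
    """Paths with Status: Cleaned on at least min_dates distinct days.

    Returns {lower-cased path: [ISO dates]}. A clean that succeeds every boot
    and is needed again the next boot means something the scanner has not
    found (a dropper, a service, a rootkit-hidden component) is re-creating
    the file; the detection is real but the persistence is still there.
    """
    seen = defaultdict(set)
    for a in alerts:
        if a.get("Status") != "Cleaned" or "Description" not in a:
            continue
        day = datetime.strptime(a["Date found"], "%m/%d/%Y").date()
        seen[a["Description"].lower()].add(day)   # Windows paths are case-insensitive
    return {path: [d.isoformat() for d in sorted(days)]
            for path, days in seen.items() if len(days) >= min_dates}


if __name__ == "__main__":
    for path, days in recurring_cleaned(parse_alerts(SAMPLE_ALERTS)).items():
        print(f"{path}: cleaned on {len(days)} separate days ({', '.join(days)})")
```

On the constructed input only temp.temp comes back; the one-off Temp\drop.tmp quarantine is ignored. Anything the function returns is a candidate for the deeper look (DDS log, rootkit tools) that the post above asks for, rather than another round of the same scan.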

#14 Pandy, Bleepin' (Members, 9,559 posts)

Posted 30 August 2010 - 03:47 PM

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/topic344022.html you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a MRT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the MRT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the MRT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the MRT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another MRT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

To avoid confusion, I am closing this topic. Good luck with your log.

Do not anticipate trouble, or worry about what may never happen. Keep in the sunlight.

Hide not your talents. They for use were made. What's a sundial in the shade?

~ Benjamin Franklin
