Problem after TDSS removal


  • This topic is locked This topic is locked
9 replies to this topic

#1 N.E.

Posted 13 December 2010 - 09:16 AM

I picked up the Whitesmoke infection and removed it using a combination of Add/Remove programs, Norton Endpoint, and Malwarebytes. After this, I still had random pop-ups in IE, random screens opening up to unknown search engines, and Google searches redirected to other sites. Malwarebytes and Norton found nothing. SuperAntiSpyware found nothing, but a quick look at the tracking cookies being removed found a suspiciously named cookie. A quick Google search pointed to TDSS being associated with this cookie. TDSSKiller found and removed TDSS.TDL4.

After this, the machine ran faster, but IE would crash with a DEP exception. Reinstalling IE solved that problem, but any attempt to type something into Google Toolbar would result in IE immediately closing down. Removing and reinstalling the toolbar reverted back to the DEP exception state. Disabling the toolbar by unchecking it in the toolbar drop-down improves the situation.

Any help you can give removing the final Gremlin would be greatly appreciated.

Thanks in advance for your time and help.

Neal


DDS (Ver_10-12-12.02) - NTFSx86
Run by neckhardt at 8:00:46.62 on Mon 12/13/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2002.1312 [GMT -5:00]

AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *Enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\windows\system32\svchost.exe -k netsvcs
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\IBM\Lotus\Notes\nsd.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\IBM\Lotus\Notes\ntmulti.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\KatMouse\KatMouse.exe
C:\Program Files\TomBrennanSoftware\VistaTN3270\vistaTN3270.exe
C:\Program Files\TomBrennanSoftware\VistaTN3270\vistaTN3270.exe
C:\Program Files\TomBrennanSoftware\VistaTN3270\vistaTN3270.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\neckhardt\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\ibm\java50\jre\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
StartupFolder: c:\docume~1\neckha~1\startm~1\programs\startup\katmouse.lnk - c:\program files\katmouse\KatMouse.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBC} - c:\program files\ibm\java50\jre\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {1ACECAFE-0015-0000-0000-ABCDEFFEDCBA} - hxxp://
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1266496694708
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1258983794718
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://
TCP: {1D11FA6B-0691-48FD-949B-FD3FC069BCF7} = 170.158.1.150,170.158.1.42
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
mASetup: {927E1ED5-CA30-418E-AD03-13B7DA4B46BD} - rundll32.exe "c:\documents and settings\neckhardt\application data\sun\fuvvn.dll", UnregisterDll
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

#2 teacup61

Posted 13 December 2010 - 05:16 PM

Hello N.E. ,


This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

If you have trouble running it the first time, then rename ComboFix.exe to fluffybunny.exe and try again.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 N.E.

Posted 14 December 2010 - 08:12 AM

Combofix erroneously tells me that I am running CA-Antivirus. As you can see from the above log, Norton Endpoint is the AV package in use.

Any way to get by this?

Thanks for picking my problem up.

Neal

#4 N.E.

Posted 14 December 2010 - 08:58 AM

Also, FYI, same result in SAFE mode.

#5 teacup61

Posted 14 December 2010 - 05:02 PM

Hello,

Got some bad news for you... you may want to consider a reformat and reinstall. Your computer has been compromised by a new variant of an old infection.

http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanSpy%3AWin32%2FAmbler.F

TrojanSpy:Win32/Ambler.F is a trojan with a key logging component that captures passwords when a user visits certain online financial or banking Web sites.


And here: http://www.threatexpert.com/report.aspx?md5=1fafd77fca37283e0cdf7d08af5f2fb6

The decision is yours. Just let me know. :)

tea

#6 N.E.

Posted 14 December 2010 - 08:55 PM

Hmmm. Not quite sure how you can tell that, but I will poke around tomorrow morning with the info provided in the links you sent me to see if any of it applies. I will let you know tomorrow.

Thanks,
Neal

#7 teacup61

Posted 14 December 2010 - 09:02 PM

Hello,

From this line here: mASetup: {927E1ED5-CA30-418E-AD03-13B7DA4B46BD} - rundll32.exe "c:\documents and settings\neckhardt\application data\sun\fuvvn.dll", UnregisterDll

I am sure of this, or I would not have posted such a dire warning to you.

tea
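The line tea points to is the kind of entry a defender scans a DDS log for: an autostart that loads a DLL from a user-writable profile folder through rundll32.exe, alongside a Hosts entry that blackholes a security site. As an added example (not part of the thread, and not a feature of DDS or ComboFix), here is a small Python checker that applies those two heuristics to a few constructed lines copied from the log above; the key list and folder list are assumptions made for illustration.

```python
import re

# Constructed sample in the format of a DDS "Pseudo HJT Report" section; the
# paths are copied from the log posted in this thread.
SAMPLE_LOG = r"""uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
Notify: igfxcui - igfxdev.dll
mASetup: {927E1ED5-CA30-418E-AD03-13B7DA4B46BD} - rundll32.exe "c:\documents and settings\neckhardt\application data\sun\fuvvn.dll", UnregisterDll
Hosts: 127.0.0.1 www.spywareinfo.com
"""

# DDS line prefixes that describe an autostart/load point (assumed list).
AUTOSTART_KEYS = {"uRun", "mRun", "mASetup", "StartupFolder",
                  "Notify", "SSODL", "SEH", "BHO", "TB"}

# Per-user folders where a legitimate autostart binary or DLL rarely lives
# on Windows XP (heuristic for this example, not a DDS rule).
USER_WRITABLE = re.compile(
    r"\\(application data|local settings|temp|desktop|my documents)\\",
    re.IGNORECASE)


def suspicious_entries(log_text):
    """Return a list of (line, reason) for entries that deserve a closer look."""
    findings = []
    for line in log_text.splitlines():
        key, _, rest = line.partition(":")
        key = key.strip()
        if key in AUTOSTART_KEYS and USER_WRITABLE.search(rest):
            reason = "autostart target lives in a user-writable profile folder"
            if "rundll32" in rest.lower():
                reason += ", loaded through rundll32.exe"
            findings.append((line, reason))
        elif key == "Hosts":
            parts = rest.split()
            # A loopback mapping for anything but localhost usually means a
            # security or update site is being blackholed.
            if len(parts) >= 2 and parts[0] in ("127.0.0.1", "0.0.0.0") \
                    and parts[1].lower() != "localhost":
                findings.append((line, "hosts file blackholes " + parts[1]))
    return findings


if __name__ == "__main__":
    for entry, why in suspicious_entries(SAMPLE_LOG):
        print("[!] %s\n    %s" % (why, entry))
```

Run it against a full DDS log and it reports only the two lines above; everything under Program Files or system32 passes the folder heuristic, which is why it is a triage aid and not a verdict.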

#8 N.E.

Posted 14 December 2010 - 09:14 PM

You beat me to it; I just spotted that line about 5 minutes ago, and it fit the profile.

Oh well, I will still poke around tomorrow, but the reimage will probably be the safer route.

Thanks for your help.

Neal

#9 N.E.

Posted 15 December 2010 - 08:35 AM

FYI, after renaming the above-mentioned file, the Google Toolbar issue disappeared. I will reimage the drive next week as that (as you said) is the safest route. There is nothing on the machine that is not easily recreatable.

Thanks for your help.

Neal

#10 teacup61

Posted 27 December 2010 - 11:53 AM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.