Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Need Final Cleaning Help-backdoor.tdss.565 / Infected with System Tool & redirecting


  • This topic is locked This topic is locked
8 replies to this topic

#1 jbmail

jbmail

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:07:06 PM

Posted 28 December 2010 - 08:58 AM

I have been scanning the forums for hours and noticed that this post BELOW is the exact same problem I have after running Dr Web............


Quote
Like a few others that have been before me, I have feel victim to the Backdoor.TDSS.565 virus, at least that is what Dr. Web is calling it. Like the others, Dr. Web claims to remove it, but it returns in the very next process that is run on the machine. Also I am be re-directed from any favorites or any clicks from a google search.

Others with a similar problems have claimed to fix it but their post do not give an indication on what needed to be done to make that happen.

I have read the first part and am familiar with most as I do this for a living, but the advanced stuff i will leave to you, if you will help me finish this

Here is my log of GMER. If you want me to start fresh with OTL, I will do this

I have run every program available in safe mode and removed stuff for a week, but as soon as its online again, I get a Generic Windows Services 32 errors, which shows is related to (mshtml.dll) and also an Ntdll) which i see listed in GMER log below

Thanks in advance

JB

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2010-12-28 08:56:22
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 WDC_WD5000AAKS-75A7B2 rev.01.03B01
Running: rgclexyg.exe; Driver: C:\DOCUME~1\Spencer\LOCALS~1\Temp\agtoapoc.sys


---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\plugin-container.exe[164] USER32.dll!TrackPopupMenu 7E46531E 5 Bytes JMP 10402342 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\WINDOWS\Explorer.EXE[1464] ntdll.dll!NtProtectVirtualMemory 7C90D6D0 5 Bytes JMP 00B5000A
.text C:\WINDOWS\Explorer.EXE[1464] ntdll.dll!NtWriteVirtualMemory 7C90DF90 5 Bytes JMP 00C6000A
.text C:\WINDOWS\Explorer.EXE[1464] ntdll.dll!KiUserExceptionDispatcher 7C90E45C 5 Bytes JMP 00B4000C
.text C:\WINDOWS\System32\svchost.exe[1776] ntdll.dll!NtProtectVirtualMemory 7C90D6D0 5 Bytes JMP 0080000A
.text C:\WINDOWS\System32\svchost.exe[1776] ntdll.dll!NtWriteVirtualMemory 7C90DF90 5 Bytes JMP 00CB000A
.text C:\WINDOWS\System32\svchost.exe[1776] ntdll.dll!KiUserExceptionDispatcher 7C90E45C 5 Bytes JMP 007F000C
.text C:\WINDOWS\System32\svchost.exe[1776] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00D7000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[1940] ntdll.dll!NtProtectVirtualMemory 7C90D6D0 5 Bytes JMP 0104000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[1940] ntdll.dll!NtWriteVirtualMemory 7C90DF90 5 Bytes JMP 0136000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[1940] ntdll.dll!KiUserExceptionDispatcher 7C90E45C 5 Bytes JMP 0103000C

---- Devices - GMER 1.0.15 ----

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8AFCF39B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8AFCF39B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort2 8AFCF39B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort3 8AFCF39B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-e 8AFCF39B
Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskWDC_WD5000AAKS-75A7B2___________________01.03B01#5&163e592b&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 01: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 02: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 32: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 62: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;

---- EOF - GMER 1.0.15 ----

BC AdBot (Login to Remove)

 


#2 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:03:06 AM

Posted 03 January 2011 - 04:13 PM

Hello and welcome to Bleeping Computer :welcome:

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review your topic an do their best to resolve your issues.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log



If the system has been used after topic creation time we need to take a look at fresh logs. So, please post fresh copies of dds.txt & attach.txt logs.


Regards,
Georgi :hello:

cXfZ4wS.png


#3 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:06 PM

Posted 08 January 2011 - 01:53 PM

Due to the lack of feedback, this topic is now closed.In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.
Proud member - Unified Network of Instructors and Trained Eliminators
Posted Image

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when your gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#4 jbmail

jbmail
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:07:06 PM

Posted 11 January 2011 - 12:44 PM

I coulkd use some help

I have attached what I think you told me in instruction:

Please advise and thank You

DR Web
Spybot
Avast & boot scan
Malware Bytes
Hijackthis
Superantivirusd

ALL SHOW CLEAN now

Attached Files



#5 Andrew

Andrew

    Bleepin' Night Watchman


  • Moderator
  • 8,259 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Right behind you
  • Local time:05:06 PM

Posted 12 January 2011 - 07:12 PM

Reopened and merged by OP request.

#6 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:06 PM

Posted 12 January 2011 - 11:00 PM

Hi and welcome to the Virus/Trojan/Spyware/Malware Removal forum,

I am thcbytes and I am here to help you!

I ask that you refrain from running tools other than those I suggest to you while I am cleaning up your computer. The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Please perform all steps in the order received and do not proceed if you need clarification.

Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems please stop and tell me about it. When your computer is clean I will alert you of such. I will also provide you with detailed suggestions for prevention.

In the upper right hand corner of the topic you will see a button called Watch this topic. Click on this then choose Immediate E-Mail notification and then Proceed and you will be advised when I respond to your topic by email.

After 5 days if your topic is not replied I we assume it has been abandoned and I will close it.

I would also like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please be courteous and appreciative for the assistance provided!

Again I would like to remind you to make no further changes to your computer unless I direct you to do so. Your computer fix will be based on the current condition of your computer! Any changes might delay my ability to help you.

==========

Did you originally have a TDSS infection that you cleared on your own? If so then please be aware....

TDSS is a Backdoor trojan/Rootkit.

This can allow hackers to potentially remotely control your computer, steal critical system information and download and execute files.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan might have been identified and killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

I can't guarantee that it will be 100% secure even without evidence of infection.

==========

Are you currently experiencing any problems? If so please outline them now.

Regards,
thcbytes
Proud member - Unified Network of Instructors and Trained Eliminators
Posted Image

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when your gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#7 jbmail

jbmail
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:07:06 PM

Posted 13 January 2011 - 08:06 AM

Thanks again for getting back to me quickly and reopeming the post

Since i deal with many business clients and home professionals, I forwarded your response to the customer and he agrees that machine and data cannot be trusted and has taken this machine offline & given it to kids for games and to ruin

We are buying a NEW computer for him, so please use your valuable time to help someone else at this point

I'm sure I will need you again in the future

be well

J

#8 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:06 PM

Posted 13 January 2011 - 10:49 AM

Thanks for the reply. You might consider a format and re-installation of the OS. It will result in a "like new" computer without the risk of propagating infection if those "kids" grow up and an online connection happens to be established in the future. Just something to consider. :thumbup2:
Proud member - Unified Network of Instructors and Trained Eliminators
Posted Image

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when your gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#9 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:06 PM

Posted 17 January 2011 - 04:12 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
Proud member - Unified Network of Instructors and Trained Eliminators
Posted Image

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when your gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users