Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Windows Server 2003 Infected with Boot.Tidserv.B


  • Please log in to reply
7 replies to this topic

#1 Mike R. D.

Mike R. D.

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:05:43 PM

Posted 25 January 2011 - 03:24 AM

I have a home based PC server that I run a personal web site on. My Symantec Antivirus is reporting that it has a Master Boot Record infection of Boot.Tidserv.B. I checked the Symantec forums and found a posting referring another user with the same infection to other sites, including this one, so I have follwed the trail to your forums...

Here's the specs:

System Specs: Intel Pentium 4 - Dual Core, 3 Ghz, 4 GB RAM, 32-bit OS, Windows Server 2003 Enterprise Edition, SP2 - Automatic Updates on and up-to-date; Windows Firewall on.

Hard Drive-related:
Three 2-TB SATA hard drives: 2 in redundant RAID-1 Array, the third is a stand-alone used for backup. If worst comes to worst, I do have validated Acronis Backup & Recovery images of entire system drive, (which are automatically created weekly), that I can use to restore the system to. I'd rather just get rid of the virus, if possible. The system drive is the RAID-1 array.

Anti-Virus/Anti-Spyware:
SuperAntiSpyware Professional, Version 4.48.0.1000 - Does not detect the infection.
Symantec AntiVirus Corportate Edition version 10.1.4.4000, Virus definitions up-to-date. It reports the following:

Risk: Boot.Tidserv.B
Action: Left alone
Count: 1
Filename: Master Boot Record for Physical drive number 0
Risk Type: Boot sector
Original Location: Master Boot Record for Physical drive number 0
Computer: SERVER
User: SERVER\Administrator
Status: Left alone
Current Location: Master Boot Record for Physical drive number 0
Primary Action: Clean security risk
Secondary Action: Quarantine
Logged By: Scheduled scan
Action Description: The file was left unchanged.
Date: 1/24/2011 3:03

Please help. Thank you much!!
Mike D.

Edited by Mike R. D., 25 January 2011 - 03:39 AM.


BC AdBot (Login to Remove)

 


#2 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:08:43 PM

Posted 01 February 2011 - 11:13 PM

Hello.

Sorry for the delay.

Please try this.

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

~Blade


In your next reply, please include the following:
TDSSKiller Log

Posted Image

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+


#3 Mike R. D.

Mike R. D.
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:05:43 PM

Posted 04 February 2011 - 02:26 PM

Thanks Blade. Here's the log:

2011/02/04 09:50:30.0499 5052 TDSS rootkit removing tool 2.4.16.0 Feb 1 2011 10:34:03
2011/02/04 09:50:30.0812 5052 ================================================================================
2011/02/04 09:50:30.0812 5052 SystemInfo:
2011/02/04 09:50:30.0812 5052
2011/02/04 09:50:30.0812 5052 OS Version: 5.2.3790 ServicePack: 2.0
2011/02/04 09:50:30.0812 5052 Product type: Server
2011/02/04 09:50:30.0812 5052 ComputerName: SERVER
2011/02/04 09:50:30.0812 5052 UserName: Administrator
2011/02/04 09:50:30.0812 5052 Windows directory: C:\WINDOWS
2011/02/04 09:50:30.0812 5052 System windows directory: C:\WINDOWS
2011/02/04 09:50:30.0812 5052 Processor architecture: Intel x86
2011/02/04 09:50:30.0812 5052 Number of processors: 2
2011/02/04 09:50:30.0812 5052 Page size: 0x1000
2011/02/04 09:50:30.0812 5052 Boot type: Normal boot
2011/02/04 09:50:30.0812 5052 ================================================================================
2011/02/04 09:50:31.0828 5052 Initialize success
2011/02/04 09:50:37.0906 0432 ================================================================================
2011/02/04 09:50:37.0906 0432 Scan started
2011/02/04 09:50:37.0906 0432 Mode: Manual;
2011/02/04 09:50:37.0906 0432 ================================================================================
2011/02/04 09:50:42.0296 0432 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/02/04 09:50:42.0296 0432 ================================================================================
2011/02/04 09:50:42.0296 0432 Scan finished
2011/02/04 09:50:42.0296 0432 ================================================================================
2011/02/04 09:50:42.0328 3816 Detected object count: 1
2011/02/04 09:51:18.0453 3816 \HardDisk0 - will be cured after reboot
2011/02/04 09:51:18.0453 3816 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
2011/02/04 09:51:20.0781 4832 Deinitialize success

#4 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:08:43 PM

Posted 04 February 2011 - 02:31 PM

Hello.

Good! I believe we took out the rootkit.

Now, let's follow up.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

IMPORTANT!!! - when you save the file, rename it to something random, such as bubbles.exe This must be done before beginning the download!

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

~Blade


In your next reply, please include the following:
Malwarebytes Log

Posted Image

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+


#5 Mike R. D.

Mike R. D.
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:05:43 PM

Posted 04 February 2011 - 03:00 PM

Here it is... Wow, that was easy.

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5678

Windows 5.2.3790 Service Pack 2
Internet Explorer 7.0.5730.13

2/4/2011 11:47:36 AM
mbam-log-2011-02-04 (11-47-36).txt

Scan type: Quick scan
Objects scanned: 166903
Time elapsed: 11 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)




#6 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:08:43 PM

Posted 04 February 2011 - 04:03 PM

Hi.

How's the computer running?

Posted Image

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+


#7 Mike R. D.

Mike R. D.
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:05:43 PM

Posted 04 February 2011 - 04:05 PM

Seems to be running fine. My Symantec AntiVirus is no longer reporting the boot infection. Thank you for your help!

#8 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:08:43 PM

Posted 04 February 2011 - 04:43 PM

Glad I could help! :thumbup2:

Posted Image

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users