Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

TDSS Variant


  • This topic is locked This topic is locked
14 replies to this topic

#1 Mike Kingzett

Mike Kingzett

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:01:57 AM

Posted 07 July 2011 - 03:37 PM

Hi,

Seems one of my kids downloaded a 'game'. While the game is 'free' I'm now paying for it. I'm normally pretty good at finding virus cleanup procedures and removing them. This one seems different.

According to McAfee it is a TDSS variant. McAfee finds the rootkit every time it runs.

I followed the cleanup procedures here -

- Ran RKill (works with either RKill name or the iexplore.exe download version)
- Downloaded TDSSKiller

I tried running TDSSKiller and the process ended immediately. I can see the process starting in Process Explorer but it doesn't last long.

I renamed it to a random name. Same thing occured. It's almost as though whatever the trojan is doing it recognized the signature of the executable.

I did all the steps specified in the 'how to submit a request' (disabled CD emulator, ran dds, and gmer) and attached the logs.

One interesting thing - I really hated how it used IE to hit the web and download things. I took ownership of the IE executable and marked it as 'not executable' by anyone. I see events stating that a DCOM process is failing. I also noticed that my machine will run out of memory if left logged on long enough. It seems the trojan code doesn't like that much. It's a small victory I guess. It felt a little good.

I appreciate your help and am thanking you ahead of time. It's very impressive reading how you folks help others on this forum.

Attached Files



BC AdBot (Login to Remove)

 


#2 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:01:57 AM

Posted 09 July 2011 - 02:02 PM

Hi,

Please do the following:

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 Mike Kingzett

Mike Kingzett
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:01:57 AM

Posted 10 July 2011 - 02:29 PM

Thanks for your help Catbyte.

I did as you said - the file is attached.

After Combofix ran I did re-enable McAfee. I hope that's OK. McAfee does keep finding stuff.

Attached Files



#4 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:01:57 AM

Posted 10 July 2011 - 03:38 PM

Hi,

Please do the following:

  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#5 Mike Kingzett

Mike Kingzett
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:01:57 AM

Posted 11 July 2011 - 06:23 PM

Hi,

So - I did what you said with just a small variation. I have Internet Explorer marked so it can't run. I did this because whatever I have kept using IE to connect to websites doing something.

I used Firefox and Eset had me download a scanner that ran locally. As you can see little was found. I do still have Google Redirect at a minimum. So - and this occured to me - I'm running all this with my id. The account that was infected is different. Does that matter? (please don't murmur bad things about me if that was a 'duh' moment....)

Here are the files -

MalwareBytes:

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 7068

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/10/2011 7:35:35 PM
mbam-log-2011-07-10 (19-35-35).txt

Scan type: Quick scan
Objects scanned: 206903
Time elapsed: 7 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


ESet:

C:\Documents and Settings\andrew\Application Data\Sun\Java\Deployment\cache\6.0\47\109d682f-4fdd5979 a variant of Java/TrojanDownloader.OpenStream.NBF trojan
C:\Documents and Settings\andrew\Local Settings\Temporary Internet Files\Content.IE5\3DHREC10\index[1].htm JS/Kryptik.AX trojan

#6 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:01:57 AM

Posted 11 July 2011 - 08:32 PM

Hi,

that shouldn't make a difference

Earlier on ComboFix installed the Recovery Console. We're going to use that now.
  • Reboot your machine and when the Boot Menu flashes up - select "Microsoft Windows Recovery Console"
    (you need to be very fast with the arrow key as you only have a couple of seconds before it defaults to the windows XP bootup)

    Posted Image


    Posted Image

  • When you get to the above screen, take note of the number that references your operating system.
  • If it's '1' like the picture above, type 1 and press Enter
  • It will then prompt you for the Administrator's password. If there is no password, simply press enter.
    Otherwise type in the password and then press enter.

    Posted Image

  • Next type FIXMBR

    Posted Image

  • If it asks if you're sure you want to write a new MBR, answer 'Y'
  • Then type EXIT to reboot the machine.



NEXT


Posted Image Your Java is out of date.
Java™ 6 Update 22 can be updated from the Java control panel Start > Control Panel (Classic View) > Java (looks like a coffee cup) > Update Tab > Update Now.
An update should begin; > follow the prompts.


Clear Java cache

Go into the Control Panel and double-click the Java Icon. (looks like a coffee cup) If you do not see the icon, look to your left and click 'Switch to Classic View'.
  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button
  • There are two options in the window to clear the cache - Leave BOTH Checked
    • Applications and Applets
      Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.



NEXT


Download TFC to your desktop
Mirror
  • Close any open windows.
  • Double click the TFC icon to run the program
  • TFC will close all open programs itself in order to run,
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish it's job
  • Once its finished it should automatically reboot your machine,
  • if it doesn't, manually reboot to ensure a complete clean
It's normal after running TFC cleaner that the PC will be slower to boot the first time.



NEXT



Please post a fresh DDS Log and advise how the computer is running now and if there are any outstanding issues

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#7 Mike Kingzett

Mike Kingzett
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:01:57 AM

Posted 13 July 2011 - 12:35 AM

I got stuck at work today- didn't get a chance to do any of this. I should have time tomorrow.

#8 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:01:57 AM

Posted 13 July 2011 - 02:13 PM

OK, whenever you can.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#9 Mike Kingzett

Mike Kingzett
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:01:57 AM

Posted 14 July 2011 - 07:02 AM

Hi,

I did all you said with a few variations.

- Ran 'fixmbr' - that was successful
- I had uninstalled Java. I went and manually delete all the Sun/Java directories under all profiles on the machine
- Ran TFC. FWIW the first link was giving me a 404 error - second one worked
- DDS.txt is attached

What I see:

- Google redirect is gone (the boot record fix did that??)
- DCOM errors in the event log are no longer happening - this was how the trojan was calling IE
- McAfee did not find anything the last scan
- Something deleted every single shortcut under the Start menu (not hidden anymore, really deleted). Very annoying...
- Something still restores iexplore under Program Files/Internet Explorer when I delete it (I have a copy)

That last item is the only 'weirdness' I see.

Thanks!

Attached File  DDS.txt   10.18KB   0 downloads

Oh - I did install the latest Java.

#10 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:01:57 AM

Posted 14 July 2011 - 09:04 AM

Please re-run ComboFix > allow it to update if it requests to do so, post the resulting log

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#11 Mike Kingzett

Mike Kingzett
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:01:57 AM

Posted 15 July 2011 - 06:45 AM

Hi,

Combofix attached.

Thanks!

Attached Files



#12 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:01:57 AM

Posted 15 July 2011 - 09:05 AM

Hi,

Just some housekeeping to do now,

please do the following:


You can delete the DDS and GMER logs and programs from your desktop.


NEXT


Follow these steps to uninstall Combofix

  • Make sure your security programs are totally disabled.
  • Click START then RUN
  • Now copy/paste Combofix /uninstall into the runbox and click OK. Note the space between the ..X and the /U, it needs to be there.

Posted Image


NEXT


If there are any logs/tools remaining on your desktop > right click and delete them.


NEXT


Below I have included a number of recommendations for how to protect your computer against malware infections.

  • It is good security practice to change your passwords to all your online accounts on a fairly regular basis, this is especially true after an infection. Refer to this Microsoft article
    Strong passwords: How to create and use them
    Then consider a password keeper, to keep all your passwords safe.

  • Keep Windows updated by regularly checking their website at :
    http://windowsupdate.microsoft.com/
    This will ensure your computer has always the latest security updates available installed on your computer.

  • Make Internet Explorer more secure
    • Click Start > Run
    • Type Inetcpl.cpl & click OK
    • Click on the Security tab
    • Click Reset all zones to default level
    • Make sure the Internet Zone is selected & Click Custom level
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

  • Download TFC to your desktop
    • Close any open windows.
    • Double click the TFC icon to run the program
    • TFC will close all open programs itself in order to run,
    • Click the Start button to begin the process.
    • Allow TFC to run uninterrupted.
    • The program should not take long to finish it's job
    • Once its finished it should automatically reboot your machine,
    • if it doesn't, manually reboot to ensure a complete clean
    It's normal after running TFC cleaner that the PC will be slower to boot the first time.

  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an addon available for both Firefox and IE

  • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.

  • In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at this well written article:
    PC Safety and Security--What Do I Need?.


**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.




Thank you for your patience, and performing all of the procedures requested.

Please respond one last time so we can consider the thread resolved and close it, thank-you

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#13 Mike Kingzett

Mike Kingzett
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:01:57 AM

Posted 17 July 2011 - 04:52 PM

Thanks for your help - I really do appreciate it. You pointed out some tools I hadn't heard of.

I actually have some of what you suggested (WOT, windows update, etc). This computer is mostly used by my kids. I didn't realize the Java update was broken.

Something still isn't quite right but I'll post a new thread if I find anything. The Internet Explorer file recreating itself is weird.

I am curious as to what made you decide to have me run at certain points. I realize you're probably busy - but if you have a link or two I like to read them.

#14 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:01:57 AM

Posted 17 July 2011 - 07:07 PM

I'm sorry, I don't have any links, your symptoms indicted an MBR infection, when ComboFix didn't clear it, I had you fix it manually, used MBAM and ESET to sweep for any left overs and that was it, I don't think the iexplore issue is a problem, but keep an eye on it.

stay safe :hello:

~CB

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#15 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:01:57 AM

Posted 19 July 2011 - 09:41 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users