Brutal Malware - help

By skein4
Nov 11, 2008
Topic Status:
Not open for further replies.
  1. skein4

    skein4 Newcomer, in training Topic Starter Posts: 39

    Mike- Attached is the SAS log run in normal mode, and the HJT log run after that. I'm going to run MBWM now in normal mode and will post presently.

    AsonJ- Each scan is taking around 15-30 minutes.
  2. mflynn

    mflynn Newcomer, in training Posts: 2,793

    Skein

    You are doing great!

    If the final runs do not get the below

    Code:
    C:\Documents and Settings\DELL\Local Settings\Temp\TDSSa8f6.tmp
    C:\Documents and Settings\DELL\Local Settings\Temp\TDSSa96e.tmp
    Then do this in MWBAM click More Tools-Run Tool.

    Then copy paste the 2 lines in the box above one at a time to the file name box click open and follow prompts to delete.

    Mike
  3. AsonJ27

    AsonJ27 Newcomer, in training Posts: 19

    Have you regained control of your browser and virus protection yet?

    After my first MBAM scan it seems that things are back to normal. I'm still going to run all the scans I can in normal and safe modes to make sure I've gotten everything.
  4. skein4

    skein4 Newcomer, in training Topic Starter Posts: 39

    Attached is the latest MBW log. Mike, I didn't see your last post till now, so will cut and paste, and then re-run.
  5. momok

    momok Newcomer, in training Posts: 2,272

    Nice progress!

    PLease fix this in HJT.
    O3 - Toolbar: LikeVine - {1BB22D38-A411-4B13-A746-C2A4F4EC7344} - C:\Program Files\LikeVine\tbcore3u.dll (file missing)

    Meanwhile, are you now able to download and run Combofix?
  6. skein4

    skein4 Newcomer, in training Topic Starter Posts: 39

    Mike- those C: files you listed were not found.

    Momok: I was able to download Combofix for the first time and was running it when the computer restarted. When it started up, AvirGuard caught a number or registry changes:

    google.com/ie
    microsoft.com/isapi/redir.dll?....a bunch more stuff
    microsoft.com/wlink/?linkID=....numbers
    microsoft.com/wlink/?linkID=...numbers
    microsoft.com/wlink/?linkID=....numbers
    ie.search.msn.com/{sub....
    autorun
    load
    scrnsave.exe

    Also, a red shield shows up in the tray and a window pops up saying "Your computer might not be safe/No Firewall turned on/Click this balloon to fix this problem" I did not click the balloon.

    Then Combofix completed its scan. I ran it again, and both logs are attached. 1 is the first one, 2 is the second one.

    Finally, a windows update downloaded and shows up on the restart/log off dialog box. I have been restarting without loading it. Should I load it?

    Also attached are HJT, MBW, and SAS logs. It seems like something is still there. I'm going to sleep now but will check back first thing in the morning EST. Thanks,

    Also, here is one more AV Scan log before I call it a night.

    Attached Files:

  7. mflynn

    mflynn Newcomer, in training Posts: 2,793

    Hi

    Do this and run SAS again.

    Before clicking Scan

    Click the Preferences button.

    Then Scanning Control.

    In Scanner Options make sure the following are checked:
    1. Close browsers before scanning
    2. Scan for tracking cookies
    3. Terminate memory threats before quarantining.
    4. Leave the others as they are.


    These are all OK allow them
    Code:
    google.com/ie
    microsoft.com/isapi/redir.dll?....a bunch more stuff
    microsoft.com/wlink/?linkID=....numbers
    microsoft.com/wlink/?linkID=...numbers
    microsoft.com/wlink/?linkID=....numbers
    ie.search.msn.com/{sub....
    autorun
    load
    scrnsave.exe
    
    Click the Red Shield and re-enable the Windows Firewall
    or let me know if it will not start.

    Mike
  8. skein4

    skein4 Newcomer, in training Topic Starter Posts: 39

    Mike-

    I turned on the firewall. Incidentally, I had those SAS instructions followed from a previous posting by you, so all the recent SAS logs I posted should have those preferences intact.

    I went fully through the 8 steps and the logs are attached.

    The computer keeps trying to restart. A dialog box from Windows Automatic Updates pops up saying it has downloaded updates and will restart in 5 minutes, then begins counting down.

    Last- should I allow the computer to install updates on shutdown?

    I'm off to work now, but will check for responses later today. Thanks,
  9. mflynn

    mflynn Newcomer, in training Posts: 2,793

    Hello Skein

    Good job. I think we are almost there!

    Use HJT Scan only select for removal (will this one not go I and others have recommended removal earlier?)
    O3 - Toolbar: LikeVine - {1BB22D38-A411-4B13-A746-C2A4F4EC7344} - C:\Program Files\LikeVine\tbcore3u.dll (file missing)

    Yes shutdown and let it install updates.

    ----------------------------------------------------------------------------------------------------------------------------------

    D/L install and run ATF-Cleaner clear all except passwords in all browsers you have. Run repeatedly until no more found.

    http://www.majorgeeks.com/ATF_Cleaner_d4949.html
    ----------------------------------------------------------------------------------------------------------------------------------

    After the above

    Run SpyBot and do the Immunize (run scan also if you want)!

    then

    D/L http://www.javacoolsoftware.com/spywareblaster.html
    install run update enable all protections
    ----------------------------------------------------------------------------------------------------------------------------------
    After all the above recheck with SAS to ensure those tracking cookies are gone
    ----------------------------------------------------------------------------------------------------------------------------------

    If you still have Windows update issues let me know and we will fix that.

    Mike
  10. skein4

    skein4 Newcomer, in training Topic Starter Posts: 39

    Ok, I'll do that all tonight after work in about 10 hours or so. Thanks,
  11. rf6647

    rf6647 TechSpot Maniac Posts: 931

    Mike,
    I think we missed something @message 56.

    This appears in both Combofix logs
    2008-11-10 23:10 . 2008-11-11 02:19 527 --a------ c:\windows\system32\TDSSrrvd.dat

    This one is suspicious, but I don't know. As a dllcache file, I'd add it to the deletion list.
    2008-10-15 08:32 . 2008-09-08 05:41 333,824 -----c--- c:\windows\system32\dllcache\srv.sys

    Another thing to consider is the hard reset of the rou ter. It is unknown if this exploit is being used by this infection.
    Rich
  12. mflynn

    mflynn Newcomer, in training Posts: 2,793

    Hi Rich

    No he had 2 Combo fix runs an the 2nd one was clear.

    I think that was play budokai with DNS Changer that had a possible router incursion.

    Mike
  13. rf6647

    rf6647 TechSpot Maniac Posts: 931

    Mike
    The TDSS file appears in both logs in that message. Since I do not understand all aspects of ComboFix, where do you look to see that it was cleared. Since this file appears in the file list, I do not interpret that it was marked for deletion.

    Additionally, some of the history behind MBAB logs makes me pause. The major trojan gets knocked out, but trojan.fake returns, and finally the all-clear.

    Another run of ComboFix perhaps?
    Create comboscript file with single file: c:\windows\system32\TDSSrrvd.dat
    Rich
     
  14. mflynn

    mflynn Newcomer, in training Posts: 2,793

    Hi Rich

    Perhaps I am missing it but the 1st log from 11:58 has the tdss that is when it found and cleaned, the 2nd log at 12:15 has no reference to tdss as should be since it was cleaned in the first run.

    The last log is what counts. But maybe I am missing something in that log can you post the item I am missing?

    And it will not hurt to advise him to do download a new ComboFix and run again if you want.

    Mike
  15. rf6647

    rf6647 TechSpot Maniac Posts: 931

    I am speaking of Message #56

    Which message # & which files are you referring to?

    ComboFixLog1
    ComboFix 08-11-11.01 - DELL 2008-11-12 23:58:49.1 - NTFSx86

    ComboFixLog2
    ComboFix 08-11-11.01 - DELL 2008-11-13 0:15:47.2 - NTFSx86

    Search string = TDSSrrvd.dat

    Matches occur in both files.

    Landmarks in each file. Some extra spaces removed. Some [] removed.

    ComboFixLog1
    -------\Legacy_TDSSSERV.SYS
    -------\Service_TDSSserv.sys
    ((((((((((((((((((((((((( Files Created from 2008-10-13 to 2008-11-13


    ComboFixLog2
    COLOR=RED]B]]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!/B][/COLOR
    .((((((((((((((((((((((((( Files Created from 2008-10-13 to 2008-11-13

    That shows part of what was removed. But TDSSrrvd.dat survived.
    2008-11-10 23:10 . 2008-11-11 02:19 527 --a------ c:\windows\system32\TDSSrrvd.dat

    Where can we establish if this is a legit file?
  16. mflynn

    mflynn Newcomer, in training Posts: 2,793

    Hi Rich:eek:

    You are correct I missed it

    Code:
    c:\windows\system32\TDSSrrvd.dat
    you must have good young eyes. I have old not so good eyes.:p

    It is only the data file without the program itself it is useless!

    But needs to be gone,

    Skein to remove this file start MABAM don't scan click More Tools-Run Tool

    Copy and paste the line in the box to "File Name" and click open.
    Note: this runs another MalwareBytes stand alone program "FileAssassin" for deleting hard to delete or in use files.

    Mike
  17. skein4

    skein4 Newcomer, in training Topic Starter Posts: 39

    OK- There were several messages before I could get back to my computer, so let me know if I missed a step.

    1. Ran File Assassin on the TDSS DAt file
    2. Restarted, all windows updates loaded.
    3. HJT deleted the LikeVine registry. However it keeps showing up. It is a file I downloaded and know, so is it okay to keep? I deleted it per instructions, but unless there is a reason not to use it, will install it again. Thoughts?
    4. Ran ATF Cleaner till clean
    5. Spybot Immunize
    6. Spyware Blaster
    7. SAS, log attached.
    8. Combofix, log attached
    9. HJT, log attached.

    Let me know if there is something that I missed. Thanks again. If we get to the point of clean, I will try and write a summary of steps that seemed to work, since this one seems to be making the rounds. Thanks,
  18. mflynn

    mflynn Newcomer, in training Posts: 2,793

    Deleted was meant for another user:
    Mime
  19. rf6647

    rf6647 TechSpot Maniac Posts: 931

    Mike, I think you posted HJT findings for a different thread.......Rich

    Skein
    LikeVine may be among the good. The associated clsid also covers crap from some other vendors
    The isotoolbar (vendor) was the most notorious At times it is difficult to judge how many of the vendors are really the same company.
  20. skein4

    skein4 Newcomer, in training Topic Starter Posts: 39

    Mike-

    Yeah, I think that HJT was not mine. Here is a new one after restart, just in case, and none of those issues are here. I understand, tho, since are answering dozens of these things at once!:p You are like those chess geniuses at the park that play 10 people at the same time...

    Shall I still run SD Fix?
  21. mflynn

    mflynn Newcomer, in training Posts: 2,793

    Yeah guys sorry must have had another one open. Tired also!

    Ignore that one for now and I will find who and cut it paste to correct user.

    OK Skein

    Give us the current state how computer runs etc what is left before we continue.

    Mike
  22. skein4

    skein4 Newcomer, in training Topic Starter Posts: 39

    Mike-

    As far as I can tell, everything is running well. It is faster than before, in fact. No more issues with automatic downloading, etc. So, my logs from message #67 and #70 should accurately reflect what is going on there.

    Thanks,
  23. mflynn

    mflynn Newcomer, in training Posts: 2,793

    That is GREAT!

    You do good work. in my next post in 20 -30 minutes I will give final thread closing instructions.

    Mike
  24. mflynn

    mflynn Newcomer, in training Posts: 2,793

    Finishing up!

    Run CCleaner again twice or more on Cleanup temps, then on left click Registry then Scan for issues also repeat till clean.
    -------------------------------------------------------------------------------------------------------

    D/L install and run ATF-Cleaner clear all except passwords in all browsers you have. Run repeatedly until no more found.

    http://www.majorgeeks.com/ATF_Cleaner_d4949.html
    -------------------------------------------------------------------------------------------------------

    The issue found is in System Restore so do the below

    Start-Programs-Accessories-System Tools-Disk- System Restore and create a new Restore point. Name it "After cleanup at TechSpot".

    Then

    Start-Programs-Accessories-System Tools-Disk Cleanup
    Click OK to accept C:
    Select all Boxes
    Then click More Options
    Here click System Restore and OK to "Are you sure" and the OK to Run.

    As this runs it clears all but the most recent Restore Point but it does one other thing that can contain infested files and a huge amount of disk space.

    It clears what is known as Shadow copies which are used by specialized back up programs.

    This is if you have the Volume Shadow Copy running which is the default.
    -------------------------------------------------------------------------------------------------------

    Download OTCleanIt http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe

    Save to desktop.

    This will remove all the tools we used to clean your computer.
    These tools update so often they require downloading again later if needed.

    Double-click OTCleanIt.exe-Click CleanUp

    Yes to the "Begin cleanup Process?"

    If prompted to Reboot click Yes.

    OTScanit will delete when finished, if not delete it by yourself.

    Approve all if prompted by Firewall, Widows Defender or other guards or security programs about OTCleanIt attempting access to the Internet, allow all.
    ----------------------------------------------------------------------------------------------------------------------

    Every 2 weeks or so run mbam and sas until clean. If they find something they can not clean then get back to us.

    Additionally CCleaner, run now and every 2 weeks or so as mentioned above.

    I have been using ThreatFire for more than a year, it just went from ver 3 to ver 4.

    It was designed to co-exist with other Virus scanners.

    Additionally it uses totally different process to protect. While conventional Virus scanners work from definitions ThreatFire works on recognizing Virus/Malware activity. It's like looking at it with 2 sets of eyes and from a different angle.

    http://www.threatfire.com/Download/
    ----------------------------------------------------------------------------------------------------------------------
    Look at http://www.javacoolsoftware.com/spywareblaster.html

    Run SpyBot ocassionally and use the Immunize function.

    Hostman http://www.abelhadigital.com/

    Mike
  25. skein4

    skein4 Newcomer, in training Topic Starter Posts: 39

    Mike-

    I've run through your final instructions, and everything seems to be running peachy! Thank you, thank you, thank you. You and the folks here are doing a great service and I wish you the best. Let me know if it would be helpful to summarize the steps that worked for me...otherwise people can follow the blow-by-blow in the previous postings.

    Many thanks and happy trails.
Topic Status:
Not open for further replies.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.