Infection With Possibly Backdoor Virus

Status
Not open for further replies.

manupatel

Dear Virus Expert, 11 February 09

Here is what has happened to my desk top computer. I am presently using my laptop to communicate here.

My son downloaded a video file (format .wmv) for the Windows Media Player. When he tried to play it on Windows Media Player, it asked him for a Codec download. He clicked "Yes" to the download, there was a quick Norton warning about a Backdoor.---- (he cannot remember the extension as the message was gone immediately) and it asked him to restart the computer immediately. On restarting, the Norton icon on the desktop had disappeared and the computer became unresponsive. System Restore has been turned off by the virus and there are no system restore points. Now we cannot connect to the internet as the Windows XP does not work. We have a partitioned drive on which we also have Windows Vista, and this works fine. On scanning with an old Symantec program using Windows Vista, nothing turned up. We have Norton Internet Security 2009 (3 licenses) but this does not work on the XP and we cannot install it on the Vista as we have used up all the licenses. Our desktop has an external book drive but that is also not accessible as the XP is unresponsive. On clicking Norton from All Programs it appears and disappears in a flash. It seems that the virus has total control over the XP and Norton.

Can any kindly soul please help us to restore our desktop computer back to health? Any help or guidance will be greatly appreciated.

Thanks and regards

manupatel
 
Hello manupatel

So as I understand it you have a dual boot and when in Vista you have access to the XP drive but cannot boot from it, correct?

Have you tried to boot it into Safe Mode by hitting F8 before windows starts?

If not, try that now. Only try Safe Mode, do nothing else!

Mike
 
Safe Mode

Hi Mike, 11 February 2009

Thank you very much for your very fast reply to my problem.

Yes the desktop does boot from the Vista, however, it is on a different drive. We partitioned our C drive and now it resides on the J drive. I can boot my XP in Safe Mode but do not know how to get rid of the virus. Can you post some instructions on what I should look for and how I can remove the malicious files?

Thanks and regards

manu
 
Yes I can, but you need to reboot it again and this time choose XP Safe Mode with Networking.

Safe mode with networking should allow Internet access, then connect back here and do the below.

Boot to Safe Mode networking and do all below.

Left-drag the mouse and copy all the text in the box below for pasting. Make sure the slider bar goes to the bottom, from the @ to the end of the second exit.

Then paste it into the black screen of an open command prompt. Not all of it may apply, so ignore errors.
Code:
@echo off
cd\
:: Fix associations (restores the default handlers the malware may have hijacked)
ftype exefile="%1" %*
ftype batfile="%1" %*
ftype cmdfile="%1" %*
ftype comfile="%1" %*
ftype scrfile="%1" /S
ftype regfile="regedit.exe" "%1"
ftype piffile="%1" %*
ftype inffile=%SystemRoot%\System32\NOTEPAD.EXE "%1"
ftype vbsfile=%SystemRoot%\System32\WScript.exe "%1" %*
ftype jsfile=%SystemRoot%\System32\WScript.exe "%1" %*

assoc .exe=exefile
assoc .bat=batfile
assoc .cmd=cmdfile
assoc .com=comfile
assoc .scr=scrfile
assoc .reg=regfile
assoc .pif=piffile
assoc .lnk=lnkfile
assoc .inf=inffile
assoc .vbs=VBSFile
assoc .js=JSFile

sc stop TDSSserv.sys
sc delete TDSSserv.sys
:: Above sc commands first stop then delete the service if it exists
::
reg unload "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata"
reg unload "HKEY_LOCAL_MACHINE\SOFTWARE\tdss"
::
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata" /f
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\tdss" /f
:: The above reg commands first unload the reg keys then delete these keys.
::
attrib -h -s -r tdss*.* /s
del tdss*.* /f /q /s
:: The above two lines first clear protective attributes then
:: delete all files on the drive beginning with the name tdss

:: Remove AntiVirus2009
attrib -h -s -r "%UserProfile%\Desktop\Antivirus 2009.lnk"
attrib -h -s -r "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus 2009.lnk"
attrib -h -s -r "%UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\S96PZM7V\winsrc[1].dll"
attrib -h -s -r "%UserProfile%\Start Menu\Antivirus 2009\*.*"

del "%UserProfile%\Desktop\Antivirus 2009.lnk" /f /q
del "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus 2009.lnk" /f /q
del "%UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\S96PZM7V\winsrc[1].dll" /f /q
del "%UserProfile%\Start Menu\Antivirus 2009\*.*" /f /q

rd /s /q "%UserProfile%\Start Menu\Antivirus 2009"

attrib -h -s -r "c:\Program Files\Antivirus 2009\*.*"
rd /s /q "c:\Program Files\Antivirus 2009"

attrib -h -s -r c:\WINDOWS\system32\ieupdates.exe
attrib -h -s -r c:\WINDOWS\system32\scui.cpl
attrib -h -s -r c:\WINDOWS\system32\winsrc.dll

del c:\WINDOWS\system32\ieupdates.exe /f /q
del c:\WINDOWS\system32\scui.cpl /f /q
del c:\WINDOWS\system32\winsrc.dll /f /q

:: Paths containing spaces must be quoted or cmd treats them as two arguments
attrib -h -s -r "c:\program files\xwdxqu.txt"
attrib -h -s -r c:\windows\x
attrib -h -s -r c:\windows\SxsCaPendDel

del "c:\program files\xwdxqu.txt" /f /q
del c:\windows\x /f /q
del c:\windows\SxsCaPendDel /f /q

reg delete HKLM\SOFTWARE\swearware /f
reg delete HKCU\Software\Wget /f
reg delete HKLM\Software\Classes\CLSID\{CD363BEC-7150-B887-530D-F3E2E0424EA} /f

:: rootkit gaopdxserv
attrib -h -s -r "c:\windows\system32\drivers\gaopdxqfotrruc.sys"
attrib -h -s -r "c:\windows\system32\gaopdxqpqjwmyc.dll"
attrib -h -s -r "c:\windows\system32\drivers\gaopdxuigiphwm.sys"

:: Service name matches the Services\gaopdxserv.sys key deleted below
sc stop gaopdxserv.sys
sc delete gaopdxserv.sys

del /f /q "c:\windows\system32\drivers\gaopdxqfotrruc.sys"
del /f /q "c:\windows\system32\gaopdxqpqjwmyc.dll"
del /f /q "c:\windows\system32\drivers\gaopdxuigiphwm.sys"

reg delete "HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gaopdxserv.sys" /f
reg delete "HKEY_LOCAL_MACHINE\Software\Classes\gaopdxvx" /f

reg delete "HKEY_CURRENT_USER\Software\75319611769193918898704537500611" /f
reg delete "HKEY_CLASSES_ROOT\CLSID\{037C7B8A-151A-49E6-BAED-CC05FCB50328}" /f
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{037C7B8A-151A-49E6-BAED-CC05FCB50328}" /f
:: /v names the Run value to remove; without it reg would refuse the extra argument
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "75319611769193918898704537500611" /f
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "ieupdate" /f
echo Finished ripping out Antivirus 2008-9
:: Fix associations again in case the cleanup above was interfered with
ftype exefile="%1" %*
ftype batfile="%1" %*
ftype cmdfile="%1" %*
ftype comfile="%1" %*
ftype scrfile="%1" /S
ftype regfile="regedit.exe" "%1"
ftype piffile="%1" %*
ftype inffile=%SystemRoot%\System32\NOTEPAD.EXE "%1"
ftype vbsfile=%SystemRoot%\System32\WScript.exe "%1" %*
ftype jsfile=%SystemRoot%\System32\WScript.exe "%1" %*

assoc .exe=exefile
assoc .bat=batfile
assoc .cmd=cmdfile
assoc .com=comfile
assoc .scr=scrfile
assoc .reg=regfile
assoc .pif=piffile
assoc .lnk=lnkfile
assoc .inf=inffile
assoc .vbs=VBSFile
assoc .js=JSFile
exit
exit
This should run and exit!

It is a coverall and you may see a few errors related to it addressing something you do not need. This is normal, ignore it.

Then..

Download ComboFix

NOTE: If your copy of ComboFix is more than a few days old, delete it and re-download.

Get it here: https://www.techspot.com/downloads/5587-combofix.html
Or here: http://subs.geekstogo.com/ComboFix.exe

Double click combofix.exe follow the prompts.

Install Recovery Console if connected to the Internet!

When finished, it will open a log.
Attach the log.

Note: Do not click ComboFix's window while it's running. That may cause it to stall.

After attaching logs do the TechSpot 8 steps: https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/

Mike
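As an added example (not part of Mike's post or of the batch script above), here is a Python check that compares the output of `assoc` and `ftype`, captured from the affected machine with `assoc > assoc.txt` and `ftype > ftype.txt`, against the same baseline the script restores, and reports every association that is missing or points somewhere else. Running this before and after the script shows whether the handlers were actually hijacked and whether they were put back. The sample output embedded below is constructed: `.vbs` is left out and `exefile` points at `C:\PLACEHOLDER\wrapper.exe`, a placeholder standing in for whatever a hijacked handler would reference.

```python
"""Compare captured `assoc` / `ftype` output against a known-good baseline.

Added example, not from the thread. The baseline values are exactly the ones the
cleanup script sets; the sample outputs further down are constructed."""

# Baseline: extension -> file type, as restored by the script's `assoc` lines.
EXPECTED_ASSOC = {
    ".exe": "exefile", ".bat": "batfile", ".cmd": "cmdfile", ".com": "comfile",
    ".scr": "scrfile", ".reg": "regfile", ".pif": "piffile", ".lnk": "lnkfile",
    ".inf": "inffile", ".vbs": "VBSFile", ".js": "JSFile",
}

# Baseline: file type -> open command, as restored by the script's `ftype` lines.
EXPECTED_FTYPE = {
    "exefile": r'"%1" %*',
    "batfile": r'"%1" %*',
    "cmdfile": r'"%1" %*',
    "comfile": r'"%1" %*',
    "scrfile": r'"%1" /S',
    "regfile": r'"regedit.exe" "%1"',
    "piffile": r'"%1" %*',
    "inffile": r'%SystemRoot%\System32\NOTEPAD.EXE "%1"',
    "vbsfile": r'%SystemRoot%\System32\WScript.exe "%1" %*',
    "jsfile": r'%SystemRoot%\System32\WScript.exe "%1" %*',
}


def parse_pairs(text):
    """Turn the `name=value` lines printed by assoc/ftype into a dict.

    Blank lines are skipped and only the first '=' separates name from value,
    so commands that themselves contain '=' survive intact."""
    pairs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or "=" not in line:
            continue
        name, value = line.split("=", 1)
        pairs[name.strip()] = value.strip()
    return pairs


def check_associations(assoc_text, ftype_text):
    """Return a list of (kind, name, found, expected) tuples for every baseline
    entry that is absent or differs. Names and values are compared
    case-insensitively, matching how the registry treats them."""
    findings = []
    assoc = {k.lower(): v for k, v in parse_pairs(assoc_text).items()}
    ftype = {k.lower(): v for k, v in parse_pairs(ftype_text).items()}
    for ext, handler in EXPECTED_ASSOC.items():
        found = assoc.get(ext.lower())
        if found is None or found.lower() != handler.lower():
            findings.append(("assoc", ext, found, handler))
    for handler, command in EXPECTED_FTYPE.items():
        found = ftype.get(handler.lower())
        if found is None or found.lower() != command.lower():
            findings.append(("ftype", handler, found, command))
    return findings


def format_findings(findings):
    """Render findings as one line each, for printing or pasting into a post."""
    lines = []
    for kind, name, found, expected in findings:
        state = "MISSING" if found is None else "CHANGED to " + found
        lines.append("%s %s: %s (expected %s)" % (kind, name, state, expected))
    return lines


# Constructed sample: what `assoc`/`ftype` might print on an infected box.
# .vbs has no association at all, and exefile has been pointed at a wrapper.
SAMPLE_ASSOC_OUTPUT = r"""
.bat=batfile
.cmd=cmdfile
.com=comfile
.exe=exefile
.inf=inffile
.js=JSFile
.lnk=lnkfile
.pif=piffile
.reg=regfile
.scr=scrfile
.txt=txtfile
"""

SAMPLE_FTYPE_OUTPUT = r"""
batfile="%1" %*
cmdfile="%1" %*
comfile="%1" %*
exefile="C:\PLACEHOLDER\wrapper.exe" "%1" %*
inffile=%SystemRoot%\System32\NOTEPAD.EXE "%1"
jsfile=%SystemRoot%\System32\WScript.exe "%1" %*
piffile="%1" %*
regfile="regedit.exe" "%1"
scrfile="%1" /S
txtfile=%SystemRoot%\system32\NOTEPAD.EXE %1
vbsfile=%SystemRoot%\System32\WScript.exe "%1" %*
"""

# Constructed clean sample built straight from the baseline, for comparison.
CLEAN_ASSOC_OUTPUT = "\n".join("%s=%s" % kv for kv in EXPECTED_ASSOC.items())
CLEAN_FTYPE_OUTPUT = "\n".join("%s=%s" % kv for kv in EXPECTED_FTYPE.items())

if __name__ == "__main__":
    for line in format_findings(check_associations(SAMPLE_ASSOC_OUTPUT, SAMPLE_FTYPE_OUTPUT)):
        print(line)
```

Extensions outside the baseline (the `.txt` entry in the sample) are ignored, so the check can be run over the full, very long `assoc` listing a real machine prints. A `CHANGED` finding for `exefile` is the case the thread describes: every .exe launch, including Norton's, goes through the malware's handler first, which is why the fix-associations block sits at both the start and the end of the script.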
 
Safe Mode

Hi Mike, 11 Feb 09

I went into Safe Mode and ran Norton Internet Security. It just scanned 3897 files and did not find any problems. I am now going to restart and follow your instructions.

Just to make sure, is it safe to connect as Norton does not seem to be working?

Thanks and regards

manu
 
Safe Mode

Hi Mike

Thanks again for helping out. Yes, this is the Safe Mode of XP.

I am sending you the stuff you have asked for as soon as my son comes home. He is more techie than I am and he will probably be better able to do all the stuff you have just instructed me to do.

We will be sending everything as instructed by you.

Thanks and regards

manu
 
Hi Mike, 11 Feb 09

I have started the computer in Safe Mode with Networking.

I cannot see any command prompt and secondly, how do I paste your software? From all programs, what do I click?

Thanks and regards

manu
 
Well you need to be connected and logged in here to see the box.

To get a command prompt do this:

Start-Run
type
cmd
click ok or hit enter.

Copy the box, then left click once inside the black screen, then right click and paste.

Mike
 
manu

Hi Mike, 11/02/09

Thanks, will do.

In the meanwhile, while waiting for your reply, I ran Registry Mechanic and got the following results, if this helps:

Hkey Local Machine\software\microsoft\windows\currentversion - value is invalid and it says high priority.

HKEY Local Machine\software\microsoft\windows\currentversion - value is invalid and it says the same message for both medium priority, i.e. 2 messages with medium priority.

I have clicked repair. Hope it is ok.

Thanks and regards

manu
 
Hi Mike,

We ran your software and saw lots of files being deleted. It has now exited and we are on the desktop. Now how do I send you the results?
 
ComboFix ran and downloaded something, and now it found "presence of rootkit activity" and needs to reboot. We wrote down the two files.
 
OK good, so let it reboot after attaching the logs.

Type the file names into the post.

To attach the logs look to the left panel bottom while logged on. Attachments.

Mike
 
Hi Mike,

We have finished all the steps. We restarted in normal mode. The Norton logo came back in the bottom right hand corner. We tried other programmes and they open as well. It seems to be fixed. Thanks a lot. We really appreciate your help.
Thanks and regards
 
Ok Mike, thanks again for your help. I'm a bit of a computer noob and you saved me £40. I'm gonna go eat dinner now, very hungry.

Thanks
 
OK when you have the edit screen open, click the "Go Advanced" button below the screen, then look at the header beside the Smiley face for the paperclip then browse to the location of the file to send.

Mike
 
More than 40!

Just because it seems to be OK don't stop now. Let me be sure for you!

But Combofix was loaded so now we run it again to confirm clean! Post new log!

Then do this and post log!

Download SDFix to Desktop.

http://www.bleepingcomputer.com/resources/link252.html

On the Desktop run SDFix. It will run (install) then close.

Then reboot into Safe Mode

As the computer starts up, tap the F8 key several times.

On the Boot menu Choose Safe Mode.

Click through all the prompts to get to the desktop.

At Desktop
My Computer C: drive. Double-click to open.

Look for a folder called SD Fix. Double-click to enter SD Fix.

Double-click RunThis.bat. Type Y to begin.

SD Fix does its job.

When prompted hit the enter key to restart the computer

Your computer will reboot.

On normal restart the Fixtool will run again and complete the removal process, then say Finished.
Hit the Enter key to end the script and load your desktop icons.

Once the desktop is up, the SDFix report will open on screen and also be saved to the SDFix folder as Report.txt.
Attach the Report.txt file to your next post.

And we have those file names you posted if they are still there.

Mike
 