TechSpot

Infection With Possibly Backdoor Virus

By manupatel
Feb 11, 2009
  1. Dear Virus Expert, 11 February 09

    Here is what has happened to my desk top computer. I am presently using my laptop to communicate here.

    My son downloaded a video file (format .wmv) for the Windows Media Player. When he tried to play it on Win Media Player, it asked him for a Codec download. He clicked "Yes" to the download, there was a quick Norton warning about a Backdoor.---- (he cannot remember the extension as the message was gone immediately) and it asked him to restart the computer immediately. On restarting, the Norton icon on the desktop had disappeared and the computer became unresponsive. System Restore has been turned off by the virus and there are no system restore points. Now we cannot connect to the internet as the Windows XP does not work. We have a partitioned drive on which we also have Windows Vista, and this works fine. On scanning with an old Symantec program using Windows Vista, nothing turned up. We have Norton Internet Security 2009 (3 licenses) but this does not work on the XP and we cannot install it on the Vista as we have used up all the licenses. Our desktop has an external book drive but that is also not accessible as the XP is unresponsive. On clicking Norton from All Programs it appears and disappears in a flash. It seems that the virus has total control over the XP and Norton.

    Can any kindly soul please help us to restore our desktop computer back to health? Any help or guidance will be greatly appreciated.

    Thanks and regards

    manupatel
     
  2. mflynn

    mflynn TS Rookie Posts: 2,655

    Hello manupatel

    So as I understand it you have a dual boot and when in Vista you have access to the XP drive but can not boot from it, correct?

    Have you tried to boot it into Safe Mode by hitting F8 before windows starts?

    If not try that now only try Safe Mode do nothing else!

    Mike
     
  3. manupatel

    manupatel TS Rookie Topic Starter Posts: 22

    Safe Mode

    Hi Mike, 11 February 2009

    Thank you very much for your very fast reply to my problem.

    Yes the desktop does boot from the Vista, however, it is on a different drive. We partitioned our C drive and now it resides on the J drive. I can boot my XP in Safe Mode but do not know how to get rid of the virus. Can you post some instructions on what I should look for and how I can remove the malicious files?

    Thanks and regards

    manu
     
  4. mflynn

    mflynn TS Rookie Posts: 2,655

    Yes I can, but you need to reboot it again and this time choose XP Safe Mode with Networking.

    Safe mode with networking should allow Internet access, then connect back here and do the below.

    Boot to Safe Mode networking and do all below.

    Left Drag mouse and Copy for Pasting all text in the box below. Make sure the slider bar goes to bottom from the @ to the end of the second exit.

    Then paste to the black screen of an open command prompt. All may not apply so ignore errors.
    Code:
    @echo off
    cd\
    :: Fix associations
    ftype exefile="%1" %*
    ftype batfile="%1" %*
    ftype cmdfile="%1" %*
    ftype comfile="%1" %*
    ftype scrfile="%1" /S
    ftype regfile="regedit.exe" "%1"
    ftype piffile="%1" %*
    ftype inffile=%SystemRoot%\System32\NOTEPAD.EXE "%1"
    ftype vbsfile=%SystemRoot%\System32\WScript.exe "%1" %*
    ftype jsfile=%SystemRoot%\System32\WScript.exe "%1" %*
    
    assoc .exe=exefile
    assoc .bat=batfile
    assoc .cmd=cmdfile
    assoc .com=comfile
    assoc .scr=scrfile
    assoc .reg=regfile
    assoc .pif=piffile
    assoc .lnk=lnkfile
    assoc .inf=inffile
    assoc .vbs=VBSFile
    assoc .js=JSFile
    
    sc stop TDSSserv.sys
    sc delete TDSSserv.sys
    :: Above sc commands first stops then deletes service if it exists
    ::
    reg unload "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata"
    reg unload "HKEY_LOCAL_MACHINE\SOFTWARE\tdss"
    ::
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata" /f
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\tdss" /f
    ::The above reg commands first unloads the reg keys then deletes these keys.
    ::
    Attrib -h -s -r tdss*.* /s
    del  tdss*.* /f /q /s
    :: The above two lines first clears protective attributes then 
    :: deletes all files on Drive beginning with the name tdss
    
    :: Remove AntiVirus2009
    attrib -h -s -r "%UserProfile%\Desktop\Antivirus 2009.lnk"
    attrib -h -s -r "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus 2009.lnk"
    attrib -h -s -r "%UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\S96PZM7V\winsrc[1].dll"
    attrib -h -s -r "%UserProfile%\Start Menu\Antivirus 2009\*.*"
    
    del "%UserProfile%\Desktop\Antivirus 2009.lnk" /f /q
    del "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus 2009.lnk" /f /q
    del "%UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\S96PZM7V\winsrc[1].dll" /f /q
    del "%UserProfile%\Start Menu\Antivirus 2009\*.*" /f /q
    
    rd /s /q "%UserProfile%\Start Menu\Antivirus 2009"
    
    attrib -h -s -r "c:\Program Files\Antivirus 2009\*.*"
    rd /s/q "c:\Program Files\Antivirus 2009"
    
    attrib -h -s -r c:\WINDOWS\system32\ieupdates.exe
    attrib -h -s -r c:\WINDOWS\system32\scui.cpl
    attrib -h -s -r c:\WINDOWS\system32\winsrc.dll
    
    del c:\WINDOWS\system32\ieupdates.exe /f /q
    del c:\WINDOWS\system32\scui.cpl /f /q
    del c:\WINDOWS\system32\winsrc.dll /f /q
    
    attrib -h -s -r "c:\program files\xwdxqu.txt"
    attrib -h -s -r c:\windows\x
    attrib -h -s -r c:\windows\SxsCaPendDel
    
    del "c:\program files\xwdxqu.txt" /f /q
    del c:\windows\x  /f /q
    del c:\windows\SxsCaPendDel  /f /q
    
    reg delete HKLM\SOFTWARE\swearware /f
    reg delete HKCU\Software\Wget /f
    reg delete HKLM\Software\Classes\CLSID\{CD363BEC-7150-B887-530D-F3E2E0424EA} /f
    
    :: rootkit gaopdxserv
    attrib -h -s -r "c:\windows\system32\drivers\gaopdxqfotrruc.sys"
    attrib -h -s -r "c:\windows\system32\gaopdxqpqjwmyc.dll"
    attrib -h -s -r "c:\windows\system32\drivers\gaopdxuigiphwm.sys"
    
    :: Service name matches the Services key deleted below (gaopdxserv.sys)
    sc stop gaopdxserv.sys
    sc delete gaopdxserv.sys
    
    del  /f /q "c:\windows\system32\drivers\gaopdxqfotrruc.sys"
    del  /f /q  "c:\windows\system32\gaopdxqpqjwmyc.dll"
    del  /f /q  "c:\windows\system32\drivers\gaopdxuigiphwm.sys"
    
    reg delete "HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gaopdxserv.sys" /f
    reg delete "HKEY_LOCAL_MACHINE\Software\Classes\gaopdxvx" /f
    
    reg delete "HKEY_CURRENT_USER\Software\75319611769193918898704537500611" /f
    reg delete "HKEY_CLASSES_ROOT\CLSID\{037C7B8A-151A-49E6-BAED-CC05FCB50328}" /f
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{037C7B8A-151A-49E6-BAED-CC05FCB50328}" /f
    reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" "75319611769193918898704537500611" /f
    reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" "ieupdate" /f
    echo Finished ripping out Antivirus 2008-9
    :: Fix associations
    ftype exefile="%1" %*
    ftype batfile="%1" %*
    ftype cmdfile="%1" %*
    ftype comfile="%1" %*
    ftype scrfile="%1" /S
    ftype regfile="regedit.exe" "%1"
    ftype piffile="%1" %*
    ftype inffile=%SystemRoot%\System32\NOTEPAD.EXE "%1"
    ftype vbsfile=%SystemRoot%\System32\WScript.exe "%1" %*
    ftype jsfile=%SystemRoot%\System32\WScript.exe "%1" %*
    
    assoc .exe=exefile
    assoc .bat=batfile
    assoc .cmd=cmdfile
    assoc .com=comfile
    assoc .scr=scrfile
    assoc .reg=regfile
    assoc .pif=piffile
    assoc .lnk=lnkfile
    assoc .inf=inffile
    assoc .vbs=VBSFile
    assoc .js=JSFile
    exit
    exit
    This should run and exit!

    It is a coverall and you may see a few errors related to it addressing something you do not need. This is normal, ignore it.

    Then..

    Download ComboFix

    NOTE: If your copy of ComboFix is more than a few days old, delete it and re-download.

    Get it here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
    Or here: http://subs.geekstogo.com/ComboFix.exe

    Double click combofix.exe follow the prompts.

    Install Recovery Console if connected to the Internet!

    When finished, it will open a log.
    Attach the log.

    Note: Do not click ComboFix's window while it's running. That may cause it to stall.

    After attaching logs do the TechSpot 8 steps: http://www.techspot.com/vb/topic58138.html

    Mike
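    The following is an added, read-only audit (my example, not Mike's script and not part of the original thread) that checks whether the indicators the batch above targets are actually present before anything is deleted. It assumes PowerShell is available on the XP install and is run from an elevated prompt; the gaopdx*/TDSSserv name patterns, the tdss/swearware registry keys and the ieupdate Run entry are taken from the batch above.

```powershell
# Added example (not from the thread): report-only audit for the indicators
# the removal batch deletes. It changes nothing. Run from an elevated prompt.
$findings = @()

# 1. .exe association hijack: the exefile open command should be "%1" %*
$exeKey = 'HKLM:\SOFTWARE\Classes\exefile\shell\open\command'
$exeCmd = (Get-ItemProperty $exeKey -ErrorAction SilentlyContinue).'(default)'
if ($exeCmd -ne '"%1" %*') { $findings += "exefile open command is: $exeCmd" }

# 2. Service keys named like the two families the batch removes (gaopdx*, TDSSserv)
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' |
  Where-Object { $_.PSChildName -like 'gaopdx*' -or $_.PSChildName -like 'TDSSserv*' } |
  ForEach-Object { $findings += "service key: $($_.PSChildName)" }

# 3. Driver / DLL files with the gaopdx or tdss prefixes (-Force shows hidden/system files)
$sys32 = "$env:SystemRoot\System32"
Get-ChildItem "$sys32\drivers\gaopdx*.sys", "$sys32\gaopdx*.dll", "$sys32\tdss*.*" `
  -Force -ErrorAction SilentlyContinue |
  ForEach-Object { $findings += "file: $($_.FullName)" }

# 4. Registry keys the batch unloads and deletes
foreach ($k in 'HKLM:\SOFTWARE\tdss',
               'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata',
               'HKLM:\SOFTWARE\swearware') {
  if (Test-Path $k) { $findings += "registry key: $k" }
}

# 5. Per-user Run entry used by the Antivirus 2009 rogue
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['ieupdate']) {
  $findings += "HKCU Run entry: ieupdate = $($run.ieupdate)"
}

if ($findings.Count -eq 0) {
  'No indicators visible from inside this Windows install.'
  'A rootkit can hide its own files and keys; confirm from the other OS or an offline scan.'
} else {
  $findings | ForEach-Object { "FOUND  $_" }
}
```

    A clean result from inside the infected XP is not conclusive, since the thread's later ComboFix run reported rootkit activity that the user-mode scans had missed; the Vista partition mentioned in the first post is the safer place to scan from.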
     
  5. manupatel

    manupatel TS Rookie Topic Starter Posts: 22

    Safe Mode

    Hi Mike, 11 Feb 09

    I went into Safe Mode and ran Norton Internet Security. It just scanned 3897 files and did not find any problems. I am now going to restart and follow your instructions.

    Just to make sure, is it safe to connect as Norton does not seem to be working?

    Thanks and regards

    manu
     
  6. mflynn

    mflynn TS Rookie Posts: 2,655

    It will have to be!

    Just do the steps.

    Now this is Safe Mode of XP, correct?

    Mike
     
  7. manupatel

    manupatel TS Rookie Topic Starter Posts: 22

    Safe Mode

    Hi Mike

    Thanks again for helping out. Yes this is the safe mode of XP.

    I am sending you the stuff you have asked for as soon as my son comes home. He is more techie than I am and he will probably be better able to do all the stuff you have just instructed me to do.

    We will be sending everything as instructed by you.

    Thanks and regards

    manu
     
  8. manupatel

    manupatel TS Rookie Topic Starter Posts: 22

    Hi Mike, 11 Feb 09

    I have started the computer in safe mode with networking.

    I cannot see any command prompt and secondly, how do I paste your software? From all programs, what do I click?

    Thanks and regards

    manu
     
  9. mflynn

    mflynn TS Rookie Posts: 2,655

    Well you need to be connected and logged in here to see the box.

    To get a command prompt do this:

    Start-Run
    type
    cmd
    click ok or hit enter.

    Copy the box, then left click once inside the black screen, then rt click and paste.

    Mike
     
  10. manupatel

    manupatel TS Rookie Topic Starter Posts: 22

    manu

    Hi Mike, 11/02/09

    thanks. will do.

    In the meanwhile, while waiting for your reply, I ran Registry Mechanic and got the following results, if this helps:

    Hkey Local Machine\software\microsoft\windows\currentversion - value is invalid and it says high priority.

    HKEY Local Machine\software\microsoft\windows\currentversion value is invalid and it says the same message for both medium priority, i.e. 2 messages with medium priority.

    I have clicked repair. Hope it is ok.

    Thanks and regards

    manu
     
  11. mflynn

    mflynn TS Rookie Posts: 2,655

    Yes I guess but don't do any more until we are finished with steps!

    Mike
     
  12. manupatel

    manupatel TS Rookie Topic Starter Posts: 22

    Hi Mike,

    We ran your software and saw lots of files being deleted. It has now exited and we are on the desktop. Now how do I send you the results?
     
  13. manupatel

    manupatel TS Rookie Topic Starter Posts: 22

    ComboFix ran and downloaded something, and now it found "presence of rootkit activity" and needs to reboot. We wrote down the two files.
     
  14. mflynn

    mflynn TS Rookie Posts: 2,655

    OK good so let it reboot after attaching the logs.

    Type the file names into the post.

    To attach the logs look to the left panel bottom while logged on. Attachments.

    Mike
     
  15. manupatel

    manupatel TS Rookie Topic Starter Posts: 22

    file names:

    C:\windows\system32\drivers\gaopdxqxdorgom.sys

    C:\windows\system32\gaopdxylyprumu.dll
     
  16. manupatel

    manupatel TS Rookie Topic Starter Posts: 22

    we have a .txt file, do you want us to attach that or copy and paste
     
  17. mflynn

    mflynn TS Rookie Posts: 2,655

    Attach!

    Mike
     
  18. manupatel

    manupatel TS Rookie Topic Starter Posts: 22

    Hi Mike,

    We have finished all the steps. We restarted in normal mode. The Norton logo came back in the bottom right hand corner. We tried other programmes and they open as well. It seems to be fixed. Thanks a lot. We really appreciate your help.
    Thanks and regards
     
  19. manupatel

    manupatel TS Rookie Topic Starter Posts: 22

    I'm still a bit confused on how to attach the file?
     
  20. manupatel

    manupatel TS Rookie Topic Starter Posts: 22

    ok never mind we found it.
     
  21. manupatel

    manupatel TS Rookie Topic Starter Posts: 22

    Ok Mike, thanks again for your help. I'm a bit of a computer noob and you saved me £40. I'm gonna go eat dinner now, very hungry.

    Thanks
     
  22. mflynn

    mflynn TS Rookie Posts: 2,655

    OK when you have the edit screen open, click the "Go Advanced" button below the screen, then look at the header beside the Smiley face for the paperclip then browse to the location of the file to send.

    Mike
     
  23. manupatel

    manupatel TS Rookie Topic Starter Posts: 22

    Yeh I sent it. It's on the previous page
     
  24. manupatel

    manupatel TS Rookie Topic Starter Posts: 22

    Are we finished or do you want me to do anything else?
     
  25. mflynn

    mflynn TS Rookie Posts: 2,655

    More than 40!

    Just because it seems to be OK don't stop now. let me be sure for you!

    But Combofix was loaded so now we run it again to confirm clean! Post new log!

    Then do this and post log!

    Download SDFix to Desktop.

    http://www.bleepingcomputer.com/resources/link252.html

    On Desktop run SDFix. It will run (install) then close.

    Then reboot into Safe Mode

    As the computer starts up, tap the F8 key several times.

    On the Boot menu Choose Safe Mode.

    Click through all the prompts to get to desktop.

    At Desktop
    My Computer C: drive. Double-click to open.

    Look for a folder called SD Fix. Double-click to enter SD Fix.

    Double-click RunThis.bat. Type Y to begin.

    SD Fix does its job.

    When prompted hit the enter key to restart the computer

    Your computer will reboot.

    On normal restart the Fixtool will run again and complete the removal process, then say Finished.
    Hit the Enter key to end the script and load your desktop icons.

    Once the desktop is up, the SDFix report will open on screen and also be saved to the SDFix folder as Report.txt.
    Attach the Report.txt file to your next post.

    And we have those file names you posted if they are still there.

    Mike
     
Topic Status:
Not open for further replies.
