Solved Tidserv virus - redirecting webpages

I downloaded a brand new GMER and I still can't get it to finish running ... it always has a problem and stops working, and then the Windows "this program has stopped working..." window pops up.

Liz
 
I downloaded gmer.exe from a different site to see if I could get it to finish ... still no go. But, this time I noticed that the status on the bottom (in case it makes a difference or tells you something)...

It was scanning:
\Device\HarddiskVolumeShadowCopy2

Like I said, that might mean nothing ... but it might also tell you why the program (gmer.exe) is failing.

Liz
 
I just got home, so I'll be slow with replying (tons of other topics).

If we're dealing with this new type of TDSS rootkit (and it looks like we are), we'll have to get GMER running. As of now, it's the only tool which actually detects this new type of TDSS.

Run rKill first.
When you start GMER, UN-check "Devices" in right pane and try to run it.

If still a problem, restart in Safe Mode and try from there.

From the OTL log I can see that the infection is still there.
Don't worry about Extras. It's not important at all at this moment.
 
Ok, ran rKill and then GMER without "Devices" checked ... got farther in the process, but I got the "blue screen of death" while it was searching files. So I booted back up in Safe Mode and re-ran GMER. It has run fine so far, still running for just about 12 hours at this point. Just giving a quick update in case you log in ... I will post the log as soon as it stops running, which I think will be soon.

Thanks,

Liz
 
Ok, after more than 12 hours (I have a lot of files) the gmer scan has finally finished ... Here is the log:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-14 11:44:28
Windows 6.0.6002 Service Pack 2
Running: gmer.exe; Driver: C:\Users\Liz\AppData\Local\Temp\pwloakow.sys


---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\Windows\system32\drivers\msahci.sys entry point in ".rsrc" section [0x807C9014]

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\svchost.exe[868] ntdll.dll!NtProtectVirtualMemory 77454D34 5 Bytes JMP 001E000A
.text C:\Windows\system32\svchost.exe[868] ntdll.dll!NtWriteVirtualMemory 77455674 5 Bytes JMP 001F000A
.text C:\Windows\system32\svchost.exe[868] ntdll.dll!KiUserExceptionDispatcher 77455DC8 5 Bytes JMP 001D000A
.text C:\Windows\Explorer.EXE[1176] ntdll.dll!NtProtectVirtualMemory 77454D34 5 Bytes JMP 007D000A
.text C:\Windows\Explorer.EXE[1176] ntdll.dll!NtWriteVirtualMemory 77455674 5 Bytes JMP 007E000A
.text C:\Windows\Explorer.EXE[1176] ntdll.dll!KiUserExceptionDispatcher 77455DC8 5 Bytes JMP 007C000A

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.EXE[1176] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [73EE7817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1176] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [73F3A86D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1176] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [73EEBB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1176] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [73EDF695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1176] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [73EE75E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1176] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [73EDE7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1176] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [73F18395] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1176] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [73EEDA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1176] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [73EDFFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1176] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [73EDFF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1176] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [73ED71CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1176] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [73F6CAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1176] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [73F0C8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1176] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [73EDD968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1176] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [73ED6853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1176] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [73ED687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1176] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [73EE2AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Files - GMER 1.0.15 ----

File C:\Windows\system32\drivers\msahci.sys suspicious modification

---- EOF - GMER 1.0.15 ----

Hopefully, that gave you the information you need and we can get my laptop back to functioning at 100% now :) --- thank you again for all the help you've given me.

Liz
 
Excellent!
I'm very glad to see the GMER log, and I'm sorry for all your 12+ hours of trouble :)

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Vista users: Right click on SystemLook.exe, click Run As Administrator
  • Copy the content of the following box into the main textfield:
    Code:
    :filefind
    msahci.sys
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
 
I don't mind the 12+ hour search ... I started it before I went to bed and I was just glad to see that it was still running/hadn't crashed when I woke up! :) It is well worth it as long as it showed where the problem was hiding and we can fix it now :)

Ok, here is the result of the systemlook scan:

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 20:47 on 14/04/2010 by Liz (Administrator - Elevation successful)

========== filefind ==========

Searching for "msahci.sys"
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_b12d8e84\msahci.sys --a--- 27112 bytes [12:09 15/12/2009] [06:32 11/04/2009] 5457DCFA7C0DA43522F4D9D4049C1472
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_c6c2e699\msahci.sys --a--- 23144 bytes [10:25 02/11/2006] [09:49 02/11/2006] 742AED7939E734C36B7E8D6228CE26B7
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_cc18792d\msahci.sys --a--- 28728 bytes [02:23 21/01/2008] [02:23 21/01/2008] 28023E86F17001F7CD9B15A5BC9AE07D
C:\Windows\System32\drivers\msahci.sys --a--- 27112 bytes [12:09 15/12/2009] [23:32 12/04/2010] 5457DCFA7C0DA43522F4D9D4049C1472
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.18000_none_dd38281a2189ce9c\msahci.sys --a--- 28728 bytes [02:23 21/01/2008] [02:23 21/01/2008] 28023E86F17001F7CD9B15A5BC9AE07D
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_df23a1261eab99e8\msahci.sys --a--- 27112 bytes [12:09 15/12/2009] [06:32 11/04/2009] 5457DCFA7C0DA43522F4D9D4049C1472

-=End Of File=-



Liz
 
Using OTM...

  • Please double-click OTM to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

Code:
:Processes

:Services

:Reg

:Files
C:\Windows\System32\drivers\msahci.sys|C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_cc18792d\msahci.sys /replace
      
:Commands
[purity]
[resethosts]
[emptytemp]
[Reboot]

  • Return to OTM, right click in the Paste Instructions for Items to be Moved window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM and reboot your PC.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Check for redirection and post fresh SystemLook log (same script as in my reply #81)
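
Before running a /replace like the one above, it is worth checking which backup copy actually matches the installed OS build. The following Python script is an added example (not part of the thread, and not OTM's or SystemLook's own code): it parses the SystemLook filefind output posted earlier, maps each MD5 to the Windows build whose WinSxS folder name carries it, and lists the DriverStore copies that match the build in the GMER header (6.0.6002). On this page's data that is the mshdc.inf_b12d8e84 copy; the mshdc.inf_cc18792d copy hashes identically to the 6.0.6001.18000 WinSxS file. It also flags that the live driver's last-write time (12/04/2010) is long after its creation time. The order of SystemLook's two timestamp columns (created, then last modified) is an assumption in this example.

```python
"""Cross-reference SystemLook ':filefind' output for a driver against the
running OS build before choosing a copy to restore.

Added example, not OTM's or SystemLook's code. SYSTEMLOOK is a constructed
excerpt of the log posted in this thread; OS_VERSION comes from the GMER
header ("Windows 6.0.6002 Service Pack 2"). Timestamp column order
(created, then modified) is assumed.
"""
import re
from datetime import datetime

SYSTEMLOOK = r"""
Searching for "msahci.sys"
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_b12d8e84\msahci.sys --a--- 27112 bytes [12:09 15/12/2009] [06:32 11/04/2009] 5457DCFA7C0DA43522F4D9D4049C1472
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_c6c2e699\msahci.sys --a--- 23144 bytes [10:25 02/11/2006] [09:49 02/11/2006] 742AED7939E734C36B7E8D6228CE26B7
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_cc18792d\msahci.sys --a--- 28728 bytes [02:23 21/01/2008] [02:23 21/01/2008] 28023E86F17001F7CD9B15A5BC9AE07D
C:\Windows\System32\drivers\msahci.sys --a--- 27112 bytes [12:09 15/12/2009] [23:32 12/04/2010] 5457DCFA7C0DA43522F4D9D4049C1472
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.18000_none_dd38281a2189ce9c\msahci.sys --a--- 28728 bytes [02:23 21/01/2008] [02:23 21/01/2008] 28023E86F17001F7CD9B15A5BC9AE07D
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_df23a1261eab99e8\msahci.sys --a--- 27112 bytes [12:09 15/12/2009] [06:32 11/04/2009] 5457DCFA7C0DA43522F4D9D4049C1472
"""
OS_VERSION = "6.0.6002"                               # from the GMER header
LIVE_DRIVER = r"C:\Windows\System32\drivers\msahci.sys"

# <path> <attrs> <size> bytes [<created>] [<modified>] <md5>
LINE_RE = re.compile(
    r'^(?P<path>.+?\.sys)\s+(?P<attr>\S+)\s+(?P<size>\d+) bytes\s+'
    r'\[(?P<created>[^\]]+)\]\s+\[(?P<modified>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})$')
# WinSxS encodes the component version in the folder name, e.g.
# x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_...
WINSXS_VER_RE = re.compile(r'\\winsxs\\[^\\]*_(\d+\.\d+\.\d+\.\d+)_', re.I)


def parse(text: str) -> list:
    """Parse filefind lines into dicts with typed size, timestamps and MD5."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["size"] = int(e["size"])
        e["md5"] = e["md5"].upper()
        for k in ("created", "modified"):
            e[k] = datetime.strptime(e[k], "%H:%M %d/%m/%Y")
        entries.append(e)
    return entries


def version_of_hash(entries: list) -> dict:
    """Map each MD5 to the build version of the WinSxS copy that carries it."""
    v = {}
    for e in entries:
        m = WINSXS_VER_RE.search(e["path"])
        if m:
            v[e["md5"]] = m.group(1)
    return v


def assess(entries: list, live_path: str, os_version: str) -> dict:
    """Compare the live driver with the backup copies and pick replacements
    whose hash belongs to the running OS build."""
    by_path = {e["path"].lower(): e for e in entries}
    live = by_path[live_path.lower()]
    versions = version_of_hash(entries)
    want = os_version + "."
    return {
        "live_md5": live["md5"],
        "live_version": versions.get(live["md5"]),
        "hash_matches_os_build": versions.get(live["md5"], "").startswith(want),
        # A system driver rewritten long after it was installed deserves a look.
        "modified_after_created": live["modified"] > live["created"],
        "replacement_candidates": sorted(
            e["path"] for e in entries
            if e is not live
            and "\\driverstore\\" in e["path"].lower()
            and versions.get(e["md5"], "").startswith(want)),
        "hash_versions": versions,
    }


if __name__ == "__main__":
    report = assess(parse(SYSTEMLOOK), LIVE_DRIVER, OS_VERSION)
    for k, v in report.items():
        print(f"{k}: {v}")
```

Note the limitation visible in the same data: the live driver's MD5 equals the clean 6002 copy, yet GMER reports the file as modified. That combination is exactly what a disk-level rootkit that filters reads of its own sectors produces, so a matching hash taken from inside the running OS is not a clean bill of health. The check that settles it is a hash of the file taken from offline media (the install DVD's recovery environment or another OS), which is also the safe place to do the copy.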
 
Ok, all done!

After OTM process and reboot, I had to boot to my Windows Vista Installation CD because of an issue with the msahci.sys file ... not a huge problem ....

I did a few searches, and so far everything seems to be working perfectly - and I think for good this time!! :)

I have attached the OTM log as well as the systemlook log. Hopefully, everything looks the way it should.

I cannot thank you enough!! I really appreciate your time and assistance with this.

Liz
 

Attachments:
  • SystemLook.txt (2.4 KB)
  • 04142010_213719.log (11 KB)
 
I'm glad to hear it :)
Actually, I'm relieved :)
I assume you too... hehehe

Let me go through our topic to see what final steps we need to perform.
 
Uninstall Combofix:
Go Start > Run [Vista users, go Start>"Start search"]
Type in:
Combofix /Uninstall
Note the space between the "Combofix" and the "/Uninstall"
Click OK (Vista users - press Enter).
Restart computer.

======================================================================

Please download OTC to your desktop. It'll remove most tools and logs we used so far. If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

  • Double-click OTC.exe to run it. (Vista and 7 users, please right click on OTC and select "Run as an Administrator")
  • Click on the CleanUp! button and follow the prompts.
  • You will be asked to reboot the machine to finish the Cleanup process, choose Yes. If it doesn't ask you to reboot, restart computer manually.
  • After the reboot all the tools we used should be gone.
  • The tool will delete itself once it finishes.

======================================================================

Please run a BitDefender Online Scan

  • Disable your antivirus program.
  • Click Start Scanner button.
  • Click Start scan button
  • Allow browser plug-in to be installed when prompted.
  • Click I Agree to agree to the EULA.
  • Please refrain from using the computer until the scan is finished.
  • When the scan is finished, click on View log.
  • Notepad will open with scan results.
  • Save the report to your desktop and post its content in your next reply.

Post fresh HijackThis log as well.
 
yes, I am relieved too! :)

I will run the clean up tasks tomorrow and post the hijackthis log in the morning.

Thank you again.

Liz
 
Ok ... very good news ... STILL no redirects!! Yay!!! :grinthumb

HijackThis and BitDefender logs attached. BitDefender found 4 things, but I reinstalled my Norton last night, so maybe a full scan with Norton will get rid of them. But, again, I'm back to functioning normally and I can search without getting redirects ... if there were a "dancing" smilie I'd use it right now :)

Thank you again!!

Liz
 

Attachments:
  • hijackthis.log (13.9 KB)
  • Report 2010-04-15 09.31.26.txt (61.4 KB)
 
Very good, very good :)

Don't bother with Norton and those files.
We can easily remove them, but I suspect they may be false positives.

Open Windows Explorer. Go Tools>Folder Options>View tab, and put a checkmark next to Show hidden files and folders.
Upload following files to http://www.virustotal.com/ for security check:

C:\program files\adobe\acrobat 8.0\designer 8.0\en\samples\subformset\outputs\subformset1dataa12731.exe
C:\program files\common files\microsoft shared\ink\sr-latn-cs\tipresxtipresx.exe
C:\Program Files\Java\jre6\bin\new_plugin\ToolkitJavaTM.exe
C:\program files\common files\adobe\color\settings\extrasettings\generaleurope3229.exe

IMPORTANT! If the file is listed as already analyzed, click on Reanalyse file now button.
Post scan results.
If the result says 0/42, you don't have to post logs.
 
Totally awesome! A long trip and a lot of work well done! My congrats to you both.:grinthumb
 
ok, not sure what it means but this is the only response I keep getting from virustool.com ....

Exception

Please report failure as: ErrorTime= "Apr 16 03:30:31"

Not a huge problem .... maybe I'll try in the morning?

Liz
 
Ok, attached is a "log" made of the scan results ...

it did find something for each one ...

but, none of them seem to be affecting the computer right now ... the biggest issue being the redirects has been resolved .... :)

Liz
 

Attachments:
  • online-scan.txt (2.9 KB)
 
Quote: "the biggest issue being the redirects has been resolved"
I know, I know, but we have to make sure no leftovers are lurking behind the scenes.

Judging from your latest scan, we'd better remove those files.

Please download OTM

  • Save it to your desktop.
  • Please double-click OTM to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

Code:
:Processes

:Services

:Reg

:Files
C:\program files\adobe\acrobat 8.0\designer 8.0\en\samples\subformset\outputs\subformset1dataa12731.exe
C:\program files\common files\microsoft shared\ink\sr-latn-cs\tipresxtipresx.exe
C:\Program Files\Java\jre6\bin\new_plugin\ToolkitJavaTM.exe
C:\program files\common files\adobe\color\settings\extrasettings\generaleurope3229.exe
      
:Commands
[purity]
[resethosts]
[emptytemp]
[Reboot]

  • Return to OTM, right click in the Paste Instructions for Items to be Moved window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM and reboot your PC.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
 
sorry, that came out wrong ... I didn't mean I wanted to leave the possible problems, simply meant that they aren't as much of a priority/issue so if you had other people to help, whose issues are more serious than the final "tweaks" on my computer ... I would understand ... probably still not explaining it well ...

anyway, I ran OTM again and here is the log ... I'm going to run the BitDefender scan again, since that is the one that found them, to make sure they are gone ...

All processes killed
========== PROCESSES ==========
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
C:\program files\adobe\acrobat 8.0\designer 8.0\en\samples\subformset\outputs\SubformSet1DataA12731.exe moved successfully.
C:\program files\common files\microsoft shared\ink\sr-latn-cs\tipresxtipresx.exe moved successfully.
C:\Program Files\Java\jre6\bin\new_plugin\ToolkitJavaTM.exe moved successfully.
C:\program files\common files\adobe\color\settings\extrasettings\GeneralEurope3229.exe moved successfully.
========== COMMANDS ==========
C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Liz
->Temp folder emptied: 11578754 bytes
->Temporary Internet Files folder emptied: 13902250 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 36684257 bytes
->Apple Safari cache emptied: 0 bytes
->Flash cache emptied: 1935 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 784848 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 711702 bytes
%systemroot%\system32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 0 bytes
RecycleBin emptied: 11873339 bytes

Total Files Cleaned = 72.00 mb


OTM by OldTimer - Version 3.1.10.1 log created on 04152010_224535

Files moved on Reboot...
File move failed. C:\Windows\temp\WebEx\Log\415\atashost.log scheduled to be moved on reboot.
C:\Windows\temp\00000BO90004.CDX moved successfully.
C:\Windows\temp\00000BO90005.CDX moved successfully.
C:\Windows\temp\00000BO90006.CDX moved successfully.

Registry entries deleted on Reboot...


Liz
 
Very good :)

Please download OTC to your desktop. It'll remove most tools and logs we used so far. If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

  • Double-click OTC.exe to run it. (Vista and 7 users, please right click on OTC and select "Run as an Administrator")
  • Click on the CleanUp! button and follow the prompts.
  • You will be asked to reboot the machine to finish the Cleanup process, choose Yes. If it doesn't ask you to reboot, restart computer manually.
  • After the reboot all the tools we used should be gone.
  • The tool will delete itself once it finishes.


Please give me a fresh HJT log.
 