Solved Safe to backup data files after a Backdoor.Tidserv.l!inf attack?


Sincity

Hi,

I have just been hit with the Backfoor.Tidserv.linf and am in the process of reading how to remove it. From what I have read, even after a disinfection, the backdoor may still be there. If the PC has been disinfected, is it safe to move my data (MP3s, Word, Excel, Outlook .pst files) to a portable hard drive? Is it safe to move the files before disinfection?

Because of the backdoor vulnerability, I plan on reformatting the drive and reinstalling everything.

Thanks for your help.
 
Is it safe to move the files before disinfection?
The purpose of moving the files would be to put them back on the system when you reformat. If any of the files you move are infected and you put them back on the system after the reformat, you will reinfect the system again.

So is it safe? No.

Why don't you let me take a look at what's going on?

Please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

When you have finished, leave the logs for review in your next reply.

Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
 
Bobbye,

Thank you for your assistance in my desperate time of need. Let me give you some background info prior to me starting this thread. I do not remember the exact events from yesterday, but while I was online, the computer suddenly restarted and when XP was loaded, Norton advised me that the PC was infected with Backdoor.Tidserv.l!inf. I followed Symantec's instructions and disabled Restore (still disabled). I also ran TDSSKILLER along with installing AVG free. I did a complete scan in Safe Mode using both Norton and AVG (of course not at the same time). Currently, AVG is deactivated and running Norton.

Here are my logs as requested. Thank you VERY much for your time and attention.
 
To do first:
1. If you intend to keep Norton as your security, you need to uninstall AVG. Multiple antivirus programs actually make the system more vulnerable. It is still loading and running. Please run this AVG Removal: Note: You may have to reinstall AVG to uninstall it fully
Reboot the computer when through

2. Remove both of these Domains from the Trusted Zone. The security is lower for this zone and having Domains in it is a vulnerability. Nothing needs to be in the Trusted zone: Open Internet Options in the Control Panel or Tools in IE:
  • Click on the Security tab
  • Click on Trusted Sites, then Sites
  • Highlight each of the following> Click on Remove:
    [o] aol.com\free
    [o] turbotax.com
  • Click on OK> Apply> OK
3. Removing old Java and update to current version: Please download JavaRa and unzip it to your desktop.
(Note: screenshot shows earlier version, but is the same for current version)
ik339o3azvuizvkekyns.gif

  • Please close any instances of Internet Explorer before continuing!
  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location.
Then download and install Java Runtime Environment (JRE) 6 Update 21: Java Updates
About the Norton Alert: Norton does not distinguish location of the file when giving the alert. It is possible that it was in a restore point, in the Recycler or in a quarantined folder from another security program, but not active in the system. Unfortunately Norton instructs the user to do things like turn off system restore, which we don't do until the end of cleaning.

Did you save the log from TDSSKiller? If so, I'd like to see it. (Don't run it again- just leave log if you have it.)
=====================================
Please reboot the computer after all of the above has been handled: Download ComboFix from Here and save to your Desktop.

  • [1]. Do NOT rename Combofix unless instructed.
    [2].Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3].Close any open browsers.
    [4]. Double click combofix.exe & follow the prompts to run.
  • NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
    [5]. If Combofix asks you to install Recovery Console, please allow it.
    [6]. If Combofix asks you to update the program, always allow.
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    [7]. A report will be generated after the scan. Please post the C:\ComboFix.txt in next reply.
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Note: Make sure you re-enable your security programs, when you're done with Combofix..
=============================
Run Eset NOD32 Online AntiVirus scan HERE: http://www.eset.eu/online-scanner
  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the Active X control to install
  4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  5. Click Start
  6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  7. Click Scan
  8. Wait for the scan to finish
  9. Re-enable your Antivirus software.
  10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
 
Good evening Bobbye,

Here are the logs. When I ran JavaRa, it stopped because of an error. When I re-ran it, it apparently was finished and the log was created. Also, I wasn't able to remove AVG from the link you provided. I uninstalled it using its own uninstaller.

When I was looking for my XP disc, I found that I made an image of the system when it was freshly installed. Should I still reformat the drives or can I just load the image?

Thanks!
 
I am not convinced you had this rootkit at all! Can you copy the information from the Norton log?

Don't do any reformatting/reinstalling/backing up until I complete my search. What I have seen so far does not indicate this rootkit.

Edit for spelling correction pointed out by member.
 
How do I "coy" you the log? I forgot to tell you that over a week ago, Norton caught and quarantined a Trojan.gen called pdfupd.exe. If I didn't catch the backdoor, then why did Norton report it? What did I catch that caused the computer to reboot suddenly and then Norton reporting the Backdoor.Tidserv.l!inf when XP was reloaded? Thanks for your diligence!

BTW-What is this (portion of TDSSKiller log):

2010/08/18 19:57:30.0343 Detected object count: 1
2010/08/18 19:58:12.0359 sfsync03 (6f43d70ac466b07cf58ad9a96d6e75cc) C:\WINDOWS\system32\drivers\sfsync03.sys
2010/08/18 19:58:12.0390 Suspicious file (NoAccess): C:\WINDOWS\system32\drivers\sfsync03.sys. md5: 6f43d70ac466b07cf58ad9a96d6e75cc
2010/08/18 19:58:13.0296 Backup copy not found, trying to cure infected file..
2010/08/18 19:58:13.0296 Cure success, using it..
2010/08/18 19:58:13.0406 C:\WINDOWS\system32\drivers\sfsync03.sys - will be cured after reboot
2010/08/18 19:58:13.0406 Rootkit.Win32.TDSS.tdl3(sfsync03) - User select action: Cure
2010/08/18 19:58:26.0796 Deinitialize success
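As an added example (not part of the thread, and not TDSSKiller's own code), here is a small Python parser for the log excerpt pasted above. It pulls out the flagged file, its md5, the reason it was flagged, the verdict name and the action the user chose, and then attaches the reviewer notes that the rest of the thread arrives at: a NoAccess flag by itself is not proof of infection, and a "Cure" with no backup copy cannot be undone by the tool. The sample lines are the ones quoted in the post with backslashes doubled for Python; the "Backup copy not found" handling covers only the wording shown there.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the TDSSKiller excerpt quoted in the post above.
SAMPLE_LOG = """\
2010/08/18 19:57:30.0343 Detected object count: 1
2010/08/18 19:58:12.0359 sfsync03 (6f43d70ac466b07cf58ad9a96d6e75cc) C:\\WINDOWS\\system32\\drivers\\sfsync03.sys
2010/08/18 19:58:12.0390 Suspicious file (NoAccess): C:\\WINDOWS\\system32\\drivers\\sfsync03.sys. md5: 6f43d70ac466b07cf58ad9a96d6e75cc
2010/08/18 19:58:13.0296 Backup copy not found, trying to cure infected file..
2010/08/18 19:58:13.0296 Cure success, using it..
2010/08/18 19:58:13.0406 C:\\WINDOWS\\system32\\drivers\\sfsync03.sys - will be cured after reboot
2010/08/18 19:58:13.0406 Rootkit.Win32.TDSS.tdl3(sfsync03) - User select action: Cure
2010/08/18 19:58:26.0796 Deinitialize success
"""

# Every line starts with "YYYY/MM/DD HH:MM:SS.mmmm " followed by the message.
TS_RE = re.compile(r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4} (?P<msg>.*)$")
COUNT_RE = re.compile(r"^Detected object count: (?P<n>\d+)$")
SUSPICIOUS_RE = re.compile(
    r"^Suspicious file \((?P<reason>[^)]+)\): (?P<path>.+?)\. md5: (?P<md5>[0-9a-f]{32})$")
ACTION_RE = re.compile(
    r"^(?P<detection>[^()\s]+)\((?P<driver>[^)]+)\) - User select action: (?P<action>\w+)$")


@dataclass
class Finding:
    path: str
    md5: str
    reason: str                          # why the file was flagged, e.g. NoAccess
    detection: Optional[str] = None      # verdict name, e.g. Rootkit.Win32.TDSS.tdl3
    driver: Optional[str] = None         # service/driver name, e.g. sfsync03
    action: Optional[str] = None         # what the user chose: Cure, Skip, ...
    backup_found: Optional[bool] = None  # None = the log never said


def parse_tdsskiller_log(text: str) -> List[Finding]:
    """One Finding per 'Suspicious file' block, with the backup and
    action lines that follow it attached to that block."""
    findings: List[Finding] = []
    current: Optional[Finding] = None
    for raw in text.splitlines():
        m = TS_RE.match(raw)
        if not m:
            continue                     # not a TDSSKiller line; ignore it
        msg = m.group("msg")
        s = SUSPICIOUS_RE.match(msg)
        if s:
            current = Finding(path=s.group("path"), md5=s.group("md5"), reason=s.group("reason"))
            findings.append(current)
            continue
        if current is None:
            continue                     # driver inventory lines before any finding
        if msg.startswith("Backup copy not found"):
            current.backup_found = False
        a = ACTION_RE.match(msg)
        if a:
            current.detection = a.group("detection")
            current.driver = a.group("driver")
            current.action = a.group("action")
    return findings


def declared_count(text: str) -> Optional[int]:
    """The count TDSSKiller itself reports; compare it with the parsed findings."""
    for raw in text.splitlines():
        m = TS_RE.match(raw)
        c = COUNT_RE.match(m.group("msg")) if m else None
        if c:
            return int(c.group("n"))
    return None


def triage(f: Finding) -> List[str]:
    """Reviewer notes in the spirit of the thread: what deserves a second
    look before the verdict is trusted or a reinstall is started."""
    notes = []
    if f.reason == "NoAccess":
        notes.append("flagged because the driver refused read access; copy-protection and "
                     "CD-emulation drivers do this too, so it is not proof of infection")
    if f.action == "Cure" and f.backup_found is False:
        notes.append("cured with no backup copy: the tool cannot restore the original driver")
    if f.detection and f.detection.startswith("Rootkit."):
        notes.append("carries a rootkit family name: confirm the md5 with the vendor that "
                     "installed the driver before treating the file as malicious")
    return notes


if __name__ == "__main__":
    print("declared:", declared_count(SAMPLE_LOG))
    for f in parse_tdsskiller_log(SAMPLE_LOG):
        print(f.driver, f.detection, f.action, f.md5)
        for note in triage(f):
            print("  -", note)
```

Keeping the declared count separate from the parsed findings is deliberate: if the two disagree, the log has lines the parser does not understand, which is exactly the case where a human should read the raw log rather than the summary.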
 
I have corrected my speeling. Unfirtunately, 'coy' is also a wurd so the spell chk missed ot.

Now that we have that cleared up: The TDSSKiller log found this to be suspicious:
C:\WINDOWS\system32\drivers\sfsync03.sys
The TDSSKiller could not find a 'backup' file. But somehow managed to 'cure' it because you asked it to: User select action: Cure
An update caused many people to complain about Norton blocking sites: Note the risk name.


By the way, this must be some new kind of malware: Backfoor.Tidserv.linf
Quid pro quo.:eek:
=======================================
Please run this Custom CFScript

  • [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open notepad and copy/paste the text in the code below into it:
Code:
KillAll::
File::
Folder::
c:\program files\AVG
c:\documents and settings\All Users\Application Data\avg9
c:\documents and settings\All Users\Application Data\TEMP

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=-
Driver::
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
====================
Please run HijackThis when through. After I check that, I'll have you remove the cleaning tools.

Download the HijackThis Installer HERE and save to the desktop:
  1. Double-click on HJTInstall.exe to run the program.
  2. By default it will install to C:\Program Files\Trend Micro\HijackThis.
  3. Accept the license agreement by clicking the "I Accept" button.
  4. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
  5. Click "Save log" to save the log file and then the log will open in notepad.
  6. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  7. Come back here to this thread and paste (Ctrl+V) the log in your next reply.

NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
 
I am glad we could LOL!

I just realized before posting this thread, I did run HiJack This (didn't make any changes). Instead of pasting the entire log from the scan I just ran tonight, I have included both logs by date. Not sure how to COPY the Norton log for you. ;)

Also, here is a screen capture of the Norton back door warning that prompted this hysteria. :eek: Is sfsync03.sys the Starforce protection that was used on certain Ubisoft games from several years ago? http://www.google.com/search?hl=en&rls=com.microsoft%3Aen-us%3AIE-SearchBox&rlz=1I7SUNA_en&q=ubisoft+starforce+sfsync03.sys&aq=f&aqi=&aql=&oq=&gs_rfai=

Does this mean anything (too technical for me) to you: http://www.onlinesecurity-on.com/protect.phtml?c=55

Attachment: Norton1.gif (34.5 KB)
 
Okay, we're getting bogged down in technicalities so let me tell you where I'm coming from.

StarForce is a software copy protection mechanism developed by Protection Technology. It is a CD Emulator. The Emulators use "rootkit-like" techniques to hide from other apps. When there is malware infection-or a suspected infection- this technique can interfere with anti-rootkit tools. This can result in inaccurate scan results, including falsely detecting a legitimate file as malware. It can also cause unexplained crashes, BSODs and a problem differentiating between genuine malicious rootkits and the legitimate drivers used by CD Emulators. (Background courtesy Bleeping Computer)

The site reference you left- which I had seen when I was gathering my information on StarForce- is explaining this: that CD Emulators use a hidden driver which can be seen as a rootkit. When there is any doubt, we have the CD Emulator disabled while cleaning, and some sites have it done before cleaning begins using a special program named DeFogger.
=====================================
Please reopen HijackThis to 'do system scan only.' Check each of the following if present. Don't click on Fix Checked until all of the entries have been checked:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (file missing)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)


When you get to the O18 entries, begin with this first entry below and check ALL of the other O18 Logitech Desktop Messenger entries:
O18 - Protocol: bw+0 - {6F4EF656-7C6D-449E-9064-2EA550CD810E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
------------------------------------through----------------------------------------------------
O18 - Protocol: offline-8876480 - {6F4EF656-7C6D-449E-9064-2EA550CD810E} - C:\Program Files\Logitech\DesktopMessenger\8876480\Program\BWPlugProtocol-8876480.dll


When finished checking all entries, close all Windows except for HijackThis and click on "Fix Checked."

Go to the Control Panel> Add/Remove Programs> Uninstall the Logitech Desktop Manager.
This is an auto-updater that does not need to run. If you still use the program, reinstall it but do not check the auto-update section.

As for the question:
Is sfsync03.sys the Starforce protection that was used on certain Ubisoft games from several years ago?
Possibly. I can have you remove this driver if you no longer use it by including it in the script I am writing for you to run. Would you like me to do that?
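As an added example (not from the thread and not HijackThis's own code), a Python reader for the HijackThis lines listed in this post. It splits each line into its section code, label, CLSID and file path, marks the entries whose file is gone ("(file missing)" / "(no file)") and the R0 values that are set to nothing, and groups the O18 protocol handlers by CLSID, which is why the post says to check everything from bw+0 through offline-8876480 as one set. The sample contains the lines quoted above plus one hypothetical healthy O2 entry (made-up name, CLSID and path) so the report has something it should leave alone.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the HijackThis entries quoted in the post, plus one
# hypothetical healthy BHO line (name, CLSID and path are made up).
SAMPLE_HJT = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (file missing)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Example Helper - {00000000-1111-2222-3333-444444444444} - C:\Program Files\Example\helper.dll
O18 - Protocol: bw+0 - {6F4EF656-7C6D-449E-9064-2EA550CD810E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: offline-8876480 - {6F4EF656-7C6D-449E-9064-2EA550CD810E} - C:\Program Files\Logitech\DesktopMessenger\8876480\Program\BWPlugProtocol-8876480.dll
"""

HJT_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# A drive-letter path after " - ", optionally followed by HijackThis's "(file missing)" tag.
PATH_RE = re.compile(r"- (?P<path>[A-Za-z]:\\[^()]+?)(?: \(file missing\))?$")


@dataclass
class Entry:
    code: str             # HijackThis section, e.g. R0, O2, O18
    label: str            # text before the first " - " in the body
    clsid: Optional[str]
    path: Optional[str]
    orphaned: bool        # registered, but the file it points to is gone
    empty_value: bool     # an R0-style value that is set to nothing


def parse_hjt_line(line: str) -> Optional[Entry]:
    """Turn one HijackThis log line into an Entry, or None if it is not one."""
    m = HJT_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    clsid = CLSID_RE.search(body)
    path = PATH_RE.search(body)
    return Entry(
        code=code,
        label=body.split(" - ")[0],
        clsid=clsid.group(0).upper() if clsid else None,
        path=path.group("path").strip() if path else None,
        orphaned="(file missing)" in body or "(no file)" in body,
        empty_value=body.rstrip().endswith("="),
    )


def review(text: str) -> Dict[str, object]:
    """Group the entries the way a reviewer reads them: orphaned objects,
    empty browser settings, and O18 handlers that share one CLSID."""
    entries = [e for e in map(parse_hjt_line, text.splitlines()) if e]
    by_clsid: Dict[str, List[str]] = {}
    for e in entries:
        if e.code == "O18" and e.clsid:
            by_clsid.setdefault(e.clsid, []).append(e.label)
    return {
        "entries": entries,
        "orphaned": [e for e in entries if e.orphaned],
        "empty_values": [e for e in entries if e.empty_value],
        "o18_by_clsid": by_clsid,
    }


if __name__ == "__main__":
    r = review(SAMPLE_HJT)
    for e in r["orphaned"]:
        print("orphaned:", e.code, e.label, e.clsid)
    for e in r["empty_values"]:
        print("empty value:", e.code, e.label)
    for clsid, labels in r["o18_by_clsid"].items():
        print("O18 handler", clsid, "->", labels)
```

Grouping the O18 lines by CLSID rather than by path is the point worth noticing: the two Logitech lines in the post spell the folder differently ("Desktop Messenger" and "DesktopMessenger") but register the same COM object, so a path-keyed grouping would split what is really one handler.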
 
Okay, we're getting bogged down in technicalities so let me tell you where I'm coming from.

Sorry.


As for the question:
Possibly. I can have you remove this driver if you no longer use it by including it in the script I am writing for you to run. Would you like me to do that?

Please.

Ran HiJack This and deleted items per your instructions.

Any idea why Norton is so late in picking this file (sfsync03.sys) up? I installed those Starforce protected games years ago and haven't played them in over two years.
 
Any idea why Norton is so late in picking this file (sfsync03.sys) up? I installed those Starforce protected games years ago and haven't played them in over two years.
There are 2 reasons that can be rolled into 1, which I tried to explain.
1. It was a False Positive. Perhaps Norton had an update that caused the CD Emulator to read as malware.
2. Or if there was an infection, which is not the way I'm leaning, although you've had this on the system for a while, it only recently got infected.

Please run this Custom CFScript


  • [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open notepad and copy/paste the text in the code below into it:
Code:
File::
C:\WINDOWS\system32\drivers\sfsync03.sys
Folder::

Registry::
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=-

Driver::
sfsync03
FCopy::
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste to your next reply.
=======================================
Try to keep in mind that every time a program updates- any program- something changes. It may cause things to happen that didn't happen before. It may stop things that happened before from happening. Or the update may just become a part of the system without any events that you notice.
 
There are 2 reasons that can be rolled into 1, which I tried to explain.
1. It was a False Positive. Perhaps Norton had an update that caused the CD Emulator to read as malware.
2. Or if there was an infection, which is not the way I'm leaning, although you've had this on the system for a while, it only recently got infected.

=======================================
Try to keep in mind that every time a program updates- any program- something changes. It may cause things to happen that didn't happen before. It may stop things that happened before from happening. Or the update may just become a part of the system without any events that you notice.

Strange.....
 
Nothing strange about what I said, but the Favorites that were removed in Combofix are puzzling. Looking the list over makes me wonder if the source for these Favorites was from file sharing. For instance, I did a search for the following:

MajorGeeks.com - Download Freeware and Shareware Computer Utilities. which brings up 26,500 hits in Google. Almost all of the sites on the first 3 pages are reputable download sites. But if someone sent the URLs to you and you saved them to your Favorites, it appears something else was included with the URL.

I would recommend you remove these sites from your Favorites:
ADS Consulting Group Inc - Computer Consultants, Software Developers, Network Engineers.
Custom color matched caulking and metallic caulking.
Grills open style CHEAPEST HERE World Impex, Inc..
Hulu - Watch your favorites. Anytime. For free..
Jameco Electronics! Great Products, Low Prices..
MajorGeeks.com - Download Freeware and Shareware Computer Utilities..
Painter's tools, sealants, caulk, home repair tools - Red Devil, Inc..
Racer Factory, Inc..
Resistor Color Code, Tutorial, Formulas, Georg Simon Ohm history, What is Rho.
Restaurant.com - Dine out for less! $25 Restaurant Certificates for only $10.


If you would like to re-add these to your Favorites, type the site name in the search box, then choose the site from the merchant or manufacturer. When it's loaded, then save the new Favorite.

You're almost through. There are just a couple of files to move. There are 2 entries from old programs that I ask if you still use- if not, I'll add them:
ABIT uGuru (2005)
Guru Clock (2004)


Go ahead and run the HijackThis Installer HERE and save to the desktop:
  1. Double-click on HJTInstall.exe to run the program.
  2. By default it will install to C:\Program Files\Trend Micro\HijackThis.
  3. Accept the license agreement by clicking the "I Accept" button.
  4. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
  5. Click "Save log" to save the log file and then the log will open in notepad.
  6. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  7. Come back here to this thread and paste (Ctrl+V) the log in your next reply.

NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

I'll check for any bad entries and give you one more small script. This will have you remove all the cleaning tools and their logs.
 
I would recommend you remove these sites from your Favorites:
ADS Consulting Group Inc - Computer Consultants, Software Developers, Network Engineers.
Custom color matched caulking and metallic caulking.
Grills open style CHEAPEST HERE World Impex, Inc..
Hulu - Watch your favorites. Anytime. For free..
Jameco Electronics! Great Products, Low Prices..
MajorGeeks.com - Download Freeware and Shareware Computer Utilities..
Painter's tools, sealants, caulk, home repair tools - Red Devil, Inc..
Racer Factory, Inc..
Resistor Color Code, Tutorial, Formulas, Georg Simon Ohm history, What is Rho.
Restaurant.com - Dine out for less! $25 Restaurant Certificates for only $10.

I just tried looking for those Favorites and they are no longer there. I guess they are already deleted?

You're almost through. There are just a couple of files to move. There are 2 entries from old programs that I ask if you still use- if not, I'll add them:
ABIT uGuru (2005)
Guru Clock (2004)

We could delete the Gurus.
 
Did you get the hiccups?

Please run this Custom CFScript


  • [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open notepad and copy/paste the text in the code below into it:
Code:
KillAll::
File::
Folder::
c:\program files\Timeslips by Sage 2007 Trial Version
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ABIT uGuru]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GuruClock]
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . No log needed.
====================
There are two outdated programs that you need to get current:
Java:
Check this site: Java Updates. Stay current, as most updates are for security. Uninstall any earlier versions in Add/Remove Programs as they are vulnerabilities for the system.

Adobe Reader: You have v6> current is v9.xx:
Visit this Adobe Reader site often and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.

Almost through- any remaining problems?
 
Did you get the hiccups?

Almost through- any remaining problems?

Schizophrenia :rolleyes:

Script ran. Updated Java and Adobe Reader.

Relieved to hear that you don't think that I got hit with Backdoor.Tidserv.l!inf. Does my PC get a clean bill of health and safe to back everything up?
 
Clean!:grinthumb How is the system running?

You can do this now: Remove all of the tools we used and the files and folders they created
  • Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
  • Download OTCleanIt by OldTimer and save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.
Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
  • Set a new Restore Point and remove the old restore points
  • Go to Start > All Programs > Accessories > System Tools
  • Click "System Restore".
  • Choose "Create a Restore Point" on the first screen then click "Next".
  • Give the Restore Point a name> click "Create".
  • Go back and follow the path to > System Tools.
    • Choose Disc Cleanup
    • Click "OK" to select the partition or drive you want.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.

Empty the Recycle Bin
-----------------------------------------------------------
Tips for added security and safer browsing:
  1. Browser Security Settings: Custom is fine if the user did the settings. Mine are Custom. Default is okay too, but sometimes too restrictive.
    This Tutorial will help guide you through Configuring Security Settings, Managing Active X Controls and other safety features: Make Internet Explorer safer.
  2. Have layered Security:
    • Antivirus Software(only one):Both of the following programs are free and known to be good:
      [o]Avira Free
      [o]Avast Home
    • Firewall (only one): Use bi-directional firewall. Both of the following programs are free and known to be good:
      [o]Comodo
      [o]Zone Alarm
    • Antispyware: I recommend all of the following:
      [o]Spywareblaster: SpywareBlaster protects against bad ActiveX. It places kill bits to stop bad Active X controls from being installed. Remember to update it regularly.
      [o]IE/Spyad This places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
      [o]MVPS Hosts files This replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
      [o]Google Toolbar Get the free google toolbar to help stop pop up windows.
  3. Stay current on updates:
    [o] Visit the Microsoft Download Site frequently. You should get All updates marked Critical and the current SP updates.
    [o]Visit this Adobe Reader site often and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.
    [o]Check this site: Java Updates. Stay current, as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.
  4. Reset Cookies to prevent Tracking Cookies:
    [o]For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> check 'override automatic Cookie handling'> check 'accept first party Cookies'> check 'Block third party Cookies'> check 'allow per session Cookies'> Apply> OK.
    [o]For Firefox: Tools> Options> Privacy> Cookies> check ‘accept Cookies from Sites’> Uncheck 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'use custom settings for History.')
    I suggest using the following two add-ons for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
    AdBlock Plus
    Easy List
  5. Do regular Maintenance
  6. Remove Temporary Internet Files regularly:
    [o]ATF Cleaner by Atribune
    OR
    [o]TFC
  7. Disable and Enable System Restore:
    [o]See System Restore Guide This will help you understand what this is, why you need to clean and set restore points and what information is in them.
  8. Practice Safe Email Handling
    [o] Don't open email from anyone you don't know.
    [o] Don't open Attachments in the email. Save to your desktop and scan for viruses using a right click.
    [o] Don't leave your personal email address on the internet. Have a separate email account at one of the free web-based emails like Yahoo.
Let me know if you have any more questions.
 
Clean!:grinthumb How is the system running?

Let me know if you have any more questions.

Bobbye,

I want to thank you VERY MUCH for taking the time to help me in cleaning the system during my time of frustration and anxiety. I'll keep this in my FAVORITES so I can reference to make sure everything runs smoothly.
 
You're very welcome.:) Glad to help. The tips I left are basics for almost any computer or Windows OS.
 