
TDSS Infection


mlmorg


Hi all,

My mother's computer seems to have been infected with TDSS. I told her to follow the instructions on this page: http://community.norton.com/t5/Norton-Inte...SServ/m-p/46674 and run SDFix. She never was able to find the drivers in step 1, but she went through the instructions twice and after doing so, programs that used to not open (like Symantec) would now work. So she ran Symantec AntiVirus, Malwarebytes and SUPERAntiSpyware. Symantec was unhelpful in deleting anything, but the other two programs found and deleted many different issues, she said; however, she ran them multiple times and each time they would find something new. She also got Symantec Endpoint, installed and ran that, and that did a little better than her older Symantec program. The main issue she's having now is that certain sites are being blocked/redirected and the malware programs continue to find new issues. Below are the dds.txt contents, and I've attached ark.txt and attach.txt.

My first question is: is there anything we can do from here? Also, she's thinking of formatting and installing Windows 7; would this be any better? And finally, if in the end she does reformat and goes back to XP or gets Windows 7, should she change all of her passwords on sites, get new credit cards, etc., or is that taking it too far? She's also wary because she has a few doc files on her comp with passwords, credit card numbers, maybe even SSNs...

Thanks a bunch for any help,

Matt

DDS (Ver_09-12-01.01) - NTFSx86

Run by Barbara Morgan at 11:07:48.63 on Sun 02/28/2010

Internet Explorer: 7.0.5730.13

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1191 [GMT -5:00]

AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

FW: Symantec Endpoint Protection *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\Program Files\Symantec AntiVirus\Smc.exe

C:\WINDOWS\Explorer.EXE

svchost.exe

svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\WINDOWS\system32\acs.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\M-Audio\M-Audio Series II MIDI\MA_CMIDI_Inst.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe

C:\WINDOWS\System32\M-AudioTaskBarIcon.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Cobian Backup 9\Cobian.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program Files\Cobian Backup 9\cbInterface.exe

C:\Program Files\Symantec AntiVirus\SmcGui.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Symantec AntiVirus\SymCorpUI.exe

C:\Program Files\Symantec AntiVirus\SavUI.exe

C:\Documents and Settings\Barbara Morgan\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyOverride = *.local

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll

BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll

TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [Cobian Backup 9] "c:\program files\cobian backup 9\Cobian.exe"

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [sUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /install

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [soundMan] SOUNDMAN.EXE

mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"

mRun: [vptray] c:\progra~1\symant~1\VPTray.exe

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [M-Audio Taskbar Icon] c:\windows\system32\M-AudioTaskBarIcon.exe

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mPolicies-system: EnableLUA = 0 (0x0)

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab

DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

TCP: NameServer = 93.188.163.39,93.188.161.101

TCP: {34E2B6B8-CE46-4A24-90D5-AC19F214FE85} = 93.188.163.39,93.188.161.101

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll

Notify: NavLogon - c:\windows\system32\NavLogon.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 66632]

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-12-16 108392]

R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-12-16 108392]

R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec antivirus\Rtvscan.exe [2009-12-16 2477304]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-8-28 102448]

R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100227.025\NAVENG.SYS [2010-2-28 84912]

R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100227.025\NAVEX15.SYS [2010-2-28 1324720]

R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]

S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2009-12-16 23888]

S3 MAUSBRI;M-Audio Fast Track Ultra Service;c:\windows\system32\drivers\mausbftu.sys [2009-5-21 135944]

S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2007-10-7 116664]

S3 sonydcam;Generic 1394 Desktop Camera;c:\windows\system32\drivers\sonydcam.sys [2008-4-13 25344]

S4 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]

S4 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]

=============== Created Last 30 ================

2010-02-20 19:47:54 0 ------w- c:\documents and settings\barbara morgan\defogger_reenable

2010-02-20 19:44:57 162048 ----a-w- c:\windows\system32\drivers\wpshelper.sys

2010-02-20 19:43:31 92488 ----a-w- c:\windows\system32\drivers\SysPlant.sys

2010-02-18 23:57:08 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com

2010-02-18 23:56:53 0 d-----w- c:\program files\SUPERAntiSpyware

2010-02-18 23:56:53 0 d-----w- c:\docume~1\barbar~1\applic~1\SUPERAntiSpyware.com

2010-02-18 23:56:17 0 d-----w- c:\docume~1\barbar~1\applic~1\Malwarebytes

2010-02-18 23:56:13 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-02-18 23:56:11 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-02-18 23:56:11 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-02-18 23:56:11 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-02-15 20:16:46 0 d-----w- c:\windows\ERUNT

2010-02-15 20:01:38 0 d-----w- C:\SDFix

==================== Find3M ====================

2010-02-27 15:44:15 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF

2010-02-27 15:44:15 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT

2010-02-27 15:44:15 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL

2010-02-27 15:44:15 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS

2009-12-16 19:58:00 89600 ----a-w- c:\windows\system32\atl71.dll

2009-12-16 19:58:00 87368 ----a-w- c:\windows\system32\FwsVpn.dll

2009-12-16 19:58:00 625032 ----a-w- c:\windows\system32\SymNeti.dll

2009-12-16 19:58:00 357704 ----a-w- c:\windows\system32\sysfer.dll

2009-12-16 19:58:00 242056 ----a-w- c:\windows\system32\SymRedir.dll

2009-12-16 19:58:00 107848 ----a-w- c:\windows\system32\SymVPN.dll

2009-12-14 19:15:14 2146304 ----a-w- c:\windows\system32\GPhotos.scr

2009-12-02 04:53:50 695578 ----a-w- c:\windows\system32\unins000.exe

2006-07-05 10:33:24 472000 ----a-w- c:\windows\inf\wg311t\WG311T13.sys

2004-10-20 00:58:28 35232 ----a-w- c:\windows\inf\wg311t\ME_INST.EXE

2004-10-20 00:58:28 26112 ----a-w- c:\windows\inf\wg311t\install.exe

============= FINISH: 11:08:17.39 ===============

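The "sites are being blocked/redirected" symptom lines up with one detail in the DDS log above: the `TCP: NameServer` entries point at two public resolvers rather than the home router or ISP. The script below is an added example, not part of the forum thread or of the DDS tool; it parses the `TCP:` lines of a DDS "Pseudo HJT Report" and classifies each resolver against an allowlist of resolvers the owner expects (constructed here as `192.168.1.1`) and a table of rogue-resolver ranges (constructed for illustration; keep such a table current from threat-intelligence feeds). The sample input is copied from the log in this thread.

```python
"""Flag unexpected DNS resolvers recorded in a DDS 'Pseudo HJT Report'.

Added example (not code from the forum thread or the DDS tool). It
reads the 'TCP: NameServer' / 'TCP: {interface GUID}' lines DDS emits
and reports any resolver that is not one the machine's owner expects.
"""
import ipaddress
import re

# Sample input: TCP lines as they appear in the thread's DDS log,
# plus one unrelated line to show that non-TCP lines are ignored.
SAMPLE_DDS = """\
uStart Page = hxxp://www.google.com/
TCP: NameServer = 93.188.163.39,93.188.161.101
TCP: {34E2B6B8-CE46-4A24-90D5-AC19F214FE85} = 93.188.163.39,93.188.161.101
"""

# Assumption: the resolvers this household expects (router / ISP).
EXPECTED_RESOLVERS = {"192.168.1.1"}

# Constructed rogue-resolver table for illustration. 93.188.160.0/21 is
# one of the publicly listed DNSChanger ranges, but maintain this table
# from current threat intelligence rather than trusting it as-is.
ROGUE_RANGES = [ipaddress.ip_network("93.188.160.0/21")]

TCP_LINE = re.compile(
    r"^TCP:\s+(?P<key>NameServer|\{[0-9A-Fa-f-]+\})\s*=\s*(?P<ips>.+)$"
)


def parse_dns_servers(dds_text):
    """Return a list of (key, [resolver, ...]) for each TCP line."""
    entries = []
    for line in dds_text.splitlines():
        match = TCP_LINE.match(line.strip())
        if not match:
            continue
        ips = [p.strip() for p in match.group("ips").split(",") if p.strip()]
        entries.append((match.group("key"), ips))
    return entries


def classify(ip_str):
    """Verdict for one resolver address."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return "malformed"
    if ip_str in EXPECTED_RESOLVERS:
        return "expected"
    if any(ip in net for net in ROGUE_RANGES):
        return "rogue"
    if ip.is_private:
        return "unexpected-private"
    return "unexpected-public"


def audit_dns(dds_text):
    """Map every resolver address seen in the log to its verdict."""
    verdicts = {}
    for _key, ips in parse_dns_servers(dds_text):
        for ip in ips:
            verdicts[ip] = classify(ip)
    return verdicts


def needs_attention(verdicts):
    """True when any configured resolver is not on the expected list."""
    return any(v != "expected" for v in verdicts.values())


if __name__ == "__main__":
    result = audit_dns(SAMPLE_DDS)
    for ip, verdict in sorted(result.items()):
        print(f"{ip:<16} {verdict}")
    if needs_attention(result):
        print("DNS settings differ from the expected resolvers; "
              "treat every site visited from this machine as untrusted.")
```

A resolver marked `unexpected-public` is not automatically malicious (the owner may have chosen a public DNS service deliberately), which is why the allowlist is the first check; the point is that a changed resolver explains redirects that no amount of on-host scanning will fix until the DNS setting itself is corrected or the machine is rebuilt.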

sorry I think I forgot the attachment

attached.zip

Attach.txt

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows XP Professional

Boot Device: \Device\HarddiskVolume2

Install Date: 1/5/2009 6:01:52 PM

System Uptime: 2/28/2010 5:49:48 AM (6 hours ago)

Motherboard: ASUSTeK Computer INC. | | A8N-SLI DELUXE

Processor: AMD Athlon 64 Processor 3200+ | Socket 939 | 2010/200mhz

==== Disk Partitions =========================

A: is Removable

C: is FIXED (NTFS) - 186 GiB total, 99.652 GiB free.

D: is CDROM ()

E: is FIXED (NTFS) - 37 GiB total, 31.536 GiB free.

==== Disabled Device Manager Items =============

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}

Description: PCI Memory Controller

Device ID: PCI\VEN_10DE&DEV_005E&SUBSYS_815A1043&REV_A3\3&2411E6FE&0&00

Manufacturer:

Name: PCI Memory Controller

PNP Device ID: PCI\VEN_10DE&DEV_005E&SUBSYS_815A1043&REV_A3\3&2411E6FE&0&00

Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}

Description: SM Bus Controller

Device ID: PCI\VEN_10DE&DEV_0052&SUBSYS_815A1043&REV_A2\3&2411E6FE&0&09

Manufacturer:

Name: SM Bus Controller

PNP Device ID: PCI\VEN_10DE&DEV_0052&SUBSYS_815A1043&REV_A2\3&2411E6FE&0&09

Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}

Description: Ethernet Controller

Device ID: PCI\VEN_11AB&DEV_4320&SUBSYS_811A1043&REV_13\4&13699180&0&6048

Manufacturer:

Name: Ethernet Controller

PNP Device ID: PCI\VEN_11AB&DEV_4320&SUBSYS_811A1043&REV_13\4&13699180&0&6048

Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}

Description:

Device ID: ACPI\ATK0110\1010110

Manufacturer:

Name:

PNP Device ID: ACPI\ATK0110\1010110

Service:

==== System Restore Points ===================

RP344: 1/12/2010 8:06:13 PM - System Checkpoint

RP345: 1/13/2010 8:16:55 PM - System Checkpoint

RP346: 1/14/2010 10:22:03 PM - System Checkpoint

RP347: 1/15/2010 8:05:36 PM - Installed Google SketchUp Pro 7

RP348: 1/16/2010 8:34:48 PM - System Checkpoint

RP349: 1/17/2010 10:33:22 PM - System Checkpoint

RP350: 1/18/2010 11:21:49 PM - System Checkpoint

RP351: 1/20/2010 3:29:52 AM - System Checkpoint

RP352: 1/21/2010 4:37:27 AM - System Checkpoint

RP353: 1/22/2010 1:01:36 PM - System Checkpoint

RP354: 1/23/2010 1:36:04 PM - System Checkpoint

RP355: 1/24/2010 2:39:50 PM - System Checkpoint

RP356: 1/25/2010 3:26:53 PM - System Checkpoint

RP357: 1/26/2010 3:57:03 PM - System Checkpoint

RP358: 1/27/2010 4:08:23 PM - System Checkpoint

RP359: 1/28/2010 4:58:14 PM - System Checkpoint

RP360: 1/29/2010 5:03:22 PM - System Checkpoint

RP361: 1/30/2010 6:06:49 PM - System Checkpoint

RP362: 1/31/2010 7:03:55 PM - System Checkpoint

RP363: 2/1/2010 8:06:42 PM - System Checkpoint

RP364: 2/2/2010 8:41:20 PM - System Checkpoint

RP365: 2/3/2010 8:50:09 PM - System Checkpoint

RP366: 2/4/2010 11:44:51 PM - System Checkpoint

RP367: 2/6/2010 12:20:18 AM - System Checkpoint

RP368: 2/7/2010 9:44:24 AM - System Checkpoint

RP369: 2/7/2010 3:33:30 PM - Installed Windows XP -- Software Updates KB952011.

RP370: 2/8/2010 3:41:29 PM - System Checkpoint

RP371: 2/9/2010 4:12:28 PM - System Checkpoint

RP372: 2/10/2010 4:31:11 PM - System Checkpoint

RP373: 2/11/2010 5:40:15 PM - System Checkpoint

RP374: 2/12/2010 6:28:45 PM - System Checkpoint

RP375: 2/13/2010 6:29:50 PM - System Checkpoint

RP376: 2/14/2010 10:04:11 AM - Unsigned driver install

RP377: 2/15/2010 10:07:45 AM - System Checkpoint

RP378: 2/16/2010 11:08:34 AM - System Checkpoint

RP379: 2/17/2010 11:58:38 AM - System Checkpoint

RP380: 2/18/2010 2:54:14 PM - System Checkpoint

RP381: 2/18/2010 6:56:52 PM - Installed SUPERAntiSpyware Free Edition

RP382: 2/19/2010 7:41:51 PM - System Checkpoint

RP383: 2/20/2010 2:41:09 PM - Removed Symantec AntiVirus

RP384: 2/20/2010 7:15:20 PM - Installed Windows XP WgaNotify.

RP385: 2/21/2010 8:35:41 PM - System Checkpoint

RP386: 2/22/2010 9:03:37 PM - System Checkpoint

RP387: 2/23/2010 9:06:28 PM - System Checkpoint

RP388: 2/24/2010 9:59:43 PM - System Checkpoint

RP389: 2/25/2010 10:03:59 PM - System Checkpoint

RP390: 2/26/2010 11:39:20 PM - System Checkpoint

RP391: 2/27/2010 10:44:21 AM - Removed Symantec AntiVirus

==== Installed Programs ======================


It would be the safest in the long term to wipe the HD and install Windows as a fresh (new) install, unless your mom has a recent backup from before this current infection. Find out if she has that backup.

It would be a very good idea for her to change all her login passwords for online accounts (using a clean PC, not this one). You never know what co-infectors came with or after TDSS.


Thanks Maurice for the quick reply.

I'll definitely let her know to format and install a new OS. I set up Cobian to back up her user directory to another drive in the computer, but it's not a full mirror, so the format would be the best option. The backups have been running since she got the rootkit, however, so do you think this would be an issue when I format the C: and move her documents, pics etc. back to the C: from the E:?

As for the logins, I let her know to change those all today from another computer. Is that enough? Should she be worried about any of the other information in her doc files?

Thanks again,

Matt


Your mom should be on the lookout for possible theft of her credit card & bank information if they were used online, or even if she stored her numbers in a document or elsewhere. It's up to her if she wishes to advise her CC companies & bank that the accounts may have been compromised. Certainly she should really watch her card & bank statements.

If you only have a partial backup, then you must be extremely careful about how & when you copy back documents.

The Windows O.S. must be re-installed first, an up-to-date antivirus set up next, and then a full visit to Windows Updates.

Any old documents & files restored must first be thoroughly scanned by the antivirus program.

Keep this handy for fresh install of Windows:

Make sure you have at hand the Windows XP CD and also, a fresh new copy of your antivirus that is downloaded from a clean pc and saved on transportable-media (CD-DVD or clean thumb drive).

When you are at the point of re-installing the O.S., I'd recommend you have the PC disconnected from the internet until after the O.S. is installed, plus the antivirus is fully set up and running.

See Windows XP Clean Installation - Partitioning and Formatting using Windows XP CD by Ramesh Srinivasan, MS-MVP

Also Clean Install Windows by Michael Stevens, MS-MVP

I would urge you to follow the directions very carefully.

You will lose your documents, so if you have some to save, offload them to separate offline media. And later on ensure you do a full scan of them by running your antivirus.


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

This topic is now closed to further replies.