[H]Huge BackDoor Trojan Problem

Mickey

United States2606 Posts

June 18 2009 05:14 GMT

I never thought I'd say this, but I seriously need help getting rid of the nastiest malware infection I've ever had.

This infection not only slows down my computer, crashes firefox, redirects search results, it also doesn't let certain antispyware programs install/turn on.

+ Show Spoiler +

I tried researching how to get rid of it ,and I just found this link.
LINK

I've tried booting up in Safe Mode and using both Antivir/Super Antispyware it found about 50 Trojans. Antivir finds that specific Trojan, but won't let me remove it. A squared found it, but won't let me remove it.

Malwarebytes/Spybot install, but won't run. I tried changing the .exe file like I did with super Antispyware, but it still won't run.

Does anyone know anything that will FUCKING kill this? If worst comes to worst I'll have to reformat.

GOD THIS IS THE SMARTEST VIRUS EVER!

RaGe

Belgium9947 Posts

June 18 2009 05:20 GMT

You couldn't run Malwarebytes in Safe Mode? I find that hard to believe.

jimminy_kriket

Canada5499 Posts

June 18 2009 05:22 GMT

Does hijack this run? Try posting a hijackthis log on a tech forum

Mickey

United States2606 Posts

June 18 2009 05:23 GMT

On June 18 2009 14:20 RaGe wrote:
You couldn't run Malwarebytes in Safe Mode? I find that hard to believe.

It won't run. It takes forever to install(probably the virus/trojan is doing it's mischief).

On June 18 2009 14:22 jimminy_kriket wrote:
Does hijack this run? Try posting a hijackthis log on a tech forum

First, thing I did was run hijackthis, and post it on a site that analyzes malicious processes. The problem is that Hijackthis can't detect these. All the ones it did detect I deleted.

My LOG(WARNING LONG)
+ Show Spoiler +

Logfile of HijackThis v1.99.1
Scan saved at 12:23:38 AM, on 6/18/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\a-squared Free\a2service.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Documents and Settings\Mike\My Documents\asddadw.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (file missing)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.21.0\gears.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Shrimp\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.21.0\gears.dll
O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.21.0\gears.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (file missing)
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (file missing)
O15 - Trusted Zone: http://*.att.net
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SP\SASWINLO.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Google Update Service (gupdate1c912faf57de5c4) (gupdate1c912faf57de5c4) - Unknown owner - C:\Program Files\Google\Update\GoogleUpdate.exe" /svc (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe

I'm currently using the online scanner Housecall.

Kentor

United States5784 Posts

June 18 2009 05:28 GMT

Dude just reformat.

Mickey

United States2606 Posts

June 18 2009 05:31 GMT

On June 18 2009 14:28 Kentor wrote:
Dude just reformat.

No. I'm fucking sick of people always just saying "Reformat!". Do you know how much a pain in the ass it is, also I've always been a pretty knowledgeable person on ad ware/viruses. My Brother has fucked up the comp tons of tons of times doing dumb shit/looking at porn. I've always fixed the infection. Reformatting is like excepting defeat in my opinion.

God why do I always have stress/shit happened to me. I'm a nice guy!

ZoW

United States3983 Posts

June 18 2009 05:32 GMT

Have you tried combofix?

Bac

United States53 Posts

June 18 2009 05:32 GMT

Anyone else do a double-take after reading the thread title, and then after clicking on the thread feel ashamed and dirty for your thoughts?

evanthebouncy!

United States12796 Posts

June 18 2009 05:34 GMT

I was gonna say why you need to wear condoms while fucking in the anus.

Reason

United Kingdom2770 Posts

June 18 2009 05:35 GMT

#10

Nasty processes you got there :o

Kentor

United States5784 Posts

June 18 2009 05:35 GMT

#11

On June 18 2009 14:31 Mickey wrote:

Show nested quote +

Well next time put all your shit in another partition different from the OS. You only need at most about 60GB for your OS.

Deleted User 3420

24492 Posts

June 18 2009 05:38 GMT

#12

Try downloading "trojan defense suite"

u can get a trial of the newest version for free, probably

here

http://tucows.menanet.net/preview/195501.html

jimminy_kriket

Canada5499 Posts

June 18 2009 05:40 GMT

#13

Well only advice i can give really is to wait for people on the tech forum you posted at to give you further instructions and in the meantime try running every online scanner known to man. F secure, eset, panda, bitdefender all have good scanners if i recall correctly

Grobyc

Canada18410 Posts

June 18 2009 05:53 GMT

#14

Stop downloading so much porn?

and this:

On June 18 2009 14:34 evanthebouncy! wrote:
I was gonna say why you need to wear condoms while fucking in the anus.

kekeke

Mickey

United States2606 Posts

June 18 2009 05:56 GMT

#15

On June 18 2009 14:32 ZoW wrote:
Have you tried combofix?

I'm not really knowledgeable on this software. I've read it in the threads, but I also found out that it can do some damage to your OS if not used properly.

Would you care to explain how it works?

On June 18 2009 14:38 travis wrote:
Try downloading "trojan defense suite"

u can get a trial of the newest version for free, probably

here

http://tucows.menanet.net/preview/195501.html

Thanks will do although this seems really old.

On June 18 2009 14:53 Grobyc wrote:
Stop downloading so much porn?

I don't download porn I'm smarter than that. I stream it on Redtube with adblocker making that window look clean.

Honestly another thing that is bothering me is how I got the trojan to begin with. I have to 2 possibilities. A MP3 I downloaded, or a Antivirus suit torrent I downloaded and ran. I think it was the MP3.

I knew it looked shady. Chains of Love by Erasure is now my least favorite song ever.

Deleted User 3420

24492 Posts

June 18 2009 06:00 GMT

#16

It is old, but the trojan/virus lists are up to date afaik

pretty sure it's the best there is

Mickey

United States2606 Posts

June 18 2009 06:02 GMT

#17

Travis you are my boy. I owe you man.

Deleted User 3420

24492 Posts

June 18 2009 06:07 GMT

#18

did you get it fixed?
glad I could help

MamiyaOtaru

United States1687 Posts

June 18 2009 07:07 GMT

#19

On June 18 2009 14:56 Mickey wrote:
Honestly another thing that is bothering me is how I got the trojan to begin with. I have to 2 possibilities. A MP3 I downloaded, or a Antivirus suit torrent I downloaded and ran. I think it was the MP3.

Hahaha are you serious? Your choices are a music file and a warezed app suite containing presumably at least one executable, and you suspect the music file??

Admit defeat. Reformat. Once you've been back doored you can never be sure it is gone. That's the nature of rootkits. And next time don't download warez antivirus apps. Wasn't your brother "doing dumb shit" this time.

I mean, it's cool if it seems like Trojan Defense Suite worked, but all the programs you tried previously either couldn't detect or remove something. You can't be %100 sure that TDS got everything, that there isn't something there it couldn't find. I mean if there are no symptoms continue merrily on your way or whatever. Hope you're not part of a botnet.

Etherone

United States1898 Posts

June 18 2009 07:34 GMT

#20

TL > tech forums

well for further reference i would love to know how you got rid of it.

qrs

United States3637 Posts

June 18 2009 07:34 GMT

#21

On June 18 2009 16:07 MamiyaOtaru wrote:
Hope you're not part of a botnet.

Maybe after taking control of the computer, the virus logs on to various internet forums and asks seemingly innocent questions about getting rid of itself, in order to find out what the state of the art in anti-virus technology is. How can we know that it is really Mickey posting? AAAGGHHH!!

evanthebouncy!

United States12796 Posts

June 18 2009 07:44 GMT

#22

On June 18 2009 14:56 Mickey wrote:

Show nested quote +

I'm not really knowledgeable on this software. I've read it in the threads, but I also found out that it can do some damage to your OS if not used properly.

Would you care to explain how it works?

Show nested quote +

Thanks will do although this seems really old.

Show nested quote +

btw pornhub is much better than redtube, think of it as TL vs GG.net

nttea

Sweden4353 Posts

June 18 2009 08:08 GMT

#23

you have to surrender, format C: lose the battle but hope that you will win the war.

NoNones

41 Posts

June 18 2009 08:43 GMT

#24

On June 18 2009 14:31 Mickey wrote:

Show nested quote +

Then you should know that you can never trust that computer again as long as it's not been reformated or shadow coped to a earlier state that known to be secure and done though a separate boot one that is not safe mode ie a linux boot. Shit now of days you need a full security suite once one shit is compromised you can't trust any programs you use or install after the infection even if you believe it's been properly cleaned.

Try to see if you can get G-Data on that and run a scan on their linux boot.

Reformaing is the safest period. You already lost when the infection became noticeable I've used router firewall+hosts file for more then 8 years in that time only 2 times i had an infection. Because i don't install open or even look at strange shit and go to strange websites. l2internet.

StorrZerg

United States13919 Posts

June 18 2009 12:03 GMT

#25

On June 18 2009 16:34 Etherone wrote:
TL > tech forums

well for further reference i would love to know how you got rid of it.

so true lol

inReacH

Sweden1612 Posts

June 18 2009 12:57 GMT

#26

On June 18 2009 14:31 Mickey wrote:

Show nested quote +

Learn how to reformat then.. I reformat over 4 times/year and it takes be about 3 hours to get EVERYTHING reinstalled and my comp completely back to the way it was but running like it's brand new.

Obviously you need a slave drive to be able to do this but holy shit is it worth it

Shauni

4077 Posts

June 18 2009 13:14 GMT

#27

It's pretty much impossible to get a virus from an mp3 file.

Mickey

United States2606 Posts

June 18 2009 13:18 GMT

#28

On June 18 2009 16:07 MamiyaOtaru wrote:

Show nested quote +

I don't download from Warez sites. I'm not an idiot, and neither do I have the bandwith/rapidshare account to do so.

I downloaded a MP3 using frostwire. The MP3 didn't have any seeminly weird details. The size seeemed correct, and I guess I made the mistake of downloading a higher bitrate song that had no downloads before that.

Also, I still don't know how I got the virus. I just estimated those two. Yeah, I have to be smart I guess.

Today I'm staying up all night using every program I can to try to win. If I can't I'll admit defeat and reformat.

Are there any precautions I should do? My gf let me use a external hardrive. I'll basically put my music collection, some videos, and some important text files. Everything else I can reinstall easily. Most of my games are from steam, etc... Should I copy files in safe mode to make sure nothing could infect the external hardrive?

anderoo

Canada1876 Posts

June 18 2009 15:32 GMT

#29

title was extremely misleading

Mickey

United States2606 Posts

June 18 2009 15:38 GMT

#30

Experts Please respond via comment/pm
Can these removers be trusted?
Remove Zlob
Agent Akk
Also I found this guide which seems mildly legit.
+ Show Spoiler +

Do the following to remove trojan TDSSserv (trojan Backdoor.Tidserv).

PART I: TDss RootKit removal

Step 1: Disable TDSSserv trojan driver.
# Right click the My computer icon. If you are using the non classic Start menu, then right click My computer icon on your Start button menu.
# Click Properties.
# Click Hardware Tab.
# Click Device Manager.
# In the top menu, click View and click Show Hidden Drivers.
# Scroll down to non Plug and Play drivers.
# Click + at left.
# In the list of drivers right click UACd.sys. (If you do not find this, then skip to Step 2)
# Click Disable.
# Click YES for confirm.
# Close all windows and reboot your computer.

Step 2: Remove TDSSserv Registry Keys
# Download RegASSASSIN from here. Save to your Desktop
# Run RegASSASSIN
# Click "I Agree"
# Copy & Paste the following RegKey to be deleted:
Code:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC
If you receive the error message "The registry key you have specified does not exist or is not visible to regassasin. This may be caused by a set permission that does not allow regassasin to see it, would you like to continue?" Click "Yes" to continue.
# Close all windows and reboot your computer.

PART II: TDss RootKit removal

Step 3: Delete TDSSserv trojan driver.
# Download Avenger from here and unzip to your desktop.
# Run Avenger, copy & paste the following text in Input script Box:
Code:
Drivers to delete:
UACd.sys

Then click "Execute".
# You will be asked, "Are you sure you want to execute the current script?". Click Yes.
# You will now be asked First step completed - The Avenger has been successfully set up to run on next boot. Reboot now?. Click Yes.
# Your PC will now reboot

Step 4: Running ComboFix

Download to your Desktop
- ComboFix by sUBs from >> Geeks2Go <<

Save as AvoidTDSS.exe during the download. ComboFix must be renamed before you download to your Desktop

Close ALL windows

Double click AvoidTDSS.exe follow the prompts

When finished, the program will produce a log

Note:
1. Do not mouseclick combofix's window while it's running. That may cause it to stall!
2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.

Step 4: Getting Logs
Post the following logs:
# ComboFix
# ISeeYouXP

SoulMarine

United States586 Posts

June 18 2009 15:52 GMT

#31

someone got confickerroll'd

Kletus

Canada580 Posts

June 18 2009 16:15 GMT

#32

If it is something so persistant as a rootkit, I wouldn't trust that computer until a format was performed.

Just be glad it isn't a Boot Virus. That can really screw shit up and you'd have to flash your box =x.

Mickey

United States2606 Posts

June 18 2009 16:44 GMT

#33

On June 19 2009 01:15 Kletus wrote:
If it is something so persistant as a rootkit, I wouldn't trust that computer until a format was performed.

Just be glad it isn't a Boot Virus. That can really screw shit up and you'd have to flash your box =x.

If I was going to reformat. How could I make sure files that I would be transferring from my hardrive to an external hardrive would be safe from infection? Scan the external hardrive after/transfer during safe mode?

Chef

10810 Posts

June 18 2009 16:56 GMT

#34

On June 19 2009 01:44 Mickey wrote:

Show nested quote +

Next time you'd make backups of the files that are important to you.

PS: Flash apps and things have vulnerabilities too that can cause your PC to be infected. Just streaming porn isn't going to save you from viruses

Try investing in NoScript and find out what sites you can really trust.

0xDEADBEEF

Germany1235 Posts

June 18 2009 17:34 GMT

#35

On June 18 2009 14:31 Mickey wrote:

Show nested quote +

You aren't knowledgeable enough about it if you want to avoid reformatting when you're infected, because this is the best (safest) solution. If you want to be sure that your system is clean, there is no other way.
Virus scanners etc. should be used to detect viruses *before* you execute them (and then *avoid* executing them), before it's too late.

And you should never let someone else fuck up your comp. Make an account with a minimum amount of privileges for your brother.

Kletus

Canada580 Posts

June 18 2009 17:38 GMT

#36

On June 19 2009 01:44 Mickey wrote:

Show nested quote +

Yes you can just scan the external.

I have the same attitude as you towards formatting, it doesn't help that I'm an IT student so when shit hits the fan I don't mind going into the registry and a) Messing it up more or b) Somehow miraculously fixing everything. The best defense against malicious code/packets/whatever you wanna call it, is to prevent them from getting in in the first place; once it is in, your system has been compromised. Period. This can be done with a hardware/software firewall or 3rd party antivirus software stuff. I use Spybot and so far I've had no problems. I USED to use antivir but it wouldnt get rid of a peice of adware that was pissing me off.

Now I also know that you've used spybot and it isn't helping. Maybe it's a new virus that has no definition yet.

Normal

Please or register to reply.

[H]Huge BackDoor Trojan Problem

Completed

Ongoing

Upcoming