Tech Support Forum - View Single Post

extremeboy · 06-26-2009, 08:39 AM

Hello.

Let's see what we can find and remove. I see a few infection from the DDS log already. TDSSserv is a rootkit, we'll see if it's active or not but take a read below regarding rootkits and backdoors. If you wish to continue follow the steps on running Combofix and GMER.

Unfortunatly One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. If you wish to continue follow the steps below.

Download and Run ComboFix

Download Combofix from any of the links below, and save it to your desktop.
Link 1
Link 2
Link 3

Please refer to this page for full instructions on how to run ComboFix.

Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
Double click ComboFix.exe to start the program. Agree to the prompts.
When ComboFix is finished, a log report (C:\ComboFix.txt) will open. Post back with it.

Leave your computer alone while ComboFix is running.

ComboFix will restart your computer if malware is found; allow it to do so.

Note: Please Do NOT mouseclick combofix's window while its running because it may call it to stall.

Then, please take a GMER scan for me.

We need to scan for Rootkits with GMER

Please download GMER from one of the following locations, and save it to your desktop:
- Main Mirror
  This version will download a randomly named file (Recommended)
- Zip Mirror
  This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
Close any and all open programs, as this process may crash your computer.
Double click or on your desktop.
Allow the gmer.sys driver to load if asked.
You may see this window. If you do, click No.
Click on and wait for the scan to finish.
If you see a rootkit warning window, click OK.
Push and save the logfile to your desktop.
Copy and Paste the contents of that file in your next post.

Take a new DDS run afterwards and post back with the logs.

With Regards,
Extremeboy

06-26-2009, 08:39 AM	#2 (permalink)
extremeboy Analyst, Security Team Join Date: Jan 2009 Posts: 554 OS: N/A	Re: PC severely hosed due to Trojan Hello. Let's see what we can find and remove. I see a few infection from the DDS log already. TDSSserv is a rootkit, we'll see if it's active or not but take a read below regarding rootkits and backdoors. If you wish to continue follow the steps on running Combofix and GMER. Unfortunatly One or more of the identified infections is a backdoor trojan. This allows hackers to remotely control your computer, steal critical system information and download and execute files. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation. Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information: How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud? When Should I Format, How Should I Reinstall We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. If you wish to continue follow the steps below. Download and Run ComboFix Download Combofix from any of the links below, and save it to your desktop. Link 1 Link 2 Link 3 Please refer to this page for full instructions on how to run ComboFix. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how. Double click ComboFix.exe to start the program. Agree to the prompts. When ComboFix is finished, a log report (C:\ComboFix.txt) will open. Post back with it. Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so. Note: Please Do NOT mouseclick combofix's window while its running because it may call it to stall. Then, please take a GMER scan for me. We need to scan for Rootkits with GMER Please download GMER from one of the following locations, and save it to your desktop: Main Mirror This version will download a randomly named file (Recommended) Zip Mirror This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop. Close any and all open programs, as this process may crash your computer. Double click or on your desktop. Allow the gmer.sys driver to load if asked. You may see this window. If you do, click No. Click on and wait for the scan to finish. If you see a rootkit warning window, click OK. Push and save the logfile to your desktop. Copy and Paste the contents of that file in your next post. Take a new DDS run afterwards and post back with the logs. With Regards, Extremeboy __________________ If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.