Backdoor Malware/Trojan issue. - BackDoor.Tdss based problem

Question

Hi, Working on a Dell PC that has been infected with some form of Backdoor malware/trojan. Running Windows XP Pro. Shaw Secure (F-Secure) Firewall/Antivirus caught  'Packed.Win32.tdss' and quarantined it then all went to heck in a handbasket! Seems that it didn't stop everything! Computer began running abnormally. Everytime internet explorer was opened it either did not go to the home page (just stayed white) and/or froze the computer. - Rebooted then ran a complete scan with Shaw Secure and nothing was found. - Windows Defender also didn't find anything. - Spybot Search and destroy was downloaded and installed but will not launch. - Tried to perform a System Restore and could not get past the final next button where the restore should start.- Downloaded and ran DR WEB standalone virus scanner and it found and moved: UACknukhtpl.dll;C:\WINDOWS\system32;BackDoor.Tdss.based;Incurable.Moved.; UACmnelvadn.dll;C:\WINDOWS\system32;BackDoor.Tdss.based;Incurable.Moved.; UACmtmxbwnf.dll;C:\WINDOWS\system32;BackDoor.Tdss.based;Incurable.Moved.; UACtgpyubox.dll;C:\WINDOWS\system32;BackDoor.Tdss.based;Incurable.Moved.; UACtkisprps.dll;C:\WINDOWS\system32;BackDoor.Tdss.based;Incurable.Moved.; uacwjhkucyn.dll.$DIS;C:\WINDOWS\system32;BackDoor.Tdss.based;Incurable.Moved.; uacwjhkucyn.dll.uss_dis;C:\WINDOWS\system32;BackDoor.Tdss.based;Incurable.Moved.; - Rebooted and ran DR WEB again and it found: UACknukhtpl.dll;C:\WINDOWS\system32;BackDoor.Tdss.based;Incurable.Moved.; - Then rebooted again scanned again with DR WEB and it found: Process in memory: C:\Program Files\Dell Network Assistant\ezi_hnm2.exe:1796;;Win32.SQL.Slammer.376;Eradicated.; Process in memory: C:\Program Files\Dell Network Assistant\ezi_hnm2.exe:1796;;Win32.SQL.Slammer.376;Eradicated.; UACknukhtpl.dll;C:\WINDOWS\system32;BackDoor.Tdss.based;Incurable.Moved.; Obviously it keeps reinfecting on boot up but I can't find the root cause. Hopefully someone can provide some suggestions on how to get rid of this and get the computer working again normally. Would prefer to not to have to reformat and to have things operating normally again (like system restore etc.) Below is a log from Hijack This which I understand will help? Logfile of Trend Micro HijackThis v2.0.2Scan saved at 10:05:44 PM, on 4/14/2009Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16791)Boot mode: Normal Running processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\Windows Defender\MsMpEng.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\system32\igfxtray.exeC:\WINDOWS\system32\hkcmd.exeC:\WINDOWS\system32\igfxpers.exeC:\Program Files\Java\jre1.6.0_07\bin\jusched.exeC:\WINDOWS\RTHDCPL.EXEC:\WINDOWS\system32\igfxsrvc.exeC:\Program Files\Google\Google Desktop Search\GoogleDesktop.exeC:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exeC:\Program Files\Shaw Secure\Common\FSM32.EXEC:\Program Files\Windows Defender\MSASCui.exeC:\Program Files\Microsoft IntelliType Pro\itype.exeC:\Program Files\Microsoft IntelliPoint\ipoint.exeC:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exeC:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\Windows Live\Messenger\MsnMsgr.ExeC:\Program Files\Spybot - Search & Destroy\TeaTimer.exeC:\Program Files\Google\Google Desktop Search\GoogleDesktop.exeC:\Program Files\1-Click Answers\answers.exeC:\PROGRA~1\1-CLIC~1\agtserv.exeC:\Program Files\Dell Network Assistant\ezi_hnm2.exeC:\Program Files\FinePixViewer\QuickDCF.exeC:\Program Files\Shaw Secure\Anti-Virus\fsgk32st.exeC:\Program Files\Shaw Secure\Common\FSMA32.EXEC:\Program Files\Shaw Secure\Anti-Virus\FSGK32.EXEC:\Program Files\Dell Network Assistant\hnm_svc.exeC:\Program Files\Shaw Secure\Common\FSMB32.EXEC:\WINDOWS\system32\svchost.exeC:\Program Files\Shaw Secure\Common\FCH32.EXEC:\Program Files\Shaw Secure\Common\FAMEH32.EXEC:\Program Files\Shaw Secure\Anti-Virus\fsqh.exeC:\Program Files\Shaw Secure\FSGUI\fsguidll.exeC:\Program Files\Shaw Secure\FSAUA\program\fsaua.exeC:\Program Files\Shaw Secure\Anti-Virus\fssm32.exeC:\Program Files\Shaw Secure\FWES\Program\fsdfwd.exeC:\Program Files\Shaw Secure\FSAUA\program\fsus.exeC:\Program Files\Windows Live\Messenger\usnsvc.exeC:\Program Files\Shaw Secure\Anti-Virus\fsav32.exeC:\Program Files\Java\jre1.6.0_07\bin\jucheck.exeC:\Program Files\Messenger\msmsgs.exeC:\WINDOWS\system32\RDSHOST.exeC:\WINDOWS\system32\sessmgr.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpCtr.exeC:\Program Files\Internet Explorer\iexplore.exeC:\WINDOWS\system32	askmgr.exeC:\WINDOWS\system32\cmd.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeC:\Program Files\Shaw Secure\FSGUI\fsavgui.exeC:\Program Files\Shaw Secure\FSGUI\quaranti.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://partnerpage.google.com/smallbiz.dell.com/en_ca?hl=en&client=dell-row&channel=ca-smb&ibd=0080815R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.ca/hws/sb/dell-row/en/side.html?channel=ca-smbR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://partnerpage.google.com/smallbiz.dell.com/en_ca?hl=en&client=dell-row&channel=ca-smb&ibd=0080815R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://partnerpage.google.com/smallbiz.dell.com/en_ca?hl=en&client=dell-row&channel=ca-smb&ibd=0080815O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dllO2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dllO2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dllO2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dllO2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dllO2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dllO2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dllO2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dllO3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dllO4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exeO4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exeO4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exeO4 - HKLM\..\Run: [SunJavaUpdateSched] 'C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe'O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXEO4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXEO4 - HKLM\..\Run: [Google Desktop Search] 'C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe' /startupO4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exeO4 - HKLM\..\Run: [dscactivate] 'C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe'O4 - HKLM\..\Run: [PDVDDXSrv] 'C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe'O4 - HKLM\..\Run: [F-Secure Manager] 'C:\Program Files\Shaw Secure\Common\FSM32.EXE' /splashO4 - HKLM\..\Run: [F-Secure TNB] 'C:\Program Files\Shaw Secure\FSGUI\TNBUtil.exe' /CHECKALL /WAITFORSWO4 - HKLM\..\Run: [Adobe Reader Speed Launcher] 'C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe'O4 - HKLM\..\Run: [Windows Defender] 'C:\Program Files\Windows Defender\MSASCui.exe' -hideO4 - HKLM\..\Run: [itype] 'C:\Program Files\Microsoft IntelliType Pro\itype.exe'O4 - HKLM\..\Run: [IntelliPoint] 'C:\Program Files\Microsoft IntelliPoint\ipoint.exe'O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -uO4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUNO4 - HKCU\..\Run: [ISUSPM] 'C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe' -schedulerO4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exeO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [MsnMsgr] 'C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe' /backgroundO4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exeO4 - Global Startup: 1-Click Answers.lnk = C:\Program Files\1-Click Answers\answers.exeO4 - Global Startup: Dell Network Assistant.lnk = ?O4 - Global Startup: Exif Launcher.lnk = ?O8 - Extra context menu item: Answers... - file://C:\Program Files\1-Click Answers\Html\atiemenu.htmO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dllO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLLO9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dllO9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dllO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO16 - DPF: {3B0EA9E6-7003-4B38-B398-9B1B6DF439C5} - http://download1.answers.com/pub/AnswersSetup.cabO16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cabO16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cabO20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLLO23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\Shaw Secure\Anti-Virus\fsgk32st.exeO23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\Shaw Secure\FSAUA\program\fsaua.exeO23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Shaw Secure\FWES\Program\fsdfwd.exeO23 - Service: FSMA - F-Secure Corporation - C:\Program Files\Shaw Secure\Common\FSMA32.EXEO23 - Service: F-Secure ORSP Client (FSORSPClient) - F-Secure Corporation - C:\Program Files\Shaw Secure\ORSP Client\fsorsp.exeO23 - Service: Google Desktop Manager 5.7.801.7324 (GoogleDesktopManager-010708-104812) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exeO23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exeO23 - Service: Advanced Networking Service (hnmsvc) - SingleClick Systems - C:\Program Files\Dell Network Assistant\hnm_svc.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exeO23 - Service: LWWLicenseService - WoltersKluwerLWW - C:\Program Files\Common Files\WoltersKluwerLWW Shared\Service\LWWLicenseService.exeO23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe --End of file - 10776 bytes Hopefully someone can help us sort this out. Looking forward to your replies and if you need more information please let me know. Thanks,Steve

bamajim · Answer

Ytee Please download Malwarebytes' Anti-Malware from Here or Here Double Click mbam-setup.exe to install the application. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish. If an update is found, it will download and install the latest version. Once the program has loaded, select 'Perform Quick Scan', then click Scan. The scan may take some time to finish,so please be patient. When the scan is complete, click OK, then Show Results to view the results. Make sure that everything is checked, and click Remove Selected. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note) The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM. Copy&Paste the entire report in your next reply. Extra Note: If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

Ytee · Answer

OK, I downloaded Malwarebytes's Anti-Malware and then tried to install it. It would not launch the installer. Thinking this was a part of the infection I renamed the MBAM installer to a different file name and then ran it and was then able to install MBAM

Even after installing I could not launch MBAM. Ended up going to C:\Program Files\Malwarebytes' Anti-Malware and renamed mbam.exe to Steve_mbam.exe and ran that newly named file. MBAM then launched. From the Update Tab I was able to update MBAM and then ran the quick scan as directed. It found FOUR items. With everything selected I selected remove and then was prompted to reboot, which I did.

Attached below is the log from that scan:

Malwarebytes' Anti-Malware 1.36
Database version: 1987
Windows 5.1.2600 Service Pack 3

4/15/2009 7:22:59 PM
mbam-log-2009-04-15 (19-22-59).txt

Scan type: Quick Scan
Objects scanned: 76108
Time elapsed: 2 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a072ec12-a40b-41dd-9a1a-cdb848b70f3c} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{bd4f7a6d-0107-4bdf-b72b-021b717b06ce} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.

What should my next steps be? Should I run a full scan using MBAM?

Thanks, Steve

bamajim · Answer

Ytee

I don't see anything there that would prevent MBAM from running, so what we are looking for we have not found yet.

1. Go HERE and download File Lister.

Save it to your Desktop
Rt Click ->> Extract all ->> And extract it to your Desktop
Additional help on extracting zip files can be found HERE
Open the File Lister Folder.
Note: Leave the FileLister.vbe file in the folder and run it from there.
Rt Click FileLister.vbe ->>Select Open Then Open to confirm.
As the program runs, it will appear that nothing is happening.
When the program is fnished it will produce a log for you C:\Files.txt

Copy and paste the contents of that log in your reply.

Virus & Spyware

Was this post helpful?