From: Daave on 8 Aug 2010 09:43

I'm looking at a friend's fairly old Dell Dimension 4600c with XP Home. It runs as slow as molasses!

Out of frustration, he just bought a new Gateway with Windows 7. (I guess he had been wanting a new PC lately, anyway.) He asked me to set it up and transfer his old files to it.

I offered to take the PC home to see if I could rehab it. I will very likely reformat the hard drive and perform a Clean Install.

But before I do that, I might want to take a crack at addressing and solving the problem.

There is strong evidence malware (a trojan and/or rootkit) was/is on this system. Here is the evidence:

1. I removed the hard drive and used my PC to scan it for malware, using Avira AntiVir and MBAM. There were interesting results (at least to me):

a. A scan of the drive with Avira revealed only warnings (61), all of them stating that files beginning with "E:\WINDOWS\$NtUninstallKB..." could not be opened.

b. A scan of the drive with MBAM revealed only one infection: bottom.bmp (Spyware.Onlinegames), which was found in the Lexmark scanner/printer folder in E:\Program Files (!).

Okay, so far, not tons of evidence. But.....

c. As MBAM was scanning, Avira's guard was activated and ran. Then an alert came up! The suspicious file:

E:\WINDOWS\SYSTEM32\TDSSosvd.dat

Okay, there's something!

I found two other files beginning with TDSS in the E:\WINDOWS\SYSTEM32 folder:

TDSSfpmp.dll
TDSStkdv.log

I uploaded all of these to the Jotti's Malware Scan and VirusTotal Web sites. Although there was not anything approaching near unanimity, these files seemed potentially dangerous. See:

http://virusscan.jotti.org/en/scanresult/dc3f9018bebf7204b8c5c7e0f70f1cb0619f5124/d7d1545d9ad60f63da97dae65b169f3f19e3d074
http://virusscan.jotti.org/en/scanresult/3ab47094ace8c0ea908de0a0f1b46338ba67f589

The first one (TDSSosvd.dat) was identified by VirusTotal as TR/Agent.439 Trojan-Dropper.Agent (which also was what Avira returned).
The second one (TDSSfpmp.dll) was identified by VirusTotal as Vundo.DZC Mal/TDSSConf-A.

I'm sure there are still other nasties on this drive.

The log file was clean (just a .txt file).

2. As I was copying data, I stumbled upon a text file (avenger.txt). So at one point someone was trying to remove something. Here are the contents of that file:

<quote>
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Error: file "c:\windows\system32\drivers\TDSSmhxt.sys" not found!
Deletion of file "c:\windows\system32\drivers\TDSSmhxt.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Driver "TDSSserv.sys" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.
</quote>

Okay, so there's the evidence. :-)

I Googled for methods to deal with this trojan. It seems like I would need to run HJT and SDFix at the very least (and maybe OTMoveIt3, too). I also see that "The Avenger2 by Swandog46" (just mentioned by me above) is also recommended on this page:

http://www.bleepingcomputer.com/forums/topic177293-15.html

(FixPolicies.exe, ComboFix, and Registrar Lite are also mentioned. Wow! That's a lot of work!)

Although this may be a learning experience, I wonder if a Clean Install would be much quicker. :-)

If anyone here has experience with this particular trojan, I would appreciate input.

Thanks so much in advance!
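The offline triage in the post above (pull the drive, mount it on a clean machine, pick out the TDSS-prefixed files under SYSTEM32, hash them for a multi-engine lookup, and compare that with what the leftover avenger.txt claims was already removed) can be scripted. The block below is an added example and is not code from this thread or from any of the tools named in it. It builds a constructed stand-in for the mounted E:\ volume in a temporary directory (placeholder bytes, not malware), so the file names, the `TRIAGE_DIRS` list and the two log-line patterns are assumptions based only on what the post shows.

```python
from __future__ import annotations

import hashlib
import re
import tempfile
from pathlib import Path, PureWindowsPath

# Folders on the offline volume to sweep, relative to its mount point (E:\ in
# the post). Assumption: the TDSS files of interest live in SYSTEM32 or drivers.
TRIAGE_DIRS = ("WINDOWS/SYSTEM32", "WINDOWS/SYSTEM32/drivers")

# Constructed copy of the avenger.txt quoted in the post, used as sample input.
SAMPLE_AVENGER_LOG = r"""Logfile of The Avenger Version 2.0, (c) by Swandog46
Platform: Windows XP
Beginning to process script file:
Rootkit scan active.
No rootkits found!
Error: file "c:\windows\system32\drivers\TDSSmhxt.sys" not found!
Deletion of file "c:\windows\system32\drivers\TDSSmhxt.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Driver "TDSSserv.sys" deleted successfully.
Completed script processing.
Finished! Terminate.
"""

# Line formats are an assumption covering only the lines shown in the post.
DELETED_RE = re.compile(r'^(?:Driver|File) "([^"]+)" deleted successfully\.', re.M)
FAILED_RE = re.compile(r'^Deletion of file "([^"]+)" failed!\nStatus: (0x[0-9a-fA-F]+)', re.M)


def sha256_of(path: Path) -> str:
    """Hash a file in chunks; the digest is what you look up on VirusTotal or
    Jotti before deciding whether to upload the file itself."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_prefixed_files(mount: Path, prefix: str = "TDSS") -> list[dict]:
    """List files in TRIAGE_DIRS whose name starts with `prefix`
    (case-insensitive, as NTFS names are), with size and SHA-256."""
    hits = []
    for rel in TRIAGE_DIRS:
        folder = mount / rel
        if not folder.is_dir():
            continue
        for p in sorted(folder.iterdir()):
            if p.is_file() and p.name.lower().startswith(prefix.lower()):
                hits.append({"name": p.name,
                             "path": p.relative_to(mount).as_posix(),
                             "size": p.stat().st_size,
                             "sha256": sha256_of(p)})
    return hits


def parse_avenger_log(text: str) -> dict:
    """Extract what a previous cleanup run says it deleted and what it could
    not delete (with the NT status code)."""
    return {"deleted": DELETED_RE.findall(text),
            "failed": FAILED_RE.findall(text)}


def still_present(mount: Path, log: dict) -> list[str]:
    """Names the log claims were deleted that the sweep still finds on disk:
    the thing to check before trusting an old removal log."""
    found = {h["name"].lower() for h in find_prefixed_files(mount)}
    return [d for d in log["deleted"] if PureWindowsPath(d).name.lower() in found]


def build_sample_volume() -> Path:
    """Constructed stand-in for the mounted drive: a temp dir with the file
    names from the thread. Contents are placeholder bytes, not malware."""
    root = Path(tempfile.mkdtemp(prefix="offline_vol_"))
    sys32 = root / "WINDOWS" / "SYSTEM32"
    (sys32 / "drivers").mkdir(parents=True)
    for name in ("TDSSosvd.dat", "TDSSfpmp.dll", "TDSStkdv.log", "kernel32.dll"):
        (sys32 / name).write_bytes(b"constructed sample: " + name.encode())
    # Present on the sample disk even though the log says it was deleted.
    (sys32 / "drivers" / "TDSSserv.sys").write_bytes(b"constructed sample driver")
    (root / "avenger.txt").write_text(SAMPLE_AVENGER_LOG)
    return root


if __name__ == "__main__":
    vol = build_sample_volume()
    for hit in find_prefixed_files(vol):
        print(f"{hit['path']:40} {hit['size']:6d} {hit['sha256']}")
    log = parse_avenger_log((vol / "avenger.txt").read_text())
    print("log says deleted:", log["deleted"])
    print("log says failed :", log["failed"])
    print("claimed deleted but still on disk:", still_present(vol, log))
```

Run it against a real mount point by replacing `build_sample_volume()` with `Path("/mnt/suspect")` (or wherever the pulled drive is mounted read-only). The hash-first step matters because a digest can be checked against the scanners' existing verdicts without sending the file anywhere, and the cross-check against the old log is what tells you whether an earlier cleanup actually stuck.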
From: David H. Lipman on 8 Aug 2010 11:05

From: "Daave" <daave(a)example.com>

| I'm looking at a friend's fairly old Dell Dimension 4600c with XP Home. It runs as slow as molasses!
|
| Out of frustration, he just bought a new Gateway with Windows 7. (I guess he had been wanting a new PC lately, anyway.) He asked me to set it up and transfer his old files to it.
|
| I offered to take the PC home to see if I could rehab it. I will very likely reformat the hard drive and perform a Clean Install.
|
| But before I do that, I might want to take a crack at addressing and solving the problem.
|
| There is strong evidence malware (a trojan and/or rootkit) was/is on this system. Here is the evidence:
|
| 1. I removed the hard drive and used my PC to scan it for malware, using Avira AntiVir and MBAM. There were interesting results (at least to me):
|
| a. A scan of the drive with Avira revealed only warnings (61), all of them stating that files beginning with "E:\WINDOWS\$NtUninstallKB..." could not be opened.
|
| b. A scan of the drive with MBAM revealed only one infection: bottom.bmp (Spyware.Onlinegames), which was found in the Lexmark scanner/printer folder in E:\Program Files (!).
|
| Okay, so far, not tons of evidence. But.....
|
| c. As MBAM was scanning, Avira's guard was activated and ran. Then an alert came up! The suspicious file:
|
| E:\WINDOWS\SYSTEM32\TDSSosvd.dat
|
| Okay, there's something!
|
| I found two other files beginning with TDSS in the E:\WINDOWS\SYSTEM32 folder:
|
| TDSSfpmp.dll
| TDSStkdv.log
|
| I uploaded all of these to the Jotti's Malware Scan and VirusTotal Web sites. Although there was not anything approaching near unanimity, these files seemed potentially dangerous. See:
|
| http://virusscan.jotti.org/en/scanresult/dc3f9018bebf7204b8c5c7e0f70f1cb0619f5124/d7d1545d9ad60f63da97dae65b169f3f19e3d074
| http://virusscan.jotti.org/en/scanresult/3ab47094ace8c0ea908de0a0f1b46338ba67f589
|
| The first one (TDSSosvd.dat) was identified by VirusTotal as TR/Agent.439 Trojan-Dropper.Agent (which also was what Avira returned).
| The second one (TDSSfpmp.dll) was identified by VirusTotal as Vundo.DZC Mal/TDSSConf-A.
|
| I'm sure there are still other nasties on this drive.
|
| The log file was clean (just a .txt file).
|
| 2. As I was copying data, I stumbled upon a text file (avenger.txt). So at one point someone was trying to remove something. Here are the contents of that file:
|
| <quote>
| Logfile of The Avenger Version 2.0, (c) by Swandog46
| http://swandog46.geekstogo.com
|
| Platform: Windows XP
|
| *******************
|
| Script file opened successfully.
| Script file read successfully.
|
| Backups directory opened successfully at C:\Avenger
|
| *******************
|
| Beginning to process script file:
|
| Rootkit scan active.
| No rootkits found!
|
| Error: file "c:\windows\system32\drivers\TDSSmhxt.sys" not found!
| Deletion of file "c:\windows\system32\drivers\TDSSmhxt.sys" failed!
| Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
| --> the object does not exist
|
| Driver "TDSSserv.sys" deleted successfully.
|
| Completed script processing.
|
| *******************
|
| Finished! Terminate.
| </quote>
|
| Okay, so there's the evidence. :-)
|
| I Googled for methods to deal with this trojan. It seems like I would need to run HJT and SDFix at the very least (and maybe OTMoveIt3, too). I also see that "The Avenger2 by Swandog46" (just mentioned by me above) is also recommended on this page:
|
| http://www.bleepingcomputer.com/forums/topic177293-15.html
|
| (FixPolicies.exe, ComboFix, and Registrar Lite are also mentioned. Wow! That's a lot of work!)
|
| Although this may be a learning experience, I wonder if a Clean Install would be much quicker. :-)
|
| If anyone here has experience with this particular trojan, I would appreciate input.
|
| Thanks so much in advance!

Yeah, you found remnants of the TDSS (aka TDL3) RootKit. It is often used to protect fake anti-malware applications and is the most common RootKit found on Win32 computers.

However, you put the drive on a surrogate computer and you are moving the data off the drive to be placed on the Windows 7 based computer, so there is no problem. Since you are doing this, yes, wipe the Dell Dimension 4600c and re-install Windows XP from scratch.

I also suggest making sure the BIOS is at version A12 level and making sure you have between 1GB (PC2700) and 2GB of RAM (the max. RAM it can utilize is 2GB).

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
From: Daave on 8 Aug 2010 11:29

David H. Lipman wrote:
> From: "Daave" <daave(a)example.com>
>
>> I'm looking at a friend's fairly old Dell Dimension 4600c with XP Home. It runs as slow as molasses!
>
>> Out of frustration, he just bought a new Gateway with Windows 7. (I guess he had been wanting a new PC lately, anyway.) He asked me to set it up and transfer his old files to it.
>
>> I offered to take the PC home to see if I could rehab it. I will very likely reformat the hard drive and perform a Clean Install.
>
>> But before I do that, I might want to take a crack at addressing and solving the problem.
>
>> There is strong evidence malware (a trojan and/or rootkit) was/is on this system. Here is the evidence:
>
>> 1. I removed the hard drive and used my PC to scan it for malware, using Avira AntiVir and MBAM. There were interesting results (at least to me):
>
>> a. A scan of the drive with Avira revealed only warnings (61), all of them stating that files beginning with "E:\WINDOWS\$NtUninstallKB..." could not be opened.
>
>> b. A scan of the drive with MBAM revealed only one infection: bottom.bmp (Spyware.Onlinegames), which was found in the Lexmark scanner/printer folder in E:\Program Files (!).
>
>> Okay, so far, not tons of evidence. But.....
>
>> c. As MBAM was scanning, Avira's guard was activated and ran. Then an alert came up! The suspicious file:
>
>> E:\WINDOWS\SYSTEM32\TDSSosvd.dat
>
>> Okay, there's something!
>
>> I found two other files beginning with TDSS in the E:\WINDOWS\SYSTEM32 folder:
>
>> TDSSfpmp.dll
>> TDSStkdv.log
>
>> I uploaded all of these to the Jotti's Malware Scan and VirusTotal Web sites. Although there was not anything approaching near unanimity, these files seemed potentially dangerous. See:
>
>> http://virusscan.jotti.org/en/scanresult/dc3f9018bebf7204b8c5c7e0f70f1cb0619f5124/d7d1545d9ad60f63da97dae65b169f3f19e3d074
>
>> http://virusscan.jotti.org/en/scanresult/3ab47094ace8c0ea908de0a0f1b46338ba67f589
>
>> The first one (TDSSosvd.dat) was identified by VirusTotal as TR/Agent.439 Trojan-Dropper.Agent (which also was what Avira returned). The second one (TDSSfpmp.dll) was identified by VirusTotal as Vundo.DZC Mal/TDSSConf-A.
>
>> I'm sure there are still other nasties on this drive.
>
>> The log file was clean (just a .txt file).
>
>> 2. As I was copying data, I stumbled upon a text file (avenger.txt). So at one point someone was trying to remove something. Here are the contents of that file:
>
>> <quote>
>
>> Logfile of The Avenger Version 2.0, (c) by Swandog46
>> http://swandog46.geekstogo.com
>
>> Platform: Windows XP
>
>> *******************
>
>> Script file opened successfully.
>> Script file read successfully.
>
>> Backups directory opened successfully at C:\Avenger
>
>> *******************
>
>> Beginning to process script file:
>
>> Rootkit scan active.
>> No rootkits found!
>
>> Error: file "c:\windows\system32\drivers\TDSSmhxt.sys" not found!
>> Deletion of file "c:\windows\system32\drivers\TDSSmhxt.sys" failed!
>> Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
>> --> the object does not exist
>
>> Driver "TDSSserv.sys" deleted successfully.
>
>> Completed script processing.
>
>> *******************
>
>> Finished! Terminate.
>
>> </quote>
>
>> Okay, so there's the evidence. :-)
>
>> I Googled for methods to deal with this trojan. It seems like I would need to run HJT and SDFix at the very least (and maybe OTMoveIt3, too). I also see that "The Avenger2 by Swandog46" (just mentioned by me above) is also recommended on this page:
>
>> http://www.bleepingcomputer.com/forums/topic177293-15.html
>
>> (FixPolicies.exe, ComboFix, and Registrar Lite are also mentioned. Wow! That's a lot of work!)
>
>> Although this may be a learning experience, I wonder if a Clean Install would be much quicker. :-)
>
>> If anyone here has experience with this particular trojan, I would appreciate input.
>
>> Thanks so much in advance!
>
>
> Yeah, you found remnants of the TDSS (aka TDL3) RootKit. It is often used to protect fake anti-malware applications and is the most common RootKit found on Win32 computers.
>
> However, you put the drive on a surrogate computer and you are moving the data off the drive to be placed on the Windows 7 based computer, so there is no problem. Since you are doing this, yes, wipe the Dell Dimension 4600c and re-install Windows XP from scratch.
>
> I also suggest making sure the BIOS is at version A12 level and making sure you have between 1GB (PC2700) and 2GB of RAM (the max. RAM it can utilize is 2GB).

Thanks for the suggestions.

I suppose you believe that a Clean Install is the correct course of action? At least, it would guarantee the complete removal of this rootkit!

Then again, if I wanted to get some experience in attempting to remove it, what would you recommend? Is this page useful:

http://support.kaspersky.com/viruses/solutions?qid=208280684

Or would I need to run HJT and solicit expert assistance, using all the programs mentioned above?

What would be the disadvantage of not upgrading the BIOS? Can you post a link to the *best* method to upgrade the BIOS for this PC? Also, according to this page:

http://support.dell.com/support/downloads/driverslist.aspx?c=us&cs=19&l=en&s=dhs&ServiceTag=GC0SM41&SystemID=DIM_P4_4600C&os=WW1&osl=en&catid=&impid=

the most recent BIOS update for this particular Dell is A09. Would A12 work?

For the A09 BIOS, I found these instructions on the Dell site:

NOTE: You will need to provide a bootable DOS diskette. This executable file does not create the MS DOS system files.

Copy the file D460CA09.EXE to a bootable floppy.
Boot from the floppy to the MS DOS prompt.
Run the file by typing Y:\D460CA09.EXE (where y is the drive letter where the executable is located).

Sound right? Or is there a better method? This page also mentions using Windows:

http://support.dell.com/support/downloads/download.aspx?c=us&cs=19&l=en&s=dhs&releaseid=R84098&SystemID=DIM_P4_4600C&servicetag=GC0SM41&os=WW1&osl=en&deviceid=308&devlib=0&typecnt=0&vercnt=8&catid=-1&impid=-1&formatcnt=0&libid=1&typeid=-1&dateid=-1&formatid=-1&source=-1&fileid=110558

Thanks again!
From: David H. Lipman on 8 Aug 2010 12:05

From: "Daave" <daave(a)example.com>

<snip>

>> However, you put the drive on a surrogate computer and you are moving the data off the drive to be placed on the Windows 7 based computer, so there is no problem. Since you are doing this, yes, wipe the Dell Dimension 4600c and re-install Windows XP from scratch.

>> I also suggest making sure the BIOS is at version A12 level and making sure you have between 1GB (PC2700) and 2GB of RAM (the max. RAM it can utilize is 2GB).

| Thanks for the suggestions.
|
| I suppose you believe that a Clean Install is the correct course of action? At least, it would guarantee the complete removal of this rootkit!
|
| Then again, if I wanted to get some experience in attempting to remove it, what would you recommend? Is this page useful:
|
| http://support.kaspersky.com/viruses/solutions?qid=208280684
|
| Or would I need to run HJT and solicit expert assistance, using all the programs mentioned above?
|
| What would be the disadvantage of not upgrading the BIOS? Can you post a link to the *best* method to upgrade the BIOS for this PC? Also, according to this page:
|
| http://support.dell.com/support/downloads/driverslist.aspx?c=us&cs=19&l=en&s=dhs&ServiceTag=GC0SM41&SystemID=DIM_P4_4600C&os=WW1&osl=en&catid=&impid=
|
| the most recent BIOS update for this particular Dell is A09. Would A12 work?
|
| For the A09 BIOS, I found these instructions on the Dell site:
|
| NOTE: You will need to provide a bootable DOS diskette. This executable file does not create the MS DOS system files.
|
| Copy the file D460CA09.EXE to a bootable floppy.
| Boot from the floppy to the MS DOS prompt.
| Run the file by typing Y:\D460CA09.EXE (where y is the drive letter where the executable is located).
|
| Sound right? Or is there a better method? This page also mentions using Windows:
|
| http://support.dell.com/support/downloads/download.aspx?c=us&cs=19&l=en&s=dhs&releaseid=R84098&SystemID=DIM_P4_4600C&servicetag=GC0SM41&os=WW1&osl=en&deviceid=308&devlib=0&typecnt=0&vercnt=8&catid=-1&impid=-1&formatcnt=0&libid=1&typeid=-1&dateid=-1&formatid=-1&source=-1&fileid=110558
|
| Thanks again!

Well, if you want to gain experience then I suggest using the following: GMER, Norman TDSS Cleaner and/or Kaspersky's TDSSKiller.

http://www.gmer.net/
http://download.norman.no/public/Norman_TDSS_Cleaner.exe

Then after you have had your fun, wipe it and re-install anyway.

All the drivers are at: http://support.dell.com

The instructions for the BIOS upgrade are correct and there should be NO problem bringing it from A09 to A12.

The advantages are to make sure that whatever was fixed or corrected in BIOS vA12 is applied, and it is a good idea especially when adding RAM. I strongly believe that the Dell Dimension 4600c that you are working on only has 256MB or 512MB. A 1GB PC2700 module goes for around $45.00 and is worth it.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
From: Daave on 8 Aug 2010 13:01
David H. Lipman wrote:
> Well, if you want to gain experience then I suggest using the following: GMER, Norman TDSS Cleaner and/or Kaspersky's TDSSKiller.
>
> http://www.gmer.net/
> http://download.norman.no/public/Norman_TDSS_Cleaner.exe
>
> Then after you have had your fun, wipe it and re-install anyway.

LOL

> All the drivers are at: http://support.dell.com
>
> The instructions for the BIOS upgrade are correct and there should be NO problem bringing it from A09 to A12.
>
> The advantages are to make sure that whatever was fixed or corrected in BIOS vA12 is applied, and it is a good idea especially when adding RAM. I strongly believe that the Dell Dimension 4600c that you are working on only has 256MB or 512MB. A 1GB PC2700 module goes for around $45.00 and is worth it.

Thanks much.