LoPhatPhuud
join:2002-01-06
Albuquerque, NM

reply to Zoder

Re: [Rootkit] Tidserv Activity 2

That would indeed be the issue. I'm surprised ComboFix did not flag it.

Try running Microsoft System Sweeper and see if it will fix it.

»connect.microsoft.com/systemsweeper

I'll check for other solutions. What concerns me is that this is the 2nd infected system file found. You may want to consider backing up all data and just reformat.
--
When angry count four; when very angry, swear.
Microsoft MVP/Consumer Security 2005-2011
Gladiator Security Forum

Zoder

join:2002-04-16
Miami, FL

What was the 1st?


Zoder

join:2002-04-16
Miami, FL

I'm having a strange issue. I can't boot from the custom-made CD. It works on my other computer. It will boot from my Windows XP CD, though. There is no option in the BIOS to boot from a USB key. Any ideas?



LoPhatPhuud
join:2002-01-06
Albuquerque, NM

reply to Zoder
Not a file directly, but the registry association for .exe files had been corrupted. MBAM fixed that.

What I find intriguing is that ESET reported a bad ipsec.sys file, yet TDSS Killer, run after it, reports the same file as ok.

It's confusing to say the least. I'm trying to verify whether there are still corrupted files. System Sweeper will help.

If it returns ok, then we can attempt to repair the TCP/IP stack.


Zoder

join:2002-04-16
Miami, FL


Gotcha. Could it possibly be a new variant and that's why TDSSKiller doesn't see it as bad?

If only I could boot from CD to run System Sweeper. Not sure why it won't boot the custom CDs or a modern bootable CD like Norton 2011, but it will boot my 10-year-old copy of Windows XP. It doesn't even say it can't boot; it just goes to the next step as if I inserted a non-bootable CD.

The BIOS is too old to boot from USB or I'd try that instead.

Btw, if I move ipsec.sys to the recycling bin, a new copy is automatically spawned and placed in the system32/drivers folder.



LoPhatPhuud
join:2002-01-06
Albuquerque, NM

reply to Zoder
Unless the replacement ipsec.sys is corrupted, then that should fix the problem.

Try copying the ipsec.sys file to a computer with internet (not in the system folder, please) so we can send it to VirusTotal.

Then do the following to send it:

Please go to »www.virustotal.com/

Press the 'Browse' button to the right of the yellow box.

Navigate to the file(s) listed below, one at a time (if more than one file). Press the 'Open' button in the file dialog box or double click on the file name. The file name and path should appear in the yellow box.


ipsec.sys (from wherever you have it)


Click on the Send File button

Note: If you can't find the file, let me know in your next post.

Once the Scan is completed, a Web page will open with the scan results. Copy and paste the address of that webpage from the address bar of your browser into your next post in this thread. Note that you can also copy and paste the contents of the webpage if you find that easier.

If the file has been previously scanned, the results webpage will show:
"File has already been submitted:"

Press the "View Last Report" button then copy and paste the address of that webpage from the address bar of your browser into your next post in this thread.

If there is more than one file listed for scanning, press the Another File button at the bottom of the page. Repeat this procedure until all files listed have been scanned.


Zoder

join:2002-04-16
Miami, FL

OK, I'll do that, but I'm at a loss. I installed NIS 2012 since you said I shouldn't be unprotected when the internet comes back up, and after it finished installing, NIS contacted LiveUpdate and downloaded the updates. So the internet is working again. Not sure if it was from deleting ipsec.sys or if NIS did something when I installed it.

So let me do that submission for you and I'll post the results.


Zoder

join:2002-04-16
Miami, FL

Looks infected. »www.virustotal.com/file-scan/rep···24354275

The new file that was created is clean. So it looks like Symantec doesn't detect it yet. How do I submit it to them?

Ready for the next step. Should I delete the bad file?


Zoder

join:2002-04-16
Miami, FL

Some progress to report. Since we got the internet back up and replaced ipsec.sys, NIS 2012 has no longer been reporting the Tidserv Activity 2 alert. Browser redirects have also stopped and I can once again reach Windows Update.

The duplicate object blocked by services.exe is still occurring, but according to the Norton boards, that's a common event in Windows XP.



LoPhatPhuud
join:2002-01-06
Albuquerque, NM

reply to Zoder
Thanks for that link. Looks like an infected ipsec.sys was the problem.

The duplicate object is an annoyance, but as long as Norton has passed it, we can leave that alone.

The only remaining thing I want to do before cleanup is to have you do a full system scan with Norton. Post back and let me know the results.



zoderatwork

@sbcglobal.net

Did that in the middle of the night. No issues found. Since I can't seem to be able to run tools like Microsoft System Sweeper from boot, is there anything the tests from inside Windows could be missing that we should be concerned about before cleanup?



LoPhatPhuud
join:2002-01-06
Albuquerque, NM

reply to Zoder
System Sweeper is still in beta and does fail on some machines. I would not make anything out of the failure.

On the other hand, if the Microsoft Malicious Software Removal Tool fails to run on the monthly updates, then I would get concerned if the failure is continuous.

At this point, cleanup is the next step. Then we can see how the computer runs for the next few days. If problems arise, they can be addressed at that time.



LoPhatPhuud
join:2002-01-06
Albuquerque, NM

reply to Zoder
Cleaning Up:

Delete TFC:
  • Delete the TFC icon on your Desktop

Delete OTL:
  • Double click the OTL icon on your Desktop
  • Press the 'Cleanup' button

Delete Security Check:
  • Delete the SecurityCheck icon on your Desktop

Delete Malware Bytes:
  • We recommend that you keep MalwareBytes (MBAM) and run it every week. There is no charge to keep the program however the real time protection will stop after the trial period. Be sure to update the definitions before each use. If you decide not to keep MBAM, use Add/Remove Programs to uninstall it.

Other Programs:
  • If we asked you to install any other programs that are not removed by the OTL cleanup procedure, we will provide separate removal instructions.


Use Add/Remove Programs to uninstall Sophos AntiRootkit.

Zoder

join:2002-04-16
Miami, FL

Almost finished. I'm having trouble emptying the recycle bin. If I click Empty, it says "cannot delete Dd47: access denied". I can manually select and delete everything in the bin and it shows 0 items in the bin. But the icon still shows as if it has something in there. If I click Empty, it says there are two files in there, one being that Dd47.

Is that anything to be concerned about?



LoPhatPhuud
join:2002-01-06
Albuquerque, NM

reply to Zoder
It's probably a permissions issue.

Unlocker should be able to take care of it.

»download.cnet.com/Unlocker/3000-···998.html


Zoder

join:2002-04-16
Miami, FL

Thanks.

All done cleaning. I ran a full scan of MBAM again and got the following:

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8393

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/20/2011 4:21:11 PM
mbam-log-2011-12-20 (16-21-11).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|)
Objects scanned: 283766
Time elapsed: 1 hour(s), 27 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Not selected for removal.

Folders Infected:
(No malicious items detected)

Files Infected:
d:\documents and settings\all users\documents\new folder\new folder\new folder\Games2\X-Men\LOTUS.PIC (Extension.Mismatch) -> Not selected for removal.
d:\documents and settings\Ben\application data\Sun\Java\deployment\cache\6.0\56\2a521178-3fa4cda6 (Rootkit.0Access) -> Quarantined and deleted successfully.
f:\new folder\new folder\Games2\X-Men\LOTUS.PIC (Extension.Mismatch) -> Not selected for removal.

What do you think of that infected Java file? It wasn't there on the original scan Saturday night.
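As an added example (not from either poster), a small parser for the MBAM 1.x log format pasted above: it lists every detection, pulls out the ones left in place, and flags the PUM registry entry (the Windows Update notification setting) as the kind of item a helper would want fixed rather than skipped. The sample input is the detection section copied from the log in this thread.

```python
import re
from typing import List, NamedTuple
# Sample input: the detection sections copied from the MBAM log posted above.
MBAM_LOG = r"""
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Not selected for removal.

Folders Infected:
(No malicious items detected)

Files Infected:
d:\documents and settings\all users\documents\new folder\new folder\new folder\Games2\X-Men\LOTUS.PIC (Extension.Mismatch) -> Not selected for removal.
d:\documents and settings\Ben\application data\Sun\Java\deployment\cache\6.0\56\2a521178-3fa4cda6 (Rootkit.0Access) -> Quarantined and deleted successfully.
f:\new folder\new folder\Games2\X-Men\LOTUS.PIC (Extension.Mismatch) -> Not selected for removal.
"""

class Detection(NamedTuple):
    section: str    # e.g. "Files Infected"
    item: str       # file path or registry value
    signature: str  # MBAM detection name, e.g. "Rootkit.0Access"
    action: str     # what MBAM did with it

# "<item> (<signature>) -> <detail>"; the registry form carries "Bad: (1) Good: (0) -> <action>"
DETECT_RE = re.compile(r"^(?P<item>.+?) \((?P<sig>[^()]+)\) -> (?P<detail>.+)$")

def parse_mbam_log(text: str) -> List[Detection]:
    """Walk the detail sections of an MBAM 1.x log and return every listed detection."""
    found, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("(No malicious"):
            continue
        if line.endswith("Infected:"):  # section header; summary lines end in a count instead
            section = line[:-1]
            continue
        m = DETECT_RE.match(line)
        if section and m:
            action = m.group("detail").split(" -> ")[-1].rstrip(".")
            found.append(Detection(section, m.group("item"), m.group("sig"), action))
    return found

def unremediated(text: str) -> List[Detection]:
    """Detections the user left in place: the items a helper should ask about before cleanup."""
    return [d for d in parse_mbam_log(text) if not d.action.startswith("Quarantined")]

def needs_followup(d: Detection) -> bool:
    """PUM.* entries are changed system settings (here: update notifications turned off)."""
    return d.signature.startswith("PUM.")
```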



LoPhatPhuud
join:2002-01-06
Albuquerque, NM

reply to Zoder
Java files often give strange detects. I would not put too much concern in it unless other symptoms appear.

What does concern me is the registry detect that you elected not to fix. That controls notification that updates are available for Windows. Unless you have a pressing reason for having it turned off, run MBAM again, and this time select that entry for fix.


Zoder

join:2002-04-16
Miami, FL

Didn't mean to do that. Must have clicked it when I was unchecking the 2 other files.

Thanks so much for everything, I really appreciate it. Hopefully you won't see me here again.



LoPhatPhuud
join:2002-01-06
Albuquerque, NM

reply to Zoder
Glad to help...


over 12.5 years online © 1999-2012 dslreports.com.