TDSSosvd.dat TR/Agent.439 was found

[Daave]

I'm looking at a friend's fairly old Dell Dimension 4600c with XP Home.
It runs as slow as molasses!

Out of frustration, he just bought a new Gateway with Windows 7. (I
guess he had been wanting a new PC lately, anyway.) He asked me to set
it up and transfer his old files to it.

I offered to take the PC home to see if I could rehab it. I will very
likely reformat the hard drive and perform a Clean Install.

But before I do that, I might want to take a crack at addressing and
solving the problem.

There is strong evidence malware (a trojan and/or rootkit) was/is on
this system. Here is the evidence:

1. I removed the hard drive and used my PC to scan it for malware, using
Avira AntiVir and MBAM. There were interesting results (at least to me):

a. A scan of the drive with Avira revealed only warnings (61), all of
them stating that files beginning with "E:\WINDOWS\$NtUninstallKB..."
could not be opened.

b. A scan of the drive with MBAM revealed only one infection: bottom.bmp
(Spyware.Onlinegames), which was found in the Lexmark scanner/printer
folder in E:\Program Files (!).

Okay, so far, not tons of evidence. But.....

c. As MBAM was scanning, Avira's guard was activated and ran. Then an
alert came up! The suspicious file:

E:\WINDOWS\SYSTEM32\TDSSosvd.dat

Okay, there's something!

I found two other files beginning with TDSS in the E:\WINDOWS\SYSTEM32
folder:

TDSSfpmp.dll
TDSStkdv.log

I uploaded all of these to the Jotti's Malware Scan and VirusTotal Web
sites. Although there was not anything approaching near unanimity, these
files seemed potentially dangerous. See:

http://virusscan.jotti.org/en/scanre...169f3f19e3d074

http://virusscan.jotti.org/en/scanre...b46338ba67f589

The first one (TDSSosvd.dat) was identified by VirusTotal as
TR/Agent.439 Trojan-Dropper.Agent (which also was what Avira returned).
The second one (TDSSfpmp.dll) was identified by VirusTotal as Vundo.DZC
Mal/TDSSConf-A.

I'm sure there are still other nasties on this drive.

The log file was clean (just a .txt file).

2. As I was copying data, I stumbled upon a text file (avenger.txt). So
at one point someone was trying to remove something. Here are the
contents of that file:

<quote>

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: file "c:\windows\system32\drivers\TDSSmhxt.sys" not found!
Deletion of file "c:\windows\system32\drivers\TDSSmhxt.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Driver "TDSSserv.sys" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

</quote>

Okay, so there's the evidence. :-)

I Googled for methods to deal with this trojan. It seems like I would
need to run HJT and SDFix at the very least (and maybe OTMoveIt3, too).
I also see that "The Avenger2 by Swandog46" (just mentioned by me above)
is also recommended on this page:

http://www.bleepingcomputer.com/foru...177293-15.html

(FixPolicies.exe, ComboFix, and Registar Lite are also mentioned. Wow!
That's a lot of work!)

Although this may be a learning experience, I wonder if a Clean Install
would be much quicker. :-)

If anyone here has experience with this particular trojan, I would
appreciate input.

Thanks so much in advance!

[David H. Lipman]

From: "Daave" <daave@example.com>

| I'm looking at a friend's fairly old Dell Dimension 4600c with XP Home.
| It runs as slow as molasses!

| Out of frustration, he just bought a new Gateway with Windows 7. (I
| guess he had been wanting a new PC lately, anyway.) He asked me to set
| it up and transfer his old files to it.

| I offered to take the PC home to see if I could rehab it. I will very
| likely reformat the hard drive and perform a Clean Install.

| But before I do that, I might want to take a crack at addressing and
| solving the problem.

| There is strong evidence malware (a trojan and/or rootkit) was/is on
| this system. Here is the evidence:

| 1. I removed the hard drive and used my PC to scan it for malware, using
| Avira AntiVir and MBAM. There were interesting results (at least to me):

| a. A scan of the drive with Avira revealed only warnings (61), all of
| them stating that files beginning with "E:\WINDOWS\$NtUninstallKB..."
| could not be opened.

| b. A scan of the drive with MBAM revealed only one infection: bottom.bmp
| (Spyware.Onlinegames), which was found in the Lexmark scanner/printer
| folder in E:\Program Files (!).

| Okay, so far, not tons of evidence. But.....

| c. As MBAM was scanning, Avira's guard was activated and ran. Then an
| alert came up! The suspicious file:

| E:\WINDOWS\SYSTEM32\TDSSosvd.dat

| Okay, there's something!

| I found two other files beginning with TDSS in the E:\WINDOWS\SYSTEM32
| folder:

| TDSSfpmp.dll
| TDSStkdv.log

| I uploaded all of these to the Jotti's Malware Scan and VirusTotal Web
| sites. Although there was not anything approaching near unanimity, these
| files seemed potentially dangerous. See:

| http://virusscan.jotti.org/en/scanre...f1cb0619f5124/
| d7d1545d9ad60f63da97dae65b169f3f19e3d074

| http://virusscan.jotti.org/en/scanre...b46338ba67f589

| The first one (TDSSosvd.dat) was identified by VirusTotal as
| TR/Agent.439 Trojan-Dropper.Agent (which also was what Avira returned).
| The second one (TDSSfpmp.dll) was identified by VirusTotal as Vundo.DZC
| Mal/TDSSConf-A.

| I'm sure there are still other nasties on this drive.

| The log file was clean (just a .txt file).

| 2. As I was copying data, I stumbled upon a text file (avenger.txt). So
| at one point someone was trying to remove something. Here are the
| contents of that file:

| <quote>

| Logfile of The Avenger Version 2.0, (c) by Swandog46
| http://swandog46.geekstogo.com

| Platform: Windows XP

| *******************

| Script file opened successfully.
| Script file read successfully.

| Backups directory opened successfully at C:\Avenger

| *******************

| Beginning to process script file:

| Rootkit scan active.
| No rootkits found!


| Error: file "c:\windows\system32\drivers\TDSSmhxt.sys" not found!
| Deletion of file "c:\windows\system32\drivers\TDSSmhxt.sys" failed!
| Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
| --> the object does not exist

| Driver "TDSSserv.sys" deleted successfully.

| Completed script processing.

| *******************

| Finished! Terminate.

| </quote>

| Okay, so there's the evidence. :-)

| I Googled for methods to deal with this trojan. It seems like I would
| need to run HJT and SDFix at the very least (and maybe OTMoveIt3, too).
| I also see that "The Avenger2 by Swandog46" (just mentioned by me above)
| is also recommended on this page:

| http://www.bleepingcomputer.com/foru...177293-15.html

| (FixPolicies.exe, ComboFix, and Registar Lite are also mentioned. Wow!
| That's a lot of work!)

| Although this may be a learning experience, I wonder if a Clean Install
| would be much quicker. :-)

| If anyone here has experience with this particular trojan, I would
| appreciate input.

| Thanks so much in advance!


Yeah, you found remanants of the TDSS (aka; TDL3) RootKit. It is often used to protect
fake anti malware applications and is the most common RootKit found on Win32 computers.

However, you put the drive on a surrogate computer and you are moving the data off the
drive to be placed on the Windows 7 based computer so there is no problem. Since you ar
doing this, yes, wipe the Dell Dimension 4600c and re-inastall Windows XP from scratch.

I also suggest making sure the BIOS is at version A12 level and making sure you have
between 1GB (PC2700) and 2GB of RAM (the max. RAM it can utilize is 2GB).

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

[Daave]

David H. Lipman wrote:
> From: "Daave" <daave@example.com>
>
>> I'm looking at a friend's fairly old Dell Dimension 4600c with XP
>> Home. It runs as slow as molasses!
>
>> Out of frustration, he just bought a new Gateway with Windows 7. (I
>> guess he had been wanting a new PC lately, anyway.) He asked me to
>> set it up and transfer his old files to it.
>
>> I offered to take the PC home to see if I could rehab it. I will very
>> likely reformat the hard drive and perform a Clean Install.
>
>> But before I do that, I might want to take a crack at addressing and
>> solving the problem.
>
>> There is strong evidence malware (a trojan and/or rootkit) was/is on
>> this system. Here is the evidence:
>
>> 1. I removed the hard drive and used my PC to scan it for malware,
>> using Avira AntiVir and MBAM. There were interesting results (at
>> least to me):
>
>> a. A scan of the drive with Avira revealed only warnings (61), all of
>> them stating that files beginning with "E:\WINDOWS\$NtUninstallKB..."
>> could not be opened.
>
>> b. A scan of the drive with MBAM revealed only one infection:
>> bottom.bmp (Spyware.Onlinegames), which was found in the Lexmark
>> scanner/printer folder in E:\Program Files (!).
>
>> Okay, so far, not tons of evidence. But.....
>
>> c. As MBAM was scanning, Avira's guard was activated and ran. Then an
>> alert came up! The suspicious file:
>
>> E:\WINDOWS\SYSTEM32\TDSSosvd.dat
>
>> Okay, there's something!
>
>> I found two other files beginning with TDSS in the
>> E:\WINDOWS\SYSTEM32 folder:
>
>> TDSSfpmp.dll
>> TDSStkdv.log
>
>> I uploaded all of these to the Jotti's Malware Scan and VirusTotal
>> Web sites. Although there was not anything approaching near
>> unanimity, these files seemed potentially dangerous. See:
>
>> http://virusscan.jotti.org/en/scanre...f1cb0619f5124/
>> d7d1545d9ad60f63da97dae65b169f3f19e3d074
>
>> http://virusscan.jotti.org/en/scanre...b46338ba67f589
>
>> The first one (TDSSosvd.dat) was identified by VirusTotal as
>> TR/Agent.439 Trojan-Dropper.Agent (which also was what Avira
>> returned). The second one (TDSSfpmp.dll) was identified by
>> VirusTotal as Vundo.DZC Mal/TDSSConf-A.
>
>> I'm sure there are still other nasties on this drive.
>
>> The log file was clean (just a .txt file).
>
>> 2. As I was copying data, I stumbled upon a text file (avenger.txt).
>> So at one point someone was trying to remove something. Here are the
>> contents of that file:
>
>> <quote>
>
>> Logfile of The Avenger Version 2.0, (c) by Swandog46
>> http://swandog46.geekstogo.com
>
>> Platform: Windows XP
>
>> *******************
>
>> Script file opened successfully.
>> Script file read successfully.
>
>> Backups directory opened successfully at C:\Avenger
>
>> *******************
>
>> Beginning to process script file:
>
>> Rootkit scan active.
>> No rootkits found!
>
>
>> Error: file "c:\windows\system32\drivers\TDSSmhxt.sys" not found!
>> Deletion of file "c:\windows\system32\drivers\TDSSmhxt.sys" failed!
>> Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
>> --> the object does not exist
>
>> Driver "TDSSserv.sys" deleted successfully.
>
>> Completed script processing.
>
>> *******************
>
>> Finished! Terminate.
>
>> </quote>
>
>> Okay, so there's the evidence. :-)
>
>> I Googled for methods to deal with this trojan. It seems like I would
>> need to run HJT and SDFix at the very least (and maybe OTMoveIt3,
>> too). I also see that "The Avenger2 by Swandog46" (just mentioned by
>> me above) is also recommended on this page:
>
>> http://www.bleepingcomputer.com/foru...177293-15.html
>
>> (FixPolicies.exe, ComboFix, and Registar Lite are also mentioned.
>> Wow! That's a lot of work!)
>
>> Although this may be a learning experience, I wonder if a Clean
>> Install would be much quicker. :-)
>
>> If anyone here has experience with this particular trojan, I would
>> appreciate input.
>
>> Thanks so much in advance!
>
>
> Yeah, you found remanants of the TDSS (aka; TDL3) RootKit. It is
> often used to protect fake anti malware applications and is the most
> common RootKit found on Win32 computers.
>
> However, you put the drive on a surrogate computer and you are moving
> the data off the drive to be placed on the Windows 7 based computer
> so there is no problem. Since you ar doing this, yes, wipe the Dell
> Dimension 4600c and re-inastall Windows XP from scratch.
>
> I also suggest making sure the BIOS is at version A12 level and
> making sure you have between 1GB (PC2700) and 2GB of RAM (the max.
> RAM it can utilize is 2GB).

Thanks for the suggestions.

I suppose you believe that a Clean Install is the correct course of
action? At least, it would guarantee the complete removal of this
rootkit!

Then again, if I wanted to get some experience in attempting to remove
it, what would you recommend? Is this page useful:

http://support.kaspersky.com/viruses...?qid=208280684

Or would I need to run HJT and solicit expert assistance, using all the
programs mentioned above?

What would be the disadvantage of not upgrading the BIOS? Can you post a
link to the *best* method to upgrade the BIOS for this PC? Also,
according to this page:

http://support.dell.com/support/down...&catid=&impid=

the most recent BIOS update for this particular Dell is A09. Would A12
work?

For the A09 BIOS, I found these instructions on the Dell site:

NOTE:You will need to provide a bootable DOS diskette. This executable
file does not create the MS DOS system files.

Copy the file D460CA09.EXE to a bootable floppy.

Boot from the floppy to the MS DOS prompt.

Run the file by typing Y:\D460CA09.EXE (where y is the drive letter
where the executable is located).

Sound right? Or is there a better method? This page also mentions using
Windows:

http://support.dell.com/support/down...&fileid=110558

Thanks again!

[David H. Lipman]

From: "Daave" <daave@example.com>

<snip >

>> However, you put the drive on a surrogate computer and you are moving
>> the data off the drive to be placed on the Windows 7 based computer
>> so there is no problem. Since you ar doing this, yes, wipe the Dell
>> Dimension 4600c and re-inastall Windows XP from scratch.

>> I also suggest making sure the BIOS is at version A12 level and
>> making sure you have between 1GB (PC2700) and 2GB of RAM (the max.
>> RAM it can utilize is 2GB).

| Thanks for the suggestions.

| I suppose you believe that a Clean Install is the correct course of
| action? At least, it would guarantee the complete removal of this
| rootkit!

| Then again, if I wanted to get some experience in attempting to remove
| it, what would you recommend? Is this page useful:

| http://support.kaspersky.com/viruses...?qid=208280684

| Or would I need to run HJT and solicit expert assistance, using all the
| programs mentioned above?

| What would be the disadvantage of not upgrading the BIOS? Can you post a
| link to the *best* method to upgrade the BIOS for this PC? Also,
| according to this page:

| http://support.dell.com/support/down...19&l=en&s=dhs&
| ServiceTag=GC0SM41&SystemID=DIM_P4_4600C&os=WW1&os l=en&catid=&impid=

| the most recent BIOS update for this particular Dell is A09. Would A12
| work?

| For the A09 BIOS, I found these instructions on the Dell site:

| NOTE:You will need to provide a bootable DOS diskette. This executable
| file does not create the MS DOS system files.

| Copy the file D460CA09.EXE to a bootable floppy.

| Boot from the floppy to the MS DOS prompt.

| Run the file by typing Y:\D460CA09.EXE (where y is the drive letter
| where the executable is located).

| Sound right? Or is there a better method? This page also mentions using
| Windows:

| http://support.dell.com/support/down...dhs&releaseid=
| R84098&SystemID=DIM_P4_4600C&servicetag=GC0SM41&os =WW1&osl=en&deviceid=308&devlib=0&
| typecnt=0&vercnt=8&catid=-1&impid=-1&formatcnt=0&libid=1&typeid=-1&dateid=-1&formatid=-
| 1&source=-1&fileid=110558

| Thanks again!

Well, if you want to gain experince then I suggest using the following; GMer, Norman TSS
Cleaner and/or Kaspersky's TDSSKiller

http://www.gmer.net/
http://download.norman.no/public/Nor...SS_Cleaner.exe

Then after you had you fun, wipe it and re-install anyway. All the drivers are at;
http://support.dell.com

The instructions for the BIOS upgrade are correct and there should be NO problem bringing
it from A09 to A12.

The advantages are to make sure that whatever was fixed or corrected in BIOS vA12 is
applied and it is a good idea especially when adding RAM. I strongly believe that the Dell
Dimension 4600c that you are working on only has 256MB or 512MB. A 1GB PC2700 module goes
for around $45.00 and is worth it.



--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

[Daave]

David H. Lipman wrote:

> Well, if you want to gain experince then I suggest using the
> following; GMer, Norman TSS Cleaner and/or Kaspersky's TDSSKiller
>
> http://www.gmer.net/
> http://download.norman.no/public/Nor...SS_Cleaner.exe
>
> Then after you had you fun, wipe it and re-install anyway.

LOL

> All the drivers are at; http://support.dell.com
>
> The instructions for the BIOS upgrade are correct and there should be
> NO problem bringing it from A09 to A12.
>
> The advantages are to make sure that whatever was fixed or corrected
> in BIOS vA12 is applied and it is a good idea especially when adding
> RAM. I strongly believe that the Dell Dimension 4600c that you are
> working on only has 256MB or 512MB. A 1GB PC2700 module goes for
> around $45.00 and is worth it.

Thanks much.

[Daave]

David H. Lipman wrote:

> Well, if you want to gain experince then I suggest using the
> following; GMer, Norman TSS Cleaner and/or Kaspersky's TDSSKiller
>
> http://www.gmer.net/
> http://download.norman.no/public/Nor...SS_Cleaner.exe

Do they have to be installed on the infected PC? Or could I install and
run them on my good PC, scanning the infected drive like I did ealier
with Avira and MBAM?

I ask because I am not familiar with these programs and didn't know if
they had the feature to scan other drives.

[David H. Lipman]

From: "Daave" <daave@example.com>

| David H. Lipman wrote:

>> Well, if you want to gain experince then I suggest using the
>> following; GMer, Norman TSS Cleaner and/or Kaspersky's TDSSKiller

>> http://www.gmer.net/
>> http://download.norman.no/public/Nor...SS_Cleaner.exe

| Do they have to be installed on the infected PC? Or could I install and
| run them on my good PC, scanning the infected drive like I did ealier
| with Avira and MBAM?

| I ask because I am not familiar with these programs and didn't know if
| they had the feature to scan other drives.


If you scan a suspect hard drive through a surrogate PC, it will find malware that may
well be hidden and protected via RootKit techniques more readily. But it will do so ONLY
at the file level of the suspect hard drive. any scanning of the Registry is the Registry
of the surrogate PC and not the Registry of the OS the suspect drive represents. When
scanning via a surrogate PC, standard anti malware software can be used.

When scanning a suspect computer you will have to use anti rootkit software, if a RootKit
is suspected, because the OS of the suspect computer is actually running and thus the
RootKit would also be running and thus protecting itself and hiding from standard anti
malware software.



--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

[Daave]

David H. Lipman wrote:
> If you scan a suspect hard drive through a surrogate PC, it will find
> malware that may well be hidden and protected via RootKit techniques
> more readily. But it will do so ONLY at the file level of the
> suspect hard drive. any scanning of the Registry is the Registry of
> the surrogate PC and not the Registry of the OS the suspect drive
> represents.

This confuses me. If I scan the *entire* drive, am I not by definition
scanning the registry on the suspect drive? The registry I'm pretty sure
would be here:

E:\WINDOWS\system32\config

Data is data, no?

[David H. Lipman]

From: "Daave" <daave@example.com>

| David H. Lipman wrote:
>> If you scan a suspect hard drive through a surrogate PC, it will find
>> malware that may well be hidden and protected via RootKit techniques
>> more readily. But it will do so ONLY at the file level of the
>> suspect hard drive. any scanning of the Registry is the Registry of
>> the surrogate PC and not the Registry of the OS the suspect drive
>> represents.

| This confuses me. If I scan the *entire* drive, am I not by definition
| scanning the registry on the suspect drive? The registry I'm pretty sure
| would be here:

| E:\WINDOWS\system32\config

| Data is data, no?


No. Infact the User Hive isn't there, it is in the User's Profle.

The OS of the surrogate PC can't tell that the suspect hard disk is from another computer
or just another drive for the surrugate. Therefore the anti malware scanner will scan the
surrogate OS' Registry and not the Registry of the affected drive.

Example: Take an Outlook PST. The vast majority can not by themselves scan a PST. You
have to load MS Outlook and a MAPI compliant AV scanner and THEN you can scan the contents
of the PST.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

[Daave]

David H. Lipman wrote:
> From: "Daave" <daave@example.com>
>
>> David H. Lipman wrote:
>>> If you scan a suspect hard drive through a surrogate PC, it will
>>> find malware that may well be hidden and protected via RootKit
>>> techniques more readily. But it will do so ONLY at the file level
>>> of the suspect hard drive. any scanning of the Registry is the
>>> Registry of the surrogate PC and not the Registry of the OS the
>>> suspect drive represents.
>
>> This confuses me. If I scan the *entire* drive, am I not by
>> definition scanning the registry on the suspect drive? The registry
>> I'm pretty sure would be here:
>
>> E:\WINDOWS\system32\config
>
>> Data is data, no?
>
>
> No. Infact the User Hive isn't there, it is in the User's Profle.
>
> The OS of the surrogate PC can't tell that the suspect hard disk is
> from another computer or just another drive for the surrugate.
> Therefore the anti malware scanner will scan the surrogate OS'
> Registry and not the Registry of the affected drive.
>
> Example: Take an Outlook PST. The vast majority can not by
> themselves scan a PST. You have to load MS Outlook and a MAPI
> compliant AV scanner and THEN you can scan the contents of the PST.

Didn't know that. Thanks for the explanation.