From: "Daave" <daave@example.com>
| I'm looking at a friend's fairly old Dell Dimension 4600c with XP Home.
| It runs as slow as molasses!
| Out of frustration, he just bought a new Gateway with Windows 7. (I
| guess he had been wanting a new PC lately, anyway.) He asked me to set
| it up and transfer his old files to it.
| I offered to take the PC home to see if I could rehab it. I will very
| likely reformat the hard drive and perform a Clean Install.
| But before I do that, I might want to take a crack at addressing and
| solving the problem.
| There is strong evidence malware (a trojan and/or rootkit) was/is on
| this system. Here is the evidence:
| 1. I removed the hard drive and used my PC to scan it for malware, using
| Avira AntiVir and MBAM. There were interesting results (at least to me):
| a. A scan of the drive with Avira revealed only warnings (61), all of
| them stating that files beginning with "E:\WINDOWS\$NtUninstallKB..."
| could not be opened.
| b. A scan of the drive with MBAM revealed only one infection: bottom.bmp
| (Spyware.Onlinegames), which was found in the Lexmark scanner/printer
| folder in E:\Program Files (!).
| Okay, so far, not tons of evidence. But.....
| c. As MBAM was scanning, Avira's guard was activated and ran. Then an
| alert came up! The suspicious file:
| E:\WINDOWS\SYSTEM32\TDSSosvd.dat
| Okay, there's something!
| I found two other files beginning with TDSS in the E:\WINDOWS\SYSTEM32
| folder:
| TDSSfpmp.dll
| TDSStkdv.log
| I uploaded all of these to the Jotti's Malware Scan and VirusTotal Web
| sites. Although there was not anything approaching near unanimity, these
| files seemed potentially dangerous. See:
| http://virusscan.jotti.org/en/scanre...f1cb0619f5124/
| d7d1545d9ad60f63da97dae65b169f3f19e3d074
| http://virusscan.jotti.org/en/scanre...b46338ba67f589
| The first one (TDSSosvd.dat) was identified by VirusTotal as
| TR/Agent.439 Trojan-Dropper.Agent (which also was what Avira returned).
| The second one (TDSSfpmp.dll) was identified by VirusTotal as Vundo.DZC
| Mal/TDSSConf-A.
| I'm sure there are still other nasties on this drive.
| The log file was clean (just a .txt file).
| 2. As I was copying data, I stumbled upon a text file (avenger.txt). So
| at one point someone was trying to remove something. Here are the
| contents of that file:
| <quote>
| Logfile of The Avenger Version 2.0, (c) by Swandog46
| http://swandog46.geekstogo.com
| Platform: Windows XP
| *******************
| Script file opened successfully.
| Script file read successfully.
| Backups directory opened successfully at C:\Avenger
| *******************
| Beginning to process script file:
| Rootkit scan active.
| No rootkits found!
| Error: file "c:\windows\system32\drivers\TDSSmhxt.sys" not found!
| Deletion of file "c:\windows\system32\drivers\TDSSmhxt.sys" failed!
| Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
| --> the object does not exist
| Driver "TDSSserv.sys" deleted successfully.
| Completed script processing.
| *******************
| Finished! Terminate.
| </quote>
| Okay, so there's the evidence. :-)
| I Googled for methods to deal with this trojan. It seems like I would
| need to run HJT and SDFix at the very least (and maybe OTMoveIt3, too).
| I also see that "The Avenger2 by Swandog46" (just mentioned by me above)
| is also recommended on this page:
| http://www.bleepingcomputer.com/foru...177293-15.html
| (FixPolicies.exe, ComboFix, and Registrar Lite are also mentioned. Wow!
| That's a lot of work!)
| Although this may be a learning experience, I wonder if a Clean Install
| would be much quicker. :-)
| If anyone here has experience with this particular trojan, I would
| appreciate input.
| Thanks so much in advance!
Yeah, you found remnants of the TDSS (aka TDL3) RootKit. It is often used to protect
fake anti-malware applications and is the most common RootKit found on Win32 computers.
However, you put the drive on a surrogate computer and you are moving the data off the
drive to be placed on the Windows 7 based computer so there is no problem. Since you are
doing this, yes, wipe the Dell Dimension 4600c and re-install Windows XP from scratch.
I also suggest making sure the BIOS is at version A12 level and making sure you have
between 1GB (PC2700) and 2GB of RAM (the max. RAM it can utilize is 2GB).
--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
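The triage the original poster did by hand (scan the drive from a surrogate machine, pick out the TDSS-prefixed files under WINDOWS\SYSTEM32, hash them for VirusTotal/Jotti, and read the old Avenger log to see what an earlier cleanup had already deleted or failed to find) can be scripted. The block below is an added example written for this page, not code from either poster or from any of the tools they name. It assumes the suspect disk is mounted on the surrogate at some root path (E:\ in the post; here a constructed temporary directory with dummy file contents), that the artifacts follow the TDSS + four-letter naming seen in the post, and that the Avenger log lines have the exact shape quoted above. Scanning from a surrogate is what makes a name-based sweep meaningful at all, since a live rootkit can hide its own files from tools run on the infected system.

```python
"""Offline triage of a suspect Windows drive for TDSS-style artifacts.

Added example, not code from the thread. Assumptions: the suspect disk is
mounted on a surrogate machine at `root`; dropped files live under
WINDOWS\\SYSTEM32 and WINDOWS\\SYSTEM32\\drivers and are named
TDSS + 4 letters (as in the post); Avenger log lines match the quoted shape.
"""
import hashlib
import os
import re
import tempfile

# Directories the post found TDSS files in (SYSTEM32) plus the drivers
# directory the Avenger script targeted.
SUSPECT_DIRS = (
    os.path.join("WINDOWS", "SYSTEM32"),
    os.path.join("WINDOWS", "SYSTEM32", "drivers"),
)
# Names from the post: TDSSosvd.dat, TDSSfpmp.dll, TDSStkdv.log, TDSSserv.sys,
# TDSSmhxt.sys -- a fixed prefix plus four random letters.
TDSS_NAME = re.compile(r"^TDSS[a-z]{4}\.(dat|dll|log|sys)$", re.IGNORECASE)


def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks; the digest is what you submit to a multi-engine scanner."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep_offline_drive(root):
    """Return {relative_path: sha256} for TDSS-named files in SUSPECT_DIRS.

    Only the known drop directories are listed (not the whole drive), so the
    sweep stays fast even on a large surrogate-mounted disk."""
    hits = {}
    for sub in SUSPECT_DIRS:
        directory = os.path.join(root, sub)
        if not os.path.isdir(directory):
            continue
        for name in os.listdir(directory):
            full = os.path.join(directory, name)
            if os.path.isfile(full) and TDSS_NAME.match(name):
                hits[os.path.join(sub, name)] = sha256_of(full)
    return hits


# Line shapes taken verbatim from the Avenger log quoted in the post.
AVENGER_DELETED = re.compile(r'^Driver "([^"]+)" deleted successfully\.$')
AVENGER_MISSING = re.compile(r'^Error: file "([^"]+)" not found!$')


def parse_avenger_log(text):
    """Extract what a prior cleanup removed and what it could not find."""
    deleted, missing = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = AVENGER_DELETED.match(line)
        if m:
            deleted.append(m.group(1))
            continue
        m = AVENGER_MISSING.match(line)
        if m:
            missing.append(m.group(1))
    return {"deleted": deleted, "missing": missing}


def build_sample_drive():
    """Constructed fixture: the SYSTEM32 layout from the post with dummy contents."""
    root = tempfile.mkdtemp(prefix="suspect_")
    sys32 = os.path.join(root, "WINDOWS", "SYSTEM32")
    os.makedirs(os.path.join(sys32, "drivers"))
    for name, body in (
        ("TDSSosvd.dat", b"dummy dropper body"),
        ("TDSSfpmp.dll", b"dummy config body"),
        ("TDSStkdv.log", b"plain text log"),
        ("kernel32.dll", b"legitimate file, must not be flagged"),
    ):
        with open(os.path.join(sys32, name), "wb") as f:
            f.write(body)
    return root


# Constructed sample: the relevant lines of the avenger.txt quoted in the post.
SAMPLE_AVENGER_LOG = """Rootkit scan active.
No rootkits found!
Error: file "c:\\windows\\system32\\drivers\\TDSSmhxt.sys" not found!
Deletion of file "c:\\windows\\system32\\drivers\\TDSSmhxt.sys" failed!
Driver "TDSSserv.sys" deleted successfully.
Completed script processing.
"""

if __name__ == "__main__":
    for rel, digest in sorted(sweep_offline_drive(build_sample_drive()).items()):
        print(f"{digest}  {rel}")
    print(parse_avenger_log(SAMPLE_AVENGER_LOG))
```

The name match is only a triage heuristic: it finds files named like the ones in the post, nothing more, which is why the hashes go to a multi-engine scanner rather than being treated as a verdict. The Avenger parse tells you what was already gone before you started (TDSSserv.sys deleted, TDSSmhxt.sys never present), so you do not chase artifacts a previous cleanup already handled.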