Endpoint Protection


Backdoor.tidserv "cleaned" but comes back

  • 1.  Backdoor.tidserv "cleaned" but comes back

    Posted Nov 14, 2009 12:41 PM

    Hi.  I have Symantec Antivirus 10.1.6.6000, virus definitions 11/03/09 rev. 3.  Windows XP.  I hope I'm posting in the correct forum.  It seems the version of Symantec AV software my graduate school gives out to students and faculty is a corporate version, and the people on the Norton board sent me here.

    In the last two days I have seen auto-protect pop up with Backdoor.tidserv something like 12 times.  Each time it says, "cleaned by deletion."  But then a few hours later it comes back.  It seems there must be some part of this infection not being removed.  I have the risk history log that just shows the dozen occurrences I mentioned and a cluster of trojan horse files that were supposedly quarantined on 11/8/09.  Can anyone help?

    Thanks in advance.  Apologies if I have omitted some baseline information.  I have never posted to this forum before.



  • 2.  RE: Backdoor.tidserv "cleaned" but comes back

    Posted Nov 14, 2009 01:20 PM
    There could be a possibility that a machine in the network may be infecting the computer again and again.

    http://www.symantec.com/security_response/writeup.jsp?docid=2008-091809-0911-99&tabid=3


    Recommendations

    Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

    • Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
    • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
    • Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
    • Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
    • Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
    • Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack. If they are removed, threats have fewer avenues of attack.
    • If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
    • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
    • Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
    • Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
    • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
    • If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.
    • For further information on the terms used in this document, please refer to the Security Response glossary.


  • 3.  RE: Backdoor.tidserv "cleaned" but comes back

    Posted Nov 14, 2009 08:51 PM
    This occurs on a home network with an integrated cable modem / router.  It happens even when mine is the only computer on the network.

    File sharing has always been disabled.  I haven't used removable media in months.

    Does anyone have ideas?  Can I provide more information to clarify things in any way?

    thanks again,
    Scott



  • 4.  RE: Backdoor.tidserv "cleaned" but comes back

    Posted Nov 15, 2009 12:40 AM
    Run a full scan on the machine in safe mode with the latest virus definitions.


  • 5.  RE: Backdoor.tidserv "cleaned" but comes back

    Posted Nov 15, 2009 05:09 AM
    Hi Scottmc10,

    Yes, you've found the right place for SAV questions.  : )  Please do use this forum for peer support with SAV, SEP or other enterprise queries.

    In cases of persistent reinfection, there are two possibilities: either someone on the network is attempting to re-create those same files over and over, or there is a currently unknown process on your computer that is attempting to recreate them over and over.  A little test will reveal which is the case.

    As Pranchand recommended above, run a full system scan in safe mode with the latest definitions.  Then unplug the network connection and reboot the computer.  Does the backdoor.tidserv detection come up again?  If so, then we need to search for a currently undetected process on your computer.  But if the threat does not return until the network cable is plugged back in, then the source comes from somewhere on the network.

    Symantec Technical Support have a load point diagnostic tool (similar to Sysinternals' Autoruns) which can help to identify suspicious files.  You may want to get in touch with them; with the assistance of such tools, you can submit the possible culprits to Security Response.  They will analyze the submissions and create protection against any new threats.

    A couple of other bits of advice: when you are in safe mode, run a disk cleanup to get rid of any potential infectors that are in the temp directories from Windows or Internet Explorer.  Make sure that you have the latest available MS patches, and also the latest available version of Adobe Acrobat and other programs with known vulnerabilities in their older releases.  Make sure you have a new and complex password guarding your computer.  The other best practices above are also good.  Let the forum know how you get on!

    Thanks and best of luck! 

    Mick



  • 6.  RE: Backdoor.tidserv "cleaned" but comes back

    Posted Nov 16, 2009 07:01 PM

    I ran a scan in safe mode, and it found and quarantined a trojan horse file named A0046573.exe.  A few minutes after reboot into normal mode, the auto-protect once again caught a Backdoor.tidserv.

    But as I said before, I am the only computer on my network.  I have an encrypted, password protected wifi network.

    I can repeat the process and boot into normal mode with the wireless network disabled, if that will prove something.

    thanks,
    Scott





  • 7.  RE: Backdoor.tidserv "cleaned" but comes back

    Posted Nov 16, 2009 09:12 PM
    I ran a Malwarebytes full scan in safe mode and the results are below.  However, a few minutes after supposedly cleaning the tdss rootkit and rebooting, Symantec found the Backdoor.Tidserv again just as before.



    Malwarebytes' Anti-Malware 1.41
    Database version: 3184
    Windows 5.1.2600 Service Pack 3 (Safe Mode)

    11/16/2009 8:21:56 PM
    mbam-log-2009-11-16 (20-21-56).txt

    Scan type: Full Scan (C:\|D:\|)
    Objects scanned: 256518
    Time elapsed: 44 minute(s), 11 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 2
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 7

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ttool (Spyware.Zbot) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\23557830 (Rogue.Multiple) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\WINDOWS\9129837.exe (Spyware.Zbot) -> Quarantined and deleted successfully.
    C:\WINDOWS\$hf_mig$\KB925902\SP2QFE\user32.dll (Virus.Mariofev) -> Quarantined and deleted successfully.
    C:\WINDOWS\$NtServicePackUninstall$\user32.dll (Virus.Mariofev) -> Quarantined and deleted successfully.
    C:\WINDOWS\ServicePackFiles\i386\user32.dll (Virus.Mariofev) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\tdlwsp.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
    C:\Documents and Settings\LocalService\Start Menu\Programs\Security Tool.LNK (Rogue.SecurityTool) -> Quarantined and deleted successfully.
    C:\WINDOWS\Temp\bnjh.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
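    The log above is the one piece of hard evidence in this thread, and it already explains why "Quarantined and deleted successfully" did not end the reinfections: two entries are autostart load points (the kind of thing the load point diagnostic tool Mick mentions in post 5 would list), one file is a Rootkit.TDSS component, and three are cached copies of an infected system file. The script below is an added example written for this page, not Scott's output and not a Malwarebytes or Symantec tool; it parses the Malwarebytes 1.x text log format, cross-checks the header totals against the itemised lines (a truncated paste fails the check), and explains each detection from a defender's point of view. The embedded SAMPLE_LOG is the post 7 log copied verbatim with its blank lines dropped; the registry-path and cache-directory patterns are my assumptions about what counts as a load point or a file cache.

```python
import re
from collections import Counter

# Log text copied from post 7 of the thread (Scott's Malwarebytes 1.41 scan),
# embedded so the script runs offline; blank lines from the original are dropped.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.41
Database version: 3184
Windows 5.1.2600 Service Pack 3 (Safe Mode)
Scan type: Full Scan (C:\|D:\|)
Objects scanned: 256518
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 7
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ttool (Spyware.Zbot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\23557830 (Rogue.Multiple) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\9129837.exe (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\WINDOWS\$hf_mig$\KB925902\SP2QFE\user32.dll (Virus.Mariofev) -> Quarantined and deleted successfully.
C:\WINDOWS\$NtServicePackUninstall$\user32.dll (Virus.Mariofev) -> Quarantined and deleted successfully.
C:\WINDOWS\ServicePackFiles\i386\user32.dll (Virus.Mariofev) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tdlwsp.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Start Menu\Programs\Security Tool.LNK (Rogue.SecurityTool) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\bnjh.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
"""

# "X Infected: N" is a summary line; "X Infected:" with no number opens an itemised section.
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):\s*(?P<count>\d+)?$")
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+)$")
# Assumed set of autostart ("load point") registry locations, as an Autoruns-style tool lists them.
LOADPOINT_RE = re.compile(r"\\CurrentVersion\\Run(Once|Services)?\\", re.IGNORECASE)
# Assumed set of places Windows keeps spare copies of system files that File Protection restores from.
CACHE_DIRS = ("\\ServicePackFiles\\", "$NtServicePackUninstall$", "$hf_mig$", "\\dllcache\\")


def parse_mbam_log(text):
    """Return (summary counts by section, list of detection dicts) for a Malwarebytes 1.x log."""
    summary, detections, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            if m.group("count") is not None:
                summary[m.group("section")] = int(m.group("count"))
            else:
                section = m.group("section")
            continue
        m = DETECTION_RE.match(line) if section else None   # header lines are never detections
        if m:
            detections.append(dict(section=section, **m.groupdict()))
    return summary, detections


def counts_match(summary, detections):
    """Cross-check header totals against itemised lines; a truncated or edited paste fails."""
    found = Counter(d["section"] for d in detections)
    return all(found.get(sec, 0) == n for sec, n in summary.items())


def triage(detections):
    """Explain, per item, why 'quarantined and deleted' can still be followed by reinfection."""
    flags = []
    for d in detections:
        item, threat = d["item"], d["threat"]
        if LOADPOINT_RE.search(item):
            flags.append((item, "load point: autostart entry; the binary it launched must be gone too, or the entry is re-created at next logon"))
        if threat.startswith("Rootkit."):
            flags.append((item, "rootkit: one user-mode file is not the whole infection; the hidden driver usually survives and re-drops it, so scan offline from trusted media"))
        if any(c in item for c in CACHE_DIRS):
            flags.append((item, "cached copy of a system file: check the live copy under system32; restoring from this cache reintroduces it"))
        if item.lower().endswith(".lnk"):
            flags.append((item, "shortcut: the executable it pointed at needs separate attention"))
    return flags


if __name__ == "__main__":
    summary, dets = parse_mbam_log(SAMPLE_LOG)
    print("header totals consistent with itemised lines:", counts_match(summary, dets))
    for item, why in triage(dets):
        print(f"{item}\n    -> {why}")
```

    Run on the thread's log this reports seven flagged items: the two Run-key values, the Rootkit.TDSS file under system32, the three service-pack cache copies of user32.dll and the Security Tool shortcut. The rootkit flag is the one that matters for the symptom in the subject line: a scan run from inside the infected system removed a user-mode file that the hidden component put back after the reboot, which is exactly what Scott observed.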



  • 8.  RE: Backdoor.tidserv "cleaned" but comes back

    Posted Nov 17, 2009 12:19 AM
    Sounds like the system restore is turned on and it causes the virus to reinfect.
    Please turn off system restore and perform a scan in safe mode...


  • 9.  RE: Backdoor.tidserv "cleaned" but comes back

    Posted Nov 17, 2009 01:48 AM
    It sounds like you are making good progress, Scott!  If files are being found on your computer itself by that third-party tool then the infection is coming from your own machine, not from the network.

    If possible, please submit those files to Security Response.  They will perform an analysis on them and update the definitions used to detect and remove such threats.  Many of the hundreds of detections added daily are created in response to submissions from Symantec customers.

    Symantec Technical Support have tools similar to the one you used which can help identify any additional suspicious files.

    I also recommend running a "disk cleanup": anything malicious in your temp locations will be deleted.

    Thanks and best regards,

    Mick


  • 10.  RE: Backdoor.tidserv "cleaned" but comes back

    Posted Dec 15, 2009 11:11 PM
    I believe this is a rootkit infection. I'm currently looking for a solution to a similar file being re-installed.

    System restore is off, but the infecting file name is tdlcmd.dll (installing to c:\windows\system)

    Can't seem to find a cleanup utility for this issue...


  • 11.  RE: Backdoor.tidserv "cleaned" but comes back

    Posted Jan 05, 2010 12:21 PM

    I am running Vista SP2.  I have Symantec Endpoint Protection installed on the computer. When I run a "Full Scan" within the first 5 minutes, it pauses for about 10-20 seconds on the following files:

    c:\windows\hide_evr2.sys
    c:\windows\9129837.exe
    c:\windows\system32\VirusRemoval.vbs
    c:\windows\system32\NewVirusRemoval.vbs

    It doesn't identify the files as being problematic and continues scanning all my files for 1 hour, finding nothing.

    I opened the folder c:\windows and did not find the file 9129837.exe (folder option is to view hidden files).

    I formatted the whole hard drive and installed Vista and all the updates (took almost a day) and installed the Endpoint Protection and updates; Microsoft and Symantec are the only two websites I connected to during installation. When I ran the full scan again, the same thing happened: it paused for about 10-20 seconds on the following files:

    c:\windows\hide_evr2.sys
    c:\windows\9129837.exe
    c:\windows\system32\VirusRemoval.vbs
    c:\windows\system32\NewVirusRemoval.vbs


    The files aren't showing up in windows explorer when I browse to those folders.

    How can I tell if I am infected?



  • 12.  RE: Backdoor.tidserv "cleaned" but comes back

    Posted Jan 06, 2010 04:47 AM
    Hi John,

    If those suspicious files reappeared and hid themselves even after reformatting the computer, I recommend that Symantec Security Response take a look at them.  They may be a new variant or threat that is not yet added to the definitions being used.

    Hidden files can be revealed by using ATTRIB on the command line.  Might be worth having a look....

    Final recommendations: I recommend checking the other computers which are connected to this Vista box.  Worms can move from computer to computer over network connections that are not protected by strong passwords.  Also check any USB keys that you may have used after re-installing, and make sure that you have taken measures to prevent the spread of threats that use autorun.

    Thanks and best regards,

    Mick
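    John's question in post 11 ("the files aren't showing up in Windows Explorer, how can I tell if I am infected?") and Mick's ATTRIB suggestion in post 12 both come down to checking a path without going through Explorer's hidden-file filter. The script below is an added example written for this page, not a Symantec tool and not something either poster ran: it stats each path with os.lstat (so hidden and system files are reported, and a planted symlink or junction is not followed), decodes the same H, S and R attribute bits that ATTRIB prints, and records a SHA-256 of any file found so it can be compared or submitted to Security Response without ever executing it. The path list is the one John posted; the function and variable names are my own. One caveat belongs in the lead-in as well as in the code: a kernel-mode rootkit that hooks file-system calls can hide a file from this script just as it hides it from Explorer, so a clean result from inside the running system is not proof of absence; the authoritative check is an offline scan from trusted media, as recommended earlier in the thread.

```python
import hashlib
import os
import stat

# Paths from post 11 of the thread (the ones the full scan paused on).
SUSPECT_PATHS = [
    r"c:\windows\hide_evr2.sys",
    r"c:\windows\9129837.exe",
    r"c:\windows\system32\VirusRemoval.vbs",
    r"c:\windows\system32\NewVirusRemoval.vbs",
]

# The attribute bits ATTRIB shows as H, S and R. Python defines these constants on
# every platform; os.lstat only fills in st_file_attributes on Windows.
ATTR_BITS = {
    "HIDDEN": stat.FILE_ATTRIBUTE_HIDDEN,
    "SYSTEM": stat.FILE_ATTRIBUTE_SYSTEM,
    "READONLY": stat.FILE_ATTRIBUTE_READONLY,
}


def decode_attributes(attrs):
    """Names of the ATTRIB-style flags set in a Windows attribute bitmask."""
    return sorted(name for name, bit in ATTR_BITS.items() if attrs & bit)


def describe_path(path):
    """Report on one path without going through Explorer's hidden-file filter.

    Caveat (assumption stated in the lead-in): a kernel rootkit hooking the file
    system can hide a path from this call too, so "exists: False" from inside a
    running, possibly infected system is not proof the file is absent.
    """
    try:
        st = os.lstat(path)          # lstat: never follow a planted symlink or junction
    except (FileNotFoundError, NotADirectoryError):
        return {"path": path, "exists": False}
    info = {
        "path": path,
        "exists": True,
        "size": st.st_size,
        "attributes": decode_attributes(getattr(st, "st_file_attributes", 0)),
    }
    if stat.S_ISREG(st.st_mode):
        try:
            h = hashlib.sha256()
            with open(path, "rb") as f:   # read only; the file is hashed, never run
                for chunk in iter(lambda: f.read(1 << 16), b""):
                    h.update(chunk)
            info["sha256"] = h.hexdigest()
        except PermissionError:
            info["sha256"] = None         # present but unreadable from this account
    return info


def check_paths(paths=SUSPECT_PATHS):
    """Describe every path in the list; missing and hidden entries are both reported."""
    return [describe_path(p) for p in paths]


if __name__ == "__main__":
    for report in check_paths():
        print(report)
```

    On a Windows box the interesting output is a path that Explorer does not show but that comes back with "exists": True and "HIDDEN" or "SYSTEM" in its attributes; the hash is what to keep for a Security Response submission. On a non-Windows machine the attribute list is always empty, because only Windows exposes those bits.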