Bit torrent killed XP Pro explorer.exe

My Bad!  I used Bit Torrent to download a replacement for some broken old software and something ugly came with it.

I left it running, I went to bed, got up and the screen was blank. On reboot, Windows XP Pro boots, plays the welcome music, puts up my screen background and the cursor...and that's it. Then every few minutes I get a Norton message saying a threat was found and fixed (not), then one that Suspicious.Mystic was detected, then a message saying, only to have it repeat endlessly. Norton AV 2010 (I believe) Version 17.7.0.12, WIN XP Pro SP3

 

So I did some digging and explorer.exe is deleted from the c:\windows dir, and if I replace it, something, saying it is Suspicious.Mystic (or something connected to it), immediately takes it out. It seems that instead, svchost.exe is run. I found FixO.exe online and the site described similar behavior with that zipped script file fixing the registry, but alas, not for me. No change.

 

I then discovered I could put explorer.exe on a thumb drive and run it from that using File > Run from Task Manager. Yay, I think, I'll get the beast running and hook up with Symantec for a scan. Well guess what, 5 boots later, while I try to collect info on the nature of the bug, the darn thing has figured me out. Now the thumb drive doesn't run, it just re-boots in a few minutes (doesn't delete explorer on the thumb drive though). Norton gives me that message about Suspicious.Mystic every time, and I now (since the bit torrent incident) get repeated hits from an attack from various trojans, sometimes several in a minute now. Seems like this has happened once in a while for several days and I ignored it as all were "resolved"...what a mess. HTTPS Tidserv Request 2 is often blocked, among others.

 

MORE Discovered...

Pretty much the same thing happens in safe mode.

(an hour later it runs again for several minutes at a time, whoopee) actually managed a live update then ran a quick scan, exporting 17 resolved items (attached)

If I run explorer.exe from the thumb drive and put a copy of it in c:\windows, Norton immediately removes it, having identified it as Suspicious.Mystic. Hmmm, is Norton out to lunch?

Exported some older history (also attached)

 

In fact, looking at the attached files, lots of stuff is detected as Suspicious.Mystic and blocked, deleted or quarantined.

Yet Norton virus scans didn't remove whatever is causing this, back when the thumb drive would work for an hour or 2.

Even more discoveries

Worse when the internet is connected: when I run explorer.exe, it reboots almost immediately.

This may have been interpreted as getting worse at times earlier, as I have connected/disconnected the net several times.

But, after disconnecting the net, it continues to detect explorer.exe as Suspicious.Mystic and delete it (if in the C drive, or just rebooting if elsewhere).

 

To stop this behavior, I have to 1) power down the PC and then 2) run in safe mode, before I can get it to run more than a minute. Is that bizarre?

Currently I'm trying to run a full system scan in normal mode having first done above, and it's running...we will see how long.

 

This should be good for a half day on the phone with Symantec tomorrow....

I have just succeeded in running a full scan with zero errors...

then I copied explorer.exe to the c:\windows directory

NAV detected it as Suspicious.Mystic and deleted it

10 seconds later, the PC rebooted, after running for an hour during the scan.

 

Unfortunately, I'm new to THIS level of antivirus... Can you or someone tell me how to fix it?

 

When you say Tidserv is blocked, what does that mean?

 

Is TDL Rootkit the name of the virus/trojan or whatever?

 

Thanks a lot, I have already lost 14 hours on this.

You have, at the very least, a TDL3/TDL4 rootkit that you downloaded into your machine.  There is no quick easy fix.  You will need to visit one of these free malware removal forums to have it removed. 

 

www.bleepingcomputer.com

http://www.geekstogo.com/forum/

http://www.cybertechhelp.com/forums/

http://forums.whatthetech.com/

I suppose this is a silly question, but doesn't Symantec have ANY mechanism for dealing with this?

Arguably, this is something they failed to protect me from (yes, I did something stupid, but never turned off their protection).

 

And, I suppose the real question is, CAN they do anything, using their remote access of my PC? Or anything else?

Of course I seem not to be able to have the network connected, and run the PC for more than a couple minutes.

 

I'm not comfortable with registry edits but will check out those other forums. Any advice for the timid in this situation?

I don't really consider the problem solved because we haven't verified the infection or removed it.

 

Thanks, team!

If Symantec was able to find the infected driver, the only mechanism for dealing with it is deletion.  Since the rootkit infects crucial Windows drivers, your machine could be no longer able to boot.  Most antivirus can't fix a rootkit. That is what the Tidserv entry is all about.

 

No antivirus software protects the user from himself. Torrents and P2P sharing make things very much easier for the malware writers.

 

Any of the free removal forums have volunteers to walk you through each step, with tools and utilities to get the job done.  Your only other alternative is to take it to a computer repair shop probably for a low-level format which will wipe the drive clean.  You will then need to reload all of your programs, etc.  Hopefully you have a system disk and have backed up your files.  Not many repair places have the technical know-how to remove it manually.

 

Your call.

That last question is still open, but I have to use data from the infected PC so...more questions (thanks tons).

 

Post-compromise security questions:
When infection happened I was running Bit Torrent (continuing a couple hours before I manually stopped the initial attack) I had 2 other drives, beside the boot drive in the PC.
This PC contained sensitive business info, however much of it was on the non-boot drives, which I disconnected from the PC shortly after seeing this weird behavior.

1. Is Bit Torrent used to steal data or just the bad code delivery means?

2. Does Bit torrent's data rate upload limit (set very low by me) affect the possible data theft RATE, or is that totally separate?

3. I have a hardware firewall in my router, and Microsoft firewall in my PC, do those block ALL possible data theft?

4. What's the chance that boot drive data was stolen?

5. Same for drives 2 & 3 (they are all big drives; I assume, since my bit torrent upload rate was set very low, not much could be transferred thru bit torrent, but maybe the trojan sets its own fast path?)

6. I need to use the data from the boot and other 2 drives, how can I do that and not spread the virus/trojan?

7. A. If any of the files were modified by the trojan/virus, wouldn't the date on the file change?
   B. If so, can I use that as a means of telling if the data files I move are clean (since Norton is no help here)?

8. Can I assume that a flashdisk can safely be moved between the infected PC and another without spreading the bug?

9. Can I use a CD burner to copy off my data files from the infected PC, assuming the infection is not in pre-infection dated files?

 

10. Finally, based on the above, should I change any and all account info that might have been gleaned from the files on that PC, or did the firewalls save me?

 

Once again, Thanks a lot, this is a horror show for me, and a beyond painful lesson.

There is lots of info on the web about root infections, but most is geared toward you guys, and not the poor suckers who get nailed.

Thanks Delphinium,

 

any comments on the post I sent in while you were answering my last one?

Hello madscien

 

I can answer one of those questions. With NIS installed, the Windows firewall should have been turned off.

If the last question was for advice, that was the recommendation to visit the forums.

 

The other two drives are probably all right, but scan them when you plug them into another machine.  I don't know what else you might have.  The Tidserv could be just one of several additional problems.  There is no way to know what all was downloaded.

 

1.  Torrents, cracks, keygens, and malicious scripts deliver the installers for the infections.

 

2.  No idea on that one.  The rootkit normally tries to connect to install more malware, but it apparently was blocked.

 

3.  No.  The router firewall and the Windows XP firewall are incoming only.  Your only outgoing firewall is Norton.

 

4.  No idea really.  Again, we don't know what all happened in that two hour time span.

 

5.  It would not work through the torrent.

 

6.  You should be able to pull documents, images, etc. from the boot drive, but no .exe's, .scr's, etc.  Once transferred to a flash drive or CD, you will have to scan it before using it.  See above for the other non-boot drives.

 

7.  Possibly.

 

8.  Not necessarily.

 

9.  Depending on what all you have in the machine, it may not allow using the CD in case you are trying to get rid of it.  It's a try it and see if it works. 

 

10.  Changing account info is always wise with this kind of infection.

 

11.  Malware writing is very profitable and a very big business.  It will not go away.  The antivirus developers have to find the malicious code and write definitions for it.  By the time that is done, often the malicious code is changed to evade detection.  It is an ongoing process.  We will all at some point in time pick up some kind of infection.  It is necessary to avoid obvious risks of infection.

 

 

The link where you got FixO.exe was interesting.  The tool was used to fix a symptom, but the user left before the main problem was fixed thinking he or she was cured.  That is always unfortunate.
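Questions 7 (can a file's date show it was not touched?) and 6 (carry off documents and images, never .exe or .scr) get short answers above. The following is an added example, not code from this thread or from Norton: a constructed Python check showing that a modification time can be put back after tampering while a SHA-256 hash still reveals the change, alongside a document-vs-executable filter of the kind answer 6 describes. The extension lists and sample file name are assumptions.

```python
"""Added example (not from the thread): file dates are weak evidence of integrity;
a content hash is not. Runs offline in a temporary directory it creates itself."""
import hashlib
import os
import tempfile

# Illustrative extension lists (assumptions): plain data the answer allows to be
# copied off, versus program files it says to leave behind.
DATA_EXTENSIONS = {".txt", ".doc", ".docx", ".xls", ".pdf", ".jpg", ".png", ".avi"}
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".dll", ".com", ".bat", ".cmd", ".pif"}


def classify(path):
    """'data' may go onto the flash drive or CD; 'executable' stays on the infected PC."""
    ext = os.path.splitext(path)[1].lower()
    if ext in EXECUTABLE_EXTENSIONS:
        return "executable"
    if ext in DATA_EXTENSIONS:
        return "data"
    return "unknown"


def snapshot(path):
    """Record what the file contains (SHA-256) and what it claims (mtime, in ns)."""
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    return {"sha256": digest, "mtime_ns": os.stat(path).st_mtime_ns}


def compare(before, after):
    """Report which of the two indicators actually moved between snapshots."""
    return {
        "mtime_changed": before["mtime_ns"] != after["mtime_ns"],
        "content_changed": before["sha256"] != after["sha256"],
    }


def demo_timestamp_is_not_proof():
    """Alter a file, then restore its old date: mtime says untouched, hash says otherwise."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "invoice.doc")  # constructed sample file
        with open(path, "wb") as f:
            f.write(b"original business data")
        before = snapshot(path)
        with open(path, "ab") as f:  # content changes...
            f.write(b"\nbytes appended after the baseline was taken")
        # ...and the original timestamps are written back, which any process that
        # can write the file can also do, so the date alone proves nothing.
        os.utime(path, ns=(before["mtime_ns"], before["mtime_ns"]))
        return compare(before, snapshot(path))


if __name__ == "__main__":
    print(classify(r"D:\work\budget.xls"), classify(r"D:\work\setup.exe"))
    print(demo_timestamp_is_not_proof())  # {'mtime_changed': False, 'content_changed': True}
```

A baseline of hashes taken from a known-clean copy, compared against the files you pull off the infected drive, is the reliable version of the check question 7 asks about.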

Hi madscien,

 

A rootkit will precipitate the installation of all sorts of malware.  The attempts to call out from your PC that were caught by Norton could easily have been designed to download more malicious programs onto your computer.  And yes, some of these programs could be used to steal information.  So that is one issue you face.

 

Another issue is that even without a rootkit and data-stealing malware on your system there is a real danger of inadvertently sharing sensitive information via P2P.  If any of this data is stored on a shared drive or in a shared folder it can be accessed by others on the P2P network.  You must be very, very careful in how you set up your P2P and where you store your data.  Using P2P on a computer that has sensitive business information is highly risky in more ways than you may have imagined.  Please see the following articles from the Federal Trade Commission and US-CERT for more information:

 

FTC:  Peer-to-Peer File Sharing: A Guide for Business

 

US-CERT:  Risks of File Sharing Technology

Delphinium,

Since you have offered the most help so far and this list (not belittling others' contributions, thanks)


Which of these forums is most likely to fit my situation, perhaps being the most effective?

 

www.bleepingcomputer.com

http://www.geekstogo.com/forum/

http://www.cybertechhelp.com/forums/

http://forums.whatthetech.com/

 

I have a small fortune in software on this PC, and a ton of uncompressed and enormous video editing files on it, too big for a DVD. Started copying and realized this hopeless monster file situation.  I have to try to recover (even though reformatting and reinstalling would be the quickest). Also, the PC didn't come with XP Pro OS or driver disks, so that's another whole nightmare.

 

Thank all of you, I have learned a serious lesson....

Hi madscien:

 

Bleeping Computer is possibly the best but they are also backed up a mile.  It could be a long wait.

 

I checked all of the suggested forums to ensure that the volunteers doing the removals appeared to be capable and competent.

 

Personally, I kind of lean toward whatthetech, as they don't seem as busy.  Make sure to include the HTTPS Tidserv Request2 in the header of your first post.  It will alert them to what kind of an issue they are dealing with.  Describe the symptoms, your operating system and service pack level, whatever security software you have on board as well as Norton, and the major symptoms.  Do not risk trying any of the tools you may find on the removal forum without supervision.

 

Let us know how you make out.

 

Best wishes

Hello madscien

 

Also, if you don't understand something that they want you to do, ask them the questions and write down any special instructions they give you. Some things you may have to do offline and won't be able to look at the instructions then unless you have a 2nd computer to use.


madscien wrote:

 

[ ... ]

 

I have a small fortune in software on this PC, and a ton of uncompressed and enormous video editing files on it, too big for a DVD. Started copying and realized this hopeless monster file situation.  I have to try to recover (even though reformatting and reinstalling would be the quickest). Also, the PC didn't come with XP Pro OS or driver disks, so that's another whole nightmare.

 

Thank all of you, I have learned a serious lesson....


I'm certainly no good in helping you fix the malware situation -- you are getting very good advice on that -- but I do have experience in backing up and so on which you should perhaps look at to cover an If all else fails situation.

 

In view of that you should rush to your nearest computer hardware store and buy an external hard drive to plug into eg a USB socket on your computer and copy your video files over (much quicker than burning DVDs) and they are not that expensive these days.

 

Also you should consider buying imaging software like GHOST 15 and making an image of your drive. Even if you can't boot up to your damaged drive it is still possible to do this using a recovery CD created or downloaded if you have the imaging software.

 

If you check with your PC manufacturer you may be able to buy a set of recovery media for a very reasonable price -- typically about $20 delivered. I know you can with HP, Lenovo and Toshiba, but not for every model.

 

Also certain computers come with a recovery partition from which you can make recovery disks (I know HP/Compaq and Toshiba do) and often that is accessible if after removing the malware you find you can't boot up to your normal Windows and it often includes a Repair function for Windows that can replace or repair damaged files.

 

I would suggest that you try to safeguard yourself against a wipe out but note that you can't reinstall software unless you have the installation media -- you can't just copy it into place on a new clean installation of Windows.

 

Good luck ...

 

Hugh

Hopefully it's OK to leave this thread open while I go off to do battle. I will come back after I'm done.

 

Before I start. I'll go get a USB backup drive and copy all the working files. That'll take at least a day!

I have copied all of this thread into a text file for reference, and will do the same for the actions I take, as I'm sure I will have to actively refer to it.  So I'll be gone for several days and hopefully return with a smile. I tried to contact a guy that should be a pro at this but haven't had luck, so I'm on my own.

Thanks, again, I'll be back !

We wait with bated breath ....

 

Good luck -- I hope all goes well with the copying. Before you do anything with the copied files, and after you sort out the malware, give that external drive a good AV/malware check with Norton and maybe with Malwarebytes / Superantispyware to check that it is clean.

Hello

 

You can also ask the malware forum if your backup is safe also depending on the type of malware that is found.

You will be able to find your thread by clicking on your name.  You will find a link to your last post.

 

Good luck.