
Hi all, Hope someone can help me!!

 

My boss has got a nasty thing on his computer. Basically:

 

All google searches redirect to other search engines and spyware removal sites.

 

Antivirus software is not being allowed to update.

 

New virus software I've installed (spybot etc...) is not opening.

 

Addresses for online scanners won't work.

 

 

Seems like this bit of kit is protecting itself from being deleted and I'm stuck now. Anyone know of anything I can do?!

 

Thanks in advance.


Title made me think of Danny Dyer. Pwoapah nawty virus smashin up your mahah!

 

If it's redirecting all of your website requests, then it's probably messed with the "hosts" file. You can remove all of the entries by going to "c:\windows\system32\drivers\etc" and then editing the file called "hosts" although this will just be a temporary fix.

 

You can probably run Hijack This by just renaming it, since it's only one file. Do you have it? If so, rename it to something else, run it, and then post the log file on here, or pm it to me.

 

If not, download it from Trend Micro HijackThis - Free software downloads and reviews - CNET Download.com.

 

Then tell your boss to stop looking at dwarf porn.

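The hosts-file check from the reply above, as an added example that is not part of the original thread or of any of the tools it names. It parses a Windows hosts file and reports every entry that is not the default localhost line, separating sites that have been blocked (mapped to loopback, which is what stops AV update and online-scanner addresses resolving) from sites redirected to another address. The watched-domain list and the sample hosts content are constructed for the demonstration.

```python
"""Flag hosts-file entries that block or redirect sites (added example)."""
import ipaddress

# Domains a malicious hosts-file edit commonly targets. Hypothetical watch
# list for the demo; extend it with your own AV/update vendors.
WATCHED_SUFFIXES = (
    "google.com", "bing.com", "malwarebytes.org", "superantispyware.com",
    "gmer.net", "bleepingcomputer.com", "trendmicro.com", "windowsupdate.com",
)

# The only lines a stock Windows hosts file is expected to contain.
DEFAULT_LINES = {("127.0.0.1", "localhost"), ("::1", "localhost")}


def parse_hosts(text):
    """Return (ip, hostname) pairs, ignoring comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def suspicious_entries(text):
    """Return (ip, name, reason) for entries worth a second look.

    A watched domain mapped to loopback is a block (AV sites, update servers);
    any domain mapped to a non-loopback address is a redirection. Local
    overrides that point harmless names at loopback are left alone.
    """
    findings = []
    for ip, name in parse_hosts(text):
        if (ip, name) in DEFAULT_LINES:
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((ip, name, "unparseable address"))
            continue
        watched = any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)
        if addr.is_loopback:
            if watched:
                findings.append((ip, name, "blocked (mapped to loopback)"))
        else:
            findings.append((ip, name, "redirected to %s" % ip))
    return findings


# Constructed sample, modelled on what a tampered XP hosts file looks like.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.malwarebytes.org    # constructed: AV site blocked
127.0.0.1       update.trendmicro.com   # constructed: update server blocked
10.0.0.99       www.google.com          # constructed: search redirected
127.0.0.1       intranet.local          # constructed: benign local override
"""

if __name__ == "__main__":
    for ip, name, reason in suspicious_entries(SAMPLE_HOSTS):
        print("%-16s %-28s %s" % (ip, name, reason))
```

On the infected machine the file to read is C:\windows\system32\drivers\etc\hosts; if it has been set read-only or hidden, clear those attributes first (attrib -r -h). A clean hosts file does not rule out redirection: the GMER log later in this thread shows inline JMP hooks on WS2_32.dll!connect and WS2_32.dll!send inside Explorer and Firefox, which divert traffic below the level a hosts check can see.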

It's a Rootkit! Probably TDSS.sys or a variant, as that seems quite popular at the moment, and that one also prevents you from updating AV/antimalware stuff amongst other things. One variant also prevents you from running rootkit-revealer-type software such as GMER in normal mode in an attempt to prevent you from isolating it. One way around this is to rename the .exe of whatever AV/antimalware proggy you are trying to run.

 

First, try GMER anyway (if it'll let you download it).

 

GMER

 

The virus will probably show up as a hidden service, but this will allow you to delete/disable the service that it is running from, although unless you clean the rest of it after this operation it'll probably pop up again. Still, this is an excellent proggy for seeing if things are still lurking there after the following fixes.

 

SD-FIX. Bleeping Computer Downloads: SDFix

 

Download this, and install/run it in safe mode. Follow the on-screen prompts and let it do its stuff.

 

 

SuperAntiSpyware SUPERAntiSpyware.com - Downloads

Malwarebytes Antimalware Malwarebytes.org

 

Run either of these (Malwarebytes is my preferred one at the moment, but they both do a good job of things) back in normal mode, after updating them, after running SD-Fix and GMER to check the main infection is cleared.


Log file from Hijack this:

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 13:05:14, on 05/01/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Safe mode with network support

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Dell UK: Laptops, Desktop Computers, Monitors, Printers & PC Accessories

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Dell UK: Laptops, Desktop Computers, Monitors, Printers & PC Accessories

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Dell UK: Laptops, Desktop Computers, Monitors, Printers & PC Accessories

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = Dell UK: Laptops, Desktop Computers, Monitors, Printers & PC Accessories

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [PMX Daemon] ICO.EXE

O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"

O4 - HKLM\..\Run: [bitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"

O4 - HKLM\..\Run: [bDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"

O4 - HKCU\..\Run: [iSUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{382AE9E4-9E76-4839-852E-0BDB913BA55B}: NameServer = 192.168.162.250

O17 - HKLM\System\CS1\Services\Tcpip\..\{382AE9E4-9E76-4839-852E-0BDB913BA55B}: NameServer = 192.168.162.250

O17 - HKLM\System\CS2\Services\Tcpip\..\{382AE9E4-9E76-4839-852E-0BDB913BA55B}: NameServer = 192.168.162.250

O17 - HKLM\System\CS3\Services\Tcpip\..\{382AE9E4-9E76-4839-852E-0BDB913BA55B}: NameServer = 192.168.162.250

O23 - Service: Broadcom ASF IP Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe

O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe

O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe

O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe

O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe

O24 - Desktop Component 0: (no name) - http://s7d2.scene7.com/is/image/Sothebys/N08502-160-lr-1?$thumb_file$

 

--

End of file - 4730 bytes

 

 

 

 

Can't go to the other links as yet! Have renamed a file in system32 called 'Hostname'. That was the only thing similar to what you suggested.

 

Can you see anything that might help in that log file?


From GMER

 

GMER 1.0.14.14536 - http://www.gmer.net

Rootkit scan 2009-01-05 13:18:13

Windows 5.1.2600 Service Pack 2

 

 

---- System - GMER 1.0.14 ----

 

Code E1718388 ZwEnumerateKey

Code E16FC5B0 ZwFlushInstructionCache

Code BA3A0EAB pIofCallDriver

 

---- User code sections - GMER 1.0.14 ----

 

.text C:\WINDOWS\Explorer.EXE[1836] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00AD000A

.text C:\WINDOWS\Explorer.EXE[1836] WS2_32.dll!send 71AB428A 5 Bytes JMP 00AF000A

.text C:\WINDOWS\Explorer.EXE[1836] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 00AE000A

.text C:\Program Files\Mozilla Firefox\firefox.exe[2032] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00B9000A

.text C:\Program Files\Mozilla Firefox\firefox.exe[2032] WS2_32.dll!send 71AB428A 5 Bytes JMP 00BB000A

.text C:\Program Files\Mozilla Firefox\firefox.exe[2032] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 00BA000A

 

---- Devices - GMER 1.0.14 ----

 

AttachedDevice \Driver\Tcpip \Device\Ip bdftdif.sys (BitDefender Firewall TDI Filter Driver/BitDefender SRL)

AttachedDevice \Driver\Tcpip \Device\Tcp bdftdif.sys (BitDefender Firewall TDI Filter Driver/BitDefender SRL)

AttachedDevice \Driver\Tcpip \Device\Udp bdftdif.sys (BitDefender Firewall TDI Filter Driver/BitDefender SRL)

AttachedDevice \Driver\Tcpip \Device\RawIp bdftdif.sys (BitDefender Firewall TDI Filter Driver/BitDefender SRL)

 

Device \FileSystem\Fastfat \Fat B994BC8A

 

---- Modules - GMER 1.0.14 ----

 

Module \systemroot\system32\drivers\TDSSijso.sys (*** hidden *** ) BA39F000-BA3B1000 (73728 bytes)

 

---- Threads - GMER 1.0.14 ----

 

Thread 4:336 BA3A1D66

 

---- Services - GMER 1.0.14 ----

 

Service C:\WINDOWS\system32\drivers\TDSSijso.sys (*** hidden *** ) [sYSTEM] TDSSserv.sys

 

---- Registry - GMER 1.0.14 ----

 

Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys

Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys@start 1

Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys@type 1

Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys@imagepath \systemroot\system32\drivers\TDSSijso.sys

Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys@group file system

Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules

Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@TDSSserv \systemroot\system32\drivers\TDSSijso.sys

Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@TDSSl \systemroot\system32\TDSSedpn.dll

Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@tdssservers \systemroot\system32\TDSSierd.dat

Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@tdssmain \systemroot\system32\TDSSurra.dll

Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@tdsslog \systemroot\system32\TDSSckvy.dll

Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@tdssadw \systemroot\system32\TDSSeuvq.dll

Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@tdssinit \systemroot\system32\TDSSnhvw.dll

Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@tdssurls \systemroot\system32\TDSSnmxh.log

Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@tdsspanels \systemroot\system32\TDSShchc.dll

Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@tdsserrors \systemroot\system32\TDSSfhvv.log

Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@TDSSproc \systemroot\system32\TDSSuyka.log

Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys

Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys@start 1

Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys@type 1

Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys@imagepath \systemroot\system32\drivers\TDSSijso.sys

Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys@group file system

Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys\modules

Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys\modules@TDSSserv \systemroot\system32\drivers\TDSSijso.sys

Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys\modules@TDSSl \systemroot\system32\TDSSedpn.dll

Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys\modules@tdssservers \systemroot\system32\TDSSierd.dat

Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys\modules@tdssmain \systemroot\system32\TDSSurra.dll

Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys\modules@tdsslog \systemroot\system32\TDSSckvy.dll

Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys\modules@tdssadw \systemroot\system32\TDSSeuvq.dll

Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys\modules@tdssinit \systemroot\system32\TDSSnhvw.dll

Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys\modules@tdssurls \systemroot\system32\TDSSnmxh.log

Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys\modules@tdsspanels \systemroot\system32\TDSShchc.dll

Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys\modules@tdsserrors \systemroot\system32\TDSSfhvv.log

Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys\modules@TDSSproc \systemroot\system32\TDSSuyka.log

Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys

Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys@start 1

Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys@type 1

Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys@imagepath \systemroot\system32\drivers\TDSSijso.sys

Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys@group file system

Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules

Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@TDSSserv \systemroot\system32\drivers\TDSSijso.sys

Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@TDSSl \systemroot\system32\TDSSedpn.dll

Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssservers \systemroot\system32\TDSSierd.dat

Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssmain \systemroot\system32\TDSSurra.dll

Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdsslog \systemroot\system32\TDSSckvy.dll

Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssadw \systemroot\system32\TDSSeuvq.dll

Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssinit \systemroot\system32\TDSSnhvw.dll

Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssurls \systemroot\system32\TDSSnmxh.log

Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdsspanels \systemroot\system32\TDSShchc.dll

Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdsserrors \systemroot\system32\TDSSfhvv.log

Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@TDSSproc \systemroot\system32\TDSSuyka.log

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata@affid 62

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata@subid v300

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata@control 0x09 0x19 0x1F 0x16 ...

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata@prov 10010

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata@googleadserver pagead2.googlesyndication.com

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata@flagged 1

 

---- EOF - GMER 1.0.14 ----

 

 

It said it found a rootkit and it was the TDSS.sys you suggested, Meat. I'm having to find the software through download.com, then rename it, and then go to properties and unblock it. What a mission!

 

Can't get sdfix or malwarebytes to work.


From Malwarebytes: Infected files quarantined and deleted!!

 

Malwarebytes' Anti-Malware 1.31

Database version: 1456

Windows 5.1.2600 Service Pack 2

 

05/01/2009 13:52:44

mbam-log-2009-01-05 (13-52-44).txt

 

Scan type: Full Scan (C:\|)

Objects scanned: 95320

Time elapsed: 10 minute(s), 58 second(s)

 

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 2

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

 

Memory Processes Infected:

(No malicious items detected)

 

Memory Modules Infected:

(No malicious items detected)

 

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.

 

Registry Values Infected:

(No malicious items detected)

 

Registry Data Items Infected:

(No malicious items detected)

 

Folders Infected:

(No malicious items detected)

 

Files Infected:

(No malicious items detected)

 

 

 

 

 

So the only thing I didn't manage was SDFix because I couldn't get to it through download.com or any other mirror. Will reboot in normal mode and run it all again.


Latest from Malwarebytes! Seems to be getting worse!

 

 

Malwarebytes' Anti-Malware 1.31

Database version: 1456

Windows 5.1.2600 Service Pack 2

 

05/01/2009 14:15:23

mbam-log-2009-01-05 (14-15-23).txt

 

Scan type: Full Scan (C:\|)

Objects scanned: 86962

Time elapsed: 12 minute(s), 1 second(s)

 

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 2

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 13

 

Memory Processes Infected:

(No malicious items detected)

 

Memory Modules Infected:

(No malicious items detected)

 

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.

 

Registry Values Infected:

(No malicious items detected)

 

Registry Data Items Infected:

(No malicious items detected)

 

Folders Infected:

(No malicious items detected)

 

Files Infected:

C:\Documents and Settings\Davidbutler\Local Settings\Temp\TDSSfd7f.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\TDSSckvy.dll (Trojan.TDSS) -> Delete on reboot.

C:\WINDOWS\system32\TDSSedpn.dll (Trojan.TDSS) -> Delete on reboot.

C:\WINDOWS\system32\TDSSurra.dll (Trojan.TDSS) -> Delete on reboot.

C:\WINDOWS\system32\drivers\TDSSijso.sys (Trojan.TDSS) -> Delete on reboot.

C:\WINDOWS\Temp\TDSS398e.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\TDSS3bd0.tmp (Trojan.TDSS) -> Delete on reboot.

C:\WINDOWS\Temp\TDSS3efd.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\TDSS42d5.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\TDSS4bbe.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\TDSSeuvq.dll (Rootkit.Agent) -> Delete on reboot.

C:\WINDOWS\system32\TDSSnhvw.dll (Rootkit.Agent) -> Delete on reboot.

C:\WINDOWS\system32\TDSSuyka.log (Trojan.TDSS) -> Delete on reboot.

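The check implied by Meat's earlier warning (the rootkit will pop back up unless the rest of it is cleaned) and by the Malwarebytes log above, which lists only some of the files GMER found, as an added example that is not code from the thread, from GMER or from Malwarebytes. It parses the line formats visible in the logs posted above, pulls the rootkit's own component list out of the TDSSserv.sys\modules registry values GMER reported, and checks each entry against what Malwarebytes says it deleted or scheduled for deletion on reboot. The sample inputs are excerpts of the GMER log and the second Malwarebytes log from this thread; the one assumption is that %SystemRoot% is C:\WINDOWS, as the HijackThis platform line shows.

```python
r"""Cross-reference a GMER rootkit log against a Malwarebytes log.

Added example, not code from the thread or from either tool. It parses the
line formats visible in the logs above; the sample text below is excerpted
from them. Assumes %SystemRoot% is C:\WINDOWS (HijackThis platform line).
"""
import re

SYSTEMROOT = r"C:\WINDOWS"  # assumption, see module docstring
RE_HIDDEN = re.compile(r"^(Module|Service)\s+(\S+)\s+\(\*\*\* hidden \*\*\* \)")
RE_MODULE_VALUE = re.compile(
    r"^Reg\s+HKLM\\SYSTEM\\\w+\\Services\\([^\\]+)\\modules@(\S+)\s+(\S+)")
RE_USER_HOOK = re.compile(
    r"^\.text\s+(.+?)\[(\d+)\]\s+(\S+)!(\S+)\s+[0-9A-F]+\s+\d+ Bytes JMP ([0-9A-F]+)")
RE_MBAM_FILE = re.compile(r"^([A-Za-z]:\\\S.*?) \(([\w.]+)\) -> (.+?)\.?$")

def normalize(path):
    """Rewrite GMER's systemroot-relative paths as drive paths, lower-cased."""
    p = path.strip()
    if p.lower().startswith(r"\systemroot"):
        p = SYSTEMROOT + p[len(r"\systemroot"):]
    return p.lower()

def parse_gmer(text):
    """Collect hidden objects, the rootkit's module table and user-mode hooks."""
    out = {"hidden": [], "components": {}, "user_hooks": []}
    for line in text.splitlines():
        line = line.strip()
        m = RE_HIDDEN.match(line)
        if m:
            out["hidden"].append((m.group(1), normalize(m.group(2))))
            continue
        m = RE_MODULE_VALUE.match(line)
        if m:  # the same values repeat under each ControlSet; keep one per file
            service, value_name, path = m.groups()
            out["components"].setdefault(normalize(path), (service, value_name))
            continue
        m = RE_USER_HOOK.match(line)
        if m:  # inline JMP hooks on WS2_32 are what redirect the browser
            proc, pid, dll, func, target = m.groups()
            out["user_hooks"].append((proc, int(pid), dll + "!" + func, target))
    return out

def parse_mbam(text):
    """Return {lower-cased path: action} for each file line of a Malwarebytes log."""
    handled = {}
    for line in text.splitlines():
        m = RE_MBAM_FILE.match(line.strip())
        if m:
            handled[m.group(1).lower()] = m.group(3)
    return handled

def reconcile(gmer_text, mbam_text):
    """Split the rootkit's registered components by what the cleaner did with them."""
    components = parse_gmer(gmer_text)["components"]
    handled = parse_mbam(mbam_text)
    result = {"deleted": [], "pending_reboot": [], "untouched": []}
    for path in sorted(components):
        action = handled.get(path)
        if action is None:
            result["untouched"].append(path)
        elif "reboot" in action.lower():
            result["pending_reboot"].append(path)
        else:
            result["deleted"].append(path)
    return result

# Excerpts of the GMER log and the second Malwarebytes log posted in this thread.
GMER_EXCERPT = r"""
.text C:\WINDOWS\Explorer.EXE[1836] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00AD000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2032] WS2_32.dll!send 71AB428A 5 Bytes JMP 00BB000A
Module \systemroot\system32\drivers\TDSSijso.sys (*** hidden *** ) BA39F000-BA3B1000 (73728 bytes)
Service C:\WINDOWS\system32\drivers\TDSSijso.sys (*** hidden *** ) [sYSTEM] TDSSserv.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@TDSSserv \systemroot\system32\drivers\TDSSijso.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@TDSSl \systemroot\system32\TDSSedpn.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssservers \systemroot\system32\TDSSierd.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssmain \systemroot\system32\TDSSurra.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdsslog \systemroot\system32\TDSSckvy.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssadw \systemroot\system32\TDSSeuvq.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssinit \systemroot\system32\TDSSnhvw.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssurls \systemroot\system32\TDSSnmxh.log
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdsspanels \systemroot\system32\TDSShchc.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdsserrors \systemroot\system32\TDSSfhvv.log
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@TDSSproc \systemroot\system32\TDSSuyka.log
"""
MBAM_EXCERPT = r"""
C:\Documents and Settings\Davidbutler\Local Settings\Temp\TDSSfd7f.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSckvy.dll (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\TDSSedpn.dll (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\TDSSurra.dll (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\drivers\TDSSijso.sys (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\TDSSeuvq.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\TDSSnhvw.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\TDSSuyka.log (Trojan.TDSS) -> Delete on reboot.
"""

if __name__ == "__main__":
    for state, paths in reconcile(GMER_EXCERPT, MBAM_EXCERPT).items():
        print(state, paths)
```

Run against the thread's own logs, it reports seven components pending deletion on reboot and four that Malwarebytes never listed: TDSSierd.dat, TDSShchc.dll, TDSSnmxh.log and TDSSfhvv.log. That matches GMER still showing the rootkit after the Malwarebytes run and the SDFix log further down, which deletes TDSSierd.dat. The user-mode section explains the symptom in the first post: with connect and send hooked inside the browser, the hosts file and DNS settings can be clean and searches still get redirected.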

You could really do with SD-Fix to remove it completely before you let Antimalware do the rest.

 

When you run GMER and it comes up with that initial list, TDSS.sys and associated stuff will be highlighted in red. Have you tried right-clicking to disable/remove the service from there and then running Antimalware?

 

Anyway, I've uploaded SDFix to a Rapidshare link. You should be able to get to it from there.

 

RapidShare: Easy Filehosting

 

Download that, go into Safe mode, unzip it to an easy directory (C:\SDfix for example), and execute RunThis.bat

 

Let it do its stuff (it'll do so much in Safe mode, then reboot and do the rest in normal), and then let Malwarebytes do the rest.


Do you have any idea as to when the problem started appearing?

 

If you do, you can probably do a System Restore to the day before to apply the fixes that have already been mentioned in this thread.

 

Do system restores affect viruses? I don't think they do.


It doesn't all the time, no, but the virus might have been created due to a program being installed and run. If a system restore is done and said program is not installed, then the virus will not re-appear and re-install after it's been removed, should the user run the program it came from again.

 

Of course, this has the possibility to open a hole in the space-time continuum etc.


System restore wouldn't work either. I don't know if that's down to the virus (I'm sure Meat will have an idea).

 

Meat, you are a legend. I'm running SDFix right now in safe mode, and for the first time I'm feeling optimistic! Malwarebytes can't find anything now, but GMER is still showing it. Good program that. I haven't tried deleting the service. I looked for it in 'Services' though, didn't realise I could delete it from GMER.

 

Will keep you posted and distribute reppage forthwith.


Here's the log from SDfix. Another great bit of software.

 

 

SDFix: Version 1.240

Run by Davidbutler on 06/01/2009 at 08:59

 

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

 

Checking Services :

 

Name :

TDSSserv.sys

 

Path :

\systemroot\system32\drivers\TDSSijso.sys

 

TDSSserv.sys - Deleted

 

 

 

Restoring Default Security Values

Restoring Default Hosts File

 

Rebooting

 

 

Checking Files :

 

Trojan Files Found:

 

C:\WINDOWS\system32\drivers\TDSSijso.sys - Deleted

C:\WINDOWS\system32\TDSSierd.dat - Deleted

C:\WINDOWS\SYSTEM32\TDSSIERD.dat - Deleted

 

 

 

 

 

Removing Temp Files

 

ADS Check :

 

 

 

Final Check :

 

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-01-06 09:10:09

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden services & system hive ...

 

scanning hidden registry entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden processes: 0

hidden services: 0

hidden files: 0

 

 

Remaining Services :

 

 

 

 

Authorized Application Key Export:

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

 

Remaining Files :

 

 

File Backups: - C:\SDFix\backups\backups.zip

 

Files with Hidden Attributes :

 

Mon 7 Jul 2008 1,429,840 A.SHR --- "C:\Program Files\botty\SDUpdate.exe"

Mon 7 Jul 2008 4,891,472 A.SHR --- "C:\Program Files\botty\SpybotSD.exe"

Mon 7 Jul 2008 2,156,368 A.SHR --- "C:\Program Files\botty\TeaTimer.exe"

Mon 7 Jul 2008 1,429,840 A.SHR --- "C:\RECYCLER\S-1-5-21-2806081057-2675361520-1585658103-1005\Dc16\SDUpdate.exe"

Mon 7 Jul 2008 4,891,472 A.SHR --- "C:\RECYCLER\S-1-5-21-2806081057-2675361520-1585658103-1005\Dc16\SpybotSD.exe"

Mon 7 Jul 2008 2,156,368 A.SHR --- "C:\RECYCLER\S-1-5-21-2806081057-2675361520-1585658103-1005\Dc16\TeaTimer.exe"

Sat 6 Dec 2008 0 ...H. --- "C:\Documents and Settings\Davidbutler\Application Data\Microsoft\Word\~WRL0005.tmp"

 

Finished!

 

 

 

Also, just did a GMER scan and nothing came up.

 

Can't thank you enough Meat. Can't rep you either because it seems you're very helpful/witty/intelligent but I'll spread the love more and get back to you!

 

I really appreciate the help. Thanks so much.


Dr.Web CureIt will also work when other antivirus/spyware programs don't work. TDSSserv.sys is often the cause of processes not running.

 

Anyone else in this predicament: download & run in this order - Dr.Web CureIt, ComboFix and Malwarebytes. That combination will get rid of everything. Also worthwhile turning off System Restore and, when clean, turning it back on & creating a new restore point.


Good advice on the disable/re-enable System Restore points. I always forget to mention that bit.. And that Dr Web Cureit looks promising, I'll have to infect myself with something and give it a go, see how it does.

 

To be fair, I've not come across *anything* yet (cue massive infection this evening...) that I've not been able to solve with a combination of SD-Fix/ComboFix/Malwarebytes or SuperAntiSpyware and AVG in the end, but anything else that'll help along the way is always good to keep on the USB memory stick of Goodliness. Another Top Tip for your rescue USB stick, use one of those SD Card USB readers so you can write protect the memory card and stop anything from trying to jump onto your memory stick when you plug it into an infected machine.

 

 

As for using that Trinity Rescue Kit to solve this kind of infection, I can't see why not. First, search for and delete all references to any TDSS.sys files (wildcard it, TDSS*.* should do) in the system32 folder, amongst others, and then next load up the registry editor and check your CurrentControlSet and subsequent CurrentControlSet001/002/*/* for TDSS.sys entries and delete the appropriate keys. These live in the HKEY_LOCAL_MACHINE tree, under the key SYSTEM.

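The file-system half of the offline clean-up described in the post above (boot a rescue environment, mount the Windows volume, search system32 for TDSS*.*), as an added example that is not code from the thread or from the Trinity Rescue Kit. It walks system32 and its drivers subfolder on a mounted volume comparing lower-cased names, because a Linux mount usually does case-sensitive lookups and the SDFix log above lists both TDSSierd.dat and TDSSIERD.dat; matches are moved into a quarantine directory with a SHA-256 recorded rather than deleted, so the samples survive for analysis. The directory tree it runs against is constructed in a temporary directory; the mount point and the file prefix are assumptions.

```python
"""Find and quarantine rootkit components on an offline Windows volume.

Added example, not part of the thread or of the Trinity Rescue Kit. The
mount point, the "tdss" prefix and the demo directory tree are assumptions.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def find_components(windir, prefix="tdss"):
    """Yield files under <windir>/system32 whose name starts with prefix.

    Walks system32 recursively (so system32/drivers is covered) and compares
    lower-cased names, matching the way a case-insensitive NTFS lookup works.
    """
    root = Path(windir) / "system32"
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.name.lower().startswith(prefix.lower()):
            yield p


def quarantine(windir, qdir, prefix="tdss"):
    """Move each matching file into qdir; return [(relative path, sha256)].

    Moving instead of deleting keeps the driver and DLLs for later analysis
    and makes a restore possible if a decoy file is caught by the prefix.
    """
    qdir = Path(qdir)
    qdir.mkdir(parents=True, exist_ok=True)
    moved = []
    for src in list(find_components(windir, prefix)):  # materialise before moving
        digest = hashlib.sha256(src.read_bytes()).hexdigest()
        rel = src.relative_to(windir)
        # flatten the relative path into the quarantine file name
        dst = qdir / str(rel).replace(os.sep, "_")
        shutil.move(str(src), str(dst))
        moved.append((str(rel), digest))
    return moved


def build_demo_tree(base):
    """Constructed sample volume: rootkit-named files plus two legitimate decoys."""
    base = Path(base)
    for rel, data in [
        ("WINDOWS/system32/drivers/TDSSijso.sys", b"driver"),
        ("WINDOWS/system32/TDSSedpn.dll", b"dll"),
        ("WINDOWS/system32/TDSSIERD.dat", b"config"),   # upper-case variant
        ("WINDOWS/system32/drivers/tcpip.sys", b"legit"),
        ("WINDOWS/system32/ntdll.dll", b"legit"),
    ]:
        p = base / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return base / "WINDOWS"


def run_demo():
    """Build the sample tree, quarantine matches, report what is left behind."""
    with tempfile.TemporaryDirectory() as tmp:
        windir = build_demo_tree(tmp)
        moved = quarantine(windir, Path(tmp) / "quarantine")
        remaining = sorted(p.name for p in (windir / "system32").rglob("*") if p.is_file())
        return moved, remaining


if __name__ == "__main__":
    moved, remaining = run_demo()
    for rel, sha in moved:
        print("quarantined", rel, sha)
    print("remaining:", remaining)
```

Point quarantine() at the mounted volume's WINDOWS directory (on a TRK mount that is something like /mnt/<disk>/WINDOWS, which is an assumption about the mount path) and keep the quarantine directory off the infected volume. The registry half of the post, removing the TDSSserv.sys service key from each ControlSet, needs an offline hive editor and is not covered here; with the driver file gone the service simply fails to load at boot, but the key should still be removed.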

Had a couple of PCs that were badly infected. Vista/XP Antivirus 2009 I think. Couldn't install any antivirus/spyware program. Ran the setup files and nothing happened, even in safe mode. Found this Dr.Web and it ran on the machines. Scans the memory and system32 folder. Seems to be a .sys file in the system32 folder that caused the problem. Dr.Web removed it and after a reboot I was then able to install ComboFix, Malwarebytes and AVG etc.

 

Great little piece of kit. Used to take ages to really clean a virus-upped system. Now hardly takes any time at all. AVG scan normally being the longest.


The trick to install AV/spyware software with that particular infection (that one is based upon TDSS.sys/Zlob) is to rename the .exe files of the software. Rename GMER.exe as GME.EXE, rename the Malware installer as mbam-setu.exe, and the resulting installed .exe as mba.exe and so forth. One way the virus tries to look after itself is to kill any launched processes associated with known AV/Spyware products such as the above.
