Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

tdsskiller won't open


  • Please log in to reply
14 replies to this topic

#1 sharon44

sharon44

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:07:16 AM

Posted 22 June 2011 - 06:59 PM

I cannot get the tdsskiller to open after I rename it.

I already ran the rkill.

I am trying to remove the window xp recovery virus.

any help will be appreciated.

BC AdBot (Login to Remove)

 


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 62,648 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:07:16 AM

Posted 22 June 2011 - 07:18 PM

Hello Sharon, I moved this to the Am I Infected forum.
TDSSKiller from Command Prompt

Use the following command to scan the PC with a detailed log written into the file report.txt (created in the TDSSKiller.exe utility folder):
Open Command Prompt in XP = click Start >> Run,type cmd
copy and paste this at the flashing cursor and hit Enter

TDSSKiller.exe -l report.txt
How do I get help? Who is helping me?
Staying Updated Calendar of Updates.
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook Have you seen..Select Real Security

#3 sharon44

sharon44
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:07:16 AM

Posted 22 June 2011 - 07:25 PM

I get an error message saying it cannot find the file.

#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 62,648 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:07:16 AM

Posted 22 June 2011 - 07:33 PM

OK,let's try the "end around play"

Reboot into Safe Mode with Networking
How to enter safe mode(XP/Vista)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode with Networking using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode
.


>>>> Download this file and doubleclick on it to run it. Allow the information to be merged with the registry.

RKill....

Download and Run RKill
  • Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

    Link 1
    Link 2
    Link 3
    Link 4

  • Before we begin, you should disable your anti-malware softwares you have installed so they do not interfere RKill running as some anti-malware softwares detect RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply

Do not reboot your computer after running rkill as the malware programs will start again. Or if rebooting is required run it again.


If you continue having problems running rkill.com, you can download iExplore.exe or eXplorer.exe, which are renamed copies of rkill.com, and try them instead.



Next run Superantisypware (SAS):

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
If you have a problem downloading, installing or getting SAS to run, try downloading and using the SUPERAntiSpyware Portable Scanner instead. Save the randomly named file (i.e. SAS_1710895.COM) to a usb drive or CD and transfer to the infected computer. Then double-click on it to launch and scan. The file is randomly named to help keep malware from blocking the scanner.


Now try Tdss and the MBAM... Or MBAM then Tdss of needed.

Post all the logs..
How do I get help? Who is helping me?
Staying Updated Calendar of Updates.
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook Have you seen..Select Real Security

#5 sharon44

sharon44
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:07:16 AM

Posted 23 June 2011 - 07:36 PM

Ok, here is the log. I still cannot get tdsskiller to run.
I'm not computer savvy, so I'm at a loss of what to do next.




SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/23/2011 at 07:26 PM

Application Version : 4.54.1000

Core Rules Database Version : 7313
Trace Rules Database Version: 5125

Scan type : Complete Scan
Total Scan Time : 00:52:26

Memory items scanned : 271
Memory threats detected : 0
Registry items scanned : 6842
Registry threats detected : 0
File items scanned : 35291
File threats detected : 64

Adware.Tracking Cookie
C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@apmebf[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@media6degrees[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@network.realmedia[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ru4[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@www.find-quick-results[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@adbrite[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@revsci[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@tacoda.at.atwola[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@tribalfusion[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@at.atwola[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@pro-market[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@adxpose[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@lucidmedia[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@invitemedia[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@imrworldwide[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@content.yieldmanager[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@cdn.jemamedia[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@advertise[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ads.bleepingcomputer[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@interclick[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@pointroll[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@questionmarket[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@serving-sys[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@burstnet[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@a1.interclick[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@fastsfind[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@fastclick[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@advertising[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@mediaplex[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@r1-ads.ace.advertising[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@mediabrandsww[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@collective-media[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ar.atwola[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ads.pointroll[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@content.yieldmanager[3].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ad.yieldmanager[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@yieldmanager[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@liveperson[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@www.burstnet[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ads.financialcontent[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@sales.liveperson[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@insightexpressai[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@realmedia[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ads.bighealthtree[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@liveperson[3].txt
C:\Documents and Settings\ltw\Cookies\ltw@adbrite[2].txt
C:\Documents and Settings\ltw\Cookies\ltw@ad.yieldmanager[2].txt
C:\Documents and Settings\ltw\Cookies\ltw@atdmt[1].txt
C:\Documents and Settings\ltw\Cookies\ltw@cdn.jemamedia[1].txt
C:\Documents and Settings\ltw\Cookies\ltw@content.yieldmanager[1].txt
C:\Documents and Settings\ltw\Cookies\ltw@doubleclick[1].txt
C:\Documents and Settings\ltw\Cookies\ltw@lucidmedia[1].txt
C:\Documents and Settings\ltw\Cookies\ltw@pro-market[1].txt
C:\Documents and Settings\sarnold\Cookies\sarnold@collective-media[2].txt
C:\Documents and Settings\sarnold\Cookies\sarnold@apmebf[1].txt
C:\Documents and Settings\sarnold\Cookies\sarnold@segment-pixel.invitemedia[1].txt
C:\Documents and Settings\sarnold\Cookies\sarnold@search.seekfinds[1].txt
C:\Documents and Settings\sarnold\Cookies\sarnold@specificclick[1].txt
C:\Documents and Settings\sarnold\Cookies\sarnold@pointroll[2].txt
C:\Documents and Settings\sarnold\Cookies\sarnold@ads.pointroll[1].txt
C:\Documents and Settings\sarnold\Cookies\sarnold@revsci[1].txt

Trojan.Agent/Gen-OnlineGames
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1396\A0117516.EXE

#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 62,648 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:07:16 AM

Posted 23 June 2011 - 08:07 PM

Hello, Is this Vista? What is your AntiVirus?

Lets see if MBAM will run now.

Next run MBAM (MalwareBytes):

Please download Malwarebytes Anti-Malware and save it to your desktop.
Download Link 1
Download Link 2MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Troubleshoot Malwarebytes' Anti-Malware
How do I get help? Who is helping me?
Staying Updated Calendar of Updates.
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook Have you seen..Select Real Security

#7 sharon44

sharon44
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:07:16 AM

Posted 23 June 2011 - 08:25 PM

at the moment, I'm getting an alert

XP Internet Security 2012

When I try to log onto the internet, I cannot get to your website. I'm assuming this is another virus.
It says it's blocked a program

Internet Explorer is infected with Trojan-BNK.Win32.Keylogger.gen

What do I do now??

#8 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 62,648 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:07:16 AM

Posted 23 June 2011 - 08:34 PM

Please click Start > Run, type inetcpl.cpl in the runbox and press enter.
Click the Connections tab and click the LAN settings option.
Verify if "Use a proxy..." is checked, if so, UNcheck it and click OK/OK to exit.
Now check if the internet is working again.


OR
Go to Start ... Run and type in cmd
A dos Window will appear.
Type in the dos window: netsh winsock reset
Click on the enter key.

Reboot your system to complete the process.
How do I get help? Who is helping me?
Staying Updated Calendar of Updates.
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook Have you seen..Select Real Security

#9 sharon44

sharon44
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:07:16 AM

Posted 23 June 2011 - 08:46 PM

neither is working.

when I type in cmd and click ok, the threat pops up again and no window.

#10 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 62,648 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:07:16 AM

Posted 23 June 2011 - 09:06 PM

3.This infection changes settings on your computer so that when you launch an executable, a file ending with .exe, it will instead launch the infection rather than the desired program. To fix this we must first download a Registry file that will fix these changes. From a clean computer, please download the following file and save it to a removable media such as a CD/DVD, external Drive, or USB flash drive.

FixNCR.reg (http://download.bleepingcomputer.com/reg/FixNCR.reg)

Once that file is downloaded and saved on a removable devices, insert the removable device into the infected computer and open the folder the drive letter associated with it. You should now see the FixNCR.reg file that you had downloaded onto it. Double-click on the FixNCR.reg file to fix the Registry on your infected computer. You should now be able to run your normal executable programs and can proceed to the next step.

If you do not have any removable media or another clean computer that you can download the FixNCR.reg file onto, you can try and download it to your infected computer using another method. On the infected computer, right click on the Internet Explorer's icon, or any other browser's icon, and select Run As or Run as Administrator. If you are using Windows XP, you will be prompted to select a user and enter its password. It is suggested that you attempt to login as the Administrator user. For Windows 7 or Windows Vista, you will be prompted to enter your Administrator account password.

Once you enter the password, your browser will start and you can download the above FixNCR.reg file. When saving it, make sure you save it to a folder that can be accessed by your normal account. Remember, that you will be launching the browser as another user, so if you save it to a My Documents folder, it will not be your normal My Documents folder that it is downloaded into. Instead it will be the My Documents folder that belongs to the user you ran the browser as. Once the download has finished, close your browser and find the FixNCR.reg file that you downloaded. Now double-click on it and allow the data to be merged. You should now be able to run your normal executable programs and can proceed to the next step.
How do I get help? Who is helping me?
Staying Updated Calendar of Updates.
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook Have you seen..Select Real Security

#11 sharon44

sharon44
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:07:16 AM

Posted 23 June 2011 - 09:29 PM

well, the only options I have when I right click is

open home page

start without add ons

create shortcut


delete


rename

properties

I'll check back in tomorrow. I have an early am and need to get some rest.

Thanks for helping.

#12 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 62,648 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:07:16 AM

Posted 24 June 2011 - 08:48 AM

Is it possible for you to run this off a Flash Drive or CD

Please download MiniToolBox, save it to your desktop and run it.

Checkmark the following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List last 10 Event Viewer log
  • List Users, Partitions and Memory size.
  • List Minidump Files.
Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.
How do I get help? Who is helping me?
Staying Updated Calendar of Updates.
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook Have you seen..Select Real Security

#13 brian0918

brian0918

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:07:16 AM

Posted 08 July 2011 - 09:35 PM

sharon44: I had this same issue today. Even though I tried renaming tdsskiller.exe to asdf.com, it still would not open. I guessed that the rootkit virus was examining the executable's description/company/product information (which Kaspersky foolishly includes in the file).

I found a utility called verpatch which modifies the tdsskiller file properties, using the following command:

verpatch tdsskiller.exe /s description "12345" /s company "asdf" /s product "qwerty" /s copyright "abc123"


After making this change, just right-click the tdsskiller and go to Properties, and you will see that the information has been changed.

Then just rename the program back to asdf.com, double-click it, and it may start up. In my case, it immediately found the rootkit, removed it, and now I am no longer experiencing the Google Redirect virus.

#14 dmz2002

dmz2002

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:07:16 AM

Posted 14 July 2011 - 06:06 PM

I had the same problem. I found that the hosts file was missing a row of numbers.
Should be
127.0.0.1 localhost
::1 localhost
I was missing the top row of numbers. When I changed to those numbers Tdsskiller worked and found rootkit and cured.
This is the site to change hosts.
http://geekswithblogs.net/thibbard/archive/2006/12/13/changingyourhostsfileinvista.aspx

#15 dmz2002

dmz2002

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:07:16 AM

Posted 14 July 2011 - 06:14 PM

Forgot to mention this site for a start. Proxy should be unchecked.
http://deletemalware.blogspot.com/2010/02/remove-google-redirect-virus.html




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users