BleepingComputer.com: TDSS TDL4 - scvhost.exe errors


TDSS TDL4 - scvhost.exe errors: Removed rootkit with AVG - still have svchost errors

#1 kmiller_wc (Member, Posts: 25, Joined: 15-May 11)

Posted 15 May 2011 - 03:18 PM

Greetings,

Got this virus 5/13. Mistakenly (I think) didn't use system restore.
I did so many things to attempt a fix I may be missing some steps or have the order wrong.

Symptoms:
1) MS Removal Tool
2) all program file menu items grayed out (empty)
3) browser hijacked
4) researched MS Removal Tool from my UBUNTU machine

My actions:
1)
a) got BSOD trying to get to safe mode - INVALID_WORK_QUEUE_ITEM
b) discovered that JGOGO.sys was causing BSOD - disconnected SATA external
c) Got to safe mode; did a chkdsk. That found errors in my ntuser.dat. I renamed it to ntuser.dat.old thinking that I didn't want it being used if it was infected/damaged.
d) got to regedit: followed instructions for removing MS Removal Tool; deleted suggested entries in registry, startup, LocalSettings, etc. per instructions
e) Still had hijacking - wanted to try MBAM; was being blocked from access
f) did an MBAM scan with existing db but ineffective.

2) Did an XP repair existing install.
a) The repair install created a new user with all the default XP background etc. User Was Kmiller, now Kmiller.ROADUNIT (machine name).
b) also ran sfc /scannow at some point

3) Started trying different antivirus apps transferring them on CD from UBUNTU machine to laptop
a) Kaspersky - wouldn't install - machine infected - per instructions, used another Kaspersky utility (forgot name) - no effect
b) ran GMER; found rootkit immediately - crashed machine
c) installed AVG; scanned all files (2 hours); clean. Then realized the rootkit search was separate from file scan. Used rootkit scan. It cleaned 5 of 11 found. The other six it can't remove.
d) Applied all windows updates - many updates - including SP3
e) Mostly usable but still having scvhost errors: 0x00ab0eec, then 0x00dc9eec
f) Tried many tools to attempt a fix: TDSSKiller, DrWeb, ATF-Cleaner, sophos, blacklight, etc...

4) Came here.

Any help much appreciated...
-km

Edit: Moved topic from XP to the more appropriate forum. ~ Animal

#2 boopme (Global Moderator, Posts: 48,761, Joined: 10-September 04, Location: NJ USA)

Posted 15 May 2011 - 08:18 PM

Looks like you're in a real mess. Before this PC gets borked...
We need a deeper look. Please go here:
Preparation Guide, do steps 6 - 9.

Create a DDS log and post it in the new topic explained in step 9, which is here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic, thanks.
If you have the Gmer log, post it; if not, skip it and move on.

Let me know if that went well.

This post has been edited by boopme: 16 May 2011 - 12:12 PM

How do I get help? Who is helping me?
Staying Updated Calendar of Updates.
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#3 kmiller_wc (Member, Posts: 25, Joined: 15-May 11)

Posted 15 May 2011 - 11:50 PM

I hear what you're sayin'.
I'm in the process of doing that now.
First I wanted to back up Docs&Set.
Couldn't tell if Acronis was working or not, so I just WinRAR'ed the thing. (4 hours)
I hope that archive is usable. Shipped it out to external.
I've got a 2-month-old disk image. Was thinking of using that. Opinion?

Thanks, -km

#4 boopme (Global Moderator, Posts: 48,761, Joined: 10-September 04, Location: NJ USA)

Posted 16 May 2011 - 12:15 PM

Probably a good idea. Not an unwise decision to make. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. Wiping your drive, reformatting, and performing a clean install of the OS or doing a factory restore removes everything and is the safest action but I cannot make that decision for you.

Reformatting a hard disk deletes all data. If you decide to reformat, you can back up all your important documents, data files and photos. The safest practice is not to back up any autorun.ini or .exe files because they may be infected. Some types of malware may disguise themselves by adding and hiding their extension to the existing extension of files, so be sure you take a close look at the full name. After reformatting, as a precaution, make sure you scan these files with your anti-virus prior to copying them back to your hard drive.

Here's our quietman's canned reply on this. The safest practice is not to back up any executable files (*.exe), screensavers (*.scr), autorun (.ini) or script files (.php, .asp, .htm, .html, .xml), because they may be infected by malware. Avoid backing up compressed files (.zip, .cab, .rar) that have executables inside them, as some types of malware can penetrate compressed files and infect the .exe files within them. Other types of malware may even disguise themselves by hiding a file extension or adding to the existing extension as shown here (click Figure 1 to enlarge), so be sure you look closely at the full file name. If you cannot see the file extension, you may need to reconfigure Windows to show file name extensions. Then make sure you scan the backed up data with your anti-virus prior to copying it back to your hard drive.

If your CD/DVD drive is unusable, another word of caution if you are considering backing up to an external USB hard drive as your only alternative. External drives are more susceptible to infection and can become compromised in the process of backing up data. I'm not saying you should not try using such devices, but I want to make you aware of all your options and associated risks so you can make an informed decision if it's worth that risk. Again, do not back up any files with the following file extensions: .exe, .scr, .ini, .htm, .html, .php, .asp, .xml, .zip, .rar, .cab, as they may be infected.

If you're not sure how to reformat or need help with reformatting, please review: These links include step-by-step instructions with screenshots: Vista users can refer to these instructions: Don't forget you will have to go to Microsoft Update and apply all Windows security patches after reformatting.

Note: If you're using an IBM, Sony, HP, Compaq or Dell machine, you may not have an original XP CD. By policy, Microsoft no longer allows OEM manufacturers to include the original Windows XP CD-ROM on computers sold with Windows preinstalled. Instead, most computers manufactured and sold by OEM vendors come with a vendor-specific Recovery Disk or Recovery Partition for performing a clean "factory restore" that will reformat your hard drive, remove all data and restore the computer to the state it was in when you first purchased it. See Technology Advisory Recovery Media. If the recovery partition has become infected, you will need to contact the manufacturer, explain what happened and ask them to send full recovery disks to use instead.

If you need additional assistance with reformatting or partitioning, you can start a new topic in the Operating Systems Subforums forum.
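The backup advice in the post above (skip executables and scripts, watch for a hidden or doubled extension such as a picture name ending in .exe, scan before copying back) can be applied mechanically to a backup set before anything is restored. The script below is an added example written for this thread, not code from BleepingComputer or any of the posters. It triages a listing of relative paths from a backup (for instance the extracted contents of the WinRAR archive mentioned earlier) into files to copy back, files to leave behind, and names that look like a disguised executable. The skip list is exactly the extension list quoted in the post; the decoy and extra executable extension sets are my assumptions, and the sample listing is constructed.

```python
"""Triage a backup set before copying it back (added example, not from the original thread)."""
import os
from pathlib import Path, PurePath

# Extensions the post says not to back up (quietman's list), lower-cased, without the dot.
SKIP_EXTENSIONS = {"exe", "scr", "ini", "htm", "html", "php", "asp", "xml", "zip", "rar", "cab"}

# Extensions that run as code on Windows, used to spot "photo.jpg.exe" style names.
# exe and scr come from the post; the rest are my additions (assumption).
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "bat", "cmd", "pif", "vbs", "js"}

# Document/media extensions commonly placed in front of a hidden executable extension (assumption).
DECOY_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "bmp", "doc", "docx", "xls", "xlsx",
                    "pdf", "txt", "mp3", "avi"}


def extensions_of(name):
    """Return every dot-separated suffix of a file name, lower-cased, without dots.

    'beach.JPG.exe' -> ['jpg', 'exe']; 'README' -> [].
    """
    parts = name.lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def classify(relative_path):
    """Classify one backup path as 'suspicious', 'skip' or 'copy'.

    'suspicious' takes precedence: an executable extension hiding behind a
    document/media extension is the disguise the post warns about.
    """
    exts = extensions_of(PurePath(relative_path).name)
    if not exts:
        return "copy"
    last = exts[-1]
    if last in EXECUTABLE_EXTENSIONS and len(exts) >= 2 and exts[-2] in DECOY_EXTENSIONS:
        return "suspicious"
    if last in SKIP_EXTENSIONS:
        return "skip"
    return "copy"


def triage(paths):
    """Group an iterable of relative paths into the three buckets, preserving order."""
    buckets = {"suspicious": [], "skip": [], "copy": []}
    for p in paths:
        buckets[classify(p)].append(p)
    return buckets


def triage_directory(root):
    """Walk a real backup directory and triage every regular file under it."""
    root = Path(root)
    relative = (str(p.relative_to(root)) for p in root.rglob("*") if p.is_file())
    return triage(relative)


# Constructed sample listing, modelled on a Documents and Settings backup.
SAMPLE_LISTING = [
    "My Documents/resume.doc",
    "My Documents/photos/beach.jpg",
    "My Documents/photos/beach.jpg.exe",
    "Desktop/setup.exe",
    "Local Settings/Temp/update.scr",
    "Application Data/notes.txt",
    "Desktop/archive.zip",
    "desktop.ini",
    "My Documents/README",
]

if __name__ == "__main__":
    # Print the report; the 'copy' bucket is what should still be scanned before restoring.
    for bucket, items in triage(SAMPLE_LISTING).items():
        print(bucket)
        for item in items:
            print("   ", item)
```

Running it on the sample listing puts the picture-named .exe into the suspicious bucket, the installer, screensaver, archive and desktop.ini into the skip bucket, and the documents and photos into the copy bucket. Point `triage_directory()` at the mounted external drive to run the same check over a real backup; files in the copy bucket still go through an anti-virus scan before they are moved back, as the post says.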
