BleepingComputer.com: Infected with TDSS Bing and Google redirect

Hi!

Do you remember putting these files here:

[2010/07/19 08:03:58 | 000,000,223 | ---- | C] () -- C:\Program Files\unpackJars.bat
[2010/07/19 08:03:52 | 005,918,124 | ---- | C] () -- C:\Program Files\COMcheck.jar
[2010/07/19 08:03:52 | 004,565,469 | ---- | C] () -- C:\Program Files\cities.dat
[2010/07/19 08:03:52 | 000,633,516 | ---- | C] () -- C:\Program Files\counties.dat
[2010/07/19 08:03:52 | 000,274,944 | ---- | C] () -- C:\Program Files\COMcheck.exe
[2010/07/19 08:03:52 | 000,022,931 | ---- | C] () -- C:\Program Files\splash.gif
[2010/07/19 08:03:52 | 000,022,721 | ---- | C] () -- C:\Program Files\example99.cck
[2010/07/19 08:03:52 | 000,015,663 | ---- | C] () -- C:\Program Files\example.cck
[2010/07/19 08:03:52 | 000,000,299 | ---- | C] () -- C:\Program Files\defaults.dat
[2010/07/19 08:03:52 | 000,000,111 | ---- | C] () -- C:\Program Files\Start_COMcheck_CL_Log.bat
[2010/07/19 08:03:52 | 000,000,074 | ---- | C] () -- C:\Program Files\Start_COMcheck_CL.bat

Do you recognize these?

C:\Program Files\AMSys
C:\Program Files\AMSys\swsys.exe
C:\Program Files\AMSys\swkbhk.dll


OTL Fix

We need to run an OTL Fix

Note: If you have MalwareBytes Anti-Malware 1.6 or higher installed and are using the Pro version or trial version, please temporarily disable it for the duration of this fix as it may interfere with the successfully execution of the script below.

• Please reopen on your desktop.
  
• Copy and Paste the following code into the textbox.
  

  :Services
  :OTL
  [2012/02/03 09:11:11 | 000,002,933 | ---- | M] () -- C:\WINDOWS\TOPSS.ini
  [2012/02/03 09:11:11 | 000,000,083 | ---- | M] () -- C:\WINDOWS\subrules.ini
  [2012/02/03 09:11:11 | 000,000,021 | ---- | M] () -- C:\WINDOWS\odbcddp.ini
  [2012/02/03 09:11:11 | 000,000,008 | ---- | M] () -- C:\WINDOWS\dcrudll.ini
  

  
  
• Push
  
• OTL may ask to reboot the machine. Please do so if asked.
  
• Click the OK button.
  
• A report will open. Copy and Paste that report in your next reply.
  
• If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.

NEXT:



AVP Tool by Kaspersky

Download AVPTool from Here to your desktop

Run the programme you have just downloaded to your desktop (it will be randomly named )

First we will run a virus scan

Click the cog in the upper right



Select down to and including your main drive, once done select the Automatic scan tab and press Start Scan


Allow AVP to delete all infections found
Once it has finished select report tab (last tab)
Select Detected threats report from the left and press Save button
Save it to your desktop and attach to your next post


Now the Analysis

Rerun AVP and select the Manual Disinfection tab and press Start Gathering System Information



On completion click the link to locate the zip file to upload and attach to your next post

1. Do you remember putting these files here: Yes

2. Do you recognize these? I think it is a program used by IT to track our activities.

3. There were no detected threats. No report was generated.

4. See attached for system info.

Hello noogman,

Quote

Thanks for the info regarding those files, I wanted to ensure they were something that belonged there.

Quote

Okay, my research was showing me that those files were related to a tracking software, and wanted to ensure that was the case.





Time for some housekeeping
The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bolded text into the Run box and click OK: ComboFix /Uninstall



NEXT:



OTL Fix

We need to run an OTL Fix

• Please reopen on your desktop.
  
• Copy and Paste the following code into the textbox.
  

  :Commands
  [ClearAllRestorePoints]
  

  
  
• Push
  
• OTL may ask to reboot the machine. Please do so if asked.
  
• Click the OK button.
  
• A report will open. Copy and Paste that report in your next reply.

NEXT:



OTL Clean-Up

We Need to Clean Up our Mess
Our work on your machine has left considerable leftovers on your box. Let's clean those up real quick:

• Reopen on your desktop.
  
• Click on
  
• You will be prompted to reboot your system. Please do so.

If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.


NEXT:



All Clean Speech




Below I have included a number of recommendations for how to protect your computer against malware infections.


Updated Anti-Virus Program
It's essential that you have an updated anti-virus program running on your computer. You don't want to run more than one as it can cause program conflicts, as well as false positives

You can view an excellent list of Free Security Software programs that has been compiled by GeekstoGo.


Avoid P2P Programs

Remember that no matter how clean the program you're using for peer-to-peer filesharing may be, it offers no guarantees regarding the cleanliness of files you may choose to download. All files available via p2p filesharing carry a high risk, particularly those that offer you illegitimate methods of using legitimate software programs without paying for them. Some further readings on this subject, along the included links, are as follows: File-Sharing, otherwise known as Peer To Peer and Risks of File-Sharing Technology.

If you have any of these programs installed then I highly suggest you uninstall them.

NOTE: Take care when answering any questions posed by an uninstaller. Some questions may be worded to deceive you into keeping the program.


Internet Browsers

Many of the users that I assist here on the forums, ask me which programs they can use to prevent themselves from getting infected again in the future. The best answer I can give you is too practice safe browsing.

Please consider using an alternative browser such as Google Chrome or Opera. They are both much more secure than Internet Explorer, immune to almost all known browser hijackers, and also have great built-in pop-up blockers.

I also suggest you make your Internet Explore more secure.



Extra Goodies

• It is good security practice to change your passwords to all your online accounts on a fairly regular basis, this is especially true after an infection. Refer to this Microsoft article
  Strong passwords: How to create and use them then consider a password keeper, to keep all your passwords safe.
  
  
• Keep Windows updated by regularly checking their website at: http://windowsupdate.microsoft.com/
  This will ensure your computer has always the latest security updates available installed on your computer.
  
  
• You should run an updated scan with MalwareBytes' Anti-Malware weekly. Instructions are included below:
  
  
  • Open Malwarebytes' Anti-Malware
    
  • Select the Update tab
    
  • Click Check for Updates
  
  
  
• Be weary of e-mails from unknown senders. Keep the following in mind as well: If it's to good to be true, then it more than likely is.
  
  
  
• FileHippo Update Checker is an extremely helpful program that will tell you which of your programs need to be updated. Its important to keep programs up to date so that malware doesn't exploit any old security flaws.
  
  
• WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
  • Green to go
    
  • Yellow for caution
    
  • Red to stop
  WOT has an addon available for Chrome and Opera.
  
  
• Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.
  
  
• In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:
  
  Think Prevention.
  PC Safety and Security--What Do I Need?.

**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

Thank you for your patience, and performing all of the procedures requested.

Please respond one last time so we can consider the thread resolved and close it, thank-you.

Cheers,
SweetTech.

SweetTech,

1. OTL fix report:

========== COMMANDS ==========
Restore points cleared and new OTL Restore Point set!

OTL by OldTimer - Version 3.2.31.0 log created on 03062012_181722

2. Currently, computer is running fine. No issues that I am aware of.


Thanks again for your help!

noogman,

You're more than welcome! I'm glad that we were able to work together to solve the issues you were experiencing with your computer.

Please take care!

Kindest Regards,
SweetTech.

____________________________________________________

Since it appears that the issues you were experiencing with your computer have been resolved, I am going to close this thread. If you should need the thread re-opened please send me a Private Message (PM) with a request to re-open the thread, as well as the link to the thread in question, and I'd be happy to re-open the thread.