
Fun With Tdss And Svchost.exe Trojans


21 replies to this topic

#1 bigbrew
  • Members
  • 24 posts
  • Gender:Male
  • Location:USA

Posted 01 October 2008 - 01:31 AM

I primarily use Google and Yahoo search engines, and get a page of results. When I click on a result link, I am sent to some arbitrary page ... it's like this malware has a table of sites to send me to. It will also give me the PAGE NOT FOUND error, when I know that it is a valid URL. This problem happens in both FireFox 2.0.0.17, and IE6. I am on Windows XP Home Edition SP2. I used another computer to download mbam-setup.exe and ran mbam.exe twice. First time performed a quick scan and after that a full scan. System was rebooted after each scan. Then I updated my AVG7 Free Edition with the latest virus defs and did a scan with that as well. I attempted to use the ESET online antivirus scanner, but IE6 crashed about halfway through the download/update. Logs for mbam.exe and AVG posted below. Is there anything else I need to do to be rid of this?


Malwarebytes' Anti-Malware 1.28
Database version: 1222
Windows 5.1.2600 Service Pack 2

9/30/2008 7:34:52 PM
mbam-log-2008-09-30 (19-34-52).txt

Scan type: Quick Scan
Objects scanned: 66506
Time elapsed: 8 minute(s), 5 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
C:\WINDOWS\system32\drivers\svchost.exe (Heuristics.Reserved.Word.Exploit) -> Failed to unload process.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\ -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\ -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\drivers\svchost.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\ (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\ (Trojan.Agent) -> Quarantined and deleted successfully.


Malwarebytes' Anti-Malware 1.28
Database version: 1222
Windows 5.1.2600 Service Pack 2

9/30/2008 8:32:25 PM
mbam-log-2008-09-30 (20-32-25).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 114978
Time elapsed: 52 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\ -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\ -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP217\A0021155.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\drivers\ (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssinit.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssmain.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssserf.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\drivers\tdssserv.sys (Rootkit.Agent) -> Delete on reboot.

AVG7 Free Edition
Program version 7.5.524
Virus base 270.7.5/1701 Release date 9/30/2008 7:08 PM
General properties
Report name Selected Areas Test
Start time 9/30/2008 22:21
End time 9/30/2008 10:51:21 PM (total: 29:57.9 Min)
Launch method Scanning launched manually
Scanning result Threats found
Report status Scanning completed successfully

Object summary
Scanned 58194
Threats Found 4
Cleaned 0
Moved to vault 0
Deleted 4
Errors 0

C:\WINDOWS\system32\kernel32.dll Change Changed
C:\WINDOWS\system32\user32.dll Change Changed
C:\WINDOWS\system32\shell32.dll Change Changed
C:\WINDOWS\system32\ntoskrnl.exe Change Changed
C:\WINDOWS\system32\tdssadw.dll Deleted
C:\WINDOWS\system32\tdssl.dll Deleted
C:\WINDOWS\system32\tdsslog.dll Deleted
C:\WINDOWS\system32\tdssserf1.dll Deleted

-BB
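The two MBAM logs above share one layout (section header ending in a colon, then `item (detection) -> action.` lines). As an added example, not code from this thread or from Malwarebytes, the parser below reads that layout and triages each detection the way a responder would read these logs: it flags the Winlogon\Userinit and Run-key persistence, marks items still pending a reboot or left unresolved, and treats any svchost.exe that sits outside %SystemRoot%\system32 as an impostor (the rogue copy in these logs lives in system32\drivers). The list of system32-only binaries and the constructed sample log are assumptions of this example.

```python
# Parse a Malwarebytes' Anti-Malware 1.x scan log (the layout posted in this
# thread) and triage each detection for follow-up by a responder.
import re
from dataclasses import dataclass

SECTIONS = {"Memory Processes Infected": "running process", "Memory Modules Infected": "loaded module",
            "Registry Keys Infected": "registry key", "Registry Values Infected": "registry value",
            "Registry Data Items Infected": "registry data", "Folders Infected": "folder",
            "Files Infected": "file"}
# Detection line: "<item> (<detection>) -> [Data: <data> -> ]<action>."
LINE_RE = re.compile(r"^(?P<item>.+?) \((?P<detection>[^()]+)\) -> "
                     r"(?:Data: (?P<data>.*?) -> )?(?P<action>.+?)\.?$")
# Assumed set of binaries that belong only in system32 on XP; a copy elsewhere impersonates them.
SYSTEM32_ONLY = {"svchost.exe", "userinit.exe", "winlogon.exe", "lsass.exe"}

@dataclass
class Detection:
    kind: str
    item: str
    detection: str
    action: str
    data: str = ""

    def flags(self) -> list:
        out, low = [], self.item.lower()
        if self.kind in ("file", "running process"):
            folder, _, name = low.rpartition("\\")
            if name in SYSTEM32_ONLY and not folder.endswith("\\system32"):
                out.append("masquerades as system binary outside system32")
        if self.kind == "registry data" and low.endswith("\\winlogon\\userinit"):
            out.append("logon hijack via Winlogon\\Userinit")
        if self.kind == "registry value" and "\\currentversion\\run\\" in low:
            out.append("autostart via Run key")
        if self.action == "Delete on reboot":
            out.append("reboot required")
        elif self.action != "Quarantined and deleted successfully":
            out.append("unresolved: " + self.action)
        return out

def parse_mbam_log(text: str) -> list:
    found, kind = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith(":") and line[:-1] in SECTIONS:  # section header
            kind = SECTIONS[line[:-1]]
            continue
        m = LINE_RE.match(line)  # summary counts and "(No malicious items detected)" do not match
        if kind and m:
            found.append(Detection(kind, m["item"], m["detection"],
                                   m["action"], m["data"] or ""))
    return found

# Constructed sample: a few lines copied from the first log in this thread.
SAMPLE_LOG = r"""
Memory Processes Infected:
C:\WINDOWS\system32\drivers\svchost.exe (Heuristics.Reserved.Word.Exploit) -> Failed to unload process.
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\ -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\system32\drivers\svchost.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\drivers\tdssserv.sys (Rootkit.Agent) -> Delete on reboot.
"""

if __name__ == "__main__":
    for d in parse_mbam_log(SAMPLE_LOG):
        print(f"[{d.kind}] {d.item}: {', '.join(d.flags()) or 'cleaned'}")
```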


#2 Budapest
    Bleepin' Cynic
  • Moderator
  • 23,579 posts
  • Gender:Male

Posted 01 October 2008 - 01:45 AM

Your log shows a Rootkit infection. These can be particularly nasty, and you should assume that your online passwords have been compromised.

Try scanning with Sophos Anti-Rootkit.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#3 bigbrew (Topic Starter)

Posted 01 October 2008 - 02:17 AM

Thanks for the quick reply!


Sophos Anti-Rootkit result:

No hidden items found by scan.


I did a search of C:\WINDOWS and found the file tdssservers.dat in the C:\WINDOWS\system32 folder. File was created and last modified 9/27/08 at 11:44:37 AM, probably when the infection was picked up. Neither Malwarebytes' Anti-Malware nor AVG Anti-Virus found or identified this file. Is this something I should delete as well?

Any other suggestions so this doesn't come back? No financial or sensitive info was stored or accessed from this computer. I never save any passwords and always clear Firefox private data on exit. IE is only used when absolutely necessary.

--BB

#4 Budapest

Posted 01 October 2008 - 02:20 AM

Any suspicious files can be uploaded at Jotti for analysis.

Please download ATF Cleaner by Atribune & save it to your desktop (alternate download link). DO NOT use yet.
Please download and install SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.)
  • Under the "Configuration and Preferences", click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.


#5 bigbrew (Topic Starter)

Posted 01 October 2008 - 02:44 AM

Jotti did not find anything on the tdssservers.dat file.

I will download SUPERAntiSpyware Free and ATF Cleaner tomorrow when I have a faster connection.

Something I previously neglected to share: On boot-up (prior to using Malwarebytes' Anti-Malware) I found that the Windows Firewall was disabled. I re-enabled it and it has been running fine since.

#6 bigbrew (Topic Starter)

Posted 02 October 2008 - 02:34 AM

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 10/02/2008 at 00:10 AM

Application Version : 4.21.1004

Core Rules Database Version : 3584
Trace Rules Database Version: 1572

Scan type : Complete Scan
Total Scan Time : 02:37:43

Memory items scanned : 155
Memory threats detected : 0
Registry items scanned : 5253
Registry threats detected : 0
File items scanned : 55309
File threats detected : 16

Adware.Tracking Cookie
.doubleclick.net [ C:\Documents and Settings\<name>\Application Data\Mozilla\Firefox\Profiles\by82jffb.default\cookies.txt ]
stats.manticoretechnology.com [ C:\Documents and Settings\<name>\Application Data\Mozilla\Firefox\Profiles\by82jffb.default\cookies.txt ]
.2o7.net [ C:\Documents and Settings\<name>\Application Data\Mozilla\Firefox\Profiles\by82jffb.default\cookies.txt ]
.2o7.net [ C:\Documents and Settings\<name>\Application Data\Mozilla\Firefox\Profiles\by82jffb.default\cookies.txt ]
stat.onestat.com [ C:\Documents and Settings\<name>\Application Data\Mozilla\Firefox\Profiles\by82jffb.default\cookies.txt ]
.keywordmax.com [ C:\Documents and Settings\<name>\Application Data\Mozilla\Firefox\Profiles\by82jffb.default\cookies.txt ]
stat.onestat.com [ C:\Documents and Settings\<name>\Application Data\Mozilla\Firefox\Profiles\by82jffb.default\cookies.txt ]
statse.webtrendslive.com [ C:\Documents and Settings\<name>\Application Data\Mozilla\Firefox\Profiles\by82jffb.default\cookies.txt ]
.qksrv.net [ C:\Documents and Settings\<name>\Application Data\Mozilla\Firefox\Profiles\by82jffb.default\cookies.txt ]
.mediaplex.com [ C:\Documents and Settings\<name>\Application Data\Mozilla\Firefox\Profiles\by82jffb.default\cookies.txt ]
.qksrv.net [ C:\Documents and Settings\<name>\Application Data\Mozilla\Firefox\Profiles\by82jffb.default\cookies.txt ]
.apmebf.com [ C:\Documents and Settings\<name>\Application Data\Mozilla\Firefox\Profiles\by82jffb.default\cookies.txt ]
.apmebf.com [ C:\Documents and Settings\<name>\Application Data\Mozilla\Firefox\Profiles\by82jffb.default\cookies.txt ]
.advertising.com [ C:\Documents and Settings\<name>\Application Data\Mozilla\Firefox\Profiles\by82jffb.default\cookies.txt ]
.advertising.com [ C:\Documents and Settings\<name>\Application Data\Mozilla\Firefox\Profiles\by82jffb.default\cookies.txt ]
.advertising.com [ C:\Documents and Settings\<name>\Application Data\Mozilla\Firefox\Profiles\by82jffb.default\cookies.txt ]

--BB

#7 bigbrew (Topic Starter)

Posted 02 October 2008 - 01:53 PM

What's my next step?

--BB

#8 Budapest

Posted 02 October 2008 - 03:51 PM

Run a new Malwarebytes scan and let us know how your computer is now.

#9 bigbrew (Topic Starter)

Posted 03 October 2008 - 03:23 PM

Until today, the system seemed fine. No browser redirects or any other strangeness.

Updated the Malwarebytes program, then the computer stopped responding in normal mode. I rebooted in safe mode and ran a new Malwarebytes scan, then AVG Antivirus Free. Logs of both follow.

Malwarebytes' Anti-Malware 1.28
Database version: 1225
Windows 5.1.2600 Service Pack 2

10/3/2008 11:59:33 AM
mbam-log-2008-10-03 (11-59-00).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 102380
Time elapsed: 2 hour(s), 27 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP217\A0021156.sys (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\tdssservers.dat (Trojan.Agent) -> No action taken.


AVG7 Free Edition
"Report name" "Complete Test"
"Start time" "10/3/2008 12:00:28 PM"
"End time" "10/3/2008 12:48:27 PM (total: 47:58.4 Min)"
"Launch method" "Scanning launched manually"
"Scanning result" "No threats found"
"Report status" "Scanning completed successfully"
"Object summary"
"Scanned" "58319"
"Threats Found" "0"
"Cleaned" "0"
"Moved to vault" "0"
"Deleted" "0"
"Errors" "0"
"C:\WINDOWS\system32\kernel32.dll" "Change" "Changed"
"C:\WINDOWS\system32\user32.dll" "Change" "Changed"
"C:\WINDOWS\system32\shell32.dll" "Change" "Changed"
"C:\WINDOWS\system32\ntoskrnl.exe" "Change" "Changed"

Rebooted back into normal mode, all seems OK. I'll run a new Malwarebytes scan and see what turns up.

#10 DaChew
    Visiting Alien
  • Members
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 03 October 2008 - 03:37 PM

http://www.bleepingcomputer.com/forums/ind...mp;#entry948242

SDFix is quite complicated but may help with that rootkit

Try to follow the directions exactly and completely
Chewy

No. Try not. Do... or do not. There is no try.

#11 bigbrew (Topic Starter)

Posted 03 October 2008 - 05:25 PM

I ran SDFix per the instructions. Here's the log:

SDFix: Version 1.230
Run by Jason on Fri 10/03/2008 at 03:11 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Name :
tdssserv

Path :
\systemroot\system32\drivers\TDSSserv.sys

tdssserv - Deleted



Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\1.tmp - Deleted
C:\WINDOWS\system32\1.tmp - Deleted
C:\WINDOWS\antiv.exe - Deleted
C:\WINDOWS\system32\autorun.ini - Deleted





Removing Temp Files

ADS Check :


Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-03 15:16:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\System32\\usmt\\migwiz.exe"="C:\\WINDOWS\\System32\\usmt\\migwiz.exe:*:Enabled:Files and Settings Transfer Wizard"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe:*:Enabled:AVG Free Control Center"
"C:\\Program Files\\Grisoft\\AVG Free\\avgw.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgw.exe:*:Enabled:AVG Free Edition for Windows"
"C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\WINDOWS\\system32\\drivers\\svchost.exe"="C:\\WINDOWS\\system32\\drivers\\svchost.exe:*:Disabled:svchost"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Tue 4 Jul 2006 1,024 A..HR --- "C:\WINDOWS\system32\NTIBUN4.dll"
Tue 4 Jul 2006 1,024 ...HR --- "C:\WINDOWS\system32\NTICDMK7.dll"
Tue 4 Jul 2006 1,024 A..HR --- "C:\WINDOWS\system32\NTIFCD3.dll"
Tue 8 Aug 2006 1,024 ...HR --- "C:\WINDOWS\system32\NTIMP3.dll"
Tue 4 Jul 2006 1,024 A..HR --- "C:\WINDOWS\system32\NTIMPEG2.dll"
Fri 16 Feb 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Mon 13 Nov 2006 319,456 A..H. --- "C:\Program Files\Common Files\Motorola Shared\MotPCSDrivers\difxapi.dll"
Fri 12 Sep 2008 618,048 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\3bf677da513c92756c056a5a72822416\BIT2.tmp"

Finished!

An additional note: the original problem of redirected searches (go.google.com and go.yahoo.com links instead of real search links) has not recurred.

Edited by bigbrew, 03 October 2008 - 06:22 PM.


#12 DaChew

Posted 04 October 2008 - 08:15 AM

Let's update MBAM and run another quick scan

I hate to think how many thousands of computers have been reloaded with this rootkit/back door trojan

#13 rm5
  • Members
  • 1 posts

Posted 04 October 2008 - 04:27 PM

I had the same infection I think. To fix it I used Malware Bytes (current version as of 27th Sep), then I scanned with F-Secure Blacklight (since that was one of the sites that was blocked when I was infected), and I used Sophos' Rootkit Revealer but that just tells you what you've got, it didn't have any delete or quarantine options.
MOST IMPORTANTLY I found a phony "svchost.exe" in startup items when I ran msconfig so I unchecked that.

Those steps fixed everything for me, although I still have no idea how I may have become infected.
Hopefully this might help others.

Cheers.

#14 bigbrew (Topic Starter)

Posted 06 October 2008 - 10:52 AM

Computer is totally* unresponsive if booted into normal mode. Task manager doesn't even respond correctly. I can log on to the web, but Firefox and IE6 do not start. I reran SDFix but nothing was found. AVG7 Free Antivirus finds nothing when run from safe mode.

The svchost.exe thing shows up multiple times in task manager processes, all with the same memory usage, 4128K or something like that.

Is there a link for downloading MBAM updates manually?


*hyperbole

Edited by bigbrew, 06 October 2008 - 11:57 AM.


#15 Budapest

Posted 06 October 2008 - 04:02 PM

MBAM definitions can be downloaded using this file:

http://www.malwarebytes.org/mbam/database/mbam-rules.exe