
Have I succeeded, at long last?


  • This topic is locked
1 reply to this topic

#1 2Gud2BeTrue

2Gud2BeTrue

  • Members
  • 1 posts

Posted 16 November 2008 - 06:48 PM

Hi,

I am wondering how best to confirm if I've removed some malware.

Firstly, the symptoms I originally noticed were...

1) Google search redirected to go.google.com or suchlike
2) Larger than usual text size on the search results. Doesn't match my browser default
3) Problems accessing certain websites and AVG, etc.
4) Inability to run various programs such as malwarebytes without renaming them.
5) Some occasional pop-up boxes talking about Anti-Virus 2009.

I've looked at various posts suggesting different methods and after trying...

1) Malwarebytes
2) SDFix
3) GMER
4) SVV
5) Rootkitrevealer

...and others, I think SDFix and GMER may have done the trick, but I'm getting some mixed results. Malwarebytes detected 5 entries and removed them, but it just came straight back.

SDFix and GMER were the last tools used. I executed SDFix as Administrator in safe mode. I found that after the first reboot, it wanted a second reboot, having detected TDSS. It didn't fire up again automatically after the reboot, so I started it manually and selected F as suggested in some posts. It then ran to completion. After this, GMER was still finding issues, so I figured it had failed. I then rebooted normally expecting the problem to still be there, but was surprised when things were OK.

I can now get results in Google OK, and the text size looks familiar. I'm also OK with AVG updates again.

However, GMER continued to report various issues around services, all named TDSS. It did so quickly, before the full scan, and I then found that I could delete the service in GMER, close GMER and re-open it, and at each restart a different service name would be identified. GMER wouldn't be able to find the underlying directory/files for the service when they were deleted. Now, having done a full scan, it still reports some TDSS stuff, but isn't flagging them as rootkits. Eventually, it found nothing, and I then put it into full scan.

I can also see TDSS items in regedit and found one TDSS file in windows\system32, which AVG nailed when I clicked on it. Please don't ask why I did that. It's late.

SVV continues to report "deepred" status and says that:

ntoskrnl.exe not found
kernel32.dll 7c800000 - 7c8f5000 suspected verdict 5
USER32.DLL 7e410000 - 7e4a0000 suspected verdict 5

So on the face of it, it looks OK/better, but I have the feeling I've done no more than wound it and it will make a comeback at some point. So a couple of questions...

1) Can you advise if I need to do any more?
2) Does this trojan compromise passwords, etc., or just p*ss you off? I'm not sure when I picked it up, but I think it was quite recently.

I've now installed SpywareBlaster to the machine.

Thanks in advance for your help.

Not sure why, but I attach a HijackThis log which I hope is helpful.

Attached Files


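The post above describes the classic TDSS symptom set: service entries named TDSS* that reappear under a new name each time one is deleted, and whose driver files GMER cannot locate on disk. As an added example (not part of the original post, nor any tool the poster used), the following PowerShell script walks HKLM\SYSTEM\CurrentControlSet\Services, resolves each entry's ImagePath to a real path, and reports entries whose binary is missing or whose name matches a pattern. The name pattern (`^TDSS`), the set of path-normalisation rules, and the output columns are assumptions chosen for illustration.

```powershell
# Added example, not from the original post. Lists service/driver registry
# entries whose on-disk binary is missing, or whose name matches a pattern.
# The default pattern '^TDSS' is an assumption based on the service names
# reported by GMER in the post; adjust it to whatever your scanner reports.
param(
    [string]$NamePattern = '^TDSS'
)

$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

Get-ChildItem -Path $servicesKey | ForEach-Object {
    $name  = $_.PSChildName
    $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
    $imagePath = $props.ImagePath
    if (-not $imagePath) { return }   # skip entries with no binary at all

    # Normalise the path forms commonly seen for kernel drivers and services:
    #   "C:\...\x.exe"                      -> C:\...\x.exe   (strip quotes)
    #   \SystemRoot\system32\drivers\x.sys  -> C:\Windows\system32\drivers\x.sys
    #   \??\C:\...\x.sys                    -> C:\...\x.sys
    #   system32\drivers\x.sys              -> C:\Windows\system32\drivers\x.sys
    $p = $imagePath -replace '^"(.*)"$', '$1'
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    $p = $p -replace '^\\\?\?\\', ''
    if ($p -match '^system32\\') { $p = Join-Path $env:SystemRoot $p }
    # Drop trailing arguments (e.g. "svchost.exe -k netsvcs") before testing.
    if ($p -match '^(.*?\.(exe|sys|dll))\b') { $p = $Matches[1] }

    $missing = -not (Test-Path -LiteralPath $p)
    $nameHit = $name -match $NamePattern

    if ($missing -or $nameHit) {
        [pscustomobject]@{
            Service   = $name
            ImagePath = $imagePath
            Resolved  = $p
            Start     = $props.Start   # 0=boot,1=system,2=auto,3=manual,4=disabled
            Type      = $props.Type    # 1=kernel driver, 2=FS driver, 16/32=Win32
            Reason    = if ($nameHit -and $missing) { 'name match; binary missing' }
                        elseif ($nameHit)            { 'name match' }
                        else                         { 'binary missing' }
        }
    }
} | Format-Table -AutoSize
```

Run it from an elevated prompt. Treat an empty result with caution: a rootkit that hooks registry and file-system access, which is exactly the behaviour GMER reported in the post (services visible, files not), can hide its own keys and files from any script running on the live system. A negative result is only meaningful when the same enumeration is repeated from a clean boot environment (e.g. mounting the offline SYSTEM hive with `reg load`) and the two listings agree.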


#2 jedi

jedi

  • Members
  • 274 posts
  • Gender:Male
  • Location:UK

Posted 05 December 2008 - 09:38 AM

Hi,

Sorry about the wait, we’re very busy. If you still need help please post a fresh HiJackThis log and I will review it.

jedi



