Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Unknown trojan, completely locked down PC

  • Please log in to reply
10 replies to this topic

#1 MCHolden


  • Members
  • 7 posts
  • Local time:08:37 PM

Posted 29 December 2008 - 10:09 PM

Hello all,

First, thanks for looking at my post, it's my first at this site. Second, I have to apologize - I've already done a lot of cowboy "delete first and ask questions later" stuff in the process of trying to fix it. I work on PC's every day and I'm used to dealing with malware, spyware, hijackers, trojans, etc. but I haven't run into anything like this before. So here's the problem and my attempts at a solution in great detail:

So the problem started out as a rogue spyware program on my buddy's PC. He said he was getting a message from the system tray that he was infected with a zillion trojans, and he needed to click here to scan, which he did. It "scanned" the computer and came up with all kinds of "infections" and of course asked him for like 50 bucks to purchase the software and fix them, at which point he figured out it was all bogus. Now he's got nonstop phony trojan/virus alerts and his browser is hijacked, which is where I come in. I see this all the time so I'm not expecting any problem.

The first thing I try is to run AVG Free to scan for the trojan, but I can't get AVG Free to update virus definitions, which are now 27 days old at this point. It doesn't work through the program interface, and when I try to go to grisoft.com to get them, I get a page not found error. I even downloaded them from another PC, put them on a flash drive, and tried manually updating that way but AVG just says there is no update file in the folder specified.

I decide to hop on google and see what's what. But every time I click on a link I get redirected to one of many different fake search engines or similar sites. So I have to resort to actually copying the link from the google search results and pasting them into the address bar. But even then, sites I actually need like grisoft.com, mcafee.com, trendmicro.com, and even bleepingcomputer.com come up with page not found errors. I check the hosts file for strange entries but nothing is there except some Spybot entries. I delete the hosts file anyway but I'm still getting redirected.

Now I try safe mode. AVG still won't update, the browser is still hijacked (or at least redirecting me), and I can't even run Hijack This to see what's going on. It just sits in the task manager for about ten minutes with zero processor usage and eventually disappears. Malwarebytes Anti-Malware installation does the same thing. Smitfraudfix.exe just flat crashes. Ad-aware won't update, neither will Spybot. And on and on and on...

Now here's where you're going to hate me. I go to the task manager and look for anything strange. I see an executable that is just a string of numbers, something like 213986723.exe and decide it's got to go. I kill it, then search the registry for anything with that string and delete those entries, and do the same in explorer. Problem is, I don't remember what it was called! I also figure out that I can get Hijack This to run if I rename the executable. So I run it and fix any entries I don't recognize (the good news is I have before and after logs so I can actually show you what I removed if you like). On top of that, I finally figure out one thing that I can run, CWShredder. I run it and it finds and removes two entries. Again, I don't remember which ones they were. Go ahead and kill me now.

In any case, the mystery executable is no longer in the task manager and I'm no longer being hounded about scanning my PC for trojans. However, all the other problems are still here: hijacked browser, DNS redirects, can't run or update any kind of useful anti-virus or anti-malware programs, and safe mode doesn't make one bit of difference!

So that's where I'm at. I'm pasting my DDS file. I don't see the attachments section or I'd attach "attach.txt" as well, am I missing something? If anyone has any suggestions, I'm all ears!

Thanks again!

DDS (Version 1.1.0) - NTFSx86
Run by Admin1 at 19:40:55.90 on Mon 12/29/2008
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.767.439 [GMT -6:00]

AV: AVG 7.5.552 *On-access scanning enabled* (Outdated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
C:\Documents and Settings\Admin1\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
mDefault_Page_URL = hxxp://www.yahoo.com/
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [AdobeUpdater] c:\program files\common files\adobe\updater5\AdobeUpdater.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [AVG7_CC] c:\progra~1\grisoft\avgfre~1\avgcc.exe /STARTUP
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd.exe"
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
dRun: [AVG7_Run] c:\progra~1\grisoft\avgfre~1\avgw.exe /RUNONCE
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: aol.com\free
Trusted Zone: turbotax.com
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admin1\applic~1\mozilla\firefox\profiles\4799uj9a.default\

============= SERVICES / DRIVERS ===============

R1 Avg7Core;AVG7 Kernel;c:\windows\system32\drivers\avg7core.sys [2007-1-18 821856]
R1 Avg7RsW;AVG7 Wrap Driver;c:\windows\system32\drivers\avg7rsw.sys [2007-1-18 4224]
R1 Avg7RsXP;AVG7 Resident Driver XP;c:\windows\system32\drivers\avg7rsxp.sys [2007-1-18 27776]
R1 AvgClean;AVG7 Clean Driver;c:\windows\system32\drivers\avgclean.sys [2007-1-18 10760]
R2 aawservice;Lavasoft Ad-Aware Service;"c:\program files\lavasoft\ad-aware\aawservice.exe" [2008-5-12 611664]
R2 Avg7Alrt;AVG7 Alert Manager Server;c:\progra~1\grisoft\avgfre~1\avgamsvr.exe [2007-1-18 418816]
R2 Avg7UpdSvc;AVG7 Update Service;c:\progra~1\grisoft\avgfre~1\avgupsvc.exe [2007-1-18 49664]
R2 AVGEMS;AVG E-mail Scanner;c:\progra~1\grisoft\avgfre~1\avgemc.exe [2007-1-18 406528]
R2 AvgTdi;AVG Network Redirector;c:\windows\system32\drivers\avgtdi.sys [2007-1-18 4960]
R2 WinDefend;Windows Defender;"c:\program files\windows defender\MsMpEng.exe" [2006-11-3 13592]

=============== Created Last 30 ================

2008-12-29 18:24 <DIR> --d----- c:\windows\pss
2008-12-29 18:21 <DIR> --d----- c:\program files\Trend Micro
2008-12-26 10:11 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Solt Lake Software

==================== Find3M ====================

2008-10-23 07:01 283,648 a------- c:\windows\system32\gdi32.dll
2008-10-16 14:38 826,368 a------- c:\windows\system32\wininet.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-10-03 04:15 247,326 a------- c:\windows\system32\strmdll.dll
2008-07-21 18:11 4,898,144 a------- c:\program files\LimeWireWin.exe
2008-06-27 15:30 2,218,368 a------- c:\program files\AROTrial.exe

============= FINISH: 19:42:27.67 ===============

BC AdBot (Login to Remove)


#2 MCHolden

  • Topic Starter

  • Members
  • 7 posts
  • Local time:08:37 PM

Posted 29 December 2008 - 10:23 PM

I wanted to mention these little clues as well:

There is a folder called AntiSpywareMaster under C:\Program Files. It is currently empty but it may have been part of the problem at one point.

The bogus spyware alerts were coming from a program called System Security. It put an icon on the desktop that looks almost exactly like the Windows Update yellow shield you see in the system tray on a Windows XP machine. I'm pretty sure I've obliterated everything having to do with that program but that might help you somehow.

Every time I would reboot, a window called "Common" would pop up. It is also located under C:\Program Files. There were four files in there, all of which I deleted, along with the folder itself. The folder recreated itself but the files inside did not. It continued popping up every reboot until I renamed it to "Commons" and it no longer opens.

At one point I went to check the exceptions in Windows Firewall, but when I went to open it, it said that it was disabled. I worked on this very PC about about six weeks ago and I know it was enabled, so something turned it off. I re-enabled it and so far it has remained that way.

Hope any of that helps at all.

#3 MCHolden

  • Topic Starter

  • Members
  • 7 posts
  • Local time:08:37 PM

Posted 29 December 2008 - 10:28 PM

And one last thing, I just looked through my "before" Hijack This log, and one of the files in the C:\Program Files\Common folder mentioned above was called _helper.dll. Like I said, it's gone now but if there's any chance that helps, I figure it doesn't hurt to post it.

#4 MCHolden

  • Topic Starter

  • Members
  • 7 posts
  • Local time:08:37 PM

Posted 16 January 2009 - 10:47 AM

Okay I gave up waiting for help after 2.5 weeks and just popped the drive into another system and scanned it that way. Avira found about a dozen infected .dll files related to multiple different trojans but the real find was that a rootkit was installed. Very nasty. No wonder I couldn't do anything even in safe mode. After deleting the infected files I popped the drive back in an voila, everything was working normally. I updated and ran scans with AVG, Ad-Aware, Spybot, and MBAM, and each of them found more files, folders, registry keys, etc. Everything seems clear now and it's working like a charm. Just in case this might help somebody else, here is the MBAM log. I'll post the Avira log (which shows the rootkit) when I get back to the PC I used to scan it.

Malwarebytes' Anti-Malware 1.33
Database version: 1656
Windows 5.1.2600 Service Pack 3

1/15/2009 8:10:06 PM
mbam-log-2009-01-15 (20-10-06).txt

Scan type: Quick Scan
Objects scanned: 47149
Time elapsed: 5 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 12
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 4
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\main.bho (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\main.bho.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{986a8ac1-ab4d-4f41-9068-4b01c0197867} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{8e3c68cd-f500-4a2a-8cb9-132bb38c3573} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{a0e1054b-01ee-4d57-a059-4d99f339709f} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\AntiSpywareMaster (Rogue.AntiSpywareMaster) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MediaHoldings (Adware.PlayMP3Z) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Solt Lake Software (Rogue.ProAntispyware2009) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\AntiSpywareMaster (Rogue.AntiSpywareMaster) -> Quarantined and deleted successfully.
C:\Documents and Settings\Admin1\Start Menu\Programs\System Security (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Solt Lake Software (Rogue.ProAntispyware2009) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Solt Lake Software\Pro Antispyware 2009 (Rogue.ProAntispyware2009) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Admin1\Start Menu\Programs\System Security\System Security.lnk (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSlxcp.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSS51c4.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSkkai.log (Trojan.TDSS) -> Quarantined and deleted successfully.

#5 MCHolden

  • Topic Starter

  • Members
  • 7 posts
  • Local time:08:37 PM

Posted 19 January 2009 - 12:10 PM

...and the Avira log as promised (remember I ran this one BEFORE MBAM):

Avira AntiVir Personal
Report file date: Thursday, January 15, 2009 17:53

Scanning for 1210079 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 3) [5.1.2600]
Boot mode: Normally booted
Username: -------
Computer name: -------

Version information:
BUILD.DAT : 16934 Bytes 11/18/2008 13:05:00
AVSCAN.EXE : 315649 Bytes 11/18/2008 15:21:26
AVSCAN.DLL : 40705 Bytes 5/26/2008 14:56:40
LUKE.DLL : 164097 Bytes 6/12/2008 19:44:19
LUKERES.DLL : 12033 Bytes 5/26/2008 14:58:52
ANTIVIR0.VDF : 15603712 Bytes 10/27/2008 18:30:36
ANTIVIR1.VDF : 2817536 Bytes 1/14/2009 03:56:10
ANTIVIR2.VDF : 2048 Bytes 1/14/2009 03:56:11
ANTIVIR3.VDF : 106496 Bytes 1/14/2009 03:56:12
Engineversion :
AEVDF.DLL : 102772 Bytes 10/14/2008 17:05:56
AESCRIPT.DLL : 340348 Bytes 1/10/2009 00:05:43
AESCN.DLL : 123251 Bytes 11/7/2008 22:06:41
AERDL.DLL : 438645 Bytes 11/4/2008 20:58:38
AEPACK.DLL : 393588 Bytes 1/10/2009 00:05:41
AEOFFICE.DLL : 196987 Bytes 1/2/2009 19:21:28
AEHEUR.DLL : 1532280 Bytes 1/10/2009 00:05:39
AEHELP.DLL : 119159 Bytes 1/2/2009 19:21:23
AEGEN.DLL : 323956 Bytes 1/2/2009 19:21:22
AEEMU.DLL : 393588 Bytes 10/14/2008 17:05:56
AECORE.DLL : 172405 Bytes 1/2/2009 19:21:21
AEBB.DLL : 53618 Bytes 10/14/2008 17:05:56
AVWINLL.DLL : 15105 Bytes 7/9/2008 15:40:05
AVPREF.DLL : 38657 Bytes 5/16/2008 16:28:01
AVREP.DLL : 98344 Bytes 7/31/2008 19:02:15
AVREG.DLL : 33537 Bytes 5/9/2008 18:26:40
AVARKT.DLL : 307457 Bytes 2/12/2008 15:29:23
AVEVTLOG.DLL : 119041 Bytes 6/12/2008 19:27:49
SQLITE3.DLL : 339968 Bytes 1/23/2008 00:28:02
SMTPLIB.DLL : 28929 Bytes 6/12/2008 19:49:40
NETNT.DLL : 7937 Bytes 1/25/2008 19:05:10
RCIMAGE.DLL : 2371841 Bytes 6/12/2008 20:48:07
RCTEXT.DLL : 86273 Bytes 6/27/2008 20:34:37

Configuration settings for the scan:
Jobname..........................: ShlExt
Configuration file...............: C:\DOCUME~1\Aaron\LOCALS~1\Temp\644733e8.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: F:,
Process scan.....................: off
Scan registry....................: off
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Thursday, January 15, 2009 17:53

Starting the file scan:

Begin scan in 'F:\'
F:\Documents and Settings\All Users\Documents\My Music\Sample Music\Saving Abel - She Got Over Me.mp3
[DETECTION] Contains recognition pattern of the EXP/ASF.GetCodec.Gen exploit
[NOTE] The file was deleted!
[WARNING] The file could not be opened!
[WARNING] The file could not be opened!
[WARNING] The file could not be opened!
[WARNING] The file could not be opened!
[DETECTION] Contains a recognition pattern of the (harmful) BDS/TDSS.adb back-door program
[NOTE] The file was deleted!
[DETECTION] Is the TR/TDss.AT.518 Trojan
[NOTE] The file was deleted!
[DETECTION] Contains a recognition pattern of the (harmful) BDS/TDSS.JW back-door program
[NOTE] The file was deleted!
[DETECTION] Contains a recognition pattern of the (harmful) BDS/TDSS.acs back-door program
[NOTE] The file was deleted!
[DETECTION] Contains recognition pattern of the RKIT/TDss.G.22 root kit
[NOTE] The file was deleted!
[DETECTION] Contains recognition pattern of the RKIT/TDss.G.22 root kit
[NOTE] The file was deleted!
[DETECTION] Contains a recognition pattern of the (harmful) BDS/TDSS.JW back-door program
[NOTE] The file was deleted!
[DETECTION] Contains a recognition pattern of the (harmful) BDS/TDSS.adb back-door program
[NOTE] The file was deleted!
[DETECTION] Contains a recognition pattern of the (harmful) BDS/TDSS.acs back-door program
[NOTE] The file was deleted!
[DETECTION] Contains a recognition pattern of the (harmful) BDS/TDSS.KD back-door program
[NOTE] The file was deleted!

End of the scan: Thursday, January 15, 2009 18:15
Used time: 22:20 Minute(s)

The scan has been done completely.

2503 Scanning directories
148714 Files were scanned
12 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
12 files were deleted
0 files were repaired
0 files were moved to quarantine
0 files were renamed
4 Files cannot be scanned
148698 Files not concerned
829 Archives were scanned
4 Warnings
12 Notes

#6 Classie83


  • Members
  • 19 posts
  • Local time:08:37 PM

Posted 19 January 2009 - 04:05 PM

Wow, no1 replied to this yet? I wonder why. I'm in no way shape or form an expert, but you definitely have a TDSS rootkit infection. I could not access any tech websites either, but I finally figured out how to disable the rootkit. Once I did that, I was able to jump on this forum and ask for more assistance in cleaning up my comp. No I'm just finishing up the cleansing with help from one of the experts here.

Here's my thread. As I stated, I was able to disable the TDSS rootkit via device manager myself. http://www.bleepingcomputer.com/forums/t/196267/tdss-problems/ PM me if you want me to go into detail if an expert doesn't help.

#7 extremeboy


  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:09:37 PM

Posted 19 January 2009 - 06:22 PM


It's not that we don't want to reply, it's because you bumped your topic way too much, and we think that someone is already helping you and therefore does not need attention anymore.

A few things I need to mention here..

1) Do not post DDS logs in this forum. They do not belong here. They belong in the Hijackthis malware Removal forum located over here.

2) Once you post here, you should wait and instead of bumping your topic 4-5 times. If you have anything to add, try to post it all in once or edit your post if you need to.


You may have tried to disabled the rootkit using what ever method it was but it didn't work. From the GMER log, the TDSSserv infection is still active. Also, you shouldn't tell members to Pm you. This is what the forums are for. Posting here you can let others learn and including yourself learn more. I still learn more and more just by watching and testing things myself.


Let's start off with MBAM again and a rootkit scan to see what is left. Also, what problems do you still have?

Download and run MalwareBytes Anti-Malware(Full Scan)

Please download Malwarebytes Anti-Malware and save it to your desktop if you lost your copy and need to install it, otherwise skip the installation step and continue with the Full Scan.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link

Download and Run Scan with GMER

We will use GMER to scan for rootkits.
  • Download gmer.zip and save to your desktop.
    Alternate Download Site 1
  • Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.
  • When you have done this, disconnect from the Internet and close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Click the >>>
  • Click on Settings, then check the first five settings:
    • System Protection and Tracing
    • Processes
    • Save created processes to the log
    • Drivers
    • Save loaded drivers to the log
  • You will be prompted to restart your computer. Please do so.
After the reboot, run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for Show All.
  • Click on the Scan and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan. You will know that the scan is done when the Stop buttons turns back to Scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose New>Text document. Once the file is created, open it and right-click again and choose Paste. Save the file as gmer.txt and copy the information in your next reply.
If GMER doesn't work in Normal Mode try running it in Safe Mode

Important!:Please do not select the Show all checkbox during the scan..

Post back with:
-MBAM log
-GMER log
-What problems do you still have?

With Regards,
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#8 MCHolden

  • Topic Starter

  • Members
  • 7 posts
  • Local time:08:37 PM

Posted 20 January 2009 - 10:44 AM

My bad, I didn't realize DDS logs weren't for this forum. I even read the forum guidelines, but I guess not closely enough. I wasn't trying to bump my topic, at least not intentionally... I made all three posts within a half hour of each other which I thought would be okay. I didn't realize I could just edit the post, duh. Sorry bout that and thanks for looking!

The PC I was working on has been returned to its owner so I can't post any logs for you. However, I am working on another PC right now that appears to have a very similar problem, can I post here or should I start a new thread?

Edited by MCHolden, 20 January 2009 - 10:46 AM.

#9 extremeboy


  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:09:37 PM

Posted 20 January 2009 - 03:44 PM

Sure, you can post it here.

Describe any problems you have and run MBAM and GMER scan for me please.

With Regards,
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#10 MCHolden

  • Topic Starter

  • Members
  • 7 posts
  • Local time:08:37 PM

Posted 23 January 2009 - 10:46 AM

Well the owner of the PC has now asked that I just wipe the drive and re-install windows. =) But rest assured, I'll be back for more help in the future. Thanks and keep up the great work!

#11 extremeboy


  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:09:37 PM

Posted 23 January 2009 - 04:05 PM

No Problem. Reinstall and format will make sure everything is gone. You are probably clean now. Below is some information to prevent future infections.

Preventing Infections in the Future

Please also have a look at the following links, giving some advice and Tips to protect yourself against malware and reduce the potential for re-infection:
  • Avoid gaming sites, underground web pages, pirated software sites, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications. Read P2P Software User Advisories and Risks of File-Sharing Technology.
Disable Autorun on Flash-Drive/Removable Drives

When is AUTORUN.INF really an AUTORUN.INF?

USB worms work by creating a file called AUTORUN.INF on the root of USB drives. These INF files then use Autorun or Autoplay (not the same thing!) to execute themselves either when the stick is inserted, or more commonly, when the user double-clicks on the USB drive icon from My Computer (Windows Explorer)...

Keeping Autorun enabled on USB and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. Read USB-Based Malware Attacks and Please disable Autorun asap!.

If using Windows Vista, please refer to:
"Disable AutoPlay in Windows Vista"
"Preventing AutoPlay with Local Group Policy Editor or AutoPlay options panel"

Note: When Autorun is disabled, double-clicking a drive which has autorun.inf in its root directory may still activate Autorun so be careful.

Vist the WindowsUpdate Site Regularly

I recommend you regularly visit the Windows Update Site!
  • Lots of Hacking/Trojans use the methods found (plugged by the updates) that have not been stopped by people not updating.
  • By updating your machine, you have one less headache! Posted Image
  • Update ALL Critical updates and any other Windows updates for services/programs that you use.
  • If you wish, you can also use automatic updates. This is a good thing to have if you want to be up-to-date all the time, but can also be a bit of an annoyance due to its handling and the sizes of the updates. If you wish to turn on automatic updates then you will find here is a nice little article about turning on automatic updates.
  • Note that it will download them for you, but you still have to actually click install.
  • If you do not want to have automatic updates turned on, or are on dial-up, you can always download updates seperately at: http://windowsupdate.microsoft.com.
Update Non-Microsoft Programs

It is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Additional Security Programs

For a nice list of freeware programmes in all categories, please have a look at this thread with freeware products that are regarded as useful by the users of this forum: Commonly Used Freeware Replacements.

Update all programs regularly - Make sure you update all the programs you have installed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.
Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:

Simple and easy ways to keep your computer safe and secure on the Internet

With Regards,

Edited by extremeboy, 23 January 2009 - 04:07 PM.

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users