
I think I may have TDss


8 replies to this topic

#1 annecliffyf

annecliffyf

  • Members
  • 5 posts
  • OFFLINE
  • Local time:02:01 PM

Posted 01 April 2009 - 12:13 AM

My Sophos AV kept popping up with various virus alerts. After searching the names, Tdss in particular, I became incredibly concerned and ran Avira, which came up with a log of trojans including:
agent.3254
agent.3261
TDss.66048
TDss.ror
Crypt.Zpack.gen
TR/Trash.gen

I have tried running Malwarebytes, but I cannot open the program. I tried renaming the program based on some advice I saw somewhere, but I still can't open it. I ran AVG Free but it didn't help much. I ran Sophos and it didn't eliminate anything. I'm now running Avira again because I think I might not have checked the box that said "deal with the infected files" the first time I ran it.

Any help would be appreciated, I'm concerned because in doing research it seems some of these viruses may be used for identity theft.

I want to try to remove the malware without having to reformat my drive, and I would like advice as to how concerned I should be about identity theft based on these results?

Thanks


#2 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:02:01 PM

Posted 01 April 2009 - 12:42 AM

I do not recommend that you have more than one antivirus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (real-time) protection switched on, then those products which do not encrypt the virus strings within them can cause other antivirus products to raise "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False Alarms: When the antivirus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to add/remove in the control panel and remove either xxxx or xxxx.


First let's go into safe mode and try to remove some of this infection

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download DrWeb-CureIt and save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on launch.exe to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore it and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All.
  • When complete, click Select All, then choose Cure > Move incurable.
    (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • Now put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and UNcheck "Heuristic analysis" under the "Scanning" tab, then click Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • When the scan is complete, a message will be displayed at the bottom indicating if any viruses were found.
  • Click "Yes to all" if asked to cure or move the file(s) and select "Move incurable".
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report.)

Chewy

No. Try not. Do... or do not. There is no try.

#3 annecliffyf

annecliffyf
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:02:01 PM

Posted 01 April 2009 - 08:05 PM

UAC2da3.tmp;C:\Documents and Settings\af6uw\Local Settings\Temp;Trojan.Starter.969;Incurable.Moved.;
3 Months Free NetZero.exe;C:\Program Files\Dell\Launcher\files;Trojan.Click.1487;Deleted.;
delfolder.exe;C:\Program Files\DellSupport\GTCoach;Trojan.MulDrop.30652;Deleted.;
delfolder.exe;C:\Program Files\WebCyberCoach\b_Dell;Trojan.MulDrop.30652;Deleted.;
Dc6.exe;C:\RECYCLER\S-1-5-21-2700749156-2290456567-988309283-1005;Trojan.Click.1487;Deleted.;
Process.exe;C:\SDFix\apps;Tool.Prockill;Incurable.Moved.;
sdra64.exe.XXX;C:\WINDOWS\system32;Trojan.PWS.Panda.114;Deleted.;
UACiavjkagr.dll.XXX;C:\WINDOWS\system32;BackDoor.Tdss.105;Deleted.;


Those are the results of the scan. I was unable to do it in safe mode because the computer would not let me log in, even though the login and password are for the administrator's account on my personal computer, so I had to perform the scan in normal mode. Thank you for your help so far. Where do we go now?
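
The report pasted above is one semicolon-separated record per detection. The following Python script is an added example for this thread (not one of the posts, and not Dr.Web's own code): it parses that layout, counts what CureIt deleted versus what it only quarantined, and flags the detection families (backdoor and password-stealer) that are the reason for the identity-theft advice that follows. The record layout `<file name>;<directory>;<detection>;<action>;` is inferred from the pasted lines; the risk prefixes and the embedded sample are assumptions and constructed input, as marked in the code.

```python
"""Triage helper for a Dr.Web CureIt report pasted as text.

Added example for this thread; not part of the thread's posts and not
Dr.Web's own code. The record layout is inferred from the lines the
poster pasted:  <file name>;<directory>;<detection>;<action>;
The risk prefixes and the sample report below are assumptions /
constructed input, as labelled.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed sample input: the eight report lines from post #3 of the thread.
SAMPLE_REPORT = r"""
UAC2da3.tmp;C:\Documents and Settings\af6uw\Local Settings\Temp;Trojan.Starter.969;Incurable.Moved.;
3 Months Free NetZero.exe;C:\Program Files\Dell\Launcher\files;Trojan.Click.1487;Deleted.;
delfolder.exe;C:\Program Files\DellSupport\GTCoach;Trojan.MulDrop.30652;Deleted.;
delfolder.exe;C:\Program Files\WebCyberCoach\b_Dell;Trojan.MulDrop.30652;Deleted.;
Dc6.exe;C:\RECYCLER\S-1-5-21-2700749156-2290456567-988309283-1005;Trojan.Click.1487;Deleted.;
Process.exe;C:\SDFix\apps;Tool.Prockill;Incurable.Moved.;
sdra64.exe.XXX;C:\WINDOWS\system32;Trojan.PWS.Panda.114;Deleted.;
UACiavjkagr.dll.XXX;C:\WINDOWS\system32;BackDoor.Tdss.105;Deleted.;
"""

# Assumed: detection-name prefixes whose presence justifies the "treat the
# machine as compromised, change passwords from a clean PC" advice given in
# the thread. "BackDoor." = remote control, "Trojan.PWS." = password stealer.
CREDENTIAL_RISK_PREFIXES = ("BackDoor.", "Trojan.PWS.")


@dataclass(frozen=True)
class ReportEntry:
    name: str       # file name as reported
    directory: str  # folder the file was found in
    detection: str  # Dr.Web detection name, e.g. "BackDoor.Tdss.105"
    action: str     # what CureIt did, e.g. "Deleted." or "Incurable.Moved."

    @property
    def family(self) -> str:
        """Detection family: the first two dotted components ("Trojan.Click")."""
        return ".".join(self.detection.split(".")[:2])

    @property
    def credential_risk(self) -> bool:
        """True for families that give an attacker control or credentials."""
        return self.detection.startswith(CREDENTIAL_RISK_PREFIXES)


def parse_report(text: str) -> list[ReportEntry]:
    """Parse semicolon-separated report lines; blank or malformed lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        fields = line.rstrip(";").split(";")
        if len(fields) != 4:
            continue  # not a record line (e.g. a stray remark pasted with the log)
        entries.append(ReportEntry(*fields))
    return entries


def triage(entries: list[ReportEntry]) -> dict:
    """Summarize what was removed, what was only quarantined, and which
    detections make the 'assume compromised' advice apply."""
    return {
        "by_action": dict(Counter(e.action for e in entries)),
        "by_family": dict(Counter(e.family for e in entries)),
        # "Moved" files were quarantined, i.e. relocated, not destroyed.
        "quarantined": [f"{e.directory}\\{e.name}" for e in entries
                        if "Moved" in e.action],
        "credential_risk": [e.detection for e in entries if e.credential_risk],
        # Detections inside the system folder deserve a closer look, since
        # that is where the rootkit component in this report was living.
        "in_system32": [e.name for e in entries
                        if e.directory.lower().endswith(r"\windows\system32")],
    }


if __name__ == "__main__":
    for key, value in triage(parse_report(SAMPLE_REPORT)).items():
        print(f"{key}: {value}")
```

Run on the sample above, the summary shows six entries deleted and two only moved to quarantine, and lists `Trojan.PWS.Panda.114` and `BackDoor.Tdss.105` under `credential_risk`; those two, both found in `C:\WINDOWS\system32`, are what turn a cleanup question into a password-rotation and reinstall decision.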

#4 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:02:01 PM

Posted 01 April 2009 - 08:08 PM

I should be about identity theft based on these results?


One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

Someone may still be able to clean this machine but we can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.
Chewy

No. Try not. Do... or do not. There is no try.

#5 annecliffyf

annecliffyf
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:02:01 PM

Posted 01 April 2009 - 08:31 PM

Thanks for the advice. I will go ahead and reformat my computer and change the passwords to financial info.

Since it might take me a few days to locate the Windows disks (I haven't used them for three years), do you think the viruses that were "incurable" and "moved" will continue to operate on my computer? Should I be concerned?

thanks again

#6 annecliffyf

annecliffyf
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:02:01 PM

Posted 01 April 2009 - 08:36 PM

Also, I have turned back on my computer after running the scan, and now my computer locks up after about a minute of being on. When I try to click on anything it just beeps at me... Do you know what might be causing this?

#7 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:02:01 PM

Posted 01 April 2009 - 08:50 PM

There are one or more nasty rootkits with this infection

UACiavjkagr.dll


Cureit only wounded it

Disabling Sophos and Avira might help; they are probably trying to fight a losing battle
Chewy

No. Try not. Do... or do not. There is no try.

#8 annecliffyf

annecliffyf
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:02:01 PM

Posted 01 April 2009 - 09:39 PM

OK, I've gone on a mission to find my Windows CDs now because I was able to get all of my data backed up after using Cureit. Previously it wouldn't let me burn a data CD, access a flash drive, or even upload to virtual drives online.

So, I have a couple other questions for after I reformat. Do you recommend any Anti-viral software since I should only have the one running?

What about for my Mac, the other computer in the house that saved me this time because I could still get the internet and find you guys here?

#9 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:02:01 PM

Posted 01 April 2009 - 10:04 PM

Avira Free is my favorite antivirus; Avast may have more layered protection but has a heavier footprint.

Mac infections are rare
Chewy

No. Try not. Do... or do not. There is no try.



