Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Removing System Security 4.52 [Moved]


  • Please log in to reply
16 replies to this topic

#1 killsecsys452

killsecsys452

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:03:34 AM

Posted 18 July 2009 - 02:46 PM

I have the virus System Security 4.52 on my Windows xp pc. This virus is unlike any I have ever heard of before. It acts as an antivirus scan and keeps popping up and saying that every process I try is infected.

It does allow me to go to IE and reach my email, allows certain sites eg hulu, comcast.net, but that is it. When I visit a site like removalinformation.com it hoses it up and I can't get there or I get to a site like shopzilla. I would appreciate any help and ideas that you can give.

1) I can't get to Task Mgr to stop the process. It says taskmgr.exe is infected. I tried doing ctrl-alt-del as the computer booted up and task manager flashed for a second, but then the virus took over again. I tried this several times with no luck. from run taskmgr it also says taskmgr.exe is infected.

2) I put malware bytes on a jump drive and was able to load it on the infected computer by changing the name to 6.0.1.mbrevenue.setup. Once I got it on the pc from the jump, I couldn't get it to run. THe virus gives the message that mbam.exe is infected. I got the advice on bleeping computer to change the name to mscan.scr or mscan.cmd and see if it works, but I then got the message that mscan.scr.exe is infected. I don't know how to get rid of that .exe extension when I rename it. It (.exe) doesn't show as part of the file name in the list of files. That's one possibility if anyone might know how I can eliminate that extension, maybe I can eventually run the malwarebytes.

2.5) I was able to load SpywareDoctor the same way as malware bytes above. The problem with this one is when I try to run it it says, C:Program Files\spywaredoctor\SDContextExt.dll
Unable to register the DLL/OCX:RegSur32 failed with exit code 0xFFFFFFFF retry/ignore/abort

3)I also searched removing system security 4.52 and found a removal guide in answers.yahoo and removemalware.net, etc. They gave a list of files to delete in addition to registry keys to delete, processes to kill, etc. All I could do was search on all of the files. Strange thing is though that I had none of those files they listed except I did find one systemsecurity.exe. I deleted it, but it made no difference whatsoever. There were a couple of other files, but there were about 4 occurences of each so i didn't dare to delete them (eg ntos.exe and usp10.dll and setupapi.dll).

4)I decided to go to Windows Explorer and search for strange files. I didn't find anything, but they all seem strange to me. I did find one file folder called "Bonjour" and I couldn't delete it. it contained mdnsNSP.dll and mDNSResponder, which can't be deleted.

5)Finally, I can't even get into safe mode. I press f8 and get to the choice for Safe mode, safe mode networking, SM w/command prompt, etc. But once I make the choice for Safe Mode, a page scrolls with a long list of lines that look like this...
multi(0)disk(0)rdlls(0)partition(2)Windows System32\drivers\iaoa.sys
Then after a minute it goes to Windows blue screen A problem has been detected and windows has been shut down to prevent damage to your computer...
Technical information: STOP: OXOOOOOOB4 (OxFFAOBAOO, OxFFA20000,OxFFAE000,Ox00050000)
I don't yet know if this mess happens when I chose other options of Safe Mode, like bootable, etc.

Any ideas on how to get rid of this thing?????
Thanks in advance.

BC AdBot (Login to Remove)

 


#2 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,911 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:03:34 AM

Posted 18 July 2009 - 11:37 PM

As no logs have been posted, I am shifting this topic from the specialized HiJack This forum to the Am I Infected forum.

==>PLEASE DO NOT NOW POST LOGS<== unless a log is specifically requested.
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 garmanma

garmanma

    Computer Masochist


  • Staff Emeritus
  • 27,809 posts
  • OFFLINE
  •  
  • Location:Cleveland, Ohio
  • Local time:03:34 AM

Posted 19 July 2009 - 04:35 PM

Please download and run Process Explorer

http://technet.microsoft.com/en-us/sysinte...s/bb896653.aspx

Under file and save as, create a log and post here

copy and paste into a reply
Mark
Posted Image
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#4 killsecsys452

killsecsys452
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:03:34 AM

Posted 20 July 2009 - 11:05 PM

Garmanma

Hi. Thank you for your help. I read somewhere about using Process Explorer, but I didn't know where to find it. I was able to download the procexp file to my desktop. The problem is however, that I cannot run it because the virus stops all .exe files. I tried running it from the technet website and it still stopped it from running. If I right click on the file and rename it to .scr for example, the virus then stops the file "procexp.scr.exe". This may sound like a stupid question, but in Windows XP, do you know how to change the .exe part of a file?I don't even see the file extension in my views. Will this file even work if I change it?

If not, do you agree with my friend who says I need to reinstall Windows XP and then try to run anti virus after that? My friend also claims that it won't destroy my documents, files and folders, if I reinstall.

Thanks much.
D
killsecsys452

#5 wj32

wj32

  • Members
  • 56 posts
  • OFFLINE
  •  
  • Local time:06:34 PM

Posted 21 July 2009 - 02:51 AM

This may sound like a stupid question, but in Windows XP, do you know how to change the .exe part of a file?I don't even see the file extension in my views.


Tools > Folder Options > View > Show hidden files and folders. Then rename procexp.exe to something like asdf123.scr and double-click it.
MCTS: Windows Internals.
Stupid bureaucracy.

#6 garmanma

garmanma

    Computer Masochist


  • Staff Emeritus
  • 27,809 posts
  • OFFLINE
  •  
  • Location:Cleveland, Ohio
  • Local time:03:34 AM

Posted 21 July 2009 - 05:02 PM

friend also claims that it won't destroy my documents, files and folders, if I reinstall.


That is a repair install, using a retail Windows CD. While it should leave you files alone, there is no guarantee.
To remove the infections, you need to reformat. Which will destroy everything

Bonjour services is for Apple iTunes

Let's see if we can get you prepped for a HJT log

Please read the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". If you cannot complete a step, then skip it and continue with the next. In Step 6 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log.

When you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.


If you cannot run DDS / HJT, post back for an alternative
Mark
Posted Image
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#7 killsecsys452

killsecsys452
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:03:34 AM

Posted 21 July 2009 - 10:27 PM

This may sound like a stupid question, but in Windows XP, do you know how to change the .exe part of a file?I don't even see the file extension in my views.


Tools > Folder Options > View > Show hidden files and folders. Then rename procexp.exe to something like asdf123.scr and double-click it.



Thank you for the info. Unfortunately, it didn't change the virus' reaction. I still couldn't run the file even when I changed the name to asdf123.scr etc.

#8 wj32

wj32

  • Members
  • 56 posts
  • OFFLINE
  •  
  • Local time:06:34 PM

Posted 21 July 2009 - 10:29 PM

This may sound like a stupid question, but in Windows XP, do you know how to change the .exe part of a file?I don't even see the file extension in my views.


Tools > Folder Options > View > Show hidden files and folders. Then rename procexp.exe to something like asdf123.scr and double-click it.



Thank you for the info. Unfortunately, it didn't change the virus' reaction. I still couldn't run the file even when I changed the name to asdf123.scr etc.


What actually happens when you double-click the exe/scr file?
MCTS: Windows Internals.
Stupid bureaucracy.

#9 killsecsys452

killsecsys452
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:03:34 AM

Posted 21 July 2009 - 10:58 PM

This may sound like a stupid question, but in Windows XP, do you know how to change the .exe part of a file?I don't even see the file extension in my views.


Tools > Folder Options > View > Show hidden files and folders. Then rename procexp.exe to something like asdf123.scr and double-click it.



Thank you for the info. Unfortunately, it didn't change the virus' reaction. I still couldn't run the file even when I changed the name to asdf123.scr etc.


What actually happens when you double-click the exe/scr file?



What happens is the file flashes for a split second and the virus says file.exe is infected and it never runs. Just now I was trying to run a file and I just kept clicking it (winlogon.exe) (which is process explorer given a new name) and finally it ran. I now have process explorer screen up on my pc! This is a big deal. I have located the file that is the exe of the virus 16506254.exe. Garmanma gave me process explorer and wanted me to send a log, but I'm not sure how to create the log. I go to file save as, but I don't know how that's making a log. Depending on where I put my cursor in the panel, it gives me a different name for the file.
Or, should I just kill the process and run malwarebytes or kaspersky, which I have loaded on the pc but have not been able to run.
Thanks.
killsecsys452

#10 killsecsys452

killsecsys452
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:03:34 AM

Posted 21 July 2009 - 11:35 PM

Please download and run Process Explorer

http://technet.microsoft.com/en-us/sysinte...s/bb896653.aspx

Under file and save as, create a log and post here

copy and paste into a reply


Unexpected but good news, I actually got the process explorer to run on my infected pc. I renamed it to winlogon.exe and I noticed that there was a flash of the file when i clicked it so I just kept clicking and to my surprise it eventually loaded.
So, now I have process explorer up and running. I even see the .exe file that is the virus (16506254.exe with the gold and black shield icon).
Do you think that I should kill the process and run malware bytes or kaspersky which I have loaded on my pc, or should I still send a log of the process explorer and post it here? If you think I should post a log, I was not sure what I was doing. I went to file save as, but the name of the file was set to change based on where I placed my cursor, so I dont think you would be getting a log. How do I do that? Thanks for all your help.

#11 garmanma

garmanma

    Computer Masochist


  • Staff Emeritus
  • 27,809 posts
  • OFFLINE
  •  
  • Location:Cleveland, Ohio
  • Local time:03:34 AM

Posted 22 July 2009 - 06:53 PM

Do you think that I should kill the process and run malware bytes or kaspersky which I have loaded on my pc, or should I still send a log of the process explorer and post it here?


Kill the process and copy/paste the log here for review
If you can run malwarebytes, by all means go ahead and post that log as well
Mark
Posted Image
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#12 killsecsys452

killsecsys452
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:03:34 AM

Posted 22 July 2009 - 11:07 PM

Do you think that I should kill the process and run malware bytes or kaspersky which I have loaded on my pc, or should I still send a log of the process explorer and post it here?


Kill the process and copy/paste the log here for review
If you can run malwarebytes, by all means go ahead and post that log as well



Done. Thanks for your help, the Process Explorer was key once I got it to work.
I think I got rid of this pain in the butt virus (System Security 4.52)!!

Malwarebytes' Anti-Malware 1.39
Database version: 2421
Windows 5.1.2600 Service Pack 2

7/22/2009 11:07:20 PM
mbam-log-2009-07-22 (23-07-20).txt

Scan type: Full Scan (C:\|)
Objects scanned: 153570
Time elapsed: 31 minute(s), 52 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 4

Memory Processes Infected:
C:\Documents and Settings\XXXXX\Desktop\winlogon.exe (Heuristics.Reserved.Word.Exploit) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\TDSSdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\TDSS (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\16506254 (Rogue.Multiple.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\All Users\Application Data\16506254 (Rogue.Multiple.H) -> Quarantined and deleted successfully.

Files Infected:
c:\documents and settings\all users\application data\16506254\16506254 (Rogue.Multiple.H) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\16506254\16506254.exe (Rogue.Multiple.H) -> Quarantined and deleted successfully.
c:\program files\mIRC\mirc.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\XXXXXX\Desktop\winlogon.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

#13 garmanma

garmanma

    Computer Masochist


  • Staff Emeritus
  • 27,809 posts
  • OFFLINE
  •  
  • Location:Cleveland, Ohio
  • Local time:03:34 AM

Posted 23 July 2009 - 03:22 PM

Update mbam and run a FULL scan
Please post the results

Then run ATF and SAS

ATF
Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

------------------------------------

SAS,may take a long time to scan
Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSypware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
-----------------------------------

Follow that up with a Dr Web CureIt scan


Please download Dr.Web CureIt, the free version & save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on launch.exe to open the program and click Start. (There is no need to update if you just downloaded the most current version
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to dowload the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All.
  • When complete, click Select All, then choose Cure > Move incurable.
    (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • Now put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and UNcheck "Heuristic analysis" under the "Scanning" tab, then click Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • When the scan is complete, a message will be displayed at the bottom indicating if any viruses were found.
  • Click "Yes to all" if asked to cure or move the file(s) and select "Move incurable".
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.cvs report)

Mark
Posted Image
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#14 killsecsys452

killsecsys452
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:03:34 AM

Posted 28 July 2009 - 09:23 PM

Hi. Well I quickly realized that I am still infected despite getting rid of the System Security 4.52.
After my last post, I wasn't able to get back to any site that had to do with antimalware including this site. But, luckily I was able to run malware bytes and remove it (TDSS). the problem is everytime I reboot, the TDSS trojan or malware returns/regenerates.

I did the scans you suggested (your directions are great by the way).
I ran malware bytes. The log is below.
I also ran ATF
I then ran SAS, but I wasn't able to run it in Safe Mode. I posted the SAS log below anyway. I actually posted 3 fwiw because each time I rebooted, it came back and I had to rerun it to get to any websites.
The Dr Web Cureit is below also, but I couldn't get into safe mode again. It looks like the same TDSS virus again and again.

The problem I am having now is I can't get my computer to run in safe mode. After clicking F8, when I choose run in Safe Mode, I get a screen full of lines that read something like this...
(0)disk(0)rdlls(0)partition(2)
Then it goes to a bluescreen with the message, "windows has been shut down." A Video driver failed to initialize. There's more, but I can get more specific on that message the next time I post.

One more thing I also wanted to mention is that when I was running SAS the first time today I got a message that said, C:\documents~1\XXXX\Locals~1\TemporaryINternetFiles\content.Ie5\2ZL7Q7JK is corrupt and unreadable. Please run chkdsk utility.
I had received this message a week ago when I still had the system security 4.52 virus. Any idea what this is about? Can you tell me how to run chk dsk utility? Should I do this? FYI, I searched for the file in Windows Explorer and I didn't see it.

Thanks for all your help!!!
killsecsys452



*****************************************************
Malwarebytes' Anti-Malware 1.39
Database version: 2515
Windows 5.1.2600 Service Pack 2

7/28/2009 7:43:09 AM
mbam-log-2009-07-28 (07-43-09).txt

Scan type: Full Scan (A:\|C:\|D:\|)
Objects scanned: 151114
Time elapsed: 54 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\TDSSdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\TDSS (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
***************************************************

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/28/2009 at 01:44 PM

Application Version : 4.26.1006

Core Rules Database Version : 4022
Trace Rules Database Version: 1962

Scan type : Complete Scan
Total Scan Time : 01:02:23

Memory items scanned : 374
Memory threats detected : 0
Registry items scanned : 5866
Registry threats detected : 5
File items scanned : 56715
File threats detected : 41

Rootkit.TDSServ
HKLM\SOFTWARE\TDSS
HKLM\SOFTWARE\TDSS#serversdown
HKLM\SOFTWARE\TDSS\version
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TDSSserv.sys
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\TDSSserv.sys

Adware.Tracking Cookie
C:\Documents and Settings\XXXXX\Cookies\harriet friedman@accounts[1].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@247realmedia[1].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@7579.91423.icityfind[1].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@7584.nosubid.clickshield[1].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@ad.yieldmanager[2].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@admarketplace[1].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@adopt.specificclick[1].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@ads.financialcontent[2].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@ads.imarketservices[1].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@ads.mail[1].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@ads.redorbit[1].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@apartmentfinder[2].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@apmebf[1].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@atdmt[1].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@bridge.admarketplace[1].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@bridge1.admarketplace[1].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@burstnet[1].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@cdn4.specificclick[2].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@clicksense[2].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@clickthrough.kanoodle[1].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@crackle[2].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@dc.tremormedia[2].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@doubleclick[1].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@enhance[2].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@find[1].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@homestore.122.2o7[1].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@media6degrees[2].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@mediaplex[1].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@mediatraffic[1].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@optimize.indieclick[2].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@realmedia[2].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@redorbit[1].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@specificmedia[2].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@stats.adbrite[1].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@teen[2].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@tracking.realtor[1].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@traffic.incomeppc[2].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@tribalfusion[1].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@www.apartmentfinder[2].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@www.burstbeacon[1].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@www.icityfind[1].txt

****************************
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/28/2009 at 09:12 PM

Application Version : 4.26.1006

Core Rules Database Version : 4022
Trace Rules Database Version: 1962

Scan type : Quick Scan
Total Scan Time : 00:27:49

Memory items scanned : 371
Memory threats detected : 0
Registry items scanned : 481
Registry threats detected : 20
File items scanned : 21319
File threats detected : 4

Rootkit.TDSServ
HKLM\SOFTWARE\TDSS
HKLM\SOFTWARE\TDSS#cmddelay
HKLM\SOFTWARE\TDSS\connections
HKLM\SOFTWARE\TDSS\connections#b81e6d1a
HKLM\SOFTWARE\TDSS\disallowed
HKLM\SOFTWARE\TDSS\disallowed#mbam-setup.exe
HKLM\SOFTWARE\TDSS\disallowed#8fb4615b
HKLM\SOFTWARE\TDSS\injector
HKLM\SOFTWARE\TDSS\injector#*
HKLM\SOFTWARE\TDSS\version
HKLM\SOFTWARE\TDSS\version#/ctl/crcmds/init
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata#affid
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata#subid
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata#control
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata#prov
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata#googleadserver
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata#flagged
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TDSSserv.sys
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\TDSSserv.sys

Adware.Tracking Cookie
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@clickthrough.kanoodle[1].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@doubleclick[1].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@homestore.122.2o7[1].txt
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@tracking.realtor[1].txt

******************


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/28/2009 at 09:43 PM

Application Version : 4.26.1006

Core Rules Database Version : 4022
Trace Rules Database Version: 1962

Scan type : Quick Scan
Total Scan Time : 00:26:26

Memory items scanned : 377
Memory threats detected : 0
Registry items scanned : 481
Registry threats detected : 20
File items scanned : 21321
File threats detected : 0

Rootkit.TDSServ
HKLM\SOFTWARE\TDSS
HKLM\SOFTWARE\TDSS#cmddelay
HKLM\SOFTWARE\TDSS\connections
HKLM\SOFTWARE\TDSS\connections#b81e6d1a
HKLM\SOFTWARE\TDSS\disallowed
HKLM\SOFTWARE\TDSS\disallowed#mbam-setup.exe
HKLM\SOFTWARE\TDSS\disallowed#8fb4615b
HKLM\SOFTWARE\TDSS\injector
HKLM\SOFTWARE\TDSS\injector#*
HKLM\SOFTWARE\TDSS\version
HKLM\SOFTWARE\TDSS\version#/ctl/crcmds/init
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata#affid
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata#subid
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata#control
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata#prov
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata#googleadserver
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata#flagged
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TDSSserv.sys
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\TDSSserv.sys
******
Dr Web Cureit Log
7/29/09 8:00 AM
tdssserv.sys;c:\windows\system32\drivers;BackDoor.Tdss.14;Deleted.;
TDSS2ed7.tmp;C:\Documents and Settings\XXXX\Local Settings\Temp;Trojan.Starter.896;Incurable.Moved.;
coralfree.exe\data029;C:\Program Files\coralfree.exe;Adware.SaveNow;;
coralfree.exe;C:\Program Files;Archive contains infected objects;Moved.;
aim95.exe\data034;C:\Program Files\AIM95\aim95.exe;Adware.Aws;;
aim95.exe;C:\Program Files\AIM95;Archive contains infected objects;Moved.;
WxBug.EXE;C:\Program Files\AIM95\Sysfiles;Adware.Aws;;
tdssadw.dll;C:\WINDOWS\SYSTEM32;Trojan.Packed.647;Deleted.;
tdssl.dll;C:\WINDOWS\SYSTEM32;BackDoor.Tdss.6;Deleted.;
tdsslog.dll;C:\WINDOWS\SYSTEM32;Trojan.Sespy.13;Deleted.;
tdssmain.dll;C:\WINDOWS\SYSTEM32;Trojan.Packed.365;;
tdssserf.dll;C:\WINDOWS\SYSTEM32;Trojan.Fakealert.1304;Deleted.;
TDSS607a.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.14;Deleted.;
TDSS608a.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.14;Deleted.;
TDSS6617.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.14;Deleted.;
TDSS67dd.tmp;C:\WINDOWS\Temp;Trojan.Packed.365;Incurable.Moved.;
TDSS6ada.tmp;C:\WINDOWS\Temp;Trojan.Sespy.13;Deleted.;
TDSS6c9a.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.14;Deleted.;
TDSS7039.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.14;Deleted.;
TDSS7097.tmp;C:\WINDOWS\Temp;Trojan.Packed.647;Deleted.;
TDSS7172.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.14;Deleted.;
TDSS73a4.tmp;C:\WINDOWS\Temp;Trojan.Fakealert.1304;Deleted.;
TDSSeccd.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.14;Deleted.;

Edited by killsecsys452, 29 July 2009 - 07:10 AM.


#15 garmanma

garmanma

    Computer Masochist


  • Staff Emeritus
  • 27,809 posts
  • OFFLINE
  •  
  • Location:Cleveland, Ohio
  • Local time:03:34 AM

Posted 29 July 2009 - 06:05 PM

You are not going to like what I say, but with that TDSS infection your best course of action is to reformat and reinstall


Two options left-Post a HJT log or re-install

If you want to give removal of the infection a try, please read the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". If you cannot complete a step, then skip it and continue with the next. In Step 6 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log.

When you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

====================================

Option 2
Some types of malware can result in a system so badly damaged that a Repair Install will NOT help!. Reinstalling Windows without first wiping the entire hard drive with a repartition and/or format will not remove the infection. The reinstall will only overwrite the Windows files. Any malware on the system will still be there afterwards. Starting over by wiping your drive, reformatting, and performing a clean install of the OS or doing a factory restore removes everything and is the safest action.

In case you need help with this, please review:These links include step-by-step instructions with screenshots:Reformatting a hard disk deletes all data. If you decide to reformat, you can back up all your important documents, personal data files and photos. The safest practice is not to backup any executable files (*.exe), screensavers (*.scr) or autorun (.ini) files because they may be infected by malwareware appending itself to the executable. Some types of malware may even disguise itself by adding and hiding its extension to the existing extension of files so be sure you look closely at the full file name. After reformatting, as a precaution, make sure you scan these files with your anti-virus prior to copying them back to your hard drive.

Note: If your using an IBM, HP, Compaq or Dell machine, you may not have an original XP CD Disk. By policy Microsoft no longer allows OEM manufactures to include the original Windows XP CD-ROM on computers sold with Windows preinstalled. Instead, most computers manufactured and sold by OEM vendors come with a vendor-specific Recovery Disk or Recovery Partition for performing a clean "factory restore" that will reformat your hard drive, remove all data and restore the computer to the state it was in when you first purchased it.

If you need additional assistance with reformatting, you can start a new topic in the Windows XP Home and Professional forum.
Mark
Posted Image
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users