Trojan.TDSS can't be removed -- need help!


3 replies to this topic

#1 jelloz

jelloz

  • Members
  • 2 posts
  • OFFLINE
  • Local time:04:23 PM

Posted 26 July 2009 - 01:13 PM

Sometime in the last week or so, a Trojan has found its way on to my computer. I have several anti-spyware programs running, so I'm not sure how it got past them, but it did.

The symptoms are fairly simple: on Google searches, most of the pages I click on are redirected to other pages (e.g., Tooseeka.com, etc.). I have used dozens of programs to try to find the problem and remove them, but only Malwarebytes Anti-Malware has been able to find the problem. However, when I go to remove selected files, it says that it does, I restart, but the problem remains. When I run Malwarebytes again, it finds the same two files, which it just won't get rid of. In looking at the Malwarebytes log, the Trojans seem buried in the computer in a place where I cannot get to them. I did manage to find one infected file (of the same name as what Malwarebytes found) in windows/system32 directory using combofix, and deleted it...but the problems still remain. I've also received some help on another site using HijackThis, and the problem has *slightly* improved, but the Trojans remain.

I am completely at a loss as to what to do -- I'm including a log from my most recent Malwarebytes scan:
Malwarebytes' Anti-Malware 1.39
Database version: 2476
Windows 6.0.6001 Service Pack 1

7/26/2009 2:51:01 PM
mbam-log-2009-07-26 (14-50-57).txt

Scan type: Full Scan (C:\|)
Objects scanned: 4950
Time elapsed: 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
\\?\globalroot\systemroot\System32\geyekrjwngftep.dll (Trojan.TDSS) -> No action taken.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
\\?\globalroot\systemroot\System32\geyekrjwngftep.dll (Trojan.TDSS) -> No action taken.

Edited by jelloz, 26 July 2009 - 02:24 PM.
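As an added example (not part of the thread, and not Malwarebytes' own code), here is a small parser for the log format quoted above. It flags entries that the scanner could only reach through the `\\?\globalroot\` namespace and entries still marked "No action taken"; together those are the signs a defender looks for that a rootkit is hiding the file from normal removal. The second `Files Infected` entry in the sample is constructed to show an ordinary, successfully cleaned detection for contrast.

```python
import re
from typing import NamedTuple

# Constructed sample in the shape of the MBAM 1.39 log quoted in the post.
# The Trojan.Agent line is invented to show a non-rootkit detection alongside it.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.39
Database version: 2476

Memory Modules Infected:
\\?\globalroot\systemroot\System32\geyekrjwngftep.dll (Trojan.TDSS) -> No action taken.

Registry Keys Infected:
(No malicious items detected)

Files Infected:
\\?\globalroot\systemroot\System32\geyekrjwngftep.dll (Trojan.TDSS) -> No action taken.
C:\Users\demo\AppData\Local\Temp\sample.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
"""

# One detection line: "<path> (<threat name>) -> <action>."
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")

class Finding(NamedTuple):
    section: str
    path: str
    threat: str
    action: str

    @property
    def hidden_by_rootkit(self) -> bool:
        # \\?\globalroot\ is the NT object-manager view of the file system; a scanner
        # reports a file that way when the normal drive-letter path is being hidden.
        return self.path.lower().startswith("\\\\?\\globalroot\\")

    @property
    def unresolved(self) -> bool:
        return self.action.lower().startswith("no action taken")

def parse_mbam_log(text: str) -> list[Finding]:
    findings, section = [], ""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("(No malicious"):
            continue
        if line.endswith(":") and "Infected" in line:   # section header
            section = line[:-1]
            continue
        m = ITEM_RE.match(line)
        if m and section:
            findings.append(Finding(section, **m.groupdict()))
    return findings

def triage(findings: list[Finding]) -> dict[str, list[str]]:
    # Group paths by what they mean for the defender; the same DLL shows up in both
    # the Memory Modules and Files sections, so de-duplicate with a set.
    out = {"rootkit_hidden": [], "unresolved": [], "cleaned": []}
    for f in findings:
        if f.hidden_by_rootkit:
            out["rootkit_hidden"].append(f.path)
        out["unresolved" if f.unresolved else "cleaned"].append(f.path)
    return {k: sorted(set(v)) for k, v in out.items()}
```

A non-empty `rootkit_hidden` list after a scan that reports "No action taken" is the situation described in the post: the detection is real, but user-mode removal is being defeated.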
#2 Computer Pro

Computer Pro

  • Members
  • 2,448 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:23 PM

Posted 26 July 2009 - 02:37 PM

Hello and welcome to Bleeping Computer.

Please subscribe to your topic so that you will be notified as soon as I post a reply, instead of you having to check the topic all of the time. This will allow you to get an email notification when I reply.

To subscribe, go to your topic, and at the top right hand corner by your first post, click the Options button and then click Track this topic. Then select the immediate notification bubble. Then press submit.



I am sorry but:

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud, and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.
Computer Pro

#3 jelloz

jelloz
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:04:23 PM

Posted 26 July 2009 - 06:18 PM

Thank you for your quick response -- my wife and I have decided to reformat our computer, and completely reinstall our OS. We had hoped that it wouldn't come to it, but given that nothing we did seemed to work, it looked more and more likely that this came to it. We were both afraid that we were dealing with something a little more malicious than we had hoped. Luckily, we haven't done any internet banking, or anything sensitive like that on the internet since this problem started (we've been out of town and away from our home computer for a bit).

Thanks for the links about reformatting, we'll be reading up on that. We did have a quick question -- are the other files on our computer somehow compromised by this trojan? In other words, would it be safe to back these files up and put them back on our computer when it's reformatted? Or is *everything* on our computer 'damaged goods' that needs to be deleted with the reformatting? We have tons and tons of important files that we don't want to lose if we don't have to...but we'll do what we have to.

Aside from what we know about reformatting, is there anything else we should know/do before we get started with this?

Again, thanks so much for letting me know of this so soon that we can do something about it sooner rather than later.

#4 Computer Pro

Computer Pro

  • Members
  • 2,448 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:23 PM

Posted 26 July 2009 - 06:33 PM

You can back up any documents such as Word, Powerpoint, PDFs, and any personal files. But do not back up any files ending in .exe, .com, .html, etc. This includes not backing up any programs.

If you have any questions during the process of reformatting, please feel free to post in the Vista forum regarding your question.

I am sorry that it had to turn out this way.
Computer Pro