Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Removal-resistant Trojan.tdss

  • Please log in to reply
1 reply to this topic

#1 TargetPractice


  • Members
  • 1 posts
  • Local time:09:55 AM

Posted 01 August 2009 - 04:12 PM

Problem: Removal-resistant Trojan.tdss

OS: Microsoft Windows XP, media center edition, Service pack 2, version 2002
Browser: Mozilla Firefox 3.5.1- with NoScript; also Opera ver. 9.64

Noted details:

Malwarebytes anti-malware keeps noticing it, with 2 files flagged. Not even reboots after each run purge it. Quote from each run:

Memory Modules Infected:
\\?\globalroot\systemroot\system32\geyekrrkenyvfw.dll (Trojan.TDSS) -> Delete on reboot.
Files Infected:
\\?\globalroot\systemroot\system32\geyekrrkenyvfw.dll (Trojan.TDSS) -> Quarantined and deleted successfully.

Search and Destroy noted it, cleared a chunk of material out , but failed to purge it- Malwarebytes scan run afterwards flagged 2 files above and 27 registry changes as well
Avira Antivir and Lavasoft Ad-aware do not notice anything
Mcaffee is heavily damaged- bringing it up in Administrator profile in Safe mode loads a screenful of 'X is broken or disabled' messages; other accounts in normal mode show no such errors, but come up blank in searches
Microsoft Firewall engaged, but only after infection
SuperAntiSpyware noneffective
SDFix has been run, effects invisible
Previous infection of different trojan occured, but apparently cleared by Malwarebytes, SDFix, Avira- previous symptom of refusal to run antimalware programs no longer present
Second SaD run noted similar files [calls it something else- will scan and post if asked], but results in 17 files found by Malwarebytes; 12 registry value errors, 1 memory module, and 4 programs

That's what I know about this infection right now. What should I do next?

BC AdBot (Login to Remove)


#2 Computer Pro

Computer Pro

  • Members
  • 2,448 posts
  • Gender:Male
  • Local time:08:55 AM

Posted 01 August 2009 - 05:22 PM

Hello and welcome to Bleeping Computer.

Please subscribe to your topic so that you will be notified as soon as I post a reply, instead of you having to check the topic all of the time. This will allow you to get an email notification when I reply.

To subscribe, go to your topic, and at the top right hand corner by your first post, click the Options button and then click Track this topic. The bullet the immediate notification bubble. Then press submit.

I am sorry to bear bad news but:

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud, and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.
Computer Pro

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users