Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Cannot remove Trojan.TDSS

  • Please log in to reply
1 reply to this topic

#1 mr-ruks


  • Members
  • 2 posts
  • Local time:02:19 AM

Posted 06 August 2009 - 10:05 PM

Wife and daughter's computer. Wife reported web redirects about a week ago (I know I should have checked it, but...). Daughter clicked on a "click here to fix your computer" button.

System is WinXP SP3 with all windows updates. AVG Free 8.5 antivirus.

When I checked it a "security application" was running after bootup and could not be disabled. Task manager wouldn't run, background was a warning about using the application to protect your files etc...

Booted into safe mode. Downloaded Malwarebytes and ran it. The "security app" is gone, but Malwarebytes reports Trojan.TDSS is still there and it cannot remove it.

AVG reports Win32/Cryptor infecting 54 files and it cannot remove them.

I found a thread on Malwarebytes forum and followed along using couple of recommended tools:

SysProt Antirootkit

However, without "adult supervision" my results weren't too good and I'm afraid I need some help.

The main symptoms appear to be gone or lurking, but I think I really need to clean these remaining problems up. (I could just reinstall Windows, but want to make sure I've tried everything first).

Any help graciously appreciated.

BC AdBot (Login to Remove)


#2 mr-ruks

  • Topic Starter

  • Members
  • 2 posts
  • Local time:02:19 AM

Posted 07 August 2009 - 12:08 AM

Malwarebytes log:

Malwarebytes' Anti-Malware 1.40
Database version: 2570
Windows 5.1.2600 Service Pack 3

8/7/2009 12:59:08 AM
mbam-log-2009-08-07 (00-59-08).txt

Scan type: Full Scan (C:\|)
Objects scanned: 256999
Time elapsed: 47 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
\\?\globalroot\systemroot\system32\geyekrbwucfmki.dll (Trojan.TDSS) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
\\?\globalroot\systemroot\system32\geyekrbwucfmki.dll (Trojan.TDSS) -> Quarantined and deleted successfully.

Rescans show 2 infections:

Memory module \\?\globalroot\systemroot\system32\geyekrbwucfmki.dll (Trojan.TDSS)
File \\?\globalroot\systemroot\system32\geyekrbwucfmki.dll (Trojan.TDSS)

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users