Multiple infections including AVR09 and TDSSserv on Windows XP

Hi Folks!

I have a computer running Window XP with multiple infections. Looking up the symptoms it appears that the computer is infected with SillyDL.4PW, Win32.TrojanTDSS and there is also a fake anti-virus AdvancedVirusRemoval 2009. There may also be others I just haven't identified yet.

I tried running the tools in the prep guide but they don't run. DDS opens but never produces the reports in notepad and the same thing happens with RootRepeal.

Everything that runs produces an error message "filename.exe\.dll - Bad image. hjgruilyprridw.dll is not a valid windows image. Please check this against your installation diskette."

I am now not sure how to proceed.

I have UBCD for Windows which I can start from but I cannot get any tools to run this way. I can start windows "normally" but I get the errors listed above and the tools won't run as I said.

Any suggestions?

Right now I am trying to run a copy of spybot search and destroy from the UBCD for windows cd to see if I can get some stuff cleaned enough to run the tools suggested by the prep guide.

Should I just give up the ghost and reformat?

Thank you for any suggestions or comments you may have.

Caroline

Hello and welcome.
It looks like there is a rootkit variant in this log. The rootkit itself is a protection module used to terminate a variety of security tools by changing the permissions on targeted programs so that they cannot run or complete scans. There are some new variants of rootkits in the wild right now that will require custom scripts to remove the infection, the process must be completed by HJT team members or above.

Failure to follow the proper removal process can and will cause serious damage to a machine. Recovery of the machine may be difficult, if not impossible.


Download this Utility and save it to your Desktop.
Double-click the Utility to run it and and let it finish.
When it states Finished! Press any key to exit, press any key to close the program.
It will save a .txt file to your desktop automatically. Double-click on the Win32kDiag.txt file that is located on your Desktop and post the entire contents of that log as part of the reply in the topic you will create below..

Next please go here HijackThis Logs and Virus/Trojan/Spyware/Malware Removal ,click New Topic,give it a relevant Title and post the above Win32kDiag.exe log.

Let me know how that went.


This will be about a week wait so if reformatting is an option that may be quicker. Are you running XP or Vista?

Thank you! I have done as you asked and created a new topic with the log. The computer is running Windows XP.

The new topic references your name and the same topic title.

Thank you!
Caroline

Hello and welcome.
It looks like there is a rootkit variant in this log. The rootkit itself is a protection module used to terminate a variety of security tools by changing the permissions on targeted programs so that they cannot run or complete scans. There are some new variants of rootkits in the wild right now that will require custom scripts to remove the infection, the process must be completed by HJT team members or above.

Failure to follow the proper removal process can and will cause serious damage to a machine. Recovery of the machine may be difficult, if not impossible.

[snip]

Your log is posted here.

Now that your log is posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show it the log you already posted. Further, any modifications you make on your own may cause confusion for the member assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

To avoid confusion, I am closing this topic until you are cleared by the HJT Team. If you still need assistance after your log has been reviewed and you have been cleared, please PM me or another moderator and we will re-open this topic.

Good luck with your log.