SDFix


17 replies to this topic

#1 contact


  • Members
  • 13 posts
  • OFFLINE
  • Local time:07:15 PM

Posted 14 December 2009 - 01:35 PM

I am showing a packed.monder virus. I downloaded and followed all instructions for SDFix including the advanced mode settings. It still will not run. I get the blue screen so I can't type in the y. Please help. Thanks.



#2 quietman7

    Bleepin' Janitor


  • Global Moderator
  • 52,076 posts
  • ONLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:06:15 PM

Posted 14 December 2009 - 02:00 PM

What operating system are you trying to run it on?

SDFix only works on Windows 2000 and XP. Further, the developer stopped all work/improvements on his tool some time ago (due to personal reasons) and SDFix has not been updated to include new malware variants since November 6, 2008. As such there are no new script routines incorporated to deal with current infections which may target SDFix and keep the tool from running properly or to completion.

I suggest you use Malwarebytes Anti-Malware instead.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 contact


Posted 14 December 2009 - 02:08 PM

I am using Windows Vista. AVG is naming the virus a packed.monder. Malwarebytes is calling it windows.fraud.protection. It has surfaced in other programs as vundo...none are removing it. I think the problem is in windows\system32\tdlcmd.dll and td/clk.dll. I followed instructions on this website to use SDFix. What next? Any suggestions? Thanks.

#4 quietman7


Posted 14 December 2009 - 02:25 PM

The instructions on this site include a link to the changelog which clearly states it is only for use on Win 2000 and XP.

As I said, you should be scanning with Malwarebytes Anti-Malware v1.42 instead if you are using an older version. The database version last I checked it was 3358.

If you are using that version and the database is already updated, then rescan but this time perform a Full Scan in normal mode and check all items found for removal. Don't forget to check for database definition updates through the program's interface (preferable method) before scanning and to reboot afterwards. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.

If you cannot update MBAM through the program's interface and have already manually downloaded the latest definitions (mbam-rules.exe) shown on this page, be aware that mbam-rules.exe is not updated daily. Another way to get the most current database definitions if you're having problems updating, is to install MBAM on a clean computer, launch the program, update through MBAM's interface, copy the definitions (rules.ref) to a USB stick or CD and transfer that file to the infected machine. Copy rules.ref to the location indicated for your operating system. If you cannot see the folder, then you may have to Reconfigure Windows to show it.
  • XP: C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware
  • Vista: C:\Documents and Settings\Users\All Users\Malwarebytes\Malwarebytes' Anti-Malware
Since this is a malware related issue, I will move your topic to a more appropriate forum.

#5 contact


Posted 14 December 2009 - 02:52 PM

Thanks. I am running the latest version, and just updated to 3359. I will scan again. What happens is that it won't delete windows fraud protection...says it's not accessible or something. I'll send you the log when I'm done. Again, thanks for the help!

#6 contact


Posted 14 December 2009 - 04:55 PM

Hi,
Here's the file. The infections are changed. AVG resident shield popped up over the windows/system 32 files I referred to before. It always says they are cleaned and then they show up in AVG 9. By the way, I recently switched to AVG and only now am I having problems with malware/spyware etc. What gives with AVG? Anyway, I'm going to run it again to see if the problem shows up. And I will re-run a Malwarebytes quick scan. Again, thanks.

Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\kuwovogi.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Windows\System32\tdlclk.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Windows\System32\tdlcmd.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Windows\Temp\msilojzb.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\Windows\Temp\jyjrjnrtm.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\Temp\IXP000.TMP\bm1016.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

#7 contact


Posted 14 December 2009 - 05:45 PM

I can't figure out how to get the log to you from AVG but here is what it says:

"C:\Windows\System32\tdlcmd.dll";"Trojan horse Vundo.JD";"Moved to Virus Vault"
"C:\Windows\System32\tdlclk.dll";"Virus identified Win32/Cryptor";"Moved to Virus Vault"
"C:\Windows\System32\smss.exe (436):\memory_00110000";"Virus identified Packed.Monder";"Moved to Virus Vault"
"C:\Windows\System32\smss.exe (436)";"Virus identified Packed.Monder";"Reboot is required to finish the action"
"C:\Windows\System32\csrss.exe (612):\memory_00100000";"Virus identified Packed.Monder";"Moved to Virus Vault"
"C:\Windows\System32\csrss.exe (612)";"Virus identified Packed.Monder";"Reboot is required to finish the action"
"C:\Windows\System32\csrss.exe (568):\memory_00100000";"Virus identified Packed.Monder";"Moved to Virus Vault"
"C:\Windows\System32\csrss.exe (568)";"Virus identified Packed.Monder";"Reboot is required to finish the action"
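The AVG output quoted in the post above has a fixed three-field layout: the object, AVG's detection name and the action taken, each in double quotes and separated by semicolons. The object field is the informative part. A plain path is a file on disk, while "image.exe (pid)" and "image.exe (pid):\memory_<address>" are a running process and a region inside its memory. As an added example for this thread (not code from AVG, BleepingComputer or any participant), the Python below parses the posted lines, separates file hits from process and process-memory hits, and lists which PIDs are still waiting for the reboot AVG asked for. The set of names it treats as core Windows processes is an assumption of the example, not something the report states.

```python
"""Triage an AVG scan report of the kind posted in this thread.

Added example for this thread; it is not code from AVG, BleepingComputer or
the thread's participants.  The sample text is the report posted above.
"""
import csv
import io
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Three quoted fields per line, separated by semicolons: object, detection, action.
SAMPLE_REPORT = r'''
"C:\Windows\System32\tdlcmd.dll";"Trojan horse Vundo.JD";"Moved to Virus Vault"
"C:\Windows\System32\tdlclk.dll";"Virus identified Win32/Cryptor";"Moved to Virus Vault"
"C:\Windows\System32\smss.exe (436):\memory_00110000";"Virus identified Packed.Monder";"Moved to Virus Vault"
"C:\Windows\System32\smss.exe (436)";"Virus identified Packed.Monder";"Reboot is required to finish the action"
"C:\Windows\System32\csrss.exe (612):\memory_00100000";"Virus identified Packed.Monder";"Moved to Virus Vault"
"C:\Windows\System32\csrss.exe (612)";"Virus identified Packed.Monder";"Reboot is required to finish the action"
"C:\Windows\System32\csrss.exe (568):\memory_00100000";"Virus identified Packed.Monder";"Moved to Virus Vault"
"C:\Windows\System32\csrss.exe (568)";"Virus identified Packed.Monder";"Reboot is required to finish the action"
'''

# Assumption of this example: processes Windows itself starts early in boot.  A
# detection in their memory, with no detection of their image on disk, points
# at code loaded into the process rather than at a bad file.
CORE_PROCESSES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe"}

# "<image> (<pid>)" optionally followed by ":\memory_<hex address>"
PROCESS_RE = re.compile(
    r'^(?P<image>.+\.exe) \((?P<pid>\d+)\)(?::\\memory_(?P<addr>[0-9A-Fa-f]+))?$'
)


@dataclass
class Detection:
    obj: str                     # the object field exactly as AVG wrote it
    detection: str               # AVG's detection name
    action: str                  # what AVG did about it
    kind: str                    # "file", "process" or "process-memory"
    image: str                   # file path or process image path
    pid: Optional[int] = None
    address: Optional[str] = None

    @property
    def basename(self) -> str:
        return self.image.rsplit("\\", 1)[-1].lower()

    @property
    def pending_reboot(self) -> bool:
        return self.action.lower().startswith("reboot is required")


def parse_report(text: str) -> List[Detection]:
    """Parse AVG's quoted, semicolon-separated lines into Detection records."""
    out: List[Detection] = []
    for row in csv.reader(io.StringIO(text.strip()), delimiter=";", quotechar='"'):
        if len(row) != 3:
            continue  # blank line or something that is not a detection row
        obj, detection, action = (f.strip() for f in row)
        m = PROCESS_RE.match(obj)
        if m is None:
            out.append(Detection(obj, detection, action, "file", obj))
        elif m.group("addr") is None:
            out.append(Detection(obj, detection, action, "process",
                                 m.group("image"), int(m.group("pid"))))
        else:
            out.append(Detection(obj, detection, action, "process-memory",
                                 m.group("image"), int(m.group("pid")), m.group("addr")))
    return out


def summarize(dets: List[Detection]) -> Dict[str, object]:
    """Counts by kind, PIDs still needing a reboot, core processes hit in memory, files hit."""
    by_kind: Dict[str, int] = {}
    for d in dets:
        by_kind[d.kind] = by_kind.get(d.kind, 0) + 1
    return {
        "by_kind": by_kind,
        "reboot_pids": sorted({d.pid for d in dets if d.pending_reboot and d.pid is not None}),
        "injected_core_processes": sorted({d.basename for d in dets
                                           if d.kind == "process-memory"
                                           and d.basename in CORE_PROCESSES}),
        "files": sorted(d.image for d in dets if d.kind == "file"),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_report(SAMPLE_REPORT)).items():
        print(f"{key}: {value}")
```

Run as a script it prints the summary for the posted report. The detail worth noticing is that smss.exe and csrss.exe appear only as process and process-memory hits, never as file hits: the images on disk were not what AVG objected to, which is why "cleaned" files keep coming back until the processes holding the code are dealt with and the machine is rebooted.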

#8 contact


Posted 14 December 2009 - 06:24 PM

Ran Spybot. Again got fraud.windows.protection. AVG resident shield pops up with win32/cryptor in the two files identified above. When I go to clean fraud.windows.protection I get an error message: Cannot create file. Unexpected error in fixing problem. c:\windows\system32\drivers\etc.\hosts

#9 quietman7


Posted 14 December 2009 - 07:00 PM

Please download TDSSKiller.zip and save it to your Desktop.
Be sure to print out and follow the instructions provided on that same page for performing a scan.
  • Extract (unzip) the file to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop. (click here if you're not sure how to do this. Vista users refer to these instructions.)
  • Go to Start > Run..., then type or copy and paste everything in the code box below into the Open dialogue box:
    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\report.txt -v
  • Click OK.
  • If malicious services or files have been detected, the utility will prompt to reboot the PC in order to complete the disinfection procedure. Please reboot when prompted.
  • After reboot, the driver will delete malicious registry keys and files as well as remove itself from the services list.
  • A log file named report.txt should have been created and saved to the root directory (usually C:\report.txt).
  • Copy and paste the contents of that report in your next reply.
Please download the Kaspersky Virus Removal Tool and save it to your Desktop.
Be sure to print out and read the instructions provided in How to use Kaspersky virus removal tool.
  • Double-click the setup file (i.e. setup_7.0.0.290_24.06.2009_12-58.exe) to install the utility.
  • If using Vista, right-click on it and Run As Administrator.
    If you receive a UAC prompt asking if you would like to continue running the program, you should press the Continue button.
  • Click Next to continue.
  • It will install by default to your desktop folder. Click Next.
  • Click Ok at the prompt for scanning in Safe Mode if you booted into safe mode.
  • A box will open with a tab that says Automatic scan.
  • Under Automatic scan make sure these are checked:
      • System Memory
      • Startup Objects
      • Disk Boot Sectors
      • My Computer
      • Any other drives (except CD-ROM drives)
  • Click on the Scan button.
  • If malware is detected, place a checkmark in the Apply to all box, and click the Delete button (or Disinfect if the button is active).
  • After the scan finishes, if any threats are left unneutralized in the Scan window (Red exclamation point), click the Neutralize all button.
  • In the window that opens, place a checkmark in the Apply to all box, and click the Delete button (or Disinfect if the button is active).
  • If advised that a special disinfection procedure is required which demands system reboot, click the Ok button to close the window.
  • In the Scan window click the Reports button, name the report AVPT.txt and select Save to file.
  • This tool should uninstall when you close it so please save the report log before closing.
  • When done, close the Kaspersky Virus Removal Tool.
  • You will be prompted if you want to uninstall the program. Click Yes.
  • You will then be prompted that to complete the uninstallation, the computer must be restarted. Select Yes to restart the system.
  • Copy and paste only the first part of the report (Detected) in your next reply. Do not include the longer list marked Events.
-- If you cannot run the Kaspersky AVP Removal Tool in normal mode, then try using it in "safe mode".

IMPORTANT NOTE: One or more of the identified infections was related to a nasty variant of the TDSSSERV rootkit also known as Backdoor.Tidserv. Rootkits, backdoor Trojans, Botnets, and IRCBots are very dangerous because they compromise system integrity by making changes that allow it to be used by the attacker for malicious purposes. Rootkits are used by Trojans to conceal their presence (hide from view) in order to prevent detection of an attacker's software and make removal more difficult. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. They can disable your anti-virus and security tools to prevent detection and removal. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is sent back to the hacker. To learn more about these types of infections, you can refer to:

If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. They should be changed using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read:

Although the rootkit was identified and may be removed, your machine has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired so you can never be sure that you have completely removed a rootkit. The malware may leave so many remnants behind that security tools cannot find them. Tools that claim to be able to remove rootkits cannot guarantee that all traces of it will be removed. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

#10 contact


Posted 15 December 2009 - 09:51 AM

Hi-
I ran the Kaspersky Virus Tool but don't see how to save the report. There is no save option when I open the report. And specifically, which part of the report do you want saved? I will wait to reboot until I receive your further instructions. I was unable to figure out how to run the TDSSKiller program. Would you mind being more specific with the steps? I didn't understand what the website was instructing. Thanks.

#11 quietman7


Posted 15 December 2009 - 10:01 AM

There are several ways to run the TDSSKiller program.

1. Using the command line parameter in the instructions I previously provided. Go to Start > Run..., then type or copy and paste everything in the code box below into the Open dialogue box:
"%userprofile%\Desktop\TDSSKiller.exe" -l C:\report.txt -v
Click OK.

2. Run by double-clicking on TDSSKiller.exe.

#12 contact


Posted 15 December 2009 - 10:43 AM

It says that it scanned and says 0 and press continue and it ends. Does that mean there was nothing found or that it didn't run properly? What do you want me to do about saving the Kaspersky file?

#13 quietman7


Posted 15 December 2009 - 10:49 AM

Sounds like nothing was found.

You can try doing a search on your machine for AVPT.txt to see if a report was actually created. If not, don't worry about it.

#14 contact


Posted 15 December 2009 - 04:52 PM

Thank you for your help.
It appears that everything is gone except the fraud.windows protection suite that Spybot keeps finding. It says the system32/drivers/etc./hosts access is denied, so it won't delete. Online I saw some software that says it will remove it. But, of course, who knows what the software is. Do you have a solution for this particular problem? I ran AVG and a trial version of A-Squared as well as Malwarebytes.

#15 quietman7


Posted 15 December 2009 - 07:07 PM

The HOSTS file is a text file that maps an IP address to a name. It has no extension and can be viewed using notepad. At the top is an explanation of the simple syntax. Each line is an IP address, a domain name, and an optional comment placed after a # sign. In Windows XP, 127.0.0.1 localhost is the universal IP address of all local computers and is the standard hostname given to the address of the loopback network interface which refers to the local computer only.

The original purpose of HOSTS files was to map the proper address to a site's name but now it's also used for blocking purposes. The loopback address is used to stop web ads from displaying because 127.0.0.1 indicates home (the location of your computer) and whatever is redirected home will not leave the system. Anything that appears in your HOSTS file without a # at the beginning, except for the "127.0.0.1 localhost" line, should be viewed with suspicion. In Windows Vista the IPv6 localhost is ::1 localhost by default. To learn more about this, you can read Hosts File FAQS and LMHosts and Hosts files.

Since the Hosts file is often used and altered by malware, some security programs (like Spybot S&D) will lock the file's read-only attributes as protection so it cannot be changed without your knowledge unless you disable that feature. As such, you may receive an access is denied message.

When you go into Spybot > Mode > Advanced Mode > Tools > Hosts File and do an "Add Spybot-S&D hosts list", Spybot..."lock" the HOSTS file by setting the attributes on the HOSTS file to read-only.

If you do not want the read-only attribute set on the HOSTS file after doing a "Add Spybot-S&D hosts list", go into Spybot > Mode > Advanced Mode > Tools > IE Tweaks. Under "Miscellaneous locks" uncheck the following: * Lock Hosts file read-only as protection against hijackers.

Spybot Forums: Host file - Access is Denied

There are several legitimate security programs like SpySweeper, STOPzilla, Spybot S&D, etc which can add entries to the HOSTS file and that action may be detected as a change. If you use Spybot's immunization facility the "Global (Hosts)" profile adds entries to the HOSTS file. If you downloaded and used a custom HOSTS file or made edits that too would trigger a change detection. If you did not make any changes or do not have security programs with these features, then you need to investigate what the changes are.

To view the folder containing your Hosts file, go to Start > Run..., and in the Open box, type: %windir%\system32\drivers\etc\
Click Ok.

The easiest way to access and view the contents is by using Notepad.
  • Double-click on the HOSTS file.
  • A message will appear saying Windows can't open the file or Choose the program you want to open this file.
  • Scroll down the list of programs until you see Notepad.
  • Select it and click OK.
To view the Hosts file in Notepad automatically, go to Start > Run..., and in the Open box, type: notepad %windir%\system32\drivers\etc\hosts
Click Ok.

After unlocking the Hosts file, you can restore the file to its default as follows:

Please download HostsXpert - Hosts File Manager
  • Create a new folder on your hard drive called HostsXpert (C:\HostsXpert) and extract (unzip) the file there. (click here if you're not sure how to do this. Vista users refer to these instructions.)
  • Open the folder and double-click HostsXpert.exe to run the program.
  • Click "Restore MS Hosts File".
  • Click OK at the confirmation box.
  • Click "Make Read Only".
  • Click the X to exit the program.
-- If the Hosts file does not exist, you will be prompted to create a new one. Just press "Ok".
-- If you were using a custom Hosts file you will need to replace any of those entries yourself.


Note: Vista's UAC blocks access to the HOSTS file since it's a system file. To get around this you can either turn off UAC and edit it normally, or copy the HOSTS file to your desktop and edit the copy there. Then rename the copied file on your desktop to HOSTS and drag it into the etc folder. When asked if you want to overwrite the existing hosts file, click yes. See Updating the HOSTS file in Windows Vista.
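The post above gives the whole rule for reading a HOSTS file: one address per line, the names after it, anything after # is a comment, and only the 127.0.0.1 localhost and ::1 localhost lines are expected; every other active line deserves a look. As an added example (not code from the thread, from Spybot S&D or from HostsXpert), the Python below parses a HOSTS file and applies that rule, going one step beyond the post by separating the two kinds of unexpected lines: names pointed at 127.0.0.1 or 0.0.0.0 (the blocking-list style the post describes, where the request never leaves the machine) and names pointed at some other address, which is the shape a hijack takes and the one that most needs investigating. The sample HOSTS text is constructed for the example; the names are in the reserved .example and .test domains and belong to no real site.

```python
"""Audit a Windows HOSTS file along the lines of the post above.

Added example, not code from the thread, from Spybot S&D or from HostsXpert.
The HOSTS text below is constructed for illustration; the names are in the
reserved .example and .test domains and do not belong to real sites.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

SAMPLE_HOSTS = """\
# Constructed sample HOSTS file (not a real machine's file).
# Lines starting with # are comments; each entry is: <address> <name> [<name>...] [# comment]
127.0.0.1       localhost
::1             localhost
127.0.0.1       ads.example                # entry typical of an ad-blocking hosts list
0.0.0.0         tracker.example
10.0.0.5        www.my-bank.test           # constructed hijack-style entry
198.51.100.7    update.my-antivirus.test  www.my-antivirus.test
256.1.1.1       broken.test                # malformed address
"""


@dataclass
class HostsEntry:
    line_no: int
    address: str
    names: List[str]
    comment: Optional[str]
    verdict: str   # "default", "sinkhole", "remote-redirect" or "invalid"


def classify(address: str, names: List[str]) -> str:
    """The post's rule: only '<loopback> localhost' is expected; everything else needs a look."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return "invalid"
    if ip.is_loopback and all(n.lower() == "localhost" for n in names):
        return "default"          # the 127.0.0.1 / ::1 localhost lines
    if ip.is_loopback or ip.is_unspecified:
        # name sent "home" (127.0.0.1) or nowhere (0.0.0.0): blocking-list style,
        # the request never leaves the machine
        return "sinkhole"
    return "remote-redirect"      # name answered by some other host: the pattern a hijack takes


def parse_hosts(text: str) -> List[HostsEntry]:
    entries: List[HostsEntry] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        body, _, comment = raw.partition("#")   # anything after # is a comment
        fields = body.split()
        if not fields:
            continue                             # blank or comment-only line
        address, names = fields[0], fields[1:]
        verdict = classify(address, names) if names else "invalid"
        entries.append(HostsEntry(line_no, address, names, comment.strip() or None, verdict))
    return entries


def suspicious(entries: List[HostsEntry]) -> List[HostsEntry]:
    """Everything the post says to view with suspicion: all active lines except the localhost ones."""
    return [e for e in entries if e.verdict != "default"]


def report(text: str) -> List[str]:
    """One human-readable line per suspicious entry, in file order."""
    return [
        f"line {e.line_no}: {e.verdict:15} {e.address} -> {', '.join(e.names)}"
        for e in suspicious(parse_hosts(text))
    ]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_HOSTS)))
```

It reads text rather than the live file so it runs anywhere; on the affected machine the same text comes from %windir%\system32\drivers\etc\hosts, opened as the post describes. The check never writes the file, so Spybot's read-only lock does not get in its way, and a "remote-redirect" verdict is the thing to chase first: a sinkhole entry at worst blocks a site, while a name answered by an unexpected address sends traffic somewhere chosen by whoever wrote the line.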



