Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Malware Defense; Trojan.FakeAlert; Rootkit.TDSS and others

  • This topic is locked This topic is locked
3 replies to this topic

#1 windex


  • Members
  • 13 posts
  • Local time:02:32 AM

Posted 02 January 2010 - 04:38 PM

Hi BleepingComputer,

This is my first post here at this site. Thanks for any guidance you may be willing to provide in advance.

On Tuesday morning, I got popups stating my computer was infected. The Program was MalwareDefense. Before the blink of an eye, most of my anti-virus programs would not run, update, or re-install.

This included: Malwarebytes, Spybot, all Mcaffe Security Center applications, SuperAntiSpyware, and Spyware Doctor.

SE-Adware and SpywareBlaster did run, but only SpywareBlaster would update.

I ran SE-Adware with outdated signature files, and it removed three infections (not sure which ones?).

(Also, Firefox would be redirected to AskBar ; I get warnings about being redirected; and IE would auto close after a minute or so.)

With indirect methods (renaming .exe files), I was able to get SuperAntiSpyware and Malwarebytes to install/run, but with outdated sig. files (couldn't update).

SuperAntiSpyware detected: Rogue.SmartProtector

I fixed it, restarted, and ran again: it reappeared. Ran and fixed it again.

Malwarebytes v1.42: clean

On Thursday, Malwarebytes released v1.43. I ran it and it detected: Trojan.FakeAlert (3-instances); Trojan.DNSChanger; Rootkit.TDSS.

I fixed these items, and I noticed the Mcaffe symbol reappeared. I then was able to run the Mcaffe virus scan but with outdated sig. files. It detected: NTOSKRNL - HOOK. I chose to remove it.

I checked Spybot, Malwarebytes, and SuperAntiSpyware and they now all opened. Apparently, the Malwarebytes unblocked the malware which was disabling the anit-virus programs.

The previous scans were done in SAFE MODE. I logged back in NORMAL mode.

I then was extremely overjoyed that I was able to run and update all the antivirus programs.

I updated all of them and ran scans. Here is what was detected with UPDATED files:

Spybot: Microsoft.WindowsSecurityCenter_disabled
Malwarebytes v1.43: Trojan.FakeAlert (2-instances); Malware.Packer; Rootkit.TDSS (3-instances).
SuperAntiSpyware: clean

I checked to fix all items. The next round of scans:

Mcafee: clean
Spybot: clean
SuperAntispyware: clean
Malwarebytes: Trojan.FakeAlert and Rootkit.TDSS

I have since re-updated, and ran all the programs in both SAFE/NORMAL modes, and all of them come back clean.

I also ran SpywareDoctor in Normal mode, and it came back clean.

I did have an episode today, which the screen turned blue, and the after several minutes, something about WMI being terminated, and the system needs to shut down. Somewhere in the notice, it stated something about viruses.

This where I am at now. All the programs state I am clean, but I don't believe it. If someone could tell me how to check and make sure I am clean, it would be greatly appreciated.

Hopefully, I got the protocol correct and help is on the way.

Thanks, windex

Attached Files

Edited by windex, 02 January 2010 - 04:43 PM.

BC AdBot (Login to Remove)


#2 syler


  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:07:32 AM

Posted 11 January 2010 - 12:15 AM


My name is Syler and I will be helping you to solve your Malware issues. If you have since resolved your issues I would appreciate if you
would let me no so I can close this topic, if you still need help please let me no what issues you are still having, in your next reply.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and
we are trying our best to keep up.

  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

  • Please download GMER from one of the following locations, and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs, as this process may crash your computer.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
  • Double click on Gmer to run it.
  • Allow the gmer.sys driver to load if asked.
  • You may see a rootkit warning window, If you do, click No.
  • Untick the following boxes on the right side of the Gmer screen.
    Show All
  • Click on Posted Image and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Posted Image and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.

Then please post back here with the following:
  • log.txt
  • info.txt
  • Gmer log


#3 windex

  • Topic Starter

  • Members
  • 13 posts
  • Local time:02:32 AM

Posted 12 January 2010 - 10:40 PM

Hi syler,

My issue has been resolved.

I appreciate of you taking the time to help me if I still needed it.

Thanks again,


#4 syler


  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:07:32 AM

Posted 13 January 2010 - 09:31 PM

Thanks for letting us know :(

Since this issue appears resolved ... this Topic is closed. Glad we could help.

If you need this topic reopened, please request this by sending me a PM
with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.


0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users