
Malware has disabled my firewall and caused many other problems


10 replies to this topic

#1 bus

  • Members
  • 6 posts

Posted 14 October 2010 - 01:14 PM

I have an HP desktop running Windows XP SP3. I use Avast and Spyware Doctor, which load on startup, and occasionally scan with Malwarebytes. I have also installed SUPERAntispyware recently (actually after the problem occurred). I am posting from my laptop because it is difficult to run the desktop outside of safe mode.
About a week ago I had an instance of Microsoft Security Essentials Alert malware, which I terminated with RKill and then ran a Malwarebytes scan which found three infected items (Trojan.FakeAlert, Rootkit:TDSS, and a Registry value Trojan.Agent) which it says were quarantined and deleted. Shortly after I had a Google Chrome problem. The Google Chrome screen went blue. I could not uninstall Chrome or reinstall on top of it; I continued to get error messages. Shortly after that I began to notice serious performance issues. I use IE8 also, and it was constantly being redirected. Spyware Doctor scans on startup were showing 40 infections without even opening a browser. I concluded that the firewall was not working, even though Security Essentials showed all green. I have run numerous scans with Avast, Malwarebytes and SAS in both normal and safe (with and without networking) modes. The only thing that turned up was two instances of Malware.Trace in a Malwarebytes scan two days ago.
Symptoms: When operating in Normal mode, lots of browser redirection to ad sites. Svchost.exe seems to be taking about 150 MB whenever I check. I usually get a popup at some point saying Generic Host Services for Win32 has encountered an error and has to close. I can open some applications at first but it gradually degrades to where nothing responds and I cannot shut down normally but have to cut the power.
I have had some problems w/ malware before and been able to recover, but this is the worst and most frustrating experience ever.
Thanks for any assistance.

#2 DaChew

    Visiting Alien

  • Members
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 14 October 2010 - 04:24 PM

The TDSS rootkit has evolved into a really nasty infection. Newer variants seem almost incurable.

http://www.bleepingcomputer.com/virus-remo...sing-tdsskiller

Have you been backing up your data?
Chewy

No. Try not. Do... or do not. There is no try.

#3 bus

  • Topic Starter

Posted 14 October 2010 - 04:58 PM

Geez, that's like when you go to the doctor for your results and he says "Oh by the way is your will up to date?". I have backed up locally to an external drive and with Mozy (just signed up for that and did the backup when this whole mess started; checked online to be sure my files are there).

#4 DaChew

Posted 14 October 2010 - 05:43 PM

http://www.securelist.com/en/analysis/204792131/TDSS

There are worse infections, but only a few; this one was designed to make a lot of money.
Chewy

#5 bus

  • Topic Starter

Posted 14 October 2010 - 06:35 PM

I followed the Kaspersky suggestions and it found the virus just as was shown on your link. It's been trying to cure it for 18 minutes now, so I suspect it won't work. Is Kaspersky working on a further version? I do have my data backed up, so I can wait.

#6 bus

  • Topic Starter

Posted 14 October 2010 - 10:12 PM

I slightly misspoke: I ran the Kaspersky scan in safe mode and got the hanging result. When I went to normal mode and tried it, it detected the object and said it would be removed on reboot (like your Kaspersky guide page showed). When I rebooted to normal mode and ran the scan again, it didn't find anything. I am now connected on my desktop and am going to try to keep cleaning up. I will advise whether this fixed everything or is just a temporary respite.

#7 DaChew

Posted 14 October 2010 - 10:59 PM

Don't expect any cure-alls; update and run MBAM.
Chewy

#8 bus

  • Topic Starter

Posted 14 October 2010 - 11:26 PM

This has gotten a lot better, although there are still some problems. I can now run in normal mode without all the instability and performance degrading. But I still can't access some key sites; e.g. I tried to install the new Windows XP upgrade and it completely hung up, and I cannot open Spyware Doctor to run a scan. I did the Malwarebytes upgrade and scan but nothing showed up. My conclusion: I got rid of the worst part of the TDSS rootkit thanks to your help but might have some remainder on the system and/or some other infections which got on because of the general lack of security TDSS caused. Please don't give up on me; you've made a huge difference already.

#9 DaChew

Posted 14 October 2010 - 11:57 PM

Something is still hiding. Try running RKill and see if it stops any process; if so, repeat the scans after the malware process is stopped.

Also

Please download TFC by Old Timer and save it to your desktop.
alternate download link
  • Save any unsaved work. (TFC will close ALL open programs including your browser!)
  • Double-click on TFC.exe to run it. (If you are using Vista, right-click on the file and choose "Run As Administrator".)
  • Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
  • Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.
But first:

Download, install and update SAS.

When TFC finishes and reboots, start in safe mode and run SAS.

Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If it will not start, go to Start > All Programs > SUPERAntiSpyware and click on Alternate Start.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
If you have a problem downloading, installing or getting SAS to run, try downloading and using the SUPERAntiSpyware Portable Scanner instead. Save the randomly named file (i.e. SAS_1710895.COM) to a usb drive or CD and transfer to the infected computer. Then double-click on it to launch and scan. The file is randomly named to help keep malware from blocking the scanner.


Lastly:

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in a BSOD, uncheck Devices on the right side before scanning.
Chewy

#10 bus

  • Topic Starter

Posted 17 October 2010 - 09:54 AM

I have the situation pretty much controlled now. I tried TFC and it was probably not a good idea. Terminating processes caused the same type of issues I had previously encountered. I rebooted and ran TDSSKiller again and it showed it was still gone. I ran several other scans with Avast and Malwarebytes and things were almost normal. Because Kaspersky really saved the day with TDSSKiller, I purchased their Antivirus program and installed it. The initial scan found 1 virus and 6 trojans which were all successfully quarantined. So I am back to normal and feel more secure having Kaspersky installed. Thank you Chewy for providing the solution.

#11 DaChew

Posted 17 October 2010 - 10:06 AM

Kasp is one of the best.

"Ran several other scans with Avast"

Make sure that you uninstall it completely.

I do not recommend that you have more than one anti-virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti-virus products to raise "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False Alarms: When the anti-virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to Add/Remove in the Control Panel and remove either xxxx or xxxx.
Chewy