There are no guarantees or shortcuts when it comes to malware removal, especially when dealing with backdoor Trojans or rootkit components that can hook into the Windows 32-bit kernel and patch several APIs to hide new registry keys and files they install. Some infections are difficult to remove completely because of their morphing characteristics, which allow the malware to regenerate itself. Sometimes there is an undetected hidden piece of malware which protects malicious files and registry keys so they cannot be permanently deleted. Other types of malware can even terminate your security tools by changing the permissions on targeted programs so that they cannot run or complete scans. Infections will vary and some will cause more harm to your system than others, as backdoor Trojans not only compromise your system, they have the ability to download more malicious files. Thus, it may take several efforts with different, the same or more powerful tools to do the job. Even then, with some types of malware infections, the task can be arduous.

In some instances an infection may have caused so much damage to your system that it cannot be successfully cleaned, repaired or trusted. Security vendors that claim to be able to remove rootkits and backdoor Trojans cannot guarantee that all traces will be removed as their tools may not find all the remnants. Further, if something goes awry during the malware removal process there is always a risk the computer may become unstable or unbootable and you could lose access to your data.
The Malware Response Team members are all volunteers who contribute to helping members as time permits but currently there is a backup and you may have to wait for assistance. If you do not mind waiting and want someone to check your system thoroughly, then please follow the directions provided by cryptodan. If you want to continue in this forum, continue as follows:
Please post the complete results of your TDSSKiller scan for review.
After running TDSSKiller, a log file named TDSSKiller_version_date_time_log.txt will have been created and saved to the root directory (usually Local Disk C:). Open that file in Notepad, then copy and paste the contents of that file in your next reply.
You indicated you performed scans in safe mode. Scanning with Malwarebytes Anti-Malware in safe or normal mode will work, but removal functions are not as powerful in safe mode. MBAM is designed to be at full power when malware is running, so safe mode is not necessary when using it. In fact, MBAM loses some effectiveness for detection & removal when used in safe mode because the program includes a special driver which does not work in safe mode. Further, scanning in safe mode prevents some types of malware from running, so it may be missed during the detection process. For optimal removal, normal mode is recommended so it does not limit the abilities of MBAM. Doing a safe mode scan should only be done when a regular mode scan fails or you cannot boot up normally. If that is the case, after completing a safe mode scan, reboot normally, update the database definitions through the program's interface (preferable method) and try rescanning again in normal mode. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.
Please perform a scan with Eset Online Anti-virus Scanner
- This scan requires Internet Explorer to work. If using a different browser, you will be given the option to download and use the ESET Smart Installer.
- Vista/Windows 7 users need to run Internet Explorer as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run As Administrator from the context menu.
- Click the green button.
- Read the End User License Agreement and check the box:
- Check .
- Click the button.
- Accept any security warnings from your browser.
- Check Remove found threats and Scan potentially unwanted applications. (If given the option, choose "Quarantine" instead of delete.)
- Click the Start button.
- ESET will then download updates for itself, install itself, and begin scanning your computer.
- If offered the option to get information or buy software at any point, just close the window.
- The scan will take a while so be patient and do NOT use the computer while the scan is running. Keep all other programs and windows closed.
- When the scan completes, push
- Push , and save the file to your desktop as ESETScan.txt.
- Push the button, then Finish.
- Copy and paste the contents of ESETScan.txt in your next reply.
Note: A log.txt file will also be created and automatically saved in the C:\Program Files\EsetOnlineScanner\ folder.
If you did not save the ESETScan log, click , then type or copy and paste everything in the code box below into the Open dialogue box:
- Click Ok and the scan results will open in Notepad.
- Copy and paste the contents of log.txt in your next reply.
IMPORTANT NOTE: Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn them back on after you are finished.
TDL3 is the third and fourth generation of TDSS, which uses rootkit technology to hide itself on a system by infecting system files/drivers like atapi.sys, which is a common target because it loads early during the boot process and is difficult to detect. Newer variants, however, can target a number of other legitimate drivers in the Windows drivers folder. Common symptoms/signs of this infection include:
- Google search results redirected as TDL3 modifies DNS query results.
- Infected (patched/forged) files in the Windows drivers folder.
- Slowness of the computer and poor performance.
- Multiple instances of IEXPLORE.exe in Task Manager.
- Internet Explorer opens on its own.
- BSODs as described in this article.
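The "patched/forged files in the Windows drivers folder" symptom above can be checked for rather than guessed at. The following PowerShell script is an added example (it is not part of this post and not a tool from Malwarebytes, ESET or Kaspersky): it inventories every .sys file in the drivers folder, hashes each one, and compares the result against a baseline CSV exported earlier from a known-clean machine running the same Windows version and service pack. The baseline path, the -Export switch and the parameter names are this example's own assumptions.

```powershell
# Added example, not from the original post or any vendor tool.
# Usage: run once on a clean reference machine with -Export to create the baseline,
# then run on the suspect machine (no switch) to list drivers whose hash differs or
# which are absent from the baseline. The baseline path below is hypothetical.
param(
    [string]$DriversPath = (Join-Path $env:SystemRoot 'System32\drivers'),
    [string]$Baseline    = (Join-Path $env:USERPROFILE 'Desktop\driver-baseline.csv'),
    [switch]$Export
)

function Get-Sha256Hex([string]$Path) {
    # Hash with .NET directly so the script also runs on PowerShell 2.0 (Windows 7 era),
    # which has no Get-FileHash cmdlet.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::Open($Path, 'Open', 'Read', 'Read')
    try {
        return ([System.BitConverter]::ToString($sha.ComputeHash($stream))) -replace '-', ''
    } finally {
        $stream.Close()
    }
}

function Get-DriverInventory([string]$Folder) {
    # One record per *.sys file: name, size, SHA-256 and Authenticode status.
    # Signature status is informational only: inbox drivers are catalog-signed and may
    # report NotSigned on older Windows versions or when the volume is mounted offline.
    Get-ChildItem -Path $Folder -Filter '*.sys' -ErrorAction SilentlyContinue | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        New-Object PSObject -Property @{
            Name      = $_.Name
            Length    = $_.Length
            Sha256    = Get-Sha256Hex $_.FullName
            Signature = $sig.Status.ToString()
        }
    }
}

if ($Export) {
    Get-DriverInventory $DriversPath | Export-Csv -Path $Baseline -NoTypeInformation
    Write-Host "Baseline written to $Baseline"
    return
}

if (-not (Test-Path $Baseline)) {
    Write-Error "Baseline $Baseline not found. Create it on a clean machine with -Export."
    return
}

# Index the baseline by file name for O(1) lookups.
$known = @{}
Import-Csv -Path $Baseline | ForEach-Object { $known[$_.Name] = $_ }

$findings = foreach ($drv in Get-DriverInventory $DriversPath) {
    $ref = $known[$drv.Name]
    if ($null -eq $ref) {
        $drv | Add-Member -PassThru NoteProperty Finding 'NOT IN BASELINE (new or renamed driver)'
    } elseif ($ref.Sha256 -ne $drv.Sha256) {
        $drv | Add-Member -PassThru NoteProperty Finding "HASH MISMATCH (baseline size $($ref.Length))"
    }
}

# atapi.sys is the common target named above, so say so explicitly if the baseline lacks it.
if (-not $known.ContainsKey('atapi.sys')) { Write-Warning 'atapi.sys is missing from the baseline' }

if ($findings) {
    $findings | Sort-Object Name | Format-Table Name, Length, Signature, Finding -AutoSize
} else {
    Write-Host 'All drivers match the baseline.'
}
```

Because a kernel-mode rootkit hides its changes from programs running on the infected system, a hash taken from a live infected machine may show the clean, original bytes. For a trustworthy comparison, boot from a clean rescue environment, mount the suspect disk, and point -DriversPath at that volume's drivers folder; a hash mismatch on an offline copy of atapi.sys or another inbox driver is then a strong indicator of the patched-driver symptom listed above.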
For more specific analysis and explanation of the infection, please refer to: TDL3: The Rootkit of All Evil?

Rootkits, backdoor Trojans, and IRCBots are very dangerous because they compromise system integrity by making changes that allow the system to be used by the attacker for malicious purposes. Rootkits are used by backdoor Trojans to conceal their presence (hide from view) in order to prevent detection of an attacker's software and make removal more difficult. Many rootkits can hook into the Windows 32-bit kernel and patch several APIs to hide new registry keys and files they install. They can disable your anti-virus and security tools to prevent detection and removal. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is then sent back to the hacker.
Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:
Backdoors and What They Mean to You
Whenever a system has been compromised by a backdoor payload, it is impossible to know if or how much the backdoor has been used to affect your system...There are only a few ways to return a compromised system to a confident security configuration. These include:
• Reimaging the system
• Restoring the entire system using a full system backup from before the backdoor infection
• Reformatting and reinstalling the system
This is what Jesper M. Johansson at Microsoft TechNet has to say: Help: I Got Hacked. Now What Do I Do?
The only way to clean a compromised system is to flatten and rebuild. That’s right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications).