Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Win7-64bit, possible TDSS variant, and more...

  • This topic is locked This topic is locked
2 replies to this topic

#1 ThunderBearer


  • Members
  • 2 posts
  • Local time:04:01 AM

Posted 23 October 2010 - 07:44 PM

  • Windows 7, 64 Bit, 8GB

Probable symptoms:
  • Google search responses frequently redirect to other locations. (started in the past 5 days)
  • When running TrendMicro Housecall Launcher, it pops up a response similar to an IE window stating that the script isn't working (and referencing adult websites)
  • FTP.exe does not work, with a "procedure entry point s_perror" not located in MSWSOCK.dll (started within the past 7 days) (believed te be related)
  • System performance loading browsers has suffered tremendously.
  • Antimalware Doctor appears in the programs menu...
  • AVG AntiSpyware was installed, but doesn't download the pattern files (presumed symptom)
  • All .DOCX (Word Document 2007) icons have changed...

Things that I've tried, and their results:
  • RKill.exe - multiple times.. only seems to dislike my backup hard drive.
  • MalwareBytes - Noted some items on scan and they were removed (don't know where the log is), but the last run (from memory) was clean.
  • TrendMicro OSCE (the standard AV) - Appears to pick up nothing...
  • GridinSoft - Finds and repairs a Hijack.EnableLUA, finds the Antimalware Doctor and what I believe is a remnant of AntiVirus2010 from about a month ago, but then hits me up for cash...
  • TDSSkiller - Found TDSS and cleaned it... the first times, at least. Does not appear on recent attempts
  • TrendMicro Housecall - Found and cleaned up some items... but I can't seem to find the log
  • ESET Online Scanner - Detected 2 variants of Win32/ADON, a probable variant of Win32/PSW.IM.HSUGHJG, a probable variant of Win32/PSW.IM.EQHBKL, and the AntimalwareDoctor is referenced... but it's been going for 3 hours +, and is still only 22% complete. I'll post an update when it completes, but I've spent 4 days (too long) dealing with this and I'm not going to see this finish before I go to bed tonight.

Side notes:
  • DNS settings on both IPv4 and IPv6 are set to automatically detect...
  • IE Connection settings are set for Automatically Detect...
  • System Restore is turned off...
  • I had AntiVirus2010 on this system a month ago, and MBAM cleaned it up... (or so I thought?)

Things that I've considered:
  • Drinking heavily...
  • Sledgehammer...
  • High explosives...

Attached items:
  • I have attached a HiJackThis.log (as GMER didn't appear to operate the same way as shown on the forum instructions, and another reference indicates that it lacks 64 bit functionality), the two DDS log attachments, the last RKILL.log, and the TDSSKiller logs.

Not a bump... just attaching additional scan files as promised.

EDIT: Posts merged ~BP

Attached Files

Edited by Budapest, 25 October 2010 - 08:56 PM.

BC AdBot (Login to Remove)


#2 m0le


    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:11:01 AM

Posted 01 November 2010 - 08:58 PM


Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
Posted Image
m0le is a proud member of UNITE

#3 m0le


    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:11:01 AM

Posted 06 November 2010 - 07:58 PM

This topic has been closed.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
Posted Image
m0le is a proud member of UNITE

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users