TDSS virus, and others.


4 replies to this topic

#1 N.E. (Members, 140 posts)

Posted 10 December 2010 - 06:05 PM

My work computer was infected with the Whitesmoke Translator virus, which installed itself without any interaction. Malwarebytes and SAS seemed to do a good job removing this. After removal, I had the Google redirect virus TDSS.tdl4. I ran TDSSKiller, which appears to have removed it successfully. Since the removal, I have had problems running IE8.

IE8 would crash with a DEP exception. Reinstalling IE8 usually fixed this problem, but then IE8 would just quit, especially when starting to type into the search field of the Google toolbar. Disabling the toolbar allows IE8 to run apparently without problems. I tried reinstalling the Google toolbar, but that does not seem to make any difference.

All scanners (MB, SAS, ESET online scanner, and Norton Endpoint) run clean. I tried running ComboFix as per instructions given to others on this trojan, but it keeps telling me that I am running CA-Antivirus. I am not, so I am turning to you guys to find out where to go from here.

The machine is running well again since the removal of malware, but I can't get by the Google toolbar issue (and the false positive for CA-Antivirus).

Thanks in advance for any suggestions.

Neal



#2 quietman7 (Bleepin' Janitor, Global Moderator, 52,090 posts, Virginia, USA)

Posted 10 December 2010 - 07:19 PM

I tried running combofix as per instructions given to others on this trojan but it keeps telling me that I am running CA-Antivirus.

You should not be following specific instructions provided to someone else. Those instructions were most likely given under the guidance of a trained staff helper to fix that particular member's problems, NOT YOURS after careful evaluation of the malware involved. Before taking any action, the helper must investigate the nature of the infection and then formulate a fix for the victim. Although your problem may be similar, the solution could be different based on the kind of hardware, software, system requirements, etc. and the presence of other malware which means the degree of infection can vary.

ComboFix will not run if either AVG or CA anti-virus is installed as a protective measure against the actions of the scanning engine. This is because each of these anti-virus programs "falsely" detect ComboFix (or its embedded files) as a threat and may remove them. If some of these files are removed, ComboFix will not perform its routines properly and the developer has determined this can cause damaging or "unpredictable results". Normally this is avoided by temporarily disabling the anti-virus until ComboFix has been run but AVG and CA cannot be effectively disabled. As such, the developer has chosen not to allow his tool to run until the anti-virus is uninstalled first in order to avoid any potential problems. Please understand that this is an issue with the anti-virus and not with ComboFix.

Further, no one should be using ComboFix unless specifically instructed to do so by a Malware Removal Expert who can interpret the logs. It is a powerful tool intended by its creator to be "used under the guidance and supervision of an expert." Using this tool incorrectly could lead to disastrous problems with your operating system, such as preventing it from ever starting again. When issues arise due to complex malware infections, false detections, problems running ComboFix or with other security tools causing conflicts, experts are usually aware of them and can advise what should or should not be done while providing individual assistance. Those attempting to use ComboFix on their own do not have such information and are at risk when running the tool in an unsupervised environment. Please read the pinned topic ComboFix usage, Questions, Help? - Look here.

IMPORTANT NOTE: Since you say this a work computer, have you contacted and advised your IT Department? In most work environments, the IT staff implement specific policies and procedures for the use of computer equipment and related resources. In fact, many companies will require you to read those policies and sign a statement of understanding. These official procedures are designed and implemented to provide security and certain restrictions to protect the network. This allows all users to safely use business resources with minimum risk of malware infection, illegal software, and exposure to inappropriate Internet sites or other prohibited activity. We will not assist with attempts to circumvent those policies or security measures.

Our forums are set up to help the home computer user deal with issues and questions relating to personal computers. At most community security sites like this, we do not have the staff or resources to deal with numerous client machines or the complexities of network disinfection. A lot of helpers are not familiar with Servers and many of the tools we use are restricted to non-commercial use by their creators. Further, we are not equipped to involve ourselves in any legal issues that may arise due to loss of business data and loss of revenue as a result of malware infection or the disinfection process which in some instances require reformatting and reinstallation of the operating system.

A business IT staff generally has established procedures in place to deal with issues and infections on client machines on the network. As such, they may not approve of employees seeking help at an online forum or outside the business office as doing so could interfere or cause problems with their removal methods. The malware you are dealing with may have infected the network. If that's the case, the IT Department needs to be advised right away so they can take the appropriate disinfection measures.

If you're reluctant or embarrassed to inform the IT Team, keep in mind that they can easily trace the source of the infection. It is much better to bring this to their attention than to deal with the consequences of violating security policy.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 N.E. (Topic Starter, Members, 140 posts)

Posted 11 December 2010 - 09:07 AM

Thank you for your reply,

I understand your comments regarding it being a work computer, the use of ComboFix, etc. I will attempt to tell you why I came here for help.

I have been involved in the IT business for over 30 years, and have worked with operating systems from mainframes to mini-computers to PCs. I have been helping friends and neighbors rid their machines of malware for many years. Your site, as well as others, has been the best source of information for dealing with these issues, and I appreciate the dedication and time you guys put into helping others deal with the nasty stuff out there. Your cause is noble, and you should be commended.

That being said, I came here not out of fear of reporting this infection to my IT department, but because I work in the Tech support department for my organization (though for platforms other than PCs). I and the people I directly work with take pride in our ability to solve "issues" using prior knowledge and the Internet to research what others have done in the same situation. Even though these kinds of issues fall outside of our normal job descriptions, we all enjoy the learning experiences this type of thing provides. This infection has become a topic of interest for a few of us in the department. Using your site and others, most of the infections have been eradicated. This one last issue with the Google toolbar has stumped us all, and that is why I have come here for suggestions. If the problem cannot be solved, I will have the drive reimaged, but I much prefer the learning experience to taking the simple way out.

While I understand your comments about not using tools unless specifically directed, I have been around long enough to know how to observe what a tool does but not "click on any buttons" unless I am sure what I am doing. I have no problem looking at the output from a scan and not going any further without a proper understanding of how to proceed. I mentioned the ComboFix issue because neither CA-Antivirus nor AVG is running on the system; the provided anti-virus solution is Norton Endpoint.

If you cannot help, I understand. This infection involves a single machine with no business data to be concerned about. The most important data on the machine is technical manuals that can be offloaded to a USB drive and restored, or downloaded from the Internet again. Taking it to be reimaged would be easy, but I prefer to turn this bit of bad luck into a learning experience, and dealing with the other malware I picked up with this infection has proved to be fun as well as educational. I'm 90% there; it's the last 10% that has us stumped.

Neal

#4 quietman7 (Bleepin' Janitor, Global Moderator, 52,090 posts, Virginia, USA)

Posted 11 December 2010 - 09:22 AM

Not a problem with a single machine and we can help but advanced tools are not permitted in this forum.

For assistance with a malware infection that requires using ComboFix, please read the pinned topic titled "Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help".
  • If you cannot complete a step, then skip it and continue with the next.
  • In Step 7 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log.
  • When you have done that, post your log in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team Experts.


#5 foxyshadis (Members, 1 post)

Posted 17 May 2011 - 10:43 PM

This is an old topic now, but I wanted to contribute: I am experienced with combofix but mystified by this error on a machine that had never had it installed. Apparently some Compaq PCs came with it pre-installed but not active, so there's a CA folder in program files, even with nothing in the start menu, programs, or running tasks. All of the files are dated 2007. By simply removing that folder, Combofix will run.
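The two situations described in this thread (post #2: ComboFix refuses to run when it believes AVG or CA anti-virus is installed; post #5: a 2007-dated CA folder under Program Files with nothing running from it is enough to trigger that) are worth being able to triage before touching anything. The script below is an added example, not code from ComboFix, BleepingComputer or any poster. It separates a live product (something still executing or registered as a service out of the vendor folder, or files touched recently) from a stale remnant that is safe to move aside. The folder names it looks for, the one-year staleness threshold and the use of WMIC to list process and service image paths are all assumptions made for the example; the sample inventory is constructed, not captured from a real host.

```python
"""Triage anti-virus remnants that make a removal tool refuse to run (added example)."""
import os
import subprocess
import sys
import time
from dataclasses import dataclass, field

# Assumption: vendor folder basenames under Program Files worth inspecting.
VENDOR_FOLDER_NAMES = ("ca", "avg")
# Assumption: no file touched within a year means a leftover, not a live product.
STALE_AFTER_DAYS = 365


def norm(path: str) -> str:
    """Case-insensitive, separator-agnostic form so Windows paths compare on any OS."""
    return path.replace("\\", "/").rstrip("/").lower()


def is_under(path: str, folder: str) -> bool:
    """True if `path` is `folder` itself or lies beneath it (no prefix false positives)."""
    p, f = norm(path), norm(folder)
    return p == f or p.startswith(f + "/")


@dataclass
class Inventory:
    """Candidate folders plus what the host is actually executing."""
    folders: dict                       # folder path -> newest file mtime (epoch), None if empty
    process_images: list = field(default_factory=list)   # running executables' full paths
    service_binaries: list = field(default_factory=list) # service image paths


def classify(inv: Inventory, now: float, stale_days: int = STALE_AFTER_DAYS) -> dict:
    """Return {folder: 'active' | 'stale'} for every candidate folder."""
    verdicts = {}
    for folder, newest_mtime in inv.folders.items():
        running = any(is_under(p, folder) for p in inv.process_images)
        registered = any(is_under(s, folder) for s in inv.service_binaries)
        recent = newest_mtime is not None and (now - newest_mtime) < stale_days * 86400
        verdicts[folder] = "active" if (running or registered or recent) else "stale"
    return verdicts


def sample_inventory() -> Inventory:
    """Constructed data mirroring the thread: a 2007-dated CA folder that nothing
    uses, and an AVG folder that still backs a registered service. Not a real host."""
    return Inventory(
        folders={r"C:\Program Files\CA": 1_180_000_000.0,     # May 2007
                 r"C:\Program Files\AVG": 1_291_000_000.0},   # Nov 2010
        process_images=[r"C:\Windows\explorer.exe"],
        service_binaries=[r"C:\Program Files\AVG\svc.exe"],
    )


def _wmic_paths(kind: str, prop: str) -> list:
    """Image paths from WMIC (assumption: available on this Windows host)."""
    out = subprocess.run(["wmic", kind, "get", prop, "/format:list"],
                         capture_output=True, text=True, check=False).stdout
    paths = []
    for line in out.splitlines():
        if line.startswith(prop + "="):
            val = line.split("=", 1)[1].strip()
            if val.startswith('"'):       # service PathName may be quoted with args after it
                val = val.split('"')[1]
            if val:
                paths.append(val)
    return paths


def collect_windows_inventory(program_dirs=None) -> Inventory:
    """Scan Program Files folders on this Windows host for the vendor markers."""
    if sys.platform != "win32":
        raise RuntimeError("collection only runs on Windows; feed classify() an Inventory instead")
    program_dirs = program_dirs or [d for d in (os.environ.get("ProgramFiles"),
                                                os.environ.get("ProgramFiles(x86)")) if d]
    folders = {}
    for base in program_dirs:
        for entry in os.scandir(base):
            if entry.is_dir() and entry.name.lower() in VENDOR_FOLDER_NAMES:
                mtimes = [os.path.getmtime(os.path.join(r, f))
                          for r, _, files in os.walk(entry.path) for f in files]
                folders[entry.path] = max(mtimes) if mtimes else None
    return Inventory(folders, _wmic_paths("process", "ExecutablePath"),
                     _wmic_paths("service", "PathName"))


if __name__ == "__main__":
    inv = collect_windows_inventory() if sys.platform == "win32" else sample_inventory()
    for folder, verdict in classify(inv, time.time()).items():
        print(f"{verdict:6}  {folder}")
```

A "stale" verdict is the case foxyshadis hit: rename or move the folder (rather than delete it, so it can be restored) and rerun the tool. An "active" verdict means the product really is installed and the advice in post #2 applies: uninstall it properly first, since a running engine can quarantine the tool's files mid-run.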
