
Random Audio Advertisements


42 replies to this topic

#1 JeffA2

JeffA2

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Ann Arbor
  • Local time:09:16 AM

Posted 20 April 2011 - 03:51 PM

Can someone help? I'm inexperienced with computers but have learned some basic things.
Under Computer Properties, I see:
Microsoft Windows XP
Professional
Version 2002
Service Pack 3.

The biggest problems are random audio ads, internet script errors, and a Google redirect virus.
Thanks in advance



#2 Quattr0

Quattr0

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:08:16 AM

Posted 20 April 2011 - 04:06 PM

I've just started running into this one. I fixed a client machine this morning with the same symptoms.


To fix it I did the following:

Unplug the network cable.

Boot into safe mode.

Ran a renamed copy of TDSSkiller (explorer.exe)

Found a ***.sys file that was the rootkit.

Removed it. Rebooted.

Update and scan with Malwarebytes to remove the remaining remnants.


This worked great for me. Your mileage may vary.

However I've got a similarly infected machine on the test bench now that has yet to be detected by any tools I've used thus far.

Good Luck!

Edited by Quattr0, 20 April 2011 - 04:45 PM.


#3 JeffA2

JeffA2
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Ann Arbor
  • Local time:09:16 AM

Posted 20 April 2011 - 04:09 PM

Thank you for trying to help me but unfortunately I don't know what you mean by unplugging the network cable

#4 Quattr0

Quattr0

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:08:16 AM

Posted 20 April 2011 - 04:14 PM

Unplug the network cable from your computer.

The machine was also infected with the Windows Recovery malware here

http://www.bleepingcomputer.com/virus-removal/remove-windows-recovery

#5 JeffA2

JeffA2
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Ann Arbor
  • Local time:09:16 AM

Posted 20 April 2011 - 04:18 PM

Oh thanks. I had the Windows Restore Virus but was able to remove it. So maybe those are remnants. For the TDSSkiller I should download to a USB, then boot in safe mode then run?

#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,489 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:09:16 AM

Posted 20 April 2011 - 08:45 PM

If you have access to the web then just run it straight in normal mode.

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.


Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click Update tab, select Check for Updates, when done
click Scanner tab, select Quick scan and scan (normal mode).
After scan click Remove Selected, Post new scan log and Reboot into normal mode.

Please ask any needed questions, post logs and let us know how the PC is running now.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#7 JeffA2

JeffA2
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Ann Arbor
  • Local time:09:16 AM

Posted 21 April 2011 - 06:12 PM

Thanks boopme, but the TDSSkiller is not running. I have tried renaming it to 123abc.com and running as the administrator, but nothing pops up.

#8 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,489 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:09:16 AM

Posted 21 April 2011 - 07:08 PM

Ok, you may need to disable your Antivirus app temporarily.

Try TDSSKiller from Command Prompt

Use the following command to scan the PC with a detailed log written into the file report.txt (created in the TDSSKiller.exe utility folder):
Open Command Prompt in XP = click Start >> Run, type cmd
Copy and paste this at the flashing cursor and hit Enter

TDSSKiller.exe -l report.txt

#9 JeffA2

JeffA2
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Ann Arbor
  • Local time:09:16 AM

Posted 21 April 2011 - 09:00 PM

I know how to disable my antivirus, but I don't understand "Try TDSSkiller from command prompt". I'm so sorry but you might have to hold my hand the rest of the way.

#10 JeffA2

JeffA2
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Ann Arbor
  • Local time:09:16 AM

Posted 21 April 2011 - 09:27 PM

Also, I have no school tomorrow for Good Friday and will have a relatively easy weekend, so I will be on the computer very often and be able to respond quickly.

#11 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,489 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:09:16 AM

Posted 22 April 2011 - 10:57 AM

Ok we want to try to run it from the utility called Command Prompt..>> What is a command prompt?

Open Command Prompt in XP = click Start >> Run, this opens the Command prompt
now type cmd
Copy and paste this (below) at the flashing cursor and hit Enter

TDSSKiller.exe -l report.txt

This should make TDSS run on its own and produce a log that you can Copy/paste back here.

#12 JeffA2

JeffA2
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Ann Arbor
  • Local time:09:16 AM

Posted 22 April 2011 - 12:20 PM

Alright, I did that, but it said that TDSSKiller.exe is not recognized as an internal or external command, operable program or batch file.

I then redownloaded the TDSSKiller link you posted earlier and tried the same to no success.

#13 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,489 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:09:16 AM

Posted 22 April 2011 - 12:34 PM

What is your antivirus?

Let's run an online scan. Perhaps there is another malware stopping the TDSS.
ESET Online Scanner:

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here.

Vista/Windows 7 users: You will need to right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.

  • Please go here to run the scan.

    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.

  • Select the option YES, I accept the Terms of Use then click on: Posted Image
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: Posted Image
  • The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on: Posted Image
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.
Note: Do not forget to re-enable your Anti-Virus application after running the above scan

#14 JeffA2

JeffA2
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Ann Arbor
  • Local time:09:16 AM

Posted 22 April 2011 - 12:46 PM

Thanks, I'll start on that right now.

#15 JeffA2

JeffA2
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Ann Arbor
  • Local time:09:16 AM

Posted 22 April 2011 - 02:34 PM

Alright. This is what I have gotten from the Online Scanner
I hope this is what you needed.

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6427
# api_version=3.0.2
# EOSSerial=6b5e5b3047c2a24aa117c591c9c61206
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-04-22 07:08:21
# local_time=2011-04-22 03:08:21 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=1024 16777191 100 0 585093 585093 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=81064
# found=1
# cleaned=0
# scan_time=3885
C:\RECYCLER\S-1-5-21-1837804963-3812337402-1792353879-1005\Dc16.exe multiple threats (unable to clean) 0000000000000000000
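
A helper reading a log like the one above checks two things: that the scan ran with the options requested in post #13, and what was found but left uncleaned. The Python sketch below is an added example, not part of the thread or of ESET's tooling; the detection-line layout (path, threat text, trailing hex field) is an assumption inferred from the single detection line posted.

```python
import re

# Sample input: the log from the post above, trimmed to the fields used here.
SAMPLE_LOG = r"""ESETSmartInstaller@High as downloader log:
all ok
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# found=1
# cleaned=0
C:\RECYCLER\S-1-5-21-1837804963-3812337402-1792353879-1005\Dc16.exe multiple threats (unable to clean) 0000000000000000000
"""

# Scan options the helper asked for earlier in the thread.
REQUESTED = {"remove_checked": "false", "archives_checked": "true",
             "unwanted_checked": "true", "unsafe_checked": "true",
             "antistealth_checked": "true"}
META = re.compile(r"^#\s*(\w+)=(.*)$")
# Assumption: detection lines read "<path> <threat text> <hex field>".
DETECTION = re.compile(r"^([A-Za-z]:\\.*?\.\w{1,4})\s+(.+?)\s+([0-9A-Fa-f]+)$")

def parse_eset_log(text):
    """Return (header dict, list of detections); other lines are ignored."""
    meta, detections = {}, []
    for line in map(str.strip, text.splitlines()):
        if m := META.match(line):
            meta[m.group(1)] = m.group(2).strip('"')  # repeated keys keep the last value
        elif d := DETECTION.match(line):
            detections.append({"path": d.group(1), "threat": d.group(2)})
    return meta, detections

def review(meta, detections):
    notes = []  # items to follow up on, in the order checked
    if meta.get("end") != "finished":
        notes.append("scan did not finish")
    for key, want in REQUESTED.items():
        if meta.get(key) != want:
            notes.append(f"{key} is {meta.get(key)!r}, requested {want!r}")
    found, cleaned = int(meta.get("found", 0)), int(meta.get("cleaned", 0))
    if found != len(detections):
        notes.append(f"header found={found} but {len(detections)} lines parsed")
    if found > cleaned:
        notes.append(f"{found - cleaned} detection(s) left uncleaned")
    return notes

if __name__ == "__main__":
    print(review(*parse_eset_log(SAMPLE_LOG)))
```
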



