Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Cleared TDSS infection, but unresolvable BSOD in normal boot and weirdness in Safe Mode

  • This topic is locked This topic is locked
8 replies to this topic

#1 oldhand


  • Members
  • 7 posts
  • Local time:10:36 PM

Posted 02 January 2012 - 05:13 PM

Working on a PC that doesn't belong to me - Windows Vista system, Acer-manufactured, apparently compromised some time ago by a very nasty piece of malware that looked like TDSS4; in a couple of decades dealing with PCs, including handling MBR viruses and rebuilding partition tables from scratch under the gun, I haven't personally had to untangle one quite like this.

Short version:

I managed to get rid of the infection - I think. But now the system is left with a smattering of suspicious-looking symptoms: process/file/registry monitoring are dead, logging is dead, normal mode BSODs without fail at boot and all meaningful changes to the registry in safe mode (with or without networking) vanish at reboot.

Would love some help trying to nail this down. In searching all over Google I have found that other parties have encountered similar post-malware combos matching this one, but none of the victims have identified root cause in any of my research. If I can figure out what is making what unhappy, I can dig into this, but right now I'm flying blind.

Longer version:

Initial symptoms:

(1) All attempts to click on a result from a Google search were redirected, regardless of browser.

Steps taken to resolve:

(1) Ran ComboFix (ran, but did not accomplish anything). Based on your posting guidelines I should have done this last rather than first - oops. Thought I was dealing with a different piece of malware, which I have previously resolved with a ComboFix + MalwareBytes one-two punch. :(

(2) Tried a variety of run-in-Windows AV solutions:
- MalwareBytes (detected nothing)
- Microsoft Safety Scanner (detected nothing)
- WebRoot (was already on system, fairly useless but at one point detected Troj/ExpJS-CK)
- ESET NOD32 5 (detected win32/olmarik/TLD4/Trojan - memory - unable to clean; detected
- Kaspersky TDSSKiller (based on observation of Task Viewer, double-click would launch and immediately terminate - no GUI ever presented)

(3) Ran MBRCheck.exe, which repeatedly detected a forged MBR but would not (apparently) write out any corrections (or had them negated by the malware immediately after correction).

(4) Disabled System Restore, to prevent major system tweaking to remove the malware from being undone.

(5) Booted from Kaspersky Rescue Disk 10; ran scan, which deleted the TLD4 Trojan; also identified a Western Digital "button" program as trojan, deleted to be safe.

Step 5 resolved the initial symptom and restored MBRCheck.exe and TDSSKiller to normal behavior.

However, the repair work left the PC in bad shape. The following symptoms are now present (none of these symptoms existed pre-removal):

(1) "Repair Your Computer" option under F8 appears to go to normal boot rather than Windows Recovery Environment.

(2) Normal boot encounters a BSOD referencing no file or driver, whether a user is actually selected to log on or not. No memory dump is saved to disk, despite registry settings in place (verified) telling the system to do so. STOP references 0x0000008E; first parameter is always 0xC0000005, fourth is always 0x00000000, middle two are variable.

(3) Normal boot proceeds far enough to allow selection of a user, but the system will BSOD whether a user is selected or not, and if a user is selected there is not enough time before the BSOD to conduct any system recon.

(4) Safe mode and Safe mode w/Networking boot ok, but upon selecting a user in Safe Mode (user has Admin rights) the first thing to show up is the System Properties dialog (where you would change the computer name), followed by the desktop. EDIT - ADDITIONAL INFO 1/2/2012 11:41PM - Worth noting that if I boot to Safe Mode w/Command Prompt (which does not auto-load Explorer), manually kicking off explorer.exe from the command prompt does *not* cause the System Properties dialog to come up along with the desktop.

(5) Systemwide registry changes made in safe mode (with or without networking) do not persist across reboots. This includes changes made by running install/uninstall routines. At least some per-user changes persist (such as the last thing typed into the Run dialog brought up via a Windows+R prompt).

(6) Event Log service is running, but attempts to read the Windows event logs via any of the canned spots cause the following error: "Event Viewer cannot open the event log or custom view. Verify that Event Log Service is running. The request is not supported (50)"

(7) Event Log files on the system can be read via the "Saved Logs" function in the MMC. However, based on contents and OS file date/timestamp, the Event Logs have not been updated since TDSS was removed via the Kaspersky Rescue Disk 10.

(8) SysInternals' Process Monitor (procmon.exe) will not capture data in Safe Mode, citing the error "Unable to load Process Monitor device driver." Process Explorer (procexp.exe), though, will run just fine.

Other post-TDSS-removal troubleshooting notes:

(1) Some manual cleanup had to be done of the boot partition after removal:
- Partition type was set to 06 (FAT/FAT16/FAT32) instead of NTFS (07) even though its filesystem is NTFS; corrected to 07.
- MBR and Volume Boot Record were obviously compromised; used bootrec (from a Win7 CD repair-command prompt) to return these to normal.
- MBR still retained errant data at byte offset 0x24 - (normal 80 00 80 00, found 80 00 00 00). Returned this manually to 80 00 80 00 on primary MBR. This got the boot process to (on its own) run chkdsk /f, probably due to mismatch of the primary and backup MBR. The chkdsk did some filesystem repair including what was described as a "Bitmap attribute" on the MFT, and synced up the backup MBR to the primary.

(2) Using third-party tools (Boot CD with utilties) it is possible to read, write, and modify files, and it is possible to read, write, and modify the internals of the registry, so long as you are doing all this while *not* booted into Windows from the system partition on the hard drive.

(3) Yanked everything out of the "Startup" key in the Registry (offline registry edit) - don't have the full key handy but you know which one (so all the junk installed over the years wouldn't muck up troubleshooting). No impact.

(4) Re-ran TDSSKiller; it runs; deleted a remnant TDSS partition (\harddisk0\dr0, if memory serves)

(5) Ran RKILL.EXE - no effect/improvement/change/discovery.

(6) Ran GMER - no effect/improvement/change/discovery.

(7) MBRCheck.exe repeatedly detects the MBR as being normal.

(8) Used Subinacl.exe to "restore" admin permissions to pretty much the entire registry and filesystem - no impact.

(9) Windows Defender service is disabled in the registry because I did so as part of the troubleshooting process - the malware apparently had a hold of it. It will run, though. It still shows as disabled because I have not re-enabled it in the offline tool, and in-session enable done during safe mode is lost at reboot.I have also tried selectively disabling startup drivers for normal mode (via offline registry tweaking), based on output to the boot log (ntbtlog.txt). This managed to cut the amount of time spent waiting for the BSOD down, but still getting the BSOD. Gave up after running out of "obvious" things to disable in a very long list, and set things back to the way they were before service-by-service tweaking.

(10) SFC /VERIFYONLY turns up nothing.

(11) McAfee was on this system at some point and partially uninstalled, leaving a handful of drivers loading. I disabled startup of these via offline registry edit (files c:\windows\system32\drivers\mf*). No impact.

(12) References to Webroot and SuperAntiSpyware in the files attached are defunct. These were uninstalled from the system several days (and several reboots) ago; the executables are no longer on the system. ESET is still on the system - can't remove it via anything involving Windows Installer (because Windows Installer won't run in Safe Mode).

(13) "kfehd11f.exe" is GMER.

All that said - here's the DDS.txt file. Other files (attach.txt, ark.txt) attached as per help request guidelines. Thanks for any guidance you can provide.


DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_30
Run by LeRoy at 16:03:45 on 2012-01-02
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2815.2051 [GMT -5:00]
AV: Webroot SecureAnywhere *Enabled/Updated* {53211D91-0C31-95F2-E3A5-7661FB22889E}
AV: ESET NOD32 Antivirus 5.0 *Enabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
SP: ESET NOD32 Antivirus 5.0 *Enabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Webroot SecureAnywhere *Enabled/Updated* {E840FC75-2A0B-9A7C-D915-4D1380A5C223}
============== Running Processes ===============
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\System32\svchost.exe -k secsvcs
============== Pseudo HJT Report ===============
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = hxxp://my.yahoo.com/p/1.html
mSearch Bar = hxxp://www.earthlink.net/partner/more/msie/button/search.html
mStart Page = hxxp://www.yahoo.com
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: UrlSearchHook Class: {00000000-6e41-4fd3-8538-502f5495e5fc} - c:\program files\ask.com\GenericAskToolbar.dll
uURLSearchHooks: YTNavAssist.YTNavAssistPlugin Class: {81017ea9-9aa8-4a6a-9734-7af40e7d593f} - c:\program files\yahoo!\companion\installs\cpn0\YTNavAssist.dll
BHO: Pop-Up Blocker BHO: {3c060ea2-e6a9-4e49-a530-d4657b8c449a} - PopKill Class
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
mRun: [<NO NAME>]
dRun: [StartCCC] c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe
dRun: [Acer Tour Reminder] c:\acer\acertour\Reminder.exe
uPolicies-explorer: <NO NAME> =
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: $talisma_url$
Trusted Zone: intuit.com\ttlc
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Bejeweled%202/Images/stg_drm.ocx
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {1851174C-97BD-4217-A0CC-E908F60D5B7A} - hxxp://h20364.www2.hp.com/CSMWeb/Customer/cabs/HPISDataManager.CAB
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photos.walmart.com/WalmartActivia.cab
DPF: {49232000-16E4-426C-A231-62846947304B} - hxxps://wimpro.cce.hp.com/ChatEntry/downloads/sysinfo.cab
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
DPF: {80AEEC0E-A2BE-4B8D-985F-350FE869DC40} - hxxp://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsVista.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Bejeweled%202/Images/armhelper.ocx
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer =
TCP: Interfaces\{3774A055-FF31-4409-88D1-465F4C9D4AB3} : DhcpNameServer =
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12
================= FIREFOX ===================
FF - ProfilePath - c:\users\leroy\appdata\roaming\mozilla\firefox\profiles\2kw9m7dd.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - component: c:\programdata\google\toolbar for firefox\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\programdata\google\toolbar for firefox\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar-ff3.dll
FF - component: c:\programdata\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\programdata\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordlegacyext.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\common files\motive\npMotive.dll
FF - plugin: c:\program files\google\google updater\2.4.2432.1652\npCIDetect14.dll
FF - plugin: c:\program files\google\update\\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
FF - plugin: c:\program files\musicnotes\npmusicn.dll
FF - plugin: c:\program files\musicnotes\NPSibelius.dll
FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dv.dll
FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dvstreaming.dll
FF - plugin: c:\users\leroy\appdata\roaming\mozilla\firefox\profiles\2kw9m7dd.default\extensions\{195a3098-0bd5-4e90-ae22-ba1c540afd1e}\plugins\npGarmin.dll
============= SERVICES / DRIVERS ===============
S1 archlp;archlp;c:\windows\system32\drivers\ArcHlp.sys [2011-1-2 127744]
S1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2011-8-4 118104]
S2 !SASCORE;SAS Core Service;"c:\program files\superantispyware\sascore.exe" --> c:\program files\superantispyware\SASCORE.EXE [?]
S2 Acer HomeMedia Connect Service;Acer HomeMedia Connect Service;c:\program files\acer arcade live\acer homemedia connect\kernel\dms\CLMSServer.exe [2007-4-16 266343]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2011-6-6 64952]
S2 BBUpdate;BBUpdate;c:\program files\microsoft\bingbar\SeaPort.EXE [2011-6-15 249648]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 eamonm;eamonm;c:\windows\system32\drivers\eamonm.sys [2011-8-9 163424]
S2 ekrn;ESET Service;"c:\program files\eset\eset nod32 antivirus\ekrn.exe" --> c:\program files\eset\eset nod32 antivirus\ekrn.exe [?]
S2 epfwwfpr;epfwwfpr;c:\windows\system32\drivers\epfwwfpr.sys [2011-8-4 103112]
S2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-6-15 21504]
S2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2009-9-25 189736]
S2 gupdate1c9ff56b18985a0;Google Update Service (gupdate1c9ff56b18985a0);c:\program files\google\update\GoogleUpdate.exe [2009-7-7 133104]
S2 McciServiceHost;McciServiceHost;c:\program files\common files\motive\McciServiceHost.exe [2011-6-3 315392]
S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\nvidia corporation\nvidia updatus\daemonu.exe [2011-8-23 2255464]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2011-8-3 379496]
S2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;"c:\program files\webroot\webrootsecurity\spysweeper.exe" --> c:\program files\webroot\webrootsecurity\SpySweeper.exe [?]
S2 WRConsumerService;Webroot Client Service;"c:\program files\webroot\webrootsecurity\wrconsumerservice.exe" --> c:\program files\webroot\webrootsecurity\WRConsumerService.exe [?]
S2 WRSVC;WRSVC;"c:\program files\webroot\wrsa.exe" -service --> c:\program files\webroot\WRSA.exe [?]
S3 BBSvc;Bing Bar Update Service;c:\program files\microsoft\bingbar\BBSvc.EXE [2011-7-7 195336]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\magix\common\database\bin\fbserver.exe [2009-7-17 1527900]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-7-7 133104]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2011-9-23 139368]
S3 PAC207;PC Camera;c:\windows\system32\drivers\PFC027.SYS [2007-10-25 616064]
S3 rcmirror;rcmirror;c:\windows\system32\drivers\rcmirror.sys [2008-10-8 3328]
S3 UPnPService;UPnPService;c:\program files\common files\magix shared\upnpservice\UPnPService.exe [2009-7-17 544768]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S3 WSVD;WSVD;c:\windows\system32\drivers\WSVD.sys [2008-5-25 80744]
S4 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-10-25 79816]
S4 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-10-25 35272]
S4 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-9-16 214664]
S4 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-10-25 34248]
S4 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-10-25 40552]
=============== Created Last 30 ================
2012-01-02 20:57:26 56200 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{56cbd9a5-7d4f-4a6b-8f3d-1f4c9341c67b}\offreg.dll
2011-12-31 03:55:49 -------- d-----w- C:\RSWSAFE
2011-12-31 03:30:02 -------- d-sh--w- C:\found.000
2011-12-29 21:51:48 -------- d-----w- c:\program files\WhoCrashed
2011-12-29 16:50:55 -------- d-----w- c:\users\leroy\appdata\local\temp
2011-12-29 16:50:33 -------- d-sh--w- C:\$RECYCLE.BIN
2011-12-29 05:44:47 -------- d-----w- c:\users\leroy\appdata\local\NeoSmart_Technologies
2011-12-29 05:43:17 -------- d-----w- c:\program files\NeoSmart Technologies
2011-12-29 05:21:21 -------- d-----w- c:\windows\pss
2011-12-28 23:18:55 -------- d-----w- c:\programdata\Kaspersky Lab
2011-12-28 22:34:02 -------- d-----w- c:\program files\HashTab Shell Extension
2011-12-28 21:07:36 -------- d-----w- c:\users\leroy\{55a5eeea-6af0-4bac-8f8d-d204c48238b3}
2011-12-27 21:13:27 -------- d-----w- c:\program files\ESET_safe
2011-12-26 21:17:58 1563024 ----a-w- c:\windows\WRSetup.dll
2011-12-26 21:17:58 -------- d-----w- c:\program files\bad_Webroot
2011-12-26 19:35:36 -------- d-----w- c:\program files\bad_Ask.com
2011-12-26 19:25:09 -------- d-----w- c:\programdata\Ask
2011-12-26 19:17:47 626688 ----a-w- c:\program files\mozilla firefox\msvcr80.dll
2011-12-26 19:17:47 548864 ----a-w- c:\program files\mozilla firefox\msvcp80.dll
2011-12-26 19:17:47 479232 ----a-w- c:\program files\mozilla firefox\msvcm80.dll
2011-12-26 19:17:47 43992 ----a-w- c:\program files\mozilla firefox\mozutils.dll
2011-12-24 18:07:34 -------- d-----w- c:\program files\Citrix
2011-12-24 05:30:05 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-24 05:18:38 6823496 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{56cbd9a5-7d4f-4a6b-8f3d-1f4c9341c67b}\mpengine.dll
2011-12-24 03:30:53 98816 ----a-w- c:\windows\sed.exe
2011-12-24 03:30:53 518144 ----a-w- c:\windows\SWREG.exe
2011-12-24 03:30:53 256000 ----a-w- c:\windows\PEV.exe
2011-12-24 03:30:53 208896 ----a-w- c:\windows\MBR.exe
2011-12-15 20:56:20 2048 ----a-w- c:\windows\system32\tzres.dll
2011-12-15 00:17:58 -------- d-----w- c:\program files\iPod
==================== Find3M ====================
2011-12-09 03:36:22 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-15 19:29:56 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-11-10 10:54:13 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-10-24 19:29:02 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-10-24 19:29:02 69632 ----a-w- c:\windows\system32\QuickTime.qts
2006-11-20 13:01:08 163840 ----a-w- c:\program files\common files\AMCap.exe
============= FINISH: 16:03:52.80 ===============

Attached Files

Edited by oldhand, 03 January 2012 - 12:19 AM.

BC AdBot (Login to Remove)


#2 oldhand

  • Topic Starter

  • Members
  • 7 posts
  • Local time:10:36 PM

Posted 02 January 2012 - 09:34 PM

Additional info - ESET Online scan in Safe Mode w/Networking turned up the following:

C:\Download\WMA to MP3 Converter.exe Win32/Adware.Toolbar.Dealio application deleted - quarantined
C:\Users\LeRoy\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\58\14369f3a-7e93a579 a variant of Java/Agent.DZ trojan deleted - quarantined
C:\Users\LeRoy\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\6\511051c6-15bcf01a a variant of Java/Agent.DZ trojan deleted - quarantined

Told the scanner to delete all items in the quarantine. Going to reboot and then re-run the scan, will post result.

#3 oldhand

  • Topic Starter

  • Members
  • 7 posts
  • Local time:10:36 PM

Posted 03 January 2012 - 11:22 AM

Following are end-to-end results of AV scans and other activity run since my initial post. These were all done in the order shown, one behind the other. No reboots yet.

ESET Online - Run 1 - viruses found in 3 files.

C:\Download\WMA to MP3 Converter.exe Win32/Adware.Toolbar.Dealio application deleted - quarantined
C:\Users\LeRoy\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\58\14369f3a-7e93a579 a variant of Java/Agent.DZ trojan deleted - quarantined
C:\Users\LeRoy\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\6\511051c6-15bcf01a a variant of Java/Agent.DZ trojan deleted - quarantined

Told the scanner to delete these files from the quarantine.

ESET Online - Run 2 (immediately after) - clear.

BitDefender Online Run 1 - clear.

Panda Online Run 1 (full scan chosen) - virus/trojan found in 1 file, suspect false positive

c:\acer\acertour\reminder.exe - no action taken - suspect false positive ("Generic Trj")
25 tracking cookies found - no action taken - will delete these manually
1 suspicious - ots.exe (Old Timer Scanner - not a threat)

MBRCheck run - still clear.

F-Secure Online Run 1 - clear.

CA Threat Scanner Online - "Quick Scan" 1 - spyware/adware hits (7)

- Bifrost - Threat level High - Key "hkey_current_user \software\wget"
- Grokster - Threat level Medium - Key "hkey_classes_root \magnet"
- WinAntiVirus Pro 2006 - Threat level Medium - key "hkey_classes_root \*\shellex\contextmenuhandlers\shellextension"
- WinSpywareProtect - Threat level Medium - Key "hkey_current_user \software\microsoft\windows\currentversion\drivers"
- Aureate/Radiate - Threat level High - Folder "c:\program files\mediaring talk"
- Ezula - Threat level Medium - File "c:\users\leroy\favorites\links\ebay.url"
- Limewire - Threat level Medium - Folder "c:\users\leroy\appdata\local\VirtualStore\program files\limewire"

Will delete all these manually after finishing scans (still have CA "Spyware" and "Anti-Virus" scans, in addition to four other vendor scans, to go - I'm throwing everything I can at this box).

Edited by oldhand, 03 January 2012 - 11:28 AM.

#4 oldhand

  • Topic Starter

  • Members
  • 7 posts
  • Local time:10:36 PM

Posted 04 January 2012 - 06:55 PM

Round 1 of malware/AV scanning done. Additional results:

CA Threat Scanner (Spyware Scan) - Turned up 4 more items (tracking cookies).

CA Threat Scanner (Virus Scan) - Claims roughly 4000 files are infected, mostly with two or three generic names that aren't in CA's threat encyclopedia. Appears to be the same batch of weird false positives with this particular scanner as what is discussed in this post at another website: (change the "hxxp" to see it if desired) hxxp://www.justanswer.com/computer/5xljt-hi-there-i-need-help-when-running-line-virus-checker.html

Trend Micro Housecall Online - 1 likely false positive (OTS.EXE identified as "troj.hidefil.bmc").

Symantec Security Check - clear.

MalwareBytes - clear.

Validation (or invalidation) of various results:

Submitted c:\acer\acertour\reminder.exe to VirusTotal. Panda and eSafe think it's some kind of "generic Trojan." 41 other scan engines on the site say not so much. Thinking this is a false positive.

Submitted OTS.EXE to VirusTotal. 7 out of 43 virus engines don't like it. 1 doesn't like what was used to pack the exe (if I have my lingo correct), 3 seem to dislike it strictly based on heuristics, Trend Micro is in the list twice claiming it is "TROJ_HIDEFIL.BMC", and Jiangmin claims it is "TrojanSpy.Banker.ocp". I smell false positive but I leave a final determination to other expertise. Worth noting that I downloaded this tool from geekstogo.com as part of this cleanup effort, *after* zapping TDSS from the system.

Submitted c:\users\leroy\favorites\links\ebay.url to VirusTotal. Nothing found, but blew the file away anyway.

Deleted ALL IE cookies and Temporary Internet Files (via IE9 Options dialog box).

Now, booting from CD to facilitate zapping registry entries found in scans (see prior post).

Edited by oldhand, 04 January 2012 - 06:55 PM.

#5 oldhand

  • Topic Starter

  • Members
  • 7 posts
  • Local time:10:36 PM

Posted 04 January 2012 - 08:01 PM

Next update:

Booted from CD to edit registry files and deal with some filesystem-contained concerns.

Loaded up registry files from C drive and deleted:

Bifrost - Key "hkey_current_user \software\wget"
Grokster - Threat level Medium - Key "hkey_classes_root \magnet"

Also deleted from hard drive:

Aureate/Radiate - Threat level High - Folder "c:\program files\mediaring talk"
(had no files within, deleted folder)

Limewire - Threat level Medium - Folder "c:\users\leroy\appdata\local\VirtualStore\program files\limewire"
(deleted folder and all files/subfolders contained; had to turn off read-only directory attribute to do this)

Looked at the following and left them alone:

WinAntiVirus Pro 2006 - Threat level Medium - key "hkey_classes_root \*\shellex\contextmenuhandlers\shellextension"
(Other research indicated that this key is valid and that the contents were the issue - no data was found under the key). Reference: Microsoft

WinSpywareProtect - Threat level Medium - Key "hkey_current_user \software\microsoft\windows\currentversion\drivers"
(Other research indicated that this key is valid and that the contents were the issue - no data was found under the key excepting subkeys, which also had no data). Reference: Microsoft

Booted successfully into Safe Mode w/Networking. Still got the System Properties dialog upon selecting a user.
Booted into normal mode. Same STOP error.
Booted back into Safe Mode w/Networking. Same dialog box issue.

Rerunning scans. Will post results.

Edited by oldhand, 04 January 2012 - 09:57 PM.

#6 oldhand

  • Topic Starter

  • Members
  • 7 posts
  • Local time:10:36 PM

Posted 05 January 2012 - 06:50 PM

Round 2 scans

ESET Online - clear.
Bitdefender Online - clear.
Panda Online:

- 2 tracking cookies (deleted)
- False positive on c:\acer\acertour\reminder.exe (ignored)
- an exploitable Java cache item referencing CVE-2011-3544 (deleted the file, which turned out not to be such a good idea - see later).

MBRCheck - clear.
F-Secure Online - clear.
Trend Housecall online - clear.
Symantec Security Check (online) - won't run due to Java error.
MalwareBytes - clear.
Kaspersky Rescue Disk 10 - clear.

Java is not happy anymore due to deleting the supposedly-infected file that Panda complained about (which had a long cryptic name, of course). Can't reinstall Java due to being in Safe Mode. :(

So. The originally reported post-TDSS-removal problems remain, unchanged.

I'm out of grenades to lob at this bad boy. Looking forward to guidance from someone.

Oh, the original MBR virus was identified by Kaspersky as: Rootkit.Boot.SST.a.

Edited by oldhand, 05 January 2012 - 11:33 PM.

#7 HelpBot


    Bleepin' Binary Bot

  • Bots
  • 12,769 posts
  • Gender:Male
  • Local time:11:36 PM

Posted 08 January 2012 - 05:15 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:


Posted Image In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/435848 <<< CLICK THIS LINK

If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.


Posted Image If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.


We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log

As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#8 oldhand

  • Topic Starter

  • Members
  • 7 posts
  • Local time:10:36 PM

Posted 10 January 2012 - 05:34 PM

Thanks guys. Unfortunately, in the time since my last post, the PC has succumbed to its wounds. All those crash-boots finally torched its MFT and a few other things. Managed to salvage the directory tree, but it won't boot from the Windows install in any meaningful fashion any more. Not to a command prompt, not to Explorer.

Since the system did not come with a "real" Vista CD, it's time to turn to the manufacturer rescue CDs, which do a full nuke-and-pave (i.e., repartition, reformat, reinstall, remake this PC from scratch).

Good luck to whoever is reading this thread because they wound up with one of these TDSS/Alureon jobbies and a similar set of post-removal symptoms. It ain't pretty.

#9 HelpBot


    Bleepin' Binary Bot

  • Bots
  • 12,769 posts
  • Gender:Male
  • Local time:11:36 PM

Posted 10 January 2012 - 05:34 PM

You have stated that you no longer need help with this issue, therefore I am closing this topic. If that is not the case and you need or wish to continue with this topic, please send any Moderator a Personal Message (PM) that you would like this topic re-opened.

As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users