Possible Browser Hijack tdss type

View previous topic View next topic Go down

Solved Possible Browser Hijack tdss type

Post by gdansk on 23rd December 2008, 4:45 pm

hello guys,
while I was away last week my wife used my work pc to google something. She must have entered a wrong address and the screen started telling her that she had a virus and would she like to run a Microsoft 2009 antivirus check. She said yes but when it repeated she called me and i told her to immediately stop, log out and run a virus scan. Since then every time I go to google and click on a link i get redirected to various sites, mostly anti virus sites. Now if I try to go to any anti virus web site such as yours it refuses to allow me. If I use the command prompt to ping a known website it redirects the ping to a local host. Only by using my laptop to obtain an IP address can I go to a website. Also if I try to download any form of anti virus or spyware programs the .exe files just hang and won't run. I did manage to run a rootkit tool which found a load of files dated the day my wife 1st went onto the web these all end in .adss but now even this rootkit finder wont run. It now takes several attempt to boot up and I have had to disconnect my network cable to stop access to the internet. I am writing this report from my laptop.

My Hijack this file is posted below:

Many thanks.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:22:00, on 23/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\program files\common files\protexis\license service\psiservice_2.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\ACT\Act for Windows\Act.Outlook.Service.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile - {D5233FCD-D258-4903-89B8-FB1568E7413D} - mscoree.dll (file missing)
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [MVS Splash] "C:\Program Files\McAfee\Managed VirusScan\Agent\Splash.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [McAfee Managed Services Tray] "C:\Program Files\McAfee\Managed VirusScan\Agent\StartMyagtTry.exe"
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Act.Outlook.Service] "C:\Program Files\ACT\Act for Windows\Act.Outlook.Service.exe"
O4 - HKLM\..\Run: [Act! Preloader] "C:\Program Files\ACT\Act for Windows\ActSage.exe" -preload
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [ToolBoxFX] "C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe" /enum:on /alerts:on /notifications:on /systrayIcon:on /fl:on /fr:on /appData:on
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.ex_
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Attach Web page to ACT! contact - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra 'Tools' menuitem: Attach Web page to ACT! contact... - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: ActLink - {2A0C35F4-82A3-4C80-919D-7879FEE79DF6} - (no file)
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: FYTVTSG - Sysinternals - [You must be registered and logged in to see this link.] - C:\DOCUME~1\Nigel\LOCALS~1\Temp\FYTVTSG.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: MQYK - Sysinternals - [You must be registered and logged in to see this link.] - C:\DOCUME~1\Nigel\LOCALS~1\Temp\MQYK.exe
O23 - Service: McAfee Virus and Spyware Protection Service (myAgtSvc) - Unknown owner - C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe (file missing)
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - c:\program files\common files\protexis\license service\psiservice_2.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: XBBFSSPO - Sysinternals - [You must be registered and logged in to see this link.] - C:\DOCUME~1\Nigel\LOCALS~1\Temp\XBBFSSPO.exe
O23 - Service: XCZA - Sysinternals - [You must be registered and logged in to see this link.] - C:\DOCUME~1\Nigel\LOCALS~1\Temp\XCZA.exe

--
End of file - 13132 bytes

gdansk
Novice
Novice

Posts Posts : 10
Joined Joined : 2008-12-23
OS OS : Windows XP SP2
Points Points : 29090
# Likes # Likes : 0

View user profile

Back to top Go down

Solved Re: Possible Browser Hijack tdss type

Post by Belahzur on 23rd December 2008, 4:51 pm

Hello.
Yep, the tdss rootkit is a pain in the neck aint it? Annoyed or Unimpress

1. Please download The Avenger by Swandog46 to your Desktop
Link: [You must be registered and logged in to see this link.].

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop


2. Now, start The Avenger program by clicking on its icon on your desktop.

  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avengerís actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245111
# Likes # Likes : 1

View user profile

Back to top Go down

Solved Re: Possible Browser Hijack tdss type

Post by gdansk on 23rd December 2008, 5:05 pm

Hi,

As I explained I cannot go to any link or website. I tried the link above but I am stopped from going to the site by the pice of sh*t that has infected my pc.

gdansk
Novice
Novice

Posts Posts : 10
Joined Joined : 2008-12-23
OS OS : Windows XP SP2
Points Points : 29090
# Likes # Likes : 0

View user profile

Back to top Go down

Solved Re: Possible Browser Hijack tdss type

Post by Belahzur on 23rd December 2008, 5:23 pm

Hello.
I have uploaded it here:
[You must be registered and logged in to see this link.]

Download from there and run it.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245111
# Likes # Likes : 1

View user profile

Back to top Go down

Solved Re: Possible Browser Hijack tdss type

Post by gdansk on 23rd December 2008, 5:27 pm

Hi managed to do it by loading to a flash pen and then transfering to PC


Logfile of The Avenger Version 2.0, (c) by Swandog46
[You must be registered and logged in to see this link.]

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "TDSSserv.sys" found!
ImagePath: \systemroot\system32\drivers\TDSSmblt.sys
Driver disabled successfully.

Rootkit scan completed.


Completed script processing.

*******************

Finished! Terminate.

gdansk
Novice
Novice

Posts Posts : 10
Joined Joined : 2008-12-23
OS OS : Windows XP SP2
Points Points : 29090
# Likes # Likes : 0

View user profile

Back to top Go down

Solved Re: Possible Browser Hijack tdss type

Post by Belahzur on 23rd December 2008, 5:31 pm

Hello.
The rootkit has been disabled now, you can access links you couldn't before.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245111
# Likes # Likes : 1

View user profile

Back to top Go down

Solved Re: Possible Browser Hijack tdss type

Post by gdansk on 24th December 2008, 9:56 am

Hi guys. So far so good.


Malwarebytes' Anti-Malware 1.31
Database version: 1540
Windows 5.1.2600 Service Pack 3

24/12/2008 09:14:51
mbam-log-2008-12-24 (09-14-51).txt

Scan type: Quick Scan
Objects scanned: 75752
Time elapsed: 4 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\Microsoft Common (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\TDSShrxx.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSvkql.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\Drivers\TDSSmblt.sys (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSS71f7.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\Microsoft Common\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSlxwp.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\svschost.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\svŮshost.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSS71e8.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSkkai.log (Trojan.TDSS) -> Quarantined and deleted successfully.

gdansk
Novice
Novice

Posts Posts : 10
Joined Joined : 2008-12-23
OS OS : Windows XP SP2
Points Points : 29090
# Likes # Likes : 0

View user profile

Back to top Go down

Solved Re: Possible Browser Hijack tdss type

Post by Belahzur on 24th December 2008, 1:36 pm

Hello.
That should of cleared it all up, just one last look around and see what's left.


  • Download combofix from here, use the top links - [You must be registered and logged in to see this link.]
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.



  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes



  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245111
# Likes # Likes : 1

View user profile

Back to top Go down

Solved Re: Possible Browser Hijack tdss type

Post by gdansk on 24th December 2008, 2:22 pm

Hi

ran the combo fix and as you said it created the windows recovery prgram. All seemed to go well until the restart. It just came back to the windows screen but all icons were missing. I left it for a while but nothing happened. Pulled up the task manager but nothing was running. Had to restart machine and all was good but I cannot locate the combofix text file. I have looked at the C:\combofix.txt but nothing is there. I tried running combofix again but I am getting a denied acess error. Also after rebooting my Spybot noted a lot of registry changes. I allowed all to go through.

PC appears to be fine just cant post the log you need.

gdansk
Novice
Novice

Posts Posts : 10
Joined Joined : 2008-12-23
OS OS : Windows XP SP2
Points Points : 29090
# Likes # Likes : 0

View user profile

Back to top Go down

Solved Re: Possible Browser Hijack tdss type

Post by Belahzur on 24th December 2008, 2:25 pm

No problem.
Combofix saves unfinished logs in it's folder instead of the root of C:
See if there is a report here:
C:\Combofix\combofix.txt


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245111
# Likes # Likes : 1

View user profile

Back to top Go down

Solved Re: Possible Browser Hijack tdss type

Post by gdansk on 24th December 2008, 2:34 pm

There is no folder called Combofix just the desktop icon. Ran a search and found a folder called Qoobox. This contains 2 folders called BackEnv and Quarantine. A text document called Add-Remove programs and a Text Doc called ComboFix-quarantined-files. I have posted the contents below.

Also has 2 DAT files called [You must be registered and logged in to see this link.] and [You must be registered and logged in to see this link.]


Found this in a folder called Qoobox

2008-06-24 07:54:46 A------- 1,185 C:\Qoobox\Quarantine\C\WINDOWS\IE4 Error Log.txt.vir
2008-12-11 12:15:23 A------- 441 C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSmtvd.dat.vir
2008-12-24 13:56:30 A------- 54 C:\Qoobox\Quarantine\catchme.log
2008-12-24 14:00:44 A------- 6,179 C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2008-12-24 14:00:50 A------- 1,382 C:\Qoobox\Quarantine\Registry_backups\Legacy_TDSSSERV.SYS.reg.dat
2008-12-24 14:00:50 A------- 2,572 C:\Qoobox\Quarantine\Registry_backups\Service_TDSSserv.sys.reg.dat
2008-12-24 14:05:37 A------- 0 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-CFSServ.exe.reg.dat
2008-12-24 14:05:37 A------- 0 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-NDSTray.exe.reg.dat
2008-12-24 14:05:37 A------- 0 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-TFncKy.reg.dat
2008-12-24 14:05:38 A------- 164 C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-swg.reg.dat
2008-12-24 14:05:39 A------- 130 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-ECenter.reg.dat
2008-12-24 14:05:39 A------- 164 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-MVS Splash.reg.dat
2008-12-24 14:05:39 A------- 189 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-McAfee Managed Services Tray.reg.dat

gdansk
Novice
Novice

Posts Posts : 10
Joined Joined : 2008-12-23
OS OS : Windows XP SP2
Points Points : 29090
# Likes # Likes : 0

View user profile

Back to top Go down

Solved Re: Possible Browser Hijack tdss type

Post by Belahzur on 24th December 2008, 2:39 pm

Okay.
Delete this folder:
C:\Qoobox


  • Download random's system information tool (RSIT) by random/random from [You must be registered and logged in to see this link.] and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. I only need to see log.txt (<< will be maximized)


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245111
# Likes # Likes : 1

View user profile

Back to top Go down

Solved Re: Possible Browser Hijack tdss type

Post by gdansk on 24th December 2008, 2:55 pm

OK Deleted folder.

Have RSIT on my desktop but when I click on it to run I get Autollt Error Unable to open the script file. Click OK and back to desktop.

gdansk
Novice
Novice

Posts Posts : 10
Joined Joined : 2008-12-23
OS OS : Windows XP SP2
Points Points : 29090
# Likes # Likes : 0

View user profile

Back to top Go down

Solved Re: Possible Browser Hijack tdss type

Post by Belahzur on 24th December 2008, 3:00 pm

Okay, we'll do it this way.
Run MBAM again, and we'll see if the scan comes back clean this time.

Please use the Internet Explorer browser, and do an online scan with [You must be registered and logged in to see this link.]

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component

Click Accept, when prompted to download and install the program files and database of malware definitions.

  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

    **Note**

    To optimize scanning time and produce a more sensible report for review:

  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245111
# Likes # Likes : 1

View user profile

Back to top Go down

Solved Re: Possible Browser Hijack tdss type

Post by gdansk on 24th December 2008, 4:37 pm

Finally done.

Need to go now as christamas awaits. will pick up message on Saturday 27th. have a very happy Christmas and many thanks for your help so far. MAY THE FORCE BE WITH YOU.




--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Wednesday, December 24, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, December 24, 2008 01:11:44
Records in database: 1507057
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\

Scan statistics:
Files scanned: 95160
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 01:05:22


File name / Threat name / Threats count
C:\Program Files\UltraVnc\vnchooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.n 1

The selected area was scanned.

gdansk
Novice
Novice

Posts Posts : 10
Joined Joined : 2008-12-23
OS OS : Windows XP SP2
Points Points : 29090
# Likes # Likes : 0

View user profile

Back to top Go down

Solved Re: Possible Browser Hijack tdss type

Post by Belahzur on 24th December 2008, 4:52 pm

Haha.
Yeah, christmas is coming.

But anyway, Kaspersky only shows one file, and that's not even a virus.
Unless it's finding the tdss leftover as the temp file, I'd say this is a rap.

Merry christmas to you too.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245111
# Likes # Likes : 1

View user profile

Back to top Go down

Solved Re: Possible Browser Hijack tdss type

Post by gdansk on 25th December 2008, 5:12 pm

Many thanks for all your effort. Hopefully you are now drunk and full of Christmas pudding.

What antivirus/ security would you recommend for future probs. I was going to buy the Kaspersky suite as my old useless McAfee runs out in 7 days.

gdansk
Novice
Novice

Posts Posts : 10
Joined Joined : 2008-12-23
OS OS : Windows XP SP2
Points Points : 29090
# Likes # Likes : 0

View user profile

Back to top Go down

Solved Re: Possible Browser Hijack tdss type

Post by Belahzur on 25th December 2008, 5:14 pm

I'd choose from one of these free AV's.

1) [You must be registered and logged in to see this link.]
-Free anti-virus software for Windows.
-Detects and removes more than 50,000 viruses. Free support.
2) [You must be registered and logged in to see this link.]
-Anti-virus program for Windows.
-The home edition is freeware for noncommercial user.
3) [You must be registered and logged in to see this link.]
- Free edition of the AVG anti-virus program for Windows.
- Available for single computer use for home and non commercial use.

It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245111
# Likes # Likes : 1

View user profile

Back to top Go down

Solved Re: Possible Browser Hijack tdss type

Post by Doctor Inferno on 24th January 2009, 10:27 am

Since this issue is resolved, this topic is closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else, please open a new topic for your questions.


Please be a GeekPolice fan on [You must be registered and logged in to see this link.]



Have we helped you? [You must be registered and logged in to see this link.] | Doctor by day, ninja by night.

Doctor Inferno
Administrator
Administrator

Posts Posts : 11976
Joined Joined : 2007-12-26
Gender Gender : Male
OS OS : Windows 7 Home Premium and Ultimate X64
Protection Protection : Kaspersky PURE and Malwarebytes' Anti-Malware
Points Points : 104640
# Likes # Likes : 0

View user profile

Back to top Go down

Solved Re: Possible Browser Hijack tdss type

Post by Doctor Inferno on 24th January 2009, 10:27 am

Since this issue is resolved, this topic is closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else, please open a new topic for your questions.


Please be a GeekPolice fan on [You must be registered and logged in to see this link.]



Have we helped you? [You must be registered and logged in to see this link.] | Doctor by day, ninja by night.

Doctor Inferno
Administrator
Administrator

Posts Posts : 11976
Joined Joined : 2007-12-26
Gender Gender : Male
OS OS : Windows 7 Home Premium and Ultimate X64
Protection Protection : Kaspersky PURE and Malwarebytes' Anti-Malware
Points Points : 104640
# Likes # Likes : 0

View user profile

Back to top Go down

View previous topic View next topic Back to top

- Similar topics

 
Permissions in this forum:
You cannot reply to topics in this forum