Tom's Guide | Tom's Hardware | Tom's Games
Hi experts!
My wife's computer was recently infected with the trojan that tries to get you to install Antivirus2009 with the system tray warnings, etc. We never clicked on the "install me now" dialog, and when I tried to do a scan these were the results:
AVG: couldn't update (no net connection, though Firefox could get out); ran a full scan and it found & cleaned 7 threats and of course I didn't write them down (dummy) but I do remember that two of them were the brastk.exe and karna.dat that were in c:\windows\system32. It didn't give any mention of the TDSS rootkit which I heard was nasty. Subsequent scan after reboot was clean.
Spybot S&D: wouldn't run (double-click, momentary hourglass, then nothing)
Ad-Aware: same as Spybot S&D
HijackThis: ran, uploaded my log at the site, fixed three issues, one of which was a svchost.exe running from the \drivers folder of system32 (rather than in system32). Subsequent scan was clean.
I'm getting the "page won't load" errors for sites like AVG & Norton, etc., and the Google result redirect nonsense. I downloaded Malwarebytes on another PC & sneaker-netted it to the infected PC but couldn't install it (the installer just wouldn't run) until I renamed the installer .exe. Then it ran all the way until the very end where it hung on the "Finishing installation" screen. It appeared to install all the files, so I tried to run the app but just like Spybot it wouldn't respond. So I renamed the .exe but that didn't help this time. So I can't run Malwarebytes at all unless someone has another suggestion for me.
I checked the hosts file in \system32\drivers\etc but it's unmodified (just the "home" entry), and tried the ipconfig /flushdns, but that was no help either.
Help?

Navigate to:
C:\Program Files\Malwarebytes' Anti-Malware and rename mbam.exe to something else like dog.exe and see if it will run.

Same thing here. Seems everyone has this, as that's what most of the threads lately seem to be. Have not seen it fixed yet. Tried the renaming thing. Can't even restore sys.

Thanks jabuck - I had already tried renaming the main .exe with no change, but then read another thread where it was suggested to rename every .exe in the MBAM folder. That did the trick, and MBAM was able to run, and did indeed find the TDSS rootkit agent (damn!). I set it to clean it up, then MBAM said it needed to reboot - it hung at the Windows "exit" splash screen ("Windows is shutting down") and didn't actually restart. After 10 minutes I manually powered down, and back up, re-scanned with MBAM and saw that there were still several TDSS entries it found (fewer than the first scan). I let it clean everything, but then selected "restart later", and double-checked the \system32 folder - and found one more visible TDSS file, which it let me manually delete. Then I shut down normally, brought it back up, and re-scanned, got a clean result.
I can now access AVG.com & Symantec, etc., can update my AVG, Google search results are no longer redirected, etc. I'll certainly be enforcing a weekly spyware scan on her PC from now on, and adding MBAM to the mix.

Good job, we have updated the procedure to show the various ways of getting around this baddie. It is doubtful that you have completely cleaned your computer. You should do the following:
Run SDFix, go offline, turn off your antivirus and all antispyware programs. It may come up clean, that will be ok but you need to let it check your system.
Download SDFix.exe and save it to your Desktop.
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with SDFix or remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
Remember to re-enable the protection again afterwards before connecting to the Internet.
1. Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.
2. Open the c:\SDFix folder and double click RunThis.cmd to start the script.
Type Y to begin the script.
It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
3. Your system will take longer than normal to restart as the fixtool will be running and removing files.
When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
4. Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt.
Then we will continue.

Ran the SDfix tool, found Tdsserv rootkit, looks like it deleted it. See below for log file.
SDFix: Version 1.240
Run by Administrator on Wed 11/19/2008 at 10:57 AM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :
Restoring Default Security Values
Restoring Default Hosts File
Rebooting

Checking Files :
Trojan Files Found:
C:\WINDOWS\system32\drivers\TDSSpxfe.sys - Deleted
C:\WINDOWS\system32\TDSSoitu.dll - Deleted
Removing Temp Files

ADS Check :

Final Check :
catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-19 11:05:27
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services :
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"
"C:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"="C:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe:*:Enabled:CyberLink PowerDVD DX"
"C:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"="C:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe:*:Enabled:CyberLink PowerDVD DX Resident Program"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.exe"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe"="C:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe:*:Enabled:McAfee Framework Service"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"
"C:\\WINDOWS\\system32\\usmt\\migwiz.exe"="C:\\WINDOWS\\system32\\usmt\\migwiz.exe:*:Enabled:Files and Settings Transfer Wizard"
"C:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"="C:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe:*:Enabled:CyberLink PowerDVD DX"
"C:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"="C:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe:*:Enabled:CyberLink PowerDVD DX Resident Program"
"C:\\Program Files\\EFI Logic\\SFDC\\DCManager.exe"="C:\\Program Files\\EFI Logic\\SFDC\\DCManager.exe:*:Enabled:DCManager.exe"

Remaining Files :
File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :
Mon 17 Jan 2005 20,992 A..H. --- "C:\Documents and Settings\tcorriga\My Documents\My Word\~WRL0151.tmp"
Mon 17 Jan 2005 22,528 A..H. --- "C:\Documents and Settings\tcorriga\My Documents\My Word\~WRL2632.tmp"
Mon 17 Jan 2005 23,040 A..H. --- "C:\Documents and Settings\tcorriga\My Documents\My Word\~WRL3913.tmp"
Mon 17 Jan 2005 20,992 A..H. --- "C:\Ted Files\tcorriga\My Documents\My Word\~WRL0151.tmp"
Mon 17 Jan 2005 22,528 A..H. --- "C:\Ted Files\tcorriga\My Documents\My Word\~WRL2632.tmp"
Mon 17 Jan 2005 23,040 A..H. --- "C:\Ted Files\tcorriga\My Documents\My Word\~WRL3913.tmp"
Wed 19 Nov 2008 23,454,528 A..H. --- "C:\Documents and Settings\All Users\Application Data\Google Updater\cache\BIT3.tmp"
Tue 29 Jul 2008 37,376 A..H. --- "C:\Documents and Settings\tcorriga\My Documents\My Word\Staffing HR\~WRL0005.tmp"
Thu 14 Aug 2008 49,152 A..H. --- "C:\Documents and Settings\tcorriga\My Documents\My Word\Staffing HR\~WRL0632.tmp"
Tue 29 Jul 2008 37,376 A..H. --- "C:\Ted Files\tcorriga\My Documents\My Word\Staffing HR\~WRL0005.tmp"

Finished!
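As an added example (not code from the thread or any of its posters), the script below parses the SDFix Report.txt format posted above and applies the indicators from the first post (svchost.exe running from the \drivers folder instead of system32, TDSS* names, brastk.exe and karna.dat) to the firewall exception list the report dumps, since a firewall exception for a malware binary is a common leftover after a cleanup. The sample report and its svchost.exe exception are constructed for the demonstration, and %windir% is assumed to be C:\WINDOWS.

```python
import re
from pathlib import PureWindowsPath
# Constructed sample shaped like the SDFix Report.txt quoted above; the svchost.exe
# firewall exception is constructed to exercise the "svchost in \drivers" indicator.
SAMPLE_REPORT = r"""Trojan Files Found:
C:\WINDOWS\system32\drivers\TDSSpxfe.sys - Deleted
C:\WINDOWS\system32\TDSSoitu.dll - Deleted
hidden processes: 0
hidden services: 0
hidden files: 0
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\drivers\\svchost.exe"="C:\\WINDOWS\\system32\\drivers\\svchost.exe:*:Enabled:svchost"
"""

TROJAN_RE = re.compile(r"^([A-Za-z]:\\.+?) - (\w+)\s*$", re.M)
HIDDEN_RE = re.compile(r"^hidden (processes|services|files): (\d+)$", re.M)
PROFILE_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\.*firewallpolicy\\(\w+)\\", re.I)
ENTRY_RE = re.compile(r'^"(.+?)"="(.+)"$')

def parse_report(text):
    """Extract removed files, catchme hidden-object counts and firewall exceptions."""
    report = {"trojan_files": TROJAN_RE.findall(text), "authorized_apps": [],
              "hidden": {k: int(v) for k, v in HIDDEN_RE.findall(text)}}
    profile = None
    for line in text.splitlines():
        if m := PROFILE_RE.match(line):
            profile = m.group(1).lower()             # standardprofile / domainprofile
        elif (m := ENTRY_RE.match(line)) and profile:
            path = m.group(1).replace("\\\\", "\\")  # .reg exports double each backslash
            report["authorized_apps"].append((profile, path, m.group(2)))
    return report

def flag_path(path):
    """Apply the file-name and location indicators discussed in the thread."""
    p = PureWindowsPath(path.replace("%windir%", r"C:\WINDOWS"))  # assumed %windir%
    name = p.name.lower()
    if name == "svchost.exe" and p.parent != PureWindowsPath(r"C:\WINDOWS\system32"):
        return "svchost.exe outside system32"
    if name.startswith("tdss") or name in ("brastk.exe", "karna.dat"):
        return "TDSS / Antivirus2009 file name"
    return None

def triage(text):
    """SDFix's own removals plus any firewall exception that trips an indicator."""
    r = parse_report(text)
    return ([(p, "removed by SDFix: " + s) for p, s in r["trojan_files"]] +
            [(p, f"{prof} firewall exception: {flag_path(p)}")
             for prof, p, _ in r["authorized_apps"] if flag_path(p)])
```

Running `triage(SAMPLE_REPORT)` lists the two TDSS files SDFix deleted and the constructed svchost.exe exception in the standard profile; the sessmgr.exe entry passes because it lives in system32.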

Please download and install the latest version of HijackThis v2.0.2:
Download the "HijackThis" Installer from this link:
Hijack This
1. Save "HJTInstall.exe" to your desktop.
2. Double click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
