Does it still show you have rootkit? If I'm helping you and I don't reply within 24 hours send me a PM.

0

where do I confirm this?

0

Re-scan with mcafee? If I'm helping you and I don't reply within 24 hours send me a PM.

0

Open Device Manager >view>show hidden , scroll down to TDSSsever.sys or anything else that says TDSS right click and disable , do not remove ! , as it will only put itself back on next run Malwarebytes Antimalware http://www.malwarebytes.org/mbam.php Choose save and rename mbamsetup.exe , to say bumsetup.exe , d\l update and run the short scan , That may be all you need to do .

0

Neoark, I am unable to run a full Mcafee Virus Scan, it freezes at the very begining when it checks "Rootkits & Other Stealth Devices". Jack Frost46, When i open up Device Manager I dont see anything under TDSS. I checked everywhere including plug and play devices. I am able to run Malwarebytes. Can i post a copy of the report?

0

Yes run full scan with malwarebytes and post scan result. If I'm helping you and I don't reply within 24 hours send me a PM.

0

toicy4ya Look in Non Plug and Play Devices , It should be there .

0

Neoark, Im running the malwarebytes scan now, ill post the results once its done. Jack Frost46, Thats the first place i looked, there isnt anything listed under TDSS. I checked it twice.

0

http://service.mcafee.com/FAQDocume... http://free.avg.com/

0

Jack Frost46, Thanks for all your assistance but im lost what exactly do you want me to do with the mcafee link?

0

NeoArk, These are my finding after running the scans; Kaspersky - No Threats Found Mcafee - 1 NTOSKRNL-HOOK Trojan Found (removed) Ad-Aware - 4 Trojan Win32TrojanTDSS ( After trying to remove it keeps popping up after numerous scans) This is the last MalwareBytes Report: Malwarebytes' Anti-Malware 1.37 Database version: 2295 Windows 5.1.2600 Service Pack 2 2009-06-17 17:59:46 mbam-log-2009-06-17 (17-59-46).txt Scan type: Full Scan (C:\|F:\|) Objects scanned: 179532 Time elapsed: 1 hour(s), 23 minute(s), 12 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 1 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 1 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully. Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.

0

Do you want to remove it manually? If its still there.. or your problem is fixed? If you want to remove it manually i would require some logs. If I'm helping you and I don't reply within 24 hours send me a PM.

0

Whichever is the most effecient way to remove it would be great. What do you recommend?

0

Hi, Note: I can help you remove malware manually. Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible. First Track this topic. Then follow: 1) Can you please post your AVZ log: Note: Run AVZ in windows normal mode. If avz.exe doesn't start, then try to rename the file avz.exe to something else and try to run it again. Make sure you have your web browser open in background before following the steps below. i) To create the log file, download AVZ by clicking HERE. Please save this file to your desktop or "My Documents" folder. ii) Next, unpack the file to a new folder using the Compressed (zipped) folders wizard built into Windows XP/Vista, or a zip utility of your choice. iii) Once you have unpacked the contents of the zip archive, please launch the file AVZ.exe by double clicking on it or right clicking and selecting Open. Note: If you are running Windows vista launch AVZ.exe by right clicking and selecting Run as Administrator. You should now see the main window of the AVZ utility. Please navigate to File->Custom Scripts. Copy the script below by using the keyboard shortcut CTRL+C or the corresponding option via right click. begin ExecuteStdScr(3); RebootWindows(true); end. Paste the script into the execution window by using CTRL+V keyboard shortcut, or the "paste" option via the right click menu. Click on Run to run the script, the PC will reboot. After the reboot the LOG subfolder is created in the folder with AVZ, with a file called virusinfo_syscure.zip inside. Upload that file to rapidshare.com and paste the link here. Image Tutorial 2) Download and Run DDS which will create a Pseudo HJT Report as part of its log: DDS Tool Download Link. When done, DDS will open two (2) logs 1. DDS.txt 2. Attach.txt Upload the logs to rapidshare.com and paste download link in your next reply. Note: Disable any script-blocking programs and then double-click on the DDS.scr icon to start the program. If you did not disable a script-blocker that may be part of your antimalware program, you may receive a warning from your antimalware product asking if you would like DDS.scr to run. Please allow it to do so. If I'm helping you and I don't reply within 24 hours send me a PM.

0

I noticed i am gettng a lot more virus alerts some look fake which i try to close, however it automatically runs some form of virus scan. In addition anytime i do a search on google for anything related to virus i get redirected.

0

Follow these Steps in order numbered. Don't proceed to next step unless you have sucessfully completed previous step: 1) Run this script in AVZ like before, your computer will reboot: begin SetAVZGuardStatus(True); SearchRootkit(true, true); DeleteService('driverdrv'); StopService('driverdrv'); DelBHO('{7CE793CA-D16F-4e25-B347-50AAC438750C}'); QuarantineFile('c:\windows\mstre19.exe',''); QuarantineFile('C:\windows\ld09.exe',''); QuarantineFile('C:\Program Files\driver\driver.sys',''); QuarantineFile('c:\windows\sysguard.exe',''); QuarantineFile('c:\program files\driver\driver.dll',''); QuarantineFile('\\?\globalroot\systemroot\system32\UACkoabgigdhqwodjx.dll',''); QuarantineFile('C:\WINDOWS\system32\iehelper.dll',''); DeleteFile('C:\WINDOWS\system32\iehelper.dll'); DeleteFile('\\?\globalroot\systemroot\system32\UACkoabgigdhqwodjx.dll'); DeleteFile('c:\program files\driver\driver.dll'); DeleteFile('c:\windows\sysguard.exe'); DeleteFile('C:\Program Files\driver\driver.sys'); DeleteFile('C:\windows\ld09.exe'); DeleteFile('c:\windows\mstre19.exe'); BC_ImportAll; ExecuteSysClean; ExecuteRepair(13); ExecuteRepair(14); ExecuteRepair(15); BC_Activate; RebootWindows(true); end. 2) After reboot execute following script in AVZ: begin CreateQurantineArchive('C:\quarantine1.zip'); end. A file called quarantine1.zip should be created in C:\. 3) Attach a Combofix log, please review and follow these instructions carefully. Download it here -> http://download.bleepingcomputer.co... Before Saving it to Desktop, please rename it to something like 123.exe to stop malware from disabling it. Now, please make sure no other programs are running, close all other windows and pause Antivirus/Sypware programs (http://www.bleepingcomputer.com/forums/topic114351.html Programs to disable) until after the scanning and removal process has taken place. Please double click on the file you downloaded. Follow the onscreen prompts to start the scan. Once the scanning process has started please DO NOT click on the Combofix window or attempt to use your computer as this can cause the scanning process to stall. It may take a while to complete scanning and this is normal. You will be disconnected from the internet and your desktop icons/toolbars will disappear during scanning, do not worry, this is normal and it will be restored after scanning has completed. Combofix will create a logfile and display it after your computer has rebooted. Usually located in c:\combofix.txt, please upload that file to rapidshare.com and paste the link here. If I'm helping you and I don't reply within 24 hours send me a PM.

0

http://rapidshare.com/files/2459229... http://rapidshare.com/files/2459241... I tried my best to shut down my Mcafee antivirus & Spybot. However Mcafee does not offer an option to turn off as listed in the link. What i did was manually disable it. I hope this is the same. I was unable to shut off spybot, for some reason i am unable to open it. It may be virus related. I will be running combofix now. im not done yet. still working on it...

0

spybot just disable tea timer. Also can you delete above links its not wise to post virus infected files open in public. If I'm helping you and I don't reply within 24 hours send me a PM.

0

NeoArk, Thanks for your constant assistance. I removed the above link, i wasnt aware of that had you not told me. Here is the combofix.txt http://rapidshare.com/files/2459500...

0

Follow these Steps in order numbered. Don't proceed to next step unless you have sucessfully completed previous step: 1) Please zip up C:\qoobox\quarantine and upload it to a filehost such as http://rapidshare.com/ Then, Private Message me the Download links to the uploaded files. 2) Lastly, uninstall Combofix by: pause Antivirus/Sypware programs (http://www.bleepingcomputer.com/forums/topic114351.html Programs to disable) > Start > run > type combofix /u > ok. Or Start > run > type 123 /u > ok. If I'm helping you and I don't reply within 24 hours send me a PM.

0

neoark, i pm'd you the link. Combo fix was uninstalled successfully. one question, what security programs should i have running all the time to help against these viruses? currently i only have mcafee security center running all the time. I always keep the definitions updated. Should i have any additional security programs running?

0

Thanks for the files. Please follow these steps in order numbered and post summary log after each step. 1) If you use Windows System restore, turn it off > reboot. How to turn it off/on: http://support.kaspersky.com/faq/?q... Run a full scan with http://www.eset.com/onlinescan/ # Check the box next to YES, I accept the Terms of Use. # Click Start # When asked, allow the activex control to be installed. # Click Start # Check below options: * Remove found threats * Scan archives * Scan for potentially unwanted applications (Advance Settings). * Enable Anti-Stealth technology (Advance Settings). # Click Scan # Wait for the scan to finish # When it finishes it will create a log file here: C:\Program Files\ESET\ESET Online Scanner\log.txt # Attach this logfile to your next message. Illustrated tutorial: http://img155.imageshack.us/img155/... Note: Turn system restore back on, if you wish; this to remove malware from system volume information files. 2) Install, update database and run full scan with Malwarebytes' Anti-Malware. Attach malwarebyte full scan log, fix anything detected. 3) House cleaning. Run full Scan with SuperAntispyware : http://www.superantispyware.com/dow... . Fix what it detects and post summary scan log. PS: One AV and one Spyware is good combo to have. If I'm helping you and I don't reply within 24 hours send me a PM.

0

ESETSmartInstaller@High as downloader log: all ok # version=6 # OnlineScannerApp.exe=1.0.0.1 # OnlineScanner.ocx=1.0.0.5863 # api_version=3.0.2 # EOSSerial=dcef6133e35e624faf62c3e05e130208 # end=finished # remove_checked=true # archives_checked=true # unwanted_checked=true # unsafe_checked=true # antistealth_checked=true # utc_time=2009-06-19 12:59:01 # local_time=2009-06-18 07:59:01 (-0600, Central Daylight Time) # country="United States" # lang=1033 # osver=5.1.2600 NT Service Pack 2 # compatibility_mode=5121 21 100 88 67593538125000 # scanned=74678 # found=3 # cleaned=3 # scan_time=10884 C:\Documents and Settings\Noel\Desktop\avz4\avz4\Quarantine\2009-06-18\avz00002.dta a variant of Win32/Kryptik.UE trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C:\Documents and Settings\Noel\Desktop\avz4\avz4\Quarantine\2009-06-18\avz00003.dta Win32/TrojanProxy.Small.NDY trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C:\Documents and Settings\Noel\Desktop\avz4\avz4\Quarantine\2009-06-18\avz00005.dta Win32/Tinxy.AF trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 Malwarebytes' Anti-Malware 1.38 Database version: 2306 Windows 5.1.2600 Service Pack 2 6/18/2009 9:08:59 PM mbam-log-2009-06-18 (21-08-59).txt Scan type: Full Scan (C:\|D:\|E:\|F:\|) Objects scanned: 168141 Time elapsed: 1 hour(s), 4 minute(s), 1 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 2 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\driver (Trojan.Agent) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\8085:tcp (Malware.Trace) -> Quarantined and deleted successfully. Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected) I ran SUPERAntiSpyware twice and keep getting an error after it quarantines and removes the items which prevents me from saving the scan log. The error message i get is, Microsoft Visual C++ Runtime Library Runtime Error! Program: C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe R6025 - pure virtual function call The only option it offers me is to click ok, when i do that it shuts down SUPERAntiSpyware.

0

Upgrade to Service pack 3 and run these: 1) http://onecare.live.com/site/en-Us/... 2) http://onecare.live.com/site/en-Us/... If I'm helping you and I don't reply within 24 hours send me a PM.

0

Trojan TDSS also known as Trojan TidServ is a backdoor trojan.to remove it manually, see the steps here http://darfuns.com/remove-trojan-td...

0

Neoark, last time I upgraded to service pack three I ran into a lot of conflicts with some of my other programs to the point where I had to reformat my pc because I couldn't uninstall it SP3. Is it absolutely necessary to upgrade to SP3?

0