
win32 trojan TDSS & Google Redirect Viruses

June 30, 2009 at 14:49:36
Specs: Windows XP

My son used my computer & brought in several viruses. First was Security Systems--killed that. Now am stuck with win32 trojan TDSS & Google Redirect. Can't run any fixes (Malwarebytes, etc.); they download but won't run. Also can't type anything in Safe Mode. I'm really stuck. Any help would be greatly appreciated.




#1
June 30, 2009 at 14:56:07

Follow these steps in the order numbered:

1) Download GMER: http://gmer.net/download.php
[This version will download a randomly named file (Recommended).]

2) Disconnect from the Internet and close all running programs.

3) Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.

4) Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.

5) GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)

6) If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.

7) Now click the Scan button. If you see a rootkit warning window, click OK.

8) When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log and upload it to rapidshare.com. Post the download link to the uploaded file in your post.

9) Exit GMER and re-enable all active protection when done.

Note: Please give me the exact name of the file you downloaded in step 1 + post your log from step 8 in your next post.

If I'm helping you and I don't reply within 24 hours send me a PM.



#2
July 1, 2009 at 00:13:16

Could you please tell me how you got rid of the Security Systems virus? I'm currently dealing with both that and Win32 trojan TDSS.


#3
July 1, 2009 at 06:45:15

JDK,

Scan took several hours. Here is the link to the uploaded file:

http://rapidshare.com/files/2506885...

The name of the file that I downloaded in Step 1 is: mcu4x808.

Thank you for helping me out. I'm off to work but will check in during the day & will be able to work on the infected computer when I get home this evening.

Bill




#4
July 1, 2009 at 06:49:18

Note: I can help you remove malware manually. Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible. First Track this topic. Then follow:

1) Can you please post your AVZ log:
Note: Run AVZ in Windows normal mode. If avz.exe doesn't start, then try to rename the file avz.exe to something else and try to run it again. Make sure you have your web browser open in the background before following the steps below.

i) To create the log file, download AVZ by clicking HERE. Please save this file to your desktop or "My Documents" folder.

ii) Next, unpack the file to a new folder using the Compressed (zipped) folders wizard built into Windows XP/Vista, or a zip utility of your choice.

iii) Once you have unpacked the contents of the zip archive, please launch the file AVZ.exe by double clicking on it or right clicking and selecting Open.
Note: If you are running Windows Vista, launch AVZ.exe by right clicking and selecting Run as Administrator.

You should now see the main window of the AVZ utility. Please navigate to File->Custom Scripts. Copy the script below by using the keyboard shortcut CTRL+C or the corresponding option via right click.

begin
ExecuteAVUpdateEx( 'http://avz.virusinfo.info/avz_up/', 1, '','','');
ExecuteStdScr(3);
RebootWindows(true);
end.


Paste the script into the execution window by using CTRL+V keyboard shortcut, or the "paste" option via the right click menu. Click on Run to run the script, the PC will reboot. After the reboot the LOG subfolder is created in the folder with AVZ, with a file called virusinfo_syscure.zip inside. Upload that file to rapidshare.com and paste the link here.

Image Tutorial

2) Download and Run DDS which will create a Pseudo HJT Report as part of its log: DDS Tool Download Link. When done, DDS will open two (2) logs

   1. DDS.txt
   2. Attach.txt

Upload the logs to rapidshare.com and paste download link in your next reply.
Note: Disable any script-blocking programs and then double-click on the DDS.scr icon to start the program. If you did not disable a script-blocker that may be part of your antimalware program, you may receive a warning from your antimalware product asking if you would like DDS.scr to run. Please allow it to do so.

If I'm helping you and I don't reply within 24 hours send me a PM.



#5
July 1, 2009 at 07:34:30

Here is the first link: http://rapidshare.com/files/2507003...

DDS: http://rapidshare.com/files/2507042...

attach: http://rapidshare.com/files/2507044...

Off to work. Will check in on your further instructions.

Many thanks again.

Bill



#6
July 1, 2009 at 08:00:00

Follow these steps in the order numbered:

1) Open Gmer like before.
2) Click on the >>> tab. This will open up the rest of the tabs for you.
3) Click on the CMD tab and make sure CMD.EXE is selected.
4) Now highlight the contents of the below codebox and copy it to the clipboard by pressing ctrl+c.

mcu4x808.exe -killall
mcu4x808.exe -del service UACd.sys
mcu4x808.exe -del file "C:\WINDOWS\SYSTEM32\DRIVERS\UACldwtaitxjxtniyv.sys"
mcu4x808.exe -del file "C:\WINDOWS\SYSTEM32\UACawkrxddxmnttkly.dll"
mcu4x808.exe -del file "C:\WINDOWS\SYSTEM32\UACedtpqjkdxlabocp.dll"
mcu4x808.exe -del file "C:\WINDOWS\SYSTEM32\UACgwbgxvnlwdyjywq.dll"
mcu4x808.exe -del file "C:\WINDOWS\SYSTEM32\UAChrlnnpcjmdrvujw.dll"
mcu4x808.exe -del file "C:\WINDOWS\SYSTEM32\uacinit.dll"
mcu4x808.exe -del file "C:\WINDOWS\SYSTEM32\UACmjtemxwwshtkmxe.dat"
mcu4x808.exe -del file "C:\WINDOWS\SYSTEM32\UACpyiyvefuoeiouhw.dll"
mcu4x808.exe -del file "C:\Documents and Settings\Bill Paxton\Local Settings\Temp\nsq26F.tmp\UAC.dll"
mcu4x808.exe -del reg "HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys"
mcu4x808.exe -del reg "HKLM\SYSTEM\ControlSet004\Services\UACd.sys"
mcu4x808.exe -reboot


5) Now paste the contents into the top black box in GMER by using ctrl+v.
6) Click Run; the script will run and then your PC will be rebooted.
7) After the reboot, rerun GMER like before and attach the new log.

If I'm helping you and I don't reply within 24 hours send me a PM.



#7
July 1, 2009 at 09:32:28

I will do this as soon as I get home. Do you want the log uploaded to Rapidshare as before with the link posted in my reply?


#8

#9
July 2, 2009 at 07:10:10

Ran the program as you suggested. The PC did not reboot so I did it manually. Ran GMER again. Here is the log: http://rapidshare.com/files/2510636...

I am now getting a massive amount of phony IE porno pages & fake Windows security pop-ups. They come non-stop. One is called Antivirus System Pro, the other is a Windows security alert that is related to a "shield" icon in the tool tray.



#10
July 2, 2009 at 13:30:56

What is the filename of gmer you downloaded? mcu4x808.exe?

If I'm helping you and I don't reply within 24 hours send me a PM.



#11
July 2, 2009 at 13:58:19

That is correct.


#12
July 2, 2009 at 14:10:02

------


#13
July 2, 2009 at 16:39:10

Figured out how to change the name before the download (tools-options). However, it still doesn't work. Once I download the software to the desktop the Combofix icon still shows up. It starts to do the install & the green bar shows up. It appears in the toolbar then disappears. Can't seem to figure a workaround for this.


#14
July 2, 2009 at 16:59:56

Follow these steps in the order numbered. Don't proceed to the next step unless you have successfully completed the previous step:

1) Run this script in AVZ like before, your computer will reboot:

begin
SetAVZGuardStatus(True);
SearchRootkit(true, true);
 StopService('iMSPCLOj');
 DeleteService('iMSPCLOj');
 StopService('jryjdrtjj6sjjyh4rthgdf80');
 DeleteService('jryjdrtjj6sjjyh4rthgdf80');
 QuarantineFile('c:\progra~1\Manson\liser.dll','');
 QuarantineFile('C:\WINDOWS\system32\net.net','');
 QuarantineFile('C:\DOCUME~1\BILLYP~1\LOCALS~1\Temp\iMSPCLOj.sys','');
 QuarantineFile('C:\WINDOWS\jryjdrtjj6sjjyh4rthgdf81.exe','');
 QuarantineFile('\\?\globalroot\systemroot\system32\UACgwbgxvnlwdyjywq.dll','');
 QuarantineFile('c:\program files\manson\liser.exe','');
 DeleteFile('c:\program files\manson\liser.exe');
 DeleteFile('\\?\globalroot\systemroot\system32\UACgwbgxvnlwdyjywq.dll');
 DeleteFile('C:\WINDOWS\jryjdrtjj6sjjyh4rthgdf81.exe');
 DeleteFile('C:\DOCUME~1\BILLYP~1\LOCALS~1\Temp\iMSPCLOj.sys');
 DeleteFile('C:\WINDOWS\system32\net.net');
 DeleteFile('c:\progra~1\Manson\liser.dll');
BC_ImportDeletedList;
ExecuteSysClean;
BC_Activate;
SetAVZPMStatus(true);
RebootWindows(true);
end.

2) After reboot execute following script in AVZ:

begin
CreateQurantineArchive('C:\quarantine1.zip');    
end.


A file called quarantine1.zip should be created in C:\. Upload that file to rapidshare.com and Private message me download link.

3) Attach a Combofix log, please review and follow these instructions carefully.

Download it here -> http://download.bleepingcomputer.co...

Before Saving it to Desktop, please rename it to something like 123.exe to stop malware from disabling it.

Now, please make sure no other programs are running, close all other windows and pause Antivirus/Spyware programs (http://www.bleepingcomputer.com/forums/topic114351.html Programs to disable) until after the scanning and removal process has taken place.

Please double click on the file you downloaded. Follow the onscreen prompts to start the scan. Once the scanning process has started please DO NOT click on the Combofix window or attempt to use your computer as this can cause the scanning process to stall. It may take a while to complete scanning and this is normal.

You will be disconnected from the internet and your desktop icons/toolbars will disappear during scanning, do not worry, this is normal and it will be restored after scanning has completed.

Combofix will create a logfile and display it after your computer has rebooted. Usually located in c:\combofix.txt, please upload that file to rapidshare.com and paste the link here.

4) Please zip up C:\qoobox\quarantine and upload it, to a filehost such as http://rapidshare.com/ Then, Private Message me the Download links to the uploaded files.

If I'm helping you and I don't reply within 24 hours send me a PM.



#15
July 2, 2009 at 17:15:38

Got it. Will commence immediately.


#16
July 2, 2009 at 17:21:39

Won't run. Get the following error message:

Undeclared identifier: 'SetAVZPM' at position 23:19



#17
July 2, 2009 at 17:31:38

Sorry, redo Response Number 14; it is fixed.

If I'm helping you and I don't reply within 24 hours send me a PM.



#18
July 2, 2009 at 17:36:20

No problem. You have no idea how much I appreciate your help.

Will run it now.



#19
July 2, 2009 at 18:03:33

Redo Response Number 1.

If I'm helping you and I don't reply within 24 hours send me a PM.



#20
July 2, 2009 at 18:07:26

Will do.


#21
July 2, 2009 at 18:15:17

After it finishes try to do these and see if you can.

1) Install, update the database and run a full scan with Malwarebytes' Anti-Malware. Attach the Malwarebytes full scan log; fix anything detected.

2) Run full Scan with SuperAntispyware : http://www.superantispyware.com/dow... . Fix what it detects and post summary scan log.

If I'm helping you and I don't reply within 24 hours send me a PM.



#22
July 3, 2009 at 06:03:43

GMER3 uploaded. Link: http://rapidshare.com/files/2514344...

Will now try other steps from your last response.



#23
July 3, 2009 at 06:06:40

Virus disables Malwarebytes. Renamed it prior to download & it downloads as Microsoft Picture It File.

Will now try step 2 of response 21.



#24
July 3, 2009 at 06:12:38

What is the gmer filename for Response Number 22?

If I'm helping you and I don't reply within 24 hours send me a PM.



#25
July 3, 2009 at 06:12:39

I can't download Superantispyware either. Renamed it prior to download, looked good on the desktop. I double click on the icon & the download window pops up again.

Nuts.

Have to go out for a few hours. Will check back upon return.



#26
July 3, 2009 at 12:35:23

Follow these steps in the order numbered:

1) Open Gmer like before.
2) Click on the >>> tab. This will open up the rest of the tabs for you.
3) Click on the CMD tab and make sure CMD.EXE is selected.
4) Now highlight the contents of the below codebox and copy it to the clipboard by pressing ctrl+c.

mcu4x808.exe -killall
mcu4x808.exe -del service UACd.sys
mcu4x808.exe -del file C:\WINDOWS\SYSTEM32\DRIVERS\UACldwtaitxjxtniyv.sys
mcu4x808.exe -del file C:\WINDOWS\SYSTEM32\UACawkrxddxmnttkly.dll
mcu4x808.exe -del file C:\WINDOWS\SYSTEM32\UACedtpqjkdxlabocp.dll
mcu4x808.exe -del file C:\WINDOWS\SYSTEM32\UACgwbgxvnlwdyjywq.dll
mcu4x808.exe -del file C:\WINDOWS\SYSTEM32\UAChrlnnpcjmdrvujw.dll
mcu4x808.exe -del file C:\WINDOWS\SYSTEM32\uacinit.dll
mcu4x808.exe -del file C:\WINDOWS\SYSTEM32\UACmjtemxwwshtkmxe.dat
mcu4x808.exe -del file C:\WINDOWS\SYSTEM32\UACpyiyvefuoeiouhw.dll
mcu4x808.exe -del file C:\Documents and Settings\Bill Paxton\Local Settings\Temp\nsq26F.tmp\UAC.dll
mcu4x808.exe -del file C:\Documents and Settings\Billy Paxton\Local Settings\Temp\UACb554.tmp
mcu4x808.exe -del file C:\WINDOWS\Temp\UACdca5.tmp
mcu4x808.exe -del file C:\WINDOWS\Temp\UAC9694.tmp
mcu4x808.exe -del reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys
mcu4x808.exe -del reg HKLM\SYSTEM\ControlSet004\Services\UACd.sys
mcu4x808.exe -reboot


5) Now paste the contents into the top black box in GMER by using ctrl+v.
6) Click Run; the script will run and then your PC will be rebooted.
7) After the reboot, rerun GMER like before and attach the new log.

If I'm helping you and I don't reply within 24 hours send me a PM.



#27
July 3, 2009 at 12:44:55

Will do.


#28
July 3, 2009 at 13:33:44

Follow these steps carefully and in the order numbered:

1) Download The Avenger by Swandog46 from here.

2) Unzip/extract it to a folder on your desktop.

3) Double click on avenger.exe to run The Avenger.

4) Click OK.

5) Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.

6) Copy all of the text in the below code box to the clipboard by highlighting it and then pressing Ctrl+C.

Drivers to delete:
UACd.sys

Files to delete:
C:\WINDOWS\SYSTEM32\DRIVERS\UACldwtaitxjxtniyv.sys
C:\WINDOWS\SYSTEM32\UACawkrxddxmnttkly.dll
C:\WINDOWS\SYSTEM32\UACedtpqjkdxlabocp.dll
C:\WINDOWS\SYSTEM32\UACgwbgxvnlwdyjywq.dll
C:\WINDOWS\SYSTEM32\UAChrlnnpcjmdrvujw.dll
C:\WINDOWS\SYSTEM32\uacinit.dll
C:\WINDOWS\SYSTEM32\UACmjtemxwwshtkmxe.dat
C:\WINDOWS\SYSTEM32\UACpyiyvefuoeiouhw.dll
C:\Documents and Settings\Bill Paxton\Local Settings\Temp\nsq26F.tmp\UAC.dll
C:\Documents and Settings\Billy Paxton\Local Settings\Temp\UACb554.tmp
C:\WINDOWS\Temp\UACdca5.tmp
C:\WINDOWS\Temp\UAC9694.tmp


7) In the avenger window, click the Paste Script from Clipboard, button.

8) Click the Execute button.

9) You will be asked Are you sure you want to execute the current script?.

10) Click Yes.

11) You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.

12) Click Yes.

13) Your PC will now be rebooted.

Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.

14) After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).

15) Please upload this log to rapidshare.com and post a download link to the uploaded file.

If I'm helping you and I don't reply within 24 hours send me a PM.


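The GMER scripts in #6 and #26 and the Avenger script in #28 all remove the same set of objects: the UACd.sys service, its Services registry keys in two control sets, and a group of files in SYSTEM32 and Temp whose names share a "UAC" prefix followed by random letters. The following Python triage helper is an added example and is not part of the thread or of GMER, AVZ or The Avenger. It takes the indicators listed in those scripts, generalises them into a naming pattern (an assumption drawn only from the names in this thread, not a published family signature) and reports which entries of a file listing, a service table and a registry key list match, so an analyst can review what a removal script would touch before running it. The sample listings are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Indicators taken from the GMER / AVZ / Avenger removal scripts in this thread
# (compared case-insensitively by file or service name).
KNOWN_SERVICES = {"uacd.sys"}
KNOWN_FILE_NAMES = {
    "uacldwtaitxjxtniyv.sys", "uacawkrxddxmnttkly.dll", "uacedtpqjkdxlabocp.dll",
    "uacgwbgxvnlwdyjywq.dll", "uachrlnnpcjmdrvujw.dll", "uacinit.dll",
    "uacmjtemxwwshtkmxe.dat", "uacpyiyvefuoeiouhw.dll", "uac.dll",
    "uacb554.tmp", "uacdca5.tmp", "uac9694.tmp",
}

# Naming pattern generalised from those names: "UAC" + 15 lowercase letters with a
# .dll/.sys/.dat extension, or "UAC" + 4 hex digits + ".tmp". This generalisation is
# an assumption based only on the names in the thread, not a family signature.
RANDOM_NAME = re.compile(r"^uac[a-z]{15}\.(dll|sys|dat)$")
TEMP_NAME = re.compile(r"^uac[0-9a-f]{4}\.tmp$")
# A Services subkey under any control set (the GMER script deletes two of these).
SERVICE_KEY = re.compile(
    r"^hklm\\system\\(currentcontrolset|controlset\d{3})\\services\\(?P<svc>[^\\]+)$"
)


@dataclass(frozen=True)
class Finding:
    kind: str    # "file", "service" or "registry"
    value: str   # the path, service name or key as it appeared in the input
    reason: str  # "listed" = exact match to the thread's list, "pattern" = naming pattern


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify_name(name: str) -> Optional[str]:
    """Return why a file or service name is suspicious, or None if it is not."""
    n = name.lower()
    if n in KNOWN_FILE_NAMES or n in KNOWN_SERVICES:
        return "listed"
    if RANDOM_NAME.match(n) or TEMP_NAME.match(n):
        return "pattern"
    return None


def triage_files(paths: Iterable[str]) -> List[Finding]:
    """Flag full paths (e.g. from a directory listing) by their file name."""
    return [Finding("file", p, r) for p in paths if (r := classify_name(_basename(p)))]


def triage_services(services: Iterable[Tuple[str, str]]) -> List[Finding]:
    """Flag (service name, image path) pairs by the name or by the driver they load."""
    out = []
    for name, image in services:
        reason = classify_name(name) or classify_name(_basename(image))
        if reason:
            out.append(Finding("service", name, reason))
    return out


def triage_registry(keys: Iterable[str]) -> List[Finding]:
    """Flag Services subkeys in any control set whose service name is suspicious."""
    out = []
    for key in keys:
        m = SERVICE_KEY.match(key.lower())
        reason = classify_name(m.group("svc")) if m else None
        if reason:
            out.append(Finding("registry", key, reason))
    return out


def triage(files, services, keys) -> List[Finding]:
    return triage_files(files) + triage_services(services) + triage_registry(keys)


# Constructed sample input standing in for real listings. UACqwertyuiopasdfg,
# UACzxcvbnmasdfghjk and UAC1a2b are made-up names that exercise the pattern check.
SAMPLE_FILES = [
    r"C:\WINDOWS\SYSTEM32\ntoskrnl.exe",
    r"C:\WINDOWS\SYSTEM32\DRIVERS\afd.sys",
    r"C:\WINDOWS\SYSTEM32\DRIVERS\UACldwtaitxjxtniyv.sys",   # listed in the thread
    r"C:\WINDOWS\SYSTEM32\uacinit.dll",                      # listed in the thread
    r"C:\WINDOWS\SYSTEM32\UACqwertyuiopasdfg.dll",           # matches the pattern
    r"C:\WINDOWS\Temp\UAC1a2b.tmp",                          # matches the pattern
    r"C:\WINDOWS\Temp\UAC12.tmp",                            # too short, not flagged
    r"C:\Program Files\Common Files\uacdesc.dll",            # benign look-alike
]
SAMPLE_SERVICES = [
    ("Tcpip", r"C:\WINDOWS\system32\DRIVERS\tcpip.sys"),
    ("UACd.sys", r"\systemroot\system32\drivers\UACldwtaitxjxtniyv.sys"),
    ("hjkl", r"C:\WINDOWS\system32\drivers\UACzxcvbnmasdfghjk.sys"),
]
SAMPLE_KEYS = [
    r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip",
    r"HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys",
    r"HKLM\SYSTEM\ControlSet004\Services\UACd.sys",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_FILES, SAMPLE_SERVICES, SAMPLE_KEYS):
        print(f"{f.kind:9} {f.reason:8} {f.value}")
```

The helper only reports; it never deletes anything. Pattern matches ("pattern") are weaker evidence than exact matches ("listed") and should be confirmed against a rootkit scanner's log, since a legitimate driver could in principle have a similar name.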

#29
July 3, 2009 at 14:05:43

You're running out of options. Try to run this in Safe Mode.

Download and run Kaspersky AVP tool: http://devbuilds.kaspersky-labs.com...
Once you download and start the tool:

# Check below options:

    * Select all the objects/places to be scanned. 
    * Settings > Customize > Heuristic analyzer > Enable deep rootkit search

# Click Scan
# Fix what it detects
# Zip/Rar Scan log/Summary and upload it to rapidshare.com. Post download link in your next message.

Illustrated tutorial: http://img32.imageshack.us/img32/76...

If I'm helping you and I don't reply within 24 hours send me a PM.



#30
July 3, 2009 at 22:23:57

Update: I tried Kaspersky in Normal mode. Was able to download & run. Program identified 16 objects but scan would not complete. Virus popped up windows with regard to each object requesting that each be skipped or deleted. I tried to neutralize them but couldn't. Scan just got stuck at 99%.

However, I was able to resolve the typing problem in Safe Mode. It is a Dell Keyboard flaw--you can only push F8 once after the Dell logo appears, otherwise you get a keyboard failure. So I will now try to download Kaspersky & run it in Safe Mode. Keep your fingers crossed. It took over 6 hours on the last attempt so you will not be hearing from me until the morning.

Thanks for hanging with me on this. I'm not giving up.



#31
July 4, 2009 at 07:26:35

Post the scan results like instructed once it finishes.

If I'm helping you and I don't reply within 24 hours send me a PM.



#32
July 4, 2009 at 07:45:33

Kaspersky Scan will not finish. It just keeps going at 99%. I have loaded a screen shot for your reference. It appears that the virus is preventing it from completing as is evidenced by the phony scan alert in the lower right hand corner.

I tried to use "neutralize" but it will not work. I have left the scan running and have not shut it down. Will await further instructions. I realize that things are not looking good.

The link to the screen shot is: http://rapidshare.com/files/2518592...



#33
July 4, 2009 at 07:53:15

Can you please maximize it so that the name of the virus and the full path of the infected file are visible. Also, the alert in the lower right hand corner is not phony; that alert is from Kaspersky. Press Disinfect; if it can't disinfect, you have to press Delete. Note: before you delete any files in c:\windows you should have the Windows CD to restore that file later via the Recovery Console if needed.

If I'm helping you and I don't reply within 24 hours send me a PM.



#34
July 4, 2009 at 09:25:45

Sorry for the misinformation. There are so many pop-ups that I am not sure what is real & what isn't. I will rerun Kaspersky & maximize as you suggested.

However, I did try to use Combofix in Safe Mode and it appears to have worked. Everything worked as your instructions indicated. A log was generated and I uploaded it to Rapidshare: http://rapidshare.com/files/2518749...

I also found the c:\quoobox\quarantine folder and uploaded that as well: http://rapidshare.com/files/2518899...

During Combofix these two messages showed up: 1. System cannot find the file NIRCMD.com; 2. System cannot find the file NIECMD.exe

Hopefully this will help. Again, my apologies for any foul-ups on my part. Your continued help is much appreciated. I will wait to hear from you.



#35
July 4, 2009 at 09:53:47

I never told you to run Combofix in Safe Mode .... I suggest you do it your own way now, since I prefer not to clean up after other people's mess as it creates more problems.

If I'm helping you and I don't reply within 24 hours send me a PM.



#36
July 4, 2009 at 10:23:33

I'm sorry, I tried my best and didn't mean to tick you off. No offense meant. I will not bother you again & will see if I can rectify this on my own.


#37
July 4, 2009 at 11:27:44

It's not about ticking anyone off. If I wanted you to do that I would have told you :). It's about not creating more mess than there is. Certain tools are meant to be run in a certain way at a certain stage. If that wasn't the case there would only be one tool for all your problems. Anyway, good luck fixing it, and if you hit a road block send me a private message. I suggest you read the Note in Response Number 4 again.

If I'm helping you and I don't reply within 24 hours send me a PM.

