Trojan tdss

June 14, 2009 at 15:45:46
Specs: Windows XP, 1.25G
Hello Everyone,

Although I run scans on my computer regularly, my PC has been acting weird lately, which prompted me to run a virus scan along with Ad-Aware and Malwarebytes. Upon running the scans I came across the Trojan TDSS, which I have been unsuccessful in trying to remove. Now when I try to do a re-scan my McAfee doesn't even want to run; I keep getting an error. Can anyone help me out?

#1
June 14, 2009 at 16:35:31

#2
June 15, 2009 at 02:58:30
How? Can I get some help please?

#3
June 15, 2009 at 04:46:21
First:
Download and run the Kaspersky AVP tool: http://devbuilds.kaspersky-labs.com...
Once you download and start the tool:
1. Check the options below:
    * Select all the objects/places to be scanned.
    * Settings > Customize > Heuristic analyzer > Enable deep rootkit search
2. Click Scan
3. Fix what it detects
4. Attach the scan log/summary to your next message.

Illustrated tutorial: http://img32.imageshack.us/img32/76...

If I'm helping you and I don't reply within 24 hours send me a PM.

#4
June 16, 2009 at 01:47:32
Hey neoark,

Thanks for helping me out. The virus scan took over 10 hours. I copied the Scan Report to my desktop and was about to paste it on here, but it's incredibly long. Do you still want me to paste it, or is there something specific that I should look for in the report?

#5
June 16, 2009 at 06:35:03
Zip/compress the log file and upload it to rapidshare.com.

#6
June 16, 2009 at 15:49:44

#7
June 16, 2009 at 16:05:02
Does it still show you have a rootkit?

#8
June 16, 2009 at 17:50:44
Where do I confirm this?

#9
June 16, 2009 at 18:05:58
Re-scan with McAfee?

#10
June 16, 2009 at 19:28:19
Open Device Manager > View > Show hidden devices, scroll down to TDSSsever.sys or anything else that says TDSS, right click and disable; do not remove!, as it will only put itself back on.

Next run Malwarebytes Anti-Malware:

http://www.malwarebytes.org/mbam.php

Choose Save and rename mbamsetup.exe to, say, bumsetup.exe, download the update and run the short scan.

That may be all you need to do.

#11
June 17, 2009 at 01:45:23
Neoark,

I am unable to run a full McAfee Virus Scan; it freezes at the very beginning when it checks "Rootkits & Other Stealth Devices".

Jack Frost46,

When I open up Device Manager I don't see anything under TDSS. I checked everywhere, including Plug and Play devices. I am able to run Malwarebytes. Can I post a copy of the report?

#12
June 17, 2009 at 06:02:07
Yes, run a full scan with Malwarebytes and post the scan result.

#13
June 17, 2009 at 06:57:58
toicy4ya

Look in Non-Plug and Play Devices. It should be there.

#14
June 17, 2009 at 07:34:20
Neoark,
I'm running the Malwarebytes scan now; I'll post the results once it's done.

Jack Frost46,
That's the first place I looked; there isn't anything listed under TDSS. I checked it twice.

#15

#16
June 17, 2009 at 11:26:41
Jack Frost46,

Thanks for all your assistance, but I'm lost: what exactly do you want me to do with the McAfee link?

#17
June 17, 2009 at 15:12:40
NeoArk,

These are my findings after running the scans:

Kaspersky - No Threats Found

McAfee - 1 NTOSKRNL-HOOK Trojan found (removed)

Ad-Aware - 4 Trojan Win32TrojanTDSS (after trying to remove it, it keeps popping up after numerous scans)

This is the last MalwareBytes Report:

Malwarebytes' Anti-Malware 1.37
Database version: 2295
Windows 5.1.2600 Service Pack 2

2009-06-17 17:59:46
mbam-log-2009-06-17 (17-59-46).txt

Scan type: Full Scan (C:\|F:\|)
Objects scanned: 179532
Time elapsed: 1 hour(s), 23 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.

#18
June 17, 2009 at 15:20:51
Do you want to remove it manually, if it's still there? Or is your problem fixed? If you want to remove it manually I would require some logs.

#19
June 17, 2009 at 16:09:33
Whichever is the most efficient way to remove it would be great. What do you recommend?

#20
June 17, 2009 at 16:35:02
Hi,
Note: I can help you remove malware manually. Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans, as this can make helping you impossible. First, Track this topic. Then follow:

1) Can you please post your AVZ log:
Note: Run AVZ in Windows normal mode. If avz.exe doesn't start, try renaming the file avz.exe to something else and run it again. Make sure you have your web browser open in the background before following the steps below.

i) To create the log file, download AVZ by clicking HERE. Please save this file to your desktop or "My Documents" folder.

ii) Next, unpack the file to a new folder using the Compressed (zipped) folders wizard built into Windows XP/Vista, or a zip utility of your choice.

iii) Once you have unpacked the contents of the zip archive, please launch the file AVZ.exe by double clicking on it or by right clicking and selecting Open.
Note: If you are running Windows Vista, launch AVZ.exe by right clicking and selecting Run as Administrator.

You should now see the main window of the AVZ utility. Please navigate to File->Custom Scripts. Copy the script below using the keyboard shortcut CTRL+C or the corresponding option via right click.

begin
ExecuteStdScr(3);
RebootWindows(true);
end.


Paste the script into the execution window using the CTRL+V keyboard shortcut or the "paste" option in the right-click menu. Click on Run to run the script; the PC will reboot. After the reboot a LOG subfolder is created in the folder with AVZ, with a file called virusinfo_syscure.zip inside. Upload that file to rapidshare.com and paste the link here.

Image Tutorial

2) Download and run DDS, which will create a Pseudo HJT Report as part of its log: DDS Tool Download Link. When done, DDS will open two (2) logs:

   1. DDS.txt
   2. Attach.txt

Upload the logs to rapidshare.com and paste download link in your next reply.
Note: Disable any script-blocking programs and then double-click on the DDS.scr icon to start the program. If you did not disable a script-blocker that may be part of your antimalware program, you may receive a warning from your antimalware product asking if you would like DDS.scr to run. Please allow it to do so.

#21
June 18, 2009 at 01:44:32

I noticed I am getting a lot more virus alerts; some look fake, and when I try to close them it automatically runs some form of virus scan. In addition, any time I do a search on Google for anything related to viruses I get redirected.

#22
June 18, 2009 at 05:25:58
Follow these steps in the order numbered. Don't proceed to the next step unless you have successfully completed the previous step:

1) Run this script in AVZ like before; your computer will reboot:

begin
SetAVZGuardStatus(True);
SearchRootkit(true, true);
DeleteService('driverdrv');
StopService('driverdrv');
DelBHO('{7CE793CA-D16F-4e25-B347-50AAC438750C}');
QuarantineFile('c:\windows\mstre19.exe','');
QuarantineFile('C:\windows\ld09.exe','');
QuarantineFile('C:\Program Files\driver\driver.sys','');
QuarantineFile('c:\windows\sysguard.exe','');
QuarantineFile('c:\program files\driver\driver.dll','');
QuarantineFile('\\?\globalroot\systemroot\system32\UACkoabgigdhqwodjx.dll','');
QuarantineFile('C:\WINDOWS\system32\iehelper.dll','');
DeleteFile('C:\WINDOWS\system32\iehelper.dll');
DeleteFile('\\?\globalroot\systemroot\system32\UACkoabgigdhqwodjx.dll');
DeleteFile('c:\program files\driver\driver.dll');
DeleteFile('c:\windows\sysguard.exe');
DeleteFile('C:\Program Files\driver\driver.sys');
DeleteFile('C:\windows\ld09.exe');
DeleteFile('c:\windows\mstre19.exe');
BC_ImportAll;
ExecuteSysClean;
ExecuteRepair(13);
ExecuteRepair(14);
ExecuteRepair(15);
BC_Activate;
RebootWindows(true);
end.

2) After the reboot, execute the following script in AVZ:

begin
CreateQurantineArchive('C:\quarantine1.zip');
end.


A file called quarantine1.zip should be created in C:\.


3) Attach a Combofix log; please review and follow these instructions carefully.

Download it here -> http://download.bleepingcomputer.co...

Before Saving it to Desktop, please rename it to something like 123.exe to stop malware from disabling it.

Now, please make sure no other programs are running, close all other windows and pause Antivirus/Spyware programs (http://www.bleepingcomputer.com/forums/topic114351.html Programs to disable) until after the scanning and removal process has taken place.

Please double click on the file you downloaded. Follow the onscreen prompts to start the scan. Once the scanning process has started, please DO NOT click on the Combofix window or attempt to use your computer, as this can cause the scanning process to stall. It may take a while to complete scanning and this is normal.

You will be disconnected from the internet and your desktop icons/toolbars will disappear during scanning; do not worry, this is normal and they will be restored after scanning has completed.

Combofix will create a logfile and display it after your computer has rebooted. It is usually located at c:\combofix.txt; please upload that file to rapidshare.com and paste the link here.

#23
June 18, 2009 at 06:50:30
http://rapidshare.com/files/2459229...

http://rapidshare.com/files/2459241...

I tried my best to shut down my McAfee antivirus & Spybot. However, McAfee does not offer an option to turn it off as listed in the link. What I did was manually disable it. I hope this is the same. I was unable to shut off Spybot; for some reason I am unable to open it. It may be virus related. I will be running Combofix now.

I'm not done yet, still working on it...

#24
June 18, 2009 at 07:19:47
For Spybot, just disable TeaTimer. Also, can you delete the above links? It's not wise to post virus-infected files openly in public.

#25
June 18, 2009 at 08:19:28
NeoArk,

Thanks for your constant assistance. I removed the above link; I wasn't aware of that, had you not told me.

Here is the combofix.txt:

http://rapidshare.com/files/2459500...

#26
June 18, 2009 at 08:43:56
Follow these steps in the order numbered. Don't proceed to the next step unless you have successfully completed the previous step:

1) Please zip up C:\qoobox\quarantine and upload it to a filehost such as http://rapidshare.com/ . Then Private Message me the download links to the uploaded files.

2) Lastly, uninstall Combofix by: pause Antivirus/Spyware programs (http://www.bleepingcomputer.com/forums/topic114351.html Programs to disable) > Start > Run > type combofix /u > OK. Or Start > Run > type 123 /u > OK.

#27
June 18, 2009 at 08:58:00
neoark,

I PM'd you the link. Combofix was uninstalled successfully.

One question: what security programs should I have running all the time to help against these viruses? Currently I only have McAfee Security Center running all the time. I always keep the definitions updated. Should I have any additional security programs running?

#28
June 18, 2009 at 09:15:44
Thanks for the files. Please follow these steps in the order numbered and post the summary log after each step.

1) If you use Windows System Restore, turn it off > reboot. How to turn it off/on: http://support.kaspersky.com/faq/?q... Run a full scan with http://www.eset.com/onlinescan/

1. Check the box next to YES, I accept the Terms of Use.
2. Click Start
3. When asked, allow the ActiveX control to be installed.
4. Click Start
5. Check the options below:
    * Remove found threats
    * Scan archives
    * Scan for potentially unwanted applications (Advanced Settings).
    * Enable Anti-Stealth technology (Advanced Settings).
6. Click Scan
7. Wait for the scan to finish
8. When it finishes it will create a log file here: C:\Program Files\ESET\ESET Online Scanner\log.txt
9. Attach this logfile to your next message.

Illustrated tutorial: http://img155.imageshack.us/img155/...

Note: Turn System Restore back on afterwards, if you wish; this is to remove malware from the System Volume Information files.

2) Install, update the database and run a full scan with Malwarebytes' Anti-Malware. Attach the Malwarebytes full scan log; fix anything detected.

3) House cleaning. Run a full scan with SUPERAntiSpyware: http://www.superantispyware.com/dow... . Fix what it detects and post the summary scan log.

PS: One AV and one anti-spyware program is a good combo to have.

#29
June 18, 2009 at 17:00:35
ESETSmartInstaller@High as downloader log:
all ok
# version=6
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.5863
# api_version=3.0.2
# EOSSerial=dcef6133e35e624faf62c3e05e130208
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2009-06-19 12:59:01
# local_time=2009-06-18 07:59:01 (-0600, Central Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=5121 21 100 88 67593538125000
# scanned=74678
# found=3
# cleaned=3
# scan_time=10884
C:\Documents and Settings\Noel\Desktop\avz4\avz4\Quarantine\2009-06-18\avz00002.dta a variant of Win32/Kryptik.UE trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000
C:\Documents and Settings\Noel\Desktop\avz4\avz4\Quarantine\2009-06-18\avz00003.dta Win32/TrojanProxy.Small.NDY trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000
C:\Documents and Settings\Noel\Desktop\avz4\avz4\Quarantine\2009-06-18\avz00005.dta Win32/Tinxy.AF trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000


Malwarebytes' Anti-Malware 1.38
Database version: 2306
Windows 5.1.2600 Service Pack 2

6/18/2009 9:08:59 PM
mbam-log-2009-06-18 (21-08-59).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|)
Objects scanned: 168141
Time elapsed: 1 hour(s), 4 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\driver (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\8085:tcp (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


I ran SUPERAntiSpyware twice and keep getting an error after it quarantines and removes the items, which prevents me from saving the scan log. The error message I get is: Microsoft Visual C++ Runtime Library Runtime Error! Program: C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
R6025
- pure virtual function call

The only option it offers me is to click OK; when I do that it shuts down SUPERAntiSpyware.

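Both Malwarebytes logs in this thread (#17 and #29) share one layout: a summary block of "… Infected: N" counts followed by one detail section per category, each line ending in the action taken. As an added example that is not part of the original thread, here is a small Python parser for that layout; it extracts the counts and each detection, lists items left as "Delete on reboot" (they still exist until the machine restarts, so a re-scan before rebooting will show them again), and checks that the summary counts agree with the items actually listed. The sample log is a constructed fixture modelled on the posted logs, not a real one.

```python
import re
# Constructed fixture in the layout of the Malwarebytes 1.3x logs posted above (not a real log).
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.37
Database version: 2295

Memory Processes Infected: 0
Registry Keys Infected: 1
Files Infected: 1

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.
"""

COUNT_RE = re.compile(r"^([A-Za-z ]+ Infected): (\d+)$")    # summary block line
SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):$")         # detail section heading
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<category>[^()]+)\) -> (?P<action>.+?)\.?$")

def parse_mbam_log(text):
    """Return (header, counts, findings); a finding has section, path, category, action."""
    header, counts, findings, section = {}, {}, [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:                                  # blank line closes a detail section
            section = None
        elif COUNT_RE.match(line):
            name, n = COUNT_RE.match(line).groups()
            counts[name] = int(n)
        elif SECTION_RE.match(line):
            section = SECTION_RE.match(line).group(1)
        elif section:                                 # "(No malicious items detected)" is skipped
            m = ITEM_RE.match(line)
            if m:
                findings.append(dict(section=section, **m.groupdict()))
        elif ": " in line:
            key, _, value = line.partition(": ")
            header[key] = value
    return header, counts, findings

def pending_reboot(findings):
    # Paths MBAM could only schedule for deletion: they still exist until the reboot.
    return [f["path"] for f in findings if f["action"].lower().startswith("delete on reboot")]

def count_mismatches(counts, findings):
    """Sections whose summary count disagrees with the items listed (truncated or edited log)."""
    seen = {}
    for f in findings:
        seen[f["section"]] = seen.get(f["section"], 0) + 1
    return sorted(s for s, n in counts.items() if seen.get(s, 0) != n)
```
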
#30

#31
June 23, 2009 at 23:31:07
Trojan TDSS, also known as Trojan TidServ, is a backdoor trojan. To remove it manually, see the steps here: http://darfuns.com/remove-trojan-td...

#32
June 24, 2009 at 03:18:15
Neoark,

Last time I upgraded to Service Pack 3 I ran into a lot of conflicts with some of my other programs, to the point where I had to reformat my PC because I couldn't uninstall SP3. Is it absolutely necessary to upgrade to SP3?
