BullGuard Antivirus Forum
Virus taking over desktop and browser
beetlebum
New Member


Date Joined Aug 2008
Total Posts : 3
 
Posted 8-21-2008 7:27 (GMT +1)
Hello,

I have a virus that has taken over my desktop with an "Update your computer with Anti Virus software" kind of warning.
It has taken over my browser and slowed down my computer. If I go to Google, the results reflect certain bogus web sites.
Others have shared this problem in the past, but I can't download an anti virus program. I can't get AVG to work even in safe mode. Also, I can run HijackThis, but cannot save the log to Notepad or anything. I hit "save as" and it goes blank.

I'm using a work computer and here is what else I've done so far:

I found the bitmap file in my system32 folder that was used to display on my desktop. I've also deleted a few suspicious files that showed up with it last night.
Although I don't know how I can get the entire HijackThis log, I did run across 2 suspicious files:

lphccvjoe99g (which is similar to 2 others I already deleted)

and

/system32/atizevxx

and

BHO:wormrader.com IESiteBLock.NAV

I'm probably going to delete these, along with others in the log, but will this completely get rid of the virus? (I somehow doubt it)

Can anyone help with the next steps, given that I couldn't run AVG in safemode, and perhaps others?

THANK YOU
 

Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 14325
 
Posted 8-22-2008 4:48 (GMT +1)
Hello scool
 
See if you can download and run ComboFix:
 
Please download Combofix:
 
 
And save to the desktop.

Close all other browser windows.
 
 
 
 
Important-> Temporarily disable your anti-virus, real-time protection before performing a scan. They can interfere with combofix or remove some of its embedded files which may cause "unpredictable results".
 
 
Go to Start->Run and copy/paste: ComboFix /snapshot and hit OK. It should run Combofix.
 
Please note, that once you start combofix you should not click anywhere on the combofix window as it can cause the program to stall. In fact, when combofix is running, do not touch your computer at all and just take a break as it may take a while for it to complete.

 When finished, it will produce a logfile located at C:\combofix.txt.
 

Post the contents of that log in your next reply
 
 
NB. If you can't run it from normal mode, try safe mode then.


Do NOT post your problem in someone elses thread.
Member of - Alliance of Security Analysis Professionals
Please do NOT PM me any logs. They will be deleted

 

beetlebum
New Member


Date Joined Aug 2008
Total Posts : 3
 
Posted 8-22-2008 4:53 (GMT +1)
Thank you for replying and helping me. I'm writing from work because the virus blocks this and other web sites.

I think the problem may be a rootkit issue. I can't post the Combofix log because it says there is a rootkit error and shuts down my computer upon detecting this.

BUT, I downloaded Rootkit Revealer and found what appears to be the problem. With a lot of work, I was able to save the log:

HKLM\SECURITY\Policy\Secrets\SAC* 8/10/2004 8:23 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 8/10/2004 8:23 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\webcal\URL Protocol 12/9/2005 12:45 PM 13 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 8/22/2008 10:40 AM 80 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata 8/21/2008 11:08 PM 0 bytes Hidden from Windows API.
HKLM\SOFTWARE\tdss 8/20/2008 9:53 PM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\tdssserv.sys 8/20/2008 9:50 PM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\tdssserv.sys 8/20/2008 9:50 PM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\tdssserv 8/22/2008 10:34 AM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet003\Control\SafeBoot\Minimal\tdssserv.sys 8/20/2008 9:50 PM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet003\Control\SafeBoot\Network\tdssserv.sys 8/20/2008 9:50 PM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet003\Services\tdssserv 8/22/2008 10:34 AM 0 bytes Hidden from Windows API.
C: 0 bytes Error mounting volume

The virus would have occurred around 9:50 on 8/20 because that's when errors started to occur.
When I looked in regedit, I couldn't find this tdsserv.sys file or tdss.

Thanks for your help. I can only post from work, so hopefully I can get this resolved soon, or I can just come up to work this weekend. Hopefully, I won't have to wipe everything out and re-install Windows.
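Triage logic for RootkitRevealer output of the kind pasted in the post above, as an added example that is not from this thread or from the tool's authors. It assumes the one-finding-per-line format shown in the post and runs on a constructed copy of some of those lines; the point it makes is that a hidden entry under SafeBoot\Minimal or SafeBoot\Network means the driver is registered to load in Safe Mode too, so Safe Mode alone does not get you underneath it.

```python
import re

# Constructed sample: a copy of some of the RootkitRevealer lines posted above.
SAMPLE_LOG = """\
HKLM\\SECURITY\\Policy\\Secrets\\SAC* 8/10/2004 8:23 PM 0 bytes Key name contains embedded nulls (*)
HKLM\\SOFTWARE\\Microsoft\\Cryptography\\RNG\\Seed 8/22/2008 10:40 AM 80 bytes Data mismatch between Windows API and raw hive data.
HKLM\\SOFTWARE\\tdss 8/20/2008 9:53 PM 0 bytes Hidden from Windows API.
HKLM\\SYSTEM\\ControlSet001\\Control\\SafeBoot\\Minimal\\tdssserv.sys 8/20/2008 9:50 PM 0 bytes Hidden from Windows API.
HKLM\\SYSTEM\\ControlSet001\\Services\\tdssserv 8/22/2008 10:34 AM 0 bytes Hidden from Windows API.
C: 0 bytes Error mounting volume
"""

# One finding per line: <path> [<date> <time>] <size> bytes <description>
LINE_RE = re.compile(
    r"^(?P<path>.+?)"
    r"(?: (?P<date>\d{1,2}/\d{1,2}/\d{4}) (?P<time>\d{1,2}:\d{2} [AP]M))?"
    r" (?P<size>\d+) bytes (?P<desc>.+)$"
)
SAFEBOOT_RE = re.compile(r"\\SafeBoot\\(Minimal|Network)\\", re.IGNORECASE)  # loads in Safe Mode too
SERVICE_RE = re.compile(r"\\Services\\([^\\]+)$", re.IGNORECASE)


def parse_log(text):
    """Parse each non-empty line into a dict; lines that do not fit are kept raw."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        rows.append(m.groupdict() if m else {"path": line, "size": None, "desc": ""})
    return rows


def triage(text):
    """Collect hidden keys, and single out the ones that matter for cleanup."""
    out = {"hidden": [], "safeboot": [], "services": []}
    for row in parse_log(text):
        path, desc = row["path"], row["desc"]
        if not desc.startswith("Hidden from Windows API"):
            continue
        out["hidden"].append(path)
        if SAFEBOOT_RE.search(path):
            out["safeboot"].append(path)
        if (svc := SERVICE_RE.search(path)):
            out["services"].append(svc.group(1))
    return out


def safe_mode_cleanup_viable(findings):
    """False when a hidden driver is also registered to start in Safe Mode."""
    return not findings["safeboot"]
```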
 

Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 14325
 
Posted 8-22-2008 6:11 (GMT +1)
Ok. Let's try -
 
Show hidden files:
 
Reboot to safe mode, and see if you can delete this file -
 
C:\Windows\System32\drivers\tdssserv.sys
 
If you can't, try to rename it to tdssserv.old
 
-----------------------------------------
If you are allowed to download at work, download SDFix, it's no bigger than will fit on a floppy disk ->
 
 and save it to your Desktop. (I'd suggest you print out the instructions below)

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
 

When you have done this, please boot into Safe Mode (Tap F8 during startup).

Open the extracted folder - C:\SDFix - and double-click on RunThis.bat to start the script.

Type Y to begin the script. It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot. When you hit any key, your computer will reboot. Your system will take longer than normal to restart as the fixtool will be running and removing files.

When your desktop loads, the utility will complete the removal and display Finished. Press any key again to end the script and load your desktop icons.
 
 
Open the SDFix folder on your desktop and copy and paste the contents of Report.txt 
 
 



Post Edited (Touch) : 22-08-2008 17:14:32 GMT

 

beetlebum
New Member


Date Joined Aug 2008
Total Posts : 3
 
Posted 8-22-2008 7:14 (GMT +1)
I ran Malwarebytes and it actually detected the series of tdsserv files.
It could not remove them though, but it deleted some other files. Sometimes my start-up is strange, sometimes it's okay.

Even though I enabled hidden files, I could not find the system32\drivers\tdsserv.sys file.

I found these through regedit:
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\tdssserv.sys 8/20/2008 9:50 PM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\tdssserv.sys 8/20/2008 9:50 PM 0 bytes Hidden from Windows AP

May I delete these without harm?

Also, can I proceed to use SDFix, even though I can't remove tdsserv.sys through the system32/drivers folder?

Thank you again. This is helpful so I do not have to re-install Windows again.
 

Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 14325
 
Posted 8-23-2008 7:24 (GMT +1)
SDFix should be able to remove tdsserv.sys. Therefore, do run it ;-)



 

Viruz Hacker
New Member


Date Joined Sep 2008
Total Posts : 1
 
Posted 9-15-2008 9:04 (GMT +1)
Hello, as you can see in the log he posted, the virus is also in the safe mode, therefore running in safe mode without managing to delete the entries in the registry for the safe mode makes SDFix faulty, believe me I've tried.

I recently had this god-awful virus on this newly installed machine and gave up.
First I tried AVG, then Avira AntiVir, Spybot, HijackThis, Malwarebytes Anti-Malware, Ad-Aware, SDFix,
Trojan Remover, and a bunch of others I can't remember. And in SDFix I tried all of the little 'helpful' (oh, I'm sure they work 'normally') little programs with no luck, in every safe mode possible.

Shouldn't there be a DOS solution for this kind of problem? Or an OS from CD maybe that doesn't involve running the infected Windows registry?

I know I'm late at replying to this but delete what you can and get out of there :P then when you're sure nothing boots in safe mode, remove with SDFix or something in safe mode.

But I guess you've already given up as I have and long ago have reinstalled, but please, do tell.
 

Friday the Thirteenth
New Member


Date Joined Sep 2008
Total Posts : 1
 
Posted 9-20-2008 2:31 (GMT +1)
OS from CD? You're talking KNOPPIX! Useful bugger. Should use that to get rid of the problem. Of course, you'll need some knowledge of Linux, but it's not that hard.
 

Susan G
New Member


Date Joined Sep 2008
Total Posts : 1
 
Posted 9-23-2008 8:12 (GMT +1)
Spyware Doctor will remove this trojan virus and any parts of it that have infected other areas of your computer. I know this from experience: after trying everything else to remove it, I ran Spyware Doctor and it was the only thing to get rid of it, even though other programs found it. Make sure in the settings of Spyware Doctor you have it set to do all the scans available, to go through rootkit hidden files and everything, so it can remove it all. Hope this helps.
 

Mactan
New Member


Date Joined Nov 2008
Total Posts : 3
 
Posted 11-28-2008 3:51 (GMT +1)
This has got to be the worst malware I have ever ever seen. It has taken over my PC to such a degree that I can not really execute many of the remedies recommended here. The computer will run fine in Safe Mode, but I can't see the file in Safe Mode or in regular mode.... It's not in the system32\drivers directory....

Symptoms:

In normal mode, I can browse to pretty much any site, including AVG, Symantec, etc. In Safe Mode, when I try to get to AVG, it redirects me to some bogus anti-virus site. In regular mode, it's hard really to get anything done because it goes to blue screen at random intervals, say between 3 and 10 minutes. I have tried to install SDFix, HijackThis, PC Doctor, GMER in normal mode and it does not appear to be installing them. Windows returns an error "This program may not have installed correctly."

If I install them in Safe Mode will that be sufficient?

I am going to try ComboFix now and will report back. Also, I will post a HijackThis log here if I can get it to run, but more than likely it's going to be in Safe Mode - will this be sufficient to diagnose the problem?

This thing has really got me frustrated, it's devious and it looks like the bastards who wrote it thought of just about everything in terms of frustrating attempts at getting rid of it...

HELP !!!!
 

Mactan
New Member


Date Joined Nov 2008
Total Posts : 3
 
Posted 11-28-2008 3:58 (GMT +1)
Ok here's a rather bad update...

I can NOT install HijackThis, SDFix, Spyware Doctor even in Safe Mode. Now I will try ComboFix. If this thing has made it such that I cannot even install the stuff that's meant to fix it, what the heck am I supposed to do?

If I could boot to DOS I bet I could manually delete that TDSSERV.SYS file... The reason that I think this is the cause is that Windows searched the web for a cause for the blue screening and this was the malware detected. If anyone has had any success getting rid of this piece of dung I'd love to hear from you.
 

Mactan
New Member


Date Joined Nov 2008
Total Posts : 3
 
Posted 11-28-2008 4:13 (GMT +1)
OK it looks like I am going to have to re-install Vista .. UGH.. Is there a way to do it without losing ALL my program data? I have backed up docs etc. but I don't want to have to re-install all the programs, search for updates, drivers, etc...