tdlcmd.dll Search Engine Redirection

Hi, I’ve been having problems with my search results being redirected for the last couple of days and have tried to figure out what the problem was, but have had no success. The redirecting happens with any search engine I use. I’ve been trying to scan my computer with Malwarebytes Anti-Malware and it keeps finding: C:\Windows\System32\tdlcmd.dll (Trojan.TDSS)

I delete this file and restart my computer but it always seems to find its way back. I’d appreciate it if anyone could help me out with this. Thanks in advance!

I suggest:

  1. Clean your temporary files.
  2. Schedule a boot-time scan with avast with archive scanning turned on. If avast does not detect it, you can try Dr.Web CureIt! instead.
  3. Use MBAM (or SUPERAntiSpyware or even Spyware Terminator) to scan for spyware and trojans. If any infection is detected, it is better and safer to send the files to Quarantine than to simply delete them.
  4. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.
  5. Make a HijackThis log to post here or at this analysis site. Or even submit the RunScanner log to on-line analysis.
  6. Clean your Hosts file (replacing it) with the HostsMan tool.
  7. Disable System Restore and then re-enable it.
  8. Immunize your system with SpywareBlaster.
  9. Check if you have insecure applications with Secunia Software Inspector.

Hey Tech, I did a HijackThis scan and here’s the logfile for that:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:50:49 PM, on 1/11/2010
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18349)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Users\Administrator\AppData\Roaming\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\SpywareBlaster\spywareblaster.exe
C:\Program Files\SpywareBlaster\spywareblaster.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Administrator\Favorites\Documents\Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com?o=15450&l=dis
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre6\bin\jusched.exe”
O4 - HKCU..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU..\Run: [BitTorrent DNA] “C:\Program Files\DNA\btdna.exe”
O4 - HKCU..\Run: [VeohPlugin] “C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe”
O4 - HKCU..\Run: [Octoshape Streaming Services] “C:\Users\Administrator\AppData\Roaming\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe” -inv:bootrun
O4 - Startup: OpenOffice.org 3.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Google Update Service (gupdate1ca91e94df83b03) (gupdate1ca91e94df83b03) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\Windows\system32\GameMon.des.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: Ventrilo - Unknown owner - C:\Program Files\VentSrv\ventrilo_svc.exe


End of file - 4280 bytes
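As an added example (not from this thread or from the HijackThis project), a small Python script that triages a log in the format posted above: it flags hosts-file mappings other than the localhost defaults, entries marked "(file missing)", O23 services with no vendor information, and O4 autoruns launched from user-profile paths. The sample lines are constructed from the posted log plus one made-up hosts-redirect line; the list of user-writable paths is an assumption.

```python
import re

# Constructed sample in HijackThis log format, modelled on the log posted in this
# thread; the second O1 line is a made-up hosts-file hijack so the check fires.
SAMPLE_LOG = """\
O1 - Hosts: ::1 localhost
O1 - Hosts: 203.0.113.9 www.google.com
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\\Program Files\\AVG\\AVG8\\avgssie.dll (file missing)
O4 - HKLM..\\Run: [Windows Defender] %ProgramFiles%\\Windows Defender\\MSASCui.exe -hide
O4 - HKCU..\\Run: [Octoshape Streaming Services] "C:\\Users\\Administrator\\AppData\\Roaming\\Octoshape\\OctoshapeClient.exe" -inv:bootrun
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\\Windows\\system32\\GameMon.des.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\\Windows\\system32\\nvvsvc.exe
"""

# The only hosts-file mappings a clean Windows install needs.
LOCALHOST_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}
# Profile locations an unprivileged process can write to (assumed short list).
USER_WRITABLE = re.compile(r"\\(AppData|Local Settings|Temp)\\", re.IGNORECASE)


def triage_hjt(log_text):
    """Return (reason, line) pairs for HJT entries that deserve a closer look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        section = line.split(" - ", 1)[0]          # e.g. "O1", "O4", "O23"
        if section == "O1":
            # A hosts mapping other than localhost sends a name the user types
            # (a search engine, say) to an address someone else chose.
            m = re.match(r"O1 - Hosts: (\S+)\s+(\S+)", line)
            if m and (m.group(1), m.group(2)) not in LOCALHOST_ENTRIES:
                findings.append(("hosts redirect", line))
        if "(file missing)" in line:
            # Dead entry: harmless, but fix it so the log stays readable.
            findings.append(("file missing", line))
        if section == "O4" and USER_WRITABLE.search(line):
            # Autorun from a user-writable profile path: verify the binary.
            findings.append(("autorun from user profile", line))
        if section == "O23" and "Unknown owner" in line:
            # Service binary with no vendor information: check it by hand.
            findings.append(("service without vendor info", line))
    return findings


if __name__ == "__main__":
    for reason, entry in triage_hjt(SAMPLE_LOG):
        print(f"[{reason}] {entry}")
```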

I’m not sure, as I’m not an expert on cleaning. But your log seems clean.
Maybe the problem is in the hosts file?
Did you follow the other steps?

Hi Padedc

You could try TDSSKiller from Kaspersky. I haven't used the tool myself, but here is a link that may help.

http://forum.avast.com/index.php?topic=52161.msg442176#msg442176

There is more info to be found on TDSS in the Viruses and Worms section of the forum.

Yes, you could. I’m no expert with rootkits, but I believe TDSSKiller is only the start. You will probably find that atapi.sys is infected and must be replaced. I have read posts where ComboFix can achieve this.

http://rootbiez.blogspot.com/2009/11/rootkit-tdl3-why-so-serious-lets-put.html


Welcome to the forums, padedc.

An analysis of your HJT log shows the following problems:

It seems that you don’t use an anti-virus scanner or your scanner is not active. Only an anti-virus scanner can protect you against new viruses. (this probably contributed to why your computer is infected)

We couldn’t detect any active process of a firewall on your system. Possible reasons:
(1.) You are using the windows firewall or a hardware firewall.
(2.) You are using a firewall of an unknown vendor.
(3.) You are using a firewall, but for unknown reasons it is disabled.
(4.) You don’t use any firewall at all.
We recommend you to use a firewall. Download and install one, or activate Windows XP's own firewall.

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
Unnecessary (deactivated) entry that can be fixed. LinkScannerIE.dll

Overview of running tasks:

Dwm.exe - System task - Desktop Window Manager
Explorer.EXE - System task - Microsoft Windows Explorer
taskeng.exe - System task - Task Scheduler Engine
MSASCui.exe - Anti-Ad/Spyware software - Microsoft Windows Defender Antispyware
RtHDVCpl.exe - System task - High definition audio codec driver from Realtek Semiconductor
rundll32.exe - System task - Microsoft Rundll32
jusched.exe - Background task - Sun Java Update Scheduler
sidebar.exe - Background task - Vista sidebar
btdna.exe - Suspicious task - BitTorrent DNA
veohwebplayer.exe - Application - Veoh Web Player
unsecapp.exe - System task - Microsoft Windows Management Instrumentation
OctoshapeClient.exe - Background task - Octoshape Live Streaming
soffice.exe - Background task (this is very out-dated as OpenOffice is now at 3.0) - OpenOffice.org (1.1.0)
soffice.bin - Background task - OpenOffice Module
firefox.exe - Application - Mozilla Firefox
spywareblaster.exe - Anti-Ad/Spyware software - Spyware Blaster
spywareblaster.exe - Anti-Ad/Spyware software - Spyware Blaster
SearchFilterHost.exe - System task - Microsoft® Windows® Operating System
HijackThis.exe - Application - Merijn HijackThis