"Tdss" Trojan Horse

It seems like the PC the kids go on is infected with a TDSS Trojan Horse. Running in Safe Mode, Avast was able to detect and clean (put into the Virus Chest) two of the buggers, but during repeated scans, the computer just keeps rebooting.

I’ve scanned through a couple of threads here that seem to be related to this problem, and oh boy, it sounds difficult to get rid of. I’m wondering if it would be faster to do a clean install of the op system (XP)?

What do you folks think? If it’s a matter of downloading a couple of programs and running them, I can do that, but I don’t have the time to spend hours trying to fix this bug.

For security I’m running:

Avast 5.0 free
Spysweeper
PC Tools Firewall

and I keep everything updated and I scan regularly.

Thanks in advance for your help!

If you’re on a 32bit system, run a boot time scan with avast.
Also run free Mbam. http://www.malwarebytes.org/mbam.php
asyn

It’s a rootkit (hidden virus) that generally replicates. Difficult to clean.
Hope Essexboy could guide you and help on cleaning.
I can’t go further; I can just suggest the general cleaning procedure:

  1. Clean your temporary files.
  2. Schedule a boot time scanning with avast with archive scanning turned on. If avast does not detect it, you can try DrWeb CureIT! instead.
  3. Use MBAM (or SUPERantispyware or even Spyware Terminator) to scan for spyware and trojans. If any infection is detected, it is better and safer to send the infected file(s) to quarantine (Chest), rather than simply deleting them.
  4. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.
  5. Make a HijackThis log to post here or on this analysis site. Or even submit the RunScanner log to on-line analysis.
  6. Clean your Hosts file (replacing it) with HostsMan tool.
  7. Disable System Restore and then re-enable it.
  8. Immunize your system with SpywareBlaster.
  9. Check if you have insecure applications with Secunia Software Inspector.

Good morning everybody! It’s looking like it’s going to be a beautiful day here in northern Wisconsin USA

I wish I could say the same for the infected eMachines computer! ???

I did step 1 and used Programs-accessories-system tools-disk cleanup to clean the PC. The virus didn’t like that and rebooted the PC after the process was done.

I then went to step 2 (Avast boot scan) and now no matter what I do, I can’t get the PC to get to the main Windows screen without rebooting. If I try to boot in safe mode, I get about 2 screens where it scrolls through the boot path (I don’t think this is the right term, and I apologize) and it just stops after one certain boot path.

As it sits there trying to boot, the HD is trying to do or doing something…but it just sits there.

Any ideas? or should I just reinstall the op system? I don’t want to give up but I don’t have time to be messing around…yes there will be some data lost, but nothing earth shattering.

UPDATE – I was able to do a safe boot…and get to the Avast program. I selected the Boot Scan option, hit “restart computer” and it started to reboot, only to reboot itself shortly after the desktop picture that I have on the PC showed.

Thoughts?

How about trying Hitman Pro for TDSS/TDL3 removal?

There are also TDSS cleaners.

Norman TDSS Cleaner - Special program to clean TDSS rootkit from infected computers
http://www.norman.com/support/support_tools/77201/en-us

Kaspersky also has one, don’t have the link…

I burned Dr CureIt onto a CD on my computer that works, installed it on the infected PC, then tried to run it but the program locked up. I’m going to try Norman now.

When I tried to run Norman after installing it from a CD, it wouldn’t run.

Maybe neither of these programs likes to be installed and run from a CD?

I feel like such a computer noob… ???

Hi, is this the dr web you tried? This one runs from a bootable cd. http://www.freedrweb.com/livecd/how_it_works/

For step by step removal help, you can go here…
http://support.emsisoft.com/forum/6-malware-removal-help/
asyn

Well…the PC is back up and running without rebooting. I was able to run the Avast rootkit program and it found nothing.

Then I ran the Avast boot scan and on the first try it found nothing, then I checked two “advanced” boxes and ran it again and it found 2,989 rootkits, and also one infected file with the Tdss Trojan Horse.

I’m now running MBAM and it’s found 2 infections so far. My plan is to run Dr. CureIt next (I forgot that I should have run this before MBAM).

But there’s another poster who suggests running the Combo program.

I guess I’ll run everything until I blow the processor! :wink:

Any more thoughts out there?

What avast anti-rootkit program are you talking about?

If it isn’t the one that is built into the avast5 application (and you are running it from there), then it is a very old stand alone beta version. This was used for the very early development of what went into avast 4.8 and produced many such detections. It hasn’t been developed as a stand alone application, only the one built into avast should be used.

It wasn’t me…it was the other guy. I did run the Avast program from the link and now I see it was a 2008 Beta version.

Yes, a very outdated beta version which hasn’t been updated as a stand alone beta application, which really shouldn’t be used outside of a beta environment (e.g. test system).

The simplest way is to run this small programme

Download TDSSKiller and save it to your Desktop.

  1. Extract the file and run it.
  2. Once completed it will create a log in your C: drive.
  3. Reboot your computer.
  4. Please post the contents of that log.

The log is attached.

Let me know if I need to do anything else.

Also - I want to use the proper combination of anti virus, malware, etc. programs. The Avast forums have been so good to me over the years that I want to support their products.

What should I be using please? If I need to post this question elsewhere, please tell me where.

I use Avast with the occasional scan with MBAM - works for me :smiley: What are your current problems?

To ensure that I get all the information, this log will need to be attached (instructions at the end); if it is too large to attach, then upload it to Mediafire and post the sharing link.

Download OTS to your Desktop

[*]Close ALL OTHER PROGRAMS.
[*]Double-click on OTS.exe to start the program.
[*]Check the box that says Scan All Users
[*]Under Additional Scans check the following:
    [*]Reg - Shell Spawning
    [*]File - Lop Check
    [*]File - Purity Scan
    [*]Evnt - EvtViewer (last 10)
[*]Under the Custom Scan box paste this in

netsvcs
drivers32 /all
%SYSTEMDRIVE%\*.*
%systemroot%\system32\Spool\prtprocs\w32x86\*.dll
%systemroot%\system32\*.wt
%systemroot%\system32\*.ruy
%systemroot%\Fonts\*.com
%systemroot%\system32\spool\prtprocs\w32x86\*.tmp
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\user32.dll /md5
%systemroot%\system32\ws2_32.dll /md5
%systemroot%\system32\ws2help.dll /md5
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs

[*]Now click the Run Scan button on the toolbar.
[*]Let it run unhindered until it finishes.
[*]When the scan is complete Notepad will open with the report file loaded in it.
[*]Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Please attach the log in your next post.
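For readers who want to see what the custom scan list above is actually collecting, here is an added example (it is not from the forum post and has nothing to do with the OTS tool itself) that gathers three of the same artefact classes with built-in PowerShell cmdlets: MD5 hashes of user32.dll, ws2_32.dll and ws2help.dll, a listing of files under the printer-processor and Tasks directories, and the Windows Update policy/last-install state. It assumes PowerShell 4.0 or later (for Get-FileHash), an elevated session, and that the report file name and the x64 prtprocs path are just illustrative choices.

```powershell
# Added example, not from the forum post or from the OTS tool.
# Gathers three of the artefact classes the OTS custom scan asks for, using only
# built-in cmdlets, so the output can be compared against a clean machine at the
# same service-pack / hotfix level. Assumes PowerShell 4.0+ (Get-FileHash) and an
# administrator session (spool and Tasks directories can be ACL-restricted).

$System32 = Join-Path $env:SystemRoot 'system32'

# 1. MD5 of the system DLLs the scan list hashes with /md5. A hash is only
#    meaningful next to a known-good value from a clean install with the same
#    patch level; a mismatch is a lead, not proof of infection.
function Get-CoreDllHashes {
    param([string[]]$Names = @('user32.dll', 'ws2_32.dll', 'ws2help.dll'))
    foreach ($name in $Names) {
        $path = Join-Path $System32 $name
        if (Test-Path -LiteralPath $path) {
            [pscustomobject]@{
                File = $name
                Size = (Get-Item -LiteralPath $path).Length
                MD5  = (Get-FileHash -LiteralPath $path -Algorithm MD5).Hash
            }
        }
        else {
            [pscustomobject]@{ File = $name; Size = $null; MD5 = 'MISSING' }
        }
    }
}

# 2. *.dll / *.tmp under the printer-processor directories and *.job under Tasks,
#    the same locations the scan list enumerates. Anything here that does not
#    belong to an installed printer driver or a scheduled task you recognise
#    deserves a closer look. (x64 path is illustrative; XP 32-bit only has w32x86.)
function Get-SuspectDirectoryListing {
    $dirs = @(
        (Join-Path $System32 'spool\prtprocs\w32x86'),
        (Join-Path $System32 'spool\prtprocs\x64'),
        (Join-Path $env:SystemRoot 'Tasks')
    )
    foreach ($dir in $dirs) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        Get-ChildItem -LiteralPath $dir -Force -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Extension -in '.dll', '.tmp', '.job' } |
            ForEach-Object {
                [pscustomobject]@{
                    Path     = $_.FullName
                    Size     = $_.Length
                    Modified = $_.LastWriteTime
                    MD5      = (Get-FileHash -LiteralPath $_.FullName -Algorithm MD5).Hash
                }
            }
    }
}

# 3. Windows Update state: the AU policy key (a resident infection sometimes
#    switches automatic updates off here) and the last successful install time.
function Get-WindowsUpdateState {
    $policy  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    $results = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install'

    $au = if (Test-Path -LiteralPath $policy) {
        Get-ItemProperty -LiteralPath $policy | Select-Object * -ExcludeProperty PS*
    } else { 'no AU policy key present (updates are not disabled by policy)' }

    $last = if (Test-Path -LiteralPath $results) {
        (Get-ItemProperty -LiteralPath $results -Name LastSuccessTime -ErrorAction SilentlyContinue).LastSuccessTime
    } else { $null }

    [pscustomobject]@{ AUPolicy = $au; LastSuccessfulInstall = $last }
}

# Write a plain-text report in the current directory so it can be attached to a post.
$report = Join-Path (Get-Location) 'update-and-dll-check.txt'   # illustrative file name
@(
    '== Core DLL hashes =='
    (Get-CoreDllHashes | Format-Table -AutoSize | Out-String)
    '== prtprocs / Tasks files =='
    (Get-SuspectDirectoryListing | Format-Table -AutoSize | Out-String)
    '== Windows Update state =='
    (Get-WindowsUpdateState | Format-List | Out-String)
) | Set-Content -LiteralPath $report
Write-Host "Report written to $report"
```

Run it from an elevated PowerShell prompt; the report it writes carries the same kind of information as the OTS log, which makes it easier to spot a system DLL whose hash differs from a clean reference machine or a stray .tmp in the printer-processor directory.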