Google Yahoo redirect TDSSserv.sys

By rf6647
Nov 27, 2008
Topic Status:
Not open for further replies.
  1. How to Disable ‘tdssserv.sys’ Trojan Identified With Update Failure and Redirected Searches
    Key Symptoms: (any of the following)
    • applying software updates does not work
    • Google searches /Yahoo searches are redirected
    • AntiVirus / AntiMalware programs are just 'spinning'
    • often associated with Antivirus XP 2008, Antivirus XP 2009
    Predicted Outcome:
    Procedural Steps
    1.
    • Start->Run-> Devmgmt.msc ->ok
    • On the toolbar, Click on View -> "Show hidden devices"
    2.
    • Scroll down and locate Non-plug and Play Drivers
    • Click the + sign to expand
    3.
    • Search for “TDSSserv.sys
      • More exploits: clbdriver.sys, oUltraf, seneka.sys,

    • Right click on it, and select “Disable”

    4. Restart your computer

    5. Confirm 'TDSSserv.sys' is disabled. Repeat Step 1-3. Cancel to exit.

    6. Begin or resume UPDATED 8-step Viruses/Spyware/Malware Preliminary Removal Instructions
    Aknowledgement: Mike, humble PC users everywhere

    Technical Details:
    • Common Names: gogoogle, goyahoo
    • O20 - AppInit_DLLs: karna.dat is apparent in HJT log
    • Detected in various scanning programs:
      • C:\WINDOWS\system32\wini10894.exe
      • C:\WINDOWS\brastk.exe
      • C:\WINDOWS\system32\brastk.exe
      • C:\WINDOWS\karna.dat
      • C:\WINDOWS\system32\karna.dat
      • TDSSserv.sys
      • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | brastk
    • all software updates redirected to 127.0.0.1 (your own computer) so they won't update.
    Modification History
    2.2 Add more service names
    2.1 Modify title
    1.1 Source material from Kimsland
    1.2 This is pretty much my limit for addressing technical details for rooting out the infection​

  2. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    Excellent guide :grinthumb rf6647

    This thread will be used as an excellent starting point, with this specific infection
  3. mflynn

    mflynn Newcomer, in training Posts: 2,793

    Absolutly well witten Guide good Job.

    And much simpler than the Attachment download I wrote.

    What we are after is to get MBAM and SAS to update and run. If this does it then it is the way to go.

    What needs to be seen is if it does in fact break them loose.

    TDSSserv has been aurond a long time without causing this recent issue and at this point I am not sure it is only TDSServ , if so it has been modified recently to do so.

    It may be a new TDSSserv or brastk.exe alone or brastk.exe in combo with TDSSserv that causes the no update no run issue.

    If in fact it works the MBAM and SAS need to be run immediately after the device is stopped as I believe on reboot TDSSserv will reinstall.

    I think in severe cases the Fixit download should be considered as it does much more such as defaulting the HOST file, clearing the Trusted sites, deep clean of Windows Internet Temps as well as resetting permissions for Taskmgr Regedit and Associations plus more.

    In fact I modified Fixit a couple of days ago to include more.

    I also have more modifications I am testing now. Including removing Index.dat and cleaning of the c:\Windows\system32\config\systemprofile.

    In addition to terminating Windows Explorer, Winlogon will be terminated as well, first to prevent Explorer from being restarted by Windows which it will do after a few minutes. And second to allow cleaning of malware attached to Winlogon.

    When Winlogon it terminated the computer can not be shutdown or rebooted by any command and will need to be powered off manually.

    I am also preparing a more formal guide and will add the above to it.

    Mike
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Thank you for this excellent guide. Seems like sometimes we have to wring our hands to figure out what to do! (Guess ?I should just say "I" do anyway) SO the extra assist is always welcome.

    rf6647, this is very well set up. Sometimes I see instructions that are too spaced out, no emphasis on a section or difficult to follow. You didn't do any of that . Thanks!
  5. rf6647

    rf6647 TechSpot Maniac Topic Starter Posts: 931

    another draft possibility

    Mike,
    Kimsland gave me a template to start my guide. The attachment is a template I started using content from your 'fixit' post.

    I think I finally understand how using 'quote' can be put on the clipboard and pasted into a text file. I then kept repeating 'preview post' while I did editing.

    There must be an easier way.

    When you are ready to post your 'how to', message # 1 automatically becomes the document. In violation of one of the rules, post a reply (message # 2) and add title - Technical Details and change history. All other replies become modification requests and words of encouragement. As far as I know, you can edit message # 1 forever. Once upon a time, I thought there was a 24-hour timer. After posting this reply, I guess I should verify my view on this.

    Rich

    Attached Files:

  6. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    There was. It was lifted some time back ;)
    This was to allow modifications to outdated posts, ie the 8-Step removal guide
    Although the Edit function will not work on closed threads
    Therefore guides can be written, and then closed, to stop any further modifications, on any post in the thread.
    This is beneficial where a thread should not be edited
    To close a thread, requires Admin approval, or request.
  7. rf6647

    rf6647 TechSpot Maniac Topic Starter Posts: 931

    Rethink the use of this method

    Here is recent feedback -
    Additionally, I reviewed cases from the last week where the TDSSserv trojan was most suspect. ComboFix was called in on most of those cases. Two cases, ComboFix did not run. One case, the log results were absent of most of the usual sections.

    While ‘disabling the trojan’ in the device manager is effective in reducing symptoms of the infection, it appears that ComboFix is needed to clean the infection. Additionally, coincidental with using this method, SAS informs this as a rootkit trojan while MBAM is clean.

    It has not been decided if this method can stand, or does it reduce the effectiveness of the MBAM/SAS combination. In any event, I believe we should recognize that SAS is informing that ComboFix should be used.

    The question I see is a matter of procedure / protocol. Based on input from boomslang, ComboFix is fully effective against the infection. At what point is it appropriate to direct using the tool. And, is it sufficient to accept that the infection has been cleaned, or do we need a knowledgable interpretation of the log?

    Futhermore, in those cases, problems with Task Manager, Regedit, cmd, etc. was not addressed. How do we make this part of the checks before giving the all clear? The script developed by mflynn probably has much of this covered.
  8. wayne001

    wayne001 Newcomer, in training

    I tried to download and run the fixit but my computer wont run it. It comes up with an error that the file can't be found.
  9. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    Here is the location of "Fixit" attachment: http://www.techspot.com/vb/post684649-3.html

    But if this does not resolve the issue
    Or trying Safe Mode with Networking
    Then the only option is to remove the Harddrive itself, and scan it in another computer

    If you require any further help please start your own New Thread in the Virus & Malware removal forum
    All users with Virus\Malware issues should first try to resolve their issue by following the guide:

    UPDATED 8-step Viruses/Spyware/Malware Preliminary Removal Instructions

    Any support questions cannot be answered in this guide
  10. nlarchey

    nlarchey Newcomer, in training

    Windows does not load profile after disabling/removing TDSSServ.sys

    Hello,

    I disabled TDSSServ.sys on an XP machine and now am unable to log in, even in safe mode. It allows me to enter the login credentials and then it just hangs without loading the profile. I took the hard drive out and scanned it from another computer with Malwarebytes. I was able to remove all instances of TDSSServ.sys in the registry, scanned again and it found nothing. I replaced the hard drive in its original chassis and it still will not load the profile. I'm at a loss :(
  11. mflynn

    mflynn Newcomer, in training Posts: 2,793

    1. Try Safe Mode networking if that works begin with #3 below and do all from there down, if not do #2

    2. Try Last know good configuration on Advanced Boot menu (same that starts safe mode) no go stop here report back and we will take other steps

    3.Left Drag mouse and Copy for Pasting all text in the box below. Make sure the slider bar goes to bottom from the @ to the end of the second exit.

    Then paste to the black screen of an open command prompt. All may not apply so ignore errors.

    Code:
    @echo off
    cd\
    :: Fix associations
    ftype exefile="%1" %*
    ftype batfile="%1" %*
    ftype cmdfile="%1" %*
    ftype comfile="%1" %*
    ftype scrfile="%1" /S
    ftype regfile="regedit.exe" "%1"
    ftype piffile="%1" %*
    ftype inffile=%SystemRoot%\System32\NOTEPAD.EXE "%1"
    ftype vbsfile=%SystemRoot%\System32\WScript.exe "%1" %*
    ftype jsfile=%SystemRoot%\System32\WScript.exe "%1" %*
    
    assoc .exe=exefile
    assoc .bat=batfile
    assoc .cmd=cmdfile
    assoc .com=comfile
    assoc .scr=scrfile
    assoc .reg=regfile
    assoc .pif=piffile
    assoc .lnk=lnkfile
    assoc .inf=inffile
    assoc .vbs=VBSFile
    assoc .js=JSFile
    
    sc stop TDSSserv.sys
    sc delete TDSSserv.sys
    :: Above sc commands first stops then deletes service if it exists
    ::
    reg unload "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata"
    reg unload "HKEY_LOCAL_MACHINE\SOFTWARE\tdss"
    ::
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata" /f
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\tdss" /f
    ::The above reg commands first unloads the reg keys then deletes these keys.
    ::
    Attrib -h -s -r tdss*.* /s
    del  tdss*.* /f /q /s
    :: The above two lines first clears protective attributes then 
    :: deletes all files on Drive beginning with the name tdss
    
    :: Remove AntiVirus2009
    attrib -h -s -r "%UserProfile%\Desktop\Antivirus 2009.lnk"
    attrib -h -s -r "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus 2009.lnk"
    attrib -h -s -r "%UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\S96PZM7V\winsrc[1].dll"
    attrib -h -s -r "%UserProfile%\Start Menu\Antivirus 2009\*.*"
    
    del "%UserProfile%\Desktop\Antivirus 2009.lnk" /f /q
    del "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus 2009.lnk" /f /q
    del "%UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\S96PZM7V\winsrc[1].dll" /f /q
    del "%UserProfile%\Start Menu\Antivirus 2009\*.*" /f /q
    
    rd /s /q "%UserProfile%\Start Menu\Antivirus 2009"
    
    attrib -h -s -r "c:\Program Files\Antivirus 2009\*.*"
    rd /s/q "c:\Program Files\Antivirus 2009"
    
    attrib -h -s -r c:\WINDOWS\system32\ieupdates.exe
    attrib -h -s -r c:\WINDOWS\system32\scui.cpl
    attrib -h -s -r c:\WINDOWS\system32\winsrc.dll
    
    del c:\WINDOWS\system32\ieupdates.exe /f /q
    del c:\WINDOWS\system32\scui.cpl /f /q
    del c:\WINDOWS\system32\winsrc.dll /f /q
    
    attrib -h -s -r c:\program files\xwdxqu.txt
    attrib -h -s -r c:\windows\x
    attrib -h -s -r c:\windows\SxsCaPendDel
    
    del c:\program files\xwdxqu.txt  /f /q
    del c:\windows\x  /f /q
    del c:\windows\SxsCaPendDel  /f /q
    
    reg delete HKLM\SOFTWARE\swearware /f
    reg delete HKCU\Software\Wget /f
    reg delete HKLM\Software\Classes\CLSID\{CD363BEC-7150-B887-530D-F3E2E0424EA} /f
    
    :: rootkit gaopdxserv
    attrib -h -s -r "c:\windows\system32\drivers\gaopdxqfotrruc.sys"
    attrib -h -s -r "c:\windows\system32\gaopdxqpqjwmyc.dll"
    attrib -h -s -r "\c:\windows\system32\drivers\gaopdxuigiphwm.sys"
    
    sc stop gaopdxserv.sys.sys
    sc delete gaopdxserv.sys.sys
    
    del  /f /q "c:\windows\system32\drivers\gaopdxqfotrruc.sys"
    del  /f /q  "c:\windows\system32\gaopdxqpqjwmyc.dll"
    del  /f /q  "\c:\windows\system32\drivers\gaopdxuigiphwm.sys"
    
    sc stop WinSvchostManager
    sc delete WinSvchostManager
    
    sc stop ntndis
    sc delete ntndis
    
    attrib -h -s -r "C:\WINDOWS\system32\drivers\ntndis.exe"
    attrib -h -s -r "C:\WINDOWS\system32\drivers\ntndis.sys"
    
    del  /f /q "C:\WINDOWS\system32\drivers\ntndis.exe"
    del  /f /q "C:\WINDOWS\system32\drivers\ntndis.sys"
    
    attrib -h -s -r "C:\WINDOWS\system32\svcprs32.exe"
    attrib -h -s -r "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dllhost.exe"
    attrib -h -s -r "C:\WINDOWS\system32\mdmcls32.exe"
    
    del  /f /q "C:\WINDOWS\system32\svcprs32.exe"
    del  /f /q "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dllhost.exe"
    del  /f /q "C:\WINDOWS\system32\mdmcls32.exe"
    
    reg delete "HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gaopdxserv.sys" /f
    reg delete "HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gaopdxserv.sys" /f
    reg delete "HKEY_LOCAL_MACHINE\Software\Classes\gaopdxvx" /f
    
    reg delete "HKEY_CURRENT_USER\Software\75319611769193918898704537500611" /f
    reg delete "HKEY_CLASSES_ROOT\CLSID\{037C7B8A-151A-49E6-BAED-CC05FCB50328}" /f
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{037C7B8A-151A-49E6-BAED-CC05FCB50328}" /f
    reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" "75319611769193918898704537500611" /f
    reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" "ieupdate" /f
    echo Finshed ripping out Antivirus 2008-9
    :: Fix associations
    ftype exefile="%1" %*
    ftype batfile="%1" %*
    ftype cmdfile="%1" %*
    ftype comfile="%1" %*
    ftype scrfile="%1" /S
    ftype regfile="regedit.exe" "%1"
    ftype piffile="%1" %*
    ftype inffile=%SystemRoot%\System32\NOTEPAD.EXE "%1"
    ftype vbsfile=%SystemRoot%\System32\WScript.exe "%1" %*
    ftype jsfile=%SystemRoot%\System32\WScript.exe "%1" %*
    
    assoc .exe=exefile
    assoc .bat=batfile
    assoc .cmd=cmdfile
    assoc .com=comfile
    assoc .scr=scrfile
    assoc .reg=regfile
    assoc .pif=piffile
    assoc .lnk=lnkfile
    assoc .inf=inffile
    assoc .vbs=VBSFile
    assoc .js=JSFile
    exit
    exit
    This should run and exit!

    It is a coverall and you may see a few errors related to it addressing something you do not need. This is normal ignore.

    4.Do the TechSpot 8 steps: http://www.techspot.com/vb/topic58138.html

    Skip no steps (do not install another virus scanner if you already have one, ask me before installing a Firewall).

    Most importantly update MalwareBytes and SuperAntiSpyware!

    Mike
     
  12. nlarchey

    nlarchey Newcomer, in training

    Thanks, but

    1 and 2 are not working either. Can I run 3 if the HDD is hooked up as a slave to another machine?

    Also, after it hangs on login I can get to task manager and try to open the CMD prompt and it gives an Application Error:

    The application failed to initialize properly (0xc0000005). Click on OK to terminate the application.

    This was happening before I removed the malware etc.
  13. mflynn

    mflynn Newcomer, in training Posts: 2,793

    No, operation #3 is only valid if run from the booted live OS.

    But you gave some valuable info.

    If you can get Taskmgr, try running Explorer.

    Let me know!

    Mike
  14. nlarchey

    nlarchey Newcomer, in training

    Cool

    That loaded the desktop and the rest of the services, and is now giving a security warning asking if I want to run _A00FCCFD3B.exe. No sounds good to me for this one and I will begin doing step 4.
  15. mflynn

    mflynn Newcomer, in training Posts: 2,793

    Yes! Answer NO!

    Ok if you still can't get the cmd prompt!

    Then the 8 Steps.

    Mike
  16. nlarchey

    nlarchey Newcomer, in training

    Thanks,

    After running Avira in safe mode and having it delete everything it found I was able to open the CMD prompt and run the previously posted script. I am now running the SUPERAntiSpyware and it has found even more infections. Dang Vundo variants. I believe we are well on the way to solving this and if I have any other issues I will be sure to post them here. Thanks Mike, much appreciated.
  17. mflynn

    mflynn Newcomer, in training Posts: 2,793

    No continue here, attach all logs you WILL need more help.

    Mike
  18. nlarchey

    nlarchey Newcomer, in training

    Sounds good.

    I'll post them when they are ready to be run. Thanks.
  19. nlarchey

    nlarchey Newcomer, in training

    Here they are

    Here they are. Hopefully this message is now long enough.
  20. mflynn

    mflynn Newcomer, in training Posts: 2,793

    OK good job!

    Another run indicated!

    OK there were found/removed items in both MBAM and SAS so we need to run again, as the first run likely exposed things that were not even seen the first time.

    So another run Quick Scan with both will likely find more. So UPDATE run them again

    Only when the above is done and log attached then do the below.

    Download SDFix to Desktop.

    http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

    On Desktop run SDdFix It will run (install) then close.

    Then reboot into Safe Mode

    As the computer starts up, tap the F8 key several times.

    On the Boot menu Choose Safe Mode.

    Click thu all the prompts to get to desktop.

    At Desktop
    My Computer C: drive. Double-click to open.

    Look for a folder called SD Fix. Double-click to enter SD Fix.

    Double-click to RunThis.bat. Type Y to begin.

    SD Fix does its job.

    When prompted hit the enter key to restart the computer

    Your computer will reboot.

    On normal restart the Fixtool will run again and complete the removal process then say Finished,
    Hit the Enter key to end the script and load your desktop icons.

    Once the desktop is up, the SDFix report will open on screen and also be saved to the SDFix folder as Report.txt.
    Attach the Report.txt file to your next post.
    =========================================
    Download ComboFix

    NOTE: If you have had ComboFix more than a few days old delete and re-download.

    Get it here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
    Or here: http://subs.geekstogo.com/ComboFix.exe

    Double click combofix.exe follow the prompts.

    Install Recovery Console if connected to the Internet!

    When finished, it will open a log.
    Attach the log and a new HJT log in your next reply.

    Note: Do not click combofix's window while its running. That may cause it to stall.

    Mike.
  21. nlarchey

    nlarchey Newcomer, in training

    Updated logs

    Here they are, only SAS found 5 tracking cookies.
  22. mflynn

    mflynn Newcomer, in training Posts: 2,793

    Should have removed the tracking cookies but basically harmless..

    OK the SDFix and combofix if they are clean we are finished.

    Mike
  23. banged

    banged Newcomer, in training

    Here they are. Please let me know if we are finished, thanks.

    I removed the two RegCure entries in the Tasks folder in Windows.

    you are lucky you didn't have recent virut version
    win32virut56? so far nothing picks it up, rmvirut.exe completely useless, same as drweb
    seems like you had older one that was solved
  24. mflynn

    mflynn Newcomer, in training Posts: 2,793

    OK we may be finished but ComboFix found several and cleaned.

    I need another combofix run and log to confirn it found no more and now has clean log.

    You had mor ethan you thought!

    Mike
  25. nlarchey

    nlarchey Newcomer, in training

    Combo log

    Here it is...I'm not sure exactly how this one is to be read though.
Topic Status:
Not open for further replies.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.