Help with Virus or Malware

Status
Not open for further replies.

CBR954RR

Well, I have scoured through these forums trying to find an answer to my problems but have yet to get my laptop back to normal. Somehow, I have managed to get infected with something that has taken control of my browser and is stopping me from running any application that helps to rid viruses and malware.

I have managed to remove from the registry anything that was loading a file called brastk.exe as well as pointers to av.dat, delself.bat, karna.dat and replaced the infected beep.sys with a fresh copy. Now, these files no longer appear on reboot, nor do they appear in the registry anymore, but my browser still will not let me navigate to sites that will help to remove infections or even the windows update site. If I google something and then click on the link, either another browser window opens with new search results or a window opens with nothing in the window.

Also, I cannot install or run applications like Anti-Malware, SuperAntiSpyware, Combofix, HijackThis, etc. They appear to start but then nothing happens.

The machine does boot up, be it Safe Mode, Safe Mode with Networking, or a Normal Boot and the symptoms are exhibited in all boot modes.

Can someone help me sort this out, or do I need to do a complete reinstall to fix this? Any and all help greatly appreciated.

Thanks in advance.

- Dan

P.S. OS is Windows XP Pro with SP3
P.P.S. I have tried following the Updated 8-step Viruses/Spyware/Malware Preliminary Removal Instructions but, as stated above, I can't get the applications to install or run.
 
Code:
1. To disable System Restore (Windows Me/XP)
If you are running Windows Me or Windows XP, we recommend 
that you temporarily turn off System Restore. Windows Me/XP 
uses this feature, which is enabled by default, to restore the 
files on your computer in case they become damaged. If a virus, 
worm, or Trojan infects a computer, System Restore may back 
up the virus, worm, or Trojan on the computer.

Windows prevents outside programs, including antivirus 
programs, from modifying System Restore. Therefore, 
antivirus programs or tools cannot remove threats in the 
System Restore folder. As a result, System Restore has 
the potential of restoring an infected file on your computer, 
even after you have cleaned the infected files from all the other locations.

2. To delete the value from the registry
Important: we strongly recommend that you back up the registry before making 
any changes to it. Incorrect changes to the registry can result in permanent 
data loss or corrupted files. Modify the specified subkeys only.

Click Start > Run.
Type regedit 
Click OK.

Note: If the registry editor fails to open the threat may have modified the registry 
to prevent access to the registry editor.


Navigate to and delete the following registry entries:


HKEY_LOCAL_MACHINE\SOFTWARE\TDSS\"build" = "standart"
HKEY_LOCAL_MACHINE\SOFTWARE\TDSS\"serversdown" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\TDSS\"type" = "popup"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata\"affid" = "39"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata\"asubid" = "v2test7"


Navigate to and delete the following registry subkeys:


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TDSServ
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TDSServ.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\TDSServ.sys
HKEY_LOCAL_MACHINE\SOFTWARE\TDSS\version
HKEY_LOCAL_MACHINE\SOFTWARE\TDSS\connections
HKEY_LOCAL_MACHINE\SOFTWARE\TDSS\disallowed
HKEY_LOCAL_MACHINE\SOFTWARE\TDSS\injector


Exit the Registry Editor.

Note: If the risk creates or modifies registry subkeys or entries under 
HKEY_CURRENT_USER, it is possible that it created them for every 
user on the compromised computer. To ensure that all registry subkeys 
or entries are removed or restored, log on using each user account and 
check for any HKEY_CURRENT_USER items listed above.

That is straight from the Symantec site. I usually would not tell someone to go into the registry without seeing logs from following the steps here: https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/ However, I recently had to remove a variant of this trojan from a client's computer and no, it would not let me run anything until I got rid of those registry keys.

After you have gotten rid of those keys, see the above link and please follow the steps in order, not skipping any.

Please keep us up to date on this issue, and hopefully we can get this removed for you soon.
 
Hi CBR954RR

Please do not remove System Restore for now; a bad backup point is better than no restore point. Do not burn that bridge yet. When you are clean, then we will clear it and create a new one.

This is the answer to your problems, if you can get the Attachment to download, so please try.

Only post #3.

https://www.techspot.com/vb/topic115811.html

If per chance you cannot download the Attachment then boot to Safe Mode with Networking and try from there.

Mike
 
You can also try resetting your web settings from Internet Options in the Control Panel; that will make your browser go back to factory defaults.
 
nobardin,

Thanks for your suggestion. I searched through the registry and found nothing that matched what you wanted me to delete. Since every registry key that you suggested I delete had TDSS in it, I did a search for that and this is what showed up.

HKEY_LOCAL_MACHINE\System\ControlSet002\Enum\Root\Legacy_TDSSserv.sys\000
with DeviceDesc=TDSSserv.sys and Service=TDSSserv.sys
HKEY_LOCAL_MACHINE\System\ControlSet003\Enum\Root\Legacy_TDSSserv.sys\000
with DeviceDesc=TDSSserv.sys and Service=TDSSserv.sys
HKEY_LOCAL_MACHINE\System\ControlSet004\Enum\Root\Legacy_TDSSserv.sys\000
with DeviceDesc=TDSSserv.sys and Service=TDSSserv.sys
HKEY_LOCAL_MACHINE\System\ControlSet004\Enum\Root\Legacy_TDSSserv.sys\000\Control
with AcitveService=TDSSserv.sys
HKEY_LOCAL_MACHINE\System\ControlSet\Enum\Root\Legacy_TDSSserv.sys\000
with DeviceDesc=TDSSserv.sys and Service=TDSSserv.sys
HKEY_LOCAL_MACHINE\System\ControlSet\Enum\Root\Legacy_TDSSserv.sys\000\Control
with ActiveService=TDSSserv.sys

This is all that I have found and since I don't know if this should be there or not, I have not deleted them.

Any other thoughts?

- Dan


 
mflynn,

Thanks for the response. I have attempted to download the file, but every time I get it, it will not unzip. An error message says the file is corrupt. I have tried this on multiple machines and tried opening it with WinZip and the built-in compressed folders option of XP. No go. Is it possible to get it any other way?

- Dan

 
Bobbye,

Thanks for your thoughts. I have downloaded all the files and put them on a CD but they still won't install on the system. Also, the CD drive won't open to show me the contents of the CD. I have to browse by way of a command prompt. I think if I can just get one of these programs to fire up, I can start to tackle this problem.

- Dan


Can you download the programs to a flash drive? If yes, do that, then install on your system. Once done, run a scan with each of the three and attach the 3 logs here for help. A bad malware infection can prevent direct download of cleaning programs as well as the updating of current security programs on the system.
 
Aspirulito,

Can you elaborate a bit on how to reset the browser back to factory defaults? Is there one place to look, or is there a place in each tab that needs to be reset?

Thanks.

- Dan

 
From the browser window choose Tools --> Internet Options. On the window that opens, go to the Advanced tab, and at the bottom there should be a button that says 'Reset' on it. Click on the button and just wait until it finishes.
I am assuming you have Internet Explorer 7. I believe on 6 it is similar, but the button is on the tab previous to the last.
 
Aspirulito,

Thanks much. I will give this a shot when I get home from work and see how it goes.

- Dan

 
To use RIES in Internet Explorer 7, follow these steps:
1. Click the Tools menu, and then click Internet Options.
2. On the Advanced tab, click Reset.
3. In the Reset Internet Explorer Settings dialog box, click Reset.
4. When Internet Explorer 7 finishes restoring the default settings, click Close, and then click OK two times.
5. Close Internet Explorer 7. The changes take effect the next time that you open Internet Explorer 7.
Note: If you cannot start Internet Explorer 7 for some reason, use RIES from Internet Options in Control Panel.
 
If still needed the Fixit file has been replaced with a self extracting exe!

Some downloaded and ran OK, others would be corrupted? Who knows.

This one is still named Fixit.zip but must be renamed Fixit.exe to run.

Mike
 
Just wanted to let everyone know that I was able to get my machine back under control. I was able to run SDFix.exe by renaming it to SDFix.bat. This allowed it to extract its files and then I was able to run the bat file within the SDFix folder. I ran this a few times until it came up clean and then was able to run ComboFix. Ran that a couple of times until it came up clean and now all seems back to normal.

Thanks to all that offered suggestions.

- Dan
 