TechSpot

Search hijack, hard to remove

By sherritp
Jan 23, 2009
  1. I'm helping my dad with a malware infection. I've read through the 8-step malware removal guide and followed those that weren't blocked.

    I'm unable to go to any on-line virus checks (such as TrendMicro Housecall).

    I cannot remove old copies of Java or install the newest update.

    Running a manual scan of Avast AntiVirus (free home edition) shows many files that are locked/password protected. It also appeard that there's an RPC error when trying to open the 'chest' before starting the scan.

    Below is the HijackThis log, but I was not able to run the HJTInstall (so I copied over the HiJackThis.exe manually. I've downloaded the Malwarebytes install, but it won't run. I can double-click it and then nothing happens. On a whim I made a copy of the install (now called Copy of mbam-setup.exe) and this will install, at least up to when the progress bar is complete (but I never see the Finish button enable).

    Booting into safe mode with Networking does not seem to provide a benefit.

    I've attached a hijackthis log.

    I've cleaned this computer before and never had this much trouble. Usually I've been able to do on-line scans using the IP of the scanning service or otherwise find ways around the blocks in place, but this one has me stumped.

    Thanks,

    Tim
     
  2. raybay

    raybay TS Evangelist Posts: 7,241   +9

    What do you mean by, "Booting into safe mode with Networking does not seem to provide a benefit." ?
     
  3. sherritp

    sherritp TS Rookie Topic Starter

    Booting into safe mode still blocks the ability to run programs like Malwarebyes Anti-Malware.
     
  4. raybay

    raybay TS Evangelist Posts: 7,241   +9

    Does it block other programs such as SuperAntiSpyware and Avira Antivir?
    You might try running a Windows disk in "Repair" mode... not Repair Console mode....
    or put it in another system as a USB external enclosure and run your first scans there.
     
  5. sherritp

    sherritp TS Rookie Topic Starter

    Scanners won't run at all, whether in a normal boot or in safe mode.

    I was able to get MBAM to run by renaming the executable. Progress!

    Here's the log from MBAM (quick scan--full scan is still running):

    Malwarebytes' Anti-Malware 1.33
    Database version: 1654
    Windows 5.1.2600 Service Pack 3

    1/23/2009 2:51:10 PM
    mbam-log-2009-01-23 (14-51-10).txt

    Scan type: Quick Scan
    Objects scanned: 55343
    Time elapsed: 12 minute(s), 39 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 8
    Registry Values Infected: 2
    Registry Data Items Infected: 4
    Folders Infected: 0
    Files Infected: 15

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\CLSID\{87255c51-cd7d-4506-b9ad-97606daf53f3} (Adware.Coupons) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{d5bf49a2-94f1-42bd-f434-3604812c807d} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{9522b3fb-7a2b-4646-8af6-36e7f593073c} (Adware.Coupons) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d5bf49a2-94f1-42bd-f434-3604812c807d} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\nfpinit_dlls (Spyware.Agent.H) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.BHO) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\ -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Agent) -> Data: c:\windows\system32\ -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\ -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Agent) -> Data: system32\ -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\WINDOWS\SYSTEM32\1130.dat (Spyware.Passwords) -> Quarantined and deleted successfully.
    C:\WINDOWS\SYSTEM32\TDSSkrxx.dll (Trojan.TDSS) -> Delete on reboot.
    C:\WINDOWS\SYSTEM32\TDSSnpur.dll (Trojan.TDSS) -> Delete on reboot.
    C:\WINDOWS\SYSTEM32\TDSSoitu.dll (Trojan.TDSS) -> Delete on reboot.
    C:\WINDOWS\SYSTEM32\TDSSyaqu.dll (Trojan.TDSS) -> Delete on reboot.
    C:\WINDOWS\SYSTEM32\DRIVERS\TDSSpxfe.sys (Trojan.TDSS) -> Delete on reboot.
    C:\Documents and Settings\Home\Local Settings\Temp\TDSSdb3c.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\SYSTEM32\ (Trojan.Agent) -> Delete on reboot.
    C:\WINDOWS\Help\mgr.chmn (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\Help\amsxm.ahp (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\Help\mxs.hl (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\SYSTEM32\TDSSixgp.dll (Rootkit.Agent) -> Delete on reboot.
    C:\WINDOWS\SYSTEM32\TDSSlxwp.dll (Rootkit.Agent) -> Delete on reboot.
    C:\WINDOWS\SYSTEM32\TDSStkdu.log (Trojan.TDSS) -> Delete on reboot.
    C:\WINDOWS\SYSTEM32\TDSSwkod.log (Trojan.TDSS) -> Delete on reboot.



    Tim
     
  6. raybay

    raybay TS Evangelist Posts: 7,241   +9

    So you know you have a relatively serious infestation of Trojan's and perhaps other junk... and are on the way to removal.
    I would look at the 8 Step program on this forum... It is a very good, very helpful way to address the issue.
    But at least run your scans again in Safe Mode.... and again immediately after running a re-boot.
    We like MalwareBytres, SuperAntiSpyware, Spyware Doctor, Spy Sweeper, and Avast Antivirus or Avira Antivir antivirus run multiple times.
     
  7. sherritp

    sherritp TS Rookie Topic Starter

    Thanks raybay.

    By renaming some of the scanners, I was able to clear out a long list of nasties. I've added a firewall and will ensure they run scanners regularly.

    I'm not sure everything is gone yet, but at least the major symptoms have been treated.

    Tim
     
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...