Search hijack, hard to remove

[sherritp]

I'm helping my dad with a malware infection. I've read through the 8-step malware removal guide and followed those that weren't blocked.

I'm unable to go to any on-line virus checks (such as TrendMicro Housecall).

I cannot remove old copies of Java or install the newest update.

Running a manual scan of Avast AntiVirus (free home edition) shows many files that are locked/password protected. It also appeard that there's an RPC error when trying to open the 'chest' before starting the scan.

Below is the HijackThis log, but I was not able to run the HJTInstall (so I copied over the HiJackThis.exe manually. I've downloaded the Malwarebytes install, but it won't run. I can double-click it and then nothing happens. On a whim I made a copy of the install (now called Copy of mbam-setup.exe) and this will install, at least up to when the progress bar is complete (but I never see the Finish button enable).

Booting into safe mode with Networking does not seem to provide a benefit.

I've attached a hijackthis log.

I've cleaned this computer before and never had this much trouble. Usually I've been able to do on-line scans using the IP of the scanning service or otherwise find ways around the blocks in place, but this one has me stumped.

Thanks,

Tim

 

[raybay]

What do you mean by, "Booting into safe mode with Networking does not seem to provide a benefit." ?

 

[sherritp]

Booting into safe mode still blocks the ability to run programs like Malwarebyes Anti-Malware.

 

[raybay]

Does it block other programs such as SuperAntiSpyware and Avira Antivir?
You might try running a Windows disk in "Repair" mode... not Repair Console mode....
or put it in another system as a USB external enclosure and run your first scans there.

 

[sherritp]

Scanners won't run at all, whether in a normal boot or in safe mode.

I was able to get MBAM to run by renaming the executable. Progress!

Here's the log from MBAM (quick scan--full scan is still running):

Malwarebytes' Anti-Malware 1.33
Database version: 1654
Windows 5.1.2600 Service Pack 3

1/23/2009 2:51:10 PM
mbam-log-2009-01-23 (14-51-10).txt

Scan type: Quick Scan
Objects scanned: 55343
Time elapsed: 12 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 2
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 15

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{87255c51-cd7d-4506-b9ad-97606daf53f3} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{d5bf49a2-94f1-42bd-f434-3604812c807d} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{9522b3fb-7a2b-4646-8af6-36e7f593073c} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d5bf49a2-94f1-42bd-f434-3604812c807d} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\nfpinit_dlls (Spyware.Agent.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\ -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Agent) -> Data: c:\windows\system32\ -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\ -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Agent) -> Data: system32\ -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\SYSTEM32\1130.dat (Spyware.Passwords) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\TDSSkrxx.dll (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\TDSSnpur.dll (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\TDSSoitu.dll (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\TDSSyaqu.dll (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\DRIVERS\TDSSpxfe.sys (Trojan.TDSS) -> Delete on reboot.
C:\Documents and Settings\Home\Local Settings\Temp\TDSSdb3c.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\ (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\Help\mgr.chmn (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Help\amsxm.ahp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Help\mxs.hl (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\TDSSixgp.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\TDSSlxwp.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\TDSStkdu.log (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\TDSSwkod.log (Trojan.TDSS) -> Delete on reboot.



Tim

 

[raybay]

So you know you have a relatively serious infestation of Trojan's and perhaps other junk... and are on the way to removal.
I would look at the 8 Step program on this forum... It is a very good, very helpful way to address the issue.
But at least run your scans again in Safe Mode.... and again immediately after running a re-boot.
We like MalwareBytres, SuperAntiSpyware, Spyware Doctor, Spy Sweeper, and Avast Antivirus or Avira Antivir antivirus run multiple times.

 

[sherritp]

Thanks raybay.

By renaming some of the scanners, I was able to clear out a long list of nasties. I've added a firewall and will ensure they run scanners regularly.

I'm not sure everything is gone yet, but at least the major symptoms have been treated.

Tim