TechSpot - PC Technology News and Analysis

rf6647 · #1 11-27-2008

How to Disable ‘tdssserv.sys’ Trojan Identified With Update Failure and Redirected Searches

Key Symptoms: (any of the following)
applying software updates does not work

Google searches /Yahoo searches are redirected

AntiVirus / AntiMalware programs are just 'spinning'

often associated with Antivirus XP 2008, Antivirus XP 2009

Predicted Outcome:
Ability to complete the UPDATED 8-step Viruses/Spyware/Malware Preliminary Removal Instructions

Ability to update your protection programs: Antivirus, AntiMalware, Rootkit, etc.

Procedural Steps
1.

Start->Run-> Devmgmt.msc ->ok
On the toolbar, Click on View -> "Show hidden devices"

2.

Scroll down and locate Non-plug and Play Drivers
Click the + sign to expand

3.

Search for “TDSSserv.sys”
- More exploits: clbdriver.sys, oUltraf, seneka.sys,
Right click on it, and select “Disable”

4. Restart your computer

5. Confirm 'TDSSserv.sys' is disabled. Repeat Step 1-3. Cancel to exit.

6. Begin or resume UPDATED 8-step Viruses/Spyware/Malware Preliminary Removal Instructions

Aknowledgement: Mike, humble PC users everywhere

Technical Details:
Common Names: gogoogle, goyahoo

O20 - AppInit_DLLs: karna.dat is apparent in HJT log

Detected in various scanning programs:
C:\WINDOWS\system32\wini10894.exe

C:\WINDOWS\brastk.exe

C:\WINDOWS\system32\brastk.exe

C:\WINDOWS\karna.dat

C:\WINDOWS\system32\karna.dat

TDSSserv.sys

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | brastk

all software updates redirected to 127.0.0.1 (your own computer) so they won't update.

Modification History

2.2 Add more service names
2.1 Modify title
1.1 Source material from Kimsland
1.2 This is pretty much my limit for addressing technical details for rooting out the infection

kimsland · #2 11-27-2008

Excellent guide

rf6647

This thread will be used as an excellent starting point, with this specific infection

mflynn · #3 11-28-2008

Absolutly well witten Guide good Job.

And much simpler than the Attachment download I wrote.

What we are after is to get MBAM and SAS to update and run. If this does it then it is the way to go.

What needs to be seen is if it does in fact break them loose.

TDSSserv has been aurond a long time without causing this recent issue and at this point I am not sure it is only TDSServ , if so it has been modified recently to do so.

It may be a new TDSSserv or brastk.exe alone or brastk.exe in combo with TDSSserv that causes the no update no run issue.

If in fact it works the MBAM and SAS need to be run immediately after the device is stopped as I believe on reboot TDSSserv will reinstall.

I think in severe cases the Fixit download should be considered as it does much more such as defaulting the HOST file, clearing the Trusted sites, deep clean of Windows Internet Temps as well as resetting permissions for Taskmgr Regedit and Associations plus more.

In fact I modified Fixit a couple of days ago to include more.

I also have more modifications I am testing now. Including removing Index.dat and cleaning of the c:\Windows\system32\config\systemprofile.

In addition to terminating Windows Explorer, Winlogon will be terminated as well, first to prevent Explorer from being restarted by Windows which it will do after a few minutes. And second to allow cleaning of malware attached to Winlogon.

When Winlogon it terminated the computer can not be shutdown or rebooted by any command and will need to be powered off manually.

I am also preparing a more formal guide and will add the above to it.

Mike

Bobbye · #4 11-28-2008

Thank you for this excellent guide. Seems like sometimes we have to wring our hands to figure out what to do! (Guess ?I should just say "I" do anyway) SO the extra assist is always welcome.

rf6647, this is very well set up. Sometimes I see instructions that are too spaced out, no emphasis on a section or difficult to follow. You didn't do any of that . Thanks!

rf6647 · #5 11-29-2008

Quote:

Originally Posted by mflynn

Absolutly well witten Guide good Job.............And much simpler than the Attachment download I wrote...............I am also preparing a more formal guide and will add the above to it.......Mike

Mike,
Kimsland gave me a template to start my guide. The attachment is a template I started using content from your 'fixit' post.

I think I finally understand how using 'quote' can be put on the clipboard and pasted into a text file. I then kept repeating 'preview post' while I did editing.

There must be an easier way.

When you are ready to post your 'how to', message # 1 automatically becomes the document. In violation of one of the rules, post a reply (message # 2) and add title - Technical Details and change history. All other replies become modification requests and words of encouragement. As far as I know, you can edit message # 1 forever. Once upon a time, I thought there was a 24-hour timer. After posting this reply, I guess I should verify my view on this.

Rich

kimsland · #6 11-29-2008

Quote:

Originally Posted by rf6647

I thought there was a 24-hour timer. After posting this reply

There was. It was lifted some time back

This was to allow modifications to outdated posts, ie the 8-Step removal guide
Although the Edit function will not work on closed threads
Therefore guides can be written, and then closed, to stop any further modifications, on any post in the thread.
This is beneficial where a thread should not be edited
To close a thread, requires Admin approval, or request.

rf6647 · #7 12-01-2008

Here is recent feedback -

Quote:

Originally Posted by Boomslang1982

I actually found another way and it is using combofix.

Additionally, I reviewed cases from the last week where the TDSSserv trojan was most suspect. ComboFix was called in on most of those cases. Two cases, ComboFix did not run. One case, the log results were absent of most of the usual sections.

While ‘disabling the trojan’ in the device manager is effective in reducing symptoms of the infection, it appears that ComboFix is needed to clean the infection. Additionally, coincidental with using this method, SAS informs this as a rootkit trojan while MBAM is clean.

It has not been decided if this method can stand, or does it reduce the effectiveness of the MBAM/SAS combination. In any event, I believe we should recognize that SAS is informing that ComboFix should be used.

The question I see is a matter of procedure / protocol. Based on input from boomslang, ComboFix is fully effective against the infection. At what point is it appropriate to direct using the tool. And, is it sufficient to accept that the infection has been cleaned, or do we need a knowledgable interpretation of the log?

Futhermore, in those cases, problems with Task Manager, Regedit, cmd, etc. was not addressed. How do we make this part of the checks before giving the all clear? The script developed by mflynn probably has much of this covered.

wayne001 · #8 02-16-2009

I tried to download and run the fixit but my computer wont run it. It comes up with an error that the file can't be found.

kimsland · #9 02-16-2009

Here is the location of "Fixit" attachment: http://www.techspot.com/vb/post684649-3.html

But if this does not resolve the issue
Or trying Safe Mode with Networking
Then the only option is to remove the Harddrive itself, and scan it in another computer

If you require any further help please start your own New Thread in the Virus & Malware removal forum
All users with Virus\Malware issues should first try to resolve their issue by following the guide:

UPDATED 8-step Viruses/Spyware/Malware Preliminary Removal Instructions

Any support questions cannot be answered in this guide

nlarchey · #10 02-17-2009

Hello,

I disabled TDSSServ.sys on an XP machine and now am unable to log in, even in safe mode. It allows me to enter the login credentials and then it just hangs without loading the profile. I took the hard drive out and scanned it from another computer with Malwarebytes. I was able to remove all instances of TDSSServ.sys in the registry, scanned again and it found nothing. I replaced the hard drive in its original chassis and it still will not load the profile. I'm at a loss

mflynn · #11 02-17-2009

1. Try Safe Mode networking if that works begin with #3 below and do all from there down, if not do #2

2. Try Last know good configuration on Advanced Boot menu (same that starts safe mode) no go stop here report back and we will take other steps

3.Left Drag mouse and Copy for Pasting all text in the box below. Make sure the slider bar goes to bottom from the @ to the end of the second exit.

Then paste to the black screen of an open command prompt. All may not apply so ignore errors.

Code:

@echo off
cd\
:: Fix associations
ftype exefile="%1" %*
ftype batfile="%1" %*
ftype cmdfile="%1" %*
ftype comfile="%1" %*
ftype scrfile="%1" /S
ftype regfile="regedit.exe" "%1"
ftype piffile="%1" %*
ftype inffile=%SystemRoot%\System32\NOTEPAD.EXE "%1"
ftype vbsfile=%SystemRoot%\System32\WScript.exe "%1" %*
ftype jsfile=%SystemRoot%\System32\WScript.exe "%1" %*

assoc .exe=exefile
assoc .bat=batfile
assoc .cmd=cmdfile
assoc .com=comfile
assoc .scr=scrfile
assoc .reg=regfile
assoc .pif=piffile
assoc .lnk=lnkfile
assoc .inf=inffile
assoc .vbs=VBSFile
assoc .js=JSFile

sc stop TDSSserv.sys
sc delete TDSSserv.sys
:: Above sc commands first stops then deletes service if it exists
::
reg unload "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata"
reg unload "HKEY_LOCAL_MACHINE\SOFTWARE\tdss"
::
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata" /f
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\tdss" /f
::The above reg commands first unloads the reg keys then deletes these keys.
::
Attrib -h -s -r tdss*.* /s
del  tdss*.* /f /q /s
:: The above two lines first clears protective attributes then 
:: deletes all files on Drive beginning with the name tdss

:: Remove AntiVirus2009
attrib -h -s -r "%UserProfile%\Desktop\Antivirus 2009.lnk"
attrib -h -s -r "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus 2009.lnk"
attrib -h -s -r "%UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\S96PZM7V\winsrc[1].dll"
attrib -h -s -r "%UserProfile%\Start Menu\Antivirus 2009\*.*"

del "%UserProfile%\Desktop\Antivirus 2009.lnk" /f /q
del "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus 2009.lnk" /f /q
del "%UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\S96PZM7V\winsrc[1].dll" /f /q
del "%UserProfile%\Start Menu\Antivirus 2009\*.*" /f /q

rd /s /q "%UserProfile%\Start Menu\Antivirus 2009"

attrib -h -s -r "c:\Program Files\Antivirus 2009\*.*"
rd /s/q "c:\Program Files\Antivirus 2009"

attrib -h -s -r c:\WINDOWS\system32\ieupdates.exe
attrib -h -s -r c:\WINDOWS\system32\scui.cpl
attrib -h -s -r c:\WINDOWS\system32\winsrc.dll

del c:\WINDOWS\system32\ieupdates.exe /f /q
del c:\WINDOWS\system32\scui.cpl /f /q
del c:\WINDOWS\system32\winsrc.dll /f /q

attrib -h -s -r c:\program files\xwdxqu.txt
attrib -h -s -r c:\windows\x
attrib -h -s -r c:\windows\SxsCaPendDel

del c:\program files\xwdxqu.txt  /f /q
del c:\windows\x  /f /q
del c:\windows\SxsCaPendDel  /f /q

reg delete HKLM\SOFTWARE\swearware /f
reg delete HKCU\Software\Wget /f
reg delete HKLM\Software\Classes\CLSID\{CD363BEC-7150-B887-530D-F3E2E0424EA} /f

:: rootkit gaopdxserv
attrib -h -s -r "c:\windows\system32\drivers\gaopdxqfotrruc.sys"
attrib -h -s -r "c:\windows\system32\gaopdxqpqjwmyc.dll"
attrib -h -s -r "\c:\windows\system32\drivers\gaopdxuigiphwm.sys"

sc stop gaopdxserv.sys.sys
sc delete gaopdxserv.sys.sys

del  /f /q "c:\windows\system32\drivers\gaopdxqfotrruc.sys"
del  /f /q  "c:\windows\system32\gaopdxqpqjwmyc.dll"
del  /f /q  "\c:\windows\system32\drivers\gaopdxuigiphwm.sys"

sc stop WinSvchostManager
sc delete WinSvchostManager

sc stop ntndis
sc delete ntndis

attrib -h -s -r "C:\WINDOWS\system32\drivers\ntndis.exe"
attrib -h -s -r "C:\WINDOWS\system32\drivers\ntndis.sys"

del  /f /q "C:\WINDOWS\system32\drivers\ntndis.exe"
del  /f /q "C:\WINDOWS\system32\drivers\ntndis.sys"

attrib -h -s -r "C:\WINDOWS\system32\svcprs32.exe"
attrib -h -s -r "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dllhost.exe"
attrib -h -s -r "C:\WINDOWS\system32\mdmcls32.exe"

del  /f /q "C:\WINDOWS\system32\svcprs32.exe"
del  /f /q "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dllhost.exe"
del  /f /q "C:\WINDOWS\system32\mdmcls32.exe"

reg delete "HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gaopdxserv.sys" /f
reg delete "HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gaopdxserv.sys" /f
reg delete "HKEY_LOCAL_MACHINE\Software\Classes\gaopdxvx" /f

reg delete "HKEY_CURRENT_USER\Software\75319611769193918898704537500611" /f
reg delete "HKEY_CLASSES_ROOT\CLSID\{037C7B8A-151A-49E6-BAED-CC05FCB50328}" /f
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{037C7B8A-151A-49E6-BAED-CC05FCB50328}" /f
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" "75319611769193918898704537500611" /f
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" "ieupdate" /f
echo Finshed ripping out Antivirus 2008-9
:: Fix associations
ftype exefile="%1" %*
ftype batfile="%1" %*
ftype cmdfile="%1" %*
ftype comfile="%1" %*
ftype scrfile="%1" /S
ftype regfile="regedit.exe" "%1"
ftype piffile="%1" %*
ftype inffile=%SystemRoot%\System32\NOTEPAD.EXE "%1"
ftype vbsfile=%SystemRoot%\System32\WScript.exe "%1" %*
ftype jsfile=%SystemRoot%\System32\WScript.exe "%1" %*

assoc .exe=exefile
assoc .bat=batfile
assoc .cmd=cmdfile
assoc .com=comfile
assoc .scr=scrfile
assoc .reg=regfile
assoc .pif=piffile
assoc .lnk=lnkfile
assoc .inf=inffile
assoc .vbs=VBSFile
assoc .js=JSFile
exit
exit

This should run and exit!

It is a coverall and you may see a few errors related to it addressing something you do not need. This is normal ignore.

4.Do the TechSpot 8 steps: UPDATED 8-step Viruses/Spyware/Malware Preliminary Removal Instructions

Skip no steps (do not install another virus scanner if you already have one, ask me before installing a Firewall).

Most importantly update MalwareBytes and SuperAntiSpyware!

Mike

nlarchey · #12 02-17-2009

1 and 2 are not working either. Can I run 3 if the HDD is hooked up as a slave to another machine?

Also, after it hangs on login I can get to task manager and try to open the CMD prompt and it gives an Application Error:

The application failed to initialize properly (0xc0000005). Click on OK to terminate the application.

This was happening before I removed the malware etc.

mflynn · #13 02-17-2009

No, operation #3 is only valid if run from the booted live OS.

But you gave some valuable info.

If you can get Taskmgr, try running Explorer.

Let me know!

Mike

nlarchey · #14 02-17-2009

That loaded the desktop and the rest of the services, and is now giving a security warning asking if I want to run _A00FCCFD3B.exe. No sounds good to me for this one and I will begin doing step 4.

mflynn · #15 02-17-2009

Yes! Answer NO!

Ok if you still can't get the cmd prompt!

Then the 8 Steps.

Mike

nlarchey · #16 02-17-2009

After running Avira in safe mode and having it delete everything it found I was able to open the CMD prompt and run the previously posted script. I am now running the SUPERAntiSpyware and it has found even more infections. Dang Vundo variants. I believe we are well on the way to solving this and if I have any other issues I will be sure to post them here. Thanks Mike, much appreciated.

mflynn · #17 02-17-2009

No continue here, attach all logs you WILL need more help.

Mike

nlarchey · #18 02-17-2009

I'll post them when they are ready to be run. Thanks.

nlarchey · #19 02-17-2009

Here they are. Hopefully this message is now long enough.

mflynn · #20 02-17-2009

OK good job!

Another run indicated!

OK there were found/removed items in both MBAM and SAS so we need to run again, as the first run likely exposed things that were not even seen the first time.

So another run Quick Scan with both will likely find more. So UPDATE run them again

Only when the above is done and log attached then do the below.

Download SDFix to Desktop.

http://downloads.andymanchesta.com/R...ools/SDFix.exe

On Desktop run SDdFix It will run (install) then close.

Then reboot into Safe Mode

As the computer starts up, tap the F8 key several times.

On the Boot menu Choose Safe Mode.

Click thu all the prompts to get to desktop.

At Desktop
My Computer C: drive. Double-click to open.

Look for a folder called SD Fix. Double-click to enter SD Fix.

Double-click to RunThis.bat. Type Y to begin.

SD Fix does its job.

When prompted hit the enter key to restart the computer

Your computer will reboot.

On normal restart the Fixtool will run again and complete the removal process then say Finished,
Hit the Enter key to end the script and load your desktop icons.

Once the desktop is up, the SDFix report will open on screen and also be saved to the SDFix folder as Report.txt.
Attach the Report.txt file to your next post.
=========================================
Download ComboFix

NOTE: If you have had ComboFix more than a few days old delete and re-download.

Get it here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Or here: http://subs.geekstogo.com/ComboFix.exe

Double click combofix.exe follow the prompts.

Install Recovery Console if connected to the Internet!

When finished, it will open a log.
Attach the log and a new HJT log in your next reply.

Note: Do not click combofix's window while its running. That may cause it to stall.

Mike.

Similar Topics
Topic	Category	Replies	Last Post
Google redirect	Virus & Malware removal	32	11-29-2008 11:38 PM
Google redirect: out of ideas, have HJT log	Virus & Malware removal	3	10-29-2008 05:22 PM
Google Redirect	Virus & Malware removal	1	10-17-2008 04:27 AM
Google redirect	Virus & Malware removal	10	05-15-2007 06:14 PM
Google redirect	Virus & Malware removal	17	03-01-2007 10:06 PM

TechSpot - PC Technology News and Analysis

Google Yahoo redirect TDSSserv.sys