TechSpot OpenBoards > Tech Support > Virus and Malware Removal

Google Redirect - Fixed

Page 1 of 2
  #1  
Old 11-27-2008
Newcomer, in training
 
Member since: Nov 2008, 17 posts
Google Redirect - Fixed

I have spent the last two days trying to get rid of the TDSSserv Rootkit that redirects all links to Antivirus websites to the localhost. This completely stopped me from performing most of the 8-Step Removal Instructions. I had to use an uninfected laptop to download the installs for all of the programs listed in 8-Step and then transfer them to the infected computer. No installs worked until I found a thread here to disable TDSSserv.sys using device manager. When I disabled this driver, rebooted, and logged in I was able to briefly access the desired websites but Windows then locked up. I finally had to use safe mode to install Malwarebytes' Anti-Malware program which found some of the problem. Thereafter I was able to launch Windows and carry out each of the 8-Steps.

I think this board, TechSpot, is fantastic. I would not have been able to get this far without it. Thanks to all of you.

Now, I would appreciate it if you would review the attached logs to see if there are any remaining problems and thanks in advance.
Attached Files
File Type: txt mbam-log-2008-11-27 (17-03-21).txt (1.5 KB, 3 views)
File Type: log SUPERAntiSpyware Scan Log - 11-27-2008 - 17-21-54.log (2.5 KB, 2 views)
File Type: log hijackthis.log (8.0 KB, 4 views)
  #2  
Old 11-28-2008
TechSpot Addict
 
Location: Illinois, USA
Member since: Feb 2007, 931 posts
Welcome to TS. That’s progress. Your logs show found and removed items. We will proceed along a typical path.

Update both MBAM & SAS. Rerun them both.

This effort is complete when logs report NO infections/threats, or reporting something it can not clean.

Restart the computer. Scan with HJT.

Post logs. Report progress and what changes are observed.

Further discussion
Thanks for the feedback regarding this post. In that thread, the message #3 link to 'fixit download' is being developed as a more comprehensive tool. Your reported difficulty reveals how quickly threats evolve.

The MBAM version used for the scan is 'ancient' when judged by the multi-updates made daily to that tool.

Attempt to follow the typical path. In case of difficulties due to resurgence of the infection, then visit message #3.
  #3  
Old 11-29-2008
Newcomer, in training
 
Member since: Nov 2008, 17 posts
Google Redirect - Fixed

I updated MBAM and SAS and reran them. I've attached the appropriate log files for your review.

It seems that SAS always finds registry traces of Rootkit TDSSserv so I think it is being reinstalled. Also TDSSserv.sys is still showing up in Device Manager although it is still disabled. Should I uninstall this driver?

I have a few additional questions that I'd like your advice on:

1. What Antivirus program would you recommend? I have gone from AVG, to Avast!, and now I'm using Avira AntiVir Personal as my sole antivirus program.
2. I'm using ZoneAlarm for my firewall. Would you recommend anything else in its place?
3. I have Windows Defender and Lavasoft Ad-Aware installed prior to my problems. Should I uninstall them since I'm now using MBAM and SAS?
4. For your information, I've installed SpywareBlaster, CCleaner, and WinPatrol based on recommendations made on this forum. Not really sure what WinPatrol is doing since I haven't had time to review the documentation yet.

Again, thanks for your continued help.
Attached Files
File Type: log hijackthis.log (8.2 KB, 2 views)
File Type: txt mbam-log-2008-11-29 (14-45-51).txt (857 Bytes, 2 views)
File Type: log SUPERAntiSpyware Scan Log - 11-29-2008 - 16-17-39.log (781 Bytes, 2 views)
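The question above (the driver is disabled in Device Manager yet SAS keeps reporting registry traces) comes down to what "disabled" means on disk. The script below is an added example for this thread, not code from SUPERAntiSpyware, Malwarebytes or any tool named here. It reads the service keys under HKLM\SYSTEM\CurrentControlSet\Services on Windows and, anywhere else, evaluates a constructed snapshot. The service and file names (TDSSserv, TDSSserv.sys) come from the thread; the ImagePath strings, the stock Beep driver entry and the Start/Type value meanings (Start 4 = disabled, Type 1 = kernel driver) are the example's own assumptions and general Windows conventions, not values copied from this machine.

```python
r"""Check whether a kernel-driver service such as TDSSserv is still registered.

Added example, not from the thread and not part of any tool named in it.
Disabling a driver in Device Manager does not delete it: the service key
under HKLM\SYSTEM\CurrentControlSet\Services stays, its Start value is set
to 4 (disabled) and the .sys file stays on disk. That is what a scanner
reports as "registry traces". On Windows this reads the live Services
keys; elsewhere it evaluates a constructed snapshot.
"""
import os
import sys

try:
    import winreg  # Windows only; the assessment logic below does not need it
except ImportError:
    winreg = None

SERVICES_KEY = r"SYSTEM\CurrentControlSet\Services"
START_NAMES = {0: "boot", 1: "system", 2: "auto", 3: "manual", 4: "disabled"}
DRIVER_TYPES = {1, 2}  # SERVICE_KERNEL_DRIVER, SERVICE_FILE_SYSTEM_DRIVER

# Constructed snapshot: TDSSserv as the thread describes it (present but
# disabled) next to a stock XP driver. ImagePath strings are assumed.
SAMPLE_SNAPSHOT = {
    "TDSSserv": {"Type": 1, "Start": 4,
                 "ImagePath": r"\SystemRoot\system32\drivers\TDSSserv.sys"},
    "Beep": {"Type": 1, "Start": 1, "ImagePath": r"system32\drivers\beep.sys"},
}
SAMPLE_FILES = {r"c:\windows\system32\drivers\tdssserv.sys",
                r"c:\windows\system32\drivers\beep.sys"}


def expand_image_path(image, system_root=r"C:\WINDOWS"):
    """Turn the forms ImagePath takes for drivers into an absolute path."""
    path = image.strip().strip('"')
    if path.startswith("\\??\\"):            # NT object path prefix
        path = path[4:]
    if path.lower().startswith("\\systemroot\\"):
        return system_root + path[len("\\systemroot"):]
    if len(path) > 1 and path[1] == ":":      # already absolute
        return path
    return system_root + "\\" + path.lstrip("\\")  # relative to %SystemRoot%


def assess_service(name, values, file_exists, system_root=r"C:\WINDOWS"):
    """Describe one Services\\<name> key: start type, driver?, file on disk?"""
    image = values.get("ImagePath", "") or ""
    full = expand_image_path(image, system_root) if image else ""
    return {
        "name": name,
        "start": START_NAMES.get(values.get("Start"), "unknown"),
        "kernel_driver": values.get("Type") in DRIVER_TYPES,
        "image_path": full,
        "file_present": bool(full) and file_exists(full),
    }


def find_services(snapshot, prefix, file_exists, system_root=r"C:\WINDOWS"):
    """Assess every service whose key name starts with prefix (case-insensitive)."""
    hits = [assess_service(n, v, file_exists, system_root)
            for n, v in snapshot.items() if n.lower().startswith(prefix.lower())]
    return sorted(hits, key=lambda h: h["name"].lower())


def snapshot_file_exists(files):
    """file_exists() for the constructed snapshot: case-insensitive path set."""
    lowered = {f.lower() for f in files}
    return lambda path: path.lower() in lowered


def read_live_services():
    """Read Type/Start/ImagePath for every Services subkey (Windows only)."""
    snapshot = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SERVICES_KEY) as root:
        for i in range(winreg.QueryInfoKey(root)[0]):
            name = winreg.EnumKey(root, i)
            values = {}
            with winreg.OpenKey(root, name) as sub:
                for value in ("Type", "Start", "ImagePath"):
                    try:
                        values[value] = winreg.QueryValueEx(sub, value)[0]
                    except OSError:
                        pass  # value absent on this key
            snapshot[name] = values
    return snapshot


def main(prefix="TDSS"):
    if winreg is not None and sys.platform == "win32":
        root = os.environ.get("SystemRoot", r"C:\WINDOWS")
        hits = find_services(read_live_services(), prefix, os.path.exists, root)
    else:
        hits = find_services(SAMPLE_SNAPSHOT, prefix, snapshot_file_exists(SAMPLE_FILES))
    for h in hits:
        print(f"{h['name']}: start={h['start']} driver={h['kernel_driver']} "
              f"file={h['image_path']} present={h['file_present']}")
    return hits


if __name__ == "__main__":
    main()
```

A hit with start=disabled and present=True is exactly the state the post describes: the driver cannot load, but its registration and file are still there for a scanner to find, and for something else to re-enable. Removing the key and the file (which is what the tools later in this thread do) is what makes the trace go away.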
  #4  
Old 11-29-2008
TechSpot Evangelist
 
Location: Lexington NC USA Eastern Time
Member since: Nov 2008, 2,793 posts
Your SAS log shows it may still be there.

Do this..

ComboFix

NOTE: If your copy of ComboFix is more than a few days old, delete it and re-download.

Get it here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Or here: http://subs.geekstogo.com/ComboFix.exe

Double click combofix.exe follow the prompts.

When finished, it will open a log.
Attach the log and a new HJT log in your next reply.

Note: Do not click ComboFix's window while it's running. That may cause it to stall.

Then update SAS and scan again but with the changes below:

Click the Preferences button.

Then Scanning Control.

In Scanner Options make sure all boxes are checked except #3, Ignore System Restore.

Mike
  #5  
Old 11-29-2008
TechSpot Addict
 
Location: Illinois, USA
Member since: Feb 2007, 931 posts
Mflynn – Combofix is a good call on this. It will be a speedy route to a clean computer.

I believe this case proves the need to develop your instructions into a procedure. The ‘disable tdssserv’ procedure was developed with the belief that installation of another tool could be avoided. However, several cases following your instructions permit MBAM & SAS to run clean. It’s difficult to comprehend how a ‘disabled trojan’ escapes full treatment from MBAM & SAS.

While I was considering asking gmpederson to conduct an experiment to prove my observation, the effect would have disrupted the flow of the 8-step guide that is preached here.
  #6  
Old 11-30-2008
Newcomer, in training
 
Member since: Nov 2008, 17 posts
Google Redirect - Fixed

Okay....I've run ComboFix and it deleted ODCTOOLS files and folder as well as C:\windows\system32\TDSSitpe.dat. Everything else appears to be clean. Here are the logs you requested.
Attached Files
File Type: log SUPERAntiSpyware Scan Log - 11-30-2008 - 10-22-13.log (465 Bytes, 2 views)
File Type: txt ComboFix.txt (17.5 KB, 2 views)
File Type: log hijackthis.log (8.9 KB, 2 views)
  #7  
Old 11-30-2008
TechSpot Evangelist
 
Location: Lexington NC USA Eastern Time
Member since: Nov 2008, 2,793 posts
OK, but I require a clean ComboFix log. Just because it shows removed/deleted items does not mean it is clean until the log says so, so run it again and post the new log.

Run HJT, Scan only, then select and remove the below.

O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab

You have evidence that you once had Norton/Symantec. It is not completely gone.

To remove it do this..

OK, let's see if we can't get rid of Norton (Norton/Symantec is extremely hard to eradicate).

Drag the mouse to copy everything inside the box below for pasting.

Code:
@echo off
rem Runs from the drive root: every file or folder whose name begins with
rem norton or syman anywhere on this drive is listed, then deleted.
rem Read the .txt listings on the Desktop before trusting the result.
rem rd does not accept wildcards, so folders are removed with a for loop.
rem When pasted into the command prompt use %d; in a saved .bat use %%d.
cd\
attrib -h -s -r norton*.* /s /d >"%USERPROFILE%"\Desktop\NortonLeftOvers.txt
echo ...............................................
dir /b /s norton*.* >>"%USERPROFILE%"\Desktop\NortonLeftOvers.txt
echo ................................................
del /s norton*.* /f /q >>"%USERPROFILE%"\Desktop\NortonLeftOvers.txt
for /d /r %d in (norton*) do rd /s /q "%d"

attrib -h -s -r syman*.* /s /d >"%USERPROFILE%"\Desktop\SymantecLeftOvers.txt
echo .................................................
dir /b /s syman*.* >>"%USERPROFILE%"\Desktop\SymantecLeftOvers.txt
echo ..................................................
del /s syman*.* /f /q >>"%USERPROFILE%"\Desktop\SymantecLeftOvers.txt
for /d /r %d in (syman*) do rd /s /q "%d"
exit
Then open the command prompt and paste directly into the black screen.

Attach the Norton and Symantec files created on the desktop.

Then go here and do everything in this post except the registry editing; we will do that differently and deeper.

http://www.techspot.com/vb/post560473-8.html
Note when you run rnav2003 do all versions but decline to reboot until the last one (no need to reboot 4 times)
----------------------------------------------------------------------------------------------------------------------------------

SYMMSICLEANUP.reg ftp://ftp.symantec.com/public/englis...MSICLEANUP.reg
Save the file to the Windows desktop.
If using Firefox, right-click the following link and then click Save Link As to download the file.

On the Windows desktop, double-click SYMMSICLEANUP.reg,
Click Yes when prompted, and then click OK.

Download RegSeeker http://www.hoverdesk.net/dl/en/RegSeeker.zip

Unzip, install and run.

Click Find in Registry
type
norton
delete all it finds

do same process with Symantec

You are finally clean of Norton/Symantec.

Now post a new HJT log. We may be finished!

Mike

Last edited by mflynn; 12-01-2008 at 02:33 AM..
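The two HJT lines above are removed by hand in HijackThis. The script below is an added example for this thread, not HijackThis code and not something the poster ran: it reads lines in the shape HJT prints ("O<n> - <kind>: <details>") and flags the two cases the post removes, an O3 toolbar whose file is gone and an O16 DPF (ActiveX download) entry that is still registered, reporting the CLSID and, for O16, the host the control would be fetched from. The sample log is constructed: the O3 and O16 lines are the ones quoted in the post, and the O4 ctfmon.exe line is a stock XP entry added only as a benign control.

```python
"""Triage HijackThis (HJT) log lines for orphaned toolbars and DPF entries.

Added example, not part of the thread and not HijackThis code. HJT prints
one entry per line as "O<n> - <kind>: <details>". Two kinds are checked:
an O3 toolbar whose file is gone ("(no file)"), which is an orphaned
registration, and an O16 DPF entry, an ActiveX control still registered
for download from a URL. The sample log below is constructed.
"""
import re
from urllib.parse import urlparse

ENTRY_RE = re.compile(r"^(O\d+) - ([^:]+): (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
URL_RE = re.compile(r"https?://\S+")

# Constructed sample: lines 1 and 3 are the two quoted in the post, line 2
# is a benign stock XP entry added as a control.
SAMPLE_LOG = """\
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
"""


def parse_entry(line):
    """Split one HJT line into (type, kind, details); None for non-entry lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    return m.group(1), m.group(2), m.group(3)


def triage(log_text):
    """Return one finding per O3 orphan or O16 DPF entry, in log order."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        parsed = parse_entry(line)
        if not parsed:
            continue
        etype, kind, details = parsed
        clsid = CLSID_RE.search(details)
        finding = {
            "line": lineno,
            "type": etype,
            "kind": kind,
            "clsid": clsid.group(0).upper() if clsid else None,
            "fix_line": line.strip(),  # the exact line to tick in HJT
        }
        if etype == "O3" and "(no file)" in details:
            finding["reason"] = "toolbar registration points at a missing file"
        elif etype == "O16":
            url = URL_RE.search(details)
            finding["host"] = urlparse(url.group(0)).hostname if url else None
            finding["reason"] = "ActiveX control still registered for download"
        else:
            continue  # everything else is left alone
        findings.append(finding)
    return findings


def main():
    for f in triage(SAMPLE_LOG):
        print(f"line {f['line']}: {f['type']} {f['clsid']} - {f['reason']}")
        print(f"  fix in HJT: {f['fix_line']}")


if __name__ == "__main__":
    main()
```

The O3 rule is a safe one in general: a toolbar CLSID with no file behind it does nothing but is a leftover worth clearing. The O16 rule only reports; whether a DPF entry should go depends on the host (here Symantec's own download server for a product the poster says is gone), so read the host before fixing it.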
  #8  
Old 11-30-2008
Newcomer, in training
 
Member since: Nov 2008, 17 posts
Google Redirect - Fixed

Alright Mike. I tried following your instructions but I did run into problems with the Symantec instructions:

* When running SYMNRT.exe a message is displayed that the tool has expired and cannot run Norton_removal_tool.exe
* Received a download error for SYMMSICLEANUP.reg (using FireFox Save Link As): \englis...MSICLEANUP.reg could not be saved, because the source file could not be read. Couldn't run this.
* Access denied when trying to delete: C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine folder.

I was able to do everything else so here are the files you requested. Let me know what to do next. (BTW I hate Norton and Symantec - I hope I'm rid of it forever).
Attached Files
File Type: txt ComboFix.txt (20.1 KB, 1 views)
File Type: txt NortonLeftOvers.txt (1.2 KB, 3 views)
File Type: txt SymantecLeftOvers.txt (1.2 KB, 1 views)
File Type: log hijackthis.log (9.2 KB, 2 views)
  #9  
Old 11-30-2008
TechSpot Evangelist
 
Location: Lexington NC USA Eastern Time
Member since: Nov 2008, 2,793 posts
Ok good job, Combofix looks good

Download the MSICleanup with Internet Explorer and execute it approve all prompts.

Get the Norton Removal tool from here http://service1.symantec.com/Support...05033108162039

But don't run.

Boot to Safe mode and rerun all the Norton processes again and that should do it.

Boot back to normal mode and send the Norton and Symantec files from the desktop again.

Mike
  #10  
Old 11-30-2008
Newcomer, in training
 
Member since: Nov 2008, 17 posts
Google Redirect - Fixed

Mike,

Where is "Download the MSICleanup"? Do I need to use MS IE or can I use Firefox? I tried downloading MSICleanup before and was unsuccessful. I end up at a Symantec FTP site based on your prior link but then I don't know what to do next.

Forget about this post. I googled it and found the path to the file. I'll run everything and get back to you shortly.

Well I ran the SYMMSICleanup.reg and rebooted to safe mode to do the Norton removal tool and Windows will no longer start.

Error message is: "Windows could not start because the following file is missing or corrupt: \Windows\System32\Config\System. You can attempt to repair this file by starting Windows Setup using the original Setup CD-ROM. Select 'r' at the first screen to start repair."

What next. I'm tired tonight so let me know if you have any suggestions and I'll review tomorrow night. It looks like I need to reload Windows.

Last edited by gmpederson; 11-30-2008 at 09:24 PM.. Reason: Windows Corrupted cannot start
  #11  
Old 12-01-2008
TechSpot Evangelist
 
Location: Lexington NC USA Eastern Time
Member since: Nov 2008, 2,793 posts
Hi GM

That was a bad link, don't know why; I had used it before and tested it when posted.

I have edited and posted a new address.

Do not install, but let us do a Repair/Overlay install.

Boot from your Windows CD and proceed to install. You will get a prompt to hit R to use the Recovery Console. Do not choose that one; continue until Windows finds an existing installation and offers R to repair the existing installation. Choose this R, and from there it will look like a normal install.

The Repair of existing installation will fix only the Windows Folder and keep all your data. Everything should be normal when you get back up.

A link to follow: http://www.techspot.com/vb/topic8356.html

Another one for insight: http://pcsupport.about.com/od/operat...txprepair1.htm

The only issue is your HJT log shows you have SP3. You should use the same SP level you have on the HD.

Did you make a SP3 CD by slipstreaming or install SP3 from downloading the full SP3 or from Windows update.

I am going to assume you only have the SP1 or 2 disk.

So here are the steps to slipstream, from a working computer with a CD burner; this can be done from Vista.
Download Autostreamer http://majorgeeks.com/download4444.html
then
Download the full SP3 package: http://www.microsoft.com/downloads/d...displaylang=en

Once you have both of the above it is simple.

With your older XP CD in the CD drive run AutoStreamer and it will ask for the location of the original Windows install CD any version SP1 Sp2

It will ask for the location of the SP3 file and offer to burn to CD.

Mike

Last edited by mflynn; 12-01-2008 at 07:17 AM..
  #12  
Old 12-01-2008
Newcomer, in training
 
Member since: Nov 2008, 17 posts
Google Redirect - Fixed

Hi Mike,

Windows XP Pro came with the HP computer that's in trouble. I have CDs of all programs loaded on the original computer so I'll have to figure out which ones are the OS with my work laptop. I'm pretty sure it will be SP1 or SP2. SP3 was loaded via Windows Update.

I'll follow your instructions tonight and let you know the results. The OS on my work laptop is XP Pro. The only thing I'm a little confused on is your last statement
"It will ask for the location of the SP3 file and offer to burn to CD." What do you mean by this? I understand now what is meant. The AutoStreamer program will create a new install CD with SP3 on it. So I'll give it a try.

Gary

Last edited by gmpederson; 12-01-2008 at 02:06 PM.. Reason: Question answered
  #13  
Old 12-01-2008
TechSpot Evangelist
 
Location: Lexington NC USA Eastern Time
Member since: Nov 2008, 2,793 posts
Uhh oh sounds like you do not have a Microsoft XP Pro install CD.

The restore disks that come with some of these have been modified and may not produce a usable Slipstreamed CD.

Yet some when booted offer to repair windows while retaining your data. If unsure post names of the disks you have.

Worst case if you can get a successful repair you will need to install SP3 again.

Don't know what happened, but the repair install can, I say can delete some malware but the process needs to be run again.

Sorry late getting back but had to travel to a clients office today. I have a busy day tomorrow but will try to check in.

Mike
  #14  
Old 12-01-2008
Newcomer, in training
 
Member since: Nov 2008, 17 posts
Google Redirect - Fixed

Well here's the sad story.

My HP system recovery disks consist of 8 CDs. I was able to restore Windows with CD #1. When I checked DM/System, XP did not have an SP (i.e. SP=0).

I tried to use Windows Update but ended up in an endless loop of "Files required to use Windows Update are no longer registered or installed on your computer. To continue:

( ) Register or reinstall all the files for me now (Recommended)
or
( ) Let me read about more steps that might be required to solve the problem

The first choice resumes the loop the second choice is an absolute dead end.

My computer is almost 7 years old. What do you think about deep sixing this guy and getting an i7 Core CPU based new computer running Vista Home Premium 64 bit (ugh).

I did download SP3 to my work laptop. Is there any way to use it to update the old beast?

Gary
  #15  
Old 12-02-2008
TechSpot Evangelist
 
Location: Lexington NC USA Eastern Time
Member since: Nov 2008, 2,793 posts
Hi Gary

Sorry so long getting back. Had to leave early and work out of town today.

OK confirm you did a non destructive repair that kept all your data, documents and Email?

Quote:
What do you think about deep sixing this guy and getting an i7 Core CPU based new computer running Vista Home Premium 64 bit (ugh).
Oh yeah! But what to do till then?
----------------------------------------------------------------------------------------------------------------------------------
OK to prep for SP3.

Do the below:

Download Dial-A-Fix (DAF)
http://wiki.djlizard.net/Dial-a-fix#...C_and_articles
http://djlizard.net.nyud.net:8080/so...v0.60.0.24.zip

Have XP CD available in case DAF needs a file.

Check all boxes on the screen (clear any restrictions if it shows any)
Then click GO!

When finished click Flush Software Distribution and answer no.

When the entire page is finished click the HammerHead at bottom to go to the second DAF page.

Here 1 at a time do the below

Reinstall Automatic Updates service
Reinstall BITS
Reinstall Windows Firewall
Repair Permissions
Reset WMI/WBEM

Watch for any File not found or other errors and make note as this may lead to the fix!

Reboot

Run CCleaner Temp and Registry (both until clean); you may get a lot here since we reverted from SP3.

D/L, install and run ATF-Cleaner; clear all except passwords in all browsers you have. Run repeatedly until no more found.

http://www.majorgeeks.com/ATF_Cleaner_d4949.html

Do not try Winupdate until after SP3 if possible.

Now run the SP3 file on your DeskTop. We may need to do a couple more things first but try.

Your Ball!


Mike
  #16  
Old 12-02-2008
Newcomer, in training
 
Member since: Nov 2008, 17 posts
Google Redirect - Fixed

Hi Mike,

Thanks for the reply. I got to thinking about my predicament last night and remembered that I created a full Acronis backup on 10/2/2008 (also have one in 8/08) to an external USB drive. Since I have Windows somewhat functional again, I think I can just restore that image and then run through the cleaning procedures again. I'm pretty sure I was not having the redirection problems until near the end of Oct. What do you think about that plan?

Gary
  #17  
Old 12-02-2008
TechSpot Evangelist
 
Location: Lexington NC USA Eastern Time
Member since: Nov 2008, 2,793 posts
That is good glad you have that backup.

Restore and bring it forward with the scans in this thread afterwards.

Just get any documents, emails, favorites and address books backed up before the restore.

Mike
  #18  
Old 12-03-2008
Newcomer, in training
 
Member since: Nov 2008, 17 posts
Google Redirect - Fixed

Mike....Just an update. I successfully restored the system this morning. I will start Windows update (must be 15 updates since 10/3...insane) and will start the cleaning process tonight. I'll post the logs as soon as I can get everything run. Thanks for hanging in there.

Gary
  #19  
Old 12-03-2008
TechSpot Evangelist
 
Location: Lexington NC USA Eastern Time
Member since: Nov 2008, 2,793 posts
Actually you shouldn't install anything until you are clean.

Malware could cause issues with the updates installing at all or correctly, and they could get infected as soon as they hit the computer!

Mike
  #20  
Old 12-03-2008
Newcomer, in training
 
Member since: Nov 2008, 17 posts
Google Redirect - Fixed

Okay....I'll hold off on Windows Update and just install the 8-Step stuff.

Gary