Browser/Connection still hijacked after trojan attack

By eamoniski ยท 7 replies
Nov 9, 2008
  1. Hello everyone,

    First of all, thank you for taking the time to read this fairly typical cry for help. Yesterday morning, my computer was attacked by a really nasty trojan or suite of trojans related to the Antivirus 2009 fraud... after 12 hours of running numerous antispyware programs and doing the typical fixes, I have my computer "mostly" back to normal, but my browsers still get redirected if I use Google and Spybot Search and Destroy is unable to install because it can't connect to the server it needs and AVG can't download any updates... Safari seems to be less affected than the others (I also have and use IE and Firefox), but it is nonetheless affected; for example, I was unable to download the most recent version of Hijackthis because no matter what I do, I'm not allowed to browse any source for it. Firefox is virtually useless, and IE refuses to let me do anything out of concern for my security (wow, thanks!). Some other internet programs work normally (Skype, MSN/Windows Live Messenger...)

    For what it's worth, some of the fun programs it installed were called brastk.exe and mkrnl.exe along with scntqtdl.exe and rjwnw64s.exe and numerous other nuisances. I seem to have successfully uninstalled all of that and regained most of the normalcy except for the browser problem... I've done all of the suggested CoolWWWSearch.Smartsearch solutions, but none of that seems to be the problem. CWShredder, for example, finds nothing wrong.

    I've attached my Hijackthis log, and if someone can take a look at it and give some advice, I'd be eternally grateful. I'm at my wits end and I have a lot of work to try to accomplish before tomorrow and lost a whole day screwing around with this thing...

    Thanks again,
  2. mflynn

    mflynn TS Rookie Posts: 2,655

    Hello eamoniski

    Welcome aboard!

    Reboot clean run no other Apps.

    Go here and do all 8 Steps carefully and completely!
    The 8 steps:

    Attach all the logs.

    Then Reboot to Safe Mode only (not with networking) and run MalwareBytes and SAS Full Scans again until they either come up clean or find something they can not clean.

    Then reboot back to normal and attach yet another HJT log.


    EDIT: Uninstall your old HJT when I saw it was old I did not even read it.
  3. eamoniski

    eamoniski TS Rookie Topic Starter

    Hi Mike, thank you so much for your help and quick reply.

    I've followed the 8 steps. I attach here a new HijackThis log; I had to use another computer to download the latest version because my browsers wouldn't let me. This log is, in fact, from the latest version.

    Antivir PE, SuperAntiSpyware and Malwarebytes all only found a handful of things each; I paste their findings below rather than upload so many files. I hope this is okay.

    I will now continue with your instructions, rebooting in safe mode and re-running Malwarebytes and SAS. I will then upload another HJT log.

    Thank you again!

    Avira AntiVir:

    C:\WINDOWS\system32\mlJAtQIC.dll BDS/Agent.tlr.2
    C:\WINDOWS\system32\vtUlJdBs.dll BDS/Agent.tlr
    C:\WINDOWS\system32\wvUmkjJc.dll BDS/Agent.tlr.2
    C:\WINDWOS\system32\svm\crten4li.exe TR/Crypt.XPACK.Gen
    HTML/Infected.WebPage.Gen HTML script virus

    Malewarebytes' Anti-Malware:

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.



    Adware.Vundo Variant/Rel


    Adware.Vundo Variant


    Trojan.Unknown Origin
  4. eamoniski

    eamoniski TS Rookie Topic Starter

    Hello again, I did full scans again with Malwarebytes and SAS. SAS didn't find anything, but Malware bytes found the following (again):

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> No action taken.

    After having Malwarebytes remove these, I then ran HijackThis. The new HJT log is attached to this message.

    Thanks again for your time!
  5. mflynn

    mflynn TS Rookie Posts: 2,655

    Hi eamoniski

    Sorry I missed your reply somehow.

    I wanted all the logs not just the HJT log.

    But OK do this.

    Run HJT Scan only and select the below and remove.

    O4 - HKCU\..\Run: [SpywareStop] C:\Program Files\SpywareStop\SpywareStop.exe -boot
    O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
    O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE}
    O20 - Winlogon Notify: c0087e89 - C:\WINDOWS\SYSTEM32\c0087E89.mat
    Note a couple of these will not go under normal circumstances so no problem

    In Add/Remove unistall SpywareStop a Rogue and RAMASST (not a baddie but useless)


    Update and run both MWBAM and SAS again until the both come up clean or finds something it cannot clean. If either do find something they cannot remove then boot to Safe Mode and try there,

    Then boot back to normal and immediately run HJT and post a new log.

    Other things we will address later is you having 2 full fledges active online Virus scanners.

  6. eamoniski

    eamoniski TS Rookie Topic Starter

    Hi again Mike, I can't thank you enough for your continued help and patience. I followed those steps as directed and new logs for Malwarebytes and HJT are attached. SUPERAntiSpyware did not find anything. Malwarebytes found the same two registry keys related to "tdss (Trojan.Agent)" that it removed last time.

  7. mflynn

    mflynn TS Rookie Posts: 2,655

    No my friend it could not clean it last time but did this time you are clean!

    The following is some cleanup and tweaking to finish up.
    The Malware is saved in your System Restore so we need to clean that

    Start-Programs-Accessories-System Tools-Disk Cleanup
    Click OK to accept C:
    Select all Boxes
    Then click More Options
    Here click System Restore and OK to "Are you sure" and the OK to Run.

    As this runs it clears all but the most recent Restore Point but it does one other thing that can contain infested files and a huge amount of disk space.

    It clears what is known as Shadow copies which are used by specialized back up programs. Note: if you minimize now go to My Computer and note the free space and check this again after the run you will be able to see the likely large difference.

    This is if you have the Volume Shadow Copy running which is the default.

    Start-Programs-Accessories-System Tools-Disk- System Restore and create a new Restore point. Name it "After cleanup at TechSpot".

    Once the new Restore point is made run the Disk Cleanup again and it will then only leave the clean "After cleanup at TechSpot" point!

    Run CCleaner again, twice then on left click Registry then Scan for issues backup save and clean. Repeat until no more found.

    Cleanup old Java and update to newest version this program will do it all for you.

    Download JavaRa

    Unzip it, run it, to update chose Jucheck (Suns updater) first, and if you do not have Jucheck then chose Update using Sun.

    After update chose Cleanup old versions. Give it a minute and after it pops up the log file you will see what it removed.

    Then click "Additional tasks" and check "remove Useless JRE files and Remove JavaRa log files.

    After that run Search for Updates again to confirm you are up to date.
    After that run remove older versions again. This time the Log file should be empty.

    Some redundant Registry protection (optional but if System restore gets Whacked can be a life saver) you would be surprised how often there are no restore points when needed or the Point will not restore.

    Add a redundent Reg backup, get and install ERUNT let it add itself to startup and do a backup on install check all boxes.

    Yes! Even if you use system restore and other backups Registry and Images.

    D/L install and run ATF-Cleaner clear all except passwords in all browsers you have. Run repeatedly until no more found.

    Run OTScanit and chose Cleanup.
    This will remove it and some other repair tools (those that we used that need to be updated before running again later) from your HD

    To Remove SDFix boot to Safe Mode and delete the SDFix folder.
    In closing You should uninstall one of the Virus scanners Avg or Avira it is not a good thing to have 2 major competing online Virus scanners it can actually lower your protection.

    After one of them is uninstalled you can add ThreatFire 4.0

    ThreatFire was designed to co-exist with other Virus Scanners and operates on a threat activity recognition instead of definitions like other Virus scanners.

    It works differently also in that it prompts for approval like say a FireWall or Windows Defender and asks for Approval and if to remember the approval. So for a day or so it will ask about certain programs for you to approve or block.

    After all this disk cleanup a Defrag is in order.

    Glad we could help give us some feed back in a day or so of computer use.

    You did a fantasic job.

    Thank you

  8. eamoniski

    eamoniski TS Rookie Topic Starter

    Hi Mike,

    Sorry for the lateness, but I just wanted to thank you so much for your help. Everything seems to be just fine, in fact it is (predictably) working better than before.

    Thanks again. I truly appreciate it!
Topic Status:
Not open for further replies.

Similar Topics

Add your comment to this article

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...