Worm_downad.a

Status
Not open for further replies.
I was directed here to start a thread regarding my issue.

This morning when I turned on the pc, TrendMicro popped up saying I needed to reboot to get rid of this trojan. I did that.

Then about 1 hr. later I noticed that my pc was running at 52% and I didn't have anything open. I tried to update Trend again and could not get to the site. I tried other antivirus sites, all blocked.

I found this site and proceeded to do the 8 steps, but to no avail. I did manage to get MBAM. I ran that and it found several. It cleaned them. It said it needed to reboot to finish deleting the files. I had already turned system restore off.

I rebooted and once again tried to get to Trend...could not. I did manage to get the manual removal from Trend through someone else.

When I looked up the files, they were not on my pc.

Then I came back here and found that I had a reply. I was given a link to this:
How to Disable ‘tdssserv.sys’ Trojan Identified With Update Failure and Redirected Searches.

I did what it said, but the file did not exist.

Can anyone help?
 
I was up till 4:30am with this.

This is what I have done so far:

I was able to download AVAST, MBAM and SAS through download.com. Deleted files as it said. Logs attached.

Start in safe mode with networking. I was able to get to TREND and used HOUSE CALL.
In the middle of the scan, I was unable to get to support or info regarding this trojan. HOUSE CALL did find 2: Worm_download.A and a file in system32 called X. It deleted both. Still could not update.

I went to another pc and was able to get solution for this trojan and followed all it said. Rebooted and still cannot get to any anti-virus site :(

I will upload hijack this next. I am tired.

I tried to edit the other post to put in the 2nd SAS but it wouldn't allow me.

2nd SAS log
HJT log
 
Another member gave us feedback about his case - re-installed the firewall & adjusted some settings.

Like that case, the infection on your computer appears to be handled. Quick scans disable the threats; Full scan cleans files / folders.

zroni99 Fixed Back on online >> will give you an idea what he went through.
 
Where do you want to push on this problem? Test the firewall later with numeric URL in place of text URL. Test with direct manual entry.

Here is a stronger scanner -
Please run ComboFix & HJT. ComboFix cleans & provides diagnostic information that is used to find enabling infections that remain, or just residue. As with most scans, the repeat scan looks for any infection that is now unmasked, or confirms a clean run. Always assess if symptoms remain.

Supporting information

Please see this for instructions:
Temporarily Disable Real Time Monitoring Programs
  1. Spybot S&D (Teatimer)
  2. Ad-Aware Ad-Watch
  3. Spywareguard
  4. Windows Defender
  5. TrojanHunter Guard
  6. Disable SpySweeper
  7. WinPatrol
  8. CounterSpy
  9. AVG Anti-Spyware (formerly ewido)
  10. Spyware Doctor
  11. Prevx
  12. ProcessGuard
  13. ZoneAlarm's OS Firewall
  14. Ad-Aware 2007 Service
 
Oh! I think I understand it now. TY is bidding a farewell.

My meaning is that the exploit to frustrate reaching anti-malware sites is not understood by me at this time. Re-installing the FW was considering the possibility that the infection compromised the firewall by inserting new security policies. After raising concerns, Combo_fix was suggested as a way to check that possibility, but not always effective as evident in the cited case.
 
A laptop user has brought the same worm into my network. I am still working on getting it off the servers and clients. But as for internet access to all of the Anti-virus websites and Windows update, if you disable the DNS Client in Services, you will be able to get to all sites again.

To get to services, go to Start/Run, type in services.msc, then hit OK. Look for DNS Client and stop it. This will allow you to get all Windows Updates and TrendMicro updates. You can leave DNS Client disabled; it is only there to help have less traffic over the network.

But from my experience it causes more problems.
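An added diagnostic (not from anyone in this thread) that ties the two suggestions above together: it reports the state of the DNS Client service and, for each update site, checks whether the name resolves at all, whether it resolves somewhere suspicious, and whether the host answers by numeric address, so you can tell a name-resolution problem from a firewall/network block. The hostnames are placeholders to replace with your own vendor's update hosts.

```powershell
# Added example, not from this thread. Distinguishes "anti-virus sites blocked
# by name resolution" from "blocked on the network" (the numeric-URL test).
# $Targets are placeholder names; replace with your vendor's update hosts.
$Targets = @('windowsupdate.microsoft.com', 'update.example-av.invalid')
$Port    = 80

function Test-TcpConnect {
    param([string]$Address, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Address, $Port, $null, $null)
        # 3 s timeout so a silently dropped connection does not hang the check
        if (-not $async.AsyncWaitHandle.WaitOne(3000)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false } finally { $client.Close() }
}

function Test-SuspiciousAddress {
    param([System.Net.IPAddress]$Ip)
    # A public update host resolving to loopback or a private range means the
    # answer is being redirected, not served by the real resolver.
    $b = $Ip.GetAddressBytes()
    return ([System.Net.IPAddress]::IsLoopback($Ip) -or $b[0] -eq 10 -or
            ($b[0] -eq 192 -and $b[1] -eq 168) -or
            ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31))
}

$svc = Get-Service -Name Dnscache -ErrorAction SilentlyContinue
"DNS Client (Dnscache) service: $($svc.Status)"

foreach ($h in $Targets) {
    try {
        $ips = [System.Net.Dns]::GetHostAddresses($h) |
               Where-Object { $_.AddressFamily -eq 'InterNetwork' }
    } catch {
        "$h : does not resolve -> resolution failure; retest with DNS Client stopped"
        continue
    }
    $ip = $ips[0]
    if (Test-SuspiciousAddress -Ip $ip) {
        "$h : resolves to $ip (loopback/private) -> redirected answer"
        continue
    }
    if (Test-TcpConnect -Address $ip.IPAddressToString -Port $Port) {
        "$h : resolves to $ip and answers on port $Port -> reachable"
    } else {
        "$h : resolves to $ip but no connection on port $Port -> network/firewall block, not DNS"
    }
}
```

Run it once before and once after stopping the DNS Client service; if the "does not resolve" lines disappear on the second run, the block is in the local resolver path rather than on the network.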
 