Win32.TDSS Trojans! PLEASE HELP!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Nishant5456, Jan 26, 2010.

  1. Nishant5456

    Nishant5456 Private E-2

    Hey
    I'm new to Major Geeks but I joined because I see a lot of people's problems being solved. So I would please like it if anyone can help me here.
    My problem is that I have the Win32.TDSS Trojans. :cry
    I have used programs like SUPERantispyware and Spybot Search and Destroy.
    I cannot update any of them because of the Trojans. I can't even run it! Well, unless I rename it, which I have already done.
    SUPERantispyware does not get anything except cookies.
    But Spybot always finds the Win32.TDSS Trojans. It removes them, but after a reboot they come back for some reason.
    This is what Spybot picks up on:

    Fraud.AntiMalware-1 entry Malware
    Microsoft.WindowsSecurityCenter_disabled- 1 entry Security
    Win32.TDSS.reg- 4 entries TrojansC
    Win32.TDSS.rtk- 9 entries TrojansC

    I would really like it if anyone can help. Also let me know about anything I need to do. Also some of the websites are blocked, like Yahoo Answers and BleepingComputer. :cry

    So I came here! PLEASE PLEASE HELP ME! I would not like to reformat since I have family pictures and other stuff. Also this IS a family computer so I would like this fixed ASAP.

    P.S. I have said this before but I will say it again! I cannot update anything! :cry

    Please Help ASAP.
     
  2. Nishant5456

    Nishant5456 Private E-2

    Guys I also get Redirected to random search websites. :(

    I cannot post any logs since I cannot update anything like SUPERAntiSpyware or Spybot Search & Destroy. Malwarebytes Anti-Malware was working before but it would not update, so I tried a manual update, but now I keep getting Error 732 as soon as I start it.

    Please help me! I searched the internet for ways to remove Win32.TDSS.rtk but most of the websites ask me to buy their software. :(

    If I need to post any logs such as HJT or any other information please let me know I would really like this thing to go away.
     
  3. Nishant5456

    Nishant5456 Private E-2

    Any idea how to solve this? Please, I read the READ & RUN ME thread but did not download anything since I'm not sure if I should. Please let me know what to do. Also the Win32.TDSS things all have H8SRT files. So if that can help, please let me know.
     
  4. Nishant5456

    Nishant5456 Private E-2

    Clean or Still Infected?

    Hi guys! Well, I did not get any replies on my other thread, in which I said that I had a Win32.TDSS.rtk (Rootkit) trojan. I couldn't run any programs like MalwareBytes Anti-Malware. So I reinstalled SUPERAntiSpyware Free Edition. Then I renamed the SUPERAntiSpyware.exe to SAS.exe. This allowed me to run it. :)
    I updated it and ran it, and it found both the Rootkit and the Trojans which I had :) . The Internet seems to run way faster and I am not getting redirected anymore. I just wanna make sure I am clean. I'm gonna run a MalwareBytes Anti-Malware scan. I just made a fresh HJT log and I would like someone to see my SUPERAntiSpyware log as well.

    All is attached! :) Thanks a lot to chaslang for the renaming tip ;) !
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    You should have read the sticky/pinned threads since you are causing yourself additional delay by adding unnecessary posts instead of waiting your turn in the queue. See: Don't Bump! It Only Hurts You!!!

    Your second thread was deleted since it is a dupe and it wasn't going to get answered before your first thread anyway.


    Also you should have run the READ & RUN ME FIRST cleaning process as required; however do the below.



    Go to TDSSKiller and Download TDSSKiller.zip to your Desktop
    • Extract its contents to your Desktop so that you have TDSSKiller.exe directly on your Desktop and not in any subfolder of the Desktop.
    • Click Start > Run and copy/paste the following bold command into Run box and hit Enter.
    "%userprofile%\Desktop\TDSSKiller.exe" -v
    • Follow the instructions to type in "delete" when it asks you what to do when it finds something.
    • When done, a log file should be created on your C: drive named something like TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt which is based on the program version # and date and time run. Please attach this log to your next reply. (See: HOW TO: Attach Items To Your Post )
     
  6. Nishant5456

    Nishant5456 Private E-2

    Hey first of all I got rid of the Rootkit virus using SUPERAntiSpyware and MalwareBytes Anti-Malware. I also got rid of this thing called Fraud.AntiMalware using Spybot S&D and CCleaner. But even though I got rid of that stuff I still have these 2 files:

    C:\Documents and Settings\All Users\Application Data\h8srtmainqt.dll
    C:\Documents and Settings\All Users\Application Data\h8srtkrl32mainweq.dll

    They were found while I was just checking all of the Documents and Settings folder. This was not found by any programs. Should I delete it manually or should I use a program?

    But I ran TDSS Remover and it finished in about 2 seconds. I'm not sure if this is normal. I have attached the SUPERAntiSpyware Log, MalwareBytes Anti-Malware Log, a fresh HJT Log and the TDSS Killer Log. Please check if I am still infected or not. Also let me know about the two h8srt dlls I have told you about.

    Thanks in advance!

    Um I can't attach my SUPERAntiSpyware log. It says that I already attached it in another post. (http://forums.majorgeeks.com/showthread.php?t=209133)
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please remember to stay in one thread.

    Also please only follow the instructions given. Run only what we request. We did not ask for nor do we need a HijackThis log. You need to finish running things in the READ & RUN ME sticky thread. You need to run ComboFix, RootRepeal and MGtools and attach the requested logs. See the cleaning procedure part of the below sticky:

    READ & RUN ME FIRST. Malware Removal Guide
     
  8. Nishant5456

    Nishant5456 Private E-2

    Hey! Sorry for the thread thing.

    I ran RootRepeal and I did what it said. After I clicked "Scan" on the "Files" Tab I guess it did a scan, but I really don't know since nothing showed up in the box. But I attached the log anyway. MGtools ran smoothly and I got the logs. Also AVG is acting weird. When I opened it today it says No Active Components. This seems weird because AVG was working fine the day before. Also, do I HAVE to run Combofix? Because there have been a lot of issues saying that it has wiped out their important files or wiped out other files. I just don't wanna risk my computer. If I HAVE to run it, please let me know.

    Thanks In Advance!
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The problems with ComboFix were resolved last Sunday night. We would not be asking you to run it if there were still problems.

    There are no malware problems showing in any of your logs other than "Messenger Plus! Live" which we consider unsafe as stated in the READ & RUN ME.

    Are you actually still having malware problems? If yes, what exactly are they?

    If you had run ComboFix, it most likely would have removed the below files you complained about, but you can delete them yourself if they let you delete them:
    C:\Documents and Settings\All Users\Application Data\h8srtmainqt.dll
    C:\Documents and Settings\All Users\Application Data\h8srtkrl32mainweq.dll
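As an added example, not part of this thread and not code from MajorGeeks, TDSSKiller, ComboFix or MGtools: a PowerShell script that inventories files with the h8srt prefix chaslang and Nishant5456 refer to above before they are deleted by hand. It records size, attributes, timestamp and SHA-256 for each hit and checks whether any running process still has the DLL loaded, which is the usual reason a manual delete of such a file fails or the file reappears. It assumes the Windows XP folder layout used in the thread (resolved through $env:ALLUSERSPROFILE) and a PowerShell 2.0 runtime, so it avoids Get-FileHash and the -File switch; the prefix list and the report file name are constructed for this example.

```powershell
# Added example for this thread; not code from MajorGeeks or any tool named in it.
# Records what the suspect h8srt* files are, and whether a process still has them
# loaded, so the findings can be attached to a reply before anything is deleted.
# Assumptions: XP folder layout, PowerShell 2.0; prefixes and report path are constructed.

$prefixes   = @('h8srt')                                                # name prefix seen in the thread
$folder     = Join-Path $env:ALLUSERSPROFILE 'Application Data'         # C:\Documents and Settings\All Users\Application Data on XP
$reportPath = Join-Path $env:USERPROFILE 'Desktop\h8srt_inventory.txt'  # constructed output location

if (-not (Test-Path -LiteralPath $folder)) {
    Write-Warning "Folder not found: $folder"
    return
}

# Map of every DLL path currently loaded by any process -> owning PID.
# Protected processes deny access to their module list; that is expected and skipped.
$loadedModules = @{}
foreach ($p in Get-Process) {
    try {
        foreach ($m in $p.Modules) { $loadedModules[$m.FileName.ToLower()] = $p.Id }
    } catch { }
}

$sha256 = [System.Security.Cryptography.SHA256]::Create()

function Get-FileSha256([string]$path) {
    # Open with read/write sharing so a file held open by another process can still be hashed.
    $stream = [System.IO.File]::Open($path, 'Open', 'Read', 'ReadWrite')
    try {
        return ($sha256.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join ''
    } finally {
        $stream.Close()
    }
}

# -Force includes hidden and system files, attributes that droppers commonly set on themselves.
$hits = Get-ChildItem -LiteralPath $folder -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object {
        if ($_.PSIsContainer) { return $false }
        $name = $_.Name.ToLower()
        @($prefixes | Where-Object { $name.StartsWith($_) }).Count -gt 0
    }

$report = foreach ($f in $hits) {
    $hash = 'unreadable'
    try { $hash = Get-FileSha256 $f.FullName } catch { $hash = "unreadable: $($_.Exception.Message)" }

    $owner = $loadedModules[$f.FullName.ToLower()]
    if (-not $owner) { $owner = '-' }   # '-' means no running process has this DLL mapped

    New-Object PSObject -Property @{
        Name        = $f.Name
        Path        = $f.FullName
        Bytes       = $f.Length
        Attributes  = $f.Attributes.ToString()
        LastWrite   = $f.LastWriteTime
        SHA256      = $hash
        LoadedByPID = $owner
    }
}

$sha256.Clear()

if (-not $report) {
    "No files starting with '$($prefixes -join ', ')' found under $folder" | Tee-Object -FilePath $reportPath
} else {
    $report | Format-List | Out-String | Tee-Object -FilePath $reportPath
}
```

Run it from a normal PowerShell prompt; the same text that appears on screen is written to the report file on the Desktop so it can be attached to a reply. A non-dash value in LoadedByPID means the file is still active in that process, and the hash gives a stable identifier for the sample that does not depend on its (randomised) file name.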
     
  10. Nishant5456

    Nishant5456 Private E-2

    Ok Thanx!
    I already deleted the files, but how do I remove Messenger Plus! Live? And how is it unsafe? It's an add-on for Windows Live Messenger.
    Please let me know.
    Also, every time I shut down my computer there is always 1 Update. I don't know what it is but it just comes there EVERY shutdown. Is it the malware? If so, let me know please.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes we know what it is and we know that lots of people use it. It is unsafe due to the practices of having sponsor programs that install by default unless you are sure to tell them not to install. These sponsor programs install malware. Many thousands of PCs have been unknowingly infected by this program when people did not read the license agreement. While the program itself "may be fine", the problems that this program has caused for malware fighters for many years have given it a bad reputation in our eyes and we consider it unsafe for those reasons. It's up to you in the end, but just be very aware that if you are not careful with installing and updating this program, you could infect yourself. To remove it, you would just uninstall it.

    Problems with Windows Update should be posted in the Software Forum, but what I suggest that you do is go to Windows Update yourself and see if you can figure out which update is not installing.


    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required.
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: the space between combofix" and /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis.
    7. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    8. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 6 of the READ ME for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
