DSL Modem virus?

Discussion in 'Malware Help (A Specialist Will Reply)' started by imnogoodwithcomputers, Feb 13, 2009.

  1. imnogoodwithcomputers

    imnogoodwithcomputers Private E-2

    I have DSL and I just reformatted my brand new computer due to Virtumonde being on it. My other computer had Virtumonde on it too, and even running all the recommended stuff from here would not completely remove it from either computer. That computer is being reformatted as well, but I didn't have time to wait on getting it back, so I bought a new one. I now believe that my DSL modem may be infected, because I haven't used my new computer for ANYTHING yet other than downloading updates, and it popped up with having Virtumonde on my Spysweeper scan within 2 days of being turned on. Is it possible that I do have an infection on my modem and if so how can I get rid of it? Do I need to get a new modem? My modem is a Westell. Thanks!
     
  2. imnogoodwithcomputers

    imnogoodwithcomputers Private E-2

    Re: Malware and other help needed

    Well after reformatting the new computer and scanning so far with just Spysweeper (paid) it found a Hacktool app/Killit. I also noticed some other people here are having the same problem that I am having with their DSL stopping working after a few hours. Mine does the same thing. I disconnect the ethernet cable and reconnect it and then it starts back working.
     
  3. imnogoodwithcomputers

    imnogoodwithcomputers Private E-2

    Malware on Vista64 that won't die

    Well so far I have tried all of the recommended things that will work for 64. I couldn't run Combofix because it doesn't work with 64, and I bought Malwarebytes, but the realtime protection doesn't work with 64 either. I am currently running Spysweeper (purchased) as the realtime protection with Norton Internet Security Suite. I started off with a different computer that Spysweeper found Virtumonde on. I am getting that computer reformatted. I went ahead and bought a brand new computer, and after turning it on and updating it, I ran Spysweeper and it found Virtumonde on it. I'm afraid that my modem or router may have been infected. I then reverted the new computer back to out of the box status (HP's reformat I guess you call it) and re-updated everything, and ran the sweeps, and it still has malware. This time I didn't use my wireless router, I connected directly to the modem. This time it found a Hacktool called Killit. I re-ran all the recommended things and have the logs. Please let me know if it is OK to attach them. I'm currently running Kaspersky online scanner to see if it picks up anything. With me having 64 what do you recommend for real time protection? Obviously my Spysweeper is seeing it but not stopping it or removing it. I have been working on this thing for days and I'm at my wits' end. I am ready to return it to the store and get another new computer. I also already ordered a new cable modem. Should I revert the new computer back to new before I hook up my new cable modem? Sorry for the wall of text but I really appreciate you guys' help more than I can tell you.

    Edit: After seeing some other posts on here I guess it is OK to go ahead and post the logs. Thanks!
    Edit #2: Kaspersky online scanner wouldn't work. It said Invalid File Signature! I don't know what that meant but do I need to turn something on or off to make it work?
     

    Last edited: Feb 14, 2009
  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Welcome to MajorGeeks.com!

    Please follow the instructions in the READ & RUN ME FIRST link given further down and attach the requested logs when you finish these instructions.
    • If you have problems where no tools seem to run, please try following the steps given below and then continue on no matter what you find. You only need to try the TDSSserv steps if having problems getting scans in the Read & Run Me First.
    • If something does not run, write down the info to explain to us later but keep on going.
    • Do not assume that because one step does not work that they all will not.
    READ & RUN ME FIRST. Malware Removal Guide


    Helpful Notes:

    1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in Safe Mode but make sure you tell us what you did later when you post logs. See below if you do not know how to boot in safe mode:
    2. If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware, Malwarebytes and Spybot ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
    3. To avoid additional delay in getting a response, it is advised that after completing the READ & RUN ME you also read this sticky:
    4. Any additional post is a bump which will add more delay. Once you attach the logs, your thread will be in the work queue and as stated our system works the oldest threads FIRST.
     
  5. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Also, I wanted to add that if your DSL Modem/Router is infected you will need to restore the factory settings and reconfigure for your connection.
     
  6. imnogoodwithcomputers

    imnogoodwithcomputers Private E-2

    I didn't find the TDSSserv.sys file. I have already reset my modem to factory settings (held down on button for 30 seconds) and re-logged in to my DSL. I am re-running all the malware scans right now, as last time they found some things, and I want to be sure they are gone. I am also having an issue that I read that others are having with Youtube videos saying "not available"; some people seem to say it started for them when they installed different spyware or antivirus softwares. I'm wondering if you know which, if any, of the ones I'm using may be causing it? Can you please take a look at my logs? Thanks!
     
    Last edited: Feb 14, 2009
  7. imnogoodwithcomputers

    imnogoodwithcomputers Private E-2

    Sorry for the minor bump, I tried to edit but ran out of time. What do you recommend for realtime protection with Vista64? I bought MalwareBytes, which won't work with 64 for realtime, and I bought Spysweeper which found the malware but couldn't delete it properly. Thanks so much for all the help!
     
  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You can view the thread How to Protect yourself from malware! for a list of programs we recommend.

    Yes, please attach all of the requested logs once you have completed all of the scans.
     
  9. imnogoodwithcomputers

    imnogoodwithcomputers Private E-2

    My logs are posted in this thread a couple of posts up. About the realtime protection, I meant is there a good one that will actually work in realtime on Vista 64 specifically? Thanks!
     
  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    I need a few more logs.

    • ComboFix Log
    • SUPERAntiSpyware Log

    I know Spy Sweeper will work on Vista x64 and I think SUPERAntiSpyware does as well. They both require a subscription before they provide real-time protection.
     
  11. imnogoodwithcomputers

    imnogoodwithcomputers Private E-2

    Like I stated earlier Combofix won't run on 64. Here is the SAS log. All the sweeps that would run that were recommended have obviously not removed something because I am getting constant, and I mean constant, pop ups from Spysweeper telling me various sites' access has been blocked. All the sites it shows look like fake sites that would say they are anti-spyware type sites.
     

  12. imnogoodwithcomputers

    imnogoodwithcomputers Private E-2

    I'm beginning to think Spybot S&D has something to do with the pop ups from Spysweeper. When I ran Spybot, Spysweeper kept popping up and asking me if I wanted to allow Spybot to change my settings for various sites. If I get the disks from HP and just rewrite the computer will I still have issues?
     
  13. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Yes, if you immunize with Spybot, Spy Sweeper will attempt to block it and alert you of the change. It's because of what Spybot is doing, it's adding entries to your HOSTS file, etc.

    Yes, if you format/reinstall but in this case I don't think it's necessary unless you just feel like it.
     
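    The alert described above comes from a shield watching the HOSTS file while an immunize step rewrites it. As an added example (not from this thread or from either product), the script below diffs a HOSTS file before and after such a change and separates blocklist-style additions (hostnames pointed at loopback or 0.0.0.0, which is all an immunize step does) from entries that point a hostname at a routable address, which is the kind of change that deserves a closer look. Both HOSTS samples and all hostnames are constructed.

```python
"""Triage HOSTS-file changes: loopback 'immunization' entries vs. redirects.

Added example for this thread, not code from the forum or any named tool.
The sample HOSTS contents below are constructed; hostnames are placeholders.
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed: a stock HOSTS file, then the same file after an immunize step
# plus one extra line that no blocklist tool would write (a hostname sent to
# a routable address instead of loopback).
HOSTS_BEFORE = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
"""

HOSTS_AFTER = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
# Start of entries inserted by an immunize step (constructed sample)
127.0.0.1 example-adserver.invalid
127.0.0.1 fake-antispyware.invalid
0.0.0.0   tracker.invalid
# End of inserted entries
203.0.113.7 update.example-security.invalid
"""

# Addresses a blocklist uses to sinkhole a hostname on the local machine.
LOOPBACK_OR_NULL = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text: str) -> Dict[str, str]:
    """Map hostname -> address for every active (non-comment) HOSTS line."""
    entries: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments, blank lines
        if not line:
            continue
        parts = line.split()
        addr, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(addr)  # skip malformed lines
        except ValueError:
            continue
        for name in names:
            entries[name.lower()] = addr
    return entries


def classify_changes(before: str, after: str) -> Tuple[List[str], List[str]]:
    """Return (blocklist_style, needs_review) for entries added or changed.

    An immunize step only maps unwanted hosts to loopback/null addresses, so
    those additions are expected. Anything that points a hostname at a
    routable address is what a defender should examine.
    """
    old, new = parse_hosts(before), parse_hosts(after)
    blocklist_style, needs_review = [], []
    for name, addr in new.items():
        if old.get(name) == addr:
            continue  # unchanged entry
        if addr in LOOPBACK_OR_NULL:
            blocklist_style.append(name)
        else:
            needs_review.append(f"{name} -> {addr}")
    return sorted(blocklist_style), sorted(needs_review)


if __name__ == "__main__":
    expected, suspicious = classify_changes(HOSTS_BEFORE, HOSTS_AFTER)
    print("blocklist-style entries:", expected)
    print("entries that need a look:", suspicious)
```

    On a real machine the two inputs would be the HOSTS file contents read before and after the immunize step (on Windows, %SystemRoot%\System32\drivers\etc\hosts).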
  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Step 1:
    Download Pocket KillBox
    • Save it to your desktop or a place easy to find.
    • Do not run it yet
    Step 2:
    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    Again, make sure ALL browser windows are closed when you click FIX.

    Step 3:
    Locate PocketKillbox
    (Proceed with this step even if they do not show in blue)

    Now, Copy and Paste C:\Windows\System32\drivers\gtuy.sys into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your PC to reboot.

    • If you get an error message about Pending Operations, just reboot your computer manually.
    Step 4:
    Finally, run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\MGlogs.zip
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.
     
  15. imnogoodwithcomputers

    imnogoodwithcomputers Private E-2

    Thanks! I'll get back to you!
     
  16. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Np! I would recommend running this ASAP as a reboot can change things sometimes. Just attach new logs once complete.
     
  17. imnogoodwithcomputers

    imnogoodwithcomputers Private E-2

    OK I guess I am going to have to take the machine back to the store and get them (Geek Squad) to work on it. I ended up reformatting the computer again, and I have never hooked it to anything, I just installed Spysweeper (found nothing), then Malware Bytes, and MB found "hijack.displayproperties". Is this actual malware or is a program that is supposed to be on the computer making this show up this way?
     
  18. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    It's possibly a false positive, however if you formatted the partition there shouldn't be anything on there. The only way is if you're using a USB drive and the USB drive is infected.

    If you feel like you need to waste your money on Geek Squad then go ahead. Let me know what you want to do.
     
  19. imnogoodwithcomputers

    imnogoodwithcomputers Private E-2

    After reading on MB's site some, I'm beginning to believe that this was just a false positive. It seems a lot of people with Vista64 on notebooks are experiencing the same issue. I'm still about to rerun all the recommendations and get back to you. Keep fighting the good fight brother!
     
  20. imnogoodwithcomputers

    imnogoodwithcomputers Private E-2

    LOL! I understand about the waste of money. I know some of them have to be OK right? I wish some of the fixes that work for 32 would work for 64. I have fought this thing so long now that it's hard for me to be confident about it being fixed even if the scans come back clean. I haven't connected anything to it whatsoever, and haven't even connected it to the internet, and won't till my new modem arrives. Do you know if MalwareBytes plans on releasing a patch for the program to work for 64? Thanks!
     
  21. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    This is something you will have to contact them about.

    If you formatted, there is no need to run the procedures again.

    Honestly...no!:)
     
  22. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Attach the log from MBAM so I can see what is being detected.
     
  23. imnogoodwithcomputers

    imnogoodwithcomputers Private E-2

    I would think that too, except I started off with a brand new computer with malware (somehow, modem I guess) and then have reformatted, had malware again, then reformatted, and not reconnected to the modem and so far so good other than the possible false positive. I know one thing, I'm getting an education!
     
  24. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Attach the log so I can confirm. You can't believe everything you see in the logs of these programs, that's why we request them and read the results.
     
  25. imnogoodwithcomputers

    imnogoodwithcomputers Private E-2

    I'm working on it right now!
     
  26. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Okay! Attach whatever is showing the detections after a format.
     
  27. imnogoodwithcomputers

    imnogoodwithcomputers Private E-2

    Nevermind. Working on it
     
  28. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    I only want to see the logs that detected something, the detections you were talking about. Like I have said before, there will be no infections if you have formatted.
     
  29. imnogoodwithcomputers

    imnogoodwithcomputers Private E-2

    OK it didn't show up in blue, but I rebooted anyway. My concern about the reformatting not getting it all is that I am reformatting from the files stored on the computer itself, not from a disk. I don't have backup disks because my computer was infected before I could make them. When I get my new modem should I have AT&T reset my password before I install it? Will I automatically get a different IP? I never requested a static one. I'm worried about someone trying to hack my new modem, or my computer again. Why do people have to be so malicious? Like life isn't hard enough as it is.
     
  30. imnogoodwithcomputers

    imnogoodwithcomputers Private E-2

    Could the backup files stored on the hard drive, or the BIOS or memory be storing the crap? It has a partition I guess, that is D.
     
    Last edited: Feb 16, 2009
  31. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Okay, that may be your problem. If your system files are infected then doing a restore from them would therefore reinfect you. I would recommend getting a disc and restore from it as you will be getting fresh clean files.

    Also, I don't think you need a new modem because if you restore to factory settings then everything is defaulted meaning any infections are removed.
     
  32. imnogoodwithcomputers

    imnogoodwithcomputers Private E-2

    Well I returned it back to factory settings with a disk, and returned it to the store. I didn't even set the computer back up again to see if it was still infected. They said they will take care of it so, I guess that is that. I also got a new modem. I'll hook up my new notebook and new modem at the same time tomorrow, after I pick the new computer up. Do you think I should call the DSL co. and have my password and settings reset before I hook up the new stuff? I'm beginning to believe that I may have been getting false positives. I'm 99% sure the desktop deal was a false positive, that others with Vista 64 on a notebook have had, and I couldn't find any reliable information on the hacktools app/killit-A either. Have you or has anyone here ever heard of that? Thanks!
     
  33. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You should be able to change your password yourself instead of calling your ISP.

    To prevent future infections I would recommend running the below thread.

    How to Protect yourself from malware!
     
  34. imnogoodwithcomputers

    imnogoodwithcomputers Private E-2

    Well I just set up the new computer, new modem, and updated Windows, Norton, and Spysweeper. Did not install ANY software other than Spysweeper this time, and guess what? Spysweeper found the same exact thing on a brand new computer. I'm beginning to believe this has to be a false positive, unless someone is hacking me the instant I get online, or the virus is in my USB wireless mouse LOL. I have searched around the net, and it seems only Spysweeper finds this. It is the Hacktools App/Killit-A. Is there someone that can help us with a definitive answer as to exactly what this is?
     
  35. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    If you would attach the log I could tell you, but you haven't attached it yet. I want to see exactly what SS is detecting.
     
  36. imnogoodwithcomputers

    imnogoodwithcomputers Private E-2

    Here is the Spysweeper log. Thanks!
     

  37. imnogoodwithcomputers

    imnogoodwithcomputers Private E-2

    Can you please delete all my logs from these posts after you are done with them? I have no clue, but I'm just worried about security risks of having the information posted in public. I'm sure it's safe or you guys wouldn't do it, but I would feel better all the same. Thanks for all your help!
     
  38. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Sure! Also, FYI, this is a false positive, don't worry about it.:)
     
  39. imnogoodwithcomputers

    imnogoodwithcomputers Private E-2

    Thanks! It was also verified to be a false positive by GS, when they unpacked 2 brand new notebooks and installed SpySweeper AV and they both came up with it too. Thanks for all the time and help. I guess you can delete the logs now. Thanks!
     
  40. imnogoodwithcomputers

    imnogoodwithcomputers Private E-2

    Well how do you like this? I have Virtumonde again according to SpySweeper. How am I getting this so easy and fast? I have only been to a car forum that is well known that no one else has complained about getting anything, Youtube, Google, Google Image, Google Maps, weather.com, CCleaner's site, HP, Cisco, and here. Spysweeper immediately started quarantining Virtumonde when I started running CCleaner.
     
  41. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You need to understand that malware is everywhere on the internet. You must have an up-to-date antivirus, antispyware and firewall installed. You must also have a fully up-to-date OS with the latest version of the browser you're using with all updated plugins such as the latest version of Java.

    The most important part of staying clean is surfing the internet wisely, knowing where to go and where not to go.

    Attach the log from SS so I can see what's being detected.
     
  42. imnogoodwithcomputers

    imnogoodwithcomputers Private E-2

    LOL! I have all that stuff! Here is the log. It doesn't have breakdowns of what it showed in the quarantine panel, it just shows Virtumonde version 1. There is something more to this. These are false positives, or something I am downloading like CCleaner is triggering it. This is happening too fast and too easy. I have never had a malware problem before. I don't do any funny stuff on the computer whatsoever, no P2P, no bad sites, no bad software. Once again, I appreciate all the help.
     

  43. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    It looks like the shield blocked it? Are you having any problems? It doesn't appear you're infected, it appears it was blocked/deleted before it had time to infect you.
     
  44. imnogoodwithcomputers

    imnogoodwithcomputers Private E-2

    BAM! Just installed CCleaner on my other machine and as soon as I clicked for it to run its cleaning cycle, Spy Sweeper popped up Virtumonde! All the exact files it showed on this machine: ircb-adk.ide.zip, fakea-ju.ide.zip, bho.jz.ide.zip, adcli.fi.ide.zip. I have been to no sites other than MG on that machine since setting it up brand new. It was set up at the store where it was purchased and all the updates were downloaded there and no other sites were visited, and no other software installed. What is the deal???!!!!
     
    Last edited: Feb 22, 2009
  45. imnogoodwithcomputers

    imnogoodwithcomputers Private E-2

    From day one with all this stuff, I have never had symptom 1. Not 1. The only issues I have had were from one of the recommended softwares blocking out Youtube, making it show "video no longer available" (most likely SUPERAntiSpyware) and from another one making Spysweeper show a ton of times that it was blocking some other program from accessing known trouble sites (most likely SpyBot). Please let me know what you need me to do to either machine as far as logs, scans, etc. I have been using CCleaner for a long time on several different machines, but never had this issue. Do you think it may be due to my OS, or something? I had SS show Virtumonde on Vista32 at the beginning of all this. I ended up buying 2 new computers this time so I could have one as a backup. My old machine will end up getting used by my son. On a side note what do you recommend for parental control software?
     
    Last edited: Feb 22, 2009
  46. imnogoodwithcomputers

    imnogoodwithcomputers Private E-2

    I'll check back here in the morning. I have to get some sleep. You guys really are saints for giving so much of your time to help other people. I know what it's like a little, I moderate on an automotive forum. Thanks!
     
  47. imnogoodwithcomputers

    imnogoodwithcomputers Private E-2

    Malwarebytes found more. Also I believe that something in MGTools is what was causing the Youtube error. I haven't installed it yet and Youtube is still working.
     

  48. imnogoodwithcomputers

    imnogoodwithcomputers Private E-2

    Here is the latest SpySweeper log. I still have had no symptoms. Are these all just false positives? Are any of the owners or mods or admins here running the combination of CCleaner and Webroot Antivirus with anti-spyware? I would like to know if I am the only person with this combination that keeps getting these things that look like false positives. Today after a little surfing I go to run CCleaner and Webroot pops up showing it quarantined Virtumonde, 5 instances as follows: moderator[1].htm, mail[2], forumdisplay[1].htm, user16751_pic1004_12345659[1].jpg, 173[1].jpg. The only common thing I see in all of these is the brackets. I'm posting the SS log but I know it won't really help. Thanks!
     
  49. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    It appears SS is having issues with false positives.

    Where are these files located?
     
  50. imnogoodwithcomputers

    imnogoodwithcomputers Private E-2

    I totally forgot to post that they are in the Temporary Internet Files, and as CCleaner deletes them I get the warnings from SpySweeper.
     