program blocking, popups, admin right removed

Discussion in 'Malware Help (A Specialist Will Reply)' started by pjw, Dec 29, 2008.

  1. pjw

    pjw Private E-2

    Hi everyone, I'm Donna :D:D

    I have gone through the 'what to do first' thread, and I can't get anything running. I know this is generally frowned upon, but I really can't get things working. Programs cannot connect to the net except for Opera on my PC.

    Symptoms are:

    unable to change hidden/unhidden files
    unable to use regedit
    unable to run most .exes
    messages saying 'your computer has been infected with a regenerative trojan horse virus which could cause a total system crash. click here to remove it'
    popups for spyware sites

    I use NOD32, which first alerted me to the problem by posting this:

    Address has been blocked.

    URL: yourblognews.net/tdss/crcmds/main
    IP: 64.69.33.140:80


    Since then, when I Google anything it takes over the results. I can run regedit in safe mode and have cleaned the registry using CCleaner.

    I did get a program called Avenger running, which came up with this:

    Logfile of The Avenger Version 2.0, (c) by Swandog46
    http://swandog46.geekstogo.com

    Platform: Windows XP

    *******************

    Script file opened successfully.
    Script file read successfully.

    Backups directory opened successfully at C:\Avenger

    *******************

    Beginning to process script file:

    Rootkit scan active.

    Hidden driver "TDSSserv.sys" found!
    ImagePath: \systemroot\system32\drivers\TDSSmaxt.sys
    Start Type: 1 (System)

    Rootkit scan completed.


    Completed script processing.

    *******************

    Finished! Terminate.


    But the above file is not there in safe mode, I can't access it in normal mode, and I can't even delete it through DOS as I get access denied.

    The only program I have found to work and produce a logfile is Random's System Information Tool 1.05 (written by random/random), so I can post this long log if required. I'm at a loss. Please can someone help before I go ahead and format the bloody thing!
     
  2. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Welcome to Major Geeks, pjw

    Click Start > Control Panel > System > Hardware > Device Manager > View > Show Hidden Devices.
    • Scroll down to “Non-plug and Play Drivers” and click the plus icon to open those drivers.
    • Then search for TDSSserv.sys
    • Let me know if you find this or not.
    • If you do find it, right click on it, and select Disable. Do not try to uninstall it.
    • Also if this is found and you disable it, then reboot and see if you can run our removal procedures shown next.

    Please follow the instructions in the below link and attach the requested logs when you finish these instructions.


    • If something does not run, write down the info to explain to us later but keep on going.
    • Do not assume that because one step does not work that they all will not.
    READ & RUN ME FIRST. Malware Removal Guide

    Notes:

    1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode, but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
    2. If you have problems downloading on the problem PC, download the tools on another PC and burn to a CD. Links are given in the Step 2: Installing Tools and Running Scans section for downloading the definitions for the MBAM & SAS scanners. Then copy them to the problem PC. Yes, you could use a flash drive too but flash drives are writeable and infections can spread to them.

    Here's a guide on how to attach the logs HOW TO: Attach Items To Your Post

    ** Be advised that after doing the above, your thread will be in the work queue... our system works the oldest threads FIRST.

    Thanks!
    dr.m
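The Device Manager step above (Show Hidden Devices > Non-plug and Play Drivers) is a manual view of the kernel-driver services registered under HKLM\SYSTEM\CurrentControlSet\Services, and the Avenger log earlier in the thread found TDSSserv.sys there with a "System" start type. The script below is an added example, not part of this thread or of MajorGeeks' procedures: it lists those driver services from the registry, compares them with the Service Control Manager's view from driverquery, flags anything missing from one view or whose image file is not on disk, and can set the suspect's Start value to 4, which is what "Disable" in Device Manager does. It assumes an elevated prompt with PowerShell 3 or later (XP shipped without PowerShell, and driverquery is only in XP Pro); the default -SuspectName value and the -Disable switch are the example's own, and nothing in the thread prescribes them.

```powershell
# Added example, not from the thread: cross-check kernel drivers listed in the Services
# registry key against what the Service Control Manager reports, then flag (and optionally
# disable) any that look hidden. Assumes an elevated PowerShell 3+ prompt on Windows.
param(
    [string]$SuspectName = 'TDSSserv',   # hypothetical default: the name Avenger reported above
    [switch]$Disable                     # set Start=4 on the suspect, i.e. Device Manager's "Disable"
)

$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$startNames  = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

# View 1: every kernel driver (Type 1) registered in the Services key, with its start type.
# This is the same population Device Manager shows under "Non-plug and Play Drivers".
$registryDrivers = foreach ($key in Get-ChildItem $servicesKey -ErrorAction SilentlyContinue) {
    $p = Get-ItemProperty $key.PSPath -ErrorAction SilentlyContinue
    if ($p -and $p.Type -eq 1) {
        [pscustomobject]@{
            Name      = $key.PSChildName
            Start     = if ($null -ne $p.Start) { $startNames[[int]$p.Start] } else { '?' }
            ImagePath = [string]$p.ImagePath
        }
    }
}

# View 2: the drivers the Service Control Manager admits to. A rootkit that hooks the SCM
# or the registry APIs can drop an entry from one view, but seldom from both at once.
$scmDrivers = driverquery /fo csv /nh |
    ConvertFrom-Csv -Header Module, DisplayName, DriverType, LinkDate |
    Select-Object -ExpandProperty Module

foreach ($d in $registryDrivers) {
    # Normalise the ImagePath forms seen in the registry: \SystemRoot\..., \??\C:\..., or a
    # bare path relative to the Windows directory.
    $path = $d.ImagePath -replace '^\\SystemRoot', $env:SystemRoot -replace '^\\\?\?\\', ''
    if ($path -and -not [IO.Path]::IsPathRooted($path)) { $path = Join-Path $env:SystemRoot $path }

    $hiddenFromScm = $scmDrivers -notcontains $d.Name
    $fileMissing   = [bool]$path -and -not (Test-Path -LiteralPath $path)

    if ($hiddenFromScm -or $fileMissing -or $d.Name -like "$SuspectName*") {
        '{0,-20} Start={1,-9} HiddenFromSCM={2,-5} FileMissing={3,-5} {4}' -f `
            $d.Name, $d.Start, $hiddenFromScm, $fileMissing, $d.ImagePath
    }
}

# Disable rather than delete, as the helper advises: Start=4 stops the driver loading at the
# next boot and leaves the key in place for the cleanup tools to work with.
if ($Disable) {
    foreach ($d in $registryDrivers | Where-Object { $_.Name -like "$SuspectName*" }) {
        Set-ItemProperty -Path (Join-Path $servicesKey $d.Name) -Name Start -Value 4 -Type DWord
        "Set $($d.Name) Start=4 (Disabled); reboot for it to take effect"
    }
}
```

Run it first without -Disable to see what it flags, then with -Disable once the only hit is the driver you expect. The caveat is the one pjw already ran into: TDSS hides its registry key and its file from a booted, infected system, so a live comparison can come up empty in both views. Avenger found the entry because it scans from its own boot-time driver; the closest equivalent here is to run the script from safe mode, or to load the SYSTEM hive offline from a clean boot CD and inspect it there.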
     
  3. pjw

    pjw Private E-2

    Forgot to add: I keep getting a homepage change to 'http://google.com' (sic)

    It was in the non-plug and play devices, and I disabled it, then restarted my computer.

    No malware in add/remove programs.

    MSConfig set to normal startup.

    CCleaner ran and cleaned out.


    CANNOT view hidden folders; the 'Folder Options' menu item is no longer in the drop-down menu from Tools.

    SuperAntiSpyware scanned and found 84 matches, all detailing Rootkit.TDSServ; however my PC crashes in all modes when I try to access the scan preferences, and I can't get a logfile.


    ComboFix starts to work and then sticks. I have run everything else in safe mode and it seems to have been successful when I re-enter normal mode, except for my browser homepage. No more annoying messages about trojans!
     


  4. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    pjw

    Please run the Windows XP Cleaning Procedure. There has been an update to the MGTools.zip - download the new one and let it overwrite the older version. Also, be sure to update the definitions for both MBAM & SAS.

    You need to attach (see: HOW TO: Attach Items To Your Post) the below logs created while running the requested scans:
    • SASlog.txt log from SuperAntiSpyware.
    • Malwarebytes Anti-Malware log
    • ComboFix.txt (normally C:\ComboFix.txt)
    • MGlogs.zip - normally it is C:\MGlogs.zip - only attach this log from MGtools.exe DO NOT attach any logs seen in the MGtools folder.
    • You will need to post 2 messages to attach all four logs since only 3 attachments are allowed in any single message. Post all of them in one thread.

    Delaying getting us the requested logs delays any help we can give you.

    • Be patient after posting your logs and wait for one of the helpers to get to you. It can take a while to read thru all of the logs and to create individual fixes for you.
     
