Unknown Adware, Unable to locate!!

Discussion in 'Malware Help (A Specialist Will Reply)' started by shane2008, Nov 30, 2008.

  1. shane2008

    shane2008 Private E-2

    Hello,

    Hopefully someone can help with this...

    SYMPTOMS: (Windows XP Pro SP3)
    1. Google search links redirect me to ads
    2. I am unable to install the majority of AV software.
    3. I am unable to access all major Anti-Virus websites.
    4. All AV Software installed fails to retrieve updates.

    The programs that will install are AdAware, CounterSpy, Spyware Terminator, and AVG 8.0, although all of them fail to retrieve updates. I have updated both AdAware and AVG manually and still no results on scans. Sometimes errors are generated during scans.

    The following programs either generate an error when I click the setup file or they just hang in Task Manager until I close them: SUPERAntiSpyware, Malwarebytes, Spybot S&D, and the new version of HijackThis.

    I have an older version of HijackThis that didn't include a setup; it will run and scan if you would like a log. I didn't see any odd files on startup.

    I was able to fix the Google links using the reset option on IE, but it starts all over again after reboot. I have a clean PC that I've used to download the software and manual updates and transferred them to the infected PC.

    Any ideas would be great!!
    Thanks!
     
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Have you tried running the scans in safe mode? Have you tried running the MGTools.exe in either mode?

    You should be able to run MGTools and at least attach that log which should be C:\MGLogs.zip.

    Are you getting errors if you run that? What are they?
     
  3. shane2008

    shane2008 Private E-2

    I was able to run AdAware, Spyware Terminator, and AVG 8.0. AVG generates an error unless I scan in safe mode; the other two did scan in normal mode, but none of them returned anything useful.

    Also tried using "Safe Mode with Networking" but it doesn't help me get to any AV sites or updates.

    I was able to run MGTools in normal mode. The only error msg I got was this:
    Error: Key: SOFTWARE\swearware does not exist!

    Logs should be attached.

    Thanks,
     


  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Can you run CounterSpy? Is CounterSpy a paid-for version? If not, uninstall it.

    Please copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double-click it and allow it to merge with the registry.
    Run this: Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Now use windows explorer to find and delete:
    C:\WINDOWS\system32\getfn32.dll
    C:\WINDOWS\system32\getwn32.dll
    C:\WINDOWS\system32\wertyu.dll

    Use add/remove programs to uninstall:
    J2SE Runtime Environment 5.0 Update 11
    J2SE Runtime Environment 5.0 Update 3
    Java(TM) 6 Update 5
    Java(TM) 6 Update 7

    Reboot and install:
    Java Runtime

    Tell me if you can run SAS or MBAM now.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file.

    Be sure to tell us how things are running.
     
  5. shane2008

    shane2008 Private E-2

    I haven't tried scanning with CounterSpy because I was unable to get the updates for it. I have uninstalled it, it was a free/trial version.

    Fixme.reg entered successfully.

    Windows Messenger uninstalled successfully.

    Getfn32.dll, getwn32.dll, and wertyu.dll deleted successfully.

    Uninstalled the following successfully:
    J2SE Runtime Environment 5.0 Update 11
    J2SE Runtime Environment 5.0 Update 3
    Java(TM) 6 Update 5
    Java(TM) 6 Update 7

    Rebooted and installed Java Runtime

    Super Anti-Spyware generates a Microsoft Error Report when I click on the setup file.

    The Malwarebytes setup still hangs in Task Manager as if I never clicked it.

    New logs should be attached.
    So far no changes. AVG updates fail, and AV sites are still not found. Google searches also remain screwed.

    Thanks,
     


  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Have you tried re-naming both SAS and MBAM? Have you tried running them in safe mode? Have you removed all of your IE toolbars and add-ons?
     
  7. shane2008

    shane2008 Private E-2

    I renamed both setup files for Malwarebytes and SUPERAntiSpyware. Both setups worked and installed; Malwarebytes froze towards the end.

    I downloaded the updates manually for SUPERAntiSpyware and updated the definition files in "Safe Mode with Networking", because the task bar wouldn't load in regular safe mode for some reason.

    I also had to rename the actual program in order for it to run in safe mode (C:\Program Files\SuperAntiSpyware\SuperAntiSpyware.exe); I just renamed it to "Super.exe". I started a complete scan with SUPERAntiSpyware after I updated it.

    SUPERAntiSpyware found 59 registry entries and called it TDSServ. The majority were under HKLM\Software\TDSS.
    Apparently there were no actual files, only registry hacks.

    After a reboot, all of my symptoms are still there and it's still blocking the programs. I checked the registry and the entries had not returned. So I searched the registry and found entries with TDSSserv.sys listed as a legacy driver. I figure this is the problem. I'm going to continue and try to get rid of this; at least now that I know what it is, I have a much better chance of getting rid of it. Surely there's got to be some details on this beast.

    Thanks,
     
  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    ComboFix will usually remove those, as will MBAM... I need to see those logs in order to help.

    Also run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file.
     
  9. shane2008

    shane2008 Private E-2

    All right, so I looked up TDSSserv and it recommended using SDFix.

    SDFix worked great and deleted the following:

    C:\WINDOWS\system32\drivers\TDSSmqlt.sys
    C:\WINDOWS\system32\TDSSoiqt.dll
    C:\WINDOWS\system32\TDSShrxm.dll
    C:\WINDOWS\system32\TDSSvkql.dll
    C:\WINDOWS\system32\TDSSxfum.dll
    C:\WINDOWS\system32\TDSSlxwp.dll
    C:\WINDOWS\system32\TDSSmtvd.dat
    C:\WINDOWS\system32\TDSSkkai.log

    Here are the registry entries, and the programs TDSSserv blocks:

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata
    HKLM\SOFTWARE\TDSS
    HKLM\SOFTWARE\TDSS\disallowed (catchme.exe)
    HKLM\SOFTWARE\TDSS\disallowed (cbo_setup.exe)
    HKLM\SOFTWARE\TDSS\disallowed (combofix.exe)
    HKLM\SOFTWARE\TDSS\disallowed (daft.exe)
    HKLM\SOFTWARE\TDSS\disallowed (download_mabam-setup.exe)
    HKLM\SOFTWARE\TDSS\disallowed (emergencyutil.exe)
    HKLM\SOFTWARE\TDSS\disallowed (fixpolicies.exe)
    HKLM\SOFTWARE\TDSS\disallowed (flash_disinfector.exe)
    HKLM\SOFTWARE\TDSS\disallowed (gmer.exe)
    HKLM\SOFTWARE\TDSS\disallowed (GoogleUpdate.exe)
    HKLM\SOFTWARE\TDSS\disallowed (hjtinstall.exe)
    HKLM\SOFTWARE\TDSS\disallowed (mbam.exe)
    HKLM\SOFTWARE\TDSS\disallowed (mbam-setup.exe)
    HKLM\SOFTWARE\TDSS\disallowed (mcpr.exe)
    HKLM\SOFTWARE\TDSS\disallowed (otmoveit2.exe)
    HKLM\SOFTWARE\TDSS\disallowed (otscanit.exe)
    HKLM\SOFTWARE\TDSS\disallowed (prevxcsifree.exe)
    HKLM\SOFTWARE\TDSS\disallowed (rminstall.exe)
    HKLM\SOFTWARE\TDSS\disallowed (sdfix.exe)
    HKLM\SOFTWARE\TDSS\disallowed (sdsetup.exe)
    HKLM\SOFTWARE\TDSS\disallowed (smitfraudfix.exe)
    HKLM\SOFTWARE\TDSS\disallowed (spybotsd.exe)
    HKLM\SOFTWARE\TDSS\disallowed (SpyEraser.exe)
    HKLM\SOFTWARE\TDSS\disallowed (SpyHunter3.exe)
    HKLM\SOFTWARE\TDSS\disallowed (SpySub.exe)
    HKLM\SOFTWARE\TDSS\disallowed (SpySweeper.exe)
    HKLM\SOFTWARE\TDSS\disallowed (spywareblastersetup.exe)
    HKLM\SOFTWARE\TDSS\disallowed (SpywareTerminatorShield.exe)
    HKLM\SOFTWARE\TDSS\disallowed (SUPERAntiSpyware.exe)
    HKLM\SOFTWARE\TDSS\disallowed (techweb.exe)
    HKLM\SOFTWARE\TDSS\disallowed (trsetup.exe)
    HKLM\SOFTWARE\TDSS\disallowed (ViewMgr.exe)
    HKLM\SOFTWARE\TDSS\disallowed (ViewpointService.exe)
    HKLM\SOFTWARE\TDSS\disallowed (vundofixsvc.exe)
    HKLM\SOFTWARE\TDSS\disallowed (windowsdefender.exe)
    HKLM\SOFTWARE\TDSS\disallowed (XoftSpy.exe)
    ----------------------------------------------

    Everything is running well now; all symptoms are gone and scans are clean. I appreciate you walking me through this. Thanks again,
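The indicators in the post above (the HKLM\SOFTWARE\TDSS keys, the tdssdata key and the TDSS-prefixed files SDFix removed) and the rename trick that got SAS and MBAM running in post 7 can be turned into one triage script for an XP box. This is an added example, not a tool from the thread, from MajorGeeks, MGTools or SDFix. The Services\TDSSserv and Enum\Root\LEGACY_TDSSSERV.SYS key paths are assumed from the "TDSSserv.sys listed as a legacy driver" remark and are not taken from the posted logs; everything else is the key and file list given above.

```batch
@echo off
REM tdss-triage.cmd  (added example; not part of the thread, MGTools or SDFix)
REM Reports the TDSS indicators named in this thread and, if a tool path is
REM given, copies that tool to a random file name before launching it, because
REM the rootkit's HKLM\SOFTWARE\TDSS\disallowed list matches on file name only
REM (which is why renaming mbam-setup.exe and SUPERAntiSpyware.exe worked).
REM Usage:
REM   tdss-triage.cmd                          report indicators only
REM   tdss-triage.cmd C:\tools\mbam-setup.exe  report, then run the tool renamed
REM The Services\TDSSserv and Enum\Root\LEGACY_TDSSSERV.SYS paths are assumed
REM from the "legacy driver" remark in the thread, not read from the logs.
setlocal EnableExtensions

echo === Registry keys the thread attributes to TDSS ===
for %%K in (
    "HKLM\SOFTWARE\TDSS"
    "HKLM\SOFTWARE\TDSS\disallowed"
    "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata"
    "HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv"
    "HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TDSSSERV.SYS"
) do (
    reg query %%K >nul 2>&1
    if errorlevel 1 (echo   absent   %%~K) else (echo   PRESENT  %%~K)
)

echo.
echo === File names the rootkit refuses to run (values under disallowed) ===
reg query "HKLM\SOFTWARE\TDSS\disallowed" 2>nul

echo.
echo === Dropped files: fixed TDSS prefix, random suffix (compare the SDFix list) ===
dir /b /a "%SystemRoot%\system32\TDSS*.*" 2>nul
dir /b /a "%SystemRoot%\system32\drivers\TDSS*.sys" 2>nul

if "%~1"=="" goto :done
if not exist "%~1" (
    echo Tool not found: %~1
    goto :done
)
REM Random name, so none of the disallowed entries (mbam-setup.exe,
REM combofix.exe, sdfix.exe, ...) can match the image name being launched.
set "RENAMED=%TEMP%\mg%RANDOM%%RANDOM%.exe"
copy /y "%~1" "%RENAMED%" >nul
echo.
echo Launching "%~1" as "%RENAMED%"
start "" /wait "%RENAMED%"
del /q "%RENAMED%"

:done
endlocal
```

Two caveats when reading the output. First, "absent" is not proof of a clean machine: a kernel-mode rootkit of this kind can hide its own keys and files from reg.exe and dir while it is loaded, so run the check from safe mode as well and treat a tool like SDFix, not this script, as the authority on what is actually on disk. Second, renaming only defeats the launcher blocklist; the blocked AV sites, failed updates and redirected searches in this thread come from the driver itself and only went away once TDSSmqlt.sys and the TDSS* DLLs were removed.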
     
  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Sweet... that should allow you to now run all the scans, which I would like to see just to be sure there are no other leftovers. :)
     
