Oct 26th, 2008

go.google redirection and TDSS Trojan cured

A couple of days ago, I noticed that the AVG daily update on my XP-SP3 PC couldn't connect, and then realised I couldn't access AV sites such as www.avg.com, www.symantec.com etc. from either IE or Firefox, but I could access sites like www.hp.com.

When 'googling' for help on the internet, all the results looked ok but the actual links were redirected to go.google.... then onto other weird destinations.

Fortunately I had access to another PC and was able to find relevant help on the DaniWeb forum. Several contributors had experienced almost identical symptoms, and by looking at these and your "general guide for dealing with virus problems", I was able to resolve the problem and get my PC working again (avoiding a full re-load).

Many thanks for the clear instructions, time and patience you offer in our time of need!

I must confess on the day in question I was searching for several items of shareware and visited a number of different sites. I am however somewhat puzzled that I got this infection despite having fully up to date AVG IS8.0 installed. I notice that other members with the TDSS.. trojan were also using AVG - is there a correlation? I logged a help request with AVG 2 days ago but there's been no response other than a receipt confirmation.

Are there any other checks/steps I should take or do you think I'm 'cured' ? (see Logs below).

Finally, would you recommend any utility(s) for checking / correcting / the Registry? I've spotted a tool called Remove Restrictions Tool (RRT) v2.0 which claims to correct/reset basic registry values for changes caused by malware e.g. disabling the user from viewing hidden files. It is downloadable from:
http://www.softpedia.com/get/Securit...ons-Tool.shtml
I did try to have a look at it but my AVG Resident Shield claims it is a "Potentially harmful program HackTool.EHZ" so I didn't proceed.

Thanks, Allan


Summary of Steps Taken:
- Tried to run AVG virus check, received program error message "avgwdsvc.exe has encountered a problem and needs to close. We are sorry for the inconvenience".

- Tried Microsoft OneCare Safety Scanner (online) - Some registry corrections made, but no fix.

- Found DaniWeb
- Ran ATF-Cleaner
- Ran MBA-M which found TDSSS... Trojan infection, allowed it to fix and reboot.
- Ran ESET Online Scanner - found a TDSS30da.tmp file leftover, deleted manually.
I spotted a second file TDSS30ca.tmp which I also deleted.

- Reboot, now everything works ok, AVG can get updates and internet access ok again.
- AVG scans ok and are clear (other than a few tracking cookies which were deleted)


Logs below for reference.
-------------------------------------------------------------------------------
Malwarebytes' Anti-Malware 1.30
Database version: 1306
Windows 5.1.2600 Service Pack 3

25/10/2008 20:14:40
mbam-log-2008-10-25 (20-14-40).txt

Scan type: Full Scan (C:\|D:\|E:\|V:\|W:\|)
Objects scanned: 123297
Time elapsed: 18 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 12

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\ -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\ -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Support Tools\bitsadmin.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\TDSSbutv.log (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\TDSShrsr.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\TDSSlxwp.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\TDSSnmxh.log (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\TDSSofxh.log (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\TDSSoiqn.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\TDSSrhyp.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\TDSSrtqp.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\TDSSxfum.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\drivers\TDSSmqlt.sys (Rootkit.Agent) -> Delete on reboot.
----------------------------------------------------------------------------------
ESET Online Scanner
# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3555 (20081025)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=ab041bb22fd21d40b7babcc0496863c8
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2008-10-25 07:59:20
# local_time=2008-10-25 08:59:20 (+0000, GMT Daylight Time)
# country="United Kingdom"
# osver=5.1.2600 NT Service Pack 3
# scanned=214968
# found=1
# scan_time=1381
C:\Documents and Settings\Allan\Local Settings\Temp\TDSS30da.tmp Win32/Agent.ODG virus

00000000000000000000000000000000
-------------------------------------------------------------------------------------------
end of document.
allanfr
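Added example (not the poster's, not Malwarebytes' code): a small Python parser for the MBA-M log format pasted above. It rejoins item lines that were wrapped when the log was pasted into the post, then pulls out the things a responder checks after a scan like this: which entries are still "Delete on reboot" (so the files are on disk until the restart), which are kernel drivers (the .sys rootkit component), and whether the Winlogon Userinit value was touched. The sample log is a constructed subset of the entries shown in the thread.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x log into structured detections.

Added example, not Malwarebytes' code. Handles the line-wrapping seen
when such a log is pasted into a forum post.
"""
import re
from collections import Counter

# Constructed sample in the shape of the MBA-M log above (a subset of its
# entries); three lines are deliberately wrapped the way they were pasted.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.30
Database version: 1306

Scan type: Full Scan (C:\|D:\|E:\|V:\|W:\|)
Registry Keys Infected: 2
Files Infected: 3

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) ->

Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent)

-> Data: system32\ -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Support Tools\bitsadmin.exe (Trojan.Agent) -> Quarantined and deleted

successfully.
C:\WINDOWS\system32\TDSShrsr.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\drivers\TDSSmqlt.sys (Rootkit.Agent) -> Delete on reboot.
"""

# "Files Infected:" (no count) opens a section; "Files Infected: 3" in the
# summary block does not match because of the trailing count.
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+) Infected:$")
# One detection line: <item> (<Family.Name>) [-> Data: <value>] -> <action>.
ITEM_RE = re.compile(
    r"^(?P<item>.+?) \((?P<family>[A-Za-z.]+)\)"
    r"(?: -> Data: (?P<data>.*?))?"
    r" -> (?P<action>.+?)\.?$"
)
FAMILY_RE = re.compile(r"\([A-Za-z]+\.[A-Za-z]+\)")


def _unwrap(text):
    """Rejoin detection lines that were broken when the log was pasted."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # A complete detection line ends with a period; one carrying a
        # "(Family.Name)" tag but no period was cut short, so glue the next
        # line onto it. A line starting with "->" is always a continuation.
        prev_cut = bool(out) and FAMILY_RE.search(out[-1]) and not out[-1].endswith(".")
        if out and (line.startswith("->") or prev_cut):
            out[-1] = out[-1] + " " + line
        else:
            out.append(line)
    return out


def parse_mbam_log(text):
    """Return one dict per detection: section, item, family, data, action."""
    section = None
    findings = []
    for line in _unwrap(text):
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        if section is None or line.startswith("(No malicious"):
            continue
        m = ITEM_RE.match(line)
        if not m:
            continue
        action = m.group("action")
        findings.append({
            "section": section,
            "item": m.group("item"),
            "family": m.group("family"),
            "data": m.group("data"),
            "action": action,
            # "Delete on reboot": the file is still on disk until the restart.
            "pending_reboot": action.lower().startswith("delete on reboot"),
        })
    return findings


def summarize(findings):
    """What to verify after the scan: reboot-pending files, drivers, Userinit."""
    return {
        "by_family": Counter(f["family"] for f in findings),
        "pending_reboot": [f["item"] for f in findings if f["pending_reboot"]],
        "kernel_drivers": [f["item"] for f in findings
                           if f["item"].lower().endswith(".sys")],
        # Winlogon runs the Userinit value at every logon, so a modified
        # value is a persistence point worth re-checking after the reboot.
        "userinit_tampered": any(f["item"].lower().endswith(r"winlogon\userinit")
                                 for f in findings),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_mbam_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Run on the full log as posted, the "pending_reboot" list is the set of files to confirm are gone after the restart (the ESET scan in the post played that role), and "userinit_tampered" is the cue to confirm the Userinit value is back to the stock userinit.exe entry.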
Oct 27th, 2008

Re: go.google redirection and TDSS Trojan cured

We rarely recommend registry tools. Many of the fix tools we note do correct registry problems when fixing. If you will note your MBA-M log, the registry problems WERE fixed and removed.
The warning you received from AVG notes this tool was not a good one and you were wise to follow the warning from AVG. Unless specific problems are noted which have not been fixed, it is wise to leave the registry alone. Playing with the registry can very often cause major problems.
jholland1964 (Moderator)
Oct 27th, 2008

Re: go.google redirection and TDSS Trojan cured

Point taken about treating the registry with caution.

AVG have replied (after 2 days) and sent some diagnostic tools to run and report back, but by that time the problem was fixed with your help.

As you suggested in other posts, I've installed SpywareBlaster and run the latest update. I'm impressed by the way it fills in the Firefox (and IE) settings to block cookies/sites. Previously I'd been doing that manually (and not too well) but this tool saves all that trouble. Thanks for pointing it out.

Allan
allanfr
Oct 28th, 2008

Re: go.google redirection and TDSS Trojan cured

Happy to have helped Allan, even somewhat indirectly. You will definitely continue to be pleased with SpywareBlaster. Be sure to use the Restricted Sites portion of the program too.
Judy
jholland1964 (Moderator)
Jan 1st, 2009

Re: go.google redirection and TDSS Trojan cured

This thread finally answered my VERY FRUSTRATING questions on how to remove this most tenacious trojan. I was experiencing all of the symptoms talked about here, and did hours and hours of research to find the solution. Finally ran across this.. and voila!

I'm back connecting and updating the machine. Everything working great now. MBAM is quite a tool. I'm a true Eset fan (thanks to Leo Laporte) and it has done quite well up till now. However, MBAM did the trick that none of the others could manage.

Thanks all.. great work.
OCDataSavers
Jan 3rd, 2009

Re: go.google redirection and TDSS Trojan cured

It's a browser hijacker that redirects Google or Yahoo search results to another site. Here's how to remove search result redirecting virus
Last edited by crunchie; Jan 3rd, 2009 at 5:48 am. Reason: Removed url. Keep it onsite!!
dfinc
Jan 3rd, 2009

Re: go.google redirection and TDSS Trojan cured

Uhm... We've already solved it. Hence the subject of this post.

Quote originally posted by dfinc:
> It's a browser hijacker that redirects Google or Yahoo search results to another site. Here's how to remove search result redirecting virus
OCDataSavers
