0

A couple of days ago, I noticed that the AVG daily update on my XP-SP3 PC couldn't connect, and then realised I couldn't access AV sites such as www.avg.com, www.symantec.com etc. from either IE or Firefox, but I could access sites like www.hp.com.

When 'googling' for help on the internet, all the results looked ok but the actual links were redirected to go.google.... then onto other weird destinations.

Fortunately I had access to an other PC and was able to find relevant help on the DaniWeb forum. Several contributors had experienced almost identical symptoms, and by looking at these and your "general guide for dealing with virus problems", I was able to resolve the problem and get my PC working again (avoiding a full re-load).

Many thanks for the clear instructions, time and patience you offer in our time of need!

I must confess on the day in question I was searching for several items of shareware and visited a number of different sites. I am however somewhat puzzled that I got this infection despite having fully up to date AVG IS8.0 installed. I notice that other members with the TDSS.. trojan were also using AVG - is there a correlation?. I logged a help request with AVG 2 days ago but there's been no response other than a receipt confirmation.

Are there any other checks/steps I should take or do you think I'm 'cured' ? (see Logs below).

Finally, would you recommend any utility(s) for checking / correcting / the Registry? I've spotted a tool called Remove Restrictions Tool (RRT) v2.0 which claims to correct/reset basic registry values for changes caused by malware e.g. disabling the user from viewing hidden files. It is downloadable from:
http://www.softpedia.com/get/Security/Security-Related/RRT-Remove-Ristrictions-Tool.shtml I did try to have a look at it but my AVG Resident Shield claims it is a "Potentially harmful program HackTool.EHZ" so I didn't proceed.

Thanks, Allan


Summary of Steps Taken:
- Tried to run AVG virus check, received program error message "avgwdsvc.exe has encountered a problem and needs to close. We are sorry for the inconvenience".

- Tried Micro Soft OneCare Safety Scanner (online) - Some registry corrections made, but no fix.

- Found DaniWeb
- Ran ATF-Cleaner
- Ran MBA-M which found TDSSS... Trojan infection, allowed it to fix and reboot.
- Ran ESET Online Scanner - found a TDSS30da.tmp file leftover, deleted manually.
I spotted a second file TDSS30ca.tmp which I also deleted.

- Reboot, now everything works ok, AVG can get updates and internet access ok again.
- AVG scans ok and are clear (other than a few tracking cookies which were deleted)


Logs below for reference.
-------------------------------------------------------------------------------
Malwarebytes' Anti-Malware 1.30
Database version: 1306
Windows 5.1.2600 Service Pack 3

25/10/2008 20:14:40
mbam-log-2008-10-25 (20-14-40).txt

Scan type: Full Scan (C:\|D:\|E:\|V:\|W:\|)
Objects scanned: 123297
Time elapsed: 18 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 12

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) ->

Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent)

-> Data: c:\windows\system32\ -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent)

-> Data: system32\ -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Support Tools\bitsadmin.exe (Trojan.Agent) -> Quarantined and deleted

successfully.
C:\WINDOWS\system32\ (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\TDSSbutv.log (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\TDSShrsr.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\TDSSlxwp.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\TDSSnmxh.log (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\TDSSofxh.log (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\TDSSoiqn.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\TDSSrhyp.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\TDSSrtqp.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\TDSSxfum.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\drivers\TDSSmqlt.sys (Rootkit.Agent) -> Delete on reboot.
----------------------------------------------------------------------------------
ESET Online Scanner
# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3555 (20081025)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=ab041bb22fd21d40b7babcc0496863c8
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2008-10-25 07:59:20
# local_time=2008-10-25 08:59:20 (+0000, GMT Daylight Time)
# country="United Kingdom"
# osver=5.1.2600 NT Service Pack 3
# scanned=214968
# found=1
# scan_time=1381
C:\Documents and Settings\Allan\Local Settings\Temp\TDSS30da.tmp Win32/Agent.ODG virus

00000000000000000000000000000000
-------------------------------------------------------------------------------------------
end of document.

4
Contributors
6
Replies
7
Views
9 Years
Discussion Span
Last Post by OCDataSavers
0

We rarely recommend registry tools. Many of the fix tools we note do correct registry problems when fixing. If you will note your MBA-M log registry problems WERE fixed and removed.
The warning you received from AVG notes this tool was not a good one and you were wise to follow the warning from AVG. Unless specific problems are noted which have not been fixed it is wise to leave the registry alone. Playing with the registry can very often cause major problems.

0

Point taken about treating the the registry with caution.

AVG have replied (after 2 days) and sent some diagnostic tools to run and report back, but by that time the problem was fixed with your help.

As you suggested in other posts, I've installed SpywareBlaster and run the latest update. I'm impressed by the way it fills-in the Firefox (and IE) settings to block cookies/sites. Previously I'd been doing that manually (and not to well) but this tool saves all that trouble. Thanks for pointing it out.

Allan

0

Happy to have helped Allan, even somewhat indirectly. You will definitely continue to be pleased with SpywareBlaster. Be sure to use the Restricted Sites portion of the program too.
Judy

0

This thread finally answered my VERY FRUSTRATING questions on how to remove this most tenacious trojan. I was experiencing all of the symptoms talked about here, and did hours and hours of research to find the solution. Finally ran across this.. and voila!

I'm back connecting and updating the machine. Everything working great now. MBAM is quite a tool. I'm a true Eset fan (thanks to Leo Laporte) and it has done quite well up till now. However, MBAM did the trick that none of the others could manage.

Thanks all.. great work.

0

its a browser hijacker that redirects google or yahoo search results to another site. heres how to remove search result redirecting virus

0

Uhm... We've already solved it. Hence the subject of this post.

its a browser hijacker that redirects google or yahoo search results to another site. heres how to remove search result redirecting virus

This question has already been answered. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.