
AntivirusXP 2008 infection


John G Jr


OK, here we go.

My laptop got infected with AntivirusXP 2008 a few days ago. Browser links are hijacked and I can't access any antivirus sites. After doing some reading here, I got a tip that I could rename the MBAM setup program and QUICKLY execute it. I tried that and it seemed to work, although the install program hung at the end. I cancelled it, and looked in \program files\malwarebytes anti-malware, and it does seem like it loaded. But then I couldn't run MBAM.EXE, even if I renamed it and tried to run it quickly like I did with the install. So I figured I'd try rebooting and trying my luck again. Bad move.

My laptop won't come back up. It tries... the startup music plays... my wallpaper appears... some small icons appear down on the bottom bar on the right... the START button appears on the bottom left... my mouse moves around the screen... but that's it. None of my icons appear on the desktop. It just hangs. You can't click on anything. I've tried turning it off and back on a dozen times. It's an overpriced anchor at this point.

Is there any hope for me? Or am I looking at scorched earth here?

John


  • Root Admin

Hello and Welcome to Malwarebytes.org

Please read and follow the instructions provided here: Pre- HJT Post Instructions

When ready please post your logs here: Malware Removal - HijackThis Logs

Someone will be happy to assist you further with cleaning your system.

During this scan and cleanup process you should not install any other software unless requested to do so.

There has been a rash of the TDSS malware that might be the culprit of not being able to install or run MBAM. If it is then this solution below might help. If it does then start in Normal Windows mode and try to update MBAM and do a scan. Then follow the directions above and post the requested information.

  • Click on Start, click Run, and then type devmgmt.msc and click OK
  • On the View menu click on Show hidden devices
  • Browse to Non-Plug and Play Drivers and you should see something like TDSSserv.sys
  • Highlight that driver and right click on it and select DISABLE
  • Now RESTART your computer.
  • Download a copy of Malwarebytes but DO NOT run it yet.
  • Rename the downloaded installer file to any generic name such as your own name but keep the .EXE extension on the file and run it.
  • Once the program is installed go to the UPDATE tab and try to update the program if you can.
  • Then go to the SCANNER tab and run a Quick Scan and allow MBAM to fix anything found.


OK. We're off to a good start here. I followed the instructions to disable TDSSserv.sys then rebooted. Normal Windows came up fine. I successfully installed MBAM. It launched, and I was able to do an update. I'm doing the "quick scan" now. It's been running for about 2 hours and is still going. It's identified 7 infected objects so far.

It's after midnight here. I'm going to retire for the night... we'll see where we are in the morning.

Thank you so much for your help.

John


OK, here are the results of this initial quick scan. Do I now continue with the steps outlined in Pre- HJT Post Instructions?

Malwarebytes' Anti-Malware 1.30

Database version: 1412

Windows 5.1.2600 Service Pack 3

11/20/2008 7:20:16 AM

mbam-log-2008-11-20 (07-20-16).txt

Scan type: Quick Scan

Objects scanned: 105107

Time elapsed: 5 hour(s), 25 minute(s), 49 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 4

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 1

Files Infected: 20

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f919fbd3-a96b-4679-af26-f551439bb5fd} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b64f4a7c-97c9-11da-8bde-f66bad1e3f3a} (Rogue.WinAntivirus) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

C:\Program Files\AntivirusPro2009 (Rogue.Antivirus2008) -> Quarantined and deleted successfully.

Files Infected:

C:\WINDOWS\system32\TDSSarxx.dll (Trojan.TDSS) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\TDSScfmn.dll (Trojan.TDSS) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\TDSSotty.dll (Trojan.TDSS) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\TDSSvoql.dll (Trojan.TDSS) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\drivers\TDSSmhct.sys (Trojan.TDSS) -> Quarantined and deleted successfully.

C:\Program Files\AntivirusPro2009\AntivirusPro2009.cfg (Rogue.Antivirus2008) -> Quarantined and deleted successfully.

C:\Program Files\AntivirusPro2009\AVEngn.dll (Rogue.Antivirus2008) -> Quarantined and deleted successfully.

C:\Program Files\AntivirusPro2009\htmlayout.dll (Rogue.Antivirus2008) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\TDSSlxcp.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\delself.bat (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\av.dat (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\_scui.cpl (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\Documents and Settings\John\Local Settings\Temp\TDSS38f8.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\John\Local Settings\Temp\TDSS3907.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\John\Local Settings\Temp\wrdwn4 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\Documents and Settings\John\Local Settings\Temp\wrdwn5 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\Documents and Settings\John\Local Settings\Temp\wrdwn6 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\Documents and Settings\John\Local Settings\Temp\wrdwn7 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\Documents and Settings\John\Local Settings\Temp\wrdwn8 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\TDSSkkai.log (Trojan.TDSS) -> Quarantined and deleted successfully.
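As an added example (not part of this thread and not Malwarebytes' own code), here is a small Python parser for the MBAM log format quoted above. It splits the log into header fields, the summary counts and the per-section detail entries, checks that the summary counts agree with the entries actually listed, tallies items by detection family, and pulls out any quarantined .sys file, which is the kernel-mode driver that the Root Admin's disable-driver step has to deal with before a scan can run. The line shapes are inferred from the log posted above; the embedded sample is a trimmed copy of that log (the four registry keys, the folder, and five of the twenty files), with the summary adjusted to match. It uses assignment expressions, so it needs Python 3.8 or later.

```python
import re
from collections import Counter

# Trimmed copy of the log posted in this thread: the four registry keys, the
# folder, and five of the twenty files; the "Files Infected" summary line and
# the empty detail sections are adjusted to match what is kept here.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.30
Database version: 1412
Scan type: Quick Scan
Objects scanned: 105107
Time elapsed: 5 hour(s), 25 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f919fbd3-a96b-4679-af26-f551439bb5fd} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b64f4a7c-97c9-11da-8bde-f66bad1e3f3a} (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\AntivirusPro2009 (Rogue.Antivirus2008) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\TDSSarxx.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\TDSSmhct.sys (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Program Files\AntivirusPro2009\AVEngn.dll (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\av.dat (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\John\Local Settings\Temp\TDSS38f8.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
"""

# Line shapes seen in the log above (assumed to hold for the whole format):
# "<Category> Infected: <n>" in the summary block, "<Category> Infected:" opening
# a detail section, and "<path> (<detection>) -> <action>." for each item found.
SUMMARY_RE = re.compile(r"^(?P<cat>[A-Za-z ]+ Infected): (?P<n>\d+)$")
SECTION_RE = re.compile(r"^(?P<cat>[A-Za-z ]+ Infected):$")
HEADER_RE = re.compile(r"^(Database version|Scan type|Objects scanned|Time elapsed): (.+)$")
ENTRY_RE = re.compile(r"^(?P<path>.+?) \((?P<detection>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam_log(text):
    """Return header fields, summary counts, per-section entries and any
    detail lines the entry pattern did not recognise."""
    header, summary, sections, unparsed = {}, {}, {}, []
    current = None  # detail section being read, once past the summary block
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(No malicious items detected)":
            continue
        if sec := SECTION_RE.match(line):
            current = sec.group("cat")
            sections.setdefault(current, [])
        elif current is None:  # still in the header / summary block
            if m := SUMMARY_RE.match(line):
                summary[m.group("cat")] = int(m.group("n"))
            elif m := HEADER_RE.match(line):
                header[m.group(1)] = m.group(2)
        elif m := ENTRY_RE.match(line):
            sections[current].append(m.groupdict())
        else:
            unparsed.append(line)
    return {"header": header, "summary": summary, "sections": sections, "unparsed": unparsed}


def consistency_check(parsed):
    """Summary counts that disagree with the listed entries, as {category: (claimed, listed)}.
    A mismatch, or anything in "unparsed", means the log was truncated or hand-edited."""
    return {cat: (n, len(parsed["sections"].get(cat, [])))
            for cat, n in parsed["summary"].items()
            if n != len(parsed["sections"].get(cat, []))}


def families(parsed):
    """Number of items per detection name across every section."""
    return Counter(e["detection"] for entries in parsed["sections"].values() for e in entries)


def kernel_components(parsed):
    """Quarantined .sys files: the driver the rootkit loads, and the reason the
    disable-driver step in this thread had to come before the scan."""
    return [e["path"] for e in parsed["sections"].get("Files Infected", [])
            if e["path"].lower().endswith(".sys")]


if __name__ == "__main__":
    result = parse_mbam_log(SAMPLE_LOG)
    print("summary/detail mismatches:", consistency_check(result))
    print("families:", families(result).most_common())
    print("kernel components:", kernel_components(result))
```

Feeding the full log from the post above instead of the trimmed sample should give an empty mismatch dict and an empty `unparsed` list as well; a non-empty one is the quickest sign that a pasted log is incomplete.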


I rebooted and now SpyHunter security suite fires up automatically. I don't recall downloading this (although maybe I did?). Is this a legitimate program or spyware? Should I just remove this through "add remove programs"? (I use McAfee for firewall and antivirus.)

John


Hi guys,

So it seems that all of this installation problem with MBAM was due to that TDSSserv.sys.

Well, it at least let us download MBAM; it didn't let me go to the Microsoft website or download any other tool. When I click on a link it would immediately say that page cannot be displayed.

Seems to work after disabling TDSSserv.sys.

I also tried installing Malwarebytes without renaming but after disabling TDSSserv.sys. It seems to work.

So don't bother about changing the name of the setup file.


OK. I need more help.

I uninstalled Spyhunter security suite and that went fine.

I downloaded Spybot and installed it. It saw that I had Ad-Aware installed and didn't like that, so I uninstalled Ad-Aware. No problem.

At the very end of installing Spybot, the Windows Form said "finishing installation", and a black DOS window opened (blank inside) and it just hung there. I waited nearly 10 minutes, and nothing happened, so I manually closed it. It presented a Windows Form telling me I could give it more time or just cancel, and I cancelled it. Spybot does run when I click on the desktop icon so it "seems" like it installed OK.

I turned off Teatimer as instructed. No problem.

But here's where I run into problems. I run "Update", and it says there are no new updates available. But then I try to run a scan, and it says "You need to install the detection updates first by using the integrated update or the manual updater". I tried running the scan with "Immunize" on... and off... and got the same results.

Could this be a problem as a result of the installation program hanging at the end? Or could it be a result of the infections I have? Or am I just doing something stupid?

John


  • Root Admin

Hi John,

Go ahead and move forward with the other tasks and post in the HJT forum where someone will continue to assist you with this. This forum is just a general support forum and not really for working on the actual removal of malware.

Just do what you can do with the logs and start a new post. You can post a link back to here as well if you like so that whoever does assist you can see the history.

Thanks again.

