Rootkit.TDSS.Gen - had it, not sure its gone

[kepi117]

My computer started lagging a bit last night and google searches begin to be redirected. So I updated my malwarebyte's, which found and deleted "Rootkit.TDSS.Gen" hidden in some weird "c:\documents and settings\owner...". Afterward malwarebytes found no problems but it took hours to finish searching and my computer lagged to the point I had to shut it down, because nothing would execute. Restarting holds off the lagging for a few hours now, but multiple scans find nothing and I am still being redirected with my google searches.

Here are my logs for most recent quick scan and my Hijackthis logs. Any help would be greatly appreciated.

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6460

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.13

4/27/2011 4:53:32 PM

mbam-log-2011-04-27 (16-53-32).txt

Scan type: Quick scan

Objects scanned: 169203

Time elapsed: 19 minute(s), 31 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 4:45:40 PM, on 4/27/2011

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.17096)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\TeamViewer\Version6\TeamViewer_Service.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Perfect World Entertainment\Perfect World International\element\ElementClient.exe

C:\Perfect World Entertainment\Perfect World International\element\reportbugs\pwprotector.exe

C:\Program Files\Common Files\Java\Java Update\jucheck.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com/?pc=Z023&form=ZGAPHP

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/ext/search/search.html'>http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3}%

[screen317]

Hi and welcome to Malwarebytes.

Please download DDS by sUBs and save it to your Desktop.

Double-click on the DDS icon and let the scan run. When it has run two logs will be produced, please post only DDS.txt directly into your reply.

[kepi117]

Cool, thanks. Heres that log.

.

DDS (Ver_11-03-05.01) - NTFSx86

Run by Owner at 20:24:24.15 on Wed 04/27/2011

Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_21

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1535.112 [GMT -7:00]

.

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\WINDOWS\system32\ctfmon.exe

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\Program Files\TeamViewer\Version6\TeamViewer_Service.exe

C:\Program Files\Viewpoint\Common\ViewpointSe

[screen317]

Hi,

The log appears to have been cut off. Please post it in its entirety.

[kepi117]

I'm not sure why it didn't copy in the entire log. But now when the post wont go through when I try to list the entire log. Any idea if this is this an error with the forums or the virus messing with my computer?

[kepi117]

The connection is constantly cut off run I try to post the logs ._.

[screen317]

Hi,

It's likely your connection, and not an infection or the forum. Please zip up your logs and attach them instead.

[kepi117]

Kay here's the .zip version

DDS.zip

[screen317]

Hi,

• Download the file TDSSKiller.zip and extract it into a folder on the infected PC.
  
• Execute the file TDSSKiller.exe by double-clicking on it.
  
• Wait for the scan and disinfection process to be over.
  
• When its work is over, the utility prompts for a reboot to complete the disinfection.

By default, the utility outputs runtime log into the system disk root directory (the disk where the operating system is installed, C:\ as a rule).

The log is like UtilityName.Version_Date_Time_log.txt.

for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt.

Please post that log here.

Next, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

• When the tool is finished, it will produce a report for you.
  
• Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

Also update MBAM, run a Quick Scan, and post its log.

-screen317

[kepi117]

Here are all four logs. After running all of these, the google redirects and random tabs opening have apparently stopped. Thank you so much :3

log.zip

DDS.zip

mbam-log-2011-05-03 (03-03-23).zip

TDSSKiller.2.5.0.0_03.05.2011_02.31.31_log.txt

[screen317]

Hi,

In the future, please post all logs directly into your reply instead of attaching them. With that said, please update MBAM, run a Quick Scan, and post its log.

Next, please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

1. Tick the box next to YES, I accept the Terms of Use.
   
2. Click Start
   
3. When asked, allow the ActiveX control to install
   
4. Click Start
   
5. Make sure that the options Remove found threats and the option Scan unwanted applications is checked
   
6. Click Scan
   Wait for the scan to finish
   
7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
   
8. Copy and paste that log as a reply to this topic
   

Next, download my Security Check from here or here.

• Save it to your Desktop.
  
• Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  
• A Notepad document should open automatically called checkup.txt; please post the contents of that document.
  

Let me know how things are running now and what issues remain.

-screen317

[kepi117]

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=7.00.6000.17096 (vista_gdr.110211-1830)

# OnlineScanner.ocx=1.0.0.6427

# api_version=3.0.2

# EOSSerial=be303fd47aa7ac40a2d8f5862bc72080

# end=stopped

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=true

# antistealth_checked=true

# utc_time=2011-05-06 01:21:30

# local_time=2011-05-05 06:21:30 (-0800, Pacific Daylight Time)

# country="United States"

# lang=9

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=512 16777215 100 0 41295055 41295055 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=12547

# found=0

# cleaned=0

# scan_time=4353

# version=7

# iexplore.exe=7.00.6000.17096 (vista_gdr.110211-1830)

# OnlineScanner.ocx=1.0.0.6427

# api_version=3.0.2

# EOSSerial=be303fd47aa7ac40a2d8f5862bc72080

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2011-05-06 12:02:59

# local_time=2011-05-06 05:02:59 (-0800, Pacific Daylight Time)

# country="United States"

# lang=9

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=512 16777215 100 0 41329342 41329342 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=76180

# found=0

# cleaned=0

# scan_time=8553

and

Results of screen317's Security Check version 0.99.10

Windows XP Service Pack 3

Internet Explorer 7 Out of date!

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Enabled!

ESET Online Scanner v3

```````````````````````````````

Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware

HijackThis 2.0.2

CCleaner

Java 6 Update 21

Out of date Java installed!

Adobe Flash Player 10.1.102.64

Adobe Reader 9.1

Out of date Adobe Reader installed!

Mozilla Firefox (3.5.19) Firefox Out of Date!

````````````````````````````````

Process Check:

objlist.exe by Laurent

``````````End of Log````````````

[screen317]

Hi,

Navigate to Start --> Control Panel --> Add or Remove Programs, and uninstall the following programs (if present):

HijackThis 2.0.2

Java