Malwarebytes

Cannot remove trojan.tdss

9 replies to this topic

#1
czraptor

    New Member

  • Members
  • Pip
  • 5 posts
Every time I scan it finds this same trojan after removal and restart.


Malwarebytes' Anti-Malware 1.40
Database version: 2719
Windows 5.1.2600 Service Pack 3

8/30/2009 4:53:51 PM
mbam-log-2009-08-30 (16-53-51).txt

Scan type: Quick Scan
Objects scanned: 86110
Time elapsed: 1 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\kbiwkmiqxnssww (Trojan.TDSS) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#2
czraptor

    New Member

  • Members
  • Pip
  • 5 posts

czraptor, on Aug 30 2009, 11:04 PM, said:

Every time I scan it finds this same trojan after removal and restart.



#3
czraptor

    New Member

  • Members
  • Pip
  • 5 posts
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:23:45 PM, on 8/30/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Razer\Lycosa\razerhid.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\Program Files\Razer\Lycosa\razertra.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.maingearforums.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [Lycosa] "C:\Program Files\Razer\Lycosa\razerhid.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1225983594250
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe

--
End of file - 3661 bytes

#4
czraptor

    New Member

  • Members
  • Pip
  • 5 posts
Never had to do this so I am not sure when to expect a response to my post, sorry if I am posting too often and not giving adequate time for a response.

#5
czraptor

    New Member

  • Members
  • Pip
  • 5 posts
Still needing some help on this issue.

#6
kulasoft

    New Member

  • Members
  • Pip
  • 3 posts
I was having a very similar problem.

Yesterday, I tried spyhunter from another link, but the version downloaded only detects but does not remove the threat. So I uninstalled it.

Then I tried updating Malwarebytes' Anti-Malware and ran the scan and left it running while I went to do something else.

And when I checked today, the scan found nothing! Looking in regedit, the offending registry key is now gone!

Maybe malwarebytes updated it to take care of the problem?

- mike

czraptor, on Aug 31 2009, 01:22 PM, said:

Still needing some help on this issue.


#7
kulasoft

    New Member

  • Members
  • Pip
  • 3 posts
To be a little more accurate, come to think of it, I updated and ran the Malwarebytes scan yesterday and it found the infected key as usual. Then it asked to reboot to delete it. Then I guess I must have rebooted and left the computer running.

Until I checked again today. Running a full scan now to double-check. "No malicious items were detected."


kulasoft, on Sep 1 2009, 11:55 AM, said:

I was having a very similar problem.

Yesterday, I tried spyhunter from another link, but the version downloaded only detects but does not remove the threat. So I uninstalled it.

Then I tried updating Malwarebytes' Anti-Malware and ran the scan and left it running while I went to do something else.

And when I checked today, the scan found nothing! Looking in regedit, the offending registry key is now gone!

Maybe malwarebytes updated it to take care of the problem?

- mike


#8
kulasoft

    New Member

  • Members
  • Pip
  • 3 posts
I think I also ran ccleaner yesterday too and cleaned out the cookies, etc. Don't know if that did anything.

kulasoft, on Sep 1 2009, 12:31 PM, said:

To be a little more accurate, come to think of it, I updated and ran the Malwarebytes scan yesterday and it found the infected key as usual. Then it asked to reboot to delete it. Then I guess I must have rebooted and left the computer running.

Until I checked again today. Running a full scan now to double-check. "No malicious items were detected."


#9
LonnyRJ

    True Member

  • Experts
  • PipPipPipPip
  • 353 posts
  • Gender:Male
  • Location:pugent sound
czraptor
Post back if you're still in need of assistance

kulasoft, do not post to other than your own topics in this area please

#10
AdvancedSetup

    Forum Deity

  • Administrators
  • PipPipPipPipPipPip
  • 22,575 posts
  • Gender:Male
  • Location:US
Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.
Ron Lewis
Manager, Online Support


If you've posted to the HJT forum and it has been over 5 days without a response please send a Private Message asking for assistance.