Problems removing Win32.TDSS.rtk and other malware

Status
Not open for further replies.
I eliminated those files and I did the FixServices.bat operation, and everything was OK, but I couldn't find this folder: C:\ARCHIV~1\AVG; it just isn't there.



Here is the report of the malware found by Avira:


Exported events:

01/06/2009 14:43 [Scanner] Malware found
The file
'C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\ovfsthxtpkbmqrm.sys.vir'
contained a virus or unwanted program 'TR/Dropper.Gen' [trojan]
Action(s) taken:
An error has occurred and the file was not deleted. ErrorID: 26004.
The source file could not be found.
Attempting to perform action using the ARK library.
Error in ARK library.
The file is scheduled for deleting after reboot.

01/06/2009 14:43 [Scanner] Scan
Scan ended [The scan has been done completely.].
Number of files: 283009
Number of folders: 6662
Number of malware: 8
Number of errors: 10

01/06/2009 14:43 [Scanner] Malware found
The file 'C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthxymdbnpil.dll.vir'
contained a virus or unwanted program 'TR/Crypt.ZPACK.Gen' [trojan]
Action(s) taken:
An error has occurred and the file was not deleted. ErrorID: 26004.
The source file could not be found.
Attempting to perform action using the ARK library.
Error in ARK library.
The file is scheduled for deleting after reboot.

01/06/2009 14:42 [Scanner] Malware found
The file 'C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthxkogmedvg.dll.vir'
contained a virus or unwanted program 'TR/Crypt.ZPACK.Gen' [trojan]
Action(s) taken:
An error has occurred and the file was not deleted. ErrorID: 26004.
The source file could not be found.
Attempting to perform action using the ARK library.
Error in ARK library.
The file is scheduled for deleting after reboot.

01/06/2009 14:42 [Scanner] Malware found
The file 'C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthxftjcbfoo.dll.vir'
contained a virus or unwanted program 'TR/TDss.GG' [trojan]
Action(s) taken:
An error has occurred and the file was not deleted. ErrorID: 26004.
The source file could not be found.
Attempting to perform action using the ARK library.
Error in ARK library.
The file is scheduled for deleting after reboot.

01/06/2009 14:42 [Scanner] Malware found
The file 'C:\System Volume
Information\_restore{5950D50D-200B-4DB6-B90D-3AD995F33F63}\RP910\A0126332.dll'
contained a virus or unwanted program 'TR/Crypt.ZPACK.Gen' [trojan]
Action(s) taken:
An error has occurred and the file was not deleted. ErrorID: 26004.
The source file could not be found.
Attempting to perform action using the ARK library.
Error in ARK library.
The file is scheduled for deleting after reboot.

01/06/2009 14:41 [Scanner] Malware found
The file 'C:\System Volume
Information\_restore{5950D50D-200B-4DB6-B90D-3AD995F33F63}\RP910\A0126331.dll'
contained a virus or unwanted program 'TR/Crypt.ZPACK.Gen' [trojan]
Action(s) taken:
An error has occurred and the file was not deleted. ErrorID: 26004.
The source file could not be found.
Attempting to perform action using the ARK library.
Error in ARK library.
The file is scheduled for deleting after reboot.

01/06/2009 14:38 [Scanner] Malware found
The file 'C:\System Volume
Information\_restore{5950D50D-200B-4DB6-B90D-3AD995F33F63}\RP910\A0126330.dll'
contained a virus or unwanted program 'TR/TDss.GG' [trojan]
Action(s) taken:
An error has occurred and the file was not deleted. ErrorID: 26004.
The source file could not be found.
Attempting to perform action using the ARK library.
Error in ARK library.
The file is scheduled for deleting after reboot.

01/06/2009 14:38 [Scanner] Malware found
The file 'C:\System Volume
Information\_restore{5950D50D-200B-4DB6-B90D-3AD995F33F63}\RP910\A0126328.sys'
contained a virus or unwanted program 'TR/Dropper.Gen' [trojan]
Action(s) taken:
An error has occurred and the file was not deleted. ErrorID: 26004.
The source file could not be found.
Attempting to perform action using the ARK library.
Error in ARK library.
The file is scheduled for deleting after reboot.

01/06/2009 14:37 [Scanner] Malware found
The file 'C:\System Volume
Information\_restore{5950D50D-200B-4DB6-B90D-3AD995F33F63}\RP910\A0126331.dll'
contained a virus or unwanted program 'TR/Crypt.ZPACK.Gen' [trojan]
Action(s) taken:
The file was moved to '4bf48c57.qua'!

01/06/2009 14:37 [Scanner] Malware found
The file 'C:\System Volume
Information\_restore{5950D50D-200B-4DB6-B90D-3AD995F33F63}\RP910\A0126332.dll'
contained a virus or unwanted program 'TR/Crypt.ZPACK.Gen' [trojan]
Action(s) taken:
The file was moved to '4bc86d37.qua'!

01/06/2009 14:37 [Scanner] Malware found
The file 'C:\System Volume
Information\_restore{5950D50D-200B-4DB6-B90D-3AD995F33F63}\RP910\A0126328.sys'
contained a virus or unwanted program 'TR/Dropper.Gen' [trojan]
Action(s) taken:
The file was moved to '4a55120e.qua'!

01/06/2009 14:37 [Scanner] Malware found
The file 'C:\System Volume
Information\_restore{5950D50D-200B-4DB6-B90D-3AD995F33F63}\RP910\A0126330.dll'
contained a virus or unwanted program 'TR/TDss.GG' [trojan]
Action(s) taken:
The file was moved to '4bf5849f.qua'!

01/06/2009 14:37 [Scanner] Malware found
The file 'C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthxftjcbfoo.dll.vir'
contained a virus or unwanted program 'TR/TDss.GG' [trojan]
Action(s) taken:
The file was moved to '4a8a1254.qua'!

01/06/2009 14:37 [Scanner] Malware found
The file
'C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\ovfsthxtpkbmqrm.sys.vir'
contained a virus or unwanted program 'TR/Dropper.Gen' [trojan]
Action(s) taken:
The file was moved to '494af0a5.qua'!

01/06/2009 14:37 [Scanner] Scan
Scan ended [The scan has been done completely.].
Number of files: 283211
Number of folders: 6663
Number of malware: 8
Number of errors: 2

01/06/2009 14:37 [Scanner] Malware found
The file 'C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthxkogmedvg.dll.vir'
contained a virus or unwanted program 'TR/Crypt.ZPACK.Gen' [trojan]
Action(s) taken:
The file was moved to '4b1075b5.qua'!

01/06/2009 14:37 [Scanner] Malware found
The file 'C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthxymdbnpil.dll.vir'
contained a virus or unwanted program 'TR/Crypt.ZPACK.Gen' [trojan]
Action(s) taken:
The file was moved to '4b166525.qua'!



Here is the report by Malwarebytes:


Malwarebytes' Anti-Malware 1.37
Versión de la Base de Datos: 2211
Windows 5.1.2600 Service Pack 2

02/06/2009 12:31:53 a.m.
mbam-log-2009-06-02 (00-31-53).txt

Tipo de examen : Examen Rápido
Objetos examinados: 88921
Tiempo transcurrido: 5 minute(s), 53 second(s)

Procesos en Memoria Infectados: 0
Módulos en Memoria Infectados: 0
Claves del Registro Infectadas: 4
Valores del Registro Infectados: 0
Elementos de Datos del Registro Infectados: 0
Carpetas Infectadas: 0
Ficheros Infectados: 1

Procesos en Memoria Infectados:
(No se han detectado elementos maliciosos)

Módulos en Memoria Infectados:
(No se han detectado elementos maliciosos)

Claves del Registro Infectadas:
HKEY_CLASSES_ROOT\slidershow.slidershowctrl (Adware.LuckyTender) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\slidershow.slidershowctrl.1 (Adware.LuckyTender) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3794345d-c731-4fbb-8471-73ddc8dffdd2} (Adware.LuckyTender) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\2062c6b9-9015-34e4-2f08-63dae0dcf2d0 (Adware.Adrotator) -> Quarantined and deleted successfully.

Valores del Registro Infectados:
(No se han detectado elementos maliciosos)

Elementos de Datos del Registro Infectados:
(No se han detectado elementos maliciosos)

Carpetas Infectadas:
(No se han detectado elementos maliciosos)

Ficheros Infectados:
c:\WINDOWS\system32\2062c6b9-9015-34e4-2f08-63dae0dcf2d0.exe (Adware.Adrotator) -> Quarantined and deleted successfully.



And finally here is the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:54:45 a.m., on 02/06/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Avira\AntiVir Desktop\sched.exe
C:\Archivos de programa\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\msg32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4V1.EXE
C:\Archivos de programa\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\crypserv.exe
C:\Archivos de programa\Java\jre6\bin\jqs.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Archivos de programa\Mozilla Firefox\firefox.exe
C:\Archivos de programa\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pagina12.com.ar/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Archivos de programa\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Archivos de programa\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [EW Message Server] msg32.exe
O4 - HKLM\..\Run: [EPSON Stylus CX1500 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4V1.EXE /P26 "EPSON Stylus CX1500 Series" /O5 "LPT1:" /M "Stylus CX1500"
O4 - HKLM\..\Run: [EPSON Stylus CX1500 Series (Copiar 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4V1.EXE /P37 "EPSON Stylus CX1500 Series (Copiar 1)" /O6 "USB001" /M "Stylus CX1500"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Archivos de programa\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Archivos de programa\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\cssdll32.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Archivos de programa\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Archivos de programa\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Archivos de programa\Ares\chatServer.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Archivos de programa\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Archivos de programa\Archivos comunes\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Archivos de programa\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Archivos de programa\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe (file missing)

--
End of file - 6369 bytes
 
Latrodectus,

That folder may be gone; you said that you deleted it in the past, and the rest of AVG is gone also, so you should be OK.

C:\Qoobox\Quarantine <--- What Avira found were the backups from running Combofix; these will be flushed out when we're done.

C:\System Volume Information\_restore{ <-- These are all entries in your Windows System Restore program; they're harmless unless you use the program to restore your system to an earlier date, but we're going to flush them all out now.

System Restore makes regular backups of all your settings. If you ever had to use this program to restore your system to a previous date, you would be infected all over again, so we need to clean out the previous Restore Points.

Turn off System Restore.

  • Right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore on all Drives.
  • Click Apply, and then click OK.

Reboot your computer

Turn ON System Restore.

  • Right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • UN-Check Turn off System Restore on all Drives.
  • Click Apply, and then click OK.

Create a new Restore Point <-- Very Important

  • Go to Start > All Programs > Accessories > System Tools > System Restore and create a New Restore Point
System Restore Tutorial <-- If you need it


Everything else looks fine, how are things running now??
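The triage Ken does by hand above (the Avira hits live in the ComboFix quarantine and in System Restore points, not on the live system) can be automated over the exported Avira event format quoted earlier in the thread. This is an added example, not code from the thread, from Avira or from any of the tools mentioned; the sample log is a constructed excerpt in that format, and the category names are my own.

```python
import re
from collections import Counter

# Constructed sample in the Avira "Exported events" format quoted in this thread
# (paths wrap across lines exactly as the exported report wraps them).
SAMPLE_LOG = r"""
01/06/2009 14:43 [Scanner] Malware found
The file
'C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\ovfsthxtpkbmqrm.sys.vir'
contained a virus or unwanted program 'TR/Dropper.Gen' [trojan]
Action(s) taken:
The file is scheduled for deleting after reboot.

01/06/2009 14:37 [Scanner] Malware found
The file 'C:\System Volume
Information\_restore{5950D50D-200B-4DB6-B90D-3AD995F33F63}\RP910\A0126332.dll'
contained a virus or unwanted program 'TR/Crypt.ZPACK.Gen' [trojan]
Action(s) taken:
The file was moved to '4bc86d37.qua'!
"""

HEADER = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}) \[(\w+)\] (.+)$")
FINDING = re.compile(r"The file '(.+?)' contained a virus or unwanted program '(.+?)' \[(\w+)\]")

def classify_location(path):
    """Is the flagged file a stale copy (quarantine, restore point) or on the live system?"""
    p = path.lower()
    if p.startswith(r"c:\qoobox\quarantine"):
        return "combofix_quarantine"
    if r"\system volume information\_restore" in p:
        return "system_restore"
    return "live_system"

def classify_action(text):
    if "was moved to" in text:
        return "quarantined"
    return "delete_on_reboot" if "scheduled for deleting after reboot" in text else "unknown"

def parse_avira_events(log_text):
    """Return one dict per 'Malware found' event; other event kinds (e.g. 'Scan') are skipped."""
    findings = []
    for block in re.split(r"\n\s*\n", log_text.strip()):
        lines = block.splitlines()
        m = HEADER.match(lines[0])
        if not m or m.group(3) != "Malware found":
            continue
        body = " ".join(line.strip() for line in lines[1:])  # re-join wrapped paths
        f = FINDING.search(body)
        if not f:
            continue
        path, name, kind = f.groups()
        findings.append({"time": m.group(1), "path": path, "detection": name, "kind": kind,
                         "location": classify_location(path),
                         "action": classify_action(body.split("Action(s) taken:", 1)[-1])})
    return findings

def summarize(findings):
    """Count (location, action) pairs; only live_system entries point at an active infection."""
    return Counter((f["location"], f["action"]) for f in findings)
```

Running `summarize(parse_avira_events(SAMPLE_LOG))` shows no `live_system` entries, which is exactly why the remaining cleanup is to flush the quarantine folder and the old restore points.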
 
Everything looks just fine thanks to you. I want to have a baby with you, will you marry me? And by the way... should I uninstall Ad-Aware too? 'Cause I thought it was an antispyware program, but it is a whole antivirus. Tell me WHAT antivirus and antimalware I should have on my computer, please!
 
Hello,

Glad all is well. I appreciate your offer.

You should never have more than one antivirus program and one firewall installed; more would be overkill and can cause problems. You have Avira AntiVir and the Comodo Firewall, so you're fine with those.

Ad-Aware is a fine program; it's not a virus, so you can keep it. You also have Spybot Search and Destroy installed, and that is another great program, so keep them both.

Malwarebytes is another great program, so I would keep it; run it every few weeks, check for updates and run the scan.

This will clean you up; it will remove Combofix and the Qoobox folder.


ATF Cleaner <-- Yours to keep, run it now and then to clean out the clutter.

Combofix <--- Is not a general cleaning tool; just run it with supervision or you can bork your system.

  • Click START then RUN
  • Now type Combofix /u in the run box and click OK. Note the space between the X and the U; it needs to be there.


  • When shown the disclaimer, Select "2"

The above procedure will:
  • Delete the following:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\Deckard folder, if present
    • The C:\_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.





Keep in mind, if you install some of these programs: only ONE antivirus and only ONE firewall are recommended; more is overkill and can cause you problems. You can install all the spyware programs I have listed without any problems. If you install Spyware Blaster and Spyware Guard, they will conflict with the TeaTimer in Spybot; you can still install Spybot Search and Destroy, but do not enable the TeaTimer.


Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community:
  • Spybot Search and Destroy 1.6
    Check for Updates/ Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster ( Recommended ) then do not enable the TeaTimer in Spybot Search and Destroy.
  • Spyware Blaster: It will prevent most spyware from ever being installed. No scan to run; just update about once a week and enable all protection.
  • Spyware Guard: It offers real-time protection from spyware installation attempts. Again, no scan to run; just install it and let it do its thing.
  • IE-Spyad
    IE-Spyad places over 6000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • Firefox 3: It has more features and is a lot more secure than IE. It is a very easy and painless download and install; it will in no way interfere with IE, and you can use them both.


Safe Surfn
Ken
 
Sorry, with all the programs we ran I forgot to add this. This is a great free tool that cleans out your temp files and Temporary Internet Files, which tend to clog a system down. You should run this tool every few weeks or so to keep your system running nice and smooth.


Please download ATF Cleaner by Atribune to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
Your system may start up slower after running ATF Cleaner; this is expected, but it will be back to normal after the first or second boot-up.
Please note: If you use online banking or are registered online with any other organizations, ensure you have memorized your passwords and other personal information, as removing cookies will temporarily disable the auto-login facility.


Take care,

ken :)
 
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.
 