Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

TDSS Rootkit (possibly others too)

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

TDSS Rootkit (possibly others too)

Unread postby b.t. Tony » September 10th, 2009, 4:17 pm

I just wanted to start out by saying thanks for the anticipated help I am hoping to receive from the helpers on this forum. What you guys do here is pretty cool and you're all decent people for all that you do to help others out.

Jump to HijackThis Scan Results

Initial symptoms:
-IE redirects from Google search results;
-Fake Windows security balloon and dialogue box warning of infected system and prompting to click and have "Windows" download software to fix infection;
-Windows Disc Defragmenter GUI initialized but Analyze and Defragment buttons both yielded a dialogue box "Defragmenter could not start";
-Windows Task Manager would not load;
-BSOD "Driver_irq_not_less_or_equal" crashes, for the most part, at random, but when clearing cache with CCleaner, clicking the "Clear" command button was guaranteed to immediately cause the same BSOD;
-Spybot SD would not update and initializing caused same BSOD described above
-Zone Alarm (free) would initialize, but GUI failed to load
-Slow system performance
-Numerous Command Prompt windows loaded prior to Windows Explorer loading

What I've done so far:
-When I first noticed the command prompt windows, I was finally able to gain some control over my computer. I took notice of the name of the executable running the command scripts: ntvdm.exe. I searched for all files (hidden, etc) and found three instances. I deleted the 2 that were not the legitimate Windows OS file (Properties - Compatibility: Valid Windows OS files' compatibility cannot be set, the rogue files' compatibility can).

Then I attempted to run Spybot SD. Initialization caused one more BSOD. Upon reboot, I chose not to close the Error Report Dialogue box and for some reason, I was able to run a full scan with Spybot and found multiple infections (Password stealers, TDSS rootkits, backdoor trojans, adware, and others). I was not able to update Spybot at this time however. After the scan, I rebooted and everything was back to normal except:
-CCleaner caused BSOD "Driver_irq_not_less_or_equal"
-Defrag still wouldn't work
-IE still redirected links in Google search results (Firefox never gave me a problem this whole time)

Then I downloaded Malwarebytes AntiMalware, ran a full scan, fixed the problems found, rebooted, and defrag was working again and CCleaner no longer caused the BSOD. However, IE still was redirecting the links in Google searches. So I again ran Spybot (now able to update from TeaTimer's right-click menu from taskbar) but nothing serious found in Spybot scan. I then ran MBAM again, and it found the same TDSS Rootkit it found before. Finally, I downloaded HijackThis, scanned, and saved the .log file in order to get some help from someone this forum.

Please note: I've also already downloaded gmer.exe and performed a rootkit scan as prescribed by helpers in other, similar posts from this forum. All I have done thus far with gmer.exe is generate a .txt file and .log file of the rootkit scan performed (the "Show All" check box was not ticked).

Anyway, here is my HijackThis scan:

Scan saved at 12:48:24 PM, on 9/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

End of file - 3474 bytes

Thanks again.
b.t. Tony
Active Member
Posts: 2
Joined: September 10th, 2009, 2:00 pm
Register to Remove

Re: TDSS Rootkit (possibly others too)

Unread postby b.t. Tony » September 10th, 2009, 7:21 pm

Ok, nevermind. I'm going to reformat/reinstall my OS; it's really not that much more work than most of the malware removal techniques outlined in other posts I've read anyway. Not mention, there's no guarantee this type of infection can even be eradicated completely. I think a clean install is my best option. Thanks anyway.
b.t. Tony
Active Member
Posts: 2
Joined: September 10th, 2009, 2:00 pm

  • Similar Topics
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!

Who is online

Users browsing this forum: No registered users and 18 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware