Full Version: WIN32 Trojan TDSS Issue
Trojan issue
Hello,

I have had the same or similar issue to the topic titled "Win32 Trojan TDSS, can't get rid of it" (topic 27016) earlier this week. I reviewed the string and have taken similar steps including the following:

1) Obtaining Initial HijackThis Logs
2) Running ComboFix
3) Obtaining updated HijackThis Logs

I tried to run Kaspersky Online Scanner, but this appears to be temporarily unavailable.

Attached are the Initial and post-ComboFix HijackThis Logs and the ComboFix Log.

The Trojan seems to have been removed (Ad-Aware is no longer finding the virus), but I am trying to find out if there is anything else I should do and if I should go ahead and uninstall ComboFix.

Thank you for your help!


Blade81
Hi,

One should never follow instructions given to some other user on one's own (in particular, ComboFix should be run only under the supervision of a trained helper!)

Generate an Uninstall List

* Open HijackThis
* Click on Open Misc Tools Section
* Click on Open Uninstall Manager
* Click on Save list
* Save it to your Desktop
* Post it on your next reply.
Trojan issue
Attached is the requested uninstall list from HijackThis.

I also produced DSS and Attach files initially and after using ComboFix if they are of use.

Thank you.

Blade81
Hi,

Start hjt, do a system scan only, checkmark:
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)

Close browsers and fix checked.

Use removal tool to remove Norton remnants there.


Open notepad and copy/paste the text in the quotebox below into it:

CODE
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
[-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]



Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.



Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


Get updates 8.1.3 and 8.1.6 for Adobe Reader here or get Foxit Reader here. Make sure you don't install the toolbar if you choose Foxit Reader! You may also check the free readers introduced here.


Uninstall your current Adobe shockwave player and get the fresh one here if needed.

Uninstall Macromedia Flash Player. Fresh version can be obtained here.



Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


* Go here to run an online scanner from ESET.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • Make sure that the option Remove found threats is UNchecked and the option Scan unwanted applications is checkmarked.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic, along with a fresh hjt log and above mentioned ComboFix resultant log.
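The two registry fixes in the post above (the orphan R3 URLSearchHook entry and the Security Center monitoring keys left behind by Norton) can be checked before anything is deleted. The following PowerShell script is an added example written for this thread, not code from Blade81, Lavasoft or the ComboFix/HijackThis authors; it is read-only and assumes the standard XP-era registry locations named in its comments, run from an elevated prompt.

```powershell
# Added example (not from the thread): read-only audit of the two kinds of
# remnant the fix above targets. It changes nothing; the HJT fix and the
# CFScript do the actual removal.

# 1. URLSearchHooks: each value name under these keys is a CLSID. HijackThis
#    prints one as "R3 - URLSearchHook: ... (no file)" when the CLSID has no
#    InprocServer32 registration or the DLL it points to no longer exists.
$hookRoots = @(
    'HKCU:\Software\Microsoft\Internet Explorer\URLSearchHooks',
    'HKLM:\Software\Microsoft\Internet Explorer\URLSearchHooks'
)

function Get-InprocServerPath {
    param([string]$Clsid)
    foreach ($classes in 'HKLM:\Software\Classes\CLSID', 'HKCU:\Software\Classes\CLSID') {
        $key = Join-Path $classes "$Clsid\InprocServer32"
        if (-not (Test-Path $key)) { continue }
        $raw = (Get-ItemProperty -Path $key).'(default)'
        if ($raw) {
            # Strip surrounding quotes and expand %SystemRoot%-style variables
            return [Environment]::ExpandEnvironmentVariables($raw.Trim('"'))
        }
    }
    return $null
}

foreach ($root in $hookRoots) {
    if (-not (Test-Path $root)) { continue }
    # GetValueNames() gives only the real registry values, not PS metadata
    $clsids = (Get-Item -Path $root).GetValueNames() | Where-Object { $_ -like '{*}' }
    foreach ($clsid in $clsids) {
        $dll = Get-InprocServerPath $clsid
        if (-not $dll) {
            "R3 ORPHAN  $clsid  (no CLSID registration)  in $root"
        } elseif (-not (Test-Path -LiteralPath $dll)) {
            "R3 ORPHAN  $clsid  (server missing: $dll)  in $root"
        } else {
            "R3 OK      $clsid  $dll"
        }
    }
}

# 2. Security Center monitoring: on XP SP2/SP3 each AV or firewall product that
#    registers with the Security Center gets a subkey here. Entries belonging
#    to a product that has since been uninstalled (SymantecAntiVirus and
#    SymantecFirewall after Norton was removed) are the keys the CFScript above
#    deletes; the leading "-" in "[-HKEY_LOCAL_MACHINE\...]" is the regedit
#    "delete this key" syntax that ComboFix's Registry:: section uses.
$monitoring = 'HKLM:\SOFTWARE\Microsoft\Security Center\Monitoring'
if (Test-Path $monitoring) {
    foreach ($entry in Get-ChildItem -Path $monitoring) {
        "Security Center monitoring entry: $($entry.PSChildName)"
    }
} else {
    "Security Center Monitoring key not present."
}
```

Compare the ORPHAN lines with the R3 entries in your HijackThis log before fixing them, and only put a Monitoring subkey into a CFScript when it names a product you have actually uninstalled; a key for a product that is still installed should be left alone.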
Trojan issue
I have followed the steps you suggested. Attached are the log files (combofix, Eset scan file, and hjt latest log file).

When I ran the ESET scan, there was no "scan unwanted programs" option, but there was a scan archives option, so I checked that. I did uncheck the "Remove found threats" option.

Prior to your last post, I performed a scan with McAfee to see if it found anything. It did quarantine a file in the following directory:
C:\Qoobox\Quarantine\C\WINDOWS\system32. Looks like these are the files that ComboFix found initially. Can this directory be deleted, or maybe it will be when ComboFix is uninstalled eventually?

Thanks for all your help.


Blade81
QUOTE
Prior to your last post, I performed a scan with McAfee to see if it found anything. It did quarantine a file in the following directory:
C:\Qoobox\Quarantine\C\WINDOWS\system32. Looks like these are the files that ComboFix found initially. Can this directory be deleted, or maybe it will be when ComboFix is uninstalled eventually?

Yes, I'll provide instructions for uninstalling below in this post.


Well congrats, it appears your system is all clean. Are you still noticing any problems? If not, it's time to secure your system to prevent further intrusions.


THESE STEPS ARE VERY IMPORTANT

Let's reset system restore
Reset and re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: you will lose all previous restore points, which are likely to be infected. Please note you need Administrator access to clean the restore points.

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
NOTE: only do this ONCE, NOT on a regular basis



Now lets uninstall ComboFix:
  • Click START then RUN
  • Now copy-paste "c:\documents and settings\Mandy\Desktop\KillMalware.exe" /u in the runbox and click OK


Please download OTC and save it to desktop.
  • Double-click OTC.exe.
  • Click the CleanUp! button.
  • Select Yes when the
    Begin cleanup Process?
    prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes, if not delete it by yourself.

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.



UPDATING WINDOWS AND INTERNET EXPLORER

IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site to get the critical updates.

If you are running Microsoft Office, or any portion thereof, go to the Microsoft's Office Update site and make sure you have at least all the critical updates installed (Free) Microsoft Office Update.


Make your Internet Explorer more secure

This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.



The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.
  • hosts file:
    • Every version of windows has a hosts file as part of them.
    • In a very basic sense, they are used to locate webpages.
    • We can customize a hosts file so that it blocks certain webpages.
    • However, it can slow down certain computers.
    • This is why using a hosts file is optional!!
    Download it here. Make sure you read the instructions on how to install the hosts file. There is a good tutorial here
    If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
    1. Click the start button (at the lower left hand corner of your screen)
    2. Click run
    3. In the dialog box, type services.msc
    4. hit enter, then locate dns client
    5. Highlight it, then double-click it.
    6. On the dropdown box, change the setting from automatic to manual.
    7. Click ok


Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


Once again, please post and tell me how things are going with your system... problems etc.

Have a great day,
Blade
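The Custom Level settings and the DNS Client change in the post above are all stored in the registry and the service database, so they can be verified without clicking through the dialogs. The script below is an added example written for this thread, not code from Blade81 or Lavasoft. It assumes the documented Internet Explorer zone layout (Internet zone is zone 3 under HKCU\...\Internet Settings\Zones; action IDs 1001, 1004, 1201, 1800, 1804 and 1607; data 0 = Enable, 1 = Prompt, 3 = Disable) and reports only, unless $Fix is set to $true.

```powershell
# Added example (not from the thread): audits the current user's Internet zone
# against the six Custom Level settings recommended above, then reports the
# DNS Client (Dnscache) start mode used in the hosts-file workaround.
# $Fix = $true writes the recommended values; the default is report-only.
$Fix = $false

# Zone action IDs and their meaning follow the documented IE zone registry
# layout (Microsoft KB182569). Value data: 0 = Enable, 1 = Prompt, 3 = Disable.
$zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$label   = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
$policy  = @(
    @{ Id = '1001'; Name = 'Download signed ActiveX controls';                         Want = 1 },
    @{ Id = '1004'; Name = 'Download unsigned ActiveX controls';                       Want = 3 },
    @{ Id = '1201'; Name = 'Initialize and script ActiveX controls not marked as safe'; Want = 3 },
    @{ Id = '1800'; Name = 'Installation of desktop items';                            Want = 1 },
    @{ Id = '1804'; Name = 'Launching programs and files in an IFRAME';                Want = 1 },
    @{ Id = '1607'; Name = 'Navigate sub-frames across different domains';             Want = 1 }
)

$zone = Get-ItemProperty -Path $zoneKey
$weak = 0
foreach ($p in $policy) {
    $cur = $zone.($p.Id)
    $curText = if ($null -eq $cur) { 'not set' }
               elseif ($label.ContainsKey([int]$cur)) { $label[[int]$cur] }
               else { "raw $cur" }
    if ($cur -eq $p.Want) {
        "OK    {0} {1,-58} {2}" -f $p.Id, $p.Name, $curText
    } else {
        $weak++
        "WEAK  {0} {1,-58} {2}  (want {3})" -f $p.Id, $p.Name, $curText, $label[$p.Want]
        if ($Fix) {
            # Same DWORD the Custom Level dialog writes
            Set-ItemProperty -Path $zoneKey -Name $p.Id -Value $p.Want -Type DWord
        }
    }
}
"$weak of $($policy.Count) Internet zone settings are weaker than recommended."

# Hosts-file step: the thread's workaround for slowdowns with a large blocking
# hosts file is to set the DNS Client service to Manual. Report its start mode
# and how many address lines the hosts file currently carries.
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='Dnscache'"
if ($svc) { "DNS Client start mode: $($svc.StartMode)  (state: $($svc.State))" }
$hostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$entries = @(Get-Content -Path $hostsFile | Where-Object { $_ -match '^\s*\d' }).Count
"hosts file has $entries address entries."
```

Run it once before and once after changing the settings in Internet Options, and the two reports should differ only in the WEAK lines. One caveat: if the machine has the Security_HKLM_only value set under HKLM\...\Internet Settings (a Group Policy setting), Internet Explorer reads the zone values from HKLM instead of HKCU, and the per-user values this script checks are ignored.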
Trojan issue
Thank you so much for all your help. My computer seems to be running at its pre-infection condition and I have followed all the steps recommended in your last post, including the hosts file. A few final questions if you have time to answer:

1) I still have a few of the programs installed on my computer that you recommended such as ATF Cleaner and ESET online Scanner. Do you recommend keeping these on the computer and using periodically (especially the cleaner) or deleting?

2) I have an external backup hard drive that I disconnected immediately upon recognizing that the computer was infected. The last backup performed of any files on my computer was over 3 days before I saw any issues with the computer. Also, it does not back up the system files, so I suspect it would not have backed up anything malicious, but do you recommend any scans to be sure?

3) I believe this virus made it through an email attachment that should not have been opened, but regardless McAfee did not detect it. Is this virus program adequate (supplied by my internet provider) with the additional security measures you have recommended, or do you recommend something different? Also, should I have anything else running regularly to supplement McAfee?

4) Finally, my computer does take a while to boot up (this was also the case before the virus). Did ComboFix clean up the registry as well as it is going to get, or is there something else I should be doing to make it run as efficiently as possible? I recognize that it may just be my machine, as it is a few years old now.

Thanks Again!!!
Blade81
You're welcome

1) I'd leave ATF Cleaner installed and run it occasionally. The online scanner can be uninstalled.
2) It would do no harm to check the backups with your scanner.
3) Probably the definitions didn't contain the threat yet. This is possible with any email scanner. One should be careful with email attachments. Only open those you know are from reliable sources. If an attachment looks dubious, it's better to ask the sender whether it was really sent by him/her.
4) Registry cleaners are not key to smoother performance. See hints for performance improving here.
Blade81
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact the staff member who was helping you with your issue.

Everyone else please begin a New Topic.

Thank you !