phantomphantom Posted January 13, 2009
Hi, Could someone give me a hand removing the backdoor.tdss.aru trojan? I noticed Google had started redirecting me to other websites, so I downloaded and ran Spyware Terminator (I've only got AVG antivirus installed) and it found the following:
180searchassistant
windows\system32\TDSSoiqh.dll
It removed 180searchassistant but not the TDSSoiqh.dll. I downloaded Malwarebytes Anti-Malware but it wouldn't let me run the installer - I've read you can rename the .exe to either .bat, .com or .scr - haven't done this yet - as I just wanted to check what's the best way to remove this trojan. I'm in work at the mo - so on a clean computer and have changed all my passwords and spoken to my bank/credit card people - just in case. What's the best course of action? Thanks in advance, Jim
BeeCeeBee Posted January 13, 2009
You need to do a complete disinfection process when you get back to your machine from work. You may want to consider an alternative to AVG. The following process has proved highly effective; please follow it carefully. Please let us know how you get on.

Malware is software designed to infiltrate or damage a computer system without the owner's informed consent. It is a combination of the words malicious and software. The expression is a general term used by computer professionals to mean a variety of forms of hostile, intrusive, or annoying software or program code.

Required Cleanup Steps
1. Disable the Spybot Search & Destroy TEA TIMER if you use it and if it is enabled
2. Run a Temporary file and cache cleaner (ATF)
3. Run 2 Anti-Malware scanners (Listed Below)
4. Run an Online Anti-Virus / Anti-Malware Scanner (Listed Below)
5. Clear out old System Restore points

If continued Malware type activity is present you may be asked to post a TrendMicro HijackThis Log file; do not do so unless requested.

The reason to run multiple scanners is to ensure that no single scanner is missing something. The time it takes will vary depending on your system and your internet connection speed. Typically the SUPERAntiSpyware and Malwarebytes scanners will take between 10 to 90 minutes. The ESET online scan should take between 1 to 3 hours. In most cases, these scans will suffice to clean and disinfect your computer. Heavily infected systems or slower PCs can take much longer to scan and clean.

For best results print the following instructions and bookmark this Web page. To keep this guide printer-friendly, use your cursor to highlight the contents below. From your browser select File - Print and in the printer dialog box under "Print range" click the Selection choice to print out these instructions for removal of malware.
http://i306.photobucket.com/albums/nn266/FPCH/Malware%20Guide/printer-selection.gif

____________________________________________
STEP 1
Disable Spybot Search & Destroy's TEA TIMER (if installed; if not, go to Step 2):
Run Spybot-S&D in Advanced Mode. If it is not already set to do this, go to the Mode menu and select "Advanced Mode".
On the left hand side, click on Tools, then click on the Resident icon in the list.
Uncheck "Resident TeaTimer" and OK any prompts.
Restart your computer.

__________________________________________________
STEP 2
Follow these instructions carefully. Download ATF-Cleaner from Snapfiles.com to remove un-needed temporary files from your computer that may contain malware.
When you run ATF-Cleaner, check the items as shown below for Main.
For FireFox, be sure to click on the FireFox tab on top and check the items as shown below for FireFox.
NOTE: If you don't have FireFox or Opera installed then they will be grayed out and can be ignored.
Then click on "Empty Selected".
http://i306.photobucket.com/albums/nn266/FPCH/Malware%20Guide/atf-cleaner01.gif
http://i306.photobucket.com/albums/nn266/FPCH/Malware%20Guide/atf-cleaner02.gif

__________________________________________________
STEP 3
Install and run the free version (not the Professional version) of SUPERAntiSpyware from SUPERAntiSpyware.com.
Accept any prompts to allow SUPERAntiSpyware to install the latest rules and infection definition files.
You do not have to send them your e-mail address; just click Next.
You can leave the automated check for updates on.
You can uncheck "Send a diagnostic report to research center" if you don't want to send the information.
DO NOT allow SUPERAntiSpyware to protect your Home Page settings.
On the top left select the "Scan your computer" button.
Make sure there is a CHECK MARK on all Fixed Drives.
Click "Perform a Complete Scan".
Click "Next" to repair issues found and reboot the computer when prompted to do so.

__________________________________________________
STEP 4
Install and run Malwarebytes' Anti-Malware from Malwarebytes (direct download).
Accept all defaults for the installer.
Allow the program to update the definitions.
Click on the Quick Scan and click Next.
If any items are found allow it to clean them and then reboot your computer.

__________________________________________________
STEP 5
Run an online scan with ESET from Free Virus Scan: Use ESET's Online Antivirus Scanner.
You must use Internet Explorer for this online scan. FireFox, Opera, etc. will not work for this scan.
If your computer is running Windows Vista, then you must first start Internet Explorer as an Administrator. To do so, right-click on the Internet Explorer icon in the Start Menu and select "Run as administrator" from the popup context menu.
Accept the terms and click "Start".
Once the scanner is ready, check "Remove found threats" AND "Scan unwanted applications".
Click "Start" to begin the scan.
When completed, restart your computer.

__________________________________________________
Make sure your internet firewall security is enabled, and then please return to Extreme Tech Support - Free PC Help and tell us how the computer seems to be operating. At that time, you will receive instructions to assist you in removing malicious programs from your Add/Remove program list if warranted.

If required, this is the download link for TrendMicro HijackThis. Unless instructed to by the Technician helping you, do not download this tool.

Once you and the Technician agree that your system appears to be clean then you should delete all your System Restore points and recreate a new one. Please follow the instructions here:
How to turn off and turn on System Restore in Windows XP
How to turn off and turn on System Restore in Windows Vista

"Familiarity breeds contempt - and children." Mark Twain
phantomphantom (Author) Posted January 13, 2009
Excellent - thanks for that. I've followed your instructions this eve and will report back.
>internet firewall security
What free firewall s/w do you recommend? Also someone suggested Avira Antivirus as a better alternative to AVG - what do you think? Thanks, Jim
BeeCeeBee Posted January 13, 2009
Have a look at this when you are done. You will find little argument over the Avira vs. AVG issue on this forum, Phantom.
http://extremetechsupport.com/forum/malware-removal-av-firewalls-etc/3597-free-pc-help-recommended-security-products.html
phantomphantom (Author) Posted January 13, 2009
Smart - thanks for the prompt replies. Loving this website already! :)
phantomphantom (Author) Posted January 14, 2009
Right - went through the steps last night. It wouldn't allow me to run some of the programs at first until I renamed them.
At step 3 it found 246 files infected (mainly adware) and 80 in the registry (a harsh lesson in not having any spyware software installed.)
At step 4 it found 10 objects.
At step 5 it found 1 file and deleted it.
After that I installed Avira AntiVir and removed AVG. Set up Comodo as my firewall. System seemed to run a treat after that. MASSIVE THANKS beeceebee! Great advice - given really promptly. My Windows booted up ok and no annoying browser issues. :)
Couple of questions.
1) I started my Avira to do a scan this morning and it found Boo/Sinowal, a boot sector virus. I had to pause it before it was 100% and shut it as I had to leave for work. Is Boo a problem and is there anything I can check this eve to definitely make sure any trojans etc. are gone?
2) Also I have a router connected to my computer for wireless for 2 other people in my house. Could anything have been passed over to them via wireless? Housemate had done a scan the other day with Norton and found nothing.
Btw your link to ATF-Cleaner on snapfiles.com is outdated.
This was definitely a lesson in not having proper spyware & firewall software installed. Will defo be making a donation as your advice was spot on! :) Jim
BeeCeeBee Posted January 14, 2009 (edited)
Glad it has worked out!! Regarding your questions:
Allow Avira to remove or quarantine the Boo/Sinowal virus. It is unfortunate that you didn't get to finish your scan.
As for the router, it has no hard drive and does not store data that passes through it. Unless your housemates have gone to the same source as you there is no cause for concern.
By the way, thanks for the heads up on the link; it will be amended.
Edited January 14, 2009 by BeeCeeBee
phantomphantom (Author) Posted January 15, 2009
Boo Sinowal - I finished the scan with Avira and it recommended their AntiVir Boot Sector Repair Tool or the AntiVir Rescue System to fix it. Downloaded both and tried both. It runs to the point of asking for a CD. I've put in several blank CDs - the CD spins for a little bit and then Windows locks up. Tried this several times but no progress. Is there another way or another program to remove Boo Sinowal? Thanks, Jim
phantomphantom (Author) Posted January 15, 2009
Just doing a Google and it seems a few people have cleared up Boo using Dr.Web CureIt. Is Dr.Web CureIt safe to use? Or effective?
Guest Wolfeymole Posted January 15, 2009
What CD does it ask for? The Windows CD? It may well be that the repair tool needs burning as an ISO and then booting from that.
phantomphantom (Author) Posted January 15, 2009
It doesn't specifically say... Is it worth trying the Windows CD?
DirtyPolo Posted January 15, 2009 (edited)
I doubt a 3rd party program would be asking you to insert the Windows CD without specifying. Do both of the programs you mentioned ask for this CD?
Edited January 15, 2009 by DirtyPolo
BeeCeeBee Posted January 15, 2009
Just to be sure, Phantom, is this the tool you are trying to get? Avira Boot Sector Repair Tool
phantomphantom (Author) Posted January 15, 2009
Yep - that's the one. It just asks you to select the burning device.
BeeCeeBee Posted January 15, 2009
Ok, that is because you are required to create an ISO on a CD. What software do you use to burn CDs and DVDs?
phantomphantom (Author) Posted January 15, 2009
Nero (for my sins) ;-)
RandyL Posted January 15, 2009
First of all stick with the Avira tools for now. Dr.Web CureIt is an advanced tool. Run the exe Removal tool first. Also read the manual first. Next run the repair tool. You will need to burn it to a CD as an ISO image or to a floppy disk. After that boot up with the CD or floppy in and follow the steps.
We are all members helping other members. Please return here where you may be able to help someone else. After all, no one knows everything and you may have the answer that someone needs.
BeeCeeBee Posted January 15, 2009 (edited)
I think I see the problem you are having, Phantom. When you try to run the tool it asks you to put a blank CD in your drive and confirm the device. That is all well and good but will not work since XP cannot simply burn an ISO directly to a disc. If you exit it will ask you if you want to save it as an ISO and you should say yes to that. After that is complete you must go to where you have saved the ISO and burn that to your CD using Nero. You should then be able to run the tool.
Edited January 15, 2009 by BeeCeeBee
phantomphantom (Author) Posted January 15, 2009
Ah right - I think that makes sense. :) So I exit the program - it asks me if I want to save the ISO. I save it somewhere on my h/d. I then burn that ISO file to a CD. Then I insert that CD once Avira Boot Sector Repair Tool starts up. Is that correct?
BeeCeeBee Posted January 15, 2009 (edited)
That is correct. Just exit the window where it asks you to put a CD in the drive using the exit button (do not just close the window.) I would simply save it to my desktop. There is, however, one issue. This is a boot sector repair tool. So once you have burned the ISO you should shut down the PC, put the CD you created into the drive and reboot and follow any directions you may receive. (I have never seen this tool in action so I have no idea what, if anything, it may ask you to do.) If that does not work you may have to adjust the boot sequence in your BIOS. Unfortunately Avira seems to give little by way of instruction on the site. Before you concern yourself with the BIOS, however, first see if the program works when you reboot and if not then try it again after a normal reboot and while you are in Windows.
Edited January 15, 2009 by BeeCeeBee
phantomphantom (Author) Posted January 15, 2009
Update - I saved the ISO and burnt it as test.iso to a CD (does it matter what it's called, as it didn't supply a default?) Turned off the computer with the CD in and let it boot. It was definitely accessing the CD on bootup and it went straight through to Windows fine. Did a scan with Avira and it found the Boo Sinowal again on Master boot sector HD1. Was I doing something wrong? Or is there anything else to try? Thanks for your continued help. Appreciate it. Jim
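Jim's observation that the machine still boots straight into Windows while Avira keeps reporting Boo/Sinowal on the master boot sector is typical of MBR rootkits of this class: they replace the 446-byte bootstrap code and leave the partition table intact, so nothing looks wrong at boot. An integrity check of the bootstrap area against a baseline taken while the disk was known-good is therefore the check a defender wants. The script below is an added example and is not code from this thread or from Avira's tool; it assumes the baseline hash was recorded earlier, and the MBR bytes it checks are constructed sample data, not captured from any real disk.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446            # bytes 0..445: bootstrap code, disk signature, padding
PARTITION_TABLE_OFF = 446      # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511 on every valid MBR


def read_mbr(device_path: str) -> bytes:
    # e.g. r"\\.\PhysicalDrive0" on Windows (run as administrator) or "/dev/sda" on Linux
    with open(device_path, "rb") as fh:
        return fh.read(MBR_SIZE)


def parse_partition_table(mbr: bytes) -> list:
    """Return the four partition entries as dicts (empty entries included)."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    entries = []
    for i in range(4):
        # entry layout: status, CHS start (3), type, CHS end (3), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", mbr, PARTITION_TABLE_OFF + 16 * i)
        entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def boot_code_hash(mbr: bytes) -> str:
    """SHA-256 of the bootstrap area only; the partition table is checked separately."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def check_mbr(mbr: bytes, baseline_boot_hash: str) -> list:
    """Return findings; an empty list means the MBR matches the clean baseline."""
    findings = []
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    if boot_code_hash(mbr) != baseline_boot_hash:
        findings.append("bootstrap code differs from clean baseline")
    entries = parse_partition_table(mbr)
    bootable = [e for e in entries if e["bootable"]]
    if len(bootable) != 1:
        findings.append(f"expected one bootable partition, found {len(bootable)}")
    for e in entries:
        if e["type"] != 0 and e["sectors"] == 0:
            findings.append(f"partition {e['index']} has type 0x{e['type']:02x} but zero length")
    return findings


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample: given bootstrap bytes plus one bootable NTFS partition at LBA 63."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 63, 2_000_000)
    return code + entry + b"\x00" * 48 + BOOT_SIGNATURE


# Constructed data, not bytes captured from any real disk.
CLEAN_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")  # stand-in "cli; xor ax,ax; ..." prologue
CLEAN_BASELINE = boot_code_hash(CLEAN_MBR)                         # recorded while the disk was known-good
TAMPERED_MBR = build_sample_mbr(b"\xeb\x3c\x90\x90\x90")           # different code, same partition table

if __name__ == "__main__":
    print("clean   :", check_mbr(CLEAN_MBR, CLEAN_BASELINE) or "OK")
    print("tampered:", check_mbr(TAMPERED_MBR, CLEAN_BASELINE))
```

The tampered sample parses to exactly the same partition table as the clean one, so a check that only validates the table would pass it; only the hash of the bootstrap area catches the change. Taking the baseline from a clean install (or from the repair tool's freshly written MBR) and re-checking after each reboot is how you confirm a repair actually stuck, rather than relying on the machine booting normally.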
Guest Wolfeymole Posted January 15, 2009
Did you go into the BIOS and change the first boot option to the CDROM first? At the same time pop the disk in and make sure you save the changes in the BIOS by pressing (usually) F10.
phantomphantom (Author) Posted January 15, 2009
Hi Wolfeymole, Yes I checked again that the BIOS was set to boot to the CD drive first and it was... Again it booted up fine from CD straight through to Windows. Should it have written a new boot sector or something?
BeeCeeBee Posted January 15, 2009
Well Phantom, I thought I knew what was wrong but you have already discounted that. Since I do not know what directions there are for that tool I am going to suggest one more thing. Try to run the program from the disc while you are in Windows. There is a chance that it may need to start from Windows and then may direct you to do a restart. That is a guess, pure and simple, but it cannot hurt to try.
phantomphantom (Author) Posted January 15, 2009
If I double click on that ISO file it opens up similar to a .rar or .zip file. In it is a folder called CVS and once that folder is open it contains the following files:
Template (size 0)
Root (size 55k)
Repository (size 47k)
Entries.Old (size 0)
Entries.Extra.Old (size 0)
Entries.Extra (size 65)
Entries (size 140)
Do you think it's a case of extracting these files and putting them on another CD and giving that a go?