Author Topic: tdlcmd.dll Search Engine Redirection  (Read 4789 times)

0 Members and 1 Guest are viewing this topic.

Offline padedc

  • Newbie
  • *
  • Posts: 2
tdlcmd.dll Search Engine Redirection
« on: January 12, 2010, 01:16:32 AM »
Hi, I've been having problems with my search results being redirected for the last couple days and have tried to figure out what the problem was but have had no success. The redirecting happens with any search engine I use. I've been trying to scan my computer with Malbytes Anti-malware and it keeps finding: C:\Windows\System32\tdlcmd.dll (Trojan.TDSS)

I delete this file and restart my computer but it always seems to find its way back. I'd appreciate it if anyone could help me out with this. Thanks in advance!

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67282
Re: tdlcmd.dll Search Engine Redirection
« Reply #1 on: January 12, 2010, 01:29:22 AM »
I suggest:

1. Clean your temporary files.
2. Schedule a boot time scanning with avast with archive scanning turned on. If avast does not detect it, you can try DrWeb CureIT! instead.
3. Use MBAM (or SUPERantispyware or even Spyware Terminator) to scan for spywares and trojans. If any infection is detected, better and safer is send the file to Quarantine than to simple delete them.
4. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.
5. Make a HijackThis log to post here or this analysis site. Or even submit the RunScanner log to to on-line analysis.
6. Clean your Hosts file (replacing it) with HostsMan tool.
7. Disable System Restore and then reenable it again.
8. Immunize your system with SpywareBlaster.
9. Check if you have insecure applications with Secunia Software Inspector.
The best things in life are free.

Offline padedc

  • Newbie
  • *
  • Posts: 2
Re: tdlcmd.dll Search Engine Redirection
« Reply #2 on: January 12, 2010, 01:52:17 AM »
Hey Tech, I did a Hijackthis scan and here's the logfile for that:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:50:49 PM, on 1/11/2010
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18349)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Users\Administrator\AppData\Roaming\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\SpywareBlaster\spywareblaster.exe
C:\Program Files\SpywareBlaster\spywareblaster.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Administrator\Favorites\Documents\Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com?o=15450&l=dis
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [VeohPlugin] "C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe"
O4 - HKCU\..\Run: [Octoshape Streaming Services] "C:\Users\Administrator\AppData\Roaming\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe" -inv:bootrun
O4 - Startup: OpenOffice.org 3.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Google Update Service (gupdate1ca91e94df83b03) (gupdate1ca91e94df83b03) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\Windows\system32\GameMon.des.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: Ventrilo - Unknown owner - C:\Program Files\VentSrv\ventrilo_svc.exe

--
End of file - 4280 bytes

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67282
Re: tdlcmd.dll Search Engine Redirection
« Reply #3 on: January 12, 2010, 11:25:44 AM »
I'm not sure, as I'm not an expert on cleaning. But your log seems clean.
Maybe the problem is on hosts file?
Did you follow the other steps?
The best things in life are free.

Offline mkis

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1620
Re: tdlcmd.dll Search Engine Redirection
« Reply #4 on: January 12, 2010, 01:24:12 PM »
Hi Padedc

You could try tdss killer from kapersky. I havent used the tool myself but here is a link that may help.

http://forum.avast.com/index.php?topic=52161.msg442176#msg442176

There is more info to be found on tdss in virus and worms section of forum
Avast7 Free, MBAM (on demand), MVPS Hosts

Intel DG41TY, Windows 7 Ultimate, IE9, Google Chrome, 4 GB ram, Secunia PSI, ccleaner, Foxit Reader, Faststone Image viewer, MWSnap.

Offline micky77

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 1048
  • Trust no program
Re: tdlcmd.dll Search Engine Redirection
« Reply #5 on: January 12, 2010, 05:50:04 PM »
You could try tdss killer from kapersky.
Yes you could. I'm no expert with rootkits, but I believe the tdss killer is only the start.You will probably  find that Atapi.sys is infected, and must be replaced. I have read posts where combofix can achieve this.

http://rootbiez.blogspot.com/2009/11/rootkit-tdl3-why-so-serious-lets-put.html
I Sandboxie

Offline CharleyO

  • Avast Evangelist
  • Starting Graphoman
  • ***
  • Posts: 7088
  • Be alert for error code - ID 10T
Re: tdlcmd.dll Search Engine Redirection
« Reply #6 on: January 14, 2010, 08:29:44 AM »
***

Welcome to the forums, padedc.   :)

An analysis of your HJT log shows the following problems :

It seems that you don't use an anti-virus scanner or your scanner is not active. Only an anti-virus scanner can protect you against new viruses. (this probably contributed to why your computer is infected)

We couldn't detect any active process of a firewall on your system. Possible reasons:
(1.) You are using the windows firewall or a hardware firewall.
(2.) You are using a firewall of an unknown vendor.
(3.) You are using a firewall, but for unknown reasons it is disabled
(4.) You don't use any firewall at all.
We recommend you to use a firewall. Download and install one or activate windows xp´s own firewall.

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
Unnecessary (deactivated) entry that can be fixed. LinkScannerIE.dll



Overview of running tasks :

Dwm.exe   
System task   
Desktop Window Manager

Explorer.EXE   
System task   
Microsoft Windows Explorer

taskeng.exe   
System task   
Task Scheduler Engine

MSASCui.exe   
Anti Add/Spyware software   
Microsoft Windows Defender Antispyware

RtHDVCpl.exe   
System task   
High definition audio codec driver from Realtek Semiconductor

rundll32.exe   
System task   
Microsoft Rundll32

jusched.exe   
Backgroundtask   
Sun Java Update Scheduler

sidebar.exe   
Backgroundtask   
Vista sidebar

btdna.exe   
Suspicious task   
Bittorrend DNA

veohwebplayer.exe   
Application   
Veoh Web Player

unsecapp.exe   
System task   
Microsoft Windows Management Instrumentation

OctoshapeClient.exe   
Backgroundtask   
Octoshape Live Streaming

soffice.exe   
Backgroundtask             ( this is very out-dated as OpenOffice is now at 3.0 )
OpenOffice.org (1.1.0)

soffice.bin   
Backgroundtask   
OpenOffice Module

firefox.exe   
Application   
Mozilla Firefox

spywareblaster.exe   
Anti Add/Spyware software   
Spyware Blaster

spywareblaster.exe   
Anti Add/Spyware software   
Spyware Blaster

SearchFilterHost.exe   
System task   
Microsoft® Windows® Operating System

HijackThis.exe   
Application   
Merijn Hijackthis


***
Self-built desktop (8 years old) - AMD64 3200+_Gigabyte GA-K8NS Ultra-939_4 gb RAM_GeForceFX 5800w/256 ram_XP/SP3_Avast 7_MBAM_ZA Free __and__ Toshiba Satellite Laptop_W7-64bit_ 4 gb Ram_Avast 8_MBAM