Topic: tdlcmd.dll Search Engine Redirection

padedc (Newbie)
tdlcmd.dll Search Engine Redirection
« on: January 12, 2010, 01:16:32 AM »
Hi, I've been having problems with my search results being redirected for the last couple of days and have tried to figure out what the problem was, but have had no success. The redirecting happens with any search engine I use. I've been trying to scan my computer with Malwarebytes Anti-Malware and it keeps finding: C:\Windows\System32\tdlcmd.dll (Trojan.TDSS)

I delete this file and restart my computer, but it always seems to find its way back. I'd appreciate it if anyone could help me out with this. Thanks in advance!

Lisandro (Avast team)
Re: tdlcmd.dll Search Engine Redirection
« Reply #1 on: January 12, 2010, 01:29:22 AM »
I suggest:

1. Clean your temporary files.
2. Schedule a boot-time scan with avast with archive scanning turned on. If avast does not detect it, you can try Dr.Web CureIt! instead.
3. Use MBAM (or SUPERAntiSpyware or even Spyware Terminator) to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
4. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.
5. Make a HijackThis log to post here or at this analysis site. Or even submit the RunScanner log to on-line analysis.
6. Clean your Hosts file (replacing it) with the HostsMan tool.
7. Disable System Restore and then re-enable it again.
8. Immunize your system with SpywareBlaster.
9. Check if you have insecure applications with Secunia Software Inspector.
The best things in life are free.

padedc (Newbie)
Re: tdlcmd.dll Search Engine Redirection
« Reply #2 on: January 12, 2010, 01:52:17 AM »
Hey Tech, I did a HijackThis scan and here's the log file for that:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:50:49 PM, on 1/11/2010
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18349)
Boot mode: Normal

Running processes:
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
C:\Users\Administrator\AppData\Roaming\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe
C:\Program Files\ 3\program\soffice.exe
C:\Program Files\ 3\program\soffice.bin
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\SpywareBlaster\spywareblaster.exe
C:\Program Files\SpywareBlaster\spywareblaster.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [VeohPlugin] "C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe"
O4 - HKCU\..\Run: [Octoshape Streaming Services] "C:\Users\Administrator\AppData\Roaming\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe" -inv:bootrun
O4 - Startup: 3.1.lnk = C:\Program Files\ 3\program\quickstart.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Google Update Service (gupdate1ca91e94df83b03) (gupdate1ca91e94df83b03) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\Windows\system32\GameMon.des.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: Ventrilo - Unknown owner - C:\Program Files\VentSrv\ventrilo_svc.exe

End of file - 4280 bytes
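The log above is what Lisandro's step 5 asks for, and reading one by hand is error-prone. As an added example that is not part of this thread and not a tool from Trend Micro, here is a small Python triage script that parses the HijackThis 2.x line layout shown in the log and flags the entries a responder checks first when search redirection is suspected: O1 hosts entries that map a name to something other than loopback (Lisandro's step 6 and his later hosts-file question), O4 autoruns launched from a Temp directory, O23 services with an unknown owner, and orphaned "(file missing)" entries. The scoring rules are my own heuristics, and the two suspicious sample lines (the www.google.com hosts entry and the svch0st.exe autorun) are constructed for the demo; the other sample lines are copied from the posted log.

```python
"""Triage a HijackThis 2.x log for the entries that matter in a search-redirect case.

Added example for this forum thread, not HijackThis output and not a tool named on the page.
The line format follows the log posted above; the severity rules are assumptions (mine).
"""
import re

# Constructed sample: most lines are copied from the posted log; the 203.0.113.5 hosts
# entry and the svch0st.exe autorun are invented so every rule below fires at least once.
SAMPLE_LOG = """\
Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows Vista SP1 (WinNT 6.00.1905)
O1 - Hosts: ::1 localhost
O1 - Hosts: 203.0.113.5 www.google.com
O2 - BHO: IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\\Program Files\\AVG\\AVG8\\avgssie.dll (file missing)
O4 - HKLM\\..\\Run: [SunJavaUpdateSched] "C:\\Program Files\\Java\\jre6\\bin\\jusched.exe"
O4 - HKCU\\..\\Run: [Updater] C:\\Users\\Administrator\\AppData\\Local\\Temp\\svch0st.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\\Windows\\system32\\GameMon.des.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\\Windows\\system32\\nvvsvc.exe
End of file - 4280 bytes
"""

LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")     # "O23 - Service: ...", "R0 - HKCU\..."
SEVERITY_ORDER = {"low": 0, "medium": 1, "high": 2}


def parse_entries(log_text):
    """Yield (section code, body) for each entry line; header and footer lines are skipped."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def hosts_target(body):
    """For an O1 body like 'Hosts: 1.2.3.4 name' return (ip, name); (None, None) if malformed."""
    parts = body.split(None, 2)
    return (parts[1], parts[2]) if len(parts) == 3 else (None, None)


def rate(code, body):
    """Return a list of (severity, reason) for one entry; empty means nothing to flag."""
    reasons = []
    if code == "O1":
        ip, name = hosts_target(body)
        if ip and ip not in LOOPBACK:
            reasons.append(("high", f"hosts entry sends {name} to {ip}; not loopback, typical of redirection"))
    if "(file missing)" in body:
        reasons.append(("low", "orphaned entry, target file is gone; safe to fix"))
    if code == "O23" and "Unknown owner" in body:
        reasons.append(("medium", "service binary has no vendor attribution; verify it"))
    if code == "O4" and re.search(r"\\temp\\", body, re.IGNORECASE):
        reasons.append(("high", "autorun launches a binary from a Temp directory"))
    return reasons


def triage(log_text):
    """Parse a whole log and return flagged entries, worst severity first."""
    findings = []
    for code, body in parse_entries(log_text):
        reasons = rate(code, body)
        if reasons:
            worst = max(reasons, key=lambda r: SEVERITY_ORDER[r[0]])[0]
            findings.append({"code": code, "severity": worst,
                             "reasons": [r[1] for r in reasons], "entry": body})
    findings.sort(key=lambda f: -SEVERITY_ORDER[f["severity"]])   # stable: keeps log order within a level
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:6}] {f['code']}: {f['entry']}")
        for r in f["reasons"]:
            print(f"         - {r}")
```

On a saved log, call triage(open("hijackthis.log").read()). Run against the log actually posted above, the script would raise only the orphaned AVG BHO and the unknown-owner GameGuard service, because its single O1 entry is the benign "::1 localhost". That is consistent with Lisandro's remark that the log looks clean and with micky77's point below that the infection sits in a driver, which HijackThis does not enumerate.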

Lisandro (Avast team)
Re: tdlcmd.dll Search Engine Redirection
« Reply #3 on: January 12, 2010, 11:25:44 AM »
I'm not sure, as I'm not an expert on cleaning. But your log seems clean.
Maybe the problem is in the hosts file?
Did you follow the other steps?
The best things in life are free.

mkis (Avast Evangelist)
Re: tdlcmd.dll Search Engine Redirection
« Reply #4 on: January 12, 2010, 01:24:12 PM »
Hi padedc,

You could try TDSSKiller from Kaspersky. I haven't used the tool myself, but here is a link that may help.

There is more info to be found on TDSS in the Viruses and Worms section of the forum.
Avast7 Free, MBAM (on demand), MVPS Hosts

Intel DG41TY, Windows 7 Ultimate, IE9, Google Chrome, 4 GB ram, Secunia PSI, ccleaner, Foxit Reader, Faststone Image viewer, MWSnap.

micky77 (Avast Evangelist, "Trust no program")
Re: tdlcmd.dll Search Engine Redirection
« Reply #5 on: January 12, 2010, 05:50:04 PM »
Quote from mkis: You could try TDSSKiller from Kaspersky.
Yes, you could. I'm no expert with rootkits, but I believe TDSSKiller is only the start. You will probably find that atapi.sys is infected and must be replaced. I have read posts where ComboFix can achieve this.
I Sandboxie
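micky77's point is that removing tdlcmd.dll is not the end of it: if the live atapi.sys has been patched, it has to be replaced. As an added example, not from this thread and not from TDSSKiller or ComboFix, here is a Python check of whether the live driver still matches a stored copy of the same file on the same disk. It assumes that the component store under C:\Windows\winsxs (Vista and 7) holds an unmodified copy of each shipped driver and that the rootkit altered only the file under System32\drivers; the directory name and the file bytes in the demo tree are constructed stand-ins, not real driver contents.

```python
"""Does the live atapi.sys still match the copies Windows keeps elsewhere on disk?

Added example for this forum thread, not a tool from the page or from Kaspersky/ComboFix.
Assumption: the component store (C:\\Windows\\winsxs on Vista/7) keeps an unmodified copy of
each shipped driver, and a rootkit patches only the live file under System32\\drivers.
"""
import hashlib
import os
import tempfile


def sha256_of(path):
    """SHA-256 of a file, read in 1 MiB chunks so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def find_reference_copies(search_roots, filename):
    """Return every file named `filename` (case-insensitive) below any of `search_roots`."""
    target = filename.lower()
    hits = []
    for root in search_roots:
        for dirpath, _dirs, files in os.walk(root):
            hits.extend(os.path.join(dirpath, n) for n in files if n.lower() == target)
    return hits


def check_driver(live_path, search_roots):
    """Hash the live driver and compare it with each stored copy carrying the same name."""
    live_hash = sha256_of(live_path)
    refs = find_reference_copies(search_roots, os.path.basename(live_path))
    matches = [p for p in refs if sha256_of(p) == live_hash]
    if not refs:
        verdict = "no reference copy found"
    elif matches:
        verdict = "matches a stored copy"
    else:
        verdict = "DIFFERS from every stored copy: suspect a patched driver"
    return {"live_sha256": live_hash, "reference_copies": len(refs),
            "matches": matches, "verdict": verdict}


def demo():
    """Constructed data: a throwaway tree with a fake clean copy in a fake winsxs folder.

    Returns the result for an unmodified live file and then for one with bytes appended,
    standing in for an infected driver.  No real driver bytes are involved.
    """
    root = tempfile.mkdtemp(prefix="atapi-demo-")
    clean = b"MZ\x90\x00 constructed stand-in for a clean atapi.sys"
    store = os.path.join(root, "winsxs", "x86_atapi.inf_constructed_dir")   # invented name
    drivers = os.path.join(root, "System32", "drivers")
    os.makedirs(store)
    os.makedirs(drivers)
    with open(os.path.join(store, "atapi.sys"), "wb") as f:
        f.write(clean)
    live = os.path.join(drivers, "atapi.sys")
    with open(live, "wb") as f:
        f.write(clean)
    untouched = check_driver(live, [os.path.join(root, "winsxs")])
    with open(live, "wb") as f:
        f.write(clean + b"\x00patched-in hook")      # simulate the infected file
    patched = check_driver(live, [os.path.join(root, "winsxs")])
    return untouched, patched


if __name__ == "__main__":
    windir = os.environ.get("SystemRoot", r"C:\Windows")
    live = os.path.join(windir, "System32", "drivers", "atapi.sys")
    if os.path.exists(live):
        print(check_driver(live, [os.path.join(windir, "winsxs")]))
    else:   # not on Windows: show both outcomes on the constructed tree
        for r in demo():
            print(r["verdict"], "-", r["live_sha256"][:16])
```

Two caveats belong with this check. A mismatch is a lead, not proof: a hotfix can legitimately move the live driver past every stored copy, so the next step is TDSSKiller or the built-in sfc /verifyonly, not a manual replace. And a match is not proof of a clean machine either: a kernel-mode rootkit that filters disk reads can hand the original bytes to any user-mode tool, which is why a scan from outside the running system (the boot-time scan in Lisandro's step 2, or rescue media) is worth more than a hash taken while the rootkit is loaded.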

CharleyO (Avast Evangelist, "Be alert for error code - ID 10T")
Re: tdlcmd.dll Search Engine Redirection
« Reply #6 on: January 14, 2010, 08:29:44 AM »

Welcome to the forums, padedc.   :)

An analysis of your HJT log shows the following problems:

It seems that you don't use an anti-virus scanner or your scanner is not active. Only an anti-virus scanner can protect you against new viruses. (This probably contributed to why your computer is infected.)

We couldn't detect any active process of a firewall on your system. Possible reasons:
(1.) You are using the Windows firewall or a hardware firewall.
(2.) You are using a firewall of an unknown vendor.
(3.) You are using a firewall, but for unknown reasons it is disabled.
(4.) You don't use any firewall at all.
We recommend you to use a firewall. Download and install one or activate Windows XP's own firewall.

O2 - BHO: IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
Unnecessary (deactivated) entry that can be fixed. LinkScannerIE.dll

Overview of running tasks:

System task: Desktop Window Manager
System task: Microsoft Windows Explorer
System task: Task Scheduler Engine
Anti Ad/Spyware software: Microsoft Windows Defender Antispyware
System task: High definition audio codec driver from Realtek Semiconductor
System task: Microsoft Rundll32
Sun Java Update Scheduler
Vista sidebar
Suspicious task: BitTorrent DNA
Veoh Web Player
System task: Microsoft Windows Management Instrumentation
Octoshape Live Streaming
Background task: OpenOffice Module (1.1.0) (this is very out-dated, as OpenOffice is now at 3.0)
Mozilla Firefox
Anti Ad/Spyware software: Spyware Blaster
Anti Ad/Spyware software: Spyware Blaster
System task: Microsoft® Windows® Operating System
Merijn HijackThis

Self-built desktop (8 years old) - AMD64 3200+_Gigabyte GA-K8NS Ultra-939_4 gb RAM_GeForceFX 5800w/256 ram_XP/SP3_Avast 7_MBAM_ZA Free __and__ Toshiba Satellite Laptop_W7-64bit_ 4 gb Ram_Avast 8_MBAM