July 23, 2013 01:23 AVG & TDSS.CA: Removing Of Threat Has Failed #231673
AprilJ0y

Novice
Join Date: 23.7.2013
Posts: 2
I'm looking for help in removing my Trojan horse TDSS.CA.

Computer: Windows 7 / HP Pavilion dv7-6135dx Entertainment PC
Virus Detection: AVG version 2013 build 3349 (free version); Avast! (free version)
Malware: Malwarebytes (free); SUPERAntiSpyWare (free)
Exact error message: see attached screenshots

In response to finding the White Trader icon on my desktop, I downloaded the above virus and malware software and spent the last 24 hours scanning my laptop with Avast! & the malware. When I found that White Trader was still on the desktop, I googled some more and found AVG. I downloaded it -- and it found the trojan. However, it could not remove the threat. I did a Safe Start and re-ran AVG. Nothing was found.

However, when I reboot my computer or when I left-click on the White Trader icon, the AVG detection box pops up, noting the presence of the Trojan Horse TDSS.CA. I click the “protect me” option, but then AVG says, “Removing of threat has failed.”

Please help. I'm not certain what my next step should be. Thank you, in advance, for whatever help/advice/thoughts you can provide!

Note: I am a relative newbie, though I can follow directions.
July 23, 2013 22:20 Re: AVG & TDSS.CA: Removing Of Threat Has Failed #231700
shadowsports

Novice
Join Date: 19.7.2009
Posts: 97
Suggestions:

Try running your scanners in SAFE mode

Download and run GMER www.gmer.org

Try running an AVG Rescue CD or USB stick scan.

The Trojan is resident in memory and has set up several ways to replicate itself should you find a way to delete it without terminating the viral process.

What is a "White Trader icon"?

I also found these additional steps which may help.

1. Press the "Ctrl," "Shift" and "Esc" keys at the same time to open Task Manager.

2. Click the "Processes" tab in the Task Manager window.

3. Select "wow64main.exe" from the list of processes and click "End Process" at the bottom of the window. Select "svchost.exe" from the list of processes and click "End Process" at the bottom of the window.

4. Close Task Manager.


Remove Registry Entry
1. Go to the "Start" menu, type "regedit" in the "Start Search" box and press "Enter" to start the registry editor.

2. Delete the following registry entry:

Microsoft\Windows NT\CurrentVersion\tdssdata

3. Close the registry editor.


Unregister DLLs
1. Go to the "Start" menu, type "cmd" in the "Start Search" box and press "Enter" to open the command line window.

2. Type "regsvr32 /u lasmcnyjaa.dll" in the command line window and press "Enter" to unregister the DLL.

3. Repeat Step 2 for "osajuhzzwtyo.dll," "mdqhqxcejju.dll," "TDSSnrse.dll," "TDSSfpmp.dll," "TDSSoeqh.dll," "TDSSliqp.dll," "TDSSciou.dll," "TDSScfgb.dll," "TDSSnrsr.dll," "TDSSriqp.dll" and "TDSScfub.dll."

4. Close the command line window.


Find and Delete Files
1. Go to the "Start" menu, type "wow64main.exe" in the "Start Search" box and press "Enter." Delete all found files.

2. Repeat Step 1 for "TDSSnrse.dll," "TDSSfpmp.dll," "TDSSoeqh.dll," "TDSSliqp.dll," "TDSSmhct.sys," "TDSSciou.dll," "TDSScfgb.dll," "TDSSosvn.dat," "TDSSmhxt.sys," "TDSSmaxt.sys," "TDSSnrsr.dll," "TDSSriqp.dll," "TDSScfub.dll," "lasmcnyjaa.dll," "osajuhzzwtyo.dll" and "mdqhqxcejju.dll."

3. Restart your computer.


Suggest you also run sfc /scannow from an elevated command prompt to ensure Windows file system integrity.


Sys1: P8Z68 Deluxe/Gen3 (BIOS 3603), i7-2600k@3.5, 16GB Corsair Vengeance @1600+,
Corsair TX850w PSU, EVGA GTX660 FTW Sig2, 2x Corsair Force III 120's RAID0 (boot),
1 x Seagate 1T 6GB (data), Win7x64 Ult. Case: HAF 922 / Win8 Pro x64

Sys2: P8Z77V-LE Plus, i5-3570k, 16GB RAM, GTX560Ti DS SC, Intel 520SSD...

NAS
QNAP TS-219P-II 4TB
DNS-323 4TB

Router
2x WNDR4500 v1 f/w 1.0.20
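Before ending processes or deleting anything, it helps to know which of the artifacts named in the steps above are actually present on the machine. The following PowerShell script is an added example (not code from the thread or from AVG) that only reports: it looks for the listed process, the listed DLLs loaded in any running process, the listed files under common drop locations, and the listed registry key. The hive prefix HKLM:\SOFTWARE and the search roots are assumptions, since the post gives only a relative key path and no directories.

```powershell
# Read-only triage for the TDSS artifacts named in the post. Run from an elevated prompt.
# Nothing here terminates, deletes or edits anything; it prints what it finds.
$Processes  = @('wow64main.exe')   # svchost.exe is a normal Windows process and is not flagged here
$Dlls       = @('lasmcnyjaa.dll','osajuhzzwtyo.dll','mdqhqxcejju.dll','TDSSnrse.dll','TDSSfpmp.dll',
                'TDSSoeqh.dll','TDSSliqp.dll','TDSSciou.dll','TDSScfgb.dll','TDSSnrsr.dll',
                'TDSSriqp.dll','TDSScfub.dll')
$OtherFiles = @('TDSSmhct.sys','TDSSosvn.dat','TDSSmhxt.sys','TDSSmaxt.sys','wow64main.exe')
# Assumption: the post's relative key lives under HKLM\SOFTWARE (the usual location for such keys).
$RegKey     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata'
# Assumption: typical drop locations to search; add drives or folders as needed.
$SearchRoots = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64", $env:TEMP, $env:APPDATA)

$findings = @()

# 1. Running process named in the post, with its on-disk path and PID.
foreach ($name in $Processes) {
    $base = [IO.Path]::GetFileNameWithoutExtension($name)
    Get-Process -Name $base -ErrorAction SilentlyContinue |
        ForEach-Object { $findings += "process $($_.ProcessName) pid=$($_.Id) path=$($_.Path)" }
}

# 2. Listed DLLs loaded into any process: an injected module shows up here even if the
#    file is hidden on disk, which is why an on-disk scan alone can come back clean.
$dllSet = $Dlls | ForEach-Object { $_.ToLowerInvariant() }
Get-Process -ErrorAction SilentlyContinue | ForEach-Object {
    $p = $_
    try { $mods = $p.Modules } catch { return }   # protected/system processes may refuse access
    foreach ($m in $mods) {
        if ($dllSet -contains $m.ModuleName.ToLowerInvariant()) {
            $findings += "module $($m.ModuleName) in $($p.ProcessName) pid=$($p.Id) path=$($m.FileName)"
        }
    }
}

# 3. Files on disk under the search roots, including hidden ones (-Force).
foreach ($root in $SearchRoots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Recurse -Force -Include ($Dlls + $OtherFiles) -ErrorAction SilentlyContinue |
        ForEach-Object { $findings += "file $($_.FullName) size=$($_.Length) mtime=$($_.LastWriteTime)" }
}

# 4. Registry key named in the post.
if (Test-Path $RegKey) { $findings += "registry key present: $RegKey" }

if ($findings.Count -eq 0) { 'None of the indicators from the post were found.' } else { $findings }
```

If the script reports a loaded module but no file, the on-disk copy is hidden from the file system view, which matches the poster's experience of the scanner detecting the threat and then failing to remove it; an offline scan (rescue CD/USB, as suggested above) is the way to reach such files.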
July 23, 2013 23:32 Re: AVG & TDSS.CA: Removing Of Threat Has Failed #231702
AprilJ0y

Novice
Join Date: 23.7.2013
Posts: 2
Thanks for getting back to me, Shadowsports. I deeply appreciate it.

White Trader seems to be a more recent malware that has popped up. Its presence on my desktop is what alerted me to the fact that I had a virus (or 3). http://www.enigmasoftware.com/whitetradervirus-removal/.

1. When I downloaded AVG, I ran a scan. Three viruses were quarantined. The White Trader icon was still there, though -- so then I restarted in SAFE mode and ran another scan. Nothing showed up.

2. Neither wow64main.exe nor svchost.exe shows up under processes.

3. Remove Registry Entry: when I tried to follow these instructions, the window that showed up did not have Microsoft / Windows NT\CurrentVersion\ etc. I did not do this step.

4. Because I could not remove the registry entry, I hesitated to follow the rest of the instructions.

5. One of my questions is: why can't AVG remove the threat? It recognizes its presence but can't do anything about it... That confuses me.

Thanks again for any further help you can provide.
July 25, 2013 02:38 Re: AVG & TDSS.CA: Removing Of Threat Has Failed #231754
shadowsports

Novice
Join Date: 19.7.2009
Posts: 97
I understand your reluctance. If you are uncertain how to proceed, you should seek help from someone more experienced in removing threats. Unexpected results, including data loss, can result if you change or delete something you shouldn't.

Every virus and trojan is different. The tools and solutions effective today may not work when a new variant is released. Some variants are introduced to defeat existing solutions. Others can actually spawn into new threats depending on how they are created. No one tool is 100% effective. This is why new definitions have to be created and updated regularly.

One of the guys in the office recommended this tool.

http://usa.kaspersky.com/downloads/tdsskiller

If successful, scan with a few different tools to ensure you are virus free. Then pick one to stick with. On a regular basis don't use more than one AV solution. The free version of malwarebytes is neutral. I usually install it on any system I clean... in conjunction with the AV product the client has chosen. Except McAfee... That I uninstall as soon as I have control of a system again. I just replace it with AVG unless they are using SEP, Avast... etc. AVG is one of the better products available.
