Confused!! Deleted bug keeps coming back!!

Hey guys,

This nasty keeps reappearing on my computer… “TrojWare.Win32.Rootkit.TDSS.cig@2554649” in my “System 32” folder under the name “TDSSotqt.dll”. Comodo first detected it two weeks ago, so I deleted the file. I ran another scan right after and my computer came out clean. I normally do a full scan once a week, so the following Monday it was flagged again. So I deleted it again. I regularly delete my System Restore points, the Registry is free from anything resembling this name, so I don’t know why it keeps coming back. Then this morning, I scanned and lo and behold, it came back again!! So I deleted it and ran another scan, and Comodo says that I’m clean. But I know that when I run a scan in a couple more days, it’ll somehow mysteriously come back.

I did some searching on the web for similar incidents, but half the forums out there are crooked and junk anyways. Does anyone know what this “Trojware.Win32” nasty is? Why it keeps reappearing? And how I can permanently delete the bug?

Thanks!!!

:ilovecomodo:

There is obviously a deeper problem than that as it comes back.

You could try this:

Please download F-Secure Blacklight (fsbl.exe) from here

Run the program and see what it finds.

Thanks James.

I ran the program and it found nothing.

Have any other ideas?

We could look at a HijackThis log to maybe see what else is going on:

Click here to download HJTsetup.exe and download the installer.

- Save HJTsetup.exe to your desktop.
- Double click on the HJTsetup.exe icon on your desktop.
- By default it will install to C:\Program Files\Hijack This.
- Click on the Do a system scan and save a log file button. It will scan and then the log will open in notepad.
- Click on “Edit > Select All” then click on “Edit > Copy” to copy the entire contents of the log.
- Come back here to this thread and Paste the log in your next reply.
- DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

Okay, here’s the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:36:42 AM, on 1/15/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\COMODO\SafeSurf\cssurf.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Windows Live\Mail\wlmail.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Comodo Secure Search protects you from infected websites
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Comodo Secure Search protects you from infected websites
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN | Outlook, Office, Skype, Bing, Breaking News, and Latest Videos
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN | Outlook, Office, Skype, Bing, Breaking News, and Latest Videos
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: (no name) - {C5BF49A2-94F3-42BD-F434-3604812C897D} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - (no file)
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM..\Run: [Acrobat Assistant 7.0] “C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe”
O4 - HKLM..\Run: [itype] “C:\Program Files\Microsoft IntelliType Pro\itype.exe”
O4 - HKLM..\Run: [IntelliPoint] “C:\Program Files\Microsoft IntelliPoint\ipoint.exe”
O4 - HKLM..\Run: [COMODO SafeSurf] “C:\Program Files\COMODO\SafeSurf\cssurf.exe” -s
O4 - HKLM..\Run: [COMODO Internet Security] “C:\Program Files\COMODO\COMODO Internet Security\cfp.exe” -h
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\RunOnce: [] C:\PROGRA~1\MOZILL~1\FIREFOX.EXE Please select your identity provider. - Support Portal
O4 - HKUS.DEFAULT..\Run: [DWQueuedReporting] “C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe” -t (User ‘Default user’)
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: e&xport to microsoft excel - res://C:\Program Files\Microsoft Office\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra button: Send to OneNote - {2670000a-7350-4f3c-8081-5663ee0c6c49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll
O9 - Extra ‘Tools’ menuitem: S&end to OneNote - {2670000a-7350-4f3c-8081-5663ee0c6c49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: (no name) - {F756A28D-DCD5-46be-BCAB-17C088D07227} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll C:\WINDOWS\system32\cssdll32.dll
O22 - SharedTaskScheduler: mcb7uehuj3n8weuhejsw - {C5BF49A2-94F3-42BD-F434-3604812C897D} - (no file)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: COMODO Internet Security Helper Service (cmdagent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: DSBrokerService (dsbrokerservice) - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe


End of file - 6646 bytes

I don’t see any current problems in the log unless something is hiding from HijackThis. You could try renaming HijackThis.exe to, say, HijackNew.exe and running it again to see if there are any changes.

Otherwise, if you have no problems with your computer and it comes back again, try uploading the file to VirusTotal:
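The kind of review James is doing by eye on the log above can be written down. The following Python script is an added example (not code from this thread, from Comodo, or from the HijackThis project) that parses a few lines copied from the posted log and flags what a reviewer would check by hand: entries whose target is "(no file)", a CLSID that the O2 BHO and the O22 SharedTaskScheduler share, a random-looking SharedTaskScheduler name, and every DLL listed under AppInit_DLLs (here Comodo's own guard32.dll and cssdll32.dll, which is why that finding is marked "review" rather than "high"). The thresholds and the random-name pattern are assumptions for illustration, not HijackThis's own logic.

```python
import re
from collections import defaultdict

# Constructed sample input: six lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {C5BF49A2-94F3-42BD-F434-3604812C897D} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\\Program Files\\Adobe\\Adobe Acrobat 7.0\\Acrobat\\AcroIEFavClient.dll
O20 - AppInit_DLLs: C:\\WINDOWS\\system32\\guard32.dll C:\\WINDOWS\\system32\\cssdll32.dll
O22 - SharedTaskScheduler: mcb7uehuj3n8weuhejsw - {C5BF49A2-94F3-42BD-F434-3604812C897D} - (no file)
O23 - Service: Bonjour Service - Apple Inc. - C:\\Program Files\\Bonjour\\mDNSResponder.exe
"""

# "O22 - SharedTaskScheduler: <body>"; the kind stops at the first colon, so paths stay in the body.
ENTRY_RE = re.compile(r"^(O\d+) - ([^:]+): (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Assumed heuristic: 10+ lowercase letters/digits with at least one of each, no spaces.
RANDOM_NAME_RE = re.compile(r"^(?=.*\d)(?=.*[a-z])[a-z0-9]{10,}$")


def parse_hjt(text):
    """Turn 'Oxx - Kind: name - {CLSID} - target' lines into dicts; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        section, kind, body = m.groups()
        parts = [p.strip() for p in body.split(" - ")]
        clsid = CLSID_RE.search(body)
        entries.append({
            "section": section,
            "kind": kind,
            "name": parts[0],
            "clsid": clsid.group(0).upper() if clsid else None,
            "target": parts[-1],  # last field: a path, "(no file)", or the DLL list for O20
            "raw": line.strip(),
        })
    return entries


def triage(entries):
    """Return (severity, message) findings for a human to confirm; nothing is acted on."""
    findings = []
    by_clsid = defaultdict(list)
    for e in entries:
        if e["clsid"]:
            by_clsid[e["clsid"]].append(e)
        if e["target"] == "(no file)":
            # A registration whose file is gone: leftover from a removal, or a hidden file.
            findings.append(("info", f'{e["section"]} orphaned reference: {e["raw"]}'))
        if e["section"] == "O22" and RANDOM_NAME_RE.match(e["name"]):
            findings.append(("high", f'{e["section"]} random-looking task name "{e["name"]}"'))
        if e["section"] == "O20":
            # AppInit_DLLs is whitespace-separated here; paths containing spaces would need
            # the registry value itself rather than this log line.
            for dll in e["target"].split():
                findings.append(("review", f"AppInit_DLLs loads {dll} into GUI processes; confirm its vendor"))
    # One CLSID registered under two different hook types is one component, not two.
    for clsid, group in by_clsid.items():
        sections = sorted({g["section"] for g in group})
        if len(sections) > 1:
            findings.append(("high", f"{clsid} shared by {', '.join(sections)}: treat as one component"))
    return findings


if __name__ == "__main__":
    for severity, message in triage(parse_hjt(SAMPLE_LOG)):
        print(f"[{severity}] {message}")
```

Run against a full log the script only narrows the list; the "(no file)" entries for Adobe-style leftovers are noise, and the useful signal in this thread is the shared CLSID plus the nonsense task name, which is what a specialist forum would pick out first.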

Thanks for taking a look James.

This morning Comodo alerted me of a bug on my system that wasn’t present before. I’ve attached a screen shot of the dialogue box. You said to upload the suspicious file to VirusTotal, but here’s the thing, these files in question, they won’t upload, won’t delete, and won’t allow themselves to be moved or renamed, so I’m stuck.

Any more ideas?

P.S - I haven’t even been on my computer and only logged onto the net to check this forum as I’ve been busy at work. How is it that this bug keeps popping out of nowhere?!?!

[attachment deleted by admin]

Hi paradiseyes, there seem to be signs of a malware program called Antivirus 2009, so you could try running Malwarebytes to see if it can delete your bad files. You could follow the instructions here:

If it doesn’t find anything, I think you need to post on a specialist help forum where they will guide you better than I can.

There are good people on this one who will answer you quickly if you join and post your HijackThis log as directed:
http://forum.securitycadets.com/index.php?s=59577060d6cbb9c1f983628fbb16f10b&showforum=2

Good luck,

Actually James you just solved my problem ^_^.

I installed and ran Malwarebytes and it found 8 infected registry keys. One of the keys was infected by the TrojWare.Win32.Rootkit (which is the nasty who kept coming back, now I know why), and the others were from the problems I just had this morning.

So it’s all fixed now. No more nasty bugs, and thanks to your advice, I won’t have to worry about them coming back again!!

Thanks bud!!

:comodorocks:

I can’t tell you how many times I’ve seen Malwarebytes as the savior. :-TU

:slight_smile: