
If you were brought to this post by a search engine, you are most likely looking for a way to get rid of a virus or malware that has infected your PC, or trying to make Disk Defragmenter work again.

I don't remember when I first started feeling that my internet connection was not as fast as it used to be. I complained to my internet service provider, AT&T, told them that the speed I was getting was not what I was paying for, and even threatened to cancel the service if they didn't raise it. However, whenever I tested my internet speed online it was always within range, so I upgraded my connection to 5M. Nothing changed; the connection still felt the same. Then I started looking at my computer to see if it was the cause. I tried to defragment my hard drive, but couldn't: an error always said "Disk Defragmenter could not start". I was busy with other things and put that problem on hold for a long while.

A few days ago I started to notice that Google and Yahoo didn't look quite the same as before. When I searched on Google or Yahoo and clicked on a result link, I was taken to a site different from the link, and in some cases the site was totally unrelated to what I was searching for. I was scratching my head, wondering what was going on with Google and Yahoo. I right-clicked the Google and Yahoo result links and looked at their properties: they pointed to either go.google.com or go.yahoo.com. So I pinged these two host names. Guess what: the host that responded was Compalusa.com at IP address 72.36.238.83, obviously not a Google or Yahoo IP. A search result link that resolves to a third party's address means the pages or the name resolution are being tampered with on the local machine, not at Google or Yahoo. All of a sudden I understood that my computer was infected with malware.

The clever thing about this malware was that it hid itself almost completely. I couldn't see anything abnormal in Task Manager, nor in my Startup folder or the registry. Viruses and malware usually have entries in the following registry keys so that they are launched at boot time, but these were clean:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

I went ahead and used rootkit detection tools, but nothing was detected.
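The keys above are the first place to look, and when a rootkit filters the live registry the honest way to read them is from an export or from the offline SOFTWARE hive. The following is an added example, not code from the original post: it parses a `.reg` export of those four keys and flags autostart images that live outside the usual program locations or run from a scratch or per-user directory. The trust policy (TRUSTED_DIRS, SUSPICIOUS_HINTS, the ENV expansion table) and the sample export are my assumptions and constructed data; nothing in it is the real TDSS configuration.

```python
"""Offline review of the Run keys listed above (added example, not from the post).

Assumptions (not stated in the original): the keys were exported with
``reg export`` on a live system, or from the offline SOFTWARE hive under the
boot CD, into a .reg text file; a legitimate autostart image normally lives
under Program Files or the Windows directory, and nothing legitimate starts
from a Temp or profile directory.  SAMPLE_REG below is constructed, not a
real export.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# The four keys from the post, as ``reg export`` writes them (compared case-insensitively).
AUTOSTART_KEYS = {
    k.lower()
    for k in (
        r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
        r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
        r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx",
        r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run",
    )
}
# Assumed trust policy: images under these directories are expected ...
TRUSTED_DIRS = (r"C:\Program Files", r"C:\WINDOWS")
# ... unless the path runs through a scratch or per-user directory.
SUSPICIOUS_HINTS = ("\\temp\\", "\\local settings\\", "\\application data\\", "\\recycler\\")
# Minimal environment expansion for an offline hive (assumed XP-era layout).
ENV = {"%systemroot%": r"C:\WINDOWS", "%windir%": r"C:\WINDOWS", "%programfiles%": r"C:\Program Files"}

_VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<data>.*)"$')


@dataclass
class AutostartEntry:
    key: str
    name: str
    command: str
    image: str
    suspicious: bool


def _unescape(data: str) -> str:
    # .reg string data escapes backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", data)


def _expand(path: str) -> str:
    return re.sub(r"%[^%]+%", lambda m: ENV.get(m.group(0).lower(), m.group(0)), path)


def image_path(command: str) -> str:
    """Return the executable part of a Run value's command line."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.*?\.(?:exe|dll|scr|com|bat|cmd))(?:\s|$)", command, re.IGNORECASE)
    if m:
        return m.group(1)
    return command.split()[0] if command else ""


def is_suspicious(image: str) -> bool:
    p = str(PureWindowsPath(_expand(image))).lower()
    if any(hint in p for hint in SUSPICIOUS_HINTS):
        return True
    return not any(p.startswith(str(PureWindowsPath(d)).lower() + "\\") for d in TRUSTED_DIRS)


def parse_reg_export(text: str) -> list:
    """Collect the string values under the autostart keys of a .reg export."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        if key is None or key.lower() not in AUTOSTART_KEYS:
            continue
        m = _VALUE_RE.match(line)
        if not m:
            continue  # default values, hex/dword data, blank lines
        command = _unescape(m.group("data"))
        image = image_path(command)
        entries.append(AutostartEntry(key, _unescape(m.group("name")), command, image, is_suspicious(image)))
    return entries


def suspicious_names(text: str) -> list:
    return [e.name for e in parse_reg_export(text) if e.suspicious]


# Constructed sample export: two ordinary entries and two that the policy flags.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre6\\bin\\jusched.exe\""
"svchost"="C:\\Documents and Settings\\user\\Local Settings\\Temp\\svchost.exe -s"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"updater"="%SystemRoot%\\Temp\\upd.exe"
"""

if __name__ == "__main__":
    for e in parse_reg_export(SAMPLE_REG):
        print(("SUSPICIOUS " if e.suspicious else "ok         ") + f"{e.name} -> {e.image}")
```

Run it against a real export and treat the flagged list as a starting point, not a verdict: a legitimate updater can sit in a profile directory, and a rootkit that loads as a driver (as this one does) may have nothing in these keys at all, which is exactly what the post found.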

Furthermore, I found I was having trouble installing HijackThis and Spybot. I was able to overcome this problem and install them later on, and I will tell you how. So in effect Google and Yahoo's money-generating traffic was being hijacked by this outfit called Compalusa. Ironically, I was frequently taken to a web site called shoplocal.com, which was a client of a company I previously worked for. So Shoplocal is probably paying Compalusa for internet traffic. Don't underestimate the money paid by advertisers like Shoplocal; Compalusa could be making over a hundred thousand a day. It amounts to robbing Google and Yahoo, which is better than robbing banks nowadays. :lol:

I have dealt with terrible malware like wintems and hldrrr before, but this one was a lot smarter than them. It hid itself from virtually every tool I used except Spybot; I don't know why Spybot was able to see it. The malware is called TDSS. It consists of a driver file in the %SystemRoot%\system32\drivers\ directory, and several DLLs and a log file in the %SystemRoot%\system32\ directory. All of their file names contain "TDSS". Because the rootkit filters directory listings, the command dir *TDSS*.* returns nothing on an infected PC even though the files are there. Spybot, however, was able to point out that TDSS had infected my computer; see the following screenshot. But Spybot wasn't able to clean it.
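When `dir` on the running system lies, the reliable check is a cross-view difference: list the volume from inside the infected Windows, list the same volume again from a boot CD where the rootkit's driver is not loaded, and report what the offline view has that the live one lacks. This is an added example, not code from the original post. It assumes `dir /s /b`-style listings (one full path per line) and that the volume is C: when Windows is running but D: under the boot CD; the file names in the listings are constructed placeholders that follow the post's description (names containing "TDSS", a .sys under drivers, DLLs and a log under system32) and are not the rootkit's real file names.

```python
"""Cross-view check for files a rootkit hides from ``dir`` (added example, not from the post).

Take a listing from inside the infected Windows (the view the rootkit filters)
and another of the same volume from the boot CD (where the rootkit driver is
not loaded), and report what the offline view has that the live one lacks.
Assumptions not in the original: both listings are ``dir /s /b`` style, one
full path per line; the volume appears as C: live and as D: under the boot CD.
All file names below are constructed placeholders.
"""
import re
from pathlib import PureWindowsPath

# The post's only reliable indicator: the names contain "TDSS".
TDSS_NAME = re.compile(r"tdss", re.IGNORECASE)


def normalize(path: str) -> str:
    """Drive-independent, case-insensitive key so C:\\ (live) and D:\\ (boot CD) compare equal."""
    p = PureWindowsPath(path.strip())
    parts = p.parts[1:] if p.anchor else p.parts  # drop 'C:\\' / 'D:\\'
    return "\\".join(parts).lower()


def hidden_files(live_listing: str, offline_listing: str) -> list:
    """Paths present in the offline listing but missing from the live one."""
    live = {normalize(line) for line in live_listing.splitlines() if line.strip()}
    offline = {normalize(line): line.strip() for line in offline_listing.splitlines() if line.strip()}
    return sorted(orig for key, orig in offline.items() if key not in live)


def matching_name(paths, pattern=TDSS_NAME) -> list:
    """Narrow a cross-view difference to file names matching a pattern (here 'TDSS')."""
    return [p for p in paths if pattern.search(PureWindowsPath(p).name)]


# Constructed: what ``dir /s /b C:\WINDOWS\system32`` showed inside the infected system.
LIVE_LISTING = r"""
C:\WINDOWS\system32\drivers\atapi.sys
C:\WINDOWS\system32\drivers\ntfs.sys
C:\WINDOWS\system32\kernel32.dll
C:\WINDOWS\system32\ntdll.dll
C:\WINDOWS\system32\ctfmon.exe
"""

# Constructed: the same directory listed from the boot CD, where the volume is D:.
# wbemcore.log stands for a file that legitimately appeared between the two listings.
OFFLINE_LISTING = r"""
D:\WINDOWS\system32\drivers\atapi.sys
D:\WINDOWS\system32\drivers\ntfs.sys
D:\WINDOWS\system32\drivers\TDSSsample.sys
D:\WINDOWS\system32\kernel32.dll
D:\WINDOWS\system32\ntdll.dll
D:\WINDOWS\system32\ctfmon.exe
D:\WINDOWS\system32\TDSSsample1.dll
D:\WINDOWS\system32\TDSSsample2.dll
D:\WINDOWS\system32\TDSSsample.log
D:\WINDOWS\system32\wbem\Logs\wbemcore.log
"""

if __name__ == "__main__":
    diff = hidden_files(LIVE_LISTING, OFFLINE_LISTING)
    print("offline-only files:", *diff, sep="\n  ")
    print("of which TDSS-named:", *matching_name(diff), sep="\n  ")
```

Two caveats a practitioner will want: the raw difference also contains files that simply changed between the two listings (logs, prefetch, pagefile), so the name filter is what turns the list into something actionable; and the same comparison applies to the registry, which is what the ERD Commander step later in the post does by reading the offline hives.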

[Screenshot: Spybot scan result reporting TDSS]

So, going back to the earlier question: how do you install HijackThis or Spybot in this situation? (By the way, HijackThis didn't help in any way.) To install them you have to rename the installer to something else. To launch Spybot you have to rename the Spybot executable as well, and download its updates manually. The malware wouldn't let me start Spybot or run its updater: it seemed to know the file name and prevented it from launching, and it seemed to know where Spybot downloads updates from and blocked that site. Blocking by file name and by update host is a cheap defense for the malware, which is exactly why renaming the binary and fetching the updates by hand gets around it.

How did I get rid of it? Fortunately I had a boot disk handy. The tool I used to make it was Winternals' ERD Commander; I just found out that Winternals is part of Microsoft now. Microsoft really has an eagle's eye for finding gems among stones. Anyway, I booted the computer from the CD. With the infected Windows installation not running, the rootkit's driver was not loaded and could no longer hide anything, so I was able to examine the registry and files and delete every suspicious registry entry and every file named with "TDSS".

My internet connection returned to blazing speed. :grin:
