BleepingComputer.com: Trojan.tdsserv + Vundo/Virtumonde!

Trojan.tdsserv + Vundo/Virtumonde!

#1 Jonny03 | Group: Members | Posts: 8 | Joined: 20-April 09

Posted 20 April 2009 - 09:40 PM

Hey guys,

Recently I've been encountering some problems with my computer. Things had slowed down a lot (mainly due to Virtumonde and a host of other malware, I think) and I've since managed to improve my performance, but am unsure of whether I'm still affected by the named viruses. Firefox especially seemed to go a lot slower after I was affected, and when I ran various spyware removal tools its speed did not increase.

The main problem I'm experiencing at the moment is trying to install the latest Automatic Updates for Windows. It just won't work. It says they're ready to install, but when I try installing them I get a message from Spyware Doctor saying it's found a threat, Trojan.tdsserv, and asks me about blocking or allowing it. This message only ever comes up when trying to install the updates. So I was wondering how I can stop this, install the updates and get rid of this trojan?

I've included a HijackThis log with the post. For your information, in the recent past I've run Spyware Doctor, Registry Mechanic, CCleaner, Spybot S+D and Malwarebytes' Anti-Malware and fixed everything that's come up/cleaned everything I can. My main anti-virus software is McAfee and again, I've fixed everything that's been found, yet things are still going a little strange.

Thanks for any help in advance!

Attached File(s)



#2 Blade81 | Group: Malware Response Team | Posts: 6,364 | Joined: 16-October 06 | Location: Finland

Posted 28 April 2009 - 04:08 PM

Hi,

Sorry for the delayed response. The forums have been really busy. If you still need help with this, do the following, please.


Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    • DDS.txt
    • Attach.txt

  • Save both reports to your desktop. Post them back to your topic.


Download GMER and save it to your desktop:
  • Extract it to your desktop and double-click GMER.exe
  • Click the Rootkit tab and then Scan.
  • Don't check the Show All box while scanning is in progress!
  • When the scan is finished, click Copy. This copies the log to the clipboard.
  • Post the log in your reply.

Microsoft MVP Consumer Security 2008 2009 2010 2011
ASAP & UNITE member since 2006

Provided malware removal related instructions are meant to be used in the corresponding user's case only. If you have similar symptoms, create your own topic instead of following instructions given to someone else, please.

#3 Blade81 | Group: Malware Response Team | Posts: 6,364 | Joined: 16-October 06 | Location: Finland

Posted 08 May 2009 - 11:07 AM

Due to inactivity, this thread will now be closed. If you need this topic reopened, please contact a Staff member. Include the address of this thread in your request. This applies only to the original topic starter. Should you have a new issue, please start a New Topic.

#4 Blade81 | Group: Malware Response Team | Posts: 6,364 | Joined: 16-October 06 | Location: Finland

Posted 11 May 2009 - 11:39 AM

Topic re-opened upon user's request.

#5 Jonny03 | Group: Members | Posts: 8 | Joined: 20-April 09

Posted 11 May 2009 - 12:31 PM

I've attached the logs as requested.

The problem now seems to be centered around Trojan.tdsserv - I don't think Virtumonde is giving me a problem now.

Every now and then, I'll get a pop-up from Spyware Doctor saying it's found Trojan.tdsserv and asking me to block or allow. Straight after this I'm alerted about automatic updates and get given the "Your computer must be restarted" message and a five-minute countdown each time. This is the problem I want to stop, because I can't keep delaying a restart on my computer every time I want to use it.

Thank you,

Jonny

Attached File(s)
  • Attach.txt (14.57K)
  • DDS.txt (18.22K)


#6 Jonny03 | Group: Members | Posts: 8 | Joined: 20-April 09

Posted 11 May 2009 - 12:39 PM

I seem to be having problems posting the GMER results, could someone suggest how I go about posting them? The file is too large to attach and too long for a post...



#7 Blade81 | Group: Malware Response Team | Posts: 6,364 | Joined: 16-October 06 | Location: Finland

Posted 11 May 2009 - 02:41 PM

Hi Jonny,

You may archive the GMER log into a zip file and then attach it.

#8 Jonny03 | Group: Members | Posts: 8 | Joined: 20-April 09

Posted 11 May 2009 - 04:00 PM

Thank you!

If I've done it right, the GMER results should be attached to this post now!

Attached File(s)



#9 Blade81 | Group: Malware Response Team | Posts: 6,364 | Joined: 16-October 06 | Location: Finland

Posted 12 May 2009 - 10:30 AM

Hi again,

You seem to have P2P file sharing software installed there. Nowadays a major part of infections are received from P2P networks, and that's why I recommend uninstalling such software. If you don't want to uninstall it, then please make sure none of those programs is running during this whole fixing process.


Are you familiar with this URL (link obfuscated on purpose)?
hxxp://127.0.0.1:4664/first_usage&s=wsAaFra-mUyJCSJ5wzstrGtkn8o



Disable Spybot's TeaTimer to make sure it won't interfere with fixes. You can re-enable it when you're clean again:
  • Run Spybot-S&D in Advanced Mode
  • If it is not already set to do this, go to the Mode menu and select Advanced Mode
  • On the left hand side, click on Tools
  • Then click on the Resident icon in the list
  • Uncheck Resident TeaTimer and OK any prompts.
  • Restart your computer


Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    Remember to re-enable them afterwards.


  • Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds.txt log.


A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.
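Before deciding whether a localhost URL like the one Blade81 asks about is benign, the check a practitioner would want is to find out which process is actually bound to that port on the machine. The script below is an added example and is not part of this thread or of any BleepingComputer tool. It de-fangs the hxxp:// string only far enough to parse the host and port (it never fetches the URL, which is the whole point of writing hxxp), then maps the listener to a process from `netstat -ano` and `tasklist /fo csv` output. The netstat and tasklist samples are constructed; the process name GoogleDesktop.exe in them is illustrative (TCP 4664 is the default port of Google Desktop's local search page), and the real answer on any given machine is whatever the real commands report. `live_check()` runs the real commands and therefore only works on Windows.

```python
"""Map a localhost URL seen in a DDS/HijackThis-style log to the process
listening on that port, using `netstat -ano` and `tasklist /fo csv` output.

Added example for this thread; the sample command outputs below are
constructed and are not the logs the poster attached.
"""
import csv
import io
import re
import subprocess
from urllib.parse import urlsplit

# Constructed sample of `netstat -ano` output (Windows XP layout).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       952
  TCP    127.0.0.1:4664         0.0.0.0:0              LISTENING       1840
  TCP    192.168.1.5:1057       208.67.222.222:80      ESTABLISHED     2288
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed sample of `tasklist /fo csv` output; GoogleDesktop.exe is an
# illustrative owner for port 4664, not a finding from the thread.
SAMPLE_TASKLIST = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Console","0","236 K"
"svchost.exe","952","Console","0","4,512 K"
"GoogleDesktop.exe","1840","Console","0","21,104 K"
"firefox.exe","2288","Console","0","58,720 K"
"""

# One socket line of netstat -ano; the State column is absent for UDP.
NETSTAT_LINE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?(?P<pid>\d+)\s*$"
)


def defang_to_url(defanged: str):
    """Turn a defanged 'hxxp://host:port/...' string into (host, port).

    The string is only parsed, never requested.
    """
    fixed = re.sub(r"^hxxp(s?)://", r"http\1://", defanged.strip(), flags=re.IGNORECASE)
    parts = urlsplit(fixed)
    if parts.hostname is None:
        raise ValueError("no host in %r" % defanged)
    port = parts.port if parts.port is not None else (443 if parts.scheme == "https" else 80)
    return parts.hostname, port


def parse_netstat(text: str):
    """Return one dict per socket line of `netstat -ano` output."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if not m:
            continue  # banner, header or blank line
        host, _, port = m.group("local").rpartition(":")  # also handles [::]:135
        rows.append({
            "proto": m.group("proto"),
            "host": host,
            "port": int(port),
            "state": m.group("state") or "",
            "pid": int(m.group("pid")),
        })
    return rows


def parse_tasklist(csv_text: str):
    """Map PID -> image name from `tasklist /fo csv` output."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {int(row["PID"]): row["Image Name"] for row in reader}


def listener_for(netstat_text: str, tasklist_text: str, host: str, port: int):
    """Return (pid, image) for the TCP listener on host:port, or None."""
    procs = parse_tasklist(tasklist_text)
    for row in parse_netstat(netstat_text):
        if row["proto"] != "TCP" or row["state"] != "LISTENING" or row["port"] != port:
            continue
        # A listener on all interfaces also answers on 127.0.0.1.
        if row["host"] in (host, "0.0.0.0", "[::]"):
            return row["pid"], procs.get(row["pid"], "<pid not in tasklist>")
    return None


def live_check(defanged_url: str):
    """Run the real commands (Windows only) and report the port's owner."""
    host, port = defang_to_url(defanged_url)
    netstat = subprocess.run(["netstat", "-ano"], capture_output=True, text=True, check=True).stdout
    tasklist = subprocess.run(["tasklist", "/fo", "csv"], capture_output=True, text=True, check=True).stdout
    return listener_for(netstat, tasklist, host, port)


if __name__ == "__main__":
    url = "hxxp://127.0.0.1:4664/first_usage&s=wsAaFra-mUyJCSJ5wzstrGtkn8o"
    host, port = defang_to_url(url)
    print(host, port, listener_for(SAMPLE_NETSTAT, SAMPLE_TASKLIST, host, port))
```

On the real machine, replace the sample call with `live_check(url)` from an administrator command prompt; on Windows XP, `netstat -anob` additionally prints the image name per socket, but the PID-to-tasklist join above works on every Windows version that ships `netstat -o`. If the PID turns out not to exist in `tasklist`, or the listening image is something unexpected living outside Program Files, that is exactly the kind of thing worth raising in the log thread rather than "allowing" in Spyware Doctor.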

#10 Jonny03 | Group: Members | Posts: 8 | Joined: 20-April 09

Posted 12 May 2009 - 04:00 PM

I'm sure you can imagine I'm a bit wary of doing all of these fixes especially with warnings so before I attempt to run these programs I'd just like to ask a couple of questions.

The P2P software you mention, are you talking about BitTorrent? Because that's the only software I can think of that would be classed as P2P. I will remove it anyway, as I've been meaning to.

Secondly, that link you posted... Although you've obfuscated it, when changing the hxxp to http (which I assumed is what I'm meant to do?) I get a broken link page. So I'm unsure of what I'm doing there. I'm a little computer illiterate with certain things, sorry!

#11 Blade81 | Group: Malware Response Team | Posts: 6,364 | Joined: 16-October 06 | Location: Finland

Posted 13 May 2009 - 10:39 AM

Quote

The P2P software you mention, are you talking about Bittorrent? Because That's the only software I can think of that would be classed as P2P. I will remove it anyway as I've been meaning to.

Yes, BitTorrent is the client in your case (uninstall the DNA entry as well).


Quote

Secondly, that link you posted... Although you've obfuscated it, when changing the hxxp to http (which I assumed is what I'm meant to do?) I get a broken link page. So I'm unsure of what I'm doing there. I'm a little computer illiterate with certain things, sorry!

I didn't mean you should visit it. I just wanted to know if the link looked familiar to you.

#12 Jonny03 | Group: Members | Posts: 8 | Joined: 20-April 09

Posted 15 May 2009 - 03:02 PM

I've uninstalled BitTorrent as well as DNA and that link does not look familiar to me.

I'm just posting to ask if you could not close this topic again if I don't reply straight away? It's just that I'm a little busy and may not be able to do the scan and post the results for a little while. It shouldn't be for too long, maybe a few days or so! Just asking in advance is all, cheers!

#13 Blade81 | Group: Malware Response Team | Posts: 6,364 | Joined: 16-October 06 | Location: Finland

Posted 15 May 2009 - 03:09 PM

Hi

Topics that have been inactive for more than 5 days will be closed. So, if it will take only a few days then it should be ok.

#14 Jonny03 | Group: Members | Posts: 8 | Joined: 20-April 09

Posted 18 May 2009 - 06:40 PM

Sorry to do this again, but there is just one last thing I'm confused about. I've read the tutorial for ComboFix and how it says to turn off all the anti-virus software you have. While I know how to do the majority of it, I'm stumped with Spyware Doctor 6.0. The instructions on how to disable it running at startup and the "OnGuard" settings appear to be for previous versions. The instructions say:

SPYWARE DOCTOR
Click the Spyware Doctor icon in the System Tray.
Click Settings.
Click Startup Settings under Pick a Category.
Uncheck "Run at Windows startup".
Click Apply and Exit Spyware Doctor.
From within Spyware Doctor, click the "OnGuard" button on the left side.
Uncheck "Activate OnGuard".
(When we are done, you can reenable Spyware Doctor)


I have a checkbox for "Run Scan on Windows Startup" in the General tab of 'Settings' but nothing about running the actual program. And the whole "OnGuard" thing seems to be incorporated into this IntelliGuard feature.


Is there something I should do with all of this? Do I leave it on? Or is there another way to disable it?

#15 Blade81 | Group: Malware Response Team | Posts: 6,364 | Joined: 16-October 06 | Location: Finland

Posted 19 May 2009 - 09:59 AM

Hi

See if you can shut Spyware Doctor down completely until ComboFix has run. If not, then let ComboFix run without minding about SD.
