Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected with SUPERTDS.COM


  • Please log in to reply
12 replies to this topic

#1 Ali_bear

Ali_bear

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:11:01 PM

Posted 24 March 2009 - 09:02 PM

Hello!

My operating system is Windows XP.
The Anti-Spyware software that I have is CA Security.

I was surfing webpages and suddenly my system began running slowly and my windows firewall was disabled. I ran a quick scan and found out that I have a Spyware on my system called SuperTDS.com. My anti-spyware software confirms that the virus is located in the following Registry files:



AUTORUN REFERENCES:

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run updatewin
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runservices updatewin

REGISTRY ITEMS:

HKEY_CURRENT_USER\system\currentcontrolset\control\lsa updatewin
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runservices updatewin
HKEY_CURRENT_USER\software\microsoft\ole updatewin
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run updatewin
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run updatewin
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runservices updatewin

I tried going into the registry files using regedit and removing the files listed above manually. When I did a scan once again, it said that my system was clean. However, after I rebooted my system and did another scan, the same spyware was back again.

I have tried using the following programs by scanning my system with them, but they were unable to find the spyware:

--Avast AntiSpyware
--Uniblue Registry Booster 2
--Advanced Windows Care V2 Personal
--AdAware SE Personal

The following file was associated with the registry entries, but I could not delete it directly without it returning upon reboot: C:\WINDOWS\system32\1028d.exe

I should probably mention that each time I reboot, my firewall is automatically disabled. In addition, for some reason I am unable to go into safe mode by tapping F8 during reboot because my monitor mysteriously remains black during reboot and won't turn on until the WELCOME screen comes up.

PLS HELP ME! I'm just about desperate here. :thumbsup: Btw, I'm not extremely computer savvy when it comes to these things, so please, be gentle :flowers:

BC AdBot (Login to Remove)

 


#2 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,579 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:01 PM

Posted 24 March 2009 - 10:07 PM

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#3 Ali_bear

Ali_bear
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:11:01 PM

Posted 25 March 2009 - 09:53 AM

Budapest:

Thank you so much for responding to me so promptly!

I ran the program and here is the log:

Malwarebytes' Anti-Malware 1.34
Database version: 1895
Windows 5.1.2600 Service Pack 3

3/25/2009 9:07:27 AM
mbam-log-2009-03-25 (09-07-27).txt

Scan type: Quick Scan
Objects scanned: 69140
Time elapsed: 13 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 9
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\UpdateWin (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\UpdateWin (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UpdateWin (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UpdateWin (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\UpdateWin (Worm.Sdbot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\UpdateWin (Worm.Sdbot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\UpdateWin (Worm.Sdbot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\OLE\UpdateWin (Worm.Sdbot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa\UpdateWin (Worm.Sdbot) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\1028d.exe (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\system32\tdssinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tdssservers.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Application Data\config.cfg (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Application Data\~tmp.html (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\odb.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\Windows_update.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

I haven't done another scan yet, BUT my firewall wasn't disabled when I relogged this time. Seems to be gone...gonna cross my fingers! That pesky file that I couldn't seem to get rid of ( C:\WINDOWS\system32\1028d.exe ) was deleted after rebooting according to the log. We'll see :thumbsup:

#4 Ali_bear

Ali_bear
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:11:01 PM

Posted 25 March 2009 - 10:07 AM

One more question:

This particular virus, SuperTDS.com, is listed as a trojan spyware. Is it the type that I need to be worried about? I mean, should I believe that my computer will always be compromised now as far as the security? Could this be considered the same as a rootkit trojan? Or should I feel pretty safe now that it is gone?

Just wanna make sure. That's actually more than one question, isn't it? *chuckles* Thanks again!

#5 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,579 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:01 PM

Posted 25 March 2009 - 04:24 PM

Your log shows a Backdoor infection. Some of these can be very nasty (similar to a Rootkit) and your online passwords may have been compromised.

Reboot your computer, run the Malwarebytes full scan and post the new log.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#6 Ali_bear

Ali_bear
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:11:01 PM

Posted 25 March 2009 - 07:33 PM

Hi Budapest :thumbsup:

Here is the new log from the scan that I did several times just to make sure:

Malwarebytes' Anti-Malware 1.34
Database version: 1895
Windows 5.1.2600 Service Pack 3

3/25/2009 4:48:33 PM
mbam-log-2009-03-25 (16-48-33).txt

Scan type: Quick Scan
Objects scanned: 69083
Time elapsed: 11 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Looks like I'm clean huh?

#7 Ali_bear

Ali_bear
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:11:01 PM

Posted 25 March 2009 - 07:36 PM

oh wait! Disregard that...that was a QUICK SCAN! I'll do a FULL one and get back to you.

#8 Ali_bear

Ali_bear
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:11:01 PM

Posted 26 March 2009 - 08:58 AM

Alrighty!

Here's the full scan:

Malwarebytes' Anti-Malware 1.34
Database version: 1895
Windows 5.1.2600 Service Pack 3

3/26/2009 8:54:23 AM
mbam-log-2009-03-26 (08-54-23).txt

Scan type: Full Scan (C:\|)
Objects scanned: 242262
Time elapsed: 2 hour(s), 55 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

So, looks like I'm okay...Thank you very much for your help. You helped me get my peace of mind back ...for now at least :thumbsup:

#9 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,579 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:01 PM

Posted 26 March 2009 - 06:09 PM

If you’re clean, you should create a new Restore Point to prevent possible re-infection from an old one.

Go Start > Programs > Accessories > System Tools and click System Restore. Choose the radio button marked Create a Restore Point on the first screen then click Next. Give the Restore Point a name and then click Create. Then use Disk Cleanup to remove all but the most recently created Restore Point. Go Start > Run and type: "Cleanmgr" (without the quotes). Click Ok > More Options tab > Clean Up in the System Restore section to remove all previous restore points except the newly created one.

Also, go Start > Control Panel and double-click Add or Remove Programs. Post back and report any Java entries that you have.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#10 Ali_bear

Ali_bear
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:11:01 PM

Posted 28 March 2009 - 09:33 AM

Hi Budapest :thumbsup:

Sorry for the delay...

I created the new restore point, cleaned away all other restore points...and here is the only java program that I have listed in my add/remove program list:

J2SE Runtime Environment 5.0 Update 3

#11 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,579 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:01 PM

Posted 29 March 2009 - 05:50 PM

That Java is out of date. Remove it and get the latest from here:

http://www.java.com/en/download/index.jsp
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#12 Ali_bear

Ali_bear
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:11:01 PM

Posted 02 April 2009 - 08:39 AM

Heya Buda:

I've downloaded the latest version of java, thank you once again :thumbsup: Is there anything else that you would suggest?

#13 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,579 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:01 PM

Posted 02 April 2009 - 04:37 PM

Run this scan as a double check:

Please print out and follow these instructions: "How to use SDFix". This program is for Windows 2000/XP ONLY.
When using this tool, you must use the Administrator's account or an account with "Administrative rights"
  • Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real time protection programs before performing a scan.
  • When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt.
  • If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either Mode, and type F, then press Enter for it to finish the final stage and produce the report.
  • Please copy and paste the contents of Report.txt in your next reply.
  • Be sure to renable you anti-virus and and other security programs before connecting to the Internet.
-- If the computer has been infected with the VirusAlert! malware warning from the clock and the Start Menu icons or drives are not visible, open the SDFix folder, right-click on either the XP_VirusAlert_Repair.inf or W2K VirusAlert_Repair.inf (depending on your version of Windows) and select Install from the Context menu. Then reboot to apply the changes.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users