Trojan.tdsserv + Vundo/Virtumonde!


This topic is locked
17 replies to this topic

#1 Jonny03

  • Members
  • 8 posts

Posted 20 April 2009 - 09:40 PM

Hey guys,

Recently I've been encountering some problems with my computer. Things had slowed down a lot (mainly due to Virtumonde and a host of other malware I think) and I've since managed to improve my performance but am unsure of whether I'm still affected with the named viruses. Firefox especially seemed to go a lot slower after I was affected and when I ran various spyware removal tools, its speed did not increase.

The main problem I'm experiencing at the moment is trying to install the latest Automatic Updates for Windows. It just won't work. It says they're ready to install, but when I try installing them I get a message from Spyware Doctor saying it's found a threat, Trojan.tdsserv, and asks me about blocking or allowing it. This message only ever comes up when trying to install the updates. So I was wondering how I can stop this, install the updates and get rid of this trojan?

I've included a HijackThis log with the post and, for your information, in the recent past I've run Spyware Doctor, Registry Mechanic, CCleaner, Spybot S+D and Malwarebytes' Anti-Malware and fixed everything that's come up/cleaned everything I can. My main anti-virus software is McAfee and again, I've fixed everything that's found, yet things are still going a little strange.

Thanks for any help in advance!

Attached Files





#2 Blade81
    Bleepin' Rocker

  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 28 April 2009 - 04:08 PM

Hi,

Sorry for the delayed response. Forums have been really busy. If you still need help with this, do the following, please.


Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    • DDS.txt
    • Attach.txt
  • Save both reports to your desktop. Post them back to your topic.

Download GMER and save it to your desktop:
  • Extract it to your desktop and double-click GMER.exe
  • Click the Rootkit tab and then Scan.
  • Don't check the Show All box while scanning is in progress!
  • When scanning is ready, click Copy.
  • This copies the log to the clipboard.
  • Post the log in your reply.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the corresponding user's case only. If you have similar symptoms, create your own topic instead of following instructions given to someone else, please.


#3 Blade81
    Bleepin' Rocker

  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 08 May 2009 - 11:07 AM

Due to inactivity, this thread will now be closed. If you need this topic reopened, please contact a Staff member. Include the address of this thread in your request. This applies only to the original topic starter. Should you have a new issue, please start a New Topic.



#4 Blade81
    Bleepin' Rocker

  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 11 May 2009 - 11:39 AM

Topic re-opened upon user's request.



#5 Jonny03
  • Topic Starter

  • Members
  • 8 posts

Posted 11 May 2009 - 12:31 PM

I've attached the logs as requested.

The problem now seems to be centered around Trojan.tdsserv - I don't think Virtumonde is giving me a problem now.

Every now and then, I'll get a pop up from Spyware Doctor saying it's found Trojan.tdsserv and asking me to block or allow. Straight after this I'm alerted about automatic updates and get given the "Your computer must be restarted" message and a five minute countdown each time. This is the problem I want to stop because I can't keep delaying a restart on my computer every time I want to use it.

Thank you,

Jonny

Attached Files



#6 Jonny03
  • Topic Starter

  • Members
  • 8 posts

Posted 11 May 2009 - 12:39 PM

I seem to be having problems posting the GMER results, could someone suggest how I go about posting them? The file is too large to attach and too long for a post...

Edited by Jonny03, 11 May 2009 - 12:46 PM.


#7 Blade81
    Bleepin' Rocker

  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 11 May 2009 - 02:41 PM

Hi Jonny,

You may archive the GMER log into a zip file and then attach it :thumbup2:



#8 Jonny03
  • Topic Starter

  • Members
  • 8 posts

Posted 11 May 2009 - 04:00 PM

Thank you!

If I've done it right, the GMER results should be attached to this post now!

Attached Files



#9 Blade81
    Bleepin' Rocker

  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 12 May 2009 - 10:30 AM

Hi again,

You seem to have P2P file sharing software installed there. Nowadays a major part of infections are received from P2P networks, and that's why I recommend uninstalling such software. If you don't want to uninstall it, then please make sure none of those programs is running during this whole fixing process.


Are you familiar with this url (link obfuscated on purpose):
hxxp://127.0.0.1:4664/first_usage&s=wsAaFra-mUyJCSJ5wzstrGtkn8o ?



Disable Spybot's TeaTimer to make sure it won't interfere with fixes. You can re-enable it when you're clean again:
  • Run Spybot-S&D in Advanced Mode
  • If it is not already set to do this, go to the Mode menu and select Advanced Mode
  • On the left hand side, click on Tools
  • Then click on the Resident icon in the list
  • Uncheck Resident TeaTimer and OK any prompts.
  • Restart your computer

Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Remember to re-enable them afterwards.
  • Click Yes to allow ComboFix to continue scanning for malware.
  • When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds.txt log.


A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.



#10 Jonny03
  • Topic Starter

  • Members
  • 8 posts

Posted 12 May 2009 - 04:00 PM

I'm sure you can imagine I'm a bit wary of doing all of these fixes especially with warnings so before I attempt to run these programs I'd just like to ask a couple of questions.

The P2P software you mention, are you talking about BitTorrent? Because that's the only software I can think of that would be classed as P2P. I will remove it anyway as I've been meaning to.

Secondly, that link you posted... Although you've obfuscated it, when changing the hxxp to http (which I assumed is what I'm meant to do?) I get a broken link page. So I'm unsure of what I'm doing there. I'm a little computer illiterate with certain things, sorry!

#11 Blade81
    Bleepin' Rocker

  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 13 May 2009 - 10:39 AM

The P2P software you mention, are you talking about Bittorrent? Because That's the only software I can think of that would be classed as P2P. I will remove it anyway as I've been meaning to.

Yes, BitTorrent is the client in your case (uninstall the DNA entry as well).


Secondly, that link you posted... Although you've obfuscated it, when changing the hxxp to http (which I assumed is what I'm meant to do?) I get a broken link page. So I'm unsure of what I'm doing there. I'm a little computer illiterate with certain things, sorry!

I didn't mean you should visit it. Just wanted to know if the link looked familiar to you :thumbup2:

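The URL Blade81 asks about points at a service on the machine's own loopback interface (127.0.0.1, port 4664), and the question is simply whether the user recognises the program behind it. The usual defender's check for an unfamiliar local listener is to attribute the port to a process and compare its path with the software you know you installed. The PowerShell script below is an added example, not part of this thread or of any tool mentioned in it; it assumes a Windows host where netstat.exe and WMI are available, the port number 4664 is taken from the URL in post #9, and the script name Find-LocalListener.ps1 is a placeholder.

```powershell
# Added example (not from the thread): attribute a TCP listener on a loopback port
# to the process that owns it, so an unfamiliar 127.0.0.1:<port> URL can be matched
# against installed software. Assumes Windows with netstat.exe and WMI; run from an
# elevated prompt to see the paths of processes owned by other users.
param(
    [int]$Port = 4664   # port taken from the hxxp://127.0.0.1:4664/... URL in the post
)

# netstat -ano prints lines such as:
#   TCP    127.0.0.1:4664    0.0.0.0:0    LISTENING    1234
# Capture the bind address and the owning PID for the requested port only.
$pattern   = '^\s*TCP\s+(\S+):{0}\s+\S+\s+LISTENING\s+(\d+)\s*$' -f $Port
$listeners = netstat -ano | Select-String -Pattern $pattern

if (-not $listeners) {
    Write-Output "No process is listening on TCP port $Port."
    return
}

foreach ($hit in $listeners) {
    $bindAddr = $hit.Matches[0].Groups[1].Value
    $ownerPid = [int]$hit.Matches[0].Groups[2].Value

    # WMI supplies the executable path and command line, which is what you compare
    # against the programs you know you installed.
    $proc = Get-WmiObject -Class Win32_Process -Filter "ProcessId = $ownerPid"

    if ($null -eq $proc) {
        Write-Output ("Port {0} bound on {1} by PID {2} (process already exited or not visible)" -f $Port, $bindAddr, $ownerPid)
        continue
    }

    Write-Output ("Port {0} bound on {1}:" -f $Port, $bindAddr)
    Write-Output ("  PID         : {0}" -f $proc.ProcessId)
    Write-Output ("  Name        : {0}" -f $proc.Name)
    Write-Output ("  Path        : {0}" -f $proc.ExecutablePath)
    Write-Output ("  Command line: {0}" -f $proc.CommandLine)

    # A listener bound only to 127.0.0.1 or [::1] is reachable just from this machine;
    # 0.0.0.0 or [::] would mean it also accepts connections from the network.
    if ($bindAddr -notin @('127.0.0.1', '[::1]')) {
        Write-Output "  Note: not loopback-only; this port is reachable from other hosts."
    }
}
```

Run it as `.\Find-LocalListener.ps1 -Port 4664`. A path under a directory you recognise (a search or indexing product, a media player's web interface) answers the question the way Jonny03's "does not look familiar" reply did; a path under a temporary or user-profile directory with no matching installed program is what a responder would want to see in the logs before deciding on a fix.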


#12 Jonny03
  • Topic Starter

  • Members
  • 8 posts

Posted 15 May 2009 - 03:02 PM

I've uninstalled BitTorrent as well as DNA and that link does not look familiar to me.

I'm just posting to ask if you could not close this topic again if I don't reply straight away? It's just that I'm a little busy and may not be able to do the scan and post the results for a little while. Shouldn't be for too long, maybe a few days or so! Just asking in advance is all, cheers!

#13 Blade81
    Bleepin' Rocker

  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 15 May 2009 - 03:09 PM

Hi

Topics that have been inactive for more than 5 days will be closed. So, if it will take only a few days, then it should be ok :thumbup2:



#14 Jonny03
  • Topic Starter

  • Members
  • 8 posts

Posted 18 May 2009 - 06:40 PM

Sorry to do this again, but there is just one last thing I'm confused about. I've read the tutorial for ComboFix and how it says to turn off all the anti-virus software you have. While I know how to do the majority of it, I'm stumped with Spyware Doctor 6.0. The instructions on how to disable it running at start up and the "On-guard" settings appear to be for previous versions. The instructions say:

SPYWARE DOCTOR
Click the Spyware Doctor icon in the System Tray.
Click Settings.
Click Startup Settings under Pick a Category.
Uncheck "Run at Windows startup".
Click Apply and Exit Spyware Doctor.
From within Spyware Doctor, click the "OnGuard" button on the left side.
Uncheck "Activate OnGuard".
(When we are done, you can reenable Spyware Doctor)


I have a checkbox for "Run Scan on Windows Startup" in the General tab of 'Settings' but nothing about running the actual program. And the whole "OnGuard" thing seems to be incorporated into this IntelliGuard feature.


Is there something I should do with all of this? Do I leave it on? Or is there another way to disable it?

#15 Blade81
    Bleepin' Rocker

  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 19 May 2009 - 09:59 AM

Hi

See if you can shut Spyware Doctor down completely until ComboFix has run. If not, then let ComboFix run without minding about SD.





