BleepingComputer.com forums

Backdoor TDSS 565 infection: svchost.exe keeps popping up as being infected


3 replies to this topic

#1 Lieke

  • Members
  • 1 posts
  • OFFLINE
  • Gender:Female
  • Location:Shanghai, China
  • Local time:02:01 AM

Posted 15 December 2009 - 05:44 AM

Hi,

I am really hoping that someone can help me with my problem, as now it has almost brought me to tears.
I should say beforehand that I am a total computer newbie, I know absolutely nothing of computers, only the bare minimum. I use my computer to surf the internet and for Word.

So, my problem:

I downloaded an episode of a TV show using Vuze (I know, bad behaviour, and after this I will certainly never do it again!). The file must have been infected, because when I opened it to play, my virus scanner (Avast) gave the following warning:

Virus found:
Filename: C:\windows\temp\lhvm.tmp\svchost.exe
Malware name: Win32 Malware-gen
Malware type: Virus/Worm

I put the file in quarantine and that seemed it. I removed the infected episode.
Unfortunately, from that moment on, every 5 minutes the same Avast warning pops up. Every time it gives the same virus in the same filename:

C:\windows\temp\xxxx.tmp\svchost.exe

The xxxx stands for a random 4-letter combination that keeps changing.

I did some research on the internet and found that this problem is caused by this virus: Backdoor.TDss.565.

I tried to run the Dr. Web CureIt scanner, because it was said that it was the only virus scanner that could find and clean up this virus. I tried it 4 times, but every time the program shut itself down when it was trying to scan the file C:\windows\system32\drivers\atapi.sys

I concluded this atapi.sys file must be the one that is really infected. It somehow prevents Web CureIt from finding and cleaning it.

When I am offline Avast gives no virus pop-ups anymore, but it keeps on creating the weird xxxx.tmp\svchost.exe files.
When I am online I get a virus warning every 5 minutes.

So, to be conclusive: I definitely have this virus, although my computer still behaves normally (except for the 5-minute pop-ups from Avast). I read somewhere that my computer still functions properly because Avast is holding back the virus; it keeps placing it in quarantine.
Online I read that Dr. Web CureIt would do the trick, but it doesn't; it shuts down when scanning atapi.sys.

At the moment I am abroad for 4 months, so I do not have any backups or system CDs or anything with me, they are all back home.

I really don't know what to do anymore. I read something about Combofix, but it scares the hell out of me. I cannot afford to crash my computer.

Please help me with this.

Thank you so much in advance!

Lieke


#2 intercosmos

  • Members
  • 1 posts
  • OFFLINE
  • Local time:03:01 AM

Posted 16 December 2009 - 06:18 AM

I've got exactly the same virus/trojan.
This thing is driving me nuts. I can't find where it's hiding at all, and I always considered myself a fairly advanced computer user.

Norton Internet Security 2009 seems to thwart its attempts at connecting to the internet, but doesn't seem to be able to find the root of the problem.

Please somebody!!

#3 pete_C

  • Members
  • 2 posts
  • OFFLINE
  • Local time:01:01 PM

Posted 14 February 2010 - 09:13 AM

We have this virus, and many others have found that nothing seems to stop the virus from recreating the *.tmp/svchost.exe and doing whatever it does. I have found out that this svchost.exe executes and removes itself fast enough to avoid antivirus software doing anything.

Using Microsoft's free download tool TCPview I was able to watch this virus as it repeatedly started up an xxx.tmp/svchost.exe, connected to the Russian URL 91.212.226.182 (or a few others) and then deleted itself. It's fast enough to be gone by the time antivirus tools like Windows Security Essentials can quarantine it or remove it. They may detect it and report it, BUT it self-deletes before the antivirus tools can do anything. That's why nobody sees an svchost.exe file, with or without antivirus tools doing anything about it.

It looks like it just may be waiting for a signal from the Russian URL or the other control locations before activating. Thus the sneaky quick connect and remove.
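The behaviour pete_C describes (an svchost.exe launched from a random .tmp folder under windows\temp, one quick outbound connection, then self-deletion) is exactly the kind of pattern a defender can catch in process and network audit logs even when the file is gone before a scanner reacts. The Python script below is an added example, not code from this thread or from any tool mentioned in it. It runs a few simple rules over a constructed audit log whose line format ("timestamp | event | pid | detail") is hypothetical, flagging svchost.exe started from anywhere other than system32, the random .tmp path Lieke reported, connections to the address pete_C observed, and a process lifetime of only a few seconds. The log format, field layout and the 5-second lifetime threshold are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log (not real data from the thread). Format is a
# hypothetical "timestamp | event | pid | detail" layout chosen for this example.
SAMPLE_LOG = """\
2009-12-15 05:40:01 | ProcessCreate | 1204 | C:\\windows\\temp\\lhvm.tmp\\svchost.exe
2009-12-15 05:40:01 | NetConnect    | 1204 | 91.212.226.182:443
2009-12-15 05:40:02 | ProcessExit   | 1204 | C:\\windows\\temp\\lhvm.tmp\\svchost.exe
2009-12-15 05:40:02 | FileDelete    | 1204 | C:\\windows\\temp\\lhvm.tmp\\svchost.exe
2009-12-15 05:41:10 | ProcessCreate | 880  | C:\\windows\\system32\\svchost.exe
2009-12-15 05:41:11 | NetConnect    | 880  | 65.55.12.249:80
2009-12-15 05:45:03 | ProcessCreate | 1388 | C:\\windows\\temp\\qzpa.tmp\\svchost.exe
2009-12-15 05:45:03 | NetConnect    | 1388 | 91.212.226.182:443
2009-12-15 05:45:04 | ProcessExit   | 1388 | C:\\windows\\temp\\qzpa.tmp\\svchost.exe
"""

# Address pete_C reported seeing in TCPview; treated here as a watchlist entry.
REPORTED_CONTROL_ADDRESSES = {"91.212.226.182"}

# Random four-character .tmp folder under windows\temp, as described by Lieke.
TEMP_SVCHOST = re.compile(r"\\windows\\temp\\[a-z0-9]{4}\.tmp\\svchost\.exe$", re.IGNORECASE)
# The only location a genuine svchost.exe should be started from.
LEGIT_SVCHOST = re.compile(r"^[a-z]:\\windows\\system32\\svchost\.exe$", re.IGNORECASE)


def parse_log(text):
    """Parse the constructed log into (timestamp, event, pid, detail) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, pid, detail = [field.strip() for field in line.split("|", 3)]
        records.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), event, int(pid), detail))
    return records


def analyze(records, max_lifetime_seconds=5):
    """Group events per pid and return a list of findings with the rules each one hit."""
    by_pid = defaultdict(list)
    for rec in records:
        by_pid[rec[2]].append(rec)

    findings = []
    for pid, events in by_pid.items():
        create = next((e for e in events if e[1] == "ProcessCreate"), None)
        if create is None:
            continue
        path = create[3]
        reasons = []

        # Rule 1: any svchost.exe not started from system32 is suspicious on its own.
        if path.lower().endswith("svchost.exe") and not LEGIT_SVCHOST.match(path):
            reasons.append("svchost.exe running outside system32")
        # Rule 2: the specific random .tmp folder pattern reported in the thread.
        if TEMP_SVCHOST.search(path):
            reasons.append("TDSS-style random .tmp folder under windows\\temp")
        # Rule 3: outbound connection to an address on the watchlist.
        for e in events:
            if e[1] == "NetConnect" and e[3].split(":")[0] in REPORTED_CONTROL_ADDRESSES:
                reasons.append("connection to address reported in thread: " + e[3])

        # Supporting evidence only: a very short lifetime, which is what lets the
        # file vanish before an on-demand scan ever sees it.
        exit_event = next((e for e in events if e[1] == "ProcessExit"), None)
        if reasons and exit_event is not None:
            lifetime = (exit_event[0] - create[0]).total_seconds()
            if lifetime <= max_lifetime_seconds:
                reasons.append("process exited within %d s of starting" % lifetime)

        if reasons:
            findings.append({"pid": pid, "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in analyze(parse_log(SAMPLE_LOG)):
        print("pid %d  %s" % (finding["pid"], finding["path"]))
        for reason in finding["reasons"]:
            print("    - " + reason)
```

The legitimate svchost.exe (pid 880) passes every rule, while both temp-folder instances are flagged with all four reasons. The point of the lifetime rule is the one pete_C makes: when the file deletes itself in about a second, the process-creation record is the durable evidence, so the log, not the file on disk, is what to alert on.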

#4 Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,949 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:02:01 PM

Posted 20 February 2010 - 09:25 PM

Hello,

TDSS is a very bad rootkit. Please follow the instructions in ==>This Guide<==.

Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<==

If you can produce some of the logs, please create the new topic. If you cannot produce any of the logs, then post back here and we will provide you with further instructions.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript
