Trojan.TDSServ Is Back


Solved Trojan.TDSServ Is Back

Post by Ritsuko on 26th January 2009, 3:45 pm

After yesterday's help everything went well, until not long ago when I turned on my computer again.
Trojan.TDSServ is back =[

Ritsuko
Novice

Posts : 28
Joined : 2009-01-25
OS : Desktop
Points : 28772
# Likes : 0


Post by Belahzur on 26th January 2009, 3:55 pm

Submit a new DDS log please.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34918
Joined : 2008-08-03
Gender : Male
OS : 7 Home Premium x64
Points : 245111
# Likes : 1


Post by Ritsuko on 26th January 2009, 4:01 pm

DDS (Ver_09-01-19.01) - NTFSx86
Run by D-Secrets at 0:00:38.31 on Tue 01/27/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2039.1562 [GMT 8:00]

AV: Spyware Doctor with AntiVirus *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe -k bthsvcs
D:\Hotspot Shield\bin\openvpnas.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\vsnpstd3.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\D-link AirPlus G DWL-G120 Wireless USB\120UTIL.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\wuauclt.exe
D:\Professer Help\DDS\DDS.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uLocal Page = \blank.htm
uStart Page = [You must be registered and logged in to see this link.]
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Hotspot Shield Class: {f9e4a054-e9b1-4bc3-83a3-76a1ae736170} - d:\hotspot shield\hssie\HssIE.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [MsnMsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [snpstd3] c:\windows\vsnpstd3.exe
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\d-link~1.lnk - c:\program files\d-link airplus g dwl-g120 wireless usb\120UTIL.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - [You must be registered and logged in to see this link.]
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - [You must be registered and logged in to see this link.]
DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - [You must be registered and logged in to see this link.]
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - [You must be registered and logged in to see this link.]
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - [You must be registered and logged in to see this link.]
DPF: {C49134CC-B5EF-458C-A442-E8DFE7B4645F} - [You must be registered and logged in to see this link.]
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - [You must be registered and logged in to see this link.]
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\d-secr~1\applic~1\mozilla\firefox\profiles\tcjaqupc.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]

============= SERVICES / DRIVERS ===============

R0 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2008-11-14 40840]
R1 IKSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2008-11-14 66952]
R1 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2008-11-14 81288]
R4 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2008-11-14 356920]
R4 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2008-11-14 1079176]
S3 IlvMoneyDRIVER53;IlvMoneyDRIVER53;\??\d:\maplesea hacks\ilvmoney1224.sys --> d:\maplesea hacks\IlvMoney1224.sys [?]
S3 SBRE;SBRE;\??\c:\windows\system32\drivers\sbredrv.sys --> c:\windows\system32\drivers\SBREdrv.sys [?]

=============== Created Last 30 ================

2009-01-26 23:48 268 a---h--- C:\sqmdata01.sqm
2009-01-26 23:48 244 a---h--- C:\sqmnoopt01.sqm
2009-01-26 23:33 268 a---h--- C:\sqmdata00.sqm
2009-01-26 23:33 244 a---h--- C:\sqmnoopt00.sqm
2009-01-26 01:53 --d----- c:\program files\common files\Wise Installation Wizard
2009-01-26 00:49 --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-01-24 13:33 --d----- c:\docume~1\d-secr~1\applic~1\Malwarebytes
2009-01-24 13:33 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-24 05:14 90,624 ac------ c:\windows\system32\dllcache\kswdmcap.ax
2009-01-24 05:14 28,672 ac------ c:\windows\system32\dllcache\vidcap.ax
2009-01-24 05:14 90,624 a------- c:\windows\system32\kswdmcap.ax
2009-01-24 05:14 28,672 a------- c:\windows\system32\vidcap.ax
2009-01-24 05:14 61,952 ac------ c:\windows\system32\dllcache\kstvtune.ax
2009-01-24 05:14 53,760 ac------ c:\windows\system32\dllcache\vfwwdm32.dll
2009-01-24 05:14 61,952 a------- c:\windows\system32\kstvtune.ax
2009-01-24 05:14 53,760 a------- c:\windows\system32\vfwwdm32.dll
2009-01-24 05:14 43,008 ac------ c:\windows\system32\dllcache\ksxbar.ax
2009-01-24 05:14 43,008 a------- c:\windows\system32\ksxbar.ax
2009-01-18 23:40 --d----- c:\program files\Retro64 Games
2009-01-04 21:47 --d----- c:\windows\system32\CatRoot_bak
2009-01-04 21:38 459,264 -c------ c:\windows\system32\dllcache\msfeeds.dll
2009-01-04 21:38 52,224 -c------ c:\windows\system32\dllcache\msfeedsbs.dll
2009-01-04 21:38 267,776 -c------ c:\windows\system32\dllcache\iertutil.dll
2009-01-04 21:38 63,488 -c------ c:\windows\system32\dllcache\icardie.dll
2009-01-04 21:38 13,824 -c------ c:\windows\system32\dllcache\ieudinit.exe
2009-01-04 21:38 383,488 -c------ c:\windows\system32\dllcache\ieapfltr.dll
2009-01-04 21:38 2,455,488 -c------ c:\windows\system32\dllcache\ieapfltr.dat
2009-01-04 21:38 991,232 -c------ c:\windows\system32\dllcache\ieframe.dll.mui
2009-01-04 21:38 6,066,176 -c------ c:\windows\system32\dllcache\ieframe.dll
2009-01-04 21:35 2,136,064 -c------ c:\windows\system32\dllcache\ntkrnlmp.exe
2009-01-04 21:34 2,180,352 -c------ c:\windows\system32\dllcache\ntoskrnl.exe
2009-01-04 21:34 2,015,744 -c------ c:\windows\system32\dllcache\ntkrpamp.exe
2009-01-04 21:34 2,057,728 -c------ c:\windows\system32\dllcache\ntkrnlpa.exe
2009-01-04 21:33 453,632 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2009-01-04 21:30 --d----- c:\windows\system32\PreInstall
2009-01-04 19:10 27,496 a------- c:\windows\system32\mucltui.dll.mui
2009-01-04 19:10 268,648 a------- c:\windows\system32\mucltui.dll
2009-01-02 22:36 23,576 a------- c:\windows\system32\wuapi.dll.mui
2009-01-02 22:33 --d----- c:\program files\Windows Journal Viewer
2009-01-01 02:32 --d----- C:\Nexon
2008-12-30 18:53 25,280 a------- c:\windows\system32\drivers\hamachi.sys
2008-12-30 00:36 --d----- c:\docume~1\alluse~1\applic~1\Messenger Plus!

==================== Find3M ====================

2008-12-11 19:57 333,184 a------- c:\windows\system32\drivers\srv.sys
2008-12-05 22:18 499,712 a------- c:\windows\system32\msvcp71.dll
2008-12-05 22:18 348,160 a------- c:\windows\system32\msvcr71.dll
2008-11-14 15:03 21,640 a------- c:\windows\system32\emptyregdb.dat

============= FINISH: 0:01:14.59 ===============

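A worked example, added here and not part of the thread, of DDS or of any tool the helpers used: a small Python triage of the SERVICES / DRIVERS section of the log above. It applies two checks a responder would otherwise do by eye, namely an entry whose trailing bracket is "[?]" instead of a date and size (taken here, as an assumption, to mean DDS could not read the image file) and a .sys kernel driver whose image path is anywhere other than c:\windows\system32\drivers. The sample input is the section copied from the log; the output is a list of entries to verify by hand, not a verdict on any of them.

```python
import re

# Sample input: the SERVICES / DRIVERS section of the DDS log posted in this
# thread, embedded here so the example runs offline.
DDS_SERVICES = r"""
R0 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2008-11-14 40840]
R1 IKSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2008-11-14 66952]
R1 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2008-11-14 81288]
R4 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2008-11-14 356920]
R4 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2008-11-14 1079176]
S3 IlvMoneyDRIVER53;IlvMoneyDRIVER53;\??\d:\maplesea hacks\ilvmoney1224.sys --> d:\maplesea hacks\IlvMoney1224.sys [?]
S3 SBRE;SBRE;\??\c:\windows\system32\drivers\sbredrv.sys --> c:\windows\system32\drivers\SBREdrv.sys [?]
"""

# DDS line layout as seen in the log:
#   "<status> <service name>;<display name>;<image path> [<date> <size>]"
# Assumption used below: the trailing bracket is "[?]" when DDS could not
# read the image file's date and size.
LINE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*?)\s*\[([^\]]*)\]\s*$")

DRIVER_DIR = "c:\\windows\\system32\\drivers\\"  # expected home of kernel drivers on XP
NT_PREFIX = "\\??\\"                              # NT object-manager path prefix


def parse_entry(line):
    """Parse one service/driver line into a dict, or return None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    status, name, display, path, info = m.groups()
    # "\??\x --> y" is DDS showing the raw NT path and its resolved Win32 form;
    # keep the resolved one.
    if "-->" in path:
        path = path.split("-->")[-1]
    path = path.strip().lower()
    if path.startswith(NT_PREFIX):
        path = path[len(NT_PREFIX):]
    return {"status": status, "name": name.strip(), "display": display.strip(),
            "path": path, "info": info.strip()}


def flag_entry(entry):
    """Return the list of heuristic reasons this entry deserves a closer look."""
    reasons = []
    if entry["info"] == "?":
        reasons.append("no file date/size: DDS could not read the image file")
    if entry["path"].endswith(".sys") and not entry["path"].startswith(DRIVER_DIR):
        reasons.append("kernel driver loaded from outside %s" % DRIVER_DIR)
    return reasons


def triage(text):
    """Map service name -> reasons, for every entry that trips at least one heuristic."""
    findings = {}
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        reasons = flag_entry(entry)
        if reasons:
            findings[entry["name"]] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in triage(DDS_SERVICES).items():
        print(name)
        for r in reasons:
            print("  -", r)
```

Run on the log above it flags IlvMoneyDRIVER53 on both checks and SBRE on the missing-file check only; everything under Spyware Doctor passes. A "[?]" on a kernel driver is worth checking in person (does the file exist, who signed it, what loads it), and a driver outside system32\drivers is unusual enough to ask the user what installed it before deleting anything.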


Post by Belahzur on 26th January 2009, 4:12 pm

Okay, let's do another rootkit scan and remove this suspicious object.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O2 - BHO: Hotspot Shield Class - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - D:\Hotspot Shield\hssie\HssIE.dll


  • Press "Fix Checked"
  • Close Hijack This.


Delete this folder in bold:
D:\Hotspot Shield

1. Please download The Avenger by Swandog46 to your Desktop
Link: [You must be registered and logged in to see this link.] or [You must be registered and logged in to see this link.].

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C)


Files to delete:
C:\sqmdata01.sqm
C:\sqmnoopt01.sqm
C:\sqmdata00.sqm
C:\sqmnoopt00.sqm

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste the content of c:\avenger.txt into your reply.




Post by Ritsuko on 26th January 2009, 4:24 pm

Logfile of The Avenger Version 2.0, (c) by Swandog46
[You must be registered and logged in to see this link.]

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\sqmdata01.sqm" deleted successfully.
File "C:\sqmnoopt01.sqm" deleted successfully.
File "C:\sqmdata00.sqm" deleted successfully.
File "C:\sqmnoopt00.sqm" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.



Post by Belahzur on 26th January 2009, 4:28 pm

Any change now?




Post by Ritsuko on 26th January 2009, 4:36 pm

Trojan.TDSServ is still there.



Post by Belahzur on 26th January 2009, 4:38 pm

It's still finding it in temp folder?




Post by Ritsuko on 26th January 2009, 4:39 pm

Yeah.
C:\Documents and Settings\D-Secrets\Local Settings\Temp\np3A.tmp
And another 2, the same but with random np*.tmp names.



Post by Belahzur on 26th January 2009, 4:47 pm

Hmm.

If this folder in bold below is present, delete it.
C:\Program Files\Conduit

Press Start > Run
Type in:
cmd
Press enter.
When the command prompt opens, type in:
ipconfig /flushdns <== note the space between the g and /
Press enter.

Close the command prompt.
Any change now?




Post by Ritsuko on 26th January 2009, 5:05 pm

Can't find this folder: C:\Program Files\Conduit

How do I use the command prompt?
It gives me one black screen like a box and nothing else.
I'm not very sure how to use this function.



Post by Belahzur on 26th January 2009, 5:28 pm

Yeah, it's a black box, that has this line (or should)

C:\documents and settings\username>

That's where you type the command.




Post by Ritsuko on 27th January 2009, 1:02 pm

Yup, done. Still there, lol.
Trojan.TDSServ ==''
Ahhh



Post by Belahzur on 27th January 2009, 5:53 pm

Then I wouldn't worry, the machine is fine.
Try this.

Now open a new notepad file.
Input this into the notepad file:

@echo off
REM Stop the Hotspot Shield service from starting at boot (sc requires the space after "start="),
REM stop it if it is currently running, then unregister it from the service database.
sc config "HotspotShieldService" start= disabled
sc stop "HotspotShieldService"
sc delete "HotspotShieldService"
REM Remove this batch file; the desktop is the working directory when it is double-clicked there.
del fix.bat
exit

Save this as fix.bat, save it to your desktop.
Double click fix.bat and the black cmd window will open and close, this is normal.




Post by Ritsuko on 28th January 2009, 7:56 am

Yup, done.



Post by Belahzur on 28th January 2009, 1:45 pm

Then it should be fine now, even if it detected TDSS files.




Post by Doctor Inferno on 9th May 2009, 9:59 am

Since this issue has been addressed, a "solved" tag will be added and this topic will be closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else, please open a [You must be registered and logged in to see this link.] for your questions.


Please be a GeekPolice fan on [You must be registered and logged in to see this link.]



Have we helped you? [You must be registered and logged in to see this link.] | Doctor by day, ninja by night.

Doctor Inferno
Administrator

Posts : 11976
Joined : 2007-12-26
Gender : Male
OS : Windows 7 Home Premium and Ultimate X64
Protection : Kaspersky PURE and Malwarebytes' Anti-Malware
Points : 104640
# Likes : 0

