
backdoor.tdss.565

Q: backdoor.tdss.565

First, thank you in advance for your time and attention to help me solve this issue.

So, my old roommate took over my old desktop for the past couple years, and now I've returned to it to find it riddled with viruses, but one that seems to be impossible for me to shake on my own.

Whatever it is (Dr Web called it backdoor.tdss.565), I figure it's running under an svchost. The svchost in question will sometimes be using over 3GB of system memory (often over 100 times the next closest process), which makes it pretty obvious. It also uses about 50% of my CPU, which is far beyond anything I've ever seen before.

I've run avast, SBS&D, MWBAM, ad-aware, drweb cureit, kaspersky (only the virus removal tool, as the main program fails to load, telling me to run the virus removal tool again), spyware terminator, and I've gone through my HJT log several times googling every process. So, long story short, I hope you can help.

Symptoms: Very slow system speed. New tabs open up randomly while web browsing, directing me to ads. Sometimes the internet is completely unavailable via either of my browsers (Opera and IE). When searching for specific things via Google, like Windows updates or answers to questions about viruses, instead of going to my chosen link I'm redirected to some scam sites that are set up to look like a Microsoft site or an antivirus site. Some are cheesy and obvious, some are good enough that it's shocking. Windows Update is completely crippled. Clicking on it does nothing, and trying to even see a cached page of anything close to a real Microsoft webpage is blocked by whatever virus this is. I can kill the svchost process in question from the task manager, but it starts right back up, using similar system resources as other processes at first but eventually ramping up to at least a few hundred MB of memory in use. Every antivirus program I've run claims to have found and fixed the problem, but the only real result I had was with DrWeb: after running a complete scan, but before rebooting, Windows Update finally kicked on and showed me scores of updates before crashing, and the svchost process started up again.

I noticed that a lot of programs and logs are saying I have AVG 2011 installed, but it has been uninstalled for a couple months now.

When using gmer, it did not give me the option to change the file extension or enter my own; the only option was to save it as a .log. I'm not sure if that indicates I missed something somewhere or not.

Following is the DDS log requested in the preparation guide:

.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Travis at 4:12:10 on 2011-06-28
Microsoft Windows XP Home Edition 5.1.2600.3.1252.2.1033.18.3062.2194 [GMT -6:00]
.
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Opera 9\opera.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/ig
mStart Page = www.google.ca
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
uRun: [cdloader] "c:\documents and settings\travis.prime-c0912bdd6\application data\mjusbsp\cdloader2.exe" MAGICJACK
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [SW20] c:\windows\system32\sw20.exe
mRun: [SW24] c:\windows\system32\sw24.exe
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRunOnce: [avp6_post_install] msiexec.exe /i"c:\documents and settings\travis.prime-c0912bdd6\desktop\av\kavkis.msi" SKIPPRODUCTCHECK=1 REINSTALL="ALL" REINSTALLMODE="voums"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10p_ActiveX.exe -update activex
uPolicies-explorer: ExSearchOptions = 170970 (0x29bda)
uPolicies-explorer: SpecifyDefaultButtons = 1 (0x1)
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1266108105562
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1266107960812
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{7BEC5A5F-E23D-4D2B-9E0C-B033B072BC87} : DhcpNameServer = 192.168.0.1
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
============= SERVICES / DRIVERS ===============
.
R0 95406822;95406822 Boot Guard Driver;c:\windows\system32\drivers\95406822.sys [2011-6-27 37392]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2011-6-17 64512]
R1 95406821;95406821;c:\windows\system32\drivers\95406821.sys [2011-6-27 128016]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-6-8 441176]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-6-8 307928]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-12-8 251728]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [2011-6-20 142592]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-6-8 19544]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2011-6-8 42184]
R4 setup_9.0.0.722_28.06.2011_01-11drv;setup_9.0.0.722_28.06.2011_01-11drv;c:\windows\system32\drivers\9540682.sys --> c:\windows\system32\drivers\9540682.sys [?]
RUnknown DwProt;DwProt; [x]
S1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys --> c:\windows\system32\drivers\klif.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 A5AGU;D-Link USB Wireless Network Adapter Service;c:\windows\system32\drivers\A5AGU.sys [2008-7-8 347648]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-6-17 2151128]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2011-6-17 15232]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2006-2-28 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 AVGIDSDriver;AVGIDSDriver; [x]
S4 AVGIDSEH;AVGIDSEH; [x]
S4 AVGIDSFilter;AVGIDSFilter; [x]
S4 AVGIDSShim;AVGIDSShim; [x]
S4 Avgrkx86;AVG Anti-Rootkit Driver; [x]
S4 Avgtdix;AVG TDI Driver; [x]
.
=============== Created Last 30 ================
.
2011-06-28 05:07:03 -------- d-sha-r- C:\cmdcons
2011-06-28 04:10:25 208896 ----a-w- c:\windows\MBR.exe
2011-06-28 04:10:24 98816 ----a-w- c:\windows\sed.exe
2011-06-28 04:10:24 518144 ----a-w- c:\windows\SWREG.exe
2011-06-28 04:10:24 256512 ----a-w- c:\windows\PEV.exe
2011-06-27 21:42:17 37392 ----a-w- c:\windows\system32\drivers\95406822.sys
2011-06-27 21:42:17 128016 ----a-w- c:\windows\system32\drivers\95406821.sys
2011-06-27 19:55:12 190032 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2011-06-27 19:10:03 -------- d-----w- c:\documents and settings\all users.windows\application data\Kaspersky Lab Setup Files
2011-06-27 08:07:56 -------- d-----w- c:\documents and settings\travis.prime-c0912bdd6\DoctorWeb
2011-06-27 06:56:17 388096 ----a-r- c:\documents and settings\travis.prime-c0912bdd6\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-06-27 06:56:17 -------- d-----w- c:\program files\Trend Micro
2011-06-23 20:03:23 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-06-23 16:24:13 -------- d-----w- c:\documents and settings\travis.prime-c0912bdd6\local settings\application data\Sunbelt Software
2011-06-20 20:51:03 -------- d-----w- c:\program files\WinClamAVShield
2011-06-20 20:48:08 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-06-20 20:48:08 -------- d-----w- c:\documents and settings\all users.windows\application data\Spybot - Search & Destroy
2011-06-20 20:45:31 142592 ----a-w- c:\windows\system32\drivers\sp_rsdrv2.sys
2011-06-20 20:45:31 -------- d-----w- c:\documents and settings\travis.prime-c0912bdd6\application data\Spyware Terminator
2011-06-20 20:45:29 -------- d-----w- c:\documents and settings\all users.windows\application data\Spyware Terminator
2011-06-20 20:45:28 -------- d-----w- c:\program files\Spyware Terminator
2011-06-17 18:24:24 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-06-17 18:21:08 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-06-11 20:03:31 -------- d-----w- c:\documents and settings\travis.prime-c0912bdd6\application data\Malwarebytes
2011-06-11 20:02:29 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-11 20:02:28 -------- d-----w- c:\documents and settings\all users.windows\application data\Malwarebytes
2011-06-11 20:02:23 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-11 20:02:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-06-09 00:12:38 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-06-09 00:12:27 40112 ----a-w- c:\windows\avastSS.scr
2011-06-09 00:12:20 -------- d-----w- c:\program files\AVAST Software
2011-06-09 00:12:20 -------- d-----w- c:\documents and settings\all users.windows\application data\AVAST Software
2011-05-30 11:14:29 -------- d-----w- c:\documents and settings\travis.prime-c0912bdd6\application data\Stardock
2011-05-30 09:26:40 -------- d-----w- c:\documents and settings\all users.windows\application data\Gibraltar
2011-05-30 05:58:41 -------- d-----w- c:\program files\common files\DivX Shared
2011-05-30 05:49:56 -------- d-----w- c:\documents and settings\all users.windows\application data\DivX
.
==================== Find3M ====================
.
2011-06-24 18:23:48 26112 ----a-w- c:\windows\system32\userinit.exe
2011-05-04 10:52:22 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-05-04 08:25:49 73728 ----a-w- c:\windows\system32\javacpl.cpl
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST3320620AS rev.3.AAJ -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-19
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8AA09730]<<
c:\docume~1\travis~1.pri\locals~1\temp\catchme.sys
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8aa0fa10]; MOV EAX, [0x8aa0fa8c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8AACBAB8]
3 CLASSPNP[0xB8108FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\00000074[0x8AA88948]
5 ACPI[0xB7F7F620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8AA4DB00]
\Driver\atapi[0x8AAF3288] -> IRP_MJ_CREATE -> 0x8AA09730
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; MOV CX, 0x4; MOV BP, 0x7be; CMP BYTE [BP+0x0], 0x0; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8AA0957B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 4:17:14.82 ===============
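As an added triage aid (not from the post, and not part of DDS, GMER or any other tool named in it), here is a small Python script that reads the ROOTKIT section of a DDS log in the format above and pulls out what matters for a rootkit call: code in the disk I/O path that GMER could not attribute to a module, hooked driver routines, redirected IRP dispatch entries, the MBR status and the warning line. The sample input is the GMER block from the log above, trimmed; the correlation between hook targets and unattributed code, and its 0x1000-byte window, are this example's own heuristic and are labelled as such in the code.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the ROOTKIT section of the DDS log posted above, trimmed
# to the lines this triage reads. Addresses are the ones GMER printed there.
SAMPLE_GMER = r"""
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST3320620AS rev.3.AAJ -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-19
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8AA09730]<<
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8AACBAB8]
\Driver\atapi[0x8AAF3288] -> IRP_MJ_CREATE -> 0x8AA09730
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8AA0957B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
"""

# Code in the disk I/O call chain that GMER could not attribute to any loaded module.
UNKNOWN_RE = re.compile(r">>UNKNOWN \[0x([0-9A-Fa-f]+)\]<<")
# "detected hooks:" entries: driver object, hooked routine, where it now points.
HOOK_RE = re.compile(r"^(\\Driver\\\S+) (\w+) -> 0x([0-9A-Fa-f]+)$")
# Disk-trace entries that show a driver's IRP dispatch redirected to a raw address.
DISPATCH_RE = re.compile(r"^(\\Driver\\\S+)\[0x[0-9A-Fa-f]+\] -> (IRP_MJ_\w+) -> 0x([0-9A-Fa-f]+)$")


@dataclass
class GmerFindings:
    unknown_modules: list = field(default_factory=list)    # int addresses
    hooks: list = field(default_factory=list)              # (driver, routine, target)
    dispatch_redirects: list = field(default_factory=list) # (driver, irp_major, target)
    warnings: list = field(default_factory=list)
    mbr_ok: bool = False

    def hooks_into_unknown(self, window=0x1000):
        """Hooks whose target lies within `window` bytes of an unattributed module.
        This correlation is a heuristic of this example, not something GMER reports;
        the one-page window is an assumption chosen to catch targets in the same blob."""
        hits = []
        for driver, routine, target in self.hooks + self.dispatch_redirects:
            for mod in self.unknown_modules:
                if abs(target - mod) < window:
                    hits.append((driver, routine, target, mod))
        return hits


def parse_gmer_section(text):
    """Pull the hook-related facts out of the GMER block of a DDS log."""
    f = GmerFindings()
    in_hooks = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        if line.startswith("called modules:"):
            f.unknown_modules += [int(a, 16) for a in UNKNOWN_RE.findall(line)]
        elif line.startswith("detected hooks:"):
            in_hooks = True
        elif line.startswith("detected disk devices:"):
            in_hooks = False
        elif (m := DISPATCH_RE.match(line)):
            f.dispatch_redirects.append((m.group(1), m.group(2), int(m.group(3), 16)))
        elif in_hooks and (m := HOOK_RE.match(line)):
            f.hooks.append((m.group(1), m.group(2), int(m.group(3), 16)))
        elif line == "user & kernel MBR OK":
            f.mbr_ok = True
        elif line.startswith("Warning:"):
            f.warnings.append(line)
    return f


def verdict(f):
    """Three-level triage. A clean MBR does not clear the host: the sample above
    reports 'user & kernel MBR OK' and a hooked atapi DriverStartIo in one run."""
    if f.hooks_into_unknown() or any("rootkit" in w.lower() for w in f.warnings):
        return "rootkit-likely"
    if f.hooks or f.dispatch_redirects or f.unknown_modules:
        return "suspicious"
    return "clean"


if __name__ == "__main__":
    findings = parse_gmer_section(SAMPLE_GMER)
    print("unknown modules:", [hex(a) for a in findings.unknown_modules])
    print("hooks:", findings.hooks)
    print("dispatch redirects:", findings.dispatch_redirects)
    print("hooks pointing into unknown code:", findings.hooks_into_unknown())
    print("MBR OK:", findings.mbr_ok, "| verdict:", verdict(findings))
```

On the sample both the DriverStartIo hook and the IRP_MJ_CREATE redirect land within one page of the unattributed module at 0x8AA09730, which is the pattern the helpers on this page treat as a TDSS/TDL3 infection rather than a false positive from a security driver.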


A: backdoor.tdss.565

Hello and welcome to the forums! My secret agent name on the forums is SweetTech (you can call me ST for short), it's a pleasure to meet you. I am very sorry for the delay in responding, but as you can see we are at the moment being flooded with logs which, when paired with the never-ending shortage of helpers, resulted in the delayed responding to your thread. I would be glad to take a look at your log and help you with solving any malware problems.

If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed. If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:

Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as Administrator!
If I instruct you to download a specific tool which you already have, please delete the copy that you have and re-download the tool. The reason I ask you to do this is because these tools are updated fairly regularly.
Do not do things I do not ask for, such as running a spyware scan on your computer. The one thing that you should always do is to make sure that your anti-virus definitions are up-to-date!
Please do not use the Attachment feature for any log file. Do a Copy/Paste of the entire contents of the log file and submit it inside your post.
I am going to stick with you until ALL malware is gone from your system. I would appreciate it if you would do the same. From this point, we're in this together ;) Because of this, you must reply within three days; failure to reply will result in the topic being closed!
Lastly, I am no magician. I will try very hard to fix your issues, but no promises can be made. Also be aware that some infections are so severe that you might need to resort to reformatting and reinstalling your operating system. Don't worry, this only happens in severe cases, but it sadly does happen. Be prepared to back up your data. Have means of backing up your data available.

____________________________________________________

Rootkit UnHooker (RkU)

Please download Rootkit Unhooker from one of the following links and save it to your desktop.
Link 1 (.exe file)
Link 2 (zipped file)
Link 3 (.rar file)
In order to use this tool if you downloaded from either of the second two links, you will need to extract the RKUnhookerLE.exe file using a program capable of extracting ZIP and RAR compressed files. If you don't have an extraction program, you can download, install and use the free 7-zip utility.

1. Double-click on RKUnhookerLE.exe to start the program. Vista/Windows 7 users right-click and select Run As Administrator.
2. Click the Report tab, then click Scan.
3. Check Drivers, Stealth Code, and uncheck the rest.
4. Click OK.
5. Wait until it's finished and then go to File > Save Report.
6. Save the report to your Desktop.
7. Copy and paste the contents of the report into your next reply.

-- Note: You may get this warning...just ignore it, click OK and continue: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?"

NEXT:

Running OTL

We need to create a FULL OTL Report. Please download OTL from here:
Main Mirror
Mirror

1. Save it to your desktop.
2. Double click on the icon on your desktop.
3. Click the "Scan All Users" checkbox.
4. Change the "Extra Registry" option to "SafeList"
5. Push the button.
6. Two reports will open, copy and paste them in a reply here:
   OTL.txt <-- Will be opened
   Extras.txt <-- Will be minimized

NEXT:

Please provide an update on how things are running in your next reply.


Anyone who has any knowledge of this please let me know, I am getting very nervous.

A:BackDoor.Tdss.565 & BackDoor.Tdss.2459

http://www.bleepingcomputer.com/virus-remo...sing-tdsskiller


Just ran ComboFix and it fixed the redirect virus. I was wondering who is supposed to look at the log file? Let me know tomorrow, I am going to bed. Been working on this bleeping computer all day trying to get it fixed. At least I will sleep knowing it is fixed.
(i hope)
Nasaman

Good Morning
I have XP Home Edition. Google was redirecting and not showing Firefox on the opening page, just some phony looking Google page. It would redirect me to 302 and click here. The virus would not let me on Microsoft Windows Update or update Windows Essentials. I worked on this all week and was desperate. I ran TDSS and it worked until my wife used the guest account and it came back on all users (3). I found a topic while surfing the web for a fix that had the ComboFix link. I downloaded it and ran it without knowing all the other stuff I was supposed to do. I guess I got lucky (thank god) and it worked.
My question is, does it take care of all users on this computer? I am afraid to open my wife's account or the kids' guest user, thinking it might not be removed, like the TDSSKiller did. I have the log file txt of what it did and will post it if someone would kindly tell me what to do. I am not a computer whiz by any means but know enough to really mess some stuff up. I have XP Home but do not have the disk so I couldn't back up files anyway. I have not run ANYTHING but ComboFix.
Thanks
Nasaman

A:BACKDOOR TDSS

With the information you have provided I believe you will need help from the malware removal team. I would like you to start a new thread and post a DDS log HERE and include a link to this thread. Please make sure that you read the information about getting started before you start your thread. It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient. Help is on the way!


Hello to the wonderful BC community! I have had a couple problems solved here before, and I am confident that you will be able to be of great help to me again. (I couldn't remember my exact user name and password because it's been so long, so I had to start a new account - sorry!)

Before I begin, here are the basics of the computer: It is my dad's computer, in his office at work. I and the other employees (there are only a few of us) use it as well. It is a Dell desktop computer, and we have Windows XP with Service Pack 3. For AV, we have Norton Internet Security. We also have MBAM and SAS, and I recently downloaded ATF Cleaner as well. There is also Spybot S&D on here, but we never use it anymore, and I believe the TeaTimer has been disabled.

Now, onto the symptoms: In the middle of last week, my dad called from work and said the computer was running very, very slowly. The next day, I ran an MBAM scan and it came back clean. Then, I ran a full scan using SAS, but it wasn't over when I had to go home for the night, so I left the scan on overnight. When my dad came in the next morning, SAS had been shut down. I found that odd. I tried logging into Safe Mode so I could run SAS from there, as I have been told that it is more effective in Safe Mode. However, something curious happened: After tapping F8, the usual list of options (Normal Mode, Safe Mode, Safe Mode with Networking, etc.) came up strangely - it was as if the list had been cut in half, and the botto...

A:Backdoor.TDSS

Status: Hooked by "<unknown>" at address 0x85cad050

Rootkit Threat

Unfortunately one or more of the identified infections is a Rootkit/backdoor trojan.

IMPORTANT NOTE: Rootkits and backdoor Trojans are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypasses security mechanisms and steal sensitive information which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, you should immediately disconnect from the Internet until your system is cleaned. All passwords should be changed immediately, to include those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised. You should change each password by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read How...


Please follow the link to see what we have already done... http://www.bleepingcomputer.com/forums/t/321310/backdoortdss565-virus/ I have included 2 files for review.... attach.txt and Ark.txt. Thanks, Jon

A:backdoor.tdss.565

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far. Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware. If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread. Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run. A small box will open, with an explanation about the tool. No input is needed, the scan is running. Notepad will open with the results. Foll...


Hello,

Hoping to find some answers here.
My PC has a backdoor tdss 565 problem.

I've googled for answers, downloaded some programmes, but nothing has helped.
Dr. Web does find the problem and eradicates it, but then it returns again.

I've a web design assignment and I really need my PC.

A:Backdoor TDSS 565

Please follow the instructions in ==>This Guide<==. Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<==. Please include the link to this topic in your new topic and a description of your computer issues and what you have done to resolve them. If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs. Once you have created the new topic, please reply back here with a link to the new topic.


OS: Windows XP SP2

First I need to apologize. I did run combofix.exe, but that was before learning of this site. I was not aware that I should not run it before asking for advice.

The problem started, I believe, on 11/12/09. I was infected with a virus (or viruses) by an advertisement on deviantart.com. The first thing I noticed was being redirected to random websites after clicking on search results in Google. Other problems include not being able to open any local folders. Booting to "Safe Mode" allows me to open folders on the hard drive. One of the first things I tried was running Malwarebytes. The Malwarebytes application would not run. I downloaded and installed the latest version, but the mbam.exe was magically deleted by the end of the installation. I was able to rename the mbam.exe to mbam2.exe before the installation was complete. This allowed me to run the application, which found many viruses and repaired them. However, my problems mentioned before did not go away. I then ran Dr. Web CureIt and also (I'm sorry) Combofix.exe. Dr. Web CureIt would find the backdoor.tdss.565 on running applications and would eradicate it, but it kept coming back. It also found backdoor.tdss.1133, which I haven't been able to find anything about. I've also tried running Rootkit Buster and Spybot S&D, but neither of these applications will even install. I'm not sure what, but I'm sure I've attempted many other things. I've been working...


Attaching the dds log because the site craps out every time I try to post it (it unfortunately has the same effect when I try to attach ark.txt). It seems like everyone else on the internet is having this problem as well!
Spybot and MalwareBytes don't find it, TDSSKiller doesn't run, and Dr. Web identifies and "eradicates" it, only for it to return automatically. It is causing internet search redirects that I can get around by opening the search links in new tabs. In addition to these, I seem to have difficulty starting in Safe Mode (it usually goes to start-up repair when I try, or just ignores that I'm holding F8).

A:backdoor tdss 565

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems. Some things to remember while we are working together:
Do not run any other tool until instructed to do so!
Please Do not Attach logs or put in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

In order for me to see the status of the infection I will need a new set of logs to start with. Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger: Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
The application window will appear. Click the Disable button to disable your CD Emulation drivers. Click Yes to continue. A 'Finished!' message will ap...


Like a few others that have been before me, I have fallen victim to the Backdoor.TDSS.565 virus, at least that is what Dr. Web is calling it. Like the others, Dr. Web claims to remove it, but it returns in the very next process that is run on the machine. Also I am being redirected from any favorites or any clicks from a Google search.

Others with similar problems have claimed to fix it, but their posts do not give an indication of what needed to be done to make that happen.

Here is the requested DDS log:
--------------------------------------

DDS (Ver_09-11-29.01) - NTFSx86
Run by Kris at 23:12:51.75 on Sun 11/29/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.457 [GMT -7:00]

AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\nvsvc32.exe
C:...

A:Backdoor.TDSS.565

Hello! My name is Sam and I will be helping you. In order to see what's going on with your computer I will ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.

We need to create an OTL Report
Please download OTL from here. Save it to your desktop.
Double click on the icon on your desktop.
Click the "Scan All Users" checkbox.
Under the Custom Scan box paste this in:

netsvcs
%SYSTEMDRIVE%\*.exe
%SYSTEMDRIVE%\eventlog.dll /s /md5
%SYSTEMDRIVE%\scecli.dll /s /md5
%SYSTEMDRIVE%\netlogon.dll /s /md5
%SYSTEMDRIVE%\cngaudit.dll /s /md5
%SYSTEMDRIVE%\sceclt.dll /s /md5
%SYSTEMDRIVE%\ntelogon.dll /s /md5
%SYSTEMDRIVE%\logevent.dll /s /md5
%SYSTEMDRIVE%\iaStor.sys /s /md5
%SYSTEMDRIVE%\nvstor.sys /s /md5
%SYSTEMDRIVE%\atapi.sys /s /md5
%SYSTEMDRIVE%\IdeChnDr.sys /s /md5
%SYSTEMDRIVE%\viasraid.sys /s /md5
%SYSTEMDRIVE%\AGP440.sys /s /md5
%SYSTEMDRIVE%\vaxscsi.sys /s /md5
%SYSTEMDRIVE%\nvatabus.sys /s /md5
%SYSTEMDRIVE%\viamraid.sys /s /md5
%SYSTEMDRIVE%\nvata.sys /s /md5
CREATERESTOREPOINT

Click the "Quick Scan" button.
The scan should take just a few minutes.
Please copy and paste both logs back here in your next reply.
=============
The next log will show us any hidden files that are pres...


I am unable to update Malwarebytes or SuperAntiSpyware in regular or safe mode. It had the computer locked out of booting into safe mode, but Boopme helped me get past that one, and then referred me here. To see what has been done thus far: http://www.bleepingcomputer.com/forums/t/297907/xp-unable-to-boot-into-safe-mode/
I ran Cure-it which found and deleted Backdoor.Tdss.565. I'm having to work in safe mode now. Defogger has been run also.

DDS (Ver_09-12-01.01) - NTFSx86
Run by tndavis at 21:27:05.23 on Tue 02/23/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.84 [GMT -6:00]

AV: Doctor Web Anti-Virus *On-access scanning enabled* (Updated) {3454C8F1-ECBC-4180-A6F4-04632FBA762B}
AV: Trend Micro Internet Security *On-access scanning enabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Personal Firewall *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Doctor Web\Scanning Engine\dwengine.exe
C:\Program Files\Common Files\Portrait Displays\Shared\dtsrvc.exe
C:\Program Files\Common Files\Portrait Displays\Drivers\pdisrvc.exe
C:\PROGRA~1\DrWeb\spidernt.exe
C:\...

A:Backdoor.Tdss.565

Hello, My name is Syler and I will be helping you to solve your Malware issues. If you have since resolved your issues I would appreciate it if you would let me know so I can close this topic; if you still need help please let me know what issues you are still having, in your next reply.

I do not recommend that you have more than one anti virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to cause "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to add/remove in the control panel and remove either Dr Web or Trend Micro.

We need to create an OTL Report
Please download OTL from one of the following mirrors:
This is THE Mirror
Save it to your desktop.
Double click on the icon on your desktop.
Click the "Scan All Users" checkbox.
Under the Custom Scans/Fixes box at the bottom, paste in the following bold text.

%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks...


Hello. My laptop PC was infected with a variety of viruses. Upon the advice of several sites, I downloaded Dr. Web which removed many of them. Previously, I had fake Windows security pop-ups telling me my computer was infected and to download certain software. The remaining issue appears to be Backdoor.TDSS.565 which I understand to be a virus in the root directory that manages to avoid complete eradication. Dr. Web's scan finds it associated with explorer.exe and eradicates Backdoor.TDSS.565 each time the computer is restarted and scanned. Occasionally when Windows Explorer opens, unwanted websites open up. I also now have Norton Security Suite running which tells me of attacks it is blocking. The fake Windows security pop-ups have stopped appearing.
The ark.log from GMER appears to show the modifications to imapi.sys and atapi.sys. I will await your staff's instructions before pursuing any other actions. Thank you for providing this service. It is much appreciated as my wife and I take back our computer.
-TallRunner

DDS (Ver_10-03-17.01) - NTFSx86
Run by Heather Walker at 17:45:07.92 on Sat 04/24/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.159 [GMT -4:00]

AV: Norton Security Suite *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Security Suite *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes =====...

A:Infected with Backdoor TDSS.565

Hello tallrunner, Welcome to Bleeping Computer. My name is fireman4it and I will be helping you with your Malware problem.

Please take note of some guidelines for this fix:
Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools.
If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
Finally, please reply using the button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.

1. One or more of the identified infections is a backdoor trojan. This allows hackers to remotely control your computer, steal critical system information and download and execute files.
I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.
Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely comprom...


Attached is a DDS log of a Vista 32-bit computer. It had some form of fake AV infection that attempted to block Malwarebytes, Spybot etc... The system gradually became less and less stable and is now only booting into safe mode reliably, choosing to BSOD with a stop error when safe mode is not chosen. Dr Web CureIt found and "eradicated" a backdoor tdss infection but it does not seem to have fixed the problem. Below is a DDS log; attached in a zip file is the GMER log, a minidump of the BSOD I get when attempting to boot regularly and the full attach DDS log. I had tried to get rid of it with TDSSKiller, but it was unable to find a problem.

EDIT: To further my woes, ComboFix won't run unless renamed, meaning it cannot update itself as that is blocked. Looking into it I realized this may be the newest variant, which seems to only be removed by Hitman Pro. That was able to detect it, but before it could take any action, a DEP error closed it; it did this again upon a repeat scan. If it is the latest I don't know if a reinstall would be safe unless I level the hard drive b/c of the way the rootkit evades the filesystem.

DDS (Ver_09-12-01.01) - NTFSx86 NETWORK
Run by Owner at 17:47:03.27 on Sat 12/26/2009
Internet Explorer: 8.0.6001.18865
Microsoft® Windows Vista® Home Premium 6.0.6002.2.1252.1.1033.18.3062.2516 [GMT -8:00]

SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3...

A:Looks like a backdoor.tdss.565 infection

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.
I will be working on your malware issues; this may or may not solve other issues you may have with your machine.
Please note that whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.
You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No inp...


Hi guys!!!! Yeah I got it also.... Backdoor.TDSS.565 virus.... Dr Web found it but it comes back as "process in memory" after it is eradicated.... Malwarebytes and SUPERAntiSpyware also ran... The fix looks like it has to be specific for each infection so I stopped the cleaning process after running each scanner 2x. All were clean except for Backdoor.TDSS.565 virus on Dr Web (as expected). I am now rerunning Dr Web a third time. Thanks in advance for your help
EDIT: Moved from XP to more appropriate malware forum ~ Hamluis.

A:Backdoor.TDSS.565 virus

Hello, let's do this and review the logs.

TDSS Killer
Please read carefully and follow these steps.
Download TDSSKiller and save it to your Desktop.
Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK. (If Vista, click on the Vista Orb and copy and paste the following into the Search field. (make sure you include the quotation marks) Then press Ctrl+Shift+Enter.)
"%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
It may ask you to reboot the computer to complete the process. Allow it to do so.
When it is done, a log file should be created on your C: drive called "TDSSKiller.txt"; please copy and paste the contents of that file here.

Rerun MBAM (MalwareBytes) like this:
Open MBAM in normal mode and click Update tab, select Check for Updates; when done click Scanner tab, select Quick scan and scan (normal mode).
After scan click Remove Selected, Post new scan log and Reboot into normal mode.


As requested per setup instructions, I have executed GMER and DDS. I am not sure that GMER executed all the way through, but I will post what log I do have. Since I was following a method to eradicate this infection from another site, I have also executed Combofix (I know now I was not supposed to, so please don't chastise me!), so I will also post that too. It seems that Combofix did not actually perform any actions, but it told me the most about what the infection has done to my PC. I have also executed Dr. Web Cureit and this is what identified the infection as backdoor.tdss.565, but I have my doubts as to whether that is what it really is as software like tdsskiller from Kaspersky finds nothing. Most malware scanners find nothing at all. Malwarebytes has never found anything. I have AVG installed, but of course it did not find anything. I have executed MBRcheck and it does find a fake MBR, but it also does not fix it even when I follow the instructions to do so. It seems it doesn't do much good to have all this protection software if it doesn't find anything! This is the first infection I have ever had on my PC.
I have a data backup from 8/14 before I started having any issues, but I cannot perform another backup via the Vista backup because it thinks that my C and D drives are missing. The 8/14 backup will suffice as I had not done much to add to my PC between 8/14 and the onset of this infection.

SYMPTOMS: BSOD at startup when the desktop comes up - most of t...

A:Infected with backdoor.tdss.565 - I THINK!

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems. Some things to remember while we are working together:
Do not run any other tool until instructed to do so!
Please do not attach logs or put them in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

In order for me to see the status of the infection I will need a new set of logs to start with.
Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger: Please download DeFogger to your desktop.
Double click DeFogger to run the tool.
The ap...


Hi, I had a bad infection on my laptop with multiple popups and misdirections - basically only able to use in safe mode. After normal scans on malware, avg, spybot and adaware I used drweb cure-it which found backdoor.tdss.565 which it eradicated. This basically solved all the computer's symptoms. It also found exploit.pdf.1654 which it moved but did not eliminate. I then re-ran 8 other programs - all normal. I re-ran drweb and it now found trojan.downloader1.15090 which it eradicated and it again found the pdf file. The computer runs fine but I wanted to have you tell me if the computer is really cured. I am attaching the DDS and attach files, but your system is telling me that the gmer file is too big to upload. Thanks for your help.
Eric

DDS (Ver_10-10-31.01) - NTFSx86
Run by doctor berman at 13:47:06.07 on Sun 10/31/2010
Internet Explorer: 8.0.6001.18975 BrowserJavaVersion: 1.6.0_22
Microsoft® Windows Vista® Home Premium 6.0.6002.2.1252.1.1033.18.1978.756 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\...

A:backdoor.tdss.565 found in dr web

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems. Some things to remember while we are working together:
Do not run any other tool until instructed to do so!
Do not attach logs unless I ask you to.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

Note** If you are having problems posting the complete log into this thread upload them here http://www.rapidshare.com/ and post the links in this thread.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

I would like to get a better look at your system, please do the following so I can get some more detailed logs.

DeFogger: Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
The application window will appear.
Click the Disable button to disable your CD Emulation drivers.
Click Yes to continue.
A 'Finished!' message will a...


I have had some problems this past week with a redirection when searching in Google. After several virus scans and malware scans it seems to be the backdoor tdss 565. I have tried several things and thought I had it gone but the last time it was not. I haven't checked it since the last scan but don't think I got it gone.

DDS (Ver_09-12-01.01) - NTFSx86
Run by larry at 18:39:23.54 on Fri 12/25/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.254.91 [GMT -6:00]

AV: avast! antivirus 4.8.1368 [VPS 091225-1] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:...

A:Infected with backdoor tdss 565

Hello! My name is Sam and I will be helping you. In order to see what's going on with your computer I will ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.

We need to create an OTL Report
Please download OTL from here. Save it to your desktop.
Double click on the icon on your desktop.
Click the "Scan All Users" checkbox.
Under the Custom Scan box paste this in:

netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
/md5stop
%systemroot%\*. /mp /s
CREATERESTOREPOINT


Click the "Quick Scan" button.
The scan should take just a few minutes.
Please copy and paste both logs back here in your next reply.
=============
The next log will show us any hidden files that are present.
Download GMER from here:
Unzip it to the desktop.
Open the program and click on the Rootkit tab.
Make sure all the boxes on the right of the screen are checked, EXCEPT for "Show All".
Click on Scan.
When the scan has run click Copy and paste the results (if any) into this thread.


Symptoms:
At one point all google searches were directing to ad websites - no longer happens.
Hidden files could not be seen - after recent scan below fixed
I cannot run RootRepeal without cancelling before end and blue-screening.
Peerguardian will not show on screen.
Images cannot be seen in Internet Explorer - I'm guessing that's to do with http.

Below is the last MBAM scan I ran!
Malwarebytes' Anti-Malware 1.40
Database version: 2737
Windows 6.0.6001 Service Pack 1

03/09/2009 23:11:51
mbam-log-2009-09-03 (23-11-51).txt

Scan type: Quick Scan
Objects scanned: 87201
Time elapsed: 5 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 9
Registry Values Infected: 8
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5bf49a2-94f3-42bd-f434-3604812c8955} (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c5bf49a2-94f3-42...

A:Rootkit.TDSS & Backdoor.Bot!!

Hello, first I must advise you of this.
One or more of the identified infections is a backdoor trojan. This allows hackers to remotely control your computer, steal critical system information and download and execute files.
I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.
Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:
How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall
We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

Please download Sophos Anti-rootkit & save it to your desktop.
alternate download link
Note: If using the vendor's download site you will be asked to register with MySophos so an email containing an activation link can be sent to your email address.
Be sure ...


Hi, About two weeks ago, my PC (Dell, XP Professional, SP3) was (still is!) infected by malware. We got a green screen with "you are infected" etc. I had the following anti-virus running on the PC.
McAfee Security Centre - Up to Date
Spybot - Not up to date
Adware - Not up to date
I could not get into Task Manager via Ctrl-Alt-Del and I could not boot into Safe mode.
I ran Dr-Web, SuperAntiSpyware and MalwareBytes which detected and cleared many viruses! The only one which could not be removed was "Backdoor.TDSS.565 virus" which was detected by Dr Web.
I took the hard drive into work and the IT guys connected the hard drive to another PC, which was then scanned with Dr Web and it seemed to clear the virus! I can now boot into safe mode and Task Manager is now working!
However, when I rescanned the PC at home, using the above, MalwareBytes found the following in the registry: Worm-autorun and malware-trace (which was removed).
I am getting the following: "McAfee VirusScan is turned off. Click this balloon to fix this problem"! While McAfee Security Centre is saying that the system is "protected"!
I'm not convinced that "whatever" infected the PC two weeks ago has been removed. Can anyone help to verify all is okay. Thanks, in advance.

DDS (Ver_09-12-01.01) - NTFSx86
Run by Peter at 22:40:45.18 on 01/02/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.1...

A:Backdoor.TDSS.565 virus and others.

Hello and welcome to Bleeping Computer
We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.
If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.
Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Foll...


I did all the steps kris_h did (http://www.bleepingcomputer.com/forums/topic275086.html) and even ran ComboFix without permission; no matter what I do I still have the trojan Backdoor.TDSS.565 modifying my atapi.sys and all the programs and processes. It also creates a virtual (non-accessible) file to download all the updates!!

:S

Can somebody please help me with this???

A:Backdoor.TDSS.565 [Moved]

Pleaseee?

No one?


Hi there, I turned my computer on the other day to find my Norton does not start up. When I start it, it says Norton has stopped working. My Windows Defender has stopped working as well; every time I go to open that it says Windows Defender has stopped. Same thing happens when I load up Malwarebytes' Anti-Malware program. None of my anti spyware/malware programs seem to run except Dr. Web's CureIt.

I ran Dr. Web's CureIt and it came up with backdoor.tdss.565 but has no option to cure or remove the suspected trojan. It only says 'Eradicated'.

Any of you guys care to help please??

Thanks in advance!!

A:Backdoor.tdss trojan???

Hello, please run..

TDSS Killer
Please download TDSSKiller.zip and save it to your desktop.
Extract the zip file to your desktop.
Doubleclick tdsskiller.exe to run it.
When it has finished press any key to continue.
If needed reboot the computer.
Let me know if after a reboot you are still having redirects.

Next run MBAM (MalwareBytes):
NOTE: Before saving MBAM please rename it to zztoy.exe....now save it to your desktop.
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link
MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
Make sure you are connected to the Internet.
Double-click on mbam-setup.exe to install the application.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware
Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to ...


I am trying to help a friend with his infected computer. I am writing this from my uninfected XP computer. The infected computer is running Windows Vista Home Premium with SP1. The Vista computer has Norton Internet Security 2009 and Malwarebyte's Anti-Malware software installed.

The first problem was that running any executable will display an error message with Bad Image and a .dll file. The body of the message states that the program is not designed to run on Windows or it contains an error. The .dll file is UACseivgbvwbf.dll and supposedly in the globalroot\systemroot\system32 directory. I looked in the C:\Windows\System32 directory and could not find the .dll file, even with a hidden attribute check.

Downloaded and burned a CD with Dr. Web CureIt! on my clean XP computer. I booted the Vista computer into Safe Mode and copied the file to the desktop. CureIt! found that C:\Windows\System32\UACyehytpomjp.dll was infected with Backdoor.Tdss.433 and deleted the file. I decided to reboot the Vista computer and run Malwarebyte's. Malwarebyte's would not run. No error messages. Nothing happened.

I read about changing the name of the Malwarebyte's .exe file and changed it to Fred.com. Now, I had 2 errors. Run time error '0' and Run time error '440'. I downloaded and installed Malwarebyte's on my clean XP computer and tried the renaming. No problem on my clean computer. Malwarebyte...

A:Backdoor.Tdss.433 Disappeared

You have a rootkit infection. Let's see if we can get a log produced.

Please download Win32kDiag.exe by AD and save it to your desktop (alternate download 1, alternate download 2).
This tool will create a diagnostic report for me to review.
Double-click on Win32kDiag.exe to run and let it finish. When it states "Finished! Press any key to exit...", press any key on your keyboard to close the program. A file called Win32kDiag.txt should be created on your Desktop.
Open that file in Notepad and copy/paste the entire contents (from "Starting up..." to "Finished! Press any key to exit...") in your next reply.

--------------------------------------

Go to Start > Run..., then copy and paste this command into the open box: cmd
Click OK.
At the command prompt C:\>, copy and paste the following command and press Enter:
DIR /a/s %windir%\scecli.dll %windir%\netlogon.dll %windir%\eventlog.dll >Log.txt & START notepad Log.txt
A file called log.txt should be created on your Desktop.
Open that file and copy/paste the contents in your next reply.
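The DIR /a/s command above lists every copy of scecli.dll, netlogon.dll and eventlog.dll under %windir% so the helper can compare them by eye (the TDSS/TDL variants of that period were known to overwrite one of these service DLLs, leaving the pristine copy in dllcache or ServicePackFiles). The following is an added example, not code from the forum thread or from any of the tools it names: it walks a directory tree in Python, hashes every copy of the named DLLs and reports the copy whose contents disagree with its siblings, which is the same comparison the later OTL "/s /md5" switches perform. The directory layout it builds is constructed for the demonstration and stands in for a real %windir%.

```python
"""Added example (not from the forum thread): find every copy of a set of
system DLL names under a root directory and group them by hash, so that a copy
whose contents differ from its siblings (for instance a patched file in
system32 next to the original in dllcache) stands out. The tree built in
build_sample_tree() is constructed for the demonstration, not a real machine.
"""
import hashlib
import os
import tempfile
from collections import defaultdict

# The names the thread asks about. Matching is case-insensitive, as on Windows.
TARGET_DLLS = {"scecli.dll", "netlogon.dll", "eventlog.dll"}


def sha256_of(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_copies(root, names=TARGET_DLLS):
    """Return {lowercased name: {hash: [paths]}} for every matching file under root."""
    copies = defaultdict(lambda: defaultdict(list))
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            key = fname.lower()
            if key in names:
                path = os.path.join(dirpath, fname)
                copies[key][sha256_of(path)].append(path)
    return copies


def odd_ones_out(copies):
    """Flag names whose copies do not all share one hash.

    Returns {name: [paths of the minority hash(es)]}: if one hash is held by
    more copies than any other, the others are reported; if there is a tie the
    whole set is reported, because we cannot tell which copy is original.
    """
    findings = {}
    for name, by_hash in copies.items():
        if len(by_hash) < 2:
            continue
        ranked = sorted(by_hash.items(), key=lambda kv: len(kv[1]), reverse=True)
        top_count = len(ranked[0][1])
        if len(ranked[1][1]) == top_count:
            findings[name] = [p for _h, paths in ranked for p in paths]
        else:
            findings[name] = [p for _h, paths in ranked[1:] for p in paths]
    return findings


def build_sample_tree():
    """Constructed layout imitating %windir%, with one tampered system32 copy."""
    root = tempfile.mkdtemp(prefix="windir_")
    layout = {
        "system32/scecli.dll": b"ORIGINAL-SCECLI",
        "system32/dllcache/scecli.dll": b"ORIGINAL-SCECLI",
        "ServicePackFiles/i386/scecli.dll": b"ORIGINAL-SCECLI",
        "system32/netlogon.dll": b"PATCHED-NETLOGON",      # the tampered copy
        "system32/dllcache/netlogon.dll": b"ORIGINAL-NETLOGON",
        "ServicePackFiles/i386/netlogon.dll": b"ORIGINAL-NETLOGON",
        "system32/eventlog.dll": b"ORIGINAL-EVENTLOG",     # only one copy exists
    }
    for rel, data in layout.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    copies = find_copies(root)
    for name, by_hash in sorted(copies.items()):
        for digest, paths in by_hash.items():
            print(f"{name}  {digest[:12]}  {len(paths)} copies: {paths}")
    print("suspect copies:", odd_ones_out(copies))
```

Run against a real %windir% by passing its path to find_copies(); a single copy that hashes differently from dllcache and ServicePackFiles is the one to submit for inspection. A matching hash across all copies does not prove the file is clean, only that nothing was patched on disk, which is the limit of what the DIR listing can show as well.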


I have been using Spybot, Malwarebytes' Anti-Malware, SUPERAntiSpyware Free Edition, Ad-Aware, RemoveIT Pro v4 - SE, Nod32, Dr. Web, Kaspersky online scan, Norton online scan.
They have picked up a few bugs here and there and cleaned them. But this backdoor.tdss.565 keeps coming back and keeps redirecting my Google links and popping up ads.

I tried to follow the preparation guide but got stuck on RootRepeal. When I click on it, an error message pops up:
14:10:03: FOPS - DeviceIoControl Error! Error Code = 0xc0000024 Extended Info (0x000000f4)
14:10:04: DeviceIoControl Error! Error Code = 0x1e7
14:10:04: FOPS - DeviceIoControl Error! Error Code = 0xc0000024 Extended Info (0x000000f4)

I have DDS and HijackThis logs ready.
Please save my computer ><

---------
*Edit: just saw dyms's "Firefox Google Search Hijack" thread. looks like we have the similar problem. I'll post GMER's log instead.

A:backdoor.tdss.565 and others infected

Just saw another similar thread and ran RSIT. Here's the log.

Hello nestle123,

We ask that once you have posted your log and are waiting, please DO NOT "bump" your thread or make further replies until it has been responded to by a member of the HJT Team. The reason we ask this or do not respond to your requests is because that would remove you from the active queue that Techs and Staff have access to. The malware staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member, looking for a new log to work, may assume another HJT Team member is already assisting you and not open the thread to respond.

That is why I have made an edit to your last post, instead of a reply. Please do not multiple post here, as that only pushes you further down the queue and causes confusion to the staff.

Please be patient. It may take a while to get a response but your log will be reviewed and answered as soon as possible.

Thank you for understanding.

Regards,
The weatherman (Moderator)


Despite all due precautions I still became infected by the BackDoor.Tdss.565 virus. This was off a website that McAfee SiteAdvisor deemed "Okay!" DrWeb found the infection while McAfee and MBAM did not.
Attached is a HJT log:
Thanks for the help....AGAIN! Frustrated in Philly!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:11:13 PM, on 11/21/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COM...

A:BackDoor.Tdss.565 Infected

Welcome to the BleepingComputer Forums. Since it has been a few days since you scanned your computer with HijackThis, we will need a new HijackThis log. If you have not already downloaded Random's System Information Tool (RSIT), please download Random's System Information Tool (RSIT) by random/random, which includes a HijackThis log, and save it to your desktop. If you have RSIT already on your computer, please run it again.

Double click on RSIT.exe to run RSIT.
Click Continue at the disclaimer screen.
Please post the contents of log.txt.

Thank you for your patience.

Please see the Preparation Guide for use before posting about your potential Malware problem. If you have already posted this log at another forum or if you decide to seek help at another forum, please let us know. There is a shortage of helpers and taking the time of two volunteer helpers means that someone else may not be helped. Please post your HijackThis log as a reply to this thread and not as an attachment. I am always leery of opening attachments so I always request that HijackThis logs are to be posted as a reply to the thread. I do not think that you are attaching anything scary but others may do so.

While we are working on your HijackThis log, please:
Reply to this thread; do not start another!
Do not make any changes on your computer during the cleaning process or download/add programs on your computer unless instructed to do so.
Do not run any other tool until ...


All three computers are infected with this trojan. I've tried Dr. Web CureIt, then Malwarebytes. It did get rid of the virus only to return when I rebooted. System restore was turned off at that time. I've tried other software; Spyware Doctor and a few more. AV Security Suite also tried to install on this computer; even though I would not allow it through McAfee, it did get in. I used Spyware Doctor and I believe I did get that removed. When I open a browser another one opens with search.google-analytics.com in the address box. I tried running GMER a number of times and it always crashed (computer turned off and back on). The log I included is one run that I stopped just before the crash. If it didn't crash before, then it always crashed when scanning Program Files, Java or Javasoft. These computers are on a home network. McAfee virus protection software, provided by the cable company, was running on all the computers. I've been working on this problem for over a week and haven't gotten anywhere. I really need help desperately, especially because it is on all of our computers. I won't send email from the computers for fear of sending the trojan with it.
Help please, Ann

A:Infected with BackDoor.Tdss.565

hi annmeris,Your logs are a few days old. If you still need help simply reply to my post.


When I click on search results, I am constantly redirected to some other site. CureIt keeps detecting BackDoor.Tdss.565 in C:\windows\system32\svchost.exe:1160 (the number seems to change every time I scan) and it says the infection has been "eradicated" but I still get redirected and CureIt continues to detect the infection. I have posted/attached the logs as instructed.

DDS (Ver_10-12-12.02) - NTFSx86
Run by Billy at 9:33:28.18 on Wed 12/15/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2416 [GMT -6:00]

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Prog...

A:Infected with Backdoor.TDSS.565

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the resu...


Running Windows XP Pro SP3 with McAfee anti-virus that was 5 days out of date.

Got hit with multiple virus / malware / spyware while surfing the internet on April 26, 2010. Not sure what I clicked on, but it was the wrong thing. I was looking for an instruction manual in pdf format. All sorts of warnings were popping up on the screen. Fake virus warnings were popping up. Random programs started running. Random web pages would open. Web redirects. Ctrl-Alt-Del was disabled. System restore tab was removed. Start > Run was disabled. Porno shortcuts on desktop. Computer would shut down when virus scan was getting close to it. ........Etc. Could not update McAfee.

Have tried all sorts of things to solve the problems. 99% of the problems are solved but a few remain.

Things I have tried multiple times in both normal and safe mode (not in the order shown):
- MalwareBytes Anti-Malware ver. 1.46
- Simplysup.com Trojan Remover ver. 6.8.1
- freedrweb.com cure-it.exe ver. 6.00.1.03150
- Kaspersky tdsskiller.exe root kit removing tool
- combofix.exe
- Microsoft Malware Tool windows-KB890830-v3.6.exe
- New version of McAfee Internet Security 2010
- Rkill
- fake alert stinger
- reinstalled Internet Explorer IE8

The remaining problem is:
- IE8 still redirects on some web pages or just does not work. Specifically update.microsoft.com and windowsupdate.microsoft.com
- Can not perform Microsoft updates from the start menu for the same reason as above.
- Of the above mentioned items used to fix most of the problem...

A:Infected with BackDoor.Tdss.565

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Foll...


Hello. I come to you with my DDS log after having been helped extensively over on this topic: http://www.bleepingcomputer.com/forums/t/278713/search-redirect-and-popups-problems/ and it being determined that I have a TDSS that cannot be killed without HJT. I would greatly appreciate any help you can give me in cleaning up my laptop. I should add that since the last time I posted on that topic I have new symptoms. When I click on a link from a Google search in Firefox, I get 4 additional tabs that pop up. The original tab and 3 of the 4 others have "server not found" messages with long strings of characters, some of which aren't English. The other tab is file:///C:/Program Files/Mozilla Firefox/ and contains a list of files. I have no idea what this means or whether it's helpful at all but I thought I'd include it just in case it is relevant. Thanks in advance and happy holidays!

Here is the DDS log:

DDS (Ver_09-12-01.01) - NTFSx86
Run by Rachel at 21:37:09.56 on Wed 12/23/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.246.115 [GMT -8:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\Program File...

A:BackDoor.Tdss.565 and browser redirects

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Foll...


Greetings,

I booted up my computer this morning and upon opening my first browser (IE 7) I was redirected on my first Google search. Obvious redirections are usually related to spyware or malware. Due to these known problems I started my scans with the tools I have and none seem to have picked up anything at all. The problem being unsolved, I further conducted research online to find other sources of solutions. I have read a few forums on this website; however, none has provided a pinpoint solution. I must however add that my computer knowledge is limited so perhaps I was not conducting the right actions, especially when it comes to viruses/trojans/malware.

During my research on Bleeping Computer I have however been able to determine 2 things.
A. When I run DrWeb it comes up with: C:\windows\system32\svchost.exe:952 being infected and it has been labeled eradicated.
B. I have used TDSSKiller which tells me that C:\windows\system32\drivers\nvata.sys has been infected.

Below are my log files. Based on these parameters (which I got from the Bleeping Computer forum):
netsvcs
%SYSTEMDRIVE%\*.exe
%SYSTEMDRIVE%\eventlog.dll /s /md5
%SYSTEMDRIVE%\scecli.dll /s /md5
%SYSTEMDRIVE%\netlogon.dll /s /md5
%SYSTEMDRIVE%\cngaudit.dll /s /md5
%SYSTEMDRIVE%\sceclt.dll /s /md5
%SYSTEMDRIVE%\ntelogon.dll /s /md5
%SYSTEMDRIVE%\logevent.dll /s /md5
%SYSTEMDRIVE%\iaStor.sys /s /md5
%SYSTEMDRIVE%\nvstor.sys /s /md5
%SYSTEMDRIVE%\atapi.sy...

A:Help! Backdoor Tdss 565 infected nvata.sys

Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds.scr to run the tool. When done, DDS will open two (2) logs:
DDS.txt
Attach.txt
Save both reports to your desktop. Post them back to your topic.

---

Download GMER here by clicking the "download exe" button and then saving it to your desktop:
Double-click the .exe that you downloaded.
Click the Rootkit tab, uncheck the Files option and then click Scan.
Don't check the Show All box while scanning is in progress!
When scanning is ready, click Copy. This copies the log to the clipboard.
Post the log (if the log is long, archive it into a zip file and attach it instead of posting) in your reply.


Ello chaps,

Recently I attempted to mount some ISO, when my Avira & Comodo suddenly notified me that I was under attack. Thinking they were false positives, I told them to 'ignore' & 'allow'... BIG mistake, my screen went black. After a few reboots, getting the same result, I decided to go into safe mode. Avira found 18 viruses; I thought that was it, rebooted, went into normal mode and Avira suddenly alerted me of something called TDSS.nnrg 'backdoor' virus, but couldn't delete it. Now even in safe mode, I cannot even get Malwarebytes or ComboFix to run, but Avira runs, except it cannot delete this damn virus..

Any help would be massively appreciated!!

Bulljun

A:BSOD due to TDSS backdoor virus. help :(

Hello Bulljun and welcome to the BleepingComputer forum.

As I'm sure you noticed, the HJT board here is super busy. If the issues are still around, then do the following. I'll be your helper while we attempt to remove the malware infection.

You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference!

These steps are for this member only. If you are a lurker, do NOT try this on your system! These steps are for member Bulljun only. If you are not Bulljun and have a similar problem, do NOT post here; start your own topic.

Do not run or start any other programs while these utilities and tools are in use! Do NOT run any other tools on your own or do any fixes other than what is listed here. If you have questions, please ask before you do something on your own. But it is important that you get going on these following steps.

At some point in time, perhaps after the Avenger run, you must re-try to get back into Normal mode of Windows; if not able, then restart and try for Safe Mode with Networking. You will most likely have to do downloads from a different PC, use a clean USB thumb/pen drive or CD/DVD to copy and then transfer to the DESKTOP of the infected machine.

=
1. Set Windows to show all files and all folders. On your Desktop, double click My Computer, from the menu options, select Tools, then Folder Options, and then select the VIEW tab and look at all of the settings listed. "CHECK" (turn on) Display the contents of system folders. Under ...


Background:
1. Running Win XP / SP3, IE 7
2. Several viruses/trojans over the past year. Usually able to kill them.
3. Practice very safe surfing. Scan all email attachments. Only suspects are MySpace and Windows Messaging.
4. Running Malwarebytes, SAS, AdAware, Spybot, and McAfee.

What's happening: (also can't attach GMER log - see below)
1. Started getting browser redirects 4-5 days ago.
2. Ran all scans. Turned up a FakeAlert trojan (I think with Spybot) and removed.
3. Browser redirects started again.
4. Tried to update malware programs but sites were blocked.
5. Did a system restore to 5 days ago. Then malware websites were unblocked. Updated all programs.
6. Ran all scans. All clean. But website redirects continued.
7. Downloaded and ran HiJack and reviewed results (Nothing suspicious to me - untrained eye)
8. Tried to reboot to safe mode but can't.
9. Uninstalled McAfee and installed Norton... Nothing on the Norton scan.
10. Did more research and found the suspect might be TDSS.
11. Downloaded and ran TDSSKiller from Kaspersky. Found a TDSS infection in c:\Windows\Sys32\drivers\iastor.sys, but... cure failed. 1 Memory object infected and 1 File object infected.
12. Norton then detected and blocked "Backdoor.Tidserv!inf".
13. GMER won't run. First time the system locked up half way thru the scan. Next two times the system crashed. Got a page fault in nonpaged area caused by "pwtoapob.sys". Searched computer and internet for this file name - ...

A:TDSS and Backdoor.Tidserv!inf ……and probably other nasties.

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Foll...


So....I've been infected with Backdoor.tdss.565 and I've read all the gloomy news about polymorphic trojans and how it is categorically impossible to remove them completely. I use my computer for online banking so a complete reformat seems the only option for me (unless these really can be completely removed).

I've read these recommendations about backing up my files before I do (from geekstogo.com - I think):

This infection can and will infect all the machine's executable files, document files, and media files. Malware experts say that only a complete reformat and reinstall is the only way to clean the infection. DO NOT back up ANY files containing these extensions: .exe, .bat, .scr, .rar, .zip, .htm, .html, .mp3, .wma, .ogg, .mp4, .jpg, .gif, .doc, .xls, .ppt. Anything that is an executable, document, or media file can and probably is infected.

//Doesn't leave much does it??

In addition:
Close all your bank accounts and open new ones and alert your bank that you may be a victim of identity theft
Change all your passwords on every website you use from another computer
Perform a factory reset on your router [if you have one]
Check all networked computers for infection; if infection is found, reformat them using the guidelines above.

So two questions:
- Really? ALL my documents and music are infected?? I can't back up anything?? This sounds too extreme to me. I can believe executable files and some documents but everything?
- I have an HP Pavilion with a recovery partit...

A:Infected with Backdoor.Tdss.565 - How far is too far in removal?

Hello. Most docs, photos and music are OK, as long as they weren't downloaded off a file sharer. I use this reformat advice.

In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. Wiping your drive, reformatting, and performing a clean install of the OS or doing a factory restore removes everything and is the safest action, but I cannot make that decision for you. Reformatting a hard disk deletes all data. If you decide to reformat, you can back up all your important documents, data files and photos. The safest practice is not to back up any autorun.ini or .exe files because they may be infected. Some types of malware may disguise themselves by adding and hiding their extension to the existing extension of files, so be sure you take a close look at the full name. After reformatting, as a precaution, make sure you scan these files with your anti-virus prior to copying them back to your hard drive.

The best procedure is a low level format. This completely wipes the drive. Then reinstall the OS. Use the free version of Active@ KillDisk, or Darik's Boot And Nuke.

The best sources of information on this are:
Reformatting Windows XP
Michael Stevens Tech Windows XP: Clean Install

==============================
2 guidelines/rules when backing up
1) Backup all your important data files, pictures, music, work etc... and save it onto an external hard-drive. These files usually include .doc, .txt, .mp3, .jpg etc...
2) Do not b...


Hi,

I visited a website and now I've got TDSS root variant. Malware Bytes cannot see it, Symantec Corporate cannot see it, Doctor Web can remove it from memory but it reinfects itself in a few minutes.

GMER:
GMER 1.0.15.15572 - http://www.gmer.net
Rootkit scan 2011-04-29 07:37:05
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\iaStor0 HITACHI_ rev.PC3Z
Running: gmer.exe; Driver: C:\DOCUME~1\WJORAL~1\LOCALS~1\Temp\kxtdypow.sys
---- System - GMER 1.0.15 ----

SSDT 8896BA78 ZwAlertResumeThread
SSDT 8896BB38 ZwAlertThread
SSDT \SystemRoot\system32\drivers\dwprot.sys ZwAllocateVirtualMemory [0xAFFD8088]
SSDT 889B6B28 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xB524C3C0]
SSDT 889E5B28 ...
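The GMER excerpt above mixes two kinds of SSDT entries: hooks GMER could attribute to a loaded driver (dwprot.sys, SYMEVENT.SYS with its Symantec description) and hooks for which it could print only a raw kernel address. Anti-virus and HIPS drivers are expected to own hooks; entries with no driver behind them are the ones a rootkit hunter reads first. The following is an added example, not code from the forum post or from GMER: a small Python parser for that log format that groups the hooks by owner and pulls out the unattributed ones. The log text is constructed from the five lines quoted in the post, and the verdict labels ("unattributed", "module-described", "module-undescribed") are this example's own terms, not GMER's.

```python
"""Added example (not part of the forum post): parse the SSDT section of a GMER
log and sort the hooks by what backs them. GMER prints a driver path (plus the
file's vendor description when it has one) for a hook it can map to a loaded
module, and only a kernel address when it cannot. The sample below is
constructed from the lines quoted in the post.
"""
import re
from collections import defaultdict

SAMPLE_LOG = r"""
---- System - GMER 1.0.15 ----

SSDT 8896BA78 ZwAlertResumeThread
SSDT 8896BB38 ZwAlertThread
SSDT \SystemRoot\system32\drivers\dwprot.sys ZwAllocateVirtualMemory [0xAFFD8088]
SSDT 889B6B28 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xB524C3C0]
"""

# One SSDT line: "SSDT <target> [(description)] <ZwFunction> [[0xaddr]]".
# <target> is either a kernel address (hex) or a driver path. Paths containing
# spaces are not handled here; %SystemRoot% driver paths never contain them.
SSDT_RE = re.compile(
    r"^SSDT\s+(?P<target>\S+)"
    r"(?:\s+\((?P<desc>[^)]*)\))?"
    r"\s+(?P<func>Zw\w+)"
    r"(?:\s+\[(?P<addr>0x[0-9A-Fa-f]+)\])?\s*$"
)
HEX_ADDR_RE = re.compile(r"[0-9A-Fa-f]{8,16}")


def parse_ssdt(log_text):
    """Return one dict (target, desc, func, addr) per SSDT line; other lines are ignored."""
    entries = []
    for line in log_text.splitlines():
        m = SSDT_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def classify(entry):
    """'unattributed' when GMER could only give an address, else module-backed."""
    if HEX_ADDR_RE.fullmatch(entry["target"]):
        return "unattributed"
    return "module-described" if entry["desc"] else "module-undescribed"


def group_by_owner(entries):
    """Map each hook owner (driver path or 'unattributed') to the hooked functions."""
    owners = defaultdict(list)
    for e in entries:
        owner = "unattributed" if classify(e) == "unattributed" else e["target"]
        owners[owner].append(e["func"])
    return dict(owners)


def unattributed_hooks(entries):
    """The entries worth escalating: hooked syscalls with no driver behind them."""
    return [(e["func"], e["target"]) for e in entries if classify(e) == "unattributed"]


if __name__ == "__main__":
    parsed = parse_ssdt(SAMPLE_LOG)
    for owner, funcs in group_by_owner(parsed).items():
        print(f"{owner}: {', '.join(funcs)}")
    print("escalate:", unattributed_hooks(parsed))
```

Feed a full GMER log to parse_ssdt() and the output is a per-driver inventory of hooks; on the log in this post the three unattributed entries (ZwAlertResumeThread, ZwAlertThread, ZwConnectPort) are exactly the ones the Dr.Web and Symantec drivers do not account for. An unattributed hook is not proof of a rootkit on its own, but it is the line to quote back to a helper.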

A:Backdoor.TDSS.565 , Google redirect

Here are the logs - had trouble uploading before.


Hello Everyone. I originally posted this in the HJT Forum but I think that was in error. I think it more appropriate for this forum. If I am wrong please accept my apologies.

I started getting virus/malware notices from McAfee Total Protection 2009 this week. I've tried all of the tools below, and all had a similar result. The virus would be found and removed, but would come back usually after I opened up IE8 and clicked on any link either from my "Favorites List" or from "Google" or after rebooting.

With IE8, or after I had rolled back IE8 to IE7 or IE6, I would still have the issue of IE6, IE7, or IE8 "Redirecting" to another website. Consecutive scans would not find the virus, and then trying another tool would find it.
Things that I've tried:
-----------
McAfee Total Protection v.9.15 (Found "Backdoor.Tdss.565, & GenericFakeAlert!.cw and deleted them)
Ad-Aware Free Anti-Malware 8.1.0 (Found Nothing)
MalwareBytes v. 1.41 (Found Trojans and deleted them but they came back.)
VundoFix v. 7.0.6 (Found nothing)
SUPERAntiSpyware v.4.29.1004 (Found Trojans and removed)
ATF Cleaner (Cleaned all areas of temp files and such)
Dr. Web v.5.00 (Found and Deleted Vundo Trojan, Found Backdoor.Tdss.565 in Memory and eradicated...always comes back.)
DDS (Ver_09-10-26.01) - NTFSx86

I also tried to boot into "Safe Mode", with all of the same results as before. IE8 still "Redirects" but the virus is gone. I've had different combinations of the programs listed ...

A:Backdoor.Tdss.565 & IE8 Redirecting issue

Hello OregonSNOB,
Try this: http://vundofix.atribune.org/
Regards,
D_N_M


I started seeing the following 3 new items in my task list yesterday:
C:\Documents and Settings\troy\Application Data\Microsoft\Windows\shell.exe
C:\Documents and Settings\troy\Application Data\Microsoft\svchost.exe
C:\DOCUME~1\troy\LOCALS~1\Temp\dwm.exe

I tried to run MBAM, but it would not start, and my browser was redirected whenever I tried to connect to any sites that offered MBAM downloads or any anti-malware discussions. Once I renamed MBAM.exe I was able to run it with the following results:

Memory Processes Infected:
C:\Documents and Settings\troy\Application Data\Microsoft\svchost.exe (Backdoor.Bot) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.87,93.188.161.227 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{31988cec-020e-4508-9f2e-387f68ec65ac}\NameServer (Trojan.DNSChanger) -> Data: 93.188.1...
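The Trojan.DNSChanger entries in the MBAM log above are the mechanism behind the search redirects this page keeps describing: the malware pins the global and per-interface NameServer values under Tcpip\Parameters to resolvers it controls, so every lookup the browser makes is answered by the attacker. The following is an added example, not code from the forum post or from Malwarebytes: a Python audit of those NameServer values against a list of resolvers the machine is expected to use. Real registry access would need winreg on Windows, so the values are supplied as a dict constructed from the log; the 93.188.x.x addresses are the ones the log quotes, while the second and third interface GUIDs and the 192.168.1.1 "expected" router resolver are assumptions for the demonstration.

```python
"""Added example (not from the forum thread): audit the NameServer registry
values that DNSChanger-style malware rewrites, given a snapshot of them.
The snapshot and the expected-resolver list are constructed for the demo.
"""
import ipaddress

TCPIP = r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"

# Constructed snapshot. The two 93.188.x.x addresses are the ones quoted in the
# MBAM log in this thread; the extra interface GUIDs and the 192.168.1.1
# router resolver are made up for the demonstration.
SAMPLE_VALUES = {
    TCPIP + r"\NameServer": "93.188.162.87,93.188.161.227",
    TCPIP + r"\Interfaces\{31988cec-020e-4508-9f2e-387f68ec65ac}\NameServer":
        "93.188.162.87,93.188.161.227",
    TCPIP + r"\Interfaces\{1111aaaa-0000-4000-8000-000000000002}\NameServer": "",
    TCPIP + r"\Interfaces\{1111aaaa-0000-4000-8000-000000000003}\NameServer":
        "192.168.1.1",
}

EXPECTED_RESOLVERS = {"192.168.1.1"}   # assumed: the home router / ISP DNS


def parse_nameserver(value):
    """Windows stores NameServer as a comma- or space-separated REG_SZ."""
    return [tok for tok in value.replace(",", " ").split() if tok]


def classify(addr, expected):
    """Return a short verdict for one resolver address."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "malformed"
    if addr in expected:
        return "expected"
    if ip.is_private or ip.is_loopback:
        return "local"          # a router or localhost resolver; odd but not hostile
    return "unexpected-public"  # statically pinned to a public resolver nobody configured


def audit(values, expected=EXPECTED_RESOLVERS):
    """Map each NameServer value to per-address verdicts; an empty value means DHCP."""
    report = {}
    for key, raw in values.items():
        if not key.endswith(r"\NameServer"):
            continue
        servers = parse_nameserver(raw)
        report[key] = [(s, classify(s, expected)) for s in servers]
    return report


def suspicious_entries(report):
    """Only the registry values that name a public resolver we did not configure."""
    return {
        key: [s for s, verdict in verdicts if verdict == "unexpected-public"]
        for key, verdicts in report.items()
        if any(verdict == "unexpected-public" for _s, verdict in verdicts)
    }


if __name__ == "__main__":
    rep = audit(SAMPLE_VALUES)
    for key, verdicts in rep.items():
        print(key)
        print("   ", verdicts or "(empty: resolver comes from DHCP)")
    print("suspicious:", suspicious_entries(rep))
```

On a live machine the same check belongs in a scheduled task or an endpoint baseline: export the NameServer values (or the output of "ipconfig /all"), feed them in, and alert on any "unexpected-public" verdict. The router's own DNS settings need the same treatment, since the thread's reformat advice also asks for a factory reset of the router for exactly this reason.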

A:Rootkit.TDSS, Backdoor.bot, etc. Infections

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process. Please also continue to work with me until I give you the all clear. Even if your computer appears to act better, you may still be infected.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.

Once we start working together, please reply back within 3 days or this thread may be closed so we can help others who are waiting.

We need to create an OTL report. Please downloa...


Greetings:

Multiple Anti Virus programs:
It looks like you are operating your computer with multiple Anti Virus programs running in memory at once:
COMODO Antivirus
avast! Antivirus
ESET NOD32 Antivirus 4.0

Anti-virus programs take up an enormous amount of your computer's resources when they are actively scanning your computer. Having two anti-virus programs running at the same time can cause your computer to run very slow, become unstable and even, in rare cases, crash. Please remove two of them.

One or more of the identified infections is a Backdoor Trojan. - TDSS rootkit

This could allow hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC could be compromised and there is no way to be sure that your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:...

A:BackDoor.Tdss.565 rootkit is detected

Thanks, ran the scan with Dr. Web, nothing found. Works faster. Tried to find NOD32 to remove - could not find it in Add/Remove Programs.
The rest are disabled. Only Comodo firewall is active.
Avast I will need to re-install.
Here is the log:

ComboFix 10-07-10.02 - Alan 07/11/2010 9:18:58.6.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1251.7.1033.18.2815.2389 [GMT -5:00]
Running from: C:\Documents and Settings\Alan\Desktop\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: COMODO Antivirus *On-access scanning disabled* (Updated) {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: COMODO Firewall *disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\awwwwx.dll
C:\WINDOWS\system32\bywwxy.dll
C:\WINDOWS\system32\cbxwxw.dll
C:\WINDOWS\system32\cbyaay.dll
C:\WINDOWS\system32\efccyx.dll
C:\WINDOWS\system32\fcbbax.dll
C:\WINDOWS\system32\fcbxuv.dll
C:\WINDOWS\system32\fcyvtq.dll
C:\WINDOWS\system32\geeede.dll
C:\WINDOWS\system32\hgggec.dll
C:\WINDOWS\system32\jkhhhi.dll
C:\WINDOWS\system32\kheedb.dll
C:\WIND...


This is my last computer that I'm working on. I've gone a little far based on what I learned with the other 2 computers.

dds

DDS (Ver_10-03-17.01) - NTFSx86
Run by Compaq_Administrator at 12:09:04.73 on Wed 07/14/2010
Internet Explorer: 8.0.6001.18702
BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.406 [GMT -7:00]
AV: Webroot Spy Sweeper *On-access scanning disabled* (Updated) {77E10C7F-2CCA-4187-9394-BDBC267AD597}
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============
C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
svchost.exe
C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\arse...

A:Browser redirect - Backdoor.Tdss.565

Hi again,

Those logs look ok. Looks like it's the 3rd time you ran ComboFix. Rootkit utilities can show lots of normal processes. TDSSKiller didn't remove anything. You can download and run Malwarebytes:

Please download Malwarebytes to your desktop.
Double-click mbam-setup.exe and follow the prompts to install the program.
Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform FULL SCAN, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
A restart of your computer may be required to remove some items. If prompted please restart your computer to complete the fix.
When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
Post the log in your reply.


I am getting this every time from Dr.Web:
Process in memory: C:\Program Files\Internet Explorer\IEXPLORE.EXE:464;;BackDoor.Tdss.565;Eradicated.;

Ran Malwarebytes -

Malwarebytes' Anti-Malware 1.41
Database version: 3143
Windows 5.1.2600 Service Pack 3, v.3311

11/11/2009 12:21:13 AM
mbam-log-2009-11-11 (00-21-10).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|)
Objects scanned: 346785
Time elapsed: 1 hour(s), 59 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemRoot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> No action taken.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuauserv\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemroot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious item...

A:infected by rootkit BackDoor.Tdss.565

Hello Tooz,
Your log shows "No action taken" in the Malwarebytes log.
Please update Malwarebytes, re-run a quick scan and let it fix anything it finds, then post a new log back to this thread for review.

Thank you

D_N_M


Hi there.

I have numerous problems with my computer.

I have posted it in this forum, from which I got referred to the HJT thread, where I have received no help yet. (Been about a week)

I have a Backdoor Tdss trojan lurking in my computer, and it came with a rootkit variant.

I can hardly run any anti-viral programs; they just say they have stopped working when I try to open them. Norton, MBAM and Windows Defender.

I've tried to install Spybot S&D, which doesn't work. I've tried running RKill and TDSSKiller, which don't work either.

I can run Dr.Webs CureIt which indicated that i have more than one virus/trojan. Some have been cured to which others haven't.

I've run WinDiag32, and the log is about 5 lines long (I'm sure there should be more).

I can post the Dr.Web log, but it's over 100 MB as it scanned my whole computer. (It crashed before when I tried to copy and paste it in here.)

I'm tempted to run ComboFix, but until I get the go-ahead to do so I'll wait till one of you guys tells me to.

Please try and help me, it's my only computer and I use it for a lot of work.

Thanks in advance.


Folks,

On a previous posting I was asked to run some DDS and GMER rootkit logs and post them here. They're at the end of this, DDS, Attach and ARK (rather long!).

I have a recurring web browser problem, it gets identified by some AV software including Malwarebytes and Dr Web but does not get removed, it simply pops up again next time I start internet searches. Done the usual F8 boots etc. It seems to be attached to C:\windows\system32\svchost.exe.584 and it seems to be called something like backdoor.dds.5665 or something like that.

Many thanks, logs as follows:

DDS (Ver_10-03-17.01) - NTFSx86
Run by Packard Bell at 9:58:03.59 on 22/07/2010
Internet Explorer: 8.0.6001.18702
BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.3326.1979 [GMT 1:00]
AV: Virgin Media Security Anti-Virus *On-access scanning enabled* (Updated) {5B5A3BD7-8573-4672-AEA8-C9BB713B6755}
FW: Virgin Media Security Firewall *enabled* {80593BF4-D969-4EC5-ADAE-A22F2DFC7A22}

============== Running Processes ===============
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Virgin Media\Security\Fws.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Virgin Media\Security\AVG\Identity Protection\agent\Bin\AVGIDSAgent.exe
C:...

A:rootkit backdoor.tdss.5455? logs

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together:
Do not run any other tool until instructed to do so!
Please do not attach logs or put them in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.
In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

In order for me to see the status of the infection I will need a new set of logs to start with.
Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:
Please download DeFogger to your desktop.
Double click DeFogger to run the tool.
The ap...


No matter how often I run CureIt, the virus comes back.

CureIt keeps saying:
C:\Windows\explorer.exe:2228 infected with BackDoor.Tdss.565
C:\Windows\system32\drivers\pciide.sys infected with BackDoor.Tdss.2459
C:\Windows\system32\drivers\pciide.sys infected with BackDoor.Tdss.2459

It claims to have eradicated the first one and cured the second two, but upon reboot, if I do a Google search *twice* from within Firefox's native, in-browser search box, then it comes back.

I have attached the Attach.txt and the DDS.txt is below. Please let me know if you want to see the CureIt log.

I could not run GMER without BSOD. Happy to follow instructions on how to get it to work, but no good on my own.

THANKS in advance.
Jay

#DDS
DDS (Ver_10-03-17.01) - NTFSx86
Run by Jay Hirschson at 20:17:59.28 on Wed 08/04/2010
Internet Explorer: 8.0.6001.18882
BrowserJavaVersion: 1.6.0_17
Microsoft® Windows Vista® Business 6.0.6001.1.1252.1.1033.18.3015.1813 [GMT -4:00]
AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
SP: Symantec Endpoint Protection *enabled* (Updated) {6C85A515-B91D-4D2B-AF18-40984A4A8493}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
FW: Symantec Endpoint Protection *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

============== Running Processes ===============
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm...

A:Search Results Hijacked - BackDoor.Tdss - Oy Vey!

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together:
Do not run any other tool until instructed to do so!
Please do not attach logs or put them in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.
In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

In order for me to see the status of the infection I will need a new set of logs to start with.
Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:
Please download DeFogger to your desktop.
Double click DeFogger to run the tool.
The ap...


I have a similar problem that others have... Avast is finding a bredolab-aq virus in *.tmp files that are being created in the windows/temp directory. I am running Windows Vista.

DrWeb-cure file:
Process in memory: C:\Windows\system32\wininit.exe:444;;BackDoor.Tdss.565;Eradicated.;
gasfkyqxcnsuwh.dll.xor;C:\Users\central\AppData\Local\Temp\MPSampleSubmit;BackDoor.Tdss.based.1;Deleted.;
cvya.tmp;C:\Windows\temp;Trojan.Packed.682;Deleted.;
igfg.tmp;C:\Windows\temp;Trojan.Packed.682;Deleted.;
nqlp.tmp;C:\Windows\temp;Trojan.Packed.682;Deleted.;
oiqb.tmp;C:\Windows\temp;Trojan.Packed.682;Deleted.;
ppjx.tmp;C:\Windows\temp;Trojan.Packed.682;Deleted.;
pwun.tmp;C:\Windows\temp;Trojan.Packed.682;Deleted.;
tcre.tmp;C:\Windows\temp;Trojan.Packed.682;Deleted.;
vegk.tmp;C:\Windows\temp;Trojan.Packed.682;Deleted.;
vgre.tmp;C:\Windows\temp;Trojan.Packed.682;Deleted.;
wpet.tmp;C:\Windows\temp;Trojan.Packed.682;Deleted.;
yeop.tmp;C:\Windows\temp;Trojan.Packed.682;Deleted.;

What do I need to do first, or next as the case may be?
Marty

A:win32:bredolab-aq and backdoor.tdss.565 infection

Please download Malwarebytes Anti-Malware (v1.41) and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (e.g. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

Make sure you are connected to the Internet.
Double-click on mbam-setup.exe to install the application.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware
Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
Make sure the "Perform Quick Scan" option is selected.
Then click on the Scan button.
If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
When the scan is finished, a message box will...


Hello,

I am working on a friend's Windows XP Home computer. I ran Dr. Web CureIt on the computer and found the following infections:
BackDoor.Tdss.598 on C:\Windows\System32\UACsemuyiawcx.dll
Trojan.Packed.2927 on C:\Windows\System32\UACqiitkiffnx.dll
Trojan.Packed.2936 on C:\Windows\System32\UACycqivqhsjn.dll

I have run DDS on the computer and am pasting the dds.log file here:

DDS (Ver_09-10-13.01) - NTFSx86
Run by Kelsey Kenel at 15:28:00.53 on Fri 10/23/2009
Internet Explorer: 6.0.2900.2180

============== Pseudo HJT Report ===============
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q306&bd=presario&pf=laptop
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q306&bd=presario&pf=laptop
mDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q306&bd=presario&pf=laptop
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: DefaultSearchHook Class: {c94e154b-1459-4a47-966b-4b843befc7db} - c:\program files\asksearch\bin\DefaultSearch.dll
uURLSearchHooks: ToggleEN Toolbar: {038cb5c7-48ea-4af9-94e0-a1646542e62b} - c:\program files\toggleen\tbTog1.dll
uUR...

A:BackDoor.Tdss and Trojan.Packed Infection

Hello again,

I am writing this from my clean XP desktop.

Last night, I turned on the infected XP laptop. After the system loaded, the hard drive continued to run. When the hard drive stopped, I received a message from the Microsoft Windows Malicious Software Removal Tool - Oct. 2009. The software found and removed Trojan:WinNt/Alureon.D. Next, I installed Malwarebytes' Anti-Malware. Previously, I was unable to install the software. Because I do not have the notebook connected to the internet, I did not update Malwarebytes'. The database date was 09-10-2009 and the database version was 2775. I ran the quick scan and found additional malware infections. I am including the log file at the end of this posting. I was only able to run the quick scan. I ran the notebook on battery (the power supply cord has to be held just right for charging). Today, I will attempt to update and run Malwarebytes' in a complete scan. I will let you know what I find.

If you have any additional tips on what to do next, please let me know.

Here is the Malwarebytes' log file -

Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 2

10/27/2009 1:47:01 AM
mbam-log-2009-10-27 (01-47-01).txt

Scan type: Quick Scan
Objects scanned: 96283
Time elapsed: 4 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 3

Me... Read more


See this http://www.bleepingcomputer.com/forums/t/316538/unknown-infection-seemingly-benign-popups-to-unknown-sites-followed-by-more-extensive-problems/ for background info.

DDS log:

DDS (Ver_10-03-17.01) - NTFSx86
Run by Alexander Kreider at 18:31:53.81 on Tue 05/18/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3318.2705 [GMT -6:00]
AV: Data Protection *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}

============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\HPZipm12.exe
c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
c:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\...

A:unknown, drweb lists BackDoor.Tdss, in memory

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Foll...


---
I was running IObit's Advanced SystemCare Free and Security 360. I had been using Avast Pro, but there was an error in the program that would report every startup file as a virus, and they suggested in their FAQs that when something of this nature happens it is an error in the program and to uninstall the program until they fix the error (because it could damage the OS eventually), so I grabbed a free AVP for the time being. No one on the PC but myself has admitted/made mention of any false reports to update programs like Flash Player, so I believe, since this infection has been noted to come from forums and such, that it either came from Craigslist, MySpace or EVONY forums. Those AFAIK are the only places anyone visits, with the exception of the normal email clients and such, where no one has the preview pane activated and everyone knows to avoid suspicious e-mails, as this has been the normal practice for the past 10+ years.

---
I got up early this morning and logged into my desktop. While rubbing my eyes, I clicked the Okay for the Flash Player Update that I knew better than to click due to warnings 3 months ago, then I clicked the okay for restarting Firefox so the installation of the plug-in could finish, and lo and behold, when I restarted Firefox, search result pages had been hijacked (obvious by the different font) and the browser was redirected to sites such as realsimple dot come, hxxp://64.21.20.248, hxxp/wwwmoevenpickhotels dot com, filterchemical. dot com and from the beginni...

A:Can't Shake BackDoor.tdss.565 or Access Safe Mode

This is all I got in the report from RootkitRevealer.

HKLM\SECURITY\Policy\Secrets\SAC* 6/28/2009 11:59 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 6/28/2009 11:59 PM 0 bytes Key name contains embedded nulls (*)


Hi,

I am really hoping that someone can help me with my problem, as now it has almost brought me to tears.
I should say beforehand that I am a total computer newbie, I know absolutely nothing of computers, only the bare minimum. I use my computer to surf the internet and for Word.

So, my problem:

I downloaded an episode of a TV show using Vuze (I know, bad behaviour, and after this I will certainly never do it again!). The file must have been infected, because when I opened it to play, my virus scanner (Avast) gave the following warning:

Virus found:
Filename: C:\windows\temp\lhvm.tmp\svchost.exe
Malware name: Win32 Malware-gen
Malware type: Virus/Worm

I put the file in quarantine and that seemed it. I removed the infected episode.
Unfortunately, from that moment on, every 5 minutes the same Avast warning pops up. Every time it gives the same virus in the same filename:

C:\windows\temp\xxxx.tmp\svchost.exe (the xxxx stands for a random 4-letter combination that keeps changing)

I did some research on the internet and found that this problem is caused by this virus: Backdoor.TDss.565.

I tried to run the Dr. Web CureIt scanner, because it was said that that was the only virus scanner that could find and clean up this virus. I tried it 4 times, but every time the program shut itself down when it was trying to scan the file C:\windows\system32\drivers\atapi.sys

I concluded this atapi.sys file must be th... Read more

A:Backdoor TDSS 565 infection: svchost.exe keeps popping up as being infected

I've got exactly the same virus/trojan.
This thing is driving me nuts. I can't find where it's hiding at all, and I always considered myself a fairly advanced computer user.

Norton Internet Security 2009 seems to thwart its attempts at connecting to the internet, but doesn't seem to be able to find the root of the problem.

Please somebody!!

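The Malwarebytes and Dr.Web entries quoted in the posts above describe three concrete hijacks that a responder can check for by script rather than by eye: a service ImagePath rewritten to %fystemRoot% (the variable never expands, so the Service Control Manager cannot find svchost.exe and BITS and wuauserv fail to start, which is why Windows Update "does nothing"), the Tcpip NameServer value pointed at 93.188.x.x resolvers (the DNSChanger behind the search redirects), and copies of svchost.exe, dwm.exe or shell.exe launched from a user profile or a temp folder. The Python below is an added example written for this page; it is not code from Bleeping Computer, Malwarebytes or Dr.Web. It runs over a constructed registry snapshot and process list modelled on those log lines, and the trusted-resolver set, the list of expandable service variables and the list of system-only binary names are assumptions for the example.

```python
"""Triage checks for the three hijack patterns quoted in the logs above.

Added example for this page, not code from Bleeping Computer, Malwarebytes
or Dr.Web. Runs offline on a hand-built snapshot; never touches a live registry.
"""
import re
from ipaddress import ip_address

# Variables the Service Control Manager expands in a REG_EXPAND_SZ ImagePath
# (assumed set for the example). A misspelt one such as %fystemRoot% stays
# literal, the path does not exist, and the service fails to start.
KNOWN_ENV = {"SYSTEMROOT", "WINDIR", "SYSTEMDRIVE", "PROGRAMFILES", "COMMONPROGRAMFILES"}

# Resolvers the owner actually configured (assumption for the example).
TRUSTED_RESOLVERS = {"192.168.1.1", "8.8.8.8", "8.8.4.4"}

# Binary names that should only ever run from the Windows directory tree.
SYSTEM_ONLY_BINARIES = {"svchost.exe", "dwm.exe", "shell.exe", "wininit.exe", "explorer.exe"}

ENV_REF = re.compile(r"%([^%]+)%")


def check_image_path(value):
    """Return a finding if the ImagePath references a variable that cannot expand."""
    for name in ENV_REF.findall(value):
        if name.upper() not in KNOWN_ENV:
            return f"undefined variable %{name}% in ImagePath: {value}"
    return None


def check_name_server(value):
    """Return a finding if NameServer lists a public resolver outside the trusted set."""
    bad = []
    for raw in re.split(r"[,\s]+", value.strip()):
        if not raw:
            continue
        try:
            addr = ip_address(raw)
        except ValueError:
            bad.append(raw)  # not an IP at all; certainly not something the owner set
            continue
        if raw not in TRUSTED_RESOLVERS and not addr.is_private:
            bad.append(raw)
    return f"untrusted resolvers in NameServer: {', '.join(bad)}" if bad else None


def check_binary_location(path):
    """Return a finding if a system-only binary name runs outside the Windows tree."""
    normalised = path.replace("/", "\\").lower()
    name = normalised.rsplit("\\", 1)[-1].split(":")[0]  # drop a ':PID' suffix as Dr.Web prints it
    if name not in SYSTEM_ONLY_BINARIES:
        return None
    if normalised.startswith("c:\\windows\\") and "\\temp\\" not in normalised:
        return None
    return f"{name} running from a non-system location: {path}"


def triage(registry, processes):
    """Apply every check to a {key: value} registry snapshot and a list of process paths."""
    findings = []
    for key, value in registry.items():
        lowered = key.lower()
        leaf = lowered.rsplit("\\", 1)[-1]
        if leaf == "imagepath" and "\\services\\" in lowered:
            hit = check_image_path(value)
        elif leaf == "nameserver":
            hit = check_name_server(value)
        elif "\\currentversion\\run\\" in lowered:
            hit = check_binary_location(value)
        else:
            hit = None
        if hit:
            findings.append((key, hit))
    for proc in processes:
        hit = check_binary_location(proc)
        if hit:
            findings.append(("process", hit))
    return findings


# Constructed snapshot modelled on the values quoted in the logs above.
SAMPLE_REGISTRY = {
    r"HKLM\SYSTEM\CurrentControlSet\Services\BITS\ImagePath": r"%fystemRoot%\system32\svchost.exe -k netsvcs",
    r"HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\ImagePath": r"%fystemroot%\system32\svchost.exe -k netsvcs",
    r"HKLM\SYSTEM\CurrentControlSet\Services\Spooler\ImagePath": r"%SystemRoot%\system32\spoolsv.exe",
    r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer": "93.188.162.87,93.188.161.227",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost":
        r"C:\Documents and Settings\troy\Application Data\Microsoft\svchost.exe",
}
SAMPLE_PROCESSES = [
    r"C:\WINDOWS\System32\svchost.exe",
    r"C:\WINDOWS\explorer.exe",
    r"C:\windows\temp\lhvm.tmp\svchost.exe",
    r"C:\DOCUME~1\troy\LOCALS~1\Temp\dwm.exe",
]

if __name__ == "__main__":
    for key, finding in triage(SAMPLE_REGISTRY, SAMPLE_PROCESSES):
        print(f"[!] {key}: {finding}")
```

On a real machine the snapshot would come from a registry export (reg export of the Services and Tcpip\Parameters keys) and a process listing; the checks are deliberately simple string rules so they can be read and adjusted by hand, and the repair for the ImagePath case is the one the Malwarebytes log already shows, restoring %SystemRoot%\System32\svchost.exe -k netsvcs.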

Hello

I wish I found your site sooner. I've been having browser re-directs for last few days, and fraud anti-virus scanner pop-ups, and worm attacks and have fixed most problems by following Norton website instructions. But I can see I might be leaving crumbs behind now that can flare up as I read what all other members are posting in this malware forum about same problems. (The thread by "not2much" on Jul 14 2010, 03:37 PM sounds just like me.) Wasted 2 work days already fighting this on my own.

I thought it was a "google re-direct" trojan problem, and Malwarebytes has found and cleaned a bunch of trojans and fraud.avsuite stuff. I restored computer to the day before problems started which helped, and then found a whole topic on "Backdoor.tidserv" on Norton website which talked about worm attacks. I was seeing those every time I searched on Google or Yahoo and one of the IP addresses matched Norton's list in that topic which makes me sure I got something worse than a run of the mill trojan. (At least Norton blocked the worm attacks as they came up.)

This is link to Norton/Symantec site that I followed:
http://www.symantec.com/security_response/...-99&tabid=3

Symantec did not stop the thing from getting in, but they seem to know about it. It places itself in any of these common files and keeps doing damage behind the scenes:
"File modification
The following file(s) may be modified on the compromised computer.
atapi.sys (file infection)
advapi32.dll (...

A:TDSS rootkit backdoor.TIDSERV removal and cleanup

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together:
Do not run any other tool until instructed to do so!
Please do not attach logs or put them in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.
In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

In order for me to see the status of the infection I will need a new set of logs to start with.
Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:
Please download DeFogger to your desktop.
Double click DeFogger to run the tool.
The ap...
