Author Topic: \\tsclient\a\a.dll  (Read 12854 times)


Offline Brickstin

  • Jr. Member
  • Posts: 68
\\tsclient\a\a.dll
« on: February 24, 2013, 06:54:34 AM »
I don't know what is going on but.. I keep getting a pop up from Avast saying a Win32:Morto-L [Wrm] is found.. a virus worm..

and it's from \\tsclient\a\a.dll

No matter what I do it doesn't stop..

What is TSClient?

I just came back to my PC and I noticed Administrator was logged in; it's never been logged in before.


Offline mikaelrask

  • Avast Evangelist
  • Super Poster
  • Posts: 1556
Re: \\tsclient\a\a.dll
« Reply #1 on: February 24, 2013, 08:12:58 AM »
Hey, there is another thread about this here.

http://forum.avast.com/index.php?topic=19767.0

Might be something to look at.

But as Avast is warning, best to be on the safe side: please follow this guide and attach your logs.

A malware expert will guide you from there.

http://forum.avast.com/index.php?topic=53253.0
Windows 8.1 amd a10-5700 64 bit
12 GB ram 1 tb hard drive. Avast 18, MBAM

Offline Brickstin

  • Jr. Member
  • Posts: 68
Re: \\tsclient\a\a.dll
« Reply #2 on: February 25, 2013, 08:10:58 PM »
Definitely the Worm:Win32/Morto.B ... did some research on these files and registries... I have most of those symptoms on this system.

OK, so it's Terminal Services.. alright.

I also thought I would include an Avast log too.. as it found some items. I included the log here: it's traffic and general log information throughout the past 60 days.
Please see Avast.txt attachment.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/24/2013 at 01:53 PM

Application Version : 5.6.1014

Core Rules Database Version : 10046
Trace Rules Database Version: 7858

Scan type       : Custom Scan
Total Scan Time : 07:56:05

Operating System Information
Windows XP Professional 32-bit, Service Pack 3 (Build 5.01.2600)
Administrator

Memory items scanned      : 566
Memory threats detected   : 0
Registry items scanned    : 38694
Registry threats detected : 0
File items scanned        : 292486
File threats detected     : 53

Adware.Tracking Cookie

Trojan.Agent/Gen-Nullo[Short]
   C:\SYSTEM VOLUME INFORMATION\_RESTORE{8AFBC45B-2A12-4EF6-8C1A-A547198A8DC0}\RP294\A0077714.EXE


This.. worried me... that restore point was infected..


Then Malwarebytes found a Trojan inside a legitimate game?... from Aeria Games.. which shocked me...

Malwarebytes Anti-Malware 1.70.0.1100
www.malwarebytes.org

Database version: v2013.02.24.01

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 7.0.5730.13
Administrator :: PC-F73B8DFDD649 [administrator]

2/24/2013 1:41:23 AM
mbam-log-2013-02-24 (01-41-23).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 505103
Time elapsed: 3 hour(s), 37 minute(s), 25 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\AeriaGames\Shaiya\game.exe (Trojan.Agent) -> Quarantined and deleted successfully.

(end)



Offline Brickstin

  • Jr. Member
  • Posts: 68
Re: Logs Cont'
« Reply #3 on: February 25, 2013, 08:20:55 PM »
Ran out of attachment space.

Sorry for taking long to reply: had other things to deal with.. x.,x Like telling the bank about my PC being hacked.... I've used this for banking.. so yeah.. Pretty iffy about this PC now..

Offline mikaelrask

  • Avast Evangelist
  • Super Poster
  • Posts: 1556
Re: \\tsclient\a\a.dll
« Reply #4 on: February 26, 2013, 09:23:53 AM »
Hey again, thanks for attaching the necessary logs. Now we wait for a malware expert to help you from here.

Offline mikaelrask

  • Avast Evangelist
  • Super Poster
  • Posts: 1556
Re: \\tsclient\a\a.dll
« Reply #5 on: February 26, 2013, 09:27:49 AM »
Update: I have sent a message to one of our malware experts here on the forum, named essexboy. He will help you when he comes online later today.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: \\tsclient\a\a.dll
« Reply #6 on: February 26, 2013, 03:02:48 PM »
Hi, nothing readily apparent in the logs apart from the question mark that RogueKiller raises on the LL2, so I will run a programme to check that out.
I will also remove the bad restore point for you and create a fresh one.

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :Commands
    [resethosts]
    [emptytemp]
    [CLEARALLRESTOREPOINTS]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
THEN

Download the latest version of TDSSKiller from here and save it to your Desktop.

  • Doubleclick on TDSSKiller.exe to run the application
  • Then click on Change parameters.
  • Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
  • Click the Start Scan button.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
  • If malicious objects are found, they will show in the Scan results and offer three (3) options.
  • Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
  • Get the report by selecting Reports
  • Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

Please copy and paste its contents on your next reply.

Offline Brickstin

  • Jr. Member
  • Posts: 68
Re: \\tsclient\a\a.dll
« Reply #7 on: March 08, 2013, 07:53:14 AM »
Sorry for taking so long to reply; I had to deal with other things and work.

But I'm back now and here are the results.

Anyhow, TDSSKiller keeps freezing my computer, and every time I restart the PC forcefully it takes forever to load now: it takes like 4 minutes just to load Windows, sometimes 5.

I don't know what all has happened but now my computer is worse than what it used to be: I am starting to get close to just reinstalling Windows and seeing if that fixes the operating system: I don't see why it's taking so long just to load.

During the scan it goes to 40 objects scanned, then freezes on ashWebSv.exe; it just stays there and doesn't do anything. That is all it keeps doing every time.

« Last Edit: March 08, 2013, 07:55:05 AM by Brickstin »

Offline Brickstin

  • Jr. Member
  • Posts: 68
Re: \\tsclient\a\a.dll
« Reply #8 on: April 11, 2014, 09:04:32 PM »
I must say I'm sorry for never getting back to anyone here; a lot of personal things happened, as my uncle has Stage 3 inoperable lung cancer and my grandmother also passed away.

I was going in and out of town for nearly a year and had my own personal issues that I had to attend to.. But other than that.. if anyone can help me finish this I would appreciate it.

essexboy was the last person to help me and here is my first log in response to this.. Again, I deeply apologise for wasting anyone's time x.x

I have attached the first log and the others from OTL, and then I will post the TDSSKiller log in a moment.

Offline Brickstin

  • Jr. Member
  • Posts: 68
\\tsclient\a\a.dll TDSSkiller NoCure?
« Reply #9 on: April 11, 2014, 10:02:11 PM »
Here is the result of TDSSKiller. Only delete, quarantine or skip was available.

So I just skipped for now; please let me know if any of these are to be deleted next time or quarantined.

Please check the attachment for the TDSSKiller log.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: \\tsclient\a\a.dll
« Reply #10 on: April 11, 2014, 10:23:21 PM »
Hi, could you let me know what the current situation is please?