Author Topic: Crypt-FMV Trojan coming in through svchost.exe  (Read 14224 times)


sentico

  • Guest
Crypt-FMV Trojan coming in through svchost.exe
« on: November 24, 2009, 11:03:37 PM »
Since monday morning Avast has been going off about every 5 minutes alerting to a Crypt-FMV trojan in a randomly created directory in c:\windows\temp\

i.e. c:\windows\temp\####.tmp\svchost.exe (where #### is a random 4-letter combination)

This file is being created by c:\windows\system32\svchost.exe

services:
DCOM Server Process Launcher [DcomLaunch]
Plug and Play [PlugPlay]

OS is Windows Vista SP 2

Avast finds no viruses except during creation of this file
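
As an added example (not from this thread or from Avast), here is a small Python checker for the symptom sentico describes: svchost.exe appearing in a random c:\windows\temp\####.tmp\ directory instead of System32. It runs over constructed event lines; their key="value" layout is an assumption for the example, not any product's real log format, and the two rules (svchost.exe outside System32/SysWOW64, any .exe under a 4-character .tmp directory in Windows\Temp) are generalised from the paths given in the post.

```python
"""Added example (not from the thread or from Avast): flag svchost.exe images
that run from anywhere other than the directories Windows ships it in, and
executables dropped into C:\\Windows\\Temp\\<4 chars>.tmp\\ as the first post
describes.  The event lines are constructed for the example and their
key="value" layout is an assumption, not any product's log format."""
import re
from typing import Optional

# Directories a genuine svchost.exe is expected to run from (lower-case).
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# c:\windows\temp\####.tmp\<anything>.exe, the path pattern reported above.
TEMP_TMP_DIR_EXE = re.compile(
    r"^c:\\windows\\temp\\[a-z0-9]{4}\.tmp\\[^\\]+\.exe$", re.IGNORECASE)


def suspicious_reason(path: str) -> Optional[str]:
    """Return why a file path looks suspicious, or None if it looks normal."""
    norm = path.strip().strip('"').lower()
    directory, _, name = norm.rpartition("\\")
    if name == "svchost.exe" and directory not in LEGIT_SVCHOST_DIRS:
        return "svchost.exe outside System32/SysWOW64"
    if TEMP_TMP_DIR_EXE.match(norm):
        return "executable dropped in Windows\\Temp\\*.tmp directory"
    return None


# Constructed line shape: "<date> <time> <event> key="value" key="value" ..."
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<event>\w+) (?P<rest>.*)$")
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line: str) -> Optional[dict]:
    """Split one event line into a dict, or return None if it is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("rest")))
    fields["ts"], fields["event"] = m.group("ts"), m.group("event")
    return fields


def scan_log(lines):
    """Return (timestamp, event, path, reason) for every suspicious line."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        # FileCreate events carry the new file in "path"; process events
        # carry the executable in "image".
        path = rec.get("path") or rec.get("image")
        if not path:
            continue
        reason = suspicious_reason(path)
        if reason:
            findings.append((rec["ts"], rec["event"], path, reason))
    return findings


# Constructed sample events modelled on the symptoms in the first post.
SAMPLE_LOG = [
    r'2009-11-24 11:03:37 FileCreate parent="C:\Windows\System32\svchost.exe" path="C:\Windows\Temp\ab12.tmp\svchost.exe"',
    r'2009-11-24 11:03:38 ProcessCreate image="C:\Windows\System32\svchost.exe" cmdline="svchost.exe -k DcomLaunch"',
    r'2009-11-24 11:08:41 ProcessCreate image="C:\Windows\Temp\q7zp.tmp\svchost.exe" parent="C:\Windows\System32\svchost.exe"',
    r'2009-11-24 11:09:02 FileCreate parent="C:\Windows\explorer.exe" path="C:\Users\sentico\Documents\notes.txt"',
    "garbage",  # malformed line; the parser returns None and it is skipped
]

if __name__ == "__main__":
    for ts, event, path, reason in scan_log(SAMPLE_LOG):
        print(f"{ts} {event:<13} {path}  <- {reason}")
```

The genuine System32 svchost.exe that hosts DcomLaunch and PlugPlay is deliberately not flagged; what is flagged is the copy it was seen writing into Windows\Temp, which is why the parent process in the first post looks legitimate while the created file does not.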

Offline superhacker

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 979
  • superhacker != super mario
Re: Crypt-FMV Trojan coming in through svchost.exe
« Reply #1 on: November 25, 2009, 12:08:09 AM »
Do a boot-time scan.
Run a cure with Dr.Web CureIt.
Do a scan with MBAM.
Dreams don't die, they just fall asleep.

sentico

  • Guest
Re: Crypt-FMV Trojan coming in through svchost.exe
« Reply #2 on: November 25, 2009, 02:43:41 AM »
Do a boot-time scan.
Run a cure with Dr.Web CureIt.
Do a scan with MBAM.

I had done a boot-time scan and run MBAM before making this post; neither found anything.

Dr.Web cure found and fixed the problem.

It found trojan backdoor.tdss.565 in memory and trojan backdoor.tdss.1365 in c:\windows\system\drivers\atapi.sys

Thanks for your help.

Offline superhacker

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 979
  • superhacker != super mario
Re: Crypt-FMV Trojan coming in through svchost.exe
« Reply #3 on: November 25, 2009, 06:20:41 PM »
You are welcome.
Enter here to ensure you won't get a virus again:
http://forum.avast.com/index.php?topic=50106.0
Dreams don't die, they just fall asleep.

fula5

  • Guest
Re: Crypt-FMV Trojan coming in through svchost.exe
« Reply #4 on: December 01, 2009, 03:38:18 PM »
It's my exact problem. (Downloading a movie by torrent is the source.)
But if I try to run Dr.Web again, it finds another .EXE, and then another, and another....

Avast doesn't detect this BackDoor.Tdss.565 ???
Any suggestions?

Thanks.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33921
  • malware fighter
Re: Crypt-FMV Trojan coming in through svchost.exe
« Reply #5 on: December 01, 2009, 06:48:03 PM »
Hi fula5,

BackDoor.Tdss.565 is a Trojan that may allow a remote attacker to gain full access to the compromised computer. BackDoor.Tdss.565 is a new modification of the backdoor program which enables cyber criminals to get full control over infected machines. What makes BackDoor.Tdss.565 unique is the rootkit technology which is used to conceal its presence in a victimized system. BackDoor.Tdss.565 files were known to be undetected by antivirus programs because of its rootkit functionalities. The only anti-virus which helps get rid of this very dangerous Trojan is Dr.Web. The Dr.Web CureIt! utility should be downloaded anew.

Manual removal instructions example:

Step 1 : Use Windows Task Manager to Remove Backdoor.TDSS Processes

Remove the "Backdoor.TDSS" processes files:
wow64main.exe
%ALLUSERSPROFILE%\Application Data\Microsoft\Network\svchost.exe

Step 2 : Use Registry Editor to Remove Backdoor.TDSS Registry Values

Locate and delete "Backdoor.TDSS" registry entries:
Microsoft\Windows NT\CurrentVersion\tdssdata

Step 3 : Use Windows Command Prompt to Unregister Backdoor.TDSS DLL Files

Search and unregister "Backdoor.TDSS" DLL files:

%SYSTEMROOT%\system32\lasmcnyjaa.dll
%SYSTEMROOT%\system32\osajuhzzwtyo.dll
%SYSTEMROOT%\system32\mdqhqxcejju.dll
TDSSnrse.dll
TDSSfpmp.dll
TDSSoeqh.dll
TDSSliqp.dll
TDSSciou.dll
TDSScfgb.dll
TDSSnrsr.dll
TDSSriqp.dll
TDSScfub.dll

Step 4 : Detect and Delete Other Backdoor.TDSS Files

Remove the "Backdoor.TDSS" processes files:
wow64main.exe
TDSSnrse.dll
TDSSfpmp.dll
TDSSoeqh.dll
TDSSliqp.dll
TDSSmhct.sys
TDSSciou.dll
TDSScfgb.dll
TDSSosvn.dat
TDSSmhxt.sys
TDSSmaxt.sys
TDSSnrsr.dll
TDSSriqp.dll
TDSScfub.dll
%ALLUSERSPROFILE%\Application Data\Microsoft\Network\svchost.exe
%SYSTEMROOT%\system32\lasmcnyjaa.dll
%SYSTEMROOT%\system32\osajuhzzwtyo.dll
%SYSTEMROOT%\system32\mdqhqxcejju.dll

Step 5 : View the Backdoor.TDSS Components with their MD5s

Remove the "Backdoor.TDSS" components:
File Name   File Size (bytes)   MD5
TDSSfpmp.dll   2271   b97a8b53bb298025fff5a817cef83c57
TDSSliqp.dll   31232   151ff4cdf759481534a1535f0f03160d
TDSSnrse.dll   29696   0eaf34f90b433a3c5642ecea7fd70d1f
file.exe   35840   ad440aa8e7a3f1cc4574acf2447a8022
install[1].exe   47104   857fe3b30bc1f8a7ec4b73cb8dd38d3d
osajuhzzwtyo.dll   134144   dea7ae96da06a20737d052498ec7f079
UACqxtiekcnbouoins.dll   19968   45eb74a8b5be4238e6cc561ba3c8b795
UACyctgyibvpiextci.dll   17408   34d4a43a970cc558508c74804a295e8e
ytasfwkoslyqdk.dll   20480   13ae37ef2a7cdd215f0665115e77d186
gasfkydovvwqoh.dll   19456   01a45c33177509afc09d99bf05998639
wow64main.exe   1146880   b02eafc95218d62d2fb60bfb61382867
TDSSfpmp.dll   2276   e5fe92762403322934b3946fa9532cd6
TDSSosvn.dat   527   e9ad80d5a1328bf5b48b2226da1ecbde
TDSSfpmp.dll   2271   ebe3dbad4f62b1fc9db8060f8c2801ec
winlogon.exe   35840   ad440aa8e7a3f1cc4574acf2447a8022
install[1].exe   47616   215a9feab9289950cf19245f7f143c35
mdqhqxcejju.dll   134144   4b81f8821cb48870e6f41d0eda95f1bc
UACwusibnevxscvntv.dll   66560   96f56cae7d77cae83e70487b28869494
svchost.exe   350720   3875bfc00b2c6053065cdaec623c470c
googletoolbar_download.exe   61440   1bc09e91c70a6a9ccbaae4d27ce71ca6
ktk57D9.tmp.exe   467456   a34d514b84b97d75c54584dcb690b292
TDSSmhct.sys   60416   9679cbb6fb2104010efb44910e08a563
TDSSfpmp.dll   2271   c9eae3fc10318713a3d5616d9634f1bf
TDSSofxh.dll   36864   d68510fa4a59413d7b7a4add74c59358
services.exe   199680   38490d717f495417eac59a2c6cb01290
winlogon.exe   69637   860a96b3c442b5f3316d671dc7ec177e
svchost.exe   350720   e83435e1590e7016903059022a5bef9f
UACqkppyodbawkldgu.dll   19968   cc6e356af29b9e5f1cb3485c8fb02b67
hapldpbpoz.dll   134144   5ce50b9147cbd6cd22aacf12750ea0ab
gasfkyfpcrnmxg.dll   19968   959fd9367450aaca972f346df9ee28ae
wscsvc32.exe   1002496   09ea9196890c912a2cf040498ed63a56
TDSSciou.dll   73728   697de522509c28c9998d9933e3fa6fb7
TDSSoeqh.dll   35840   3f28e5e6a394e7f668d701b1f7125b64
TDSSosvd.dll   36864   d68510fa4a59413d7b7a4add74c59358
iv.exe   42496   7a8ca5e4742f7a8930798796137748cf
file.exe,winlogon.exe   35840   dc073ddbb1dd45f17a2fa2a828a405ae
lasmcnyjaa.dll   134144   e0b9786878344598f099c337808f0dbd
UACnqxnsethfqsyxcr.dll   24064   8842a4193abc5d412442247c6dba3045
tdssadw.dll   32768   ed38233137323e0291f3cae405620157
kbiwkmvttkqppj.dll   19968   8966eb3f8a03c014426def4449312ea2
wow64main.exe   1257472   35c1926d4b4cc0d9fb1124e45f880f79


Rule #1: Ensure that your Windows Security is up-to-date.

Every week Microsoft provides their new updates that can always be downloaded manually from the Microsoft website. To get Microsoft Update, you should do the following steps:

Go to IE > Tools > Windows Update > Product Updates,

Select "ALL High-Priority Security Updates" from the list,

Open IE and go to Internet Options > Security > Internet,

Press "Default Level" and then OK,

Press "Custom Level."

Rule #2: Download and install reliable anti-spyware software,

polonus

Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
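
The MD5 table in the post above is only useful if something actually compares it against the files on a machine. The following Python script is an added example, not code from the thread, from Dr.Web or from Avast: it parses a subset of those rows (copied from the post), hashes every file under a directory tree, and reports a hash match as a strong indicator and a bare filename match as a weak one, since the TDSS* names above are random-looking and change between samples. The files it creates in demo_scan() are constructed for the demonstration. One caveat the post itself implies: a user-mode walk like this cannot see files the rootkit hides from the file system API, which is why the thread relies on a boot-time or safe-mode scan for the driver component.

```python
"""Added example, not code from the thread or from Dr.Web/Avast: turn the MD5
table in the post above into a lookup and sweep a directory tree for files
whose hash (strong indicator) or whose name (weak indicator) appears in it.
IOC_TABLE is a subset of rows copied from the post; the files written by
demo_scan() are constructed for the demonstration and are not malware."""
import hashlib
import os
import tempfile

IOC_TABLE = """\
File Name   File Size   MD5
TDSSfpmp.dll   2271   b97a8b53bb298025fff5a817cef83c57
TDSSliqp.dll   31232   151ff4cdf759481534a1535f0f03160d
file.exe   35840   ad440aa8e7a3f1cc4574acf2447a8022
winlogon.exe   35840   ad440aa8e7a3f1cc4574acf2447a8022
TDSSfpmp.dll   2276   e5fe92762403322934b3946fa9532cd6
svchost.exe   350720   3875bfc00b2c6053065cdaec623c470c
"""


def parse_ioc_table(text):
    """Return (by_hash, by_name): md5 -> set of names, lowercase name -> set of md5s.
    The same name can appear with several hashes, one hash with several names,
    and a row may list comma-separated names for one hash (as the post does)."""
    by_hash, by_name = {}, {}
    for line in text.splitlines()[1:]:          # skip the header row
        parts = line.split()
        if len(parts) != 3 or len(parts[2]) != 32:
            continue                             # not a data row
        names, md5 = parts[0].split(","), parts[2].lower()
        for name in names:
            by_hash.setdefault(md5, set()).add(name)
            by_name.setdefault(name.lower(), set()).add(md5)
    return by_hash, by_name


def md5_of(path, chunk=1 << 16):
    """MD5 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root, by_hash, by_name):
    """Walk root and return hash hits and name-only hits, sorted by path."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            try:
                digest = md5_of(full)
            except OSError:                      # locked or unreadable file
                continue
            rel = os.path.relpath(full, root)
            if digest in by_hash:
                hits.append({"path": rel, "md5": digest, "match": "hash",
                             "known_as": sorted(by_hash[digest])})
            elif fname.lower() in by_name:
                hits.append({"path": rel, "md5": digest, "match": "name",
                             "known_as": [fname]})
    return sorted(hits, key=lambda h: h["path"])


def demo_scan():
    """Constructed demonstration on three files in a temporary directory:
    one whose MD5 is added to the table as if it were a known sample, one
    that only shares a name from the table, and one unrelated file."""
    by_hash, by_name = parse_ioc_table(IOC_TABLE)
    samples = {
        os.path.join("Temp", "ab12.tmp", "dropper.exe"): b"constructed sample, not malware",
        os.path.join("system32", "TDSSliqp.dll"): b"constructed file that only has an IoC name",
        os.path.join("system32", "kernel32.dll"): b"constructed benign file",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in samples.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
        dropper = os.path.join(root, "Temp", "ab12.tmp", "dropper.exe")
        by_hash[md5_of(dropper)] = {"dropper.exe"}   # pretend it is a known hash
        return scan_tree(root, by_hash, by_name)


if __name__ == "__main__":
    for hit in demo_scan():
        print(hit["match"].upper().ljust(5), hit["path"], hit["md5"], hit["known_as"])
```

Run it as a script to see the two hits; to sweep a real machine, call scan_tree(r"C:\Windows", *parse_ioc_table(<the full table>)) from an account that can read System32, and treat a name-only hit as something to inspect, not as proof of infection.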

lieke89

  • Guest
Re: Crypt-FMV Trojan coming in through svchost.exe
« Reply #6 on: December 15, 2009, 09:57:27 AM »
Hi all,

I am really hoping you can help me. I have the exact same problem as stated in the first post.

Every 5 minutes Avast gives a warning that it found Malware (Virus/Worm) in C:\Windows\Temp\xxxx.tmp\svchost.exe. The xxxx are made out of letters that change every time.

My computer runs on Windows Vista, I think it has Service Pack 2? No idea really.

So, I tried the solutions you gave already. I downloaded Dr. Web CureIt and it found BackDoor.Tdss.565, exactly as was said. But then all of a sudden the Dr.Web scanner was cut off with the message that the program didn't function properly and that my computer had to shut it down. This happened 3 times, every time when Dr.Web tried to scan the file: C:\Windows\system32\drivers\atapi.sys. So, it still didn't get to finish the scan.

I really don't know what to do now. I have tried scanning with Dr. Web 4 times now and every time the program shuts itself down when it reaches that atapi.sys file, and it will not scan to the end.

I tried to get rid of BackDoor.Tdss.565 by doing it manually, the way Polonus suggested, but I can't find any of the processes (like: wow64main.exe %ALLUSERSPROFILE%\Application Data\Microsoft\Network\svchost.exe) in the Windows Task Manager... They are just not there.

I really don't know what else to do and this Backdoor thing is driving me mad :'(. I probably got it through downloading an infected torrent file. I am actually afraid that C:\Windows\system32\drivers\atapi.sys might be infected as well. Why else would Dr. Web cut itself off there?

Note: I am totally not into computers, therefore I cannot give you any specific logs or information (I wouldn't even know how to get a log from a scanner... sorry!). I really hope that someone can give me some hands-on information on how to get rid of this thing. Oh yeah: my computer runs on Windows Vista, I think it has Service Pack 2?

Thanks a lot!

Lieke

Offline scythe944

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 2913
  • My Tech Blog
Re: Crypt-FMV Trojan coming in through svchost.exe
« Reply #7 on: December 15, 2009, 07:33:23 PM »
Right-click on "Computer" and click Properties. Your system info (you can find service pack information here) will be shown.

As for the virus, try scanning with Dr.Web CureIt in safe mode. (Restart the computer; before Windows starts booting up, press the F8 key a few times. A menu should show up, listing several options. Choose Safe Mode.)
For generic computer (not avast) problems, you can also visit my forum for help: http://www.jacobytech.net/forum

micky77

  • Guest
Re: Crypt-FMV Trojan coming in through svchost.exe
« Reply #8 on: December 15, 2009, 08:57:30 PM »
Try this tool (as a start): http://support.kaspersky.com/viruses/solutions?qid=208280684
Another poster claims success. It's incredibly fast; on my clean system, literally 1 second. Unzip the file, then either execute it or press Start > Run, then copy/paste this:

"%userprofile%\Desktop\TDSSKiller.exe" -l C:\report.txt -v

A report can be found in C:\report.txt

JSHjet

  • Guest
Re: Crypt-FMV Trojan coming in through svchost.exe
« Reply #9 on: December 16, 2009, 12:45:09 AM »
Wrong thread, sorry.

lieke89

  • Guest
Re: Crypt-FMV Trojan coming in through svchost.exe
« Reply #10 on: December 16, 2009, 01:25:51 PM »
Hi!

Thanks for the input guys. The situation is now somewhat different.

After posting my previous post I thought I should be patient and wait for some answers, so I turned my computer off. When I turned it back on (an hour or so later), Avast didn't give me the 5-minute alerts with the svchost.exe anymore... so I tried running Dr. Web again and it worked! It spotted Backdoor.Tdss.565 and Backdoor.Tdss.1360 (this one was in 3 different atapi.sys files? Hmm).

Dr. Web said it cleaned the atapi.sys files and eradicated the backdoor.tdss.565 file.

I rebooted my computer and here I am: my computer functions normally and Avast doesn't give me any more alerts. Seems like the virus is gone, right? To be sure I ran Dr. Web again and it gave the exact same files again as being infected by this backdoor.tdss.1360 thing. Again it said that it repaired it, and I rebooted again.

So, it seems like it's gone, but I'm not really buying it... do any of you know how to make sure that the backdoor.tdss is gone?

Thanks again!

Lieke