Crypt-FMV Trojan coming in through svchost.exe

Viruses and worms
1

Since monday morning Avast has been going off about every 5 minutes alerting to a Crypt-FMV trojan in a randomly created directory in c:\windows\temp\

ie; c:\windows\temp####.tmp\svchost.exe (where #### is a 4 letter random combination)

This file is being created by c:\windows\system32\svchost.exe

services:
DCOM Server Process Launcher [DcomLaunch]
Plug and Play [PlugPlay]

OS is Windows Vista SP 2

Avast finds no viruses except during creation of this file

2

do a boot time scan
do a cure by dr.web cure it
do a scan by mbam

3

I had done a boot time scan and run mbam before making this post, neither found anything.

Dr.Web cure found and fixed the problem.

It found trojan backdoor.tdss.565 in memory and trojan backdoor.tdss.1365 in c:\windows\system\drivers\atapi.sys

thanks for your help

4

you are welcome
enter here to ensure you wont got a virus again
http://forum.avast.com/index.php?topic=50106.0

5

It’s my exact problem. (download a movie by torrent is the source.)
But if I tray to run Dr.Web again, its found another .EXE. and then Another, and another…

Avast, don’t detect this BackDoor.Tdss.565 ???
Any sugestions?

Thanks.

6

Hi fula5,

BackDoor.Tdss.565 is a Trojan that may allow a remote attacker to gain full access on the compromised computer. BackDoor.Tdss.565 is a new modification of the backdoor program which enables cyber criminals to get full control over infected machines. What makes BackDoor.Tdss.565 unique is the rootkit technology which is used to conceal its presence in a victimized system. BackDoor.Tdss.565 files were known to be undetected by antivirus programs because of its rootkit functionalities. The only anti-virus which helps get rid of this very dangerous Troj is Dr.Web. Dr.Web CureIt! utility should be downloaded anew.

Manual removal instructions example:

Step 1 : Use Windows Task Manager to Remove Backdoor.TDSS Processes

Remove the “Backdoor.TDSS” processes files:
wow64main.exe
%ALLUSERSPROFILE%\Application Data\Microsoft\Network\svchost.exe

Step 2 : Use Registry Editor to Remove Backdoor.TDSS Registry Values

Locate and delete “Backdoor.TDSS” registry entries:
Microsoft\Windows NT\CurrentVersion\tdssdata

Step 3 : Use Windows Command Prompt to Unregister Backdoor.TDSS DLL Files

Search and unregister “Backdoor.TDSS” DLL files:

%SYSTEMROOT%\system32\lasmcnyjaa.dll
%SYSTEMROOT%\system32\osajuhzzwtyo.dll
%SYSTEMROOT%\system32\mdqhqxcejju.dll
TDSSnrse.dll
TDSSfpmp.dll
TDSSoeqh.dll
TDSSliqp.dll
TDSSciou.dll
TDSScfgb.dll
TDSSnrsr.dll
TDSSriqp.dll
TDSScfub.dll

Step 4 : Detect and Delete Other Backdoor.TDSS Files

Remove the “Backdoor.TDSS” processes files:
wow64main.exe
TDSSnrse.dll
TDSSfpmp.dll
TDSSoeqh.dll
TDSSliqp.dll
TDSSmhct.sys
TDSSciou.dll
TDSScfgb.dll
TDSSosvn.dat
TDSSmhxt.sys
TDSSmaxt.sys
TDSSnrsr.dll
TDSSriqp.dll
TDSScfub.dll
%ALLUSERSPROFILE%\Application Data\Microsoft\Network\svchost.exe
%SYSTEMROOT%\system32\lasmcnyjaa.dll
%SYSTEMROOT%\system32\osajuhzzwtyo.dll
%SYSTEMROOT%\system32\mdqhqxcejju.dllStep 5 : View the Backdoor.TDSS Components with its MD5s

Remove the “Backdoor.TDSS” components:
File Name File Size MD5
TDSSfpmp.dll 2271 b97a8b53bb298025fff5a817cef83c57
TDSSliqp.dll 31232 151ff4cdf759481534a1535f0f03160d
TDSSnrse.dll 29696 0eaf34f90b433a3c5642ecea7fd70d1f
file.exe 35840 ad440aa8e7a3f1cc4574acf2447a8022
install[1].exe 47104 857fe3b30bc1f8a7ec4b73cb8dd38d3d
osajuhzzwtyo.dll 134144 dea7ae96da06a20737d052498ec7f079
UACqxtiekcnbouoins.dll 19968 45eb74a8b5be4238e6cc561ba3c8b795
UACyctgyibvpiextci.dll 17408 34d4a43a970cc558508c74804a295e8e
ytasfwkoslyqdk.dll 20480 13ae37ef2a7cdd215f0665115e77d186
gasfkydovvwqoh.dll 19456 01a45c33177509afc09d99bf05998639
wow64main.exe 1146880 b02eafc95218d62d2fb60bfb61382867
TDSSfpmp.dll 2276 e5fe92762403322934b3946fa9532cd6
TDSSosvn.dat 527 e9ad80d5a1328bf5b48b2226da1ecbde
TDSSfpmp.dll 2271 ebe3dbad4f62b1fc9db8060f8c2801ec
winlogon.exe 35840 ad440aa8e7a3f1cc4574acf2447a8022
install[1].exe 47616 215a9feab9289950cf19245f7f143c35
mdqhqxcejju.dll 134144 4b81f8821cb48870e6f41d0eda95f1bc
UACwusibnevxscvntv.dll 66560 96f56cae7d77cae83e70487b28869494
svchost.exe 350720 3875bfc00b2c6053065cdaec623c470c
googletoolbar_download.exe 61440 1bc09e91c70a6a9ccbaae4d27ce71ca6
ktk57D9.tmp.exe 467456 a34d514b84b97d75c54584dcb690b292
TDSSmhct.sys 60416 9679cbb6fb2104010efb44910e08a563
TDSSfpmp.dll 2271 c9eae3fc10318713a3d5616d9634f1bf
TDSSofxh.dll 36864 d68510fa4a59413d7b7a4add74c59358
services.exe 199680 38490d717f495417eac59a2c6cb01290
winlogon.exe 69637 860a96b3c442b5f3316d671dc7ec177e
svchost.exe 350720 e83435e1590e7016903059022a5bef9f
UACqkppyodbawkldgu.dll 19968 cc6e356af29b9e5f1cb3485c8fb02b67
hapldpbpoz.dll 134144 5ce50b9147cbd6cd22aacf12750ea0ab
gasfkyfpcrnmxg.dll 19968 959fd9367450aaca972f346df9ee28ae
wscsvc32.exe 1002496 09ea9196890c912a2cf040498ed63a56
TDSSciou.dll 73728 697de522509c28c9998d9933e3fa6fb7
TDSSoeqh.dll 35840 3f28e5e6a394e7f668d701b1f7125b64
TDSSosvd.dll 36864 d68510fa4a59413d7b7a4add74c59358
iv.exe 42496 7a8ca5e4742f7a8930798796137748cf
file.exe,winlogon.exe 35840 dc073ddbb1dd45f17a2fa2a828a405ae
lasmcnyjaa.dll 134144 e0b9786878344598f099c337808f0dbd
UACnqxnsethfqsyxcr.dll 24064 8842a4193abc5d412442247c6dba3045
tdssadw.dll 32768 ed38233137323e0291f3cae405620157
kbiwkmvttkqppj.dll 19968 8966eb3f8a03c014426def4449312ea2
wow64main.exe 1257472 35c1926d4b4cc0d9fb1124e45f880f79

Rule #1: Ensure that your Windows Security is up-to-date.

Every week Microsoft provides their new updates that can always be downloaded manually from the Microsoft website. To get Microsoft Update, you should do the following steps:

Go to IE > Tools > Windows Update > Product Updates,

Select “ALL High-Priority Security Updates” from the list,

Open IE and go to Internet Options > Security > Internet,

Press “Default Level” and then OK,

Press “Custom Level.”
Rule #2: Download and install a reliable anti-spyware software,

polonus

7

Hi all,

I am really hoping you can help me. I have the exact same problem as stated in the first post.

Every 5 minutes Avast gives a warning that it found Malware (Virus/Worm) in C:\Windows\Temp\xxxx.tmp\svchost.exe. The xxxx are made out of letters that change every time.

My computer runs on Windows Vista, I think it has Service Pack 2? No idea really.

So, I tried the solutions you gave already. I downloaded Dr. Web CureIt and it found BackDoor.Tdss.565, exactly as was said. But then all of a sudden the Dr.Web scanner was cut off with the message that the program didn’t function properly and that my computer had to shut it down. This happened 3 times, every time when Dr.Web tried to scan the file: C:\Windows\system32\drivers\atapi.sys. So, it still didn’t get to finish the scan.

I really don’t know what to do know. I tried scanning with Dr. Web for 4 times now and everytime the program shuts itself down when it reaches that atapi.sys file and it will not scan to the end.

I tried to get rid of BackDoor.Tdss.565 by doing it manually, the way Polonus suggested, but I can’t find any of the processes (like: wow64main.exe %ALLUSERSPROFILE%\Application Data\Microsoft\Network\svchost.exe) in the Windows Task Manager… They are just not there.

I really don’t know what else to do and this Backdoor thing is driving me mad :'(. I probably got it through downloading an infected torrentfile. I am actually afraid that C:\Windows\system32\drivers\atapi.sys might be infected as well. Why else would Dr. Web cut itself off there?

Note: I am totally not into computers, therefore I cannot give you any specific logs or information (I wouldn’t even know how to get a log from a scanner…sorry!). I really hope that someone can give me some hands-on information how to get rid of this thing. Oh yeah: My computer runs on Windows Vista, I think it has Service Pack 2?

Thanks a lot!

Lieke

8

right-click on “computer” and click properties. Your system info (you can find service pack information here) will be shown.

As for the virus, try scanning with dr.web cure it in safe mode. (restart computer, before windows starts booting up, press the F8 key a few times. A menu should show up, listing several options. Choose safe mode.

9

Try this tool ( as a start ) http://support.kaspersky.com/viruses/solutions?qid=208280684
Another poster claims success. Its incredibly fast, on my clean system, literally 1 second. Unzip the file, then either execute or press start > run . then copy/paste this

“%userprofile%\Desktop\TDSSKiller.exe” -l C:\report.txt -v

A report can be found in C\report.txt

10

Wrong thread, sorry.

11

Hi!

Thanks for the input guys. The situation is now somewhat different.

After posting my previous post I thought I should be patient and wait for some answers, so I turned my computer off. When I turned it back on (an hour or so later), Avast didn’t give me the 5 minutes alerts with the svhost.exe anymore… so I tried running Dr. Web again and it worked! It spotted Backdoor.Tdss.565 and Backdoor.Tdss.1360 (this one was in 3 different atapi.sys files ? hmm).

Dr. Web said it cleaned the atapi.sys files and eradicted the backdoor.tdss.565 file.

I rebooted my computer and here I am, my computer functions normally, Avast doesn’t give me any more alerts. Seems like the virus is gone right? To be sure I ran Dr. Web again and it gave the exact same files again as being infected by this backdoor.tdss.1360 thing. Again it said that it repaired it, and I rebooted again.

So, it seems like its gone, but I’m not really buying it… does anyone of you know how to make sure that the backdoor.tdss is gone?

Thanks again!

Lieke