WiredWX Christian Hobby Weather Tools
Trojan.TDSServ Is Back
After yesterday's help everything went well,
until not long ago, when I was on my computer again,
Trojan.TDSServ is back =[

Re: Trojan.TDSServ Is Back
Submit a new DDS log please.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.

Re: Trojan.TDSServ Is Back
DDS (Ver_09-01-19.01) - NTFSx86
Run by D-Secrets at 0:00:38.31 on Tue 01/27/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2039.1562 [GMT 8:00]

AV: Spyware Doctor with AntiVirus *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe -k bthsvcs
D:\Hotspot Shield\bin\openvpnas.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\vsnpstd3.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\D-link AirPlus G DWL-G120 Wireless USB\120UTIL.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\wuauclt.exe
D:\Professer Help\DDS\DDS.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uLocal Page = \blank.htm
uStart Page = hxxp://www.yahoo.com/
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Hotspot Shield Class: {f9e4a054-e9b1-4bc3-83a3-76a1ae736170} - d:\hotspot shield\hssie\HssIE.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [MsnMsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [snpstd3] c:\windows\vsnpstd3.exe
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\d-link~1.lnk - c:\program files\d-link airplus g dwl-g120 wireless usb\120UTIL.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/OnlineScanner.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1230906927421
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1230906914562
DPF: {C49134CC-B5EF-458C-A442-E8DFE7B4645F} - hxxp://www.yoyogames.com/downloads/activex/YoYo.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\d-secr~1\applic~1\mozilla\firefox\profiles\tcjaqupc.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/

============= SERVICES / DRIVERS ===============

R0 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2008-11-14 40840]
R1 IKSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2008-11-14 66952]
R1 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2008-11-14 81288]
R4 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2008-11-14 356920]
R4 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2008-11-14 1079176]
S3 IlvMoneyDRIVER53;IlvMoneyDRIVER53;\??\d:\maplesea hacks\ilvmoney1224.sys --> d:\maplesea hacks\IlvMoney1224.sys [?]
S3 SBRE;SBRE;\??\c:\windows\system32\drivers\sbredrv.sys --> c:\windows\system32\drivers\SBREdrv.sys [?]

=============== Created Last 30 ================

2009-01-26 23:48 268 a---h--- C:\sqmdata01.sqm
2009-01-26 23:48 244 a---h--- C:\sqmnoopt01.sqm
2009-01-26 23:33 268 a---h--- C:\sqmdata00.sqm
2009-01-26 23:33 244 a---h--- C:\sqmnoopt00.sqm
2009-01-26 01:53 --d----- c:\program files\common files\Wise Installation Wizard
2009-01-26 00:49 --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-01-24 13:33 --d----- c:\docume~1\d-secr~1\applic~1\Malwarebytes
2009-01-24 13:33 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-24 05:14 90,624 ac------ c:\windows\system32\dllcache\kswdmcap.ax
2009-01-24 05:14 28,672 ac------ c:\windows\system32\dllcache\vidcap.ax
2009-01-24 05:14 90,624 a------- c:\windows\system32\kswdmcap.ax
2009-01-24 05:14 28,672 a------- c:\windows\system32\vidcap.ax
2009-01-24 05:14 61,952 ac------ c:\windows\system32\dllcache\kstvtune.ax
2009-01-24 05:14 53,760 ac------ c:\windows\system32\dllcache\vfwwdm32.dll
2009-01-24 05:14 61,952 a------- c:\windows\system32\kstvtune.ax
2009-01-24 05:14 53,760 a------- c:\windows\system32\vfwwdm32.dll
2009-01-24 05:14 43,008 ac------ c:\windows\system32\dllcache\ksxbar.ax
2009-01-24 05:14 43,008 a------- c:\windows\system32\ksxbar.ax
2009-01-18 23:40 --d----- c:\program files\Retro64 Games
2009-01-04 21:47 --d----- c:\windows\system32\CatRoot_bak
2009-01-04 21:38 459,264 -c------ c:\windows\system32\dllcache\msfeeds.dll
2009-01-04 21:38 52,224 -c------ c:\windows\system32\dllcache\msfeedsbs.dll
2009-01-04 21:38 267,776 -c------ c:\windows\system32\dllcache\iertutil.dll
2009-01-04 21:38 63,488 -c------ c:\windows\system32\dllcache\icardie.dll
2009-01-04 21:38 13,824 -c------ c:\windows\system32\dllcache\ieudinit.exe
2009-01-04 21:38 383,488 -c------ c:\windows\system32\dllcache\ieapfltr.dll
2009-01-04 21:38 2,455,488 -c------ c:\windows\system32\dllcache\ieapfltr.dat
2009-01-04 21:38 991,232 -c------ c:\windows\system32\dllcache\ieframe.dll.mui
2009-01-04 21:38 6,066,176 -c------ c:\windows\system32\dllcache\ieframe.dll
2009-01-04 21:35 2,136,064 -c------ c:\windows\system32\dllcache\ntkrnlmp.exe
2009-01-04 21:34 2,180,352 -c------ c:\windows\system32\dllcache\ntoskrnl.exe
2009-01-04 21:34 2,015,744 -c------ c:\windows\system32\dllcache\ntkrpamp.exe
2009-01-04 21:34 2,057,728 -c------ c:\windows\system32\dllcache\ntkrnlpa.exe
2009-01-04 21:33 453,632 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2009-01-04 21:30 --d----- c:\windows\system32\PreInstall
2009-01-04 19:10 27,496 a------- c:\windows\system32\mucltui.dll.mui
2009-01-04 19:10 268,648 a------- c:\windows\system32\mucltui.dll
2009-01-02 22:36 23,576 a------- c:\windows\system32\wuapi.dll.mui
2009-01-02 22:33 --d----- c:\program files\Windows Journal Viewer
2009-01-01 02:32 --d----- C:\Nexon
2008-12-30 18:53 25,280 a------- c:\windows\system32\drivers\hamachi.sys
2008-12-30 00:36 --d----- c:\docume~1\alluse~1\applic~1\Messenger Plus!

==================== Find3M ====================

2008-12-11 19:57 333,184 a------- c:\windows\system32\drivers\srv.sys
2008-12-05 22:18 499,712 a------- c:\windows\system32\msvcp71.dll
2008-12-05 22:18 348,160 a------- c:\windows\system32\msvcr71.dll
2008-11-14 15:03 21,640 a------- c:\windows\system32\emptyregdb.dat

============= FINISH: 0:01:14.59 ===============
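Added example (not part of the thread, and not a DDS or PC Tools feature): a small triage helper that parses the SERVICES / DRIVERS section of a DDS log like the one above and flags the entries a responder would look at first. The sample input is constructed from the lines quoted in this post; the `[?]` trailer is read as "DDS could not obtain the image's date/size", which is an assumption about the format.

```python
import re
from typing import Dict, List

# Constructed sample: SERVICES / DRIVERS lines copied from the DDS log posted in this thread.
DDS_SAMPLE = r"""
R0 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2008-11-14 40840]
R1 IKSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2008-11-14 66952]
R4 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2008-11-14 356920]
S3 IlvMoneyDRIVER53;IlvMoneyDRIVER53;\??\d:\maplesea hacks\ilvmoney1224.sys --> d:\maplesea hacks\IlvMoney1224.sys [?]
S3 SBRE;SBRE;\??\c:\windows\system32\drivers\sbredrv.sys --> c:\windows\system32\drivers\SBREdrv.sys [?]
"""

# state (R0..R4 running, S0..S4 stopped) ; service name ; display name ; image path [date size]
ENTRY_RE = re.compile(r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<desc>[^;]*);(?P<rest>.+)$")
TRAILER_RE = re.compile(r"^(?P<path>.*?)\s*\[(?P<meta>[^\]]*)\]$")
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")  # assumption: a 32-bit XP layout as in the log


def parse_entries(text: str) -> List[Dict[str, str]]:
    """Parse DDS service/driver lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        rest = m.group("rest")
        # DDS prints "registry path --> resolved path" when they differ; keep the resolved one.
        if " --> " in rest:
            rest = rest.split(" --> ", 1)[1]
        t = TRAILER_RE.match(rest)
        path, meta = (t.group("path"), t.group("meta")) if t else (rest, "")
        entries.append({"state": m.group("state"), "name": m.group("name"), "path": path, "meta": meta})
    return entries


def triage(text: str) -> Dict[str, List[str]]:
    """Return {service name: [reasons]} for entries worth a closer look."""
    flagged: Dict[str, List[str]] = {}
    for e in parse_entries(text):
        reasons = []
        if e["meta"] == "?":
            reasons.append("DDS could not read the image's date/size ([?]): file missing, hidden or unreadable")
        if not e["path"].lower().startswith(TRUSTED_ROOTS):
            reasons.append("image loads from outside the Windows/Program Files tree: " + e["path"])
        if reasons:
            flagged[e["name"]] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in triage(DDS_SAMPLE).items():
        print(name, "->", "; ".join(reasons))
```

On the sample this flags IlvMoneyDRIVER53 (unreadable image and a path under d:\maplesea hacks) and SBRE (unreadable image only); both are entries a helper would verify rather than treat as confirmed malware.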

Re: Trojan.TDSServ Is Back
Okay, let's do another rootkit scan and remove this suspicious object.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O2 - BHO: Hotspot Shield Class - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - D:\Hotspot Shield\hssie\HssIE.dll


  • Press "Fix Checked"
  • Close HijackThis.


Delete this folder in bold:
D:\Hotspot Shield

1. Please download The Avenger by Swandog46 to your Desktop
Link: HERE or HERE.

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):


Files to delete:
C:\sqmdata01.sqm
C:\sqmnoopt01.sqm
C:\sqmdata00.sqm
C:\sqmnoopt00.sqm


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste the content of c:\avenger.txt into your reply.


Re: Trojan.TDSServ Is Back
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\sqmdata01.sqm" deleted successfully.
File "C:\sqmnoopt01.sqm" deleted successfully.
File "C:\sqmdata00.sqm" deleted successfully.
File "C:\sqmnoopt00.sqm" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Re: Trojan.TDSServ Is Back
Any change now?


Re: Trojan.TDSServ Is Back
Trojan.TDSServ Still There.

Re: Trojan.TDSServ Is Back
It's still finding it in temp folder?


Re: Trojan.TDSServ Is Back
Yeah,
C:\Documents and Settings\D-Secrets\Local Settings\Temp\np3A.tmp
and another 2,
the same but random np.tmp.

Re: Trojan.TDSServ Is Back
Hmm.

If this folder in bold below is present, delete it.
C:\Program Files\Conduit

Press Start > Run
Type in:
cmd
Press enter.
When the command prompt opens, type in:
ipconfig /flushdns <== note the space between the g and /
Press enter.

Close the command prompt.
Any change now?


Re: Trojan.TDSServ Is Back
Can't find this file: C:\Program Files\Conduit

How do I make the command prompt?
It gives me one black screen like a box
and nothing else.
I'm not very sure how to use this function.

Re: Trojan.TDSServ Is Back
Yeah, it's a black box, that has this line (or should)

C:\documents and settings\username>

That's where you type the command.


Re: Trojan.TDSServ Is Back
Yaps, done, still there, lols.
Trojan.TDSServ ==''
Ahhh

Re: Trojan.TDSServ Is Back
Then I wouldn't worry, the machine is fine.
Try this.

Now open a new notepad file.
Input this into the notepad file:

@echo off
sc config "HotspotShieldService" start= disabled
sc stop "HotspotShieldService"
sc delete "HotspotShieldService"
del fix.bat
exit


Save this as fix.bat, save it to your desktop.
Double-click fix.bat and the black cmd window will open and close; this is normal.


Re: Trojan.TDSServ Is Back
Yaps, done.

Re: Trojan.TDSServ Is Back
Then it should be fine now, even if it detected tdss files.


Re: Trojan.TDSServ Is Back
Since this issue has been addressed, a "solved" tag will be added and this topic will be closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else, please open a new topic for your questions.

............................................................................................

Please be a GeekPolice fan on Facebook!


Have we helped you? Help us! | Doctor by day, ninja by night.
