


Backdoor Tdss.565 Keeps Returning


8 replies to this topic

#1 Maria Bustillos

Maria Bustillos

    Newbie

  • Posters
  • 10 posts

Posted 10 April 2010 - 06:58

I have run Dr.Web several times and this virus keeps returning; though the status is 'eradicated', it always comes up on the following scan.

(I have the windows version and am running XP)

Thanks for any help you may be able to offer.

Maria

#2 Stefan Dashich

Stefan Dashich

    Downshifter

  • Virus hunters
  • 975 posts

Posted 10 April 2010 - 12:46

Try scanning with beta CureIt! - http://beta.drweb.com/files/?p=%2Fcureit&unreg=t :)
"That's thirty minutes away. I'll be there in ten."

#3 drumut

drumut

    Member

  • Moderators
  • 325 posts

Posted 10 April 2010 - 13:25

Turn off System Restore, because viruses can hide themselves in there. Do that scan in safe mode (press F8 while booting up and choose safe mode).

You can read this and this Russian forum thread; I believe these would help you too. You can use online-translator.com for translation.
OS : Debian Sid , all i have all i need!

#4 Maria Bustillos

Maria Bustillos

    Newbie

  • Posters
  • 10 posts

Posted 10 April 2010 - 19:11

Thanks so much for your responses. Unfortunately it's not letting me boot into safe mode. Any ideas?

I'm going to go translate the other posts now!

Thanks again

Maria.

#5 drumut

drumut

    Member

  • Moderators
  • 325 posts

Posted 10 April 2010 - 19:26

I highly recommend that you run Dr.Web LiveCD if you can't get what you want from CureIt!.
OS : Debian Sid , all i have all i need!

#6 Stefan Dashich

Stefan Dashich

    Downshifter

  • Virus hunters
  • 975 posts

Posted 10 April 2010 - 19:40

Have you tried beta CureIt! in normal mode?
"That's thirty minutes away. I'll be there in ten."

#7 Maria Bustillos

Maria Bustillos

    Newbie

  • Posters
  • 10 posts

Posted 11 April 2010 - 02:49

Both my laptop and my desktop are infected. The laptop boots to safe mode; I ran beta CureIt!, but the trojan still returned. I am trying a second complete scan now.

Desktop: a mess. I have two drives on this machine, both bootable. Neither can boot to safe mode, though. Nor can they boot to an XP disk. On the other hand, the second drive is clearly not as compromised as my main drive. After running ComboFix, as someone on another site suggested, in order to repair safe mode (by installing the Recovery Console), I can no longer boot to the main drive at all: a message appears claiming that there is a problem authenticating my Windows version.

Also: TDSSKiller (Kaspersky) says that atapi.sys is infected on the laptop. The second drive on the desktop (the one I'm writing to you from) shows no infection from TDSSKiller.

Two questions. 1) Is it possible that the router is infected?

2) Do you advise removing the infected drive and putting it in another machine that will boot to safe mode? Tedious, but I can do this. There are a couple of extra machines lying around.

Thanks for all your help!

Maria.

#8 Bashox

Bashox

    Newbie

  • Members
  • 1 post

Posted 11 April 2010 - 04:13

I have the same trojan "backdoor.tdss.565" on my computer with Vista. I visited a Dutch website yesterday, which resulted in this infection. I only visited this site; nothing was downloaded or executed.
Nod32 was active, but it did not detect the infection.
When this trojan started to download files from "http://lenina66.com/209.exe" and "269.exe.crypted.exe", Nod32 detected the exe files as viruses.
CureIt finds the process in memory "c:\Windows\System32\svchost.exe:1172" and eradicates it.
However, CureIt does not find the source; no infected files are found. So the process will return. Currently there is no rootkit scanner, virus scanner or other tool which detects and removes this trojan.
I tried online scanners, spyware removal programs, and rootkit programs like GMER, TDSSKiller and RootkitRevealer.
So, currently this trojan is on the loose and it seems that no detection or removal is possible. Reinstalling Vista is of no use because it can be infected again very quickly without protection.

#9 drumut

drumut

    Member

  • Moderators
  • 325 posts

Posted 11 April 2010 - 11:43

Hello,

1) Is it possible that the router is infected?

Yes, it is possible; actually, your router may be hijacked. You can try to reset your router by reading your router's manual.

2) Do you advise removing the infected drive and putting it in another machine that will boot to safe mode? Tedious, but I can do this. There are a couple of extra machines lying around.

Save this file to your desktop and run it, follow the instructions, and after that please check whether you can boot into safe mode.

Tried online scanners, spyware removal progs, rootkit progs like Gmer, tdsskiller and Rootkitrevealer.

To find the source there are other tools, but they are for professional use.
OS : Debian Sid , all i have all i need!
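The thread never gets to a working check for the case Maria describes in #7: TDSSKiller reports atapi.sys as infected, while CureIt (per #8) finds only the in-memory svchost.exe process and no infected file on disk. The practical answer to her question 2 is exactly the offline comparison she proposes: with the suspect drive attached to a clean machine (or booted from a live CD such as Dr.Web LiveCD), hash the files under Windows\System32\drivers and compare them against the same files from a known-clean install of the same Windows version and service pack. Doing this offline matters because a driver that is hooked at runtime can hand back clean file contents to any scanner that reads the file through the running system. The script below is an added example written for this page, not code from Dr.Web, Kaspersky or anyone in the thread; the directory layout, the driver file contents and the dropped-file name are all constructed for the demo, and `compare_drivers` is a name chosen here.

```python
"""Offline comparison of a suspect Windows drivers directory against a clean copy.

Added example, not from the forum thread. Assumed usage: the suspect drive is
mounted read-only on another machine, e.g. at /mnt/suspect/Windows/System32/drivers,
and a clean reference copy of the same directory (same Windows version and
service pack) is available. Both paths and all file contents in demo() are
constructed for illustration.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large driver images are not read whole."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_tree(root: Path) -> dict:
    """Map each file's path relative to root to its SHA-256.

    Keys are lower-cased because NTFS paths are case-insensitive, so
    atapi.sys and ATAPI.SYS must land on the same entry.
    """
    return {
        p.relative_to(root).as_posix().lower(): sha256_of(p)
        for p in root.rglob("*")
        if p.is_file()
    }


def compare_drivers(clean_root: Path, suspect_root: Path) -> dict:
    """Return {'modified': [...], 'missing': [...], 'extra': [...]}.

    'modified' is where a patched system driver such as atapi.sys shows up;
    'extra' catches dropped files with no counterpart in the clean tree;
    'missing' flags files the infection (or a cleanup attempt) removed.
    """
    clean = hash_tree(clean_root)
    suspect = hash_tree(suspect_root)
    return {
        "modified": sorted(k for k in clean if k in suspect and clean[k] != suspect[k]),
        "missing": sorted(k for k in clean if k not in suspect),
        "extra": sorted(k for k in suspect if k not in clean),
    }


def demo() -> dict:
    """Build two constructed driver directories and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = Path(tmp) / "clean" / "drivers"
        suspect = Path(tmp) / "suspect" / "drivers"
        clean.mkdir(parents=True)
        suspect.mkdir(parents=True)
        # Constructed stand-ins for driver binaries (real ones are PE images).
        (clean / "atapi.sys").write_bytes(b"MZ clean atapi driver image")
        (clean / "ndis.sys").write_bytes(b"MZ clean ndis driver image")
        (clean / "disk.sys").write_bytes(b"MZ clean disk driver image")
        # Suspect tree: atapi.sys patched in place, disk.sys untouched,
        # ndis.sys gone, plus an unknown dropped file (name is made up).
        (suspect / "ATAPI.SYS").write_bytes(b"MZ clean atapi driver image\x90\x90 patched")
        (suspect / "disk.sys").write_bytes(b"MZ clean disk driver image")
        (suspect / "dropped.sys").write_bytes(b"MZ unknown dropped driver")
        return compare_drivers(clean, suspect)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {', '.join(files) if files else '-'}")
```

A hash mismatch on a file like atapi.sys only tells you the file differs from your reference; confirm the reference really is the same build (Windows version, service pack and hotfix level) before treating the difference as infection, since a legitimate update changes the hash too. The same run also surfaces files that exist only on the suspect side, which is where a rootkit's own dropped driver would appear when the running system hides it.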

