TechSpot

Trojan TR/TDss.yux

By HughMcB
Jul 11, 2009
  1. Hey,

    I've recently managed to pick up some form of trojan or something that's dicking up my machine and causing lots of problems (sometimes I can't get it to start, it skips to different websites, etc.)

    I ran the 8 steps outlined on this forum; attached are the logfiles.

    Avira keeps detecting these same two files:

    TR/TDss.yux
    TR/Crypt.ZPACK.Gen

    Thanks in advance.

    Attachments: 50507, 50508, 50509

    Thank you in advance.

    Edit:
    By the way, I can't seem to attach my HijackThis logfile. Even when I change the name, the attachment manager keeps saying that I've already got this in another thread, so I will just paste the text here instead, sorry.

     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I don't see any Trojans in Avira. All the logs are clean. Let's run the following and check further:

    Please download ComboFix HERE:
    • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
    • Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.
    • Run Combo-Fix.exe and follow the prompts.
      (Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.)
    • Wait for the scan to be completed.
    • If it requires a reboot, please do it.
    Please attach the report on your next reply. It will be located at C:\ComboFix(.txt)

    Do not click on the ComboFix window, as it may cause it to stall.

    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    Run Eset NOD32 Online AntiVirus Scanner HERE:

    Note: You will need to use Internet Explorer for this scan.
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the ActiveX control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

    There should be a paper clip on the bar across the message box. That can be used for the attachment.
     
  3. HughMcB

    HughMcB TS Rookie Topic Starter Posts: 16

    Hey, when I click the link to ComboFix you gave me I don't get an automatic download prompt, so instead I just googled "bleepingcomputer" and "combofix" and downloaded their version. Even then I was unable to change the file name until after I downloaded it, i.e. it just automatically saved to the Downloads folder and I had no option to change that.

    When I run ComboFix it just reads the error:

    I am using Vista.

    Note: Every time I log on to the internet, Avira is still coming up with the same pop-up displaying that trojan.

    Thanks again in advance.
     
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Send me the scan log from Avira showing this.

    Did you run the online Eset Nod32 AV scan? Log?

    Uninstall Combofix:
    • Click START> RUN
    • Type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    • When shown the disclaimer, Select "2"

      Now install Combofix from here:
      [1]. Go to http://www.bleepingcomputer.com/combofix/how-to-use-combofix
      [2]. Scroll down to Using ComboFix
      [3]. Click on the BleepingComputer.com link to download.
      [4]. When you get the " Download Security Warning" prompt click on the Save button
      [5]. When it asks you where to save it, make sure you save it directly to your Windows Desktop.
      [6]. The file name should be Combofix.exe. The file location should be the Desktop.

      Once that is done, follow with:
    • Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.
    • Run Combo-Fix.exe and follow the prompts.
      [o] Double click on the saved setup on the desktop.
      [o] Security prompt: This time you click on Run. If you are using Windows Vista, and receive UAC prompt asking if you would like to continue running the program, you should press the Continue button.
    • Wait for the scan to be completed.
    • If it requires a reboot, please do it.
    (Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.)

    Screen shots credit to BleepingComputer.

    Please attach Report to next reply.
    Please attach Eset Nod32 log to next reply.
     
  5. HughMcB

    HughMcB TS Rookie Topic Starter Posts: 16

  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    1. Please delete this entry that was quarantined by the Eset online scan:
    Win32/Kryptik.YL trojan

    2. Then run a full system scan with Avira; save the log and attach it to your next reply.

    3. Please try the ComboFix scan again, with the original install removed as instructed and a new install. NOTE the naming instruction. Attach the report to your next reply.

    4. Rescan with HijackThis and attach the new log with your next reply.

    Unfortunately, the Win32/Kryptik.YL Trojan is said to be polymorphic, meaning it will change into a variant every time removal is attempted. This is what the Virut malware does, making it nearly impossible to remove it.
     
  7. HughMcB

    HughMcB TS Rookie Topic Starter Posts: 16

  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Check what I asked again please:
    Eset shows the same Trojan. Did you delete it? Did you then run Eset again? Is this a new find or the same find?

    I need a full system scan with Avira and the log, please. You have a Trojan that has characteristics like Virut in that it is polymorphic: it changes whenever you try to remove it. The 'best fix' for Virut is a reformat and reinstall.

    Please download SmitfraudFix (by S!Ri)

    • [1] Extract the content (a folder named SmitfraudFix) to your Desktop.
      [2] Open the SmitfraudFix folder and double-click smitfraudfix.cmd
      [3] Select option #1 - Search by typing 1 and pressing "Enter"; a text file will appear, which lists infected files (if present).
      [4] Please copy/paste the content of that report into your next reply.
    Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
    http://www.beyondlogic.org/consulting/proc...processutil.htm

    Run Temp File Cleaner (TFC):

    Download TFC to your desktop
    • Open the file and close any other windows.
    • It will close all programs itself when run, make sure to let it run uninterrupted.
    • Click the Start button to begin the process. The program should not take long to finish its job.
    • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.

    TFC only cleans temp folders. TFC will not clean URL history, prefetch, or cookies. Depending on how often someone cleans their temp folders, their system hardware, and how many accounts are present, it can take anywhere from a few seconds to a minute or more. TFC will completely clear all temp files where other temp file cleaners may fail. TFC requires a reboot immediately after running. Be sure to save any unsaved work before running TFC.

    TFC (Temp File Cleaner) will clear out all temp folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.


    Summary:
    1. Delete the Trojan from Eset
    2. Full system scan with Avira. Save and attach the log in your next reply
    3. Run SmitfraudFix. Save the log and attach it to your next reply
    4. Run TFC
    5. Scan with HijackThis and attach the new log.
     
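    The post above describes what TFC does: it walks every profile under the user folder (plus the service accounts) and empties the per-browser and per-runtime temp locations, without touching history, prefetch or cookies. The script below is an added example of that same sweep, written for this page; it is not TFC's code and not part of the thread. It assumes the Vista/7 profile layout (C:\Users\<name> for interactive users, %SystemRoot%\ServiceProfiles for LocalService and NetworkService) and the 2009-era cache paths for Java, Firefox, Opera, Chrome and Safari listed in $RelativeTempDirs; those relative paths are assumptions and may need adjusting for other versions. By default it only reports what it would remove; -Clean performs the deletion and honours -WhatIf.

```powershell
# Added example (not TFC, not from the TechSpot thread): audit and optionally
# empty the per-profile temp folders the post says TFC clears.
# Profile roots and cache paths below are assumptions for Vista/7-era layouts.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Profile roots: interactive users, then the service-account profiles.
    [string[]]$ProfileRoots = @(
        (Split-Path $env:USERPROFILE -Parent),          # e.g. C:\Users
        (Join-Path $env:SystemRoot 'ServiceProfiles')    # LocalService, NetworkService
    ),
    [switch]$Clean
)

# Locations, relative to each profile, that correspond to the list in the post
# (temp, IE temp, Java, Firefox, Opera, Chrome, Safari). Assumed paths.
$RelativeTempDirs = @(
    'AppData\Local\Temp',
    'AppData\Local\Microsoft\Windows\Temporary Internet Files',
    'AppData\LocalLow\Sun\Java\Deployment\cache',
    'AppData\Local\Mozilla\Firefox\Profiles\*\Cache',
    'AppData\Local\Opera\Opera\cache',
    'AppData\Local\Google\Chrome\User Data\Default\Cache',
    'AppData\Local\Apple Computer\Safari\Cache.db'
)

function Get-TempTargets {
    param([string[]]$Roots)
    foreach ($root in $Roots) {
        foreach ($profile in Get-ChildItem -Path $root -Directory -ErrorAction SilentlyContinue) {
            foreach ($rel in $RelativeTempDirs) {
                # Resolve-Path expands the Firefox profile wildcard and drops
                # paths that do not exist on this machine.
                Resolve-Path -Path (Join-Path $profile.FullName $rel) -ErrorAction SilentlyContinue |
                    ForEach-Object {
                        $sum = (Get-ChildItem -Path $_.Path -Recurse -Force -File -ErrorAction SilentlyContinue |
                                Measure-Object -Property Length -Sum).Sum
                        [pscustomobject]@{
                            Profile = $profile.Name
                            Path    = $_.Path
                            Bytes   = [int64]$sum   # $null sum becomes 0
                        }
                    }
            }
        }
    }
}

$targets = Get-TempTargets -Roots $ProfileRoots

# Report first, largest consumers at the top, so the operator sees the scope
# of the sweep before anything is deleted.
$targets | Sort-Object Bytes -Descending | Format-Table Profile, Bytes, Path -AutoSize

if ($Clean) {
    foreach ($t in $targets) {
        # ShouldProcess wires in -WhatIf/-Confirm; files locked by running
        # browsers are skipped silently rather than aborting the run.
        if ($PSCmdlet.ShouldProcess($t.Path, 'Remove temp contents')) {
            Get-ChildItem -Path $t.Path -Recurse -Force -ErrorAction SilentlyContinue |
                Remove-Item -Recurse -Force -ErrorAction SilentlyContinue
        }
    }
}
```

    Run it from an elevated PowerShell prompt (the service-profile folders and other users' profiles are not readable otherwise), first as `.\Clear-TempFolders.ps1` to see the report, then `.\Clear-TempFolders.ps1 -Clean -WhatIf` to preview the deletions, and only then with `-Clean`. As with TFC, close browsers first and expect to reboot afterwards; this is housekeeping that shrinks the search space for the scanners the helper asked for, not a malware remover in itself.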
Topic Status:
Not open for further replies.
