Troj_BDDTSRVER.a, new trojan/virus- anyone dealt with this before?

Discussion in 'Malware Help (A Specialist Will Reply)' started by farkingidiot, Mar 28, 2005.

  1. farkingidiot

    farkingidiot Private E-2

    Troj_BDDTSRVER.A

    Apparently this is a new trojan, just a few months old. I've managed to clean virii myself in the past, but this one is causing me a major headache. Using various search engines (and searching the usenet), I can't find any info on it, except for here:

    Trendmicro's explanation of the trojan

    My previous AV program, McAfee was suddenly shut down and wouldn't work. I also couldn't re-install it. Figuring something was up, I did Trend Micro's free online scan, my usual fallback position. Bingo! This virus popped up.

    I've now got Trend's AV program installed and I've tried to follow their solution page, but there are two major problems. I can't run their software in Safe mode, as they say you can, and Regedit doesn't show ANY svhost.exe files anywhere.

    I'm pretty frustrated.


    I figured I could clean it following their steps, but 2 out of 3 of the steps I can't even use.

    Has anyone else had any experience with this trojan?

    I can't find anything about removal or even what it does other than on Trendmicro's site.

    I've been attempting to remove it using the steps on the sticky posted here for basic removal, but it ain't working.

    I figure the next step is to get HiJack this and post the log file, blah, blah...but I'm hoping someone can help me to clean this before I get to that point.

    Can anyone help me? :( :(
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you have run all steps in the READ ME FIRST and still have a problem, follow the steps below.

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  3. farkingidiot

    farkingidiot Private E-2

    I've run all the steps in READ ME FIRST.

    Once done and booting back into normal mode, my virus scanner immediately lit up to say that the trojan is still there. During my scans, only TrendMicro's online scanner acknowledged its existence and said that it cleaned it. All other scans turned up nothing other than Symantec, which showed a possible virus at C:\Program Files\SBC Yahoo!\Connection Manager\IP INsight\ipin32.dll saying it was infected with Adware.IPInsight.

    I can't find any trace of it in regedit (per TrendMicro's instructions, as I posted earlier). When I try to terminate the program in Task Manager, my PC starts a timer, then shuts down.

    Thank you for any help you can give me.
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Remember to exit all browsers before running HJT. You had
    C:\Program Files\Internet Explorer\iexplore.exe running.

    Answer a couple questions on why the below are needed and why they are running multiple times:
    C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
    C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
    C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
    C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
    C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
    C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe

    Also do you use Viewpoint or Viewpoint Toolbar? If not, you should uninstall it using Add/Remove programs.
    The same goes for Viewpoint Manager.
     
  5. farkingidiot

    farkingidiot Private E-2


    Yeah, I picked up on that Viewpoint thing. I'm going to delete that.

    I've got a bunch of Sony Multimedia on my PC (a Sony Vaio) from when I bought it. Still haven't used it, so I imagine that's what it is. Don't know why there's multiple entries, though. I don't think it's causing any harm.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    They are wasting a load of system resources, especially since they are running multiple times (multiple services are running). Those along with a bunch of other stuff I see in your log are slowing your system down. We can talk about that later if you want.

    Here is some stuff to fix.

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: (no name) - {1FA6610D-B137-1E80-DB50-115578AD2D17} - C:\WINDOWS\System32\bsnhvjb.dll (file missing)
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O4 - HKLM\..\Run: [Reg Run] C:\WINDOWS\System32\cvhost.exe
    O4 - HKCU\..\Run: [Reg Run] C:\WINDOWS\System32\cvhost.exe

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\System32\cvhost.exe

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now run Ccleaner (installed while running the READ ME FIRST).
    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
  7. farkingidiot

    farkingidiot Private E-2

    I've done all you asked. PC-cillin was able to finally quarantine and delete the offending trojan, BUT svchost.exe keeps popping up when I check in Task Manager.

    PC-cillin found the trojan hiding in C:\Windows\system32\usr.dll

    I re-booted and scanned again, and nothing came up.

    Somehow, it still seems to be on my PC, although if it's doing something, I don't know what it is.

    (Also, I'm getting an error message with my system settings protector. I'll attach that file, if needed, once this matter gets dealt with. Also, I would like your suggestions on speeding up my PC, if we can take care of this initial matter.)

    Thanks for any help you can give.
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    svchost.exe is a valid system process. You will normally see several of them (and more).

    So PC-cillin removed the usr.dll file?

    Are the below all expected/desired by you?

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dsl.sbc.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/customize/sbcydsl/defaults/*http://yahoo.sbc.com/dsl
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/sbcydsl/defaults/su/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcydsl/defaults/sb/*http://www.yahoo.com/search/ie.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/sbcydsl/defaults/sp/*http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://dsl.sbc.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://dsl.sbc.yahoo.com/
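    A defender's triage helper for the kinds of HijackThis lines discussed in posts 6 and 8 (O2/O3 objects with a missing file, O4 Run entries such as cvhost.exe that imitate the genuine svchost.exe, and R0/R1 browser URLs the owner should confirm). This is added here as an illustration and is not code from the thread or from HijackThis; it assumes a constructed sample log (the thread's own lines plus one made-up R1 entry pointing at example.invalid) and an owner-supplied list of expected browser hosts, and the lookalike check generalises the cvhost.exe/svchost.exe case to any Run-key name close to a genuine system process name.

```python
import re
from difflib import SequenceMatcher
from urllib.parse import urlparse

# Constructed sample: the HJT lines quoted in this thread (posts 6 and 8),
# plus one made-up R1 line with an unexpected host so that check fires too.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {1FA6610D-B137-1E80-DB50-115578AD2D17} - C:\\WINDOWS\\System32\\bsnhvjb.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\\..\\Run: [Reg Run] C:\\WINDOWS\\System32\\cvhost.exe
O4 - HKCU\\..\\Run: [Reg Run] C:\\WINDOWS\\System32\\cvhost.exe
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://dsl.sbc.yahoo.com/
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Page = http://example.invalid/search
"""

LOOKALIKE_TARGETS = ("svchost.exe",)   # genuine names that malware file names imitate


def flags_for(line, expected_hosts):
    """Return the reasons (possibly none) a single HJT log line deserves a look."""
    reasons = []
    kind = line.split(" - ", 1)[0]
    # O2/O3: a BHO or toolbar registered for a DLL that no longer exists is a leftover.
    if kind in ("O2", "O3") and re.search(r"\((file missing|no file)\)", line):
        reasons.append("registered object points at a missing file")
    # O4: compare the Run-key executable's file name against genuine system names.
    if kind == "O4":
        m = re.search(r"\] (.+?\.exe)", line, re.IGNORECASE)
        if m:
            exe = m.group(1).rsplit("\\", 1)[-1].lower()
            for good in LOOKALIKE_TARGETS:
                if exe != good and SequenceMatcher(None, exe, good).ratio() >= 0.8:
                    reasons.append(f"{exe} resembles the system process {good}")
    # R0/R1: browser start/search URLs whose host is not one the owner recognises.
    if kind in ("R0", "R1") and " = " in line:
        host = urlparse(line.split(" = ", 1)[1].strip()).hostname or ""
        if not any(host == h or host.endswith("." + h) for h in expected_hosts):
            reasons.append(f"browser setting points at unexpected host {host}")
    return reasons


def triage(log_text, expected_hosts=("yahoo.com",)):
    """Map each flagged line to its reasons; lines with nothing to report are omitted."""
    return {ln: r for ln in log_text.splitlines() if (r := flags_for(ln, expected_hosts))}


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG).items():
        print(line, "\n   ->", "; ".join(reasons))
```

The yahoo start page from the thread is not reported because its host is in the expected list; the two cvhost.exe entries are reported under both HKLM and HKCU, matching the two O4 lines chaslang told the poster to fix.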
     
  9. farkingidiot

    farkingidiot Private E-2


    Yeah, the Yahoo stuff is wanted and yes, usr.dll is now gone. Maybe that's why I'm getting the Systems settings protector message?
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What is this message and who is giving it to you?
     
  11. farkingidiot

    farkingidiot Private E-2

    The message is coming from Windows:

    "System settings protector has encountered a problem and needs to close. We are sorry for the inconvenience.

    Error signature

    AppName: teatimer.exe AppVer: 1.3.0.12 ModName: kernel32.dll
    ModVer: 5.1.2600.2180 Offset: 0001eb33"

    then it wants to send the file I've attached, if it means anything to you.

    And BTW, thanks a TON for your help.
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Disable SpyBot's Teatimer and see if the problem goes away.

    To disable TeaTimer, run Spybot and click Mode and select Advanced Mode. Then click Tools and select Resident. Now in the right window pane, uncheck TeaTimer.
    Also while this is open, in the left column now select IE Tweaks and then in the right pane make sure all the Miscellaneous locks are unchecked.

    Now quit Spybot!
     
