#1
Posted 15 March 2009 - 09:03 PM
This is the worst virus I have ever seen. TrendMicro reports it as TROJ_TDSS.DB (FE, FB, FC). Of course it is unable to quarantine. Malwarebytes will not load, even in safe mode. Cannot find files to delete.
Tried mounting infected HD as slave on another computer. Malwarebytes locks up when scanning whenever it gets to a certain file. Cannot delete file, it just locks up computer.
Advice from TrendMicro did not help. Said to boot into safe mode and look for UAC in system registry but it's not there. Virus even prohibits search feature to locate Trojan files. Have no idea what to do at this point except reformat. Unfortunately I will lose everything. Please help if you can.
#2
Posted 15 March 2009 - 10:21 PM
I am having the same problem as TomT127 above.
This is a HP laptop I am fixing for a friend. It is running XP Home Edition. The icons on the desktop would disappear and appear about every 30 seconds or so. I was able to install CCleaner, Spywareblaster, Spybot S & D, Antvir and Malwarebytes.
Of the five programs I installed only CCleaner, Spywareblaster and AntVir will run. Spybot S & D and Malwarebytes will not load or run when I click their icons. I have tried installing and running them both in Safe Mode and regular. Same result.
When I ran AntVir it found and deleted 28 trojans. After rebooting, the same results with MB and S & D. They will not load or run. If I try to surf to Microsoft and get updates, the browser will not connect to the site, but I can surf to Google or Foxnews etc.
I could take the easy way out and reload the OS, but I am sure fixing this would help a lot of other people who will come across this same problem.
What would you like me to do to help diagnose this problem?
Rob
#3
Posted 16 March 2009 - 12:03 AM
Hi all,
You have the CLB rootkit installed that is blacklisting many security tools including MBAM, as you're all finding.
In order to get the fixing tools to load and work, the rootkit driver has to be located and killed.
No small feat when it is intentionally being hidden by design and not viewable by traditional methods/tools, but it can be done.
Here is my quick fix guide to locating and killing the CLB driver (.sys) file that is underpinning the infection and blocking the cleanup tools from running.
Download the following tool and only use as directed!
http://rootrepeal.googlepages.com/
Install RootRepeal and select *File* scan only.

When the scan has completed there will be a list of files generated. Some will be ok (legitimate files) but the bulk will be related to the Rootkit and its hidden payload of files.

You will need to identify which is the CLB driver and here's how.
This is not as difficult as it appears because it will be 1 of (if not) the only file listed with a .sys extension.
It will also carry one of the following prefixes in its filename followed by random digits + .sys extension.
TDSS
Seneka
GAOPDX
UAC
**In my screenshot it is the file UACewsflctd.sys that is the Rootkit driver.
UAC prefix + random characters (in this case = ewsflctd) and .sys extension.
Once you have identified the CLB driver then use your mouse to highlight it in the Rootrepeal window.
Next right mouse click on it and select *wipe file* option only, then immediately reboot the computer.
You will only need to attack the CLB driver as the rest, once no longer being protected, are easy pickings for cleanup tools.
Next install and update MBAM and run quick scan.
If you are not 100% confident in identifying the CLB driver then feel free to use Rootrepeal to generate an output log for me to review and I will advise.
To do this go to the report tab then select scan.
Configure as below and when the report (.txt file) is generated then copy and paste the contents of the text file into a reply post.
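As an added illustration of the identification rule in the post above (not code from the post or from RootRepeal), this small Python triage script applies the prefix + random characters + .sys rule to a constructed file listing, separating the likely driver from the rest of the payload and flagging any other .sys file for manual review. The listing format and all filenames except UACewsflctd.sys and TDSSpaxt.sys are assumptions.

```python
import re
from typing import Dict, List

# Filename prefixes named in the post above; random characters follow them.
KNOWN_PREFIXES = ("TDSS", "Seneka", "GAOPDX", "UAC")

# Driver rule: known prefix + 4 or more random letters/digits + .sys (case-insensitive).
DRIVER_RE = re.compile(
    r"^(?P<prefix>" + "|".join(KNOWN_PREFIXES) + r")(?P<rand>[a-z0-9]{4,})\.sys$",
    re.IGNORECASE,
)

def basename(path: str) -> str:
    """Return the last component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]

def classify(path: str) -> str:
    """Bucket one hidden-file path: driver, other .sys, payload, or other."""
    name = basename(path)
    if DRIVER_RE.match(name):
        return "rootkit-driver"
    if name.lower().endswith(".sys"):
        return "sys-review"          # .sys without the prefix: inspect by hand
    if any(name.lower().startswith(p.lower()) for p in KNOWN_PREFIXES):
        return "payload"             # same prefix, not a driver: cleanup tools handle it
    return "other"

def triage(listing: str) -> Dict[str, List[str]]:
    """Group every non-comment line of a file listing by classify()."""
    out: Dict[str, List[str]] = {"rootkit-driver": [], "sys-review": [], "payload": [], "other": []}
    for line in listing.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        out[classify(line)].append(line)
    return out

# Constructed sample listing; shaped like a hidden-file scan, not real RootRepeal output.
SAMPLE = """\
# constructed sample
C:\\WINDOWS\\system32\\drivers\\UACewsflctd.sys
C:\\WINDOWS\\system32\\UACqwertyuio.dll
C:\\WINDOWS\\system32\\uacabcdefgh.dat
C:\\WINDOWS\\system32\\drivers\\TDSSpaxt.sys
C:\\WINDOWS\\system32\\drivers\\atapi.sys
C:\\WINDOWS\\Temp\\UACtmpfile.log
"""

if __name__ == "__main__":
    for kind, files in triage(SAMPLE).items():
        for f in files:
            print(f"{kind:15} {f}")
```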
#4
Posted 16 March 2009 - 01:54 AM
Thanks for the reply. Can I do this with the drive mounted as a slave in another computer? It's not really letting me download and run anything by itself.
#5
Posted 16 March 2009 - 02:28 AM
Never mind. Seems to have worked. Thank you so much.
#6
Posted 16 March 2009 - 03:52 AM
I followed your directions Fatdcuk and I found a TDSSpaxt.sys file. I wiped it and right now I am running a MBAM scan and so far it has found 29 infections!
Looks like now I am on my way to get this laptop cleaned up.
Thanks for all your help
Rob
#7
Posted 16 March 2009 - 06:07 AM
Thanks for the feedback all and glad that it worked as expected 
I will say that the CLB driver is also responsible for blocking access to various blacklisted sites (security software/fixes) and also prevents some installed software from updating.
But as you have found, kill the driver and then it's business as usual for installing/updating and running of tools,
and as said before MBAM will install, update and run and will clean out the remainder of the infection.
#8
Posted 16 March 2009 - 01:42 PM
I seem to be free and clear of that nasty trojan. Now I just have to update Windows because I even tried reinstalling XP. Even that didn't work. Nastiest little bugger I have ever come across. Thanks again for your help Fatdcuk.
#9
Posted 16 March 2009 - 02:38 PM
Whenever I have to install XP after a FORMAT I always disconnect the system from the Internet as a newly installed XP system is a wide open target for infection.
I have the SP3 CD from Microsoft so that I can be at a minimum level of protection before connecting the system to the Internet to get the latest SP3 updates:
https://om2.one.microsoft.com/opa/Validatio...avaScriptOn=yes
A small shipping charge will expedite the CD and it will be delivered in just a few days.
E5200 2.5GHZ, 4GB RAM, 320GB HD, Win7 Home Premium 64-bit, avast! V6.0 Free, IE9
P4 2.8GHZ, 1.5GB RAM, 40GB HD, XP Pro SP3, 32-bit, avast! V6.0 Pro, Macrium Reflect
with IE8 and Chrome, hpHosts, MVPS HOSTS files, MBAM Full, OpenDNS, SpeedFan, WinPatrol PLUS
#10
Posted 16 March 2009 - 02:45 PM
It's so easy to slipstream SP3 into the XP cab files with nLite; I just use my custom OEM CDs for repair operations.
This would make everybody's job a lot easier, especially with infected system files.
Regards
Chewy the wild wookie
#11
Posted 16 March 2009 - 03:42 PM
TomT127, on Mar 16 2009, 01:42 PM, said:
I seem to be free and clear of that nasty trojan. Now I just have to update Windows because I even tried reinstalling XP. Even that didn't work. Nastiest little bugger I have ever come across. Thanks again for your help Fatdcuk.
FYI running a repair install of the OS is not a fix for most malware in its own right.
The repair install will address corruptions within the OS and its operating files but it won't address any other software and malware code that is currently installed on the PC.
Hence why CLB survived the Repair install, as it is not part of the OS.
That said, nothing will survive the full blooded reformat and reinstall, but thankfully this is not necessary for this infection.
All the best!
#12
Posted 16 March 2009 - 04:21 PM
I must say this is all very interesting to read
last week I had the same problems as stated above
couldn't open MBAM
couldn't open Spybot Search & Destroy
couldn't install any spyware software
couldn't use the "Run" option
couldn't use "System Restore"
it was a very nasty piece of work for sure because I was completely defenceless
and everything I tried the Virus was stopping me
Trojan name = win32root.TDDS
this piece of shit actually de-activated my anti-virus McAfee and de-activated firewall
the only way I could resolve this was by reading this superb forum and seeing this
http://www.malwareby...showtopic=12524
and the randembam.exe saved my life for sure
I could then run MBAM and it found 11 Trojans and after rebooting about 3 times (when instructed by MBAM)
they were nailed but I'm still very cautious
I have done a full scan now with MBAM and all is well (I hope)
I'm now wondering if I should follow fatducs instructions above and use RootRepeal ?
Fatduc what do you think ?
cheers
T
#13
Posted 16 March 2009 - 04:33 PM
Hi,
You're good to go, as if the CLB driver was still active then MBAM wouldn't run.
I know that once MBAM is able to work its magic we have got this infection well and truly covered from all directions by special heuristic rules.
#14
Posted 16 March 2009 - 04:39 PM
Fatdcuk, on Mar 16 2009, 04:33 PM, said:
Hi,
You're good to go, as if the CLB driver was still active then MBAM wouldn't run.
I know that once MBAM is able to work its magic we have got this infection well and truly covered from all directions by special heuristic rules.
Sorry for the misspelt name in previous post.
I tried to edit but couldn't.
Thanks again and please continue with your great work here.
cheers
T
#15
Posted 19 March 2009 - 02:02 PM
I was having the similar issue and followed these steps. THANKS!!! It worked like a charm, my system is now cleaned.