Requiring elevation means the process needs to be run as an administrator because by default all users (including administrators) on Vista run processes without administrative privileges. If you right click on the installer for Spybot and click Run as administrator, that will fix the issue with sdwinsec.exe (which is the service that notifies Windows Security Center that Spybot is installed).
Were you able to run the scan with the Avira CD?
#21
Posted 04 December 2008 - 03:41 PM
#22
Posted 04 December 2008 - 07:15 PM
exile360, on Dec 4 2008, 08:10 AM, said:
Could be, or it could be related to the fact that it's on Vista. You can try running an offline scan with Avira's bootable rescue disc referred to in this post by AdvancedSetup: http://www.malwarebytes.org/forums/index.p...ost&p=36254 See if it won't remove the driver for you, if not then you can use bart's or something similar, basically anything that can be used to delete a file from the drive with Windows offline, even slaving the drive to another pc, then delete TSSServ.sys from the System32\Drivers folder because that driver is what's preventing tools from loading.
Thanks a lot, I was looking through System32, but never actually thought of checking the System32/Drivers. There it was, but names were different. I deleted the following items:
TDSSnbcb.sys
and
tssecsrv.sys
Only then was I able to start running the anti-malware software in safe mode. I'll scan with MBAM, Spybot, and Avira before I boot it into normal mode. Scan is running as I type this post.
Thanks again!
P.S.: Man, they come up with new and more advanced viruses every day. This one was sooo frustrating because it was blocking any anti-malware soft even in safe mode and denied access to registry entries through regedit.
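A small offline triage helper, added here as an illustration and not part of this thread or any poster's tooling: it walks the Drivers folder of a mounted (offline) Windows volume and lists driver files whose names follow the TDSS/TSS patterns mentioned above (TSSServ.sys, TDSSnbcb.sys, tssecsrv.sys) so they can be reviewed before anything is deleted. The directory contents are constructed for the demo, and the two name patterns are an assumption generalised from those three names, not a published signature.

```python
"""Offline triage: flag driver files with TDSS-style names for manual review."""
import re
import tempfile
from pathlib import Path

# Assumed patterns derived from the names seen in this thread. Droppers of
# this family randomise part of the name, so we match on the stable prefix
# and suffix rather than on an exact file name. Matches are candidates for
# review, not proof of infection.
SUSPECT_PATTERNS = [
    re.compile(r"^tdss.*\.sys$", re.IGNORECASE),          # TDSSnbcb.sys
    re.compile(r"^tss\w*(srv|serv)\.sys$", re.IGNORECASE),  # TSSServ.sys, tssecsrv.sys
]


def find_suspect_drivers(drivers_dir):
    """Return the .sys file names in drivers_dir that match a suspect pattern.

    drivers_dir is expected to be <mounted volume>\\Windows\\System32\\Drivers
    of the *offline* system; scanning it from a clean OS sidesteps the
    rootkit's ability to hide or protect the file while Windows is running.
    """
    found = []
    for entry in Path(drivers_dir).iterdir():
        if entry.is_file() and any(p.match(entry.name) for p in SUSPECT_PATTERNS):
            found.append(entry.name)
    return sorted(found, key=str.lower)


def build_sample_drivers_dir():
    """Construct a throwaway directory standing in for a real Drivers folder."""
    d = tempfile.mkdtemp(prefix="drivers_")
    sample_names = [
        "ntfs.sys", "tcpip.sys", "disk.sys",              # benign, constructed
        "TDSSnbcb.sys", "tssecsrv.sys", "TSSServ.sys",    # names from the thread
    ]
    for name in sample_names:
        Path(d, name).write_bytes(b"MZ")  # placeholder content, not a real driver
    return d


if __name__ == "__main__":
    sample = build_sample_drivers_dir()
    for name in find_suspect_drivers(sample):
        print("review:", name)
```

Point `find_suspect_drivers` at the offline volume's Drivers folder instead of the sample directory to use it on a real case; anything it lists should be checked (signature, timestamps, the matching service entry) before removal.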
#23
Posted 04 December 2008 - 07:38 PM
Premudriy, on Dec 4 2008, 06:15 PM, said:
Thanks a lot, I was looking through System32, but never actually thought of checking the System32/Drivers. There it was, but names were different. I deleted the following items:
TDSSnbcb.sys
and
tssecsrv.sys
Only then was I able to start running the anti-malware software in safe mode. I'll scan with MBAM, Spybot, and Avira before I boot it into normal mode. Scan is running as I type this post.
Thanks again!
P.S.: Man, they come up with new and more advanced viruses every day. This one was sooo frustrating because it was blocking any anti-malware soft even in safe mode and denied access to registry entries through regedit.
Please be sure not to install any software or use any removal/scanning tools except those that you are instructed to by the expert who will be assisting you, as doing so can make their job much more difficult. I hope I was helpful. Good luck and safe surfing.
#24
Posted 04 December 2008 - 11:45 PM
exile360, on Dec 5 2008, 12:38 AM, said:
Unfortunately, you can expect more of the same in the future; these infections are ever increasing in complexity and are targeting the tools to remove them. I would recommend, since you got rid of the driver for the rootkit, that you read the instructions here: http://www.malwareby...?showtopic=2936 and post your logs in a new topic here: http://www.malwareby...php?showforum=7
Please be sure not to install any software or use any removal/scanning tools except those that you are instructed to by the expert who will be assisting you, as doing so can make their job much more difficult. I hope I was helpful. Good luck and safe surfing.
Well, I'm a computer tech myself, it just was the first time that I've seen this specific nasty virus on customer's PC. I usually install Comodo Firewall, Spybot, and AntiVir antivirus for them and configure it. I also install Mozilla Firefox with the following plugins: Ad-Block Plus, Ad-block Plus Element Hiding Helper, Adblock G.Filter Updater, FlashBlock, and NoScript. Plus I always tell them not to click on some rogue software links and that they don't need to install any other antiviruses etc., no matter how good the advertisement might look.
This is my first time using Malwarebytes. Usually I used HijackThis and was always able to get rid of stuff. Then scans by Spybot, Ad-aware (which became bad now), and Avira would finish things. I've also used RootKit Revealer and then removed registry entries manually. It always worked, but not this time. As I told, it wouldn't let HijackThis start.
It's just interesting that this particular customer had all the above mentioned software installed and yet he somehow got infected with this virus. I also found that his firewall was uninstalled when I first looked at his PC. I wonder if he uninstalled the firewall himself or if it's the work of this virus.
He must have clicked on some Antivirus2009 advertisement link because I don't see how else he could get infected.
Anyway, I'm pretty sure this PC is clean now. I've looked through logs - all is good.
Thanks a lot, again!
#25
Posted 04 December 2008 - 11:50 PM
Oh, here's one last information: that customer called me and told how it all happened. Firewall showed popup that antivirus2009 was trying to access the internet. He thought it was an update for Avira. LOL! He let it through and it all rolled down the hill.
Good thing though is that maybe now he learned a good lesson (as well as I learned about TDSS).
#26
Posted 05 December 2008 - 04:10 AM
Quote
please help me with a solution, I have little hair left and
I keep getting the urge to HULK SMASH!
Start a new thread of your own and someone will be happy to help you.
Edited by Raid, 05 December 2008 - 05:30 AM.
Removed log paste - hijacked thread
#27
Posted 05 December 2008 - 05:28 AM
Premudriy, on Dec 4 2008, 11:45 PM, said:
Well, I'm a computer tech myself, it just was the first time that I've seen this specific nasty virus on customer's PC. I usually install Comodo Firewall, Spybot, and AntiVir antivirus for them and configure it. I also install Mozilla Firefox with the following plugins: Ad-Block Plus, Ad-block Plus Element Hiding Helper, Adblock G.Filter Updater, FlashBlock, and NoScript. Plus I always tell them not to click on some rogue software links and that they don't need to install any other antiviruses etc., no matter how good the advertisement might look.
Sadly, you're going to find that the old methods of dealing with malware aren't very effective against a lot of the newer stuff. That TDSS variant was friendly by comparison.
Quote
It's just interesting that this particular customer had all the above mentioned software installed and yet he somehow got infected with this virus. I also found that his firewall was uninstalled when I first looked at his PC. I wonder if he uninstalled the firewall himself or if it's the work of this virus.
Technically it isn't a virus. And a popup likely invited him to download it.
Quote
Anyway, I'm pretty sure this PC is clean now. I've looked through logs - all is good.
#28
Posted 05 December 2008 - 05:29 AM
Tetigustas, on Dec 5 2008, 04:10 AM, said:
interesting coincidence or the rogue program blocking me
If you would like assistance, please create your own thread.
I will close the thread to prevent others from posting into it. If you need assistance please start your own topic and someone will be happy to assist you.
The fixes and advice in this thread are for this machine only. Do not apply to your machine unless you Fully Understand how these programs work and what you're doing. Please start a thread of your own and someone will be happy to help you, just follow the Pre-Hijackthis instructions found here before posting: Pre-HJT Post Instructions