Malwarebytes

Malware - a nasty one


11 replies to this topic

#1 kgbagent (New Member, 6 posts)
Hello all,

I'm new here, but have been reading and it seems these forums are very helpful.

Here's my problem: one of my PCs (not this one) got infected with Antivirus 2009 yesterday. I ran Ad-Aware, McAfee, and a-squared. A-squared pointed me to the file location and I deleted it manually. McAfee detected no viruses. Now the PC (running XP SP3) is having several annoying problems, clearly indicating infection. Not only is it redirecting any searches from Google, MSN, Yahoo, etc. to bogus pages, but it prevents me from connecting to any anti-spyware/anti-malware sites!

I cannot use that PC to connect to this site or any other anti-spyware site (safer-networking, etc.). IE 6.0 gives me the "page cannot be displayed" message and tries to tell me there is a connectivity problem. This is not the case, as I can access any non-spyware-related webpage and Internet connectivity otherwise is fine. It is as if this virus/malware has blacklisted every possible website that could solve the problem. I am pissed!

I even downloaded mbam-setup.exe to a USB drive from my other PC. When inserted into the infected PC, this file simply will not run (I can hit <enter>, double-click it, or right-click and open the file, and all I get is a half-second hourglass...then nothing happens). I then installed the mbam app to the USB drive itself and attempted to run mbam.exe from the USB drive while inserted in the infected PC. No luck.

I have read through many of the typical instructions for diagnosing these issues, yet I have yet to read about one where the Internet connection to sites like Malwarebytes is "blacklisted."

Any ideas?? Thanks in advance.

#2 kgbagent (New Member, 6 posts)
One clarification: I CAN run hijackthis and perform a scan.

#3 lordpake (Advanced Member, Honorary Members, 215 posts, Male, Helsinki / European Union, Interests: Anime / Manga / Comp. security)
Sounds like you have tdsserv rootkit.

Best advice I can give is to get a HjT log in normal mode from that computer and post it here: http://www.malwareby...php?showforum=7

#4 kgbagent (New Member, 6 posts)

lordpake, on Dec 6 2008, 04:37 PM, said:

Sounds like you have tdsserv rootkit.

Best advice I can give is to get a HjT log in normal mode from that computer and post it here: http://www.malwareby...php?showforum=7

Done. Thank you

#5 Trolltaker (New Member, 1 post)
Sounds like you're dealing with the same thing that I've been working on all day. I've tried a half-dozen approaches so far, to no avail. The XP firewall and some of the virus trackers I've tried identify sinowal.trojan (aka mebroot), but I think that it's a recent variant of it. I registered Malwarebytes because the free version gave me the best identification of any of them, but now that I've registered, I'm getting Error Code 731(0,9) as soon as it identifies one infected object.

#6 exile360 (exile, Moderators, 12,959 posts, Male)
For anyone still having issues, please follow AdvancedSetup's instructions here: http://www.malwarebytes.org/forums/index.p...amp;#entry35969 and see if that doesn't get it working. You should be able to scan with MBAM after that and remove the nasties. It would also be a good idea to post your logs in the Malwarebytes' HijackThis forum, as lordpake suggested, to make sure you are completely clean.
Samuel E Lindsey
Product Manager


#7 kgbagent (New Member, 6 posts)

exile360, on Dec 6 2008, 07:05 PM, said:

For anyone still having issues, please follow AdvancedSetup's instructions here: http://www.malwarebytes.org/forums/index.p...amp;#entry35969 and see if that doesn't get it working. You should be able to scan with MBAM after that and remove the nasties. It would also be a good idea to post your logs in the Malwarebytes' HijackThis forum, as lordpake suggested, to make sure you are completely clean.

Thanks Exile360, but I did not find TDSServ.sys or anything resembling that in my non-plug-n-play devices. Although, before I found this site, I found another that advised deleting a whole ton of registry values that reference TDSS*. I found only two that did contain "TDSS" and deleted both.

I would REALLY love to be able to run malwarebytes on this machine. Is there another back door?

Thanks

#8 exile360 (exile, Moderators, 12,959 posts, Male)
Try going to C:\Program Files\Malwarebytes' Anti-Malware and rename the file mbam.exe to something else, then see if it will run. If it does, update it and do a quick scan to see if it finds the bugs.

#9 Tech0utsider (New Member, 24 posts)

exile360, on Dec 7 2008, 03:52 AM, said:

Try going to C:\Program Files\Malwarebytes' Anti-Malware and rename the file mbam.exe to something else, then see if it will run. If it does, update it and do a quick scan to see if it finds the bugs.

Will that mess up registry entries and render them invalid?

#10 exile360 (exile, Moderators, 12,959 posts, Male)

Tech0utsider, on Dec 7 2008, 12:03 AM, said:

Will that mess up registry entries and render them invalid?

Nope, it works just fine. In fact, before AdvancedSetup posted his fix for the TDSS rootkit, that's how users were getting MBAM to run.

#11 kgbagent (New Member, 6 posts)

exile360, on Dec 7 2008, 01:11 AM, said:

Nope, it works just fine. In fact, before AdvancedSetup posted his fix for the TDSS rootkit, that's how users were getting MBAM to run.

I GOT IT! TDSS finally showed up in Device Manager. I disabled it and the install worked. Malwarebytes rocks!
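Post #7 mentions registry values referencing TDSS* and post #11 the TDSS entry that finally appeared in Device Manager. The script below is an added example, not from this thread or from Malwarebytes: from an elevated PowerShell 3+ prompt it enumerates the drivers and services registered under CurrentControlSet\Services, filters them by a name pattern (the default 'TDSS' is the name from this thread), and reports whether each driver's image file is visible from user mode. The -Pattern parameter and the Resolve-ImagePath helper are my own names.

```powershell
param(
    [string]$Pattern = 'TDSS'   # constructed default: the driver name from this thread
)

$services   = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$systemRoot = $env:SystemRoot

function Resolve-ImagePath([string]$imagePath) {
    # Driver ImagePath values appear as "\SystemRoot\system32\drivers\x.sys",
    # "system32\drivers\x.sys", "\??\C:\...\x.sys" or a plain absolute path.
    $p = $imagePath.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$systemRoot\"
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $systemRoot $p }
    return $p
}

$findings = foreach ($key in Get-ChildItem $services) {
    $props = Get-ItemProperty -LiteralPath $key.PSPath
    $image = [string]$props.ImagePath
    # Match on the service key name or on the image path (e.g. TDSServ.sys)
    if ($key.PSChildName -notmatch $Pattern -and $image -notmatch $Pattern) { continue }
    $resolved = if ($image) { Resolve-ImagePath $image } else { $null }
    [pscustomobject]@{
        Service     = $key.PSChildName
        Type        = $props.Type    # 1 kernel driver, 2 file-system driver, 16/32 Win32 service
        Start       = $props.Start   # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
        ImagePath   = $image
        FileVisible = if ($resolved) { Test-Path -LiteralPath $resolved } else { $false }
    }
}

if (-not $findings) {
    "No service or driver matching '$Pattern' is registered."
} else {
    $findings | Format-Table -AutoSize
    # A registered kernel driver (Type 1 or 2) whose image file cannot be seen from
    # user mode is a classic rootkit indicator: the registry entry is there but the
    # file is hidden. Win32 services are skipped because their ImagePath may carry
    # command-line arguments that would make the path check misleading.
    $hidden = $findings | Where-Object { $_.ImagePath -and (1, 2 -contains $_.Type) -and -not $_.FileVisible }
    if ($hidden) {
        'Driver(s) with no visible image file (possible rootkit): ' +
            (($hidden | ForEach-Object { $_.Service }) -join ', ')
    }
}
```

A driver that shows up here with FileVisible false matches what happened in this thread, where the registry knew about the driver before it became visible in Device Manager; such a machine should still get the full cleanup that exile360 describes in the next post.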

#12 exile360 (exile, Moderators, 12,959 posts, Male)
Excellent, I'm glad you finally nailed that nasty rootkit. To make sure you get everything cleaned up, please follow the instructions here: http://www.malwareby...?showtopic=2936 and post your logs in a new topic here: http://www.malwareby...php?showforum=7

Please be sure not to install any software or use any removal/scanning tools except those that you are instructed to by the expert who will be assisting you, as doing so can make their job much more difficult. I hope I was helpful. Good luck and safe surfing.