Malwarebytes not working on virus

This is the worst virus I have ever seen. TrendMicro reports it as TROJ_TDSS.DB (FE, FB, FC). Of course it is unable to quarantine. Malwarebytes will not load, even in safe mode. Cannot find files to delete.

Tried mounting infected HD as slave on another computer. Malwarebytes locks up when scanning whenever it gets to a certain file. Cannot delete file, it just locks up computer.

Advice from TrendMicro did not help. Said to boot into safe mode and look for UAC in system registry but it


I am having the same problem as TomT127 above.

This is an HP laptop I am fixing for a friend. It is running XP Home Edition. The icons on the desktop would disappear and appear about every 30 seconds or so. I was able to install CCleaner, Spywareblaster, Spybot S & D, AntiVir and Malwarebytes.

Of the five programs I installed only CCleaner, Spywareblaster and AntiVir will run. Spybot S & D and Malwarebytes will not load or run when I click their icons. I have tried installing and running them both in Safe Mode and regular. Same result.

When I ran AntiVir it found and deleted 28 trojans. After rebooting, the same results with MB and S & D. They will not load or run. If I try to surf to Microsoft and get updates, the browser will not connect to the site, but I can surf to Google or Foxnews etc.

I could take the easy way out and reload the OS, but I am sure fixing this would help a lot of other people who will come across this same problem.

What would you like me to do to help diagnose this problem?

Rob


Hi all,

You have the CLB rootkit installed that is blacklisting many security tools including MBAM, as you're all finding.

In order to get the fixing tools to load and work, the rootkit driver has to be located and killed.

No small feat when it is intentionally being hidden by design and not viewable by traditional method/tools but it can be done :P

Here is my quick fix guide to locating and killing the CLB driver(.sys) file that is underpinning the infection and blocking the cleanup tools from running.

Download the following tool and only use as directed!

http://rootrepeal.googlepages.com/

Install RootRepeal and select *File* scan only.


When the scan has completed there will be a list of files generated. Some will be OK (legitimate files) but the bulk will be related to the rootkit and its hidden payload of files.


You will need to identify which is the CLB driver and here's how.

This is not as difficult as it appears because it will be 1 of (if not) the only file listed with a .sys extension.

It will also carry one of the following prefixes in its filename, followed by random digits + .sys extension.

TDSS

Seneka

GAOPDX

UAC

In my screenshot it is the file UACewsflctd.sys that is the rootkit driver.

UAC prefix + random characters (in this case ewsflctd) + .sys extension

Once you have identified the CLB driver, use your mouse to highlight it in the RootRepeal window.

Next right-click on it and select the *wipe file* option only, then immediately reboot the computer.

You will only need to attack the CLB driver, as the rest, once no longer protected, are easy pickings for cleanup tools :P

Next install and update MBAM and run quick scan.

If you are not 100% confident in identifying the CLB driver then feel free to use RootRepeal to generate an output log for me to review and I will advise :P

To do this go to the Report tab then select scan.

Configure as below and when the report (.txt file) is generated, copy and paste the contents of the text file into a reply post.

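The naming rule given above (known prefix + random characters + .sys) is easy to check mechanically against a RootRepeal file-scan report. This is an added triage helper, not RootRepeal's own code or anything from the thread; it assumes the report lists entries as "Path:" / "Status:" line pairs, and the sample report is constructed apart from the two filenames cited in the thread.

```python
import re

# Driver-name prefixes listed in the post; the rest of the name is random.
KNOWN_PREFIXES = ("TDSS", "Seneka", "GAOPDX", "UAC")

DRIVER_PATTERN = re.compile(
    r"^(?P<prefix>" + "|".join(KNOWN_PREFIXES) + r")(?P<rand>[A-Za-z0-9]{4,})\.sys$",
    re.IGNORECASE,
)

# Constructed sample report (assumed Path:/Status: layout). Only
# UACewsflctd.sys and TDSSpaxt.sys come from the thread; the rest are made up.
SAMPLE_REPORT = """\
Path: C:\\WINDOWS\\system32\\drivers\\UACewsflctd.sys
Status: Invisible to the Windows API!
Path: C:\\WINDOWS\\system32\\UACqwxopzmn.dll
Status: Invisible to the Windows API!
Path: C:\\WINDOWS\\system32\\drivers\\ntfs.sys
Status: Locked to the Windows API!
Path: C:\\WINDOWS\\system32\\drivers\\TDSSpaxt.sys
Status: Invisible to the Windows API!
"""


def parse_report(text):
    """Return (path, status) pairs from consecutive Path:/Status: lines."""
    entries, path = [], None
    for line in text.splitlines():
        if line.startswith("Path:"):
            path = line[len("Path:"):].strip()
        elif line.startswith("Status:") and path is not None:
            entries.append((path, line[len("Status:"):].strip()))
            path = None
    return entries


def find_driver_candidates(text):
    """Flag .sys files named <known prefix><random chars>.sys; other hidden
    files (DLLs, payload) are left for the cleanup tools, as the post says."""
    hits = []
    for path, status in parse_report(text):
        name = path.rsplit("\\", 1)[-1]
        m = DRIVER_PATTERN.match(name)
        if m:
            hits.append({"path": path, "status": status,
                         "prefix": m.group("prefix"), "random": m.group("rand")})
    return hits


if __name__ == "__main__":
    for hit in find_driver_candidates(SAMPLE_REPORT):
        print(f"{hit['path']}  prefix={hit['prefix']} random={hit['random']}  [{hit['status']}]")
```

A match is only a candidate: the post's advice to post the log for review before wiping still applies, since a legitimate driver name could in principle start with one of these strings.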

I followed your directions Fatdcuk and I found a TDSSpaxt.sys file. I wiped it and right now I am running a MBAM scan and so far it has found 29 infections!

Looks like now I am on my way to get this laptop cleaned up.

Thanks for all your help

Rob


Thanks for the feedback all and glad that it worked as expected B)

I will say that the CLB driver is also responsible for blocking access to various blacklisted sites (security software/fixes) and also prevents some installed software from updating.

But as you have found, kill the driver and then it's business as usual for installing/updating and running of tools

and as said before MBAM will install, update and run and will clean out the remainder of the infection :)


Whenever I have to install XP after a FORMAT I always disconnect the system from the Internet as a newly installed XP system is a wide open target for infection.

I have the SP3 CD from Microsoft so that I can be at a minimum level of protection before connecting the system to the Internet to get the latest SP3 updates:

https://om2.one.microsoft.com/opa/Validatio...avaScriptOn=yes

A small shipping charge will expedite the CD, which will be delivered in just a few days.


I seem to be free and clear of that nasty trojan. Now I just have to update Windows because I even tried reinstalling XP. Even that didn't work. Nastiest little bugger I have ever come across. Thanks again for your help Fatdcuk.

FYI, running a repair install of the OS is not a fix for most malware in its own right.

The repair install will address corruptions within the OS and its operating files, but it won't address any other software and malware code that is currently installed on the PC.

Hence why CLB survived the repair install, as it is not part of the OS.

That said, nothing will survive the full-blooded reformat and reinstall, but thankfully this is not necessary for this infection B)

All the best!


I must say this is all very interesting to read

last week I had the same problems as stated above

couldn't open MBAM

couldn't open Spybot Search Destroy

couldn't install any spyware software

couldn't use the "Run" option

couldn't use "System Restore"

it was a very nasty piece of work for sure because I was completely defenceless

and everything I tried the Virus was stopping me

Trojan name = win32root.TDDS :)

this piece of stuff actually de-activated my anti-virus McAfee and de-activated the firewall

the only way I could resolve this was by reading this superb forum and seeing this

http://www.malwarebytes.org/forums/index.php?showtopic=12524

and the randembam.exe saved my life for sure B)

I could then run MBAM and it found 11 Trojans and after rebooting about 3 times (when instructed by MBAM)

they were nailed but I'm still very cautious

I have done a full scan now with MBAM and all is well (I hope)

I'm now wondering if I should follow fatducs instructions above and use RootRepeal ?

Fatduc what do you think ?

cheers

T

:)


Hi,

You're good to go, as if the CLB driver was still active then MBAM wouldn't run.

I know that once MBAM is able to work its magic we have got this infection well and truly covered from all directions by special heuristic rules B)



OK Thank You Fatdcuk

Sorry for the misspelt name in the previous post

I tried to edit but couldn't

Thanks again and please continue with your great work here B)

cheers

T

:)
