Anti-malware software - what does it really do?

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by JJR87, Mar 7, 2011.

  1. JJR87

    JJR87 Private E-2

    Hello,

    Does anyone know exactly how an anti-malware program removes trojans and viruses?

    I was having a problem with the Google Redirect trojan and researched how to get rid of it, including renaming the MalwareBytes .exe file, going into Safe Mode, as well as searching in the Non plug-n-play directory of devmgmt.msc (Device Manager), but couldn't find threats or the device entry "TDSSserv.sys" or any of its aliases, e.g. seneka, etc.

    After running through these methods several times to no avail, I opened up the registry editor and ran a search for "tdss" and found within a file named url3 a binary string that included "t.d.s.s" and deleted it.
    Seemed to work fine after that but I can't be sure if it's completely gone.

    Can anyone knowledgeable explain/describe to me what the anti-malware software actually does?

    Thanks!
     
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    AV and AS software looks for the following based upon definitions built into the programs, which is why you need to keep them updated:

    If you think you still are having malware issues, please do the following:

    READ & RUN ME FIRST. Malware Removal Guide
     
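    As an added illustration of the definition-based matching TimW describes (this is not code from the thread, from MajorGeeks or from Kaspersky): a read-only PowerShell audit that walks a few registry persistence locations and reports any key, value name or value data containing a marker string, decoding REG_BINARY data as UTF-16LE as well, which is the encoding regedit renders as the dotted "t.d.s.s" JJR87 saw. The marker 'tdss' and the list of root keys are assumptions; run it from an elevated prompt.

```powershell
# Added example (not from the thread): audit-only registry search for a marker string.
# REG_BINARY data is decoded as Latin-1 and as UTF-16LE (the form regedit shows as "t.d.s.s").
# $Marker and $Roots are placeholders chosen for this example; nothing is modified.
param(
    [string]   $Marker = 'tdss',
    [string[]] $Roots  = @(
        'HKLM:\SYSTEM\CurrentControlSet\Services',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    )
)

function Test-TextContains([string] $Text, [string] $Needle) {
    return $Text.IndexOf($Needle, [StringComparison]::OrdinalIgnoreCase) -ge 0
}

function Test-BinaryContains([byte[]] $Bytes, [string] $Needle) {
    # Decode the blob both ways so the match works whether the text was stored as
    # one byte per character or as UTF-16LE (two bytes per character).
    $latin1 = [Text.Encoding]::GetEncoding(28591).GetString($Bytes)
    $utf16  = [Text.Encoding]::Unicode.GetString($Bytes)
    return (Test-TextContains $latin1 $Needle) -or (Test-TextContains $utf16 $Needle)
}

function Find-RegistryMarker([string] $Marker, [string[]] $Roots) {
    foreach ($root in $Roots) {
        # The root key itself plus every subkey; keys that cannot be opened are skipped.
        $keys = @(Get-Item -Path $root -ErrorAction SilentlyContinue) +
                @(Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            if (Test-TextContains $key.PSChildName $Marker) {
                [pscustomobject]@{ Key = $key.Name; ValueName = '(key name)'; Kind = 'Key' }
            }
            foreach ($name in $key.GetValueNames()) {
                $kind = $key.GetValueKind($name)
                $data = $key.GetValue($name, $null, [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
                $hit  = Test-TextContains $name $Marker
                if (-not $hit) {
                    if ($data -is [byte[]])  { $hit = Test-BinaryContains $data $Marker }
                    elseif ($null -ne $data) { $hit = Test-TextContains ([string]::Join(' ', @($data))) $Marker }
                }
                if ($hit) { [pscustomobject]@{ Key = $key.Name; ValueName = $name; Kind = $kind } }
            }
        }
    }
}

# Report only: review each hit (a legitimate product can share a substring) before acting on it.
Find-RegistryMarker -Marker $Marker -Roots $Roots | Format-Table -AutoSize
```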
  3. JJR87

    JJR87 Private E-2

    Thanks Tim. Looks like a good read.
     
  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    In addition to the R&R instructions, since you said you found a TDSS type of infection, you can run this:

    Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!


    Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.

    • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
      Vista/Windows 7 users right-click and select Run As Administrator.
    • If TDSSKiller does not run, try renaming it. To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123tdk.com).
    • Click the Start Scan button.
    • Do not use the computer during the scan.
    • If the scan completes with nothing found, click Close to exit.
    • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_14.17.05_log.txt) will be created and saved to the root directory (usually Local Disk C).
    • Attach this log to your next message.
     
  5. JJR87

    JJR87 Private E-2

    TDSS killer log file attached. No infection was found, but I still seem to be having the redirection issue. Please advise! Thanks.
     

  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please attach the rest of the requested logs from doing the Read and Run First instructions:
    SAS
    MBAM
    RootRepeal -- If it runs.
    ComboFix
    C:\MGLogs.zip
     
