I just got hit by a drive-by virus!!!!!!

Discussion in 'Software' started by dlb, Sep 2, 2008.

  1. dlb

    dlb MajorGeek

    Yup. It happened. I was actually trying to research something for a member here at MG and I did a Google search. I clicked on one of the pages that came up in the result list and WHAM!!! I got nailed. I'm sure some of you are familiar with the TDSSSERV trojan/rootkit. A very tricky SOB that one. If I didn't have the full paid version of MalwareBytes, I'd probably still be fighting it. It actually locked my hard drive out of most scanners so I couldn't even scan for malware! MalwareBytes' realtime protection prevented it from getting a firm foothold but even so, the virus wouldn't let me come here to Major Geeks, Microsoft, and several other sites. If I tried to do a search, I was re-routed. Anyway, it's a real bad one and as far as I can tell, there is no way I could have avoided it. Once I opened the page that was infected, I was infected. That quick. So, MalwareBytes ran the scan where other tools would scan for about a second and show nothing found (because the virus had locked out the drives with a phony IDE/ATAPI driver I found in my system32\drivers folder). So, THANK YOU MALWAREBYTES!!!! They returned my PC to normal! If anyone is pondering buying a quality realtime antispyware/malware/trojan/rootkit/all-purpose nasty protector, get MalwareBytes. Out of 5 stars, I give it 30!!!!
    :-D

    (Is there a removal tool specifically for this? I've seen this infection quite a bit in the past month or two and a dedicated removal tool would be awesome. What about ComboFix? Does it work on TDSSSERV?)
     

    Last edited: Sep 2, 2008
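An added example, not from the thread or from any of the tools named in it: a PowerShell check a defender can run on a current Windows system to list kernel drivers in System32\drivers whose Authenticode signature does not verify and whether each is registered or running. This is the kind of check that would surface a phony IDE/ATAPI driver like the one dlb describes. It assumes Windows PowerShell 5.1 or later and an elevated prompt.

```powershell
# Added example (not from the thread): flag drivers in System32\drivers whose
# Authenticode signature is not valid, and show whether each one is loaded.
# Assumes Windows PowerShell 5.1+ run from an elevated prompt.

$driverDir = Join-Path $env:SystemRoot 'System32\drivers'

# Build a lookup of registered driver binaries -> service record (Win32_SystemDriver),
# so an unsigned file can be tied back to the service that loads it.
$registered = @{}
Get-CimInstance Win32_SystemDriver | ForEach-Object {
    if ($_.PathName) {
        # PathName may be written as \SystemRoot\... or \??\C:\...; normalise to a plain path.
        $p = $_.PathName -replace '^\\SystemRoot', $env:SystemRoot -replace '^\\\?\?\\', ''
        $registered[$p.ToLower()] = $_
    }
}

$findings = Get-ChildItem -Path $driverDir -Filter '*.sys' -File | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    if ($sig.Status -ne 'Valid') {
        $svc = $registered[$_.FullName.ToLower()]
        [pscustomobject]@{
            File      = $_.Name
            SigStatus = $sig.Status
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
            Service   = if ($svc) { $svc.Name } else { '(not registered)' }
            State     = if ($svc) { $svc.State } else { '' }
            Modified  = $_.LastWriteTime
        }
    }
}

# Unsigned drivers that are currently Running deserve the first look.
$findings | Sort-Object State -Descending | Format-Table -AutoSize
```

In-box Microsoft drivers are usually catalog-signed and report Valid on supported Windows versions; a driver with an unknown status, a recent modification time and a running service is the combination worth investigating further.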
  2. hawklord

    hawklord Master Sergeant

    Hi,

    I got a spare PC infected with this and used a combination of Knoppix, SDFix and ComboFix to clean it.
     
  3. BILLMCC66

    BILLMCC66 Bionic Belgian

  4. oma

    oma MajorGeek

    WOW!! Glad you could fix it. When Googling would the "Safe Search" or "Link Scanner" components in free AVG v8 have shown that it was not a safe link/site?
     
  5. dlb

    dlb MajorGeek

    Perhaps... I don't use AVG though... I use AntiVir. This may be an argument for using AVG's link scanner or safe search. IIRC the link/web site was called "Freewarelinks.net" or something real close to that....
     
  6. oma

    oma MajorGeek

    Just found some info on what the LinkScanner actually does in AVG v8. Perhaps it's not the "right" thread that I'm posting this in, but it would apply to your (resolved) issue. Look at the last reply:

    http://freeforum.avg.com/read.php?14,140138,backpage=4,sv=
    ".....LinkScanner detects sites with exploits (so either phishing sites or more importantly the 'drive-by-download' sites that infect your machine only by visiting them). The binaries that you download from a site are not checked by LinkScanner - this is WebShield's task (available in the Pro edition)"
     
  7. plodr

    plodr MajorGeek Super Extraordinaire Moderator Staff Member

    I do most of my surfing in Linux now.
    In Windows I use the add-on McAfee SiteAdvisor. Of course, the way "safe" sites are getting infected nowadays, even those sites might not be safe.
     
  8. dlb

    dlb MajorGeek

    It's something to think about, even though AVG's Link Scanner has been the cause of some fairly heated complaints due to the amount of network traffic it can generate by simply scanning active links. It was surprising that none of my active protection showed me the drive-by installing. MalwareBytes blocked the child process from really digging in deep, but the parent process installed totally unseen by BOClean, AntiVir, and active MalwareBytes. Does anyone know if a firewall stops this type of attack? I was running Online Armor for a while but found it to be a bit cumbersome as it questioned legitimate software installs, and since I'm a very safe surfer, it seemed that it hampered things more than it helped, but my thoughts on these things have really changed in the past 48 hours or so....

    (in case anyone is wondering, the name of the site that infected me was very similar to "Freewarelinks.net", I don't remember exactly what it was and I have since run several cleaners so if it was in any histories anywhere, it's gone now; I was searching for info on a file extension and Google provided the link in the list of results)
     
  9. Novice

    Novice MajorGeek

    dlb,

    I got hit by the same virus/trojan, in the same manner that you did, early Friday morning. First indication that I was infected was a Windows Security Center popup telling me that my firewall had been disabled. Immediately after this, the XP Antivirus 2008 popup appeared, desktop background changed, etc.

    I had just pulled the power cord out of my cable modem upon receiving the firewall disabled notification, as I'm paranoid about anything that disables my firewall, and acted quickly. Granted, I'm using an older and unsupported firewall (Sygate), but the first thing that this virus/trojan did was to disable it. Newer and supported firewalls may not have this problem, but not sure.

    Rebooted in safe mode and ran Malwarebytes (non-paid version), and it found and quarantined all files.

    Just replying in hope of answering whether or not a firewall would have prevented this. :)
     
