TDSSSERV.sys Removal

Discussion in 'Malware Help (A Specialist Will Reply)' started by JayMasterJay, Feb 28, 2009.

  1. JayMasterJay

    JayMasterJay Private E-2

    Ok, so I spent a couple days on this one!

    Symptoms:

    -Can't run the majority of your anti-spyware programs. You double-click on the icons, but nothing happens. They are in fact being launched, and if you check task manager->processes, you'll find the process running. Unfortunately, this virus will block any attempt to actually run anti-spyware, even the online scanners. None of the scanners even work in safe-mode!

    -This is usually attached to Spyware Guard 2009. If this appears anywhere on your screen, it's a pretty good indicator that you've already been infected. It will even appear in your taskbar. This is removable in add/remove programs, but the infection itself is NOT.

    -Scanners/removal programs attempted before solution:
    1) Ad-aware 2008 - found several small infections, but did not remove any of this virus.

    2) Spybot S&D - did not open the main scanner program; however, Tea Timer and Resident shield still remained functional.

    3) MalwareBytes - did not open the program.

    4) ComboFix - did not open the program.

    5) SpyHunter - did not open the program.

    6) VundoFix - this was not a virtumonde/vundo strain so this naturally did not help.

    Solution!!!:

    Note: If you do not have MalwareBytes or Spybot S&D, GET THEM! Once you are infected, you cannot proceed to any anti-malware sites, so you will have to put the install files on a thumb-drive or cd-rom from another computer.

    1) Go to MalwareBytes folder (usually C:\Program Files\MalwareBytes Anti-Malware). Change the executable from mbam.exe to hello.exe.

    1a) Go to Spybot Search & Destroy folder (usually C:\Program Files\Spybot Search & Destroy). Change the executable from SDMain.exe to blah.exe.

    2) Restart computer in safe-mode. (Press F8 a lot while booting, then select safe-mode)

    3) When in safe-mode, go to MalwareBytes folder and double-click on hello.exe. (this is actually the MalwareBytes executable)

    4) Once MalwareBytes launches, do a full system scan. This only had about 4 threats by the end of the scan when I was in safe mode.

    5) Restart computer, and boot normally (NOT SAFE MODE).

    6) Once the computer restarts, run MalwareBytes again (hello.exe in program files). Perform the full scan.

    7) When I ran this, it picked up 7 main entries (4 or so had TDSS in the name). Remove everything. Mine was not able to remove 1 of the entries, so it offered to remove after reboot.

    8) Restart computer and boot normally (NOT SAFE MODE).

    9) Once Windows loads, go to your Spybot S&D executable (blah.exe) and run it. Prior to this point, Spybot would not even run for me, but the application showed up, and I was able to run a full scan. Make sure you download latest updates/immunize as soon as you enter the application.

    10) Reboot and proceed to run any scanner you can! Never hurts to go overboard. Just don't run any of them at the same time. If every single scanner runs, that means that this nasty TDSS stuff is gone.


    Good luck!

    -JayMasterJay
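Steps 1 and 1a above work because the infection blocks the scanners by their well-known executable names. The following PowerShell is an added example, not part of the original post: it stages a copy of each scanner executable under a random name (copying rather than renaming in place, so the original stays intact) and verifies with SHA-256 that the copy is byte-identical before you rely on it in safe mode. The install paths are assumptions; adjust them to your machine.

```powershell
# Added example (not from the original post). Stages randomly named copies of
# scanner executables that a process-blocking infection refuses to launch by name.
function New-RenamedScannerCopy {
    param(
        # Full paths of the scanner executables to copy (assumed locations).
        [Parameter(Mandatory)] [string[]] $SourcePath
    )
    foreach ($src in $SourcePath) {
        if (-not (Test-Path -LiteralPath $src)) {
            [pscustomobject]@{ Source = $src; Copy = $null; Verified = $false; Note = 'source missing' }
            continue
        }
        # A random 8-character name defeats any fixed list of image names the
        # infection matches on (mbam.exe, SDMain.exe, ...).
        $dir  = Split-Path -Parent $src
        $name = ([IO.Path]::GetRandomFileName() -replace '\.', '').Substring(0, 8)
        $dst  = Join-Path $dir ($name + '.exe')
        Copy-Item -LiteralPath $src -Destination $dst

        # Verify the copy is byte-identical to the original before trusting it.
        $srcHash = (Get-FileHash -LiteralPath $src -Algorithm SHA256).Hash
        $dstHash = (Get-FileHash -LiteralPath $dst -Algorithm SHA256).Hash
        $ok = ($srcHash -eq $dstHash)
        if (-not $ok) { Remove-Item -LiteralPath $dst -Force }   # never keep a corrupt copy
        [pscustomobject]@{
            Source   = $src
            Copy     = $dst
            Verified = $ok
            Note     = $(if ($ok) { 'ok - launch this copy in safe mode' } else { 'hash mismatch - copy discarded' })
        }
    }
}

# Assumed install paths; change them to match your system.
New-RenamedScannerCopy -SourcePath @(
    'C:\Program Files\Malwarebytes Anti-Malware\mbam.exe',
    'C:\Program Files\Spybot - Search & Destroy\SDMain.exe'
) | Format-Table -AutoSize
```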
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Thanks but our standard cleaning procedure fully covers removing this completely along with many other problems. Those procedures are quoted below.

     
