
ROOTKIT.TDSS.V3


Dabest1ever


Yesterday I downloaded the HD texture pack from Skyrim Nexus and I didn't even unzip it yet and the virus initiated itself. It started with opening about 50 script pages on my screen, then started setting false warning signals to me, like my RAM was about to overheat and my CPU fan was running 20% slower, etc. Then it tries to make you get this program that will SUPPOSEDLY disable it, which is obviously the scam. At any rate I removed some of it, since I have some use of my PC back, but I can not access TASK MANAGER anymore, SYSTEM RESTORE, basically anything that will let me get at this thing. It even disables external storage media by telling you you need to format them before they will work, but the format fails at the end. Anyone know of anything I can do here? I tried PCTOOLS and BITDEFENDER, no luck. They pick up the threats but can't remove them, it seems. Anyone who has any insight, that would be very much appreciated!

 

 

After doing some research for ya, I have found the best way is to manually remove it. There is also Spyware Doctor apparently, but I have never been a fan of that particular program.

 

Here is a link to manual removal instructions.

 

http://blog.teesupport.com/manually-remove-rootkit-tdss-v3-without-coming-back/


Run Malwarebytes; it's usually good at squishing bugs like this.

Some viruses actually block some exes from running, so if Malwarebytes doesn't run, simply rename the exe to something else and hope for the best.

 

I was going to suggest running malwarebytes from a thumb drive, but according to many reports malwarebytes doesn't find this particular nasty.


You probably picked up that scamware from one of the ads, not from the mod you downloaded. Since I started using Adblock Plus, I have not been hit with those scamware hijackers, and it was getting to the point where I would get hit once a month.

TDSS is a particularly nasty strain. As of a couple of weeks ago, I was finding a few that would identify like TDSS (3 and 4) but behaved more like Zero Access on steroids.

 

A sign that you've got the nastier one is if Malware Bytes gets shut down or you can't run it a second time.

 

Kaspersky has a tool called TDSSKiller: http://support.kaspersky.com/faq/?qid=208280684

 

It has some moderate success in removing TDSS.


Well, I just tried the Kaspersky tool and it won't let me open it. I'm assuming it is blocking EXEs like you mentioned earlier. This is nuts. Running MalwareBytes now. Last resort is doing it manually, for which there are no guarantees. It's looking like salvage what I can from pictures, mp3s and then format. Yikes.

That virus shouldn't be blocking the Kaspersky tool -- what error are you getting when you try to open it? Or is it straight-up closing on open?

 

Are you working in Safe Mode? If not, restart your computer. As the PC begins to boot, hit F8 repeatedly until it stops booting and gives you the option to start Windows normally or start in Safe Mode. Don't be alarmed if things look really weird in this mode if you've not used it before.

 

In Safe Mode, go ahead and run MBAM first (the Malware Bytes software), since it'll just suck up everything tedious that may be on your system. If, while MBAM is running, it just automagically closes on you, or refuses to open without even giving an error to explain why, it's probably because you have another type of virus that knows to kill antimalware.

 

After MBAM runs (or fails), try and run Kaspersky TDSSKiller again.

 

Google around and see if you can find a support forum if that doesn't help. :( I hate doing wipes, so I feel for ya.


I received your PM...which is basically the same as your 1st post...however, what is the link to the mod you mentioned?

 

If the mod does not contain an EXE file, odds are you did not get the virus from it. If it is a rootkit, the likelihood of you knowing the actual source of infection will be very low. Always be careful of the EXE programs you download from the net. If you grab stuff from bittorrent networks, you are just asking for punishment like this. If you are just browsing sites, be sure to use Firefox (not IE) and add the following add-ons:

 

  • WOT (Web of Trust) - This will help you identify and prevent access to known bad sites...especially helpful if your browser is hijacked and redirected to such a site.
  • NoScript - This will prevent scripts from running, thus minimizing the possibility of malware scripts hijacking your browser. Just be sure to allow JavaScript to run on all the Nexus sites or the Nexus won't work for you.
  • Adblock Plus - This will block most ads from even showing up. However, I recommend not blocking the Nexus ads because that is what helps keep this site alive. If you see a bad ad, grab a screenshot (print screen), upload it and let Dark0ne know...he is very quick to remove bad ads but screenshots are mandatory in order to know exactly what to tell the marketing people to remove.

 

It is also important to have a good anti-virus / firewall system. I tend to use and recommend Comodo Internet Security (100% free). It is a kind of geeky app but does its job well to prevent baddies from getting a foothold, and when they do, prevent them from dialing home or infecting other machines.

 

More programs can be found on our wiki: How to protect your PC

 

But this was all preventative stuff BEFORE malware strikes. I'd also recommend downloading an Ubuntu Live CD (get the 32-bit version even if you have a 64-bit PC) and burning a disc. This will allow you to boot your PC off a CDROM (which will not load the virus on your hard drive). You can then use Ubuntu's package manager to download and install antivirus program(s) and then scan your hard drive to clean off the virus. FYI - Don't worry about "installing" on a Live CD...it only installs in memory. When you reboot or boot the CD again, anything installed will be gone.

 

LHammonds
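As an added example (not from this thread or from any tool named in it), a small POSIX shell helper for the Live CD approach above: it mounts the Windows partition read-only so nothing on it can execute or be altered, scans it with ClamAV's clamscan, and pulls the infected paths out of the report. ClamAV as the scanner, the device path and the mount point are assumptions; the report lines are constructed sample data, not output from a real scan.

```shell
#!/bin/sh
# Offline scan of a Windows drive from a live CD (example, not the thread's own).
# Nothing is mounted or scanned unless offline_scan is called explicitly.

# Mount the Windows partition read-only. The rootkit's drivers never load
# because we booted from the CD, and ro/noexec keep the evidence untouched.
mount_windows_ro() {
    dev="$1"                     # assumed, e.g. /dev/sda2 (find it with: lsblk -f)
    mnt="${2:-/mnt/win}"         # assumed mount point
    mkdir -p "$mnt"
    mount -t ntfs-3g -o ro,noexec,nosuid "$dev" "$mnt" || return 1
    printf '%s\n' "$mnt"
}

# clamscan reports a hit as "<path>: <signature> FOUND"; print just the paths.
infected_paths() {
    sed -n 's/^\(.*\): .* FOUND$/\1/p' "$1"
}

# Pull the count from the report's SCAN SUMMARY block.
infected_count() {
    sed -n 's/^Infected files: \([0-9][0-9]*\)$/\1/p' "$1"
}

# Constructed clamscan report (sample data only) so the two parsers above
# can be exercised without mounting or scanning anything.
sample_report() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
/mnt/win/Windows/System32/drivers/constructed-sample.sys: Constructed.Sample.Sig FOUND
/mnt/win/Users/Public/readme.txt: OK

----------- SCAN SUMMARY -----------
Infected files: 1
EOF
    printf '%s\n' "$f"
}

# Full procedure: refresh signatures (needs network), scan recursively,
# keep a report, then list what was found.
offline_scan() {
    mnt=$(mount_windows_ro "$1") || { echo "mount failed" >&2; return 1; }
    report="$HOME/clamscan-report.txt"
    freshclam
    clamscan -r --infected --log="$report" "$mnt"
    echo "Infected files: $(infected_count "$report")"
    infected_paths "$report"
}

# Run only when asked for explicitly:  OFFLINE_SCAN=1 sh scan.sh /dev/sda2
if [ "${OFFLINE_SCAN:-0}" = 1 ]; then offline_scan "$@"; fi
```

Review the listed paths before deleting anything: a read-only mount lets you copy off pictures and music first, and a hit inside System32\drivers is the kind of finding the TDSS removal write-ups in this thread describe.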

