More How To Remove Antivirus 2009 and TDSS Rootkit

In my previous posting on How To Remove MS Antivirus 2009 I mentioned using Malwarebytes' Anti-Malware removal tool along with running SuperAntivirus. These are both excellent spyware cleaners.

However, you may run into a few “gotchas” that prevent you from running these cleaning programs. Here’s how you can get around those problems, which are based on my first hand experience from cleaning one instance of MS Antivirus 2009 on a single PC.

Problem #1 — Unable to run Malwarebytes' mbam-setup.exe program.

On this particular PC I kept clicking on the setup icon and nothing happened. I found out that this was because the spyware program was blocking execution of the antispyware installation file. Man, these spyware programs are getting more and more devious all the time!

To get around this I just renamed the mbam-setup.exe program to fred.exe and I was able to install the program. However, I could still only install the program from Safe mode.

Problem #2 — Unable to run Malwarebytes' Anti-Malware program.

Once I booted to Safe mode and was able to install Mal's program, I wasn't able to RUN the program. This was because the spyware was blocking that application's filename as well.

So I navigated to c:\program files\Malwarebytes' Anti-Malware and renamed the application file mbam.exe to fred.exe. Same trick as before.

Now the application ran, although this time I had to run the application from Normal mode and NOT Safe mode! Sheesh… what gyrations!

Problem #3 — Browser is hijacked.

After running Mal's Anti-Malware, which caught a lot of infections, I wanted to install SuperAntivirus. However, the browser was hijacked and would not let me navigate to the correct URL.

I decided to run Mal's program a few more times from Normal mode, and after about the third time it revealed that the PC had the TDSServ Rootkit virus.

Mal's was able to clean up most of the TDSS infection. However, I had to navigate to c:\windows\system32 and manually delete the remaining TDSSxxxx files.

Once that was done, the browser seemed to be back to normal.

I ran SuperAntivirus from both Normal and Safe mode and also ran Mal’s from Safe mode — which was now working again — and everything finally came up clean.
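As an added example (not part of the original post), the two manual steps above as a PowerShell helper: copy a blocked installer under a random name (Problems #1 and #2), and inventory any leftover TDSS* files and TDSS* service or driver registrations in System32 before quarantining them (Problem #3). Paths, the "TDSS*" pattern and the installer location are assumptions; it needs PowerShell 4 or later for Get-FileHash, and because a live rootkit can hide files from the running OS, an empty listing is only meaningful after the scanner has already removed the driver.

```powershell
# Added example, not from the original post. Assumed paths; run as Administrator.
param(
    [string]$System32   = "$env:SystemRoot\System32",
    [string]$Quarantine = "$env:SystemDrive\Quarantine_TDSS",
    [switch]$Move       # without -Move the script only reports what it finds
)

# The "rename the installer" workaround: copy the blocked file under a random .exe
# name so a filename-based block does not match, and return the new path.
function Copy-UnderRandomName {
    param([string]$Installer = "$env:USERPROFILE\Desktop\mbam-setup.exe")  # assumed location
    $newName = "{0}.exe" -f ([System.IO.Path]::GetRandomFileName() -replace '\.', '')
    $dest = Join-Path (Split-Path $Installer) $newName
    Copy-Item -Path $Installer -Destination $dest
    return $dest
}

# 1. Leftover files: anything named TDSS* in System32 and its drivers folder.
#    -Force includes hidden/system files, which is how such leftovers are usually marked.
$hits = Get-ChildItem -Path $System32, "$System32\drivers" -Filter 'TDSS*' -File -Force `
            -ErrorAction SilentlyContinue

foreach ($f in $hits) {
    $hash = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
    "{0}`t{1} bytes`tcreated {2:u}`tSHA256 {3}" -f $f.FullName, $f.Length, $f.CreationTime, $hash
}

# 2. Leftover registrations: a TDSS* service or kernel driver is what re-creates the
#    files, so it matters at least as much as the files themselves.
Get-CimInstance -ClassName Win32_Service, Win32_SystemDriver -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -like 'TDSS*' } |
    Select-Object Name, DisplayName, State, StartMode, PathName

# 3. Quarantine by moving, not deleting, so a false positive can be restored.
if ($Move -and $hits) {
    New-Item -ItemType Directory -Path $Quarantine -Force | Out-Null
    foreach ($f in $hits) {
        Move-Item -Path $f.FullName -Destination $Quarantine -Force
    }
    "Moved {0} file(s) to {1}" -f $hits.Count, $Quarantine
}
```

Run it once without -Move to review the listing, then rerun with -Move and rescan from both Normal and Safe mode as the post does.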