
31 Re: ANOTHER TDSS SUFFERER on Tue Apr 13, 2010 12:04 pm

DragonMaster Jay (Site Owner)
The px***.sys files are legitimate. After further investigation, they are required for Windows to boot.

We can go with a reformat and reinstall, to help rid the infection and replace all of the system files lost.

Or, those px***.sys files will have to be found on the OS disc or at a remote location and replaced.


See, the problem you were having, which I discovered immediately, was that TDSS was making a backup each time it re-infected your computer. Once it was removed, it then restored the infection from its backup. Rootkits have primary system control, with which they can manipulate infections and hide them from existence.

TDSS is used by hackers to gain full system access in order to launch attacks across the internet or cause the system to be manipulated to generate income for the malware writer.

My plan was to find where the backup was, then delete that and the infection at the same time.

Also, could be that your system was infected by a newer variant of Virut, which is a file-patching virus that infects core system files with malware, and attempts to take control of your computer.


..........................................................
DragonMaster Jay
Administrative Director SecuraGeek Association
Advanced Malware Analysts Group Owner


32 Re: ANOTHER TDSS SUFFERER on Tue Apr 13, 2010 2:06 pm

jorgk3 (Member)
Hello,

Thanks for all your help and suggestions. I hate to contradict the DragonMaster, but the px*.sys files are not part of Windows. They got placed onto the system when I installed Prevx.

The PrevX people said:

"PXKBF.sys" doesn't guarantee that it is our file - there are some infections that have started using that name because we do. Our driver is in the 20KB range, while the others are < 10KB.
http://www.wilderssecurity.com/showthread.php?p=1653386

Yes, I understand that the TDSS/TDL3 virus kept reinfecting the system. But as we both know from the dissemination of the virus that can be found here:
www.drweb.com/static/BackDoor.Tdss.565_(aka%20TDL3)_en.pdf
the virus creates an encrypted virtual filesystem that is physically located outside the Windows file system.

I am sad to say that we lost the battle. But anyway, I sharpened my tools with your help and no data got lost.

There are some last questions: If I reformat the system partition, the "special" area the virus has created outside the Windows file system will remain, since I don't intend to erase the entire disk.

Is there a way to write an entirely new master boot record (MBR) that 100% will not reference into running anything outside the file system?

Is there a way to overwrite unallocated space on the disk with zeros to make sure all remnants of the virus are removed?

Thank you again for your help!

33 Re: ANOTHER TDSS SUFFERER on Wed Apr 14, 2010 1:42 pm

DragonMaster Jay (Site Owner)
TDSS writes directly to the disk.

Use Recovery Console command fixmbr. Then, delete the current partition only, and reinstall the OS.

TDSS does not write outside of the partition. So, by deleting the Windows partition and reinstalling it, it will rid the infection.

Sad part is, no tools detect TDSS at its lowest point, because the tools cannot read past a certain level on the disk.

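The check behind the two questions in post 32 (a fresh MBR, and zeroing what lies outside the file system) and the fixmbr/delete-partition answer in post 33, as an added example that is not code from any post in the thread. It parses a raw 512-byte sector 0 (dumped with dd, or the constructed sample built inside the script), verifies the 0x55AA signature, hashes the 446-byte bootstrap code so you can compare it before and after fixmbr, lists the primary partition entries, and enumerates every sector range that no partition owns, which is the only place a hidden area of the kind described in post 32 can sit once the Windows partition has been deleted. The device name /dev/sdX, the 4096-sector disk size and the sample partition layout are assumptions for the demonstration.

```python
"""Inspect a raw MBR sector and list the on-disk regions no partition owns.

Added example, not code from the thread. Reads a 512-byte sector 0 image
(a file dumped with dd, or the constructed sample below) and reports:
  * whether the 0x55AA boot signature is present,
  * a SHA-256 of the 446-byte bootstrap code (compare before/after fixmbr),
  * the four primary partition entries,
  * the sectors outside every partition, plus a dd line to zero each range.
"""
import hashlib
import struct
import sys

SECTOR = 512
BOOTCODE_LEN = 446          # bytes 0..445 hold the bootstrap code
PTABLE_OFF = 446            # four 16-byte partition entries follow
SIGNATURE = b"\x55\xaa"     # bytes 510..511


def parse_mbr(sector: bytes) -> dict:
    """Parse one 512-byte MBR. Raises ValueError on a malformed sector."""
    if len(sector) != SECTOR:
        raise ValueError(f"expected {SECTOR} bytes, got {len(sector)}")
    parts = []
    for i in range(4):
        entry = sector[PTABLE_OFF + 16 * i: PTABLE_OFF + 16 * (i + 1)]
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sectors(4)
        status, ptype, lba, count = struct.unpack("<B3xB3xII", entry)
        if ptype == 0 and count == 0:
            continue                      # empty slot
        parts.append({"index": i, "bootable": status == 0x80,
                      "type": ptype, "lba_start": lba, "sectors": count})
    return {
        "signature_ok": sector[510:512] == SIGNATURE,
        "bootcode_sha256": hashlib.sha256(sector[:BOOTCODE_LEN]).hexdigest(),
        "partitions": parts,
    }


def unallocated_regions(partitions, total_sectors: int):
    """Return [(start_lba, length)] for sectors owned by no partition.

    Sector 0 (the MBR itself) is excluded. Overlapping entries are
    tolerated by walking the extents in LBA order.
    """
    gaps = []
    cursor = 1
    for p in sorted(partitions, key=lambda p: p["lba_start"]):
        start, end = p["lba_start"], p["lba_start"] + p["sectors"]
        if start > cursor:
            gaps.append((cursor, start - cursor))
        cursor = max(cursor, end)
    if total_sectors > cursor:
        gaps.append((cursor, total_sectors - cursor))
    return gaps


def is_zeroed(data: bytes) -> bool:
    """True when a region read back from the disk contains only 0x00 bytes."""
    return not any(data)


def zero_command(device: str, region) -> str:
    """dd invocation that overwrites one unallocated region with zeros.

    Meant for a live Linux environment; DEVICE is the whole disk (assumed
    name, e.g. /dev/sda), not a partition.
    """
    start, length = region
    return f"dd if=/dev/zero of={device} bs={SECTOR} seek={start} count={length}"


def sample_mbr() -> bytes:
    """Constructed sector: dummy bootstrap, one bootable NTFS partition at LBA 63."""
    bootcode = bytes([0x90]) * BOOTCODE_LEN          # NOPs stand in for real code
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 63, 2000)
    table = entry + bytes(16 * 3)
    return bootcode + table + SIGNATURE


if __name__ == "__main__":
    raw = open(sys.argv[1], "rb").read(SECTOR) if len(sys.argv) > 1 else sample_mbr()
    total = int(sys.argv[2]) if len(sys.argv) > 2 else 4096   # assumed disk size in sectors
    info = parse_mbr(raw)
    print("signature ok:", info["signature_ok"])
    print("bootcode sha256:", info["bootcode_sha256"])
    for p in info["partitions"]:
        print(f"  part {p['index']}: type 0x{p['type']:02x} lba {p['lba_start']} "
              f"len {p['sectors']} bootable={p['bootable']}")
    for g in unallocated_regions(info["partitions"], total):
        print(f"  unallocated: lba {g[0]} len {g[1]}  ->  {zero_command('/dev/sdX', g)}")
```

Run it as `python mbr_check.py sector0.bin $(blockdev --getsz /dev/sda)` after dumping sector 0 with `dd if=/dev/sda of=sector0.bin bs=512 count=1` from a live Linux system. Take the bootstrap hash once before fixmbr and once after; if the two are identical, fixmbr did not replace the code. After zeroing a gap with the printed dd line, read it back with dd and confirm `is_zeroed` returns True; a region that will not stay zeroed while the OS is running is the symptom of something restoring it. None of this replaces the reinstall recommended in post 33, it only lets you verify that nothing outside the new partition survived.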
