How to tell when infected, post rootkit.tdss steps, data safe to move?

I'm trying to find out if it is possible to tell when a computer has been infected.

I believe I was infected when trying to update my music artwork and clicked on a link to a lyrics site. I was running the Symantec Endpoint Protection and on XP.

Shortly after that I noticed the "Windows Police Pro" pop-up, and within minutes of not being able to identify the program or shut it down I pulled my internet plug.

I then proceeded to use Malwarebytes, Spybot Search and Destroy and antiviral to fix the problem in safe mode. That computer has remained offline (with one 5 minute exception) since I first pulled the internet plug.

In the searches I found that the rootkit.tdss was installed. It has been cleaned (the machine rebooted, re-scanned, re-deleted, rebooted, rescanned and reports clean).

I see in another post that the rootkit.tdss is serious. I can't tell when nor how long it was installed - was it installed with the Windows Police Pro or before?

My other workstation (the one I am on now) was used to transfer files on compact flash to the infected one. It is Windows 7 beta and runs Antivir, and scans clean with Malwarebytes and Antivir -- should I worry about it being infected?

I don't know what my next steps should be - should I wipe the OS on the workstation (it is the primary store for the family data and has all of our programs on it, including one I want to use on Monday, like my Palm Pilot), or is it OK to use?

If I do have to wipe it (unpleasant thought!) is the data OK if the scans come up clean? I


Hi Folks,

Sure seems busy here!

I've had to move some of the data - I ran an anti-virus scan on it on the computer I opened it from and it didn't report anything - hopefully that's OK????

I've run another Avir rootkit and system scan on the infected computer and saw 6 entries that say: [iNFO] The registry entry is invisible. Each one was the same as the registry entries that Malwarebytes and Avir Free said was the rootkit.tdss location. Does this mean the computer is still infected? :)

Looking forward to your advice,


