Jump to content
Due to inclement weather in Southwest Florida, our Clearwater support team is offline. Our other offices are available to assist you, however their responses may be delayed. We appreciate your patience and understanding during this time. ×

Cant Fully Remove Rootkit.tdss


maj
 Share

Recommended Posts

Hey everyone a few days ago, I got this Malware Defense virus, and all the lovely trojans along with it. After finding a guide using malwarebytes and studying on this thing, I removed it and all. And Malwarebytes said my pc was clean yet after the restart, Firefox wont work, just gives Drwatson error when I try to open. So I run this program called rkill from the guide to kill the rootkit and open new explorer.exe, and all is fine, I scan with Malwarebytes again and it shows Rootkit.TDSS is hiding in registry HKEY_LOCAL_MACHINE\SOFTWARE\H8SRT. Yet when I go into the registry in normal or safe mode the registry key is not there?! This is a repeated process every time I turn my computer on. I have included the log here from safe mode, I have other from regular if its wanted. Some help on how to finally get rid of this is really appreciated! Thanks.

Malwarebytes' Anti-Malware 1.44

Database version: 3458

Windows 5.1.2600 Service Pack 3 (Safe Mode)

Internet Explorer 6.0.2900.5512

1/12/2010 1:02:21 PM

mbam-log-2010-01-12 (13-02-21).txt

Scan type: Full Scan (C:\|D:\|)

Objects scanned: 189841

Time elapsed: 19 minute(s), 57 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\H8SRT (Rootkit.TDSS) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Link to post
Share on other sites

  • Staff

Hi,

Please read the instructions below and follow them in exactly the same way as described:

  • Start MalwareBytes and click the Update tab. There click "Check for updates"
  • Once the updates are downloaded, perform a quick scan again.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Do NOT post the log yet, but allow mbam to reboot.
  • After reboot, immediately rescan with malwarebytes, let it perform another scan, select to remove and reboot once again.
  • It's important that these steps are performed immediately after eachother (scan > select to remove > reboot > right after reboot, another scan > select to remove > reboot).

Then when done, post the LATEST malwarebytes log in your next reply. Only post that log AFTER the second reboot.

Link to post
Share on other sites

Hello I followed your instructions as you said. I dont know if this makes a difference, the first reboot was successful, I rescanned deleted rebooted, on the second time to start up it wouldnt load windows, it went to a black screen I had to manually turn it off and start back up, but here is the results.

Malwarebytes' Anti-Malware 1.43

Database version: 3554

Windows 5.1.2600 Service Pack 3

Internet Explorer 6.0.2900.5512

1/13/2010 5:36:58 PM

mbam-log-2010-01-13 (17-36-58).txt

Scan type: Quick Scan

Objects scanned: 120258

Time elapsed: 6 minute(s), 47 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 2

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 8

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\H8SRT (Rootkit.TDSS) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\h8srtd.sys (Rootkit.TDSS) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\H8SRTmwpawktetj.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\H8SRTpoaqjnbkpj.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\H8SRTskakboirrr.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\drivers\H8SRTlhlsmlgibq.sys (Trojan.TDSS) -> Quarantined and deleted successfully.

C:\Documents and Settings\123\Local Settings\Temp\H8SRT1ded.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\h8srtkrl32mainweq.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\h8srtshsyst.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\H8SRTkvkqlxrhcj.dat (Rootkit.TDSS) -> Quarantined and deleted successfully.

s

Link to post
Share on other sites

I rescanned after I did the deletion and reboot of the former log results, and I got this.

Malwarebytes' Anti-Malware 1.43

Database version: 3554

Windows 5.1.2600 Service Pack 3

Internet Explorer 6.0.2900.5512

1/13/2010 7:19:01 PM

mbam-log-2010-01-13 (19-19-01).txt

Scan type: Full Scan (C:\|D:\|)

Objects scanned: 191484

Time elapsed: 32 minute(s), 11 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\System Volume Information\_restore{4DF7BEB3-E3D2-473C-B32D-682F2CA7D884}\RP105\A0021863.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

Link to post
Share on other sites

Sorry for doing a double post, but I thought about the location of that and I disabled system restore and rebooted, rescanned and got this.

Malwarebytes' Anti-Malware 1.43

Database version: 3554

Windows 5.1.2600 Service Pack 3

Internet Explorer 6.0.2900.5512

1/14/2010 1:11:11 PM

mbam-log-2010-01-14 (13-11-11).txt

Scan type: Full Scan (C:\|D:\|)

Objects scanned: 184840

Time elapsed: 23 minute(s), 50 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

So I think its clean now? I think disabling the system restore worked I dont know, but it seems like it?

Link to post
Share on other sites

  • Staff

Yes, if you disable system restore, it deletes the restore points in it. I suggest you enable system restore again since this is recommended. It will have clean restore points now since older ones got deleted ;)

Please read my Prevention page with lots of info and tips how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again! :D

Link to post
Share on other sites

Haha I will do that.

Unfortunately I knew how to prevent, my first virus in 5 years ;). Also I know how I got it too, I downloaded Avi2Dvd, which is freeware, and had some adware on it, and I let it install. My own stupidity, so I hope it helps to tell people to watch out when downloading that program!

Thanks tons for the help! Also great program you guys made, and the trial or free version, EXCELLENT! Thanks :D

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.