Jump to content

tdss.sys rootkit detected but not removed

Recommended Posts

Hello everybody ...

I need help with this f.... tdss malware, MB correctly detects the concerned registry key being infected, allows deletion and all seems to proceed the right way. Once I reboot the PC the infection is still there, I've disabled-rebooted PC and then uninstall the tdss.sys driver with no success.

I think the rootkit hides all files having tdss into filename .. though .. because I've never been able to see such files anywhere in the drive. ???

Please help me I'm desperate ...



Link to post
Share on other sites

Although not done what is suggested there it helped to find the way to solve the problem, as follows:

a) from DeviceManager -> Show hidden peripherals

:) disable Tdssxyx.sys where xyz are random characters (found on non plug and play peripherals)

c) REBOOT SAFE MODE (press F8 while Windows boots) no command prompt

d) move to Windows\system32 and NOW the tdssxyz.xyz files become visible!! Deleted them all.

e) move to system32\drivers, deleted tdssxyz.sys

f) reboot safe mode (?) and unistall the peripheral driver tdssxyx.sys

g) reboot normal - deleted all what possible from registry - search tdss (all values) if and when found -> delete

h) Scan MB did not found any tdss anymore !!! Neither tdss.sys has been installed nor process explorer (www.sysinternals.com) finds any handle or dll attached.


Seriously thinking to upgrade to MBPro, MB has been the only malware fighter capable of removing AntivirXp 2009. The rest is ordinary routine.

I want to thanks all the people spending their time to give me this help that solved (almost I think so) the infection.


Malwarebytes' Anti-Malware 1.30

Versione del database: 1345

Windows 5.1.2600 Service Pack 3

01/11/2008 14.16.47

mbam-log-2008-11-01 (14-16-47).txt

Tipo di scansione: Scansione completa (C:\|)

Elementi scansionati: 104800

Tempo trascorso: 13 minute(s), 2 second(s)

Processi delle memoria infetti: 0

Moduli della memoria infetti: 0

Chiavi di registro infette: 0

Valori di registro infetti: 0

Elementi dato del registro infetti: 0

Cartelle infette: 0

File infetti: 0

Processi delle memoria infetti:

(Nessun elemento malevolo rilevato)

Moduli della memoria infetti:

(Nessun elemento malevolo rilevato)

Chiavi di registro infette:

(Nessun elemento malevolo rilevato)

Valori di registro infetti:

(Nessun elemento malevolo rilevato)

Elementi dato del registro infetti:

(Nessun elemento malevolo rilevato)

Cartelle infette:

(Nessun elemento malevolo rilevato)

File infetti:

(Nessun elemento malevolo rilevato)

Link to post
Share on other sites

  • Staff

A note on this infection .

MBAM should get all be the service (that is protected by removing all permissions from the key) but the file the service points to does die so it is only a trace .

In future versions of MBAM we will be looking at both better crippled permissions handling and DRA (Direct Registry Access) , DRA bypasses permissions .

If anyone has a scan log (with current MBAM version and defs) where we do not remove the FILES I need to know about it ASAP .

Another note on this infection , the TDSS guy modifies the scan results to make it look like MBAM is trying to remove the system32 folder . MBAM neiter has this ability nor attempts to do what the modified log shows .

Link to post
Share on other sites

  • 3 weeks later...
Thanks for the attention.

Attached are 4 logs zipped, they should show the history of the infection(s). The keypoint is in the third log, where it says tdss deletion successfully but it is not. Hope it helps ...


Does anyone know HOW OR WHERE this TDSS infection comes from....

Link to post
Share on other sites

High risks (like Rootkit.TDss.Gen) are typically installed without user interaction through security exploits, and can severely compromise system security. Such risks may open illicit network connections, use polymorphic tactics to self-mutate, disable security software, modify system files, and install additional malware. These risks may also collect and transmit personally identifiable information (PII) without your consent and severely degrade the performance and stability of your computer :huh:

Link to post
Share on other sites

Does anyone know HOW OR WHERE this TDSS infection comes from....

Most likely your using an unsecured connection, and it is your router that is infected. It will require a special process to remove it.

Hi read and follow the instructions here then post a log here . Someone will be happy to help you.

Link to post
Share on other sites

  • 5 months later...
Most likely your using an unsecured connection, and it is your router that is infected. It will require a special process to remove it.

Why would you say that? If his router is "infected", wouldn't he just have to reset it? Correct me if I'm wrong, but that comment almost scared the crap out of me. I had to check on that for a minute.

Link to post
Share on other sites

  • Root Admin

This is a 6 month old post and Jean does not currently participate on the site anymore.

There are a couple of methods to infect a router, in general the most common is by someone using one that does not have a password on it. They then modify setting, usually DNS to point elsewhere or block out security sites. There is another that attempts to actually update the firmware of the router.

Link to post
Share on other sites

  • 4 months later...

@ Sal

There kinda busy in that forum. It may take a couple of days..

follow these instructions & post it in the HiJackLog Forum please

Scan and post logs - read note at bottom in green

If you're having Malware related issues with your computer that you're unable to resolve.

  1. Please read and follow the instructions provided here: I'm infected - What do I do now?
  2. If needed please post your logs in a NEW topic here: Malware Removal - HijackThis Logs
  3. When posting logs please do not use any Quote, Code, or other tags. Please copy/paste directly into your post and do not attach files unless requested.

  • Please do not post any logs in the General forum. We do not work on any logs posted in the General forum.
  • Please do not install any software or use any removal/scanning tool except for those you're requested to run by the Helper that will assist you.
  • Using these other tools often makes the cleanup task more difficult and time consuming.
  • If you have already submitted for assistance at one of the other support sites on the Internet then you should not post a new log here, you should stay working with the Helper from that site until the issue is resolved.
  • Do not assume you're clean because you don't see something in the logs. Please wait until the person assisting you provides feedback.
  • There are often many others that require asistance as well, so please be patient. If no one has responded within 48 hours then please go ahead and post a request for review

NOTE: If for some reason you're unable to run some or any of the tools in the first link, then skip that step and move on to the next one. If you can't even run HijackThis, then just proceed and post a NEW topic as shown in the second link describing your issues and someone will assist you as soon as they can.

Link to post
Share on other sites

This topic is now closed to further replies.

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.