Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Rootkit.TDSS or Rootkit.Rustock[KBI] Trouble


  • Please log in to reply
2 replies to this topic

#1 Casperxx99

Casperxx99

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:01:41 AM

Posted 01 September 2009 - 06:00 AM

One of my friends managed to install this nasty rootkit on to my Vista Ultimate machine and I have had nothing but problems since. First It redirected search engines, then it installed win police pro, then it killed access to all windows executable unless you ran them in administrator mode. The rootkit was identified as a Rootkit.TDSS by Malware bytes, and Spyware Doctor, but it was identified as Rootkit.Rustock[KBI] by SuperAntispyware. Spyware Doctor and SuperAntispyware failed to rid me of the pest, but Malware bytes managed to remove most of it. Right now im stuck with 4 TDSS regkeys that wont delete. Malware detects them, but will not remove them. I've tried manual removal, and checked the added approprite registry permissions. The just wont go away and im afraid I havent removed the infection. Although, the computer appears to work perfectly.

Malwarebytes' Anti-Malware 1.40
Database version: 2723
Windows 6.0.6000
Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\kbiwkmfqnmkfeu (Rootkit.TDSS) -> Delete on reboot.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\kbiwkmlhphykoy (Rootkit.TDSS) -> Delete on reboot.

I can view these 2 keys but not delete them, they are where the injector is held. Although, i did manage to delete SOME of the files contained in there.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ytasfwqespetxa (Rootkit.TDSS) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ytasfwycogfnfb (Rootkit.TDSS) -> Quarantined and deleted successfully.

I cant even view the contents of these keys, nor will they delete.

I can post full Malware Logs and HJT logs if needed. Any help is appricated.
TIA-Rob

BC AdBot (Login to Remove)

 


#2 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,579 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:41 PM

Posted 01 September 2009 - 06:03 PM

We Need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
  • Open Posted Image on your desktop.
  • Click the Posted Image tab.
  • Click the Posted Image button.
  • Check only the Files box: Posted Image
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Posted Image button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#3 Thenatureboy

Thenatureboy

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:12:41 AM

Posted 07 September 2009 - 08:50 AM

I had the same problem. I downloaded Malwarebytes and looked at the results. I searched my computer and the registry for leftovers. And then continued deleting them and updating Malwarebytes and re-running until it died eventually.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users