TDSS.sys removal help


  • This topic is locked
8 replies to this topic

#1 Deese25

  • Members
  • 4 posts

Posted 06 June 2010 - 03:43 PM

My laptop has been infected with the TDSS.sys malware. I did scans with Malwarebytes, Spybot S&D, and HijackThis. None have detected the malware. Then I ran a scan with GMER and found the location of the malware, which is in the registry. I tried to delete the files (crazy, I know!) with no luck. I have downloaded ComboFix, but I do not feel comfortable using it on my own. Can you guys help me?


#2 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 06 June 2010 - 04:12 PM

Hello Deese25,



Let's try this first:
  1. Go to this page and download TDSSKiller.zip to your Desktop.
  2. Extract its contents to your Desktop and drag TDSSKiller.exe onto the Desktop itself, not into the extracted folder.
  3. Vista Start logo > All Programs > Accessories > RIGHT-click on Command Prompt and select Run as administrator. Copy/paste the following command and hit Enter.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v
  4. If TDSSKiller alerts you that the system needs to reboot, please consent.
  5. When done, a log file named "TDSSKiller.txt" should be created on your C: drive; please copy and paste its contents in your next reply.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!


Error reading poptart in Drive A: Delete kids y/n?
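The same procedure as teacup61's steps 3 to 5, written as an added PowerShell script (this is editorial example code, not part of the original post or of TDSSKiller). It keeps the exact command line from the post (`-l C:\TDSSKiller.txt -v`), refuses to run unless the shell is actually elevated (on Vista with UAC an administrator account is not enough; the prompt has to be started with Run as administrator), and checks the downloaded binary's Authenticode signature before executing it with administrator rights. The signer check is only a sanity check and the expectation that the file is signed is an assumption about the download, not something stated in the thread.

```powershell
# Added example: run TDSSKiller elevated with the switches from the post and show the log.
$exe = Join-Path $env:USERPROFILE 'Desktop\TDSSKiller.exe'   # step 2: exe on the Desktop, not in the folder
$log = 'C:\TDSSKiller.txt'                                    # step 3: -l <logfile>

if (-not (Test-Path $exe)) {
    throw "TDSSKiller.exe not found at $exe. Extract it out of the zip onto the Desktop first."
}

# Step 3: the scan needs a real administrator token. On Vista with UAC, a shell
# that was not started with "Run as administrator" fails this check even for admins.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'This shell is not elevated. Right-click PowerShell, choose Run as administrator, and re-run.'
}

# Sanity check before running a downloaded rootkit remover as administrator:
# the file should carry a valid Authenticode signature chaining to a trusted root.
# (Assumption: the genuine download is signed; a 'NotSigned' or 'HashMismatch'
# status means the file was tampered with, truncated, or is not the real tool.)
$sig = Get-AuthenticodeSignature -FilePath $exe
if ($sig.Status -ne 'Valid') {
    throw "Signature status on $exe is '$($sig.Status)'. Re-download it before running."
}
Write-Host "Signed by: $($sig.SignerCertificate.Subject)"

# Remove a stale log so what we print afterwards is from this run only.
if (Test-Path $log) { Remove-Item $log -Force }

# Same command line as the post: -l writes the log to C:\TDSSKiller.txt, -v is verbose.
$proc = Start-Process -FilePath $exe -ArgumentList @('-l', $log, '-v') -Wait -PassThru
Write-Host "TDSSKiller exited with code $($proc.ExitCode)"

# Step 5: print the log so it can be pasted into the reply. If the tool asked for a
# reboot (step 4), the log may only be complete after the machine comes back up.
if (Test-Path $log) {
    Get-Content $log
} else {
    Write-Warning "No log at $log. If TDSSKiller requested a reboot, check for the file after restarting."
}
```

Paste the printed log into the reply, as the post asks; the signer subject line is worth a glance too, since a rootkit remover is exactly the kind of download a malicious redirect (the symptom described in this thread) would try to swap out.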

#3 Deese25
  • Topic Starter

  • Members
  • 4 posts

Posted 06 June 2010 - 08:57 PM

Here is my log. The TDSS.sys is still in my registry.

Attached Files


Edited by Deese25, 06 June 2010 - 09:02 PM.


#4 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts

Posted 07 June 2010 - 02:35 PM

QUOTE
The TDSS.sys is still in my registry.

Please post the report that is telling you this. How is it running, please?

#5 Deese25
  • Topic Starter

  • Members
  • 4 posts

Posted 07 June 2010 - 08:14 PM

It's running much better. My Google and Yahoo searches do not redirect anymore. Thank you very much! I'm just worried that the virus will come back if it is still in the registry. Here is the GMER log that says this.

Attached Files



#6 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts

Posted 07 June 2010 - 10:23 PM

Glad it's better. Thanks for posting that. Every little bit of info I have helps.

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Thanks,
tea

#7 Deese25
  • Topic Starter

  • Members
  • 4 posts

Posted 12 June 2010 - 11:33 PM

I ran ComboFix and the TDSS is still in the registry. I wasn't sure how to disable my antivirus, so I ran ComboFix anyway. Here are my logs for ComboFix and GMER.

Attached Files



#8 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts

Posted 13 June 2010 - 02:24 PM

Which antivirus? One of those needs to go. Having two creates conflicts, hogs resources, and can even create system instability. Neither one of them can do its job properly as it stands now. I won't suggest you uninstall Symantec, since you paid for it, but I will tell you that Avira is the better product... unless this really is a business computer. Seems Symantec does better with the corporate version. If you want to keep Avira, then maybe just temporarily uninstall it and turn Norton off to run ComboFix.

Once we get an accurate log we'll get rid of those pesky registry entries.

Thanks,
tea
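A quick way to see what teacup61 inferred from the ComboFix log, that two real-time antivirus engines (Symantec/Norton and Avira on this machine) are active at once, is to ask Windows Security Center which products it has registered. The script below is an added example for this thread, not code from the original posts or from either vendor. It assumes Vista or later, where the WMI namespace is `root\SecurityCenter2` (on XP it is `root\SecurityCenter` and has no `productState`), and it uses the widely circulated community decoding of the `productState` bit field, which Microsoft does not document; treat the Enabled/Definitions columns as a strong hint to confirm in each product's own UI.

```powershell
# Added example: list antivirus products registered with Windows Security Center and
# warn when more than one has real-time protection enabled (the conflict in post #8).
function Get-InstalledAntivirus {
    # Assumption: Vista or later. XP uses root\SecurityCenter without productState.
    $products = Get-WmiObject -Namespace 'root\SecurityCenter2' -Class 'AntiVirusProduct' -ErrorAction Stop
    foreach ($p in $products) {
        # productState is a 24-bit field. As six hex digits, the middle pair is the
        # real-time protection state (10/11 = on, 00/01 = off) and the last pair the
        # signature state (00 = up to date, 10 = out of date). This is the common
        # community decoding, not a documented API; verify in the product UI.
        $hex = '{0:X6}' -f [int]$p.productState
        New-Object PSObject -Property @{
            Name        = $p.displayName
            Enabled     = (@('10', '11') -contains $hex.Substring(2, 2))
            Definitions = $(if ($hex.Substring(4, 2) -eq '00') { 'up to date' } else { 'out of date' })
            StateHex    = $hex
            Path        = $p.pathToSignedProductExe
        }
    }
}

$av = @(Get-InstalledAntivirus)
$av | Format-Table Name, Enabled, Definitions, StateHex, Path -AutoSize

# The situation in this thread: two engines with real-time protection on at the same time.
$active = @($av | Where-Object { $_.Enabled })
if ($active.Count -gt 1) {
    $names = ($active | ForEach-Object { $_.Name }) -join ', '
    Write-Warning ("{0} real-time antivirus engines are enabled at once ({1}). Uninstall or disable all but one before running ComboFix." -f $active.Count, $names)
} elseif ($active.Count -eq 0) {
    Write-Warning 'Security Center reports no enabled antivirus; confirm in the product UI before trusting this.'
}
```

Only products that register with Security Center appear here, so a missing entry does not prove a product is gone; a product that shows as Enabled after you believe you turned it off is the one most likely to interfere with a ComboFix run.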

#9 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts

Posted 21 June 2010 - 09:33 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic
