
How I got rid of the "unable to reach windows updates" rootkit

#1 WoodyS

Posted 17 February 2011 - 03:04 PM

Hi everyone,
Thank you, everyone; your contributions to BleepingComputer have helped me many times in the past. I hope I now can contribute.

I was cleaning up a computer virus and came across interesting and maybe useful information. I hope this can help someone in the future.
___________________
Computer: Dell Vostro, Windows XP HOME (32-bit) with SP3
___________________
Issue: Many IExplorer redirects, unable to reach windows update web site.
___________________
Discovery (reduced to the essential steps):

Removed all the system temporary files, prefetch entries, and old restore points before beginning cleanup.

Avira AntiVir Rescue System boot and scan - found and removed TDSS rootkit from MBR & several other virus infections.

Reboot
Can reach most web sites.
Fewer IExplorer redirects, but still a few.
Unable to reach Windows Update web site

Kaspersky TDSSKiller scan - found and removed TDSS rootkit from MBR

Reboot
Unable to reach Windows Update web site

SuperSpyware scan - found and removed variant of TDSS rootkit from MBR

Reboot
Unable to reach Windows Update web site

HitmanPro scan - found & removed MBR rootkit

TrojanRemover scan - found MDF rootkit, unable to remove

BartPE boot
Run MBRFIX (it is in the program list) & replace MBR with clean copy
note: could have also used Windows Recovery Console
For details, GOOGLE "MBR repair"

Reboot
Reach Windows Update web site
Windows Updates download and install properly
Regular virus scan - nothing found.
___________________
Summary:
I suspect there is a new variant of the TDSS rootkit that is able to replace itself in the MDF after the rootkit is cleaned by the scanning tools. The only way to get ahead of this rootkit is to
- boot to something besides the infected hard drive
- replace the MDF with a good copy

I hope this helps someone in the future.

WoodyS
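The post above relies on re-scanning and eventually rewriting the MBR from a clean boot. An added example (not from the original post or any of the tools named in it): a small Python checker that parses a raw 512-byte MBR image taken from a rescue boot, validates the 0x55AA boot signature and partition table, and compares the bootstrap code hash against a saved known-good baseline, so a re-infected boot sector shows up as a concrete difference rather than a guess. The layout offsets follow the classic MBR format; the sample sector and baseline are constructed test data.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440        # bootstrap code precedes the 4-byte disk signature
PART_TABLE_OFFSET = 446    # four 16-byte partition entries
BOOT_SIGNATURE = 0x55AA    # stored as bytes 0x55 0xAA at offset 510

def parse_mbr(sector: bytes) -> dict:
    """Split a raw MBR into boot-code hash, partition entries and signature."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(sector)}")
    sig = struct.unpack_from(">H", sector, 510)[0]
    parts = []
    for i in range(4):
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        boot, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, PART_TABLE_OFFSET + 16 * i)
        if ptype:  # type 0 means an unused entry
            parts.append({"bootable": boot == 0x80, "type": ptype, "start_lba": lba, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": parts,
        "signature_ok": sig == BOOT_SIGNATURE,
    }

def check_mbr(sector: bytes, baseline_sha256: str) -> list:
    """Return findings; an empty list means the MBR matches the known-good baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("bootstrap code differs from known-good baseline")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no active partition")
    return findings

def constructed_mbr(boot_code: bytes) -> bytes:
    """Build a sample sector with one active NTFS-type partition (constructed test data)."""
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 63, 1_000_000)
    body = boot_code.ljust(BOOT_CODE_LEN, b"\0") + b"\0" * 6 + entry + b"\0" * 48
    return body + b"\x55\xAA"

if __name__ == "__main__":
    good = constructed_mbr(b"\xEB\x3C\x90constructed-known-good")
    baseline = parse_mbr(good)["boot_code_sha256"]   # record this from a trusted image
    tampered = constructed_mbr(b"\xEB\x3C\x90tampered-boot-code")
    print(check_mbr(tampered, baseline))
```

On a real system the sector would be read from the disk device while booted from rescue media (for example the first 512 bytes of the physical disk), and the baseline hash recorded once from a known-clean image.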


#2 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:09:15 AM

Posted 17 February 2011 - 07:26 PM

Hello.

First, let me say that we are glad that you have resolved your issue.

However, some of the methods you used (particularly the rewriting of the MBR) are not something we recommend that inexperienced users do without expert supervision. There are a number of scenarios in which the use of commands such as 'fixmbr' can have a wide variety of unintended consequences. In some circumstances (for example, an encrypted drive), the machine may no longer be able to boot at all after executing the command.

For assistance with removing this and other tricky malware infections, the best route to take is to submit a help request to our Malware Removal Team by following this guide: http://www.bleepingcomputer.com/forums/topic34773.html

~Blade



#3 WoodyS

Posted 20 February 2011 - 08:01 PM

Hi,
Thank you for pointing that out. I forgot to consider the encrypted drive issue.
I can always count on BleepingComputer for the best education.

Best wishes,
WoodyS
