Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Rootkit created small partition on harddrive; blocks tdsskiller

  • Please log in to reply
1 reply to this topic

#1 Angelusai


  • Members
  • 13 posts
  • Local time:08:14 PM

Posted 12 August 2012 - 03:50 PM

First off thank you for your time and effort in helping me with this problem!

This is on my mother's computer which has Windows 7 Home Premium, Service Pack 1. Two days ago she called me in her computer was spammed with bogus error messages but it was so late at night I just turned it off to deal with the following morning. The virus turned out to be Rogue.File Recovery. It was blocking the antivirus from working properly so I used Malwarebytes Anti-Malware to remove it and the help page I read said to follow up with tdsskiller to clean out any rootkits but it will not run. I tried running as admin, changing it's file name and extension to .com, and I tried in Safe Mode with no luck. So I ran a full system scan with Avast since it was now working it detected Win32: Malware-gen in one location, and MBR:SST [Rtk] in multiple locations, and was able to detain all except for the one listed as file name MBR:\\.\PHYSICALDRIVE0\Partition3. Avast then suggested to do a boot-time scan which ran and detected Java:CVE-2012-1723-BP [EXP˥] along with the MBR:SST [Rtk]. It tried to repair the files but was unable to. For the Java virus I just deleted the entire application and it no longer shows on the scan. Curious about the file name I checked the partitions in Disk Management and sure enough there's a blank named volume that's 10MB but it says it has 100% free space. Out of desperation I ran Combofix which didn't seem to do anything. Each time I run Avast this rootkit shows up in it's little partition and brand new locations keep popping up that it's created. Avast can detain the file locations but it cannot do anything about the partition location. I realize I listed a lot of different malwares so to be clear the only one that shows now is MBR:SST [Rtk]. I just wanted to be thorough with all I ran into working on her PC yesterday.

The symptoms of this lingering malady are:
-Very sluggish loading times on the internet.

-Clicking on search links sometimes redirecting to bogus advertisement sites; though Firefox usually prevents this. The sites are always random things like Norton products or vacation ads.

-Firefox randomly crashes. Sometimes it happens repeatedly in a very short time span and sometimes the browser can be open a few hours. (Luckily no crash in all the time I've spent thinking and typing this out so far.)

-Computer randomly restarts/crashes, this happens very rarely it did not do it once yesterday but did do it once so far today.

-Blocks tdsskiller from executing. I tried running it again hoping it was one of the many other viruses that was blocking it but it will still not run trying all the different methods.

-Malwarebytes Anti-Malware full scan does not detect it.

I've thought about just reformatting but I honestly don't know if that can touch this rogue partition or not.

BC AdBot (Login to Remove)


#2 narenxp


  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India
  • Local time:08:14 PM

Posted 12 August 2012 - 10:14 PM

We need advanced tools to remove this one

Read the guide here on preparing logs


and create a topic here


Until then do not mess up things.We can easily remove the 10 mb partition too.

Good luck

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users