35 Replies. Latest reply: Nov 13, 2011 4:20 PM by flyingninja

    TDSS.e!RootKit

      Hi there,

       

      It seems that I have been infected with the above virus but I can't get rid of it. Forgive me, but my technical knowledge is pretty limited.  Each time McAfee starts up I get a message saying it has found and removed the TDSS.e!RootKit virus, but it doesn't actually go.  I've also run Malwarebytes Anti-Malware and it certainly removed other viruses which seem to have been attached to this, but it doesn't even recognise this one.  I then tried Super Anti Spyware, which at least recognised the virus and said it had removed it, but when I rebooted it was still there.  I've also tried to run a number of other tools (such as RKill, etc.) in both normal and safe mode, but the virus is obviously blocking them from starting up.  I've even tried renaming these files, but they still won't start up.

       

      I therefore have a couple of questions (answer in layman's terms please ;-)):

       

      1. What sort of virus is this and what is it doing?
      2. How do I get rid of it?
      3. Am I safe using my computer in the meantime (I'm not at present as a precaution)?
      4. Is my data at risk (eg. bank sites I have visited prior to being infected)?

       

      Any help would be greatly appreciated!

       

      Cheers,

       

       

      Fraser.

        • 1. Re: TDSS.e!RootKit
          Hayton

          Moved into Security Awareness (Home User Assistance).

           

          If this is a genuine rootkit infection you may need specialist help to remove it. I'll see what I can find out about this.

          • 2. Re: TDSS.e!RootKit
            ConorD62

            @Hayton,

             

            TDSS Killer might sound like it would do the trick.

             

            @Fraserb

             

            Have you run a tool called TDSS Killer before? If not, I can give you the instructions to do so.

            • 3. Re: TDSS.e!RootKit
              Hayton

              Okay, thanks Conor. Over to you.

              • 4. Re: TDSS.e!RootKit

                @Hayton @ConorD62 Thanks for your help.  I'm pretty sure TDSS Killer was one of the programmes I tried to run but the virus blocked.  Let me check again when I'm home this evening and I'll let you know how I get on.

                 

                Thanks again!

                • 5. Re: TDSS.e!RootKit

                  Yip, as expected, it won't run in either normal or safe mode. Any other suggestions?

                  • 6. Re: TDSS.e!RootKit
                    Hayton

                    Referring to your original post, you say that McAfee detects this rootkit and claims to have removed it. This is certainly what the Threat Database entry says, at http://vil.nai.com/vil/content/v_457262.htm.

                     

                    You also say that when you reboot your PC the infection is still there. If you get the same "Found / Removed" messages in your next scan that's obviously so, but are there any signs of this infection being present that you can see during or after startup? I want to exclude the possibility that you are being re-infected by doing something repeatedly - visiting a website, downloading something, whatever.

                     

                    Malwarebytes won't handle this, a rootkit is probably out of its league. No offence meant to MWB, but it doesn't do viruses. I'm surprised that SAS claimed to have detected it, not so surprised that it failed to remove it.

                     

                    It looks as if this rootkit is hiding in the MBR, so you may need to run a Microsoft program to fix the MBR. I noted this method in a post HERE but the details are given in a blog from Chun Feng, a Microsoft MMPC engineer. Go to the point in the blog that says "To fix the MBR:" and follow the instructions he gives there.

                     

                    WARNING : removing a rootkit may not be easy. Sometimes the best way to do it is to remove your hard drive, attach it to another PC as an external data drive, and scan it from that PC. Since the malware is hiding itself (and possibly other malware as well) from your own PC and AV programs, it's usually easier to remove it if it's not active. An active rootkit intercepts low-level communications between the processor and the disk and returns misleading data to hide its presence. An extra warning : in extreme cases it is necessary to reformat your disk and reinstall your OS, AV, and everything else; and even then you may not get rid of the rootkit. Some people say that the only sure way to get rid of one is to throw your hard disk away and start over afresh.

                     

                    But let's give this MBR fix a go and see if it works.

                     

                    Your other questions : what is it doing - nothing good, I'll be bound. If you have passwords, credit card details, addresses, email addresses, phone numbers, photos, indeed any personal information whatsoever on your PC, you must consider it as stolen and take precautions - change passwords, warn your bank and/or card companies (and check your balances and transactions now), warn your friends and contacts to watch out for anything coming from your email account that might not actually be from you.

                    That also answers your question about your data being at risk.

                     

                    And your PC is not safe to use - for anything - until the infection is removed.

                     

                    Message was edited by: Hayton on 01/07/11 20:53:13 IST
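The offline-scan advice in the post above (pull the drive, attach it to a clean PC, and look at it from there, because an active rootkit filters what the infected OS is allowed to see) can be turned into a concrete check. What follows is an added example, not code from this thread, from McAfee or from the MMPC blog it cites: it parses sector 0 (the MBR), hashes the boot code, and compares a copy of the sector read on the live system with a copy read while the drive is attached to another machine. The sample sector contents, the `build_mbr`/`check_mbr`/`diff_ranges` helper names and the "known-good" hash set are all constructed for illustration; none of the bytes are a real TDSS sample.

```python
"""Offline MBR sanity check (added example; constructed data, not real disk contents).

A rootkit living in the MBR hooks the disk driver stack, so sector 0 read on
the live system may be the clean-looking view it wants you to see.  Reading
the same drive from a clean machine gives the real bytes.  This script parses
both copies, reports where they differ, and checks the offline boot code
against a known-good hash.
"""
import hashlib
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446      # boot code occupies bytes 0..445
PARTITION_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"      # last two bytes of a valid MBR


def read_sector0(path: str) -> bytes:
    """Read the first 512 bytes of a raw device or a disk image file."""
    # Live Windows disk: r"\\.\PhysicalDrive0" (needs admin); Linux: "/dev/sda".
    # On an infected box this read goes through the hooked driver stack.
    with open(path, "rb") as f:
        return f.read(SECTOR_SIZE)


def parse_mbr(sector: bytes) -> dict:
    """Split an MBR into a boot-code hash plus the non-empty partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        status, _chs_start, ptype, _chs_end, lba_start, num_sectors = struct.unpack(
            "<B3sB3sII", sector[off:off + PARTITION_ENTRY_SIZE])
        if ptype == 0:            # empty slot
            continue
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": num_sectors})
    boot_hash = hashlib.sha256(sector[:PARTITION_TABLE_OFFSET]).hexdigest()
    return {"boot_code_sha256": boot_hash, "partitions": partitions}


def diff_ranges(a: bytes, b: bytes) -> list:
    """Byte ranges [start, end) where two sectors disagree."""
    ranges, start = [], None
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y and start is None:
            start = i
        elif x == y and start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, min(len(a), len(b))))
    return ranges


def check_mbr(live: bytes, offline: bytes, known_good_hashes: set) -> dict:
    """Compare the live and offline copies of sector 0 and classify the differences."""
    live_p, off_p = parse_mbr(live), parse_mbr(offline)
    diffs = diff_ranges(live, offline)
    return {
        "identical": not diffs,
        "boot_code_differs": any(s < PARTITION_TABLE_OFFSET for s, _ in diffs),
        "partition_table_differs": live_p["partitions"] != off_p["partitions"],
        "offline_boot_code_known_good": off_p["boot_code_sha256"] in known_good_hashes,
        "diff_ranges": diffs,
    }


# --- constructed sample data (assumption: not taken from any real drive) ---
def build_mbr(boot_code: bytes) -> bytes:
    """Assemble a 512-byte MBR: boot code, one active NTFS partition, signature."""
    boot = boot_code.ljust(PARTITION_TABLE_OFFSET, b"\x00")
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 409600)
    table = entry + b"\x00" * (3 * PARTITION_ENTRY_SIZE)
    return boot + table + BOOT_SIGNATURE


# Opening bytes of a standard Windows MBR: xor ax,ax / mov ss,ax / mov sp,0x7c00
CLEAN_BOOT = b"\x33\xc0\x8e\xd0\xbc\x00\x7c"
# Stand-in for a hijacked boot stub (jmp plus padding); purely illustrative
HOOKED_BOOT = b"\xeb\x00\x90\x90\x90\x90\x90"

CLEAN_MBR = build_mbr(CLEAN_BOOT)
HOOKED_MBR = build_mbr(HOOKED_BOOT)
# In practice this set comes from a known-clean install of the same Windows version.
KNOWN_GOOD = {parse_mbr(CLEAN_MBR)["boot_code_sha256"]}

if __name__ == "__main__":
    # The thread's situation: the live system presents a clean MBR because the
    # rootkit filters the read, while the offline copy shows what is on disk.
    print(check_mbr(live=CLEAN_MBR, offline=HOOKED_MBR, known_good_hashes=KNOWN_GOOD))
```

To use it on a real drive, save sector 0 on the suspect machine with `read_sector0(r"\\.\PhysicalDrive0")` (run as administrator), then attach the drive to a clean PC and read it again from whatever device name it gets there; `boot_code_differs` being true for the same physical disk is exactly the "misleading data" symptom the post describes. A matching pair that is still not in the known-good set means both views are wrong, which is the case where scanning from the clean machine, or rewriting the MBR as the MMPC blog describes, is the only way forward.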
                    • 7. Re: TDSS.e!RootKit
                      Hayton

                      I should have thought of this earlier : I downloaded McAfee's Stinger tool and TDSS!e Rootkit is in the list of infections which the Stinger is designed to deal with. See the entry for Stinger in this document, which gives a link to download it. The same document also gives you links to specialist malware-removal forums such as MajorGeeks and BleepingComputer.

                       

                      Be sure to read the instructions carefully, and also the extra instructions in there for XP users if that applies to you.


                      • 8. Re: TDSS.e!RootKit

                        Thanks for all that help, Hayton.  I've managed to download and run the Stinger, but it still doesn't find the virus (although it runs fine).  I even disabled the restore function as per the XP instructions and that didn't make a difference.  Any other ideas, or is it wipe-the-hard-drive-and-start-again time?

                        • 9. Re: TDSS.e!RootKit

                          I should have also added that after being identified and "deleted" during a standard McAfee scan, each time I reboot and run a new scan (before starting any other programmes) the scan finds and deletes the same virus.  I also downloaded the Fake Alert Stinger as well as the Stinger programme, but neither seems to find it.  I have just realised that I didn't follow all of the instructions in your earlier post re: MBR, so I'll run that tonight to see if that helps.  Will keep you posted.
