35160 Views 35 Replies Latest reply: Nov 13, 2011 4:20 PM by flyingninja
fraserb Newcomer 6 posts since Jun 30, 2011

Jun 30, 2011 10:43 AM

TDSS.e!RootKit

Hi there,

 

It seems that I have been infected with the above virus but I can't get rid of it. Forgive me but my technical knowledge is pretty limited. Each time McAfee starts up I get a message saying it has found and removed the TDSS.e!RootKit virus, but it doesn't actually go. I've also run Malwarebytes Anti-Malware and it certainly removed other viruses which seem to have been attached to this, but it doesn't even recognise this one. I then tried Super Anti Spyware which at least recognised the virus and said it had removed it, but when I rebooted it was still there. I've also tried to run a number of other functions (such as RKill, etc.) in both normal and safe modes but the virus is obviously blocking them from starting up. I've even tried renaming these files but they still won't start up.

 

I therefore have a couple of questions (answer in layman's terms please ;-)):

 

  1. What sort of virus is this and what is it doing?
  2. How do I get rid of it?
  3. Am I safe using my computer in the meantime (I'm not at present as a precaution)?
  4. Is my data at risk (eg. bank sites I have visited prior to being infected)?

 

Any help would be greatly appreciated!

 

Cheers,

 

 

Fraser.

  • Hayton Volunteer Moderator 4,588 posts since
    Sep 27, 2010
    1. Jun 30, 2011 11:38 AM (in response to fraserb)
    Re: TDSS.e!RootKit

    Moved into Security Awareness (Home User Assistance).

     

    If this is a genuine rootkit infection you may need specialist help to remove it. I'll see what I can find out about this.


    Volunteer Moderator  Leeds, UK
    No PM's please
  • ConorD62 Champion 586 posts since
    Apr 9, 2010
    2. Jun 30, 2011 3:08 PM (in response to Hayton)
    Re: TDSS.e!RootKit

    @Hayton,

     

    TDSS Killer might sound like it would do the trick.

     

    @Fraserb

     

    Have you run a tool called TDSS Killer before? If not, I can give you the instructions to do so.


    If you need any help, please send me a message, the same goes for any malware questions.
  • Hayton Volunteer Moderator 4,588 posts since
    Sep 27, 2010
    3. Jun 30, 2011 7:16 PM (in response to ConorD62)
    Re: TDSS.e!RootKit

    Okay, thanks Conor. Over to you.


    Volunteer Moderator  Leeds, UK
    No PM's please
  • Hayton Volunteer Moderator 4,588 posts since
    Sep 27, 2010
    6. Jul 1, 2011 2:53 PM (in response to fraserb)
    Re: TDSS.e!RootKit

    Referring to your original post, you say that McAfee detects this rootkit and claims to have removed it. This is certainly what the Threat Database entry says, at http://vil.nai.com/vil/content/v_457262.htm.

     

    You also say that when you reboot your PC the infection is still there. Obviously, if you get the same "Found / Removed" messages in your next scan that's obviously so, but are there any signs of this infection being present that you can see during or after startup? I want to exclude the possibility that you are being re-infected by doing something repeatedly - visiting a website, downloading something, whatever.

     

    Malwarebytes won't handle this, a rootkit is probably out of its league. No offence meant to MWB, but it doesn't do viruses. I'm surprised that SAS claimed to have detected it, not so surprised that it failed to remove it.

     

    It looks as if this rootkit is hiding in the MBR, so you may need to run a Microsoft program to fix the MBR. I noted this method in a post HERE but the details are given in a blog from Chun Feng, a Microsoft MMPC engineer. Go to the point in the blog that says "To fix the MBR:" and follow the instructions he gives there.

     

    WARNING : removing a rootkit may not be easy. Sometimes the best way to do it is to remove your hard drive and attach it to another PC as an external data drive, and scan it from that PC. Since the malware is hiding itself (and possibly other malware as well) from your own PC and AV programs it's usually easier to remove it if it's not active. An active rootkit intercepts low-level communications between the processor and the disk and returns misleading data to hide its presence. An extra warning : in extreme cases it is necessary to reformat your disk and reinstall your OS, AV, and everything else; and even then you may not get rid of the rootkit. Some people say that the only sure way to get rid of one is to throw your hard disk away and start over afresh.

     

    But let's give this MBR fix a go and see if it works.

     

    Your other questions : what is it doing - nothing good, I'll be bound. If you have passwords, credit card details, addresses, email addresses, phone numbers, photos, indeed any personal information whatsoever on your PC, you must consider it as stolen and take precautions - change passwords, warn your bank and/or card companies (and check your balances and transactions now), warn your friends and contacts to watch out for anything coming from your email account that might not actually be from you.

    That also answers your question about your data being at risk.

     

    And your PC is not safe to use - for anything - until the infection is removed.

     

    Message was edited by: Hayton on 01/07/11 20:53:13 IST

    Volunteer Moderator  Leeds, UK
    No PM's please
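Hayton's post above says the rootkit is hiding in the MBR and that an active rootkit returns misleading disk data. The following is an added example (not code from this thread or from McAfee) of the check a defender would want before and after an MBR fix: parse the 512-byte master boot record, verify the 0x55AA boot signature, and compare the bootstrap code and partition table against a trusted baseline copy. The sample MBRs are constructed in the script; no real disk is read.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446      # bootstrap code: bytes 0..445
PART_TABLE_OFF = 446     # four 16-byte partition entries: bytes 446..509
BOOT_SIG = b"\x55\xAA"   # boot signature: bytes 510..511

def parse_mbr(sector: bytes) -> dict:
    """Split a raw 512-byte MBR into boot-code hash, partition table and signature flag."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        # entry layout: status, CHS start (3), type, CHS end (3), LBA start, sector count
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, PART_TABLE_OFF + 16 * i)
        if ptype != 0:  # partition type 0 marks an unused slot
            parts.append({"status": status, "type": ptype, "lba": lba, "count": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": parts,
        "signature_ok": sector[510:512] == BOOT_SIG,
    }

def check_mbr(sector: bytes, baseline: bytes) -> list:
    """Compare a freshly read MBR against a trusted baseline and return a list of findings."""
    cur, ref = parse_mbr(sector), parse_mbr(baseline)
    findings = []
    if not cur["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if cur["boot_code_sha256"] != ref["boot_code_sha256"]:
        findings.append("bootstrap code differs from baseline")
    if cur["partitions"] != ref["partitions"]:
        findings.append("partition table differs from baseline")
    for p in cur["partitions"]:
        if p["status"] not in (0x00, 0x80):  # only inactive/active are valid status values
            findings.append("partition status byte 0x%02x is invalid" % p["status"])
    return findings

def build_sample_mbr(boot_code: bytes) -> bytes:
    """Construct a sample MBR (not a real disk image) with one active NTFS-type partition."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 204800)
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00") + entry + b"\x00" * 48 + BOOT_SIG

CLEAN_MBR = build_sample_mbr(b"\xFA\x33\xC0\x8E\xD0")  # constructed stand-in for clean boot code
TAMPERED_MBR = build_sample_mbr(b"\xEB\xFE\x90\x90")   # constructed: bootstrap bytes replaced

if __name__ == "__main__":
    print("clean:", check_mbr(CLEAN_MBR, CLEAN_MBR))
    print("tampered:", check_mbr(TAMPERED_MBR, CLEAN_MBR))
```

Because an active rootkit can lie about sector contents, read both the baseline and the sector under test from a clean system or with the drive attached to another PC, as suggested above.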
  • Hayton Volunteer Moderator 4,588 posts since
    Sep 27, 2010
    7. Jul 1, 2011 3:22 PM (in response to fraserb)
    Re: TDSS.e!RootKit

    I should have thought of this earlier : I downloaded McAfee's Stinger tool and TDSS!e Rootkit is in the list of infections which the Stinger is designed to deal with. See the entry for Stinger in this document, which gives a link to download it. The same document also gives you links to specialist malware-removal forums such as MajorGeeks and BleepingComputer.

     

    Be sure to read the instructions carefully, and also the extra instructions in there for XP users if that applies to you.

    Stinger.JPG


    Volunteer Moderator  Leeds, UK
    No PM's please