rootkit.win32.tdss.tdl4 having trouble removing it

I have a client's PC in front of me with rootkit.win32.tdss.tdl4 and I am having trouble removing it.

The PC only has 1 profile and is Windows XP Pro. System Restore is disabled.

So far I have tried the following.
Rkill to kill the process (nothing found except for Rkill)
Software-based tools were tried first
F-Secure: no results
Stinger: no results
TDSSKiller finds it and cures it, but it comes back (System Restore is disabled)
BlackLight: no results
ESET finds it as (Eolmarik) but cannot fix it, so I downloaded the separate Eolmarik removal tool (it cannot find it), so no results
ComboFix finds the rootkit(s) and removes them, but it is still present

Manual removal
Removed the following files:
system32\UACdfqsytqwwyfllri.dll
system32\UACsnbfuyfvmevqlyg.dll
and the registry keys associated with them, or at least I think I did, but it has come back :rolleyes:

I will go through the manual process again; maybe I missed a key. Any help would be appreciated, thanks.
 
If it is coming back after a reboot, slave the drive and scan it with Kaspersky.

I recently worked on a PC that scanned completely clean but had random svchost crashes and redirects. TDSS would sometimes be detected. Turns out the virus was in the MBR and could only be found by an offline scan.
 
Run ComboFix in Safe Mode without networking and it will get rid of it, then run TDSSKiller from Kaspersky in Safe Mode to see if it has been removed. Then boot into real mode and run your other cleaning tools; just make sure there are no other antivirus products running and that you have disabled your internet connection.
 
I do agree: use Hitman Pro, it will pick it up. I'm getting pretty happy with the results. Also try your Windows XP recovery disk and let it fix the MBR.

If you slave it and you're having issues now, you can pick it up on your machine, correct me if I'm wrong. Just thinking, if it's being bad now to drop, imagine if you got 2 machines with it.

I don't mean to knock any techs here, but ComboFix should be the last thing to use. Most people use it not knowing what it can really do, and it can kill you more than it can help. It is an awesome tool, I love it, but I use it for the last stab.
 
I have seen this one many times. The trick is not to boot from the drive: use the Windows CD to boot to the repair shell, fixmbr, and then scan the drive slaved.
If you do not get rid of the rootkit dropper files, you will re-infect the boot block on reboot.
Many BIOSes have boot block protection; if you turn it on, you can check for changes in the boot block.
Kaspersky needs to update TDSSKiller; it misses the rootkit dropper files that re-infect the boot block.
 
If you slave it and you're having issues now, you can pick it up on your machine, correct me if I'm wrong. Just thinking, if it's being bad now to drop, imagine if you got 2 machines with it.

Simply slaving a HDD will not infect your computer. If you are running files off an infected machine on your own computer, then you deserve to get a virus.
 
What do you need to know about ComboFix to make it safe to use?

When using ANY automated tools such as ComboFix to remove stuff, you can do more damage to the OS than fixing it. It is beyond recommended to have a backup of the machine beforehand; that way you can drop back to it. In this case the recovery console is disabled, so unless the OP makes a quick image, I would avoid it.

Hint: why does the majority of your security software give you a warning when you have ComboFix on your computer? Because it works at such a level that it can be damaging to your OS. It's been a while since I have needed it, but it should prompt you to close all windows/apps and set up a recovery point. But I have seen many techs and end users in other forums fail at following those 2 simple steps, and they have bigger issues now; everything is even more down the drain.

I have never had to slave an infected drive, so I never got any issues on any of my machines. I only slave when I have to. Thanks for clearing that up. I do know I have put my USB in infected machines and transferred them to my workbench, but nothing that isn't easy to kill.
 
FYI for everyone here, I just had that infection; ran TDSSKiller, which did remove a few items and identified the same rootkit, and then ran fixmbr from a Windows CD. Prior to fixmbr, mbr.exe (from the GMER folks) was still showing a rootkit. Afterwards, mbr.exe showed clean (reported "user and kernel mbr ok"), although it said "Copy of mbr has been found in Sector 2". Computer ran fine; GMER showed no other infection, TDSSKiller showed clean, and I didn't find anything else with Malwarebytes and ComboFix. I declared it clean after several reboots and returned it to the customer. Don't think there was anything else I could do at that point, unless someone else can chime in with another suggestion. (I mention this here as help to our initial poster on the topic.)
 
What is the significance of the "copy of the mbr" message mbr fix gives? I've seen it a few times on systems with no rootkit as far as I could tell.
 
Yep, MobileTechie, that's what I was wondering. Googling didn't come up with much of an answer; that's why I declared my situation clean.
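Two points in this thread lend themselves to a concrete check: the advice to watch the boot block for changes (boot block protection in the BIOS, rescanning after fixmbr) and the mbr.exe finding that a copy of the MBR was sitting in a later sector. The script below is an added example, not code from the thread or from any of the tools named in it. It works on a raw image of a slaved drive (the first sectors of a dd copy, or a block device opened read-only), parses sector 0, compares its boot-code bytes against a SHA-256 recorded when the machine was known clean, and then looks through the following sectors for another sector carrying that same boot code. The disk image, boot-code bytes and partition layout used here are constructed for the demonstration; the hash a technician would keep on file is taken from their own clean machine.

```python
"""Offline MBR integrity check over a raw disk image (added example).

Reads sector 0, validates the 0x55AA signature, parses the partition table,
compares the boot code (bytes 0..439) against a known-good SHA-256 taken when
the disk was clean, and searches later sectors for a copy of that boot code.
All sample data below is constructed; it is not taken from any real disk.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440        # bytes 0..439 hold boot code; 440..445 disk signature/padding
PART_TABLE_OFF = 446       # four 16-byte partition entries follow
SIGNATURE = b"\x55\xaa"    # bytes 510..511 of every valid MBR
PART_ENTRY = "<B3xB3xII"   # status, (CHS start), type, (CHS end), LBA start, sector count


def parse_mbr(sector: bytes) -> dict:
    """Return signature validity and the non-empty partition-table entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly one 512-byte sector")
    partitions = []
    for i in range(4):
        status, ptype, lba_start, count = struct.unpack_from(
            PART_ENTRY, sector, PART_TABLE_OFF + 16 * i)
        if ptype != 0:                       # type 0 means the slot is unused
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": count})
    return {"valid_signature": sector[510:512] == SIGNATURE,
            "partitions": partitions}


def boot_code_hash(sector: bytes) -> str:
    """SHA-256 of the boot-code region only; the partition table is allowed to differ."""
    return hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()


def find_boot_code_copies(image: bytes, reference_hash: str, max_sectors: int = 64) -> list:
    """Indices (> 0) of sectors that end in 55AA and carry the reference boot code."""
    hits = []
    for n in range(1, min(max_sectors, len(image) // SECTOR_SIZE)):
        sec = image[n * SECTOR_SIZE:(n + 1) * SECTOR_SIZE]
        if sec[510:512] == SIGNATURE and boot_code_hash(sec) == reference_hash:
            hits.append(n)
    return hits


def check_image(image: bytes, known_good_hash: str) -> dict:
    """Combine the three checks into one report for sector 0 of the image."""
    sector0 = image[:SECTOR_SIZE]
    report = parse_mbr(sector0)
    report["boot_code_matches_baseline"] = boot_code_hash(sector0) == known_good_hash
    report["baseline_copies_in_sectors"] = find_boot_code_copies(image, known_good_hash)
    return report


# ---- constructed sample data -------------------------------------------------
def build_mbr(boot_code: bytes, partitions) -> bytes:
    """Assemble a 512-byte MBR from boot code and (bootable, type, lba, count) tuples."""
    sec = bytearray(SECTOR_SIZE)
    sec[:len(boot_code)] = boot_code
    for i, (bootable, ptype, lba, count) in enumerate(partitions):
        struct.pack_into(PART_ENTRY, sec, PART_TABLE_OFF + 16 * i,
                         0x80 if bootable else 0x00, ptype, lba, count)
    sec[510:512] = SIGNATURE
    return bytes(sec)


PARTS = [(True, 0x07, 63, 2_000_000)]                       # one bootable NTFS-type entry
CLEAN_BOOT_CODE = b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * 40      # stand-in for the clean loader
REPLACED_BOOT_CODE = b"\xeb\x3c\x90" + b"\xcc" * 40           # stand-in for altered boot code

CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, PARTS)
KNOWN_GOOD_HASH = boot_code_hash(CLEAN_MBR)                 # what you would keep on file

# Constructed image: sector 0 has replaced boot code, sector 2 holds a copy of the clean MBR.
SAMPLE_IMAGE = (build_mbr(REPLACED_BOOT_CODE, PARTS)
                + bytes(SECTOR_SIZE) + CLEAN_MBR + bytes(SECTOR_SIZE * 5))

if __name__ == "__main__":
    result = check_image(SAMPLE_IMAGE, KNOWN_GOOD_HASH)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Against a real disk you would replace SAMPLE_IMAGE with the first few dozen sectors read from the slaved device and KNOWN_GOOD_HASH with the value recorded from a clean install of the same OS version. A mismatch in sector 0 together with a copy of the baseline boot code in a later sector is exactly the pattern to re-check after running fixmbr, before declaring the drive clean; a mismatch alone also appears after legitimate boot-loader changes, so the baseline has to be tied to the machine's own history.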
 
The issue has been 100% resolved, thank you.

I overlooked that the quarantine folder was being picked up as being infected, and I had not repaired the MBR... Noted for next time this pops up not to skip obvious steps.
 

I too use Hitman Pro and it is a good tool, but its downfall is that it requires an internet connection so it can scan in the cloud. This is not OK because the rootkit will keep reinfecting the MBR as it is downloading from the internet. To remove this MBR rootkit you need to be disconnected from the internet and to run ComboFix in Safe Mode. As for the safety of ComboFix, I have never had a problem with it because I always run it in Safe Mode without a network connection and without interruptions from AV software and the like.
 