
Rootkit.tdss removal

Discussion in 'Virus & Other Malware Removal' started by 08roopb, Sep 22, 2009.

  1. Kenny94

    Kenny94 Banned

    Joined:
    Dec 16, 2004
    Messages:
    2,026
    Ok, let's try this:


    Open Notepad and copy and paste the text in the code box below into it:

    Code:
    KILLALL::
    
    Rootkit::
    c:\windows\system32\tdlwsp.dll
    c:\windows\system32\tdlwsp.dll
    Save the file to your desktop and name it CFScript.txt

    Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.






    This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply. And run Malwarebytes in "Perform Full Scan" mode, and post the MBAM report please. Be sure to update Malwarebytes before the scan... And post the report with Combofix.txt.

    Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.
     
  2. 08roopb

    08roopb Thread Starter

    Joined:
    Sep 22, 2009
    Messages:
    13
    I get a blue screen when I run ComboFix, right when it starts scanning, after it creates a backup.
     
  3. Kenny94

    Kenny94 Banned

    Joined:
    Dec 16, 2004
    Messages:
    2,026
    Go ahead and run Malwarebytes in "Perform Full Scan" mode, and post the MBAM report please. Be sure to update Malwarebytes before the scan...
     
  4. 08roopb

    08roopb Thread Starter

    Joined:
    Sep 22, 2009
    Messages:
    13
    Here it is.
     

    Attached Files:

  5. Kenny94

    Kenny94 Banned

    Joined:
    Dec 16, 2004
    Messages:
    2,026
    Hi 08roopb

    This should do the trick. Let's see....

    Open Notepad and copy and paste the text in the code box below into it:

    Code:
    FCOPY::
    C:\Windows\ServicePackFiles\i386\nvata.sys|C:\Windows\System32\drivers\nvata.sys
    Save the file to your desktop and name it CFScript.txt

    Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.






    This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.
     
  6. 08roopb

    08roopb Thread Starter

    Joined:
    Sep 22, 2009
    Messages:
    13
    Here it is.
     

    Attached Files:

  7. Kenny94

    Kenny94 Banned

    Joined:
    Dec 16, 2004
    Messages:
    2,026
    Something was missed by the CFScript you ran before. Can you run it again please.


    Open Notepad and copy and paste the text in the code box below into it:

    Code:
    FCOPY::
    C:\Windows\ServicePackFiles\i386\nvata.sys|C:\Windows\System32\drivers\nvata.sys
    Save the file to your desktop and name it CFScript.txt

    Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.






    This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.
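The FCOPY:: directive in the two CFScripts above replaces the installed nvata.sys with the untouched copy that Windows XP keeps in ServicePackFiles\i386, because TDSS-family rootkits of that era patched a legitimate driver rather than dropping a new file. The following is an added example, not code from the thread or from ComboFix: it shows the check a responder would do before and after such a restore, comparing the installed driver to its cached reference copy by SHA-256 and size. The Windows paths in the defaults are the ones quoted in the script; the demo runs offline on two constructed stand-in files in a temporary directory, with the "installed" copy deliberately altered so the mismatch is visible.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# The driver pair used in the thread's FCOPY:: line (installed copy | reference copy).
INSTALLED_DRIVER = r"C:\Windows\System32\drivers\nvata.sys"
REFERENCE_DRIVER = r"C:\Windows\ServicePackFiles\i386\nvata.sys"


def sha256_of(path):
    """Hash a file in chunks so large drivers do not need to be read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_driver(installed=INSTALLED_DRIVER, reference=REFERENCE_DRIVER):
    """Compare an installed driver with its cached reference copy.

    Returns a dict with status 'match', 'mismatch', 'missing' (installed file absent)
    or 'no-reference' (no cached copy to compare against), plus hashes and size delta
    where both files exist.
    """
    result = {"installed": str(installed), "reference": str(reference)}
    if not os.path.isfile(reference):
        result["status"] = "no-reference"
        return result
    if not os.path.isfile(installed):
        result["status"] = "missing"
        return result
    inst_hash, ref_hash = sha256_of(installed), sha256_of(reference)
    result["installed_sha256"] = inst_hash
    result["reference_sha256"] = ref_hash
    # A patched driver is usually larger than the original (code appended), so report the delta.
    result["size_delta"] = os.path.getsize(installed) - os.path.getsize(reference)
    result["status"] = "match" if inst_hash == ref_hash else "mismatch"
    return result


def demo(tampered=True):
    """Run the comparison on constructed files mirroring the XP directory layout.

    tampered=True appends bytes to the 'installed' copy (constructed stand-in for a
    patched driver); tampered=False leaves both copies identical.
    """
    with tempfile.TemporaryDirectory() as d:
        ref = Path(d) / "ServicePackFiles" / "i386" / "nvata.sys"
        inst = Path(d) / "System32" / "drivers" / "nvata.sys"
        ref.parent.mkdir(parents=True)
        inst.parent.mkdir(parents=True)
        clean = b"MZ" + b"\x00" * 1024          # constructed: not a real PE image
        ref.write_bytes(clean)
        inst.write_bytes(clean + b"\x90" * 16 if tampered else clean)
        return compare_driver(inst, ref)


if __name__ == "__main__":
    for tampered in (True, False):
        r = demo(tampered)
        print(f"tampered={tampered}: {r['status']} (size delta {r.get('size_delta')})")
```

On a real XP machine the function would be called with no arguments so the defaults point at the actual driver pair; a 'mismatch' result before the FCOPY step and a 'match' afterwards confirms that the restore took effect, which is what the repeated script in this thread was meant to achieve.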
     
  8. 08roopb

    08roopb Thread Starter

    Joined:
    Sep 22, 2009
    Messages:
    13
    Hi, sorry it took me a few days to reply, I was away. I think the rootkits are gone, Malwarebytes doesn't detect them anymore. Thanks for all the help. I'll post the ComboFix log just in case.
     

    Attached Files:

  9. Kenny94

    Kenny94 Banned

    Joined:
    Dec 16, 2004
    Messages:
    2,026
    That was it.... Nice job! Let's run a virus scan to make sure all infections are gone. We are almost done here.....:)

    Please run the F-Secure Online Scanner

    Note: You must use Internet Explorer for this scan!
    • Accept the License Agreement.
    • Once the ActiveX installs click Full System Scan
    • Once the download completes, the scan will begin automatically.
    • The scan will take some time to finish, so please be patient.
    • When the scan completes, click the Automatic cleaning (recommended) button.
    • Click the Show Report button and copy and paste the entire report in your next reply.
     
  10. 08roopb

    08roopb Thread Starter

    Joined:
    Sep 22, 2009
    Messages:
    13
    Scanning Report

    Wednesday, October 7, 2009 12:43:42 - 12:49:51

    Computer name: LLBPULF
    Scanning type: Quick scan
    Target: System

    No malware found

    Statistics

    Scanned:

    • Files: 4110
    • System: 4110
    • Not scanned: 0

    Actions:

    • Disinfected: 0
    • Renamed: 0
    • Deleted: 0
    • Not cleaned: 0
    • Submitted: 0
     
  11. Kenny94

    Kenny94 Banned

    Joined:
    Dec 16, 2004
    Messages:
    2,026
    Your computer is clean......(y)


    Some final items:


    Follow these steps to uninstall Combofix and all of its files and components.
    • Click START then RUN
    • Now type ComboFix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.



    Remove all but the most recent Restore Point on Windows XP

    You should Create a New Restore Point to prevent possible reinfection from an old one.
    Some of the malware you picked up could have been saved in System Restore.
    Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point.
    Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

    The easiest and safest way to do this is:
    • Go to Start > Programs > Accessories > System Tools and click "System Restore".
    • If the shortcut is missing you can also click on START > RUN > and type in %SystemRoot%\system32\restore\rstrui.exe and click OK
    • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next".
    • Give the new Restore Point a name, then click "Create".
    • The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
    • Then use the Disk Cleanup to remove all but the most recently created Restore Point.
    • Go to Start > Run and type: Cleanmgr.exe
    • Select the drive where Windows is installed and click "Ok". Disk Cleanup will scan your files for several minutes, then open.
    • Click the "More Options" tab, then click the "Clean up" button under System Restore.
    • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
    • Click Yes, then click Ok.
    • Click Yes again when prompted with "Are you sure you want to perform these actions?"
    • Disk Cleanup will remove the files and close automatically.
    • On the Disk Cleanup tab, if the System Restore: Obsolete Data Stores entry is available remove them also.
    • These are files that were created before Windows was reformatted or reinstalled. They are obsolete and you can delete them.

    Additional information
    Microsoft KB article: How to turn off and turn on System Restore in Windows XP
    Bert Kinney's site: All about Windows System Restore




    Here is some useful information on keeping your computer clean:
    1. The most important thing is to make sure Windows is kept up to date with the latest patches and updates from Windows Update.
    2. Here are two great preventive programs:
    • SpywareBlaster protects you from malicious ActiveX controls and cookies. Make sure to check for updates twice a month.
    • Surf safe with McAfee's SiteAdvisor. SiteAdvisor works with Internet Explorer and Mozilla Firefox. SiteAdvisor is a browser plugin that assigns a safety rating to domains listed in your search engine. SiteAdvisor uses the following color codes to indicate the safety level of each site:
    • Red for Warning
    • Yellow for Use Caution
    • Green for Safe
    • Grey for Unknown

    Here are the links to install SiteAdvisor in Internet Explorer and Firefox



    Now you should Clean up your PC


    Here are some additional links for you to check out to help you with your computer security.

    How did I get infected in the first place.

    Secunia software inspector & update checker

    Malware And Spyware Tips

    It was a pleasure working with you 08roopb...
     
Short URL to this thread: https://techguy.org/862832