Infected by Rootkit.Win32.TDSS

**shazz** · 10.04.2010, 01:12

Hi,

My PC has been infected by Rootkit.Win32.TDSS.d. After several failed attempts of removing the virus I've decided to post here.

See attached for my log file created by Kaspersky Virus Removal Tool.

Any help would be greatly appreciated.

Thanks.

**Aleksandra** · 10.04.2010, 01:54

1. Please, disable System Restore and antivirus (if you have).
2. Execute this script in AVPTool:

Код:

begin
SetAVZGuardStatus(True);
 QuarantineFile('C:\WINDOWS\system32\sdra64.exe','');
 DeleteFile('C:\WINDOWS\system32\sdra64.exe');
BC_ImportDeletedList;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.

3. After reboot execute this script in AVPTool:

Код:

begin
 CreateQurantineArchive(GetAVZDirectory+'quarantine.zip');
end.

Upload file quarantine.zip, by link http://virusinfo.info/upload_virus.php?tid=75795

3. Make a new log of AVPTool.

4. Make a log of GMER http://virusinfo.info/showthread.php?t=51878

**shazz** · 10.04.2010, 02:48

Many thanks for your quick reply.

I followed steps 1, 2 and 3 successfully. However when I try making a log file using GMER I either get a blue screen or the application crashes (see attached screenshot)

What do I do?

**Aleksandra** · 10.04.2010, 08:39

1. Start the file Vba32Arkit.exe with double click.
2. Press the button Start and let Vba32Arkit to make a FULL SCAN of your system.
3. After scanning press the button File -> Save Zipped.. an save the logfile.
4. Attach the logfile to your new message.

**shazz** · 11.04.2010, 02:28

Thank you.

I've attached the VBA32ARKIT Log file here.

**Aleksandra** · 11.04.2010, 07:25

1. Replace C:\WINDOWS\System32\Drivers\isapnp.sys with a clean file from any similar system or from Windows CD using recovery console or Live CD.

2. Make a new log of Vba32Arkit.

**shazz** · 12.04.2010, 01:55

Hi,

I replaced the isapnp.sys file from another clean machine then I restarted my PC and generated the log file you asked for. See Attached.

**Rene-gad** · 12.04.2010, 12:45

- Execute following script in Manual disinfection

Код:

begin
QuarantineFile('C:\WINDOWS\System32\Drivers\isapnp.sys','');
CreateQurantineArchive('C:\quarantine.zip');
end.

and upload the C:\quarantine.zip over the link Upload quarantined files on the top of this page.

**shazz** · 13.04.2010, 01:27

Hi,

I tried using the quarantine upload button at the top of the page however everytime i try and upload the file I am told that the file already exists. I've tried renaming the file which gives the same result.

Forgive me if I have broken the rules but I've attached the file to this post.

Regards

**Aleksandra** · 13.04.2010, 05:53

Check your system with Live CD: http://www.freedrweb.com/livecd/?lng=en

**shazz** · 14.04.2010, 02:27

Aleksandra,

When I boot with Live CD I'm not sure if my system hangs once the interface is loaded or whether the mouse and keyboard are not operational. Is this normal?

I'm currently performing the scan using Live CD Safe Mode. I will let you know the results.

**Rene-gad** · 14.04.2010, 11:12

Сообщение от shazz

Is this normal?

No, it is not. Possibly you've burned Live CD with too high speed, for any Boot-CD you have to use the lowest one.

**CyberHelper** · 15.04.2010, 11:12

Статистика проведенного лечения:

Получено карантинов: 1
Обработано файлов: 2
В ходе лечения вредоносные программы в карантинах не обнаружены

Infected by Rootkit.Win32.TDSS

Опции темы

Infected by Rootkit.Win32.TDSS

Итог лечения

Похожие темы

Rootkit.Win32.TDSS cleaner, утилита для удаления троянца TDSS от eSage Lab

Rootkit.Win32.TDSS.d

Rootkit.Win32.TDSS.d / BackDoor.Tdss.565

Infected with packed.win32.tdss.aa

Rootkit.Win32.TDSS.a

Ваши права в разделе