Full Version: rootkit.win32.TDss.d detected but not deleted
SWMBO
1% through Kaspersky's full scan, it detects rootkit.win32.TDss.d, tries to delete it & reboot, but it's still there when rebooted. I'm stuck in an endless loop of it detecting it, trying to delete & reboot, detecting it......

A full scan in safe mode completes, but doesn't get rid of it. I've also tried using Trend's housecall and Malwarebytes antimalware.

GSI log: http://www.getsysteminfo.com/read.php?file...9b64f03c94e0c28
Lucian Bara
Hello
post a combofix log please:
Download it here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe . Save the file to your desktop.

Now, please make sure no other programs are running, close all other windows and pause Kaspersky (Choose the option "resume manually" if still active) until after the scanning and removal process has taken place.

Please double click on the file you downloaded. Follow the onscreen prompts to start the scan.
Once the scanning process has started please DO NOT click on the Combofix window or attempt to use your computer as this can cause the scanning process to stall. It may take a while to complete scanning and this is normal.

You will be disconnected from the internet and your desktop icons/toolbars will disappear during scanning, do not worry, this is normal and it will be restored after scanning has completed.

Combofix will create a logfile and display it after your computer has rebooted. Usually located in c:\combofix.txt , please attach it to your next post. Also, please don't forget to resume the Kaspersky that you paused.
SWMBO
here you go...
Lucian Bara
run this script
CODE
begin
CreateQurantineArchive('c:\quarantine.zip');
end.


A file called quarantine.zip should be created in C:\. Then please zip up C:\qoobox\quarantine and upload both it and C:\quarantine.zip to the viruslab by using the WebForm: http://support.kaspersky.ru/virlab/helpdesk.html?LANG=en . Uninstall Combofix by: pause Kaspersky > Start > run > type combofix /u > ok. Restart Kaspersky.

Clear the detected list in Kaspersky: Click the Detected Button in the main window, right click in the list and choose "discard all". Make a full scan with Kaspersky and remove what it detects. Post a screenshot of the detected list afterwards.
SWMBO
QUOTE(Lucian Bara @ 28.03.2010 18:42)
run this script
CODE
begin
CreateQurantineArchive('c:\quarantine.zip');
end.


A file called quarantine.zip should be created in C:\. Then please zip up C:\qoobox\quarantine and upload both it and C:\quarantine.zip to the viruslab by using the WebForm: http://support.kaspersky.ru/virlab/helpdesk.html?LANG=en .

Done

QUOTE
Uninstall Combofix by: pause Kaspersky > Start > run > type combofix /u > ok. Restart Kaspersky.

Combofix won't uninstall. combofix /u causes it to run a scan. Something is now preventing internet access from that pc.
SWMBO
Status: Disinfected (events: 2)
29/03/2010 00:46:00 Disinfected virus Rootkit.Win32.Tdss.ai C:\Qoobox\Quarantine.zip High
29/03/2010 00:45:56 Disinfected virus Rootkit.Win32.Tdss.ai C:\Qoobox\Quarantine.zip/Quarantine/C/WINDOWS/system32/drivers/atapi.sys.vir High

THANK YOU!

Internet access is back, but still can't get combofix to uninstall - I get an error message saying Incompatible OS.