Jon (j_b) wrote,

TDSS rootkit

Helping a friend recover a machine for which format-and-reinstall isn't an option...

The machine would boot up but any attempt to get to Windows Update would be instantly blocked (connection closed) from any web browser on the system. Also web surfing would have random popups inserted.

It skated through with no detections from:
* ClamAV
* F-Secure Rescue CD
* AVG Rescue CD
* Norton Internet Security Suite
* Microsoft Security Essentials
* MalwareBytes
* HijackThis
* Sysinternals Rootkit Revealer
* Avira AntiVir
* AVAST Antivirus
* BleepingComputer ComboFix
* AVG Free Edition suite
* ESET NOD32 Antivirus/antispyware
* Kaspersky Antivirus Free Trial Edition
* SUPERAntiSpyware

However, MalwareBytes, ComboFix, and Kaspersky identified that the machine was infected with the "TDS" rootkit, but couldn't do anything about it.

The TDSS rootkit remover from here seems to have worked:

It's now testing clean (with GMER) and accessing Windows Update properly.

Very interesting analysis of the rootkit from here: