Win32.TDSS.rtk Removal Help Needed


Zo

May 2, 2009, 7:20:28 AM
I've been trying for the last couple of days to get rid of this problem
and nothing seems to work. Tried using the following:

Spyware Terminator - shows system clean
SuperAntiSpyware - shows system clean
Malwarebytes Anti-Malware - shows system clean
Avira Antivirus - shows nothing in results
Spybot Search and Destroy - Shows the Win32.TDSS.rtk
RootRepeal - Shows one instance of it

Spybot goes through the cycle that the problem has been fixed, but a
rescan shows that it is still present.

The scans are being performed with hidden files and hidden system files
being shown.

Also tried the Windows Malicious Software Removal Tool Version
2.9.2441.0 with negative results also.

Can anyone help please? This thing is driving me nuts! tia

--
Zo
New Lemon Scented Tagline *****


David H. Lipman

May 2, 2009, 7:28:36 AM
From: "Zo" <hom...@newsbill.net>


You have a TDSserv RootKit

Download and execute HiJack This! (HJT)
http://www.trendsecure.com/portal/en-US/_download/HJTInstall.exe

Then post the contents of the HJT log in your post with a full explanation of your problem
and what you have done to date in one of the below expert forums...

{ Please - Do NOT post the HJT Log here ! }

Forums where you can get expert advice for HiJack This! (HJT) Logs.

NOTE: Registration is REQUIRED in any of the below before posting a log

Suggested primary:
http://www.thespykiller.co.uk/index.php?board=3.0

Suggested secondary:
http://www.bleepingcomputer.com/forums/forum22.html
http://www.malwarebytes.org/forums/index.php?showforum=7

Suggested tertiary:
http://www.dslreports.com/forum/cleanup
http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
http://www.atribune.org/forums/index.php?showforum=9
http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html
http://gladiator-antivirus.com/forum/index.php?showforum=170
http://forum.networktechs.com/forumdisplay.php?f=130
http://forums.maddoktor2.com/index.php?showforum=17
http://www.spywarewarrior.com/viewforum.php?f=5
http://forums.spywareinfo.com/index.php?showforum=18
http://forums.techguy.org/f54-s.html
http://forums.tomcoyote.org/index.php?showforum=27
http://forums.subratam.org/index.php?showforum=7
http://www.5starsupport.com/ipboard/index.php?showforum=18
http://aumha.net/viewforum.php?f=30
http://makephpbb.com/phpbb/viewforum.php?f=2
http://forums.techguy.org/54-security/
http://forums.security-central.us/forumdisplay.php?f=13

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


PA Bear [MS MVP]

May 2, 2009, 3:55:21 PM
What anti-virus application was installed when the machine got infected?

olmansparky

May 3, 2009, 8:48:35 AM

How I got rid of Win32.TDSS.rtk
WARNING: These instructions are not for the novice computer user!
This virus appears to open the flood gates for other viruses

Using "SpyBot" you may find the virus "Win32.TDSS.rtk". SpyBot found
the virus but did not delete it.
Using "Malwarebytes" Anti-Malware showed the Vendor (Virus Name),
location and hidden name of the virus/spyware.

Next Step
1. Download The Avenger2 by Swandog46 (http://swandog46.geekstogo.com/)
to your Desktop.

Right click on the Avenger.zip folder and select "Extract All..."
Follow the prompts and extract the avenger folder to your desktop

2. Once you have found the hidden file. In my case it was:
ovfsthplblwyodptalbqvptxfnfxxdxxacujcr.sys

3. Now, open the avenger folder and start The Avenger program by
clicking on its icon.
Right click on the window under "Input script" and enter your script
(see example).
Click on Execute.
Answer "Yes" twice when prompted.
-------------------------------------------------
Example of deleting : ovfsthplblwyodptalbqvptxfnfxxdxxacujcr.sys using
Avenger2

Files to delete:
C:\WINDOWS\system32\drivers\ovfsthplblwyodptalbqvptxfnfxxdxxacujcr.sys

------------------------------------------------
Note: The above file "ovfsthplblwyodptalbqvptxfnfxxdxxacujcr.sys" was
found on my system. I am sure that it is Win32.TDSS.rtk.

4. The Avenger will automatically do the following:
It will restart your computer. (In cases where the code to execute
contains "Drivers to Delete" or "Drivers to Disable", The Avenger will
actually restart your system twice.)
On reboot, it will briefly open a black command window on your
desktop; this is normal.
After the restart, it creates a log file that should open with the
results of Avenger's actions.
This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you
asked it to delete, and will have zipped them and moved the zip
archives to C:\avenger\backup.zip.

---------------------------------------------------------------------------------
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com


Example Usage
Files to delete:
C:\WINDOWS\system32\drivers\ovfsthplblwyodptalbqvptxfnfxxdxxacujcr.sys

My Log from Avenger2 was as follows:


Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "ovfsthkerntjieupekyjlnuugqkhymicnkuvag" found!
ImagePath:
\systemroot\system32\drivers\ovfsthplblwyodptalbqvptxfnfxxdxxacujcr.sys

Start Type: 1 (System)

Rootkit scan completed.

File
"C:\WINDOWS\system32\drivers\ovfsthplblwyodptalbqvptxfnfxxdxxacujcr.sys"
deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Once you have completed these instructions, reboot and use Spybot and
"Malwarebytes" Anti-Malware to clean anything you may have missed.


--
olmansparky
------------------------------------------------------------------------
olmansparky's Profile: http://forums.techarena.in/members/95926.htm
View this thread: http://forums.techarena.in/security-home-users/1172514.htm

http://forums.techarena.in
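
An added example, not from this thread and not part of The Avenger itself: a small Python parser for the Avenger log format shown above. It pulls each "Hidden driver" record with its ImagePath and start type, flags when the service name and the file stem differ (as they do in the posted log), and checks whether the backing file was reported deleted later in the same log, so a log like olmansparky's can be triaged at a glance. The sample log is a constructed excerpt that reuses the names from the post, wrapped the way the post shows them.

```python
import re

# Constructed excerpt modelled on the Avenger 2.0 log posted above: the service
# and file names are the ones from the post, line-wrapped the way the post shows them.
SAMPLE_LOG = """Rootkit scan active.
Hidden driver "ovfsthkerntjieupekyjlnuugqkhymicnkuvag" found!
ImagePath:
\\systemroot\\system32\\drivers\\ovfsthplblwyodptalbqvptxfnfxxdxxacujcr.sys
Start Type: 1 (System)
Rootkit scan completed.
File
"C:\\WINDOWS\\system32\\drivers\\ovfsthplblwyodptalbqvptxfnfxxdxxacujcr.sys"
deleted successfully.
Completed script processing.
"""

# One block per hidden driver, ending at the next driver or at the end of the scan.
DRIVER_RE = re.compile(
    r'Hidden driver "(?P<service>[^"]+)" found!(?P<body>.*?)'
    r'(?=Hidden driver "|Rootkit scan completed)', re.S)
# \s+ lets the quoted path sit on its own line, as it does in the post.
DELETED_RE = re.compile(r'File\s+"(?P<path>[^"]+)"\s+deleted successfully', re.S)

def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def parse_avenger_log(text):
    """Return one record per hidden driver Avenger reported: service name,
    ImagePath, start type, whether the name and file stem differ, and
    whether the backing file was reported deleted later in the log."""
    deleted = {_basename(m.group("path")) for m in DELETED_RE.finditer(text)}
    records = []
    for m in DRIVER_RE.finditer(text):
        body = m.group("body")
        ip = re.search(r"ImagePath:\s*(\S+)", body)        # \s* crosses the wrapped line
        st = re.search(r"Start Type:\s*([^\n]+)", body)
        image = ip.group(1) if ip else ""
        records.append({
            "service": m.group("service"),
            "image_path": image,
            "start_type": st.group(1).strip() if st else "",
            # service name and file stem differ in the posted log: a triage cue, not proof
            "name_mismatch": _basename(image).rsplit(".", 1)[0] != m.group("service").lower(),
            "file_deleted": _basename(image) in deleted,
        })
    return records

if __name__ == "__main__":
    for rec in parse_avenger_log(SAMPLE_LOG):
        print(rec)
```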

David H. Lipman

May 3, 2009, 10:02:19 AM
From: "olmansparky" <olmanspar...@DoNotSpam.com>

| How I got rid of Win32.TDSS.rtk
| WARNING: These instructions are not for the novice computer user!
| This virus appears to open the flood gates for other viruses

The TDSserv is a Trojan RootKit -- It is NOT a "virus"!

Note that there are different variants to this RootKit and your information using Avenger
may not work with all variants.

Zo

May 3, 2009, 11:19:50 AM
David H. Lipman used his keyboard to write :


Thanks for the response. Went to the GeeksToGo site and followed the
instructions given using the combofix method and as of today, I now
have a "clean" system according to the recent Spybot scan. I

--
Zo
"1 man, 7 woman hot tub -- $850/offer"


Zo

May 3, 2009, 11:36:17 AM
olmansparky formulated on Sunday :


Thanks for the reply, yes Spybot was the app that discovered this monster,
and to think that there are a few who think Spybot is past its prime.
Neither Malwarebytes, SuperAntiSpyware, Spyware Terminator nor Avira
AntiVir detected it (of course this thing was a rootkit, so AntiVir did
not detect it), but I'm really shocked that none of the others detected
this well known rootkit.

After visiting GeeksToGo, I followed the instruction given using the
combofix method and everything is back to "normal" for now. I'll keep
the Avenger link just in case. Thanks again.

--
Zo
Click..Click..Click..darn, out of taglines!


David H. Lipman

May 3, 2009, 12:16:46 PM
From: "Zo" <hom...@newsbill.net>

| David H. Lipman used his keyboard to write :


| Thanks for the response. Went to the GeeksToGo site and followed the
| instructions given using the combofix method and as of today, I now
| have a "clean" system according to the recent Spybot scan. I


Please post the forum thread URL.

Zo

May 4, 2009, 9:15:05 AM
on 5/3/2009, David H. Lipman supposed :

> From: "Zo" <hom...@newsbill.net>
>
>> David H. Lipman used his keyboard to write :
>
>
>> Thanks for the response. Went to the GeeksToGo site and followed the
>> instructions given using the combofix method and as of today, I now
>> have a "clean" system according to the recent Spybot scan. I
>
>
> Please post the forum thread URL.

Okay, here it is:

http://www.geekstogo.com/forum/index.php?showtopic=237620&view=getnewpost

--
Zo
Shhhhhhh; the secrets of the Internet are at .....^*& %*$^^^^^^^^^ NO
CARRIER.


PA Bear [MS MVP]

May 4, 2009, 11:37:37 AM
[Spyware Terminator? SpyWall? STUPIDAntiSpyware Free? Eusing Free Registry
Cleaner? Are you sure you formatted before reinstalling Windows? Why did
you wait nearly a week after the reinstall [4/24] before installing an
anti-virus application [4/30]? How did you obtain Sygate Personal Firewall?]