Bootkit TDSS.d virus removal

August 10, 2011 at 12:12:29
Specs: Windows Vista, Intel Core 2 Duo 2.53GHz/3 gigs
Hi, I'm having problems in my pc. I'm currently using another computer to post this. I was doing a research for my college on google images when I was struck by a virus. First, my antivirus, which is Avira, stated it was JAVA problem/virus infection. I tried to remove the threats and run a full scan. It detected a BOO\TDSS.d, that I later found out it was a Bootkit kind of virus. I really don't understand much, so I don't know how to proceed.

At first, it looked like my whole HD was erased, and of course I freaked out! It reniciated itself, and I realized it was only concealing my files. At the moment it rebooted 2 times, and it's concealing my desktop. For now I'm running a complete scan with Malwarebytes Anti-Malware, that had 4 detections so far, but I'm running a full scan just in case. I also tried TDSSKiller before, with no sucess, since it doesn't let the program open. It also closes my browser after some time, or everytime I type "bootkit tdss removal" here in this forum (which is why I'm using a different pc).

EDIT: Sorry, I forgot to tell that on my sidebar a small icon appears, which is a red circle with an "X" on it, and all kinds of security issues messages keep popping up, saying I have hardrive problems that need to be fixed imediately and a fake scan window also pops up and "detects" all kinds of issues in my pc.

Can you guys help me?

See More: Bootkit TDSS.d virus removal

Report •

August 10, 2011 at 12:51:08

Please download TDSSKiller

Vista/Windows 7 users - Right-click and select: Run as Administrator

Click: ‘Start Scan’

If Malicious objects are found, DO NOT allow the tool to Cure.
Click the arrow next to 'Cure' and select Skip
We need to see the report first, as it may show false detections!!

Click 'Continue'

When the tool is done, a log is produced at the root drive which is typically C:\
For example, C:\TDSSKiller.

Please post the 'TDSSKiller' log in your reply.

Next, download aswMBR:
Save it to the Desktop.

'Vista/Windows 7 users - Right-click and select: Run as Administrator

Click Scan

Upon completion of the scan, click ‘Save log’ and save it to the Desktop,
Note - Do NOT attempt any fix anything!!.

Please post the log produced by 'aswMBR' in your next reply.

Also, you will notice that another file is created on the Desktop. It is named MBR.dat.

If you have a USB flash drive, please move the mbr.dat file to it.
If not, move the mbr.dat from the Desktop, to the C:\ drive.

This is important, just in case we need to have access to the MBR information!!

Retired - Doin' Dis, Dat, and slapping malware.

Report •

August 10, 2011 at 14:25:05

Thank you for your time, but the thing is I can't run TDSSKiller. I've tried saving the .exe file in different places, but it is still the same, even if if I try running as administrator, it simply doesn't run. The pointer just seems to load something, but for merely 2 seconds and that's it. So, I'm kinda lost, I'm not sure if there's another step I ought to take or what...!

Report •

August 10, 2011 at 16:27:40

Rename TDSSKiller, and see if you can then get it to run.

To do this, right-click on the TDSSKiller.exe icon on your Desktop
Select: Rename.

Name with a .com extension. For example,

Once the file is renamed, right-click and select: Run as Administrator, or double-click on it to launch it..

See if that works.

Retired - Doin' Dis, Dat, and slapping malware.

Report •

Related Solutions

August 10, 2011 at 16:56:18
I tried renaming it, but still couldn't get anything. I also tried re-downloading the file and saving with a different name to see if it worked, but got nothing either.

Report •

August 10, 2011 at 18:16:14
Restart your computer

Tap the F8 ke, before the Windows logo appears.
At the Advanced Options menu, select: Safe mode with Networking

Log on to your PC with your normal account (with administrative rights).

Download 'iExplore.exe', which is a renamed copy of 'RKill':

[If the file does not download, paste the following, >without the brackets<, in the address bar of your browser:

Save the file to the Desktop

Vista/Windows 7 users, right-click the file, and select: Run As Administrator

Ignore any messages, and allow the file to run until the command window closes.

If you have problems running RKill, download any of the other renamed versions of RKill from its download page.

Without a reboot, download 'Malwarebytes’ Anti-Malware' (black button with green and white icon) :

Save to the Desktop

Vista/Windows 7 users, right-click the file, and select: Run As Administrator

Follow the prompts to install the program.

Run Malwarfebytes’ AntiMalware and update the program.

Once updated, select 'Perform Full Scan' and click the 'Scan' button.

When the scan finishes, click OK in the message box, and you will see the results of the scan.

Click the 'Remove Selected' button to get rid of the malware.

When Malwarebytes finishes, you may be prompted to reboot. If so, reboot.

Please post the >Malwarebytes log< in your reply.

Retired - Doin' Dis, Dat, and slapping malware.

Report •

August 11, 2011 at 11:44:17
I've done everything, and the log is as followed. I didn't remove the second "threat" because it was merely the rkill with another name, so I left it there.

Malwarebytes' Anti-Malware

Database version: 7435

Windows 6.0.6001 Service Pack 1 (Safe Mode)
Internet Explorer 8.0.6001.19088

11/08/2011 14:22:35
mbam-log-2011-08-11 (14-22-35).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|J:\|K:\|L:\|N:\|)
Objects scanned: 334763
Time elapsed: 40 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
n:\RECYCLER\s-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx (Worm.Conficker) -> Quarantined and deleted successfully.
c:\Users\meninas\Desktop\WiNlOgOn.exe (Heuristics.Reserved.Word.Exploit) -> Not selected for removal.

Report •

August 18, 2011 at 04:27:00
Maybe this will help. I am battling a BOO/TDss.M infection at this moment too. Also had the problem that Virusprograms did not work and also AV-websites could not be accessed. I have tried running a ESET online security scan. You need do download a small file on another computer first and put it on a USB-drive. Run the program and let ESET scan the computer online. For me it removed 8 infections. After that the normal Virusscanner could be reïnstalled on the computer (but still could not be updated etc.) but it would let me scan now. It removed 11 infections of the systems. After a reboot I was able to update the AV and all AV-services were running normal now. Again a complete scanned showed 12 infections, three of which the BOO/TDss.M. All others could be cleaned, this one not.
Going to try the TDSSkiller now.....

Report •

August 19, 2011 at 08:20:25

Sorry for the delay. Somehow this topic got lost in my notifications.

My apology.

Let's press on...

Please download ComboFix:

Save ComboFix.exe to your Desktop!!

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with the running of CF.

Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link:

Vista/Windows 7 - Right-click on ComboFix.exe and select: Run as Administrator
Follow the prompts.

Click on ‘Yes‘, to continue scanning for malware.

When finished, CF produces a report.

Since this report can also be quite large, please go to the ‘Uploading’ website:

In: Select files to upload, click 'Browse', and 'Look in' the Desktop.
Select the ComboFix report, and click on 'Open'
You will see the following:
“Your file has been uploaded successfully: (Name and size of the file)”

Please copy the 'Download link', and provide it in your reply.


1.Do not mouse-click the ComboFix window while it is running.
This action may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.

3. CF disconnects your machine from the internet. However, the connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Retired - Doin' Dis, Dat, and slapping malware.
Malware Eliminator/ Member of UNITE

Report •

August 22, 2011 at 00:24:19
.8.978 Copyright(c) 2011 AVAST Software
Run date: 2011-08-22 02:09:11
02:09:11.407 OS Version: Windows x64 6.0.6002 Service Pack 2
02:09:11.407 Number of processors: 2 586 0xF0D
02:09:11.407 ComputerName: BENJIE-PC UserName: user
02:09:30.017 Initialize success
02:09:56.457 AVAST engine defs: 11081901
02:10:03.949 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
02:10:03.951 Disk 0 Vendor: Hitachi_ FBEO Size: 238475MB BusType: 3
02:10:03.954 Disk 1 \Device\Harddisk1\DR1 -> \Device\00000062
02:10:03.956 Disk 1 Vendor: RICOH 01 Size: 238475MB BusType: 0
02:10:03.959 Disk 2 \Device\Harddisk2\DR2 -> \Device\00000063
02:10:03.962 Disk 2 Vendor: RICOH 02 Size: 238475MB BusType: 0
02:10:03.990 Disk 0 MBR read successfully
02:10:03.994 Disk 0 MBR scan
02:10:03.999 Disk 0 Windows VISTA default MBR code
02:10:04.006 Service scanning
02:10:07.396 Modules scanning
02:10:07.396 Disk 0 trace - called modules:
02:10:07.424 ntoskrnl.exe CLASSPNP.SYS disk.sys acpi.sys iaStor.sys hal.dll
02:10:07.424 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004dd4260]
02:10:07.424 3 CLASSPNP.SYS[fffffa6000fcfc33] -> nt!IofCallDriver -> [0xfffffa80040c05d0]
02:10:07.424 5 acpi.sys[fffffa60008f8fde] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa8004bb6050]
02:10:08.417 AVAST engine scan C:\Windows
02:10:11.906 AVAST engine scan C:\Windows\system32
02:12:44.476 AVAST engine scan C:\Windows\system32\drivers
02:12:59.155 AVAST engine scan C:\Users\user
02:13:04.741 File: C:\Users\user\AppData\Local\KBDatzas.dll **INFECTED** Win32:Bredolab-FY [Trj]
02:14:26.202 File: C:\Users\user\AppData\Local\Temp\0.13934077284957647.exe **INFECTED** Win32:Karagany-AM [Trj]
02:14:26.271 File: C:\Users\user\AppData\Local\Temp\0.9714228385780624.exe **INFECTED** Win32:Karagany-AM [Trj]
02:14:26.697 File: C:\Users\user\AppData\Local\Temp\4FEB.tmp **INFECTED** Win32:Defender [Trj]
02:14:27.340 File: C:\Users\user\AppData\Local\Temp\5B41.tmp **INFECTED** Win32:Defender [Trj]
02:15:26.646 File: C:\Users\user\AppData\Local\Temp\setup2936754432.exe **INFECTED** Win32:Dropper-HXN [Drp]
02:15:26.691 File: C:\Users\user\AppData\Local\Temp\setup3091124160.exe **INFECTED** Win32:Dropper-HXN [Drp]
02:15:46.506 File: C:\Users\user\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\14\62e1c78e-254fab8b **INFECTED** Win32:Defender [Trj]
02:15:46.951 File: C:\Users\user\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\42\3a4af22a-7120fbff **INFECTED** Win32:FakeAlert-AWM [Trj]
02:15:47.146 File: C:\Users\user\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\6\4e519b86-462c5360 **INFECTED** Win32:Karagany-AM [Trj]
02:15:47.206 File: C:\Users\user\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\6\4e519b86-66cfe9c0 **INFECTED** Win32:Karagany-AM [Trj]
02:15:56.504 File: C:\Users\user\AppData\Roaming\Adobe\plugs\mmc477864883.txt **INFECTED** Win32:Kryptik-EIX [Trj]
02:16:50.330 AVAST engine scan C:\ProgramData
02:19:14.498 File: C:\ProgramData\SMiPOgxpPKhx.exe **INFECTED** Win32:Kryptik-EIX [Trj]
02:20:37.119 Scan finished successfully
02:22:32.578 Disk 0 MBR has been saved successfully to "C:\Users\user\Desktop\MBR.dat"
02:22:32.591 The log file has been saved successfully to "C:\Users\user\Desktop\aswMBRfiggs.txt"

I'm following the same steps trying to get rid of this virus!

Kaspersky's Tdss killer doesn't work
Avira detected it but couldn't do anything because I didn't have authorization?
aswMBR hasn't done anything but made this log

Report •

August 22, 2011 at 01:52:46
Ok I tried this other thing to fix the MBR by opening a command prompt under the repair windows option after pressing F8, and it said to enter these prompts:


and it didn't work, all the files are hidden still and I have to open explorer with the "Run as Admin" option...

aaflac44 please help! Avira says they have a definition of this virus but their program doesn't help with the deny access action it takes...

Report •

August 22, 2011 at 08:46:36

Please start your own topic in this forum (Security and Virus):

It gets rather confusing when dealing with more than one person in a topic.

Title the topic:
Possible Rootkit, attn: aaflac44

I will be glad to help you then.

Retired - Doin' Dis, Dat, and slapping malware.
Malware Eliminator/ Member of UNITE

Report •

Ask Question