infected with WIN32Rootkit.TDSS?

March 9, 2009 at 13:52:23
Specs: XP Home SP2
My laptop is experiencing the following issues:

Unable to do a system restore
search engine links are re-routed

I get a constant pop-up that says: "google installer has encountered a problem and needs to close"

I cannot install Malwarebytes anti-malware to do a system scan.

I was able to do an Ad-Aware scan, Ad-Aware found: WIN32Rootkit.TDSS but is not able to remove it.


So. Is the rootkit above what's causing my issues? If yes, how do I get rid of it?

Thanks in advance.


March 9, 2009 at 14:21:20
This may temporarily help with the redirects:

Click on Start, click Run, and then type devmgmt.msc and click OK
On the View menu click on Show hidden devices
Browse to Non-Plug and Play Drivers and click the + sign to the left, you should see something like TDSSserv.sys in that list.
Highlight that driver and right click on it and select DISABLE - NOT uninstall.
Now RESTART your computer.

If that did not work, go to Start > Run, type cmd and press Enter or OK.
Type ipconfig /flushdns (the space between g and / is needed).

Then press Enter, type Exit, press Enter again, Try to connect to the internet.

If that did not work try Safe Mode with Networking. Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select Safe Mode with Networking, then press "Enter".
Choose your usual account.

Please download Malwarebytes' Anti-Malware from one of these sites:



Rename the setup file, mbam-setup.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, in the filename box rename mbam-setup.exe to tool.exe, then click Save.

1. Double Click tool.exe to install the application.
2. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
3. If an update is found, it will download and install the latest version.
4. Once the program has loaded, select "Perform Quick Scan", then click Scan. The scan may take some time to finish, so please be patient.
5. When the scan is complete, click OK, then Show Results to view the results.
6. Make sure that everything found is checked, and click Remove Selected.
7. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
8. The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
9. Copy and paste the entire report in your next reply.

If Malwarebytes installed but will not run navigate to this folder:

C:\Program Files\Malwarebytes' Anti-Malware

Rename all the .exe files in the Malwarebytes' Anti-Malware folder and try to run it again.

Please download and install the latest version of HijackThis v2.0.2:

Download the "HijackThis" Installer from this link:
Hijack This

Rename the setup file, HJTInstall.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, in the filename box rename HJTInstall.exe to tools.exe, then click Save.
1. Save "tools.exe" to your desktop.
2. Double click on tools.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.


March 11, 2009 at 11:00:21
Thank you jabuck for your in-depth response. Today, I was able to get back to my laptop. And just out of curiosity, I wanted to see if I can load Malwarebytes (before, I was not able to). For some reason I was today. Did a full scan and found the following:

Files Infected:
C:\WINDOWS\system32\UAChrgrkiuk.dll (Rootkit.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\UACvtsrvrvx.dll (Rootkit.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\UACwwkrgaln.dll (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\drivers\UACltivkhoa.sys (Rootkit.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\UACglwjrpni.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\UACkbxrstae.dat (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\UACmqhrmupl.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\UACxurtbgay.log (Trojan.Agent) -> Delete on reboot.

Everything was removed.
Dumb question: does this mean everything should be back to normal? My laptop does not have the mentioned symptoms anymore, so I assume everything is good to go??

I also wanted to ask if you or anyone could recommend an internet security suite that can "prevent" this from happening again.

Thanks again for your time. Very much appreciated.

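Added example, not code from the thread or from Malwarebytes: a small defender-side check for the "is everything back to normal?" question above. It parses "Files Infected" lines in the format the Malwarebytes log uses in that post, then, given a directory listing taken after the reboot, reports anything that MBAM said it would delete but is still present, or that still matches the UAC-prefixed naming pattern seen in the log. The post-reboot listing is constructed sample data, and the naming pattern (system32\UAC plus eight letters, or uacinit.dll) is an assumption derived from the file names in the thread, so hits are candidates for a second scan, not for deletion.

```python
import re
from typing import Dict, List

# Constructed sample: the "Files Infected:" lines use the format Malwarebytes
# printed in the thread (names taken from the post), plus the header line.
SAMPLE_LOG = r"""Files Infected:
C:\WINDOWS\system32\UAChrgrkiuk.dll (Rootkit.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\drivers\UACltivkhoa.sys (Rootkit.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\UACkbxrstae.dat (Trojan.Agent) -> Delete on reboot.
"""

# Constructed post-reboot listing: two benign Windows files, one delete-on-reboot
# path that survived, and one hypothetical UAC-named leftover MBAM never logged.
SAMPLE_LISTING = [
    r"C:\WINDOWS\system32\kernel32.dll",
    r"C:\WINDOWS\system32\drivers\tcpip.sys",
    r"C:\WINDOWS\system32\uacinit.dll",
    r"C:\WINDOWS\system32\UACqzmxnwtb.dll",
]

# One detection line:  <path> (<family>) -> <action>.
MBAM_LINE = re.compile(r"^(?P<path>[A-Za-z]:\\[^()]+?) \((?P<family>[^)]+)\) -> (?P<action>.+?)\.?$")

# Assumed naming pattern, derived from the log in the thread: system32 files
# called UAC<8 letters>.<dll|sys|dat|log>, plus uacinit.dll.
TDSS_NAME = re.compile(r"^uac(?:init|[a-z]{8})\.(?:dll|sys|dat|log)$", re.IGNORECASE)

def parse_mbam_log(text: str) -> List[Dict[str, str]]:
    """Structured records for every detection line; other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = MBAM_LINE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records

def looks_like_tdss(path: str) -> bool:
    # Filename heuristic; only applied to files under system32 or system32\drivers.
    parts = path.replace("/", "\\").lower().split("\\")
    return "system32" in parts[:-1] and TDSS_NAME.match(parts[-1]) is not None

def tdss_residue(log_text: str, listing: List[str]) -> List[str]:
    """Paths still present after reboot that MBAM said it would delete, or that
    match the TDSS pattern but were never logged. Review these; do not auto-delete."""
    cleaned = {r["path"].lower() for r in parse_mbam_log(log_text)}
    return sorted(p for p in listing if p.lower() in cleaned or looks_like_tdss(p))

if __name__ == "__main__":
    print("residue:", tdss_residue(SAMPLE_LOG, SAMPLE_LISTING))
```

On a real machine the listing would come from `dir /b /s C:\WINDOWS\system32` saved after the reboot; a non-empty result means the "Delete on reboot" step did not finish and another scan is due.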