rootkit win32.tdss.mbr

November 8, 2010 at 23:32:37
Specs: Windows Vista
I have the rootkit win32.tdss.mbr. The problem is, the computer will not boot, preventing removal. I have the Kaspersky removal tool, but Windows must be running to use it. I am just getting a blinking cursor. It won't boot to safe mode.


November 9, 2010 at 03:06:05
In your case you may have to remove the hard drive and then either slave it or connect it with a USB adapter cable to another PC, and remove the virus that way.
After the removal it should run fine in the problem PC.


November 9, 2010 at 11:17:51
Your best bet is to try booting with the Kaspersky Rescue CD found here, which will allow you to scan the infected system without having to boot into Windows:

You'll need a blank CD/DVD though, and then will have to burn it with CDBurnerXP. Once it's burned, just restart your computer and tap "F10", or whichever key takes you to the boot menu; from that menu select your CD drive and press "Enter".

Another option, if you have a Vista install disc, is to try the Recovery Console. And of course the last option is to back up all your data using a live Linux CD (and a USB flash drive), and then format your hard drive and reinstall Vista. To use a live Linux CD, follow the steps below:

To use a live Linux CD, simply download the .iso from here:

Burn it to a blank CD, if you have one, using CDBurnerXP:

Once burned, load the disc into your CD-ROM drive and boot the PC, then press "F10" (or whichever key it says to get to the boot menu).

Once at the boot menu, select your CD-Drive, and press "Enter".

It will then pop up with a few options. Please let the CD boot by itself (do not click "Install" or anything else). Once at the desktop, click on "Menu", then select "Computer". Look for your disk drive in the panel and left-click on it. If that doesn't work, try right-clicking the drive and selecting "Mount".

Once mounted you'll see your Windows partition. To get to your Documents/Pictures and other files to back them up, click on "Documents & Settings", then whichever folder has your name (for example "Owner").

Then simply back up all your data, and then try using the recovery disc that came with your PC (if any).


November 9, 2010 at 14:56:18
Thanks for the suggestions, but I already tried all of those; none worked. What worked was Hiren's BootCD, which allowed me to run "Mini XP". Once running Mini XP, I was able to run the Kaspersky removal tool for this particular rootkit. It fixed it and immediately booted into Vista. Mini XP is a fantastic tool which allows you to run Windows programs on an unbootable PC.


November 9, 2010 at 16:38:30
It is a great tool. Glad you were able to get the problem fixed!


December 10, 2010 at 16:11:46
Yes, same infection here...
I used Kaspersky's TDSSKiller and it works when you have Windows... but it reinfects after a day or two and the pesky redirects start again.
Then I faced the non-boot situation you are facing, with a command prompt.
I figured it must be in the MBR.
Here is a simple way to get Windows back (note: this does not stop it reinfecting, it just gets you back from the scary cursor situation that you are in).

I fixed it by using a Windows XP disk.
Here is what you do:

Change the BIOS to boot from CD first (you can usually enter your BIOS by pressing the F2 key or the Delete key; read the BIOS splash screen for clues about which other key to use if these two don't do it).
Then change your CD drive to be the first in the "boot order".
Next insert your XP CD and restart the PC.
When it says "run from CD, press any key", press any key.
You get a blue screen with stuff happening; wait until it asks if you want to "do a full install or press R for recovery console".
Press the "R" key on your keyboard.
It then says "choose an installation to repair" and SHOULD list something like:
"1. C:\windows"
(if you normally have one Windows installation on your disk as the "C:" drive).
So enter "1".
It then asks you, if you have an administrator password, to enter that now.
So enter it; if you don't know what it is there is probably no password, so try just pressing the "Enter" or "Return" key.
You now have a list of commands.
Press the space bar to get to the bottom of the list and see the command prompt if you can't see it.
Type the following: FIXMBR
Then press Enter.
You will see a scary message; don't worry, I have done this about 20 times and for this infection it does work.
It asks you to confirm Y or N. Enter "Y".
It now says it has been fixed and you have a command prompt again.
At this point you can either enter "exit"
or just switch the PC off and on again.
As the PC restarts, quickly eject the CD so that it doesn't see it and tries to boot from the hard drive.
Then you will see your lovely XP booting up as normal again, and relax.

PS: don't forget to enter your BIOS again and switch the hard drive back to being the first boot device in the boot order.

I have done this many times, and from Windows I cannot get the trojan/virus cleaned.

It keeps returning... I have tried Spybot and AVG and Trend HouseCall and these can't clean out the trojan/virus. It is a real nasty. I'll keep trying....

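The two procedures above, pulling the disk out (or booting a live Linux CD) to work on it offline and running FIXMBR to put a clean boot loader back, both come down to the first 512 bytes of the disk. The script below is an added example, not code from any poster or from Kaspersky or Microsoft: it parses an MBR, checks the 0x55AA boot signature, compares the 440-byte boot code against a baseline hash taken from a known-clean installation, walks the partition table, and reports unpartitioned space after the last partition (the MBR bootkits of this family keep their hidden file system there, which is why rewriting the boot code alone lets them come back). It also shows what FIXMBR effectively does: replace the boot code while leaving the disk signature, partition table and boot signature untouched. The MBR bytes, the baseline boot code and the disk size are all constructed here for the demonstration; `read_mbr` is only there to show how the same checks would run against a real device.

```python
"""MBR triage for a TDSS/TDL-style bootkit suspicion (added example, constructed data)."""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440      # bytes 0..439: the code the BIOS jumps into
# bytes 440..443: NT disk signature, 444..445: reserved
PART_TABLE_OFF = 446     # four 16-byte partition entries
SIG_OFF = 510            # 0x55 0xAA boot signature


def read_mbr(device_path):
    """Read sector 0 of a raw device or image, e.g. '/dev/sda' from a live Linux
    CD, or r'\\\\.\\PhysicalDrive0' on Windows (run elevated). Not used by the demo."""
    with open(device_path, "rb") as fh:
        return fh.read(SECTOR)


def parse_partitions(mbr):
    """Return the non-empty entries of the primary partition table."""
    parts = []
    for i in range(4):
        entry = mbr[PART_TABLE_OFF + 16 * i: PART_TABLE_OFF + 16 * (i + 1)]
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack("<B3sB3sII", entry)
        if ptype == 0:
            continue
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "lba_start": lba_start, "sectors": sectors})
    return parts


def check_mbr(mbr, baseline_boot_sha256, total_sectors):
    """Return a list of findings; an empty list means nothing looked wrong."""
    if len(mbr) != SECTOR:
        raise ValueError("expected one 512-byte sector")
    findings = []
    if mbr[SIG_OFF:SIG_OFF + 2] != b"\x55\xaa":
        findings.append("missing 0x55AA boot signature")
    digest = hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()
    if digest != baseline_boot_sha256:
        findings.append(f"boot code differs from clean baseline (sha256 {digest[:16]}...)")
    parts = parse_partitions(mbr)
    if not any(p["bootable"] for p in parts):
        findings.append("no partition is flagged bootable")
    last_used = max((p["lba_start"] + p["sectors"] for p in parts), default=0)
    trailing = total_sectors - last_used
    if trailing > 2048:  # more than 1 MiB of unpartitioned space at the end of the disk
        findings.append(f"{trailing} unpartitioned sectors after the last partition; "
                        "dump and inspect them, a hidden bootkit file system lives there")
    return findings


def rewrite_boot_code(mbr, clean_boot_code):
    """Emulate FIXMBR: new boot code, everything from byte 440 onwards kept as-is."""
    if len(clean_boot_code) != BOOT_CODE_LEN:
        raise ValueError("boot code must be exactly 440 bytes")
    return clean_boot_code + mbr[BOOT_CODE_LEN:]


def build_sample_mbr(boot_code):
    """Constructed MBR: one bootable NTFS partition starting at LBA 2048."""
    disk_signature = b"\x12\x34\x56\x78" + b"\x00\x00"
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 10_000_000)
    return boot_code + disk_signature + entry + b"\x00" * 48 + b"\x55\xaa"


# Constructed stand-ins: a few plausible opening bytes (cli; xor ax,ax; mov ss,ax; mov sp,0x7c00)
# padded to 440, and a different blob playing the infected boot code.
GOOD_BOOT_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c".ljust(BOOT_CODE_LEN, b"\x00")
INFECTED_BOOT_CODE = b"\xeb\x30\x90\x90stand-in for bootkit loader".ljust(BOOT_CODE_LEN, b"\x00")
CLEAN_BOOT_HASH = hashlib.sha256(GOOD_BOOT_CODE).hexdigest()
CLEAN_MBR = build_sample_mbr(GOOD_BOOT_CODE)
INFECTED_MBR = build_sample_mbr(INFECTED_BOOT_CODE)
CLEAN_TOTAL_SECTORS = 2048 + 10_000_000          # partition fills the disk
INFECTED_TOTAL_SECTORS = CLEAN_TOTAL_SECTORS + 1_000_000  # unpartitioned tail

if __name__ == "__main__":
    for name, mbr, total in (("clean", CLEAN_MBR, CLEAN_TOTAL_SECTORS),
                             ("infected", INFECTED_MBR, INFECTED_TOTAL_SECTORS)):
        print(name, check_mbr(mbr, CLEAN_BOOT_HASH, total) or "no findings")
    print("repaired == clean:", rewrite_boot_code(INFECTED_MBR, GOOD_BOOT_CODE) == CLEAN_MBR)
```

Take the baseline hash from the boot code of a machine with the same Windows version that you know is clean, and take the MBR from the suspect disk while it is offline (slaved, or under a live CD) so the rootkit cannot filter the read. The partition-table check is the reason FIXMBR is safe here: it changes only the first 440 bytes, so the partition layout survives, but it also means anything stored past the last partition survives too.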