TDSSKiller finds several threats

March 24, 2012 at 03:45:39
Specs: Windows XP, Corei7 965 / 12 GB
TDSSKiller finds 17 mediocre threats when the additional options (verify file digital signatures and detect TDLFS file system) are checked. Scanning with TDSSKiller using the regular settings finds nothing either. RootkitBuster also finds problems, but isn't able to fix them.

Should I be worried?

I uploaded the files that Rootkitbuster found to virustotal, but they appear to be clean.

edited by moderator: remove unrequested log



March 24, 2012 at 04:46:47
Boot to your recovery console, go to the command prompt and type bootrec /fixmbr, hit Enter; then bootrec /fixboot, hit Enter. Run chkdsk c: /r /x. Now boot to Windows and run TDSSKiller.


March 24, 2012 at 13:05:30
The best way to do this is to run these 3 programs in EXACTLY the order listed:
1- rkill.exe
2- TDSSKiller
3- Malwarebytes
Don't reboot until AFTER the Malwarebytes scan.

If the above doesn't work, then do the same in safe mode

Some HELP in posting on plus free progs and instructions 7 Golds


March 26, 2012 at 00:18:42
XpUser4Real >

Rkill doesn't find anything.
TDSS does and finds the same things
MBAM doesn't find anything.

Gretti > Is there a chance that this might cause problems booting, etc.? I don't have time to reinstall Windows and all software and settings at the moment.



March 26, 2012 at 00:23:26
Then you may want to try ComboFix:
follow the guide and you should be fine.

Why would you want to fool with your boot sector if your pc boots up fine? Makes no sense to me.



March 26, 2012 at 22:39:07
To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an up-to-date antivirus product.

For more information on antivirus software, see
Additional recovery instructions for Trojan:DOS/Alureon.A
This virus may cause damage to the Master Boot Record (MBR) and Boot Configuration Data (BCD). You will need to run the following commands using the "bootrec.exe" tool to ensure a complete repair of your computer:

bootrec /fixmbr
bootrec /fixboot
bootrec /rebuildbcd

For more details on these commands, please refer to Microsoft Security Article KB927392, with specific focus to the options "/fixmbr", "/fixboot" and "/rebuildbcd".


March 27, 2012 at 01:03:00
XpUser4Real > Done that. ComboFix found some files (JPGs) and deleted them, but noted that they were most likely harmless.

Gretti > I scanned with the latest version of all these products in safe mode, no infections were found.

Avast Anti-Rootkit
Avast Antivirus
Bitdefender Online Scan
Dr.Web
F-Secure BlackLight
F-Secure Online Scan
Sophos Anti-Rootkit
SUPERAntiSpyware
Trend Micro HouseCall
VBA32 AntiRootkit

Do you still think fixing the MBR is needed?


March 27, 2012 at 07:39:34
I myself have never heard of fixing the MBR when a PC boots up fine.
Wow, you sure did your homework! Thanks for listing all the things, if others would do that it sure would speed up the repair.
Give these 2 fully working trials a shot.
1- Trojan Remover
2- Hitman Pro

They usually pick up things the others miss



March 28, 2012 at 00:58:15
All good rootkits load from the MBR. It is a part of the drive that does not get scanned by antivirus programs. Also, the small unallocated part of your drive that is left over from Windows installs can become a mountable partition by some tricky viruses.

Okay, now you know that most computers may have some unsigned drivers installed; this is normal under most circumstances. You would only want to scan for unsigned drivers to find them, not remove them.

Once you find the unsigned drivers, you need to make sure that they are legitimate drivers and are the correct version, size, etc. This is what Google is good for. If they check out, they should be left alone; they are not bad and are most likely functioning correctly. I think that TDSSKiller finding these is what is leading you to believe that your computer is infected.

Also, for the record, this was copied from the Kaspersky page:

"A bootkit is a type of malware that infects the Master Boot Record (MBR).

This infection method allows the malicious program to be executed before the operating system boots. As soon as BIOS (Basic Input Output System) selects the appropriate boot device (it can be a hard disk or a flash drive), the bootkit that resides in the MBR starts executing its code. Once the bootkit receives the control, it usually starts preparing itself (reads and decrypts its auxiliary files in its own file system that it has created somewhere in the unallocated disk space) and returns the control to the legitimate boot loader overseeing all stages of the boot process.

The main feature of a bootkit is that it cannot be detected by standard means of an operating system because all its components reside outside of the standard file systems.
Some types of bootkits hide even the fact that the MBR has been compromised by returning the legitimate copy of the MBR when an attempt to read it has been made.
A system infected with a bootkit can be cured with the TDSSKiller utility. "

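As an added illustration of what the quoted text means by bootkit components living outside the file system (this is example code added here, not code from the thread, from Kaspersky or from TDSSKiller): a Python script that parses a raw 512-byte MBR sector, verifies the 0x55AA boot signature, decodes the four partition-table entries, lists the unallocated LBA ranges where a bootkit could keep its own hidden file system, and compares the 446-byte boot-code region against a known-good SHA-256. The sample sector, the disk size and the `build_sample_mbr` helper are constructed values for the demonstration.

```python
"""Parse a raw MBR sector and look at the places a bootkit can hide.

Added example, not code from the thread, Kaspersky or TDSSKiller. It checks
the 0x55AA boot signature, decodes the four partition-table entries, lists
unallocated LBA ranges (where a bootkit may keep its own file system) and
compares the 446-byte boot-code region against a known-good SHA-256.
The sample sector and disk size used below are constructed values.
"""
import hashlib
import struct
import sys

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446      # bytes 0..445: boot loader code (what a bootkit overwrites)
PART_TABLE_OFF = 446     # four 16-byte partition entries follow the code
SIGNATURE_OFF = 510      # last two bytes must be 55 AA


def parse_mbr(sector: bytes) -> dict:
    """Return signature status, non-empty partition entries and a boot-code hash."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR sector is exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, lba_count = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype == 0 and lba_count == 0:
            continue                      # empty slot
        partitions.append({"index": i, "bootable": status == 0x80,
                           "type": ptype, "start": lba_start, "count": lba_count})
    return {
        "signature_ok": sector[SIGNATURE_OFF:SIGNATURE_OFF + 2] == b"\x55\xAA",
        "partitions": partitions,
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
    }


def unallocated_ranges(partitions, disk_sectors: int, first_usable: int = 1):
    """LBA ranges (start, count) covered by no partition. Sector 0 is the MBR itself.

    A small gap before the first partition (e.g. LBA 1..62 on XP-era disks) is
    normal alignment slack; a sizeable gap at the end of the disk that no
    partitioning tool created is worth a closer look."""
    gaps = []
    cursor = first_usable
    for p in sorted(partitions, key=lambda p: p["start"]):
        if p["start"] > cursor:
            gaps.append((cursor, p["start"] - cursor))
        cursor = max(cursor, p["start"] + p["count"])
    if disk_sectors > cursor:
        gaps.append((cursor, disk_sectors - cursor))
    return gaps


def boot_code_matches(sector: bytes, reference_sha256: str) -> bool:
    """True if the boot-code bytes hash to a trusted reference (for example one
    recorded right after a clean install or right after bootrec /fixmbr)."""
    return hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest() == reference_sha256


def build_sample_mbr() -> bytes:
    """Constructed sample: a few plausible boot-code bytes, one bootable NTFS
    partition (type 0x07) starting at LBA 63 with 2,000,000 sectors."""
    code = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]).ljust(BOOT_CODE_LEN, b"\x00")
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xFE\xFF\xFF", 63, 2_000_000)
    table = entry + b"\x00" * 48          # three empty slots
    return code + table + b"\x55\xAA"


if __name__ == "__main__":
    # Usage: python mbr_check.py <512-byte MBR dump> <disk size in sectors> [trusted sha256]
    data = open(sys.argv[1], "rb").read(SECTOR_SIZE) if len(sys.argv) > 1 else build_sample_mbr()
    size = int(sys.argv[2]) if len(sys.argv) > 2 else 2_004_096   # assumed sample disk size
    info = parse_mbr(data)
    print("signature ok:", info["signature_ok"])
    for p in info["partitions"]:
        print(f"  entry {p['index']}: type 0x{p['type']:02X} start {p['start']} count {p['count']}"
              f"{' (bootable)' if p['bootable'] else ''}")
    print("unallocated:", unallocated_ranges(info["partitions"], size))
    print("boot code sha256:", info["boot_code_sha256"])
    if len(sys.argv) > 3:
        print("matches trusted copy:", boot_code_matches(data, sys.argv[3]))
```

Two caveats follow directly from the quoted description. A bootkit that returns the legitimate copy of the MBR when it is read will hand this script a clean-looking sector if the dump is taken from inside the infected Windows, so take the 512-byte dump from a boot CD, WinPE or another machine with the drive attached. And the boot-code hash is only meaningful against a reference captured from the same Windows build and partitioning tool; a mismatch tells you the code differs, not by itself that it is malicious.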
