
Computer help! Fugging rootkits!


southcakalac


Malwarebytes has detected a rootkit on my computer. It carries a name of .TDSS. Malwarebytes says it removes it, but then when I check again it's there again. I read some stuff on the web about removing them and it seems complicated.

Any computer guys here that can lend a hand?

Edit: I'm running Windows Vista.

Link to comment
Share on other sites

I've never run into this particular dilemma, but in all the other infections I've had on my PC, I generally run two or three different spyware/AV programs to make sure it's gone. Malwarebytes is pretty good though... maybe boot to safe mode and run it again?

Maybe someone else has specific experience with this one on here...

Link to comment
Share on other sites

I've had this problem before; the only way to get rid of it for good is to remove it from the registry, and Malwarebytes won't do that. You need to type regedit into the search/command line that opens up after you hit the Start button. You want to look for a registry entry under HKEY_LOCAL_MACHINE>SOFTWARE that looks like gibberish. It will usually be a bunch of random letters together. Double check that it's nothing important and then blast it/delete it. After that is done you'll have rendered the rootkit useless after you reboot, as it won't be able to run anymore. From there you should be able to remove it for good after doing another Malwarebytes scan.

Your rootkit must not be too bad as the one I had wouldn't even allow malwarebytes to do a scan. I had to find this tool that found hidden registry entries to get rid of the sucker.

Link to comment
Share on other sites

Format C:


Screwing around in the registry when you aren't 100% sure what you're looking for can end badly.

Link to comment
Share on other sites

I had a similar problem with my laptop. I tried everything, and I personally agree messing with your registry can have serious consequences. I recommend saving your pics and important files and rebooting the thing.

Depending on how bad the rootkit is, he may not be able to do that. Personally, mine locked down any non-read activity to all of my drives, thus eliminating my ability to copy off important stuff and blast the thing. Honestly, it's not that hard to do what I said. My bogus entry looked like this:

gxbhnxd

Now does the above resemble anything close to something "critical" that would crash your PC? As long as he doesn't mess with Windows registry entries (which wouldn't be found under the HKEY_LOCAL_MACHINE>SOFTWARE section) then the worst that could happen is a given program (whatever is erroneously deleted) would need to be reinstalled to work effectively again.

Link to comment
Share on other sites

Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 6.0.6001 Service Pack 1
9/10/2009 4:52:05 PM
mbam-log-2009-09-10 (16-52-05).txt

Scan type: Quick Scan
Objects scanned: 85265
Time elapsed: 6 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\kbiwkmeatecqxs (Rootkit.TDSS) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

This is what it says. I've looked through the registry and can't seem to locate it. I'm worried about deleting the wrong thing. I will keep trying though.

Link to comment
Share on other sites

Do just a standard search on your computer for all files containing the file name part "kbiwkm". What comes up?

Yes, if you want to be super safe, you can do a search for that filename in the registry, rename the file slightly once you find it, and then reboot. The registry entry should show up after that. Also make sure that you have the folder options set up on your C:\ drive so that you can see hidden files and Windows critical system files. These rootkits will hide themselves by disguising themselves to fall under those umbrellas, and you'll never catch them with a search unless you check those boxes under folder options first.

Link to comment
Share on other sites
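The replies above describe the procedure by hand: look through the Services keys for a name that reads like random letters (the log shows kbiwkmeatecqxs; the earlier poster's was gxbhnxd), make sure it is not something legitimate, then search the disk for that name with hidden and protected system files made visible. The PowerShell below is an added example, not code from this thread or from Malwarebytes, that scripts those same checks and prints candidates for manual review without deleting anything. It assumes an elevated PowerShell 2.0 or later prompt; the search paths, the offline hive path X:\... and the "kbiwkm" fragment at the bottom are illustrative values (the fragment is the one named in the thread).

```powershell
# Added example, not code from the original thread or from Malwarebytes.
# Scripts the manual procedure in the replies above: list service keys whose
# names look machine-generated (the thread's examples: "gxbhnxd",
# "kbiwkmeatecqxs"), check whether each one's driver file is visible from user
# mode, and search the disk for a name fragment with hidden/system files
# included. It only reports candidates for review; it deletes nothing.
# Assumed: an elevated PowerShell 2.0+ prompt. The default paths and the
# $Fragment value at the bottom are illustrative ("kbiwkm" comes from the thread).

function Resolve-ImagePath {
    param([string]$ImagePath)
    # Normalise the forms found in Services\<name>\ImagePath into a plain path.
    $p = $ImagePath.Trim()
    if ($p.StartsWith('"')) {                       # "C:\Program Files\x\y.exe" -k
        $end = $p.IndexOf('"', 1)
        if ($end -gt 1) { $p = $p.Substring(1, $end - 1) }
    } else {                                        # C:\x\y.exe -k  (unquoted, no spaces)
        $p = ($p -split ' ')[0]
    }
    $p = [Environment]::ExpandEnvironmentVariables($p)        # %SystemRoot%\...
    $p = $p -replace '^\\\?\?\\', ''                          # \??\C:\...
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"    # \SystemRoot\System32\...
    if ($p -notmatch '^[A-Za-z]:\\') {                        # System32\drivers\x.sys
        $p = Join-Path $env:SystemRoot $p
    }
    return $p
}

function Get-SuspiciousService {
    param([string]$ServicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services')
    # A kernel rootkit can hide its own key from this enumeration. If the key
    # Malwarebytes reports never shows up here, boot from clean media, load the
    # victim's hive offline:  reg load HKLM\Offline X:\Windows\System32\config\SYSTEM
    # and rerun with -ServicesRoot 'HKLM:\Offline\ControlSet001\Services'.
    Get-ChildItem -Path $ServicesRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $name  = $_.PSChildName
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        # Six or more lowercase letters and nothing else. Legitimate services such
        # as "lanmanserver" match too, so this alone is never a verdict.
        $generatedLooking = $name -cmatch '^[a-z]{6,}$'
        $reasons = @()
        if (-not $props.DisplayName -and -not $props.Description) {
            $reasons += 'no DisplayName or Description'
        }
        $file = $null
        if ($props.ImagePath) {
            $file = Resolve-ImagePath $props.ImagePath
            # File.Exists sees hidden/system files; a miss means the file is gone
            # or is being concealed from user mode.
            if (-not [System.IO.File]::Exists($file)) {
                $reasons += "ImagePath not visible on disk: $file"
            }
        }
        if ($generatedLooking -and $reasons.Count -gt 0) {
            New-Object PSObject -Property @{
                Name      = $name
                ImagePath = $file
                Reasons   = ($reasons -join '; ')
            }
        }
    }
}

function Find-FileByFragment {
    param([string]$Fragment, [string[]]$Paths)
    # -Force is the scripted form of "show hidden files and protected operating
    # system files"; without it Get-ChildItem skips exactly the files a rootkit
    # marks hidden+system to blend in.
    foreach ($root in $Paths) {
        Get-ChildItem -Path $root -Recurse -Force -Filter "*$Fragment*" -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer } |
            Select-Object FullName, Length, LastWriteTime, Attributes
    }
}

Get-SuspiciousService | Format-Table Name, ImagePath, Reasons -AutoSize
Find-FileByFragment -Fragment 'kbiwkm' -Paths @("$env:SystemRoot\System32", $env:TEMP) |
    Format-Table -AutoSize
```

Read the output as a shortlist, not a verdict: every hit still needs the "double check that it's nothing important" step from the thread before anything is renamed or deleted, and a clean run on the live system proves nothing, because the same driver that hides the key from regedit can hide it from this script. That is why the offline-hive route in the comments exists, and why the two replies recommending a backup and rebuild remain the safe end state once the important files have been copied off.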
