Variant: Rootkit Win32.tdss.mbr
Operating Systems Affected: Windows 9x, NT, 2000, ME, XP, Vista, Windows 7, Windows Server

Rootkit Win32.tdss.mbr is a Trojan rootkit belonging to the Rootkit.Gen family. The Trojan embeds itself in Windows system and process files to hide its activity from anti-virus scanners. It is designed to infect the master boot record (MBR) of the computer, which makes the system unstable and can crash programs or the operating system (OS). Its main objective, of course, is to give attackers remote access to your computer by opening a back-door port, which exposes your identity and sensitive information such as email accounts, online banking passwords, credit card details and other important data.
Always remember that prevention is better than cure, so keep your Windows operating system and anti-virus software up to date. If you are already infected by this rootkit, the steps to remove Rootkit Win32.tdss.mbr are itemized below.
• Disable System Restore (if using Windows XP or ME)
• End the Rootkit Win32.tdss.mbr processes (right-click the Taskbar → open Task Manager → click the Processes tab → right-click each of the processes listed below → End Process)
RkLYLyoM.exe
podmena.exe
file.exe
~.exe
7-v3av.exe
csrssc.exe
72631899.exe
1776260179.exe
ucxmykkc.exe
• Show hidden folders and files (My Computer → Tools → Folder Options → View tab → select Show hidden files, folders and drives → uncheck Hide operating system files → click OK)
• Search for and delete the following Trojan files:
UACyylfjdaa.dll
TDSSnrsr.dll
TDSSmaxt.sys
tdssserf.dll
TDSSriqp.dll
TDSSciou.dll
TDSSoexh.dll
tdidrv2.sys
RkLYLyoM.exe
podmena.exe
tdssserv.sys
file.exe
~.exe
7-v3av.exe
csrssc.exe
72631899.exe
1776260179.exe
ucxmykkc.exe
• Unregister the following .dll files (click Start → Run → type the commands listed below one at a time):
regsvr32 /u UACyylfjdaa.dll
regsvr32 /u TDSSnrsr.dll
regsvr32 /u tdssserf.dll
regsvr32 /u TDSSriqp.dll
regsvr32 /u TDSSciou.dll
regsvr32 /u TDSSoexh.dll
• Delete the following registry keys created by the Trojan (click Start → Run → type regedit → OK):
HKEY_CURRENT_USER\Software\Mozilla\affid=
HKEY_CURRENT_USER\Software\Mozilla\subid=
HKEY_LOCAL_MACHINE\SOFTWARE\H8SRT\injectors
HKEY_LOCAL_MACHINE\SOFTWARE\H8SRT
HKEY_LOCAL_MACHINE\SOFTWARE\TDSS
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\H8SRTd.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TDSServ
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TDSServ.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\TDSServ.sys
{Disclaimer: Registry modification is done at your own risk. Backup the registry before making any changes!}
• Reboot the computer
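As an added example, not part of the original guide: a read-only PowerShell triage script that reports which of the process, file and registry indicators listed above are present on the machine, so you can confirm the infection before deleting anything. It assumes the dropped files sit under %SystemRoot% or its System32 tree; the function name Find-TdssIndicators is the example's own.

```powershell
# Added example, not from the original guide: read-only triage that reports
# which of the indicators listed above are present. It deletes nothing.
# Assumption: dropped files sit under %SystemRoot% or its System32 tree.
function Find-TdssIndicators {
    $procNames = 'RkLYLyoM','podmena','file','~','7-v3av','csrssc',
                 '72631899','1776260179','ucxmykkc'
    $fileNames = 'UACyylfjdaa.dll','TDSSnrsr.dll','TDSSmaxt.sys','tdssserf.dll',
                 'TDSSriqp.dll','TDSSciou.dll','TDSSoexh.dll','tdidrv2.sys',
                 'RkLYLyoM.exe','podmena.exe','tdssserv.sys','file.exe','~.exe',
                 '7-v3av.exe','csrssc.exe','72631899.exe','1776260179.exe',
                 'ucxmykkc.exe'
    $regKeys = 'HKLM:\SOFTWARE\H8SRT\injectors','HKLM:\SOFTWARE\H8SRT',
               'HKLM:\SOFTWARE\TDSS',
               'HKLM:\SYSTEM\CurrentControlSet\Services\H8SRTd.sys',
               'HKLM:\SYSTEM\CurrentControlSet\Services\TDSServ',
               'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TDSServ.sys',
               'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\TDSServ.sys'
    $findings = @()

    # 1. Running processes (Path is empty for processes we cannot open unelevated).
    foreach ($p in Get-Process -ErrorAction SilentlyContinue) {
        if ($procNames -contains $p.ProcessName) {
            $findings += "process: $($p.ProcessName) PID $($p.Id) $($p.Path)"
        }
    }
    # 2. Files on disk; -Force also lists hidden and system-attribute files.
    $roots = $env:SystemRoot, "$env:SystemRoot\System32", "$env:SystemRoot\System32\drivers"
    foreach ($root in $roots) {
        Get-ChildItem -LiteralPath $root -Force -File -ErrorAction SilentlyContinue |
            Where-Object { $fileNames -contains $_.Name } |
            ForEach-Object { $findings += "file: $($_.FullName)" }
    }
    # 3. Registry keys created by the rootkit.
    foreach ($k in $regKeys) {
        if (Test-Path -LiteralPath $k) { $findings += "registry: $k" }
    }
    # HKCU\Software\Mozilla is a legitimate key; only the affid=/subid= values are suspect.
    $mz = Get-Item -LiteralPath 'HKCU:\Software\Mozilla' -ErrorAction SilentlyContinue
    if ($mz) {
        foreach ($v in $mz.GetValueNames()) {
            if ($v -in 'affid=','subid=') { $findings += "registry value: HKCU\Software\Mozilla\$v" }
        }
    }
    return $findings
}

$hits = @(Find-TdssIndicators)
if ($hits.Count -eq 0) { 'No listed indicators found.' } else { $hits }
```

Run it from an elevated PowerShell so every process path can be read. Because the guide states the rootkit also infects the MBR, an empty report does not show that the boot sector itself is clean.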