How to Remove H8SRT Trojan / Rootkit TDSS

The H8SRT Rootkit is a modification to the TDSS Trojan that installs a driver to hide itself, hijacks Internet Explorer, gives fake security and virus warnings, redirects search queries and major site access, as well as disables Task Manager, Registry Editor and blocks most anti-spyware applications. Not only does it disrupt normal use of the computer but also does a good job at trying to keep you from removing it by disabling the tools you would need.

I’m not sure how I got this little bug but it was one of the most stubborn apps that I had seen in quite a while. The hardest part about this is that it won’t let you download or execute applications that are used to remove it or identify what malware I had on my system. When I come across malware I typically go download MalwareBytes Anti-malware (MBAM) and run it and problem solved, however this time it wouldn’t download the application until I renamed it to just a generic “Setup.exe” and saved it. After it was installed I then was unable to execute it as “mbam.exe” I had to rename it to “notepad.exe” which then allowed me to execute it. Once I got it to run it removed some of the fake AV items, but after a few reboots and even safe mode the H8SRT Trojan was still on my computer. I did a bit of internet research and found out that Kaspersky has created a removal tool for TDSS.Rootkit which the H8SRT Rootkit is based. Once I downloaded and ran the Kaspersky tool: TDSSKiller, I follow up with another round of MBAM and now my system is clean.

Download TDSS Killer: http://support.kaspersky.com/downloads/utils/tdsskiller.zip
Kaspersky Documentation on TDSS Killer: http://support.kaspersky.com/viruses/solutions?qid=208280684
Kaspersky Free Virus Removal Tools: http://www.kaspersky.com/removaltools
Download MBAM: http://www.malwarebytes.org/mbam-download.php

Read More