Thursday, November 27, 2008

TDSS Rootkit Removal

I got a call the other day from a friend asking if I could take a look at his computer. Based on what he described, it sounded like a pretty standard combo infection of Anti-Virus 2009 and FakeAlert. He gave me the box, and a few days later I took a look.

The box would only boot into Windows successfully about one time in four. Once in Windows, I found Antivirus 2009 and FakeAlert. As always, I tried the easiest things first: installing Spy Sweeper and/or HijackThis. Neither would install normally, so I changed the HJT folder name and .exe name; it still would not run. Spy Sweeper would install, but on reboot it complained that the install was corrupt or something similar. At this point I should have realized there was a rootkit.

I booted the box into a Slax live CD and went about removing Antivirus 2009 manually. Slax doesn't mount NTFS drives read-write by default; to get write access I unmounted the volume and remounted it with ntfsmount (the FUSE NTFS driver from ntfsprogs):

umount /dev/hda2
ntfsmount /dev/hda2 /mnt/hda2

Now, had I known there was a rootkit and known a little about TDSS, I could probably have killed it this time around. As I didn't, the process ended up taking quite a bit longer. Instead of simply removing Antivirus 2009, I should have tried something like:

cd /mnt/hda2/windows/system32/drivers
ls -l [Tt][Dd][Ss][Ss]*    # list first; the Linux NTFS mount is case-sensitive, so a plain tdss* glob can miss TDSSserv.sys
rm [Tt][Dd][Ss][Ss]*

cd ..
ls -l                      # -l shows the timestamps the next step keys on

and deleted every .exe and .dll in system32 with a 2009 timestamp. Those 2009 dates were in the future relative to when this was written (November 2008), which is what made the files stand out, so this trick may not work in a few months!

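As an added example (my script, not something from the original post), here is the Slax-side triage above and the Recovery Console clean-up later in the post written as a few shell functions you can run from a live CD against the mounted volume. It lists before it touches anything, matches the TDSS driver names case-insensitively (the Linux mount is case-sensitive, so a plain tdss* glob can miss TDSSserv.sys), and generalises the "2009 timestamp" test into "modified after a reference date", because what made those files stand out was that their mtimes were in the future. It quarantines instead of rm'ing so a false positive is recoverable. Assumptions: the mount point is passed as the first argument (e.g. /mnt/hda2), the reference date is in touch -t form (CCYYMMDDhhmm), and the tdss-quarantine directory name is my own choice.

```sh
#!/bin/sh
# Added example, not code from the original post. Triage a Windows volume
# mounted read-write from a live CD (see ntfsmount above): list suspects by
# name and by timestamp, then quarantine rather than delete.
# Assumptions (hypothetical): $1 = mount point such as /mnt/hda2;
# reference date given as CCYYMMDDhhmm; quarantine dir name is ours.

find_tdss_drivers() {
    # -ipath: NTFS names are case-insensitive but the Linux mount is not,
    # so match TDSSserv.sys, tdssmain.sys, etc. regardless of case.
    # The post's random-suffix TDSSxxxx.sys names are covered by tdss*.
    find "$1" -maxdepth 4 -type f -ipath '*/system32/drivers/tdss*' | LC_ALL=C sort
}

find_future_dated() {
    # $1 = mount point, $2 = reference date as CCYYMMDDhhmm.
    # Lists .exe/.dll directly under system32 modified after the reference,
    # i.e. the files the post deleted by looking for 2009 dates in Nov 2008.
    ref=$(mktemp) && touch -t "$2" "$ref" || return 1
    find "$1" -maxdepth 3 -type f -ipath '*/system32/*' \
        \( -iname '*.exe' -o -iname '*.dll' \) -newer "$ref" | LC_ALL=C sort
    rm -f "$ref"
}

quarantine() {
    # Reads paths on stdin and moves them into a quarantine directory on the
    # volume instead of deleting: keeps samples for analysis and makes a
    # false positive (a legitimately updated DLL) easy to put back.
    q="$1/tdss-quarantine"
    mkdir -p "$q" || return 1
    while IFS= read -r f; do
        if [ -n "$f" ]; then
            mv -- "$f" "$q/" || return 1
        fi
    done
}

# Usage from the live CD after mounting, for example:
#   find_tdss_drivers /mnt/hda2
#   find_future_dated /mnt/hda2 200811270000
#   find_tdss_drivers /mnt/hda2 | quarantine /mnt/hda2
```

Review the listings before piping them into quarantine; a Windows Update run on the same day you triage will also produce "future" DLLs if your reference date is stale, which is exactly the false positive the quarantine directory exists for.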
Since I didn't realize there was a rootkit I simply removed Antivirus 2009 and rebooted.

Once I booted back into Windows I saw that FakeAlert was still there (and reinstalling Antivirus 2009), so I decided to run RootkitRevealer and see what it came up with. Sure enough, there were a few entries for TDSSserv.sys and TDSSdata, and then two errors saying it couldn't mount the C and D drives. A little research on TDSS confirmed that the box was most definitely rootkitted.

I played with the registry through regedit, but guess what: the only TDSS entries showing up were legacy data whose removal would not stop the rootkit. No surprise. I searched the interwebs, read a variety of posts, and grabbed a bunch of tools: GMER, IceSword, and others that I didn't end up using. I also created a UBCD4WIN boot disk based on this excellent post: http://www.s-t-f-u.com/2008/10/29/rootkit-tdsssys-sucks-worse-than-a-2-dollar-whore-remove-it/

Now, since I had removed Antivirus 2009 manually through Slax, I had created some discrepancies or problems on the disk. It still booted into Windows, but would not run a scheduled CHKDSK, and I could no longer mount the volume in Slax because it gave an error saying the volume was dirty and needed a chkdsk run.

I guess I really didn't need the UBCD4Win: after about 15 minutes it still hadn't booted, and because I'm impatient I just killed it and booted into the Recovery Console instead. Still, it seems like something I will most definitely be using in the future.

After booting into the Recovery Console, I did what I should have done through Slax the first time around: went to system32 and removed all .exe and .dll files with 2009 timestamps (at the time of this writing that worked great, but it probably won't for long, as it's almost 2009), then went into system32\drivers and got rid of all the TDSSxxxx.sys files (where the x's are random characters). There were also some .ini files with 2009 dates that I probably could have removed, but didn't.

Rebooted into Windows to find that FakeAlert was still there. Opened IceSword (which is a fucking cool app) and killed the FakeAlert .exe manually (bratsk.exe or something). Since I couldn't find a way to search the registry through IceSword, I used regedit to search for "tdss", then navigated to those locations in IceSword (it takes care of permissions, so deleting keys is far easier than in regedit) and deleted the fuck out of anything TDSS. The most interesting by far was the disallow section of TDSSDATA (I think that was it). It contained all the hooks that kept Spy Sweeper, GMER, and all those other apps from running. I was able to delete all the TDSS entries. Rebooted.

Still had FakeAlert. Searched the registry for TDSS. TDSSDATA was still there, but it looked like it hadn't fully set up, as the keys were not there. Deleted it. At this point I was able to successfully install my preferred malware removal app (and insert the newest def set manually, because I work for them), and when I rebooted, the CHKDSK I had scheduled many boot cycles earlier actually kicked off.
The malware removal app install went through this time and I ran a full scan. I'm still waiting to see what all it found and removed, but at this point I'm pretty confident that the TDSS rootkit is dead. Big ups to the TDSS guy, though: that's a pretty nice rootkit, and I know for a fact that you have at least one major malware vendor reworking their engine to accommodate removal (even if you hit after the engine was installed).

So, for the first time since getting the box, I feel safe connecting it up to the interwebs to get some likely much-needed updates, the lack of which is my guess as to where this came from.

Also, I heard that Microsoft released an update this week that removed over 1 million copies of rogue antivirus apps? Very interesting.

11 comments:

dewtea said...

Thanks for the great article. Helped me a lot in removing this beast. I'd like to share my story here for reference.
It all started when my wallpaper changed to a 'Warning: Your system may not be protected' blue screen. I knew something had hit me. Using process explorer I quickly removed some files (e.g. uesiuqcr.exe) and thought that was it.
Next day my MSN Messenger refused to sign in. I quickly opened up Sysinternals' TCPView and Process Explorer to find that the DCOM Server Process Launcher service was creating countless connections and had also opened up local ports (like port 1015 etc.) and traffic was routed through these local ports. It was also denying access to popular (and not-so-popular) antivirus sites. I knew I had to reinstall Windows. :(

Removing TDSS was one hell of a job. But like you mentioned, detecting its presence was even more difficult. I only suspected it after carefully looking through entries loaded by DCOM server process launcher service using Sysinternals' Process Explorer. Thank God I didn't have to re-install windows which requires re-install of a lot of software scattered around in several partitions.
Since the TDSSxxx.dll files were invisible through Explorer and the command prompt (which was my first encounter with such files), I had to log in to my less frequently used Vista to get rid of these files. After that things (the steps described by you) were pretty straightforward using IceSword (great piece of software).

Thanks again and sorry for the long comment ;)

Erick said...

you can also try going into the device manager and choose 'show hidden devices' under view, then look for TDSServ.sys under Non-Plug And Play Drivers and disable it. Reboot and now you can see the files starting with TDSS in \windows\system32\ directory.

Justin said...

I had a run-in with this nasty root kit tonight as well. After reading all these great articles I was preparing to clean them out when I came across Erick's comment.

After disabling TDSServ.sys under Non-Plug And Play Drivers and rebooting, I was able to delete all the TDSS files in the \windows\system32\ directory. Finally I could run my anti-virus etc. software and connect to av sites again!

Greg said...

Excellent advice Erick...thanks!

eggBrain said...

I ran into this TDSS rootkit just over the weekend and I was worried. It would start booting to a blue screen after fixboot, fixmbr and an attempt at a repair install.

I couldn't do safe mode, nothing. So I slaved the drive to another bootable hard drive and ran the AVG Free scan on it overnight. It found 6 infections, all with *TDSS* as part of the name.

I promptly removed them.

Then, after powering off, I detached the slave and changed it to Master and she booted up just fine after finishing the repair-install it was left in.

I then ran Spybot Search and Destroy on the drive (as now it is the primary drive) and it found several Registry entries and it cleaned them out. I rebooted and ran it again, no recurrence. (also cleared System Restore and created another restore point for today).

Then I read all the previous posts here, went to the hidden devices and lo and behold, the TDSS service was there BUT NOT functioning properly, so I was satisfied that it wasn't running at all. I disabled it anyway. (Will reboot then run AVG in a bit).

I did a search of TDSS files and it seems there's a bunch of .zips and a few .dlls left behind which I will scan with AVG first, then use SD and/or ComboFix to finish it off.

Question being, will TDSS still be embedded as part of the rootkit? Also, should TDSS be uninstalled as a service or cleaned out by an anti-malware program?

eggBrain said...

I have since run 3 full scans from AdAware, Spybot and AVG since and have all come up clean. I renamed some suspicious TDSS files and my system is still up and running.

If you are having a TDSS problem (symptoms generally of not being able to go to security websites) and can not boot to your OS, you may have to follow a possible alternate solution than what is presented here.

Chris said...

Thanks for the advice Erick. Your advice of showing hidden devices in Device Manager revealed TDSServ.sys under Non-Plug And Play Drivers. After this I checked for files with TDSS in their name in the system32\drivers\etc folder. Deleting these as well as some in the temp folder I found using Windows search, and now I am able to launch Spybot as well as update AVG.

Charles said...

I'll do you one better... if you have or can nab a copy of the last version of AVG Anti-Rootkit before it was discontinued and made available only in the pay version 8.0, it will find it and remove it for you automatically, clean and easy.

You can still download the tool from Brothersoft for now, but you may have to hand-type the link if all your searches are being DNS-jacked to marketing mahooey:
http://www.brothersoft.com/avg-anti-rootkit-free-60621.html

Alisa Sh said...

TDSS tends to mutate rapidly, its core files names changing very often. Thus, removing the beast by file names (either from an external Linux OS, or from a bootable CD, or manually via the Devices/Non PnP drivers box, etc.) is an unstable solution which would fail from time to time.

Searching for hidden files (whatever their names) is a better way. It can be done by using one of the pro anti-rootkit solutions, though it's somewhat tricky to know your way around these programs because of their massive output.

Good news: there is a free TDSS removal utility available for anyone looking for a simple 'one-click' solution. We made it for fun and skill, bored by the fact that no AV solution is capable of removing the TDSS reliably.
If you ever try it, please DO provide your feedback.

hedgehog said...

I had a friend's laptop come in maxed out with malware. I could not install any tools such as Malwarebytes Anti-Malware to deal with it, the browser was unusable due to constantly being redirected, and though I could see lots of bad files, they all came back as fast as I deleted them. There was no visible source I could locate as the source of all the problems: no obvious in-your-face scamware or obvious spyware applications, probably because someone prior to me had tried to fix the problem by deleting the fakeware. I ran a rootkit reveal and found TDSS, but how to get rid of it when there were no visible registry entries to delete, ditto files? Answer: SDFix, which I got from bleepingcomputers. It came down as a zip I think, which got by the install problem, and all I needed to do was boot into Safe Mode and start the batch file. If you call up Task Manager you can see it working away in Processes; otherwise you might think nothing is happening, as there is no progress indication. Then you boot back into full mode and it does a bit more, and then it is done. Sorted! After that I could download antispyware tools and soon had 177 other nasties rubbed out, many of them Vundo copies. Went to bed happy :)

David said...

Took me almost 24 hours of hair-pulling frustration to rid my son's computer of "Malware Defense", Rootkit.TDSS and several other possibly associated infections like the "Google Installer" error and the Viewpoint.exe error. Of course I was initially unable to even run SuperAntiSpyware or Symantec. SuperAntiSpyware now comes with an "Alternate Boot" which did allow the program to boot up, but then the scan would cease halfway through. Sometimes it would take half a dozen reboots to get the computer to even get back to the desktop. And even Safe Boot was often locked out. MBAM got rid of most of the issues including "Malware Defense" but that dang "Rootkit.TDSS" kept returning even after MBAM said it was deleted. RootkitRevealer found a suspicious purported Sam Cooke MP3 file that was "locked to the API" but couldn't delete the file. The key to SOLVING the rootkit problem turned out to be the AVG Free Rootkit Removal Tool. THANK YOU FOR THE LINK. I visited a dozen other websites trying to address the same issue, but THIS WEBSITE WAS THE ONLY ONE that linked to that AVG tool. Once AVG found and deleted the file, I was able to run SuperAntiSpyware which found and deleted 1 more file and 8 other registry entries related to that rootkit. Rebooted, rescanned and the computer is now 100% disinfected. THANK YOU!