TDSS Rootkit Removal

I got a call the other day from a friend asking if I could take a look at his computer. Based on what he described, it sounded like a pretty standard combo infection of Anti-Virus 2009 and FakeAlert. He gave me the box, and a few days later I took a look.

The box would only boot into Windows successfully about one out of every 4 times. Once into windows, I found Antivirus 2009 and FakeAlert. As always, I tried the easiest things first, install Spy Sweeper and or Hijack This. Neither would install normally, so I changed the HJT folder name and .exe name, still would not run. Although Spy Sweeper would install, upon reboot it would say that the install was corrupt or something. At this point I should have realized there was a Rootkit.

I booted the box into a Slax live CD and went about removing AntiVirus2009 manually. Slax doesn't mount NTFS drives with write privileges by default, in order to accomplish this I ran the following commands:

umount /dev/hda2
ntfsmount /dev/hda2 /mnt/hda2

Now, had I know there was a rootkit and know a little about it TDSS, I could have probably killed it this time around. As I didn't, the process ended up taking quite a bit longer. Instead of simply removing Antivirus2009, I should have tried something like:

cd /mnt/hda2/windows/system32/drivers
ls tdss*
rm tdss*

cd ..
ls

and delete all .exe and .dll files with dates of 2009 on them (this may not work in a few months!)



Since I didn't realize there was a rootkit I simply removed Antivirus 2009 and rebooted.

Once I booted back into Windows I saw that fakealert was still there (and re-installing Antivirus2009) I decided to run rootkit revealer and see what it came up with. Sure enough there were a few entries for TDSSserv.sys and TDSSdata, and then two errors where it said it couldn't mount the the C and D driver. Did a little research on TDSS and realized that the box was most definitely rootkitted.

I played with the registry through regedit, but guess what, the only TDSS entries that were showing up were legacy data that would not stop the rootkit. No surprise. I searched the intewebs, read a variety of posts, grabbed a bunch of tools, Gmer, Icesword, and a bunch of others that I didn't end up using. I also created a UBCD4WIN boot disk based on this http://www.s-t-f-u.com/2008/10/29/rootkit-tdsssys-sucks-worse-than-a-2-dollar-whore-remove-it/ excellent post.

Now since I removed antivirus 2009 manually through Slax, I had created some discrepancies or problems with the disk. It still booted, into windows, but would not run a scheduled CHKDSK and I could no longer mount the volume in Slax because it gave some error, saying the volume was dirty and needed a chkdsk run.

I guess I really didnt need the UBCD4Win, as after like 15 mins it still hadn't booted, and because I'm impatient I just killed it and and used it to boot into the recovery console, but still, seems like something I will most definitely be using in the future.

After booting into the recovery console, I did what I should have done though Slax the first time around, and went to system32 removed all .exe's and .dll's with 2009 timestamps on them (at the time of this writing, that worked great, but probably wont soon as its almost 2009), and then into system32/ drivers got rid of all the TdssXXXX.sys files (where X= equals random characters). There were also some .ini files with 2009 dates on them that I probably could have removed, but didn't.

Rebooted into windows, to find that fakealert was still there. Opened Icesword (which is a fuking cool app) and killed the fakealert .exe manually (bratsk.exe or something). Since I couldn't find a way to search the registry though Icesword I just used regedit to search for "tdss" then navigated to those locations in IceSword (it takes care of permissions so deleting keys is far easier than in regedit) and delete the fuk out of anything tdss. The most interesting by far was the disallow section of TDSSDATA (I think that was it). It contained all the hooks that kept SS, Gmer, and all those other apps from running. I was able delete all TDSS entries. Rebooted.

Still had Fakealert. Searched the registry for TDSS. TDSSDATA was still there, but it looked like it hadn't fully set up as the keys were not there. Deleted it. At this point I was able to successfully install my prefered malware removal app (and inserted newest def set manually cause I work for them) and when I rebooted, the CHKDSK that I had scheduled many boot cycles actually kicked off.
The malware removal app install went through this time and I ran a full scan. Still waiting to see what all it found and removed, but at this point i'm pretty confident that the TDSS rootkit is dead. Big ups to the TDSS guy though, thats a pretty nice rootkit, and I know for a fact that you have at least one major malware vendor re-working their engine to accommodate removal (even if you hit after the engine was installed).

So, for the first time after getting the box, i feel safe connecting it up to the intewebs to get some likely much needed updates which is my guess where this came from.

Also, I heard that Microsoft released an update this week that removed over 1 million copies of rogue Antivirus apps? very interesting.