Since Jan 1, massive numbers of TDSS rootkits (I should call them packages, because they're more than a rootkit) have been surfacing everywhere and I've been swamped with calls. …good thing for me, bad for them.
Anyway, here is how I'm removing and cleaning up the latest TDSS infection.
- When I get to the client's house I just assume they've been infected with a TDSS rootkit. 80% of the time I'm right.
- I immediately reboot their PC to my UBCD4Win. My UBCD4Win contains SAS, Avira (if I need it) and Dr. Web's CureIT.
- In the UBCD4Win bootable environment I load EZ-PC-Fix, load Hives (which loads the host's registry so I can edit it) and delete all temp files as well as Windows System Restore files. Next, load Dr. Web and scan C:\Windows\System32.
- Dr. Web usually finds an infected atapi.sys (the rootkit) and asks me to move it (a.k.a. delete it).
- Now it's time to clean up.
- I replace the deleted atapi.sys with a clean copy taken from the same version of Windows.
- I load EZ-PC-Fix (on the desktop) and Load Hives.
- Start Regedit. Expand the HKLM from C: (not the boot CD's own HKLM). Go to HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon.
- Inside the Winlogon key you NEED a string value named Userinit with the data C:\windows\system32\userinit.exe, (don't forget the trailing comma). Close Regedit. Close EZ-PC-Fix.
- Locate a clean copy of userinit.exe and copy it. Open C:\Windows\System32 and rename the old userinit.exe to userinit.exe.old. Paste the clean copy in as C:\Windows\System32\userinit.exe.
- Run a SAS scan on:
  - C:\Documents and Settings (XP) or C:\Users (Vista), C:\Windows, and the Registry.
- Run a full Avira scan.
- Reboot.
- Encourage the client to choose either a free anti-virus (Microsoft Security Essentials) or, if they have the money for complete protection, Kaspersky Internet Security 2010.
- Make sure the client is running a current browser (IE8) and that Windows updates are being installed.
If you have your own personal experience with TDSS I'd like to hear about it.
I'll try it out! :D And where are your videos, Matt?
Nice removal procedure
I’ve been slammed with the holidays and appointments.
thanks!
Does UBCD4WIN support Windows 7?
I just want to make sure that my system is clean with Avira.
Thanks for these very helpful instructions. I only have one question — how do I delete any/all Windows System Restore files? I’m not entirely sure where they are located.
I’m still having the problem that atapi.sys (which I know is a clean version) is still deleting itself from the \windows\system32\drivers directory. Each time I reboot my machine I have to use Recovery Console to copy it back. Odd.
Thanks again – for this and everything else on the site! I shall be telling everybody about your site!
@ARAVIM:
UBCD4WIN doesn’t officially support Windows 7, but it will work assuming it has functioning driver support
@AndrewBrooklyn:
System Restore files are stored in
“C:\System Volume Information”
@AndrewBrooklyn – it’s an option in the EZ-PC-Fix delete temp files menu.
ComboFix does the trick.
@927 – sometimes it does, but some of these boxes are soooo far gone that logging on takes 10-15 minutes. Safe mode is not possible either.
Avira and SAS (on a boot CD) also clean that malware all by themselves.
———-
Matt, when will we have more video reviews ?
A full scan with Avira and a scan of the user folders? Man, how long does all that take? I’ve been working on a pretty foolproof virus removal method that takes under an hour onsite and have come up with this so far:
1. Immediately boot to UBCD4Win
2. Run EZPCFix and remove all temp files
3. Scan the registry and System32 with SAS
4. Scan System32 with Dr. Web’s Cure It! (it usually repairs atapi.sys if necessary, but if it moves it, replace it with a good copy)
5. While scanning with Dr. Web, run HijackThis (usually I end up removing almost everything)
6. Reboot into safe-mode (which should be possible now)
7. Run HijackThis again (works better out of UBCD environment)
8. Run AutoRuns
9. Run WinsockXPFix
10. Run Dial-A-fix
11. Run ComboFix
12. Test and install security essentials
It seems to work more or less every time and takes a little over an hour. What are your thoughts? Anything too redundant or anything missing?
I installed KIS 2010 on my Windows 7 computer. It slowed EVERYTHING down to a crawl; it got worse and worse until I finally uninstalled it, and then everything sped back up again. When I had it installed, IE8 was so slow opening sites it was unusable, and I had to use Firefox. Even my Microsoft Office programs seemed slower. I have a fast computer, quad-core Intel with 6 GB RAM, so it is certainly not my computer.
Glad to hear that progress is being made for OTHER people, those who insist on using 2010. My own feeling is that I should have stuck with what I learned long, long ago: “If it ain’t broke, don’t fix it.” That’s why I never upgraded from XP to Vista or to Windows 7. As long as I stay with this same machine, I’ll certainly never try to upgrade to KIS 2011, 2012, or whatever else comes along. The people who run these companies after a while stop being computer nerds and become money nerds — their only interest is in making more and more money and they lose sight of what made them successful in the first place: their customers. So, in order to make more money (they *think*), they create new, new, NEW! annual bloatware that no longer serves their customers, nor, ultimately, themselves. The worse their bloatware, the fewer their customers. You know what you can say to Kaspersky: “Bye-bye, guys! It was nice while it lasted but in a few years you’ll be gone….”
OK Matt.
I fix the normal stuff with Malware Defence / IE automatically opens / redirects.
You can also use RKill and TDSSKiller to disable the malware.
This Week’s Top 10 Spyware Threats. From Sunbelt Software. This one stood out.
Rootkit.TDss.Gen: Rootkit
I'm guessing Vipre will remove it.
Malwarekilla –
I think my machine is back to normal now. Well, almost.
The only outstanding issue is that when I boot into Recovery Console, it no longer asks me for my Admin password, which it used to pre-rootkit virus.
Should I be concerned about that, and if so, what should I do?
How do you create a UBCD4WIN CD that has SAS etc installed?
Thanks!
Kungpao
Hey Matt, would you recommend Avira over MSE or MSE over Avira? I don't mind the nag screen and the false positives.
Thanks for this news Matt.
If a client has Malwarebytes updated and running all the time (paid), is he protected against this rootkit? I really want to prevent them from being infected instead of going on site all the time.
Yes, I'd ask that question too.
Avira or MSE
MSE. & KIS 2010 detects UBCD4Win as a potential threat, on both my PCs.
Matt, after rootkit removal, are you considering ThreatFire in combination with MSE? I have settled on MSE, ThreatFire, and Immunet together as a really good light alright combination with the Windows firewall. As of this posting, Immunet is up to protection against 6,231,897 threats. Bryan
Since I found this site to be helpful I thought I would add a few details of my own cleanup. My neighbor was hit with Personal Security and apparently TDSS, if they aren’t the same thing, and fell for the ruse. He gave them his credit card number. The next day he couldn’t boot his machine and was receiving the 0000007b STOP code on start-up. Atapi.sys was definitely infected, but replacing it with a good file both in system32 and dllcache didn’t do the trick. I was able to boot to Last Known Good, but the machine almost immediately forced me to reboot once Windows was up. The next time I received 0000007b on Normal, Safe, and Last Known Good start-ups. While in BartPE I noticed that there was an entry under Services in the registry for Atapi, but not in the registry for the imported registry. I checked my own machine and sure enough there was an entry for Atapi, but not in the infected machine under any of the ControlSet00xs (of which there were three). I imported the key from a good machine to all three control sets and the machine was then able to boot. So if anyone else is still getting 0000007b after cleaning the atapi.sys file try searching in the registry for the Atapi service under HKLM\System\ControlSet001\services.
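Two registry checks come up on this page: the post's Userinit step (a string value named Userinit whose data is C:\windows\system32\userinit.exe, with the trailing comma) and the missing Services\Atapi key under each ControlSet00x that the comment above traced to the 0000007b STOP code. Both can be verified offline from a regedit export of the loaded hives before rebooting the box. The script below is an added example of mine, not code from the post, the commenter, or any of the tools named here. It assumes you have exported the Winlogon key and the HKLM\SYSTEM branch with regedit's File > Export (REGEDIT5 format); the two sample exports embedded in it are constructed, with a placeholder EXAMPLE-dropper.exe standing in for whatever extra program a tampered Userinit value would launch, and the default SystemRoot of C:\Windows is an assumption you can override.

```python
r"""Offline audit of a regedit (.reg) export for the two registry spots this
page discusses: the Winlogon Userinit/Shell values and the Services\Atapi key
under each ControlSet00x.  Added example; the sample exports are constructed."""
import re

# "Name"="data" lines; the data part is examined separately.
REG_VALUE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')
WINLOGON = r'hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon'
CONTROLSET = re.compile(r'hkey_local_machine\\system\\(controlset\d{3})')


def _unescape(s):
    # .reg files double backslashes and escape quotes inside string data.
    return s.replace('\\\\', '\\').replace('\\"', '"')


def parse_reg_export(text):
    """Return {key_path_lower: {value_name_lower: data}} for the subset of the
    REGEDIT5 format needed here.  Non-string data (dword:, hex:) is stored as
    None so the value is still known to exist."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';') or line.startswith('Windows Registry Editor'):
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        if line.startswith('@='):                 # the (Default) value
            name, data = '', line[2:]
        else:
            m = REG_VALUE.match(line)
            if not m:
                continue
            name, data = _unescape(m.group('name')), m.group('data')
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            keys[current][name.lower()] = _unescape(data[1:-1])
        else:
            keys[current][name.lower()] = None
    return keys


def _norm(path, system_root):
    return path.strip().strip('"').lower().replace('%systemroot%', system_root.lower())


def audit_winlogon(keys, system_root=r'C:\Windows'):
    """Findings for the post's Userinit check: only the real userinit.exe under
    system32 may be listed, and the stock trailing comma must be present."""
    findings = []
    vals = keys.get(WINLOGON, {})
    expected = _norm(system_root + r'\system32\userinit.exe', system_root)
    userinit = vals.get('userinit')
    if userinit is None:
        findings.append('Userinit value missing: logon cannot complete')
    else:
        for entry in (e for e in userinit.split(',') if e.strip()):
            if _norm(entry, system_root) != expected:
                findings.append('Userinit runs unexpected program: ' + entry.strip())
        if not userinit.rstrip().endswith(','):
            findings.append('Userinit lacks the trailing comma of the stock value')
    shell = vals.get('shell')
    if shell is not None and _norm(shell, system_root) != 'explorer.exe':
        findings.append('Shell is not explorer.exe: ' + shell)
    return findings


def audit_atapi_service(keys):
    """ControlSet00x keys that have no Atapi service subkey, the state the
    comment above found behind the boot failure on every start-up mode."""
    missing = []
    for key in keys:
        m = CONTROLSET.fullmatch(key)
        if m and key + r'\services\atapi' not in keys:
            missing.append(m.group(1))
    return sorted(missing)


# Constructed sample exports (not taken from any real machine).
SAMPLE_CLEAN = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Atapi]
"Type"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Atapi]
"Type"=dword:00000001
'''

SAMPLE_TAMPERED = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\Temp\\EXAMPLE-dropper.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Atapi]
"Type"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services]
'''

if __name__ == '__main__':
    for label, export in (('clean', SAMPLE_CLEAN), ('tampered', SAMPLE_TAMPERED)):
        k = parse_reg_export(export)
        print(label, audit_winlogon(k), audit_atapi_service(k))
```

On the tampered sample the Userinit audit reports the extra program and the missing trailing comma, and the service audit names controlset002 as the control set with no Atapi key; the clean sample produces no findings. The parser deliberately keeps non-string values as None rather than dropping them, so a key that exists with only dword data (like the Atapi service's Type) still counts as present.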
My PC was infected about a month ago with a TDSS trojan (packer). I had loads of rogue PC scanners, one in particular PC Security (fake Windows). Unfortunately my wife bought the product, which is what they wanted anyway. I downloaded Malwarebytes, SuperAntiSpyware and Avira; none of them picked up this TDSS (trojan). I am new to computers so I had no understanding of what was causing my redirection. I downloaded AVG's rootkit detection; that never found anything. I continued this process for about 3 weeks. I was on the verge of taking my PC to a shop for repair or reinstalling the complete system, then I downloaded Kaspersky "TDSSKiller", which picked up numerous infections in my registry and atapi, rebooted my computer and it's been fine ever since. It must rank as one of the worst infections for the sheer amount of control it exerts, rendering your computer useless. Anyway I would recommend Kaspersky's TDSSKiller for the removal of these nasty rootkits.