Removing and Cleaning Up TDSS Guide for 1/2010

Since Jan 1 massive amounts of TDSS rootkits (I should call them packages because it’s more than a rootkit) have been surfacing everywhere and I’ve been swamped with calls.  …good thing for me, bad for them 😛

Anyway, here is how I’m removing and cleaning up the latest TDSS infection.

  1. When I get to the clients house I just assume they’ve been infected with a TDSS rootkit.  80% of the time I’m right.
  2. I immediately reboot their PC to my UBCD4Win.  My UBCD4Win contains SAS, Avira (if I need it) and Dr. Web’s CureIT.
  3. In the UBCD4WIN bootable environment I’ll load EZ-PC-Fix, load Hives (basically just loads the host’s registry so I can edit it) and delete all temp files as well as Windows System Restore files.  Next, load Dr Web and scan C:\Windows\System32.
  4. Dr. Web usually finds an infected atapi.sys (the rootkit) and asks me to move it (a.k.a – delete it).
  5. Now it’s time to clean up.
    • I replace the deleted atapi.sys with a clean one from the proper OS.
    • I load EZ-PC-FIX (on the desktop).  Load Hives.
    • Start Regedit.  Expand the HKLM hive loaded from C: (not the bootable CD’s own HKLM).  Go to HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon.
    • Inside the Winlogon key you NEED to have a string value named Userinit whose data is C:\windows\system32\userinit.exe, (don’t forget the trailing comma; anything else listed after it is a program the malware is launching at every logon).  Close Regedit.  Close EZ-PC-Fix.
    • Locate a clean copy of userinit.exe, copy it.  Open C:\Windows\System32 and rename the old userinit.exe to userinit.exe.old.  Paste userinit.exe (the clean copy) to c:\windows\system32\userinit.exe.
  6. Run a SAS scan on:
    • C:\Documents and Settings (for XP) or C:\Users (Vista), C:\Windows and the Registry.
    • Run a full Avira scan.
  7. Reboot.
  8. Encourage the client to choose either a free anti-virus (Microsoft Security Essentials) or, if they have the money for complete protection, Kaspersky Internet Security 2010.
  9. Make sure the client is running a current browser (IE8) and that Windows updates are being installed.

If you have your own personal experience with TDSS I’d like to hear about it.
