Since Jan 1, massive numbers of TDSS rootkits (I should call them packages, because each one is more than just a rootkit) have been surfacing everywhere, and I've been swamped with calls. …good thing for me, bad for them 😛
Anyway, here is how I'm removing and cleaning up the latest TDSS infection.
- When I get to the client's house I just assume they've been infected with a TDSS rootkit. 80% of the time I'm right.
- I immediately reboot their PC to my UBCD4Win. My UBCD4Win contains SAS (SUPERAntiSpyware), Avira (if I need it) and Dr. Web's CureIt. Booting from the CD matters: the rootkit driver is not loaded, so it cannot hide its files from the scanner.
- In the UBCD4Win bootable environment I load EZ-PC-Fix, load Hives (this mounts the host's registry hives so I can edit them offline) and delete all temp files as well as the Windows System Restore files (restore points hold copies of system files, including the infected driver, and would reinfect the machine on a restore). Next, load Dr. Web and scan C:\Windows\System32 (this includes the drivers subfolder).
- Dr. Web usually finds an infected atapi.sys (the rootkit's driver, in C:\Windows\System32\drivers) and asks me to move it (i.e. delete it).
- Now it’s time to clean up.
- I replace the deleted atapi.sys with a clean one from the proper OS: it must come from install media for the same Windows version and service pack, or the machine may not boot.
- I load EZ-PC-FIX (on the desktop). Load Hives.
- Start Regedit. Expand HKLM on C: (the host's loaded hive, not the bootable CD's own HKLM). Go to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon.
- Inside the Winlogon key you NEED a string (REG_SZ) value named Userinit whose data is exactly C:\windows\system32\userinit.exe, (don't forget the trailing comma; it is part of the default value). TDSS uses this value to start its own loader at logon, so anything appended after the comma, or a path other than the system32 one, is the infection and has to go. Close Regedit. Close EZ-PC-Fix.
- Locate a clean copy of userinit.exe (again from the same Windows version and service pack) and copy it. Open C:\Windows\System32 and rename the old userinit.exe to userinit.exe.old. Paste the clean copy in as C:\Windows\System32\userinit.exe.
- Run a SAS scan on C:\Documents and Settings (XP) or C:\Users (Vista), C:\Windows, and the registry.
- Run a full Avira scan.
- Encourage the client to choose either a free anti-virus (Microsoft Security Essentials) or, if they have the money for complete protection, Kaspersky Internet Security 2010.
- Make sure the client is running a current browser (IE8) and that Windows updates are being installed, since the drive-by installs that drop these packages target old browser and plugin versions.
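The two repairs above (the Userinit value and the replaced files) are easy to get slightly wrong by hand, so here is a verification script to run from an elevated PowerShell prompt after the cleaned machine reboots. It is an added example, not part of the original post. It assumes the known-good atapi.sys and userinit.exe you copied in are still available in a folder you pass as $CleanDir (the default path is made up), taken from install media of the same Windows version and service pack.

```powershell
# Added example: verify the TDSS repair steps from the post above.
# Not part of the original post. Assumes $CleanDir holds the known-good
# copies of atapi.sys and userinit.exe that were used for the repair.
param(
    [string]$CleanDir = 'D:\clean\xp-sp3'   # assumed path; change to your media
)

$SystemRoot = $env:SystemRoot
$ErrorActionPreference = 'Stop'

# SHA-256 through .NET so this also runs on PowerShell 2.0 (XP/Vista era),
# which has no Get-FileHash cmdlet.
function Get-Sha256 {
    param([string]$Path)
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        return ([System.BitConverter]::ToString($sha.ComputeHash($stream))).Replace('-', '')
    } finally {
        $stream.Close()
    }
}

# Check 1: Winlogon\Userinit must be exactly "<SystemRoot>\system32\userinit.exe,".
# TDSS adds its own loader to this value, so any extra entry is a hijack
# indicator; a missing trailing comma means the value was retyped by hand.
function Test-Userinit {
    $key      = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $value    = (Get-ItemProperty -Path $key -Name Userinit).Userinit
    $expected = "$SystemRoot\system32\userinit.exe,"
    if ($value -ieq $expected) {
        Write-Host "Userinit OK: $value"
        return $true
    }
    # List every comma-separated entry that is not the legitimate userinit.exe.
    $extra = $value.Split(',') | ForEach-Object { $_.Trim() } |
             Where-Object { $_ -ne '' -and $_ -ine "$SystemRoot\system32\userinit.exe" }
    Write-Warning "Userinit is '$value' (expected '$expected'); unexpected entries: $($extra -join ' ; ')"
    return $false
}

# Check 2: the two replaced files must match the known-good copies byte for byte.
function Test-ReplacedFiles {
    $pairs = @{
        "$SystemRoot\system32\drivers\atapi.sys" = (Join-Path $CleanDir 'atapi.sys')
        "$SystemRoot\system32\userinit.exe"      = (Join-Path $CleanDir 'userinit.exe')
    }
    $ok = $true
    foreach ($installed in $pairs.Keys) {
        $clean = $pairs[$installed]
        if (-not (Test-Path $clean)) {
            Write-Warning "No clean copy found at $clean"
            $ok = $false
            continue
        }
        $installedHash = Get-Sha256 $installed
        $cleanHash     = Get-Sha256 $clean
        if ($installedHash -eq $cleanHash) {
            Write-Host "OK       $installed ($installedHash)"
        } else {
            Write-Warning "MISMATCH $installed`n  installed: $installedHash`n  clean:     $cleanHash"
            $ok = $false
        }
    }
    # The renamed original from the post's step is still on disk; remind the
    # technician to remove it once the machine has booted cleanly.
    $old = "$SystemRoot\system32\userinit.exe.old"
    if (Test-Path $old) { Write-Warning "$old is still present; delete it after a clean boot" }
    return $ok
}

# Run both checks unconditionally so every problem is reported, not just the first.
$userinitOk = Test-Userinit
$filesOk    = Test-ReplacedFiles
if ($userinitOk -and $filesOk) {
    Write-Host 'All checks passed.'
} else {
    Write-Warning 'Repair incomplete; re-check before handing the machine back.'
}
```

Two caveats. The script compares hashes against your clean copies instead of calling Get-AuthenticodeSignature because Windows system files of this era are catalog-signed rather than embedded-signed, and older PowerShell reports them as NotSigned even when they are genuine. And a matching hash only means something once the rootkit driver is no longer loaded, which is exactly why the post does its scanning from the boot CD rather than from the running system; if the machine is still misbehaving after the first reboot, go back to the UBCD4Win environment rather than trusting what the live system shows you.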
If you have your own personal experience with TDSS I'd like to hear about it.