I rece ntly was hired to repair a computer, soon after booting it up at home I discovered it had some serious issues. (Please note this article was written in the spring of 2010, since then there have been developments from Kaspersky that make the removal of this rootkit easier, see the below update). Google searches were redirected to all sorts of locations, but never where you really wanted to go. The computer was severely slow, and there were other noticeable security issues that signified some serious malware. An initial scan with Malwarebytes revealed 48 malware issues that were easily resolved. Further scanning with AVG, F-Secure, and Trend Micro couldn’t find anything… but still there was something up. The re-direct issue was not resolved, and the computer really only functioned well in safe mode. This was a vista system that seemed to also be suffering with the all too common SVCHOST issue that ate up the CPU and automatic updates did not work at all. The owner had never updated their OS so this copy of vista didn’t even have SP1 installed on it. I ran hijackthis and OTL to generate some logs and take a glimpse at what was really going on. Eventually I ran a scan with Dr. Web Cure It and it was able to find the TDSS rootkit in memory. It claimed to have eradicated the memory process, but because it didn’t deal with the actual files it didn’t deal with the backdoor. Further research identified Kaspersky had released a tool TDSSKILLER.exe to deal with this parasite. I ran this program, but it was unsuccessful. It did identify that the backdoor was there, and claimed to have eliminated it, but upon reboot… no dice. It seemed this was a new variant of TDSS, one that Kaspersky hadn’t caught up with yet.

What is the backdoor TDSS rootkit?

Backdoor.TDSS is a malicious parasite that is commonly downloaded and installed onto your computer through security holes. Once inside your machine, Backdoor.TDSS will embed itself into the registry in order to open up an unsecured backdoor in your system. This backdoor can be exploited by a hacker to give clear, unfettered access to your PC and any data stored on it. This threat runs in stealth mode, therefore remaining undetected by the user while performing its malicious acts. This threat is commonly associated with rogue antispyware products, such as Antivirus 2009. Backdoor.TDSS is considered a high-level threat and should be removed from your system immediately.

More info on TDSS: exterminate-it

How I did it… Backdoor.TDSS removal:

UPDATE, MAY 2011

This article was originally published in the spring of 2010. Since then antivirus developer Kaspersky has improved their tool and The Kaspersky TDSS removal tool is all you need to remove this virus now. The below steps are no longer actually required for the removal of TDSS.

How to do it BEFORE Kaspersky TDSS worked (pre 2011)

Step 1: Run OTL (You can download it here, or here.)

Run a custom fix with the following code pasted in: (Between the asterisks)

********************************************************

:OTL
O4 – HKLM..\Run: [NWEReboot] File not found

:Files
C:\Windows\System32\pb.sys
C:\Windows\System32\drivers\atapi.sys|C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_7de13c21\atapi.sys /replace

:Commands
[purity]
[emptytemp]
[EMPTYFLASH]
[Reboot]

********************************************************

Step 2: Download Combofix (Download here or here).
Rename the executable, to something else (like combo-fix.exe)
Run combofix
! Note, make sure you disable all your anti-virus before doing this.
Combofix is a powerful tool, and has unpredictable results when used in the wrong circumstances.
Best way to disable anti-virus is by disabling their associated services.

Step 3: Update malwarebytes and run a quick scan.

Step 4: Download tdsskiller.exe
Run it. This program may or may not be able to deal with the TDSS variant you’re tackling. It doesn’t matter anymore, by this point we should have eradicated it.
The point of running this is to see if it can find the backdoor or not. If this comes up clean, you’re all good!

Enjoy your computer.

By the way the SVCHOST issue was resolved by installed Windows Update Agent fresh. I had to use process explorer (with admin privileges) to kill the SVCHOST process while I installed this. After rebooting everything worked great.