I was recently hired to repair a computer, and soon after booting it up at home I discovered it had some serious issues. (Please note this article was written in the spring of 2010; since then there have been developments from Kaspersky that make the removal of this rootkit easier, see the update below.) Google searches were redirected to all sorts of locations, but never where you really wanted to go. The computer was severely slow, and there were other noticeable security issues that signified some serious malware. An initial scan with Malwarebytes revealed 48 malware issues that were easily resolved. Further scanning with AVG, F-Secure, and Trend Micro couldn’t find anything… but there was still something up. The redirect issue was not resolved, and the computer really only functioned well in safe mode. This was a Vista system that also seemed to be suffering from the all too common SVCHOST issue that ate up the CPU, and automatic updates did not work at all. The owner had never updated their OS, so this copy of Vista didn’t even have SP1 installed. I ran HijackThis and OTL to generate some logs and take a glimpse at what was really going on. Eventually I ran a scan with Dr. Web CureIt and it was able to find the TDSS rootkit in memory. It claimed to have eradicated the memory process, but because it didn’t deal with the actual files it didn’t deal with the backdoor. Further research identified that Kaspersky had released a tool, TDSSKiller.exe, to deal with this parasite. I ran this program, but it was unsuccessful. It did identify that the backdoor was there, and claimed to have eliminated it, but upon reboot… no dice. It seemed this was a new variant of TDSS, one that Kaspersky hadn’t caught up with yet.
What is the backdoor TDSS rootkit?
Backdoor.TDSS is a malicious parasite that is commonly downloaded and installed onto your computer through security holes. Once inside your machine, Backdoor.TDSS will embed itself into the registry in order to open up an unsecured backdoor in your system. This backdoor can be exploited by a hacker to give clear, unfettered access to your PC and any data stored on it. This threat runs in stealth mode, therefore remaining undetected by the user while performing its malicious acts. This threat is commonly associated with rogue antispyware products, such as Antivirus 2009. Backdoor.TDSS is considered a high-level threat and should be removed from your system immediately.
More info on TDSS: exterminate-it
How I did it… Backdoor.TDSS removal:
UPDATE, MAY 2011
This article was originally published in the spring of 2010. Since then antivirus developer Kaspersky has improved their tool and The Kaspersky TDSS removal tool is all you need to remove this virus now. The below steps are no longer actually required for the removal of TDSS.
How to do it BEFORE the Kaspersky TDSS tool worked (pre-2011)
Step 1: Run OTL (You can download it here, or here.)
Run a custom fix with the following script pasted in (the text between the asterisks):
********************************************************
:OTL
O4 - HKLM..\Run: [NWEReboot] File not found
:Files
C:\Windows\System32\pb.sys
C:\Windows\System32\drivers\atapi.sys|C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_7de13c21\atapi.sys /replace
:Commands
[purity]
[emptytemp]
[EMPTYFLASH]
[Reboot]
********************************************************
Step 2: Download Combofix (Download here or here).
Rename the executable to something else (like combo-fix.exe).
Run Combofix.
Note: make sure you disable all your anti-virus software before doing this.
Combofix is a powerful tool, and has unpredictable results when used in the wrong circumstances.
The best way to disable anti-virus software is to disable its associated services.
Step 3: Update Malwarebytes and run a quick scan.
Step 4: Download tdsskiller.exe
Run it. This program may or may not be able to deal with the TDSS variant you’re tackling. It doesn’t matter any more; by this point we should have eradicated it.
The point of running this is to see whether it can still find the backdoor. If this comes up clean, you’re all good!
Enjoy your computer.
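The custom fix above restores atapi.sys from its DriverStore copy, but as the comments below point out, other variants patch a different driver. The following is an added check, not part of the original post or of OTL, Combofix or TDSSKiller: it compares every live driver in System32\drivers against the pristine copies in the DriverStore and checks Authenticode signatures, so a patched driver stands out as a hash mismatch. It assumes the DriverStore copies are intact, an Administrator PowerShell 2.0 or later console, and a clean boot (safe mode or the recovery environment), since an active kernel rootkit can serve clean file contents to user-mode reads.

```powershell
# Added example (not from the original post). Finds drivers whose on-disk contents
# differ from every DriverStore copy of the same name, or whose signature fails.
# Assumption: the DriverStore copies under FileRepository are untouched.
$DriverDir = Join-Path $env:SystemRoot 'System32\drivers'
$StoreDir  = Join-Path $env:SystemRoot 'System32\DriverStore\FileRepository'

function Get-Sha256Hex([string]$Path) {
    # .NET hashing so this also runs on PowerShell 2.0 (Vista-era systems lack Get-FileHash)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try   { ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $fs.Close(); $sha.Dispose() }
}

# Index every .sys in the DriverStore by file name; one name can live in several inf_* folders
$store = @{}
Get-ChildItem -Path $StoreDir -Recurse -Filter '*.sys' -ErrorAction SilentlyContinue |
    ForEach-Object { $store[$_.Name.ToLower()] += @($_.FullName) }

$findings = foreach ($drv in Get-ChildItem -Path $DriverDir -Filter '*.sys') {
    $liveHash = Get-Sha256Hex $drv.FullName
    $sig      = Get-AuthenticodeSignature -FilePath $drv.FullName
    $copies   = $store[$drv.Name.ToLower()]
    $reasons  = @()
    # Catalog-signed drivers can report NotSigned on older Windows, so treat the
    # hash mismatch below as the stronger signal and the signature as supporting evidence
    if ($sig.Status -ne 'Valid') { $reasons += "signature $($sig.Status)" }
    if ($copies) {
        $storeHashes = $copies | ForEach-Object { Get-Sha256Hex $_ }
        if ($storeHashes -notcontains $liveHash) {
            $reasons += 'hash differs from every DriverStore copy'
        }
    }
    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            Driver    = $drv.Name
            Issue     = ($reasons -join '; ')
            StoreCopy = ($copies -join ', ')
        }
    }
}

$findings | Format-Table -AutoSize
```

A driver that is both unsigned and differs from its DriverStore copy is the one to replace in the OTL fix (the article's atapi.sys line, with the matching FileRepository path for that machine); drivers with no DriverStore counterpart are reported on signature alone.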
By the way, the SVCHOST issue was resolved by installing the Windows Update Agent fresh. I had to use Process Explorer (with admin privileges) to kill the SVCHOST process while I installed this. After rebooting everything worked great.
43 comments
Daniel Snyder says:
May 27, 2010
I’ve now used this fix effectively twice on separate machines. Interestingly enough they were both running vista. Anyone deal with this on XP or 7?
Paul Seal says:
May 29, 2010
this post is very useful thx!
Daniel Snyder says:
May 29, 2010
Seems like this post is getting a lot of hits, hope it is helping people. If you are using this fix effectively, let us know with a comment. thanx
Daniel Snyder says:
May 31, 2010
tdsskiller on its own seems often ineffective as the TDSS family mutates quickly (being updated by their developers I suppose).
Rift says:
Jun 6, 2010
This solution worked perfectly on my XP (Home) system!
I picked up TDSS 565 with the unwanted hijacking invasion of Antivirus 2009 (can’t somebody stop those bastards?).
None of the standard commercial antivirus programs could remove it completely (Dr Web at least detected it–but as mentioned, removal was only of the process, not the files).
Thanks so much for posting this effective method! Hope others plagued by this find their way to your article.
Daniel Snyder says:
Jun 7, 2010
Awesome to hear. Thanks for the comment. Antivirus 2009 as mentioned by Rift is a Rogue Security Product! Dangerous stuff, search ‘rogue’ on this site to find related information.
Codypeak says:
Jun 11, 2010
The atapi.sys replace only works if that's the driver being used on that system for the hard disk controller. Not all machines use atapi.sys.
Some newer variants only infect the hard disk controller in memory, and actually infect a randomly selected driver.
Posting what amounts to a blind fix, while it worked for you, is not the best advice.
danielsnyder says:
Jun 11, 2010
Cody, totally valid point and you're right, this was a custom fix analyzed for the particular machine in question. My research into tdss is likely limited and I didn't realize other variants were affecting machines that weren't using atapi.sys. If you have additional info please submit, or I'd even like a guest post if you could write an article on this. Thanks
Daniel
Zolex PC says:
Jul 7, 2010
I have seen this infection many times as well. I usually use Combofix, with a dose of Malware Bytes. Spybot as well to finish things up. Steve http://www.zolexpc.com
danielsnyder says:
Jul 8, 2010
Zolex, thanx for commenting, and your input.
Zolex PC says:
Jul 9, 2010
I have seen TDSS numerous times on XP.
Inds_flames says:
Jul 12, 2010
Thank you so much for this help. I had a similarly infected pc from a friend and spent a good week (on & off) trying to get rid of that rootkit. Your instructions were perfectly clear and worked on the 1st try.
danielsnyder says:
Jul 18, 2010
Great, thanks for your comment! Much appreciated.
danielsnyder says:
Jul 18, 2010
Interesting… that miserable rootkit!
danielsnyder says:
Aug 9, 2010
I'm amazed how much traffic this post continues to get. Please if you are finding this article helpful, let us know with a comment or a thumbs up (above). Thanks!
Aeternus says:
Dec 7, 2010
My friend got hit with an antivirus 2009 infection and this infection, and I got a similar combo recently, so it’s safe to say they are connected somehow. My friend got rid of the rogue program quickly but the tdss infection led to a reformat. As for me, I killed the rogue antivirus program with a manual delete and discovered the redirecting issue from the tdss recently. We were both running Windows XP Service Pack 3.
I followed the steps according to what you said and most of them worked for me. In the custom otl fix I replaced the name of the driver you put with the name of the driver that was infected on mine (found by running the tdss killer as another source recommended). Everything went smoothly except the tdsskiller keeps causing a bsod and restart on my computer before and after the fix, but I have had bad experience with Kaspersky software before so wouldn’t exactly recommend that step. All the other steps seem to have worked. The problem has vanished. I would prefer to know where it hides so I could do manual checks/deletes but I’ll only pursue that if this didn’t work for some reason. I’m doing followup scans now. Thank you.
Daniel Snyder says:
Dec 7, 2010
Glad the post was of some help. I realize it is kind of a blind fix, and am glad you were able to identify the driver that was infected on your system. All clear now?
Aeternus says:
Dec 11, 2010
Yes, Everything is now clear. 🙂
Aaron says:
Feb 2, 2011
Great post! After hours of working on trying to rid my system of this TDSS, your post finally gave me the solution. I’m glad Symantec was able to stop the download of a toolkit, but I surely wish it could have provided more help in deleting the infection. It ended up being in my isapnp.sys driver, discovered thanks to you.
Thanks again for your help.
Daniel Snyder says:
Feb 3, 2011
Glad this helped Aaron! This is one of my oldest articles on the blog here, yet still gets a lot of views and is helping a lot of people. Always nice to get positive feedback! Thanks.
Jakub Kaplan says:
Feb 6, 2011
Great post, helped me resolve my problem. Thanks a lot for the post.
I had already run TDSSKiller which got rid of the main root, but still had Google redirect remnants. Then I found this post, tried ComboFix and that seems to have cleaned up the rest (so far).
Uff. I should probably get my Windows Update fixed, so I can receive updates again.
Thanks again for great post.
Jakub
Daniel Snyder says:
Feb 7, 2011
Glad to help. It’s amazing to me that TDSS is still making its rounds and wreaking havoc. Yeah the update problem is critical… sounds like a Vista system?
Jakub Kaplan says:
Feb 7, 2011
Indeed… A Vista system. 🙂
LabRatNo9 says:
Mar 9, 2011
Hi
Thanks for posting the resolve of this nasty problem.
I had it on my Win7…
The TDSSKiller.exe did it for me.
I followed all your steps except Combofix.
This app crashed my computer each time i tried to use it.
( perhaps it’s not intended for win7 )
again thanks for helping.
Marc.
Frodis says:
Mar 16, 2011
Your advice was the only thing that worked for me. Thanks! However, I still can’t use Windows Update properly. I’m running Vista with no service packs. The update will never d/l and stays at 0%. If I manually d/l the service pack, it won’t finish installing and just hangs with the initial progress meter at about 50%. I can’t figure out how to get this part working. DrWeb no longer finds anything and neither does tdsskiller. Another thought; was Malwarebytes supposed to find anything during the process? Mine didn’t.
Daniel Snyder says:
Mar 17, 2011
Hey Frodis, glad it was able to help (at least somewhat). I vaguely remember the exact same problem you are having, but since I no longer have a vista system in front of me I can’t quite remember the fix. I do recall that it had something to do with re-installing the actual windows updater software. (So instead of trying to update, first you need to re-install the software that does the update). Sorry I can’t be more precise, the fix is vague for me.
Jakub Kaplan says:
Mar 27, 2011
Good idea. I’ve searched on it and it seems there is a tool called CheckSUR from MS that attempts to fix Windows Update.
Might be good for anyone having the probs to give it a go, which is what I am doing ATM.
Daniel Snyder says:
Mar 28, 2011
Thanks. Let us know how CheckSUR works for you.
Jakub Kaplan says:
Mar 28, 2011
Didn’t work. Oh dear. The thing with this is, if I give an hour to try to fix this like I did yesterday and it doesn’t work out, then I spend an hour and have nearly nothing to show for it. 🙁
Daniel Snyder says:
Mar 28, 2011
You can’t stop trying Jakub. It’s never a waste of time! Even if you fail, you’ve learned something. Of course that’s easy for me to say, my computer isn’t going to crap right now. 😉 good luck!
Art says:
Apr 29, 2011
Seemed to work, but then OTL.exe showed up as a Trojan. Huh?????????
Daniel Snyder says:
Apr 29, 2011
What is telling you it is a trojan? My advice would be to disable your AV while running this step in the process. It may help to disable your internet connection at the same time, then try running OTL.
Art says:
Apr 30, 2011
Tried that, but when I tried running a couple other malware and anti-virus scans, OTL came up as a Trojan. Not trying to be obstinate, but I really don’t know.
Thanks
Daniel Snyder says:
May 1, 2011
The reason OTL would come up as a trojan with other scanners is simply the nature of the software. It is the type of software that most ‘average’ users would not be traditionally using for any legitimate purpose. Detecting its purpose as a trojan does not make it a threat, but rather identifies signatures within the program that are similar to that of malicious software. You have nothing to worry about.
Kevin says:
May 12, 2011
I oddly ran into a Backdoor.TDSS.565 that Antimalware, cureit, AND combofix (my staple) could not fix…but TDSSKiller did.
I actually fully expected it to fail after it returned after 5 or so combofix runs.
Scott says:
May 19, 2011
This little bugger of a virus has sucked up a few hours of my time on several systems.
I know you started this thread over a year ago so I just wanted to give you an update. The Kaspersky TDSS removal tool is all you need to remove this virus now. You don’t have to go through all the other steps.
Technology moves on….
Aloha
Daniel Snyder says:
May 20, 2011
Scott, thanks for the update. Things certainly do change. I haven’t glanced at this article in a LONG time, so it’s good to know someone is keeping up with it! 🙂