VideoHelp Forum




  1. Ai Haibara (VH Wanderer)
    Well, apparently our main (family) system, a Vista tower, has just picked up a TDSS (rootkit) infection. I know it's there, has most of the symptoms I've already experienced (had to help a relative clear her XP system of it a couple of months ago, took me a while and almost made me want to swear off using computers altogether, until I finally saw a suggestion on the net during searches that said to try the last free version of AVG Anti-Rootkit. That worked, and the system's still TDSS-free today.), including attempts to keep certain processes (mostly anti-malware) from running, attempts to keep you from accessing certain anti-malware sites, interfering with Safe Mode and System Restore, etc. At least THIS version isn't keeping me from accessing USB-connected devices... yet.

    Problem is, I don't think AVG Anti-Rootkit works under Vista - and hasn't detected a thing, anyway. Does anyone have any suggestions for anything else that would work? Don't any of the anti-virus companies like Symantec have a removal tool for it, more or less?

    Many of the directions I've seen on the net mention disabling TDSSserv.sys, the driver that apparently does all of the above, keeps it hidden, and replaces components if they've been deleted/removed. That driver name didn't exist on the XP tower, and doesn't seem to exist on the Vista tower - but then, you'd have to expect that. They don't want the thing to be removed, after all. I've disconnected the system from the net and the network.
    If cameras add ten pounds, why would people want to eat them?
  2. Have you tried this scanner?

    http://www.gmer.net/
  3. freebird73717 (Man of Steel)
    Do you have a spare PC that is known clean? I've seen PCs that were so infected with bugs that they wouldn't even boot. For those tough ones, what I found worked best was to pull the hard drive from the infected PC and place it into a clean, fully updated and protected PC, then run my A/V scans from that PC and clean the infected hard drive.

    Edit:
    As long as you don't click any file on the infected drive while it's in your good PC, you will be safe. Since this drive is not running an active OS, the virus/malware will not be active.

    Edit again:
    After cleaning the hard drive with the good PC, you still need to re-run your A/V software after placing your hard drive back into its original tower, just to make sure that everything is clean.
    Donadagohvi (Cherokee for "Until we meet again")
  4. Ai Haibara (VH Wanderer)
    Well, I'll try anything. I probably AM coming close, again, to just not wanting anything to do with computers for a long, long time. Still don't know how I managed to be roped into maintaining everyone's systems, all these years... (bleah)

    minidv2dvd: I tried it, but it didn't detect anything. Messing around with the Scan feature (active processes/files/?) let me stumble upon the filename of the (hidden) device driver, but that's about it. It may have contributed to a BSOD while I was experimenting with the Scan feature on a second (slightly later) run-through.

    freebird73717: Unfortunately, most of our other active systems are older, and don't have the drive connections I'd need to do that. The only other possibility, an XP tower, I'm not completely sure it's 100 percent clean.

    I do have some Linux LiveCDs, but I couldn't use those to delete the hidden files (including the .sys driver), as I keep seeing reports that doing that against an NTFS drive isn't really a good idea.
  5. Originally Posted by Ai Haibara
    I do have some Linux LiveCDs, but I couldn't use those to delete the hidden files (including the .sys driver), as I keep seeing reports that doing that against an NTFS drive isn't really a good idea.
    Modern Linux LiveCDs have no problems with NTFS. If you're not sure, just rename the driver -- you can rename it back later if there is a problem. Or boot into Windows' safe mode and rename or delete the file. Or boot a Windows install CD/DVD and elect to use the console to fix the system -- then rename/delete the file. A good rootkit will have another copy of the driver and restore it, though.
  6. freebird73717 (Man of Steel)
    Originally Posted by Ai Haibara
    I do have some Linux LiveCDs, but I couldn't use those to delete the hidden files (including the .sys driver), as I keep seeing reports that doing that against an NTFS drive isn't really a good idea.
    That used to be true, but the latest live CD versions of Ubuntu from 8.04 on can read, write, and delete files on NTFS just fine. I'm sure there are other distros that can do the same; Ubuntu is just the one I always recommend.

    Edit:
    Looks like jagabo beat me to it.
  7. wtsinnc (Member)
    Don't have any idea if this will help; I found this thread in the Malwarebytes forums archives.
    http://www.malwarebytes.org/forums/index.php?showtopic=7194
    THREADKILLER !
    References on File.
  8. Member
    Originally Posted by Ai Haibara
    Well, I'll try anything. I probably AM coming close, again, to just not wanting anything to do with computers for a long, long time. Still don't know how I managed to be roped into maintaining everyone's systems, all these years... (bleah)

    minidv2dvd: I tried it, but it didn't detect anything. Messing around with the Scan feature (active processes/files/?) let me stumble upon the filename of the (hidden) device driver, but that's about it. It may have contributed to a BSOD while I was experimenting with the Scan feature on a second (slightly later) run-through.

    freebird73717: Unfortunately, most of our other active systems are older, and don't have the drive connections I'd need to do that. The only other possibility, an XP tower, I'm not completely sure it's 100 percent clean.

    I do have some Linux LiveCDs, but I couldn't use those to delete the hidden files (including the .sys driver), as I keep seeing reports that doing that against an NTFS drive isn't really a good idea.
    How about a fresh install before kissing PCs goodbye??

    ocgw

    peace
    i7 2700K @ 4.4Ghz 16GB DDR3 1600 Samsung Pro 840 128GB Seagate 2TB HDD EVGA GTX 650
    https://forum.videohelp.com/topic368691.html
  9. I wrote a FAQ entry for ImgBurn that should help you get rid of this.

    http://forum.imgburn.com/index.php?showtopic=10650
  10. Ai Haibara (VH Wanderer)
    Bleah. I've tried a handful of anti-rootkit programs that were supposedly compatible with Vista, including GMER, Blacklight and RootRepeal (thanks, LIGHTNING UK!), but none of them detect it. So, one of three things is happening: they're not completely compatible with Vista (not really likely), this is a new variant of the rootkit, doing even more to hide itself from every possible program (probably), or... I'm doing something wrong (perhaps -_-).

    jagabo, freebird73717: Downloading Ubuntu now (9.04, I think). Unfortunately, this particular rootkit also integrates itself into Safe Mode, so you can't do anything against it from there. Our systems have been pretty much OEM since WinME, so the only install discs we have around are for 95 and 98.

    So, I can definitely boot from the Ubuntu CD as a LiveCD, without installing, browse the system drive, looking at certain directories by date, and just delete the files? (I read a post somewhere, a while back, from someone who apparently had luck doing that - the rootkit files all had a recent date. Anything in /windows/system32, and /windows/system32/drivers with a recent date AND random letter filenames could be suspect...
    (okay, include /windows/, root, appdata and program data in there, too, along with a number of other directories... bleah.)

    Did they remove the console from Vista? I believe I could boot to it in XP without an install disc, but...

    wtsinnc: Thanks, but that link also mentions the Device Manager method of disabling the rootkit driver, which doesn't seem to work, anymore... unless it's just using a different name, and I can figure out which one it is.

    ocgw: ...no. I'd prefer to avoid a reformat and reinstall unless it's absolutely, completely necessary. If I could easily (coughcough) remove it from XP, it SHOULD be easy (coughcoughcough) to remove it from Vista.
    Well, that and I ended up doing it way too many times with 98, that I dread ever doing it again. And there's way too much stuff from all the family members on the HD... and I dread having to re-enter all the configuration information, Internet server information, reinstall all the programs I use... :P

    LIGHTNING UK!: Thanks! This one doesn't seem to be the version that pops up the 'Secrets' error - I had to deal with that one on the other XP system I mentioned. This one hasn't blocked me from using USB drives, but I haven't tried opening ImgBurn or creating any blank discs, yet.
    I'm not sure whether or not RootRepeal found the rootkit, on the Files scan - it seemed to flash past the directories I know contain files from the rootkit, without adding anything to the list (but I'm not sure; the program was maximized and the list had already filled the window with entries (API-locked files, though).) Unfortunately, after it had been going quite a while and was still scanning, a 'blank' error box popped up on the screen, followed by another when I closed that, then the entire program closed.
    Scanning in the other tabs didn't find components of the rootkit, as far as I can tell.
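As an added example (not written by anyone in this thread), here is the offline triage Ai Haibara describes above, done from a Linux LiveCD with the infected volume mounted: it lists drivers that are missing from an allowlist taken from a known-clean PC of the same Windows build (the approach freebird73717 suggests) or that were modified recently, and it renames or deletes nothing. The Windows\System32\drivers layout, the 30-day window and the random-name regex are assumptions; the sample trees it builds are constructed and contain no real drivers.

```python
import os
import re
import tempfile
import time

# Assumed layout under the mounted volume (ntfs-3g paths are case-sensitive; match your mount).
DRIVER_SUBDIR = os.path.join("Windows", "System32", "drivers")
# Hypothetical heuristic for the "random letter" driver names mentioned in the thread.
RANDOM_NAME = re.compile(r"^[a-z]{6,12}\.sys$")

def driver_names(mount_root):
    """Lower-cased .sys names on a volume, e.g. the known-clean PC used as a reference."""
    drivers = os.path.join(mount_root, DRIVER_SUBDIR)
    return {n.lower() for n in os.listdir(drivers) if n.lower().endswith(".sys")}

def triage_drivers(mount_root, allowlist, max_age_days=30, now=None):
    """Report drivers unknown to the clean allowlist or modified recently; changes nothing."""
    cutoff = (time.time() if now is None else now) - max_age_days * 86400
    drivers = os.path.join(mount_root, DRIVER_SUBDIR)
    suspects = []
    for name in sorted(os.listdir(drivers)):
        path, lname = os.path.join(drivers, name), name.lower()
        if not os.path.isfile(path) or not lname.endswith(".sys"):
            continue
        reasons = []
        if lname not in allowlist:
            reasons.append("not on clean allowlist")
            if RANDOM_NAME.match(lname):
                reasons.append("random-looking name")
        if os.path.getmtime(path) >= cutoff:  # replaced components show up here too
            reasons.append("modified in last %d days" % max_age_days)
        if reasons:
            suspects.append({"name": name, "reasons": reasons})
    return suspects

def make_constructed_sample(now=1_700_000_000):
    """Constructed clean/infected trees with fake bytes (not real drivers) for a dry run."""
    base = tempfile.mkdtemp()
    trees = {"clean": {"ntfs.sys": 400, "tcpip.sys": 400},
             "infected": {"ntfs.sys": 400, "tcpip.sys": 1, "hjgkwqzp.sys": 1}}
    for kind, files in trees.items():  # values are file ages in days
        drivers = os.path.join(base, kind, DRIVER_SUBDIR)
        os.makedirs(drivers)
        for name, age_days in files.items():
            path = os.path.join(drivers, name)
            with open(path, "wb") as f:
                f.write(b"constructed bytes for " + name.encode())
            os.utime(path, (now - age_days * 86400,) * 2)
    return os.path.join(base, "clean"), os.path.join(base, "infected"), now
```

On a real mount, pass the mount points of the clean and infected volumes in place of the constructed trees and compare any flagged file against its copy on the clean system before touching it.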
  11. Try the free version of Avast A/V. It might not be TDSS.
  12. Ai Haibara (VH Wanderer)
    Well, Spybot picked up parts of it, classifying it as TDSS.rtk, and it behaves with most of the same symptoms I saw with the previous infection (with the exception of not giving that stupid 'secrets' error and denying use of USB drives and blank discs), and the entries SSD showed matched what I'd previously seen, too.
  13. Even if it is TDSS, Avast Free should be able to remove it. Takes a couple of reboots.
  14. Ai Haibara (VH Wanderer)
    I don't know... I'm a bit skeptical, especially since at this point, all the anti-rootkit programs seem to be unable to see it, but like I said, I'll give anything a try.
    (...if I can find a USB drive with 40MB free that I won't mind risking getting infected, I guess. I don't think it will, but I'm just being ~~paranoid~~ cautious. I've been using a spare 32MB drive that has a write-protect switch on it.)
  15. I realize you are skeptical and prefer not to do a format, but that is just about the only way to get rid of a rootkit, because it hides on the OS level and hides as system files.

    Anything short of a format would be a waste of time.
    Believing yourself to be secure only takes one cracker to dispel your belief.
  16. Member
    Combofix worked well for me the last time I got a virus. Used in combination with Malwarebytes, it found everything. It does make some changes to your system, though.

    Lots of info on it here:

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix
  17. Ai Haibara (VH Wanderer)
    Dv8ted2: Yeah, I know the risks, and that the best method of eradicating the things is to reformat or do a factory restore (I wouldn't be surprised if anything comes along that could compromise an OEM restore partition, though...) But, it is possible to remove them if you're careful, thorough, and have the right tools - or also scan the HD from outside the version of Windows running on it.

    We ended up buying a new system as well, so repairing the infected system isn't as urgent at the moment, but I'm still working on it. I'll probably get around to throwing an anti-virus Rescue CD at it sooner or later.
  18. Keep in mind that you may think you've cleaned it and it is hiding, waiting for credit card or bank login info....

    Safest way: zero out the drive and restore from the original CDs.

    Since it isn't urgent I will suggest you sign up with http://www.bleepingcomputer.com/ and then either http://www.bleepingcomputer.com/forums/forum103.html or http://www.bleepingcomputer.com/forums/forum22.html

    Read the Readme & FAQs

    They'll help you get clean safely. It won't be instant, but it should work.

    BTW I have seen factory restore partitions that were infected and reinstalled the infection while at work.