Rootkit: TDSS****.sys Sucks worse than a 2 dollar whore. Remove it!

October 29, 2008

Well, I’ve been in rootkit hell today with this stupid nasty-ass virus/malware. It’s been a bitch to get rid of, but I’ve finally knocked it out of the park with the help of a few good apps.

Here’s a list of what I used to help me get rid of this sucker.

TCPView: Great app. Usually this one app alone will let you know if you’ve got some suspicious connections happening. If you see things that shouldn’t be there, you are usually infected.

Autoruns: Probably the best app you can use to find out what’s starting up at boot time, and it will let you disable or delete a startup entry. Most malware and viruses live in fear of this program and won’t even let it run unless you rename it to something else. If you install this and it doesn’t run, you have an infection.

Ultimate Boot CD for Windows: Yeah, if Samuel L. Jackson was a CD this would be him. This is probably the best thing you can use to help you get rid of a ROOTKIT! Because much like Samuel L. Jackson is tired of these mother fucking snakes on this mother fucking plane, ROOTKITS can’t hide from the UBCD4WIN! They become visible files that you can just delete from your system. And when I say delete, I mean pimp slap the shit out of them.

Originally I got that lame-ass malware that lives in your system tray trying to get you to buy that infection cleaner, aka beep.sys. I thought I had gotten rid of this particular nasty problem when I ran some of the different online virus scanners. Boy was I wrong. After a day or two I got hit with a BSOD: Stop: c0000218 unknown hard error. Boy did this frost my ass. I was able to get into safe mode and spent most of the day running scans, chkdsk, fixboot and a whole mess of other crap that didn’t work at all. And to top it off, some process was running that I could not find that was hijacking my Google search results. So after a little digging I finally came to the realization that it was a rootkit.

In comes UBCD4WIN. The beauty here is that UBCD4WIN has its own shell and pretty much boots off of the CD. This has the pleasant effect of bypassing the rootkit and letting you see things that you wouldn’t normally see. Finally I was able to see the file tdSSpqxt.sys along with like 20 other tdss****.sys files floating around in my system32 folder. I was finally able to delete them and get my system back into something other than safe mode.


I’d like to give an honorable mention to the Bleeping Computer Forums. The guys on there are pretty knowledgeable and I was able to glean some useful information from their site from other users that are having the same issue I had. The recommendation of Malwarebytes was very useful. They also recommend the program ComboFix; I didn’t use this program, but they do recommend it, so I imagine that it gets the job done. And I’d also recommend going to Bleeping Computer Forums for help with an infection.

If you find this post useful, make a donation. I know that over 1,000 visitors a month come to view this post. So help a brother out.

12 Responses to “Rootkit: TDSS****.sys Sucks worse than a 2 dollar whore. Remove it!”

  1. grey580 on October 30th, 2008 9:36 pm

    If anyone needs help removing this crappy virus post here and let me know.

  2. grey580 on November 3rd, 2008 8:34 am

    BTW if you get this lame rootkit, don’t even bother with any scans like Spybot or online virus scans. You won’t remove the rootkit.
    Use the Ultimate Boot Disk for Windows. The CD has those utilities built into it, plus an antivirus program on the CD. Run everything from the boot disk and you’ll be able to clean out your infection.
    :)

  3. rootkitguy06 on November 17th, 2008 8:23 am

    I recently (last night, 11/16/2008) got hit with some variant of the TDSS rootkit, and you’re not joking, this sucker is a bitch. I’m usually pretty competent about this kind of thing and have rarely ever even had an attack on my system. But with this thing, I don’t even know where to begin. I looked at the build instructions for the Ultimate Boot CD, and am a little confused: can I do all those steps on an infected machine? (I’m writing this message on a buddy’s comp.) Any help would be greatly appreciated.

  4. grey580 on November 17th, 2008 9:36 am

    Dude, I would say to do it on a different machine. You don’t want to screw up anything. That CD will help you get your machine back into working order.

    Last week I helped a friend get back into his girlfriend’s laptop. He had deleted the userinit.exe entry from his registry. The computer would boot partially into Windows but would log him off immediately. With the Ultimate Boot Disk we were able to enter into the registry and put back in the userinit.exe entry.

    Be safe and do it on a different computer.

  5. grey580 on December 2nd, 2008 10:13 am

    I just ran again into another computer that had this POS rootkit installed on it.
    FYI the TDSS files all seem to be installed with a date or time that is hours ahead of the system clock. At least that’s how the files looked on the machine I checked. It was easy to then track down the TDSS files by sorting by last date modified and looking at the latest files. Also the latest modified folders have TDSS files in them. So it’s important to look at the latest modified folders because they will have the TDSS rootkit files in there.

  6. creanium on December 2nd, 2008 11:48 am

    So what did you end up doing to get rid of this stupid rootkit?

    I’ve got a computer that has TDSS on it, and I’ve booted into UBCD4W. Do I just have to manually find all files and folders affected by TDSS, or are there more automated fixes available while I’m here in UBCD4W?

    Thanks for the help!

  7. grey580 on December 3rd, 2008 8:14 am

    Unfortunately I had to go in and manually delete the files.

    You just need to have some patience and look at your newest files one by one. Unfortunately there is no easy way to fix this. But at least it’s fixable. Luckily enough the rootkit seems to live mostly in the system32 folder of your Windows directory.

  8. whatttup_G on February 18th, 2009 12:48 pm

    lmfao… possibly the best one-page post in the history of the innerwebs… fucking rootkits can eat my ass as well, I agree

    I chased my problems around for a week before I got bored and fdisk’ed the little fucks into oblivion, but I too found bleepingcomputer a massive value in my amateur hacking efforts… those dudes know their shit hands down… serious business all the way… anyhow I never did track every piece of my bugs down, too many to count at one point, then towards the end the root bastard kept regenerating and spawning faster than I could chase it… so while it was able to cruise around my box, it wasn’t able to hide once I knew where to look, and clicking the power on the modem was the ultimate ownage… that was only thanks to the help and posts of others who had also been bastardized by this shit… eventually I was at a point where I could sit there guns drawn, then enable my NIC, then flip on the internet and watch the vermin crawl out of their holes trying to respawn or steal my visa or whatever the fuck they were after… it was pretty fun towards the end, I could click the net on for 5 sec, see where the roaches came from, then start shooting… I believe I was stopped short of a full win because my userinit.exe was infected and beyond repair

    anyways I had to chime in on a few levels… to you a killer post, nice of you to put this online where others can find it like me, I love the massive flavor you dealt out in short order, classic shit dude… apps like Ad-Aware and Spybot are piles of shit and worthless in a fight with anything worthwhile, a waste of download and honestly I think Ad-Aware was one of my first infections, but I digress…. MBAM from Malwarebytes is seriously good, as is the avast a/v suite, both free and both worth paying for, I’m considering buying pro versions of both as we speak… but the utilities I now have, wow, the thumbdrive from hell is now assembled and is deadly in its ability, so because of this killer post and my hatred for the fucking homo spam twats of the world, here are the keys to fighting back, hope it helps someone out…

    http://www.bleepingcomputer.com – go here for web help, read the rules and put your request in line nicely and be patient, there are jedi there that will help you for free if you can wait for them to get to you… during outbreaks like now, they are slammed with requests, something you can gather on your own by noticing the amounts of threads, view counts and ages of posts etc…

    hijackthis – http://www.hijackthis.de – one of the best freebies on the web… gives you a tool to see what is running, what is starting, generates log files you can save and post and send out for help… this should be your first step in scanning your box for junk

    process explorer – http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx – amazingly enough, one of several kick ass apps from Microsoft themselves… why this isn’t included in the already overbloated XP I don’t know, probably because the public at large would generally just panic delete shit left and right and cause more harm than good… anyways, this app rocks, shows you what’s running, what DLLs are hooked to what, tons more than I know what to do with… you can open this and watch the bugs crawl around your system, it’s amazing… once you gain the upper hand, you can set the bugs off and create a fourth of july moment as you watch vundo and rootkits spawn all over your shit… this should be your second download, again just to look and see under the hood

    avast a/v – http://www.avast.com – these guys are all about the fight and have a nice all in one suite of tools that, for home/personal users, is fully powered and free from day one, all they want is an email address to mail you a key… this package found a number of bugs all over my system, stuff that the Ad-Awares and Spybots of the world are not remotely equipped for… so skip that junkware and get something real, this stuff works well

    more expert type tools – I’m just going to list the things I have on hand, and warn you that you should not just run the shit out of everything pounding your box into pieces… each sort of has its own place in the world, each should be run with the help of an expert like those that offer assistance at bleeping computer… but the thumbdrive from hell now has: dds.scr, gmer.exe, combo-fix.exe, otviewit.exe, otscanit2.exe, otmoveit3.exe, rootkitrevealer.exe, sdfix.exe, avenger.exe, several apps from sysinternals and the three listed above, tcpview, autoruns and UBCD which I am in total agreement with the poster here… I would rename that app to “bootdisk mother fucker, do you speak it” in tribute to samuel :D

    sorry for the megapost, but all of this is fresh on my mind and honestly I’ve been looking for a place to dump it… ultimately I needed the ultimate virus killer known as fdisk to finally clean my system, but that could have been due to the fact that my box was probably infected for years

  9. minijedimaster on March 5th, 2009 3:18 pm

    I just obliterated this lil biatch the other day. It seems as if it’s mutating in the wild or has been changed a bit. The main file on the machine I was on was UACxxxxxx.sys in the system32/drivers folder. The main thing on this rootkit is that it runs a hidden service based off that one file and you need to figure out what and where that file is. If you use RootkitRevealer from Sysinternals it will show you all the registry entries, which will in turn point you to where the file is at. You can then boot off your UBCD or, like I did, a Windows PE disk and delete the offending file and registry entries, which will make the rootkit useless. At that point you can reboot and actually install your Malwarebytes etc. to clean off the remaining traces. Great post, made me laugh.

  10. grey580 on March 25th, 2009 3:24 pm

    I came across this the other night. UACxxxxxx.sys is a new variation on this lame rootkit.

    I fired up ubcd4win and just removed it from the system. Easy as cake.

  11. gonzoted on May 5th, 2009 11:57 am

    If you are having problems, PLEASE READ!!…..

    Okay, I have to thank the developers of this Combo Fix program and the person “Grey580” who had posted it online, enough in the right places in order for me to find this article and website in the first place.

    This Combo Fix program just seriously saved my computer from death last night. I made a stupid mistake getting some programs downloaded and installed from some torrent sites; although I have some things I really needed, along came the risk of serious infection. AVG did catch it, Spyware Doctor didn’t get all of it, and a list of other measures I took couldn’t stop it.
    In Fact it was so bad Malware Bytes would not, and could not work. I was seriously FUCKED!

    It all started when I realized there was a problem on the search pages – Google and Yahoo. Every time I searched something and clicked on the cached link or the normal headers, my computer was hijacked and taking me to other places that I had no fucking idea how I was getting to, like real estate foreclosure sites, media download, anime porn sites, Hannah Montana tribute sites (WTF) and an endless amount of bogus pop up surveys and cheesy cell phone txt message spam sites.. It was really awful.

    Next, I saw I was having some major errors – “Disk defrag could not start”, System Restore “could not create backup point and needed to be restarted” and my computer wouldn’t let me explore the C:\ drive – giving me a long lengthy failure to write something bullshit error.

    I was seriously in trouble. Every article online that told me how to fix the problems by going into the cmd prompt and doing endless measures wasn’t working. I couldn’t even run scandisk.

    Then I found this link and I learned about the issue with rootkits and how they were fucking up the computers.
    Grey580 was right on the money. So I downloaded the program.

    As expected, this program attacked the problem like a Samuel L Jackson psycho mutherfucker, however, I have to say, it brought another element to the scenario, similar to the deeply menacing intensity that Laurence Fishburne plays, because this program took a LONG LONG time to fix my problems – and it made me really nervous what it was doing. It found a dozen rootkit threats that had apparently mutated. They were mixed in the C:\windows\system32 and drivers folders – disguised as 30-40 letter .sys and .dll files like “gvxyvxckdqwmqbqwucxtiufubxyxublotfomoweloy.sys” and so on.. there were a dozen of these things.

    So I let the program do its thing and it deleted multiple entries of shit it found and when the computer restarted, scandisk worked again and so did System Restore and disk defrag. Now as a matter of fact the computer runs better than it did.

    All I can say is this thing works, and just run it anyway if you have a problem anywhere remotely similar to mine!

    Cheers to everyone! good luck!
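Pulling together the indicators given in the post (tdss****.sys in system32), comment 5 (files stamped hours ahead of the system clock), comment 9 (UACxxxxxx.sys in system32\drivers) and comment 11 (30-40 letter random .sys/.dll names), here is an added triage script that is not from the post or any of the commenters: it walks a folder tree and flags files by those names or by a future modification time, and builds a constructed sample tree (empty placeholder files, not malware) so it runs offline. The one-hour skew threshold and the sample file names other than the ones quoted on the page are assumptions.

```python
import os
import re
import tempfile
import time
from pathlib import Path

# Naming patterns reported on this page: tdss*.sys, UAC*.sys, and long
# random-looking .sys/.dll names (30+ letters) in system32 or system32\drivers.
NAME_PATTERNS = [
    re.compile(r"^tdss\w*\.sys$", re.IGNORECASE),
    re.compile(r"^uac\w*\.sys$", re.IGNORECASE),
    re.compile(r"^[a-z]{30,}\.(sys|dll)$", re.IGNORECASE),
]

def scan_tree(root, now=None, skew_seconds=3600):
    """Return {relative path: reasons} for files under root that match a
    pattern above or whose mtime is more than skew_seconds ahead of the clock."""
    now = time.time() if now is None else now
    hits = {}
    for dirpath, _, files in os.walk(root):
        for fname in files:
            path = Path(dirpath) / fname
            reasons = []
            if any(p.match(fname) for p in NAME_PATTERNS):
                reasons.append("name")
            if path.stat().st_mtime > now + skew_seconds:
                reasons.append("mtime ahead of clock")
            if reasons:
                hits[path.relative_to(root).as_posix()] = reasons
    return hits

def build_sample():
    """Constructed sample tree of empty placeholder files (not malware) laid
    out like system32 and system32\\drivers as the comments describe."""
    root = Path(tempfile.mkdtemp(prefix="triage_"))
    (root / "drivers").mkdir()
    now = time.time()
    samples = {
        "ntdll.dll": now - 86400,                    # benign, old timestamp
        "tdSSpqxt.sys": now + 5 * 3600,              # TDSS name, clock ahead
        "drivers/UACabcdef.sys": now,                # UAC variant name only
        "gvxyvxckdqwmqbqwucxtiufubxyxublotfomoweloy.sys": now,  # long random name
        "drivers/disk.sys": now + 4 * 3600,          # benign name, clock ahead
    }
    for rel, mtime in samples.items():
        path = root / rel
        path.write_bytes(b"\0" * 16)
        os.utime(path, (mtime, mtime))
    return root, now
```

Run it against an offline copy of the system32 folder (for example from the boot CD) and treat the "mtime ahead of clock" hits as leads to confirm rather than proof, since a wrong system clock flags benign files too.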

  12. rozmo on July 12th, 2009 6:09 pm

    FYI this thing drops a file in the Device Manager called TDSSserv.sys under Hidden Devices > Non Plug and Play. If you are lucky you can go in there and stop the device. I wasn’t able to because the fucking rocket scientist who wrote it included shutting that feature off and also write protected its registry entries. I read elsewhere that others were able to disable it in the Device Manager, which virtually cuts the fucking life out of it.

    Regards,
    rozmo

    p fucking s: For anyone who still has it give it a try….

    CP>System>Device Manager>View> Show Hidden Devices>Non Plug and Play>TDSSserv.sys> Right Click> Properties>Drivers>Stop
