Last week, my indiscreet non-techie colleague had yet another virus-attack experience. It should not have been a big deal, as he had an antivirus product installed. However, after a few days of his usual routine, beverages and snacks and tons of unproductive applications running on his laptop, he felt that his laptop had become much slower than usual and also exhibited some strange behaviors. He later asked me to investigate the oddities and work out what was actually going on.
To my surprise, the normal, simple procedure for detecting and removing viruses, trojans, and other malware didn't work this time. The antivirus reported nothing, but the strange behaviors persisted. Still unsatisfied and puzzled, I tried to verify the antivirus' finding by running an online scan, and here the mystery started to unravel.
To make it short, my friend's laptop was infected with the TDSS rootkit. This rootkit is a combination of trojan and adware. First reported by Sophos, this attack has gained notoriety as one of the hot trojan and malware attacks in November.
If you happen to experience the symptoms below, you may infer that you have been infected by the TDSS rootkit:
- Slow browser
Your browser loads pages unusually slowly. Even when the browser is the only application running, it is still slow, which rules out the assumption that the slow loading is caused by insufficient memory.
- Continuous high CPU percentage for System Idle Process
If you press Ctrl-Alt-Del and look at the list of running processes, you will notice that "System Idle Process" consumes most of the CPU cycles, usually more than 90%.
- Denied access to some files and folders
If System Restore is enabled, clicking the "System Volume Information" folder in the root directory of each drive gives the message "Access is Denied". Checking some files in the system32 folder raises the same message.
- Redirection of search engine results and inability to access antivirus and security websites
If you search for a remedy for the infection and type words related to antivirus, like "virus removal", "trojan removal", "TDSS", antivirus vendor names, etc., you will notice that every time you click a link on the results page you are redirected to another search engine, namely bediddle (bediddle.com), or to some other page that differs from the real link.
You are also blocked from accessing antivirus vendors' websites and prevented from running an online scan.
- Antivirus doesn’t work or only seems to work
If you scan with your antivirus, it will say your system is safe. This is not true. Try updating your virus definition database and you will see an error reported by the update engine. Also, if you try to install a new, well-known antivirus, the installation will always fail.
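As an added example, not part of the original post, here is a PowerShell triage script for the "Access is Denied" and hidden-file symptoms above. It assumes it is run from an elevated prompt on the suspect machine; the only page-specific value it uses is the TDSS file name prefix from the post.

```powershell
# Added triage script (not from the original post). Assumes an elevated PowerShell
# session on the suspect machine; the "TDSS" name prefix comes from the post.
$system32 = Join-Path $env:SystemRoot 'System32'

# All files in System32, including hidden and system ones (-Force).
$all = Get-ChildItem -Path $system32 -File -Force -ErrorAction SilentlyContinue

# 1. Files carrying the Hidden attribute (the "files with hidden attributes" part of a scan log).
$hidden = $all | Where-Object { $_.Attributes -band [System.IO.FileAttributes]::Hidden }

# 2. Files whose name starts with TDSS, the prefix of the DLL the post reports (TDSSeoqh.dll).
$suspect = $all | Where-Object { $_.Name -like 'TDSS*' }

# 3. Hidden files that refuse to open even for an administrator ("Access is Denied" symptom).
$denied = foreach ($f in $hidden) {
    try   { $s = [System.IO.File]::OpenRead($f.FullName); $s.Close() }
    catch [System.UnauthorizedAccessException] { $f }
}

"Hidden files in System32: $($hidden.Count)"
$hidden  | Select-Object Name, Length, LastWriteTime | Format-Table -AutoSize
"Files named TDSS*: $($suspect.Count)"
$suspect | Select-Object FullName, Attributes | Format-Table -AutoSize
"Hidden files that deny read access: $($denied.Count)"
$denied  | Select-Object FullName | Format-Table -AutoSize

# Caveat: a kernel-mode rootkit can hide its files from the directory listing APIs
# this script relies on, so an empty result is not a clean bill of health; the
# safe-mode scan described later in the post remains the reliable check.
```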
After some trial and error, I found a solution that actually worked and removed the whole infection. Credit to a thread starter in the BullGuard forum who recommended Malwarebytes and also provided some tricky steps in the removal process. I'd like to recap the process and later add my remarks and some additional info you may need.
The removal process is as follows:
- Download Malwarebytes on an uninfected computer.
- Put the installation file on a USB flash disk and rename it to setup.exe. The rootkit has a dictionary of security product names; this step prevents the rootkit from recognising that the installation file will be used to remove it.
- Turn on or reboot the infected computer in normal mode
- Transfer the file to the infected computer and run the setup file.
Note 1: Change the installation folder to something else, like Malwar or Malware. Also give the program folder in the Start Menu a different name. This prevents recognition by the rootkit's dictionary.
Note 2: In the last step of the installation, make sure to uncheck both the launch option and the database definition update. We will do that later.
- Go to the folder where the program is installed and rename mbam.exe to something else, like mab.exe.
- Now update the Malwarebytes database definitions. Run mab.exe, select the "Update" tab and wait until the app has the latest database.
- Restart the infected computer in safe mode
Note: you can get into safe mode by pressing F8 after the first beep, before the Windows logo appears on your monitor.
- In safe mode, run mab.exe from the app folder and run a full scan. This takes 2 or 3 hours or more, depending on the number of files on your drives. The scan should find the file TDSSeoqh.dll, which is the root source of the infection.
- After scan finishes, reboot your computer in normal mode.
- Again, run mab.exe from the app folder and run a full scan. In this step, more trojan files will be found. The removal app will ask you to restart your computer in order to remove the files. Before you proceed, go to the app folder and rename mab.exe back to its original name, mbam.exe.
- After the restart, the infection should be gone. It must be a brighter day. Congratulations.
Besides Malwarebytes, you might also find some of these tools useful:
I used this tool before Malwarebytes. It could detect the rootkit but was unable to fully clean the system. It gave up deleting the file TDSSeoqh.dll and instead quarantined its clone in vain. However, this tool produces a comprehensive log which can be very useful, especially the "files with hidden attributes" part.
- Spybot S&D
This tool is privacy software that lets you stop unwanted programs from modifying your system. Every time a program tries to modify the registry, it prompts you to approve or deny the action. It can be a little cumbersome and vexing for non-techies, but basically it's a system saver.
Besides the tools, you may also invest some time in modifying your Windows Explorer configuration, especially the options for viewing files and folders. Open "Tools" > "Folder Options" > "View" and change some of the defaults: uncheck the option to hide extensions for known file types, uncheck the option to hide system files, and choose the option to show hidden files and folders. This way you will find it easier to notice a malicious program trying to tamper with your system.
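The same three Folder Options settings can be applied from PowerShell. This is an added example, not part of the original post; it assumes the current user's Explorer settings under the standard Advanced key and restarts Explorer so the change takes effect.

```powershell
# Added example (not from the original post): apply the Folder Options > View
# settings described above through the registry, reporting what changed.
$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

# Desired values; the defaults on a fresh install hide all three.
$wanted = @{
    Hidden          = 1   # 1 = show hidden files and folders
    HideFileExt     = 0   # 0 = show extensions for known file types
    ShowSuperHidden = 1   # 1 = show protected operating system (system) files
}

$current = Get-ItemProperty -Path $key
foreach ($name in $wanted.Keys) {
    $old = $current.$name          # $null if the value has never been written
    if ($old -ne $wanted[$name]) {
        Set-ItemProperty -Path $key -Name $name -Value $wanted[$name] -Type DWord
        "{0}: {1} -> {2}" -f $name, $old, $wanted[$name]
    } else {
        "{0}: already {1}" -f $name, $old
    }
}

# Explorer re-reads these values on start; it restarts itself after being stopped.
Stop-Process -Name explorer -Force
```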