How to completely remove TDSS variants from an infected computer

Written by: David Ouwinga

If you are anything like us, you have been seeing the TDSS rootkit at least once or twice on workstations at your company. Here is a little guide to help remove one of the latest variants that infects the master boot record. This is done without using the recovery console so that it is possible to remote into the computer to remove the infection.

Step 1: Arm Yourself

You will need the following tools in your toolbag:

 

Step 2: Cure the Infection

The following process will remove the infection and stop it from reinfecting after reboot. This should be done as an admin user unless otherwise specified:
 
1. Run bootkit_remover to see whether your master boot record is clean. If it is clean you will see green text similar to the text in the following picture. If the text is yellow, proceed to step 1a; otherwise proceed to step 2.
Bootkit Remover
1a. Run MbrFix. To run MbrFix, open a command prompt and navigate to the folder where you extracted it, then run the following command:
 
For Windows XP
MbrFix /drive 0 fixmbr /yes
 
For Windows 7 
MbrFix /drive 0 fixmbr /yes /win7
 
Note: There is a batch file in the zip called “mbrfix device 0 win xp.bat”. This will run the Windows XP command for you.
 
1b. Reboot the computer immediately after running MbrFix. This helps prevent reinfection.
1c. After the reboot, run bootkit_remover again to verify that the master boot record is clean. You should now see green text instead of yellow. If not, repeat the steps above.
 
2. Run TDSSKiller. Just hit the scan button and follow any instructions that pop up. This will likely not find anything, but it is a handy confirmation.
3. If Malwarebytes is already installed on the computer, that installation is likely infected. Run the Malwarebytes Cleaner (mbam-clean.exe) to remove it first.
4. Install the latest version of Malwarebytes from their website, then update it.
5. Run a full Malwarebytes scan.
6. Reboot after the Malwarebytes scan.
7. Log in as the user and run Unhide.exe.
8. While still logged in as the user, run another full Malwarebytes scan.
9. Reboot. You should now be completely clean, and all the icons on the desktop and Start menu should be back.
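As an added illustration of the kind of check step 1 relies on (this is example code written for this page, not bootkit_remover's or MbrFix's own code), the following Python parses a 512-byte MBR sector image, verifies the 0x55AA boot signature, reads the four partition table entries, and compares a SHA-256 hash of the bootstrap code area (bytes 0 to 439) against a baseline recorded from a known-clean machine. The sample sectors, the boot code bytes and the baseline hash are constructed for the example; `read_mbr` is a hypothetical helper, and reading the live `\\.\PhysicalDrive0` device with it requires an elevated prompt.

```python
"""Offline MBR integrity check against a known-good baseline.

Added example for this guide, not code from bootkit_remover or MbrFix.
Every sector used below is constructed in this file for the demonstration.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOTCODE_END = 440            # bytes 0..439 hold the bootstrap code
PART_TABLE_OFFSET = 446       # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xaa"  # last two bytes of a valid MBR
ENTRY_FORMAT = "<B3sB3sII"    # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr(bootcode: bytes) -> bytes:
    """Construct a sample sector: given boot code, one bootable type-0x07 partition, valid signature."""
    if len(bootcode) > BOOTCODE_END:
        raise ValueError("boot code does not fit in the bootstrap area")
    sector = bytearray(SECTOR_SIZE)
    sector[:len(bootcode)] = bootcode
    # entry 0: bootable (0x80), partition type 0x07, starts at LBA 2048, 1,000,000 sectors
    entry = struct.pack(ENTRY_FORMAT, 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 2048, 1_000_000)
    sector[PART_TABLE_OFFSET:PART_TABLE_OFFSET + 16] = entry
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def parse_partitions(sector: bytes) -> list:
    """Return the four partition table entries as dicts (unused slots have type 0)."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        status, _chs_start, ptype, _chs_end, lba_start, count = struct.unpack(
            ENTRY_FORMAT, sector[off:off + 16])
        entries.append({"bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": count})
    return entries


def bootcode_hash(sector: bytes) -> str:
    """SHA-256 of the bootstrap area only; the partition table legitimately differs per machine."""
    return hashlib.sha256(sector[:BOOTCODE_END]).hexdigest()


def mbr_status(sector: bytes, baseline_hash: str) -> str:
    """Classify a sector: 'invalid' (wrong size or signature), 'clean' (boot code matches baseline),
    or 'modified' (valid layout but boot code differs from the baseline)."""
    if len(sector) != SECTOR_SIZE or sector[510:512] != BOOT_SIGNATURE:
        return "invalid"
    return "clean" if bootcode_hash(sector) == baseline_hash else "modified"


def read_mbr(path: str) -> bytes:
    """Hypothetical helper: read the first sector of a disk image or raw device.
    On Windows, path r'\\\\.\\PhysicalDrive0' works only from an elevated prompt."""
    with open(path, "rb") as fh:
        return fh.read(SECTOR_SIZE)


# Constructed baseline: the hash a defender would record once from a known-clean machine.
# The boot code bytes are placeholders, not real bootstrap code.
CLEAN_BOOTCODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 40
CLEAN_MBR = build_sample_mbr(CLEAN_BOOTCODE)
BASELINE_HASH = bootcode_hash(CLEAN_MBR)

# Constructed sector with the same partition table but altered boot code, the
# situation an MBR integrity check is meant to surface.
TAMPERED_MBR = build_sample_mbr(b"\xeb\x3c" + CLEAN_BOOTCODE[2:])

if __name__ == "__main__":
    for name, sector in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(name, mbr_status(sector, BASELINE_HASH), parse_partitions(sector)[0])
```

Only the bootstrap area is hashed because the partition table legitimately differs from machine to machine, while the boot code written by a given Windows version is typically identical across stock installs (OEM imaging tools may write their own, so record the baseline from your own standard build). A check run from inside a running infected system can still be misled, since a rootkit that filters disk reads can hand back the original sector, which is why the guide verifies again with bootkit_remover after the reboot in step 1c.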