Windows Enterprise Desktop

May 12 2010   3:16PM GMT

Beware the TDSS Rootkit Removal Tool!!!

Ed Tittel

In the latest (May 2010) issue of Virus Bulletin, I read Alisa Shevchenko’s story “TDSS Infections – Quarterly Report” with some interest and a lively appreciation of the TDSS rootkit malware and infections over the past year. Upon learning that a detection and repair tool for this rootkit (which is extraordinarily difficult to detect, even for rootkit-specific tools) was available from Shevchenko’s employer’s website (eSage Lab), I decided to give it a shot. This program, simply called remover.exe, scans systems for hidden driver files so that its users can remove them if and when they’re found. The tool comes with an undocumented catch, however, as I learned by electing to remove two hidden items that the program discovered on my system.

If you’re lucky, when you run this tool on your system, you’ll get a display that looks like this:

The best outcome is when no hidden driver files are detected

Alas, it turned out that the two hidden items that this program found on my system were hidden by Microsoft, not by any rootkit. When I removed them, I was removing my Windows 7 license key and activation data, so that when I rebooted my machine after the fix, I got the “black screen” background and a warning that my copy of Windows was not genuine. This was easy to fix, simply by re-entering my (valid) license key, and then re-activating Windows, but it did come as something of a surprise.

The two items that the program discovered were:

  • C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
  • C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

Should you decide to run this program and it discovers exactly two hidden drivers, but no other signs of infection, check whether they match the two paths above before you let it delete anything. On the other hand, the fix is pretty easy if you do trash them and lose your license status and activation data, so you can go either way in deciding whether or not to allow the program to delete these questionable but benign items.
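To make that check concrete, here is an added PowerShell example; it is not part of the original post and is not code from eSage Lab's remover.exe. It takes the paths a scanner reports as hidden items, marks the two Windows 7 license files named above as known-benign, flags everything else for manual review, and tells you when the result is exactly the situation described in this post. The post does not show remover.exe's output format, so the script assumes you paste the reported paths in as strings; the third path in the sample input is a constructed placeholder, not a real finding.

```powershell
# Added example, not part of the original post and not code from remover.exe:
# classify the hidden items a rootkit scanner reports before deleting any of them.

# The two paths the post identifies as Microsoft's own hidden license/activation
# data on Windows 7. Treat this as an allowlist of items already verified benign.
$KnownBenignLicenseFiles = @(
    'C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0',
    'C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0'
)

function Test-FlaggedItem {
    # Returns one record per reported path:
    #   Verdict 'KnownBenign' - exact (case-insensitive) match on the allowlist
    #   Verdict 'Review'      - anything else; inspect it before removal
    # Exists/Attributes are read from the live file system (-Force shows hidden files).
    param([Parameter(Mandatory)][string]$Path)

    $normalized = $Path.Trim()
    $isKnown    = $KnownBenignLicenseFiles -contains $normalized
    $verdict    = if ($isKnown) { 'KnownBenign' } else { 'Review' }
    $item       = Get-Item -LiteralPath $normalized -Force -ErrorAction SilentlyContinue
    $attributes = if ($item) { $item.Attributes.ToString() } else { 'n/a' }

    [pscustomobject]@{
        Path       = $normalized
        Verdict    = $verdict
        Exists     = [bool]$item
        Attributes = $attributes
    }
}

function Get-FlaggedItemReport {
    # Classifies every reported path and prints a summary for the operator.
    # The returned records can be piped to Format-Table or Export-Csv.
    param([Parameter(Mandatory)][string[]]$FlaggedPaths)

    $records = @($FlaggedPaths | ForEach-Object { Test-FlaggedItem -Path $_ })
    $review  = @($records | Where-Object { $_.Verdict -eq 'Review' })

    if ($records.Count -eq 2 -and $review.Count -eq 0) {
        # Exactly the case in the post: the two license files and nothing else.
        Write-Host 'Only the two Windows license files were reported. Deleting them breaks activation; leave them alone.'
    } elseif ($review.Count -gt 0) {
        Write-Host ("{0} item(s) need manual review before any removal." -f $review.Count)
    }
    return $records
}

# Constructed sample input standing in for what the scanner reported: the two
# license files from the post plus one hypothetical placeholder path.
$sampleFlagged = $KnownBenignLicenseFiles + @('C:\Windows\system32\drivers\EXAMPLE-PLACEHOLDER.sys')
Get-FlaggedItemReport -FlaggedPaths $sampleFlagged | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt so Get-Item can see the hidden files in system32. Anything that comes back as Review is the only thing worth investigating further; if you do end up removing the two license files anyway, `slmgr.vbs /dlv` shows the resulting activation state, and re-entering the key and re-activating restores it, as the post describes.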
