
Beware the TDSS Rootkit Removal Tool!!!

In the latest (May 2010) issue of Virus Bulletin, I read Alisa Shevchenko’s story “TDSS Infections – Quarterly Report” with some interest and a lively appreciation of the TDSS rootkit malware and infections over the past year. Upon learning that a detection and repair tool for this rootkit (which is extraordinarily difficult to detect, even for rootkit-specific tools) was available from Shevchenko’s employer’s website (eSage Lab), I decided to give it a shot. This program, simply called remover.exe, scans systems to look for hidden driver files so that its users can remove them if and when they’re found. This tool comes with an undocumented catch, however, as I learned by electing to remove two hidden items that the program discovered on my system.

If you’re lucky, when you run this tool on your system, you’ll get a display that looks like this:

The best outcome is when no hidden driver files are detected

Alas, it turned out that the two hidden items that this program found on my system were hidden by Microsoft, not by any rootkit. When I removed them, I was removing my Windows 7 license key and activation data, so that when I rebooted my machine after the fix, I got the “black screen” background and a warning that my copy of Windows was not genuine. This was easy to fix, simply by re-entering my (valid) license key, and then re-activating Windows, but it did come as something of a surprise.

The two items that the program discovered were:

  • C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
  • C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

Should you decide to run this program and it discovers exactly two hidden items, but no other signs of infection, you may want to check whether their paths match the two listed above before deleting anything. On the other hand, the fix is pretty easy if you do trash them and lose your license status and info, so you can go either way in deciding whether or not to allow the program to delete these questionable-looking but benign items.
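One way to apply that check mechanically, as an added example that is not part of the original post or of the eSage remover tool: the script below takes the hidden paths a scanner reports, compares them case-insensitively against the two Windows 7 activation files listed above, and only calls the result a benign false positive when nothing else is hidden. The “Hidden file: …” report format and the sample reports are constructed for illustration (remover.exe’s real output may look different), so adapt parse_findings() to whatever your tool prints.

```python
"""Triage hidden-file findings from a rootkit scanner against the two
Windows 7 Software Protection (activation) files named in the post.

Added example, not the post's or the tool's own code. The report format
parsed here is a hypothetical one; the file paths are the ones from the post.
"""
import re

# The two activation files from the post. NTFS paths are case-insensitive,
# so comparison is done in lower case.
KNOWN_ACTIVATION_FILES = frozenset(p.lower() for p in (
    r"C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0",
    r"C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0",
))

BENIGN = "Windows activation data - do not delete"
UNKNOWN = "unknown hidden item - investigate before deleting"

# Hypothetical scanner line format: "Hidden file: <path>" or "Hidden driver: <path>".
_FINDING_RE = re.compile(r"^\s*hidden\s+(?:file|driver)\s*:\s*(.+?)\s*$", re.IGNORECASE)


def normalize(path):
    """Canonicalise a Windows path for comparison: strip quotes, unify separators, lower-case."""
    p = path.strip().strip("\"'").replace("/", "\\")
    return p.lower()


def parse_findings(report):
    """Pull the reported hidden paths (in report order) out of scanner output."""
    paths = []
    for line in report.splitlines():
        m = _FINDING_RE.match(line)
        if m:
            paths.append(m.group(1))
    return paths


def classify(path):
    """Label one hidden path as the known activation data or as something to investigate."""
    return BENIGN if normalize(path) in KNOWN_ACTIVATION_FILES else UNKNOWN


def triage(paths):
    """Return (overall_verdict, {path: verdict}).

    Rule from the post: only when the hidden items are the known activation
    files and nothing else is this a benign false positive. Any other hidden
    item means the whole set should be investigated before deleting anything.
    """
    details = {p: classify(p) for p in paths}
    if not details:
        overall = "clean: nothing hidden"
    elif all(v == BENIGN for v in details.values()):
        overall = "false positive: only Windows activation files are hidden"
    else:
        overall = "investigate: hidden items beyond the activation files"
    return overall, details


# Constructed sample reports. GUID case differs from the post on purpose,
# to show that matching is case-insensitive.
SAMPLE_BENIGN = r"""Scanning for hidden driver files...
Hidden file: C:\Windows\System32\7B296FB0-376B-497E-B012-9C450E1B7327-5P-0.C7483456-A289-439D-8115-601632D005A0
Hidden file: C:\Windows\System32\7B296FB0-376B-497E-B012-9C450E1B7327-5P-1.C7483456-A289-439D-8115-601632D005A0
Scan complete.
"""

# Same two files plus a third hidden item; the extra path is a made-up placeholder,
# not a real TDSS component name.
SAMPLE_SUSPECT = SAMPLE_BENIGN.replace(
    "Scan complete.",
    r"Hidden driver: C:\Windows\system32\drivers\constructed-example.sys" + "\nScan complete.",
)


if __name__ == "__main__":
    for name, report in (("benign", SAMPLE_BENIGN), ("suspect", SAMPLE_SUSPECT)):
        overall, details = triage(parse_findings(report))
        print(f"[{name}] {overall}")
        for path, verdict in details.items():
            print(f"    {verdict}: {path}")
```

If the files do get deleted, the standard way to restore activation on Windows 7 (not something the post spells out) is to re-enter the key with `slmgr.vbs /ipk <product-key>` and then activate with `slmgr.vbs /ato` from an elevated prompt, which is the same re-enter-and-reactivate step the post describes.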