TDSS Remover

(update / NB!) To resolve a problem with remover.exe, please contact me via e-mail and attach the program's log file, rk_remover_debug_log.txt (it is written to the same directory as remover.exe).

***

While researching the TDSS rootkit (summarized in VirusBulletin, May 2009), I stumbled upon the fact that no known program was capable of reliable automatic removal of the beast. Certain antiviruses can do it, but only if the specimen is already known to them. If the specimen is new, i.e. if there is no signature for it yet, no antivirus or anti-rootkit can remove it in an easy way.

So we decided to publish a ‘click-click-win’ kind of cleaner utility addressing this issue. The latest version of the TDSS removal tool (download here) is available at esagelab.com.

To find the malware, we use an anomaly-based detection approach, scanning for hidden files, drivers, and registry entries. Since the tool does not rely on any kind of file signatures, but rather on the particular architecture of TDSS, it will find, and allow one-click removal of, virtually any TDSS specimen.

Thus, all known versions of the TDSS malware are supported. Furthermore, subsequent versions will be supported automatically, unless the TDSS developers decide to change the rootkit’s very core technology (which I would be curious to see, since the detection technique implemented in our tool is not that easy to bypass).

Since the TDSS remover is actually an all-purpose anti-rootkit by design, merely tuned to the TDSS-specific features, don’t be confused if it retrieves some more hidden objects (and possibly some more rootkits) apart from TDSS itself :) .
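The "anomaly-based" scan described above is a cross-view comparison: enumerate the same object class once through the high-level API a rootkit can filter and once through a low-level path it does not control, then report whatever appears in only one view. The block below is an added example of that logic, not code from the TDSS Remover; the object names, the two views per class and the allowlist (which lets a scanner skip hidden objects it expects, such as its own persisted service key) are all constructed sample data, and the one service name that comes from this page's comments is used only as a sample registry entry.

```python
"""Cross-view detection of hidden files, drivers and registry entries.

Added illustration, not the TDSS Remover's own code. Each object class
is enumerated through two views; objects present at the low level but
absent from the API view are reported as hidden.
All sample data is constructed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Anomaly:
    kind: str      # "file", "driver" or "registry"
    name: str      # object name as spelled in the view that reported it
    reason: str    # "hidden_from_api" (raw view only) or "api_only" (API view only)


# Hidden objects the scanner expects and should not report (constructed
# allowlist; a remover's own persisted service key is one such case).
KNOWN_BENIGN: Set[Tuple[str, str]] = {
    ("registry", r"HKLM\SYSTEM\CurrentControlSet\Services\rk_remover"),
}


def cross_view_diff(kind: str, api_view: Iterable[str], raw_view: Iterable[str],
                    allowlist: Set[Tuple[str, str]] = KNOWN_BENIGN) -> List[Anomaly]:
    """Compare two enumerations of one object class and return the anomalies.

    Windows object names are case-insensitive, so the comparison runs on
    lower-cased keys while the original spelling is kept for reporting.
    """
    api = {n.lower(): n for n in api_view}
    raw = {n.lower(): n for n in raw_view}
    allowed = {n.lower() for k, n in allowlist if k == kind}
    found: List[Anomaly] = []
    # In the raw view but filtered out of the API view: the classic sign of
    # a rootkit tampering with enumeration results.
    for key in sorted(raw.keys() - api.keys() - allowed):
        found.append(Anomaly(kind, raw[key], "hidden_from_api"))
    # Reported by the API but absent at the low level: a phantom entry,
    # usually a stale cache or a racing deletion, still worth a look.
    for key in sorted(api.keys() - raw.keys()):
        found.append(Anomaly(kind, api[key], "api_only"))
    return found


def scan(views: Dict[str, Tuple[List[str], List[str]]],
         allowlist: Set[Tuple[str, str]] = KNOWN_BENIGN) -> List[Anomaly]:
    """views maps object kind -> (api_view, raw_view); returns all anomalies."""
    result: List[Anomaly] = []
    for kind, (api_view, raw_view) in views.items():
        result.extend(cross_view_diff(kind, api_view, raw_view, allowlist))
    return result


# Constructed sample views standing in for real enumeration results.
SAMPLE_VIEWS: Dict[str, Tuple[List[str], List[str]]] = {
    "file": (
        ["atapi.sys", "disk.sys", "ntfs.sys"],                      # directory listing via the file API
        ["atapi.sys", "disk.sys", "ntfs.sys", "zzhidden.sys"],      # raw NTFS walk of the same directory
    ),
    "driver": (
        ["ntoskrnl.exe", "atapi.sys", "disk.sys"],                  # loaded-driver list via the API
        ["ntoskrnl.exe", "atapi.sys", "disk.sys", "zzhidden.sys"],  # kernel module list walked directly
    ),
    "registry": (
        [r"HKLM\SYSTEM\CurrentControlSet\Services\atapi",
         r"HKLM\SYSTEM\CurrentControlSet\Services\Disk"],           # key enumeration via the registry API
        [r"HKLM\SYSTEM\CurrentControlSet\Services\atapi",
         r"HKLM\SYSTEM\CurrentControlSet\Services\Disk",
         r"HKLM\SYSTEM\CurrentControlSet\Services\ovfsthxnrijotbftavhxkrpuyvdmdbymftcqpx",
         r"HKLM\SYSTEM\CurrentControlSet\Services\rk_remover"],     # raw hive parse
    ),
}


def hidden_objects(views: Dict[str, Tuple[List[str], List[str]]] = SAMPLE_VIEWS) -> List[Tuple[str, str]]:
    """(kind, name) pairs for every object hidden from the API view."""
    return [(a.kind, a.name) for a in scan(views) if a.reason == "hidden_from_api"]


if __name__ == "__main__":
    for a in scan(SAMPLE_VIEWS):
        print(f"{a.kind:9} {a.reason:16} {a.name}")
```

On the sample data the scan reports one hidden file, one hidden driver and one hidden service key, while the allowlisted rk_remover key is silently skipped; this is why the post warns that a cross-view scanner will also surface legitimately hidden objects that are not TDSS, and why an allowlist of expected ones is part of any such tool.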

This entry was written by alisa, posted on Tuesday, June 09, 2009 at 06:06 pm, filed under Tools.

50 Responses to “TDSS Remover”

  • roby says:

    I tried your version to solve the TDSS problem… but unfortunately it found 21 files to be suspicious, and when I pressed the clean/delete button it asked for a reboot; on clicking yes, the whole system froze and I had to manually restart it again….

    Every time the same problem came…. do something with it… as you people are the only ones providing a cure for this trojan….

    no one else is providing.. not even the big branded companies….

    Thank you for your effort and time in providing this utility.

  • alisa says:

    Hi roby! What is your operating system name, version, service pack? Please, contact me at alisa@esagelab.com to solve the problem.

  • carlos says:

    Well, I have to thank to all who made this utility cleaner, after so many attempts to remove this trojan (installing anti-spywares, working in safe mode, etc…), I found this and finally removed it for good, and only in… what, 1 or 2 minutes for search, delete and reboot… great job ;)

    Now I can see the drives in the Disk Management (it was there that I found out something was wrong… scanned my PC with a anti-spyware and saw the TDSS trojan) so I guess it’s all over…

    So, once again, many many thanks for providing this utility :D

    Cheers.

  • alisa says:

    You are welcome!

  • TelB says:

    Hi, the tool worked for me, removing the problem except for 3 reg entries..

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ovfsthxnrijotbftavhxkrpuyvdmdbymftcqpx

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\ovfsthxnrijotbftavhxkrpuyvdmdbymftcqpx

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ovfsthxnrijotbftavhxkrpuyvdmdbymftcqpx

    Am unable to manually delete these entries. SPYBOT is unable to fix these entries.

    Look forward to your comments

  • alisa says:

    TelB,
    please, send me the log file (rk_remover_debug_log.txt) to alisa@esagelab.com.

  • Renny says:

    hi there! just discovered your site, while trying to remove this annoyingly difficult bug. i’ve encountered an unusual problem: right after i did the cleaning and rebooted, when i try to run the remover.exe a second time to ensure it’s all clean, i get this new message:

    “error while creating kernel driver binary”

    worked fine before applying it, so I don’t know what’s going on with the proggy exactly.

    i’m running winxp SP2, since i know you’ll need that info at least.

  • alisa says:

    Hi Renny! This error can happen if some software (such as AV, HIPS, or other protection..) is blocking driver file creation.

    The TDSS malware disables AVs, so you don’t have this problem while infected. After the disinfection your AV is up again, so it may start blocking the remover’s driver if there is a false positive.

  • Filip says:

    Hi!

    Thank you very much esagelab !

    The TDSS rootkit cleaner, helped me to remove this TDSS malware.

    Now everything is fine !

  • Joe says:

    Thank you so much for creating this tool!!!! It did the job.

  • bosit says:

    Hi, I can’t get your cleaner to work and I definitely have this nasty worm on the PC :( Hope you can help!
    Using: Vista Home Premium SP2.
    I first tried running the app via safe mode, it prompted me to restart to set the hidden files permissions, I did so and then retried starting the program. I got an error: ‘Error while creating/starting service’
    I thought safe mode was at fault, so I tried it in normal mode but again, got the same error. Here’s the log:

    .\main.cpp(1749) : Debug log started at 29.09.2009 – 08:30:53
    .\main.cpp(1750) : Program version: 1.4.0.0
    .\main.cpp(1755) : OS: Microsoft Windows Vista Home Premium Edition Service Pack 2 (build 6002), 32-bit
    .\main.cpp(1758) : —————————————
    .\service.cpp(95) : Creating service… .\service.cpp(114) : Allready exists
    .\service.cpp(133) : Starting service… .\service.cpp(148) : StartService() ERROR 31

  • Victor says:

    BSOD during the delete of a TDDS Rootkit.d variant.

  • alisa says:

    Victor,
    please send me the rk_remover_debug.log file immediately after you’ve recovered from a BSOD, and your kernel memory dump created during BSOD, to alisa@esagelab.com.

  • JohnB says:

    I’m attempting to eradicate a TDSS rootkit infection, and I’m having a problem using your TDSS Rootkit Cleaner.

    The program does a great job at detecting the infected file (atapi.sys). But when I get to the point in the removal process where I’m prompted for my original Windows XP CD, I get the following error message:

    “The D:\i386\ATAPI.SY_ file is different from the infected file and cannot be used to repair it”.

    I assume this is because the system is running XP SP3, but the CD is SP1 or SP2, and the file doesn’t match. Unfortunately, I don’t have access to the SP3 version of that file in packed format!

    Any possible solution will be much appreciated.

  • alisa says:

    Hi JohnB!
    Thanks for allowing the remover to send your dumps to our server. We have all the necessary files to work on your issue, and will soon get back to you via e-mail.

  • JohnB says:

    Thanks. In the interim, I figured out a workaround to restore the original ATAPI.SYS file. I was able to just simply copy a clean version of ATAPI.SYS from the SP3 cabinet to both system32\drivers & system32\dllcache. I’m surprised that I was able to do that without any Access Denied/File Lock errors, but it worked.

    btw, this was by far the hardest piece of malware I’ve ever had to deal with. After trying about 25 different malware & rootkit solutions, your program was the only one that was able to correctly detect the offending file. Thanks!

  • SriniV says:

    Hi,
    remover is getting stuck at the ../main.cpp(857) RegOpenKey() fails..

    I closed all the AV processes but still the same issue.

    Please help.

    TIA
    –Srini

  • JohnB says:

    I’m having the same problem as SriniV: Remover seems to hang at .\main.cpp(857) : RegOpenKey() fails.

    Perhaps it’s a registry key permission problem?

    I sent you a copy of my debug log. Please advise.

    thanks,
    JohnB

  • HV says:

    Thank you very much for taking the time to work on this tool and also making it available for public use. I for one am very grateful for your outstanding and excellent work. The tool worked like a charm and saved me a ton of frustration and otherwise wasted hours.

    With sincere gratitude,

    HV

  • alisa says:

    SriniV, JohnB,
    the issue with RegOpenKey() is fixed in version 1.6.3.

  • WW says:

    I had problem with Avast! (it sees the tool as a rootkit), so I had to turn off the protection and then I had problems to turn it on, but the tool itself seems to be working.

  • steve herpesyesherpes says:

    First, thank you very much for this program. One issue, though: it found a problem with a file called “nvata.sys” and asked for a windows xp cd for a clean copy of that file. I couldn’t find it anywhere in my XP cd or other XP cds (xp pro). The file was, however, in my motherboard’s driver cd (nvidia 680 sli).

  • Marc says:

    Guys, simply thanks!!!!!!!! I have looked for a solution to this nag for days, you guys are the only one with one. Thanks again.

  • joewolh says:

    OH WOW you guys are truly amazing i was ready to throw my computer in the trash can and hop over to a apple store and never again know about rootkits when at last i came across this tool and scaned my computer and this is the only tool that located the rootkit and removed it and my computer was like new again WOW WOW you guys are my angel
    good luck

  • GsmTracer says:

    that’s amazing, even paid antivirus failed to cure (I’d ESET Smart Security and still infected with Olmarik with AV); just a click and clean with TDSS

    thanks a million

  • KevinG says:

    I can’t download a .rar file. What do I need to do?

  • TonyG says:

    Hi, I’m using BitDefender Internet Security 2010 suite; this tool is being detected as a virus (Gen:Rootkit.Heur.mGW@e4x7c!i), can you please help. I’m trying to clear Directrdr and bu250 and/or bu520 (I think) redirects causing issues with all my browsers. I’m running Windows 7, Thanks

  • Jean says:

    I’m having the same problem as John in posts #14-16, except I don’t know how to get the “clean version of ATAPI.SYS from the SP3 cabinet” HELP!!

  • alisa says:

    Hi Jean,
    we are currently working on full support for this issue. In the meanwhile, drop me an e-mail (alisa@esagelab.com) on details of your case.

  • Peter says:

    Your Tool is good on TDL3 but it fails on TDL3.23 (latest). It detects, crashes when trying to upload sample to server, detects again and when you reboot, TDL3.23 is still there infecting atapi.sys. When will this tool be updated to counteract the new versions of TDL3?

  • JohnB says:

    Jean (re: Post #31),

    I should have been more specific in my post (#16).

    On my XP system, I was able to locate a clean copy of ATAPI.SYS in C:\WINDOWS\ServicePackFiles\i386. You should be able to copy that file to c:\WINDOWS\system32\drivers (overwriting the infected file), reboot, and be good to go.

    Let me know if this works for you.

    JohnB

  • Jeff says:

    Wow, thanks for trying to offer a user-friendly solution to a complex computer virus. But, I’ve run your rootkit cleaner and bootkit remover and they say I’m clean but I am still getting browser redirects and can’t boot into Safe Mode (get a “Stop 0x0000007B” error message). Any suggestions, for a relative computer novice, where to go from here?

  • Jean says:

    John B.,

    Thanks for trying to help me. I hadn’t checked back for a couple days. My problem just seems to get worse and worse! I tried to follow your instructions but got the following message:
    Cannot copy Atapi; It is being used by another person or program.

    I closed everything I possibly could, and still got that message. I also can not get into Safe Mode (same as #35).

    I tried doing a diagnostic start-up and now can’t get it back to normal start-up! It says it’s changed, but next time the computer starts it’s back in diagnostic start-up.

    I’ve installed and deleted so many programs, I’m afraid I’ll have to do a complete reformat soon. Does anyone know if even that will solve my problems?

    Jean

  • alisa says:

    Jean,
    I’ve just posted a solution to your problem:
    recovering an infected driver by hands.

  • damien says:

    .\main.cpp(3884) : Debug log started at 12.02.2010 – 18:25:47
    .\main.cpp(3885) : Program Version: 1.6.3.1
    .\main.cpp(3889) : OS Version: Microsoft Windows XP Professional Service Pack 3 (build 2600)
    .\main.cpp(3897) : —————————————
    .\service.cpp(92) : Creating service… .\service.cpp(125) : OK
    .\service.cpp(130) : Starting service… .\service.cpp(145) : StartService() ERROR 5

  • Maup says:

    Hello, I tried your tool today, my AVG Pro detected c:\windows\system32\drivers\rk_remover.sys as a threat, containing the Win32/NSAnti virus. I suspect this file is part of your tool, and so after disabling AVG’s Resident Shield the tool ran without problems, and came across no threats, apart from some hidden BlueTooth regkeys which i suspected to be stored PIN-codes for BT communication with my phones.

    However, I have 2 questions :
    1. Is the service that is mentioned in the first lines of the rk_remover_debug_log automatically removed after completion of the scanning?
    2. Is the original setting regarding FLAG_MAINTAIN_OBJECT_TYPELIST automatically restored after completion of the scanning, if not what is the possible effect and how can this be reset manually?

  • DougCuk says:

    I too had a threat detection by AVG – in my case using the basic Free Antivirus version. At present you need to switch off the AVG Resident Shield to allow TDSS Remover to run as it detects rk_remover.sys as an infected file.

    Also curious as to any side effects of the debug flag
    FLAG_MAINTAIN_OBJECT_TYPELIST
    With this flag set I had GMER crash XP to a BSOD.
    May not be related but MS do recommend removing this flag once no longer needed.

  • alisa says:

    Maup, DougCuk,

    1. the Remover’s service registry key remains in the system, because some necessary data is stored there. However, the service executable file (i.e. rk_remover.sys) is removed after you quit the program.

    2. FLAG_MAINTAIN_OBJECT_TYPELIST cannot cause any side effects, it only tells the system to save some extra kernel statistics. To re-set this flag by hands, use the gflags.exe utility from Microsoft Debugging Tools (uncheck the “Maintain a list of objects for each type” setting).

  • [...] I’ve been contacted by a user who was afraid to run the TDSS Remover, because Kaspersky Antivirus found a Rootkit.Win32.Agent in it. This was a false positive – [...]

  • DougCuk says:

    I note that the latest Remover.exe has decreased in size dramatically.
    v1.6.3.1 – 1084 KB – Downloaded 13 February 2010
    v1.6.3.4 – 180 KB – Downloaded 28 February 2010
    This appears to be due to a major revision in the way the program is compiled. As far as I can see the problematic rk_remover.sys driver is no longer created.
    This has solved the AVG false alarm detection.

    Without revealing anything to help the Rootkit authors is there anything you can say regarding this major revision to your utility?

  • alisa says:

    Hi DougCuk,
    I am pleased with our users’ attentiveness :)

    Indeed, the Remover’s size has changed dramatically in the latest build, because we stopped using a code protector (VMProtect). The reasons for this are as follows:
    1. VMProtect often causes FPs from antivirus software. Got pissed with them, finally.
    2. The Remover will be moving to a completely new core shortly. Thus, no need to protect the old one any more.
    3. We are compassionate about those poor paranoid guys who buy AVs’ suspicions regarding the Remover, and reverse engineer the tool to ensure it’s not a malware ;)

    As for rk_remover.sys, it is still utilized. However, normally it is deleted after you quit the program.

  • Peter says:

    Your site is updated today; the latest version is 1.7 of the TDSS remover, but the file version in the download link is still old – 1.6.3.4, modified 2/25/2010. Is there an updated file for download with version 1.7?

  • Susan Raatz says:

    I cannot open the zip file for TDSS Remover. My computer does not recognise .rar extension. Please help.

  • Peter says:

    I have a bug to report. The open file dialogue box shows file types of *.sys. But it only shows *.sy_ files. I have to show all file types in order to see *.sys files. Please fix this bug. There is a disparity between what file types are being filtered for and what file types are actually being displayed. I use .sys files so I have to tell it to show all file types in order to see it.
