Google Redirect Virus - Alternative to TDSSKiller

If you are struggling to get rid of the Google Redirect Virus and like me, just cannot get TDSSKiller to run, there is an alternate tool that might work. FixTDSS.exe from Symantec (sorry if I inserted the hyperlink wrong). I'm not a big fan of Symantec products, but this is one time they really helped me out. I fought with this virus all weekend and only came across this link this morning. It fixed the problem in less than 5 minutes. Maybe it will work for you too. Thanks Symantec!

A couple other points:

1. The redirect occurs when you click on the link in the Google search results. You can still get to some of the web sites by copying and pasting the address instead of clicking on it; however, the more critical sites like antivirus sites or Microsoft Update would still fail. I stumbled on a way to open an uninfected browser - (in XP) open Control Panel, Automatic Updates, and click on the link for "Install Updates from the Windows Update web site". This would open IE, apparently without infection.

2. While infected, services.exe would take as much as 278MB of my system's memory and would take up to 99% of the processing power away. Even in safe mode it would take over 125MB of memory. While this was going on, I knew even without opening Internet Explorer that the system was still infected. After running FixTDSS I knew it had worked because services.exe now only took about 4MB of memory and 0% of the processing power.

Yes, in some cases using Symantec's Backdoor.Tidserv Removal Tool (FixTDSS) has been successful when TDDSKiller fails but it's not a guarantee for all cases.

This is because some types of malware will target security tools to keep them from running properly.

Thanks WileEDingo. After following various threads and trying lots of malware, this one worked in less than five minutes. So far, so clean! It seems to have rid me of a google redirect virus that came with the system restore virus.

SPREAD THE WORD!
HOW TO GET TDSSKILLER TO RUN
My laptop was infected with a redirect virus and like others, I couldn't get tdsskiller to open.
In other words the infection was blocking tdsskiller.
Finally I managed to get it to run and it detected a bootkit.
The trick is:
1. Download tdsskiller on an uninfected computer
2. transfer tdskiller.exe to a memory stick
3. THIS IS THE IMPORTANT BIT:
Rename tdsskiller to iexplore.com ON THE MEMORY STICK, before you've connected it to the infected computer.
This is because these rootkit viruses have a list of antivirus/antimalware to block the operation of which they recognize by name.
It doesn't want to stop iexplore because it needs internet explorer for its illicit activities.
4 I then transferred 'iexplore.com' onto my infected laptop, double clicked and voila - tdsskiller opened up and allowed me to perform a scan.

SIMPLES!

I hope this has helped somebody else

Some types of malware will target security tools and files (processes) by name so they will not run. In some cases, the malware will flag and block these files by providing bogus (fake) alerts indicating they are malicious or infected. The malware does this deliberately in an effort to goad you into buying rogue security software that claims to remove the infection. At the same time however, the malware will ignore and allow some selected processes (certain core system components) to run. These core system components are usually critical system files which are necessary for the operating system.

Since the malware will ignore these files (processes), renaming security tools to those with critical system file names allows them to run normally so they detect and remove the infection. An example list of such file used for renaming would be the following:

* wuauclt.exe
* wscntfy.exe
* winlogon.exe
* wininit.exe
* nvsvc.exe
* lsm.exe
* lsass.exe
* iexplore.exe
* system
* svchost.exe
* spoolsv.exe
* smss.exe
* slsvc.exe
* services.exe
* explorer.exe
* ctfmon.exe
* csrss.exe
* alg.exe


Knowing this work around, some security tools like RKill by Grinler are already available in renamed versions for download as a convenience to the user.

WileEDingo, I wanted to add my thanks to you for this alternative to TDSSKiller. I have been using TDSSKiller for a very long time and tonight was the first time I couldn't get it to run. Renaming didn't help. I think whatever rootkit malware I had was blocking files based on their version/product/company information as well.

Downloading and running FixTDSS worked like a charm. It found the infection, killed it and I was able to finally run Combofix as well (it would repeatedly hang at the "scanning for infected files" screen).

So thank you very much! After searching for a while, finding this thread was my saving grace!

-yvonne