Google Redirect Virus - Alternative to TDSSKiller


#1 WileEDingo


Posted 23 January 2012 - 02:05 PM

If you are struggling to get rid of the Google Redirect Virus and, like me, just cannot get TDSSKiller to run, there is an alternate tool that might work: FixTDSS.exe from Symantec (sorry if I inserted the hyperlink wrong). I'm not a big fan of Symantec products, but this is one time they really helped me out. I fought with this virus all weekend and only came across this link this morning. It fixed the problem in less than 5 minutes. Maybe it will work for you too. Thanks Symantec!

A couple other points:

1. The redirect occurs when you click on the link in the Google search results. You can still get to some of the web sites by copying and pasting the address instead of clicking on it; however, the more critical sites like antivirus sites or Microsoft Update would still fail. I stumbled on a way to open an uninfected browser: (in XP) open Control Panel, Automatic Updates, and click on the link for "Install Updates from the Windows Update web site". This would open IE, apparently without infection.

2. While infected, services.exe would take as much as 278MB of my system's memory and would take up to 99% of the processing power away. Even in safe mode it would take over 125MB of memory. While this was going on, I knew even without opening Internet Explorer that the system was still infected. After running FixTDSS I knew it had worked because services.exe now only took about 4MB of memory and 0% of the processing power.

Edited by WileEDingo, 24 January 2012 - 10:10 AM.




#2 quietman7


Posted 24 January 2012 - 02:44 PM

Yes, in some cases using Symantec's Backdoor.Tidserv Removal Tool (FixTDSS) has been successful when TDSSKiller fails, but it's not a guarantee for all cases.

This is because some types of malware will target security tools to keep them from running properly.
Microsoft MVP - Consumer Security 2007-2014

Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 Oisin123


Posted 18 February 2012 - 06:44 PM

Thanks WileEDingo. After following various threads and trying lots of malware, this one worked in less than five minutes. So far, so clean! It seems to have rid me of a Google redirect virus that came with the system restore virus.

#4 guitarman428


Posted 26 February 2012 - 01:16 AM

SPREAD THE WORD!
HOW TO GET TDSSKILLER TO RUN
My laptop was infected with a redirect virus and, like others, I couldn't get tdsskiller to open.
In other words, the infection was blocking tdsskiller.
Finally I managed to get it to run and it detected a bootkit.
The trick is:
1. Download tdsskiller on an uninfected computer.
2. Transfer tdsskiller.exe to a memory stick.
3. THIS IS THE IMPORTANT BIT:
Rename tdsskiller to iexplore.com ON THE MEMORY STICK, before you've connected it to the infected computer.
This is because these rootkit viruses have a list of antivirus/antimalware programs, which they recognize by name, whose operation they block.
It doesn't want to stop iexplore because it needs Internet Explorer for its illicit activities.
4. I then transferred 'iexplore.com' onto my infected laptop, double clicked, and voila - tdsskiller opened up and allowed me to perform a scan.

SIMPLES!

I hope this has helped somebody else

#5 quietman7


Posted 26 February 2012 - 08:30 AM

Some types of malware will target security tools and files (processes) by name so they will not run. In some cases, the malware will flag and block these files by providing bogus (fake) alerts indicating they are malicious or infected. The malware does this deliberately in an effort to goad you into buying rogue security software that claims to remove the infection. At the same time however, the malware will ignore and allow some selected processes (certain core system components) to run. These core system components are usually critical system files which are necessary for the operating system.

Since the malware will ignore these files (processes), renaming security tools to those with critical system file names allows them to run normally so they detect and remove the infection. An example list of such files used for renaming would be the following:

* wuauclt.exe
* wscntfy.exe
* winlogon.exe
* wininit.exe
* nvsvc.exe
* lsm.exe
* lsass.exe
* iexplore.exe
* system
* svchost.exe
* spoolsv.exe
* smss.exe
* slsvc.exe
* services.exe
* explorer.exe
* ctfmon.exe
* csrss.exe
* alg.exe


Knowing this workaround, some security tools like RKill by Grinler are already available in renamed versions for download as a convenience to the user.
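As an added illustration, not code from the thread or from any of the tools named in it, the following Python models the name-based gating quietman7 describes: a blocklist of security tool names and an allowlist of core system process names, with the allowlist taken from the post above. It contrasts that with a check keyed on the file's contents, which a rename does not affect. The tool names in BLOCKLIST are the ones mentioned in this thread, and TOOL_BYTES is a constructed stand-in for a tool's file contents.

```python
import hashlib

# Core system process names the malware leaves alone (list from the post above).
ALLOWLIST = {
    "wuauclt.exe", "wscntfy.exe", "winlogon.exe", "wininit.exe", "nvsvc.exe",
    "lsm.exe", "lsass.exe", "iexplore.exe", "system", "svchost.exe",
    "spoolsv.exe", "smss.exe", "slsvc.exe", "services.exe", "explorer.exe",
    "ctfmon.exe", "csrss.exe", "alg.exe",
}

# Security tool names mentioned in the thread that such malware blocks by name.
BLOCKLIST = {"tdsskiller.exe", "fixtdss.exe", "rkill.exe", "combofix.exe"}


def name_based_decision(filename: str) -> str:
    """Decide purely on the file name, the way the malware in the thread does."""
    name = filename.lower()
    if name in ALLOWLIST:
        return "allow"   # core system component: ignored by the malware
    if name in BLOCKLIST:
        return "block"   # recognised security tool: prevented from running
    return "allow"       # unknown name: not on the blocklist, so it runs


def content_based_decision(data: bytes, known_tool_hashes: set) -> str:
    """Decide on the file's contents; the name plays no role here."""
    digest = hashlib.sha256(data).hexdigest()
    return "block" if digest in known_tool_hashes else "allow"


# Constructed stand-in for a tool's bytes; a real file would be read from disk.
TOOL_BYTES = b"MZ... constructed TDSSKiller stand-in ..."
KNOWN_TOOL_HASHES = {hashlib.sha256(TOOL_BYTES).hexdigest()}


def rename_effect(original: str, renamed: str) -> dict:
    """Compare both checks before and after the rename trick from the thread."""
    return {
        "name_check_before": name_based_decision(original),
        "name_check_after": name_based_decision(renamed),
        "content_check_before": content_based_decision(TOOL_BYTES, KNOWN_TOOL_HASHES),
        "content_check_after": content_based_decision(TOOL_BYTES, KNOWN_TOOL_HASHES),
    }


if __name__ == "__main__":
    # The rename defeats the name check but leaves the content check unchanged.
    print(rename_effect("tdsskiller.exe", "iexplore.com"))
```

The same lesson applies in reverse to a defender's own detection rules: a process name on its own is not a reliable identity, so match on hashes or signed metadata where you can.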

#6 yvonne713


Posted 17 March 2012 - 01:15 AM

WileEDingo, I wanted to add my thanks to you for this alternative to TDSSKiller. I have been using TDSSKiller for a very long time and tonight was the first time I couldn't get it to run. Renaming didn't help. I think whatever rootkit malware I had was blocking files based on their version/product/company information as well.

Downloading and running FixTDSS worked like a charm. It found the infection, killed it and I was able to finally run Combofix as well (it would repeatedly hang at the "scanning for infected files" screen).

So thank you very much! After searching for a while, finding this thread was my saving grace!

-yvonne



