How to remove Google Redirects or the TDSS, TDL3, or Alureon rootkit using TDSSKiller
By Lawrence Abrams
on March 2, 2010 @ 05:20 PM | Last Updated: November 16, 2010 | Read 1,243,871 times.
TDSS, or TDL3, is the name of a family of
rootkits for the Windows operating system that downloads and execute other malware,
delivers advertisements to your computer, and block programs from running. This
rootkit infects your computer in various ways that include replacing hard disk
drivers with malicious versions. Once a computer is infected, TDSS will be invisible
to Windows and anti-malware programs while downloading and executing further
malware and delivering advertisements to your computer. This particular infections
is detected under various names depending on the particular anti-virus vendor.
A list of vendors and their detection names for TDSS can be found below.
While infected, the files and services associated with TDSS will be invisible,
but there are symptoms that the TDSS infection may display. These symptoms include:
- Google search result links will be redirected to unrelated sites. When
you search through Google and click on one of the search results, instead
of going to the correct page you will instead be redirected to an advertisement.
It should be noted that some of the domains you are redirected to are legitimate
companies, but that may have affiliates that promote their products in a dubious
- The inability to run various programs. When you attempt to run certain
programs, you will not receive an error, but they simply will not start. TDSS
has a configuration setting called disallowed that contains
a large list of programs that it will not allow to execute. It does this so
that you cannot launch anti-virus and anti-malware programs that may help
you remove this infection.
- The inability to access various sites. For example, at the time of this
writing TDSS is blocking access to BleepingComputer.com as well as other computer
help and security sites.
- Web browsing is slower than normal. When starting your web browser or browsing
the web, you may find that web pages load slower.
As you can see, the TDSS rootkit is an intrusive infection that takes over
your machine and is very difficult to remove. Thankfully, Kaspersky Labs has
released a tool called TDSSKiller that can be used to remove most variants of
TDSS from your computer. We do, though, need to perform some steps in order
to get the program to work. These steps are described in the removal guide below.
View TDSS, Alureon, or TDL3 Rootkit files.
View TDSS, Alureon, or TDL3 Rootkit Registry Information.
Tools Needed for this fix:
03/02/10 - Initial guide creation.
03/05/10 - Updated for new version.
03/25/10 - Updated for minor change.
07/29/10 - Updated for change to a GUI interface.
11/16/10 - Updated instructions.
Automated Removal Instructions for the TDSS, Alureon, or TDL3 Rootkit using TDSSKiller:
- The first thing you need to do is download tdsskiller from the following
link and save it to your desktop.
Download Link - http://www.bleepingcomputer.com/download/tdsskiller/
When you get to the above page, please click on the Download EXE button to download the file. If you are unable to download the file for some reason, then TDSS may be blocking
it. You would then need to download it first to a clean computer and then
transfer it to the infected one using an external drive or USB flash drive.
Once the file has completed downloading, you should now have the TDSSKiller
icon on your desktop as shown below.
- Before you can run TDSSKiller, you first need to rename it so that you
can get it to run. To do this, right-click on the TDSSKiller.exe
icon that should now be on your Desktop and select Rename.
You can now edit the name of the file and should name it a random name with
the .com extension. For example, 123.com or 23kjasd123.com. If a random name does not work, please try renaming it as iexplore.com and attempt to run it again.
- Once the file is renamed, you should double-click on it to launch it. When
you run the program, Windows may display a warning similar to the image shown
If you receive this warning, please click on the Run button
to allow TDSSKiller to run. If you did not receive this warning, then TDSSKiller
should have started and you can proceed to step 6.
- TDSSKiller will now start and display the welcome screen as shown below.
At this screen click on the Start scan button to have TDSSKiller
scan your computer for the TDSS infection.
- TDSSKiller will now scan your computer for the TDSS infection. When the
scan has finished it will display a result screen stating whether or not the
infection was found on your computer. If it was found it will display a screen
similar to the one below.
To remove the infection simply click on the Continue button
and TDSSKiller will attempt to clean the infection. If it does not say Cure,
leave it at the default action of Skip and press the Continue
button. Do not change it to Delete or Quarantine
as it may delete infected files that are required for Windows to operate properly.
- When it has finished cleaning the infection you will see a report stating
whether or not it was successful as shown below.
As you can see from the above screen, TDSSKiller was able to clean the TDSS
infection, but requires a reboot to finish the cleaning process. Click on
the Reboot now button to reboot your computer and finish
the removal of the TDSS infection from your computer.
- I now suggest that you scan your computer using MalwareBytes' to remove
any traces that may still be present. A tutorial on how to use MalwareBytes'
can be found here:
- If TDSSKiller was unable to remove the TDSS infection, even though it detected
it but was unable to cure it, then you should follow the steps here to request
assistance from one of our malware removal experts:
Guide For Use Before Using Malware Removal Tools and Requesting Help
If you are still having problems with your computer after completing these instructions, then please follow the steps outlined in the topic linked below:
Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help
View Associated TDSS, Alureon, or TDL3 Rootkit Files
C:\Documents and Settings\All Users\Application Data\_VOIDmainqt.dll
File Location Notes:
%Temp% refers to the Windows Temp folder. By default, this is C:\Windows\Temp for Windows 95/98/ME, C:\DOCUMENTS AND SETTINGS\<Current User>\LOCAL SETTINGS\Temp for Windows 2000/XP, and C:\Users\<Current User>\AppData\Local\Temp in Windows Vista, Windows 7, and Windows 8.
This is a self-help guide. Use at your own risk.
BleepingComputer.com can not be held responsible for problems that may occur by using this information. If you would like help with any of these fixes, you can ask for malware removal assistance in our Virus, Trojan, Spyware, and Malware Removal Logs forum.
If you have any questions about this self-help guide then please post those questions in our Am I infected? What do I do? and someone will help you.