How to remove the TDSS, TDL3, or Alureon rootkit using TDSSKiller
Posted by Grinler on March 2, 2010 @ 05:20 PM · Views: 57,896
What this infection does:
Dr. Guard is a rogue anti-spyware program from the same family
as Paladin
Antivirus. This rogue is promoted and installed through the use of fake
alert Trojans that advertise the program on your desktop. This rogue is also
known to be bundled with the TDSS, or TDL3, rootkit. As MBAM is not capable
of removing this rootkit, you should also follow the steps in this guide: How
to remove the TDSS, TDL3, or Alureon rootkit using TDSSKiller.
Once downloaded and installed, Dr. Guard will attempt to uninstall various
security applications in order to protect itself from being removed. The anti-malware
programs that it tries to uninstall include:
- Malwarebytes' Anti-Malware
- F-Secure
- NOD32
- Norton Internet Security
- Avira AntiVir
- Agnitum Outpost Security Suite
- AVG8
- avast!
- AntiVir
The program will then load and start to scan your computer for infections.
Once the scan is finished it will state that there are numerous infections on
your computer, but will not allow you to remove them until you purchase the
program. In reality, the infections that it shows are all fake and do not actually
exist on your computer. Therefore, please do not purchase this program based
upon any of the scan results it shows.
Dr. Guard also employs numerous methods to try to trick you into thinking
you are infected. The first method is the display of a window that impersonates
the legitimate Windows Security Center. The difference is that this fake version
suggests you purchase Dr. Guard to protect yourself. While the program is running
you will also see a constant display of fake security alerts and warnings appear
on your desktop and Windows taskbar. These alerts contain dire messages stating
that your computer is under attack, all of your data is being deleted, or that
personal information is being sent to a remote location. Some examples of the
alerts you may see include:
ANTIVIRUS IS RUN IN DEMO MODE. ACTIVATE YOUR ANTIVIRUS
OTHERWISE ALL THE DATA WILL BE LOST OR DAMAGED!

DANGEROUS! ANTIVIRUS DETECTED SOME HARMFUL PROGRAMS
ON YOUR PC! THEY MAY CORRUPT YOUR INFORMATION OR SEND IT TO HACKERS.

PLEASE, OPTIMIZE YOUR PC. IT RUN ONLY 10%.
NEED HELP? PLEASE, CONTACT DR. GUARD CUSTOMER SUPPORT SERVICE.

Windows Firewall has detected unauthorized activity, but unfortunately it cannot help
you to remove viruses, keyloggers and other spyware threats that steal your personal
information from your computer

System files of your computer are damaged. Please, restart your system ASAP.

There are some serious security threats detected on your computer. Please,
remove them ASAP.

There are some serious security threats detected on your computer: viruses, trojans,
keyloggers, exploits etc. Your computer and all your personal data are in serious danger.
Protection: Click the balloon to install antivirus software.

Defenseless OS: Windows 2000/XP/Vista
Description: Spyware. Blocks access to computer. Attacks porn sites visitors.
Protection: Click the balloon to install antivirus software.
Just like the fake scan results, these fake alerts are just another tactic
where Dr. Guard is trying to convince you that you have a security problem on
your computer.
As you can see, Dr. Guard was created to trick you into thinking you are infected
so that you will then purchase the program. It goes without saying that you
should definitely not purchase this program, and if you already have, please
contact your credit card company to dispute the charges. To remove this infection
and any related malware, please use the removal guide below.
Advanced information:
View TDSS, Alureon, or TDL3 Rootkit files.
View TDSS, Alureon, or TDL3 Rootkit Registry Information.
Guide Updates:
03/02/10 - Initial guide creation.
03/05/10 - Updated for new version.
03/25/10 - Updated for minor change.
Automated Removal Instructions for the TDSS, Alureon, or TDL3 Rootkit using TDSSKiller:
1. The first thing you need to do is download TDSSKiller from the following
link and save it to your desktop.
TDSSKiller Download Link - http://support.kaspersky.com/viruses/solutions?qid=208280684
If you are unable to download the file for some reason, then TDSS may be blocking
it. You would then need to download it first on a clean computer and then
transfer it to the infected one using an external drive or USB flash drive.
2. Once the tdsskiller.zip file is on your desktop, we need to extract the files
from the zip file. You can do this by right-clicking on the tdsskiller.zip
file and then selecting the Extract All... menu option as
shown in the image below.
3. At the next screen, keep clicking the Next button until
you see a screen similar to the one below.
Now that the file has finished being extracted, click on the Finish
button.
4. A folder will now open containing two files, including the TDSSKiller.exe
program. Before you can run TDSSKiller, you first need to rename it. To do this,
right-click on TDSSKiller.exe and select Rename. You can now edit the name of
the file; give it a random name with the .com extension, for example 123.com
or 23kjasd123.com.
5. Once the file is renamed, double-click on it to launch it. When
you run the program, Windows may display a warning similar to the image shown
below.
If you receive this warning, please click on the Run button
to allow TDSSKiller to run. If you did not receive this warning, then TDSSKiller
should have started and you can proceed to step 6.
6. TDSSKiller will now scan your computer for known TDSS variants. If one is
found it will state that it has been detected as shown in the image below.
It will then prompt you to type the word delete into the
screen. Type delete and then press enter. TDSSKiller will
now state that it will need to reboot the computer to finish the cleaning
process. When it asks if you are ready to reboot your computer, press the
Y key and press enter on your keyboard.
If it does not detect anything on your computer, and you still think you are
infected, then you can skip the rest of this guide and instead follow the
instructions in this topic.
7. TDSSKiller will now reboot your computer. Once your computer has finished
rebooting, the TDSS infection should no longer be active.
8. I now suggest that you scan your computer using Malwarebytes' Anti-Malware to
remove any traces that may still be present. A tutorial on how to use
Malwarebytes' Anti-Malware can be found here:
Malwarebytes' Anti-Malware Tutorial
If you are still having problems with your computer after completing these instructions, then please follow the steps outlined in the topic linked below:
Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help
Associated TDSS, Alureon, or TDL3 Rootkit Files:
C:\WINDOWS\_VOID<random>\
C:\WINDOWS\_VOID<random>\_VOIDd.sys
C:\WINDOWS\system32\UAC<random>.dll
C:\WINDOWS\system32\uacinit.dll
C:\WINDOWS\system32\UAC<random>.db
C:\WINDOWS\system32\UAC<random>.dat
C:\WINDOWS\system32\uactmp.db
C:\WINDOWS\system32\_VOID<random>.dll
C:\WINDOWS\system32\_VOID<random>.dat
C:\WINDOWS\SYSTEM32\4DW4R3c.dll
C:\WINDOWS\SYSTEM32\4DW4R3sv.dat
C:\WINDOWS\SYSTEM32\4DW4R3<random>.dll
C:\WINDOWS\system32\drivers\_VOID<random>.sys
C:\WINDOWS\system32\drivers\UAC<random>.sys
C:\WINDOWS\SYSTEM32\DRIVERS\4DW4R3.sys
C:\WINDOWS\SYSTEM32\DRIVERS\4DW4R3<random>.sys
C:\WINDOWS\Temp\_VOID<random>tmp
C:\WINDOWS\Temp\UAC<random>.tmp
%Temp%\UAC<random>.tmp
%Temp%\_VOID<random>.tmp
C:\Documents and Settings\All Users\Application Data\_VOIDmainqt.dll
Associated TDSS, Alureon, or TDL3 Rootkit Windows Registry Information:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\_VOIDd.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\_VOID<random>
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UACd.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\4DW4R3
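The file and registry indicators listed above can be turned into a pattern check that a responder runs over a file listing and a service-key listing taken from the suspect machine. The Python below is an added example; it is not part of the original guide and not code from TDSSKiller. It assumes that `<random>` stands for any single name component without a backslash, that `%Temp%` may be any directory named Temp (the per-user temp path depends on the account), and it uses a small constructed listing as input. Because an active TDSS/TDL3 driver hides its own files and service keys from programs running on the infected system, a listing produced while the rootkit is running cannot be trusted; run the check on a listing taken from a clean boot environment, from the disk attached to a clean machine, or after TDSSKiller has removed the driver, to confirm that no leftovers remain.

```python
import re
from typing import Dict, Iterable, List, Pattern, Tuple

# Indicators copied from the guide's file and registry lists above.
# "<random>" marks a name component the rootkit picks at install time.
FILE_INDICATORS = [
    "C:\\WINDOWS\\_VOID<random>\\",  # trailing backslash: a whole directory
    r"C:\WINDOWS\_VOID<random>\_VOIDd.sys",
    r"C:\WINDOWS\system32\UAC<random>.dll",
    r"C:\WINDOWS\system32\uacinit.dll",
    r"C:\WINDOWS\system32\UAC<random>.db",
    r"C:\WINDOWS\system32\UAC<random>.dat",
    r"C:\WINDOWS\system32\uactmp.db",
    r"C:\WINDOWS\system32\_VOID<random>.dll",
    r"C:\WINDOWS\system32\_VOID<random>.dat",
    r"C:\WINDOWS\SYSTEM32\4DW4R3c.dll",
    r"C:\WINDOWS\SYSTEM32\4DW4R3sv.dat",
    r"C:\WINDOWS\SYSTEM32\4DW4R3<random>.dll",
    r"C:\WINDOWS\system32\drivers\_VOID<random>.sys",
    r"C:\WINDOWS\system32\drivers\UAC<random>.sys",
    r"C:\WINDOWS\SYSTEM32\DRIVERS\4DW4R3.sys",
    r"C:\WINDOWS\SYSTEM32\DRIVERS\4DW4R3<random>.sys",
    r"C:\WINDOWS\Temp\_VOID<random>tmp",
    r"C:\WINDOWS\Temp\UAC<random>.tmp",
    r"%Temp%\UAC<random>.tmp",
    r"%Temp%\_VOID<random>.tmp",
    r"C:\Documents and Settings\All Users\Application Data\_VOIDmainqt.dll",
]
REGISTRY_INDICATORS = [
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\_VOIDd.sys",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\_VOID<random>",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UACd.sys",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\4DW4R3",
]


def indicator_to_regex(indicator: str) -> Pattern:
    """Turn one indicator path into an anchored, case-insensitive regex.

    Assumptions (not stated in the guide): "<random>" is any run of characters
    containing no backslash, and "%Temp%" is any directory named Temp.
    Windows paths and registry keys are case-insensitive, hence IGNORECASE.
    """
    literal_parts = [re.escape(part) for part in indicator.split("<random>")]
    body = r"[^\\]+".join(literal_parts)
    body = body.replace(re.escape("%Temp%"), r".+\\Temp")
    # A trailing backslash denotes a directory: match everything beneath it.
    tail = "" if indicator.endswith("\\") else "$"
    return re.compile("^" + body + tail, re.IGNORECASE)


def compile_indicators(indicators: Iterable[str]) -> List[Tuple[str, Pattern]]:
    return [(ind, indicator_to_regex(ind)) for ind in indicators]


def match_indicators(entries: Iterable[str],
                     compiled: List[Tuple[str, Pattern]]) -> Dict[str, List[str]]:
    """Map each listed path or key to the indicators it matches; unmatched entries are omitted."""
    hits: Dict[str, List[str]] = {}
    for entry in entries:
        matched = [ind for ind, rx in compiled if rx.match(entry)]
        if matched:
            hits[entry] = matched
    return hits


def scan(file_listing: Iterable[str], registry_listing: Iterable[str]) -> Dict[str, Dict[str, List[str]]]:
    """Run both indicator sets over the two listings and return the hits per category."""
    return {
        "files": match_indicators(file_listing, compile_indicators(FILE_INDICATORS)),
        "registry": match_indicators(registry_listing, compile_indicators(REGISTRY_INDICATORS)),
    }


# Constructed sample listings (not taken from a real machine).
SAMPLE_FILES = [
    r"C:\WINDOWS\system32\kernel32.dll",
    r"C:\WINDOWS\system32\UACkfjdk.dll",
    r"C:\WINDOWS\system32\drivers\_VOIDqwer.sys",
    r"C:\WINDOWS\SYSTEM32\DRIVERS\4DW4R3.sys",
    r"C:\Documents and Settings\Bob\Local Settings\Temp\UAC1a2b.tmp",
    r"C:\WINDOWS\Temp\notepad.tmp",
]
SAMPLE_REGISTRY = [
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\_VOIDd.sys",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UACd.sys",
]

if __name__ == "__main__":
    for kind, hits in scan(SAMPLE_FILES, SAMPLE_REGISTRY).items():
        for entry, indicators in hits.items():
            print(f"{kind}: {entry}  <-  {', '.join(indicators)}")
```

Feed `scan()` the output of a recursive directory listing and an export of the `Services` key; a single hit on a legitimate-looking name is a reason to re-run TDSSKiller, not proof of infection, since any file whose name happens to start with `UAC` or `_VOID` will also match the wildcard indicators.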