Welcome Guest (Log In | Create Account)
New Member? Join for free.

How to remove Google Redirects or the TDSS, TDL3, or Alureon rootkit using TDSSKiller

By on March 2, 2010 @ 05:20 PM | Last Updated: November 16, 2010 | Read 1,223,381 times.
  • Print this page

TDSS, or TDL3, is the name of a family of rootkits for the Windows operating system that downloads and execute other malware, delivers advertisements to your computer, and block programs from running. This rootkit infects your computer in various ways that include replacing hard disk drivers with malicious versions. Once a computer is infected, TDSS will be invisible to Windows and anti-malware programs while downloading and executing further malware and delivering advertisements to your computer. This particular infections is detected under various names depending on the particular anti-virus vendor. A list of vendors and their detection names for TDSS can be found below.

 

Definition Name
Anti-virus Vendor
Packed.Win32.TDSS, Rootkit.Win32.TDSS Kaspersky Lab
Mal/TDSSPack, Mal/TDSSPk Sophos
Trojan:Win32/Alureon Microsoft
Packed.Win32.Tdss Ikarus
W32.Tidserv, Backdoor.Tidserv Symantec
Trojan.TDSS MalwareBytes’
Backdoor:W32/TDSS F-Secure
BKDR_TDSS Trend Micro
Rootkit.TDss BitDefender
Generic Rootkit.d McAfee

 

While infected, the files and services associated with TDSS will be invisible, but there are symptoms that the TDSS infection may display. These symptoms include:

  • Google search result links will be redirected to unrelated sites. When you search through Google and click on one of the search results, instead of going to the correct page you will instead be redirected to an advertisement. It should be noted that some of the domains you are redirected to are legitimate companies, but that may have affiliates that promote their products in a dubious manner.

  • The inability to run various programs. When you attempt to run certain programs, you will not receive an error, but they simply will not start. TDSS has a configuration setting called disallowed that contains a large list of programs that it will not allow to execute. It does this so that you cannot launch anti-virus and anti-malware programs that may help you remove this infection.

  • The inability to access various sites. For example, at the time of this writing TDSS is blocking access to BleepingComputer.com as well as other computer help and security sites.

  • Web browsing is slower than normal. When starting your web browser or browsing the web, you may find that web pages load slower.

As you can see, the TDSS rootkit is an intrusive infection that takes over your machine and is very difficult to remove. Thankfully, Kaspersky Labs has released a tool called TDSSKiller that can be used to remove most variants of TDSS from your computer. We do, though, need to perform some steps in order to get the program to work. These steps are described in the removal guide below.

 

Threat Classification:

 

Advanced information:

View TDSS, Alureon, or TDL3 Rootkit files.
View TDSS, Alureon, or TDL3 Rootkit Registry Information.

 

Tools Needed for this fix:

 

Guide Updates:

03/02/10 - Initial guide creation.
03/05/10 - Updated for new version.
03/25/10 - Updated for minor change.
07/29/10 - Updated for change to a GUI interface.
11/16/10 - Updated instructions.

 


Automated Removal Instructions for the TDSS, Alureon, or TDL3 Rootkit using TDSSKiller:

 

  1. The first thing you need to do is download tdsskiller from the following link and save it to your desktop.

    TDSSKiller Download Link - http://www.bleepingcomputer.com/download/tdsskiller/
    When you get to the above page, please click on the Download EXE button to download the file. If you are unable to download the file for some reason, then TDSS may be blocking it. You would then need to download it first to a clean computer and then transfer it to the infected one using an external drive or USB flash drive.

    Once the file has completed downloading, you should now have the TDSSKiller icon on your desktop as shown below.


    TDSSKiller icon


  2. Before you can run TDSSKiller, you first need to rename it so that you can get it to run. To do this, right-click on the TDSSKiller.exe icon that should now be on your Desktop and select Rename. You can now edit the name of the file and should name it a random name with the .com extension. For example, 123.com or 23kjasd123.com. If a random name does not work, please try renaming it as iexplore.com and attempt to run it again.


  3. Once the file is renamed, you should double-click on it to launch it. When you run the program, Windows may display a warning similar to the image shown below.


    Run warning


    If you receive this warning, please click on the Run button to allow TDSSKiller to run. If you did not receive this warning, then TDSSKiller should have started and you can proceed to step 6.

  4. TDSSKiller will now start and display the welcome screen as shown below.


    TDSSKiller welcome screen


    At this screen click on the Start scan button to have TDSSKiller scan your computer for the TDSS infection.

  5. TDSSKiller will now scan your computer for the TDSS infection. When the scan has finished it will display a result screen stating whether or not the infection was found on your computer. If it was found it will display a screen similar to the one below.


    TDSS Infection Found


    To remove the infection simply click on the Continue button and TDSSKiller will attempt to clean the infection. If it does not say Cure, leave it at the default action of Skip and press the Continue button. Do not change it to Delete or Quarantine as it may delete infected files that are required for Windows to operate properly.

  6. When it has finished cleaning the infection you will see a report stating whether or not it was successful as shown below.


    Scan completed


    As you can see from the above screen, TDSSKiller was able to clean the TDSS infection, but requires a reboot to finish the cleaning process. Click on the Reboot now button to reboot your computer and finish the removal of the TDSS infection from your computer.

  7. I now suggest that you scan your computer using MalwareBytes' to remove any traces that may still be present. A tutorial on how to use MalwareBytes' can be found here:

    MalwareBytes' Anti-Malware Tutorial

  8. If TDSSKiller was unable to remove the TDSS infection, even though it detected it but was unable to cure it, then you should follow the steps here to request assistance from one of our malware removal experts:

    Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help

If you are still having problems with your computer after completing these instructions, then please follow the steps outlined in the topic linked below:

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help

 


 

Associated TDSS, Alureon, or TDL3 Rootkit Files:

C:\WINDOWS\_VOID<random>\
C:\WINDOWS\_VOID<random>\_VOIDd.sys
C:\WINDOWS\system32\UAC<random>.dll
C:\WINDOWS\system32\uacinit.dll
C:\WINDOWS\system32\UAC<random>.db
C:\WINDOWS\system32\UAC<random>.dat
C:\WINDOWS\system32\uactmp.db
C:\WINDOWS\system32\_VOID<random>.dll
C:\WINDOWS\system32\_VOID<random>.dat
C:\WINDOWS\SYSTEM32\4DW4R3c.dll
C:\WINDOWS\SYSTEM32\4DW4R3sv.dat
C:\WINDOWS\SYSTEM32\4DW4R3<random>.dll
C:\WINDOWS\system32\drivers\_VOID<random>.sys
C:\WINDOWS\system32\drivers\UAC<random>.sys
C:\WINDOWS\SYSTEM32\DRIVERS\4DW4R3.sys
C:\WINDOWS\SYSTEM32\DRIVERS\4DW4R3<random>.sys
C:\WINDOWS\Temp\_VOID<random>tmp
C:\WINDOWS\Temp\UAC<random>.tmp
%Temp%\UAC<random>.tmp
%Temp%\_VOID<random>.tmp
C:\Documents and Settings\All Users\Application Data\_VOIDmainqt.dll

File Location Notes:

%Temp% refers to the Windows Temp folder. By default, this is C:\Windows\Temp for Windows 95/98/ME, C:\DOCUMENTS AND SETTINGS\<Current User>\LOCAL SETTINGS\Temp for Windows 2000/XP, and C:\Users\<Current User>\AppData\Local\Temp in Windows Vista, Windows 7, and Windows 8.

 

Associated TDSS, Alureon, or TDL3 Rootkit Windows Registry Information:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\_VOIDd.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\_VOID<random>
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UACd.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\4DW4R3

 


 

This is a self-help guide. Use at your own risk.

BleepingComputer.com can not be held responsible for problems that may occur by using this information. If you would like help with any of these fixes, you can ask for malware removal assistance in our Virus, Trojan, Spyware, and Malware Removal Logs forum.

If you have any questions about this self-help guide then please post those questions in our Am I infected? What do I do? and someone will help you.


Advertise   |   About Us   |   User Agreement   |   Privacy Policy   |   Contact Us   |   Sitemap   |   Chat   |   Tutorials   |   Uninstall List
Tech Support Forums   |   The Computer Glossary   |   RSS Feeds   |   Startups   |   The File Database   |   Virus Removal Guides   |   Downloads


© 2003-2014 All Rights Reserved Bleeping Computer LLC.
Site Changelog