A recent incident with Malware on a client machine showed the tenacity of this particular variant. The client knew they had done something wrong when they ran the source program. They had been expecting something but not this. After using the usual tools MSE (Microsoft Security Essentials) , Malwarebytes and Spybot and a side order or autoruns and Hijackthis – I still had a lingering feeling that something else was still at play. I decided to call in a hitman – not for the client – for the malware in the form of Hitman Pro which you can get here.
The tool bills itself as a Second Opinion malware scanner – which is really what it is but with an added advantage that it seems to plug some of the gaps in the other applications. I had used Microsoft and Sophos’ rootkit detectors but neither came up with anything – so when Hitman pro flagged up something I felt confident that we were getting somewhere.
One of the characteristics of this was google bringing up wrong sites when searched for. So after a bit of research I had been fairly confident we were dealing with a rootkit known as TDSS or TDL3.
Summarising TDSS from BleepingComputer (That article has alternative instructions for removing the rootkit)
TDSS, or TDL3, is the name of a family of rootkits for the Windows operating system that downloads and execute other malware, delivers advertisements to your computer, and block programs from running. This rootkit infects your computer in various ways that include replacing hard disk drivers with malicious versions. Once a computer is infected, TDSS will be invisible to Windows and anti-malware programs while downloading and executing further malware and delivering advertisements to your computer. This particular infections is detected under various names depending on the particular anti-virus vendor. A list of vendors and their detection names for TDSS can be found below.
Packed.Win32.TDSS, Rootkit.Win32.TDSS Kaspersky Lab Mal/TDSSPack, Mal/TDSSPk Sophos Trojan:Win32/Alureon Microsoft Packed.Win32.Tdss Ikarus W32.Tidserv, Backdoor.Tidserv Symantec Trojan.TDSS MalwareBytes’ Backdoor:W32/TDSS F-Secure BKDR_TDSS Trend Micro Rootkit.TDss BitDefender Generic Rootkit.d McAfee
While infected, the files and services associated with TDSS will be invisible, but there are symptoms that the TDSS infection may display. These symptoms include:
- Google search result links will be redirected to unrelated sites. When you search through Google and click on one of the search results, instead of going to the correct page you will instead be redirected to an advertisement. It should be noted that some of the domains you are redirected to are legitimate companies, but that may have affiliates that promote their products in a dubious manner.
- The inability to run various programs. When you attempt to run certain programs, you will not receive an error, but they simply will not start. TDSS has a configuration setting called disallowed that contains a large list of programs that it will not allow to execute. It does this so that you cannot launch anti-virus and anti-malware programs that may help you remove this infection.
- The inability to access various sites. For example, at the time of this writing TDSS is blocking access to BleepingComputer.com as well as other computer help and security sites.
- Web browsing is slower than normal. When starting your web browser or browsing the web, you may find that web pages load slower.
As you can see, the TDSS rootkit is an intrusive infection that takes over your machine and is very difficult to remove. Thankfully, Kaspersky Labs has released a tool called TDSSKiller that can be used to remove most variants of TDSS from your computer.
So Hitman Pro – in the authors words …
Research shows that computers are still run a chance of getting infected because the existing anti virus program is not giving you a 100% protection. “32% of computers infected, despite presence of anti virus program.” Read more…
Just relying on a single vendor is not sufficient to completely protect you. You do need a second source to make sure you are secure. But in most cases, installing a second anti virus program is not a viable solution. Two programs are effecting the performance of the computer dramatically, and sometimes even conflict causing the computer to crash.
Hitman Pro is designed to work alongside existing security programs without any conflicts. It scans the computer quickly (less than 5 minutes) and does not slow down the computer (except for the few minutes it is scanning). Hitman Pro does not need to be installed. It can be run straight from a USB flash drive, a CD/DVD, local or network attached hard drive.
Hitman Pro offers you a Free Scan for a second opinion. It is designed to check if your security measures work. If nothing is found (and we sincerely hope so), then you will never need a license. When a virus is found, then you will receive a free 30-day license to remove the threat.