Why my Google Searches are Redirected? TDSS Tidserv Win 32 rtk TDL3 Rootkit Virus Removal

October 26, 2010
By admin

Why are my Google searches redirected? How do I fix this Google redirect computer virus that hijacks the Internet Explorer browser? Antivirus programs are not working and the search engine result pages lead to random sites. How can I fix this search redirect virus?

Well, you might be wondering why the hell, when you click a link on a Google search result, you are redirected to a totally different, unrelated, useless, scammy-looking advertising website. What's more, you may get even more frustrated when none of the legitimate antivirus, antimalware and antispyware programs are able to get rid of this Google redirect virus: even after running the scan umpteen times, you still get 'No viruses or spyware detected'.

And you might be wondering why the hell these AV programs don't work for the money you spend on them each year. Yet this Google redirect virus finds its way onto your computer, hides somewhere and can't be detected by any of them. How is that possible in the first place?

Let's get in depth on the Google search redirect virus, aka the internet browser hijacker.

When you click on Google search results and get redirected to a completely different, unrelated, scammy-looking or advertising website, you can be sure that your PC is infected with the TDSS virus.

The TDSS trojan is a rootkit virus.

What is a rootkit virus?

A rootkit virus finds its way onto a computer through some Trojan application and, once installed, takes the privileges of a system administrator. The rootkit hides itself from other processes, which makes it difficult for anti-virus, anti-spyware or anti-malware programs to detect. It also hides its own utility programs.

Rootkits hide the presence of spyware, key loggers, malware and Trojans on computers, which may allow hackers to install backdoors on those computers.

TDSS, Tidserv, Alureon or TDL3 rootkit trojan

Occasionally a new virus appears that is clever enough to completely deceive antivirus programs. TDSS, also known as Alureon (Microsoft), Tidserv (Symantec) or TDL3, is such a sophisticated virus, and it is causing sleepless nights for antivirus researchers.

"TDL3, Win 32 rtk, TDSS or Tidserv is one of the most sophisticated viruses I have seen. The rootkit is just piggybacking on a standard driver to avoid detection by anti virus programs," said an antivirus programmer.

TDSS, TDL3, Tidserv and Alureon are the signature names of this rootkit virus; your antivirus detects it under one of these names but most of the time cannot do anything about it. Here is the complete list of warnings issued by various antivirus programs upon scanning a PC infected with the Google redirect virus:

Packed.Win32.TDSS, Rootkit.Win32.TDSS (Kaspersky Lab)
Mal/TDSSPack, Mal/TDSSPk (Sophos)
Trojan:Win32/Alureon (Microsoft)
Packed.Win32.Tdss (Ikarus)
W32.Tidserv, Backdoor.Tidserv (Symantec)
Trojan.TDSS (MalwareBytes)
Backdoor:W32/TDSS (F-Secure)
BKDR_TDSS (Trend Micro)
Rootkit.TDss (BitDefender)
Generic Rootkit.d (McAfee)

How does TDL3, Win 32 rtk, TDSS or Tidserv work?

TDL3 (Win 32 rtk, TDSS, Tidserv) first registers itself as a print processor. The printer subsystem (spoolsv.exe), which runs with administrative rights, loads this print processor. Virus scanners that monitor the behaviour of processes are not alarmed, because the printer subsystem is a trusted part of Microsoft Windows. As a print processor, TDL3 now has full system access rights and infects the low-level system driver responsible for communication with the hard drive. When virus scanners want to check this driver they are shown the original file, so they are unable to recognise the infection.

TDL3 places an encrypted file system on top of the standard file system, in the last sectors of the hard drive. The encryption ensures that these files cannot be read directly from disk, which keeps them out of reach of anti virus programs. The encrypted file system is used to store other threats downloaded from the Internet. "It is like a hotel", says Mark Loman. "Other virus writers can book a room in this 'TDL3-hotel' and use it to hide their virus from anti virus programs".
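Because the post explains that the rootkit gets loaded by registering itself as a print processor that spoolsv.exe then loads with system rights, a defender's first check is to enumerate that registration and compare it with the Windows default. The script below is an added example, not code from the original post or from any of the tools it names: it parses the text of a `reg export` of the Print Processors key (taken from a live system or from an offline SYSTEM hive) rather than touching the registry, so it runs on any platform. The baseline of legitimate processor names and DLLs, and the sample export, are assumptions constructed for this example.

```python
"""Audit print processors found in a .reg export of the Print Processors key.

Added example; the BASELINE below is an assumption for this example, not a
statement of what the original post or any vendor documents as authoritative.
"""
import re
import sys

# Assumed baseline: the stock Windows print processor and the DLLs that have
# implemented it in different Windows versions.
BASELINE = {"winprint": {"localspl.dll", "winprint.dll"}}

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: data}}.

    REG_SZ values (written as "name"="data") are unescaped; other value types
    are kept as their raw text so nothing is silently dropped.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            data = m.group("data")
            if data.startswith('"') and data.endswith('"'):
                # .reg files escape quotes and backslashes inside REG_SZ data.
                data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            keys[current][m.group("name")] = data
    return keys


def audit_print_processors(reg_text):
    """Return (environment, processor, driver, reason) for each suspicious entry."""
    findings = []
    for key, values in parse_reg(reg_text).items():
        parts = key.split("\\")
        if "Print Processors" not in parts:
            continue
        idx = parts.index("Print Processors")
        if idx + 1 >= len(parts):
            continue  # the container key itself, not a processor
        environment, name = parts[idx - 1], parts[idx + 1]
        driver = values.get("Driver")
        if driver is None:
            reason = "no Driver value"
        elif "\\" in driver or "/" in driver or ":" in driver:
            # A print processor is loaded from the spooler's prtprocs directory
            # by bare file name; a full path is not a normal registration.
            reason = "Driver is a path rather than a bare DLL name"
        elif name.lower() not in BASELINE:
            reason = "print processor not in baseline"
        elif driver.lower() not in BASELINE[name.lower()]:
            reason = "baseline processor points at an unexpected DLL"
        else:
            continue
        findings.append((environment, name, driver, reason))
    return findings


# Constructed sample export: one stock entry and two entries shaped like a
# rogue registration (the names pp_example / pp_example.dll are made up).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows NT x86\Print Processors]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows NT x86\Print Processors\winprint]
"Driver"="localspl.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows NT x86\Print Processors\pp_example]
"Driver"="pp_example.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors\winprint]
"Driver"="C:\\Windows\\Temp\\pp_example.dll"
"""

if __name__ == "__main__":
    # reg export writes UTF-16 with a BOM; Python's "utf-16" codec handles it.
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_REG
    for env, name, driver, reason in audit_print_processors(text):
        print(f"[{env}] {name} -> {driver}: {reason}")
```

Run it with the path of an export as the only argument, or with no arguments to see it flag the two constructed rogue entries while passing the stock winprint one. On a live infected machine the rootkit may filter what the registry APIs return, which is why the example reads an export rather than querying the hive in place.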

How does the TDL3, Win 32 rtk, TDSS or Tidserv rootkit hide its presence from antivirus programs?

The TDL3 (Win 32 rtk, TDSS, Tidserv) infection arrives via the usual dropper, spread through peer-to-peer networks or crack and keygen websites, and it needs administrator privileges to run its payload. If User Account Control (UAC) is disabled or the user voluntarily grants admin permissions, the infection can run even on Windows Vista and Windows 7. This is likely to be the usual scenario: a user looking for a specific crack doesn't mind when UAC warns him and grants admin privileges to the wanted crack.

When run, the infection uses a technique similar to the MBR rootkit: all kernel-mode and user-mode components are stored in the last sectors of the hard drive, outside the file system. There they appear to be nothing but raw bytes, bypassing every security check. The TDSS rootkit takes this trick to a more advanced level by encoding its components before they are written to disk.

The TDL3 (Win 32 rtk, TDSS, Tidserv) rootkit creates a fake driver object and its associated device object, and hijacks every disk I/O communication at the point in the driver chain where the infected driver sits (the infected driver may be atapi.sys or iastor.sys, for example).

When it intercepts I/O from a targeted process, it injects its user-mode components, tdlwsp.dll and tdlcmd.dll, into that process. The TDSS rootkit is indeed a really worrying infection: it is in the wild and spreading quickly without being intercepted and detected by almost anyone. Some antiviruses may throw up a warning about the presence of tdlcmd.dll or tdlwsp.dll without being able to do anything about it.

How to find out if your PC is infected with the TDL3, Win 32 rtk, TDSS or Tidserv rootkit trojan

You may suspect that your computer is infected with TDSS malware if you encounter at least one of the following symptoms:

• Internet Explorer is hijacked.
• Google search result links redirect to totally unrelated or harmful sites that host malicious software or display misleading advertisements, pop-ups, etc.
• You can't access security-related websites. This method is used by nearly all widespread malware to protect itself from being removed.
• You can't launch antivirus and antispyware programs. The TDSS TDL3 rootkit blocks security software for an obvious reason. Note that it may block other software too, not only security-related programs.
• Certain Windows system tools are disabled: Task Manager, Registry Editor and System Restore.

How to remove TDL3, Win 32 rtk, TDSS or Tidserv

The number of infected computers is growing quickly. The latest guest of the TDL3-hotel redirects search engine results to malicious websites, so many people refer to this as the Google Redirect Virus. Only a few anti virus programs detect a TDL3 (Win 32 rtk, TDSS, Tidserv) infection, and the number of anti virus programs that can remove the infection is nearly zero.

But there are a few special free Google redirect virus removal tools from antivirus vendors:

  • Win32/Olmarik Removal Tool by ESET
  • Hitman Pro by SurfRight
  • TDSSKiller by Kaspersky Lab
  • Windows Malicious Software Removal Tool by Microsoft
  • BlackLight by F-Secure
  • Stinger by McAfee
  • CureIt! by Dr.Web. An alternative download location is CNET.com. Update the tool before scanning so that it has the latest detection updates.

Manual Removal Instructions:

Step 1. Check your hosts file for malicious entries.
The hosts file resides at C:\Windows\System32\drivers\etc\hosts

If you see additional lines of IPs and hostnames, you should delete them, especially if they rewrite Google or Microsoft subdomains.

Before editing, back up the current HOSTS file. Delete every line from the hosts file except "127.0.0.1 localhost"; the other entries you see there are malicious and need to be removed. (This is also why IE is unable to connect: the HOSTS file blocks a huge list of websites, and you get the warning "The page cannot be displayed".)

Step 2. Check your DNS (Domain Name System) settings
1. Go to Control Panel -> Network Connections and select your local network.
2. Right-click your local network icon and select Properties.
3. A window will open; select Internet Protocol (TCP/IP) and click Properties.
4. You will see a window like the one below, the Internet Protocol window. Select "Obtain an IP address automatically" and "Obtain DNS server address automatically".
5. Click OK to save the changes.

Step 3. Check your proxy settings in Internet Explorer
1. Launch Internet Explorer.
2. Go to Tools -> Internet Options, Connections tab, and press LAN Settings.
3. Unselect everything, or enter the parameters given to you by your system administrator.
4. Press OK.
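Step 1 above asks you to read the hosts file by eye and delete everything except the localhost line. The script below is an added example, not code from the original post, that does that triage for you: it classifies each entry as a default loopback line to keep, a Google or Microsoft subdomain rewritten to a foreign address (the redirect), a security vendor's site pinned to loopback or 0.0.0.0 (the block that stops removal tools from updating), or an unexplained entry, and it can emit the cleaned file. It also keeps the IPv6 "::1 localhost" line that newer Windows versions ship with; that choice, the vendor domain list and the sample hosts content are assumptions made for this example.

```python
"""Triage a Windows hosts file for redirect and blocking entries.

Added example; the domain lists below are assumptions for this example, not
lists taken from the original post.
"""
import ipaddress
import sys
from collections import Counter
from dataclasses import dataclass

DEFAULT_HOSTS = {"localhost", "localhost.localdomain", "broadcasthost"}
# Domains the post says get rewritten by the redirect virus.
REDIRECT_TARGETS = ("google.com", "google.co.uk", "bing.com", "microsoft.com", "live.com")
# Security vendors whose sites the post says become unreachable (assumed list).
SECURITY_DOMAINS = ("kaspersky.com", "symantec.com", "sophos.com", "mcafee.com",
                    "malwarebytes.org", "f-secure.com", "eset.com", "drweb.com",
                    "trendmicro.com", "bitdefender.com", "surfright.nl",
                    "windowsupdate.com")


@dataclass
class Finding:
    line_no: int
    ip: str
    host: str
    verdict: str  # keep | redirect | blocked | suspect | malformed


def _is_sink(ip):
    """Loopback or 0.0.0.0: traffic for the name goes nowhere."""
    return ip.is_loopback or ip.is_unspecified


def _matches(host, domains):
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def triage_hosts(text):
    """Classify every IP/hostname pair in a hosts file."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            findings.append(Finding(n, parts[0], " ".join(parts[1:]), "malformed"))
            continue
        if len(parts) == 1:
            findings.append(Finding(n, parts[0], "", "malformed"))
            continue
        for host in parts[1:]:
            if host.lower() in DEFAULT_HOSTS and _is_sink(ip):
                verdict = "keep"
            elif _matches(host, REDIRECT_TARGETS) and not _is_sink(ip):
                verdict = "redirect"  # search/vendor name sent to a foreign address
            elif _matches(host, REDIRECT_TARGETS + SECURITY_DOMAINS) and _is_sink(ip):
                verdict = "blocked"   # site made unreachable
            else:
                verdict = "suspect"   # not default, not explained: remove per Step 1
            findings.append(Finding(n, parts[0], host, verdict))
    return findings


def summarize(findings):
    """Count findings per verdict."""
    return dict(Counter(f.verdict for f in findings))


def clean_hosts(text):
    """Return the hosts file with only comments and default loopback lines kept."""
    verdicts = {}
    for f in triage_hosts(text):
        verdicts.setdefault(f.line_no, set()).add(f.verdict)
    kept = [raw for n, raw in enumerate(text.splitlines(), 1)
            if verdicts.get(n, {"keep"}) == {"keep"}]
    return "\n".join(kept) + "\n"


# Constructed sample: two comment lines, the two loopback lines, and entries of
# the kinds the post describes (198.51.100.23 is a documentation-only address).
SAMPLE_HOSTS = """\
# constructed sample hosts file for this example
# (not taken from any real machine)
127.0.0.1       localhost
::1             localhost
127.0.0.1\twww.google.com
127.0.0.1 kaspersky.com www.kaspersky.com
0.0.0.0 update.microsoft.com
198.51.100.23   www.google.com   # search results rewritten
198.51.100.23   safesearch.google.co.uk
0.0.0.0 a.example.net
not-an-ip foo.example
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    for f in triage_hosts(text):
        print(f"line {f.line_no:3}: {f.verdict:9} {f.ip} {f.host}")
    print(summarize(triage_hosts(text)))
```

Point it at a copy of the hosts file (take the backup first, as Step 1 says) and review the "suspect" lines by hand before writing `clean_hosts()` output back; the classification is only as good as the domain lists, so an entry it cannot explain is reported rather than silently kept.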

TDSS, Alureon, or TDL3 Rootkit Files:

C:\WINDOWS\_VOID
C:\WINDOWS\_VOID\_VOIDd.sys
C:\WINDOWS\system32\UAC.dll
C:\WINDOWS\system32\uacinit.dll
C:\WINDOWS\system32\UAC.db
C:\WINDOWS\system32\UAC.dat
C:\WINDOWS\system32\uactmp.db
C:\WINDOWS\system32\_VOID.dll
C:\WINDOWS\system32\_VOID.dat
C:\WINDOWS\SYSTEM32\4DW4R3c.dll
C:\WINDOWS\SYSTEM32\4DW4R3sv.dat
C:\WINDOWS\SYSTEM32\4DW4R3.dll
C:\WINDOWS\system32\drivers\_VOID.sys
C:\WINDOWS\system32\drivers\UAC.sys
C:\WINDOWS\SYSTEM32\DRIVERS\4DW4R3.sys
C:\WINDOWS\Temp\_VOIDtmp
C:\WINDOWS\Temp\UAC.tmp
%Temp%\UAC.tmp
%Temp%\_VOID.tmp
C:\Documents and Settings\All Users\Application Data\_VOIDmainqt.dll

TDSS, Alureon, or TDL3 Rootkit Windows Registry Information:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\_VOIDd.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\_VOID
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UACd.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\4DW4R3

Even though the Google redirect removal tools above may remove the TDSS rootkit trojan, they may not fix the damage the rootkit has caused. Even after you run AV programs, rkill, combofix, gmer, antimalware etc., you might notice your system sound not working (corrupted device driver), iTunes not working (corrupted file and folder permissions), a slow internet connection and so on, because the tool only removes the corrupted entries; it does not fix or replace what should be there. This is why you need a powerful repair tool like Reimage: http://reimagepcrepair.com.

Reimage works by comparing each and every OS system file with the correct files from a web repository of 25 million Windows components. (Since Reimage compares against the correct file, it can easily find even a hiding rootkit; in fact this is what a rootkit remover does: it dumps a list of files from your hard disk drive and compares it with the list from the recovery console in order to find a hiding virus.) This is the sole reason you can get a PC as good as new once you run Reimage; all other antivirus and antimalware programs just delete the virus but don't correct the damage, which results in re-infection and a slow-performing PC.

Reimage first scans your computer thoroughly: all the files, folders, registry keys and values, drivers, software and stacks, and then either repairs or removes what should not be there. But that is not all it does. They have an enormous web repository of applications, drivers, system objects, etc. against which they compare your PC's files and, if corrupted, replace them with healthy ones.

Visit Reimage to fix the Google Redirect Virus and repair altered OS files, folders and permissions.
