September 5, 2010

TDL3 Variant Removal

Recently I worked on a client’s workstation that had a very interesting “infection”. Google internet searches would be redirected to random company websites and the Microsoft Windows Update website refused to load properly.

The client was running Avast and SpyBot (with Tea-Timer). I turned up the detection level in Avast to show exactly what was being scanned and/or retrieved from the internet. Sure enough, I spotted a variety of strange URLs being retrieved, like “rudolfdisney.com”.

I suspected a hijacker of sorts, that should have been relatively easy to remove. Unfortunately, the computer would NOT boot into Safe mode, making this issue a bit trickier to resolve.

(Note: As soon as we suspected virus activity, the network cable was unplugged and the tools were all run via a USB thumb drive. Connections to the internet were only made to download the tool updates.)

Malwarebytes and Spybot ran completely clean, but the redirects were still happening. My hunch was that it was some sort of rootkit, and I downloaded and ran every free rootkit detector on the market: Sohpos,Mcafee, TrendMicro,Combofix. None of them detected any viruses or rootkits.

It wasn’t until I found a great guide by John at EliteKiller.com (http://www.elitekiller.com/malware.htm), that got me on the right track. He put a fantastic removal kit together called “Rogue Removal Kit” that has all of the latest free remove tools available in one package.

I installed it on the computer and since I had run most of the other tools in the package, I installed the next on the list, Hitman Pro.

The very first scan detected a “variant of TDL3 detected” (rootkit). It was infected on the master boot record (bad stuff), but I had the option to clean if off. It cleaned the system, rebooted, ran another scan automatically and everything was fine. I started Internet Explorer to go to Windows Update and it worked like a charm. Avast did not detect any other URL redirects. Success!

Hitman Pro is definitely going into my toolkit for future fixes.

Summary: I’m happy I was able to remove the rootkit and fix the client’s computer. I’m just shocked that none of the major players in the industry were able to detect the rootkit as easily as HitMan Pro did. They have a great summary on their blog concerning the virus: http://hitmanpro.wordpress.com/2010/01/19/tdl3-rootkit-still-large-issue-for-anti-virus-programs/

Kudos go to John (http://www.elitekiller.com/malware.htm) and HitMan Pro.

If you suspect an infection:
1.)Remove the computer from the network
2.)Run every free-scan tool available to detect and correct the issue
3.)After the infection is cleared up, always run updates on your machine to prevent the infection from re-occuring.

Customer Love

I have had the pleasure of working with Jeremy on several innovative projects. With each experience, I was continually impressed with Jeremy’s ability to interpret requirements, translate them into a technical application, and deliver solutions on time and on budget. On many occasions, Jeremy demonstrated his acumen in researching technical approaches and developing innovative solutions. He is a highly skilled data mining and word press expert. Most impressive is Jeremy’s ability to consult on a wide variety of technologies with ease and ability to speak to the business challenges and solutions in a concise and substantive manner. He has always been a pleasure to work with maintaining a positive demeanor and responsiveness to customer needs. I’m happy to give my highest recommendation to Jeremy

- – Daniel Kerns

Silva Tech Solutions LLC

September 5, 2010

TDL3 Variant Removal

Recent Posts

Google Merchant Security Woes

Magento 2 Homepage 404

Spin-up Fast Local WordPress Development Instances using Ubuntu Multipass

Magento2 – Guest Checkout Credit Card Messages

Coronavirus Will Accelerate World Wide Adoption of Automation Technologies