TDL3 Variant Removal
Recently I worked on a client’s workstation that had a very interesting “infection”. Google internet searches would be redirected to random company websites and the Microsoft Windows Update website refused to load properly.
The client was running Avast and SpyBot (with Tea-Timer). I turned up the detection level in Avast to show exactly what was being scanned and/or retrieved from the internet. Sure enough, I spotted a variety of strange URLs being retrieved, like “rudolfdisney.com”.
I suspected a hijacker of sorts, that should have been relatively easy to remove. Unfortunately, the computer would NOT boot into Safe mode, making this issue a bit trickier to resolve.
(Note: As soon as we suspected virus activity, the network cable was unplugged and the tools were all run via a USB thumb drive. Connections to the internet were only made to download the tool updates.)
Malwarebytes and Spybot ran completely clean, but the redirects were still happening. My hunch was that it was some sort of rootkit, and I downloaded and ran every free rootkit detector on the market: Sohpos,Mcafee, TrendMicro,Combofix. None of them detected any viruses or rootkits.
It wasn’t until I found a great guide by John at EliteKiller.com (http://www.elitekiller.com/malware.htm), that got me on the right track. He put a fantastic removal kit together called “Rogue Removal Kit” that has all of the latest free remove tools available in one package.
I installed it on the computer and since I had run most of the other tools in the package, I installed the next on the list, Hitman Pro.
The very first scan detected a “variant of TDL3 detected” (rootkit). It was infected on the master boot record (bad stuff), but I had the option to clean if off. It cleaned the system, rebooted, ran another scan automatically and everything was fine. I started Internet Explorer to go to Windows Update and it worked like a charm. Avast did not detect any other URL redirects. Success!
Hitman Pro is definitely going into my toolkit for future fixes.
Summary: I’m happy I was able to remove the rootkit and fix the client’s computer. I’m just shocked that none of the major players in the industry were able to detect the rootkit as easily as HitMan Pro did. They have a great summary on their blog concerning the virus: http://hitmanpro.wordpress.com/2010/01/19/tdl3-rootkit-still-large-issue-for-anti-virus-programs/
Kudos go to John (http://www.elitekiller.com/malware.htm) and HitMan Pro.
If you suspect an infection:
1.)Remove the computer from the network
2.)Run every free-scan tool available to detect and correct the issue
3.)After the infection is cleared up, always run updates on your machine to prevent the infection from re-occuring.