Browser Redirects, TDSS Rootkits and Malware
Posted Under: Browser Hijack, Free PC Security, Rootkits, Search Redirects
Modern malware tends to download several TDSS Rootkits, redirect browsers, and disable security programs and Task Manager.
The days of renaming .exe files and cleaning Hosts Files are behind us as malware becomes more dangerous in its approach. Yet many users continue to download rogue programs, and others are installed later, after the user visits an infected site and is hit by a 'drive-by' download which installs a Trojan Downloader.
There are many ways to avoid falling victim to these parasites which I will cover another time.
One particularly nasty rogue program I covered previously, Defense Center, installed 9 TDSS Rootkits, although I have also seen other variants which have installed 27 TDSS Rootkits!
So you get the usual round of popups, your searches are redirected and your Task Manager is disabled - all bad news. But all is not lost.
I did try Hitman Pro, which found many problems but on reboot they were still there and Task Manager was still disabled.
So the first step was to download RKill. I use the .com version, but you may find that it won't run, so try another. Also note that in some instances it may take several attempts for it to open the Command Window, so don't give up; alternatively, try it in Safe Mode with Networking, although normal boot mode is preferred.
Simply open a browser and search for RKill as shown in the video. The browser may be redirected, but by using the back button you will eventually arrive at the site.
Run the program and allow it to kill known malware processes and import a registry file which re-enables many applications that were blocked. It will kill explorer.exe as it does this; your desktop will disappear briefly and reload when RKill has finished.
Always download a new copy as the program is frequently updated.
Follow this up by cleaning your Temp Files; the easiest way to do this is to run CCleaner. Run it repeatedly until it reports '0 bytes removed'. Again, follow the instructions in the video.
Frequently, you will find that this stops the browser redirects for the time being, but you're not finished yet!
Malwarebytes will crash after completing its scan at this stage, so download, install and update SuperAntiSpyware (or use the Portable version and update it), then perform a Quick Scan. Allow the program to remove ALL infections found and then follow the prompts to reboot.
At this point, you should have Task Manager back and working normally.
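Before moving on, it is worth confirming that the policy value which malware sets to block Task Manager really has been cleared, rather than relying on the desktop behaving. The script below is an added example, not part of the original article or of RKill; it only reads the registry and changes nothing. It assumes Windows XP, Vista or 7 with PowerShell 2.0 installed, run as administrator so that both the per-user and the machine-wide policy keys are readable. The key path and the DisableTaskMgr value are the standard Windows policy location; the function name Test-TaskManagerPolicy is the example's own.

```powershell
# Added example (not from the original post or from RKill): read-only check that
# the Group Policy value used to disable Task Manager is clear.
# Assumes Windows XP/Vista/7 with PowerShell 2.0, run as administrator.

function Test-TaskManagerPolicy {
    # A DWORD DisableTaskMgr = 1 under either of these keys disables Task Manager.
    $policyKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    )

    foreach ($key in $policyKeys) {
        $value = $null
        if (Test-Path $key) {
            # Absent value -> $null (SilentlyContinue swallows the "property not found" error)
            $value = (Get-ItemProperty -Path $key -Name DisableTaskMgr -ErrorAction SilentlyContinue).DisableTaskMgr
        }
        New-Object PSObject -Property @{
            Key            = $key
            DisableTaskMgr = $value      # $null means the value is not present
            Blocked        = ($value -eq 1)
        }
    }
}

$results = Test-TaskManagerPolicy
$results | Format-Table Key, DisableTaskMgr, Blocked -AutoSize

if ($results | Where-Object { $_.Blocked }) {
    Write-Warning 'Task Manager is still disabled by policy; re-run RKill and rescan before continuing.'
} else {
    Write-Host 'Task Manager is not blocked by policy.'
}
```

If the value is present but set to 0, Task Manager works and the row shows Blocked as False; a value of 1 under either hive is what the "Task Manager has been disabled by your administrator" message corresponds to, and means the clean-up has not yet taken hold.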
Run TDSSKiller and, when the scan is complete, press 'Y' on the keyboard to reboot. Run TDSSKiller again to ensure no more rootkits are found.
Perform a Quick Scan with Malwarebytes Anti-Malware after updating the program (if you don't have it installed, you should). Keep both it and SuperAntiSpyware so that you can use them as on-demand scanners.
When the scan has completed, follow the prompts to remove all infections found and reboot. Follow this up by cleaning the Temp Files again with CCleaner to ensure all traces are removed. Finally, purge the System Restore Points; details are below.
Clear the DNS Cache:
Windows XP - Start Menu > Run, type in cmd and press Enter. A Command window will open; type in ipconfig /flushdns and press Enter.
Vista and Windows 7 - Start > All Programs > Accessories > Command Prompt, right-click and choose Run as administrator. A Command window will open; type in ipconfig /flushdns and press Enter.
RKill links are LIVE links - instant download
RKill.com Download Link
RKill.exe Download Link
RKill.scr Download Link
eXplorer.exe Download Link
iExplore.exe Download Link
If RKill won't download try exeHelper which is very similar to RKill - thanks to Sly_Old_Mole for the links:
These links are LIVE links - instant download
exeHelper.com
exeHelper.scr
TDSSKiller
CCleaner
SuperAntiSpyware
Malwarebytes Anti-Malware
Hitman Pro
Process Explorer from Sysinternals - When Task Manager is disabled this will run and is a far better tool.
All of these tools MUST be run as administrator if you are running Windows 7 or Vista.
Purge System Restore Points:
Windows XP:
Click Start, right-click My Computer, and then click Properties.
In the System Properties dialog box, click the System Restore tab.
Click to select the Turn off System Restore check box. Or, click to select the Turn off System Restore on all drives check box.
Click OK.
When you receive the following message, click Yes to confirm that you want to turn off System Restore:
'You have chosen to turn off System Restore. If you continue, all existing restore points will be deleted, and you will not be able to track or undo changes to your computer.'
Create a new Restore Point:
Click Start, right-click My Computer, and then click Properties.
In the System Properties dialog box, click the System Restore tab.
Click to clear the Turn off System Restore check box. Or, click to clear the Turn off System Restore on all drives check box.
Click OK.
Windows Vista:
Go to Start > Control Panel > Backup and Restore Center.
On the left, select 'Create a restore point or change settings'.
In the window that opens, select the 'System Protection' tab.
Each available disk which is listed has a checkbox alongside it. Untick each of these checkboxes.
A new window will be displayed, select 'Turn System Restore Off'.
This disables System Restore, you should then immediately re-enable it.
Reselect all the listed drives, click 'OK' and restart the computer.
Windows 7:
Go to Control Panel > System.
Click on System Protection on the left.
A new window will open, click the (C:) Drive to highlight it then click 'Configure'.
Click Delete, then click OK.
Click Create, give a description and click Create. Click OK and close the Control Panel windows.
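The same purge-and-recreate cycle can be scripted, which is handy when cleaning several machines. The script below is an added example, not part of the original article; it assumes Windows 7 (or Vista with PowerShell 2.0 installed) with the system on C:, run from an elevated PowerShell prompt. It uses only the built-in System Restore cmdlets (Get-ComputerRestorePoint, Disable-ComputerRestore, Enable-ComputerRestore, Checkpoint-Computer); the helper Get-RestorePointSummary and the restore point description are the example's own.

```powershell
# Added example (not from the original post): scripted equivalent of the Vista /
# Windows 7 "Purge System Restore Points" steps above.
# Assumes Windows 7 or Vista with PowerShell 2.0, system drive C:, run as administrator.
# Turning System Restore off for a drive deletes that drive's restore points, which is
# the point of the exercise: infected files saved inside old restore points would
# otherwise survive the clean-up and could be restored later.

$drive = 'C:\'   # assumption: the system drive

function Get-RestorePointSummary {
    # Get-ComputerRestorePoint returns nothing (not an error) when no points exist.
    $points = @(Get-ComputerRestorePoint -ErrorAction SilentlyContinue)
    foreach ($p in $points) {
        New-Object PSObject -Property @{
            SequenceNumber = $p.SequenceNumber
            Description    = $p.Description
            # CreationTime is a WMI (DMTF) timestamp string; convert it to a DateTime
            Created        = [Management.ManagementDateTimeConverter]::ToDateTime($p.CreationTime)
        }
    }
}

Write-Host 'Restore points before purge:'
Get-RestorePointSummary | Format-Table SequenceNumber, Created, Description -AutoSize

# Step 1: turn System Restore off for the system drive; its existing points are removed.
Disable-ComputerRestore -Drive $drive

# Step 2: turn it straight back on, as the article says to do.
Enable-ComputerRestore -Drive $drive

# Step 3: create a fresh, clean restore point to replace the purged ones.
Checkpoint-Computer -Description 'Clean after malware removal' -RestorePointType MODIFY_SETTINGS

Write-Host 'Restore points after purge:'
Get-RestorePointSummary | Format-Table SequenceNumber, Created, Description -AutoSize
```

Run it only after the final scans and the second CCleaner pass, as the article orders the steps, so that the single restore point left behind is one taken from a clean system.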
Reader Comments
Malware removal just gets harder and harder, another vote for regular image backups as covered elsewhere. Two birds one stone, a backup and potential Malware removal tool.
As Admin has mentioned, with drive-by downloads users may not necessarily have installed the malware themselves, just visited a rogue website.
As for helping with prevention, keep your anti-malware programs up to date and try to use software with a bad site list. Keep your browser and operating system up to date also and of course use vigilance.
Such a long article, I'm sure Admin had a lot more things they wanted to say whilst trying to keep this one brief.
Grant - Many thanks for your comment - I could have added much more to this article, but it needs to be brief and to the point to assist users in a practical way.
Malware is becoming a lot more dangerous, there is no doubt about that and regular image backups are an easy solution rather than using several tools over a couple of hours - image restore is so much quicker.
Drive-by's are also becoming more common, user visits infected site, backdoor Trojan downloads and waits then starts to install rootkits, fake AV's and redirect searches, as many users are finding out.
Trying to put together the necessary information and trying to keep it brief, is not an easy task, just as squeezing a few hours of removal into a 10 minute video!
Prevention is much better than the cure, and there are many tools which are free to use to prevent malware infecting users computers.
As always, it is down to educating users and helping to spread the word
All the best
Colin
Colin,
I think you've got the balance right with trying to get the detail and trying to keep it short. To me it further highlights the difficulty of removing modern malware. Rootkits are especially nasty and hard to remove.
As for the 'drive by downloads', one of the things readers should benefit from within this site is the continuously updated 'malicious sites' to try to help avoid security problems, such as the 'drive by downloads'.
Grant - Thank you
It's always a case of looking at it from a readers point of view, too long and it won't be read, too short means lack of information.
Modern malware is much more ruthless in its methods, downloading several rootkits and other malicious programs and removal is time consuming - as always, a clean ghost image, created regularly, could ease the process.
By using virtualization programs or a Virtual Machine, users can avoid the problems that 'drive-by's' create if used correctly - but no system is foolproof and it is down to the user to make responsible choices and regular backups.
All the best
Colin
When I tried to download SuperAntiSpyware Free Edition from download.cnet.com I got the following warning from McAfee Site Advisor: "In our tests, this download contained programs some people would consider adware, spyware or other potentially unwanted programs." Could you please explain why McAfee Site Advisor would give this warning if this program is one you recommend. Thanks!
D P Wijesinghe - CNet does have some dodgy downloads but they are in the minority, which is why Site Advisor flags the site, not specifically SuperAntiSpyware Free Edition.
As with any of the major download sites, there are programs that are undesirable but SuperAntiSpyware is clean and one I use regularly on other computers.
More details of Site Advisor's ratings can be found by clicking here.
Regards
Colin
I'm extremely happy I fell upon this site and this page in particular. I thought all was lost and was going for a format of the hard disk. Your divide and conquer approach using multiple tools is brilliant as each tool has its strong and weak points. The step by step video took the fear out of going through this lengthy process.
Thanks a million. I know quite a few people stuck with the redirect virus and will be sending them to your page!
Eric - Many thanks for your kind comment.
Redirect malware has affected many users and the easiest way to solve the problem was to recreate the same problem and set about removing it.
There is no one tool that will fix the problem and using multiple tools correctly is much easier than a clean format, although patience is required as it can be a long process.
It is always pleasing to know that readers benefit from articles such as this. I was a beginner once too and try to remember that as I put articles together so that readers can follow step by step and simplify the process.
Kind regards
Colin