
TDL3 / TDSS Rootkits

By Christopher Mendla

November 18, 2010

Last Updated on September 22, 2023 by Christopher G Mendla

I came across a Windows XP laptop where I could not remove the malware. I tried a number of different tricks, but it kept coming back. The symptoms were:

  • I could not connect to the Windows Update page at windowsupdate.microsoft.com.
  • Attempting to visit certain websites would result in an ad page instead of the intended website.
  • A Win32 services error dialog would pop up occasionally.
My research led me to a new series of rootkits that hook themselves into your machine using trusted services such as the print spooler. They then hide themselves from Windows and encrypt themselves. RootkitRevealer didn't show the problem. I found a page here that offered a tool called Hitman Pro. Hitman Pro will scan for free, but you need to buy a subscription for about 30 Euros to clean the rootkits. I didn't get to try that, as I found a free tool from Kaspersky called TDSSKiller that cleaned things up. There is also a free diagnostic tool called GMER that seems to have success at identifying and cleaning the new rootkits. I couldn't find a good set of documentation on how to use the cleaning features of GMER, although I could make a pretty good guess at the process.

In summary, the battle to keep malware off your machines has become a bit more difficult. Right now, the traditional antivirus apps are not able to reliably identify and kill these rootkits. You need to do a bit of manual sleuthing.
