TDSS or TDL3 is the name of a family of rootkits for the Windows operating system. It downloads and starts other malware on your computer and delivers advertisements to your computer, while it blocks certain programs from running. It infects your computer in several ways, such as replacing the hard disk drivers with malicious versions. Once a computer is infected, TDSS is invisible to Windows and any anti-malware programs. It continues downloading and running further malware and delivering more advertisements to your computer. These infections are detected under various names depending on the particular anti-virus vendor that you are using.
There are symptoms that the TDSS infection may display that you should watch out for:
The surest way to resolve this is to perform either a factory restore or a clean operating system install on your computer. Taking you through this process is covered under our pro support warranty. You can also find articles taking you through this on the link page below:
As you can see, the TDSS rootkit is an intrusive infection that takes over your machine and is very difficult to remove.
Kaspersky Labs has released a tool called TDSSKiller that can be used to remove most variants of TDSS from your computer. There are other programs that do the same thing. You can use a different program. However, this software is free and it is the software I am most familiar with.
I have prepared a how-to guide below that shows you how to remove the virus, short of a full operating system reinstall. However, this is not covered under your warranty and is carried out at your own risk.
The first thing that you must do is download TDSSKiller from the following link and save it to your desktop.
When you get to the above page, click on the TDSSKiller.exe link to download the file. If you are unable to download the file, then TDSS may be blocking it. You must download it first to a clean computer and then transfer it to the infected computer using a CD, DVD, external drive, or USB flash drive. Once the file has completed transfer, you should now have the TDSSKiller icon on your desktop.
(Figure.1 TDSSKiller Icon)
Before you run TDSSKiller for the first time, you must rename it. Right-click the TDSSKiller.exe icon on your Desktop and select Rename. Edit the name of the file to a random name with the .com extension.
For example: 123.com or abc.com. If a random name does not work, then try renaming it to something like iexplore.com and run it again.
Double-click on it to launch it. When you run the program, Windows may display a warning message on the screen.
(Figure.2 Run Window)
If you receive this warning, click on the Run button to allow the program to run. If you did not see a warning, then TDSSKiller should have started already. Go to step 10, if so.
TDSSKiller starts and displays the welcome screen.
(Figure.3 Start Scan)
Click on the Start scan button to have it scan your computer for the infection.
When the scan has finished, it displays a result screen stating whether or not the infection was found on your computer, with a list of what it found.
(Figure.4 Scan Running)
To remove the infection, simply click on the Continue button and TDSSKiller attempts to remove the infection. If it does not give the option Cure, leave it at the default action of Skip and press the Continue button. Do not change it to Delete or Quarantine as it may delete infected files that are required for Windows to operate properly.
When it has finished cleaning the infection, you see a report.
(Figure.5 Scan Results)
If TDSSKiller cleans the TDSS infection, it may require a reboot to finish the cleaning process. Click on the Reboot now button to reboot your computer and finish the removal of the TDSS infection from your computer.
It is recommended to run a scan tool like Malwarebytes or a similar malware scanner to ensure that everything is thoroughly scanned and cleaned. Ensure that you pick a tool that is well known and that you download it from the source. It is possible to re-infect your computer by downloading from unknown sources.
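The following PowerShell script is an added example, not part of the original guide or any vendor's tooling. Run on the clean computer, it checks that the downloaded tool carries a valid digital signature before copying it to the transfer drive under a random name with the .com extension, as the rename step above describes. The parameter names and the signer text "Kaspersky" are assumptions; adjust them for the tool that you downloaded.

```powershell
# Added example: run on the CLEAN computer before moving the tool to the infected one.
param(
    [Parameter(Mandatory)] [string] $ToolPath,        # the downloaded file, e.g. TDSSKiller.exe
    [Parameter(Mandatory)] [string] $DestinationDir,  # the USB or external drive folder
    [string] $ExpectedSigner = 'Kaspersky'            # assumption: text expected in the signer subject
)

$ErrorActionPreference = 'Stop'

# 1. The file must carry an Authenticode signature that Windows can validate.
$sig = Get-AuthenticodeSignature -FilePath $ToolPath
if ($sig.Status -ne 'Valid') {
    throw "Signature status is '$($sig.Status)'. Do not use this file; download it again from the vendor."
}

# 2. The signer must be the vendor you expect, not just any valid certificate.
$subject = $sig.SignerCertificate.Subject
if ($subject -notmatch [regex]::Escape($ExpectedSigner)) {
    throw "File is signed by '$subject', not by '$ExpectedSigner'."
}

# 3. Record the SHA-256 so the copy can be compared with the original.
$hash = (Get-FileHash -LiteralPath $ToolPath -Algorithm SHA256).Hash

# 4. Copy under a random eight-letter name with the .com extension.
$name = -join ((97..122) | Get-Random -Count 8 | ForEach-Object { [char]$_ })
$dest = Join-Path $DestinationDir "$name.com"
Copy-Item -LiteralPath $ToolPath -Destination $dest

# 5. Confirm that the copy on the transfer drive is identical to the verified file.
$copyHash = (Get-FileHash -LiteralPath $dest -Algorithm SHA256).Hash
if ($copyHash -ne $hash) {
    Remove-Item -LiteralPath $dest
    throw "The copy does not match the original. Try a different drive."
}

[pscustomobject]@{
    Signer  = $subject
    SHA256  = $hash
    CopiedTo = $dest
}
```

The same check works for any other scanner you download: pass that file's path and the vendor name you expect in its signature.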