Monday, July 4, 2011

How to Detect and Remove TDL4 / TDL3 / TDSS / Alureon Rootkits

Experts are continuing to say scary things about TDL4 and its botnet, throwing around terms like "virtually indestructible". Whether or not that is true, TDL4 is clearly a highly sophisticated piece of crimeware that has top researchers very concerned.

If you think you may be infected, Kaspersky Labs has released a free tool for Windows users (all versions, 32 and 64-bit) called TDSSKiller which will detect and remove TDL4 rootkits / bootkits. It can be downloaded here.

TDSSKiller also detects other TDSS-family rootkits such as TDL2 / TDL3, as well as unknown rootkits, by checking for:
  • Hidden or blocked services
  • Hidden or blocked files
  • Forged files
  • Rootkit.Win32.Backboot.gen (generic / unknown MBR infection)

I'm confident those who design the TDSS rootkits will soon figure out a way to defeat Kaspersky's detection / removal, but for now this is a great place to start if you are concerned about these rootkits.
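The last item in that list, the generic MBR check, is the one a defender can reproduce with very little code. A bootkit that lives in the MBR has to replace the executable boot code in the first 440 bytes of sector 0 while leaving the partition table intact so Windows still boots, so comparing the boot-code region against a hash recorded when the machine was known clean, and sanity-checking the partition table, catches an "unknown" infection without any signature for the specific strain. The script below is an added example written for this post; it is not TDSSKiller's logic or Kaspersky's code, and the sector images and the baseline hash it uses are constructed in memory (on a real machine you would read sector 0 from the physical disk and store the baseline offline).

```python
"""Added example (not from the original post or from Kaspersky's TDSSKiller):
a minimal MBR integrity check of the kind a generic 'unknown MBR infection'
detector performs. It parses a 512-byte sector image, verifies the 0x55AA
signature, decodes the four partition entries, and compares a hash of the
boot-code region against a baseline taken when the machine was known clean.
Every sector image used here is a constructed in-memory sample."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440      # bytes 0..439: executable boot code (what a bootkit replaces)
PART_TABLE_OFF = 446     # four 16-byte partition entries follow the disk signature
SIGNATURE_OFF = 510      # trailing 0x55 0xAA boot signature
ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Construct a sample MBR with the given boot code and one active NTFS partition."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    disk_sig = b"\x12\x34\x56\x78" + b"\x00\x00"          # constructed disk signature + reserved
    entry = struct.pack(ENTRY_FMT, 0x80, b"\x01\x01\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 1_000_000)
    table = entry + b"\x00" * (16 * 3)                    # remaining three entries empty
    return code + disk_sig + table + b"\x55\xaa"


def parse_mbr(sector: bytes) -> dict:
    """Decode an MBR image into a boot-code hash and the non-empty partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[SIGNATURE_OFF:] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        if ptype == 0:          # type 0 means the slot is unused
            continue
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba, "sectors": count})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": partitions}


def check_mbr(sector: bytes, baseline_boot_hash: str) -> list:
    """Return a list of findings; an empty list means the MBR matches the clean baseline."""
    findings = []
    info = parse_mbr(sector)
    # The key check: boot code changed while the rest of the sector still looks normal.
    if info["boot_code_sha256"] != baseline_boot_hash:
        findings.append("boot code differs from clean baseline")
    active = [p for p in info["partitions"] if p["bootable"]]
    if len(active) != 1:
        findings.append(f"expected one active partition, found {len(active)}")
    for p in info["partitions"]:
        # No partition may start at sector 0 (that is the MBR itself) or wrap past 32 bits.
        if p["lba_start"] == 0 or p["lba_start"] + p["sectors"] > 0xFFFFFFFF:
            findings.append(f"partition {p['index']} has an implausible extent")
    return findings


# Constructed samples: a "clean" image whose boot-code hash becomes the baseline,
# and a "tampered" image where only the boot code has been swapped out.
CLEAN_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")
BASELINE_HASH = parse_mbr(CLEAN_MBR)["boot_code_sha256"]
TAMPERED_MBR = build_sample_mbr(b"\xeb\xfe" + b"\x90" * 16)

if __name__ == "__main__":
    print("clean   :", check_mbr(CLEAN_MBR, BASELINE_HASH) or "OK")
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE_HASH))
```

The baseline hash is only useful if it was taken before the infection and stored somewhere the rootkit cannot rewrite, which is why tools like TDSSKiller carry their own knowledge of legitimate boot code rather than trusting what is on the disk; the same comparison run from a clean boot medium sidesteps the rootkit's ability to hide the real sector from a running system.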

If you have no luck with TDSSKiller, you may wish to try Norman TDSS Cleaner, Avast's aswMBR tool, or HitmanPro, which also claim to detect and remove TDL3, TDL4 and their variants.

1 comment:

Carrigon said...

I just spent the weekend getting this infection off my PC. And I'm still wondering if it has left some remnant somewhere on my drive. It's a nasty one. I had freeze-ups, slowdowns, BSODs when waking from sleep mode that would reboot me. Cleaning the infection stopped all that. My system is now running fast and smooth. But it's getting scary with these new strains.