
TDL3 Rootkit

Posted: July 19, 2011

TDL3 Rootkit is a variant of the well-known TDSS Rootkit, an infection that has spread to millions of computers worldwide and uses multiple components and sophisticated stealth defenses. TDL3 Rootkit shares these traits with the original TDSS Rootkit, and its attacks manifest as search result hijacks, BSODs (Blue Screens of Death, also known as blue error screens) and slower system performance. Rootkit infections like TDL3 Rootkit are also known sources of security issues that can lead to remote attacks and other criminal actions against your computer. As one of the newer versions of a notoriously difficult-to-remove rootkit, TDL3 Rootkit should only be removed by highly sophisticated security software that can handle such deep-rooted threats to your PC.

How TDL3 Rootkit Defeats Your Typical Anti-Virus Software

TDL3 Rootkit is named for being the third version of the old TDSS Rootkit, which is still circulating on the Internet in large quantities to this day. Tens of thousands of computers have already been reported as infected by TDL3 Rootkit, even though almost two-thirds of them were running fully updated anti-virus software.

This troubling development is made possible by rootkit techniques that let TDL3 Rootkit infect the Master Boot Record, the kernel or other deeply buried parts of the Windows operating system. Like all rootkits, a TDL3 Rootkit infection will not create independent processes that you can see in Task Manager, and may not even create visible files or folders.

Most TDL3 Rootkit infections prefer to infect system drivers. If your security software scans your computer and displays a long list of infected .sys files, you may have TDL3 Rootkit or a similar rootkit infection. Insufficiently advanced anti-virus software, however, isn't likely to detect TDL3 Rootkit at all.

Perhaps the most troubling aspect of a TDL3 Rootkit infection is that it can bring back the now-rare Blue Screen of Death. This is the result of an old Windows patch interacting poorly with TDL3 Rootkit. Microsoft has since pulled the patch from its database until the problem is solved, so you don't need to worry about BSODing your computer by accident. When it does occur, this BSOD will appear every time Windows tries to load, and only a separate Windows boot CD will let you bypass it to remove TDL3 Rootkit.

Be Ready for TDL3 Rootkit's Mad Rush for Your Online Search Results

The main sign of any TDL3 Rootkit infection is a browser hijack that redirects you to unfamiliar websites. In some cases, TDL3 Rootkit may wait until you've clicked a search engine link before redirecting you to a completely different destination. Typing in the URL directly may not avoid TDL3 Rootkit's redirection, since TDL3 Rootkit has also been reported to use DNS-based hijacks.

This type of attack can also be seen in TDL3 Rootkit's ancestors like TDSS Rootkit and in related components like the Google Redirect Virus. However, TDL3 Rootkit has other symptoms that you may be able to use to single it out:

  • TDL3 Rootkit will actively prevent you from visiting websites that are related to PC security. TDL3 Rootkit may redirect you away from these websites automatically or create a fake error screen that blocks the website's content.
  • Your web browser's performance and speed will suffer due to TDL3 Rootkit's hijack-related activities. Some other versions of the same rootkit have also been reported to cause a random loss of keyboard input within the browser.
  • Most worryingly, TDL3 Rootkit will attempt to block you from using any program that's on its blacklist. These programs include security tools and anti-virus software that could be used to detect or delete TDL3 Rootkit.

File System Modifications

  • The following files were created in the system:
    #    File Name
    1    %Temp%\_VOID[RANDOM CHARACTERS].tmp
    2    %Temp%\UAC[RANDOM CHARACTERS].tmp
    3    C:\Documents and Settings\All Users\Application Data\_VOIDmainqt.dll
    4    C:\WINDOWS\_VOID[RANDOM CHARACTERS]\
    5    C:\WINDOWS\_VOID[RANDOM CHARACTERS]\_VOIDd.sys
    6    C:\WINDOWS\SYSTEM32\4DW4R3[RANDOM CHARACTERS].dll
    7    C:\WINDOWS\SYSTEM32\4DW4R3c.dll
    8    C:\WINDOWS\SYSTEM32\4DW4R3sv.dat
    9    C:\WINDOWS\system32\_VOID[RANDOM CHARACTERS].dat
    10   C:\WINDOWS\system32\_VOID[RANDOM CHARACTERS].dll
    11   C:\WINDOWS\SYSTEM32\DRIVERS\4DW4R3.sys
    12   C:\WINDOWS\SYSTEM32\DRIVERS\4DW4R3[RANDOM CHARACTERS].sys
    13   C:\WINDOWS\system32\drivers\_VOID[RANDOM CHARACTERS].sys
    14   C:\WINDOWS\system32\drivers\UAC[RANDOM CHARACTERS].sys
    15   C:\WINDOWS\system32\UAC[RANDOM CHARACTERS].dat
    16   C:\WINDOWS\system32\UAC[RANDOM CHARACTERS].db
    17   C:\WINDOWS\system32\UAC[RANDOM CHARACTERS].dll
    18   C:\WINDOWS\system32\uacinit.dll
    19   C:\WINDOWS\system32\uactmp.db
    20   C:\WINDOWS\Temp\_VOID[RANDOM CHARACTERS]tmp
    21   C:\WINDOWS\Temp\UAC[RANDOM CHARACTERS].tmp

Registry Modifications

  • The following Registry keys were newly created:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\4DW4R3
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UACd.sys
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\_VOID[RANDOM CHARACTERS]
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\_VOIDd.sys
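As an added example (not code from the original page or any vendor tool), the following Python check turns a subset of the file indicators and the service key names listed above into anchored, case-insensitive patterns, treating the page's [RANDOM CHARACTERS] and %Temp% placeholders as wildcards, and runs them over a constructed sample of file paths and service names. The sample inputs are constructed, not observed on a real system; prefix-only indicators such as UAC*.dll under system32 are loose and a hit on them alone should be corroborated with a driver-level scan.

```python
import re

# Placeholders as written on the page, mapped to regex wildcards.
TOKENS = {"[RANDOM CHARACTERS]": r"[A-Za-z0-9]+", "%Temp%": r".+"}

# A subset of the file indicators listed on the page (one or two per naming family).
FILE_INDICATORS = [
    r"%Temp%\_VOID[RANDOM CHARACTERS].tmp",
    r"%Temp%\UAC[RANDOM CHARACTERS].tmp",
    r"C:\WINDOWS\SYSTEM32\4DW4R3[RANDOM CHARACTERS].dll",
    r"C:\WINDOWS\SYSTEM32\DRIVERS\4DW4R3[RANDOM CHARACTERS].sys",
    r"C:\WINDOWS\system32\drivers\_VOID[RANDOM CHARACTERS].sys",
    r"C:\WINDOWS\system32\drivers\UAC[RANDOM CHARACTERS].sys",
    r"C:\WINDOWS\system32\UAC[RANDOM CHARACTERS].dll",
]
# Service key names under HKLM\SYSTEM\CurrentControlSet\Services, from the page.
SERVICE_INDICATORS = ["4DW4R3", "UACd.sys", "_VOID[RANDOM CHARACTERS]", "_VOIDd.sys"]

def indicator_to_regex(indicator: str) -> re.Pattern:
    """Anchored, case-insensitive regex (Windows names are case-insensitive)."""
    pattern = re.escape(indicator)
    for token, wildcard in TOKENS.items():
        # re.escape works char by char, so the escaped token is a substring here.
        pattern = pattern.replace(re.escape(token), wildcard)
    return re.compile("^" + pattern + "$", re.IGNORECASE)

def match_indicators(observed, indicators):
    """Return (observed_name, indicator) for each observed name that matches."""
    compiled = [(ind, indicator_to_regex(ind)) for ind in indicators]
    hits = []
    for name in observed:
        for ind, rx in compiled:
            if rx.match(name):
                hits.append((name, ind))
                break  # one report per name; first matching indicator wins
    return hits

# Constructed sample input (not observed on a real system).
SAMPLE_FILES = [
    r"C:\WINDOWS\system32\drivers\_VOIDxk2p.sys",
    r"C:\Windows\System32\drivers\ntfs.sys",
    r"C:\WINDOWS\SYSTEM32\4DW4R3c.dll",
    r"C:\Users\alice\AppData\Local\Temp\UAC7f3a.tmp",
]
SAMPLE_SERVICES = ["Tcpip", "4DW4R3", "_VOIDd.sys", "Dnscache"]

if __name__ == "__main__":
    for hit in match_indicators(SAMPLE_FILES, FILE_INDICATORS) + match_indicators(SAMPLE_SERVICES, SERVICE_INDICATORS):
        print("suspicious: %s (matches %s)" % hit)
```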