
TDL4 Rootkit

Posted: July 19, 2011

TDL4 Rootkit is a rootkit that infects deep-seated Windows components to hide itself before proceeding to attack your web browser and system settings. Like the majority of rootkits, TDL4 Rootkit tries to avoid ever being seen, and you may not know that TDL4 Rootkit is on your computer except by observing the symptoms that are related to its attacks. Common signs of a TDL4 Rootkit infection include malfunctioning Windows interface displays and browser hijacks that redirect you to hostile websites or create advertisements. All rootkits, including TDL4 Rootkit, are extremely challenging to detect and remove by manual methods, and only the highest-quality threat-removal programs are recommended for deleting TDL4 Rootkit infections.

Recognizing When TDL4 Rootkit Has Come Calling to Your Web Browser

TDL4 Rootkit is another variation of the widespread and dangerous TDSS Rootkit, a rootkit that uses many different Trojans to coordinate sophisticated security and browser-based attacks. Among the Trojans accompanying TDL4 Rootkit is DNS Changer. TDL4 Rootkit, also known as Rootkit.Win32.TDSS.tdl4, doesn't stray far from its roots and maintains similar hostilities against any PC that TDL4 Rootkit manages to infect.

Symptoms of a TDL4 Rootkit infection can include but aren't limited to the following behavior:

  • After clicking a link in a search engine, you may be redirected to a website that's completely unrelated to the link. In addition to being a sign of a TDL4 Rootkit infection, this is also a symptom of other TDSS Rootkit components such as Google Redirect Virus. Websites that TDL4 Rootkit redirects you to may build traffic-based revenue for criminals, attempt to exploit browser or script vulnerabilities to install other harmful programs or encourage you to buy scamware security programs.
  • The Windows taskbar and desktop icons may fail to display properly at random moments. This display interference doesn't delete the related programs but may prevent you from accessing them, until you've disabled or gotten rid of TDL4 Rootkit.
  • TDL4 Rootkit infections have also been known to cause the following error message to appear:

    "Generic Host Process for Win32 Services has encountered a problem and needs to close. We are sorry for the inconvenience."

Why You'll Probably Need Help Deleting TDL4 Rootkit

The potency of TDL4 Rootkit's stealth methodology is revealed in the over four million computers around the world that have been estimated to be infected with TDL4 Rootkit. To start with, TDL4 Rootkit cheerfully bypasses Windows PatchGuard to write to the Master Boot Record (or MBR) kernel and follows that up by using a hard drive port driver hook to prevent itself from simply being overwritten.

TDL4 Rootkit is able to infect both 64-bit and 32-bit Windows systems and is so deeply hidden in Windows that the 'official' solution for deleting TDL4 Rootkit was, at first, to reinstall Windows from scratch! Fortunately, further information has become available that allows you to remove TDL4 Rootkit without needing to use such drastic measures.

The Windows Recovery Console may be required to delete TDL4 Rootkit, which can avoid being detected or removed by less advanced methods. Since rootkits that are closely related to TDL4 Rootkit are also known for using multiple infections to coordinate attacks, you should follow up any attempt at removing TDL4 Rootkit with a full anti-virus system scan.

Make sure that your anti-virus software is updated for recent PC threats, and if possible, launch this scan in Safe Mode to reduce the possibility of TDL4 Rootkit-related files avoiding detection.

File System Modifications

  • The following files were created in the system:
    #   File name
    1   %Temp%\_VOID[RANDOM CHARACTERS].tmp
    2   %Temp%\UAC[RANDOM CHARACTERS].tmp
    3   C:\Documents and Settings\All Users\Application Data\_VOIDmainqt.dll
    4   C:\WINDOWS\_VOID[RANDOM CHARACTERS]\
    5   C:\WINDOWS\_VOID[RANDOM CHARACTERS]\_VOIDd.sys
    6   C:\WINDOWS\SYSTEM32\4DW4R3[RANDOM CHARACTERS].dll
    7   C:\WINDOWS\SYSTEM32\4DW4R3c.dll
    8   C:\WINDOWS\SYSTEM32\4DW4R3sv.dat
    9   C:\WINDOWS\system32\_VOID[RANDOM CHARACTERS].dat
    10  C:\WINDOWS\system32\_VOID[RANDOM CHARACTERS].dll
    11  C:\WINDOWS\SYSTEM32\DRIVERS\4DW4R3.sys
    12  C:\WINDOWS\SYSTEM32\DRIVERS\4DW4R3[RANDOM CHARACTERS].sys
    13  C:\WINDOWS\system32\drivers\_VOID[RANDOM CHARACTERS].sys
    14  C:\WINDOWS\system32\drivers\UAC[RANDOM CHARACTERS].sys
    15  C:\WINDOWS\system32\UAC[RANDOM CHARACTERS].dat
    16  C:\WINDOWS\system32\UAC[RANDOM CHARACTERS].db
    17  C:\WINDOWS\system32\UAC[RANDOM CHARACTERS].dll
    18  C:\WINDOWS\system32\uacinit.dll
    19  C:\WINDOWS\system32\uactmp.db
    20  C:\WINDOWS\Temp\_VOID[RANDOM CHARACTERS]tmp
    21  C:\WINDOWS\Temp\UAC[RANDOM CHARACTERS].tmp

Registry Modifications

  • The following Registry entries are newly created:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\4DW4R3
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UACd.sys
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\_VOID[RANDOM CHARACTERS]
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\_VOIDd.sys
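As an added example that is not part of the original page, the file and service-key indicators listed above are turned into a small Python matcher that a responder could run over a collected file inventory or an exported list of service keys; the temp directory, the sample inventory and the sample key names are constructed assumptions.

```python
import re

# Indicator templates copied from the page's File System and Registry
# Modifications lists; "[RANDOM CHARACTERS]" is the page's own wildcard.
FILE_TEMPLATES = [
    r"%Temp%\_VOID[RANDOM CHARACTERS].tmp",
    r"%Temp%\UAC[RANDOM CHARACTERS].tmp",
    r"C:\WINDOWS\SYSTEM32\4DW4R3[RANDOM CHARACTERS].dll",
    r"C:\WINDOWS\SYSTEM32\DRIVERS\4DW4R3[RANDOM CHARACTERS].sys",
    r"C:\WINDOWS\system32\drivers\_VOID[RANDOM CHARACTERS].sys",
    r"C:\WINDOWS\system32\drivers\UAC[RANDOM CHARACTERS].sys",
    r"C:\WINDOWS\system32\uacinit.dll",
]
SERVICE_TEMPLATES = [
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\4DW4R3",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UACd.sys",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\_VOID[RANDOM CHARACTERS]",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\_VOIDd.sys",
]

def template_to_regex(template, temp_dir=r"C:\Windows\Temp"):
    """Turn one indicator template into an anchored, case-insensitive regex.
    %Temp% is expanded to an assumed temp directory (constructed value) and
    [RANDOM CHARACTERS] becomes one or more non-separator characters."""
    expanded = template.replace("%Temp%", temp_dir)
    parts = expanded.split("[RANDOM CHARACTERS]")
    pattern = r"[^\\]+".join(re.escape(p) for p in parts)
    return re.compile(r"^" + pattern + r"\\?$", re.IGNORECASE)

FILE_PATTERNS = [template_to_regex(t) for t in FILE_TEMPLATES]
SERVICE_PATTERNS = [template_to_regex(t) for t in SERVICE_TEMPLATES]

def match_indicators(entries, patterns):
    """Return the entries (paths or key names) matching any indicator."""
    return [e for e in entries if any(rx.match(e) for rx in patterns)]

# Constructed sample inventory: benign entries mixed with names shaped
# like the page's indicators (Windows paths compare case-insensitively).
SAMPLE_FILES = [
    r"C:\Windows\System32\drivers\ntfs.sys",
    r"C:\Windows\System32\drivers\_VOIDa7f3q.sys",
    r"C:\Windows\Temp\UACk91x.tmp",
    r"C:\Windows\System32\uacinit.dll",
    r"C:\Windows\System32\4DW4R3b2.dll",
]
SAMPLE_SERVICES = [
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\_VOIDzz12",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\4DW4R3",
]
```

A hit only says a name matches the pattern; because the rootkit hides its files from the running system, a clean listing should come from offline media or the Recovery Console, as the page recommends.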