Skip to main content
  • Place orders quickly and easily
  • View orders and track your shipping status
  • Enjoy members-only rewards and discounts
  • Create and access a list of your products
  • Manage your Dell EMC sites, products, and product-level contacts using Company Administration.

Google Redirects, TDSS, TDL3, or Alureon removal guide

Summary: The following article provides information about on how to remove the Google Redirects, TDSS, TSL3, or Alureon malware from your Computer. Most of the steps below are not covered under your warranty and are carried out at your own risk. ...

This article may have been automatically translated. If you have any feedback regarding its quality, please let us know using the form at the bottom of this page.

Article Content


Symptoms

Table of Contents:

  1. A quick description of what the virus is and the support possible under the warranty
  2. Removal Instructions for the TDSS, Alureon, or TDL3 Rootkit using TDSSKiller
  3. Associated TDSS, Alureon, or TDL3 Rootkit Files
  4. Associated TDSS, Alureon, or TDL3 Rootkit Windows Registry Information

 

A quick description of what the virus is and the support possible under the warranty

 

TDSS or TDL3 is the name of a family of rootkits for the Windows operating system. It downloads and starts other malware on your computer and delivers advertisements to your computer, while it blocks certain programs from running. It infects your computer in several ways, such as replacing the hard disk drivers with malicious versions. Once a computer is infected, TDSS is invisible to Windows and any anti-malware programs. It continues downloading and running further malware and delivering more advertisements to your computer. These infections are detected under various names depending on the particular anti-virus vendor that you are using.

There are symptoms that the TDSS infection may display that you should watch out for:

  • Search results - Links are redirected to unrelated sites. When you click on one of the search results, it redirects to an advertisement instead.
Note: Some of the domains you are redirected to are legitimate companies, however they may have affiliates that promote their products in a dubious manner.
  • The inability to run various programs - Certain programs simply do not start up. TDSS has a configuration setting called disallowed that contains a large list of programs that it does not allow to start up. It does this so that you cannot launch anti-virus and anti-malware programs to help you remove this infection.
  • Various sites access blocked - TDSS blocks access to download pages, forums, and computer help and security sites.
  • Web browsing is slower than normal - web pages load slower.
Note: As always, the decision to use this information is at the end user’s risk as malware removal is not a pro-support entitlement. This information is provided "AS IS."

The surest way to resolve this is to perform either a factory restore or clean Operating system install on your computer. Taking you through this is what is covered under our pro support warranty. You can also find articles taking you through this on the link page below:

As you can see, the TDSS rootkit is an intrusive infection that takes over your machine and is very difficult to remove.

Kaspersky Labs has released a tool called TDSSKiller that can be used to remove most variants of TDSS from your computer. There are other programs that do the same thing. You can use a different program. However, this software is free and it is the software I am most familiar with.

I have prepared a how-to guide below that shows you how to remove the virus - short of a full operating system reinstall. However this is not covered under your warranty and is carried out at your own risk.

Cause

Removal Instructions for the TDSS, Alureon, or TDL3 Rootkit using TDSSKiller

 

  1. The first thing that you must do is download TDSSKiller from the following link and save it to your desktop.

  2. When you get to the above page, click on the TDSSKiller.exe link to download the file. If you are unable to download the file, then TDSS may be blocking it. You must download it first to a clean computer and then transfer it to the infected computer using a CD, DVD, external drive, or USB flash drive. Once the file has completed transfer, you should now have the TDSSKiller icon on your desktop.

Kaspersky TDSS Killer Portable

(Figure.1 TDSSKiller Icon)

  1. Before you run TDSSKiller for the first time, you must rename it. Right-click the TDSSKiller.exe icon on your Desktop and select Rename. Edit the name of the file to a random name with the .com extension.

    For example: 123.com or abc.com If a random name does not work, then try renaming it to something like iexplore.com and run it again.

  2. Double-click on it to launch it. When you run the program, Windows may display a warning message on the screen.

run warning

(Figure.2 Run Window)

  1. If you receive this warning, click on the Run button to allow the program to run. If you did not see a warning, then TDSSKiller should have started already. Go to step 10, if so.

  2. TDSSKiller starts and displays the welcome screen.

tdsskiller start

(Figure.3 Start Scan)

  1. Click on the Start scan button to have it scan your computer for the infection.

  2. When the scan has finished, it displays a result screen stating whether or not the infection was found on your computer. It displays a screen with a list of what it found.

infection found

(Figure.4 Scan Running)

  1. To remove the infection, simply click on the Continue button and TDSSKiller attempts to remove the infection. If it does not give the option Cure, leave it at the default action of Skip and press the Continue button. Do not change it to Delete or Quarantine as it may delete infected files that are required for Windows to operate properly.

  2. When it has finished cleaning the infection, you see a report.

scan completed

(Figure.5 Scan Results)

  1. If TDSSKiller cleans the TDSS infection, it may require a reboot to finish the cleaning process. Click on the Reboot now button to reboot your computer and finish the removal of the TDSS infection from your computer.

  2. It is recommended to run a scan tool like Malwarebytes or a similar Malware scanner tool, to ensure everything is thoroughly scanned and cleaned. Ensure that you pick a tool that is well known and that you download it from the source. It is possible to re-infect your computer by downloading from unknown sources.

Note: If you are still having issues, you can:
  • Raise a request for aid on an Internet forum
  • Run through a factory restore or clean install of your operating system

Resolution

 

Associated TDSS, Alureon, or TDL3 Rootkit Files

 

C:\WINDOWS\_VOID<random>\
C:\WINDOWS\_VOID<random>\_VOIDd.sys
C:\WINDOWS\SYSTEM32\UAC<random>.dll
C:\WINDOWS\SYSTEM32\uacinit.dll
C:\WINDOWS\SYSTEM32\UAC<random>.db
C:\WINDOWS\SYSTEM32\UAC<random>.dat
C:\WINDOWS\SYSTEM32\uactmp.db
C:\WINDOWS\SYSTEM32\_VOID<random>.dll
C:\WINDOWS\SYSTEM32\_VOID<random>.dat
C:\WINDOWS\SYSTEM32\4DW4R3c.dll
C:\WINDOWS\SYSTEM32\4DW4R3sv.dat
C:\WINDOWS\SYSTEM32\drivers\_VOID<random>.sys
C:\WINDOWS\SYSTEM32\drivers\UAC<random>.sys
C:\WINDOWS\SYSTEM32\4DW4R3<random>.dll
C:\WINDOWS\SYSTEM32\DRIVERS\4DW4R3.sys
C:\WINDOWS\SYSTEM32\DRIVERS\4DW4R3<random>.sys
C:\WINDOWS\Temp\_VOID<random>.tmp
C:\WINDOWS\Temp\UAC<random>.tmp
%Temp%\UAC<random>.tmp
%Temp%\_VOID<random>.tmp
C:\Documents and Settings\All Users\Application Data\_VOIDmainqt.dll
File Location Notes.
%Temp%:
Shows the Windows Temp folder, by default this is C:\Windows\Temp for Windows 85/98/ME, C:\DOCUMENTS AND SETTINGS\<Current User>\LOCAL SETTINGS\Temp for Windows 2000/XP and C:\Users\<Current User>\AppData\Local\Temp in Windows Vista, Windows 7, and Windows 8
%CommonAppData%:
Shows the Application Data folder for the All Users profile, by default this is C:\Documents and Settings\All Users\Application Data for Windows 2000/XP and C:\ProgramData\ in Windows Vista, Windows 7, and Windows 8
%AppData%:
Shows the current users Application Data folder, by default this is C:\Documents and Settings\<Current User>\Application Data for Windows 2000/XP and for Windows Vista, and Windows 7 it is C:\Users\<Current User>\AppData\Roaming
%LocalAppData%:
Shows the current users Local settings Application Data folder, by default this is C:\Documents and Settings\<Current User>\Local Settings\Apllication Data for Windows 2000/XP and for Windows Vista, Windows 7, and Windows 8 it is C:\Users\<Current User>\AppData\Local
%CommonAppData%:
Shows the Application Data folder in the All Users profile, for Windows XP, Vista, NT, 2000 and 2003 it directs to C:\Documents and Settings\All Users\Application Data\ and for Windows Vista, Windows 7, and Windows 8 it is C:\ProgramData

 

Associated TDSS, Alureon, or TDL3 Rootkit Windows Registry Information

 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\_VOIDd.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\_VOID<random>
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UACd.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\4DW4R3
Note: This is a self-help guide. Use at your own risk.

Article Properties


Affected Product

Inspiron, Latitude, Vostro, XPS, Fixed Workstations

Last Published Date

03 Oct 2023

Version

4

Article Type

Solution