Search site

Add to Google

Featured Articles
Go Google go! back


I was asked to upgrade a customer's computer over the weekend, which had an added challenge. It has been infected by this malware, which embeds itself in a place which allows it to affect the way your browser performs internet searches in any web browser. Gone are the chivalrous days where computer viruses modify your BIOS settings to render the PC useless. This is fun for the hackers, but where is the profit in that ? The new generation of viruses will silently infect your computer, then use it as a way to generate revenues for the perpetrators (grabbing your online bank's logon id is one way of doing this). This particular piece of malware, for example, simply modifies all your internet search results in such a way that it does not matter which URL in the results you click on, it will trigger Google Adword's pay per click credit for the author (or whoever it benefits). The telltale signs that this malware is present are:

  • when you perform a search, it takes a lot longer for the results to come back than normal
  • regardless of whether you use Internet Explorer, Firefox, or whichever browser, or whichever search engine you use, be it Google, Yahoo! or whatever, the resulting page, normal looking as it is, is full of loaded links which send you to completely unrelated sites when clicked on. When you hover your mouse cursor over these links in Firefox (or right click on the link and select "Properties.." in Internet Explorer), you will see that all the URLs are prefixed with This is generally the URL generated by the Google Adword program to register a click and for an Adsense subscriber. And clicks are real money for some!
  • Your antivirus software and Windows Update stop working. This particular malware blocks update programs from contacting the vendors, obviously with the goal of prolonging its own influence
  • You might experience erratic behaviours when your computer boots up, like occasional lockups at different stages of the boot up sequence. I am not sure if the malware itself tries to contact the mothership, or it simply clashes with the antivirus software in general
Once your computer is in this state, it is extremely frustrating. You can not easily remove the malware, as it embeds itself at a layer of the operating system which makes it impossible to remove it while your computer is running (it configures itself to be a legacy non plug and play driver, and is thus loaded at a very early stage of the boot up sequence). It is not visible if you perform a search for the name of the driver file. You can see the driver file in the registry, but all the keys are not modifiable. Admittedly, the antivirus software should have prevented these trojans from being downloaded into your computer in the first place, but once they manage to get in, the only way to remove them is to somehow manually disable them to reclaim your PC.

To remove this annoying trojan, the first thing you'd have to do is to:
  1. go into your Device Manager (Start->Run...->type "devmgmt.msc", hit Enter)
  2. Switch on the "Show hidden devices" option in View..
  3. Expand the Non plug and play devices section and look for the device TDSSserv.sys. Disable this device and reboot
  4. Once you have rebooted, the Antivirus software should update itself again and hopefully remove the trojan for you. Failing that, go into your \WINDOWS folder and look for all files prefixed with TDSS (note that TDSSserv.sys will not be among these files!). You can either zap these files or move them elsewhere if you are not sure if they are needed by something else. Personally I think they are all to do with this trojan, although I am not 100% sure. Note that you might not have been able to remove these files while the trojan was still active, hence the reboot. There seems to be an ability for the trojan to reinstall itself if these files are not moved out of the way. I also discovered this strange phenomenon that if I boot the computer into Safe Mode, the trojan seems to disappear for a bit, then only to come back after a few reboots. Maybe it is unrelated, maybe not.
Personally, I have a much better solution. My computers do not run Windows, but Ubuntu. The current theory is no self respecting virus writer who has to fund his lifestyle on fast jets and luxury yatchs will bother writing a trojan for Ubuntu (although obviously if Ubuntu reaches critical mass one day (currently Ubuntu has 0.82% market share, so it has some way to go), which I hope it will, these equations might change). Even if he did, he will have a job getting it deployed in the system folder with administrator privileges, as is on Windows. Granted, there are still things I have to use Windows for (mainly because certain vendors could not be arsed to develop a Ubuntu version of their software), but as your computer is connected to the big, bad wide world out there, why open the front door and invite the unwanted guests in and give them a free reign on all your valuables? Of course there are firewalls and antivirus software, but surely common sense dictates that you do not give access to files and folders which are critical to your computer's operations to every Tom, Dick and Harriet. This is something the designers of the Unix operating system have factored in from the word "Go", but the Windows designers have not bothered with until it was too late.


discuss (1 comment)
 by by David at 30 Nov 2008 13:58:57
Looks like this nasty piece of malware comes down from those who download WinRar from a sponsored Google link as described on The Register at RAR file format compression and decompression are supported as standard on Ubuntu, by the way.
by David at 16 Dec 2008 20:29:16
Copyrights © Transcraft Trading Limited 2006.All rights reserved. Bots Rss-rss