02.09
While working on a co-worker’s computer that was infected with spyware I was able to remove just about everything using the tools I outline in Jay Lee’s Patented Spyware Removal System save for one persistent troublemaker that was redirecting every Google search through something called Triplexfeed.
Malwarebytes didn’t detect it. Spybot didn’t detect it. Combofix didn’t detect it. I couldn’t even see it as a BHO using HiJackThis. It was simply invisible to me, but each and every Google search popped up a window that clearly showed my Web browsing traffic being redirected.
I did a little research and was able to figure out I had come across a nasty TDL3 rootkit.
From Rootbiez
TDL or TDSS family is a famous trojan variant for its effectiveness and active technical development. It contains two compoments: a kernel-mode rootkit and some user-mode DLLs which performs the trojan operation (downloaders, blocking Avs, etc,.). Since the rootkit acts as an “injector” and protector for the ring3 bot binaries, almost technical evolutions of this threat family focus on rootkit technology so as to evade AV scanners. As in its name, TDL3 is 3rd generation of TDL rootkit, still takes its aims at convering stealthy existences of malicious codes. Beside known features, this threats is exposed with a couple of impressive tricks which help it bypassing personal firewall and staying totally undetected by all AVs and ARKs at the moment.
Thanks to Daejin Media I got tipped to a program called Hitman Pro 3 – Second Opinion Malware Scanner.
Hitman Pro 3 scanned the infected system, detected about 5 things and removed them and had me reboot at which point it scanned again and found two more. After the second re-boot the system was free of the hijack.
It doesn’t install anything on your computer, either. Just a single executable that scans your computer and cleans up the mess. Hitman Pro is FAST, too. I had everything cleaned up in about 10 minutes.
Part of the magic of this program is how it uses a scan cloud to determine if suspicious files are, in fact, dangerous or not.
From the Hitman Pro Web site:
For the files that are classified as suspicious, the Hitman Pro client sends a request to the Scan Cloud for confirmation if these files are indeed malicious. The Scan Cloud is a cluster of multiple computers, residing on the Internet. The Scan Cloud will respond to this request with the answer:
* Safe
* Malicious
* UnknownWhen the file is unknown, the Hitman Pro client uploads the file to the Scan Cloud where the file is scanned using the anti virus programs of 5 different vendors. Each of these anti virus programs analyzes the file and responds with “safe” or “malicious”. Click here for more details about the Scan Cloud.
Hitman Pro is not free. They do offer a 30 day free trial, though. After that the price is subscription based.
Not since discovering Spybot Search & Destroy have I been THIS enthused about an anti-spyware tool.