Free Help from Tech Experts

Geeks To Go is a helpful hub, where thousands of volunteers serve up answers and support. Check out the forums and get free advice from the experts, including malware removal and how-to guides and tutorials. Converse about Windows 10, get system building advice or download files... Go to forums >>

TDL4 Infection Update Win32/Olmasco MAXSS Pihar


TDSS/TDL4 has been a resilient and common rootkit used to infect computers, installing botkits, fake antivirus, and browser redirects. Just as it appeared development of the rootkit had stalled, some new variants have been appearing. Many antivirus programs are not detecting these new variants. They are detected by ESET as Win32/Olmasco, and BitDefender as MAXSS or Pihar. If not detected by antivirus, the most common symptoms are browser redirects and multiple Internet Explorer processes not started by the user that will respawn when terminated.

These variants have begun appearing in our malware removal forums. For example here and here. Due to changes in how they operate, these new variants require some new techniques to remove. Previously the MBR (Master Boot Record) was overwritten. The new version leaves the MBR untouched, but creates a hidden partition and marks it as boot. This means tools and techniques that scan the MBR for changes, or rewrite the MBR will no longer work, and may result in an unbootable system. Newer techniques and tools for removal are still being developed, but mostly involve booting offline, using a live Linux CD like gparted.

Read the rest of this entry »