Yesterday, a client got infected with some malware after visiting what should have been a safe website. I ran through the usual routine of deleting the malicious files in the Temporary Internet Files folder and scanning with MalwareBytes. The scan found and cleaned up about 8 objects and the annoying scareware was gone upon restarting. Unfortunately, pop-unders were showing up on sites that definitely didn’t have advertisements and the top Google Search results were being redirected through a few websites to end at an ad page.
Since further malware scans were showing up clean, there were no malicious add-ons in IE, and the problem happened in both IE and Firefox it seemed likely that we were dealing with a rootkit.
I downloaded and ran TDSSKiller, a product from Kaspersky Labs.
Running the scan, it found one object and removed it upon restart. Upon logging back in, all of the symptoms of the infection were gone. No more pop-unders and no search results being redirected. These symptoms don’t necessarily mean a rootkit is present but if you can’t find anything else that could be causing it, it’s probably a rootkit hiding itself from Windows and thus your tools and investigation.
Another tool recommended to deal with rootkits is the command-line tool, RKill. RKill is used to terminate malware and rootkits that are running and might be able to prevent other tools from properly running.
A common trick that malware uses these days is to prevent executables (.exe files, specifically) from running. This can be cleaned up by removing an entry in the Registry with Regedit. However, you might not be able to run regedit.exe unless you copy it and rename it as regedit.bat or with a different executable extension. For this reason, you might need to rename tdsskiller.exe. RKill is available to download as different extensions like .com or .scr and with different names for your convenience from BleepingComputer.