Win32 Virus Removal

PCMag's Editor-in-Chief Lance Ulanoff hit me with a strange question: "Every time I do a search and click a result link, I end up on some random page, even though the link shows I'd be going elsewhere." Luckily for Lance I've encountered this problem before. It's caused by a multi-faceted threat variously called TDSS, Alureon, or Tidserv.

The first time I ran into Tidserv it was inflicting exactly the same symptoms on my daughter's laptop. Unlike Lance's security-free test system, her laptop was protected by an up-to-date installation of Norton Internet Security 2010; it didn't help. She worked directly with Symantec technicians to identify and eliminate this then-new variant. Symantec's page on what they call Backdoor.Tidserv now includes a removal tool designed specifically to wipe out this threat.

Tidserv does indeed redirect search result links so you end up visiting web sites associated with the threat's authors, but that's just the most visible effect. According to Symantec it hides itself using advanced rootkit technology, displays advertisements, and opens a back door that further compromises the affected system's security.

Symantec reports that this Trojan is designed specifically to make money. It generates web traffic, collects sales leads for other dubious sites, and tries to fool the victim into paying for useless software. If those tricks don't work it can kick up the threat level by downloading additional malicious or misleading programs.

Pernicious threats like this one, threats that sometimes get past normal security, are precisely the target for Symantec's free Norton Power Eraser tool. I advised Lance to try the beta version of Norton Power Eraser 1.5, released today in conjunction with the Norton 360 Version 5 public beta. This update gives Norton Power Eraser the new ability to draw on Symantec's massive Norton Insight database to help identify threats.

Alas, Norton Power Eraser isn't yet powerful enough to remove this particular threat. Symantec supplied a brand new removal tool and reported that the removal techniques from this tool will eventually be merged into NPE. I predict eventual success, but jury is still out as the removal tool takes quite a while to finish its scan (eight hours on my clean test system).

If you click on a search link and it goes to the wrong place once, that might be a fluke. If it happens multiple times you've got a problem. Update your antivirus and run a full scan, seek a threat-specific removal tool online, or try a free tool like Norton Power Eraser. You don't want to leave a threat like Tidserv running loose on your computer.