Google Installer Virus: How to Identify This Trojan/Rootkit & Next Steps


What is the Google Installer Virus?

Google is the company whose stated motto is “Don’t be evil.” However, the Google Installer Virus, also known as the GoogleUpdate.exe virus and later as the Google Redirect Virus and the Google Chrome virus, has certainly done a lot of evil on computers.

While Google itself did not make, promote or spread the virus, some users believed the company did, because many Google update and installer files showed an error upon opening. The Chrome browser and GoogleUpdate.exe were particularly affected: every time a user with this infection attempted to install or use the browser, it would close and display an error message stating that “Google Installer encountered an error and needed to close.” These were the words that made users believe Google distributed the virus. The writers of the virus disguised its files to look like Google’s, which is probably how it remained on some people’s systems for so long.

The virus consists mainly of the underlying Trojan/rootkit detected as “RTKT_TDSS.BB”, which is what allows it to wreak havoc on a computer. Known by various names depending on which anti-virus or anti-malware program is used, this particular infection was first discovered in the beginning of August 2008. The underlying Trojan/rootkit has a low infection rate but a dangerously high damage rate, and it continues to infect computers worldwide.

What Does the Google Installer Virus Do?

Some of the more common names for this virus when detected by various security programs include RTKT_TDSS.BB (Trend Micro), Backdoor.Tidserv and Hacktool.Rootkit (Symantec), Troj/Rootkit-FM (Sophos), TR/Rootkit.Gen (Avira), Trojan.Win32.Tdss.uqa (Kaspersky), Backdoor:W32/TDSS (F-Secure), and others. Like most infections, it also creates its own registry keys, which include the following:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run

  • HKEY_CURRENT_USER\Software\Mozilla\affid=

  • HKEY_CURRENT_USER\Software\Mozilla\subid=

  • HKEY_LOCAL_MACHINE\SOFTWARE\TDSS

  • HKEY_LOCAL_MACHINE\SOFTWARE\TDSS\versions

  • HKEY_LOCAL_MACHINE\SOFTWARE\H8SRT\injectors

  • HKEY_LOCAL_MACHINE\SOFTWARE\H8SRT

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\H8SRTd.sys

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TDSServ

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TDSServ.sys

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\TDSServ.sys

The underlying infection of the Google installer virus also creates the following files under the Windows system folder (%System%):

  • %System%\spool\prtprocs\[TEMPORARY FILE NAME].tmp (this is the executable file)

  • %System%\drivers\TDSServ.sys and %System%\drivers\H8SRTd.sys

  • %System%\TDSS[RANDOM VALUE].log

  • %System%\TDSS[RANDOM VALUE].dat

  • %System%\TDSS[RANDOM VALUE].dl

This installer virus also attempts to access the Internet by creating a backdoor in the spoolsv.exe process, which can be found in the Task Manager of Windows-based computers with a printer installed. The infection injects its malicious code into this process, thus granting itself access to the Internet. Once this is done, the infection attempts to connect to websites where a bot is ready to deploy more malware to the user’s computer. By this point, the infection is firmly rooted and very difficult to remove.
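The registry keys, dropped files and spoolsv.exe behaviour described above can be checked for directly. The following is an added example written for this page, not code from the original article or from any vendor named here: a read-only PowerShell sweep that reports the listed artifacts without modifying anything. The key, driver and file names come from the article; the function names, the `.dl*` wildcard (the article lists `.dl`), the private-address filter used to ignore LAN traffic, and the reliance on `Get-NetTCPConnection` (Windows 8 / Server 2012 or later) are this example’s own assumptions.

```powershell
# Added example, not from the original article: a read-only sweep for the TDSS /
# "Google Installer Virus" artifacts listed above. Run from an elevated PowerShell
# prompt on the suspect machine. Nothing here modifies or deletes anything.
# Registry keys, driver and file names come from the article; the function names,
# the $RegistryIndicators list and the report layout are this example's own.

$SystemDir = [Environment]::GetFolderPath('System')   # normally C:\Windows\System32

# Keys that have no legitimate reason to exist. The Run key and HKCU\Software\Mozilla
# exist on clean machines too, so they are inspected for values below rather than
# flagged merely for being present.
$RegistryIndicators = @(
    'HKLM:\SOFTWARE\TDSS',
    'HKLM:\SOFTWARE\TDSS\versions',
    'HKLM:\SOFTWARE\H8SRT',
    'HKLM:\SOFTWARE\H8SRT\injectors',
    'HKLM:\SYSTEM\CurrentControlSet\Services\H8SRTd.sys',
    'HKLM:\SYSTEM\CurrentControlSet\Services\TDSServ',
    'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TDSServ.sys',
    'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\TDSServ.sys'
)

function New-Finding([string]$Type, [string]$Artifact) {
    [pscustomobject]@{ Type = $Type; Artifact = $Artifact }
}

function Find-TdssRegistryArtifacts {
    foreach ($key in $RegistryIndicators) {
        if (Test-Path -LiteralPath $key) { New-Finding 'Registry' $key }
    }
    # The article lists "affid=" and "subid=" under HKCU\Software\Mozilla; check for
    # them both as subkeys and as value names, since the listing does not say which.
    $mozilla = 'HKCU:\Software\Mozilla'
    if (Test-Path -LiteralPath $mozilla) {
        $values = (Get-Item -LiteralPath $mozilla).Property
        foreach ($name in 'affid=', 'subid=') {
            if ((Test-Path -LiteralPath "$mozilla\$name") -or ($values -contains $name)) {
                New-Finding 'Registry' "$mozilla\$name"
            }
        }
    }
}

# The per-user Run key is legitimate; list every entry so an unfamiliar one
# (for example, a path under %System%\spool\prtprocs) stands out for review.
function Get-UserRunEntries {
    $run = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    if (Test-Path -LiteralPath $run) {
        $item = Get-Item -LiteralPath $run
        foreach ($name in $item.Property) {
            New-Finding 'RunEntry (review)' "$name = $($item.GetValue($name))"
        }
    }
}

function Find-TdssFileArtifacts {
    # Drivers, %System%\TDSS[RANDOM].log/.dat/.dl and the dropped .tmp in the
    # print-processor directory. The ".dl*" wildcard is this example's choice:
    # the article lists ".dl", and the wildcard also matches any longer extension.
    $patterns = @(
        (Join-Path $SystemDir 'drivers\TDSServ.sys'),
        (Join-Path $SystemDir 'drivers\H8SRTd.sys'),
        (Join-Path $SystemDir 'TDSS*.log'),
        (Join-Path $SystemDir 'TDSS*.dat'),
        (Join-Path $SystemDir 'TDSS*.dl*'),
        (Join-Path $SystemDir 'spool\prtprocs\*.tmp')
    )
    foreach ($pattern in $patterns) {
        Get-ChildItem -Path $pattern -File -Force -ErrorAction SilentlyContinue |
            ForEach-Object { New-Finding 'File' $_.FullName }
    }
}

# spoolsv.exe has no business holding established connections to Internet hosts;
# an injected backdoor talking to its controller would show up here.
# Get-NetTCPConnection needs Windows 8 / Server 2012 or later.
function Get-SpoolerInternetConnections {
    $spooler = Get-Process -Name spoolsv -ErrorAction SilentlyContinue
    if (-not $spooler) { return }
    $private = '^(127\.|::1$|10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.|fe80:)'
    Get-NetTCPConnection -OwningProcess $spooler.Id -State Established -ErrorAction SilentlyContinue |
        Where-Object { $_.RemoteAddress -notmatch $private } |
        ForEach-Object { New-Finding 'Network' "spoolsv.exe -> $($_.RemoteAddress):$($_.RemotePort)" }
}

$findings = @(Find-TdssRegistryArtifacts) + @(Find-TdssFileArtifacts) +
            @(Get-SpoolerInternetConnections) + @(Get-UserRunEntries)
$findings | Format-Table -AutoSize
```

Two caveats when reading the output. First, the Run-key rows are listed for review rather than flagged, because the key itself is normal; what matters is whether any entry points at a path the article names, such as the print-processor directory. Second, a kernel-mode rootkit can hide its own files, keys and connections from the user-mode APIs these cmdlets use, so an empty report is not proof of a clean machine; when the symptoms described in the next section are present, repeat the check by scanning the disk from boot media or another operating system. The script identifies artifacts only; removal is covered later on the page.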

Installer Virus Symptoms

The Google installer virus is a very damaging infection if left unchecked. Like all Trojans and rootkits, this one can steal personal information, stop your Internet from working and crash your computer, not to mention infect all other computers that may be on the local network. Some of the specific actions that the underlying Trojan/rootkit is known for include:

  • Browser takeover: address-bar entries are redirected to advertising pages and malware-infected websites, accompanied by excessive pop-ups of the same advertisements.

Additionally, the Chrome browser eventually crashes with an error message stating that “‘GoogleInstaller.exe’ has encountered a problem and needs to close,” and the message recurs every few minutes. This is why the infection received the name “Google Installer Virus.”

  • The user is unable to visit security advice blogs, forums or websites, and is unable to download any files.

Even when files can be downloaded, they are corrupted, meaning the user is either unable to run them or running them causes the browser or computer to hang or crash. This is especially true of anti-virus and anti-malware programs. Additionally, any security program already installed on the computer may not open, and if it does, it hangs until the process is ended from Task Manager.

The installer virus is not limited to these specific activities; they are simply some of the most common actions taken by the Google Virus. However, if any of these symptoms appear, the computer probably has the Google installer infection, and the user should perform an infection removal immediately to prevent any further damage.

Google Virus Removal

Now comes the fun part. After symptoms appear, or if the user’s current anti-virus solution recognizes the Installer Virus signatures as a detected threat, the user should remove the threat as soon as possible. Simply quarantining the threat and deleting it might work; however, because this infection is coupled with a rootkit, it is more than likely that such a removal only removes the Trojan, not the rootkit. If this happens, the rootkit will download and reinstall the infection and continue to cause havoc.

Using a removal tool such as Malwarebytes or Symantec’s Removal Tool may do the trick. If using either of these tools, or any other security program of choice, be sure to rename the files so the infection does not “know” that it is a security program. To do this, when the “Save” dialogue box appears, change the file name (“m-bam_setup.exe” for Malwarebytes, “FIX.TDSS.exe” for the Symantec Removal Tool) to “boo-hoo.exe” or a similar name. Follow the prompts to install and run the programs, and then again to delete the detected threats. If these tools do not work, manual infection removal may be the only option.

Basic Protection

The Google Installer Virus has created massive frustration for computer users everywhere. While the threat of infection is minimal, once a user is infected, the harm that can come from it is immense. The best way to prevent this — or any — infection is to always keep anti-virus and anti-malware software up to date. Additionally, because of the complexity of many recent viruses, a simple anti-virus may not detect all types of threats. Using a security program made especially for detecting rootkits, spyware, viruses, Trojans and more is recommended for the most comprehensive protection possible.

References:

  • Trend Micro ThreatInfo: RTKT_TDSS.BB

  • ThreatExpert Submission Summary

  • Symantec: Backdoor.Tidserv Removal

  • Malwarebytes Information and Download