How To Detect A 64-bit Alureon Rootkit Infection

Martin Brinkmann
Sep 1, 2010
Updated • Jan 1, 2013

Alureon, or TDL, TLD3 and Tidserv, is the first rootkit that can infect 64-bit Windows PCs. Before that, only 32-bit systems were affected by rootkits, and many Windows users realized that in February, when Microsoft patch MS10-015 caused infected machines to display a blue screen. It obviously was not Microsoft's fault back then, which was first assumed by professionals and users alike. It turned out after some research that the TLD3 rootkit was responsible for that behavior.

The developers of the rootkit have improved it considerably since then, and managed to add the ability to infect 64-bit Windows systems. That's a first, and security vendors are alarmed about that trend.

However, the authors of these attacks have not been resting. Just under a month ago, we became aware of a new variant of Alureon that infects the Master Boot Record (MBR) instead of an infected driver. While this new variant did not affect 64-bit machines, it had an inert file called ldr64 as part of its virtual file system. More recently, we discovered an updated variant that successfully infected 64-bit machines running Windows Vista or higher, while rendering 64-bit Windows XP and Server 2003 machines unbootable.

Many security companies have already added detection of the 64-bit variant to their security applications, Microsoft for instance added signatures to Microsoft Security Essentials in the beginning of August.

Still, Windows 64-bit owners may want to verify for themselves that the rootkit is not installed on their operating system. As the information above suggest, Windows XP and Windows Server 2003 owners will immediately notice that something is wrong, as their operating system will fail to boot. Windows Vista or Windows 7 64-bit users should read on.

There are at least two options to do that, all with tools already included in the operating system:

Open a command prompt, with Windows-R, entering cmd and enter.

Use the command diskpart to open Diskpart in a new command line window.

Enter lis dis in the new prompt, if it remains empty the computer is infected with the rootkit. If the disks display, it is not.


windows 64 bit rootkit detection
windows 64 bit rootkit detection



The second option to detect the 64-bit rootkit is the following: Launch Disk Management from the Computer Management pane.

If it does not show disks, it means the system is infected with the rootkit. If it shows disks, everything is fine.

Infected System


Additional information are available at Technet and Symantec.

How to Remove the Rootkit if the system is infected:

Several programs are able to remove the rootkit and repair the MBR so that the system boots normally after the repair.

Hitman Pro Beta 112 and later can do it for instance.


Tutorials & Tips

Previous Post: «
Next Post: «


  1. Wade said on July 26, 2012 at 5:50 am

    completed both test checked good but, I still have a rootkit installed still redirecting my web browser (firefox) :(

  2. hak01 said on September 2, 2010 at 12:12 am

    easy to detect the presence. but very difficult to isolate the infected file. most probably it would be a legitimate system file.

    example: C:\WINDOWS\system32\drivers\afd.sys

  3. Ross said on September 1, 2010 at 8:20 pm

    If it’s as easy to detect as that, then it’s not a very good rootkit, is it?

  4. Gadou said on September 1, 2010 at 1:54 pm


    How do you save / restore a dual boot Linux / Windows 7 ?

    1. Martin said on September 1, 2010 at 3:25 pm

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.