Solved

rootkit.win32.tdss.tdl4 Infection, cannot remove.

Posted on 2010-09-16
4,401 Views
Last Modified: 2013-11-22
Hello,
Here is an annoying one:
Could not get to anything with "windowsupdate" mentioned.
Random popups.
Random blue-screens.

Finally ran TDSS killer from Kaspersky and it detected:
\HardDisk0\MBR - Rootkit.win32.TDSS.tdl4

I select User Action: Cure
"Will be cleaned on next restart"  Restart now.

Immediately scan after reboot and same exact thing.  It seems to be replicating itself.

MalwareBytes and MS Security Essentials full scans detect nothing.

Any ideas?
Question by: devoleb
13 Comments

Expert Comment by dbrunton (LVL 48), ID: 33696207

Expert Comment by Zach2001 (LVL 3), ID: 33696317
I would start with a dedicated tool for that nasty: http://support.kaspersky.com/viruses/solutions?qid=208280684
Then with an offline scan using a LiveCD - eg: http://research.pandasecurity.com/security/safecd/
(Safemode a good idea for the tool, I would think)

Expert Comment by Thomas Zucker-Scharff (LVL 27), ID: 33696545
For most rootkits you should do as Zach2001 suggests. Take a look at my article on rootkits and rootkit removal tools:

http://www.experts-exchange.com/Virus_and_Spyware/Anti-Virus/A_2245-Anti-rootkit-software.html

Expert Comment by B H (LVL 24), ID: 33696637
I had a client with this a few days ago... ESET's online scanner will do it for you:
http://www.eset.com/online-scanner

Expert Comment by B H (LVL 24), ID: 33696647
By the way, when I had a machine with that, it was sending spam... lots per second... so much so that the ISP shut down the connection. You might want to temporarily block outbound port 25 in your router.

Expert Comment by Sudeep Sharma (LVL 30), ID: 33696988
Hi,

As suggested by Zach2001, TDSSKiller from Kaspersky would fix this; if it doesn't, then try ComboFix:

Download Combofix
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Tutorial on how to use combofix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post logs here for further analysis.

Sudeep

Author Comment by devoleb, ID: 33698581
Hi guys,
Thanks for all the replies, but no luck so far.

As stated in the original post, the reason I know that this laptop has this rootkit.win32.tdss.tdl4 is because I specifically ran the Kaspersky TDSSKiller application.  Version 2.4.2.1 to be exact.

It detects it.  Says it will remove on next reboot.  And upon rebooting I run the tool again, and it detects it again, just as before.  I just verified it does the same thing in Safe Mode.

I tried the Panda SafeCD. Burned to CD-ROM, booted, full scan (took ~50 minutes), detected *nothing*.
I also downloaded the only Kaspersky boot disk I could find, but the definitions were from 2009. It, too, detected *nothing*.

I also tried the full ESET online scanner. Took about 30 minutes and it actually removed remnants of AntiVirus 2010 from a while ago. But no TDSS rootkit detection.

I'm going to try ComboFix now. Will post log in a few.

Author Comment by devoleb, ID: 33698700
Ugh,

So I ran ComboFix.exe; it had me install the Recovery Console. Started the steps and got a loud beep: "ComboFix has detected rootkit activity, reboot". Restarted the computer and ComboFix resumed.

Got to around step 42 and blue screened.
Restart, bluescreen after Desktop loads.  I would love to post the combofix log, but it has yet to complete.

This rootkit is ridiculous.  Help

Accepted Solution by optoma (LVL 22), earned 250 total points, ID: 33699299
Looks like a Bootkit
Try Hitmanpro as it detects them now
http://www.surfright.nl/en/hitmanpro

After reboot, let it rescan and then try Combofix and post logs
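The accepted answer's diagnosis is that a detection which returns after a "cure" and a reboot points at the boot sector rather than at a file. A defender's check that follows from that is to record a baseline of the MBR from a known-clean system and later compare the boot-code region, disk signature and partition table against it. The script below is an added example, not code from this thread or from TDSSKiller, HitmanPro or ComboFix; the 512-byte sector it parses is constructed inline, and `read_mbr` is a hypothetical helper that would read the first sector of a disk image or raw device on a real system.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440           # boot code occupies bytes 0..439; the disk signature follows at 440..443
PART_TABLE_OFFSET = 446       # four 16-byte partition entries at 446..509
PART_ENTRY_FMT = "<B3xB3xII"  # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
MBR_SIGNATURE = b"\x55\xAA"   # boot signature at bytes 510..511


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Build a constructed 512-byte MBR for this example (not captured from a real disk):
    the given boot code, a fixed disk signature and one bootable NTFS partition."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    disk_signature = b"\x12\x34\x56\x78"  # constructed value
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 204800)
    table = entry + b"\x00" * 48          # remaining three entries unused
    return code + disk_signature + b"\x00\x00" + table + MBR_SIGNATURE


def read_mbr(path: str) -> bytes:
    """Hypothetical helper: read the first sector of a disk image file (or, with
    administrator rights on Windows, a raw device such as \\\\.\\PhysicalDrive0)."""
    with open(path, "rb") as f:
        return f.read(SECTOR_SIZE)


def parse_mbr(sector: bytes) -> dict:
    """Split a sector into the fields worth baselining: a hash of the boot code,
    the disk signature, the four partition entries and the 0x55AA check."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(PART_ENTRY_FMT, sector, PART_TABLE_OFFSET + 16 * i)
        partitions.append({"status": status, "type": ptype, "lba_start": lba, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": sector[440:444].hex(),
        "partitions": partitions,
        "signature_ok": sector[510:512] == MBR_SIGNATURE,
    }


def check_mbr(sector: bytes, baseline: dict) -> list:
    """Compare a freshly read MBR against a baseline recorded on a known-clean system.
    Returns human-readable findings; an empty list means nothing changed."""
    current = parse_mbr(sector)
    findings = []
    if not current["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if current["boot_code_sha256"] != baseline["boot_code_sha256"]:
        findings.append("boot code differs from baseline")
    if current["disk_signature"] != baseline["disk_signature"]:
        findings.append("disk signature differs from baseline")
    if current["partitions"] != baseline["partitions"]:
        findings.append("partition table differs from baseline")
    for i, p in enumerate(current["partitions"]):
        if p["status"] not in (0x00, 0x80):
            findings.append(f"partition {i}: invalid status byte 0x{p['status']:02x}")
        if p["type"] != 0 and p["sectors"] == 0:
            findings.append(f"partition {i}: nonzero type with zero length")
    return findings


if __name__ == "__main__":
    clean = build_sample_mbr(b"\xEB\x3C\x90")      # constructed: a jump at the start of the boot code
    baseline = parse_mbr(clean)                     # what you would record while the system is known clean
    altered = build_sample_mbr(b"\xE9\x00\x01")    # constructed: same partitions, different boot code
    print("clean  :", check_mbr(clean, baseline))
    print("altered:", check_mbr(altered, baseline))
```

The comparison deliberately hashes only the first 440 bytes, so a changed boot code is reported separately from a changed partition table; a partition table that changes on its own is a different kind of event (repartitioning, imaging) and should be investigated rather than assumed malicious. Since code running in the boot chain can filter what a live system reads from the disk, take both the baseline and the later read from an offline boot where possible.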
 
Expert Comment by pmerjo (LVL 2), ID: 33700452
Do you know which exact file it is? Rather than delete it, go to its security settings and remove all permissions. This would effectively neuter the file.

Expert Comment by Thomas Zucker-Scharff (LVL 27), ID: 33701121
You might consider trying to clean from a CD/USB boot first. I would suggest SARDU. Once you download and create the SARDU boot device (USB is nicer since it can have over 4.5 GB of apps), boot from that device and run the various rootkit cleaners and basic cleaners, then try booting from the infected OS and running them again.

SARDU article: http://www.experts-exchange.com/Storage/Misc/A_3038-Boot-Disks-UBCD-UBCD4Win-and-SARDU.html

Author Closing Comment by devoleb, ID: 33701591
Optoma!  

Hitmanpro was my savior! Download, double-click, ~5 min scan and it detected not only the rootkit, but also quite a few other things (like an IE proxy that wasn't visible by looking at Internet Options).

It said it would remove rootkit on reboot.  I reboot.  Re-ran Hitman, clean.  Re-ran TDSSKiller, clean!  Tried going to windowsupdate, success!

Looks like I have a new tool for my arsenal.  This has truly been a headache for me.  I've honestly never seen one as persistent as this.
While ComboFix is usually very useful, it just could never complete a full scan with this particular kit.  The last attempt it got to step 50-something before a bluescreen hit.  So I was never able to actually get a CF log.  Thank you all for the help.  I really was going down the list.  The SARDU boot CD was next.

For any other people that may have this issue, is there any way to get a log file of Hitman Pro?  When it did the scan, I just let it reboot without looking for a log option.

Expert Comment by optoma (LVL 22), ID: 33702104
Good to know it's sorted :)
The proxy is not visible, but Hitmanpro, CF, HijackThis etc. detect it.

After Hitmanpro scans, there is a "save Xml log" tag which you can use to save the log before you hit the reboot choice, but it doesn't matter now as the second scan was clean.

No harm to run CF again. It should run ok now.

Question has a verified solution.