TDL4 Questions

9 replies to this topic

#1 jaxoat

  • Members
  • 14 posts

Posted 15 November 2010 - 11:06 AM

First, kudos for the tool set and public service. I work with computers for a living, but our environment is pretty tight and we don't (generally) have to deal with things like TDL4. That said...

I have been bouncing my head off several brick walls trying to figure out what was going on with a friend's computer. In a nutshell, Windows Update would fail to load and I saw some redirection that was not, ummm, normal (is redirection ever normal?). They had TrendMicro loaded and at some point loaded SuperAntiSpyware and Malware Bytes in an effort to fix said issues. All had the computer listed as clean. I kenned that it might be a rootkit (after I ran a few other prophylactic packages that also came up clean) so ran Sophos, Panda and McAfee's products (fwiw, in that order). They didn't blip either.

Anyway, Googled my way to this site, found the DDS tool, ran it, checked the log file, *finally* located the culprit, found another forum entry with a similar error, self-medicated with the TDSSKiller, and am now happy to report the machine is finally updating. :thumbsup:

That all said, I was curious if anyone knew:
  • what is the usual attack vector of TDL4 (so I can give my friend a probable insertion vector)?
  • if it resides anywhere else on the computer such that it'll pop back up?
  • if other computers on the network are at risk simply by co-existing on the same LAN?
  • if TDL4 is particularly stealthy? The first 3 anti-rootkits never bleeped of its existence, and I wonder how many more I could have gone through before I found it.

Also, after I get this computer patched and purring, would you be willing to look at the generated logs to ensure it is not harboring any other items?

Thanks!

Edited by Orange Blossom, 15 November 2010 - 07:07 PM.
Moved to AV forum. ~ OB

The secrets to a successful marriage:

For Him: When she's right, she's right. When she's wrong, she's right.
For Her: You can tell him what to do or how to do it, but you cannot do both.


#2 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,492 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 16 November 2010 - 09:39 AM

TDL3/TDL4 (Alureon) are the third and fourth generations of the TDSS rootkit, which hides itself on a system by infecting system files/drivers like atapi.sys, a common target because it loads early during the boot process and is difficult to detect. Newer variants, however, can target a number of other legitimate drivers in the Windows drivers folder and the Master Boot Record (MBR). Common symptoms/signs of this infection include:

  • Google search results redirected as the malware modifies DNS query results.
  • Infected (patched/forged) files in the Windows drivers folder.
  • Infected Master Boot Record.
  • Slowness of the computer and poor performance.
  • Fake alerts indicating the computer is infected.
  • Internet Explorer opening on its own.
  • BSODs as described in this article.
For more specific analysis and explanation of the infection, please refer to:

Edited by quietman7, 16 November 2010 - 09:51 AM.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
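A defender-side check for the "Infected Master Boot Record" symptom listed in Post #2, added here as an example and not code from this thread or from any tool it names: it parses a 512-byte MBR, validates the 0x55AA boot signature and partition table, and compares the boot-code region against a SHA-256 baseline taken from a known-clean system. The sample sectors are constructed inline; the device path in the comment is a standard Windows name and reading it requires administrator rights.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446          # x86 boot code occupies the bytes before the partition table
PARTITION_TABLE_OFF = 446
PARTITION_ENTRY_LEN = 16
BOOT_SIGNATURE = b"\x55\xaa"  # last two bytes of a valid MBR


def parse_mbr(sector: bytes) -> dict:
    """Parse a 512-byte MBR: boot-code hash, non-empty partition entries, signature check."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE}-byte sector, got {len(sector)}")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFF + i * PARTITION_ENTRY_LEN
        # entry layout: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype == 0:
            continue  # empty slot
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
        "signature_ok": sector[MBR_SIZE - 2:] == BOOT_SIGNATURE,
    }


def boot_code_modified(sector: bytes, baseline_sha256: str) -> bool:
    """True when the boot-code region no longer matches the baseline from a clean system."""
    return parse_mbr(sector)["boot_code_sha256"] != baseline_sha256


# Constructed sample: a minimal boot stub and one bootable NTFS (type 0x07) partition at LBA 63.
_clean_code = b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * (BOOT_CODE_LEN - 5)
_entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 204800)
CLEAN_MBR = _clean_code + _entry + b"\x00" * 48 + BOOT_SIGNATURE
CLEAN_BASELINE = parse_mbr(CLEAN_MBR)["boot_code_sha256"]

# Constructed "modified" sector: first boot-code byte differs, partition table and signature intact,
# which is why a signature check alone is not enough and the baseline hash is needed.
MODIFIED_MBR = bytes([0xE9]) + CLEAN_MBR[1:]

if __name__ == "__main__":
    # On a live Windows host an administrator would read the first 512 bytes of
    # r"\\.\PhysicalDrive0" (a standard Windows device path) instead of the sample below.
    for name, sec in (("clean", CLEAN_MBR), ("modified", MODIFIED_MBR)):
        print(name, "boot code CHANGED" if boot_code_modified(sec, CLEAN_BASELINE) else "matches baseline")
```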

#3 rmagnus

  • Members
  • 2 posts

Posted 16 November 2010 - 02:34 PM

I just got rid of TDL4, which had driven me crazy for a week. First I was only able to boot in safe mode, then I reinstalled XP SP3 but Windows Update was disabled and I kept getting the Generic Host errors and SVCHOST errors. Also got the ads popping up in IE and Firefox. Also, Microsoft Security Essentials would not update, although I was able to do so by downloading the updates manually and running locally.

After reading this post on Bleeping Computer: http://www.bleepingcomputer.com/forums/topic318418.html I decided to try using Combofix, which seems to have done the trick. It detected and removed TDL4. Windows update now works and so far this system has been stable.

I had been using MSE and the Windows Firewall, but this got through them. I don't even recall downloading any programs before it happened. MSE detected a trojan downloader openstream.AM and a trojan clicker Yabector.B on a full scan (but not on a quick scan) but removing them didn't help. Spybot S&D didn't detect any adware other than a few cookies. I then tried Avira, which also didn't detect anything on a quick scan, but crashed halfway through a full scan. Finally I decided to try ComboFix, which worked.

Anyhow, I very much appreciate this website and the information and tools you make available.

#4 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,492 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 16 November 2010 - 03:23 PM

rmagnus, I'm glad to hear you were successful in dealing with the infection. However, it's not a safe practice to be following specific instructions provided to someone else, especially if they were given in the Virus, Trojan, Spyware, and Malware Removal Logs forum. Those were most likely given under the guidance of a trained staff helper to fix that particular member's problems, NOT YOURS, after careful evaluation of the malware involved. Before taking any action, the helper must investigate the nature of the infection and then formulate a fix for the victim. Although your problem may be similar, the solution could be different based on the kind of hardware, software, system requirements, etc. and the presence of other malware. Using someone else's fix could lead to disastrous problems with your operating system.

In that particular thread, the Helper recommended using ComboFix. Please be aware that no one should be using ComboFix unless specifically instructed to do so by a Malware Removal Expert who can interpret the logs. It is a powerful tool intended by its creator to be "used under the guidance and supervision of an expert." Using this tool incorrectly could lead to disastrous problems with your operating system, such as preventing it from ever starting again. When issues arise with new malware infections or other security tools conflicting with ComboFix, experts are aware of them and can advise users what should or should not be done while providing assistance. Those attempting to use ComboFix on their own do not have such information and are at risk when running the tool in an unsupervised environment. Please read the pinned topic ComboFix usage, Questions, Help? - Look here.

You were fortunate in this instance that no unforeseen consequences or serious problems occurred. In the future, it's best that you tell us what specific issues YOU are having rather than point to someone else.

#5 rmagnus

  • Members
  • 2 posts

Posted 16 November 2010 - 08:42 PM

Quietman7, Oops. I was just trying to keep from bothering people with my problem. I had backed up my data files, and it's an old computer, so I took the chance. But in the future, I'll take your advice. Thank you for your comment.

#6 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,492 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 16 November 2010 - 09:03 PM

You're welcome.

#7 jaxoat
  • Topic Starter

  • Members
  • 14 posts

Posted 20 November 2010 - 02:30 PM

@quietman7

Thanks for the material. I read through most of it and am astonished at the sophistication that folks will adopt to inflict so much trouble on unsuspecting folks.

Regards.


#8 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,492 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 20 November 2010 - 02:35 PM

You're welcome. Safe surfing and have a malware free day.

#9 chromebuster

  • Members
  • 899 posts
  • Gender:Female
  • Location:the crazy city of Boston, In the North East reaches of New England

Posted 20 November 2010 - 05:02 PM

It certainly seems that these psychos like rogues too. Because isn't one of its things to redirect to rogue sites? And you asked when is redirection ever normal? The only time it's normal is when it happens within the context of an already launched site. For instance, after posting on certain message boards, there's a redirection back to the page of the topic. Somebody correct me if I'm wrong on that.

The AccessCop Network is just me and my crew. 

Some call me The Queen of Cambridge


#10 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,492 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 20 November 2010 - 05:31 PM

isn't one of its things to redirect to rogue sites?

Yes. See Post #2 for symptoms.