I have been bouncing my head off several brick walls trying to figure out what was going on with a friend's computer. In a nutshell, Windows Update would fail to load and I saw some redirection that was not, ummm, normal (is redirection ever normal?). They had TrendMicro loaded and at some point loaded SuperAntiSpyware and Malwarebytes in an effort to fix said issues. All had the computer listed as clean. I kenned that it might be a rootkit (after I ran a few other prophylactic packages that also came up clean), so ran Sophos, Panda and McAfee's products (fwiw, in that order). They didn't blip either.
Anyway, Googled my way to this site, found the DDS tool, ran it, checked the log file, *finally* located the culprit, found another forum entry with a similar error, self-medicated with the TDSSKiller, and am now happy to report the machine is finally updating.
That all said, I was curious if anyone knew:
- what is the usual attack vector of TDL4 (so I can give my friend a probable insertion vector)?
- if it resides anywhere else on the computer such that it'll pop back up?
- if other computers on the network are at risk simply by co-existing on the same LAN?
- if TDL4 is particularly stealthy? The first 3 anti-rootkits never bleeped at its existence, and I wonder how many more I could have gone through before I found it.
Also, after I get this computer patched and purring, would you be willing to look at the generated logs to ensure it is not harboring any other items?
Edited by Orange Blossom, 15 November 2010 - 07:07 PM.
Moved to AV forum. ~ OB