Avast Free 6.0 is giving me:
C:\WINDOWS\system32\drivers\termdd.sys
Threat: Rootkit: system modification
When I ask for any of the available options (move to chest, repair, delete) Avast says it will do it on the next reboot. It doesn’t, because even if I let Avast do it’s pre-boot (Safe Mode?) scan, the same advice as above comes up next time I run the same Avast scan.
How can I find out whether or not this is a real problem?
Thanks in advance.
C:\WINDOWS\system32\drivers\termdd.sys
upload suspicious file(s) to www.virustotal.com and test with 44 malware scanners
when you have the result, copy the url in the address bar and post it here for us to see
alternative
Jotti http://virusscan.jotti.org/en
VirSCAN http://virscan.org/
Metascan http://www.metascan-online.com/
Virustotal says I’m clean:
Just trying the alternative,
Thanks
Aha!! aswMBR says:
21:51:25.812 OS Version: Windows 5.1.2600 Service Pack 3
21:51:25.812 Number of processors: 2 586 0xF0D
21:51:25.812 ComputerName: DR-6SYOQK06ZSJH UserName: dr
21:51:26.281 Initialize success
21:51:26.390 AVAST engine defs: 11091900
21:51:40.875 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdePort2
21:51:40.875 Disk 0 Vendor: WDC_WD1600AAJS-00PSA0 05.06H05 Size: 152626MB BusType: 3
21:51:40.890 Disk 1 \Device\Harddisk1\DR1 → \Device\Ide\IdeDeviceP3T0L0-19
21:51:40.890 Disk 1 Vendor: ST3120026AS 3.18 Size: 114473MB BusType: 3
21:51:40.890 Device \Device\Ide\IdeDeviceP2T0L0-6 → ??\IDE#DiskWDC_WD1600AAJS-00PSA0___________________05.06H05#5&2932390f&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} not found
21:51:40.890 Device \Driver\atapi → DriverStartIo 86823af1
21:51:42.906 Disk 0 MBR read successfully
21:51:42.906 Disk 0 MBR scan
21:51:42.968 Disk 0 Windows XP default MBR code
21:51:42.968 Disk 0 scanning sectors +312576705
21:51:43.062 Disk 0 scanning C:\WINDOWS\system32\drivers
21:51:58.093 File: C:\WINDOWS\system32\drivers\termdd.sys INFECTED Win32:Alureon-FZ
21:52:00.343 Service scanning
21:52:01.390 Modules scanning
21:52:20.781 Disk 0 trace - called modules:
21:52:20.812 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86823ecc]<<
21:52:20.812 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x86ba5ab8]
21:52:20.812 3 CLASSPNP.SYS[f7677fd7] → nt!IofCallDriver → \Device\00000071[0x86b22f18]
21:52:20.828 5 ACPI.sys[f750e620] → nt!IofCallDriver → [0x86b17d98]
21:52:20.828 [0x868d3da0] → IRP_MJ_CREATE → 0x86823ecc
21:52:21.281 AVAST engine scan C:\WINDOWS
21:52:27.156 AVAST engine scan C:\WINDOWS\system32
21:53:45.281 AVAST engine scan C:\WINDOWS\system32\drivers
21:53:55.390 File: C:\WINDOWS\system32\drivers\termdd.sys INFECTED Win32:Alureon-FZ
21:53:57.390 AVAST engine scan C:\Documents and Settings\dr.DR-6SYOQK06ZSJH
21:54:57.000 Disk 0 MBR has been saved successfully to “C:\Documents and Settings\dr.DR-6SYOQK06ZSJH\Desktop\MBR.dat”
21:54:57.000 The log file has been saved successfully to “C:\Documents and Settings\dr.DR-6SYOQK06ZSJH\Desktop\aswMBR.txt”
These are seriously funkly tools! Shall I just Google Alureon-FZ or is there a preferred option? Many thanks
Some opinions - please? Having Googled Alureon, Bill Gates says use the Windows Malicious Software tool, which I have always refused to download, on the grounds that I don’t want any conflict (remember Norton?) between Avast, which has always served me well and some other programme. On the other hand, Avast (automatically updated) has allowed Alureon into my machine (Sygate firewall, Spybot and SpywareBlaster protected). Advice, about getting rid of Alureon and stopping any other attacks, please?
OK try this
Quick scan, or full scan, or does it matter?
aswMBR only have one scan!..OBS you mean the dropp down box for AV engine, leave it at quick
Unfortunately this is a TDL3 type infection which aswMBR cannot kill… But I do have a tool that will
Please read carefully and follow these steps.
[*]DownloadTDSSKiller and save it to your Desktop.
[*]Extract its contents to your desktop.
[*]Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
http://i1224.photobucket.com/albums/ee362/Essexboy3/TDSSKiller%20shots/TDSSKillermain.png
[*]If an infected file is detected, the default action will be Cure, click on Continue.
http://i1224.photobucket.com/albums/ee362/Essexboy3/TDSSKiller%20shots/TDSSKillerMal-1.png
[*]If a suspicious file is detected, the default action will be Skip, click on Continue.
http://i1224.photobucket.com/albums/ee362/Essexboy3/TDSSKiller%20shots/TDSSKillerSuspicious.png
[*]It may ask you to reboot the computer to complete the process. Click on Reboot Now.
http://i1224.photobucket.com/albums/ee362/Essexboy3/TDSSKiller%20shots/TDSSKillerCompleted.png
[*]If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
[*]If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of “TDSSKiller.[Version][Date][Time]_log.txt”. Please copy and paste the contents of that file here.
good you where not in bed yet ;D
Essexboy - I ran TDSSKiller and it objected to termdd.sys and then produced a log, but I hit the wrong tit, so I don’t have a log for you. However, running a second time says I’m clean, so does Avast. One rootkit gone. Tell me, what was the rootkit for - are my (KMeleon) saved passwords at risk? If Avast didn’t stop it getting on my machine, should I be using something else? Pontus - thanks for your help and thank you and Essexboy both for your expertise. Cheers, David
Correction here - I said “what was the rootkit for” when I should have asked “what did the people who wrote it intend to achieve?”
Alureon
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Win32%2FAlureon
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Search.aspx?query=alureon
so you may want to change your passwords…
also check back tomorrow to see if essexboy have anything to say…he may have logged out for today
If Avast didn't stop it getting on my machine, should I be using something else?Nope.....as no security program have 100% detection
Passwords changed. So - please tell me - did Alureon go into my hard disk, or did it just observe and note what I did with my keyboard? Should I (against my better judgement) be using the Windows Malicious Software Tool? Thanks
To date I have removed this from systems running every type of AV both paid and free - so no one is immune
Although Avast will block any attempts that it makes to connect to the net
Could you run an OTL scan now please to ensure that there are no remnants
Download OTL to your Desktop
[*]Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
[*]Select All Users
[*]Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%*.exe
/md5start
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
C:\Windows\assembly\tmp\U /s
CREATERESTOREPOINT
[*]Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
[*]When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
[*]Attach both logs
Essexboy - thanks for staying with it and apologies for the delay - I’ve been away the last few days.
I downloaded OTL and ran it, and it produced OTL.txt and Extras.txt as you said. I then noticed I’d forgotten to click “Scan All Users” before scanning, so I did it again that box ticked. However, it then only gave me one file on completion, OTL.txt. I’ve tried running it again a few times, but still get just the one notepad file as a result. Herewith then, are “OTL single user.txt” and Extras single user.txt" (the results of the first scan with “Scan All Users” unselected, together with the single file, “OTL All users.txt”. Hope this makes sense. Many thanks.
After the first run OTL will only produce one log ;D
Nothing readily apparent there
Download aswMBR.exe ( 1.8mb ) to your desktop.
Double click the aswMBR.exe to run it Click the “Scan” button to start scan
http://i1224.photobucket.com/albums/ee362/Essexboy3/aswMBR%20shots/aswMBRScan.gif
On completion of the scan click save log, save it to your desktop and post in your next reply
http://i1224.photobucket.com/albums/ee362/Essexboy3/aswMBR%20shots/aswMBRsavelog.gif
OK, aswMBR.txt attached