Found TDL4 Aluroot but can't remove

system · November 15, 2011, 2:56am

Hi all,

Am at my wits end so really hoping someone can help…

Similar to a poster from back in July, Avast has detected a trojan that redirects all my google links to various sites including ebay and some dodgy anti-malware site and seems to be wayyy too clever for all the programs I’ve tried (tdss killer/hitman pro/avast bootscan/aswMBR/fixtdss). aswMBR finds it but only the FixMBR button is available after the scan - not the fix button. Avast seems to be constantly blocking malicious url’s too. I ran a full Avast scan plus boot-time scan but when complete it freezes so I can’t do anything with it. I also end up having to power off via the on/off button and reboot with a system restore as the mouse and keyboard are always locked at the windows login page. I’m using good old XP service pack 3 on a Dell Inspiron 9400 and the aswMBR log is below if that’s any help.

aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-11-15 01:08:11

01:08:11.480 OS Version: Windows 5.1.2600 Service Pack 3
01:08:11.480 Number of processors: 2 586 0xF06
01:08:11.480 ComputerName: STEVE UserName:
01:08:13.011 Initialize success
01:08:13.776 AVAST engine defs: 11111401
01:08:20.150 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP0T0L0-3
01:08:20.150 Disk 0 Vendor: Hitachi_HTS541612J9SA00 SBDOC74P Size: 114473MB BusType: 3
01:08:22.181 Disk 0 MBR read successfully
01:08:22.181 Disk 0 MBR scan
01:08:22.181 Disk 0 unknown MBR code
01:08:22.181 Disk 0 scanning sectors +234436545
01:08:22.275 Disk 0 scanning C:\WINDOWS\system32\drivers
01:08:27.836 File: C:\WINDOWS\system32\drivers\i8042prt.sys INFECTED Win32:Aluroot [Rtk]
01:08:36.022 Service scanning
01:08:38.600 Modules scanning
01:08:41.693 Module: C:\WINDOWS\system32\DRIVERS\i8042prt.sys SUSPICIOUS
01:08:50.629 Disk 0 trace - called modules:
01:08:50.660 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8ab5af10]<<
01:08:50.660 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x8ae83ab8]
01:08:50.660 3 CLASSPNP.SYS[ba0e8fd7] → nt!IofCallDriver → [0x8ac5a030]
01:08:50.660 \Driver\00001944[0x8aadc788] → IRP_MJ_CREATE → 0x8ab5af10
01:08:51.269 AVAST engine scan C:\WINDOWS
01:08:56.722 File: C:\WINDOWS\kb913800.exe INFECTED Win32:Malware-gen
01:09:00.846 AVAST engine scan C:\WINDOWS\system32
01:10:51.450 AVAST engine scan C:\WINDOWS\system32\drivers
01:10:58.527 File: C:\WINDOWS\system32\drivers\i8042prt.sys INFECTED Win32:Aluroot [Rtk]
01:11:10.962 AVAST engine scan C:\Documents and Settings\Steve Rix
01:47:06.732 AVAST engine scan C:\Documents and Settings\All Users
01:51:14.982 Scan finished successfully
01:51:50.467 Disk 0 MBR has been saved successfully to “C:\Documents and Settings\Steve\Desktop\MBR.dat”
01:51:50.482 The log file has been saved successfully to “C:\Documents and Settings\Steve\Desktop\aswMBR.txt”

system · November 15, 2011, 5:17am

 I'm using good old XP service pack 3 on a Dell Inspiron 9400

01:08:22.181    Disk 0 unknown MBR code

In that case,DELL has a cutom MBR and will be reported as unknown by aswMBR.Fixing it via aswMBR or any other tool will destroy your DELL MBR and u lose access to recovery partition.

hitman pro

can cause a collateral damage it is not recommended to use as been specified by malware removal experts.

01:08:27.836    File: C:\WINDOWS\system32\drivers\i8042prt.sys  **INFECTED** Win32:Aluroot [Rtk]

thats a good news that TDL4 isnt in the MBR.

01:08:41.693    Module: C:\WINDOWS\system32\DRIVERS\i8042prt.sys  **SUSPICIOUS**

01:08:56.722    File: C:\WINDOWS\kb913800.exe  **INFECTED** Win32:Malware-gen

01:10:58.527    File: C:\WINDOWS\system32\drivers\i8042prt.sys  **INFECTED** Win32:Aluroot [Rtk]

Seeing the above conditions it is not recommended to click fixMBR button as it may regard your pc unbootable…wait untill our malware expert essexboy arrives as i though would like to assist but it is better to take assistance from a qualified person…till then do this:

essexboy post:1:

Please download Malwarebytes’ Anti-Malware from Here or Here
Double Click mbam-setup.exe to install the application.
[*]Make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
[*]If an update is found, it will download and install the latest version.
[*]Once the program has loaded, select “Perform Quick Scan”, then click Scan.
[*]The scan may take some time to finish,so please be patient.
[*]When the scan is complete, click OK, then Show Results to view the results.
[*]Make sure that everything is checked, and click Remove Selected.
[*]When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
[*]The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
[*]Copy&Paste the entire report in your next reply.
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.

system · November 15, 2011, 10:03am

Thanks true indian! I just ran MBAM and it found and dealt with two items - see below. Although I’m still getting the Avast pop-ups that are blocking ping.exe from opening up random sites. Hopefully essexboy will be able to advise…

Malwarebytes’ Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8166

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

15/11/2011 09:55:46
mbam-log-2011-11-15 (09-55-46).txt

Scan type: Quick scan
Objects scanned: 191563
Time elapsed: 10 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) → Value: mu → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls\AppSecDll (Trojan.Agent) → Value: AppSecDll → Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

system · November 15, 2011, 12:38pm

Please attach OTL log for essexboy to review

essexboy post:1:

Download OTL to your Desktop

[*]Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
[*]Select All Users
[*]Under the Custom Scan box paste this in
.
netsvcs
%SYSTEMDRIVE%*.exe
/md5start
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
C:\Windows\assembly\tmp*.* /s
CREATERESTOREPOINT

[*]Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
[*]When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
[*]Attach both logs

To attach : Within the post select :
Additional options
Browse
Locate the OTL log
Select the OTL log

http://i1224.photobucket.com/albums/ee362/Essexboy3/Misc%20screen%20shots/SelectOTLtoattach.gif

Please ensure that all logs are saved in the ANSI format

http://i1224.photobucket.com/albums/ee362/Essexboy3/Misc%20screen%20shots/SaveAsANSI2.gif

system · November 15, 2011, 2:20pm

Lucky I have a memory stick and netbook - every time I tried to post my reply with the docs attached, the server reset in Firefox and it failed every time. Yet other sites still work (though they do keep being redirected more often than not). Anyway, here are the attached files…

system · November 15, 2011, 7:00pm

Should also add that I can’t do a normal boot up/re-boot any more (that was since the Avast boot-scan freeze). The windows welcome screen is always locked so that I can’t use the keyboard or mouse. I have to press F8 during boot up and select the ‘load last version of windows that worked normally’ option (restore point?).

essexboy · November 15, 2011, 8:01pm

Looks like you have thrown everything at it bar the kitchen sink. However, I believe I know the main culprit - so lets start

Download RogueKiller to your desktop

[*]Quit all running programs
[*]For Vista/Seven, right click → run as administrator, for XP simply run RogueKiller.exe
[*]When prompted, type 6 and validate
[]The RKreport.txt shall be generated next to the executable.
[]If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe

Please post the contents of the RKreport.txt in your next Reply.
.
NEXT
.
Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL SRV - File not found [Auto | Stopped] -- -- (wkoeaprj) O2 - BHO: (Reg Error: Value error.) - {405EA845-8131-40AD-B359-6433ADF1223D} - C:\WINDOWS\system32\bootvidd.dll File not found O2 - BHO: (no name) - {6F2F8576-1CD5-4759-8802-21CB0BECC7F2} - c:\windows\system32\dmbandu.dll File not found O3 - HKLM\..\Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - No CLSID value found. O3 - HKLM\..\Toolbar: (no name) - ID - No CLSID value found. O4 - HKU\S-1-5-21-2247744071-1403820768-2080818773-1005..\Run: [ina2je7xgnmx] C:\WINDOWS\system32\ina2je7xgnmx.exe File not found O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab (Reg Error: Key error.) O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab (Reg Error: Key error.) O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Reg Error: Key error.) O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Reg Error: Key error.) [2011/11/15 13:38:20 | 000,054,016 | ---- | M] () -- C:\WINDOWS\System32\drivers\kqdjhg.sys [2008/04/03 20:08:48 | 006,490,880 | ---- | C] () -- C:\WINDOWS\System32\lyehbwaj.dat [2008/03/27 22:09:50 | 000,035,584 | ---- | C] () -- C:\WINDOWS\System32\njthhniw.dat [2008/03/27 22:09:49 | 000,638,208 | ---- | C] () -- C:\WINDOWS\System32\hdbevbrp.dat [2008/03/27 22:09:49 | 000,043,264 | ---- | C] () -- C:\WINDOWS\System32\yhgdzaft.dat [2008/03/27 22:09:49 | 000,036,608 | ---- | C] () -- C:\WINDOWS\System32\mzalukpk.dat
:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[CREATERESTOREPOINT]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

.
FINALLY
.

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

[*]Double click on ComboFix.exe & follow the prompts.
[*]Accept the disclaimer and allow to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

[*]When finished, it shall produce a log for you.
[*]Please include the C:\ComboFix.txt in your next reply.

Notes:

Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
Do not “re-run” Combofix. If you have a problem, reply back for further instructions.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

system · November 15, 2011, 9:56pm

Hi essexboy,

I ran roguekiller - results below. I then ran OTL as instructed but upon reboot I still have a frozen mousepad and keyboard so can’t type in my password and login to windows. Only way around that is to do what I’ve been doing before - hit F8 during bootup and run the last working version of windows. But that would surely undo any good work we’ve done so far? This thing is evil!

RogueKiller V6.1.8 [11/14/2011] by Tigzy
mail: tigzyRKgmailcom
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: Steve [Admin rights]
Mode: Shortcuts HJfix – Date : 11/15/2011 21:41:10

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ File attributes restored: ¤¤¤
Desktop: Success 0 / Fail 0
Quick launch: Success 0 / Fail 0
Programs: Success 58 / Fail 0
Start menu: Success 0 / Fail 0
User folder: Success 155 / Fail 0
My documents: Success 158 / Fail 0
My favorites: Success 0 / Fail 0
My pictures: Success 0 / Fail 0
My music: Success 0 / Fail 0
My videos: Success 0 / Fail 0
Local drives: Success 1263 / Fail 0
Backup: [NOT FOUND]

Drives:
[C:] \Device\HarddiskVolume2 – 0x3 → Restored
[D:] \Device\CdRom0 – 0x5 → Skipped
[E:] \Device\Harddisk1\DP(1)0-0+12 – 0x2 → Restored

¤¤¤ Infection : ¤¤¤

Finished : << RKreport[1].txt >>
RKreport[1].txt

essexboy · November 15, 2011, 10:16pm

OK could you now run combofix - from safe mode if necessary

I see you should have all the files and folders back now

system · November 15, 2011, 10:26pm

Mouse and keyboard locked in safe mode also

Should I select the option for ‘last known good configuration’?

essexboy · November 15, 2011, 10:32pm

Yes as the kbd file is infected Combofix, should replace that - you may need to run Roguekiller again with option 6 - but we shall see

system · November 15, 2011, 10:36pm

Okay will do - do you still want me to run OTL scan first and post the log, or just go straight to combofix?

essexboy · November 15, 2011, 10:43pm

No straight to Combofix please and I will use OTL later to sweep up

system · November 16, 2011, 8:45am

Had to leave it running overnight - all looking good this morning! The log is 672kb and I can’t attach it due to the size - tried zipping it but zips aren’t allowed. I then tried pasting it in but it’s over 1000 characters in size! Bit frustrating. Will try and PM it to you

system · November 16, 2011, 8:51am

Ahh seems I can’t PM you. Any ideas? Oh and also most of my programs have disappeared!

Pondus · November 16, 2011, 10:01am

you need 20 post`s before you can do that…forum spam protection

system · November 16, 2011, 10:34am

upload the log file here:

www.mediafire.com

and then give the link of your log file download from mediafire here at your topic…

system · November 16, 2011, 10:41am

Thank you! Here is the link: http://www.mediafire.com/?485vwg5bt4tgklp

system · November 16, 2011, 10:56am

essexboy will check the log…when he is back at night ;D

system · November 16, 2011, 10:58am

Awesome - thank you very much

Found TDL4 Aluroot but can't remove

aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software Run date: 2011-11-15 01:08:11

Announcements

aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-11-15 01:08:11