TDL4 Infection

Hi, I was wondering if someone could help me out. I had Avast detect Alureon in three different files. I happen to know that this is the name for TDSS and in my case the TDL4 variant. I ran TDSSKiller, which claimed to cure the infection and no longer detects it. Then I ran MBAM, which removed 2 items. My question is: can someone recommend a program to run that will produce a log that will show if the rootkit is really gone? Also, I have three files in my virus chest that all test positive to be part of Alureon. Is it safe to delete them or are they safer in the chest?

My question is can someone recommend a program to run that will produce a log that will show if the rootkit is really gone

Follow this guide from our expert malware remover Essexboy
http://forum.avast.com/index.php?topic=53253.0
(post the logs here in this topic and not in the guide)

To avoid using multiple posts with copy and paste, you have to attach the logs.
Lower left corner: Additional Options > Attach (OTS log / Malwarebytes log)

Essexboy will be notified when the logs are posted.
You usually find him here 8pm - 11:59pm UK time.

Thank you very much, here is the log. I’m also attaching an MBAM log on the off chance that it is of any use.

While you might not like this answer, I feel it needs to be posted anyway: Infection by rootkit → game over. Go and reinstall from scratch.

Help: I Got Hacked. Now What Do I Do?

The only way to clean a compromised system is to flatten and rebuild. That’s right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications). Alternatively, you could of course work on your resume instead, but I don’t want to see you doing that.

Think so? I've seen the experts at Bleeping Computer clean this quite a few times. I know there is a risk of the computer not being trustworthy anymore, but I don’t use it for anything particularly sensitive. I would really like to attempt cleaning it before I resort to a reformat. I was assuming that at some point, if it was really that bad, ComboFix could be used to at least kill the rootkit. Anyway, thanks for your input.

Hitman Pro is said to deal well with TDL rootkits.

HitmanPro is still killing systems, I am afraid.

Nothing apparent in that log ;D

Any problems?

Hi, thanks for your replies and sorry for the delay.

  1. Firefox can’t update - I’m running it virtualized until I can be sure the infection is gone. Don’t know if that’s the cause or not, but it’s possible.

  2. No sound - I went into the Control Panel to make sure nothing is turned down or muted. Everything is at max volume and all speakers and devices are not muted. I definitely had sound before the infection happened.

  3. Redirects - Occasionally, Firefox will either a) open about 3 tabs whenever I click a search result. They all have weird domain names and stuff, but I’m able to close them before they load. Or b) when I click a search result in Google, I will get redirected to another search engine (Halappi, I think it’s called?), usually with the same search term that I put in Google.

Thanks for your help and have a great day!

Hi, going through my OTS log, these were some lines that concerned me. They were all added at almost the same time and I don’t know what any of them are. Do you have any insight?

Yontoo Layers Client -> C:\Program Files\Yontoo Layers Client -> [2011/03/11 16:54:02 | 000,000,000 | ---D | C]
Tarma Installer -> C:\Documents and Settings\All Users\Application Data\Tarma Installer -> [2011/03/11 16:54:01 | 000,000,000 | ---D | C]
My Cheat Tables -> C:\Documents and Settings\Lacy Moore\My Documents\My Cheat Tables -> [2011/03/11 16:53:48 | 000,000,000 | ---D | C]
OpenCandy -> C:\Documents and Settings\Lacy Moore\Local Settings\Application Data\OpenCandy -> [2011/03/11 16:53:37 | 000,000,000 | ---D | C]
Cheat Engine 6.0 -> C:\Documents and Settings\All Users\Start Menu\Programs\Cheat Engine 6.0 -> [2011/03/11 16:53:37 | 000,000,000 | ---D | C]
Cheat Engine 6 -> C:\Program Files\Cheat Engine 6 -> [2011/03/11 16:53:28 | 000,000,000 | ---D | C]
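
An added example, not part of the thread or of the OTS tool: it parses log lines in the layout quoted above and groups entries whose creation times fall within a minute of the previous one, which is the "all added at almost the same time" pattern that flagged these folders as one bundled install. The sample log is constructed from the thread's lines plus an extra, older "Example Folder" entry that is assumed only to show it is not grouped with the burst.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the layout of the OTS "created within 30 days" lines
# quoted in the thread; the last entry is an assumed, unrelated older folder.
SAMPLE_LOG = r"""
Yontoo Layers Client -> C:\Program Files\Yontoo Layers Client -> [2011/03/11 16:54:02 | 000,000,000 | ---D | C]
Tarma Installer -> C:\Documents and Settings\All Users\Application Data\Tarma Installer -> [2011/03/11 16:54:01 | 000,000,000 | ---D | C]
My Cheat Tables -> C:\Documents and Settings\Lacy Moore\My Documents\My Cheat Tables -> [2011/03/11 16:53:48 | 000,000,000 | ---D | C]
OpenCandy -> C:\Documents and Settings\Lacy Moore\Local Settings\Application Data\OpenCandy -> [2011/03/11 16:53:37 | 000,000,000 | ---D | C]
Cheat Engine 6.0 -> C:\Documents and Settings\All Users\Start Menu\Programs\Cheat Engine 6.0 -> [2011/03/11 16:53:37 | 000,000,000 | ---D | C]
Cheat Engine 6 -> C:\Program Files\Cheat Engine 6 -> [2011/03/11 16:53:28 | 000,000,000 | ---D | C]
Example Folder -> C:\Program Files\Example Folder -> [2011/03/02 09:15:00 | 000,000,000 | ---D | C]
"""

# name -> path -> [date time | size | attributes | C]
LINE_RE = re.compile(
    r"^(?P<name>.+?) -> (?P<path>.+?) -> "
    r"\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attr>[-A-Z]+) \| (?P<kind>[A-Z])\]$"
)


def parse_entries(text):
    """Return one dict per well-formed line, with 'ts' as a datetime; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y/%m/%d %H:%M:%S")
        entries.append(d)
    return entries


def burst_clusters(entries, window=timedelta(seconds=60)):
    """Group entries (sorted by creation time) whose gap to the previous entry is
    at most `window`. Several new Program Files / Application Data folders inside
    one minute usually means a single installer dropped all of them together."""
    ordered = sorted(entries, key=lambda e: e["ts"])
    clusters, current = [], []
    for e in ordered:
        if current and e["ts"] - current[-1]["ts"] > window:
            clusters.append(current)
            current = []
        current.append(e)
    if current:
        clusters.append(current)
    return [[e["name"] for e in c] for c in clusters]
```

Each cluster that contains more than one folder is worth checking against Add/Remove Programs as a single bundled installation rather than as unrelated finds.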

Some people do have them legitimately, although I consider them foistware… Watch them go.
Do you have the same redirects with IE?

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.

[Unregister Dlls]
[Registry - Safe List]
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YY -> {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} [HKLM] -> C:\Program Files\Yontoo Layers Client\YontooIEClient.dll [Yontoo Layers]
[Files/Folders - Created Within 30 Days]
NY ->  Yontoo Layers Client -> C:\Program Files\Yontoo Layers Client
NY ->  Tarma Installer -> C:\Documents and Settings\All Users\Application Data\Tarma Installer
NY ->  My Cheat Tables -> C:\Documents and Settings\Lacy Moore\My Documents\My Cheat Tables
NY ->  OpenCandy -> C:\Documents and Settings\Lacy Moore\Local Settings\Application Data\OpenCandy
NY ->  Cheat Engine 6.0 -> C:\Documents and Settings\All Users\Start Menu\Programs\Cheat Engine 6.0
NY ->  Cheat Engine 6 -> C:\Program Files\Cheat Engine 6
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]

The fix should only take a very short time. When the fix is completed, a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

THEN

Download aswMBR.exe ( 511KB ) to your desktop.

Double-click aswMBR.exe to run it.

http://i1224.photobucket.com/albums/ee362/Essexboy3/aswmbrscan.gif

Click the “Scan” button to start the scan.

http://i1224.photobucket.com/albums/ee362/Essexboy3/aswmbrsavelog.gif

On completion of the scan, click Save log, save it to your desktop and post it in your next reply.

OK, files attached as requested. In the OTS fix I noticed a couple of “file not found” errors occurred. I think I tried to use Add/Remove Programs to uninstall a couple of things on that list.

As far as redirects go, I don’t use IE much but I ran a quick test and it didn’t redirect. It did however happen once with Chrome.

Thanks for all your help EssexBoy!

Reference the sound problem - could you go to Device Manager and see if there are any yellow exclamation marks?

No exclamation marks in any section; still no sound though. Redirects seem to have stopped completely across all browsers. Still can’t update Firefox.

Are you trying to update Firefox from within the sandbox?

Yes, I am, I have it set to always run in the sandbox. I’ll go take it out and see if the update works.

EDIT: When I take it out of the sandbox, it doesn’t even attempt to update. It does run faster, but I assume running it in the sandbox takes its toll on the overall speed.

Did you try a manual update?

Firefox said it had to download a complete update and did. It installed and everything worked fine. All that remains is the lack of sound. For clarification, there is no sound across the entire computer, not just internet browsers.

What is your soundcard make? Is it on the motherboard or a PCI card?

Here’s all the information I can get on it. It’s not a custom soundcard, so I would assume it’s attached to the motherboard.

Name Unimodem Half-Duplex Audio Device
Manufacturer Microsoft
Status OK
PNP Device ID MODEMWAVE\0{02E48346-99AA-45E2-8388-AFDB392481E8}
Driver c:\windows\system32\drivers\modemcsa.sys (5.1.2600.0 (xpclient.010817-1148), 15.75 KB (16,128 bytes), 4/17/2004 7:42 AM)

Name SoundMAX Integrated Digital Audio
Manufacturer Analog Devices, Inc.
Status OK
PNP Device ID PCI\VEN_8086&DEV_24C5&SUBSYS_01601028&REV_01\3&172E68DD&0&FD
I/O Port 0x0000EE00-0x0000EEFF
I/O Port 0x0000EDC0-0x0000EDFF
Memory Address 0xFEB7FA00-0xFEB7FBFF
Memory Address 0xFEB7F900-0xFEB7F9FF
IRQ Channel IRQ 17
Driver c:\windows\system32\drivers\smwdm.sys (5.12.01.3910, 577.94 KB (591,808 bytes), 12/31/1979 9:00 PM)

12/31/1979: the driver date looks very old - is your computer a Dell, perchance?