TDL4 rootkit prevalence; is it connected to the rogue antivirus problem?

Curious whether there is a known link between rogue anti-virus programs suddenly appearing on a Windows system and hidden TDL4 processes.

Does removing the rogue anti-virus program fix the computer to a clean state?

The fix often used is System Restore; not a useful tool in my book, as other bad files can be restored and not removed by this process.

Note: This type of incident has not happened to me, yet.

mchain

Often rogue AVs (mostly fake defragmenter tools) download TDSS variants; I am not surprised.

Many of these rogue security applications are hidden by a rootkit, though once a TDL4 (or other) rootkit is on the system it is possible to download malware or rogue software. So one is not a prerequisite of the other.

So analysis of your system is required to say what the removal plan would be; there isn’t a one-size-fits-all type of answer.

Many of these trojan downloaders may also be hidden by a rootkit; fortunately the Network Shield is quite good at blocking the connection attempts to the malicious sites that they try to connect to.

DavidR & Left123,

Thank you for your reply.

I notice as I browse the forum there are quite a few posts re: “Google Redirects blocked by Avast!” Related to the above query? Or is it a current hot-topic problem, thus new?

I notice too a user, “com155”, who seems not to know what he/she is doing. Isn’t there a way to (eventually) block this user from this forum so as to prevent this user from doing more harm than good?

At least I know OTS is a useful tool, but without the proper training, advice to remove certain files (that may well be legitimate OS files) is way worse than the proper cure. Many users are not versed in OS file cleaning, or in this case, the removal of malicious drivers found by OTS.

Would you have a doctor without certification and training, and a MD degree, give you opium instead of valium to treat your condition? What I am seeing is utter nonsense from com155. :o

mchain

You’re welcome.

Unfortunately it is buyer beware in the case of malware removal assistance. There are some very new members on the forums who have a little knowledge, and that can be more harm than good when combined with overconfidence in their own abilities.

I’m no qualified malware removal specialist, I know my limitations and when I meet them I call for assistance, rather than plough on throwing different tools at the problem. That is when a strong analysis tool like OTS is required and it should only be used by someone trained in its use.

Here one can read about the interconnections of TDL4 botnets, Zeus, rogue AV and other cybercriminal activities: http://www.extremetech.com/internet/88770-tdl4-botnet-smarter-more-sophisticated-and-not-for-use-in-russia (link source: Ziff Davis)

In addition to what our forum friend DavidR says about certain malware removal tools, these specialist tools should only be used in the hands of, and under the supervision of, a qualified malware removal expert. They have been trained and followed boot camp at sites like that of our forum member essexboy (geek2go), and will undergo further perpetual training to keep up with the latest official malware removal tools, methods and insights, like our forum member, the trained qualified malware remover “oldman”, among others.
Every removal routine should be performed exclusively and individually for each victim. Cleansing without the right supervision and by so-called “wannabe” removal specialists can seriously damage your operating system, even to such a degree that it is rendered useless or only open to a complete reinstall.
However, if someone on the avast staff has specific advice on a topic presented in a thread, read that posting first. It has priority because they may have been posting on the avast blog about that subject or could have specific news that may help.

I wish you safety and security online,

polonus

The TDL bootkits are now fairly cheap, so every rogue programmer out there can buy a copy and add it to the programme. Then he can control your searches, download new malware, or in extreme cases snaffle your data.
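Since the TDL bootkits mentioned above take over the disk's Master Boot Record, one check a practitioner can run when an infection is suspected is to compare the first sector against a known-good baseline. The script below is an added example and is not code from the forum thread or from Avast; it parses a 512-byte MBR, hashes the boot code, sanity-checks the partition table, and reports deviations from a baseline hash. The sample sectors, the boot-code bytes, and the baseline are all constructed inline for the demonstration, and reading a real disk (the `\\.\PhysicalDrive0` path, as administrator) is noted only as an assumption in a comment.

```python
"""Added example (not from the forum thread): compare a disk's MBR against a
known-good baseline, as one might do when a TDL-style bootkit is suspected.
All sample sectors below are constructed inline for the demonstration."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446      # bytes 0..445 hold the boot code
PART_TABLE_OFF = 446     # four 16-byte partition entries follow
BOOT_SIG = b"\x55\xaa"   # bytes 510..511


def build_mbr(boot_code: bytes, entries) -> bytes:
    """Assemble a 512-byte MBR from boot code and (status, type, lba, count) entries."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    table = b""
    for status, ptype, lba, count in entries:
        # CHS fields are zeroed; the LBA fields are what matter on modern systems
        table += struct.pack("<B3sB3sII", status, b"\x00" * 3, ptype, b"\x00" * 3, lba, count)
    table = table.ljust(64, b"\x00")
    return code + table + BOOT_SIG


def parse_mbr(sector: bytes) -> dict:
    """Return the SHA-256 of the boot code and the non-empty partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != BOOT_SIG:
        raise ValueError("0x55AA boot signature missing")
    parts = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, PART_TABLE_OFF + 16 * i)
        if ptype != 0:
            parts.append({"index": i, "bootable": status == 0x80,
                          "type": ptype, "lba_start": lba, "sectors": count})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": parts}


def check_mbr(sector: bytes, baseline_sha256: str) -> list:
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("boot code differs from baseline (possible bootkit)")
    active = [p for p in info["partitions"] if p["bootable"]]
    if len(active) != 1:
        findings.append(f"expected exactly one active partition, found {len(active)}")
    # Overlapping partition entries are another sign of a tampered table
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"]) for p in info["partitions"])
    for (_, end1), (start2, _) in zip(spans, spans[1:]):
        if start2 < end1:
            findings.append("partition entries overlap")
            break
    return findings


# Constructed sample: a stand-in for the boot code a normal installer writes
GOOD_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c\x8e\xc0\x8e\xd8\xbe\x00\x7c\xbf\x00\x06"
GOOD_MBR = build_mbr(GOOD_BOOT_CODE, [(0x80, 0x07, 2048, 204800)])
BASELINE = hashlib.sha256(GOOD_MBR[:BOOT_CODE_LEN]).hexdigest()   # recorded on a clean machine

# Constructed sample: same partition table, but the boot code has been overwritten
TAMPERED_MBR = build_mbr(b"\xeb\xfe" + b"\x90" * 20, [(0x80, 0x07, 2048, 204800)])

if __name__ == "__main__":
    # Assumption: on a live Windows box, as administrator, the real sector comes from
    #   open(r"\\.\PhysicalDrive0", "rb").read(SECTOR_SIZE)
    for name, mbr in (("good", GOOD_MBR), ("tampered", TAMPERED_MBR)):
        print(name, check_mbr(mbr, BASELINE) or "OK")
```

The baseline hash has to be taken from a machine known to be clean (or from the boot code the installer writes), since a bootkit that rewrites the boot code but leaves the partition table intact will pass every structural check and only fail the hash comparison.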

essexboy et al,

I have been truly enlightened.

Is Avast! ever going to broaden their a/v engine to be able to detect this rootkit? It would seem to be a competitive advantage over other a/v vendors to have this ability.

I am aware that few, if any, a/v vendors can intercept or detect rogue antivirus programs, but such programs are known to cause much distress and dismay for the average internet user if they happen to land on their system. I can attest to this as I have seen the many disasters wrought at http://www.cnet.com

mchain

XP Home Edition SP3 P4 2.8 2 GB RAM Avast! v 6.0.1203 Free

Did you read my post @ Security warnings? If not, go ahead and read this article: http://www.securelist.com/en/analysis/204792180/TDL4_Top_Bot

Lefty123,

No, I have not read the link you provided above. Thank you, as I did read it, and mostly understand what it is.

I understand the authors of TDL-4 could be in real trouble for “stealing” a free GNU license to enable use of the kad network feature.

Very interesting reading.

BTW, I have come across another tool, provided by Microsoft, called Microsoft Standalone System Sweeper and used it to clean my son’s computer of a dangerous and nasty file called Trojan.Downloader (forget the exact classification) found in D:\flashget.exe. The interesting thing here is that his machine is set up as C:\HDD 0, E:\HDD 1, F:\HDD 2, with D:\DVD/CD-ROM.

As he is still young, he would not truly understand the risks involved in running a program as above utilizing torrents, etc.

I did run this machine in a PE environment as MSSS, and updated the definitions online before scanning. Could the trojan have come in when run in this mode? Or was the file hidden in this way so a/v and anti-spyware could not find it?

The link for MSSS is here: http://connect.microsoft.com/systemsweeper

Note: Options for 32-bit and 64-bit are available.

I am not assuming you or anyone else here has not heard of MSSS. Any thoughts re this program?

Clearly, browser redirects in search engines are a sign of possible TDL-4 infection. Avast! Forums show currently numerous user topics and threads re this behavior.

I would think (for now, anyway) that the only real solution is to wipe the C: drive thoroughly and reinstall Windows.

Thanks.

mchain

XP Home Edition SP3 P4 2.8 2 GB RAM Avast! 6.0.1203 Free

Avast does detect all TDL variants, even the new one, and to date it can clear TDL4 and possibly this other variant, but I am still waiting for a few results. For TDL3, TDSSKiller will get that.

essexboy,

Nice to know Avast! can kill this nasty if found.

mchain