
Kudos7 Stats

TDSSkiller / TDL4

TDSSkiller now correctly detects and cures TDL4 (as of today).

I tested only about 10 minutes ago; the scan checks via raw I/O.

Screenshot below, plus attached to this post is the log of the scan

Be aware though: if you are infected with more than TDL3 / TDL4, like the thread for houston,

http://community.norton.com/t5/Other-Norton-Products/Ads-popping-up-randomly-and-cannot-open-task-manager/td-p/229633

This may mean that TDSSkiller may not work due to other Malware blocking it. Other Malware may have to be stopped first and maybe removed before using TDSSkiller.

Multiple infections have to be stopped a lot of the time in the correct order of steps.

Quads

Replies

Kudos0

Re: TDSSkiller / TDL4

The latest TDL (Tidserv) I have found:

http://www.virustotal.com/analisis/1531b39e217bbac673b621b0f6a5f020ebae48a216832cf3d038ff65d46d1883-1274240886

I have the list of servers (not posted here)

Quads

Kudos4 Stats

Re: TDSSkiller / TDL4

UPDATE:

After infecting the PC with the latest installer,

TDSSkiller did not detect the driver.

TDSS Remover did not detect the driver.

http://www.virustotal.com/analisis/474509fae08f6040fc69366d628ac7e23645e53e41d3882f2375d2773196daf4-1274276299

Intrusion Prevention 

For some reason (maybe something went wrong) I had to swap "kernel32.dll" over to.

Quads

Kudos0

Re: TDSSkiller / TDL4

I did find a product that doesn't need to be installed; it scanned and detected the infected swapped drivers.

One problem: it deleted the drivers while still scanning; it didn't wait and ask the user whether the files were to be deleted, it just deleted them.

Quads

Kudos0

Re: TDSSkiller / TDL4

Thanks Quads

Does not look like they are slowing down in producing these things.

Cheers Mo Windows 7 64 bit, NIS2013
Kudos0

Re: TDSSkiller / TDL4

It's the "Backdoor.TDSS.2459" variant that TDSSkiller and TDSS Remover can't detect.

Quads

Kudos0

Re: TDSSkiller / TDL4

There are Rogues, one being "Data Protection", that come with a TDL2 variant "PRAGMA":

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\PRAGMA]
"slrd"=dword:00000018
"slrm"=dword:00000005

[HKEY_LOCAL_MACHINE\SOFTWARE\PRAGMA\injector]
"explorer.exe"="pragmaserf"
"iexplore.exe"="pragmaserf;pragmabbr"
"firefox.exe"="pragmabbr"
"safari.exe"="pragmabbr"
"chrome.exe"="pragmabbr"
"opera.exe"="pragmabbr"

http://www.virustotal.com/analisis/d159f0059cfb2f1919cd4017e197a9167eca556fd2d32e02fea04ac7c1fd7bb2-1274670145

http://www.threatexpert.com/report.aspx?md5=0d41357d15d5cff6ac74a81fd314779d

With the ability to try and uninstall Security Software as part of the rogue.

Quads
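Added example (not code from this thread): the script below parses a .reg export like the one quoted above and lists which module each process is configured to have injected. The sample export is built from the PRAGMA entries in the post; the browser list and the "last key component is injector" heuristic are assumptions a defender would adapt.

```python
"""Parse a Windows .reg export and list per-process injector mappings.

Added example, not code from this thread. SAMPLE_REG is constructed from
the PRAGMA entries quoted in the post; the browser list and the
injector-subkey heuristic are assumptions.
"""
import re
from collections import OrderedDict

# Constructed sample, based on the registry export quoted in the post above.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\PRAGMA]
"slrd"=dword:00000018
"slrm"=dword:00000005

[HKEY_LOCAL_MACHINE\SOFTWARE\PRAGMA\injector]
"explorer.exe"="pragmaserf"
"iexplore.exe"="pragmaserf;pragmabbr"
"firefox.exe"="pragmabbr"
"safari.exe"="pragmabbr"
"chrome.exe"="pragmabbr"
"opera.exe"="pragmabbr"
'''

_SECTION = re.compile(r'^\[(.+)\]$')          # [HKEY_...\Key]
_VALUE = re.compile(r'^"([^"]+)"=(.*)$')      # "name"=data

def parse_reg(text):
    """Return an ordered {key_path: {value_name: raw_data}} mapping."""
    keys = OrderedDict()
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('Windows Registry Editor'):
            continue
        m = _SECTION.match(line)
        if m:
            current = keys.setdefault(m.group(1), OrderedDict())
            continue
        m = _VALUE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return keys

def decode_data(raw):
    """Decode the two data forms used in the sample: dword:XXXXXXXX and "string"."""
    if raw.startswith('dword:'):
        return int(raw[len('dword:'):], 16)
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1]
    return raw

def injector_mappings(keys):
    """Process name -> list of injected module names, for any key whose
    last path component is 'injector' (assumed naming, as in the sample)."""
    mappings = OrderedDict()
    for path, values in keys.items():
        if path.rsplit('\\', 1)[-1].lower() == 'injector':
            for proc, raw in values.items():
                mappings[proc.lower()] = decode_data(raw).split(';')
    return mappings

# Assumed list of browser processes a defender cares about most here.
BROWSERS = {'iexplore.exe', 'firefox.exe', 'chrome.exe', 'safari.exe', 'opera.exe'}

def targeted_browsers(mappings):
    """Browsers that have at least one module configured for injection."""
    return sorted(p for p in mappings if p in BROWSERS)

if __name__ == '__main__':
    parsed = parse_reg(SAMPLE_REG)
    maps = injector_mappings(parsed)
    for proc, mods in maps.items():
        print(f'{proc}: {", ".join(mods)}')
    print('browsers targeted:', ', '.join(targeted_browsers(maps)))
```

The same parser works on an export of any suspect key; the point of splitting the value on ";" is that one process (iexplore.exe here) can be assigned several modules at once.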

Kudos6 Stats

Re: TDSSkiller / TDL4

Interesting: I was reading the Symantec "Backdoor.Tidserv" writeup.

Warning, it's a mix and match of different TDL2's and TDL3's,

including this entry:

"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\H8SRTd.sys" which actually belongs to "Backdoor.Tidserv.J"

I can see how people reading the writeup are going to get confused, seeing the different variants in one writeup, when a lot of the variants have to be looked at separately due to differences,

including differences in the removal procedures and programs used.

Sure, a PC may be infected with more than one TDL2 (more than one set of files and registry entries) or TDL2 + TDL3. But the removal of them has to be looked at differently.

TDL2: its files and registry entries can be removed / deleted (correctly); for TDL3 this is not the case.

TDL3: the infected driver (disk controller) has to be swapped with a clean copy; for TDL2 this is not the case.

TDL3 infected drivers are detected as "Backdoor.Tidserv!inf".

Quads

Kudos0

Re: TDSSkiller / TDL4

Nice work, Quads

"All that we are is the result of what we have thought"
Kudos0

Re: TDSSkiller / TDL4

TDSSkiller has been updated again.

Quads

Kudos2 Stats

Re: TDSSkiller / TDL4

One version of TDSS (Tidserv) creates these entries and fools some removal programs into thinking a Windows file like "userinit.exe" or "kernel32.dll" is infected when the Windows file seems clean. Although it could have tried to infect a driver but failed due to some sort of flaw in the file I got. A bug inside a bug.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\[file name].exe
C:\WINDOWS\system32\ernel32.dll
C:\System Volume Information\_restore{3CE24A12-6763-49ED-BA82-A731CC696DD0}\RP1\A0000056.dll
C:\WINDOWS\system32\spool\prtprocs\w32x86\[random].dll (can be a few created in that folder)
C:\documents and settings\[username]\application data\[random].exe

Scheduler change:
Tasks: d:\windows\tasks\mswd-[random].job

DNS Changer
O17 - HKLM\System\CCS\Services\Tcpip\..\{8F5D3DA0-7FC8-49DF-B703-88E747973326}: NameServer = 93.188.162.167,93.188.166.198
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.162.167,93.188.166.198
O17 - HKLM\System\CS1\Services\Tcpip\..\{8F5D3DA0-7FC8-49DF-B703-88E747973326}: NameServer = 93.188.162.167,93.188.166.198
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 93.188.162.167,93.188.166.198
O17 - HKLM\System\CS3\Services\Tcpip\..\{8F5D3DA0-7FC8-49DF-B703-88E747973326}: NameServer = 93.188.162.167,93.188.166.198
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.162.167,93.188.166.198

Quads
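Added example (not code from this thread): the script below parses HijackThis-style O17 lines like the DNS Changer entries listed above and flags NameServer values that are not on a site's own resolver allow-list, grouping them by ControlSet so it is visible that the same resolvers were written to CCS, CS1 and CS3 alike. The sample log is constructed from the O17 entries above plus one benign LAN entry and one unrelated O4 line; the allow-list (private LAN ranges) is an assumption.

```python
"""Flag DNS-changer style NameServer entries in HijackThis-style O17 lines.

Added example, not from this thread. SAMPLE_LOG is constructed from the
O17 entries quoted above plus two extra lines; ALLOWED_RESOLVERS is an
assumption a defender replaces with their own resolver list.
"""
import ipaddress
import re

# Constructed sample log: the six O17 lines from the post, one invented
# benign LAN resolver entry, and one unrelated O4 line that must be ignored.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{8F5D3DA0-7FC8-49DF-B703-88E747973326}: NameServer = 93.188.162.167,93.188.166.198
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.162.167,93.188.166.198
O17 - HKLM\System\CS1\Services\Tcpip\..\{8F5D3DA0-7FC8-49DF-B703-88E747973326}: NameServer = 93.188.162.167,93.188.166.198
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 93.188.162.167,93.188.166.198
O17 - HKLM\System\CS3\Services\Tcpip\..\{8F5D3DA0-7FC8-49DF-B703-88E747973326}: NameServer = 93.188.162.167,93.188.166.198
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.162.167,93.188.166.198
O17 - HKLM\System\CCS\Services\Tcpip\..\{11111111-2222-3333-4444-555555555555}: NameServer = 192.168.1.1
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# Assumed allow-list: resolvers inside the site's private address space.
ALLOWED_RESOLVERS = [ipaddress.ip_network('192.168.0.0/16'),
                     ipaddress.ip_network('10.0.0.0/8')]

O17_RE = re.compile(r'^O17 - (?P<key>\S+): NameServer = (?P<servers>[\d.,\s]+)$')

def parse_o17(log_text):
    """Yield (registry_key, [ip_address, ...]) for every O17 NameServer line."""
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        ips = []
        for token in m.group('servers').split(','):
            token = token.strip()
            try:
                ips.append(ipaddress.ip_address(token))
            except ValueError:   # malformed token: skip rather than crash the scan
                continue
        yield m.group('key'), ips

def control_set(key):
    """Return the ControlSet label (CCS, CS1, CS3 ...) from HKLM\\System\\<label>\\..."""
    parts = key.split('\\')
    return parts[2] if len(parts) > 2 else ''

def find_dns_changer(log_text):
    """Resolvers outside the allow-list -> sorted list of ControlSets they were set in."""
    suspects = {}
    for key, ips in parse_o17(log_text):
        for ip in ips:
            if any(ip in net for net in ALLOWED_RESOLVERS):
                continue
            suspects.setdefault(str(ip), set()).add(control_set(key))
    return {ip: sorted(cs) for ip, cs in suspects.items()}

if __name__ == '__main__':
    for ip, control_sets in find_dns_changer(SAMPLE_LOG).items():
        print(f'{ip}: set in {", ".join(control_sets)}')
```

Seeing the same foreign resolvers in every ControlSet is the useful signal here: clearing only CurrentControlSet leaves the value to come back from the other sets, which matches the "has to be dealt with in the correct order" point made earlier in the thread.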
Kudos0

Re: TDSSkiller / TDL4

Good to know they make mistakes as well...

Cheers Mo Windows 7 64 bit, NIS2013
Kudos0

Re: TDSSkiller / TDL4

Mo

I'm not sure if it's a bug, or someone trying to change things who has left something out of the installer (programming), but this one is too easy for those who can deal with TDL 2, 3, 4 successfully.

I got another installer from a Malware researcher; I ran the installer and it's the same, "TDL with a twist".

It's a matter of whether this is like a beta or first build of this change, and so it will only get better over time.

Quads

Kudos0

Re: TDSSkiller / TDL4

Ok, I will sound like a dunce, but did you mean there was a mistake in the TDL removal software or a mistake/programming error in the TDL itself... sorry if I am a bit slow...

Cheers Mo Windows 7 64 bit, NIS2013
Kudos0

Re: TDSSkiller / TDL4

A mistake in the TDL, TDSS, Tidserv malware itself.

Quads

Kudos0

Re: TDSSkiller / TDL4

Thanks for making it clearer. Do you think they know it's there and will correct it?

Cheers Mo Windows 7 64 bit, NIS2013
Kudos0

Re: TDSSkiller / TDL4

I'm starting to think these things are like unraveling DNA code... 

Kudos0

Re: TDSSkiller / TDL4


TracyLCraw wrote:

I'm starting to think these things are like unraveling DNA code... 


Somewhat similar

We look forward to the time when the Power of Love will replace the Love of Power. Then will our world know the blessings of peace. ~William Ewart Gladstone
Kudos1 Stats

Re: TDSSkiller / TDL4

Articles on TDL (1, 2, 3 & unofficial 4); there are other names it's known as.

It has hit number 1:

http://www.infoworld.com/t/malware/four-year-old-rootkit-tops-the-charts-pc-threats-791

Pesky rootkit looks like it's getting refined for attacks

Remember Alureon, the pesky rootkit, which hit the Windows enterprise scene in 2006 and absolutely bum rushed some Windows systems earlier this year?

Microsoft does and will for quite some time. The rootkit, which also goes by some of its technical aliases -- TDSS, Zlob and DNSChanger -- has to date infected nearly 2 million Windows systems.

Alureon is the guest of honor rootkit in Microsoft's recently released May Threat Report. Alureon accounted for 18 percent of all malware-infected Windows PCs in May.

This is Alureon's encore performance as the rootkit du jour in the April Threat Report.

Alureon is considered the culprit for the "screen of death," and system crash issues widely reported when users installed Microsoft Security Bulletin MS10-015.

Microsoft Malware Prevention Center staffers Vishal Kapoor and Joe Johnson said there were "several changes to the design of the rootkit to avoid detection and cleaning, revealing that the rootkit is still under active development and distribution."

This means that Alureon is going to be around for a while yet

By Jabulani Leffall

At least it can't beat Quads for PC's that turn up at my door  

Bring on the next change 

Quads

Kudos0

Re: TDSSkiller / TDL4

Nice article that you linked to thanks!

Quads, do you play detective with this stuff?

Kudos0

Re: TDSSkiller / TDL4

I do find articles 

But I also find Malware to run and install on my Computer in the real world (not a VM), whether it's Rootkits like TDL3 / TDL4, worms, Rogues, Trojans...

If the infection is downloading more Malware from somewhere I let it download everything that it wants. Once completed I then set about breaking the Malware piece by piece to allow other programs to run and remove all the files and registry entries etc.

Like this thread for a user.

http://community.norton.com/t5/Norton-Internet-Security-Norton/conime-virus/m-p/207475#M103235

Quads

Kudos0

Re: TDSSkiller / TDL4

TDL installers are still appearing that Norton does not detect once downloaded or just sitting on the Desktop.

They do have some sort of sense of humour; this one is by Chuck Norris with the Firefox icon, pic below.


Quads

Kudos0

Re: TDSSkiller / TDL4

I wonder, does Chuck Norris know he is now a Virus/TDL.... It could date the creator, as Chucky boy was big in videos in the 80s-90s.

Cheers Mo Windows 7 64 bit, NIS2013
Kudos0

Re: TDSSkiller / TDL4

Kudos0

Re: TDSSkiller / TDL4

Hahaha

On testing I infected with TDL3 / 4 and ran Norton Power Eraser. It detected the driver, but it also detected legit files, so I don't know the actual reason for the detection or if it just happened to be a fluke in between the False Positives.

NPE restarted the PC and proceeded to delete, or try and delete, the driver and ControlSet registry entry for it, like Norton previously trying to or succeeding in deleting a driver like "atapi.sys".

<Remediate DateAndTime="Saturday, 26 June 2010 Time: 09:52">
  <Infections_Selected_For_Remediation>
    <DRIVERS Count="1">
      <Driver ID="1">
        <File_Information>
          <Path>D:\WINDOWS\system32\DRIVERS\intelppm.sys</Path>
          <FileVersion><></FileVersion>
          <ProductVersion><></ProductVersion>
          <ProductName><></ProductName>
          <Company><></Company>
          <Copyrights><></Copyrights>
          <MD5>27FDB47F3F2EFE36F72C0971A03406C0</MD5>
          <SHA256>D2C269B6686A9B8769BB5546FC711FDE33FBA4009B96863D241CD6B9D64506CB</SHA256>
          <FileSize>36352 bytes</FileSize>
        </File_Information>
        <SideEffects Count="2">
          <File>D:\WINDOWS\system32\DRIVERS\intelppm.sys</File>
          <RegistryKey>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\intelppm</RegistryKey>
        </SideEffects>
      </Driver>
    </DRIVERS>
    <SERVICES Count="0" />
    <PROCESSES Count="0" />
    <LAYERED_SERVICE_PROVIDERS Count="0" />
    <DESKTOP_SHORTCUTS Count="0" />
    <AUTORUN_FILES Count="0" />
    <STARTUP_ITEMS Count="0" />
    <BROWSER_HELPER_OBJECTS Count="0" />
    <BROWSER_TOOLBARS Count="0" />
    <BROWSER_PLUGINS Count="0" />
    <SHELL_EXTENSIONS Count="0" />
    <EXPLORER_PLUGINS Count="0" />
    <DIRECTORIES Count="0" />
    <FILES Count="0" />
    <SYSTEM_SETTINGS Count="0" />
  </Infections_Selected_For_Remediation>
</Remediate>
<RemediationStatusPostReboot DateAndTime="Saturday, 26 June 2010 Time: 09:54">
  <Infections_Remediated>
    <DRIVERS Count="1">
      <Driver ID="1">
        <File_Information>
          <Path>D:\WINDOWS\system32\DRIVERS\intelppm.sys</Path>
          <FileVersion><></FileVersion>
          <ProductVersion><></ProductVersion>
          <ProductName><></ProductName>
          <Company><></Company>
          <Copyrights><></Copyrights>
          <MD5>27FDB47F3F2EFE36F72C0971A03406C0</MD5>
          <SHA256>D2C269B6686A9B8769BB5546FC711FDE33FBA4009B96863D241CD6B9D64506CB</SHA256>
          <FileSize><></FileSize>
        </File_Information>
        <SideEffects Count="2" Status="Remediate_Failed">
          <File>D:\WINDOWS\system32\DRIVERS\intelppm.sys</File>
          <RegistryKey>\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Services\intelppm</RegistryKey>
        </SideEffects>

On checking I found that the driver had actually gone, so I placed it all back.

intelppm.sys = Intel Processor Driver

BSOD territory, as we know from people on the forum previously, and why Norton won't remove the driver for ".........Tidserv!inf", or shouldn't, unless a definition has been added causing the removal problem again.

If Malware that infects / patches legit system files etc. is suspected (Tidserv is just one group, zeloaces is one other off the top of my head), it is not advised to use Norton Power Eraser to remove these types of infections, as bigger problems can occur with removing drivers Windows needs.

Quads
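Added example, not NPE's code and not from this thread: a small checker that reads an NPE remediation log like the one above and, for every driver queued for removal, says whether it is a file Windows itself depends on (so the right action is to replace it with a clean copy rather than delete it) and what the post-reboot status for it was. The XML is a constructed, trimmed copy of the log above (the viewer export in the post is not well-formed XML, so the empty fields are left out); the table of essential drivers is an assumption a defender would fill from a clean reference system.

```python
"""Review a Norton Power Eraser remediation log before letting the fix run.

Added example, not NPE's own code and not code from this thread. SAMPLE_LOG
is a constructed, trimmed copy of the log quoted above; ESSENTIAL_DRIVERS
is an assumed table, not a vendor list.
"""
import os
import xml.etree.ElementTree as ET

# Constructed sample, trimmed from the NPE log quoted in the post above.
SAMPLE_LOG = r"""<Log>
<Remediate DateAndTime="Saturday, 26 June 2010 Time: 09:52">
 <Infections_Selected_For_Remediation>
  <DRIVERS Count="1">
   <Driver ID="1">
    <File_Information>
     <Path>D:\WINDOWS\system32\DRIVERS\intelppm.sys</Path>
     <MD5>27FDB47F3F2EFE36F72C0971A03406C0</MD5>
     <FileSize>36352 bytes</FileSize>
    </File_Information>
    <SideEffects Count="2">
     <File>D:\WINDOWS\system32\DRIVERS\intelppm.sys</File>
     <RegistryKey>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\intelppm</RegistryKey>
    </SideEffects>
   </Driver>
  </DRIVERS>
 </Infections_Selected_For_Remediation>
</Remediate>
<RemediationStatusPostReboot DateAndTime="Saturday, 26 June 2010 Time: 09:54">
 <Infections_Remediated>
  <DRIVERS Count="1">
   <Driver ID="1">
    <File_Information>
     <Path>D:\WINDOWS\system32\DRIVERS\intelppm.sys</Path>
     <MD5>27FDB47F3F2EFE36F72C0971A03406C0</MD5>
    </File_Information>
    <SideEffects Count="2" Status="Remediate_Failed">
     <File>D:\WINDOWS\system32\DRIVERS\intelppm.sys</File>
    </SideEffects>
   </Driver>
  </DRIVERS>
 </Infections_Remediated>
</RemediationStatusPostReboot>
</Log>"""

# Assumed table of drivers Windows needs to boot. Deleting one of these instead of
# replacing it with a clean copy is what produces the BSOD described in the post.
# Names only: the correct hash differs per Windows build and service pack.
ESSENTIAL_DRIVERS = {
    'intelppm.sys': 'Intel processor driver',
    'atapi.sys': 'ATAPI/IDE disk controller driver',
}

def _drivers(root, section):
    """Yield (Driver element, path) for every Driver under a top-level section."""
    for drv in root.iterfind(f'./{section}//Driver'):
        yield drv, drv.findtext('File_Information/Path', default='')

def planned_driver_actions(xml_text):
    """Drivers NPE has queued for removal, each with a verdict."""
    root = ET.fromstring(xml_text)
    planned = []
    for drv, path in _drivers(root, 'Remediate'):
        name = os.path.basename(path.replace('\\', '/')).lower()
        verdict = 'replace-with-clean-copy' if name in ESSENTIAL_DRIVERS else 'review'
        planned.append({'name': name, 'path': path,
                        'md5': drv.findtext('File_Information/MD5', default=''),
                        'verdict': verdict})
    return planned

def post_reboot_status(xml_text):
    """Driver path -> SideEffects Status recorded after the reboot ('OK' if none)."""
    root = ET.fromstring(xml_text)
    status = {}
    for drv, path in _drivers(root, 'RemediationStatusPostReboot'):
        se = drv.find('SideEffects')
        status[path] = se.get('Status', 'OK') if se is not None else 'OK'
    return status

def review(xml_text):
    """Join the removal plan with the post-reboot outcome for each driver."""
    outcome = post_reboot_status(xml_text)
    findings = planned_driver_actions(xml_text)
    for item in findings:
        item['post_reboot'] = outcome.get(item['path'], 'not-reported')
    return findings

if __name__ == '__main__':
    for f in review(SAMPLE_LOG):
        print(f"{f['name']} ({f['md5']}): {f['verdict']}, post-reboot: {f['post_reboot']}")
```

Run against the real log, the "replace-with-clean-copy" verdict is the cue to stop and swap the driver in from clean media, which is the TDL3 handling the thread describes, rather than let the tool delete it.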

Kudos0

Re: TDSSkiller / TDL4

Symantec has tested NPE on TDL3 and NPE did detect the infected driver (I don't know which driver in this case). NPE removed it and made the system (PC) unusable.

Quads

Kudos4 Stats

Re: TDSSkiller / TDL4

TDL3 (+) and the Symantec free download "TDSS Fixtool"

It does "REPAIR" older TDL3 variants and doesn't delete the file in question. If it's a newer variant, at least the tool stops and does not attempt to delete the file instead, even if it notifies that basically it can't repair the file.

Better than causing a non-bootable Windows.

Quads

Kudos2 Stats

Re: TDSSkiller / TDL4

Boot.Tidserv, Tidserv.L Bootkit

version 0.01: without x64 code (one dropper it seems)
version 0.02: fully workable (just a few droppers); buggy, can cause non-booting XP
version 0.03: with changed infector (driver too), also a few samples; buggy, can cause non-booting XP

Quads

Kudos0

Re: TDSSkiller / TDL4

Does the TDSS tool detect the latest TDSS?

Norton Internet Security 2011, Windows 7 Home Premium 64 bit (Check if you are eligible for a FREE Norton upgrade)
"Success is 10 percent inspiration and 90 percent perspiration." --Thomas Alva Edison
I'm not a Symantec employee and my posts do not represent the views of Symantec.
Kudos0

Re: TDSSkiller / TDL4

Kudos0

Re: TDSSkiller / TDL4

Looks like the Boot.Tidserv (TDL4) Bootkit will cause patched / cracked versions of Windows 7 to become non-bootable.

Quads

Kudos0

Re: TDSSkiller / TDL4

TDL4 is now being seen using, or trying to use, the Task Scheduler Privilege Escalation vulnerability, as seen with W32.Stuxnet.

Quads

Kudos0

Re: TDSSkiller / TDL4

TDL4 has a version change, from 0.15 to 0.169.

It can still cause this major problem:

On running the installer the computer shuts down or restarts. The computer will not POST or enter BIOS setup; it will only show the BIOS logo and then a blinking cursor in the top left, no matter which boot device is selected.


Quads

Kudos0

Re: TDSSkiller / TDL4

Is Norton able to detect it?

Or has the version change made it harder to detect?

Midou
Kudos0

Re: TDSSkiller / TDL4

There are still FakeAV (Rogues) appearing with TDL2, like the PRAGMA, _VOID, H8SRT group.

Looks like more in the Rogues like HDD Rescue, Windows Recovery and the defragmenters.

Quads

Kudos2 Stats

Re: TDSSkiller / TDL4

Looks like Microsoft is trying to combat TDL4.03 on x64 systems.

http://www.microsoft.com/technet/security/advisory/2506014.mspx

Quads

Kudos2 Stats

Re: TDSSkiller / TDL4

Looks like there is a new TDL4 that gets around the Microsoft patch and stops TDSSkiller from completing the scan. Other tools may not detect the newbie or cannot cure it.

Quads

Kudos1 Stats

Re: TDSSkiller / TDL4

Infected the PC with a new sample of Tidserv / TDSS / TDL4.

I downloaded the FixTDSS tool for the most up to date version from the site http://www.symantec.com/security_response/writeup.jsp?docid=2010-090608-3309-99 It did run the scan, but "No Infection Found" was the result.

TDSSkiller from that download site got stuck at 80% on startup.

The updated TDSSkiller (not from the download page, which has not been updated with the new version yet) was able to run, detect and cure the new samples.

One sample though places a randomly named file with a registry key so that when the MBR gets cured on the restart (or after using a CD/DVD to fix it), on the startup the MBR gets reinfected again, and again and again. The registry key and / or random file has to be dealt with first, before dealing with the MBR, otherwise you would be going around in circles somewhat.

Quads
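Added example, not from this thread: a baseline comparison for the MBR, the kind of check that tells you whether the sector came back different after the next start, which is the reinfection loop described above. The sectors here are constructed in memory with an invented partition layout; reading the real first sector needs raw disk access with administrative rights and is deliberately left out.

```python
"""Compare a boot sector (MBR) against a stored baseline to spot re-infection.

Added example, not from this thread. Both sectors are constructed in memory;
reading the real sector from the raw disk is not done here.
"""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 446            # bytes 0..445 hold the boot code
PART_TABLE_OFF = 446           # four 16-byte partition entries follow
SIGNATURE = b'\x55\xaa'        # bytes 510..511
_ENTRY = '<B3sB3sII'           # flag, CHS start, type, CHS end, LBA start, sector count

def make_partition_entry(bootable, part_type, lba_start, sectors):
    """Build one 16-byte partition table entry (CHS fields zeroed)."""
    return struct.pack(_ENTRY, 0x80 if bootable else 0x00, b'\0\0\0',
                       part_type, b'\0\0\0', lba_start, sectors)

def build_mbr(boot_code, partitions):
    """Assemble a 512-byte sector from boot code and up to four entries."""
    code = boot_code.ljust(BOOT_CODE_LEN, b'\0')[:BOOT_CODE_LEN]
    table = b''.join(partitions).ljust(64, b'\0')[:64]
    return code + table + SIGNATURE

def has_boot_signature(sector):
    return len(sector) == SECTOR and sector[510:512] == SIGNATURE

def parse_mbr(sector):
    """Return the boot-code hash and the non-empty partition entries."""
    if not has_boot_signature(sector):
        raise ValueError('not a valid MBR sector')
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        flag, _, ptype, _, lba, count = struct.unpack(_ENTRY, sector[off:off + 16])
        if ptype:
            entries.append({'bootable': flag == 0x80, 'type': ptype,
                            'lba_start': lba, 'sectors': count})
    return {'boot_code_sha256': hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            'partitions': entries}

def compare_mbr(baseline, current):
    """Differences between two sectors; an empty list means they match."""
    b, c = parse_mbr(baseline), parse_mbr(current)
    diffs = []
    if b['boot_code_sha256'] != c['boot_code_sha256']:
        diffs.append('boot code changed')
    if b['partitions'] != c['partitions']:
        diffs.append('partition table changed')
    return diffs

# Constructed sample sectors. CLEAN_CODE is a handful of bytes standing in
# for real boot code; the partition layout is invented.
CLEAN_CODE = bytes.fromhex('fa33c08ed0bc007c')
TABLE = [make_partition_entry(True, 0x07, 2048, 1_000_000)]
CLEAN_MBR = build_mbr(CLEAN_CODE, TABLE)
PATCHED_MBR = build_mbr(b'\xeb\x58\x90' + CLEAN_CODE, TABLE)   # boot code differs
EXTRA_PART_MBR = build_mbr(CLEAN_CODE, TABLE + [make_partition_entry(False, 0x27, 1_002_048, 4096)])

if __name__ == '__main__':
    baseline = parse_mbr(CLEAN_MBR)['boot_code_sha256']   # keep this on clean media
    print('baseline boot-code hash:', baseline)
    for label, sector in [('unchanged', CLEAN_MBR),
                          ('boot code differs', PATCHED_MBR),
                          ('table differs', EXTRA_PART_MBR)]:
        print(f'{label}: {compare_mbr(CLEAN_MBR, sector) or ["no change"]}')
```

The baseline hash has to be taken from a sector you trust (after a verified cure, or from the install media's layout), and the comparison is worth repeating after every reboot while the registry key and random file from the post are still being chased.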

Kudos0

Re: TDSSkiller / TDL4


Quads wrote:

One sample though places a randomly named file with registry key so that when the MBR gets cured on the restart (or after using a CD/DVD to fix) on the startup the MBR gets reinfected again, and again and again. The registry key and /or random file has to be dealt with first, before dealing with the MBR, otherwise you would be going around in circles somewhat.


They never give up, do they?

Kudos0

Re: TDSSkiller / TDL4

Just like aftershocks 

Quads

Kudos0

Re: TDSSkiller / TDL4

For Peter

FixTDSS did not find or detect the infected MBR (Boot.Tidserv); here is a screenshot and the 2 logs attached. I downloaded FixTDSS from Symantec's download page again this morning in case it was updated during my night time.

Quads

Kudos0

Re: TDSSkiller / TDL4

Okay, I'm new here... obviously since this is my first post.

NIS is telling me that I've got Boot.Tidserv on my computer (Windows 7 64)... can't remove it...

Tried FixTDSS and NPE: both said there is "no infection", yet every time the computer boots Norton pops up stating it's still there.

There are NO other signs/symptoms that I'm aware of, but I'm scared to do anything with a password (like online financial work) in case someone somewhere is able to access this information.

What next?

Kudos3 Stats

Re: TDSSkiller / TDL4

Run TDSSkiller 2.5.0.0; FixTDSS does not detect Tidserv (the newer variants) on my PC.

Quads

Kudos0

Re: TDSSkiller / TDL4

THANKS! That worked.... I did have to clear the history on Norton to stop it from warning.

Kudos1 Stats

Re: TDSSkiller / TDL4

Due to the fact you used another program to cure TDL4 (Boot.Tidserv), Norton didn't do the curing and so still has the Unresolved Threat listing.

The same listing would have still been there if it was FixTDSS that cured the Bootkit instead.

The problems with FixTDSS are being looked into over the last few days.

Quads

Kudos0

Re: TDSSkiller / TDL4

There are now other Rootkit groups that have found a way to infect x64 systems (like maxx++, zeloacres).

Quads

Kudos0

Re: TDSSkiller / TDL4

Under certain circumstances profanity provides relief denied even to prayer.Mark Twain
Kudos0

Re: TDSSkiller / TDL4

We have had Maax++ infected users turn up on this forum in the past.

Quads

Kudos4 Stats

Re: TDSSkiller / TDL4

Hi Guys

The latest version of NPE Beta can detect and cure the MBR infected with TDL4 (TDSS / Boot.Tidserv).

On the download page of NPE, instead select further down the page to download the Beta version. When downloaded you should have the file NPE-Beta.exe, version 2.0.0.51.

After starting NPE, select Scan for Risks, then choose Include Rootkit Scan and click Restart.

NPE will now restart your computer. On the restart NPE will carry on through the process and run a scan.

After the scan has finished you will have a list of Risks, including False Positives; I have shown the False Positives as well in the screenshot below to show users.

The TDL4 / TDSS / Tidserv detection listed above is the first listed, as PhysicalDrive# (# = the hard drive number: 0, 1, 2 etc.).

Have this selected / ticked to fix, as I have above, and then click FIX.

File Details

After clicking FIX, NPE will notify you that it's about to remove the Risk ................... which had my eyes open further. Don't worry, it's just a wrong choice of word for this fix; it should be Repair, Cure or Disinfect.

After probably restarting the computer again, NPE will show the Results after the restart.

Once again, don't worry about the wording of Removal or Removed. You can now click DONE.

Quads
