Google Redirect, TDL4 Rootkit


Recommended Posts

Hi,

I've been having issues attempting to remove a TDL4 Rootkit from a computer I'm working on. These are the symptoms:

- Google will redirect searches and results from time to time

- Internet Explorer will not play sound

- I notice that there are 2 iexplorer.exe tasks that start up even though Internet Explorer is not open (I have checked with Process Explorer and it is in fact IE that is being started up). I can kill these processes, but they just come back

What I've tried to do:

- Kaspersky AV sees it in the memory (I see these errors: "MEM:Rootkit.Win32.Sst.a" and "physical disk sector \DEVICE\HARDDISK0\DR0: detected Trojan program 'Rootkit.Boot.Sst.a'"). However, I cannot remove it

- I ran MBAM, but it does not see the issue (attached log)

- I cannot run TDSS Killer (from Kaspersky). I tried renaming the file but it doesn't work

- I ran aswMBR and it sees the Rootkit; upon issuing a fix it appears to clean the issue and needs a reboot. But after the reboot, the Rootkit is still there. The reboot doesn't seem to be clean (Windows doesn't go through the normal shut down procedures, instead it just turns off and back on).

- GMER has the following error on bootup: "LoadDriver("C:\DOCUM~1\ADMINI~1.HHO\LOCALS~1\Temp\kxldypod.sys") error 0xC000010E: Cannot create a stable subkey under a volatile parent key". GMER then boots up, but I cannot select any settings apart from Services, Registry, Files (C:), ADS. Subsequent scans show nothing and logs are empty.

- I've also run ESET scanner, but it doesn't locate the Rootkit.

I've attached all the logs from DDS, MBAM, and HiJackThis.

Any help would be greatly appreciated!

Sorry, I forgot to press "Attach this File" and attach the logs

logs.zip
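The hidden iexplore.exe instances described above are the kind of thing a responder wants to document before cleaning. This PowerShell triage helper is an added example, not something from the thread: it lists every iexplore.exe process with its parent process, whether it owns a visible window, and its command line, so instances that nobody launched can be told apart from the user's own browser windows.

```powershell
# Added triage helper (example code, not from the original post).
# Enumerates iexplore.exe processes and reports who started each one and
# whether it has a visible window. A normal IE session is started from
# explorer.exe and has a window title; an instance with no window that the
# user did not open is the symptom described in the post and deserves a
# closer look (parent, command line, start time) before remediation.
function Get-IexploreTriage {
    $procs = Get-CimInstance Win32_Process -Filter "Name = 'iexplore.exe'"
    foreach ($p in $procs) {
        # Resolve the parent by PID; it may already have exited.
        $parent = Get-CimInstance Win32_Process `
            -Filter "ProcessId = $($p.ParentProcessId)" -ErrorAction SilentlyContinue
        # MainWindowTitle is empty for processes without a visible top-level window.
        $win = (Get-Process -Id $p.ProcessId -ErrorAction SilentlyContinue).MainWindowTitle
        [pscustomobject]@{
            PID         = $p.ProcessId
            ParentPID   = $p.ParentProcessId
            Parent      = if ($parent) { $parent.Name } else { '<exited>' }
            HasWindow   = -not [string]::IsNullOrEmpty($win)
            Started     = $p.CreationDate
            CommandLine = $p.CommandLine
        }
    }
}

# Run from an elevated prompt so parent and command-line details are readable.
Get-IexploreTriage | Sort-Object Started | Format-Table -AutoSize
```

Rows with HasWindow false and a parent other than explorer.exe are the ones to record (PID, parent, command line) in the notes you keep alongside the scanner logs.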


Logs will be closed if you haven't replied within 3 days

Please do not attach the scan results from Combofix. Use copy/paste.

DO NOT use any TOOLS such as Combofix, or HijackThis fixes without supervision.

Doing so could make your PC inoperable and could require a full reinstall of your OS, losing all your programs and data.

Please give this a try:

Download AVPTool from Here to your desktop

Run the programme you have just downloaded to your desktop (it will be randomly named)

First we will run a virus scan

Click the cog in the upper right


Select down to and including your main drive, once done select the Automatic scan tab and press Start Scan


Allow AVP to delete all infections found

Once it has finished select report tab (last tab)

Select Detected threats report from the left and press Save button

Save it to your desktop and attach to your next post

Now the Analysis

Rerun AVP and select the Manual Disinfection tab and press Start Gathering System Information


On completion click the link to locate the zip file to upload and attach to your next post


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
