
Problem with TDSS/Alureon rootkit removal.



Tony.br
15-10-2010, 12:00 PM
Some time ago I became aware that my Windows XP Pro had stopped updating.

If I tried to go to the update site it gave an “Error 0x80072eff” which indicates that the server could not be reached.

Also, for quite a few weeks my AV program has been popping up and blocking certain malicious sites even if I am doing nothing more than using Word. I suspected some sort of virus, so I did virus scans and ran MalwareBytes and SuperAntiSpyware, but only a few tracking cookies were found.

For weeks I hunted through various forums, trying various “cures”, until I found a number of replies that recommended downloading and running "tdsskiller.exe" from Kaspersky.

I downloaded this, ran it and it found 3 problems. Here is an extract from the log.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

2010/10/11 12:02:45.0671 Detected object count: 3
2010/10/11 12:03:03.0406 Locked file(atapi) - User select action: Skip
2010/10/11 12:03:03.0406 Forged file(audstub) - User select action: Skip
2010/10/11 12:03:03.0484 Kbdclass (6a19457459a040db46efe3101eb0cd90) C:\windows\system32\DRIVERS\kbdclass.sys
2010/10/11 12:03:03.0484 Suspicious file (Forged): C:\windows\system32\DRIVERS\kbdclass.sys. Real md5: 6a19457459a040db46efe3101eb0cd90, Fake md5: 463c1ec80cd17420a542b7f36a36f128
2010/10/11 12:03:04.0937 Backup copy found, using it..
2010/10/11 12:03:04.0953 C:\windows\system32\DRIVERS\kbdclass.sys - will be cured after reboot
2010/10/11 12:03:04.0953 Rootkit.Win32.TDSS.tdl3(Kbdclass) - User select action: Cure
2010/10/11 12:03:12.0531 Deinitialize success

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Literally a couple of minutes after running it, the UPDATE shield popped up and it started downloading.

I let it run for a while (to about the 5% stage), then I decided to restart, and there were 2 updates to be installed. Whoopee!!!

It installed these and restarted Windows, and the shield popped up again and resumed updating. I started to click on an icon and suddenly Windows and the mouse pointer froze. Nothing worked, not even the Task Manager. I restarted and repeated it several times, and the same thing happened every time: the first mouse click, and "Freeze."

Fortunately I had made an Acronis backup before running tdsskiller.exe, so I restored this, and this is how I am using it until I can find out what is going on.

I ran HijackThis, but nothing really showed. Obviously tdsskiller.exe cures the problem, but something about the cure causes this lockup issue.

If anyone has any suggestions, it would be appreciated.
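As an added example (not part of the original post, and not Kaspersky's code), the script below parses the TDSSKiller log lines quoted above into per-driver findings and then replays the tool's "Backup copy found, using it" step in its simplest form: hash the driver as the file system presents it, hash the backup copy, and compare. The log extract is embedded verbatim as the sample input; the two files in the demo are constructed temporary files standing in for system32\DRIVERS\kbdclass.sys and its dllcache copy, and the "appended bytes" that make them differ are an assumption for the demo, not what TDL3 actually writes.

```python
"""Added example (not from the thread or from Kaspersky): parse the TDSSKiller
log lines quoted above into per-driver findings, and replay the 'compare the
driver with its backup copy' check with plain MD5 hashing on constructed files."""
import hashlib
import os
import re
import tempfile

# Constructed sample: the log extract from the post above, verbatim.
SAMPLE_LOG = r"""2010/10/11 12:02:45.0671 Detected object count: 3
2010/10/11 12:03:03.0406 Locked file(atapi) - User select action: Skip
2010/10/11 12:03:03.0406 Forged file(audstub) - User select action: Skip
2010/10/11 12:03:03.0484 Kbdclass (6a19457459a040db46efe3101eb0cd90) C:\windows\system32\DRIVERS\kbdclass.sys
2010/10/11 12:03:03.0484 Suspicious file (Forged): C:\windows\system32\DRIVERS\kbdclass.sys. Real md5: 6a19457459a040db46efe3101eb0cd90, Fake md5: 463c1ec80cd17420a542b7f36a36f128
2010/10/11 12:03:04.0937 Backup copy found, using it..
2010/10/11 12:03:04.0953 C:\windows\system32\DRIVERS\kbdclass.sys - will be cured after reboot
2010/10/11 12:03:04.0953 Rootkit.Win32.TDSS.tdl3(Kbdclass) - User select action: Cure
2010/10/11 12:03:12.0531 Deinitialize success
"""

TS = r"^\d{4}/\d{2}/\d{2} \S+ "  # timestamp prefix on every TDSSKiller line
COUNT_RE = re.compile(TS + r"Detected object count: (\d+)$")
ACTION_RE = re.compile(TS + r"(Locked|Forged) file\((\w+)\) - User select action: (\w+)$")
FORGED_RE = re.compile(TS + r"Suspicious file \(Forged\): (.+?)\. Real md5: ([0-9a-f]{32}), Fake md5: ([0-9a-f]{32})$")
PENDING_RE = re.compile(TS + r"(.+?) - will be cured after reboot$")
VERDICT_RE = re.compile(TS + r"(Rootkit\.[\w.]+)\((\w+)\) - User select action: (\w+)$")


def _service_name(path):
    """'C:\\windows\\system32\\DRIVERS\\kbdclass.sys' -> 'kbdclass', the name
    TDSSKiller uses in its Locked/Forged/verdict lines."""
    return os.path.splitext(path.replace("\\", "/").rsplit("/", 1)[-1])[0].lower()


def parse_tdsskiller_log(text):
    """Return (declared_count, findings); findings maps the lower-cased
    driver/service name to everything the log recorded about it."""
    declared = None
    findings = {}

    def entry(name):
        return findings.setdefault(name.lower(), {"driver": name.lower()})

    for line in text.splitlines():
        if m := COUNT_RE.match(line):
            declared = int(m.group(1))
        elif m := ACTION_RE.match(line):
            kind, name, action = m.groups()
            entry(name).update(kind=kind, action=action)
        elif m := FORGED_RE.match(line):
            path, real_md5, fake_md5 = m.groups()
            entry(_service_name(path)).update(kind="Forged", path=path,
                                              real_md5=real_md5, fake_md5=fake_md5)
        elif m := PENDING_RE.match(line):
            entry(_service_name(m.group(1)))["pending_reboot"] = True
        elif m := VERDICT_RE.match(line):
            verdict, name, action = m.groups()
            entry(name).update(verdict=verdict, action=action)
    return declared, findings


def unresolved(findings):
    """Drivers the scan flagged but the user told it to Skip: left as found."""
    return sorted(name for name, f in findings.items() if f.get("action") == "Skip")


def md5_of(path):
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_with_backup(live_path, backup_path):
    """Hash the driver as the file system shows it and its backup copy; a
    mismatch means one of the two was altered and the backup is the candidate
    for restoring (what TDSSKiller does at 'Backup copy found, using it')."""
    live, backup = md5_of(live_path), md5_of(backup_path)
    return {"live_md5": live, "backup_md5": backup, "match": live == backup}


def demo_backup_check():
    """Constructed demo: two temp files stand in for kbdclass.sys and its
    dllcache copy; the appended bytes are an assumption, not real TDL3 data."""
    with tempfile.TemporaryDirectory() as d:
        live, backup = os.path.join(d, "kbdclass.sys"), os.path.join(d, "kbdclass.bak")
        clean = b"MZ" + b"\x00" * 62 + b"clean driver body (constructed)"
        with open(backup, "wb") as fh:
            fh.write(clean)
        with open(live, "wb") as fh:
            fh.write(clean + b"\x90" * 16)  # stands in for the modified driver
        return compare_with_backup(live, backup)


if __name__ == "__main__":
    count, found = parse_tdsskiller_log(SAMPLE_LOG)
    print(count, "objects declared;", len(found), "parsed; skipped:", unresolved(found))
    print(demo_backup_check())
```

Run against the extract above, the parser reports three objects, two of which (atapi and audstub) were answered with Skip and so were left as found, while kbdclass carries both MD5s, the Rootkit.Win32.TDSS.tdl3 verdict and a pending-reboot cure. The caveat that matters for the backup check: a hash taken through the normal file API is exactly what a disk-filtering rootkit such as TDL3 can forge, and TDSSKiller's "Real md5 / Fake md5" pair exists because it reads the driver both through the OS and at a lower level. A user-mode script like this one only sees the file-system view, so a clean match here does not clear a driver that a rootkit is hiding.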

nofam
15-10-2010, 12:08 PM
Can you get a Run box up?

If so, try running sfc /scannow, let that run through, reboot, and see if that fixes it.

Also, did you disable system restore before running tdsskiller?

Speedy Gonzales
15-10-2010, 12:10 PM
Disable System Restore, then try Trojan Remover. That's the point of a rootkit: it hides. Depending on the variant, you'll be lucky to boot into Windows, since it infects atapi.sys.

Tony.br
16-10-2010, 06:13 AM
Many thanks guys.

Re System Restore: I must confess (and I should know better) that I forgot to turn that off.

I'll do an image backup and try sfc /scannow.

Tony.br
17-10-2010, 04:16 PM
Just an update.

First I cloned my C: partition to another 80 GB drive so I could test it, then hooked that up and tried it, and it worked, so I replaced the main drive.

As suggested, I turned off System Restore, ran sfc /scannow, rebooted and checked the update web site, and bingo, I am on and downloading 39 updates (112 MB).

When all updates were installed, I turned System Restore back on and created a restore point.

I suspect that wherever TDSSKILLER.EXE found the replacement files for the ones it identified as suspect, they were not the correct ones, hence causing my lockup problem after it replaced them.

Very Many thanks Guys