
Infected with Rootkit.Win32.TDSS.tdl4 (tidserv)

Created: 17 Sep 2010 | 8 comments

Using SEP 11.0.6005.562 which gives numerous warnings about HTTP Tidserv requests for internet access.

Getting numerous browser re-directs & pop-ups (ad pages) symptomatic of this rootkit.

Downloaded the Symantec FixTDSS.exe removal tool but after execution I just get an infinite re-boot loop until I boot to last known good configuration and then the rootkit is still there (the FixTDSS tool just stalls after the reboot). 

Also tried the Kaspersky TDSSKiller tool which identifies the Rootkit.Win32.TDSS.tdl4 object in the Master Boot Record, but again is not able to remove it as billed.

Would be very grateful if anyone has had any success in repairing this rootkit infection. Otherwise I guess it's reformat and re-install Windows XP.

Many thanks!

8 Comments

AravindKM

Try scanning in safe mode. If that doesn't help, boot from the Symantec recovery CD and perform a scan.

How To Use the Symantec Endpoint Recovery Tool with the Latest Virus Definitions

Please don't forget to mark your thread solved with whatever answer helped you :) Thanks & Regards, Aravind

VSK

Look at your risk logs in SEP. Does it show any detections? Could you export the risk logs and post them?

Also, please tell me what features of SEP you have.

Also, disable auto-play, system restore.

Run the SEP support tool with loadpoint analysis selected, save the logs, and post them here...

-VSK

.Brian

Boot the machine with BartPE or similar PE disk and replace the infected file (atapi.sys?) with a known good one.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

3play

Dear Surridgn,

It is easy to fix this. As it is in the MBR, a format might not fix the problem.

If you use Windows XP, get your Windows XP installation disk, boot from it, start the Recovery Console and fix the Master Boot Sector (MBR). Instructions here (in the middle of the article): http://support.microsoft.com/kb/314058

If you use Windows Vista or Windows 7, use your Vista/7 installation disk, boot from it, start Computer Repair (tools), open Command Prompt and use the bootrec option. Instructions here: http://support.microsoft.com/kb/927392

Use Hitman Pro (free program) http://www.surfright.nl/en/hitmanpro to perform a scan and fix whatever files might be patched.

--
Microsoft Certified Professional (MCP,MCTS,MCITP)
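The repair steps above work because `fixmbr` and `bootrec /fixmbr` rewrite only the boot loader code in the first sector and leave the partition table alone, which is also the part an MBR rootkit such as TDL4 replaces while keeping the partition table intact so the machine still boots. The following added example (written for this thread, not a Symantec, Microsoft or SurfRight tool) shows how a defender can verify an MBR: it parses the 512-byte sector, checks the 0x55AA signature, and compares the boot code hash and partition table against a known-good baseline. All sector bytes below are constructed for the demonstration; a real baseline hash would be taken from install media or a freshly repaired disk.

```python
"""Inspect a raw 512-byte MBR sector and compare it with a known-good baseline.
Added example for this thread; the MBR bytes below are constructed, not captured
from a real disk."""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446        # bytes 0..445 hold the boot loader code
PT_OFFSET = 446            # four 16-byte partition entries follow
ENTRY_FMT = "<B3sB3sII"    # status, CHS start, type, CHS end, LBA start, sector count
SIGNATURE = b"\x55\xaa"    # bytes 510..511


def parse_partition_table(mbr):
    """Return the non-empty partition entries as a list of dicts."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("expected a 512-byte sector")
    entries = []
    for i in range(4):
        status, _chs0, ptype, _chs1, lba, count = struct.unpack_from(
            ENTRY_FMT, mbr, PT_OFFSET + i * 16)
        if ptype == 0:          # empty slot
            continue
        entries.append({"index": i, "bootable": status == 0x80,
                        "type": ptype, "lba_start": lba, "sectors": count})
    return entries


def boot_code_sha256(mbr):
    """Hash only the loader code, the region a repair (fixmbr/bootrec) rewrites."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def check_mbr(mbr, baseline_hash, baseline_partitions):
    """Compare a captured sector with the baseline; return a verdict and findings."""
    findings = []
    if mbr[510:512] != SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    if boot_code_sha256(mbr) != baseline_hash:
        findings.append("boot code differs from baseline")
    if parse_partition_table(mbr) != baseline_partitions:
        findings.append("partition table differs from baseline")
    return {"clean": not findings, "findings": findings}


def build_mbr(boot_code, entries):
    """Assemble a 512-byte sector from loader bytes and packed partition entries."""
    if len(boot_code) > BOOT_CODE_LEN or len(entries) > 4:
        raise ValueError("boot code or partition list too long")
    table = b"".join(entries) + b"\x00" * 16 * (4 - len(entries))
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00") + table + SIGNATURE


# --- constructed sample data (not from a real machine) -------------------
# One bootable partition of type 0x07 (NTFS) starting at LBA 63.
NTFS_ENTRY = struct.pack(ENTRY_FMT, 0x80, b"\x01\x01\x00", 0x07,
                         b"\xfe\xff\xff", 63, 2_048_000)
# Placeholder "known-good" loader prologue (xor ax,ax; mov ss,ax; mov sp,7C00h).
GOOD_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 64
CLEAN_MBR = build_mbr(GOOD_CODE, [NTFS_ENTRY])
BASELINE_HASH = boot_code_sha256(CLEAN_MBR)
BASELINE_PARTS = parse_partition_table(CLEAN_MBR)

# Same partition table, but the loader bytes were replaced with foreign code:
# the disk still boots normally, which is why this kind of change goes unnoticed.
ALTERED_MBR = build_mbr(b"\xcc" * 72, [NTFS_ENTRY])


if __name__ == "__main__":
    for name, sector in (("clean", CLEAN_MBR), ("altered", ALTERED_MBR)):
        print(name, check_mbr(sector, BASELINE_HASH, BASELINE_PARTS))
```

To use it on a real disk, read the first sector from a boot CD or PE environment into a file (on Linux, `dd if=/dev/sda of=mbr.bin bs=512 count=1`) and pass those bytes to `check_mbr`; a report of "boot code differs" with an unchanged partition table matches what the MBR repair in the steps above is meant to undo.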

coolraygun

One of my users managed to get the tdl4 variant. SEP detected but could not clean it. Kaspersky detected it but could not clean it.

Hitman Pro seems to have worked. http://www.surfright.nl/en/hitmanpro

.Brian

Hitman Pro kills it every time

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

MkFly1

I've seen earlier variants of the Alureon/Tidserv/TDSS, but just ran across TDL4 for the first time today. TDL3 & TDL4 variants infect the master boot record (thus, when you boot your PE disk, the system drive is not seen). I understand that it can even defeat driver signing policy and successfully infects 64-bit versions of Vista and Win 7 as well. Reading this thread I'd have to say Hitman Pro looks like a winner, and comes in 32 and 64-bit flavors. I always use ComboFix when rootkit activity is suspected, but I wouldn't want to try it on a 64-bit OS. I have not seen a rootkit yet that ComboFix couldn't break, and it made fast work of TDL4 on an XP Pro machine. Updating the McAfee AV and performing a full scan successfully cleaned the remnants.

clawunf

My brother's computer got infected with this rootkit. First it was detected by Avast, which only gives you the alert to quarantine or delete, but many attempts never deleted it. Ran ComboFix and it never picked it up. I did try Hitman Pro and it found many bad infections... looks like Hitman Pro did the trick on this particular instance.