TDL3 Rootkit Help


  • This topic is locked
4 replies to this topic

#1 djbj

djbj

  • Members
  • 4 posts
  • OFFLINE
  • Local time:09:47 PM

Posted 19 October 2010 - 02:10 PM

Hey guys,
So I started having problems a few days ago when I began to notice that my computer was running very slowly and when looking at the task manager I found that my CPU usage holding steady at 100%. Shortly after this, a window popped up for "Just In Time Debugging" and I started getting some tabs that popped up in my Firefox browser after Google searches.

I did not click on the popups and did a virus scan using Sophos Anti-virus.
It came up with two files that it said were associated with Troj/TDL3Mem-B. These were quarantined but it says they need to be manually removed.

I decided to do some research and found some threads on this forum as well as other information through Google searches for information on this problem. I probably should have posted here before doing anything... but I guess I wanted a quick fix.

Anyway, after reading up on similar problems, I ran TDSSkiller, followed MalwareBytes, and then Combofix while my computer was in safe mode.

TDSSkiller found malware in system32 that it called tdl4. It successfully cleaned that.

Malwarebytes found one infected file, here is the excerpt from the log.
C:\Documents and Settings\Administrator\Application Data\jsfhjjsd.bat (Malware.Trace) -> Quarantined and deleted successfully.

Finally I ran Combofix, and I don't think it found anything.

After rebooting my computer, I scanned with Panda Anti-Rootkit and it says that my computer is clean.

My computer now appears to be running normally, there is normal processor usage, and I have not gotten any popups or been redirected to any other sites. It should also be noted that whatever I had was blocking my access to the Malwarebytes download directly through their website, and I can now access that. (I originally managed to download it through a different site)

It seems that the problem is fixed, but after all I've read about rootkits and the TDL3 rootkit, I'm not confident that my problem is actually solved. (Especially considering that those TDL3 files are still in the sophos quarantine) I know that I should have probably come here in the first place instead of doing all this screwing around beforehand, but this is where I am now, and I'm wondering if you guys can help me be sure that this thing is gone?

Thanks so much,
djbj

Edited by hamluis, 19 October 2010 - 02:31 PM.
Moved from XP forum to Am I Infected ~ Hamluis.



#2 cryptodan

cryptodan

    Bleepin Madman


  • Members
  • 21,868 posts
  • OFFLINE
  • Gender:Male
  • Location:Catonsville, Md
  • Local time:02:47 AM

Posted 19 October 2010 - 02:22 PM

Please follow the instructions in ==>This Guide<==.

Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<== Please include the link to this topic in your new topic and a description of your computer issues and what you have done to resolve them.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

Once you have created the new topic, please reply back here with a link to the new topic.

#3 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,945 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:10:47 PM

Posted 19 October 2010 - 04:21 PM

There are no guarantees or shortcuts when it comes to malware removal, especially when dealing with backdoor Trojans, Botnets, IRCBots or rootkit components that can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install.

Some infections are difficult to remove completely because of their morphing characteristics, which allow the malware to regenerate itself. Sometimes there is an undetected hidden piece of malware (rootkit) which protects malicious files and registry keys so they cannot be permanently deleted. Other types of malware can even terminate your security tools by changing the permissions on targeted programs so that they cannot run or complete scans. Infections will vary and some will cause more harm to your system than others, as backdoor Trojans not only compromise your system, they have the ability to download more malicious files. Thus, it may take several efforts with different, the same or more powerful tools to do the job. Even then, with some types of malware infections, the task can be arduous.

In some instances an infection may have caused so much damage to your system that it cannot be successfully cleaned, repaired or trusted. Security vendors that claim to be able to remove rootkits and backdoor Trojans cannot guarantee that all traces will be removed, as their tools may not find all the remnants. Further, if something goes awry during the malware removal process there is always a risk the computer may become unstable or unbootable and you could lose access to your data.

The Malware Response Team members are all volunteers who contribute to helping members as time permits but currently there is a backup and you may have to wait for assistance. If you do not mind waiting and want someone to check your system thoroughly, then please follow the directions provided by cryptodan. If you want to continue in this forum, continue as follows:


Please post the complete results of your TDSSkiller scan for review.

After running TDSSkiller, a log file named TDSSKiller_version_date_time_log.txt will have been created and saved to the root directory (usually Local Disk C:). Open that file in notepad, then copy and paste the contents of that file in your next reply.

You indicated you performed scans in safe mode. Scanning with Malwarebytes Anti-Malware in safe or normal mode will work but removal functions are not as powerful in safe mode. Why? MBAM is designed to be at full power when malware is running so safe mode is not necessary when using it. In fact, MBAM loses some effectiveness for detection & removal when used in safe mode because the program includes a special driver which does not work in safe mode. Further, scanning in safe mode prevents some types of malware from running so it may be missed during the detection process. For optimal removal, normal mode is recommended so it does not limit the abilities of MBAM. Doing a safe mode scan should only be done when a regular mode scan fails or you cannot boot up normally. If that is the case, after completing a safe mode scan, reboot normally, update the database definitions through the program's interface (preferable method) and try rescanning again in normal mode. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.


Please perform a scan with Eset Online Anti-virus Scanner.
  • This scan requires Internet Explorer to work. If using a different browser, you will be given the option to download and use the ESET Smart Installer.
  • Vista/Windows 7 users need to run Internet Explorer as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run As Administrator from the context menu.
  • Click the green [image] button.
  • Read the End User License Agreement and check the box:
  • Check [image].
  • Click the [image] button.
  • Accept any security warnings from your browser.
  • Check [image]
  • Check Remove found threats and Scan potentially unwanted applications. (If given the option, choose "Quarantine" instead of delete.)
  • Click the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer.
  • If offered the option to get information or buy software at any point, just close the window.
  • The scan will take a while so be patient and do NOT use the computer while the scan is running. Keep all other programs and windows closed.
  • When the scan completes, push [image]
  • Push [image], and save the file to your desktop as ESETScan.txt.
  • Push the [image] button, then Finish.
  • Copy and paste the contents of ESETScan.txt in your next reply.
Note: A log.txt file will also be created and automatically saved in the C:\Program Files\EsetOnlineScanner\ folder.
If you did not save the ESETScan log, click [image] > Run..., then type or copy and paste everything in the code box below into the Open dialogue box:

C:\Program Files\ESET\EsetOnlineScanner\log.txt
  • Click Ok and the scan results will open in Notepad.
  • Copy and paste the contents of log.txt in your next reply.
-- Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn them back on after you are finished.


IMPORTANT NOTE: TDSS, TDL3/TDL4 (Backdoor.Tidserv) is the third and fourth generation of TDSS, which uses rootkit technology to hide itself on a system by infecting system files/drivers like atapi.sys, a common target because it loads early during the boot process and is difficult to detect. Newer variants, however, can target a number of other legitimate drivers in the Windows drivers folder. Common symptoms/signs of this infection include:
  • Google search results redirected as TDL3 modifies DNS query results.
  • Infected (patched/forged) files in the Windows drivers folder.
  • Slowness of the computer and poor performance.
  • Multiple instances of IEXPLORE.exe in Task Manager.
  • Internet Explorer opens on its own.
  • BSODs as described in this article.
For more specific analysis and explanation of the infection, please refer to: TDL3: The Rootkit of All Evil?

Rootkits, backdoor Trojans, Botnets, and IRCBots are very dangerous because they compromise system integrity by making changes that allow it to be used by the attacker for malicious purposes. Rootkits are used by backdoor Trojans to conceal its presence (hide from view) in order to prevent detection of an attacker's software and make removal more difficult. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. They can disable your anti-virus and security tools to prevent detection and removal. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is then sent back to the hacker.

Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

Whenever a system has been compromised by a backdoor payload, it is impossible to know if or how much the backdoor has been used to affect your system...There are only a few ways to return a compromised system to a confident security configuration. These include:
• Reimaging the system
• Restoring the entire system using a full system backup from before the backdoor infection
• Reformatting and reinstalling the system

Backdoors and What They Mean to You

This is what Jesper M. Johansson at Microsoft TechNet has to say: Help: I Got Hacked. Now What Do I Do?.

The only way to clean a compromised system is to flatten and rebuild. That’s right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications).


.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif
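One of the symptoms listed in the post above is "infected (patched/forged) files in the Windows drivers folder". The following is an added example, not code from the thread or from any of the tools it names, of the kind of baseline integrity check a responder would run to spot that symptom: hash every file in a drivers folder while the machine is known-good, then compare a later snapshot against that baseline and report modified, added and missing files. The folder, file names, contents and the "patched" change are all constructed inside a temporary directory so the script runs offline on any OS.

```python
"""Baseline-vs-current integrity check over a drivers folder (added example).

Everything here is constructed: the folder lives in a temporary directory,
the "driver" files contain arbitrary bytes, and the patched file is simulated.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large driver images are not read at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(folder: Path) -> dict:
    """Map each regular file in folder (by name) to its SHA-256 hex digest."""
    return {p.name: sha256_of(p) for p in sorted(folder.iterdir()) if p.is_file()}


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences between two snapshots.

    modified: present in both but the hash changed (a patched driver)
    added:    present now but absent from the baseline (a dropped file)
    missing:  present in the baseline but gone now
    """
    modified = sorted(n for n in baseline if n in current and baseline[n] != current[n])
    added = sorted(n for n in current if n not in baseline)
    missing = sorted(n for n in baseline if n not in current)
    return {"modified": modified, "added": added, "missing": missing}


def demo() -> dict:
    """Build a constructed drivers folder, baseline it, tamper with it, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        drivers = Path(tmp) / "drivers"
        drivers.mkdir()
        # Constructed stand-ins for driver files; the bytes are arbitrary.
        (drivers / "atapi.sys").write_bytes(b"clean atapi driver image")
        (drivers / "disk.sys").write_bytes(b"clean disk driver image")
        baseline = snapshot(drivers)  # taken while the machine is known-good

        # Simulate what the post describes: one legitimate driver gets patched
        # and an extra file appears in the folder.
        (drivers / "atapi.sys").write_bytes(b"clean atapi driver image" + b"\x90" * 8)
        (drivers / "unknown.sys").write_bytes(b"constructed extra file")

        return compare(baseline, snapshot(drivers))


if __name__ == "__main__":
    result = demo()
    for kind, names in result.items():
        print(f"{kind}: {names if names else '-'}")
```

The check is only as trustworthy as the view of the disk it gets: the post notes that rootkits hook the kernel and patch APIs to hide the files they install, so a snapshot taken on a live infected system through normal file reads may simply not see the change. That is why the baseline must predate the infection and why a comparison run from a clean boot medium, or a dedicated anti-rootkit scanner, is the stronger form of this check.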

#4 djbj

djbj
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:09:47 PM

Posted 19 October 2010 - 07:26 PM

Please follow the instructions in ==>This Guide<==.

Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<== Please include the link to this topic in your new topic and a description of your computer issues and what you have done to resolve them.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

Once you have created the new topic, please reply back here with a link to the new topic.


Here is my post to the appropriate section of the forum with the requested logs. Thanks for your help.
New Post

#5 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,945 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:10:47 PM

Posted 19 October 2010 - 08:48 PM

Now that your log is posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a Malware Response Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the member assisting you and could complicate the malware removal process or make things worse, which would extend the time it takes to clean your computer.

From this point on the Malware Response Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the Malware Response Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have posted your log and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the Malware Response Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another Malware Response Team member is already assisting you and not open the thread to respond.

To avoid confusion, I am closing this topic until you are cleared by the Malware Response Team. If you still need assistance after your log has been reviewed and you have been cleared, please PM me or another moderator and we will re-open this topic.

Good luck with your log.
