Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Possible TDL3 Rootkit Infection


  • This topic is locked This topic is locked
3 replies to this topic

#1 Jayann

Jayann

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:08:06 AM

Posted 18 March 2011 - 02:16 AM

While trying to search Google today, I suddenly found myself fending off some anti-virus warnings along with a firewall request from a remote .de address. I mainly use my PC for work only and usually consider myself pretty security conscious so I rarely run into issues if at all.

Then it dawned on me that my daughter had "used the pc to print her paper" the night prior to these issues popping up. I wish I could say this is a rare thing for her too, but being that she’s 16, this wouldn't be the first time she has likely infected a PC. So... the first problem is, I have no idea where it possibly originated from.

My anti-virus (ESET) was flagging and quarantining files as they came in however my initial scan with ESET showed no issues other than the files that were intercepted. I did a system restore because at this point, autoruns was showing two totally foreign logon entries that despite being disabled, repeated themselves upon a reboot.

System restore took care of the foreign entries however, the most notable issues after the restore were; a setup file that was attempting to run that I was able to intercept and the biggest issue, a browser hijack. The hijack seemed to be mostly affected via Google searches. Right clicking any link to open in a new tab or window would hijack the page. Typing addresses in directly did not seem to be affected.

Since this time, I have run Spybot S&D which cleaned 4 issues. Malewarebytes did a full scan which cleaned 2 files. It was also suggested that I uninstall ESET and try Microsoft Security Essentials which I did a quick scan on and 4 files were removed and then a full scan in which 1 file was removed.

I have also run MBR which is where I am at with things now. My results indicated a possible TDL3 Rootkit Infection and all of this is starting to get a little out of my realm of knowledge. I must say, I have not turned off system restore to do a fresh clean as of yet but, I will end up doing that as my next step anyhow while I wait for some hopeful help from here.

I am attaching what logs I have at this point. If I can provide any additional information don’t hesitate to ask. Also if it helps any, being that I work from home "virtually" I worried that some of my legitimate programs I require for work may mimic some of the "symptoms" of a virus for instance the Interactive Intelligence Interaction Client.

Thanks in advance for any help it is greatly appreciated!

Attached Files


Edited by elise025, 18 March 2011 - 05:57 AM.
Moved to Malware Removal forum ~ Elise


BC AdBot (Login to Remove)

 


#2 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Antarctica
  • Local time:09:06 AM

Posted 18 March 2011 - 10:38 AM

Hello and welcome to the forums!

My secret agent name on the forums is SweetTech (you can call me ST for short), it's a pleasure to meet you. :)

I would be glad to take a look at your log and help you with solving any malware problems.

If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed.

If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:

  • Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
  • Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
  • If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
  • In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as Administrator!
  • These instructions have been specifically tailored to your computer and the issues you are experiencing with your computer. It's important to note that these instructions are not suitable for any other computer, even if the issues are fairly similar.
  • Do not do things I do not ask for, such as running a spyware scan on your computer. The one thing that you should always do, is to make sure sure that your anti-virus definitions are up-to-date!
  • Please do not use the Attachment feature for any log file. Do a Copy/Paste of the entire contents of the log file and submit it inside your post.
  • I am going to stick with you until ALL malware is gone from your system. I would appreciate it if you would do the same. From this point, we're in this together ;)
    Because of this, you must reply within three days
    failure to reply will result in the topic being closed!
  • Please do not PM me directly for help. If you have any questions, post them in this topic.
  • Lastly, I am no magician. I will try very hard to fix your issues, but no promises can be made. Also be aware that some infections are so severe that you might need to resort to reformatting and reinstalling your operating system.
    Don't worry, this only happens in severe cases, but it sadly does happen. Be prepared to back up your data. Have means of backing up your data available.

____________________________________________________


Running TDSSKiller

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.


    Posted Image

  • If an infected file is detected, the default action will be Cure, click on Continue.


    Posted Image

  • If a suspicious file is detected, the default action will be Skip, click on Continue.


    Posted Image

  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.


    Posted Image

  • If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.


NEXT:



Running OTL

We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized


NEXT:



Please be sure to provide an update on how things are running in your next reply.

Have I helped you? If you'd like to assist in the fight against malware, click here Posted Image


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#3 Jayann

Jayann
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:08:06 AM

Posted 18 March 2011 - 11:03 AM

Hello ST and Ty for your reply. Please close this topic as I have requested assistance elsewhere. Your help is greatly appreciated. Ty for your time!

#4 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Antarctica
  • Local time:09:06 AM

Posted 18 March 2011 - 01:11 PM

Thanks for letting me know. I appreciate it.

This topic is now closed.

Have I helped you? If you'd like to assist in the fight against malware, click here Posted Image


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users