Windows 7 Forums
Windows 7: tdl3 rootkit browsers hook to directdr.com & urbtk.com


14 Dec 2009   #1

Windows 7 ultimate 32 bit oem & Arch Linux x86_64
 
 

this is a 3rd generation tdl rootkit (tdl3).

for 1 week i fought with this nasty wee rootkit, tried loads of online scanners and rootkit scanners, nothing helped. then i searched for .dlls, viewed by date, found a couple which looked shady, googled them and sure enough, malware. after deleting them i was still getting redirects, and the bugger fried a 250gb external hdd by writing malicious code to disk, so i lost all the data; it was full of bad sectors, never seen a hdd so corrupt. i also noticed that my c drive was not showing in disk management, and all drive letters in removable drive ports had exclamation marks; tried updating drivers to no avail, all the while still getting redirects in google search from directdr.com and urbtk.com. everyone told me to format c and i was just about to when i thought i'd roll the dice once more. i'd read on forums that combofix wouldn't run on windows 7, but as i was gonna format i decided to give it a go.

if anyone is trying this fix, please disable all scanners (av & adware) and firewall/win defender. i ran combofix in safe mode, got a warning about compatibility issues, then a box telling me combofix was only a beta build; i clicked yes to let it proceed. very important: do not touch your keyboard or mouse unless prompted whilst combofix is running. it had barely started the scan when "rootkit activity detected", combofix needs to reboot your machine. i let it boot into normal mode, combofix carried on till it finished its 50 stages, then told me nvstor.sys was infected and disinfected (explains the hdd issues, it's the hd controller). since then (yesterday) the machine is running like new. once completed, search for .tdl files on c: yk62x86.dll, vp7vfw.dll, umstartup.etl, startup.etl, nvstor.sys [affected tdl3 files]. 3 cheers for combofix, the only thing that found and killed this nasty wee sleekit beastie.

p.s. stay away from cracks/keygens, crack really does f**k you up.
* Sysinternals Forums - Rootkit TDL 3 - Page 1

peace out, stay safe / isn't 7 da bomb. hijackthis and gmer are useless against this, so are most av scanners; hitman pro 3.5 is supposed to detect it, don't know about disinfecting crucial .sys files though, i'd stick with combo. apparently this rootkit is spreading like wildfire. it goes undetected as it enters via spools.exe which is a trusted windows file, then injects malicious code into winlogon.exe; if ur av has flagged any activity in the spools folder lately u been bitten. took me 1 week 2 clean, i wouldn't give in, everyone telling me 2 format and reinstall but my motto is "no surrender". nailzuk, glasgow, scotland, uk


15 Dec 2009   #2

Windows 7 Ultimate (32 bit)
 
 

Thanks for the update and suggestion for Hitman Pro V3.5
I plan to use it today on the infected system via Remote Access on my brother's computer.
It seems that it is the only thing that fully removes TDL3.

Are you still clean?
Have you seen any aftereffects that may have been left behind?

Thanks
Iggy
15 Dec 2009   #3
Microsoft MVP

Windows 7 Ultimate 32bit SP1
 
 

IggyAZ, after running Hitman Pro V3.5 on your brother's machine, flush the DNS cache and restore the Windows Hosts file:
Download the HostsXpert 4.3 - Hosts File Manager.
  • Unzip HostsXpert 4.3 - Hosts File Manager to a convenient folder such as C:\HostsXpert
  • Click HostsXpert.exe to Run HostsXpert 4.3 - Hosts File Manager from its new home
  • Click "Make Hosts Writable?" in the upper right corner (If available).
  • Click Restore Microsoft's Hosts file and then click OK.
  • Click the X to exit the program.
  • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.

Next, run MalwareBytes' Anti-Malware.

I personally will not deal with Rootkits. You can never be sure if the OS will ever be stable again. Therefore, I suggest a wipe and clean install.


15 Dec 2009   #4

Windows 7 Ultimate (32 bit)
 
 

Thanks nailzuk for your advice to download and run Hitman Pro.
It found and removed tdl3 Rootkit virus. Brother is very happy.
Thanks again
15 Dec 2009   #5

Windows 7 ultimate 32 bit oem & Arch Linux x86_64
 
 

yes system still clean, scanned with avira, nod32, online panda scan, oh and hitman, superantispyware and malwarebytes; only thing found was 2 ad tracking cookies. i have also replaced the hosts file and made it read only. if i used this pc for sensitive documents, ie banking etc, i would wipe, but it's really just for media so i'll leave it be. should the worst happen (corrupted hdd)(bsod) then it's no prob to put a new hdd in and reinstall 7, but combofix did the trick for me. search c drive for .tdl files and delete when u have disinfected. also good luck;
15 Dec 2009   #6

Windows 7 ultimate 32 bit oem & Arch Linux x86_64
 
 

pleased to hear it m8 u gettin a good xmas present from ur bros now )
15 Dec 2009   #7

Windows 7 Ultimate (32 bit)
 
 

Quote: Originally Posted by nailzuk
yes system still clean, scanned with avira, nod32, online panda scan, oh and hitman, superantispyware and malwarebytes; only thing found was 2 ad tracking cookies. i have also replaced the hosts file and made it readable. if i used this pc for sensitive documents, ie banking etc, i would wipe, but it's really just for media so i'll leave it be. should the worst happen (corrupted hdd)(bsod) then it's no prob to put a new hdd in and reinstall 7, but combofix did the trick for me. search c drive for .tdl files and delete when u have disinfected. also good luck;
He only uses it to login to Hotmail and browse around. No banking or buying anything online. I have been trying to educate him as I go but sometimes I don't think he gets it. lol

Anyway he's clean for the moment and I have all his pictures and docs backed up on CDs. I have no idea what I would have done for him without MS Remote Access.

Thanks again and have a merry hoho or whatever.

Iggy in the cool part of Arizona
15 Dec 2009   #8

Windows 7 Enterprise x64
 
 

Do a scan with Hitman Pro 3.5
Now, Go to start, Type RUN, hit Enter. Type/copy and paste this:
C:\windows\system32\drivers\etc
Open up HOSTS file in notepad and delete what you think is bad...You'll know it when you see it!

I could make a BAT file to do this but I'm too lazy and it's a little late
=P
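A hosts-file audit, added here as an example (it is not something posted in the thread and not the BAT file mentioned above): it parses hosts-file text the way Windows reads it and lists the entries a cleanup should review, so the "delete what you think is bad" step has a checklist behind it. The sample hosts text, the 192.0.2.10 address and the update.example-av.com name are constructed; the two domains are the ones this thread reports.

```python
import ipaddress

# Domains this thread reports as redirect targets; any hosts entry that names
# them (or a subdomain) is reported so the cleanup can look at it.
THREAD_DOMAINS = ("directdr.com", "urbtk.com")

# Constructed sample hosts text (not a real capture); 192.0.2.0/24 is the
# documentation range, used as a stand-in for an attacker-controlled host.
SAMPLE_HOSTS = """\
# constructed example hosts file
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net        # blocklist-style sinkhole, harmless
192.0.2.10      www.directdr.com       # thread domain pinned to a real address
192.0.2.10      update.example-av.com  # hypothetical AV update site hijacked
"""

def parse_hosts(text):
    """Return (ip, [hostnames]) per entry, ignoring blank lines and comments."""
    entries = []
    for line in text.splitlines():
        body = line.split("#", 1)[0].strip()
        if body:
            parts = body.split()
            entries.append((parts[0], parts[1:]))
    return entries

def audit_hosts(text):
    """Report (ip, hostname, reason) for entries worth reviewing; changes nothing.

    Loopback and 0.0.0.0 targets are benign sinkholes; anything else silently
    steers a name to a real address, which is what a hijacked hosts file does."""
    findings = []
    for ip, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((ip, " ".join(names), "unparseable address"))
            continue
        for name in names:
            n = name.lower()
            if any(n == d or n.endswith("." + d) for d in THREAD_DOMAINS):
                findings.append((ip, name, "domain reported in this thread"))
            elif n == "localhost" and not addr.is_loopback:
                findings.append((ip, name, "localhost mapped to non-loopback address"))
            elif not (addr.is_loopback or addr.is_unspecified):
                findings.append((ip, name, "maps a name to a real address"))
    return findings
```

On the machine being cleaned, pass the contents of C:\Windows\System32\drivers\etc\hosts (the path given above) to audit_hosts instead of SAMPLE_HOSTS.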
16 Dec 2009   #9
Microsoft MVP

Windows 7 Ultimate 32bit SP1
 
 

Combofix was pulled yesterday (due to arising problems with the scanner and until further notice) .... it doesn't work with Windows 7. I'm curious to know what version you have that (you say) "fixed" your problem.
16 Dec 2009   #10

Windows 7 ultimate 32 bit oem & Arch Linux x86_64
 
 

windows 7 32 bit 7600 oem, pc appears fine. as i said it was a beta build of combo i used and it disinfected the corrupt .sys file (kitty ate it), hope this satisfies ur curiosity. this was the message i got when starting combo ........
This is a BETA version ComboFix mean for compatibility testing --_ !! WARNING !! --- Under no circumstances should this be run on a live machine. Heed this warning or be prepared to buy a new machine
i let it run .
and this is the version of combo i used,
http://www.software112.com/search-program

i've been googling to try and find news on combo being "pulled", can't seem to find anything, plz post a link to satisfy my curiosity. as i said above i had read in numerous posts that combo wasn't compatible with 7 but as i was gonna format i gave it a try and what can i say, it seems to have done the trick. nailzuk, glasgow, scotland, U.K