tdl3 rootkit browsers hook to directdr.com & urbtk.com

nailzuk

PCLinuxOS+Windows7
Location
Glasgow Scotland U.K
:devil: This is a 3rd generation TDL rootkit (TDL3) :devil:
For 1 week I fought with this nasty wee rootkit. I tried loads of online scanners and rootkit scanners; nothing helped. Then I searched for .dlls, viewed by date, found a couple which looked shady, googled them and sure enough, malware. After deleting them I was still getting redirects, and the bugger fried a 250GB external HDD by writing malicious code to disk, so I lost all the data; it was full of bad sectors, I've never seen an HDD so corrupt. I also noticed that my C drive was not showing in Disk Management, and all drive letters in removable drive ports had exclamation marks; I tried updating drivers, to no avail, all the while still getting redirects in Google search from directdr.com and urbtk.com. Everyone told me to format C and I was just about to when I thought I'd roll the dice once more. I'd read on forums that ComboFix wouldn't run on Windows 7, but as I was going to format anyway I decided to give it a go. If anyone is trying this fix, please disable all scanners (AV and adware) and firewall/Windows Defender. I ran ComboFix in safe mode, got a warning about compatibility issues, then a box telling me that ComboFix was only a beta build; I clicked yes to let it proceed. Very important: do not touch your keyboard or mouse unless prompted whilst ComboFix is running. It had barely started the scan when "rootkit activity detected, ComboFix needs to reboot your machine" came up. I let it boot into normal mode and ComboFix carried on till it finished its 50 stages, then told me nvstor.sys was infected and disinfected (which explains the HDD issues; it's the HD controller). Since then (yesterday) the machine has been running like new. Once completed, search for .tdl files on C. yk62x86.dll, vp7vfw.dll, umstartup.etl, startup.etl, nvstor.sys [affected TDL3 files]. Three cheers for ComboFix, the only thing that found and killed this nasty wee sleekit beastie.
P.S. * Stay away from cracks/keygens; crack really does f**k you up :P
* Sysinternals Forums - Rootkit TDL 3 - Page 1

Peace out, stay safe. Isn't 7 da bomb? HijackThis and GMER are useless against this, so are most AV scanners. Hitman Pro 3.5 is supposed to detect it, don't know about disinfecting crucial .sys files though; I'd stick with Combo. Apparently this rootkit is spreading like wildfire. It goes undetected as it enters via spools.exe, which is a trusted Windows file, then injects malicious code into winlogon.exe; if your AV has flagged any activity in the spools folder lately, you've been bitten. Took me 1 week to clean. I wouldn't give in, everyone telling me to format and reinstall, but my motto is "no surrender". nailzuk, Glasgow, Scotland, UK
 

My Computer My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Motherboard ASUS P6T SE
OS
Windows 10 32 bit oem & Arch Linux x86_64
CPU
Intel® Core™ i7-920 Processor
Motherboard
ASUSTeK model: P6T SE v: Rev 1.xx Bios: American Megatrends
Memory
6GB DDR3 1600 MHz Kingston RAM 3x2GB Triple channel
Graphics Card(s)
Advanced Micro Devices [AMD/ATI] RV770 [Radeon HD 4870]
Sound Card
[AMD/ATI] RV770 HDMI Audio [Radeon]
Monitor(s) Displays
1 X 22" LG M2262D : 1 X 23" Dell Ultrasharp
Screen Resolution
[email protected] + [email protected] : 3840x1080
Hard Drives
HDD Total Size: 1388.6GB (0.1% used) ID-1: /dev/sda model: HDS728080PLA380 size: 82.3GB
ID-2: /dev/sdb model: Hitachi_HTS54164 size: 40.0GB
ID-3: /dev/sdc model: SAMSUNG_HM250HI size: 250.1GB
ID-4: USB /dev/sdd mod
PSU
Corsair VX550W power supply unit
Case
AVP Mamba chassis
Cooling
ARCTIC Alpine 11 Pro Rev.2 - 95 Watts Low Noise
Keyboard
Dell
Mouse
Logitech M515
Internet Speed
ADSL+ up to 12MB 9 is the norm
Browser
Firefox
Other Info
i got sick of windows , so i moved to linux now i can get some work done without having to constantly watch my back & do scans for malware.
Thanks for the update and suggestion for Hitman Pro V3.5.
I plan to use it today on the infected system via Remote Access on my brother's computer.
It seems that it is the only thing that fully removes TDL3.

Are you still clean?
Have you seen any aftereffects that may have been left behind?

Thanks
Iggy
 

My Computer My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Self Built
OS
Windows 10 Pro
CPU
Intel i5
Motherboard
I have a fatherboard
Memory
I'm old and lost a few chips
Graphics Card(s)
Yup
Sound Card
Yup
Monitor(s) Displays
Samsung 32" UHD
Screen Resolution
3840 x 2160
Hard Drives
Samsung 860 EVO drives
PSU
450 Watt and some fans that blow
Case
Small tower
Cooling
Yes I am cool. lol
Keyboard
Who needs a keyboard?
Mouse
Logitech Laser G7 wireless
Internet Speed
Zippy fast UP and DOWN
Antivirus
I got a shot
Browser
The new Improved EDGE 2020
IggyAZ, after running Hitman Pro V3.5 on your brother's machine, flush the DNS cache and restore the Windows Hosts file:
Download the HostsXpert 4.3 - Hosts File Manager.
  • Unzip HostsXpert 4.3 - Hosts File Manager to a convenient folder such as C:\HostsXpert
  • Click HostsXpert.exe to Run HostsXpert 4.3 - Hosts File Manager from its new home
  • Click "Make Hosts Writable?" in the upper right corner (If available).
  • Click Restore Microsoft's Hosts file and then click OK.
  • Click the X to exit the program.
  • Note: If you were using a custom Hosts file, you will need to replace any of those entries yourself.

Next, run MalwareBytes' Anti-Malware.

I personally will not deal with Rootkits. You can never be sure if the OS will ever be stable again. Therefore, I suggest a wipe and clean install.
 

My Computer My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Bruce ... somewhere in his 40's
OS
Windows 7 Ultimate 32bit SP1
CPU
Intel(R) Core(TM)2 Quad CPU @ 2.40GHz, 2400 MHz
Motherboard
INTEL/D975XBX2
Memory
4 GB
Graphics Card(s)
ATI Radeon HD 2600 Pro
Monitor(s) Displays
Samsung SyncMaster 914v
Screen Resolution
1280 x 1024
Hard Drives
2/500GB each ... ST3500630AS ATA Device.
One is not connected
PSU
Rocketfish 700 W
Case
G.Skill Gigabyte Chassis
Keyboard
Standard PS/2 Keyboard
Mouse
Microsoft PS/2 Mouse
Internet Speed
DSL
Antivirus
Avira Internet Security
Browser
IE 11
Other Info
ATI HDMI Audio
Thanks nailzuk for your advice to download and run Hitman Pro.
It found and removed the TDL3 rootkit virus. Brother is very happy.
Thanks again
 

Yes, system still clean. Scanned with Avira, NOD32 and an online Panda scan, oh, and Hitman, SUPERAntiSpyware and Malwarebytes; the only thing found was 2 ad tracking cookies. I have also replaced the hosts file and made it read only. If I used this PC for sensitive documents, i.e. banking etc., I would wipe, but it's really just for media, so I'll leave it be. Should the worst happen (corrupted HDD, BSOD) then it's no problem to put a new HDD in and reinstall 7, but ComboFix did the trick for me. Search the C drive for .tdl files and delete them when you have disinfected. Also, good luck.
 
Pleased to hear it, mate. You're getting a good Xmas present from your bros now :))
 

Yes, system still clean. Scanned with Avira, NOD32 and an online Panda scan, oh, and Hitman, SUPERAntiSpyware and Malwarebytes; the only thing found was 2 ad tracking cookies. I have also replaced the hosts file and made it readable. If I used this PC for sensitive documents, i.e. banking etc., I would wipe, but it's really just for media, so I'll leave it be. Should the worst happen (corrupted HDD, BSOD) then it's no problem to put a new HDD in and reinstall 7, but ComboFix did the trick for me. Search the C drive for .tdl files and delete them when you have disinfected. Also, good luck.

He only uses it to log in to Hotmail and browse around. No banking or buying anything online. I have been trying to educate him as I go, but sometimes I don't think he gets it. lol

Anyway, he's clean for the moment and I have all his pictures and docs backed up on CDs. I have no idea what I would have done for him without MS Remote Access.

Thanks again and have a merry hoho or whatever.

Iggy in the cool part of Arizona
 

Do a scan with Hitman Pro 3.5.
Now, go to Start, type RUN, hit Enter. Type/copy and paste this:
C:\windows\system32\drivers\etc
Open up the HOSTS file in Notepad and delete what you think is bad... You'll know it when you see it!

I could make a BAT file to do this but I'm too lazy and it's a little late
=P
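One way to do the hosts-file check that both the HostsXpert post (with its note about re-adding custom entries) and the "open HOSTS in Notepad" post above describe, as an added example that is not code from anyone in this thread: a Python audit that parses the Windows hosts format, flags entries that pin search or AV domains or point off loopback, and builds a loopback-only replacement. The sample hosts text and the watched-domain list are constructed for illustration, not taken from any infected machine.

```python
# Audit a Windows hosts file for hijacked entries and build a clean replacement.
# Added example; the sample text and watched-domain list are constructed.
import ipaddress

# The only active mappings a stock Windows hosts file needs; anything else is
# either an admin's custom entry or something malware put there.
DEFAULT_LOCALHOST = {("127.0.0.1", "localhost"), ("::1", "localhost")}

# Domains redirect-style rootkits commonly pin so the victim cannot reach
# search engines, updates or AV vendors (illustrative list, an assumption).
WATCHED_SUFFIXES = ("google.com", "mozilla.com", "microsoft.com", "windowsupdate.com",
                    "malwarebytes.org", "avira.com", "eset.com", "surfright.nl")

# Constructed sample of C:\Windows\System32\drivers\etc\hosts after a hijack;
# 203.0.113.0/24 and 192.0.2.0/24 are RFC 5737 documentation ranges.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
127.0.0.1   www.malwarebytes.org        # constructed: AV site blackholed
203.0.113.5 www.google.com google.com   # constructed: search redirected
192.0.2.10  intranet.example            # constructed: admin's own entry
"""

def parse_hosts(text):
    """Yield (ip, hostname, line_no) for each active mapping: handles full-line
    and trailing '#' comments, tab/space separators and several names per line."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 2:
            continue  # blank, comment-only or malformed: maps nothing
        for name in parts[1:]:
            yield parts[0], name.lower(), line_no

def classify(ip, name):
    """Return a reason string if the mapping looks like tampering, else None."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "unparsable address"
    if (ip, name) in DEFAULT_LOCALHOST:
        return None
    if any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES):
        # Blackholing (loopback/0.0.0.0) and redirecting both cut the victim off
        # from help, so either direction is flagged for a watched domain.
        return "watched domain pinned to " + ip
    if not (addr.is_loopback or addr.is_unspecified):
        return "non-loopback mapping"  # may be legitimate; review by hand
    return None

def audit_hosts(text):
    """Return [(line_no, ip, hostname, reason)] for every suspicious entry."""
    findings = []
    for ip, name, no in parse_hosts(text):
        reason = classify(ip, name)
        if reason:
            findings.append((no, ip, name, reason))
    return findings

def restore_default(keep_custom=()):
    """Replacement hosts content: loopback only, plus the custom entries the
    admin re-adds deliberately (the manual step the HostsXpert note leaves to you)."""
    lines = ["# hosts file rebuilt after cleanup: loopback entries only",
             "127.0.0.1\tlocalhost", "::1\tlocalhost"]
    lines.extend("%s\t%s" % tuple(pair) for pair in keep_custom)
    return "\n".join(lines) + "\n"
```

To check a real machine, pass the contents of the hosts file to `audit_hosts()` and review the "non-loopback mapping" hits by hand before writing `restore_default()` back, since those may be an admin's own entries.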
 

My Computer My Computer

Computer Manufacturer/Model Number
HP
OS
Windows 7 Enterprise x64
CPU
AMD Athlon II X4 @ 2.6ghz
Memory
8GB
Graphics Card(s)
Galaxy 250 GTS 512MB Super-Clocked
Screen Resolution
1600x900
Hard Drives
640GB hard Drive
1.5TB External Hard Drive
PSU
700W OCZ StealthxStreme
Cooling
2 Heatsink and 3 Fans
Internet Speed
3MB/sec download, 322kb/sec upload
Combofix was pulled yesterday (due to arising problems with the scanner and until further notice) .... it doesn't work with Windows 7. I'm curious to know what version you have that (you say) "fixed" your problem. :confused:
 

Windows 7 32 bit 7600 OEM. PC appears fine. As I said, it was a beta build of Combo I used and it disinfected the corrupt .sys file (kitty ate it). Hope this satisfies your curiosity :P This was the message I got when starting Combo ........
This is a BETA version ComboFix mean for compatibility testing --_ !! WARNING !! --- Under no circumstances should this be run on a live machine. Heed this warning or be prepared to buy a new machine
I let it run.
And this is the version of Combo I used,
http://www.software112.com/search-program

I've been googling to try and find news on Combo being "pulled", can't seem to find anything; please post a link to satisfy my curiosity :P As I said above, I had read in numerous posts that Combo wasn't compatible with 7, but as I was going to format I gave it a try and what can I say, it seems to have done the trick. nailzuk, Glasgow, Scotland, U.K.
 
OS still stable

Almost 1 month later and I have had no ill effects, just a wee update. Still a happy camper :>
 

Good to know, thanks for the update :)
 

My question is how does it infect machines? I mean, how does it get on in the first place?

Is it drive-by or something you have to execute?
 

My Computer My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
home built
OS
windows 8.1 Pro x64
CPU
intel i5 4670k @ 4.3ghz
Motherboard
asus z87-plus
Memory
16 gig ram ddr3 @ 1600 corsair vengeance
Graphics Card(s)
evga 970 GTX 4 GIG FTW ACX 2.0
Sound Card
asus xonar D2X
Monitor(s) Displays
benq gw2765ht
Screen Resolution
2560x1440
Hard Drives
Samsung 850 pro SSD 512gig - boot device wooosh
WD black cavalier 640gig WD6401AALS
Seagate 500gig ST3500630AS
WD 2TB Green WDC20EARS
2 x WD Red 3TB WD30EFRX
Samsung 750gig HD753LG - on asmedia controller
PSU
coolermaster silent pro 600watt modular
Case
fractal define R4
Cooling
artic freezer i30, 3 case fans
Keyboard
microsoft business ps2 keyboard
Mouse
microsoft optical black mouse
Internet Speed
80/20 FTTC SkyBB
Antivirus
Nod32 AV v8, HitmanProAlert, SRP, System Hardening
Browser
Chrome x64
Other Info
Intel controller is in AHCI mode currently using IaSTOR 12.8.0.1016 drivers
Reply to chrysalis

Usually people get infected by downloading "cracked software" or from P2P sites, torrents etc., and you can also get bitten by visiting malicious sites; you could even download and install a codec which isn't what it seems. These rootkits are very clever. My advice would be to use WOT (the Web of Trust add-on), which is available for Firefox and Internet Explorer; Malwarebytes updated and scheduled to scan daily is another advantage for the end user [you]. For that extra wee bit of security I'd recommend the NoScript add-on for Firefox, which will stop any malicious sites from doing a drive-by on you. Hope you found this useful and remember, "Google is your friend", he is wiser than Yoda :P
 

Well, I mean how does this specific trojan infect?
 

NEW TDSS TDL 4, PFFT, ComboFix pwns

My machine is still going strong 1 year later, but yesterday a family member brought me their laptop saying it was unusable due to the large amount of fake A.V. alerts. My first port of call was to install MBAM from a thumbdrive and it found 3000+ infections (seriously), that's a record for me. I let MBAM clean them all (took a while). Afterward I decided to put FF on the lappy and prompt the owner to say goodbye to Internet Exploder; however, on doing this I was redirected to the Gala search engine and the FF download was not pointing to mozilla.com. Having seen this type of behaviour before, I downloaded ComboFix from Bleeping Computer to a thumbdrive, renamed it 123.exe and copied it over to the infected machine. I let ComboFix do its thing and yup, it found a TDL 4, corrupt MBR. I'm glad to say ComboFix also fixed this laptop, which was running XP SP2, Java version 5 and Slimewire. I left a READ ME.txt on the desktop prompting the owner to delete LimeWire, and of course I updated Java, Flash, SP3, Windows updates etc. So we have a new TDSS in our midst and ComboFix nailed it once more :))
 
