Possible Tdl3 Rootkit Infection !


eusebios

Hi. :)

 

The computer is fast but still crashes at will.

There is an indication that the actual problem now may be hardware related, but we can check this out further via the Mini-Dump file.

 

Thank you very much for your help.

You're welcome, and some friendly advice: steer clear of questionable downloads like cracks and keygens, for example, as such are nearly always packed with malware, apart from being illegal.

 

If you need a particular program that costs too much for you, try finding free alternatives on Sourceforge or Pricelessware for example.

 

Custom OTL Script:

 

  • Double-click OTL.exe to start the program.
  • Copy the lines from the quote-box (do not copy the word quote) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

:Files
C:\Documents and Settings\Tamtum\My Documents\Downloads\EvID4226Patch223d-en.zip
C:\Documents and Settings\Tamtum\My Documents\Downloads\Internet_Download_Manager_5.18_Build_8_Retail.rar
E:\Downloads\ophcrack-win32-installer-3.3.1.exe
E:\Downloads\registrybooster.exe
E:\Downloads\ultrasurf997.zip
E:\Downloads\software\Cryptload_1.1.8.rar
E:\My Download\ProdKey
E:\My Download\Sniff

:Commands
[EmptyTemp]
[Reboot]

  • Return to OTL, right-click in the Custom Scans/Fixes window (under the cyan bar) and choose Paste.
  • Then click the red Run Fix button.
  • Let the program run unhindered.
  • If OTL asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
Note: The logfile can also be located at C: >> _OTL >> MovedFiles >> DD/DD/DD TT/TT.txt <-- denotes the date/time the log was created.

 

New Java Installation:

 

  • Click here to visit Java's website.
  • Scroll down to Java SE 7 (JDK or JRE). Click on Download JRE.
  • Check (tick) Java SE Runtime Environment 7 License Agreement box.
  • Click on jre-7-windows-i586.exe link next to Windows x86 Offline to download it and save this to a convenient location.
  • Double-click on jre-7-windows-i586.exe to install Java.
Next:

 

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please navigate to this file:-

 

C:\WINDOWS\Minidump\Mini090111-01.dmp

 

Right click on \Mini090111-01.dmp >> Send To >> Compressed (zipped) Folder

 

Please attach the Zip file in your next reply along with the OTL Log from the Custom Script, thank you.

Edited by Dakeyras
Updated URL.

Hi, Dakeyras,

 

Thank you for the site recommendations. It seems that the previous deletion did not work out on these files.

 

Below are the log and minidump file requested. Java installed fine.

 

 

 

------------------ OTL Log ------------------
All processes killed
========== FILES ==========
C:\Documents and Settings\Tamtum\My Documents\Downloads\EvID4226Patch223d-en.zip moved successfully.
C:\Documents and Settings\Tamtum\My Documents\Downloads\Internet_Download_Manager_5.18_Build_8_Retail.rar moved successfully.
E:\Downloads\ophcrack-win32-installer-3.3.1.exe moved successfully.
E:\Downloads\registrybooster.exe moved successfully.
E:\Downloads\ultrasurf997.zip moved successfully.
E:\Downloads\software\Cryptload_1.1.8.rar moved successfully.
E:\My Download\ProdKey folder moved successfully.
E:\My Download\Sniff folder moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 16384 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 47070 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Tamtum
->Temp folder emptied: 377336368 bytes
->Temporary Internet Files folder emptied: 7691421 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 18352880 bytes
->Google Chrome cache emptied: 0 bytes
->Apple Safari cache emptied: 0 bytes
->Opera cache emptied: 0 bytes
->Flash cache emptied: 470 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 112281 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 1062 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 385.00 mb

OTL by OldTimer - Version 3.2.26.4 log created on 09082011_004746

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

Attached: Mini090611-01.zip


Hi. :)

 

Thank you for the site recommendations. It seems that the previous deletion did not work out on these files.

You're welcome, and not to worry, they have been removed now.

 

Next:

 

Now it appears the remaining issues with your machine are hardware related (it may be either a RAM or CPU/PSU cooling issue, for example) and possibly a driver conflict... unfortunately this is not my area of expertise, if you will, as primarily both myself and this part of the forum only provide Anti-Malware Support. My best advice now would be to seek further assistance with this matter in this part of the forum:-

 

User to User Help

 

By all means include a link back to this topic if you so wish and mention I advised such. This is this topic's URL:-

 

http://forums.pcpitstop.com/index.php?/topic/196286-possible-tdl3-rootkit-infection/
Next:

 

Congratulations, your computer appears to be malware free!

 

Now I have some tasks for your good self to carry out as part of a clean up process and some advice about online safety.

 

Importance of Regular System Maintenance:

 

I advise you read both of the below listed topics, as this will go a long way to keeping your computer performing well.

 

Help! My computer is slow!

 

So is this:

 

What to do if your Computer is running slowly

 

Uninstall ComboFix:

 

  • Click on Start >> Run...
  • Now type ComboFix /Uninstall into the Run box and click OK.
  • Note the space between the X and the /Uninstall; it needs to be there.
Clean up with OTL:

 

  • Double-click OTL to start the program.
  • Close all other programs apart from OTL as this step will require a reboot.
  • On the OTL main screen, depress the CleanUp button.
  • Say Yes to the prompt and then allow the program to reboot your computer.
The above process should clean up and remove the vast majority of scanners used and logs created etc.

 

Any left over, merely delete yourself and empty the Recycle Bin.

 

Now some advice for on-line safety:

 

Malwarebyte's Anti-Malware:

 

This is an excellent application and I advise you keep it installed. Check for updates and run a scan once a week.

 

Other installed security software:

 

Your presently installed security application, Microsoft Security Essentials, automatically checks for updates and downloads/installs them with every system reboot and/or periodically if the machine is left running, providing an internet connection is active.

 

I also advise you run a complete scan with this once per week.

 

Erunt:

 

Emergency Recovery Utility NT: I advise you keep this installed as a means to keep a complete backup of your registry and restore it when needed.

 

Myself, I would actually create a new backup once per week, as this along with System Restore may prove invaluable if something unforeseen occurs!

 

Keep your system updated:

 

Microsoft releases patches for Windows and other products regularly:

 

Be careful when opening attachments and downloading files:

 

Never open email attachments, not even if they are from someone you know. If you need to open them, scan them with your antivirus program before opening.

Never open emails from unknown senders.

Beware of emails that warn about viruses that are spreading, especially those from antivirus vendors. These email addresses can be easily spoofed. Check the antivirus vendor websites to be sure.

Be careful of what you download. Only download files from known sources. Also, avoid cracked programs.

 

Stop malicious scripts:

 

Windows by default allows scripts (VBScript and JavaScript) to run, and some of these scripts are malicious. Use Noscript by Symantec or Script Defender by AnalogX to handle these scripts.

 

Avoid Peer to Peer software:

 

P2P may be a great way to get lots of seemingly freeware, but it is a great way to get infected as well. There's no way to tell if the file being shared is infected. Worse still, some worms spread via P2P networks, infecting you as well. My advice is avoid these types of software applications.

 

Hosts File:

 

A Hosts file is like a phone book. You look up someone's name in the phone book before calling him/her. Similarly, your computer will look up the website's IP address before you can view the website.

 

This Hosts file will replace your current Hosts file with one containing well-known advertisement sites, spyware sites and other bad sites. The new Hosts file will protect you by redirecting these bad sites to 127.0.0.1.

 

Here are some Hosts files:

 

Only use one of the above!

 

Install WinPatrol:

 

WinPatrol alerts you about possible system hijacks, malware attacks and critical changes made to your computer without your permission.

 

Download it from here.

 

You can find information about how WinPatrol works here.

 

Next:

 

This is a very helpful/useful set of advice from Microsoft: Microsoft Safety & Security Center

 

Any questions? Feel free to ask, if not stay safe!

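The hosts-file advice above (a blocklist Hosts file sinkholes bad names to 127.0.0.1, and you should only install one such file at a time) can be checked mechanically. The following is an added example written for this page, not code from the forum, from OTL or from any of the tools named in the thread. It parses a constructed hosts file that imitates what you get after pasting two blocklists together, and reports three things a defender cares about: which names are sinkholed, which names are listed twice (the "only use one" problem), and which names are redirected somewhere other than a sinkhole address, since a Hosts file pointing a bank or update domain at a real external IP is the kind of hijack WinPatrol is meant to alert on. The sample hosts text and the example.test domains are constructed for illustration.

```python
"""Audit a Windows-style hosts file for sinkholed, duplicated and suspicious entries."""
import ipaddress
from collections import defaultdict

# Addresses that a blocklist hosts file uses to "redirect" bad sites nowhere.
SINKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed sample: two blocklists pasted into one file, plus one hijack-style line.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost

# blocklist A (constructed)
127.0.0.1  ads.example-tracker.test
127.0.0.1  spyware.example.test   # inline comment
0.0.0.0    malware.example.test

# blocklist B (constructed) - overlaps with A
127.0.0.1  ads.example-tracker.test
0.0.0.0    spyware.example.test

# not a sinkhole at all: a bank name pointed at an external address
203.0.113.7  bank.example.test
"""


def parse_hosts(text):
    """Return (line_no, ip, hostname) tuples; comments, blanks and malformed lines are skipped."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comment
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        ip = parts[0]
        try:
            ipaddress.ip_address(ip)  # reject lines whose first token is not an IP
        except ValueError:
            continue
        for host in parts[1:]:  # one IP may be followed by several names
            entries.append((line_no, ip, host.lower()))
    return entries


def audit_hosts(text):
    """Group entries by hostname and classify them.

    sinkholed : every mapping for the name points at a sinkhole address
    duplicates: the name appears on more than one line (two blocklists merged)
    suspicious: at least one mapping points at a non-sinkhole address
    """
    by_host = defaultdict(list)
    for line_no, ip, host in parse_hosts(text):
        by_host[host].append((line_no, ip))

    def is_sinkhole(ip):
        return ip in SINKHOLE_ADDRESSES

    sinkholed = sorted(
        h for h, v in by_host.items()
        if h != "localhost" and all(is_sinkhole(ip) for _, ip in v)
    )
    duplicates = sorted(h for h, v in by_host.items() if h != "localhost" and len(v) > 1)
    suspicious = sorted(h for h, v in by_host.items() if any(not is_sinkhole(ip) for _, ip in v))
    return {"sinkholed": sinkholed, "duplicates": duplicates, "suspicious": suspicious}


if __name__ == "__main__":
    report = audit_hosts(SAMPLE_HOSTS)
    for key in ("sinkholed", "duplicates", "suspicious"):
        print(f"{key:10s}: {', '.join(report[key]) or '-'}")
```

To run it against a real machine, replace SAMPLE_HOSTS with the contents of %SystemRoot%\System32\drivers\etc\hosts; any name in the suspicious list that you did not put there yourself deserves a closer look, and a long duplicates list usually means two blocklist files were merged instead of one being chosen.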

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

 

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

 

Everyone else please begin a New Topic.
