
Thread: DDS.txt shows "possible TDL3 rootkit infection" after checking for Click.Giftload

  1. #11
    Emeritus- Malware Team
    Join Date
    May 2009
    Location
    Buenos Aires, Argentina
    Posts
    340


    Good evening cyfyr,


    From the name of the infected registry data item I guessed this was because I have switched off automatic windows update and also the notification about this

    Switched this back on using ...
    - Start > Control Panel > Security Center >
    - - Resources (blue text on left panel)
    - - - Change the way Security Centre alerts me

    Re-ran the quick M-AM scan and this time no problems found (I think) ...

    Yes, that item found by Malwarebytes has to do with the notifications from Security Centre, so everything is fine.


    I don't really want to leave it in place if not compatible with AVG, so I assume I run its own uninstaller?
    C:\Program Files\ESET\ESET Online Scanner\OnlineScannerUninstaller.exe

    In fact, ESET is compatible with AVG (it's just an online scanner, not a real-time antivirus; it does not run on your machine all the time). However, if you would like to uninstall its components from your machine, the OnlineScannerUninstaller.exe would be a good choice.


    Alright, the Format was successful and now we can safely state that the machine is clean. Please follow this last procedure:


    Step 1 | Please download OTC by OldTimer to your desktop and run it
    • Click Yes to begin the Cleanup process and remove these components, including this application.
    • You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.



    Step 2 | Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

    Please follow these steps to remove older version Java components and update.

    • Click on the following link to visit java website: Java Runtime Environment (JRE) 6
    • Scroll down to where it says "JDK 6 Update 24 (JDK or JRE)".
    • Click the "Download" button to the right column (JRE).
    • Select the Windows platform from the dropdown menu.
    • Read the License Agreement and then check the box that says: " I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement". Click on Continue. The page will refresh.
    • Click on the link to download Windows Offline Installation and save the file to your desktop.
    • Close any programs you may have running - especially your web browser.
    • Now go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
    • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java(TM) 6) in the name.
    • Click the Remove or Change/Remove button.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on the recently downloaded java installer icon to install the newest version.
    • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
      • On the General tab, under Temporary Internet Files, click the Settings button.
      • Next, click on the Delete Files button.
      • There are two options in the window to clear the cache - Leave BOTH Checked:
        • Applications and Applets
        • Trace and Log Files
      • Click OK on the Delete Temporary Files window. Note: This deletes ALL the downloaded Applications and Applets from the CACHE.
      • Click OK to leave the Temporary Files Window
      • Click OK to leave the Java Control Panel.


    Step 3 | Now that you uninstalled the Zone Alarm suite I don't see any evidence of a 3rd Party Firewall installed on your computer. As the term conveys, a firewall is an extra layer of security installed onto computers, which restricts access from the outside world. Firewalls protect against hackers and malicious intruders.

    I strongly recommend you download a free (for personal use) firewall NOW that monitors traffic in both directions... from one of these vendors:

    • Comodo (Is now bundled with AV software, toolbar and search provider. Opt to install only the firewall software... uncheck the rest)
    • Online Armor Free (free version at bottom of page; XP/Vista/W7 32-bit only, 64-bit version not available yet). Some reported conflicts with Avira AntiVir.
    • ZoneAlarm (uncheck ZoneAlarm Spy Blocker during installation if you choose this one)
    • Ashampoo


    If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a very basic firewall. This (XP) firewall is NO replacement for a dedicated software solution. Remember to install, and have active, only one firewall at a time. If you install one of these firewalls, remember to turn off Windows' firewall.


    Last Step | Now, in order to avoid future infections, please take time to read the following article:

    So how did I get infected in the first place?

    Thank you for your patience, and for performing all of the procedures requested. I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can then be closed.
    -- WTT Classroom Graduate --
    -- ASAP Member --
    -- UNITE Trained Eliminator --
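    As an added example for the Java step above (this is not part of the thread nor any poster's own instructions): a PowerShell script that reads the Add/Remove Programs entries from the Uninstall registry keys and reports which Java installs are older than JRE 6 Update 24, so none are missed before the manual removal. The target version numbers and the display-name patterns it matches are assumptions taken from the post; the script only reads and reports, it removes nothing.

```powershell
# Added example (not from the thread): audit Java entries in Add/Remove Programs.
# Assumption: the target is JRE 6 Update 24, as named in the post above.
$TargetMajor  = 6
$TargetUpdate = 24

# Add/Remove Programs is backed by these Uninstall keys (the Wow6432Node path
# only exists on 64-bit Windows; SilentlyContinue skips it elsewhere).
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Names the post says to look for: Java Runtime Environment, JRE, J2SE, Java(TM) 6
$javaEntries = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match 'Java|J2SE|JRE' }

foreach ($entry in $javaEntries) {
    $status = 'unknown version format - check manually'

    # Display names look like "Java(TM) 6 Update 20" or
    # "J2SE Runtime Environment 5.0 Update 11"; pull out major and update numbers.
    if ($entry.DisplayName -match '(?<major>\d+)(\.0)?\s+Update\s+(?<update>\d+)') {
        $major  = [int]$Matches['major']
        $update = [int]$Matches['update']
        if ($major -lt $TargetMajor -or
            ($major -eq $TargetMajor -and $update -lt $TargetUpdate)) {
            $status = 'OLDER than target - remove via Add/Remove Programs'
        } else {
            $status = 'current'
        }
    }

    # New-Object PSObject keeps this usable on PowerShell 2.0 (the version XP can run)
    New-Object PSObject -Property @{
        Name            = $entry.DisplayName
        DisplayVersion  = $entry.DisplayVersion
        Status          = $status
        UninstallString = $entry.UninstallString
    }
}
```

    Pipe the output to Format-Table -AutoSize to read it; the UninstallString column shows what Add/Remove Programs will run for each entry.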

  2. #12
    Junior Member
    Join Date
    Mar 2011
    Posts
    9


    Hi Blottedisk,

    I checked the thread several times today before finally realising there was a second page containing your latest reply (!).
    I confirm I have now read this and will be actioning the remaining steps over the weekend, so please keep the thread open a little longer.

    Many thanks for your continued assistance.

  3. #13
    Emeritus- Malware Team
    Join Date
    May 2009
    Location
    Buenos Aires, Argentina
    Posts
    340


    Hi cyfyr,


    Then I will keep this thread open.
    -- WTT Classroom Graduate --
    -- ASAP Member --
    -- UNITE Trained Eliminator --

  4. #14
    Junior Member
    Join Date
    Mar 2011
    Posts
    9


    If ESET can remain then I will keep it installed.
    I can use this as an extra scan in conjunction with AVG and Spybot scans I perform to make sure the PC is clean before doing any kind of online banking.
    Will also run Malwarebytes Anti-Malware and dds.scr and look for any suspicious differences since the last scan (as well as obvious warnings of infections and rootkits!)

    Many thanks again for your help and further advice - it has all been gratefully received.
    All of the steps have now been completed as follows ...

    Step 1:
    Ran OTC and allowed reboot
    Both dds.scr and OTC itself were no longer present on the Desktop after reboot

    Step 2:
    Removed Java(TM) 6 Update 20
    Confirmed no other Java related programs visible and rebooted
    Installed Java(TM) 6 Update 24 and deleted the temporary files
    Also switched off automatic updates - as with Windows updates, I prefer to do these manually, as then I know what is accessing the internet

    Step 3:
    Decided to upgrade to the latest Zone Alarm 9.2.105 to keep things reasonably familiar ... but ...

    After the install it was not possible to launch ZA from the icon on the right of the Taskbar
    Hovering the mouse over this displayed "Protection is up, UI is initializing"
    Could not run ZA from the new desktop shortcut either
    Zlclient could not be cancelled from Task Manager
    Tried using MSCONFIG to disallow zlclient from the Startup tab but it made no difference and zlclient re-appeared within the Startup tab (I assume because this is its default preference when installed)
    Eventually resolved this accidentally by using MSCONFIG Startup tab to disallow "jusched" (java update schedule)
    Unfortunately the fix did not "last" and the problem returned even when jusched was disallowed

    A second problem also exists in that when already connected to the internet my initial attempt to click a link to (eg, google) hangs for 10-15 seconds then fails (though refresh and further attempts are usually okay).
    My investigations last year found this problem was introduced after ZA 7.0.483.000 (which I was previously using) but I was not able to solve it.

    Decided to put the old version back for now as it's better than nothing and does give me a working internet stop.

    Last step:
    Looked at the "How did I get infected" article and actioned the main points as follows ...
    1: Will not be using peer-to-peer.
    2: Will be keeping Windows updated - albeit manually under my control.
    3: Java will be updated as for windows.
    4: The IE settings have been checked - only one of them needed adjusting.
    5: Spyware Blaster 4.4 has been installed, updated and the various protections enabled.
    6: Confirmed Spybot has applied immunization.
    7: Read the firewall comparisons and will give Comodo or Outpost a try in the near future.
    - For now though it's the old-but-usable ZA with internet lock.
    8: Anti-virus will remain with AVG in order to get verdict icons on search engine results.

    Will also be looking at WOT, Process Explorer and Process Monitor recommended later in the thread and generally get myself better educated on these kinds of issues!


    Does this now mean the PC is both clean and safe?

  5. #15
    Emeritus- Malware Team
    Join Date
    May 2009
    Location
    Buenos Aires, Argentina
    Posts
    340


    Hi cyfyr,


    You are welcome.


    Nice security set-up. With those programs, configuration and safe networking practices I doubt you will ever get infected again.


    Regarding ZA, it seems to be a software issue. You can try Comodo or Outpost (I've used both and they are nice). Or, you can ask for help on that ZA issue. I'd recommend a forum that we work hand in hand with: WhattheTech. Like Safer Networking, it's free, and you will need to create an account to ask for help.


    The format was successful, and your computer is now clean and safe.
    -- WTT Classroom Graduate --
    -- ASAP Member --
    -- UNITE Trained Eliminator --

  6. #16
    Junior Member
    Join Date
    Mar 2011
    Posts
    9


    Great stuff!

    Thanks for the forum recommendation.
    I may well progress the ZA issue in the near future depending on how I take to Comodo etc.

    I will just say a final THANK YOU for your help.
    Looking round the Spybot forums I am very impressed by the level of knowledge that is evident, but even more impressed by the team's dedication in giving of their time to help people out.
    This being so, I have made a small PayPal donation to help fund the work.

    THANKS again and please feel free to close the thread.
    cyfyr.

  7. #17
    Emeritus- Malware Team
    Join Date
    May 2009
    Location
    Buenos Aires, Argentina
    Posts
    340


    You are welcome, cyfyr. Thanks for considering a donation to the site.


    Take Care,
    Blottedisk.


    Since this issue appears to be resolved, this Topic has been closed. Glad we could help.

    If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

    Everyone else please begin a New Topic.
    -- WTT Classroom Graduate --
    -- ASAP Member --
    -- UNITE Trained Eliminator --
