[EP_X0FF]

Hello,

Perhaps this can shred some light on this mysterious file (it is now even PE file)
http://answers.google.com/answers/threa ... 79159.html

I still have a question. Exactly what does tdl3 do once infected? How bad has my system been
compromised? Should I be changing all my passwords?

Your system is part of huge botnet. Actually TDL working like backdoor, downloader and DNS changer.
It is storing all downloaded files inside its own encrypted file system, so you can't find these files with usual tools.
TDL downloaded content varies. It can download additional 3rd party malware. This malware can download another malware and so on.
I recommend you after system cleanup change all your passwords.

Regards.

[ConanTheLibrarian]

All bow to google and pay homage! Its power is mysterious but always your friend. :lol:

[wealllbe20]

That's interesting, because when I change the Registrykey, after a reboot it is changed back. My changes are discarded.

What sample of tdl3 are you using?

[InsaneKaos]

What sample of tdl3 are you using?

This one, that I've posted.

I've tested this sample very often, 15 times or more. At one test Gmer didn't spotted the infected driver. Gmer only picked up that the atapi.sys were modified and didn't found the infected dmio.sys.

[kmd]

you need reboot machine after each reinfection :)

[STRELiTZIA]

Hi,
Updated for fun :)
TDL3+ Cleaner 1.1
Tested on Windows Xp Sp2 and Sp3
Working with "Copy/Restore" exploit...

Edit:
Deleted attachement cause Bug.

[NeonFx]

I've heard that the new guy will remove all services from restore point backups leaving you with a registry without services after a system restore. Is there any truth to this?

Another odd symptom reported was it preventing users from posting longer replies in online forums. Short replies would go through without a problem.

[NeonFx]

It's possible Hitman Pro is capable of removing this version. See this user being helped here w/ serial.sys & atapi.sys showing up in GMER:

http://www.geekstogo.com/forum/Google-R ... 73754.html

Here's a link to their intro to TDL3 page and a link to their tool at the bottom of the page:

http://www.surfright.nl/en/home/press/t ... s-programs

[InsaneKaos]

Hitman Pro needs a license for removal. It doesn't found the infected driver on my VM.

[IndiGenus]

Hitman Pro needs a license for removal. It doesn't found the infected driver on my VM.

You can activate it for 30 days without purchasing a license. Unfortunately, it did not work on this new variant against 3 different "drops" on my VM.

The 3 drivers found by GMER were:
C:\WINDOWS\system32\drivers\intelide.sys
C:\WINDOWS\system32\DRIVERS\i8042prt.sys
C:\WINDOWS\system32\DRIVERS\tcpip.sys

Hitman Pro version 3.5.4 - build 92 did not find or remove any of them.