[NeonFx]

I wonder if it makes a difference if you run Hitman Pro in Safe Mode. The infection wouldn't be loaded if the driver isn't loaded.

[EP_X0FF]

They are system drivers. TDL seems to be checks driver group before infection.

C:\WINDOWS\system32\drivers\intelide.sys

Group - System Bus Extender.

edit:
I did some experiment with latest TDL3. It works in safe mode perfectly.

[gjf]

Hi,
Updated for fun :)
TDL3+ Cleaner 1.1
Tested on Windows Xp Sp2 and Sp3
Working with "Copy/Restore" exploit...

Sorry, but it does not work! OK, details....

I have used VMWare 7.0.1 build-227600 with WinXP SP3 Pro and altest updates. I have performed initial scan by VBA32 to be sure the system is clean.

Infected.zip

VBA32 log after infection and reboot
(23.57 KiB) Downloaded 53 times

. After that I have infected the system and reboot. Then perform the second scan by VBA32 to see that system is infected.

Initial.zip

Initial VBA32 log
(23.28 KiB) Downloaded 49 times

So I ahve started the file and install the service. After starting the process the PC beeps one time so I have rebooted the system. During the booting the message "pci.sys file is absent" was shown and booting stopped. I have no idea what's wrong with pci.sys (another driver was infected, it is clear from logs) and what's wrong at all.

So - no good! :(

AFAIK DrWeb cureIt utility cures TDL3, but there are a number of bugs with controllers other than ATA (especially SCSI, SATA etc). Another bug is BSOD with TrueCrypt partitions no matter is infection present or not.

So still have to wait. :roll:

[nullptr]

The TDL3+Cleaner Test Release from last week works fine as long as you identify the correct driver. The TDL3+ Cleaner 1.1 seems to delete a driver causing boot failure.
xp sp3 in Virtual PC.

[djpnuemo]

The TDL3+Cleaner Test Release from last week works fine as long as you identify the correct driver. The TDL3+ Cleaner 1.1 seems to delete a driver causing boot failure.
xp sp3 in Virtual PC.

i had the same problem on a test machine (non-virtual).

[STRELiTZIA]

Thanks for reports :)
Attached Test Release with New option to manually add the second infected driver name.
using "Gmer" to get the second infected driver name.

[djpnuemo]

Thanks for reports :)
Attached Test Release with New option to manually add the second infected driver name.
using "Gmer" to get the second infected driver name.

appreciate the update.

i ran it and entered the second driver found, tcpip.sys, and now cannot browse. done all normal tcp/ip resets/reinstalls to no avail. infection is gone though! ;)

[gjf]

Don't know - too many moves. The simpliest way is to boot up ERD Commander and scan for a non-valid files :)

[InsaneKaos]

Recovery Console and a batch-script mostly can do the whole job. I've atteched a batchfile that should find and remove TDL in two steps with the RC.

[gjf]

InsaneKaos, did you test your script on infected systems? I don't believe simple fc command will reveal rootkit. AFAIK TDL3 gives original unpatched file during file operations, doesn't it?