Trojan\TDL3Mem-A Cleaning

Hello,

We run Sophos as our enterprise anti-virus solution. Yesterday one of our machines was found to have this trojan on it: TDL3Mem-A (http://www.sophos.com/security/analyses/viruses-and-spyware/trojtdl3mema.html). It says it needs to be manually cleaned, but the Sophos site linked does not have instructions for it.

According to the scan it has infected ntdll.dll:pid:00000ab0.

Any help offered would be greatly appreciated.

Cheers.

This thread was automatically locked due to age.
  • Hello hsimah,

    indeed there is a very clear instruction under Actions: "Please contact Sophos support for assistance removing this threat." This is what you should do.

    Christian

  • Malwarebytes' Anti-Malware can already remove it. Or you can try TDSSKiller. Works like a charm. If you don't know where to get it, just search with Google.

  • I have tried Malwarebytes. It doesn't eliminate the trojan, but it blocks all the websites the trojan tries to open. Could you share how you removed it, e.g. under safe mode? Any information is appreciated.

    My observation is that after checking startup with msconfig, one 'NvCpl' entry always shows up again after I check it off and restart. Officially it relates to NVIDIA video cards, and I have no doubt it's infected. Additional proof is that I tried to delete it in the registry and it always comes back right away. And I am 100% sure it was not there before Troj/TDL3Mem-A showed up.

    Simply deleting that video-related file may cause some trouble. I am wondering, if I just reinstall the video card, will it be OK again? So far, Sophos is the only one reporting this trojan, and customer support kicked me to the university IT because I get the software from my university. And the IT guy asked me to try AVG, Spybot etc., none of which worked. Sigh.

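The two concrete artefacts mentioned so far are the process named in the Sophos detection string ("ntdll.dll:pid:00000ab0" in the first post) and the 'NvCpl' Run entry that keeps reappearing in the post above. The following PowerShell triage script is an added example, not code from this thread or from Sophos: it decodes the PID (the value in the scan string is hexadecimal, so 00000ab0 is decimal 2736), reports which ntdll.dll that process has mapped, and then lists every Run-key autostart entry with the Authenticode status and signer of the file it points to. Assumptions: it is run from an elevated PowerShell on the affected machine, the PID parameter is the one from your own scan (the default is the first poster's and will differ on your system), and the `Resolve-RunTarget` helper is a hypothetical name that handles only the common "rundll32 path,Entry" and "path args" shapes of a Run value.

```powershell
# Added example (not from the thread): triage the detection string and the Run keys.
param([string]$HexPid = "00000ab0")   # assumption: PID copied from your own scan output

# 1. The "pid:" field in "ntdll.dll:pid:00000ab0" is hexadecimal.
$targetPid = [Convert]::ToInt32($HexPid, 16)
$proc = Get-Process -Id $targetPid -ErrorAction SilentlyContinue
if ($proc) {
    "Detected process: PID {0} {1} ({2})" -f $proc.Id, $proc.ProcessName, $proc.Path
    $expected = Join-Path $env:SystemRoot 'System32\ntdll.dll'
    foreach ($m in ($proc.Modules | Where-Object { $_.ModuleName -ieq 'ntdll.dll' })) {
        $sig = Get-AuthenticodeSignature -FilePath $m.FileName
        "  ntdll.dll: {0}  base=0x{1:X}  on-disk signature={2}" -f $m.FileName, $m.BaseAddress.ToInt64(), $sig.Status
        if ($m.FileName -ine $expected) { "  WARNING: ntdll.dll is loaded from an unexpected path" }
    }
} else {
    "PID $targetPid is not running (PIDs are reused after a reboot; re-run the scan for a current one)"
}

# 2. Enumerate the Run keys and check the signature of each entry's target file.
function Resolve-RunTarget([string]$cmd) {
    # Hypothetical helper: extract the file a Run value actually loads.
    if ([string]::IsNullOrWhiteSpace($cmd)) { return '' }
    $c = [Environment]::ExpandEnvironmentVariables($cmd.Trim())
    # "RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup" -> the DLL before the comma
    if ($c -match '^"?(?:[^"\s]*[\\/])?rundll32(?:\.exe)?"?\s+"?([^",]+)') { return $Matches[1].Trim() }
    # "C:\Program Files\Vendor\tool.exe" /args -> the quoted path
    if ($c -match '^"([^"]+)"') { return $Matches[1] }
    # C:\path\tool.exe /args -> the first token
    return ($c -split '\s+')[0]
}

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
$providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($providerProps -contains $p.Name) { continue }   # skip the provider's own metadata
        $target = Resolve-RunTarget ([string]$p.Value)
        if ([string]::IsNullOrWhiteSpace($target) -or -not (Test-Path -LiteralPath $target)) {
            "{0}\{1}: target not found for value '{2}'" -f $key, $p.Name, $p.Value
            continue
        }
        $sig = Get-AuthenticodeSignature -FilePath $target
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
        "{0}\{1}: {2}`n    signature={3}  signer={4}" -f $key, $p.Name, $target, $sig.Status, $signer
    }
}
```

Two caveats when reading the output. A "Mem" detection means the scanner found the modification in the copy of ntdll.dll mapped into the process, so the on-disk file and its signature can look perfectly clean; a clean result in step 1 does not clear the machine. Likewise, an NvCpl entry whose target is the NVIDIA-signed NvCpl.dll in System32 is most likely the card's normal control-panel loader; the check can only tell you whether the startup entries point at unsigned or misplaced files, not whether the rootkit the scan reported is present, which is why the Sophos staff in this thread ask for the removal to go through support.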
  • Hi There,

    We would suggest contacting support for details on the removal. We have very specific instructions for dealing with such threats, and if it is removed incorrectly it can potentially damage your system.

    Support is open 24/7

    http://www.sophos.com/support/queries/enterprise.html

    Regards,

    Mark

  • If a trojan can penetrate a machine so deep that an automated disinfection with Sophos AV is not possible, the machine is no longer trustworthy. Modern malware will often not only infect files, it will also tamper with access control lists for files and the registry, change COM permissions or change firewall settings.

    You should reinstall the machine.

    Best regards,

    Detlev

  • Detlev has a point: unless you know the exact variant that got onto your machine, you don't know exactly what has changed.

    But as long as you remove the malicious content, the machine is yours again and you can reverse any changes generally made (things to stop you using the machine normally).

    TDL3 is a crazy rootkit with ongoing development, and it really depends on the variant as to whether any current cleanup tool/AV will clean it. There is a specific bug fix (from the TDL3 coders) that "fixed" the TDSSKiller cleanup. (I don't follow their cleanup tool, so I'm not sure what variants it will clean.)

    Like all malware, it's an ongoing chase.

    At the moment we prefer to let people contact support so we can handle it correctly and safely.

    OD

  • Did you update your malwarebytes to the latest? That is what I did and it worked.

    In addition, TDSSKiller works like a charm. If you don't know where to get it, use Google. Other companies developed tools to kill this malware months earlier, while Sophos still keeps this as if it were a great secret.

    BTW, the CS of Sophos is bad, as you encountered. I did not even bother to ask our IT guys, because usually they are the last ones to know how to do a good job.

  • Got infected with TDL3Mem-B from a compromised legitimate website and received a cocktail of viruses in the payload. Sophos cleared some, but I needed ComboFix to clean a couple of others. Finally I was left with TDL3Mem-B (the only apparent effect was unwanted redirections), and TDSSKiller cleaned it without requiring me to work in WinXP safe boot mode. No problems now.
  • My PC was infected with TDL3Mem-A. Kaspersky's TDSSKiller.exe removed the infection completely.

    I followed the instructions at this link: http://tech.ebugg-i.com/2011/02/how-to-remove-trojan-trojtdl3mem-b.html

  • As sophosfan, you shouldn't link to a page which incorrectly states that "There is no removal utility from Sophos Antivirus" and also promotes a competitor :smileywink:.

    Not surprisingly, such a tool is available from Sophos, just not as a "self-service" download. Sophos targets organizations, not individual or home users, and supports end users through their organization's IT staff only. There's a reason why specialised tools are necessary: they are in some way similar to Restricted Use Pesticides, powerful and effective but with possible side effects and potentially harmful in the hands of "amateurs" (I'm not implying that you are one).

    I'm aware that some Sophos customers don't give support to (some of) their end users although they should do so. Do you think Sophos should therefore make these tools publicly available?

    And yes, I had some encounters with TDL3Mem and no problems obtaining the Sophos tool and removing the pest with it.

    Christian     
