
HELP. Virus can only be removed "manually"?? (Troj/TDL3Mem-A)

Hey,

My university provides Sophos antivirus for all faculty and students, and it has been working great for as long as I can remember. I was recently doing a regular computer scan and quarantined "Troj/TDL3Mem-A," which is apparently a browser-corrupting virus. I've been trying everything to remove it and just have not been able to. Sophos keeps telling me that it can only be manually removed, which I can't figure out how to do.

Has anyone here dealt with this virus before and might know of a solution?????

Thanks so much.

:3262


  • Hi,

    I would suggest contacting support.  I believe they might have a new tool for this rootkit.

    The online analysis has:

    "Please contact Sophos support for assistance removing this threat."

    I think contacting support will save you time in the long run.

    Thanks,

    Jak

    :3264
    • Hello Mazheoa,

      Here's the mentioned analysis for Troj/TDL3Mem-A and a (you would have found it searching for TDL3Mem-A)

      Christian

      :3265
      • Thank you guys for helping. I went ahead and emailed support for help. We'll see how it goes.

        :3287
        • I've received two cases of this infection in a week's time. Calling Sophos as the website states worked great. The procedure they provided resolved the infections.

          I've deleted the REMAINDER of TEXT from this post, please see my comments below - Sandy

          :3350
          • Sandy,

            Hi,

            Todd Chaloupka here from Auburn University. I have a laptop with this Trojan on it. I need the instructions to get it removed.

            Thanks for your assistance.

            :3437
            • My question on this particular virus is where is it coming from? Has Sophos been able to identify specific sources on the web?

              I've had about ten machines get it so far and can do the removal quickly, but it is a pain.

              :3907
              • Yes, download the emergency copy of sav32cli from Sophos and follow the instructions for removal of trojans.

                :4270
                • Sandy, our systems do have web protection enabled on them.

                  Removing the trojan is not a problem; Kaspersky's tool is a much easier method than doing it manually.

                  My initial query was more geared toward where this trojan is coming from, so that we can block the source at our firewall.

                  :4621
                  • Hi mdporter,

                    Sophos also has a tool that will remove the product and is available through the Technical Support team. As for where these viruses come from, trojans like this are literally all over the web on legitimate websites that have been infected, so that when a machine visits the site, the machine downloads and installs the Trojan straight onto the machine. Knowing the scale of the number of sites infected is a huge undertaking and something no security company can claim to know or protect against, as it is very easy to infect a site and even easier to create a new site and infect it.

                    As for protecting yourself fully from this threat, please make sure web protection is on, as this will block websites that are known to contain malware, and also please fully enable HIPS, as this is the most complete method of preventing the trojan from installing if you do get onto an infected website.

                    For more information on HIPS please view the following pages.

                    Sophos Anti-Virus for Windows 2000+: Host Intrusion Prevention System (HIPS) overview

                    http://www.sophos.com/support/knowledgebase/article/25044.html

                    Sophos Anti-virus for Windows 2000+: HIPS runtime behavior Frequently Asked Questions

                    http://www.sophos.com/support/knowledgebase/article/48765.html

                    Sophos Anti-Virus: managing the detection of suspicious files and behavior

                    http://www.sophos.com/support/knowledgebase/article/23949.html

                    Good article on general settings.

                    Anti-Virus and HIPS settings: guide to on-access settings

                    http://www.sophos.com/support/knowledgebase/article/63923.html

                    AK

                    :4670