Windows 7 Forums

Windows 7: Require (Rootkit.TDSS.TDL4) Rootkit Removal & Cleanup walkthrough

11 Oct 2011   #11
rubyrubyroo

MS Windows 7 Home Premium SP1 64-bit (Family Pack Lic.) Upgrade

L. Bear

Hey, there!
Yes, it was a surprisingly informative level of info for Wikipedia (not that wiki is weak at all), just a rather specific article that a lot could be derived from.

And by the way... I agree too, we're all in agreement, but then there's them pesky client files, all kinds of proprietary apps for court forms and a whole macro and merging web of code that could be just as bad as the situation you referenced once I reinstall the flash... so even with a new computer, the whole thing can never be trusted fully again, that's life?! Isn't it possible that the malicious code has made its way to the BIOS? (It's a dual-BIOS-backup board, probably making it even more plausible.) I have no real references on the BIOS infection potential, but maybe you know... plausible?

So do I tell him you gotta close down? I'M REALLY NOT GOING FOR THE PITY ANGLE HERE!!! I am just pouring my guts out, and being a decent guy, I can't screw this up... I just haven't figured out how not to yet!

mike


11 Oct 2011   #12
rubyrubyroo

MS Windows 7 Home Premium SP1 64-bit (Family Pack Lic.) Upgrade

As I did my pre-workup described in the initial post, I was repeatedly told by a reliable source during my initial "general" thread:

Quote: Originally Posted by gregrocker
The only question to me is whether you should reimport those files even after repeat disinfection. I'd ask in Security forum for the odds on doing so.

You may risk infecting the BIOS if you try to juggle such a badly infected system. The experts there will know this with certainty.
So my BIOS fears seem grounded in the real "modern" world (I thought that was a "bug" that was basically fixed in modern computer MB architecture, but I was right to doubt myself when uncertain.)

Without the legal docs the computer basically is just a big black heavy aluminum box to the owner.

But Greg does speak rather highly of the security team, ... seemingly describing them as more elite than the malware's creator(s)!

Funny, and sad. (the hackers) .... probably China's military doing their daily probing (ha)
Mike
12 Oct 2011   #13
Layback Bear

Windows 7 Pro. 64/SP-1

Yes, the BIOS can also get infected from the reading I have done. The BIOS can also be wiped and reinstalled. Here comes another ouch: any backup made might be infected also. A rootkit could come with all the permission it needs to do anything. Another brain twister: how did this nasty thing get in the computer? From the internet, CD, USB? Knowing how it got there, if possible, one would have a good chance not to allow it again. Any P2P or torrents can drop these little goodies in a heartbeat.

12 Oct 2011   #14
rubyrubyroo

MS Windows 7 Home Premium SP1 64-bit (Family Pack Lic.) Upgrade

This computer was on a peer network and they designated it "the server" as if every computer at the office wasn't! It was all wide open! The "SERVER", or rather a named pipe that is shared freely, had all the client info on it. And they NEVER did use the computer, they didn't know how to turn it on or off, so no A/V or P2P vectors. The other computers have no signs of infection, but I am working on the files (USB) and the system. I disassembled quite a bit of interesting stuff incl. the boot/MBR and found plenty of stolen hooks in the interrupt vector table, including the initial 13h interrupt which triggers the reinfection at each boot time; before ANYTHING the damn thing decrypts itself and starts the chain of events. I tried looking up info online but it's all outdated as the virus is "mutating" into quite a beast. It is said to swap a set of flags triggering WinPE (which lacks the driver signing requirement in 64-bit Win7), then after loading some patches directly into the kernel, it uses a clever word play on a parameter name sent to winload.exe, and as it doesn't recognize the sent flag/switch it aborts the WinPE load (although the kernel and user mode have long since been patched) and it reverts to the normal Win7 boot. With kernel-mode control freedom there's obviously nothing gonna take it out from the booted HDD, so that's like 75% of the best tools, useless. Then it injects any I/O processes with its own hooks, removing the installed ones (i.e. winsock's hooks). It supposedly enters via the same print spooler method they all use these days, but I have reason to believe that this entry point has become obsolete in this infection, although I'm working at that right now before I wrote this message! Oh, and after it snatches the DR0, it intercepts every system drive I/O command in the chain, responding as it chooses!

My infection uses the code integrity file, the dynamic-link library ci.dll, to bypass the driver cipher calls; I can't get a look at the file though, there's almost like a real corruption that is either a shoddy hacking bug or maybe a mistake unique to my infection. I also need to figure out what "algorithm", or rather "unique file system", the encrypted area at the end of the drive that contains the nasty files is encoded with. It's some odd encrypted FS, not EFS or even close. But I can take this thing down in a day or two I bet (with assistance I might have been done by now! who knows?). It's quite hard to find low level analysis software for Win7 64...... since it's impenetrable with the whole driver signing requirement, right? But I found some open source tools that produce some decent assembly code from the system native.

Anyway, enough of your time, I'm just happy with my progress...

And I can't for the life of me figure out why they don't put a physical jumper or switch or whatever on the mobo, so most people who shouldn't be flashing their BIOS can't, and the ones intelligent enough to follow directions can easily move a 1mm x 2mm plastic jumper one pin over to physically disconnect or at least flag the BIOS when not flashing it, and vice versa. What terrible consequence would that have???? Uhhh... saving lots of mobos w/ unremovable chips from malware, as well as the huge set of rather computer illiterates who think they should update the chip but don't know why! (AHHHH)

I'm translating too much hex and binary, my brain is melting ....

That's it for the moment, away from the devil system!
mike
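The post above describes the rootkit hooking the boot chain, answering drive I/O as it chooses once the OS is up, and keeping its payload in an encrypted area at the end of the drive. As an added example (not from the thread or from any tool named in it), the Python below parses the MBR partition table of a constructed sample disk and reports how many sectors sit unpartitioned after the last partition, so an analyst can go look at that tail; as the post notes, the disk should be read from a clean boot environment, never through the infected OS. The disk geometry and partition values are constructed for the example.

```python
import struct

SECTOR = 512
BOOT_SIG = b"\x55\xaa"


def parse_mbr(mbr: bytes) -> list:
    """Parse the four primary partition entries of a 512-byte MBR.
    Returns one dict per used entry: type byte, start LBA, sector count."""
    if len(mbr) != SECTOR or mbr[510:512] != BOOT_SIG:
        raise ValueError("not an MBR: wrong length or missing 0x55AA signature")
    parts = []
    for i in range(4):
        off = 446 + 16 * i                      # partition table starts at 0x1BE
        boot_flag, ptype = mbr[off], mbr[off + 4]
        start, count = struct.unpack_from("<II", mbr, off + 8)
        if ptype != 0 and count != 0:           # skip empty entries
            parts.append({"index": i, "type": ptype, "start": start,
                          "sectors": count, "bootable": boot_flag == 0x80})
    return parts


def trailing_unallocated(parts: list, disk_sectors: int) -> int:
    """Sectors between the end of the last partition and the end of the disk.
    This unpartitioned tail is where the post says the hidden encrypted FS
    lives; some slack is normal, so treat the number as a lead, not a verdict."""
    last_end = max((p["start"] + p["sectors"] for p in parts), default=0)
    return disk_sectors - last_end


def build_sample_mbr(parts: list, bootcode: bytes = b"\x00" * 446) -> bytes:
    """Construct a synthetic MBR (sample data, not read from a real disk)."""
    table = b""
    for p in parts:
        table += bytes([0x80 if p.get("bootable") else 0, 0, 0, 0, p["type"], 0, 0, 0])
        table += struct.pack("<II", p["start"], p["sectors"])
    return bootcode + table.ljust(64, b"\x00") + BOOT_SIG


# Constructed 1 GiB disk: a system-reserved partition plus an OS partition,
# leaving 10,240 sectors (5 MiB) unpartitioned at the end of the drive.
SAMPLE_DISK_SECTORS = 2_097_152
SAMPLE_MBR = build_sample_mbr([
    {"type": 0x07, "start": 2048, "sectors": 204_800, "bootable": True},
    {"type": 0x07, "start": 206_848, "sectors": 1_880_064},
])

if __name__ == "__main__":
    found = parse_mbr(SAMPLE_MBR)
    for p in found:
        print(f"entry {p['index']}: type 0x{p['type']:02x} start {p['start']} len {p['sectors']}")
    print("trailing unallocated sectors:", trailing_unallocated(found, SAMPLE_DISK_SECTORS))
```

On a real image, replace SAMPLE_MBR with the first 512 bytes of the disk and SAMPLE_DISK_SECTORS with the image size divided by 512.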
12 Oct 2011   #15
Jacee
Microsoft MVP

Windows 7 Ultimate 32bit SP1

You might try the Trinity Rescue Kit: Trinity Rescue Kit | CPR for your computer
12 Oct 2011   #16
Corrine

Windows 7 & Windows Vista Ultimate

I also agree that a clean install is the best/only way to go, particularly due to the sensitive nature of the files on the computer. However, in an attempt to feel a bit more confident about the client files, you might want to give Kaspersky's TDSS Killer a run: How to remove malware belonging to the family Rootkit.Win32.TDSS (aka Tidserv, TDSServ, Alureon)?
12 Oct 2011   #17
rubyrubyroo

MS Windows 7 Home Premium SP1 64-bit (Family Pack Lic.) Upgrade

Jacee,
Thanks for the link, I'm going to go check it out right now as I've never run across the name (Trinity) B4. But I trust it will prove useful. I'll respond later if it helps or not.

thank you
mike
12 Oct 2011   #18
rubyrubyroo

MS Windows 7 Home Premium SP1 64-bit (Family Pack Lic.) Upgrade

Corrine,

Thanks for the post!
I do indeed have K's TDSSKiller on a drive (along with rootkill/rootreveal/MBAM/cclean/viper and any other tool I could think of, fully updated!). I will be running TDSSKiller as my first line of attack when I do finally boot to the sys drive (post MBR/BCD "repair"). I'm uncertain if I can use safe mode as there are at least 2 instances I have found that do not allow a keyboard to be recognized (one for PS2 and the other USB). I think I have taken care of that, but I do not know that other measures have not been detected by my tedious manual searches. I am going to be watching for anything "weird" in the kernel, various processes and stack using GMER or a similar tool suite. I will break the hardwired LAN and even go as far as unplugging the WLAN so the task of monitoring I/O net/web can be done at my convenience, followed by a full DNS flush and checking all hosts/DNS/network related tables/files, and then maybe try poking it with a stick to get any last pieces to come out of the woodwork by running obvious antivirus s/w (Norton/AVG etc.) under their original filenames!

Take Home Point: Debugging a debugger (kdcom.dll) without the use of a debugger... really sucks!

AND thank you again!
Mike
12 Oct 2011   #19
Corazon

Windows 7 Professional SP1 32-bit

Whew. I've been following your adventures and I gotta say, you're really extremely patient and determined. (I don't even really understand everything you've been doing...)
You seem to be making headway too, which is good. Here's hoping you make it to a complete recovery of the system. Good luck!!
12 Oct 2011   #20
rubyrubyroo

MS Windows 7 Home Premium SP1 64-bit (Family Pack Lic.) Upgrade

Too kind, Corazon! I question myself many times if I know what I'm doing, but more often than not (fingers crossed this time) I end up feeling like I got lucky, then realize it was not luck, it just feels like it, because I remember learning the particular info somewhere (unless maybe I have just been lucky like thousands of times with every computer I have worked on... I guess it's possible!) But seriously, thank you!

mike