Windows 7 Forums

Windows 7: Require (Rootkit.TDSS.TDL4) Rootkit Removal & Cleanup walkthrough

12 Oct 2011   #21
rubyrubyroo

MS Windows 7 Home Premium SP1 64-bit (Family Pack Lic.) Upgrade
 
 

Can anyone recommend a good program I can run from a boot disk or the like (even a command prompt method), just not from the Windows system drive, to

A.) alter / browse the registry (on a Win7 x64 system)

B.) remove the unknown encrypted virtual partition system at the end of my HDD (although as long as the dropper is removed, I'm not seeing a route to their use, but just leaving the bad DLLs and loaders in place makes my skin crawl, and I do know I could miss something, or even become reinfected once online again, since who knows what info they have and use from me (including IP address to reattack), so I don't plan on making it easier for them)

Mike


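For point (B) above, here is an added example (not code from this thread or from any of the tools mentioned in it) of the offline check a practitioner would run first: a Python script that parses a disk's MBR from a boot disk or a dd image, lists the partitions, hashes the 440-byte boot code so it can be compared with a known-clean MBR, and reports how many sectors lie past the last partition. That trailing unallocated region is where a TDL4-style hidden file system lives, so a tail far larger than normal alignment slack is what to look for. The device path (/dev/sda) and the sample 20 GiB layout are assumptions constructed for illustration.

```python
"""Offline MBR audit: list partitions and flag space past the last partition.

Added example, not from the forum thread. Works on any 512-byte MBR: a raw
device such as /dev/sda read from a Linux boot disk, a dd image, or the
constructed sample below. Device paths and sizes here are assumptions.
"""
from __future__ import annotations

import hashlib
import os
import struct
from dataclasses import dataclass

SECTOR = 512
MBR_SIGNATURE = b"\x55\xaa"
GPT_PROTECTIVE = 0xEE  # a 0xEE entry means the real table is GPT, not parsed here


@dataclass
class PartitionEntry:
    index: int
    bootable: bool
    type_id: int
    start_lba: int
    sectors: int

    @property
    def end_lba(self) -> int:
        """First LBA after the partition (exclusive end)."""
        return self.start_lba + self.sectors


def parse_mbr(mbr: bytes) -> list[PartitionEntry]:
    """Decode the four 16-byte partition entries starting at offset 446."""
    if len(mbr) < SECTOR or mbr[510:512] != MBR_SIGNATURE:
        raise ValueError("not a valid MBR: short read or missing 55AA signature")
    entries = []
    for i in range(4):
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, type_id, start, count = struct.unpack_from("<B3xB3xII", mbr, 446 + 16 * i)
        if type_id == 0:
            continue  # unused slot
        entries.append(PartitionEntry(i, status == 0x80, type_id, start, count))
    return entries


def bootcode_sha256(mbr: bytes) -> str:
    """Hash only the 440-byte boot code (disk signature and table excluded),
    so the value can be compared with a hash taken from a known-clean MBR."""
    return hashlib.sha256(mbr[:440]).hexdigest()


def trailing_gap(entries: list[PartitionEntry], total_sectors: int) -> tuple[int, int]:
    """Return (first LBA after the last partition, unallocated sectors to end of disk)."""
    last_end = max((e.end_lba for e in entries), default=0)
    return last_end, max(total_sectors - last_end, 0)


def audit(mbr: bytes, total_sectors: int) -> dict:
    """Full report for one MBR plus the disk's total sector count."""
    entries = parse_mbr(mbr)
    gap_start, gap_sectors = trailing_gap(entries, total_sectors)
    return {
        "bootcode_sha256": bootcode_sha256(mbr),
        "gpt_protective": any(e.type_id == GPT_PROTECTIVE for e in entries),
        "partitions": entries,
        "trailing_gap_start_lba": gap_start,
        "trailing_gap_sectors": gap_sectors,
        "trailing_gap_mib": gap_sectors * SECTOR / 2**20,
    }


def audit_device(path: str, total_sectors: int | None = None) -> dict:
    """Read sector 0 of a raw device or image. On Linux, seeking to the end of a
    block device yields its size; on Windows pass total_sectors from diskpart."""
    with open(path, "rb") as f:
        mbr = f.read(SECTOR)
        if total_sectors is None:
            total_sectors = os.lseek(f.fileno(), 0, os.SEEK_END) // SECTOR
    return audit(mbr, total_sectors)


def build_sample_mbr() -> bytes:
    """Constructed 20 GiB layout: a Win7-style 100 MiB system partition plus one
    NTFS volume, leaving about 104 MiB of unallocated sectors at the disk's end."""
    mbr = bytearray(SECTOR)
    mbr[0:2] = b"\x33\xc0"                # placeholder boot code (xor ax,ax)
    mbr[440:444] = b"\xde\xad\xbe\xef"    # disk signature
    table = [(0x80, 0x07, 2048, 204800), (0x00, 0x07, 206848, 41523200)]
    for i, (status, ptype, start, count) in enumerate(table):
        struct.pack_into("<B3xB3xII", mbr, 446 + 16 * i, status, ptype, start, count)
    mbr[510:512] = MBR_SIGNATURE
    return bytes(mbr)


SAMPLE_TOTAL_SECTORS = 41943040  # 20 GiB / 512


if __name__ == "__main__":
    # Replace with audit_device("/dev/sda") from a Linux boot disk (path assumed).
    result = audit(build_sample_mbr(), SAMPLE_TOTAL_SECTORS)
    for p in result["partitions"]:
        print(f"part {p.index}: type 0x{p.type_id:02x} boot={p.bootable} "
              f"LBA {p.start_lba}-{p.end_lba - 1}")
    print(f"bootcode sha256: {result['bootcode_sha256']}")
    print(f"unallocated tail: {result['trailing_gap_sectors']} sectors "
          f"({result['trailing_gap_mib']:.1f} MiB) from LBA {result['trailing_gap_start_lba']}")
```

Two caveats when reading the report: a tail of a few MiB is normal alignment slack, so only an unusually large one (or sectors in it that read as high-entropy data rather than zeros) supports the hidden-partition hypothesis, and the boot code hash is only meaningful against a reference taken from a clean install of the same Windows version. If the table shows a single 0xEE entry the disk is GPT and needs a GPT parser instead, which this script deliberately does not attempt.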
12 Oct 2011   #22
Jacee
Microsoft MVP

Windows 7 Ultimate 32bit SP1
 
 

Quote:
B.) remove the unknown encrypted virtual partition system at the end of my HDD (although as long as the dropper is removed, I'm not seeing a route to their use, but just leaving the bad DLLs and loaders in place makes my skin crawl, and I do know I could miss something, or even become reinfected once online again, since who knows what info they have and use from me (including IP address to reattack), so I don't plan on making it easier for them)
Good luck ... and most certainly you could/would be re-infected again.
12 Oct 2011   #23
rubyrubyroo

MS Windows 7 Home Premium SP1 64-bit (Family Pack Lic.) Upgrade
 
 

Quote: Originally Posted by Jacee
Quote:
B.) remove the unknown encrypted virtual partition system at the end of my HDD (although as long as the dropper is removed, I'm not seeing a route to their use, but just leaving the bad DLLs and loaders in place makes my skin crawl, and I do know I could miss something, or even become reinfected once online again, since who knows what info they have and use from me (including IP address to reattack), so I don't plan on making it easier for them)
Good luck ... and most certainly you could/would be re-infected again.
Are you mostly referring to if I screw up and leave something behind (we both know this is a true risk), or since the attack origin "knows" the computer and therefore, when it stops receiving keylogs or whatnot, it will realize I zapped it and reattack me specifically?

Mike

13 Oct 2011   #24
rubyrubyroo

MS Windows 7 Home Premium SP1 64-bit (Family Pack Lic.) Upgrade
 
 

I could only find one rootkit similar to mine that has successfully written to BIOS (Trojan.Mebromi), and it does so in the same area I have checked line for line. While I am unaware of the command to use to interact with the EEPROM BIOS chip, I am certain it was not present (boosts my odds just a bump up, maybe). Then there was another, earlier one, a Win 9x-based rootkit (CIH/Chernobyl), which acted directly from the Windows environment (this could be more plausible in my case, ALTHOUGH this was a Win 9x-based system we're talking about; I HOPE MS made that a bit more difficult in their free time!). These two, I'm pretty sure, were the only two rootkits in the wild ever documented with this capability, aside from one or two "POC" programs that have been designed but never leaked to the hacking community, I presume, as they never found one infecting a computer outside the controlled environment.

I can't imagine that the BIOS flash op-codes are not manufacturer-specific to the chip or mobo brand, and the internal architecture is different between BIOS types, so effectively using BIOS to rewrite a rootkit to, let's say, the MBR at each boot (similar to what I have, just one step past the chip itself) is unlikely for any significant portion of PC users.

That's my opinion, but more so my HOPE!
13 Oct 2011   #25
Jacee
Microsoft MVP

Windows 7 Ultimate 32bit SP1
 
 

This article might be of interest to you: Mebromi: the first BIOS rootkit in the wild (Webroot Threat Blog)
13 Oct 2011   #26
rubyrubyroo

MS Windows 7 Home Premium SP1 64-bit (Family Pack Lic.) Upgrade
 
 
nice

Quote: Originally Posted by Jacee
Beautiful article; it references all the ones I mentioned, but in better detail, although either my or their timeline is quite wrong. I read more than one reference explaining that Mebromi was a late-'90s discovery, the first of its kind, and I obviously inferred a possible 16-bit or more likely 32-bit rootkit had to be so different in a pre-XP OS (as XP was a ground-up rewrite, technologically speaking, rather than the common misconception that it was a merge/hybrid of NT with 9x-2000!). But I was clearly mixed up, as I was head deep in hex until I fell out at the computer around 7am EST! What is wrong with me!

And I love texts with intermittent code captures, so they can talk and explain, then show me so I know they're not exaggerating or lying; I can believe them because it's right there, although I am getting dizzy from going from C++ to Assembly to hex/binary! I want to read it over a bit closer, but I just wanted to say thanks, or rather mean it!

I also read a dozen or so articles revealing some scary S about this thing, which is often referred to as approaching "the perfect virus" or nearly "impenetrable". It seems in the past week or so the writers have kicked it up a notch with features, which I have not seen on my machine, but I obviously couldn't have seen more than 0.001% of the system files yet, you know! The new "features" are transfer by USB drive to other machines... uhhh... yeah! Autostart did pop up too in one computer I plugged the flash RAM into (I cancelled it, fearing just such a thing, so I'm guessing it couldn't run as it had no advantage on my laptop yet). I just don't ever get that with my options set as they are... autostart. And there were no files other than the dirs I made (like autostart files were absent, so... hmmm), and I keep hidden files and system files/dirs visible on all my personal systems at least (as well as known extensions visible, just like everyone should, as easy as it would be to trick someone with a copied icon into running a "trojan" that way; but I'm getting off topic). The other feature, just discovered at some university by a "viral professor"?!?!, is the ability to spontaneously "worm-ize" and migrate along with taking over a peer network as the default DHCP and use its own routing table that connects infected computers' TX to uninfected peers' RX every time! So I'm guessin' I potentially have 8 infected computers (2 of which aren't mine, but I am fully responsible for [or technically the entity that is my LLC!]). Luckily I haven't found any signs yet, so hopefully I got a glitchy/older version!

I'm guessing the BIOS is just about the only impressive feat left untackled, and must be on the "to do" list for the creators! "TDSS.TDL1 thru 4" is supposedly infecting 3.2 million machines as of last check. Good God! The profits are sick as well; I never heard of this, but I'm sure you have: they're selling the service of making the average entrepreneur a bot-net (since that size is overkill; 3.2 million+ zombies wouldn't be needed to brute force attack every country in the world in 10 seconds (don't quote me on the math there!)), but that's what they're doing: "Too dumb to write your own hacking army? We'll take care of you for a mere $100-300 per bot." Now we've got people out there using some GUI to control them like a game! That's just... for once... me... speechless...


Oh, and if you do take the time to get this far into my ramblings... (A.) thanks & (B.) what are the chances of the bot-net's server network keeping logs to reinfect me remotely, however it was done originally? They know "where I live", and I would not be transmitting them my personal keystrokes any more, so might they reattack, from your experience or prior research?

sincerely,
rootkit-mike
14 Oct 2011   #27
Layback Bear

Windows 7 Pro. 64/SP-1
 
 

If you haven't done this I would.
https://connect.microsoft.com/systemsweeper
14 Oct 2011   #28
Corrine

Windows 7 & Windows Vista Ultimate
 
 

Quote: Originally Posted by Layback Bear
If you haven't done this I would.
https://connect.microsoft.com/systemsweeper
Yes, he did.
14 Oct 2011   #29
Borg 386

Win 7 32 Home Premium, Win 7 64 Pro, Win 8.1, Win 10
 
 

Have you tried Norton Power Eraser yet? It offers a rootkit scan that reboots your PC and checks for infections.

Norton Rescue Tools

Quote:
Because Norton Power Eraser uses aggressive methods to detect threats, there is a risk that it can select some legitimate programs for removal. You should use this tool very carefully.
14 Oct 2011   #30
Jacee
Microsoft MVP

Windows 7 Ultimate 32bit SP1
 
 

Sometimes it becomes necessary to "destroy/tear down", in order to fix a known problem. In this case, rubyrubyroo knows what has to be done.

A "gloss-over patch/removal" will not save this OS from being infected again.