Windows 7 Forums


Windows 7: Require (Rootkit.TDSS.TDL4) Rootkit Removal & Cleanup walkthrough

15 Oct 2011   #31
ICIT2LOL

Desk1 7 Home Prem / Desk2 10 Pro / Main lap Asus ROG 10 Pro 2 laptop Toshiba 7 Pro Asus P2520 7 & 10
 
 
Ok

I had a quick scan through the thread, ruby, and I see Corinne suggested the Kaspersky TDSS and I think you said you had it on a stick.

Mate, as a general rule I always download it fresh before using it so I don't miss any up-to-date stuff. I am running KIS 2012 so I very rarely have this problem.

Having said that, on machines I clean up for friends the K TDSS Killer is the first one I head for.

Tried Dr.Web CureIt! yet?? Dr.Web CureIt! - download free anti-virus! Cure viruses, Best free anti-virus scanner!

Also, as a general rule, as for the TDSS I delete any downloads when finished with them, for the same reasons as above.

Nearly forgot - http://www.antirootkit.com/software/index.htm - take your pick


17 Oct 2011   #32
rubyrubyroo

MS Windows 7 Home Premium SP1 64-bit (Family Pack Lic.) Upgrade
 
 

I've got all your notes and advice, I'm not ignoring them, just piled fixing my backlog of broken client computers onto the workload, so physically no time to type.

All thanks!!!!!!

I'll respond more soon,

Here's what should be a simple question: I have a file in the main system drive c:/ named " .rnd " yes, that's <dot><r><n><d> and is exactly 1kB (1024b). I know there was never any AutoCAD type software in use on this computer and no PuTTY or knock-off SSL s/w. Any ideas? Could this have had anything to do with the encrypted disk area/partition/volume that was I/O'ed to? (of course "IT COULD", I mean does anyone know of this concept?) My research produces results about as coherent and focused as my posts to this thread!! I can't find it on any of 5 other Win 7 PCs.

Thank you all, I am using your ideas... I did get Trinity btw, Jacee.

And thanks for remembering it was Sweeper that I used 1st (or quasi-1st), Corrine.

You are all on top of your game, at least I can say!! Thanks!


And ICIT2LOL, thanks for the advice, I (as anticipated) have just had to move my timeline a couple of times so I'll definitely remember to update EVERYTHING! TDSSKiller has had the most success (or at least so the user is led to believe) and seems to have the shortest lag in this specific rootkit's "mutation to new-fix" event-horizon time window!

Although, until I see it at that stage, that's all ...."hearsay"??? or whatever the term would be... since this is supposed to be the rootkit that you never know you have (which even superficially proves my point that my "strain" of the virus is glitchy since it was alllllll toooo obvious).

Thanks, I'll be back

Sincerely,
Mike
17 Oct 2011   #33
ICIT2LOL

Desk1 7 Home Prem / Desk2 10 Pro / Main lap Asus ROG 10 Pro 2 laptop Toshiba 7 Pro Asus P2520 7 & 10
 
 
OK

Hiyya Mike. Well mate, my first line of action would be to get KIS on board and dump the ?AVG. I know you have to pay for it but at something like - I think I pay about $0.16 a day for a one year licence - it's a suite that once config'd is set / forget. The config also has active run-time rootkit detection.

My argument has always been: why use a freebie when for that sort of money you are (relatively) safe, cos nothing is 100% competent.

If you do get the KIS though, mate, just make sure the machine is absolutely clear of any other AV stuff bar Malwarebytes, and even that has to be the free one with scan settings set as this. Everything else go for

I'll ask a mate of mine who's fairly cluey re that .rnd too,


Attached Thumbnails: Require (Rootkit.TDSS.TDL4) Rootkit Removal & Cleanup walkthrough-capturembam1.png

21 Oct 2011   #34
rubyrubyroo

MS Windows 7 Home Premium SP1 64-bit (Family Pack Lic.) Upgrade
 
 

Well, I have had some seriously promising results as of today. It has been about a full 24-hour stretch of "my homemade glossover" and I haven't detected any rogue code execution; I've even monitored changes to the registry over a period of many standard system operations with no apparent HACKERY going on to unknown/unusual keys, etc.

I hate to go on and on about all the software used, system files replaced, and physical changes to the code (esp. initial code) I used, but I think, hope I have had a ..... successful experience!?!!! (maybe just got lucky, maybe it will indeed return, maybe anything...I admit, but I'm just walkin' on eggshells here, fingers crossed and maybe smiling a tiny tiny bit (as I can always say I gave it my best even if it does fail down the road)

I do still agree with the advice of the most wise/intelligent members of these forums, as well as the world in general, who advised...no, insisted that I do the right thing: clean wipe/format/reinstall.

For the sake of the general users of the forum, I COMPLETELY ADVISE YOU NOT, NEVER-EVER and in NO WAY TO TRY TO DO ANYTHING TO COMBAT THIS DEVIANT ROOTKIT, BUT ONLY DO A COMPLETE REINSTALL (as just about anyone here can quickly talk you through) .... Don't use my crazy ideas, as their mentioning was not intended to inspire this whatsoever!

I only wanted help, which I got a considerable bit of (thank you all kindly), and to inform those interested in this interesting area, albeit dangerous, which I myself had never explored before. (I also had specific personal reasons for my "Quest", as I have mentioned, related to the owner.)



But it is hooked up to the O's network again, and after more monitoring and checking for a period of time, I will be literally insisting on a full s/w, h/w, & network upgrade with fully integrated/automated backup & security, in addition to other things.

While I will be compensated considerably well for all these new implementations, I want everyone to know you were not used to make money, as I have refused payment for this, not out of being a great noble guy or anything, but it was a chance I had to take that I could have, or still may, hurt more than I help. So with the fact that I will be indebted to Bob for the rest of my days to some degree (for other reasons), I can quite easily say that I did owe him, so I don't feel stupid for "wasting" so much time and energy on a pro bono case!


I can't believe (to a high degree of certainty - in my head anyway) that I eradicated that ......Thing!

I will update if I find anything inconsistent with this in further test findings! I promise to let you know if it returns (w/ details).

Thanks soooo much
Mike / Link / Rubyrubyroo / Me
21 Oct 2011   #35
ICIT2LOL

Desk1 7 Home Prem / Desk2 10 Pro / Main lap Asus ROG 10 Pro 2 laptop Toshiba 7 Pro Asus P2520 7 & 10
 
 
Got it

Hiyya rubyrubyroo, I did ask around and a fellow who I know is really on the ball has told me that it is a VMware issue and that it will recreate itself however many times you delete it.

If you want to see what he said - http://forums.whirlpool.net.au/forum....cfm?t=1796028 and there is a sub thread ref too.

This might not be what you had, however it's a job knowing what's going on at times, but there again it might answer a few of your queries.
23 Oct 2011   #36
rubyrubyroo

MS Windows 7 Home Premium SP1 64-bit (Family Pack Lic.) Upgrade
 
 

ICIT2,
thank you kindly for checking that out for me! I can't say it wasn't a VM file, but the machine never was "purposely", or rather..."without malicious intent", loaded with any type of virtualization s/w, of that I am certain (unless it was something another app or the OS did behind the scenes!?!). But the file was merely data and contained no recognizable, executable code, but to be sure I did delete it, and it didn't reappear as the referenced thread(s) mentioned, maybe because I had already erased the source that it would have copied the replacement from, or maybe because the best way to hide nasty viral components is to disguise them as files that you wouldn't expect (and I'd bet - the ones that border on making one scared to erase it, just find a filename that Googles back "this is a NORMAL FILE, and you should not remove it" or "it often produces false positives, and such results should not cause one to worry"! At least that's what I'd do if I was trying to do what these baddies are doing; see, you have to get in their mind a bit to understand the best way to take them out, I believe.)

It's long gone now and I was tempted to, although didn't, keep a copy for later analysis, just too scary even on a seemingly isolated system (i.e. next thing you know your WLAN button LED changed color w/o pressing it and who knows what other network computers might get infected). It was....dare I say it...(fun)...or interesting in some sick twisted way to battle the thing, but I only wish I didn't have to do it with such important stakes, .... although they are what compelled me to "go there" in the first place!!! Kinda like a vicious cycle!

Thanks for the lookup. (BTW I was thinking maybe it was a Linux file ".rnd" ...like ".htaccess" etc. ---- and as the thread said *.rnd indicates that rnd is the extension and the name is either an "invisible char" or a "null"-ish name. I was more under the impression that ".rnd" was the filename and the extension was not present (a.k.a. null/void/noExtension) but I didn't analyse it that closely I guess.)

Guess I'm focusing too much on this likely meaningless file, and avoiding the mention of the status: all is okay (superficially for SURE), seemingly at a deeper analytical level as well! I am still monitoring, pushing the system, trying to poke anything in there with a stick, to see what pokes its head out!

Thanks again!
Mike
24 Oct 2011   #37
ICIT2LOL

Desk1 7 Home Prem / Desk2 10 Pro / Main lap Asus ROG 10 Pro 2 laptop Toshiba 7 Pro Asus P2520 7 & 10
 
 
No probs mate

No probs Mike, I would guess you're right with it being downloaded unintentionally or on the back of something else - who knows anymore.

Pity you didn't still have the readouts to send to one of those places like VirusTotal - Free Online Virus, Malware and URL Scanner, or one of the others from this Google search, for an analysis of the files.

Still glad it's fixed - so time-consuming eh?
25 Oct 2011   #38
rubyrubyroo

MS Windows 7 Home Premium SP1 64-bit (Family Pack Lic.) Upgrade
 
 

I was just workin' off a "boot disk" & Win7 DVD, etc., so I had trouble finding s/w that could do decent analysis/reporting from this angle; I just used a disassembler, and some raw code readers (bin, hex, reassembled assembler).

Thx
Mike
02 May 2012   #39
no cigar

W7 Ult. x64
 
 

Greetings,

I found this thread on a Google search and wanted to clarify that you were able to get into the system by utilizing the non-DSE mode? I'm locked in a boot loop and am trying to get the system to boot up so I can grab a couple of folders of pictures from my drive.

I have been able to slave the drive but cannot browse it at all as all I get is a bare, empty folder.
02 May 2012   #40
writhziden

Windows 7 Home Premium 64 Bit
 
 

Slave the drive, and go into disk management: Start Menu -> Right click Computer -> Manage -> Disk Management

Upload a screenshot of your disk management window and tell us which drive is the drive you are trying to access.