Windows 7 Forums
Windows 7: Require (Rootkit.TDSS.TDL4) Rootkit Removal & Cleanup walkthrough

02 May 2012   #41
Jacee
Microsoft MVP

Windows 7 Ultimate 32bit SP1
 
 

See if you can get those folders using "Trinity Rescue Kit"
Quote:
Trinity Rescue Kit or TRK is a free live Linux distribution that aims specifically at recovery and repair operations on Windows machines
Trinity Rescue Kit | CPR for your computer


05 May 2012   #42
no cigar

W7 Ult. x64
 
 

Okay guys, here's the screenshot with the drive slaved.

I should probably note that this is a RAID 0 array with 2 64GB SSDs. The disk I am working on is F: in this screenshot.

Another development: as of last night I was able to run MS Offline Defender, and it did find Alureon with a BUNCH of other stuff which I was able to remove; however, the drive is still stuck in the boot loop.


05 May 2012   #43
writhziden

Windows 7 Home Premium 64 Bit
 
 

I can help with data recovery, but I think it would be wise to wait and let Jacee weigh in since you may still have some security concerns.

06 May 2012   #44
no cigar

W7 Ult. x64
 
 

Well, I have discovered that the bug apparently altered properties of the entire drive to make all files hidden. I was able to view the entire drive's contents while it was slaved, and as best I can tell everything is still intact. I used OnTrack recovery to run some tests and I believe the only issue lies in the boot sector of the drive, or perhaps with a hidden partition?

I was able to view the partitions on that drive, and in addition to the main partition there were two others < 1 MB in size.
06 May 2012   #45
writhziden

Windows 7 Home Premium 64 Bit
 
 

Yes, these malicious items usually just add the hidden and system attributes to files. They can also change permissions for accessing files. To unhide, open an Elevated Command Prompt and type
F:
attrib /d /s -h -s *
The above will change attributes for all directories (/d flag) and files within the directories (/s flag) to unhide (-h flag) and remove the system attribute (-s flag).
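The attrib command above clears the attributes blindly. As an added example (not from this thread or any of its posters), the following PowerShell script first audits how many items on the slaved volume carry the Hidden+System pair, clears only those two bits when run with -Fix, and collects the paths where the attribute write is denied, since that usually points at the changed permissions mentioned in the post. It assumes the infected disk is slaved as F: and that it is run from an elevated PowerShell prompt; note that a handful of legitimate items (pagefile.sys, bootmgr, $Recycle.Bin) normally carry Hidden+System too, which does not matter on a drive that is about to be wiped.

```powershell
# Added example (not from the thread): audit, and with -Fix clear, the Hidden+System
# attribute pair that this malware sets on every file of the slaved volume.
# Assumptions: the infected disk is slaved as F:, run from an elevated PowerShell.
param(
    [string]$Root = 'F:\',
    [switch]$Fix            # omit -Fix to only report and change nothing
)

$mask = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System
$scanned = 0; $flagged = 0; $cleared = 0
$denied  = New-Object System.Collections.Generic.List[string]

# -Force is required: without it Get-ChildItem silently skips hidden/system items,
# which is exactly what makes the drive look empty in Explorer.
$items = Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue
foreach ($item in $items) {
    $scanned++
    if (($item.Attributes -band $mask) -ne $mask) { continue }   # not both H and S
    $flagged++
    if (-not $Fix) { continue }
    try {
        # Clear only H and S; ReadOnly, Archive, Directory etc. are left as they were.
        $item.Attributes = $item.Attributes -band (-bnot $mask)
        $cleared++
    } catch {
        # Access denied on the attribute write usually means the ACL was changed as
        # well (see post #45); collect these paths so they can be reviewed with icacls.
        $denied.Add($item.FullName)
    }
}

[pscustomobject]@{
    Scanned      = $scanned
    HiddenSystem = $flagged
    Cleared      = $cleared
    AccessDenied = $denied.Count
} | Format-List

if ($denied.Count -gt 0) {
    Write-Host "Access denied on $($denied.Count) item(s); review each with: icacls <path>"
    $denied | ForEach-Object { Write-Host "  $_" }
}
```

Run it once without -Fix to see the count of affected items before changing anything; a count in the thousands on a user data volume is the signature described in post #44.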
07 May 2012   #46
no cigar

W7 Ult. x64
 
 

Thanks. This worked. A few misc. files gave me access denied errors but all is well and visible. I went ahead and rescued my user folder from the drive and am thinking about running the 4-8 pass dban format tool on it and calling it a day. Would this be an advisable way to clean the drives?
08 May 2012   #47
writhziden

Windows 7 Home Premium 64 Bit
 
 

You could also use the clean all command through Diskpart; that is what is usually recommended for clearing viruses and rootkit infections. Disk - Clean and Clean All with Diskpart Command