

Windows 7: Require (Rootkit.TDSS.TDL4) Rootkit Removal & Cleanup walkthrough


10 Oct 2011   #1
rubyrubyroo

MS Windows 7 Home Premium SP1 64-bit (Family Pack Lic.) Upgrade
 
 
Require (Rootkit.TDSS.TDL4) Rootkit Removal & Cleanup walkthrough

I would really appreciate some help from someone with experience with this matter.

Introduction:

Origin: False sense of security by AVG (updated), Windows kept updated, browser settings, firewall, and self system maintenance.

Presentation: Installed a 2nd HDD (exclusively for daily backups - ironic!). I did manage to fire off one backup with Win 7 Backup including an image, but I doubt it is clean. The next morning the computer was no longer in the Win7 environment but had rebooted to the System Repair panel, and despite a week of working on the problem with lots of pro and sub-pro advice online and offline, I could not get the startup repair to stop reporting that my code integrity file "C:\ci.dll" was corrupt and it could not help me. I was locked in a loop [boot start->system repair]. Safe mode, BIOS changes/resets, drive removals/rearrangements, Win7 original DVD repair, triple startup repair cycle, replacing ci.dll with a correct-sized version (which simply reverted to "corrupt size" on reboot), restore points, using the one image file I had made .... no help - all roads lead to the system recovery panel.

B.T.W. Safe Mode would halt boot at driver #5 "CLFS.sys" to enter the system recovery console.

Positive (hopefully) Headway I've Made: I researched the details of the component library ci.dll and looked for a vulnerability or weakness I could exploit to avoid the error, and I learned it doesn't lend its function set during kernel debug mode and unsigned driver ignore mode. I immediately tried the latter and was in Windows 7 like nothing had ever happened (superficially anyway).

Cause(s): Although I am unaware of the timeline/origin of the malicious event, a trojan apparently infiltrated my Win7/Home/64 system's defences and left plenty of malware components across the filesystem; most notable is a rootkit in the MBR, named TROJAN:Win32/Alureon.DX. Also present was TROJAN:Win32/Alureon.A; I believe they work "together", so to speak.


AVG Resident Shield took plenty of notes as it watched ~20 "trojans" execute as "setup.exe" from temp folders, as well as the main malware file (name not available at this time). I ran a full rootkit scan with AVG - ~15 results (one main and the rest named after the Win32 smoke-and-mirrors command they implement (i.e. FILE_LIST_REQUEST, ALTER_USER_PERMISSION)). Of course AVG can't help with these, so I ran MS System Security Sweeper from a newly reconnected DVD, and a full scan produced the two malwares (TROJAN:Win32/Alureon.A & TROJAN:Win32/Alureon.DX) using the MS Sweeper's nomenclature, but I'm hoping it's the same code.

Currently: So after staring at the screen (letters MBR) for 10 min or so I reluctantly instructed Sweeper to remove both, and it reported success. I did a full scan with Sweeper afterwards, and it reported no problems. I powered off and have not rebooted since, so as not to reactivate any viral safeguard it may have had implemented for just that type of removal! That's where I am now.

I still worry it was not removed in its entirety, or it left the Master Boot Record or other boot files corrupt. I would prefer a thorough step-by-step guide from someone of knowledge, before I go trying to rebuild/fix the MBR from a WinRE command prompt or use ineffective software. I know this malware is known at boot-time to dup itself at a random location and alter reg entries to boot the currently unexecuting clone, so removing it should have no noticeable effect unless both copies are located. It's known for altering the hosts file... not on my computer, but internet settings... yes, all kinds of prompts and altered settings in IE reg keys. And it's known for stealing (changing) one's DNS lookup tables and online DNS ref connection (and flushing DNS buffers for quick effect). I mention these only out of fear that something gets overlooked, but I'll get to the end since this is the short version (HA).

I only wish I could work on it inertly from another computer, via USB etc., but I can't find any of my SATA->USB adapters, and thumbdrives are filled halfway with other backed-up data files I removed using the xcopy command, which I will keep as a second chance if everything falls apart now, although I do not have all the vital files, so I'd REALLLLLY like to not do a wipe/reinstall.

Thanks for listening to the long explanation and spelling errors,
Mike
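As an added example that is not part of this thread: a defender-side check for the kind of MBR tampering described above, comparing a disk's first sector against a hash recorded while the system was known clean. The sample MBR bytes and the baseline hash are constructed here; on a real disk the 512 bytes would come from a sector dump taken from outside the installed OS, and the baseline must have been recorded before the infection.

```python
import hashlib
import struct

MBR_SIZE = 512
CODE_LEN = 446            # bytes 0..445: bootstrap code (plus disk signature)
PART_TABLE_OFF = 446      # four 16-byte partition entries follow
BOOT_SIG_OFF = 510        # 0x55AA terminates a valid MBR


def parse_partitions(mbr: bytes) -> list:
    """Decode the four partition entries (status, type, LBA start, sector count)."""
    parts = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(
            "<B3xB3xII", mbr, PART_TABLE_OFF + 16 * i)
        parts.append({"index": i, "bootable": status == 0x80,
                      "type": ptype, "lba_start": lba, "sectors": count})
    return parts


def check_mbr(mbr: bytes, baseline_code_sha256: str) -> list:
    """Return findings; an empty list means the MBR matches the recorded baseline."""
    if len(mbr) != MBR_SIZE:
        return [f"unexpected MBR length {len(mbr)}"]
    findings = []
    if mbr[BOOT_SIG_OFF:] != b"\x55\xaa":
        findings.append("boot signature 0x55AA missing")
    # A bootkit replaces the code region, so that is what is hashed and compared.
    if hashlib.sha256(mbr[:CODE_LEN]).hexdigest() != baseline_code_sha256:
        findings.append("bootstrap code differs from baseline")
    parts = parse_partitions(mbr)
    if sum(p["bootable"] for p in parts) > 1:
        findings.append("more than one partition flagged bootable")
    for p in parts:
        if p["type"] != 0 and p["sectors"] == 0:
            findings.append(f"partition {p['index']} has a type but zero length")
    return findings


def build_mbr(code: bytes, entries: list) -> bytes:
    """Assemble a 512-byte MBR from bootstrap code and (status, type, lba, count) tuples."""
    table = b"".join(struct.pack("<B3xB3xII", *e) for e in entries)
    return code.ljust(CODE_LEN, b"\x00") + table + b"\x55\xaa"


# Constructed sample data: one bootable NTFS (0x07) partition starting at LBA 2048.
PARTS = [(0x80, 0x07, 2048, 204800), (0, 0, 0, 0), (0, 0, 0, 0), (0, 0, 0, 0)]
CLEAN_MBR = build_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c", PARTS)   # known-good image
BASELINE = hashlib.sha256(CLEAN_MBR[:CODE_LEN]).hexdigest()    # recorded while clean
# Same partition table, but the bootstrap code has been replaced (constructed).
TAMPERED_MBR = build_mbr(b"\xeb\x3c\x90" + b"\x90" * 16, PARTS)
```

Running `check_mbr(TAMPERED_MBR, BASELINE)` reports the replaced bootstrap code while the clean image returns no findings.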


11 Oct 2011   #2
Golden

Microsoft Community Contributor Award Recipient

Windows 7 Ult. x64 Windows 8.1 x64
 
 

Mike,

You need Jacee and/or Corinne's help with this - they are our resident security MVP's. No doubt they will see this, but I'll drop them a message and ask them to have a look at this for you.

Regards,
Golden
11 Oct 2011   #3
rubyrubyroo

MS Windows 7 Home Premium SP1 64-bit (Family Pack Lic.) Upgrade
 
 

Golden,

Thank you for the advice and help!

Mike
11 Oct 2011   #4
Golden

Microsoft Community Contributor Award Recipient

Windows 7 Ult. x64 Windows 8.1 x64
 
 

Quote: Originally Posted by rubyrubyroo
I powered off and have not rebooted since, so as not to reactivate any viral safeguard it may have had implemented for just that type of removal! That's where I am now.
Mike, I just had a read again, and whilst we wait for Jacee/Corinne to offer some advice, I thought I might make a suggestion.

Since you are concerned about possible remnants remaining, and you do not wish to boot this disk into Windows, you might want to try a bootable anti-virus disk. I have used F-Secure in the past to clean out some less troublesome trojans than yours:

Rescue CD

It boots from Knoppix (Linux distro), from outside of the Windows environment.

Let us know what you decide to do, but if Jacee/Corinne offer other advice then please follow their instructions instead.

Regards,
Golden
11 Oct 2011   #5
Jacee
Microsoft MVP

Windows 7 Ultimate 32bit SP1
 
 

While there are some 'specialists' who will work on a Rootkit infected computer ... I am not one of them. My advice is to wipe and do a clean install. If that isn't done, then how can you ever trust your computer to be stable again?

Read this, and especially "Bootkits": Rootkit - Wikipedia, the free encyclopedia
11 Oct 2011   #6
Mercurial

Windows 7 32bit RTM
 
 

That's AVG for you :/
11 Oct 2011   #7
rubyrubyroo

MS Windows 7 Home Premium SP1 64-bit (Family Pack Lic.) Upgrade
 
 

Golden,

Thanks, I've been considering a Linux DVD boot, and a friend rec'd it to me too. I was just hoping to hear an answer just a little bit better (perfectionist type thing), but there is no correct answer except for what I was fearfully anticipating - just what Jacee said...

I'm thinking...plotting maybe....

Thanks again
Mike
11 Oct 2011   #8
rubyrubyroo

MS Windows 7 Home Premium SP1 64-bit (Family Pack Lic.) Upgrade
 
 

Jacee,

Nice to meet you. I own a computer repair biz and that's what I tell all my customers too, because you are absolutely right: a 100% wipe / reformat / reinstall is the only way to "cure" most malware and be sure you are good! But this being a sticky situation, I think I need to do this. The computer belongs to my absolute best VIP customer, friend and former boss, an attorney that has no backups whatsoever except the one I made "as" the attack was likely underway, so I would not feel safe reloading the files from there or the flash card I xcopied post-attack. This guy isn't a blood-sucker lawyer, he's a wills and trusts kind of atty, practiced over 30 years, and this is every file he has on his clients (pretty stupid I realize, but nonetheless, I will not let him get disbarred or even jailed for neglecting to secure the files).

Not to go on about the reason for my "noble cause" crusade, but I'm basically saying this... I NEED to reload the files from that flash drive, so since any portion of that could be contaminated, there is no truly sterile path back to fix the computer "in whole"; I will then have to settle for the best I can get. Your advice I have no disagreements with, it's spot on.

I can't afford a "specialist", I just would like someone that has possibly dealt with this or a similarly virulent strand of beast, more than one time hopefully! I'm not trying to talk you into helping me, but if someone else reads this or you know someone or a good source, I'd be better off. I am fairly computer literate (I get down into the low-level MSAM and C++ mostly, and like I said fix computers for a living (The Reliable Computer Guy, LLC)), so I will try it on my own if I can't find help, albeit outside of my comfort zone, as I usually do the reinstall for everyone else.

Anything?
Anyone?
Don't be afraid to "chime in" !

Thanks for the original reply, and as of now the add'l reading of my rant!
Mike
11 Oct 2011   #9
rubyrubyroo

MS Windows 7 Home Premium SP1 64-bit (Family Pack Lic.) Upgrade
 
 

Mercurial,

And I have always had such good luck with AVG Free Edition catching viri on clients' computers and keeping them nice and spotless, aside from the performance ataxia that I hate! I think I'll be loading new anti s/w on my customers' and friends' computers after this one incident.

Mike
11 Oct 2011   #10
Layback Bear

Windows 7 Pro. 64/SP-1
 
 
That would nail it for me

Quote: Originally Posted by Jacee
While there are some 'specialists' who will work on a Rootkit infected computer ... I am not one of them. My advice is to wipe and do a clean install. If that isn't done, then how can you ever trust your computer to be stable again?

Read this, and especially "Bootkits": Rootkit - Wikipedia, the free encyclopedia
--------------------------------------------------------------
After that great read on Rootkit I would do a wipe and a new install just like Jacee recommended. How else would one know the Rootkit is completely gone? If you did a format and install without doing a wipe, the Rootkit could just install itself again and you might not know it.