Require (Rootkit.TDSS.TDL4) Rootkit Removal & Cleanup walkthrough

rubyrubyroo

I defy U 2 define me
I would really appreciate some help from someone with experience with this matter.

Introduction:

Origin: False sense of security by AVG (updated), Windows kept updated, browser settings, firewall, and self system maintenance.

Presentation: Installed a 2nd HDD (exclusively for daily backups - ironic!). I did manage to fire off one backup with Win 7 Backup including an image, but I doubt it is clean. Then the next morning the computer was no longer in the Win 7 environment but had rebooted to the System Repair panel, and despite a week of working on the problem with lots of pro and sub-pro advice online and offline, I could not get Startup Repair to stop reporting that my code integrity file "C:\ci.dll" was corrupt and that it could not help me. I was locked in a loop [boot start -> system repair]. Safe mode, BIOS changes/resets, drive removals and rearrangements, Win 7 original DVD repair, triple Startup Repair cycle, replacing ci.dll with a correct-sized version (which simply reverted to "corrupt size" on reboot), restore points, using the one image file I had made.... no help - all roads lead to the system recovery panel.

B.T.W. Safe Mode would halt boot at driver #5 "CLFS.sys" and enter the system recovery console.

Positive (hopefully) headway I've made: I researched the details of the component library ci.dll and looked for a vulnerability or weakness I could exploit to avoid the error, and I learned it doesn't lend its function set during kernel debug mode and unsigned-driver-ignore mode. I immediately tried the latter and was in Windows 7 like nothing had ever happened (superficially anyway).

Cause(s): Although I am unaware of the timeline/origin of the malicious event, a trojan apparently infiltrated my Win7/Home/64 system's defences and left plenty of malware components across the filesystem, most notable a rootkit in the MBR, named TROJAN:Win32/Alureon.DX. Also present was TROJAN:Win32/Alureon.A; I believe they work "together", so to speak.


AVG Resident Shield took plenty of notes as it watched ~20 "trojans" execute as "setup.exe" from temp folders, as well as the main malware file (name not available at this time). I ran a full rootkit scan with AVG: ~15 results (one main and the rest named after the Win32 smoke-and-mirrors command they implement, i.e. FILE_LIST_REQUEST, ALTER_USER_PERMISSION). Of course AVG can't help with these, so I ran MS System Security Sweeper from a newly reconnected DVD, and a full scan produced the two malwares (TROJAN:Win32/Alureon.A & TROJAN:Win32/Alureon.DX) using the MS Sweeper's nomenclature, but I'm hoping it's the same code.

Currently: So after staring at the screen (letters MBR) for 10 min or so I reluctantly instructed Sweeper to remove both, and it reported success. I did a full scan with Sweeper afterwards, and it reported no problems. I powered off and have not rebooted since, so as not to reactivate any viral safeguard it may have implemented for just that type of removal! That's where I am now.

I still worry it was not removed in its entirety, or that it left the Master Boot Record or other boot files corrupt. I would prefer a thorough step-by-step guide from someone of knowledge, before I go trying to rebuild/fix the MBR from a WinRE cmd prompt or use ineffective software. I know this malware is known at boot time to dup itself at a random location and alter reg entries to boot the currently unexecuting clone, so removing it should have no noticeable effect unless both copies are located. It's known for altering the hosts file... not on my computer, but internet settings... yes, all kinds of prompts and altered settings in IE reg keys. And it's known for stealing (changing) one's DNS lookup tables and online DNS ref connection (and flushing DNS buffers for quick effect). I mention these only out of fear that something gets overlooked, but I'll get to the end since this is the short version (HA).

I only wish I could work on it inertly from another computer, via USB etc., but I can't find any of my SATA->USB adapters, and the thumb drives are filled halfway with other backed-up data files I removed using the xcopy cmd, which I will keep as a second chance if everything falls apart now, although I do not have all the vital files, so I'd REALLLLLY like to not do a wipe/reinstall.

Thanks for listening to the long explanation and spelling errors,
Mike
 

My Computer

Computer Manufacturer/Model Number
Custom self build - Desktop
OS
MS Windows 7 Home Premium SP1 64-bit (Family Pack Lic.) Upgrade
CPU
AMD Phenom II X6: Black Ed 1090T - AM3 / 3.2GHz / 8MB
Motherboard
Biostar TA790XE3
Memory
2 dual ch sets OCZ DDR3 PC3-10666 Platinum 1333MHz 8GB total
Graphics Card(s)
Onboard
Sound Card
Onboard 5.1 channel HD
Monitor(s) Displays
SyncMaster "Legal-sized" LCD (rotatable)
Screen Resolution
unknown (8.5"x15")? pixels are not known
Hard Drives
HDD1: WD RE3 Enterprize [p/n: WD500ABYS-NDW]
________SATA-II (3Gb/s) 500GB/7200rpm/16MB

HDD2: Deskstar 7K1000.C [p/n: HDS721010CLA332]
________SATA-II (3Gb/s) 1TB/7200rpm/32MB
PSU
Antec 900W mATX 20+4 w/6-8SATA;2MLX;4x6(+2)PCIe[p/n HCG-900]
Case
Mid 10-bay tower - free space design interior & well vented
Cooling
CPU HS cooler, 14.5" Case-sysfan1, dual sysfan2, exhaust
Keyboard
Blue Star Ergonomic - ps/2
Mouse
LED coorded w/v. roller wheel - ps/2
Internet Speed
GbLAN 10/100/1000 & WLAN - on T1 (Peer Network)
Other Info
Harmon-Karden speakers (L,R @ sub)

APC (Lead/Acid Batt backup UPC+Surge protector+etc)

Sony DVD SATA(300) - RW DVD/CD SATA-II(300)
Mike,

You need Jacee and/or Corinne's help with this - they are our resident security MVPs. No doubt they will see this, but I'll drop them a message and ask them to have a look at this for you.

Regards,
Golden
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Golden Mk. I.4
OS
Windows 10 Pro x64 ; Xubuntu x64
CPU
Intel i7 860 @ 2.80 GHz O/C'ed to 4.0GHz
Motherboard
Gigabyte P55A-UD3R Rev.1. Award BIOS F13
Memory
16GB Corsair Vengance DDR3 @ 661 MHz Dual Channel (9-9-9-24)
Graphics Card(s)
EVGA NVidia GTX 560 1024MB
Sound Card
Realtek Integrated
Monitor(s) Displays
Dual Samsung SyncMaster 2494HS
Screen Resolution
1920*1080 and 1920*1080
Hard Drives
1*Samsung 840 EVO 120GB SSD;
1*OCZ Vertex 2 60GB SSD;
2*Samsung F3 SpinPoint 1TB in RAID0;
1*Samsung F1 SpinPoint 1TB;
2*Western Digital 1TB External USB 3.0
1*Western Digital 500GB External USB 3.0
1*Seagate 500GB External USB 2.0
PSU
Thermaltake ToughPower QFan 750W
Case
Thermaltake Element S VK60001W2Z
Cooling
Corsair H60 Water Cooling, 2*230mm and 2*80mm case fans
Keyboard
Logitech G110
Mouse
Logitech MX518
Golden,

Thank you for the advice and help!:)

Mike
 

I powered off and have not rebooted since as not to reactivate any viral safegurard it may have had implemented for just that type of removal! Thats where I am now.

Mike, I just had a read again, and whilst we wait for Jacee/Corinne to offer some advice, I thought I might make a suggestion.

Since you are concerned about possible remnants remaining, and you do not wish to boot this disk into Windows, you might want to try a bootable anti-virus disk. I have used F-Secure in the past to clean out some less troublesome trojans than yours:

Rescue CD

It boots from Knoppix (Linux distro), from outside of the Windows environment.

Let us know what you decide to do, but if Jacee/Corinne offer other advice then please follow their instructions instead.

Regards,
Golden
 

While there are some 'specialists' who will work on a Rootkit infected computer ... I am not one of them. My advice is to wipe and do a clean install. If that isn't done, then how can you ever trust your computer to be stable again?

Read this, and especially the "Bootkits" section: Rootkit - Wikipedia, the free encyclopedia
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Bruce ... somewhere in his 40's
OS
Windows 7 Ultimate 32bit SP1
CPU
Intel(R) Core(TM)2 Quad CPU @ 2.40GHz, 2400 MHz
Motherboard
INTEL/D975XBX2
Memory
4 GB
Graphics Card(s)
ATI Radeon HD 2600 Pro
Monitor(s) Displays
Samsung SyncMaster 914v
Screen Resolution
1280 x 1024
Hard Drives
2/500GB each ... ST3500630AS ATA Device.
One is not connected
PSU
Rocketfish 700 W
Case
G.Skill Gigabyte Chassis
Keyboard
Standard PS/2 Keyboard
Mouse
Microsoft PS/2 Mouse
Internet Speed
DSL
Antivirus
Avira Internet Security
Browser
IE 11
Other Info
ATI HDMI Audio
Golden,

Thanks, I've been considering a Linux DVD boot, and a friend rec'd it to me too. I just was hoping to hear an answer just a little bit better (perfectionist type thing), but there is no correct answer except for what I was fearfully anticipating - just what Jacee said...

I'm thinking...plotting maybe....

Thanks again
Mike
 

Jacee,

Nice to meet you. I own a computer repair biz and that's what I tell all my customers too, because you are absolutely right, a 100% wipe / reformat / reinstall is the only way to "cure" most malware and be sure you are good! But this being a sticky situation, I think I need to do this. The computer belongs to my absolute best VIP customer, friend and former boss, an attorney that has no backups whatsoever except the one I made "as" the attack was likely underway, so I would not feel safe reloading the files from there or the flash card I xcopied post-attack. This guy isn't a blood-sucker lawyer, he's a wills and trusts kinda atty, practiced over 30 years, and this is every file he has on his clients (pretty stupid, I realize, but nonetheless, I will not let him get disbarred or even jailed for neglecting to secure the files).

Not to go on about the reason for my "noble cause" crusade, but I'm basically saying this... I NEED to reload the files from that flash drive, so since any portion of that could be contaminated, there is no truly sterile path back to fix the computer "in whole"; I will then have to settle for the best I can get. Your advice I have no disagreements with, it's spot on.

I can't afford a "specialist", I just would like someone that has possibly dealt with this or a similarly virulent strain of beast, more than one time hopefully! I'm not trying to talk you into helping me, but if someone else reads this or you know someone or a good source, I'd be better off. I am fairly computer literate (I get down into the low-level MASM and C++ mostly), and like I said fix computers for a living (The Reliable Computer Guy, LLC). So I will try it on my own if I can't find help, albeit outside of my comfort zone, as I usually do the reinstall for everyone else.

Anything?
Anyone?
Don't be afraid to "chime in" !

Thanks for the original reply, and as of now the add'l reading of my rant!
Mike
 

Mercurial,

and I have always had such good luck with AVG Free Ed. catching viri on clients' computers and keeping them nice and spotless, aside from the performance ataxia that I hate! I think I'll be loading new anti s/w on my customers' and friends' computers after this one incident.

Mike
 

That would nail it for me

While there are some 'specialists' who will work on a Rootkit infected computer ... I am not one of them. My advice is to wipe and do a clean install. If that isn't done, then how can you ever trust your computer to be stable again?

Read this and especially "Bootkits" Rootkit - Wikipedia, the free encyclopedia
--------------------------------------------------------------
After that great read on rootkits I would do a wipe and a new install just like Jacee recommended. How else would one know the rootkit is completely gone? If you did a format and install without doing a wipe, the rootkit could just install itself again and you might not know it.
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Home made Desktop
OS
Windows 10 Pro. 64/ version 1709 Windows 7 Pro/64
CPU
Intel i7-6800K @ 4.3
Motherboard
ASUS X-99 Deluxe II
Memory
Corsair Platinum 16 gig @2400
Graphics Card(s)
EVGA GTX 1070 OC
Monitor(s) Displays
Asus 27" LED LCD/VE278Q
Screen Resolution
1920-1080 or 1280-720 HDMI
Hard Drives
INTEL SSD 730-240 Gb Sata 3.0/
PSU
EVGA Platium 1200W
Case
Phanteks Luxe Tempered Glass 8 fans/ one radiator
Cooling
XSPC/ Water Cooled CPU
Keyboard
Das 4 Professional
Mouse
Logitech M705/MX Anywhere 2-S
Internet Speed
100 mbits
Antivirus
Microsoft Security Essentials/ Malwarebytes Premium 3.0/ SAS
Browser
I.E. 11 default/Firefox/ ISP Time Warner Cable/Spectrum
Other Info
LG BluRay Burner/
Sound system-KLipsch-THX/
Icy Dock ssd Hot Swap bays.
L. Bear

Hey, there!
Yes, it was a surprisingly informative level of info for Wikipedia (not that Wiki is weak at all), just a rather specific article that a lot could be derived from.

And by the way... I agree too, we're all in agreement, but then there's them pesky client files, all kinds of proprietary apps for court forms and a whole macro and merging web of code that could be just as bad as the situation you referenced once I reinstall the flash... so even with a new computer, the whole thing can never be trusted fully again, that's life?! Isn't it possible that the malicious code has made its way to the BIOS? (It's a dual-BIOS-backup board, probably making it even more plausible.) I have no real references on the BIOS infection potential, but maybe you know... plausible?

So do I tell him you gotta close down? I'M REALLY NOT GOING FOR THE PITY ANGLE HERE!!! I am just pouring my guts out, and being a decent guy, I can't screw this up... I just haven't figured out how not to yet!

mike
 

As I did my pre-workup described in the initial post, I was repeatedly told by a reliable source during my initial "general" thread:

The only question to me is whether you should reimport those files even after repeat disinfection. I'd ask in Security forum for the odds on doing so.

You may risk infecting the BIOS if you try to juggle such a badly infected system. The experts there will know this with certainty.

So my BIOS fears seem grounded in the real "modern" world (I thought that was a "bug" that was basically fixed in the modern computer MB architecture, but I was right to doubt myself when uncertain.)

Without the legal docs the computer basically is just a big black heavy aluminum box to the owner.

But Greg does speak rather highly of the security team... seemingly describing them as more elite than the malware's creator(s)!

Funny, and sad. (the hackers) .... probably China's military doing their daily probing (ha)
Mike
 

Yes, the BIOS can also get infected, from the reading I have done. The BIOS can also be wiped and reinstalled. Here comes another ouch: any backup made might be infected also. A rootkit could come with all the permission it needs to do anything. Another brain twister: how did this nasty thing get in the computer? From the internet, CD, USB? Knowing how it got there, if possible, one would have a good chance not to allow it again. Any P2P or torrents can drop these little goodies in a heartbeat.
 

This computer was on a peer network and they designated it "the server", as if every computer at the office wasn't! It was all wide open! The "SERVER", or rather a named pipe that is shared freely, had all the client info on it, and they NEVER did use the computer; they didn't know how to turn it on or off, so no A/V or P2P vectors. The other computers have no signs of infection, but I am working on the files (USB) and the system. I disassembled quite a bit of interesting stuff incl. the boot/MBR and found plenty of stolen hooks in the interrupt vector table, including the initial 13h interrupt which triggers the reinfection at each boot time; before ANYTHING the damn thing decrypts itself and starts the chain of events. I tried looking up info online but it's all outdated as the virus is "mutating" into quite a beast. It is said to swap a set of flags triggering WinPE (which lacks the driver signing requirement in 64-bit Win7), then after loading some patches directly into the kernel, it uses a clever word play on a parameter name sent to winload.exe, and as it doesn't recognize the sent flag/switch it aborts the WinPE load (although the kernel and user mode have long since been patched) and it reverts to the normal Win7 boot. With kernel-mode control freedom there's obviously nothing gonna take it out from the booted HDD, so that's like 75% of the best tools useless. Then it injects any I/O processes with its own hooks, removing the installed ones (i.e. winsock's hooks). It supposedly enters via the same print spooler method they all use these days, but I have reason to believe that this entry point has become obsolete in this infection, although I'm working at that right now before I wrote this message! Oh, and after it snatches DR0, it intercepts every system drive I/O command in the chain, responding as it chooses!

My infection uses the code integrity dynamic-link library ci.dll to bypass the driver cipher calls. I can't get a look at the file though; there's almost like a real corruption that is either a shoddy hacking bug or maybe a mistake unique to my infection. I also need to figure out what the "algorithm", or rather "unique file system", the encrypted area at the end of the drive that contains the nasty files is encoded with. It's some odd encrypted FS, not EFS or even close. But I can take this thing down in a day or two, I bet (with assistance I might have been done by now! Who knows?). It's quite hard to find low-level analysis software for Win7 64... since it's impenetrable with the whole driver signing requirement, right? But I found some open source tools that produce some decent assembly code from the system native.

Anyway, enough of your time, I'm just happy with my progress...

And I can't for the life of me figure out why they don't put a physical jumper or switch or whatever on the mobo, so most people who shouldn't be flashing their BIOS can't, and the ones intelligent enough to follow directions can easily move a 1mm x 2mm plastic jumper one pin over to physically disconnect, or at least flag, the BIOS when not flashing it, and vice versa. What terrible consequence would that have???? Uhhh... saving lots of mobos with unremovable chips from malware, as well as the huge set of rather computer illiterates who think they should update the chip but don't know why! (AHHHH)

I'm translating too much hex and binary, my brain is melting....

That's for the moment away from the devil system!
mike
 

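The boot-chain checks the post above describes (the hooked MBR, and the encrypted area at the end of the drive) can be done from a rescue boot without trusting the infected OS at all. The following is an added example, not code from the thread or from any tool named in it: it reads only sector 0 and the sectors past the last partition of a raw disk or dd image, hashes the 440-byte MBR boot code against a known-good baseline, and measures the entropy of the unpartitioned tail, which is where TDL4 keeps its encrypted store. The baseline hash, the 64-sector window, the 7.5 bits/byte threshold and the sample disk images are assumptions and constructed data, not from the thread.

```python
# Added example for this thread, not code from the post or from any tool named in it.
# Offline triage of a raw disk from a rescue boot: hash the MBR boot code against a
# baseline and measure the entropy of the slack after the last partition.
# Assumptions (not from the thread): the baseline comes from an identically installed
# clean system; 64 tail sectors are a large enough sample; 7.5 bits/byte separates an
# encrypted store from zeroed or sparse slack.
import hashlib
import math
import struct

SECTOR = 512


def parse_mbr(sector0: bytes) -> dict:
    """SHA-256 of the 440-byte boot code plus the non-empty partition entries."""
    if len(sector0) != SECTOR:
        raise ValueError("need exactly one 512-byte sector")
    if sector0[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        entry = sector0[446 + 16 * i: 462 + 16 * i]
        status, _chs0, ptype, _chs1, lba_start, count = struct.unpack("<B3sB3sII", entry)
        if ptype != 0:
            partitions.append({"type": ptype, "bootable": status == 0x80,
                               "start": lba_start, "sectors": count})
    return {"bootcode_sha256": hashlib.sha256(sector0[:440]).hexdigest(),
            "partitions": partitions}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for encrypted/compressed data, 0.0 for all-zero slack."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage_disk(read_at, total_sectors: int, known_good_bootcode_sha256: str = None,
                tail_sectors: int = 64, entropy_threshold: float = 7.5) -> dict:
    """read_at(lba, count) returns count sectors; only sector 0 and the tail are read."""
    mbr = parse_mbr(read_at(0, 1))
    findings = []
    if known_good_bootcode_sha256 and mbr["bootcode_sha256"] != known_good_bootcode_sha256:
        findings.append("MBR boot code differs from the known-good baseline")
    last_used = max((p["start"] + p["sectors"] for p in mbr["partitions"]), default=1)
    slack = total_sectors - last_used           # sectors no partition accounts for
    entropy = None
    if slack > 0:
        start = max(last_used, total_sectors - tail_sectors)
        entropy = shannon_entropy(read_at(start, total_sectors - start))
        if entropy > entropy_threshold:
            findings.append(f"{slack} unpartitioned sectors after the last partition; "
                            f"tail entropy {entropy:.2f} bits/byte looks like an encrypted store")
    return {"mbr": mbr, "unpartitioned_tail_sectors": slack,
            "tail_entropy": entropy, "findings": findings}


def triage_image(image: bytes, **kw) -> dict:
    return triage_disk(lambda lba, n: image[lba * SECTOR:(lba + n) * SECTOR],
                       len(image) // SECTOR, **kw)


def triage_device(path: str, **kw) -> dict:
    """Same check against /dev/sdX or a dd image without loading the whole disk."""
    with open(path, "rb") as f:
        total = f.seek(0, 2) // SECTOR

        def read_at(lba, n):
            f.seek(lba * SECTOR)
            return f.read(n * SECTOR)
        return triage_disk(read_at, total, **kw)


# Constructed sample disks: 4096 sectors, one NTFS partition, 128 sectors of slack.
def _pseudo_random(n: int, seed: bytes) -> bytes:
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def build_sample_image(infected: bool, total_sectors: int = 4096) -> bytes:
    img = bytearray(total_sectors * SECTOR)
    img[0:440] = b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * 435       # stand-in boot code
    struct.pack_into("<B3sB3sII", img, 446, 0x80, b"\x01\x01\x00", 0x07,
                     b"\xfe\xff\xff", 2048, total_sectors - 128 - 2048)
    img[510:512] = b"\x55\xaa"
    if infected:                                                # bootkit-style changes
        img[0:440] = _pseudo_random(440, b"replaced loader")
        img[-64 * SECTOR:] = _pseudo_random(64 * SECTOR, b"hidden encrypted store")
    return bytes(img)


CLEAN_BOOTCODE_SHA256 = parse_mbr(build_sample_image(False)[:SECTOR])["bootcode_sha256"]
```

Against a real disk, run it from the Knoppix-style rescue boot suggested earlier in the thread with `triage_device("/dev/sda", known_good_bootcode_sha256=...)`, where the baseline is the hash of sector 0 taken from a clean install of the same Windows 7 media. High entropy in the slack is a reason to image the disk and look closer, not proof by itself: a drive that was once wiped with random data shows the same signature.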

jacee
Thanks for the link, I'm going to go check it out right now as I've never run across the name (Trinity) B4. But I trust it will prove useful. I'll respond later if it helps or not.

thank you
mike
 

Corrine,

thanks for the post!
I do indeed have K's TDSSKiller on a drive (along with rootkill/rootreveal/mbam/cclean/viper and any other tool I could think of, fully updated!). I will be running TDSSKiller as my first line of attack when I do finally boot to the sys drive (post MBR/BCD "repair"). I'm uncertain if I can use safe mode, as there are at least 2 instances I have found that do not allow a keyboard to be recognized (one for PS/2 and the other USB). I think I have taken care of that, but I do not know that other measures have not been detected by my tedious manual searches. I am going to be watching for anything "weird" in the kernel, various processes and the stack using GMER or a similar tool suite. I will break the hardwired LAN and even go as far as unplugging the WLAN so the task of monitoring net/web I/O can be done at my convenience, followed by a full DNS flush and checking all hosts/DNS/network-related tables/files, and then maybe try poking it with a stick to get any last pieces to come out of the woodwork by running obvious antivirus s/w (Norton/AVG etc.) under their original filenames!

Take Home Point: Debugging a debugger (kdcom.dll) without the use of a debugger....really sucks!

AND thank you again!
Mike
 

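The hosts-file and DNS checks listed in the post above (and in the opening post's list of what Alureon changes) are worth scripting so that nothing gets overlooked after the reboot. The following is an added example, not the poster's code or any tool named in the thread: it parses a hosts file for names pointed somewhere other than loopback, and parses the "DNS Servers" lines of `ipconfig /all` output (including the unlabeled continuation lines Windows prints for the second and later servers), flagging any resolver outside an allowlist. The TRUSTED_DNS allowlist, the 198.51.100.x addresses and both sample inputs are assumptions and constructed data.

```python
# Added example for this thread, not code from the post or from any tool named in it.
# Post-cleanup checks for the DNS and hosts-file tampering Alureon is known for.
# Both parsers run offline on captured text; --live on Windows reads the real files.
# Assumptions (not from the thread): TRUSTED_DNS lists the office's legitimate
# resolvers; the sample hosts file and ipconfig output below are constructed.
import ipaddress
import re
import subprocess
import sys

TRUSTED_DNS = {"192.168.1.1", "8.8.8.8", "8.8.4.4"}    # assumed legitimate resolvers


def suspicious_hosts_entries(hosts_text: str) -> list:
    """Hosts lines that send a name anywhere other than loopback/unspecified.
    Legitimate entries nearly always point at 127.0.0.1, ::1 or 0.0.0.0; malware
    that wants to block AV updates or hijack a site points them elsewhere."""
    findings = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append((raw, "unparseable address"))
            continue
        if ip.is_loopback or ip.is_unspecified:
            continue
        findings.append((raw, f"{', '.join(names)} -> {addr} is not loopback"))
    return findings


_DNS_LINE = re.compile(r"\s*DNS Servers[ .]*: *(\S+)")
_CONT_LINE = re.compile(r"\s{10,}(\d{1,3}(?:\.\d{1,3}){3}|[0-9A-Fa-f:]+)\s*$")


def dns_servers_from_ipconfig(ipconfig_text: str) -> list:
    """Every resolver listed by `ipconfig /all`, across all adapters."""
    servers, in_dns_block = [], False
    for line in ipconfig_text.splitlines():
        m = _DNS_LINE.match(line)
        if m:
            servers.append(m.group(1))
            in_dns_block = True
            continue
        cont = _CONT_LINE.match(line) if in_dns_block else None
        if cont:
            servers.append(cont.group(1))       # continuation line: another server
        else:
            in_dns_block = False
    return servers


def untrusted_dns(servers, trusted=TRUSTED_DNS) -> list:
    return [s for s in servers if s not in trusted]


def run_checks(hosts_text: str, ipconfig_text: str) -> dict:
    servers = dns_servers_from_ipconfig(ipconfig_text)
    return {"hosts_findings": suspicious_hosts_entries(hosts_text),
            "dns_servers": servers,
            "untrusted_dns": untrusted_dns(servers)}


# Constructed samples of what a hijacked box might show (TEST-NET-2 addresses).
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
198.51.100.23   update.avg.com
198.51.100.23   www.malwarebytes.org
"""

SAMPLE_IPCONFIG = """Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : lan
   IPv4 Address. . . . . . . . . . . : 192.168.1.50(Preferred)
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 198.51.100.23
                                       198.51.100.24
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

if __name__ == "__main__":
    if sys.platform == "win32" and "--live" in sys.argv:
        with open(r"C:\Windows\System32\drivers\etc\hosts", encoding="utf-8", errors="replace") as fh:
            hosts = fh.read()
        ipcfg = subprocess.run(["ipconfig", "/all"], capture_output=True, text=True).stdout
    else:
        hosts, ipcfg = SAMPLE_HOSTS, SAMPLE_IPCONFIG
    print(run_checks(hosts, ipcfg))
```

Run the live mode only after the LAN is unplugged, as the post describes, and capture the `ipconfig /all` text to a file as well: if the resolvers change again after a reboot and a DNS flush, the persistence the cleaners reported removing is still there.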
Whew. I've been following your adventures and I gotta say, you're really extremely patient and determined. (I don't even really understand everything you've been doing...)
You seem to be making headway too, which is good. :) Here's hoping you make it to a complete recovery of the system. Good luck!!
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Custom-built
OS
Windows 7 Professional SP1 32-bit
CPU
Intel Core 2 Duo E6600 2.4GHz
Motherboard
Asus PL5D2
Memory
4GB DDR2-667 (4x1GB in dual-channel config)
Graphics Card(s)
nVidia GeForce 9800 GT
Sound Card
Creative X-Fi XtremeMusic
Monitor(s) Displays
Acer P236H
Screen Resolution
1920x1200 (DVI)
Hard Drives
OCZ SSD Vertex Plus 60GB SATA (Firmware 3.55), 64MB cache
Hitachi HD321KJ SATA, 320GB, 7200rpm, 16MB cache
PSU
Antec TruePower 2.0
Case
Cooler Master Centurion
Cooling
Too many fans
Keyboard
Standard
Mouse
Microsoft wireless optical mouse
Internet Speed
AT&T U-verse (18mbit/sec)
Antivirus
Microsoft Security Essentials
Browser
Firefox
Other Info
Other devices:
Compaq CQ-60 laptop
Google Nexus 7 (2012) tablet
Nvidia SHIELD tablet (US/LTE)
Hardkernel ODROID-XU single-board computer (Samsung Exynos 5420)
Too kind, Corazon! I question myself many times if I know what I'm doing, but more often than not (fingers crossed this time) I end up feeling like I got lucky, then realize it was not luck, it just feels like it, 'cause I remember learning the particular info somewhere (unless maybe I have just been lucky like thousands of times with every computer I have worked on... I guess it's possible!). But seriously, thank you!

mike
 
