Require (Rootkit.TDSS.TDL4) Rootkit Removal & Cleanup walkthrough

Can anyone recommend a good program I can run from a boot disk or the like (even a command prompt method), just not from the Windows system drive, to

A.) alter / browse the registry (on a Win7 x64 system)

B.) remove the unknown encrypted virtual partition system at the end of my HDD (although as long as the dropper is removed, I'm not seeing a route to their use, but just leaving the bad DLLs and loaders in place makes my skin crawl, and I do know I could miss something, or even become reinfected once online again, since who knows what info they have and use from me (including IP address to reattack), so I don't plan on making it easier for them)

Mike
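As an added example (not from this thread, and not code from any of the tools named in it), here is a small Python triage script that does offline what question B asks about: it parses the MBR partition table of a disk image, measures the unpartitioned space after the last partition, and reports the entropy of a sample of it, since TDL4 keeps its encrypted hidden file system in exactly that trailing unallocated region. The disk image and all values in it are constructed test data; the image should be taken from a boot disk, not from the running Windows install, because an active rootkit can filter what the OS reads back from the disk.

```python
import io
import math
import random
import struct
from collections import Counter

SECTOR = 512
MBR_TABLE_OFFSET = 446          # start of the four 16-byte partition entries
MBR_SIGNATURE = b"\x55\xAA"     # bytes 510-511 of a valid MBR


def parse_mbr(mbr: bytes) -> list:
    """Return the non-empty primary partition entries of a 512-byte MBR.

    Entry layout: status (1), CHS start (3), type (1), CHS end (3),
    LBA of first sector (u32 LE), number of sectors (u32 LE).
    """
    if len(mbr) < SECTOR or mbr[510:512] != MBR_SIGNATURE:
        raise ValueError("not a valid MBR (0x55AA signature missing)")
    entries = []
    for i in range(4):
        off = MBR_TABLE_OFFSET + 16 * i
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype != 0 and sectors != 0:
            entries.append({"index": i, "status": status, "type": ptype,
                            "lba_start": lba_start, "sectors": sectors})
    return entries


def trailing_gap(entries: list, total_sectors: int) -> int:
    """Sectors between the end of the last partition and the end of the disk."""
    if not entries:
        return total_sectors
    last_end = max(e["lba_start"] + e["sectors"] for e in entries)
    return max(total_sectors - last_end, 0)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~0 for zero-filled space, close to 8 for encrypted/random data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def inspect_disk(fobj, total_sectors: int, sample_sectors: int = 256) -> dict:
    """Parse the MBR from a seekable image and profile the trailing unallocated space."""
    fobj.seek(0)
    entries = parse_mbr(fobj.read(SECTOR))
    gap = trailing_gap(entries, total_sectors)
    report = {"partitions": entries, "trailing_gap_sectors": gap, "trailing_entropy": 0.0}
    if gap:
        # Sample the very end of the disk, which is where TDL4 places its hidden store.
        n = min(gap, sample_sectors)
        fobj.seek((total_sectors - n) * SECTOR)
        report["trailing_entropy"] = shannon_entropy(fobj.read(n * SECTOR))
    return report


def build_sample_image(total_sectors: int = 4096, part_start: int = 63,
                       part_sectors: int = 3000, trailing: str = "zeros") -> io.BytesIO:
    """Constructed 2 MB test image (not a real disk): one NTFS partition, then a gap.

    trailing="zeros" leaves the gap blank; "random" fills it with seeded
    pseudo-random bytes to stand in for an encrypted hidden volume.
    """
    image = bytearray(total_sectors * SECTOR)
    # Entry 0: bootable (0x80), type 0x07 (NTFS), starting at LBA 63.
    struct.pack_into("<B3xB3xII", image, MBR_TABLE_OFFSET, 0x80, 0x07, part_start, part_sectors)
    image[510:512] = MBR_SIGNATURE
    if trailing == "random":
        start = (part_start + part_sectors) * SECTOR
        n = len(image) - start
        image[start:] = random.Random(1234).getrandbits(8 * n).to_bytes(n, "little")
    return io.BytesIO(bytes(image))


if __name__ == "__main__":
    for kind in ("zeros", "random"):
        r = inspect_disk(build_sample_image(trailing=kind), 4096)
        print(f"{kind:6s}: gap={r['trailing_gap_sectors']} sectors, "
              f"entropy={r['trailing_entropy']:.2f} bits/byte")
```

A small trailing gap that reads as zeros is normal alignment slack; a gap of tens of megabytes or more whose sample scores near 8 bits/byte is the finding to escalate on. GPT disks are not handled here.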
 

My Computer My Computer

At a glance

MS Windows 7 Home Premium SP1 64-bit (Family ...AMD Phenom II X6: Black Ed 1090T - AM3 / 3.2G...2 dual ch sets OCZ DDR3 PC3-10666 Platinum 13...Onboard
Computer Manufacturer/Model Number
Custom self build - Desktop
OS
MS Windows 7 Home Premium SP1 64-bit (Family Pack Lic.) Upgrade
CPU
AMD Phenom II X6: Black Ed 1090T - AM3 / 3.2GHz / 8MB
Motherboard
Biostar TA790XE3
Memory
2 dual ch sets OCZ DDR3 PC3-10666 Platinum 1333MHz 8GB total
Graphics Card(s)
Onboard
Sound Card
Onboard 5.1 channel HD
Monitor(s) Displays
SyncMaster "Legal-sized" LCD (rotatable)
Screen Resolution
unknown (8.5"x15")? pixels are not known
Hard Drives
HDD1: WD RE3 Enterprize [p/n: WD500ABYS-NDW]
________SATA-II (3Gb/s) 500GB/7200rpm/16MB

HDD2: Deskstar 7K1000.C [p/n: HDS721010CLA332]
________SATA-II (3Gb/s) 1TB/7200rpm/32MB
PSU
Antec 900W mATX 20+4 w/6-8SATA;2MLX;4x6(+2)PCIe[p/n HCG-900]
Case
Mid 10-bay tower - free space design interior & well vented
Cooling
CPU HS cooler, 14.5" Case-sysfan1, dual sysfan2, exhaust
Keyboard
Blue Star Ergonomic - ps/2
Mouse
LED coorded w/v. roller wheel - ps/2
Internet Speed
GbLAN 10/100/1000 & WLAN - on T1 (Peer Network)
Other Info
Harmon-Karden speakers (L,R @ sub)

APC (Lead/Acid Batt backup UPC+Surge protector+etc)

Sony DVD SATA(300) - RW DVD/CD SATA-II(300)
B.) remove the unknown encrypted virtual partition system at the end of my HDD (although as long as the dropper is removed, I'm not seeing a route to their use, but just leaving the bad DLLs and loaders in place makes my skin crawl, and I do know I could miss something, or even become reinfected once online again, since who knows what info they have and use from me (including IP address to reattack), so I don't plan on making it easier for them)
Good luck ... and most certainly you could/would be re-infected again. :(
 

My Computer My Computer

At a glance

Windows 7 Ultimate 32bit SP1Intel(R) Core(TM)2 Quad CPU @ 2.40GHz, 2400 MHz4 GBATI Radeon HD 2600 Pro
Computer type
PC/Desktop
Computer Manufacturer/Model Number
Bruce ... somewhere in his 40's
OS
Windows 7 Ultimate 32bit SP1
CPU
Intel(R) Core(TM)2 Quad CPU @ 2.40GHz, 2400 MHz
Motherboard
INTEL/D975XBX2
Memory
4 GB
Graphics Card(s)
ATI Radeon HD 2600 Pro
Monitor(s) Displays
Samsung SyncMaster 914v
Screen Resolution
1280 x 1024
Hard Drives
2/500GB each ... ST3500630AS ATA Device.
One is not connected
PSU
Rocketfish 700 W
Case
G.Skill Gigabyte Chassis
Keyboard
Standard PS/2 Keyboard
Mouse
Microsoft PS/2 Mouse
Internet Speed
DSL
Antivirus
Avira Internet Security
Browser
IE 11
Other Info
ATI HDMI Audio
B.) remove the unknown encrypted virtual partition system at the end of my HDD (although as long as the dropper is removed, I'm not seeing a route to their use, but just leaving the bad DLLs and loaders in place makes my skin crawl, and I do know I could miss something, or even become reinfected once online again, since who knows what info they have and use from me (including IP address to reattack), so I don't plan on making it easier for them)
Good luck ... and most certainly you could/would be re-infected again. :(

Are you mostly referring to if I screw up and leave something behind (we both know this is a true risk), or that since the attack origin "knows" the computer, when it stops receiving keylogs or whatnot it will realize I zapped it and reattack me specifically?

Mike
 

I could only find one rootkit similar to mine that has successfully written to BIOS (Trojan.Mebromi), and it does so in the same area I have checked line for line. While I am unaware of the command to use to interact with the EEPROM BIOS chip, I am certain it was not present. (Boosts my odds just a bump up, maybe.) Then there was another, earlier one, a Win 9x based rootkit (CIH/Chernobyl), which acted directly from the Windows environment (this could be more plausible in my case, ALTHOUGH this was a Win 9x based system we're talking about; I HOPE MS made that a bit more difficult in their free time!). These two, I'm pretty sure, were the only two rootkits in the wild ever documented with this capability. Aside from that, one or two "POC" programs have been designed, but never leaked to the hacking community I presume, as they never found one infecting a computer outside the controlled environment.

I can't imagine that the BIOS flash op-codes are not manufacturer specific to the chip or mobo brand, and the internal architecture is different between the BIOS types, so effectively using BIOS to rewrite a rootkit to, let's say, the MBR at each boot (similar to what I have, just one step past the chip itself) is unlikely for any significant portion of PC users.

That's my opinion, but more so my HOPE! :confused:
 

Nice


Beautiful article, references all the ones I mentioned, but in better detail, although either my or their timeline is quite wrong. I read more than one ref. explaining that Mebromi was a late 90's discovery, ...the first of its kind, and I obviously inferred a possible 16-bit or more likely 32-bit rootkit had to be so different in a pre-XP OS (as XP was a ground-up rewrite, technologically speaking, rather than the common misconception that it was a merge/hybrid of NT with 9x-2000!). But I was clearly mixed up, as I was head deep in hex until I fell out at the computer around 7am EST! What is wrong with me!

And I love texts with intermittent code captures, so they can talk and explain, then show me, so I know they're not exaggerating or lying; I can believe them because it's right there, although I am getting dizzy from going from C++ to Assembly to hex/binary! I want to read it over a bit closer, but I just wanted to say thanks, or rather mean it!

I also read a dozen or so articles revealing some scary S about this thing, which is often referred to as approaching "the perfect virus" or nearly "impenetrable". It seems in the past week or so the writers have kicked it up a notch with features which I have not seen on my machine, but I obviously couldn't have seen more than 0.001% of the system files yet, you know! The new "features" are transfer by USB drive to other machines.... uhhh....yea! Autostart did pop up too in one computer I plugged the flash RAM into (I canceled it, fearing just such a thing, so I'm guessing it couldn't run, as it had no advantage on my laptop yet). I just don't ever get that with my options set as they are...autostart. And there were no files other than the dirs I made (like autostart files were absent, so... hmmm. And I keep hidden files and system files/dirs visible on all my personal systems at least (as well as known extensions visible, just like everyone should, as easy as it would be to trick someone with a copied icon into running a "trojan" that way, but I'm getting off topic). The other feature, just discovered at some university by a "viral professor"?!?!, is the ability to spontaneously "worm-ize" and migrate along with, and take over, a peer network as the default DHCP and use its own routing table that connects infected computers' TX to uninfected peers' RX every time! So I'm guessin' I potentially have 8 infected computers (2 of which aren't mine, but I am fully responsible for [or technically the entity that is my LLC!]). Luckily I haven't found any signs yet, so hopefully I got a glitchy/older version!

I'm guessing the BIOS is just about the only impressive feat left untackled, and must be on the "to do" list for the creators! "TDSS.TDL1 thru 4" is supposedly infecting 3.2 million machines as of last check. Good God! The profits are sick as well. I never heard of this, but I'm sure you have: they're selling the service of making the average entrepreneur a bot-net (since that size is overkill, 3.2 million+ zombies wouldn't be needed to brute force attack every country in the world in 10 seconds (don't quote me on the math there!), but that's what they're doing: "Too dumb to write your own hacking army? We'll take care of you for a mere $100-300 per bot." Now we've got people out there using some GUI to control them like a game! That's just ......for once....me...speechless... :zip:


Oh, and if you do take the time to get this far into my ramblings,.. (A.) thanks & (B.) what are the chances of the bot-net's server network keeping logs to reinfect me remotely, however it was done originally? They know "where I live" and I would not be transmitting them my personal keystrokes any more, so might they reattack, from your experience or prior research?

Sincerely,
rootkit-mike
 


My Computer My Computer

At a glance

Windows 10 Pro. 64/ version 1709 Windows 7 Pr...Intel i7-6800K @ 4.3Corsair Platinum 16 gig @2400EVGA GTX 1070 OC
Computer type
PC/Desktop
Computer Manufacturer/Model Number
Home made Desktop
OS
Windows 10 Pro. 64/ version 1709 Windows 7 Pro/64
CPU
Intel i7-6800K @ 4.3
Motherboard
ASUS X-99 Deluxe II
Memory
Corsair Platinum 16 gig @2400
Graphics Card(s)
EVGA GTX 1070 OC
Monitor(s) Displays
Asus 27" LED LCD/VE278Q
Screen Resolution
1920-1080 or 1280-720 HDMI
Hard Drives
INTEL SSD 730-240 Gb Sata 3.0/
PSU
EVGA Platium 1200W
Case
Phanteks Luxe Tempered Glass 8 fans/ one radiator
Cooling
XSPC/ Water Cooled CPU
Keyboard
Das 4 Professional
Mouse
Logitech M705/MX Anywhere 2-S
Internet Speed
100 mbits
Antivirus
Microsoft Security Essentials/ Malwarebytes Premium 3.0/ SAS
Browser
I.E. 11 default/Firefox/ ISP Time Warner Cable/Spectrum
Other Info
LG BluRay Burner/
Sound system-KLipsch-THX/
Icy Dock ssd Hot Swap bays.
Have you tried Norton Power Eraser yet? It offers a rootkit scan that reboots your PC and checks for infections.

Norton Rescue Tools

Because Norton Power Eraser uses aggressive methods to detect threats, there is a risk that it can select some legitimate programs for removal. You should use this tool very carefully.
 

My Computer My Computer

At a glance

Win 7 32 Home Premium, Win 7 64 Pro, Win 8.1,...Intel Core 2 Duo 2.93GHzNot much with my ADHDATI Radeon HD 4350
Computer type
PC/Desktop
Computer Manufacturer/Model Number
Dell Hell oh Well
OS
Win 7 32 Home Premium, Win 7 64 Pro, Win 8.1, Win 10
CPU
Intel Core 2 Duo 2.93GHz
Memory
Not much with my ADHD
Graphics Card(s)
ATI Radeon HD 4350
Monitor(s) Displays
24" HDTV/Monitor
Screen Resolution
Blurry after a Scotch or 2
Hard Drives
1 HDD 250 GB, 1 HDD 1 TB, 3 - 1 TB Externals
Case
Don't get on my case...man :D
Cooling
I have an Air Conditioner & Diet Pepsi
Keyboard
Saitek Cyborg
Mouse
10 yr old MS optical mouse that still works
Internet Speed
Never fast enough
Antivirus
Various
Browser
Various
Sometimes it becomes necessary to "destroy/tear down", in order to fix a known problem. In this case, rubyrubyroo knows what has to be done.

A "gloss-over patch/removal" will not save this OS from being infected again.
 

Ok

I had a quick scan through the thread, Ruby, and I see Corinne suggested the Kaspersky TDSS and I think you said you had it on a stick.

Mate, as a general rule I always download it fresh before using it so I don't miss any up-to-date stuff. I am running KIS 2012 so I very rarely have this problem.

Having said that, on machines I clean up for friends the K TDSS Killer is the first one I head for.

Tried DrWebCureit yet?? Dr.Web CureIt! — download free anti-virus! Cure viruses, Best free anti-virus scanner!

Also, as a general rule, as for the TDSS I delete any downloads when finished with, for the same reasons above.

Nearly forgot - http://www.antirootkit.com/software/index.htm - take your pick
 

My Computer My Computer

At a glance

Desk1 7 Home Prem / Desk2 10 Pro / Main lap A...Desk1 i5 3750K / Laptop i7 GTX 860M / Desk2 i...Desk1 8GB (1866) / Desk2 16GB (1333) / Laptop...Desk 1& 2NVidia GTX 650 & Laptops on board Intel
Computer type
PC/Desktop
Computer Manufacturer/Model Number
Own build (new) Desk1 / Asus ROG Win 7 / Desk2 1st build
OS
Desk1 7 Home Prem / Desk2 10 Pro / Main lap Asus ROG 10 Pro 2 laptop Toshiba 7 Pro Asus P2520 7 & 10
CPU
Desk1 i5 3750K / Laptop i7 GTX 860M / Desk2 i5 2500
Motherboard
Desk1 Asus P877-V / Desk2 Gigabyte H67 UD3H / Laptop ?
Memory
Desk1 8GB (1866) / Desk2 16GB (1333) / Laptop 8Gb DDR3
Graphics Card(s)
Desk 1& 2NVidia GTX 650 & Laptops on board Intel
Sound Card
Desk 1 & 2 -XONAR DG Realtek High Def audio Laptop
Monitor(s) Displays
Desk 1 Benq HD 2450 / Desk2 Philips 24" / Laptop 17.5"
Screen Resolution
1920x1080 D1 & D2 & Laptop 1
Hard Drives
Desk1 Samsung 120GB 830 SSD
Asus ROG 256GB 850 Pro SSD
Desk2 Samsung 840 256 SSD
Toshiba 120GB EVO
PSU
Desk 1 Corsair HX 1050/ Laptop ? / Desk 2 Corsair HX 650
Case
Desk 1 Cooler HAF XM ? Toshiba laptop / Desk2 Coolermaster
Cooling
Fans on all Desk1 -2 Desk2 - all Coolermasters 5 Laptop ?
Keyboard
Desk 1 MS Sidewinder X6 Desk 2 MS Sidewinder X 4
Mouse
Desk 1&2 - Gigabyte MS 900 gamer - laptop - Logitec wireless
Internet Speed
ADSL2+
Other Info
One other Desktop (tester) and spare Toshba laptop both with SSD's
Running Kaspersky 2016 ISS on all machines config'd identically
Logitec audio stereo systems on each machine (x3)
Canon MG5250MFC
Router/modem TP-Link running WPA2SK
I've got all your notes and advice, I'm not ignoring, just piled fixing my backlog of broken client computers onto the workload, so physically no time to type.

All thanks, !!!!!!

I'll respond more soon,

Here's what should be a simple question: I have a file in the main system drive c:/ named " .rnd ", yes, that's <dot><r><n><d>, and it is exactly 1kB (1024 bytes). I know there was never any AutoCAD type software in use on this computer and no PuTTY or knock-off SSL s/w. Any ideas? Could this have anything to do with the encrypted disk area/partition/volume that was I/O'ed to? (Of course "IT COULD", I mean does anyone know of this concept?) My research produces results about as coherent and focused as my posts to this thread!! I can't find it on any of 5 other Win 7 PCs.

Thank you all, I am using your ideas... I did get Trinity btw, jacee

And thanks for remembering it was sweeper that I used 1st (or quasi-1st), Corrine

You are all on top of your game, at least I can say!! Thanks!


And ICit2lol, thanks for the advice. I (as anticipated) have just had to move my timeline a couple of times, so I'll definitely remember to update EVERYTHING! TDSSKiller has had the most success (or at least so the user is led to believe) and seems to have the shortest lag in this specific rootkit's "mutation to new-fix" event-horizon time window!

Although, until I see it at that stage, that's all ...."hearsay"??? or whatever the term would be... since this is supposed to be the rootkit that you never know you have (which even superficially proves my point that my "strain" of the virus is glitchy since it was alllllll toooo obvious)

Thanks, I'll be back

Sincerely,
Mike
 

OK

Hiya Mike. Well mate, my first line of action would be to get KIS on board and dump the ?AVG. I know you have to pay for it, but at something like - I think I pay about $0.16 a day for a one year licence - it's a suite that once config'd is set / forget. The config also has active run time rootkit detection.

My argument has always been why use a freebie when for that sort of money you are (relatively) safe, cos nothing is 100% competent.

If you do get the KIS though, mate, just make sure the machine is absolutely clear of any other AV stuff bar Malwarebytes, and even that has to be the free one with scan settings set as this. Everything else go for :cool:

I'll ask a mate of mine who's fairly cluey re that .rnd too.
 

Attachments

  • CaptureMBAM1.PNG

Well, I have had some seriously promising results as of today. It has been about a full 24 hour stretch of "my homemade gloss-over" and I haven't detected any rogue code execution; I've even monitored changes to the registry over a period of many standard system operations with no apparent HACKERY going on to unknown/unusual keys, etc.

I hate to go on and on about all the software used, system files replaced, and physical changes to the code (esp. initial code) I used, but I think, hope, I have had a ..... successful experience!?!!! (Maybe I just got lucky, maybe it will indeed return, maybe anything... I admit, but I'm just walkin' on eggshells here, fingers crossed and maybe smiling a tiny tiny bit (as I can always say I gave it my best even if it does fail down the road).)

I do still agree with the advice of the most wise/intelligent members of these forums, as well as the world in general, who advised... no, insisted that I do the right thing: clean wipe/format/reinstall.

For the sake of the general users of the forum, I COMPLETELY ADVISE YOU NOT, NEVER-EVER and in NO WAY TO TRY TO DO ANYTHING TO COMBAT THIS DEVIANT ROOTKIT, BUT ONLY DO A COMPLETE REINSTALL (as just about anyone here can quickly talk you through) .... Don't use my crazy ideas, as their mentioning was not intended to inspire this whatsoever!

I only wanted help, which I got a considerable bit of (thank you all kindly), and to inform those interested in this interesting, albeit dangerous, area, which I myself had never explored before. (I also had specific personal reasons for my "Quest", as I have mentioned, related to the owner.)



But it is hooked up to the O's network again, and after more monitoring and checking for a period of time, I will be literally insisting on a full s/w, h/w, & network upgrade with fully integrated/automated backup & security, in addition to other things.

While I will be compensated considerably well for all these new implementations, I want everyone to know you were not used to make money, as I have refused payment for this, not out of being a great noble guy or anything, but it was a chance I had to take that I could have, or still may, hurt more than I help. So with the fact that I will be indebted to Bob for the rest of my days to some degree (for other reasons), I can quite easily say that I did owe him, so I don't feel stupid for "wasting" so much time and energy on a pro bono case!


I can't believe (to a high degree of certainty - in my head anyway) that I eradicated that ......Thing!

I will update if I find anything inconsistent with this in further test findings! I promise to let you know if it returns (w/details).

Thanks soooo much
Mike / Link / Rubyrubyroo / Me :D
 

Got it

Hiya rubyrubyroo. I did ask around and a fellow who I know is really on the ball has told me that it is a VMware issue and that it will recreate itself however many times you delete it.

If you want to see what he said - http://forums.whirlpool.net.au/forum-replies.cfm?t=1796028 - and there is a sub thread ref too.

This might not be what you had; however, it's a job knowing what's going on at times, but there again it might answer a few of your queries. :cool:
 

icit2
thank you kindly for checking that out for me! I can't say it wasn't a VM file, but, the machine never was "purposely", or rather..."without malicious intent" loaded with any type of virtualization s/w, of that I am certain (unless it was something another app or the os did behind the scenes!?!). But the file was merely data and contained no reconizable, executable code, but to be sure I did delete it, and it didn't reappear as the referrenced thread(s) mentioned, maybe because I had already erased the source that it would have copied the replacement from, or maybe because the best way to hide nasty viral components is to disguise them as files that you wouldn't expect (and I'd bet - the ones that border on making one scared to erase it, just find a filename that googles back "this is a NORMAL FILE, and you should not remove it" or "it often produces false positives, and such results should not cause one to worry" ! At least thats what I'd do if I was trying to do what these baddies are doing, see you have to get in their mind a bit to understand the best way to take them out I believe :sarc: )

it's long gone now and I was tempted to, although didn't keep a copy for later analysis, just to scary even on a seemingly isolated system (i.e. next thing you know your WLAN button LED changed color w/o pressing it and who knows what other network computers might get infected, it was....dare I say it...(fun)...or interesting in some sick twisted way to battle the thing, but I only wish I didn't have to do it with such impportant stakes, .... although they are what compelled me to "go there" in the first place!!! kinda like a vicious cycle!

Thanks for the lookup. (BTW, I was thinking maybe it was a Linux file, ".rnd"... like ".htaccess" etc. ---- and as the thread said, *.rnd indicates that rnd is the extension and the name is either an "invisible char" or a "null"-ish name. I was more under the impression that ".rnd" was the filename and the extension was not present (a.k.a. null/void/no extension), but I didn't analyse it that closely I guess.)

Guess I'm focusing too much on this likely meaningless file, and avoiding the mention of the status: all is okay (superficially for SURE), seemingly at a deeper analytical level as well! I am still monitoring, pushing the system, trying to poke anything in there with a stick, to see what pokes its head out!

thanks again! :)
Mike
 

No probs mate

No probs Mike, I would guess you're right with it being downloaded unintentionally or on the back of something else - who knows anymore.

Pity you didn't still have the readouts to send to one of those places like VirusTotal (Free Online Virus, Malware and URL Scanner) or one of the others from a Google search, for an analysis of the files.

Still glad it's fixed - so time consuming eh?
 
Last edited:

I was just workin' off a "boot disk" & Win7 DVD, etc., so I had trouble finding s/w that could do decent analysis/reporting from this angle; I just used a disassembler and some raw code readers (bin, hex, reassembled assembler).

thx
mike
 

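Mike's posts above describe judging the ".rnd" file to be plain data from a disassembler and raw hex readers, and icit2 suggests sending it to VirusTotal. The script below is an added example (not code from this thread or from any poster) of the offline triage a practitioner would run on such a file before deleting it: hashes (VirusTotal accepts a hash search, so the file itself need not be uploaded), a check for a DOS/PE header, and byte entropy, since a "data" file that scores near 8 bits per byte is encrypted, compressed or random rather than plain data. The entropy threshold, the sample blobs and the PE stub are constructed for the example.

```python
"""Offline triage of a suspect file: hashes, PE header check, byte entropy.

Added example for this thread; not a tool any poster used. The sample inputs
below are constructed, not files from the infected machine.
"""
import hashlib
import math
import struct

ENTROPY_HIGH = 7.5  # bits/byte; assumed threshold for "looks encrypted or compressed"


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or single-valued input, 8.0 at most."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def is_pe(data: bytes) -> bool:
    """True if data has a DOS 'MZ' stub whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def triage(data: bytes) -> dict:
    """Summarise a blob: hashes for a VirusTotal hash search, PE check, entropy, verdict."""
    ent = shannon_entropy(data)
    if is_pe(data):
        verdict = "PE executable: disassemble it and look up the hash"
    elif ent >= ENTROPY_HIGH:
        verdict = "high entropy: encrypted, compressed or random, not plain data"
    else:
        verdict = "low entropy: plain data or text"
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "pe": is_pe(data),
        "entropy": round(ent, 3),
        "verdict": verdict,
    }


def triage_file(path: str) -> dict:
    """Triage a file on a slaved or offline-mounted disk (path is wherever you mounted it)."""
    with open(path, "rb") as fh:
        return triage(fh.read())


# Constructed samples: English text, a byte sequence that hits every value equally
# often (entropy exactly 8.0), and a bare MZ/PE header stub with no real code.
SAMPLE_TEXT = b"The quick brown fox jumps over the lazy dog. " * 20
SAMPLE_RANDOMISH = bytes((i * 131 + 7) % 256 for i in range(4096))


def build_pe_stub() -> bytes:
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)   # 0x40-byte DOS header
    struct.pack_into("<I", hdr, 0x3C, 0x40)   # e_lfanew -> immediately after the stub
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 20


if __name__ == "__main__":
    for name, blob in (("text", SAMPLE_TEXT),
                       ("randomish", SAMPLE_RANDOMISH),
                       ("pe-stub", build_pe_stub())):
        r = triage(blob)
        print(f"{name:10} size={r['size']:5} entropy={r['entropy']:.3f} "
              f"pe={r['pe']} sha256={r['sha256'][:16]}... -> {r['verdict']}")
```

These checks only say what a blob is not: a high-entropy file with no PE header is still worth a hash lookup (and a saved copy on removable media) before it is erased, since "just data" is exactly what an encrypted payload looks like to a disassembler.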
Greetings,

I found this thread on a google search and wanted to clarify that you were able to get into the system by utilizing the non DSE mode? I'm locked in a boot loop and am trying to get the system to boot up so I can grab a couple of folders of pictures from my drive.

I have been able to slave the drive but cannot browse it at all as all I get is a bare, empty folder.
 

My Computer My Computer

At a glance

W7 Ult. x64
OS
W7 Ult. x64
Slave the drive, and go into disk management: Start Menu -> Right click Computer -> Manage -> Disk Management

Upload a screenshot of your disk management window and tell us which drive is the drive you are trying to access.
 

My Computer My Computer

At a glance

Windows 7 Home Premium 64 BitIntel(R) Core(TM)2 Quad CPU Q9550 @ 2.83GHz6.00 GB Hundai HMT125U6BFR8C-H9ATI Radeon HD 4850
Computer Manufacturer/Model Number
HP Pavilion e9110t
OS
Windows 7 Home Premium 64 Bit
CPU
Intel(R) Core(TM)2 Quad CPU Q9550 @ 2.83GHz
Motherboard
Pegatron IPIEL-LA3
Memory
6.00 GB Hundai HMT125U6BFR8C-H9
Graphics Card(s)
ATI Radeon HD 4850
Sound Card
Realtek High Definition Audio/ATI High Definition Audio
Monitor(s) Displays
Acer AL2216W
Screen Resolution
1680x1050
Hard Drives
Hitachi HDP725050GLA360 ATA Device 500 GB
PSU
Unknown/installed by HP
Case
HP generic case
Cooling
Intel Stock Cooling
Keyboard
HP Keyboard
Mouse
HP Mouse
Internet Speed
Download: 19.15 Mbps Upload: 1.67 Mbps
Other Info
Network Adapter Realtek RTL8168D/8111D Family PCI-E Gigabit Ethernet NIC (NDIS 6.20)
Network Adapter 802.11n Wireless PCI Express Card LAN Adapter
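The reply above sends the reader to Disk Management for the slaved drive. The following is an added example, not code from the thread, of the same check done against the raw MBR of a slaved disk: list the primary partition entries, flag a GPT protective entry (which means the real layout lives in the GPT, which this parser does not read), and report how many sectors sit past the last entry, which is where an unlisted area at the end of a disk would show up. The disk size and layout are constructed sample values; on a real machine, pass the sector count reported by diskpart or Disk Management, and keep in mind that some trailing slack is normal, so a small tail is not evidence by itself.

```python
"""Parse a slaved disk's MBR partition table and report space past the last entry.

Added example for this thread, not a tool any poster used. The disk size and the
partition layout below are constructed sample values, not the posters' disks.
"""
import struct

SECTOR = 512
ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count
TABLE_OFFSET = 0x1BE
GPT_PROTECTIVE = 0xEE


def parse_mbr(mbr: bytes) -> list:
    """Return the non-empty primary entries of a 512-byte MBR."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xAA":
        raise ValueError("no 0x55AA boot signature: not an MBR (or a wiped one)")
    parts = []
    for i in range(4):
        status, _chs_s, ptype, _chs_e, start, count = struct.unpack_from(
            ENTRY_FMT, mbr, TABLE_OFFSET + 16 * i)
        if ptype == 0 or count == 0:
            continue
        parts.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "start_lba": start,
            "sectors": count,
            "end_lba": start + count - 1,
        })
    return parts


def is_gpt_protective(parts: list) -> bool:
    """A 0xEE entry means the real layout lives in the GPT, not in this table."""
    return any(p["type"] == GPT_PROTECTIVE for p in parts)


def unallocated_tail(parts: list, disk_sectors: int) -> int:
    """Sectors between the end of the last table entry and the end of the disk."""
    if not parts:
        return disk_sectors
    last_end = max(p["end_lba"] for p in parts)
    return max(0, disk_sectors - (last_end + 1))


def build_sample_mbr(partitions) -> bytes:
    """Construct an MBR from (type, start_lba, sectors) tuples; first entry marked active."""
    mbr = bytearray(SECTOR)
    for i, (ptype, start, count) in enumerate(partitions[:4]):
        chs = b"\xFE\xFF\xFF"   # CHS fields pinned to "use LBA", as modern tools write them
        struct.pack_into(ENTRY_FMT, mbr, TABLE_OFFSET + 16 * i,
                         0x80 if i == 0 else 0x00, chs, ptype, chs, start, count)
    mbr[510:512] = b"\x55\xAA"
    return bytes(mbr)


def read_mbr(device: str) -> bytes:
    """First sector of a raw device, e.g. r'\\\\.\\PhysicalDrive1' on Windows (needs admin)."""
    with open(device, "rb") as fh:
        return fh.read(SECTOR)


# Constructed sample: a ~500 GB disk with a 100 MiB System Reserved partition and a
# second NTFS partition that stops 10 MiB short of the end of the disk.
DISK_SECTORS = 976773168
SAMPLE_LAYOUT = [(0x07, 2048, 204800), (0x07, 206848, 976545840)]


def report(mbr: bytes, disk_sectors: int) -> dict:
    parts = parse_mbr(mbr)
    return {
        "partitions": parts,
        "gpt": is_gpt_protective(parts),
        "tail_sectors": unallocated_tail(parts, disk_sectors),
    }


if __name__ == "__main__":
    r = report(build_sample_mbr(SAMPLE_LAYOUT), DISK_SECTORS)
    for p in r["partitions"]:
        print(f"#{p['index']} type=0x{p['type']:02X} boot={p['bootable']} "
              f"LBA {p['start_lba']}-{p['end_lba']} ({p['sectors'] * SECTOR // 2**20} MiB)")
    print("GPT protective MBR:", r["gpt"])
    print(f"unallocated tail: {r['tail_sectors']} sectors "
          f"({r['tail_sectors'] * SECTOR // 2**20} MiB)")
```

To run it against the slaved drive, replace the sample with `read_mbr(r"\\.\PhysicalDrive1")` (the drive number from Disk Management) and the sector count from `diskpart`'s `detail disk`; read-only access is enough, and reading the sector directly sidesteps whatever the bare, empty folder view on the mounted volume is hiding.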