Require (Rootkit.TDSS.TDL4) Rootkit Removal & Cleanup walkthrough

Page 2 of 5 FirstFirst 1234 ... LastLast

  1. Posts : 1,777
    MS Windows 7 Home Premium SP1 64-bit (Family Pack Lic.) Upgrade
    Thread Starter
       #11

    L. Bear

    Hey, there!
    Yes, i't was a suprisingly informative level of info for wikipedia (not that wiki is weak at all) just a rather specific artical that a lot could be derived from.

    and by the way... I agree too, were all in agreement, but then theres them pesky client files, all kinds of propriatory apps for court forms and a whole macro and mergeing web of code that could be just as bad the situation you referenced once I reinstall the flash... so even with a new computer, the whole thing can never be trusted fully again, thats life?! Isn't it possible that the malicious code has made its way to BIOS, ( it's a dual-bios-backup board - probibly making it even more plausable. I have no real references on the bios infection potential, but maybe you know... plausible?

    so do I tell him you gotta close down? IM REALLY NOT GOING FOR THE PITTY ANGLE HERE!!! I am just pouring my guts out, and being a decent guy, I can't screw this up...i just havn't figured out how not to yet!

    mike
      My Computer


  2. Posts : 1,777
    MS Windows 7 Home Premium SP1 64-bit (Family Pack Lic.) Upgrade
    Thread Starter
       #12

    As I did my pre-workup described in the initial post, I was repeated told by a reliable source during my initial "general" thread:

    gregrocker said:
    The only question to me is whether you should reimport those files even after repeat disinfection. I'd ask in Security forum for the odds on doing so.

    You may risk infecting the BIOS if you try to juggle such a badly infected system. The experts there will know this with certainty.
    So my BIO's fears seem grounded in the real "modern" world (I thought that was a "bug" that was basically fixed in the modern computer MB archetecture, but I was right to doubt myself when uncertian.)

    Without the legal docs the computer basically is just a big black heavy aluminum box to the owner.

    But Greg does speak rather highly of the security team,... seemingly describing them as more elite than the malware's creater(s)!

    Funny, and sad. (the hackers) .... probibly china's military doing their daily probing (ha)
    Mike
      My Computer


  3. Posts : 25,847
    Windows 10 Pro. 64/ version 1709 Windows 7 Pro/64
       #13

    Yes the Bios can also get infected from the reading I have done. The Bios can also be wiped and reinstalled. Here comes another ouch; any backup made might be infected also. A Rootkit could come with all the permission it needs to do anything. Another brain twister; how did this nasty thing get in the computer. From internet, C/D, USB. Knowing how it got there if possible one would have a good chance not to allow it again. Any P2P or Torrents can drop these little goodies in a heart beat.
      My Computer


  4. Posts : 1,777
    MS Windows 7 Home Premium SP1 64-bit (Family Pack Lic.) Upgrade
    Thread Starter
       #14

    this computer was on a peer network and they designated it "the server" as if every computer at the office wasn't! it was all wide open! The "SERVER" or rather a name pipe that is shared freely had all the client info on it. and they NEVER did use the computer, they didn't know how to turn it on or off, so no A/V or P2P vectors. The other computers have no signs of infection, but i am working on the files (USB) and the system. I disassembled quite a bit of interesting stuff incl the boot/mbr and found plenty of stolen hooks in the interupt vect. table including the initial 13h interupt which triggers the reinfection at each boot time, before ANYTHING the damn thing decrypts itself and starts the chain of events. I tryed lookig up info online but its all otdated as the virus is "mutation" into quite a beast. It is said to swap a set of flags triggering winPE (which lacks driver signing requirement in 64-bit win7) then after loading some patches directlly kernel, it uses a clever word play on a prameter name sent to winload.exe, and as it doesn't recognize the sent flag/switch it aborts the winPE load (although the kernel and user mode has long since been patched) and it reverts to the normal win7 boot. With kernel-mode control freedom there's obviously nothing gonna take it out from the booted HDD, so that's like 75% of the best tools, useless. Then it injects any I/O processess with it's own hooks, removing the installed ones (ie.winsock's hooks) It supposedly enters via the same printspooler method they all use these days, but I have reason to believe that this entry point has become obsolete in this infection althoguh I'm working at that right now before I wrote this message! Oh, and after it snatches the DR0, it intercepts every system Drive I/O command in the chain, responding as it chooses!

    My infection uses the code integrety file dy-link-lib ci.dll to bypass the driver cypher calls, I can't get a look at the file thoguh, there's almost lkke a real corruption that is eather a shotty hacking bug or maybe a mistake unique to my infection. I also need to figure out what the "algorythem" or rather "unique files system" the encrypted area at the end of the drive that contains the nasty files is encoded with. Its some odd encrypted FS not EFS or even close. But I can take this thing down in a day or two i bet, (with assistance I might have been done by now! who knows?) It's quite hard to find low level analysis software for win7 64, ......Since it's impenetrable with the whole driver signing requirement right? but I found some open source tools that produce some decent assembly code from the system native.

    anyway enough of your time, I'm just happy with my progress...

    and I can't for the life of me figure out why they dont put a physical jumper or switch or whatever on the mobo, so most people who shouldn't be flashing their bios cant and the ones intelligent enough to follow directions can easily move a 1mm x 2mm plastic jumper one pin over to physically disconnect or at least flag the bios when not flashing it and visa versa. What terrible concequense would that have???? uhhh...saving lots of mobos w/unremovable chips from malware as well as the huge set of rather computer illeterates which think that should update the chip but dont know why! (AHHHH)

    I'm translating to much hex and binary my brain is melting ....

    thats for the moment away from the devil system!
    mike
      My Computer


  5. Posts : 8,608
    Windows 7 Ultimate 32bit SP1
       #15

    You might try the Trinity Rescue Kit Trinity Rescue Kit | CPR for your computer
      My Computer


  6. Posts : 2,303
    Windows 7 & Windows Vista Ultimate
       #16

    I also agree that a clean install is the best/only way to go, particularly due to the sensitive nature of the files on the computer. However, in an attempt to feel a bit more confident about the client files, you might want to give Kaspersky's TDSS Killer a run. How to remove malware belonging to the family Rootkit.Win32.TDSS (aka Tidserv, TDSServ, Alureon)?
      My Computer


  7. Posts : 1,777
    MS Windows 7 Home Premium SP1 64-bit (Family Pack Lic.) Upgrade
    Thread Starter
       #17

    jacee
    thanks for the link i'm going to go check it out right now as ive never run across the name (Trinity) B4. But I trust it will prove useful. I'll repspond later if it helps or not.

    thank you
    mike
      My Computer


  8. Posts : 1,777
    MS Windows 7 Home Premium SP1 64-bit (Family Pack Lic.) Upgrade
    Thread Starter
       #18

    Corrine,

    thanks for the post!
    I do indeed have K's TDSSkill on a drive (along with rootkill/rootreveal/mabm/cclean/viper and any other tool I could thin of fully updated!) I will be running TDSSkill'a as my first line of attack when I do finally boot to the sys drive (post MBR/BCD "repair") I'm uncertian of if i can use safemode as there is atleast 2 instances i have found that do not allow a keyboard to be recognized (one for ps2 and the othr USB) I think I have taken care of that but I do not know that other measures have not been detected by my tedious manual searches. I am going to be watching for anthing "weird" in the kernel various processes and stack using GNER or a similar tool suite. I will break the hardwired LAN and even go as far as unplugging the WLAN to take the task of mmonitering I/O net/web can be done at my convience, followed by full dns flush and checking all hosts/DNS/network related tables/file and then maybe try poking it with a stick to get any last pieces to come out of the woodwork by runnig obvious antivirus s/w (norton/AVG etc) under their original filenames!

    Take Home Point: Debugging a debugger (kdcom.dll) without the use of a debugger....really sucks!

    AND thank you again!
    Mike
    Last edited by rubyrubyroo; 12 Oct 2011 at 22:01.
      My Computer


  9. Posts : 1,781
    Windows 7 Professional SP1 32-bit
       #19

    Whew. I've been following your adventures and I gotta say, you're really extremely patient and determined. (I don't even really understand everything you've been doing...)
    You seem to be making headway too, which is good. :) Here's hoping you make it to a complete recovery of the system. Good luck!!
      My Computer


  10. Posts : 1,777
    MS Windows 7 Home Premium SP1 64-bit (Family Pack Lic.) Upgrade
    Thread Starter
       #20

    too kind corazon! I question myself many times if I know what Im doing, but it more often then not (fingers crossed this time) I end up feeling like I get lucky, then realize it was not luck, just feels like it, cause I remember learning the paticular info somewhere (unless maybe I have just been lucky like thousands of times with every computer I have worked on...i guess its possible!) but seriously thank you!

    mike
      My Computer


 
Page 2 of 5 FirstFirst 1234 ... LastLast

  Related Discussions
Our Sites
Site Links
About Us
Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd
All times are GMT -5. The time now is 20:52.
Find Us