Require (Rootkit.TDSS.TDL4) Rootkit Removal & Cleanup walkthrough

Page 3 of 5

  1. Posts : 1,777
    MS Windows 7 Home Premium SP1 64-bit (Family Pack Lic.) Upgrade
    Thread Starter
       #21

    Can anyone recommend a good program I can run from a boot disk or the like (even a command prompt method), just not from the Windows system drive, to

    A.) alter / browse the registry (on a Win7 x64 system)

    B.) remove the unknown encrypted virtual partition system at the end of my HDD (although as long as the dropper is removed, I'm not seeing a route to their use, but just leaving the bad DLLs and loaders in place makes my skin crawl, and I do know I could miss something, or even become reinfected once online again, since who knows what info they have and use from me (including IP address to reattack), so I don't plan on making it easier for them)

    Mike
    Last edited by rubyrubyroo; 13 Oct 2011 at 01:44. Reason: I guess I accidentally pasted some previous copy....that was weird!
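One way to look at the two things asked about in this post from outside the infected OS, as an added example that is not part of this thread and not any tool the posters mention: a Python script that parses the partition table of a raw disk image (for instance one taken with dd from a boot disk), reports how many sectors lie beyond the last partition (TDL4 keeps its hidden encrypted file system in the unallocated tail of the disk), and hashes the 440-byte MBR boot code so it can be compared against a known-clean copy. The sample MBR is constructed inline for offline testing; the 1 MiB alert threshold and the image-path argument are assumptions.

```python
import hashlib
import struct
import sys

SECTOR = 512                # bytes per sector on the disks this thread is about
TAIL_ALERT_SECTORS = 2048   # assumed heuristic: flag a free tail of >= 1 MiB


def parse_mbr(mbr: bytes) -> list[dict]:
    """Return the non-empty primary partition entries of a 512-byte MBR."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    if mbr[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        off = 446 + 16 * i                      # partition table starts at 0x1BE
        status, ptype = mbr[off], mbr[off + 4]
        start, count = struct.unpack_from("<II", mbr, off + 8)
        if ptype == 0 or count == 0:            # empty slot
            continue
        entries.append({"slot": i, "bootable": status == 0x80,
                        "type": ptype, "start": start, "sectors": count})
    return entries


def trailing_unallocated(entries: list[dict], disk_sectors: int) -> int:
    """Sectors between the end of the last partition and the end of the disk."""
    if not entries:
        return disk_sectors
    last_end = max(e["start"] + e["sectors"] for e in entries)
    return max(0, disk_sectors - last_end)


def boot_code_digest(mbr: bytes) -> str:
    """SHA-256 of the 440-byte boot code area, for comparison with a clean MBR."""
    return hashlib.sha256(mbr[:440]).hexdigest()


def build_sample_mbr(partitions, boot_code: bytes = b"") -> bytes:
    """Constructed test MBR (not from a real disk). partitions is a list of
    (status, type, start_lba, sector_count) tuples."""
    assert len(boot_code) <= 440 and len(partitions) <= 4
    mbr = bytearray(SECTOR)
    mbr[:len(boot_code)] = boot_code
    for i, (status, ptype, start, count) in enumerate(partitions):
        off = 446 + 16 * i
        mbr[off] = status
        mbr[off + 4] = ptype
        struct.pack_into("<II", mbr, off + 8, start, count)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


def report(mbr: bytes, disk_sectors: int) -> dict:
    """Summarise what a responder would look at first: partitions, free tail,
    whether the MBR is only a GPT protective entry, and the boot code hash."""
    entries = parse_mbr(mbr)
    tail = trailing_unallocated(entries, disk_sectors)
    return {"partitions": entries,
            "tail_sectors": tail,
            "tail_suspicious": tail >= TAIL_ALERT_SECTORS,
            "gpt_protective": any(e["type"] == 0xEE for e in entries),
            "boot_code_sha256": boot_code_digest(mbr)}


if __name__ == "__main__":
    if len(sys.argv) == 2:
        # Assumed usage: path to a raw image taken from a boot disk (e.g. with dd).
        with open(sys.argv[1], "rb") as f:
            first_sector = f.read(SECTOR)
            f.seek(0, 2)
            disk_sectors = f.tell() // SECTOR
        result = report(first_sector, disk_sectors)
    else:
        # Constructed example: one bootable NTFS partition on a 250,000-sector disk
        sample = build_sample_mbr([(0x80, 0x07, 2048, 200_000)])
        result = report(sample, 250_000)
    for key, value in result.items():
        print(f"{key}: {value}")
```

A free tail is a heuristic, not proof: many disks have a small alignment gap after the last partition, and a partition type of 0xEE means the disk is GPT and the real layout lives in the GPT header, not this table. The boot-code hash is only useful against a baseline from a disk known to be clean or from the same Windows version's standard MBR.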


  2. Posts : 8,608
    Windows 7 Ultimate 32bit SP1
       #22

    B.) remove the unknown encrypted virtual partition system at the end of my HDD (although as long as the dropper is removed, I'm not seeing a route to their use, but just leaving the bad DLLs and loaders in place makes my skin crawl, and I do know I could miss something, or even become reinfected once online again, since who knows what info they have and use from me (including IP address to reattack), so I don't plan on making it easier for them)
    Good luck ... and most certainly you could/would be re-infected again.


  3. Posts : 1,777
    MS Windows 7 Home Premium SP1 64-bit (Family Pack Lic.) Upgrade
    Thread Starter
       #23

    Jacee said:
    B.) remove the unknown encrypted virtual partition system at the end of my HDD (although as long as the dropper is removed, I'm not seeing a route to their use, but just leaving the bad DLLs and loaders in place makes my skin crawl, and I do know I could miss something, or even become reinfected once online again, since who knows what info they have and use from me (including IP address to reattack), so I don't plan on making it easier for them)
    Good luck ... and most certainly you could/would be re-infected again.
    Are you mostly referring to if I screw up and leave something behind (we both know this is a true risk), or since the attack origin "knows" the computer and therefore when it stops receiving keylogs or whatnot it will realize I zapped it and reattack me specifically?

    Mike


  4. Posts : 1,777
    MS Windows 7 Home Premium SP1 64-bit (Family Pack Lic.) Upgrade
    Thread Starter
       #24

    I could only find one rootkit similar to mine that has successfully written to BIOS (Trojan.Mebromi), and it does so in the same area I have checked line for line. While I am unaware of the command to use to interact with the EEPROM BIOS chip, I am certain it was not present. (Boosts my odds just a bump up, maybe.) Then there was another earlier one, a Win 9x based rootkit (CIH/Chernobyl), which acted directly from the Win environment (this could be more plausible in my case, ALTHOUGH this was a Win 9x based system we're talking about; I HOPE MS made that a bit more difficult in their free time!). These two, I'm pretty sure, were the only two rootkits in the wild ever documented with this capability. Aside from one or two "POC" programs that have been designed, but never leaked to the hacking community I presume, as they never found one infecting a computer outside the controlled environment.

    I can't imagine that the BIOS flash op-codes are not manufacturer specific to the chip or mobo brand, and the internal architecture is different between the BIOS types, so effectively using BIOS to rewrite a rootkit to, let's say, the MBR at each boot (similar to what I have, just one step past the chip itself) is unlikely to affect any significant portion of PC users.

    That's my opinion, but more so my HOPE!


  5. Posts : 8,608
    Windows 7 Ultimate 32bit SP1
       #25


  6. Posts : 1,777
    MS Windows 7 Home Premium SP1 64-bit (Family Pack Lic.) Upgrade
    Thread Starter
       #26

    nice


    Jacee said:
    Beautiful article, references all the ones I mentioned, but in better detail. Although either my or their timeline is quite wrong. I read more than one ref. explaining that Mebromi was a late 90's discovery, ...the first of its kind, and I obviously inferred a possible 16-bit or more likely 32-bit rootkit had to be so different in a pre-XP OS (as XP was a ground-up rewrite, technologically speaking, rather than the common misconception that it was a merge/hybrid of NT with 9x-2000!). But I was clearly mixed up, as I was head deep in hex until I fell out at the computer around 7am EST! What is wrong with me!

    And I love texts with intermittent code captures, so they can talk and explain, then show me so I know they're not exaggerating or lying; I can believe them because it's right there, although I am getting dizzy from going from C++ to Assembly to hex/binary! I want to read it over a bit closer, but I just wanted to say thanks, or rather mean it!

    I also read a dozen or so articles revealing some scary S about this thing, which is often referred to as approaching "the perfect virus" or nearly "impenetrable". It seems in the past week or so the writers have kicked it up a notch with features, which I have not seen on my machine, but I obviously couldn't have seen more than 0.001% of the system files yet, you know! The new "features" are transfer by USB drive to other machines.... uhhh....yea! Autostart did pop up too in one computer I plugged the flash RAM into (I canceled it fearing just such a thing, so I'm guessing it couldn't run as it had no advantage on my laptop yet). I just don't ever get that with my options set as they are...autostart. And there were no files other than the dirs I made (like autostart files were absent, so... hmmm), and I keep hidden files and system files/dirs visible on all my personal systems at least (as well as known exts visible, just like everyone should, as easy as it would be to trick someone with a copied icon into running a "trojan" that way. But I'm getting off topic.) The other feature just discovered at some university by a "viral professor"?!?! is the ability to spontaneously "worm-ize" and migrate along with take over a peer network as the default DHCP and use its own routing table that connects infected comps' tx to uninfected peers' rx every time! So I'm guessin' I potentially have 8 infected computers (2 of which aren't mine, but I am fully responsible for [or technically the entity that is my LLC!]). Luckily I haven't found any signs yet, so hopefully I got a glitchy/older version!

    I'm guessing the BIOS is just about the only impressive feat left untackled, and must be on the "to do" list for the creators! "TDSS.TDL1 thru 4" is supposedly infecting 3.2 million machines as of last check. Good God! The profits are sick as well. I never heard of this, but I'm sure you have: they're selling the service of making the average entrepreneur a bot-net (since that size is overkill, 3.2 million+ zombies wouldn't be needed to brute force attack every country in the world in 10 seconds (don't quote me on the math there!)), but that's what they're doing: "Too dumb to write your own hacking army? We'll take care of you for a mere $100-300 per bot." Now we've got people out there using some GUI to control them like a game! That's just ......for once....me...speechless...


    Oh, and if you do take the time to get this far into my ramblings,..(A.) thanks & (B.) what are the chances of the bot-net's server network keeping logs to reinfect me remotely however it was done originally? They know "where I live" and I would not be transmitting them my personal keystrokes any more, so might they reattack, from your experience or prior research?

    sincerely,
    rootkit-mike


  7. Posts : 25,847
    Windows 10 Pro. 64/ version 1709 Windows 7 Pro/64
       #27

    If you haven't done this I would.
    https://connect.microsoft.com/systemsweeper


  8. Posts : 2,303
    Windows 7 & Windows Vista Ultimate
       #28

    Layback Bear said:
    If you haven't done this I would.
    https://connect.microsoft.com/systemsweeper
    Yes, he did. :)


  9. Posts : 7,781
    Win 7 32 Home Premium, Win 7 64 Pro, Win 8.1, Win 10
       #29

    Have you tried Norton Power Eraser yet? It offers a rootkit scan that reboots your PC and checks for infections.

    Norton Rescue Tools

    Because Norton Power Eraser uses aggressive methods to detect threats, there is a risk that it can select some legitimate programs for removal. You should use this tool very carefully.


  10. Posts : 8,608
    Windows 7 Ultimate 32bit SP1
       #30

    Sometimes it becomes necessary to "destroy/tear down", in order to fix a known problem. In this case, rubyrubyroo knows what has to be done.

    A "gloss-over patch/removal" will not save this OS from being infected again.

