Require (Rootkit.TDSS.TDL4) Rootkit Removal & Cleanup walkthrough
I would really appreciate some help from someone with experience with this matter.
Introduction:
Origin: False sense of security by AVG (updated), Windows kept updated, Browser settings, firewall, and self system maintenance.
Presentation: Installed a 2nd HDD (Exclusively for daily backups - ironic!) I did manage to fire off one Backup with win 7 backup including an image, but I doubt it is clean. Then next morning the computer was no longer in WIN7 environment but had rebooted to System Repair Panel, and despite a week of working on the problem with lots of pro and sub-pro advice online and offline, I could not get the startup repair to stop reporting that my code integrity file "C:\ci.dll" was corrupt and it could not help me. I was locked in a loop [boot start->system repair]. Safe mode, bios changes/resets, drive removals/rearrangements, win7 orig DVD repair, triple startup repair cycle, replacing ci.dll w/ correct sized version (which simply reverted to "corrupt size" on reboot), restore points, using the one image file I had made .... no help - all roads lead to the sys rec panel.
B.T.W. SafeMode would halt boot at driver #5 "CLFS.sys" to enter system recovery console.
Positive (hopefully) Headway I've Made: I researched the details of the component library ci.dll and looked for a vulnerability or weakness I could exploit to avoid the error, and I learned it doesn't lend its function set during kernel debug mode and unsigned driver ignore mode. I immediately tried the latter and was in windows 7 like nothing had ever happened (superficially anyway).
Cause(s): Although I am unaware of the timeline/origin of the malicious event, a trojan apparently infiltrated my Win7/home/64 system's defences and left plenty of malware components across the filesystem. Most notable is a rootkit in the MBR, named TROJAN:Win32/Alureon.DX. Also present was TROJAN:Win32/Alureon.A; I believe they work "together" so to speak.
AVG resident shield took plenty of notes as it watched ~20 "trojans" execute as "setup.exe" from temp folders as well as the main malware file (name not available at this time). I ran a full rootkit scan w/AVG - ~15 results (one main and the rest named after the win32 smoke and mirrors command they implement (i.e. FILE_LIST_REQUEST, ALTER_USER_PERMISSION)). Of course AVG can't help with these so I ran MS System Security Sweeper from a newly reconnected DVD and a full scan produced the two malwares (TROJAN:Win32/Alureon.A & TROJAN:Win32/Alureon.DX) using the MS sweeper's nomenclature, but I'm hoping it's the same code.
Currently: So after staring at the screen (letters MBR) for 10 min or so I reluctantly instructed Sweeper to remove both, and it reported success. I did a full scan w/sweeper afterwards, and it reported no problems. I powered off and have not rebooted since so as not to reactivate any viral safeguard it may have had implemented for just that type of removal! That's where I am now.
I still worry it was not removed in its entirety, or it left the Master Boot Record or other boot files corrupt. I would prefer a thorough step-by-step guide from someone of knowledge, before I go trying to rebuild/fix MBR from a WinRE cmd prompt or use ineffective software. I know this malware is known at boot-time to dup itself @random location and alter reg entries to boot the currently unexecuting clone, so removing it should have no noticeable effect unless both copies are located. It's known for altering hosts file...not on my computer, but internet settings...yes, all kinds of prompts and altered settings in IE reg keys. And it's known for stealing (changing) one's DNS lookup tables and online DNS ref connection (and flushing dns buffers for quick effect). I mention these only out of fear that something gets overlooked, but I'll get to the end since this is the short version, (HA).
I only wish I could work on it inertly from another computer, via usb etc, but I can't find any of my sata->usb adapters, and thumbdrives are filled halfway with other backed up data files I removed using xcopy cmd which I will keep as a second chance if everything falls apart now, although I do not have all the vital files, so I'd REALLLLLY like to not do a wipe/reinstall.
Thanks for listening to the long explanation and spelling errors,
Mike
Last edited by rubyrubyroo; 10 Oct 2011 at 23:11.
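Since the open question in the post is whether the MBR was left clean after removal, here is an added example (not from the thread's author, AVG, or the MS sweeper) that parses a raw 512-byte MBR sector and compares the boot-code hash against a known-good baseline, such as one taken from a clean backup image. The sample MBR bytes and the baseline are constructed placeholders, not a real disk dump.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440      # executable boot code occupies bytes 0..439
PART_TABLE_OFF = 446     # four 16-byte partition entries follow the disk signature
BOOT_SIG_OFF = 510       # bytes 510..511 must be 0x55 0xAA

# Constructed placeholder boot code, standing in for the bytes of a clean MBR.
CLEAN_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c\x8e\xc0\x8e\xd8"


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Build a constructed 512-byte MBR: given boot code, one active NTFS partition."""
    body = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    body += struct.pack("<IH", 0xDEADBEEF, 0)                     # disk signature + reserved
    body += struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, 204800)
    body += b"\x00" * 48                                            # three unused slots
    return body + b"\x55\xaa"


def parse_mbr(mbr: bytes) -> dict:
    """Split a raw MBR into boot-code hash, disk signature, partition entries and signature check."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        entry = mbr[PART_TABLE_OFF + 16 * i: PART_TABLE_OFF + 16 * (i + 1)]
        lba_start, sectors = struct.unpack_from("<II", entry, 8)
        if entry[4]:  # partition type 0x00 means the slot is unused
            parts.append({"bootable": entry[0] == 0x80, "type": entry[4],
                          "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", mbr, BOOT_CODE_LEN)[0],
        "partitions": parts,
        "valid_signature": mbr[BOOT_SIG_OFF:] == b"\x55\xaa",
    }


def check_mbr(mbr: bytes, baseline_boot_hash: str) -> list:
    """Return the findings a responder would want to see before trusting this boot sector."""
    info = parse_mbr(mbr)
    findings = []
    if not info["valid_signature"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != baseline_boot_hash:
        findings.append("boot code differs from known-good baseline")
    if sum(p["bootable"] for p in info["partitions"]) != 1:
        findings.append("expected exactly one active partition")
    return findings
```

On a live machine the 512 bytes would come from a sector dump of the physical disk taken offline (for example from a rescue environment), and the baseline hash from the same sector on a disk known to be clean; the script itself only needs the two byte strings.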