Require (Rootkit.TDSS.TDL4) Rootkit Removal & Cleanup walkthrough

[Jacee]

See if you can get those folders using "Trinity Rescue Kit"

Trinity Rescue Kit or TRK is a free live Linux distribution that aims specifically at recovery and repair operations on Windows machines

Trinity Rescue Kit | CPR for your computer

 

[no cigar]

Okay guys, here's the screenshot with the drive slaved.

I should probably note that this is a Raid0 array with 2 64GB SSDs. The disk I am working on is F: in this screenshot

Another development as of last night I was able to run MS offline defender and it did find Alueron with a BUNCH of other stuff which I was able to remove, however the drive is still stuck in the boot loop.

 

[writhziden]

I can help with data recovery, but I think it would be wise to wait and let Jacee weigh in since you may still have some security concerns.

 

[no cigar]

Well I have discovered that the bug apparently altered properties of the entire drive to make all files hidden. I was able to view the entire drives' contents while it was slaved and best I can tell everything is still in tact. I used OnTrack recovery to run some tests and I believe the only issue lies in the boot sector of the drive, or with perhaps a hidden partition?

I was able to view the partitions on that drive and in addition to the main partition, there were two others < 1mb in size.

 

[writhziden]

Yes, these malicious items usually just add the hidden and system attributes to files. They can also change permissions for accessing files. To unhide, open an http://www.sevenforums.com/tutorials/783-elevated-command-prompt.html and type

F:
attrib /d /s -h -s *
​

The above will change attributes for all directories (/d flag) and files within the directories (/s flag) to unhide (-h flag) and remove the system attribute (-s flag).

 

[no cigar]

Thanks. This worked. A few misc. files gave me access denied errors but all is well and visible. I went ahead and rescued my user folder from the drive and am thinking about running the 4-8 pass dban format tool on it and calling it a day. Would this be an advisable way to clean the drives?

 

[writhziden]

You could also use the clean all command through Diskpart; that is what is usually recommended for clearing viruses and rootkit infections. http://www.sevenforums.com/tutorials/52129-disk-clean-clean-all-diskpart-command.html