A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #601  by gjf
 Fri Apr 09, 2010 5:16 pm
Do you have some publicly accessible tools to remove this? No one is interested in private closed software. Otherwise it should be a closed forum for testers of this software only.
 #603  by EP_X0FF
 Fri Apr 09, 2010 5:21 pm
Kernel Detective + GMER + RkU + a clean system drivers backup, and TDL3 will leave the building. You only need to know which driver is infected. Then it is only a question of skill to replace it with the original.
If you speak about a fully automatic or half-automatic remover, it does not exist in public.
 #604  by ConanTheLibrarian
 Fri Apr 09, 2010 5:36 pm
After finding the random driver, simply disable it in the Registry (Start value 4) and reboot. It takes the random driver offline and you can replace it on reboot. Then re-enable it (Start value 0). Works pretty well until they get an automated way.
 #605  by EP_X0FF
 Fri Apr 09, 2010 5:42 pm
The AT4RE site seems to have changed, so the link to TDLCleaner is invalid. Has somebody tried TDL3+ Cleaner against the new release?
 #606  by EP_X0FF
 Fri Apr 09, 2010 5:45 pm
Blitskrieg wrote:
EP_X0FF wrote: tested with TDSSKiller from KL.
after reboot infection is alive.
Yes, we are working on it.
Good to know, obviously it is not a big problem to adapt TDSSKiller for this new release.
 #607  by Blitskrieg
 Fri Apr 09, 2010 5:46 pm
windbreaker11 wrote: After finding the random driver, simply disable it in the Registry (Start value 4) and reboot. It takes the random driver offline and you can replace it on reboot. Then re-enable it (Start value 0). Works pretty well until they get an automated way.
What about drivers that are critical for OS load?
 #608  by ConanTheLibrarian
 Fri Apr 09, 2010 5:51 pm
So far I've seen 5 now this morning and all worked fine with no BSOD. If that ever happens just use LKGC. Then replace offline in RC. I believe that you will not have any problems though. The drivers are not critical to boot. So far - intelide.sys, compbatt.sys, mouclass.sys, etc.
 #609  by wealllbe20
 Fri Apr 09, 2010 6:03 pm
Blitskrieg wrote: What about drivers that are critical for OS load?

goto HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\(drivername)

copy the same driver, but a clean copy, to c:\windows\system32\driver\(randomname.sys)

ImagePath=(put your copied good driver here(randomname.sys))

reboot

delete the original atapi.sys or whatever the driver is.

copy (randomname.sys) to atapi.sys or whatever the driver name is.

change ImagePath in the registry, voila
 #613  by gjf
 Fri Apr 09, 2010 8:02 pm
wealllbe20 wrote: goto HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\(drivername)
copy the same driver, but a clean copy, to c:\windows\system32\driver\(randomname.sys)
ImagePath=(put your copied good driver here(randomname.sys))
reboot
delete the original atapi.sys or whatever the driver is.
copy (randomname.sys) to atapi.sys or whatever the driver name is.
change ImagePath in the registry, voila
Good solution in two reboots, if we have a backup of these system drivers of course :)

And it will work if the rootkit doesn't check its registry settings. So this solution will be completely destroyed in several lines of code by the rootkit author :)

Blitskrieg, hope you will create what you told me. Sincerely - good luck!
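The procedure above (disable the service, swap the driver, fix ImagePath) starts with finding which driver service was hijacked. The script below is an added example, not code from this thread or from any of the tools named in it: it walks the kernel-driver entries under the Services key, resolves each ImagePath, and compares the on-disk file against a clean driver backup (the $CleanBackupDir location is an assumption), reporting the Start value so a disabled (4) or boot-start (0) entry is visible at a glance. It assumes PowerShell 4 or later for Get-FileHash.

```powershell
# Added example: audit kernel-driver services against a clean driver backup.
param(
    [string]$CleanBackupDir = 'D:\clean_drivers',  # assumption: copies taken from a known-good system
    [string]$ServicesKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services'
)

function Resolve-ImagePath([string]$ImagePath) {
    # Driver ImagePath values come in several forms:
    #   system32\DRIVERS\x.sys, \SystemRoot\system32\DRIVERS\x.sys, \??\C:\path\x.sys
    $p = $ImagePath -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

Get-ChildItem $ServicesKey | ForEach-Object {
    $svc = Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue
    # Type 1 = SERVICE_KERNEL_DRIVER, 2 = SERVICE_FILE_SYSTEM_DRIVER; skip everything else
    if ($svc.Type -notin 1,2 -or -not $svc.ImagePath) { return }

    $path   = Resolve-ImagePath $svc.ImagePath
    $clean  = Join-Path $CleanBackupDir (Split-Path $path -Leaf)
    $status = 'no-backup'
    if (-not (Test-Path $path)) {
        $status = 'missing'
    } elseif (Test-Path $clean) {
        # Compare the live driver file with the clean copy of the same name
        $live = (Get-FileHash $path  -Algorithm SHA256).Hash
        $good = (Get-FileHash $clean -Algorithm SHA256).Hash
        $status = if ($live -eq $good) { 'match' } else { 'MISMATCH' }
    }

    [pscustomobject]@{
        Service   = $_.PSChildName
        Start     = $svc.Start        # 0 = boot, 4 = disabled (as used in the procedure above)
        ImagePath = $svc.ImagePath
        Status    = $status
    }
} | Where-Object { $_.Status -ne 'match' } | Sort-Object Status | Format-Table -AutoSize
```

As gjf's caveat implies, treat the result as a lead rather than proof: run the comparison from a clean boot (the RC or LKGC mentioned earlier, with the suspect disk offline) when the live system is in doubt, since a kernel-mode rootkit that filters disk reads can hand back the original bytes for its host file.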