Rootkit TDL 3 (alias TDSS, Alureon)

Forum for analysis and discussion about malware.

Re: Rootkit TDL 3 (alias TDSS, Alureon)

Postby gjf » Wed Apr 14, 2010 10:39 am

STRELiTZIA wrote:Hi,
Updated for fun :)
TDL3+ Cleaner 1.1
Tested on Windows Xp Sp2 and Sp3
Working with "Copy/Restore" exploit...


Sorry, but it does not work! OK, details....

I have used VMWare 7.0.1 build-227600 with WinXP SP3 Pro and the latest updates. I have performed an initial scan with VBA32 to be sure the system is clean.
Infected.zip
After that I have infected the system and rebooted. Then performed a second scan with VBA32 to see that the system is infected.
Initial.zip


So I have started the file and installed the service. After starting the process the PC beeped one time, so I have rebooted the system. During booting the message "pci.sys file is absent" was shown and booting stopped. I have no idea what's wrong with pci.sys (another driver was infected, it is clear from the logs) or what's wrong at all.

So - no good! :(

AFAIK DrWeb CureIt utility cures TDL3, but there are a number of bugs with controllers other than ATA (especially SCSI, SATA etc.). Another bug is a BSOD with TrueCrypt partitions, no matter whether the infection is present or not.

So I still have to wait. :roll:
gjf
 
Posts: 106
Joined: Mon Mar 15, 2010 10:23 am
Reputation point: 6

Re: Rootkit TDL 3 (alias TDSS, Alureon)

Postby nullptr » Wed Apr 14, 2010 12:36 pm

The TDL3+Cleaner Test Release from last week works fine as long as you identify the correct driver. The TDL3+ Cleaner 1.1 seems to delete a driver causing boot failure.
xp sp3 in Virtual PC.
nullptr
 
Posts: 35
Joined: Sun Mar 14, 2010 6:35 am
Reputation point: 55

Re: Rootkit TDL 3 (alias TDSS, Alureon)

Postby djpnuemo » Wed Apr 14, 2010 3:14 pm

nullptr wrote:The TDL3+Cleaner Test Release from last week works fine as long as you identify the correct driver. The TDL3+ Cleaner 1.1 seems to delete a driver causing boot failure.
xp sp3 in Virtual PC.


I had the same problem on a test machine (non-virtual).
djpnuemo
 
Posts: 10
Joined: Mon Mar 15, 2010 3:12 pm
Reputation point: 0

Re: Rootkit TDL 3 (alias TDSS, Alureon)

Postby STRELiTZIA » Wed Apr 14, 2010 5:17 pm

Thanks for reports :)
Attached a Test Release with a new option to manually add the second infected driver name.
Use "Gmer" to get the second infected driver name.
STRELiTZIA
 
Posts: 15
Joined: Sun Mar 14, 2010 7:02 am
Reputation point: 55

Re: Rootkit TDL 3 (alias TDSS, Alureon)

Postby djpnuemo » Wed Apr 14, 2010 6:49 pm

STRELiTZIA wrote:Thanks for reports :)
Attached a Test Release with a new option to manually add the second infected driver name.
Use "Gmer" to get the second infected driver name.


Appreciate the update.

I ran it and entered the second driver found, tcpip.sys, and now cannot browse. Done all the normal TCP/IP resets/reinstalls to no avail. The infection is gone though! ;)
djpnuemo
 
Posts: 10
Joined: Mon Mar 15, 2010 3:12 pm
Reputation point: 0

Re: Rootkit TDL 3 (alias TDSS, Alureon)

Postby gjf » Wed Apr 14, 2010 8:14 pm

Don't know - too many moves. The simplest way is to boot up ERD Commander and scan for non-valid files :)
gjf
 
Posts: 106
Joined: Mon Mar 15, 2010 10:23 am
Reputation point: 6

Re: Rootkit TDL 3 (alias TDSS, Alureon)

Postby InsaneKaos » Wed Apr 14, 2010 10:08 pm

Recovery Console and a batch script can mostly do the whole job. I've attached a batch file that should find and remove TDL in two steps with the RC.
InsaneKaos
 
Posts: 12
Joined: Fri Apr 09, 2010 1:47 pm
Location: Germany
Reputation point: 0

Re: Rootkit TDL 3 (alias TDSS, Alureon)

Postby gjf » Wed Apr 14, 2010 10:17 pm

InsaneKaos, did you test your script on infected systems? I don't believe a simple fc command will reveal the rootkit. AFAIK TDL3 returns the original unpatched file during file operations, doesn't it?
gjf
 
Posts: 106
Joined: Mon Mar 15, 2010 10:23 am
Reputation point: 6

Re: Rootkit TDL 3 (alias TDSS, Alureon)

Postby InsaneKaos » Wed Apr 14, 2010 10:28 pm

I've tested it over 10 times, for me it works.

FC will reveal it. The script copies all sys files to Windows\DriversToCkeck while you are logged on in the RC. Then it does the FC stuff against the drivers in System32\Drivers while in normal mode. If it finds a difference, it will copy the driver from System32\Drivers to Windows\ and replace it when you reboot again into the RC. (The driver in System32\Drivers is infected, but TDL will reflect a clean copy, so you can use it.)
InsaneKaos
 
Posts: 12
Joined: Fri Apr 09, 2010 1:47 pm
Location: Germany
Reputation point: 0
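
The two-step cross-view check InsaneKaos describes, as an added Python illustration (not the batch file attached to the post): the offline snapshot folder and the live driver folder are constructed sample directories with fake driver bytes, not real drivers, and a SHA-256 comparison stands in for fc. Like the batch script, it stages the clean live copy for later replacement instead of deleting the driver.

```python
"""Cross-view check for a driver-patching rootkit that hides its changes:
compare a snapshot of the drivers taken while the rootkit is NOT running
(offline copy, e.g. made from the Recovery Console) with what the running
system returns for the same files (live view). A mismatch means the real
on-disk driver differs from what the rootkit lets normal reads see."""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_mismatched_drivers(offline_dir, live_dir):
    """Names of *.sys files whose offline snapshot differs from the live view
    (a driver missing from the live view is reported as well)."""
    offline_dir, live_dir = Path(offline_dir), Path(live_dir)
    mismatched = []
    for snap in sorted(offline_dir.glob("*.sys")):
        live = live_dir / snap.name
        if not live.exists() or sha256_of(snap) != sha256_of(live):
            mismatched.append(snap.name)
    return mismatched


def stage_clean_copies(mismatched, live_dir, staging_dir):
    """Copy the live (rootkit-reflected, clean) versions to a staging folder,
    to be swapped back over the infected files while the rootkit is inactive."""
    staging = Path(staging_dir)
    staging.mkdir(parents=True, exist_ok=True)
    staged = []
    for name in mismatched:
        src = Path(live_dir) / name
        if src.exists():
            shutil.copy2(src, staging / name)
            staged.append(name)
    return staged


def demo():
    # Constructed sample (hypothetical paths/bytes): three fake drivers,
    # 'atapi.sys' is patched on disk but the live view shows the clean bytes.
    root = Path(tempfile.mkdtemp())
    offline, live, staging = root / "DriversToCheck", root / "Drivers", root / "Staged"
    offline.mkdir()
    live.mkdir()
    clean = {"atapi.sys": b"MZ..clean atapi", "tcpip.sys": b"MZ..tcpip", "pci.sys": b"MZ..pci"}
    for name, data in clean.items():
        (live / name).write_bytes(data)    # what the running system returns
        (offline / name).write_bytes(data)
    (offline / "atapi.sys").write_bytes(clean["atapi.sys"] + b"\x00PATCHED")  # real on-disk content
    bad = find_mismatched_drivers(offline, live)
    return bad, stage_clean_copies(bad, live, staging)
```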

Re: Rootkit TDL 3 (alias TDSS, Alureon)

Postby gjf » Wed Apr 14, 2010 10:33 pm

Oh, I've missed the RC moment! In this case sure it will work. Thanks.
What about the hypothetical situation when TDL3 infects a system driver, but not a Microsoft one?
gjf
 
Posts: 106
Joined: Mon Mar 15, 2010 10:23 am
Reputation point: 6
