A forum for reverse engineering, OS internals and malware analysis 
 #815  by EP_X0FF
 Wed Apr 21, 2010 9:44 am
lars wrote: Just updated Norman TDSS Cleaner: http://download.norman.no/public/Norman ... leaner.exe
In my tests so far, it cleans the newest 3.273+ (random driver infector). I would love if someone could verify or report any issues ;)
Windows XP SP3
NTC works :)
 #816  by nullptr
 Wed Apr 21, 2010 9:46 am
lars wrote: Just updated Norman TDSS Cleaner: http://download.norman.no/public/Norman ... leaner.exe
In my tests so far, it cleans the newest 3.273+ (random driver infector). I would love if someone could verify or report any issues ;)
Tested on XP SP3 in Virtual PC - successful removal of infection, but for some reason the cleaner saw fit to remove the appmgmt service and its respective DLL.
 #818  by lars
 Wed Apr 21, 2010 10:05 am
nullptr wrote: successful removal of infection, but for some reason the cleaner saw fit to remove the appmgmt service and its respective DLL.
Thanks for testing guys!

Did you notice what the log file said when it removed appmgmt?
 #820  by nullptr
 Wed Apr 21, 2010 10:48 am
I just realised that I loaded my XP SP3 Home image, where there is no appmgmt - MS just forgot to remove the service entry, so Norman cleaner was kind enough to remove it for them. :)
In further testing on XP SP3 Pro there are no problems with removal.
 #822  by erikloman
 Wed Apr 21, 2010 11:34 am
lars wrote: Just updated Norman TDSS Cleaner: http://download.norman.no/public/Norman ... leaner.exe

In my tests so far, it cleans the newest 3.273+ (random driver infector). I would love if someone could verify or report any issues ;)
I get a BSOD right before rebooting.
Using VMware Workstation 7 with guest Windows XP SP3 + vmscsi.sys as its disk driver.
 #823  by lars
 Wed Apr 21, 2010 11:50 am
Yikes,

So, you're saying that all is well while it runs and while the system shuts down. And then it blue screens just before rebooting? Does it come back up?

Any chance to obtain a minidump (or any memory dump for that matter)? Log files might help as well.
 #824  by erikloman
 Wed Apr 21, 2010 12:21 pm
I have made a movie of what happens.
I am currently unable to retrieve the memory dump as the guest will no longer boot.
When I have time I'll try to retrieve the file using a boot CD.
 #825  by IndiGenus
 Wed Apr 21, 2010 12:29 pm
erikloman wrote: I have made a movie of what happens.
I am currently unable to retrieve the memory dump as the guest will no longer boot.
When I have time I'll try to retrieve the file using a boot CD.
Have you tried Last Known Good? My guess and experience with this is it won't work, but it's easy to check.