KernelMode.info

Hi,

I have 2 Question.

1. Some one over here said that "Root-kit Unhooker can work in safe-mode but needs to be configured". So how to configure ?

2. I've also seen someone saying, "TDL Cleaner tool by Sterilizia can fix TDL3 with little help from RKU". Ive identified the Entry Point file by using RKU. I put that name in Second Driver Box(located in TDL3+ cleaner). Finally its saying "cannot find the File". Anybody aware of , Where exactly TDL cleaner is looking for a backup file. So that, i can place a good copy in that location for TDL3 to pick it up.

1. Setup > Settings > use "Extended Mode".......reboot.
2. Remove Load Image callback first, then remove TDL3 Ntxxx hooks before starting the cleaner.
Are you entering the exact driver name (w/ correct spelling) e.g serial.sys?

Thanks null.

Remove Load Image callback first, then remove TDL3 Ntxxx hooks before starting the cleaner.

To be frank, i don't know what does that mean & how to do it.. But i will try to figure out the meaning for the above Quote.

And YES, i type the exact file name(eg afd.sys) .

If there is a scenario, where "afd.sys" is not located anywhere else in the system --- - Here i Hope TDL3+ cleaner can not cure the pc as No replacement is available . Correct ? I have tried placing a Good copy of afd.sys in many locations. But TDL3+ cleaner is not identifying the backup file placed by me & says "cannot find the file".

Again, Thanks a Ton for your Kind reply.

4everyone wrote:Thanks null.

Remove Load Image callback first, then remove TDL3 Ntxxx hooks before starting the cleaner.

To be frank, i don't know what does that mean & how to do it.. But i will try to figure out the meaning for the above Quote.

goto Tools->Kernel Callback Routines, find LoadImage callback with unknown_notify_handler, select it, press delete
goto Code Hooks->Scan, if you infected with TDL3 you will see a lot of hooks with NtWriteVirtualMemory stuff. Select all of them and unhook it by appreciate button.
See screenshot.



Probably for TDL3 cleaner you need specify full path e.g. C:\Windows\System32\drivers\afd.sys not only driver name.

Hi EP_XOFF

Thanks for the detailed Info. I am going to try that..

On TDL3+ Cleaner, the below is the Error message i get... In example, they've given just the File alone & not the path.. Hope, i tried file name & full path too. But no Go..



Anyhow, thanks a lot for all your help .. :)

Use this build - http://www.kernelmode.info/forum/downlo ... .php?id=85

Infected driver name is all that's needed. (no path)

Hi,
TDL3+ Cleaner consists of two files:
- GUI: TDLCleaner.exe
- Service: TDLCleanerSv.exe

Your error message relates to the presence of the "service" "TDLCleanerSv.exe" and not of second infected driver...
Look, Operation message: Start cleaner service Status: The system cannot find the file specified.

Solution:
1- Make sure both files are in the same directory.Important...
2- Unistall service and reinstall it if you changes TDL3+ Cleaner place. Important...
3- Infected driver name is all that's needed. (no path) eg. "pci.sys" Important...

Direct link: TDL3 Cleaner 1.1 final
http://www.at4re.com/tools/Releases/STR ... _final.rar

Attached TDL3+ Cleaner Help.

Regards

Worked like a charm... :D

Thanks to STRELiTZIA, Null, EP_XOFF. :)

Till now i was thinking like, TDL3+ Cleaner is replacing using a backup copy. I dont find a bacup copy of agp440.sys in my pc. Still, Cleaner fixed it..

Not sure how agp440.sys is fixed. STRELITZIA , Is it does the job of Cleaning & hence no need for a back up copy ?? Orelse TDL Cleaner searches for a backup in .cab file ?

Topic renamed and moved to Tools / Software subforum.

4everyone wrote:Worked like a charm... :D
Till now i was thinking like, TDL3+ Cleaner is replacing using a backup copy. I dont find a bacup copy of agp440.sys in my pc. Still, Cleaner fixed it..

Not sure how agp440.sys is fixed. STRELITZIA , Is it does the job of Cleaning & hence no need for a back up copy ?? Orelse TDL Cleaner searches for a backup in .cab file ?

Neither one nor the other :)
The principle is quite simple, TDL3+ Cleaner copies infected driver(s) to Windows Temp folder and restore it to his
original path, this trick clear infected driver image.

But the rootkit reinfects the driver using Watchdog threads, so I used TDL3+ Cleaner Service to work at the moment when Windows shuts down.