[InsaneKaos]

I've tested it over 10 times, for me it works.

FC will reveal it. The script copies all sys-files to Windows\DriversToCkeck while you are logged on RC. Then do the FC stuff against the driver in System32\Drivers while in normal mode. If it found a difference, it will copy the driver from System32\Drivers to Windows\ and replace it when you reboot again into RC. (The Driver in System32\Drivers is infected, but TDL will reflect a clean copy, so you can use it).

[gjf]

Oh, I've missed RC moment! In this case sure it will work. Thanks.
What about hypotetic situation when TDL3 infects system driver, but not from Microsoft one?

[InsaneKaos]

It will work, because FC checks the differences of the file itself, not the signing.

[gjf]

No, I meant another situation. Let's assume I have ElbyCDIO.sys driver installed in system and exactly this driver was infected. This driver was installed by another software, not by Microsoft, so it will be absent at RC. Nothing to compare with.

[InsaneKaos]

Why this should not be listed under RC. It is there and the batchfile will copy it to DriversToCheck. It worked already with VboxGuest.sys and avipbb.sys (Avira's ARK-Driver) on my VM.

[gjf]

OK, have to test by myself. Not sure... and I believe small modification of code in rootkit which will give the crap when copying driver can cause a problem.

Anyway - thanks a lot!

[EP_X0FF]

Boooooo request to help and all replies were moved to separate thread Help with TDSS removal.

[zack]

I've seen a lot of posts detailing some of the files found within the hidden filesystem of this rootkit. I was just wondering how this data is read and what tools are needed?

[EP_X0FF]

Hello,


they are:
extracted from processes address space
intercepted while uploading
extracted from rootkit body with RE
gathered from tdl file system with private tools

Regards.

[Gabethebabe]

1st poast :)

Hey guys, very interesting forum you got here for the malware helpers. I picked up some TDSS samples from this threat, but the samples don´t seem to work in my Virtualbox system (version 3.1.6). Either running WINXP SP3 up-to-date or an outdated WINXP SP2 and trying to run any of the newer droppers triggers a Vbox reboot. Virtualbox is not a good testing system?

Thanks and keep up the good work!