A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #741  by Boooooo
 Thu Apr 15, 2010 7:47 pm
Yes, I agree, but if the infected driver is revealed (for example with Rootkit Unhooker v3.8), then replacing it on boot with RC can be a possible workaround for the problem..... :lol:

By the way, I tried Rootkit Unhooker v3.8; I can't find any file name in the "Stealth code" tab, but only 3 "unknown page" entries. I will try in safe mode.

Rootkit Unhooker gave a warning on startup about a running process DLL, "advapi32.dll".
 #742  by EP_X0FF
 Fri Apr 16, 2010 3:20 am
Rootkit Unhooker needs to be configured to run in safe mode.
It must be started with the command line -console, then you should type "forcesafemode" without quotes and reboot the machine.
However, if it was unable to identify the driver in normal mode, I'm not sure that running in Safe mode will help.
Are there any unknown notify callbacks present in the system? rku->tools->kernel callbacks routines?
 #748  by gjf
 Fri Apr 16, 2010 10:55 am
bardamu wrote: Does this vba32 scan show signs of TDL or are these false positives?

http://img641.imageshack.us/img641/4010/28618257.jpg
http://img526.imageshack.us/img526/8317/84743417.jpg
http://img411.imageshack.us/img411/5647/66131029.jpg
Please provide the version of VBA32 you have used.
 #749  by EP_X0FF
 Fri Apr 16, 2010 1:45 pm
bardamu wrote: Does this vba32 scan show signs of TDL or are these false positives?

http://img641.imageshack.us/img641/4010/28618257.jpg
http://img526.imageshack.us/img526/8317/84743417.jpg
http://img411.imageshack.us/img411/5647/66131029.jpg
Post full log from GMER and Rootkit Unhooker (3.8 SR2) additionally.
 #771  by Boooooo
 Mon Apr 19, 2010 4:25 pm
Hi guys, I solved it with a Windows XP installation repair. I didn't try a rescue antivirus CD simply because the notebook is not mine and I had only a little time to try repairing it; now the rootkit seems absolutely gone!

The notebook owner reported to me that after some days of notebook usage (even though TDSSkiller was saying File "C:\WINDOWS\system32\drivers\atapi.sys" infected by TDSS rootkit, the notebook functionality appeared good), suddenly he couldn't boot because of a corrupted isapnp.sys, so as soon as I had the notebook I took the Windows XP CD and repaired the installation.

Now the infection seems cleared; TDSSkiller doesn't report any rootkit infection.
 #776  by djpnuemo
 Mon Apr 19, 2010 10:58 pm
In my daily tests of tools that USED to work, I found that combofix (downloaded today) removed the infection from my test system (non-virtual). Not a fan of combofix, but it may be something to tide people over.
 #787  by Boooooo
 Tue Apr 20, 2010 9:01 am
I even tried combofix, but it crashed (BSOD), I suppose because of the gmer combofix session; in fact, if I run a scan with the stand-alone gmer tool I had the same BSOD.

Probably a complete scan with a live rescue CD (for example a Kaspersky one) would fix the problem, but I was too bored, and a Windows installation repair was for me the quick and easy way :lol:
 #795  by djpnuemo
 Tue Apr 20, 2010 5:29 pm
FYI

Ran dr.web cureit (downloaded today) and scanned the infected test system (used sample from http://www.kernelmode.info/forum/viewto ... p=779#p779). It found the pciide.sys infection (cured it about 12 times) and prompted for a reboot. Upon reboot, the infection is gone (confirmed with RkU and GMER).
Last edited by djpnuemo on Tue Apr 20, 2010 5:36 pm, edited 1 time in total.