Quick question for EP_X0FF and A_D_13
Do either of your RKScanners work on X64?
EP_X0FF wrote: MBRCheck will work and detect it AFAIK. Likely remove it also.

I'm sure a_d_13 will have more to add to this than I.... :roll:
x64 detection/analysis/removal tool is currently in development. Well actually it will be cross-platform. However it will be private so no point to discuss it here.
Fabian Wosar wrote: Sorry Fabian. I believe that I have done something wrong before.. Checked it now, works good.

4everyone wrote: Worked for me with Older Versions of TDL3.. Tried with the new mbr thingie, didn't work for me..

Are you sure the rootkit is running? I used it for pretty much every single sample I posted on Windows 7 x64 and tried some older samples of TDL-3 on Windows XP as well. But it is still just a dirty hack. So failure is kind of expected.
Can you send me the sample you tried it with and what system you tried it on? Maybe I can adjust it.
LeastPrivilege wrote: This should be a lesson for people who own retail OEM machines that use recovery partitions to backup their MBR and put it away for safe keeping.

Tis a good point. Though most "average" PC users would never know to do this. Nor would they know how it's done even if someone told them. Do any of the OEMs such as Dell, HP, etc... provide a tool for doing this? Something that is a simple point and click tool?
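A defender-side way to act on that advice, added here as an example and not code from this thread or from any tool named in it: back up the MBR once, then compare the live MBR against the copy and report which region changed. It assumes a Linux host with dd and sha256sum, and DISK standing for a block device such as /dev/sda or a raw disk image file.

```shell
# Added example, not from the thread. Standard MBR layout used for the offsets:
# 0-439 bootstrap code, 440-445 disk signature/reserved, 446-509 partition
# table, 510-511 boot signature 0x55AA. DISK is a block device or a raw image.

region_hash() {
    # usage: region_hash FILE_OR_DISK OFFSET LENGTH -> sha256 of that byte range
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | sha256sum | cut -d' ' -f1
}

backup_mbr() {
    # usage: backup_mbr DISK BACKUP_FILE
    # Copies the first 512 bytes; refuses a copy without the 0x55AA signature,
    # which usually means the wrong device or a read error.
    dd if="$1" of="$2" bs=512 count=1 2>/dev/null || return 1
    [ "$(region_hash "$2" 510 2)" = "$(printf '\125\252' | sha256sum | cut -d' ' -f1)" ]
}

check_mbr() {
    # usage: check_mbr DISK BACKUP_FILE
    # Exit status: 0 = identical, 1 = bootstrap code changed, 2 = partition
    # table changed, 3 = both. Changed bootstrap code with an intact partition
    # table is the typical footprint of MBR-level tampering, since the system
    # still has to boot normally afterwards.
    status=0
    if [ "$(region_hash "$1" 0 440)" != "$(region_hash "$2" 0 440)" ]; then
        status=1
    fi
    if [ "$(region_hash "$1" 446 64)" != "$(region_hash "$2" 446 64)" ]; then
        status=$((status + 2))
    fi
    return "$status"
}

restore_bootcode() {
    # usage: restore_bootcode BACKUP_FILE DISK
    # Writes back only the bootstrap code (first 440 bytes) so the current
    # partition table and disk signature are left untouched. Run it against
    # the real device only from a boot medium you trust.
    dd if="$1" of="$2" bs=440 count=1 conv=notrunc 2>/dev/null
}
```

Typical use is `backup_mbr /dev/sda mbr.bin` on a clean machine, kept offline, then `check_mbr /dev/sda mbr.bin` from a rescue boot whenever an infection is suspected.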