A forum for reverse engineering, OS internals and malware analysis 

Forum for announcements and questions about tools and software.
 #1706  by 4everyone
 Fri Jul 30, 2010 10:02 pm
Hi,

I have 2 Question.

1. Some one over here said that "Root-kit Unhooker can work in safe-mode but needs to be configured". So how to configure ?

2. I've also seen someone saying, "TDL Cleaner tool by Sterilizia can fix TDL3 with little help from RKU". Ive identified the Entry Point file by using RKU. I put that name in Second Driver Box(located in TDL3+ cleaner). Finally its saying "cannot find the File". Anybody aware of , Where exactly TDL cleaner is looking for a backup file. So that, i can place a good copy in that location for TDL3 to pick it up.
Last edited by EP_X0FF on Sun Aug 01, 2010 3:05 am, edited 1 time in total. Reason: added more sense to topic title
 #1709  by nullptr
 Sat Jul 31, 2010 3:44 am
1. Setup > Settings > use "Extended Mode".......reboot.
2. Remove Load Image callback first, then remove TDL3 Ntxxx hooks before starting the cleaner.
Are you entering the exact driver name (w/ correct spelling) e.g serial.sys?
 #1721  by 4everyone
 Sat Jul 31, 2010 12:16 pm
Thanks null.
Remove Load Image callback first, then remove TDL3 Ntxxx hooks before starting the cleaner.
To be frank, i don't know what does that mean & how to do it.. But i will try to figure out the meaning for the above Quote.

And YES, i type the exact file name(eg afd.sys) .

If there is a scenario, where "afd.sys" is not located anywhere else in the system --- - Here i Hope TDL3+ cleaner can not cure the pc as No replacement is available . Correct ? I have tried placing a Good copy of afd.sys in many locations. But TDL3+ cleaner is not identifying the backup file placed by me & says "cannot find the file".

Again, Thanks a Ton for your Kind reply.
 #1722  by EP_X0FF
 Sat Jul 31, 2010 1:11 pm
4everyone wrote:Thanks null.
Remove Load Image callback first, then remove TDL3 Ntxxx hooks before starting the cleaner.
To be frank, i don't know what does that mean & how to do it.. But i will try to figure out the meaning for the above Quote.
goto Tools->Kernel Callback Routines, find LoadImage callback with unknown_notify_handler, select it, press delete
goto Code Hooks->Scan, if you infected with TDL3 you will see a lot of hooks with NtWriteVirtualMemory stuff. Select all of them and unhook it by appreciate button.
See screenshot.

Image

Probably for TDL3 cleaner you need specify full path e.g. C:\Windows\System32\drivers\afd.sys not only driver name.
 #1725  by 4everyone
 Sat Jul 31, 2010 3:50 pm
Hi EP_XOFF

Thanks for the detailed Info. I am going to try that..

On TDL3+ Cleaner, the below is the Error message i get... In example, they've given just the File alone & not the path.. Hope, i tried file name & full path too. But no Go..

Image

Anyhow, thanks a lot for all your help .. :)
 #1733  by STRELiTZIA
 Sat Jul 31, 2010 5:49 pm
Hi,
TDL3+ Cleaner consists of two files:
- GUI: TDLCleaner.exe
- Service: TDLCleanerSv.exe

Your error message relates to the presence of the "service" "TDLCleanerSv.exe" and not of second infected driver...
Look, Operation message: Start cleaner service Status: The system cannot find the file specified.

Solution:
1- Make sure both files are in the same directory.Important...
2- Unistall service and reinstall it if you changes TDL3+ Cleaner place. Important...
3- Infected driver name is all that's needed. (no path) eg. "pci.sys" Important...

Direct link: TDL3 Cleaner 1.1 final
http://www.at4re.com/tools/Releases/STR ... _final.rar

Attached TDL3+ Cleaner Help.

Regards
Attachments
(111.71 KiB) Downloaded 53 times
 #1734  by 4everyone
 Sat Jul 31, 2010 10:15 pm
Worked like a charm... :D

Thanks to STRELiTZIA, Null, EP_XOFF. :)

Till now i was thinking like, TDL3+ Cleaner is replacing using a backup copy. I dont find a bacup copy of agp440.sys in my pc. Still, Cleaner fixed it..

Not sure how agp440.sys is fixed. STRELITZIA , Is it does the job of Cleaning & hence no need for a back up copy ?? Orelse TDL Cleaner searches for a backup in .cab file ?
 #1736  by EP_X0FF
 Sun Aug 01, 2010 3:16 am
Topic renamed and moved to Tools / Software subforum.
 #1737  by STRELiTZIA
 Sun Aug 01, 2010 10:03 am
4everyone wrote:Worked like a charm... :D
Till now i was thinking like, TDL3+ Cleaner is replacing using a backup copy. I dont find a bacup copy of agp440.sys in my pc. Still, Cleaner fixed it..

Not sure how agp440.sys is fixed. STRELITZIA , Is it does the job of Cleaning & hence no need for a back up copy ?? Orelse TDL Cleaner searches for a backup in .cab file ?
Neither one nor the other :)
The principle is quite simple, TDL3+ Cleaner copies infected driver(s) to Windows Temp folder and restore it to his
original path, this trick clear infected driver image.

But the rootkit reinfects the driver using Watchdog threads, so I used TDL3+ Cleaner Service to work at the moment when Windows shuts down.