
So, yeah...Bootkit TDL4


2 replies to this topic

#1 gRockIT 777

  • Members
  • 2 posts
  • Gender:Male
  • Local time:07:25 PM

Posted 19 April 2011 - 09:08 PM

Hey,

I work at a computer repair shop but I basically just started a few weeks ago and so I'm still being trained. But I'm just looking for some extra info on my own, because I can get actual help from my boss. My dad called me up a few days ago and said he ran Windows XP automatic updates on his PC over night, and in the morning he quickly realized something was wrong. He got some errors for starters, among them the usual "The system has recovered from a serious error." He declined to send an error report...and, it asks him again. And again, several more times until he finally accepts. However, that didn't go too well either. I don't know exactly what happened next because I wasn't there, but he got another error saying the report was corrupted and that it failed. Soon after that, he had shut it down and found he could not boot normally, so he tried safe mode, and that worked fine.

So I finally went to check myself. I ended up loading Hiren's and ran some scans which caught, along with some registry issues, 8 instances of (I forget how the dots and slashes went) Adware Vundo Variant MS Fake. Thinking it was all set, I left only to hear the next morning that the same issues were still happening. So I brought it to work for some help, where upon bootup there were no issues whatsoever. I ran MBAM once or twice on my own just to make sure, not even bothering my boss yet, and nothing came up. Brought it home, left again, and you probably figured...the issues persisted. I DID see it myself. Trying to boot normally simply causes it to reboot. So I brought it back to work today and got my boss partially involved this time. He knew right away when I described the problem, so we ran TDSSKiller, which actually failed to catch anything for some reason. We followed up with ComboFix and caught and removed a Bootkit TDL4. Again thinking it was over, I brought it home and still it would not boot normally. Which I thought was REALLY weird because we tested it and it worked fine at the shop after the scans. So to wrap up, the bootkit has obviously dug itself in quite well and I was wondering (I didn't even ask my boss yet) will I need to run the drive as a secondary, back everything up, disinfect the backup, then literally destroy/throw away the drive and get a new one? Or might a Darik's Boot and Nuke followed by a reinstall do the job? We're gonna throw our full effort at this thing tomorrow.

Some quick last questions, is it possible to infect a CD? Should I snap my Hiren's disk? And also, I had used my good USB flash drive to copy some of my old files from the PC after we ran the scans, thinking at the time that it was all clear. I wouldn't doubt that it's infected now, but how would I safely clean it up? I have my own PC and wouldn't DARE plug it in to that at this point. I even stuck a Post-it warning note to the USB drive just in case. I can always make a new Hiren's, because I have TONS of CDs, but I would really HATE to lose my only USB drive.

I apologize for such a lengthy post. Any info would be greatly appreciated.


#2 JacobHall

  • Members
  • 300 posts
  • Local time:11:25 PM

Posted 20 April 2011 - 05:43 AM

You don't need to trash anything! (Except for the system maybe?)

The drives, no. You can simply back up the VERY IMPORTANT stuff and then reformat the drive with a fresh copy of XP or whatever, and before you copy over the very important files make sure you give them a good brisk over with AV and malware scanning products, and when you're ready copy them back over.

USBs can be disinfected:

  • Download FlashDisinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that is plugged in when you run it. Don't delete this folder...it will help protect your drives from future infection.


(Taken from a post by quietman7)


Hopefully I have helped; however, you may be able to recover the system depending on what the system was infected with. We need some logs to try and diagnose exactly the state of the system and how badly it was infected.

Edited by Super Panda, 20 April 2011 - 05:45 AM.
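The reason the autorun.inf folder in the reply above protects a drive is worth seeing in code. The example below is an added illustration, not the Flash_Disinfector tool by sUBs and not anything quietman7 or JacobHall posted. It inspects a drive root for an autorun.inf file, reports the entries that would launch a program when the drive is inserted (the key list is my own choice of the documented launch hooks), quarantines the file, and puts a folder of the same name in its place so a dropper can no longer write one. The "drive" is a constructed temporary directory holding a made-up autorun.inf with a placeholder "setup.exe"; the quarantine file name and the hidden/system-attribute step (skipped here, since it is Windows-only) are assumptions.

```python
import configparser
import shutil
import tempfile
from pathlib import Path

# autorun.inf keys that hand control to an arbitrary program when the drive is
# inserted or opened in Explorer; removable-media droppers plant one of these.
# (My own selection of the documented launch hooks, not an exhaustive list.)
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")

# Constructed sample of the kind of autorun.inf a dropper leaves on a USB stick.
# Not a real malware sample; "setup.exe" is a placeholder name.
SAMPLE_AUTORUN = (
    "[autorun]\n"
    "open=setup.exe\n"
    "icon=%SystemRoot%\\system32\\SHELL32.dll,4\n"
    "shell\\open\\command=setup.exe\n"
)


def inspect_autorun(drive_root):
    """Classify what sits at <drive_root>/autorun.inf and list any launch hooks."""
    target = Path(drive_root) / "autorun.inf"
    if not target.exists():
        return {"state": "absent", "launches": []}
    if target.is_dir():
        return {"state": "protected_folder", "launches": []}
    # interpolation=None: real autorun.inf files carry %SystemRoot%-style values
    # that the default interpolation would reject; strict=False tolerates the
    # duplicate keys sloppy droppers often write.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(target.read_bytes().decode("utf-8-sig", errors="replace"))
    except configparser.Error:
        # Garbage in the file is itself worth reporting: a legitimate
        # autorun.inf is a plain INI file.
        return {"state": "file_unparseable", "launches": []}
    launches = []
    for section in parser.sections():
        if section.lower() != "autorun":  # [autorun] / [AutoRun] both occur
            continue
        for key, value in parser.items(section):  # keys come back lowercased
            if key in LAUNCH_KEYS:
                launches.append(f"{key}={value}")
    return {"state": "file", "launches": launches}


def protect_drive(drive_root, quarantine_dir):
    """Quarantine a rogue autorun.inf file and leave a folder of that name behind.

    A folder cannot be overwritten by a file of the same name, so a dropper that
    later tries to write autorun.inf fails. The Windows tool also marks the folder
    hidden+system; this portable example skips that. Returns the resulting state.
    """
    target = Path(drive_root) / "autorun.inf"
    quarantine = Path(quarantine_dir)
    state = inspect_autorun(drive_root)["state"]
    if state in ("file", "file_unparseable"):
        quarantine.mkdir(parents=True, exist_ok=True)
        shutil.move(str(target), str(quarantine / "autorun.inf.quarantined"))
    if not target.exists():
        target.mkdir()  # idempotent: an existing folder is left alone
    return inspect_autorun(drive_root)["state"]


def make_demo_drive():
    """Create a temporary directory standing in for an infected USB stick."""
    root = Path(tempfile.mkdtemp(prefix="usbdemo_"))
    (root / "autorun.inf").write_text(SAMPLE_AUTORUN)
    return root


if __name__ == "__main__":
    drive = make_demo_drive()
    print("before:", inspect_autorun(drive))
    print("after :", protect_drive(drive, drive / "_quarantine"))
```

Run against the demo directory, the first report lists the two launch entries (`open` and `shell\open\command`) while ignoring the harmless `icon` line; after `protect_drive` the state is `protected_folder`, the original file sits in the quarantine directory for later analysis, and any attempt to write a new autorun.inf at that path raises an OSError, which is exactly the property the hidden folder relies on.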


#3 gRockIT 777
  • Topic Starter

  • Members
  • 2 posts
  • Gender:Male
  • Local time:07:25 PM

Posted 20 April 2011 - 08:35 AM

Thanks for the reply! I really wish that I actually had logs and screenshots, but I didn't save/take any and right now I'm at MY PC. So lemme double check this: a simple reformat and reinstall should do the trick? But if it somehow doesn't, would my back-up plan be a run of Darik's? Although, I'm about to leave for work any minute now so I guess it's too late to ask before I actually go at this thing. Anyway, I will let you know what happens/how things went. I'll post visuals later if I can. Thanks again.



