Author Topic: ATTENTION! essexboy new TDL4 botnet on client machine need help!


akama1

  • Guest
Re: ATTENTION! essexboy new TDL4 botnet on client machine need help!
« Reply #15 on: February 14, 2012, 12:55:53 PM »
This is definitely a new variant :) The links of the ones I posted were the previous variants from June 2011.

true indian

  • Guest
Re: ATTENTION! essexboy new TDL4 botnet on client machine need help!
« Reply #16 on: February 14, 2012, 01:09:09 PM »
Yes it is... I have informed essex about the CD I can use... hope he has something that can come in handy ;)

akama1

  • Guest
Re: ATTENTION! essexboy new TDL4 botnet on client machine need help!
« Reply #17 on: February 14, 2012, 01:19:55 PM »
Wow, that's intense man... good luck with KillDisk man ;)

true indian

  • Guest
Re: ATTENTION! essexboy new TDL4 botnet on client machine need help!
« Reply #18 on: February 14, 2012, 01:23:16 PM »
I am facing problems with KillDisk on Ubuntu... I am going to wait until essexboy has a suggestion.

Gotta try Slax since it's quite good and new in Linux...
« Last Edit: February 14, 2012, 01:24:55 PM by true indian »

akama1

  • Guest
Re: ATTENTION! essexboy new TDL4 botnet on client machine need help!
« Reply #19 on: February 14, 2012, 01:27:52 PM »
Why on earth is it on Ubuntu O.o? Just kill the whole hard drive, wipe it clean, install a fresh copy of Windows xD. And yes, I understand the easy to say... hard to do thing, OK.

true indian

  • Guest
Re: ATTENTION! essexboy new TDL4 botnet on client machine need help!
« Reply #20 on: February 14, 2012, 01:30:04 PM »
Quote from: akama1 on February 14, 2012, 01:27:52 PM
Why on earth is it on Ubuntu O.o? Just kill the whole hard drive, wipe it clean, install a fresh copy of Windows xD. And yes, I understand the easy to say... hard to do thing, OK.

No, I tried an Ubuntu disk to load KillDisk and remove the bot... didn't work!

The client machine is running Vista. And yeah! This piece of malware doesn't allow me to format my client's drive... when I tell it to format C: it formats the D: drive, which is the recovery drive... so no luck with that! :P

akama1

  • Guest
Re: ATTENTION! essexboy new TDL4 botnet on client machine need help!
« Reply #21 on: February 14, 2012, 01:40:28 PM »
Clever virus indeed, smart enough to outsmart humans..... OK, about the qualified malware removal part on bleepingcomputer.com, how do we get the test or whatsoever thing to be one? Just curious, I'm only 15 and pretty interested to learn all this stuff.

true indian

  • Guest
Re: ATTENTION! essexboy new TDL4 botnet on client machine need help!
« Reply #22 on: February 14, 2012, 01:42:50 PM »
OK... see, put an application here:

http://www.geekstogo.com/forum/forum-164/announcement-52-start-here-application-questions-and-instructions/


good luck!

I would prefer to watch the malware removal experts assisting, and that itself brings me close to their knowledge!

« Last Edit: February 14, 2012, 01:44:30 PM by true indian »

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: ATTENTION! essexboy new TDL4 botnet on client machine need help!
« Reply #23 on: February 14, 2012, 09:01:32 PM »
OK, let's use OTLPE to give you a base to work from and then use FRST to check the system out.

OK, next we will work outside of Windows, so please print these instructions out so that you know what you are doing.
  • Download OTLPENet.exe to your desktop
  • Ensure that you have a blank CD in the drive
  • Double-click OTLPENet.exe and this will then open ImgBurn to burn the file to CD
  • Reboot your system using the boot CD you just created. Note: If you do not know how to set your computer to boot from CD, follow the steps here
  • As the CD needs to detect your hardware and load the operating system, I would recommend a nice cup of tea whilst it loads :)
  • Your system should now display a Reatogo desktop. Note: as you are running from CD it is not exactly speedy
  • Double-click on the OTLPE icon.
  • Select the Windows folder of the infected drive if it asks for a location

Once you are at the Reatogo desktop you should have access to your USB drive.

For 32-bit (x86) systems download Farbar Recovery Scan Tool and save it to a flash drive.

For 64-bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.
 
Plug the flash drive into the infected PC.

From the Reatogo desktop select the USB drive and run FRST.

  • The tool will start to run.
  • When the tool opens, click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it into your reply.
« Last Edit: February 14, 2012, 10:21:30 PM by essexboy »

true indian

  • Guest
Re: ATTENTION! essexboy new TDL4 botnet on client machine need help!
« Reply #24 on: February 15, 2012, 06:53:22 AM »
The bot master is fighting like mad to stop this! >:(

I have tried OTLPENet before and it didn't work, and it doesn't work this time either.

This time the end was a horror!..... An epic BSOD....

Anything else ??? Gotta give this PC back to the client clean by next Wednesday! :-[

KillDisk log about the fake floppy image:
Code:
Floppy Disk 0
BLACKTERROR!!!!!!!!!!!!!!!
NAME:
VERSION:
SERIAL:
DEVICE GEOMETRY:
MODE LBA: NO
CYLINDERS: 80
TRACKS PER CYLINDER: 2
SECTORS PER TRACK: 36
TOTAL SECTORS: 5760
BYTES PER SECTOR: 512
TOTAL SIZE: 2.813 MB (2949120 bytes)
Writing Block (00)
CANNOT OVERWRITE
ERROR WRITING SECTORS 1 - 5760
ON FLOPPY DISK 0

Below is Image view of Floppy Disk 0:

-<<ROOT>> +$ EXTEND .HS... (Hidden, system, MFT)
$ Extend +$ RECYCLE.BIN .HS... (Hidden, system)
+$ Recycle.bin +$ SYSTEM ~ 1 .HS... (Hidden, system, resident)
System Volume Inf + $ EXTRA.!!! (Found)
+!!! Extra Deleted $ mft 262144 .HS... (Hidden, system, MFT)
$ mftmirr 4096 .HS... (Hidden, system, MFT)
$ logfile 4194304 .HS... (Hidden, system, MFT)
$ volume 0 .HS... (Hidden, system, resident)
$ attrdef 2560 .HS... (Hidden, system, MFT)
$ bitmap 1976752 .HS... (Hidden, system, MFT)
$ boot 8192 .HS... (Hidden, system, MFT)
$ badclus 0 .HS... (Hidden, system, resident)
$ Secure 0 .HS... (Hidden, system, MFT)
$ upcase 131072 .HS... (Hidden, system, MFT)

$ Extend $ quota .HSA.. (Archive, hidden, system, resident)
$ objid .HSA.. (Archive, hidden, system, resident)
$ reparse .HSA.. (Archive, hidden, system, resident)
+$ RECYCLE.BIN + S - 1 -5 - ~ 1 .hs...
+ S - 1 -5 - ~ 2 .hs...
+ S - 1 -5 - ~ 3 .hs...
SYSTEM VOLUME INF Tracking.log .HSA.. (Archive, hidden, system)
+!!! EXTRA DELETED +Folder 29 (Found)


 
« Last Edit: February 15, 2012, 07:01:18 AM by true indian »

akama1

  • Guest
Re: ATTENTION! essexboy new TDL4 botnet on client machine need help!
« Reply #25 on: February 15, 2012, 10:00:09 AM »
Wow, a TDL4 botnet that tough, huh... even a complex technique can't cure it :/ Can't boot from CD... did you try tracking down where the TDL4 executing file is located, in the MBR etc.? Perhaps you can try using the command prompt to force delete the file :/ Don't delete system32 by accident.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: ATTENTION! essexboy new TDL4 botnet on client machine need help!
« Reply #26 on: February 15, 2012, 09:00:26 PM »
Could you copy FRST to a CD and run it from there? You will need to save the log to your hard drive.

Have you tried removing the floppy drive via the registry?

DonZ63

  • Guest
Re: ATTENTION! essexboy new TDL4 botnet on client machine need help!
« Reply #27 on: February 15, 2012, 10:43:22 PM »
Did you try the Avast recovery CD, since you can boot from the CD drive?

Offline Left123

  • There Is No Patch For Human Stupidity.
  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 1048
  • Proud Community Member&Helper.
Re: ATTENTION! essexboy new TDL4 botnet on client machine need help!
« Reply #28 on: February 15, 2012, 10:52:28 PM »
Quote from: akama1 on February 14, 2012, 01:40:28 PM
Clever virus indeed, smart enough to outsmart humans..... OK, about the qualified malware removal part on bleepingcomputer.com, how do we get the test or whatsoever thing to be one? Just curious, I'm only 15 and pretty interested to learn all this stuff.
You're not here to spam; spam is not meant to be here, just a "note". It was needed, as well as proper punctuation.

DonZ63

  • Guest
Re: ATTENTION! essexboy new TDL4 botnet on client machine need help!
« Reply #29 on: February 16, 2012, 12:27:57 AM »
Might also want to give this a try:

Quote from: comment on popsci.com, 07/05/11 at 11:17 am

The rootkit is easy to remove, especially if there were no modifications made to the system, and this method applies if all other removal methods failed. Using a recovery disc from Microsoft and command prompt commands seems to fail to clear the MBR completely.

Download MBRTool.exe and burn a copy on a blank CD.

Print out a copy of the manual that comes with the MBRTool, it will be handy later.

Download a recovery disc from Microsoft for a corresponding operating system.

Restart your computer and boot into the CD.

Follow the instructions on the screen and the manual and view the MBR record.

Wipe the entire MBR record.

View MBR record to make sure there is nothing but zeros.

Remove the MBRTool disc and insert Windows Recovery disc.

Run Startup Recovery.

Windows will be able to start but not completely boot.

Remove the disc, and now run Startup recovery from the Windows menu.

After it finishes - restart and the rootkit is gone.


http://www.popsci.com/technology/article/2011-06/new-tdl-4-botnet-really-indestructible#comment-110901
« Last Edit: February 16, 2012, 12:32:18 AM by DonZ63 »
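The quoted procedure hinges on two reads of the same sector: view the MBR before the wipe, and confirm afterwards that nothing but zeros remains. The script below is an added example for this thread, not code from MBRTool, KillDisk or any poster: it parses a raw 512-byte MBR (boot code, disk signature, the four partition entries, the 0x55AA marker), implements the all-zeros check, and lists a few things worth a second look on the "before" read, such as a partition that runs past the end of the disk or unallocated sectors after the last partition. The sample MBR bytes and disk size are constructed for the example; `parse_mbr`, `audit_mbr` and the other names are this example's own.

```python
"""Inspect a raw 512-byte Master Boot Record: parse it, check whether it has
been zeroed, and list anomalies worth a second look before and after a wipe.
Added example for this thread; not code from MBRTool, KillDisk or any poster.
The sample MBR below is constructed for the example, not captured from a disk."""
import struct

SECTOR = 512
BOOT_CODE_LEN = 446       # bytes 0..445: boot code, with the disk signature at 440..443
PART_TABLE_OFF = 446      # four 16-byte partition entries follow
SIGNATURE = b"\x55\xaa"   # bytes 510..511


def parse_mbr(sector: bytes) -> dict:
    """Decode boot code state, disk signature, partition entries and 0x55AA marker."""
    if len(sector) != SECTOR:
        raise ValueError("an MBR is exactly 512 bytes")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
        status, _chs0, ptype, _chs1, lba_start, count = struct.unpack_from(
            "<B3sB3sII", sector, off)
        if ptype == 0 and lba_start == 0 and count == 0:
            continue  # unused slot
        parts.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": count,
            "lba_end": lba_start + count - 1,
        })
    return {
        "boot_code_all_zero": not any(sector[:BOOT_CODE_LEN]),
        "disk_signature": struct.unpack_from("<I", sector, 440)[0],
        "signature_ok": sector[510:512] == SIGNATURE,
        "partitions": parts,
    }


def is_all_zero(sector: bytes) -> bool:
    """The check behind 'view the MBR record to make sure there is nothing but zeros'."""
    return not any(sector)


def audit_mbr(sector: bytes, disk_sectors: int) -> list:
    """Return human-readable findings about one MBR on a disk of disk_sectors LBAs.

    Findings: boot code zeroed, 0x55AA signature missing, a partition that runs
    past the end of the disk, and unallocated space after the last partition
    (sectors outside every volume, which a bootkit can use without a filesystem)."""
    info = parse_mbr(sector)
    findings = []
    if info["boot_code_all_zero"]:
        findings.append("boot code is all zero (wiped)")
    if not info["signature_ok"]:
        findings.append("0x55AA signature missing")
    last_end = -1
    for p in info["partitions"]:
        if p["lba_end"] >= disk_sectors:
            findings.append(
                f"partition {p['index']} ends beyond disk (LBA {p['lba_end']} >= {disk_sectors})")
        last_end = max(last_end, p["lba_end"])
    tail = disk_sectors - 1 - last_end
    if info["partitions"] and tail > 0:
        findings.append(f"{tail} unallocated sectors after last partition")
    return findings


def build_mbr(partitions, boot_code=b"", disk_signature=0) -> bytes:
    """Assemble an MBR from (bootable, type, lba_start, sectors) tuples; used for the sample."""
    sector = bytearray(SECTOR)
    sector[:len(boot_code)] = boot_code
    struct.pack_into("<I", sector, 440, disk_signature)
    for i, (bootable, ptype, lba_start, count) in enumerate(partitions):
        struct.pack_into("<B3sB3sII", sector, PART_TABLE_OFF + 16 * i,
                         0x80 if bootable else 0x00, b"\xfe\xff\xff", ptype,
                         b"\xfe\xff\xff", lba_start, count)
    sector[510:512] = SIGNATURE
    return bytes(sector)


# Constructed sample: a few bytes of boot code, one bootable NTFS (0x07)
# partition at LBA 2048 of 100000 sectors, on a disk of 110000 sectors.
SAMPLE_DISK_SECTORS = 110000
SAMPLE_MBR = build_mbr([(True, 0x07, 2048, 100000)],
                       boot_code=b"\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb",
                       disk_signature=0xDEADBEEF)
WIPED_MBR = bytes(SECTOR)   # what the sector should read back as after the wipe

if __name__ == "__main__":
    for name, sec in (("before wipe", SAMPLE_MBR), ("after wipe", WIPED_MBR)):
        print(name, "all zero:", is_all_zero(sec))
        for f in audit_mbr(sec, SAMPLE_DISK_SECTORS):
            print("  -", f)
```

To run this against a real drive, feed `parse_mbr` the first 512 bytes read from the raw device (for example `\\.\PhysicalDrive0` on Windows with administrative rights, or `/dev/sda` on Linux) and pass the drive's sector count to `audit_mbr`. Two caveats the quoted steps leave implicit: wiping the entire sector also zeroes the partition table, so keep a copy of the "before" read somewhere off the machine before overwriting; and if the "after" read is not all zeros, the write did not land, which is worth knowing before relying on Startup Repair.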