TDL4 (Rootkit) - 10.29.2011 - Analysis and Removal

TDL4

System Restore (FakeAV) - 10.26.2011 - Analysis and Removal

This was performed on a Virtual Machine.
The infection places the hidden attribute on the entire OS drive.

Security AntiVirus (FakeAV) - 10.22.2011 - Analysis and Removal

This was performed on a Virtual Machine.

Modifies host file

Some obvious traces missed by MBAM shown.

Security Sphere 2012 (FakeAV) - 10.22.2011 - Analysis and Removal

This was performed on a Virtual Machine.

Zentom System Guard (FakeAV) - 10.20.2011 - Analysis and Removal

This was done on a Virtual Machine on 10.20.2011

Possibly included a ZeroAccess driver if it were not for me being on a VM.

Did not find the random RunOnce registry .exe spawns like I wanted to analyze.

Max++/Sirefef/ZeroAccess Rootkit Analysis . Volume III

Testing ESET's removal tool for this infection. Results shown.

Max++/Sirefef/ZeroAccess Rootkit Analysis . Volume II

Max++/Sirefef/ZeroAccess Rootkit Analysis

 

September 2011 max++/sirefef/zaccess sample used.

ComboFix did warn that TCP/IP was infected as well but I didn't capture that footage unfortunately. The video program I was using must have closed. The same happened when I was testing RKill and RogueKiller. Both were unsuccessful.

Prior to removing any components of infection, here are the results of various tools:

webroot's antiza tool v0.8.0.1 = PASS
tdsskiller v2.6.2.0 = PASS
hitman pro v3.5.9.130 = PASS
aswmbr v0.9.8.986 = FAIL (was shutdown during middle of scan)
ntfsaccess v2.1 = FAIL (did not restore permissions while rootkit was active, restored permissions successfully afterwards)
grantperms v3.3.6.1 = FAIL
rkill (.scr, .com, and .exe versions) = FAIL
roguekiller (winlogon.exe) v6.1.1.0 = FAIL (reports it terminated process, but process is still running in taskmgr)
mbam (mb.exe) v1.51.2.1300 = FAIL (shuts down within ~10 seconds)
sas v5.0.1128 = FAIL (shuts down within ~25 seconds)
processexplorer = FAIL (shutdown immediately after injection)