{"id":582,"date":"2010-12-05T21:46:15","date_gmt":"2010-12-06T02:46:15","guid":{"rendered":"http:\/\/swildow.darktech.org\/wp\/?p=582"},"modified":"2010-12-05T21:46:15","modified_gmt":"2010-12-06T02:46:15","slug":"alureon-bootkit-trojan","status":"publish","type":"post","link":"http:\/\/www.wildow.com\/blog\/?p=582","title":{"rendered":"Alureon Bootkit Trojan"},"content":{"rendered":"

Alureon Bootkit Trojan – Crossing the 64 bit Barrier<\/h3>\n
\n
\n

There is a very prevalent rootkit (hidden malicious program) that has been infecting Windows computers for quite some time now. The general name the <\/em>Microsoft Malware Protection Center<\/em><\/a> has assigned to this for-profit motivated threat family is <\/em>Alureon<\/em><\/a>.<\/em><\/h2>\n


\n<\/em><\/p>\n

The primary symptom of infection is browser redirects<\/strong> – this means that your search results will take You to sites other than the ones they should normally resolve to<\/strong>. Security companies and researchers have a variety of names for this malicious program – while Microsoft refers to it as Alureon<\/strong>,\u00a0 some call it TDSS<\/strong>, some call it TDL#x<\/strong> where x represents the # of the variant that’s detected.\u00a0 The most advanced and most insidious variant of this infection is called TDL4.\u00a0 However, many if not most malware researchers have resisted calling it TDL4, and still consider it to TDL3, because it’s infection cycle has too much in common with its TDL3 predecessor to be labeled as a completely new variant.<\/p>\n

Over time, this rookit has progressively gotten more and more crafty and it is now more difficult to detect and remove than it was previously because it began to infect the Master Boot Record (MBR) on an infected computer, making it technically a Bootkit.<\/strong> The MBR <\/strong>code is what enables your computer to boot up when your start it, and if it is corrupted your computer may not boot at all.\u00a0 Because it is so vital to the functioning of a Windows-based computer, Microsoft has provided Windows users with recovery commands that run from the Windows Recovery Environment, to replace the MBR with default Windows code appropriate to the Windows operating system that’s installed.<\/p>\n

More recently, in early August 2010, a new Alureon TDL variant that displayed the ability to infect Vista and Windows 7 64 bit based computers emerged<\/strong>.<\/h2>\n

This was a very unsettling but significant development, because very strict security measures that were integrated into\u00a0 64 bit versions of\u00a0 Vista and Windows 7 (Patchguard and very stringent driver signing requirements) had to be bypassed to allow this to happen!<\/strong><\/h3>\n

However, it’s important to note, the infection can only compromise a 64 bit Windows 7 or Vista system,\u00a0 if\u00a0 User Account Control (UAC) is turned OFF or if the user casually approves the malicious action.\u00a0 Since UAC is ON by default, a user would either have to intentionally disable it, or approve a questionable action initiated by malware (if it was ON), thereby leaving themselves vulnerable to this type of exploit. <\/strong> When a user’s behavior helps usher in a threat in this manner, the infection is said to rely upon “social engineering” techniques to compromise a system! Though this rootkit also infects 32 bit operating systems, it does so without initiating the automatic reboot that’s required for it to circumvent the 64 bit operating system kernel safeguards.\u00a0 On 64 bit systems, this random reboot may serve as a small clue that something is amiss.<\/p>\n

You can determine if your infected by opening Disk Management feature of the Microsoft Computer Management Console.\u00a0 This can be done very quickly and directly by doing the following::<\/h3>\n

Click on the Start<\/strong> button -> Choose the Run<\/strong> option and type diskmgmt.msc,<\/strong> and click OK<\/strong>.<\/h3>\n

If your 64 bit Windows 7 or Vista system is infected by the Alureon Bootkit (rootkit trojan),\u00a0 your system drive (normally C:) will NOT be visible:<\/h2>\n
    \n
  1. \n

    Under the Disk Management functions of the Computer Management Console.<\/a><\/h2>\n<\/li>\n
  2. \n

    When Diskpart<\/strong><\/a> is run with the “list disk” directive to obtain a summary about each fixed disk in the computer.<\/h2>\n<\/li>\n<\/ol>\n

    On a clean system the primary drive is listed as so:<\/strong><\/h3>\n

    DISKPART> list disk<\/strong><\/h3>\n


    \nDisk ###\u00a0 Status\u00a0\u00a0\u00a0\u00a0\u00a0 Size\u00a0\u00a0\u00a0\u00a0 Free\u00a0\u00a0\u00a0\u00a0 Dyn\u00a0 Gpt<\/strong><\/h3>\n

    ——–\u00a0 ———-\u00a0 ——-\u00a0 ——-\u00a0 —\u00a0 —<\/strong><\/h3>\n

    Disk 0\u00a0\u00a0\u00a0 Online\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 112 GB\u00a0\u00a0\u00a0\u00a0\u00a0 0 B<\/strong><\/h3>\n

    Disk 1\u00a0\u00a0\u00a0 Online\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 233 GB\u00a0\u00a0\u00a0\u00a0\u00a0 0 B<\/strong><\/h3>\n

    ________________________<\/strong><\/h3>\n

    On TDL3 X64 Alureon Bootkit infected system Diskpart will return the following, as it does not see the primary drive:<\/h2>\n

    DISKPART>list disk<\/strong><\/h3>\n

    There are no fixed disks to show.<\/strong><\/h3>\n

    These are unintentional side effects of this critter that can be used to check whether your system is infected!!<\/em><\/h2>\n

    Though it sounds pretty ominous, the Alureon MBR rootkit trojan can be fixed quite easily by running the fixmbr<\/strong> command at the Command Prompt <\/strong>by either booting to the Recovery Console<\/a> in Windows XP\u00a0 , or the Windows Recovery Environment<\/a> (Windows RE) in Windows Vista or Windows 7 through bootrec (Boot Recovery):<\/h2>\n

    In Windows XP – the command to issue is:<\/strong><\/h2>\n

    fixmbr<\/strong><\/h2>\n

    In Windows 7 and Vista – the command to issue is:<\/strong><\/h2>\n

    bootrec.exe \/fixmbr <\/strong><\/h2>\n

    This Windows 7 Themes tutorial explains exactly how to access and use the Windows 7 recovery options to repair the MBR via the Command Prompt:<\/strong>
    \n    http:\/\/windows7themes.net\/how-to-fix-mbr-in-windows-7.html<\/a><\/p>\n

    This Bleeping Computer tutorial explains how to access\u00a0 the Command Prompt from the Windows Vista Recovery Environment,after which fixmbr must be run:<\/strong>
    \n    http:\/\/www.bleepingcomputer.com\/tutorials\/tutorial147.html<\/a><\/p>\n

    <\/strong>I recommend backing up your MBR, <\/strong>in the interest of being “safe rather than sorry” – so you can restore an original copy of that essential code, in the event your computer’s MBR should become corrupted.<\/h2>\n

    You may rightly ask, “Why is it necessary to back-up my computer’s MBR, if it’s so easy to repair it, by simply running the Fixmbr command?”<\/strong> That’s a very good question, I would reply and now I’ll elaborate on my response. <\/strong><\/h3>\n

    The reason it is better to repair a corrupted MBR by restoring it with a backup of the original is because your MBR may contain customized code<\/strong> that your Computer Manufacturer placed there to enable you to access your computer’s recovery and restore options.<\/h3>\n

    Many original equipment manufacturers (OEMs) have adopted the practice of not including Windows installation media (DVDs )when you purchase a computer from them, because they install a recovery partition instead.\u00a0 Booting to the recovery partition (rather than booting to the Windows DVD), is how you enter to the Windows Recovery Environment.\u00a0 Dell and Hewlett Packard (HP) are two major computer manufacturers, among others, that install recovery\/restore partitions rather than providing Windows installation disks. <\/strong><\/h3>\n

    If you use the fixmbr<\/strong> command it overwrites the MBR with default Windows code.\u00a0 If the MBR contained proprietary OEM MBR code that enabled your computer to access the recovery partition, then you will lose the ability to access your computer’s recovery partition after using the fixmbr command.\u00a0 That’s why restoring your MBR from an original backup<\/span> is preferable.<\/strong><\/h2>\n

    There are several programs that enable you to back up your MBR very easily and I will name a couple I’ve tested.\u00a0 One of these programs, MBRCheck, can also detect whether your computer’s MBR is infected, and if it is, it can restore it with default Windows MBR code.<\/h2>\n

    It’s important to backup your MBR not just to your computer’s primary hard drive but to a alternate media, such as a\u00a0 CDROM so it can be accessed even if your system becomes unbootable.<\/h3>\n

    Preventative Protection: <\/strong><\/h1>\n

    Tools to Backup and Restore the MBR<\/strong><\/h1>\n

    1. MBRCheck<\/a><\/strong> by AD<\/strong><\/h1>\n

    MBRCheck is a tool created by AD aka Ad13, the author of RootRepeal<\/a> an excellent AntiRootkit detector.<\/strong><\/p>\n

    MBRCheck does the following when it is run (without command line switches)<\/strong><\/p>\n

      \n
    1. Checks the MBR for non-standard Code<\/li>\n
    2. Creates a log<\/li>\n
    3. Backs up (dumps) the MBR<\/li>\n
    4. Gives you the option to restore the\u00a0 MBR (with a default Windows MBR) if your computer’s MBR is found to be “non-standard”<\/li>\n<\/ol>\n

      Help File listing of MBRCheck commands:<\/h3>\n

      \"MBRCheckHelp.jpg\"<\/p>\n

      To check the MBR of your Primary Drive for MBR modification:<\/strong><\/h3>\n

      Type MBRCheck and hit Enter<\/h3>\n

      This will invoke MBRCheck\u00a0 to execute with this default command line:<\/h3>\n

      -s 0 -d dump.dat<\/strong><\/h3>\n

      This causes the system drive MBR to be dumped to a file called dump.dat and it also produces a log <\/strong><\/h3>\n

      \"MBRCheckCMDWindow.jpg\"<\/h3>\n

      The MBRCheck log is created in the folder where the MBRCheck executable resides (here the Desktop)<\/h3>\n

      After the identifying header information the log lists:\u00a0 loaded kernel drivers, running processes, and it tells You that it has dumped the MBR in a file called dump.dat:<\/h3>\n

      The following text is excerpted from a MBRCheck log (driver and process list has been truncated):<\/strong><\/h3>\n

      MBRCheck, version 1.2.3(c) 2010, AD<\/p>\n

      Command-line:\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0-s 0 -d dump.dat
      \nWindows Version:\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0Windows Vista Home Premium Edition
      \nWindows Information:\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0Service Pack 2 (build 6002), 32-bit
      \nBase Board Manufacturer:\u00a0\u00a0 \u00a0Dell Inc.
      \nBIOS Manufacturer:\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0Dell Inc.
      \nSystem Manufacturer:\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0Dell Inc.
      \nSystem Product Name:\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0MXC062
      \nLogical Drives Mask:\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a00x0000001c<\/p>\n

      Kernel Drivers (total 183):
      \n0x8204A000 \\SystemRoot\\system32\\ntkrnlpa.exe
      \n0x82017000 \\SystemRoot\\system32\\hal.dll<\/p>\n

      Processes (total 61):
      \n0 System Idle Process
      \n4 System
      \n684 C:\\Windows\\System32\\smss.exe
      \n800 csrss.exe<\/p>\n

      Dumping \\\\.\\PhysicalDrive0 to dump.dat…
      \nDumped successfully!<\/p>\n

      Just as the MBRCheck says – the MBR has been “dumped” to a file called dump.dat on the Desktop<\/strong><\/p>\n

      Backing up the MBRCheck is that EASY!!<\/strong><\/h3>\n

      Restoring the MBR with MBRCheck<\/h1>\n

      If MBRCheck returns the following notification:<\/h3>\n

      Found non-standard or infected MBR<\/strong><\/h3>\n

      You’ll be prompted to hit Y (yes) to be presented with these “Additional Options”<\/h3>\n
      [1] Dump the MBR of a physical disk to file<\/pre>\n
      [2] Restore the MBR of a physical disk with a standard boot code<\/pre>\n
      [3] Exit<\/pre>\n
      Choosing option [2] presents the following list of  operating systems<\/strong>:[ 0] Default (Windows Vista)
      \n<\/strong><\/p>\n
      [ 1] Windows XP<\/p>\n
      [ 2] Windows Server 2003<\/p>\n
      [ 3] Windows Vista<\/p>\n
      [ 4] Windows 2008<\/p>\n
      [ 5] Windows 7<\/p>\n
      [-1] Cancel<\/p>\n
      Choosing “0” instructs\u00a0 MBRCheck to overwrite your MBR with a default  Windows MBR for your installed operating system\u00a0 (here Vista) upon reboot.<\/h3>\n
      Do you want to fix the MBR code? \u00a0Type ‘YES’ and hit ENTER to  continue: yes<\/strong><\/h2>\n
      Successfully wrote new MBR code!<\/h2>\n
      Please reboot your computer to complete the fix<\/h2>\n
      2. HDHacker<\/a> by Dimio <\/strong><\/h2>\n
      To Backup the MBR: <\/strong><\/h2>\n
      Select the settings pictured in the image below:<\/h3>\n
      Under the “Read Commands” section:<\/strong><\/h3>\n
      Click the “Read Sector from Disk” <\/strong>button, and the sector  image for MBR HardDisk0 will be displayed in the window.<\/h3>\n
      Under the “Write Commands” section:<\/strong><\/h3>\n
      Select the “Save sector to file”<\/strong> button and by default,  your MBR will be saved to the following file within the HDHacker folder:<\/h3>\n
      MBR_HardDisk0.dat<\/h2>\n
      To Restore the MBR (from MBR_HardDisk0.dat): <\/strong><\/h2>\n
      Select the settings pictured in the image below:<\/h3>\n
      Under the “Read Commands” section:<\/strong><\/h3>\n
      Click the “Load Sector from File” <\/strong>button, and the sector  image for MBR HardDisk0.dat<\/strong> will be displayed in the  window.<\/h3>\n
      Under the “Write Commands” section:<\/strong><\/h3>\n
      Select the “Write Sector on Disk”<\/strong> button and by default,\u00a0  the backed up MBR,<\/h3>\n
      MBR HardDisk0.dat, will overwrite the MBR on the Logical  DriveC:
      \n<\/strong><\/h3>\n
      \"HDHackerGUI.JPG\"<\/p>\n
      3. Mbr.exe<\/a> by  Gmer<\/strong><\/h2>\n
      Gmer’s mbr.exe is a versatile and effective command line tool that  can detect and repair a TDL infected MBR on all Windows platforms including  the 64 bit versions of Windows<\/span>.\u00a0 Mbr.exe can also back-up the MBR, so it is  one of the most comprehensive and valuable programs to have when dealing with  the MBR Bootkit.<\/strong><\/h2>\n
      Download mbr.exe<\/a> to  your desktop.<\/strong><\/h2>\n
      Open a Command Prompt (elevated in Vista and Windows 7) and issue  the following command <\/strong>to view the mbr.exe help listing of  available switches and their output:
      \n<\/strong><\/h2>\n
      %userprofile%\\desktop\\mbr.exe -h<\/strong><\/h2>\n
      Help Listing:<\/h2>\n
      Stealth MBR rootkit\/Mebroot\/Sinowal\/TDL4 detector 0.4.1 by Gmer,  http:\/\/www.gmer.net<\/h3>\n
      Usage: mbr.exe [options]<\/h3>\n
      -f\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 – fix mbr<\/h3>\n
      -c start_sector size_in_sectors filename\u00a0\u00a0\u00a0 – copy selected sectors to  file<\/h3>\n
      -t\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 – trace called modules<\/h3>\n
      -k\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 – list all disk devices<\/h3>\n
      -dPHYSICALDRIVE\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 – set physical drive  numer<\/h3>\n
      -l logfile\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 – specify log filename<\/h3>\n
      -s\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 – disassembly unknown  hookers<\/h3>\n
      -u\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 – unload driver<\/h3>\n
      \nsamples of usage:<\/h3>\n
      \nmbr.exe -c 0 1 copy_of_sector_00<\/h3>\n
      mbr.exe -c 0x3fdc80 0x1ca copy_of_mbr_rk<\/h3>\n
      mbr.exe -d0 -t<\/h3>\n
      To have mbr.exe check your MBR for bootkit Infection:<\/strong><\/h2>\n
      Open a Command Prompt (elevated in Vista and Windows 7) and issue the  following command from your desktop:<\/h2>\n
      “%userprofile%\\desktop\\mbr.exe” -t<\/strong><\/h2>\n
      A log is produced called mbr.log<\/strong> (in the same folder as  mbr.exe)<\/h2>\n
      If your MBR is clean the mbr.log will look like this:<\/h2>\n
      C:\\>%userprofile%\\desktop\\mbr.exe -t<\/strong><\/h3>\n
      Stealth MBR rootkit\/Mebroot\/Sinowal\/TDL4 detector 0.4.1 by Gmer,  http:\/\/www.gmer.net<\/strong><\/h3>\n
      Windows 6.0.6002 Disk: TOSHIBA_MK1234GSX rev.AH001D ->  \\Device\\Ide\\IdeDeviceP0T0L0-0<\/strong><\/h3>\n
      device: opened successfully<\/strong><\/h3>\n
      user: MBR read successfully<\/strong><\/h3>\n
      called modules: ntkrnlpa.exe hal.dll CLASSPNP.SYS disk.sys acpi.sys  dxgkrnl.sys<\/strong><\/h3>\n
      igdkmd32.sys watchdog.sys win32k.sys win32k.sys<\/strong><\/h3>\n
      1 ntkrnlpa!IofCallDriver[0x82080962] ->  \\Device\\Harddisk0\\DR0[0x873ED640]<\/strong><\/h3>\n
      3 CLASSPNP[0x82FA68B3] -> ntkrnlpa!IofCallDriver[0x82080962]  -> [0x845F0F08]<\/strong><\/h3>\n
      kernel: MBR read successfully<\/strong><\/h3>\n
      user & kernel MBR OK<\/strong><\/h3>\n
      If your MBR is infected with MBR Bootkit TDL3 variant of Alureon,  one of the disk drive controllers will be hooked and show up as “UNKNOWN” in  the called module listing<\/em>.\u00a0 In this instance, the hooked driver is  needs to be identified by running a more in depth Anti-Rootkit Program (such as  Gmer Anti-Rootkit<\/a>, or Rootkit  Unhooker<\/a> with “Code Sections” or “Code Hooks” scanning  enabled.<\/strong><\/h2>\n
      ________________________________<\/p>\n
      TDL3 infection is detected by running mbr.exe with the -s  switch (to disassemble code for unknown hookers):<\/strong><\/strong><\/h2>\n
      Stealth MBR rootkit\/Mebroot\/Sinowal\/TDL4 detector 0.4.1 by Gmer, http:\/\/www.gmer.net<\/a>
      \nWindows  5.1.2600 Disk: HTS726060M9AT00 rev.MH4OA6EA ->  \\Device\\Ide\\IdePort0<\/p>\n
      device: opened successfully
      \nuser: MBR read  successfully
      \ncalled modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86A9DEC5]<< <\/strong>
      \n_asm { PUSH EBP; MOV EBP,  ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x86344872; SUB  DWORD [EBP-0x4], 0x8634412e; PUSH EDI; CALL 0xffffffffffffdf33; }
      \n1  nt!IofCallDriver[0x804E37D5] -> \\Device\\Harddisk0\\DR0[0x87785AB8]
      \n3  CLASSPNP[0xF786EFD7] -> nt!IofCallDriver[0x804E37D5] ->  [0x87506930]
      \n[0x86974CA8] -> IRP_MJ_CREATE -> 0x86A9DEC5
      \nkernel: MBR  read successfully
      \n_asm { CLI ; MOV AX, 0x0; MOV SS, AX; MOV SP, 0x7c00; STI ;  MOV DS, AX; CLD ; MOV CX, 0x80; MOV SI, SP; MOV DI, 0x600; MOV ES, AX; REP MOVSD  ; JMP FAR 0x0:0x62f; }
      \ndetected hooks:
      \n\\Device\\Ide\\IdeDeviceP0T0L0-3 ->  \\??\\IDE#DiskHTS726060M9AT00_________________________MH4OA6EA#5&17ce0675&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}  device not found
      \n\\Driver\\atapi DriverStartIo -> 0x86A9DAEA
      \nuser &  kernel MBR OK
      \nsectors 117210238 (+255): user != kernel
      \nWarning:  possible TDL3 rootkit infection !<\/strong> <=====<\/p>\n
      Filesystem  trace:
      \ncalled modules: ntoskrnl.exe hal.dll fltmgr.sys Ntfs.sys
      \n1  nt!IofCallDriver[0x804E37D5] -> [0x8772C250]
      \n3 fltmgr[0xF77435C8] ->  nt!IofCallDriver[0x804E37D5] -> [0x8778F020]
      \n5 nt[0x80567F6C] ->  nt!IofCallDriver[0x804E37D5] -> [0x8772C250]
      \n7 fltmgr[0xF7736FB5] ->  nt!IofCallDriver[0x804E37D5] -> [0x8778F020]<\/p>\n
      Registry trace:
      \ncalled  modules: ntoskrnl.exe hal.dll
      \n______________________________<\/h3>\n
      TDL4 infected MBR is exposed by running mbr.exe with the -s  switch:<\/strong><\/h2>\n
      C:\\>”%userprofile%\\desktop\\mbr.exe” -s<\/h2>\n
      Stealth MBR rootkit\/Mebroot\/Sinowal\/TDL4 detector 0.4.1 by Gmer, http:\/\/www.gmer.net<\/a>
      \nWindows 5.1.2600 Disk:  ST360015A rev.3.33 -> \\Device\\Ide\\IdePort0<\/strong><\/h3>\n
      device: opened successfully<\/h3>\n
      user: MBR read successfully<\/strong><\/h3>\n
      called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN  [0x83B49446]<<<\/strong><\/h3>\n
      _asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP  EAX, [0x83b4f504]; MOV EAX, [0x83b4f580]; PUSH EBX; PUSH ESI; MOV ESI,  [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX;  }<\/strong><\/h3>\n
      1 nt!IofCallDriver[0x804E37D5] ->  \\Device\\Harddisk0\\DR0[0x83B62AB8]<\/strong><\/h3>\n
      3 CLASSPNP[0xF756FFD7] -> nt!IofCallDriver[0x804E37D5] ->  [0x83B3F300]<\/strong><\/h3>\n
      \\Driver\\atapi[0x83B7AD10] -> IRP_MJ_CREATE ->  0x83B49446<\/strong><\/h3>\n
      kernel: MBR read successfully<\/strong><\/h3>\n
      detected hooks:<\/strong><\/h3>\n
      \\Device\\Ide\\IdeDeviceP0T0L0-3 ->  \\??\\IDE#DiskST360015A_______________________________3.33____#4b333143394a4241202020202020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}  device not found<\/strong><\/h3>\n
      \\Driver\\atapi DriverStartIo -> 0x83B49292<\/strong><\/h3>\n
      user != kernel MBR !!!\u00a0\u00a0 <====
      \n<\/strong><\/h3>\n
      sectors 117231406 (+230): user != kernel<\/strong><\/h3>\n
      Warning: possible TDL4 rootkit infection !\u00a0\u00a0  <====
      \n<\/strong><\/h3>\n
      TDL4 rootkit infection detected ! Use: “mbr.exe -f” to  fix.<\/strong><\/h3>\n
      ============================================<\/h3>\n
      To have mbr.exe fix a TDL4 infected MBR issue the following  command:<\/strong><\/h2>\n
      %userprofile%\\desktop\\mbr.exe -f<\/em><\/h2>\n
      To have mbr.exe backup your MBR,<\/strong><\/h2>\n
      Issue this command at the Comand Prompt:<\/strong><\/h2>\n
      %userprofile%\\desktop\\mbr.exe -c 0 1  mbr-backup.dat<\/strong><\/em><\/h2>\n
      And a copy of the MBR<\/strong> will be placed in the file: <\/strong>mbr-backup.dat<\/strong><\/strong> on your  Desktop.<\/strong><\/h2>\n
      4. MBR  Backup<\/a> by Mischel Internet Security <\/strong><\/h2>\n
      To Back up the MBR select: “Save MBR….” <\/strong><\/h2>\n
      The MBR is saved to a BIN file with this format:<\/h2>\n
      MBR_<yyyy-month-day>.bin<\/strong><\/h3>\n
      To Restore the MBR select: “Restore MBR….” <\/strong><\/h2>\n
      To Print the MBR select: “Print MBR”<\/h2>\n
      \"MBRBackupPic.jpg\"<\/h3>\n
      Detecting and removing the MBR rootkit infection<\/h1>\n
      (including repairing the MBR)<\/h2>\n
      If you are infected or are experiencing the symptoms of TDSS  (Alureon, TDSS, TDL3, TDL4) infection,\u00a0 then <\/strong>TDSSKiller<\/a> by Kaspersky Labs can:<\/strong><\/h2>\n
      \n
      1. Scan your system for TDSS infection<\/h2>\n
      2. Clean the infection<\/h2>\n
      3. Replace the infected MBR with a clean default Windows copy<\/h2>\n
      4. Produce a Scan Report<\/h2>\n<\/blockquote>\n
      TDSSKiller<\/a> <\/strong>Specifically targets (Detects and Cleans) ALL variants of the Alureon  bootkit trojan (TDSS ) on 32 bit and 64 bit Windows Systems<\/h2>\n
      \"TDSKillerStart.jpg\"<\/p>\n
      If You are infected with the Alureon Bootkit:<\/h1>\n
      Here are my recommendations:<\/h1>\n
        \n
      1. \n
        Scan with TDSSKiller<\/strong><\/a> and Cure or Remove Malicious objects as advised by TDSSKiller’s default<\/span> action.<\/h2>\n<\/li>\n
      2. \n
        If TDSSKiller says you’re infected with TDL4 – You will see this in your  TDSSKiller Log:<\/h2>\n
        2010\/11\/06 16:11:04.0265 Detected object count: 1<\/strong><\/h3>\n
        2010\/11\/06 16:11:23.0281 \\HardDisk0 – will be cured after  reboot<\/strong><\/h3>\n
        2010\/11\/06 16:11:23.0281 Rootkit.Win32.TDSS.tdl4(\\HardDisk0) – User  select action: Cure<\/strong><\/h3>\n
        If you have TDL4, AND You have a clean, pre-infection<\/span> MBR  Backup:<\/h2>\n