new antivirus 2010 with new rootkit


Galdorf
09-27-2010, 07:37 PM
Wow, this one is nasty. It runs in both normal and safe mode and prevents ANY security apps, even renamed ones, from running; if you install them it deletes them.
Ran Autoruns from a live CD and tried removing the startup entry for the rootkit; it gave me an error and could not remove it. TDSSKiller, GMER and 18 other rootkit scanners found nothing.
Ran Antivir from UBCD4Win and it picked up BDS/TDSS.VN. It seems none of the rootkit scanners can pick this up; I tried 20 of them.
Funny thing is you can install Malwarebytes in safe mode, but as soon as you run it, it terminates it and deletes the EXE file.
I tried renaming the Malwarebytes exe; same thing, it terminates and deletes the EXE file.
Tried Autoruns and a renamed Autoruns; it terminates those as well, including Process Explorer.

Technotch
09-27-2010, 07:49 PM
Never encountered anything like this yet, but it's probably smarter to back up and do a clean install.

gunslinger
09-27-2010, 08:40 PM
I had a system come in the other day with the owner complaining it was "slow". I checked and it was running Vista with a gig of RAM, so I was like "well duh, it's slow"; Vista just runs that way. After scanning with both SuperAntiSpyware and Malwarebytes I found a total of 953 infected files. Not tracking cookies but actual infected files. After removing them I did a virus scan and came up with 19 more.

I have also had a few machines come back after a very thorough cleaning, only to have the infection come right back due to an undetected rootkit. It's almost to the point where I just want to do a backup and clean install on almost every system that comes in "slow".

MobileTechie
09-27-2010, 10:00 PM
> Wow, this one is nasty. It runs in both normal and safe mode and prevents ANY security apps, even renamed ones, from running; if you install them it deletes them.
> Ran Autoruns from a live CD and tried removing the startup entry for the rootkit; it gave me an error and could not remove it. TDSSKiller, GMER and 18 other rootkit scanners found nothing.
> Ran Antivir from UBCD4Win and it picked up BDS/TDSS.VN. It seems none of the rootkit scanners can pick this up; I tried 20 of them.
> Funny thing is you can install Malwarebytes in safe mode, but as soon as you run it, it terminates it and deletes the EXE file.
> I tried renaming the Malwarebytes exe; same thing, it terminates and deletes the EXE file.
> Tried Autoruns and a renamed Autoruns; it terminates those as well, including Process Explorer.

So you're saying that a generic rootkit tool like say Rootkit Unhooker doesn't flag up any file, process, driver, service etc as being hidden or hooked?

And you couldn't remove a start up registry key from a boot CD? Are you talking about the DART disk?

Galdorf
09-27-2010, 10:39 PM
> So you're saying that a generic rootkit tool like say Rootkit Unhooker doesn't flag up any file, process, driver, service etc as being hidden or hooked?
>
> And you couldn't remove a start up registry key from a boot CD? Are you talking about the DART disk?

Nothing showed up on any rootkit scanner. This was on XP, so I used ERD 2005 from Sysinternals slipstreamed with a bunch of my favorite utilities.

Most rootkit scanners are VERY outdated and will not find anything current.

MobileTechie
09-27-2010, 11:25 PM
> Nothing showed up on any rootkit scanner. This was on XP, so I used ERD 2005 from Sysinternals slipstreamed with a bunch of my favorite utilities.
>
> Most rootkit scanners are VERY outdated and will not find anything current.

Rootkit Unhooker isn't just a scanner. It just flags up objects that are hooked or hidden.

RedFoxComp
09-27-2010, 11:57 PM
> Wow, this one is nasty. It runs in both normal and safe mode and prevents ANY security apps, even renamed ones, from running; if you install them it deletes them.
> Ran Autoruns from a live CD and tried removing the startup entry for the rootkit; it gave me an error and could not remove it. TDSSKiller, GMER and 18 other rootkit scanners found nothing.
> Ran Antivir from UBCD4Win and it picked up BDS/TDSS.VN. It seems none of the rootkit scanners can pick this up; I tried 20 of them.
> Funny thing is you can install Malwarebytes in safe mode, but as soon as you run it, it terminates it and deletes the EXE file.
> I tried renaming the Malwarebytes exe; same thing, it terminates and deletes the EXE file.
> Tried Autoruns and a renamed Autoruns; it terminates those as well, including Process Explorer.

You need to get in there manually and start investigating services, drivers and processes. Once you kill them you'll be able to scan and check for more using malwarebytes, autoruns etc.

I think I know the infection you're dealing with. In my case it had patched explorer.exe and winlogon.exe in system32 AS WELL as the DLL cache (sneaky). I cleared the DLL cache, booted from a CD and deleted explorer.exe and winlogon.exe replacing them with files from an XP SP3 install CD. Then I did an SFC /scannow and let it rebuild the DLL cache from the CD.

That was step 3 of 7 or something though, I don't recall everything else but you are right it was VERY nasty to clean completely.

MobileTechie
09-28-2010, 07:49 AM
So how did you discover which files it had patched?

RedFoxComp
09-28-2010, 02:20 PM
> So how did you discover which files it had patched?

I believe it was one of 2 ways. I think this patching virus created an additional file 'explorer .exe', so I searched for "* .exe" and found it had patched a lot of .exe's. So what was happening was any time you ran a patched file it was restoring the service or driver that was causing the problems. If you don't have a good method of dealing with a threat like this it's probably easier to reinstall; otherwise it's like boxing with someone that has 8 arms :)

I also searched for files dated a week old or newer in the windows directory. Anything new was suspect.

You can use a tool like SystemLook (http://jpshortstuff.247fixes.com/SystemLook.html) to check out processes and see if they are up to anything funny.

To find out what you're dealing with you can use Dr. Web and/or Avira Live CD and hopefully it will give you an idea of the type of infection you're dealing with and you can go from there.
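The two searches RedFoxComp describes (file names with a stray space before .exe, and files in the Windows directory changed within the last week), plus a hash comparison against a clean copy of the same files such as the ones he restored from the SP3 CD, written up as an offline triage script. This is added example code, not from the thread; the directory layout and sample files are constructed here, and the clean reference tree is assumed to come from an install CD or a known-good machine.

```python
import hashlib, os, re, tempfile, time
from pathlib import Path

# File names that imitate a system binary with a stray space before the
# extension, e.g. "explorer .exe" (the "* .exe" search from the post).
SPACED_EXT = re.compile(r"\s\.[A-Za-z0-9]{1,4}$")

def sha256(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def triage(windir, reference=None, max_age_days=7, now=None):
    """Walk an offline Windows directory (e.g. a slaved drive) and return sorted
    (relative_path, reason) tuples; `reference` is an optional clean tree."""
    windir = Path(windir)
    cutoff = (time.time() if now is None else now) - max_age_days * 86400
    findings = []
    for p in windir.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(windir).as_posix()
        if SPACED_EXT.search(p.name):
            findings.append((rel, "space before extension"))
        if p.stat().st_mtime >= cutoff:
            findings.append((rel, "modified within %d days" % max_age_days))
        if reference is not None:
            ref = Path(reference) / rel
            if ref.is_file() and sha256(ref) != sha256(p):
                findings.append((rel, "hash differs from clean reference"))
    return sorted(findings)

def demo():
    """Constructed miniature WINDOWS tree and clean reference for a dry run."""
    root = Path(tempfile.mkdtemp())
    win, ref = root / "WINDOWS", root / "reference"
    for d in (win / "system32", ref / "system32"):
        d.mkdir(parents=True)
    (ref / "explorer.exe").write_bytes(b"clean explorer")
    (ref / "system32" / "winlogon.exe").write_bytes(b"clean winlogon")
    (win / "explorer.exe").write_bytes(b"clean explorer")        # untouched
    (win / "system32" / "winlogon.exe").write_bytes(b"PATCHED")  # patched, old mtime
    (win / "explorer .exe").write_bytes(b"dropper")              # new, spaced name
    old = time.time() - 60 * 86400                               # 60 days ago
    for f in (win / "explorer.exe", win / "system32" / "winlogon.exe"):
        os.utime(f, (old, old))
    return triage(win, ref)
```

The patched winlogon.exe keeps an old timestamp, so only the hash comparison catches it; the date search alone answers MobileTechie's question only for files the infection did not backdate.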

MobileTechie
09-28-2010, 02:52 PM
> I believe it was one of 2 ways. I think this patching virus created an additional file 'explorer .exe', so I searched for "* .exe" and found it had patched a lot of .exe's. So what was happening was any time you ran a patched file it was restoring the service or driver that was causing the problems. If you don't have a good method of dealing with a threat like this it's probably easier to reinstall; otherwise it's like boxing with someone that has 8 arms :)
>
> I also searched for files dated a week old or newer in the windows directory. Anything new was suspect.
>
> You can use a tool like SystemLook (http://jpshortstuff.247fixes.com/SystemLook.html) to check out processes and see if they are up to anything funny.
>
> To find out what you're dealing with you can use Dr. Web and/or Avira Live CD and hopefully it will give you an idea of the type of infection you're dealing with and you can go from there.

Yes, I understand that. I'm interested to know how you knew which files it patched. It sounds like you did it through the dates alone?

totalPCTechs
09-28-2010, 03:41 PM
Yeah, I had this yesterday after a friend's client watched one too many porn vids lol.. but anyway, a friend but technically a competitor had it on a customer's computer. He removed all the traces manually including the virus, the rootkit, the false driver it produced, and the connected registry.. it didn't boot after that. Not even safe mode, so what he did was an in-place upgrade from the XP Media Center disc; it crashed midway and now the PC is totally screwed lol, nothing will run.

Time for a NUKE and PAVE lol

Galdorf
09-28-2010, 10:05 PM
I use Malware Defender; it's like a combo of Autoruns, Process Explorer, Rootkit Unhooker, WinPatrol and HIPS all in one. I got fed up, installed Malware Defender, looked for a non-verified hook, unhooked it and then ran all my malware cleaners.
Malware Defender is just amazing, all the tools I need at my fingertips.

Nomad Computer Repair
09-29-2010, 04:53 AM
Dr. Web Cure-it has done a great job in the past dealing with patching viruses, and it comes in a Live CD version. Might be worth checking out. http://www.freedrweb.com/livecd/

Galdorf
09-29-2010, 01:32 PM
One really cool feature of Malware Defender is that it logs all files written and all changes to the registry. You can set it up to be totally silent; then when a customer gets a fake AV that was missed you can look at the logs and undo all the changes that led to the infection. It is sooo easy to find and unhook a rootkit to allow your software to do its cleaning.
It also has a debugger; you can watch malware and see the files that are used. Although it is not for anyone but advanced users, you can even watch DLL calls and track what is going on under the hood.

ell
10-25-2010, 08:53 PM
> I use Malware Defender; it's like a combo of Autoruns, Process Explorer, Rootkit Unhooker, WinPatrol and HIPS all in one. I got fed up, installed Malware Defender, looked for a non-verified hook, unhooked it and then ran all my malware cleaners.
> Malware Defender is just amazing, all the tools I need at my fingertips.

So where do I find Malware Defender? Who makes it? It's not listed in our tool section here, and when I google, well, you can imagine....

Lone99star
10-25-2010, 09:22 PM
Find the file hotfix.exe, move it from current folder and reboot in safe mode.
Start your manual process then you will probably still be left with a browser hijack.
I worked long and hard on the hijack, found gmer or combo will help there.
This is the same as Think Point.

If you don't find the hotfix.exe file it has probably been renamed.
Try to start TM as soon as bootstrap, look for abnormal process, kill it.

Or just slave the drive and be done with it.

Lone99star

Galdorf
10-25-2010, 11:38 PM
> So where do I find Malware Defender? Who makes it? It's not listed in our tool section here, and when I google, well, you can imagine....

Malware Defender (http://dl.360safe.com/md_setup_en.exe)
Yes, I know there is a fake AV called Malware Defender; you don't want that one :).

ell
10-26-2010, 12:06 AM
> Malware Defender (http://dl.360safe.com/md_setup_en.exe)
> Yes, I know there is a fake AV called Malware Defender; you don't want that one :).

Thanks! I'm going to play around with it in my VBox. Is this something that I can install on repeat-infected customers' PCs, so I can tell them when they got infected??

Galdorf
10-26-2010, 02:59 AM
Yes, it has been around for quite some time; it is the number 1 HIPS so far. You can read about it here:
Matousec proactive security challenge (http://www.matousec.com/projects/proactive-security-challenge/archive.php)
It is more than HIPS though; once you master all of the tools it is the only one you need for manual malware removal.

Galdorf
10-26-2010, 07:04 PM
What is annoying is most AVs cannot clean this boot block rootkit yet. TDSSKiller and most popular AVs still fail to this date to remove it.