spyware or not?


Jeffreynya
12-01-2010, 12:08 AM
Has anybody seen microsoftblacklists.com?

I recently had to clean the fake AV8 off a work PC and that was simple enough even with our limited tools, but it's still getting the microsoftblocklist coming up when opening IE7.

IE7 looks clean and everything has been reset. I can only use spybot on corporate PCs and that helped in getting rid of some stuff, and the scans are clean now, but I'm still getting the blocked web popup and I am only going to a corporate homepage.

The firewall sees it every other time I launch a page, so it sees it as a threat. I just am not able to find anything on the PC about it, and nothing really online either.

Any help would be great.

Thanks

MobileTechie
12-03-2010, 09:54 PM
I just saw this one today. All I can tell you is that it has a TDL4 rootkit in it which is why hardly anything finds it.

Galdorf
12-04-2010, 05:55 PM
You are going to need to run tdsskiller or gmer; you need to remove the rootkit first before you can clean the rest, then you can run malwarebytes and spybot.

Just hope it is not one of the newer boot block rootkits. None of the rootkit scanners even pick this up; it seems to rely on an encrypted file.

MobileTechie
12-04-2010, 06:00 PM
I thought TDL4 rootkits were inherently bootkits?

The latest TDSSKiller (which checks the mbr) finds this one and recognises it as a TDL4 rootkit. mbr.exe can see the infected bootblock, encrypted or not.

Galdorf
12-05-2010, 06:32 PM
I thought TDL4 rootkits were inherently bootkits?

The latest TDSSKiller (which checks the mbr) finds this one and recognises it as a TDL4 rootkit. mbr.exe can see the infected bootblock, encrypted or not.

So far I have had 12 machines in with this boot block rootkit. I tried every major AV recovery CD and not one picked up the rootkit, including tdsskiller and even gmer.
If you look manually you can see the hooks and a file that has a random name and is encrypted.
If the file is removed it causes the bootkit to crash before the OS loads, locking on the boot sector.

joydivision
12-05-2010, 07:29 PM
Is it the case now that with a lot of these machines there could still be a rootkit there when there are no symptoms of one at all?

Would rewriting the MBR on every infected PC we get be something to do as a routine, or would the new MBR just get infected with the rootkit?

Still learning the art of advanced rootkit diagnosis and removal (aka rootkits for dummies :p:p)

MobileTechie
12-07-2010, 06:26 PM
So far I have had 12 machines in with this boot block rootkit. I tried every major AV recovery CD and not one picked up the rootkit, including tdsskiller and even gmer.
If you look manually you can see the hooks and a file that has a random name and is encrypted.
If the file is removed it causes the bootkit to crash before the OS loads, locking on the boot sector.

This particular one, well the example I found, was picked up easily with tdsskiller but that nuked the boot process.

Have you checked out Reg Run's Warrior CD system? It doesn't use the usual methods but with the Examiner app it does an online/offline file comparison. Seems promising but oddly implemented.

Out of interest, how are you telling that the boot sector is infected?

I don't suppose you have any examples of this BK available, do you? I'm limited to those I can get off malwaredomainlist.com, and I'm always looking for new ones.

MobileTechie
12-07-2010, 06:27 PM
I think there must be a random infected driver if you look at the files in Windows PE, as the rootkit may replace the safe driver in normal mode just like TDSS does.

Another is that the rootkit infected the MBR sector.

That may be a new rootkit that TDSSKiller does not detect.

1. So first check whether the machine's MBR is infected.

2. Try to find out the infected driver in Windows PE.

What method are you suggesting to:

1. Find out if the mbr is infected and
2. Find the infected driver easily in PE?
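The first of those two questions, "is the MBR infected?", comes down to comparing what is actually in sector 0 against what you expect to be there. Below is an added example (not code from this thread or from any of the tools mentioned) of the kind of offline check a technician can run on a copy of the MBR taken from a recovery CD or PE environment: it parses the 512-byte sector, verifies the 0x55AA boot signature, lists the partition table, and hashes the 440-byte bootstrap code region so it can be compared against a baseline of known-good boot code hashes. The sample sector bytes, the partition layout and the baseline hash set are all constructed here for the example; on a real machine the sector would come from an offline read of sector 0 of the disk and the baseline from a clean install of the same Windows version.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440       # bootstrap code occupies bytes 0..439
DISK_SIG_OFFSET = 440     # 4-byte Windows disk signature, then 2 reserved bytes
PART_TABLE_OFFSET = 446   # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"


def parse_mbr(sector: bytes) -> dict:
    """Split a raw 512-byte MBR into its signature, boot-code hash and partitions."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        entry = sector[off:off + 16]
        status, ptype = entry[0], entry[4]
        lba_start, sector_count = struct.unpack_from("<II", entry, 8)
        if ptype == 0:          # empty slot
            continue
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sector_count,
        })
    return {
        "valid_signature": sector[510:512] == BOOT_SIGNATURE,
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": sector[DISK_SIG_OFFSET:DISK_SIG_OFFSET + 4].hex(),
        "partitions": partitions,
    }


def check_mbr(sector: bytes, known_good_hashes: set) -> tuple:
    """Return (parsed info, list of findings). An empty list means nothing looked off."""
    info = parse_mbr(sector)
    findings = []
    if not info["valid_signature"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] not in known_good_hashes:
        findings.append("bootstrap code does not match any known-good baseline")
    bootable = [p for p in info["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        findings.append(f"{len(bootable)} partitions flagged bootable (expected 1)")
    return info, findings


def build_mbr(boot_code: bytes, partitions: list) -> bytes:
    """Assemble a sector from boot code and (status, type, lba_start, sectors) tuples.
    Used here only to construct sample input for the example."""
    sector = bytearray(SECTOR_SIZE)
    sector[:BOOT_CODE_LEN] = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    sector[DISK_SIG_OFFSET:DISK_SIG_OFFSET + 4] = b"\x12\x34\x56\x78"   # constructed disk signature
    for i, (status, ptype, lba, count) in enumerate(partitions):
        off = PART_TABLE_OFFSET + 16 * i
        sector[off] = status
        sector[off + 4] = ptype
        struct.pack_into("<II", sector, off + 8, lba, count)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed "clean" bootstrap stub: a few bytes of typical x86 prologue followed by NOP padding.
CLEAN_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 433
# Constructed stand-in for boot code that differs from the baseline (first byte changed).
MODIFIED_BOOT_CODE = b"\xeb" + CLEAN_BOOT_CODE[1:]
# One bootable NTFS partition starting at LBA 2048, 409600 sectors (constructed layout).
SAMPLE_PARTITIONS = [(0x80, 0x07, 2048, 409600)]
# Baseline: in practice, hashes of sector 0 from clean installs of each Windows build you support.
KNOWN_GOOD_BOOT_CODE_HASHES = {hashlib.sha256(CLEAN_BOOT_CODE).hexdigest()}


if __name__ == "__main__":
    for label, code in (("clean", CLEAN_BOOT_CODE), ("modified", MODIFIED_BOOT_CODE)):
        info, findings = check_mbr(build_mbr(code, SAMPLE_PARTITIONS), KNOWN_GOOD_BOOT_CODE_HASHES)
        print(label, info["boot_code_sha256"][:16], info["partitions"], findings or "no findings")
```

The point of hashing only the first 440 bytes is that the disk signature and partition table legitimately differ from machine to machine, while the bootstrap code for a given Windows version does not; a baseline of a handful of hashes therefore covers a whole fleet, and any sector whose boot code falls outside the set is worth a manual look with a disassembler before deciding whether to rewrite it.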

Jake77444
12-09-2010, 05:29 PM
Mobile have you tried hitman pro?

TDSS failed for me on cleaning a TDL4 rootkit where hitman pro succeeded.

MobileTechie
12-09-2010, 06:33 PM
Mobile have you tried hitman pro?

TDSS failed for me on cleaning a TDL4 rootkit where hitman pro succeeded.

Yeah I use it all the time. It's very good.