Technibble Forums > Technical Discussions > Security, Viruses and Trojans
#11  03-31-2012, 02:11 AM  HFultzjr (Central PA, USA)

Quote (originally posted by YeOldeStonecat):
Oh yeah..she's been rooty scanned. TDSS gets blocked..GMER finished and came up clean. Ran out of time...will continue Monday with MBR checks...which is what I'm starting to think it is. Manually checked everything HJT would...quite clean. TCP/winsock rebuild. Scanned with SAS, MWB, Panda AV, even brought out old Spybot. Will have to continue with MRT (Microsoft tool) on Monday, and yank drive and slave to another machine and scan. TCP clean, no proxy in browser connection settings, browser set to default, even installed and tested Chrome and she still gets redirected.

Wooow....sounds quite a bit nastier than what I've been seeing.

Good luck and keep us posted.

Have you tried renaming TDSS to something like explorer.exe?

I have put it in the startup folder on occasion and sometimes it will run as the operating system is loading......hopefully before it gets blocked.
__________________
Harold
ACS Alternative Computer Solutions

#12  03-31-2012, 03:20 AM  ReinforcedPanda

Glad I'm not the only one that noticed that. I had 4 calls today about the same stupid virus. SMART HDD. Luckily it is easy to remove and clean up after but jeez it was odd.

#13  03-31-2012, 03:33 AM  othersteve

The absolute best approach IMO is to boot to a WinPE build and run TDSSKiller from within WinPE. Configure it to only scan Boot Sectors and TDSS File System.
__________________
-Steve

Born a technician, though always willing to learn and improve. :)

Managing Editor, DigitalChumps.com
Senior Editor, Notebookcheck
Laptop Dude, PC Perspective
Owner/Sole Proprietor, Triple-S Computers

#14  03-31-2012, 04:10 AM  compnet

I've yet to see a redirect combofix didn't kill.

#15  03-31-2012, 04:50 AM  Slaters Kustum Machines (Iowa)

Quote (originally posted by Xander):
Wish I had your troubles. I have seen virtually no viral infections for probably 3+ months.
I would have to agree, it's been about the same for me.

#16  03-31-2012, 12:10 PM  YeOldeStonecat (Southeast Connecticut)

Quote (originally posted by compnet):
I've yet to see a redirect combofix didn't kill.
I've seen it fail to clean some in the past...and this one is added to the list...redirects still happening even after running combofix.
Will see what happens Monday...hopefully MWB or SAS will have updated definitions to deal with this new variant.
__________________
Resident "Geek on a Harley" doing IT in Southeast Connecticut
http://www.dynamic-alliance.com/
https://www.facebook.com/YeOldeStonecat

#17  03-31-2012, 12:44 PM  4ycr (West Lothian, Scotland)

Have you tried HitmanPro? It has found redirects in the past for me.
#18  03-31-2012, 12:52 PM  mrvoids

I've been seeing a lot more lately. When in the same situation, it's a rootkit hidden in a small partition tacked on to the end of the drive that is set to hidden and boot; the last one was only 1 meg large. Used Partition Magic to delete it, grow the main drive over the now-unused space, and set the boot flag on the right partition. After this all the tools that wouldn't run work just fine. Hope this might help.
#19  03-31-2012, 02:13 PM  othersteve

Quote (originally posted by mrvoids):
I've been seeing a lot more lately. When in the same situation, it's a rootkit hidden in a small partition tacked on to the end of the drive that is set to hidden and boot; the last one was only 1 meg large. Used Partition Magic to delete it, grow the main drive over the now-unused space, and set the boot flag on the right partition. After this all the tools that wouldn't run work just fine. Hope this might help.

Yeah, Pihar.B is becoming increasingly common these days. I kill it offline with TDSSKiller.

You can also use partitioning software to do it though and then set the System Reserved partition as Active (if it's Windows 7). You have to be careful not to end up here however:

http://triplescomputers.com/blog/?p=81
__________________
-Steve

Born a technician, though always willing to learn and improve. :)

Managing Editor, DigitalChumps.com
Senior Editor, Notebookcheck
Laptop Dude, PC Perspective
Owner/Sole Proprietor, Triple-S Computers
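The layout mrvoids and othersteve describe (a tiny hidden partition appended to the end of the drive that carries the active/boot flag while the real Windows partition does not) can be spotted by reading the first sector of the slaved drive and walking the four MBR partition entries. The script below is an added example written for this thread, not a tool posted by either of them: it parses a raw 512-byte MBR, decodes the status byte, type ID, start LBA and sector count of each entry, and flags a small active partition that ends in the last one percent of the disk, plus a Windows (type 0x07) partition that has lost its active flag. SAMPLE_MBR and DISK_SECTORS are constructed for the example; the function and constant names are the example's own.

```python
# Added example (not from the thread): parse a raw 512-byte MBR and flag the
# layout described above, a tiny hidden partition at the end of the disk that
# carries the active (boot) flag while the real Windows partition does not.
# SAMPLE_MBR and DISK_SECTORS are constructed for this example.
from __future__ import annotations

import struct
from dataclasses import dataclass

SECTOR_BYTES = 512
MBR_SIZE = 512
TABLE_OFFSET = 446          # the four 16-byte partition entries start here
ENTRY_FMT = "<B3xB3xII"     # status, CHS start (skipped), type, CHS end (skipped), start LBA, sector count
WINDOWS_NTFS = 0x07
# Standard "hidden" variants of the common DOS/Windows partition type IDs (0x17 is hidden NTFS).
HIDDEN_TYPES = {0x11, 0x14, 0x16, 0x17, 0x1B, 0x1C, 0x1E}


@dataclass
class PartitionEntry:
    index: int
    bootable: bool      # status byte 0x80 means the active/boot flag is set
    type_id: int
    start_lba: int
    sectors: int

    @property
    def end_lba(self) -> int:
        return self.start_lba + self.sectors

    @property
    def size_bytes(self) -> int:
        return self.sectors * SECTOR_BYTES

    @property
    def hidden(self) -> bool:
        return self.type_id in HIDDEN_TYPES


def parse_mbr(mbr: bytes) -> list[PartitionEntry]:
    """Return the non-empty primary partition entries from a raw MBR sector."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("expected exactly 512 bytes")
    if mbr[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        off = TABLE_OFFSET + 16 * i
        status, type_id, start_lba, sectors = struct.unpack(ENTRY_FMT, mbr[off:off + 16])
        if type_id == 0 and sectors == 0:
            continue  # unused slot
        entries.append(PartitionEntry(i, status == 0x80, type_id, start_lba, sectors))
    return entries


def find_suspicious(entries, disk_sectors, max_bytes=16 * 1024 * 1024, tail_fraction=0.01):
    """Flag small active partitions that end within the last tail_fraction of the disk."""
    tail_start = disk_sectors * (1.0 - tail_fraction)
    return [e for e in entries
            if e.bootable and e.size_bytes <= max_bytes and e.end_lba >= tail_start]


def os_partition_not_active(entries) -> bool:
    """True when a plain Windows (0x07) partition exists but none of them carries the boot flag."""
    windows = [e for e in entries if e.type_id == WINDOWS_NTFS]
    return bool(windows) and not any(e.bootable for e in windows)


def _entry(status, type_id, start_lba, sectors) -> bytes:
    return struct.pack(ENTRY_FMT, status, type_id, start_lba, sectors)


# Constructed sample: a 1 MiB hidden-NTFS partition (2048 sectors) at the very end
# of a ~1 GB disk holds the boot flag; the real NTFS partition in slot 0 does not.
DISK_SECTORS = 1_954_096
SAMPLE_MBR = (
    b"\x00" * TABLE_OFFSET
    + _entry(0x00, 0x07, 2_048, 1_950_000)
    + _entry(0x80, 0x17, 1_952_048, 2_048)
    + _entry(0, 0, 0, 0) * 2
    + b"\x55\xaa"
)


def report(mbr: bytes, disk_sectors: int) -> list[str]:
    """Human-readable partition listing followed by any findings."""
    entries = parse_mbr(mbr)
    lines = [f"#{e.index}: type=0x{e.type_id:02X} active={e.bootable} hidden={e.hidden} "
             f"start={e.start_lba} sectors={e.sectors} ({e.size_bytes // 1024} KiB)"
             for e in entries]
    for e in find_suspicious(entries, disk_sectors):
        lines.append(f"SUSPICIOUS: tiny active partition #{e.index} at the end of the disk")
    if os_partition_not_active(entries):
        lines.append("SUSPICIOUS: Windows partition exists but is not marked active")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_MBR, DISK_SECTORS)))
```

On a real drive slaved to a clean machine, feed `parse_mbr` the first 512 bytes of the physical device (on Linux, `dd if=/dev/sdX bs=512 count=1`; from Python on Windows, opening `\\.\PhysicalDriveN` in binary mode with administrator rights and reading 512 bytes) and pass the drive's total sector count, for example from `blockdev --getsz`. The listing alone shows which slot holds the active flag, which is the check othersteve's repair (re-activating the System Reserved or Windows partition) depends on; this example only reads and reports, it does not modify the table.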
#20  04-01-2012, 12:10 AM  Patch22

Quote (originally posted by YeOldeStonecat):
Tis my rule of thumb also...but one of the rigs I worked on today HAD all updated...Adobe 10, Flash 11, Java 6.31, IE 8.0.

This new variant here is leaving a redirector behind that we've not yet been able to clean off. Within several minutes your browser starts going to affiliate sites instead of what you hoped for. "letmehelpu" is one of them.
I had this exact same thing after removing the initial Security Fortress infection. Multiple rootkit infections left in place. Like you, I tried a lot of rootkit scanners and malware removal tools. Luckily it was an XP machine and ComboFix found and removed the rootkits. I then had to repair the TCP/IP stack manually, and all was good!! I'm not sure what I would've done if it had been a Vista or 7 PC, as I think ComboFix doesn't work on those OSes.