Wow...crazy heavy malware calls today!

[HFultzjr]

Quote:

Originally Posted by YeOldeStonecat

Oh yeah..she's been rooty scanned. TDSS gets blocked..GMER finished and came up clean. Ran out of time...will continue Monday with MBR checks...which is what I'm starting to thing it is. Manually checked everything HJT would...quite clean. TCP/winsock rebuild. Scanned with SAS, MWB, Panda AV, even brought out old Spybot. Will have to continue with MRT (Microsoft tool) on Monday, and yank drive and slave to another machine and scan. TCP clean, no proxy in browser connection settings, browser set to default, even installed and tested Chrome and she still gets redirected.

Wooow....sounds quite a bit nastier than what I've been seeing.

Good luck and keep us posted.

Have you tried renaming TDSS to something like explorer.exe?

I have put it in the startup folder on occasion and sometimes it will run as the oprating sytem is loading......hopefully before it gets blocked.

[ReinforcedPanda]

Glad I'm not the only one that noticed that. I had 4 calls today about the same stupid virus. SMART HDD. Luckily it is easy to remove and clean up after but jeez it was odd.

[othersteve]

The absolute best approach IMO is to boot to a WinPE build and run TDSSKiller from within WinPE. Configure it to only scan Boot Sectors and TDSS File System.

[compnet]

I've yet to see a redirect combofix didn't kill.

[Slaters Kustum Machines]

Quote:

Originally Posted by Xander

Wish I had your troubles. I have seen virtually no viral infections for probably 3+ months.

I would have to agree, it's been about the same for me.

[YeOldeStonecat]

Quote:

Originally Posted by compnet

I've yet to see a redirect combofix didn't kill.

I've seen it fail to clean some in the past...and this one is added to the list...redirects still happening even after running combfix.
Will see what happens Monday...hopefully MWB or SAS will have updated definitions to deal with this new variant.

[4ycr]

have you tried hitmanpro it has found redirects in the past for me

[mrvoids]

I've been seeing alot more lately when in the same situation its a rootkit hidden in an small partition tacked on to the end of the drive that is set to hidden and boot last one was only 1 meg large. Used partition magic to delete grow the main drive over the now unused space and set the boot flag on the right partition. After this all the tools that wouldn't run work just fine. Hope this might help.

[othersteve]

Quote:

Originally Posted by mrvoids

I've been seeing alot more lately when in the same situation its a rootkit hidden in an small partition tacked on to the end of the drive that is set to hidden and boot last one was only 1 meg large. Used partition magic to delete grow the main drive over the now unused space and set the boot flag on the right partition. After this all the tools that wouldn't run work just fine. Hope this might help.

Yeah, Pihar.B is becoming increasingly common these days. I kill it offline with TDSSKiller.

You can also use partitioning software to do it though and then set the System Reserved partition as Active (if it's Windows 7). You have to be careful not to end up here however:

http://triplescomputers.com/blog/?p=81

[Patch22]

Quote:

Originally Posted by YeOldeStonecat

Tis my rule of thumb also...but one of the rigs I worked on today HAD all updated...Adobe 10, Flash 11, Java 6.31, IE 8.0.

This new variant here is leaving a redirector behind that we've not yet been able to clean off. Within several minutes your browser starts going to affiliate sites instead of what you hoped for. "letmehelpu" is one of them.

I had this exact same thing after removing the initial Security Fortress infection. Multiple root-kit infections left in place. Like you, I tried a lot of rootkit scanners and malware removal tools. Luckily it was an XP machine and combo-fix found and removed the rootkits. I then had to repair the TCP/IP stack manually, and all was good!! I'm not sure what I would've done if it had been a Vista or 7 P.C as I think combo-fix doesn't work on these O.S's.