new antivirus 2010 with new rootkit

[Galdorf]

Wow this one is nasty it runs both in normal and safe mode prevents ANY even renamed security apps from running , if you install them it deletes them.
Ran autoruns from live cd tried removing the startup for the rootkit gave me an error could not remove it, tdsskiller,gmer and 18 other rootkit scanners found nothing.
Ran antivir from ubcd4win it picked up BDS/TDSS.VN seems none of the rootkit scanners can pick this up i tried 20 of them.
Funny thing is you can install malwarebytes in safemode as soon as you run it it terminates it and deletes the EXE file.
I tried renaming the exe from malwarebytes same thing it terminates and deletes the EXE file.
Tried autoruns and renamed autoruns it terminates it as well including process explorer.

[Technotch]

never encountered anything like this yet but its probably smarter to backup and do a clean install.

[gunslinger]

I had a system come in the other day with the owner complaining it was "slow". I checked and it was running Vista with a gig of RAM so I was like "well duh its slow" Vista just runs that way. After scanning with both superantispyware and malwarebytes found a total of 953 infected files. Not tracking cookies but actual infected files. After removing them I did a virus scan and came up with 19 more.

I have also had a few machines come back after a very thorough cleaning. Only to have the infection come right back due to an undetected rootkit. Its almost to the point were I just want to do a backup and clean install on almost every system that comes in "slow".

[MobileTechie]

Quote:

Originally Posted by Galdorf

Wow this one is nasty it runs both in normal and safe mode prevents ANY even renamed security apps from running , if you install them it deletes them.
Ran autoruns from live cd tried removing the startup for the rootkit gave me an error could not remove it, tdsskiller,gmer and 18 other rootkit scanners found nothing.
Ran antivir from ubcd4win it picked up BDS/TDSS.VN seems none of the rootkit scanners can pick this up i tried 20 of them.
Funny thing is you can install malwarebytes in safemode as soon as you run it it terminates it and deletes the EXE file.
I tried renaming the exe from malwarebytes same thing it terminates and deletes the EXE file.
Tried autoruns and renamed autoruns it terminates it as well including process explorer.

So you're saying that a generic rootkit tool like say Rootkit Unhooker doesn't flag up any file, process, driver, service etc as being hidden or hooked?

And you couldn't remove a start up registry key from a boot CD? Are you talking about the DART disk?

[Galdorf]

Quote:

Originally Posted by MobileTechie

So you're saying that a generic rootkit tool like say Rootkit Unhooker doesn't flag up any file, process, driver, service etc as being hidden or hooked?

And you couldn't remove a start up registry key from a boot CD? Are you talking about the DART disk?

Nothing showed up on any rootkit scanner this was on xp so i used erd 2005 from sysinternals slipstreamed with a bunch of my favorite utilites.

Most rootkit scanners are VERY outdated and will not find anything current.

[MobileTechie]

Quote:

Originally Posted by Galdorf

Nothing showed up on any rootkit scanner this was on xp so i used erd 2005 from sysinternals slipstreamed with a bunch of my favorite utilites.

Most rootkit scanners are VERY outdated and will not find anything current.

Rootkit Unhooker isn't just a scanner. It just flags up objects that are hooked or hidden.

[RedFoxComp]

Quote:

Originally Posted by Galdorf

Wow this one is nasty it runs both in normal and safe mode prevents ANY even renamed security apps from running , if you install them it deletes them.
Ran autoruns from live cd tried removing the startup for the rootkit gave me an error could not remove it, tdsskiller,gmer and 18 other rootkit scanners found nothing.
Ran antivir from ubcd4win it picked up BDS/TDSS.VN seems none of the rootkit scanners can pick this up i tried 20 of them.
Funny thing is you can install malwarebytes in safemode as soon as you run it it terminates it and deletes the EXE file.
I tried renaming the exe from malwarebytes same thing it terminates and deletes the EXE file.
Tried autoruns and renamed autoruns it terminates it as well including process explorer.

You need to get in there manually and start investigating services, drivers and processes. Once you kill them you'll be able to scan and check for more using malwarebytes, autoruns etc.

I think I know the infection you're dealing with. In my case it had patched explorer.exe and winlogon.exe in system32 AS WELL as the DLL cache (sneaky). I cleared the DLL cache, booted from a CD and deleted explorer.exe and winlogon.exe replacing them with files from an XP SP3 install CD. Then I did an SFC /scannow and let it rebuild the DLL cache from the CD.

That was step 3 of 7 or something though, I don't recall everything else but you are right it was VERY nasty to clean completely.

[MobileTechie]

So how did you discover which files it had patched?

[RedFoxComp]

Quote:

Originally Posted by MobileTechie

So how did you discover which files it had patched?

I believe it was one of 2 ways, I think this patching virus created an additional file 'explorer .exe' So i searched for "* .exe" and found it had patched a lot of .exe's. So what was happening was any time you ran a patched file it was restoring the service or driver that was causing the problems. If you don't have a good method of dealing with a threat like this it's probably easier to reinstall, otherwise it's like boxing with someone that has 8 arms

I also searched for files dated a week old or newer in the windows directory. Anything new was suspect.

You can use a tool like systemlook to check out processes and see if they are up to anything funny.

To find out what you're dealing with you can use Dr. Web and/or Avira Live CD and hopefully it will give you an idea of the type of infection you're dealing with and you can go from there.

[MobileTechie]

Quote:

Originally Posted by RedFoxComp

I believe it was one of 2 ways, I think this patching virus created an additional file 'explorer .exe' So i searched for "* .exe" and found it had patched a lot of .exe's. So what was happening was any time you ran a patched file it was restoring the service or driver that was causing the problems. If you don't have a good method of dealing with a threat like this it's probably easier to reinstall, otherwise it's like boxing with someone that has 8 arms

I also searched for files dated a week old or newer in the windows directory. Anything new was suspect.

You can use a tool like systemlook to check out processes and see if they are up to anything funny.

To find out what you're dealing with you can use Dr. Web and/or Avira Live CD and hopefully it will give you an idea of the type of infection you're dealing with and you can go from there.

Yes I understand that. I'm intereted to know how you knew which files it patched. It sounds like you did it through the dates alone?