  #1  
Old 11-30-2010, 11:08 PM
Jeffreynya

spyware or not?

Has anybody seen microsoftblacklists.com?

I recently had to clean the fake AV8 off a work PC, and that was simple enough even with our limited tools, but it's still getting the microsoftblocklist coming up when opening IE7.

IE7 looks clean and everything has been reset. I can only use Spybot on corporate PCs, and that helped in getting rid of some stuff, and the scans are clean now, but I am still getting the blocked web popup, and I am only going to a corporate homepage.

The firewall sees it every other time I launch a page, so it sees it as a threat. I just am not able to find anything on the PC about it, and nothing really online either.

Any help would be great.

Thanks
  #2  
Old 12-03-2010, 08:54 PM
MobileTechie

I just saw this one today. All I can tell you is that it has a TDL4 rootkit in it which is why hardly anything finds it.
  #3  
Old 12-04-2010, 04:55 PM
Galdorf

You are going to need to run TDSSKiller or GMER; you need to remove the rootkit first before you can clean the rest, then you can run Malwarebytes and Spybot.

Just hope it is not one of the newer boot block rootkits; none of the rootkit scanners even pick this up. It seems to rely on an encrypted file.
  #4  
Old 12-04-2010, 05:00 PM
MobileTechie

I thought TDL4 rootkits were inherently bootkits?

The latest TDSSKiller (which checks the mbr) finds this one and recognises it as a TDL4 rootkit. mbr.exe can see the infected bootblock, encrypted or not.
  #5  
Old 12-05-2010, 05:32 PM
Galdorf

Quote:
Originally Posted by MobileTechie View Post
I thought TDL4 rootkits were inherently bootkits?

The latest TDSSKiller (which checks the mbr) finds this one and recognises it as a TDL4 rootkit. mbr.exe can see the infected bootblock, encrypted or not.
So far I have had 12 machines in with this boot block rootkit; I tried every major AV recovery CD, and not one picked up the rootkit, including TDSSKiller and even GMER.
If you look manually you can see the hooks and a file that has a random name and is encrypted.
If the file is removed, it causes the bootkit to crash before the OS loads, locking on the boot sector.
  #6  
Old 12-05-2010, 06:29 PM
joydivision

Is it the case now that with a lot of these machines there could still be a rootkit there when there are no symptoms of one at all?

Would rewriting the MBR on every infected PC we get be something to do as a routine, or would the new MBR just get infected with the rootkit?

Still learning the art of advanced rootkit diagnosis and removal (aka rootkits for dummies).
  #7  
Old 12-07-2010, 05:26 PM
MobileTechie

Quote:
Originally Posted by Galdorf View Post
So far i have had 12 machines in with this boot block rootkit tried every major av recovery cd not one picked up rootkit including tdsskiller and even gmer.
If you look manually you can see the hooks and a file that has a random name that is encrypted.
If the file is removed it causes the bootkit to crash before OS loads locking on boot sector.
This particular one, well the example I found, was picked up easily with tdsskiller but that nuked the boot process.

Have you checked out Reg Run's Warrior CD system? It doesn't use the usual methods but with the Examiner app it does an online/offline file comparison. Seems promising but oddly implemented.

Out of interest, how are you telling that the boot sector is infected?

I don't suppose you have any examples of this BK available, do you? I'm limited to those I can get off malwaredomainlist.com, and I am always looking for new ones.
  #8  
Old 12-07-2010, 05:27 PM
MobileTechie

Quote:
Originally Posted by petter2010 View Post
I think there must be a random infected driver if you look at the files in Windows PE, as the rootkit may replace the safe driver in normal mode, just like TDSS does.

Another is that the rootkit infected the MBR sector.

That may be a new rootkit that TDSSKiller does not detect.

So first, check whether the machine's MBR is infected.

2. Try to find the infected driver in Windows PE.
What method are you suggesting to:

1. Find out if the mbr is infected and
2. Find the infected driver easily in PE?
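A worked example of the first check asked about above (is the MBR infected?), added here and not written by anyone in this thread: it parses a 512-byte MBR dump, verifies the 0x55AA signature and partition table, and diffs the boot code against a known-good dump from a clean machine running the same Windows version. It assumes both dumps were read from outside the suspect OS (a boot CD or PE environment), because a running rootkit can serve a clean-looking sector to reads made on the infected system; the sample images below are constructed, not real captures.

```python
import struct

MBR_SIZE = 512             # one sector
PART_TABLE_OFFSET = 0x1BE  # boot code occupies bytes 0..445
SIGNATURE_OFFSET = 0x1FE   # 0x55AA marks a valid MBR
PART_ENTRY = "<B3xB3xII"   # status, CHS skipped, type, CHS skipped, LBA start, sector count


def load_mbr(path: str) -> bytes:
    """Read the first sector from a raw dump file (made from a boot CD or PE, not the live OS)."""
    with open(path, "rb") as fh:
        return fh.read(MBR_SIZE)


def parse_mbr(mbr: bytes) -> dict:
    """Split a 512-byte MBR image into boot code, partition entries and signature."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR image must be exactly 512 bytes")
    parts = []
    for i in range(4):
        raw = mbr[PART_TABLE_OFFSET + 16 * i:PART_TABLE_OFFSET + 16 * (i + 1)]
        status, ptype, lba_start, sectors = struct.unpack(PART_ENTRY, raw)
        parts.append({"bootable": status == 0x80, "type": ptype,
                      "lba_start": lba_start, "sectors": sectors})
    return {"boot_code": mbr[:PART_TABLE_OFFSET], "partitions": parts,
            "signature_ok": mbr[SIGNATURE_OFFSET:] == b"\x55\xAA"}


def compare_boot_code(suspect: bytes, reference: bytes) -> list:
    """Return (offset, reference_byte, suspect_byte) for every differing boot-code byte.
    A bootkit rewrites the boot code but leaves the partition table intact so the
    machine still boots, so the telling result is: boot code differs, table identical."""
    s, r = parse_mbr(suspect), parse_mbr(reference)
    return [(i, rb, sb) for i, (rb, sb) in enumerate(zip(r["boot_code"], s["boot_code"]))
            if rb != sb]


def _build_sample(boot_stub: bytes) -> bytes:
    """Constructed test image: short boot stub, one bootable NTFS partition, valid signature."""
    code = boot_stub.ljust(PART_TABLE_OFFSET, b"\x00")
    table = struct.pack(PART_ENTRY, 0x80, 0x07, 2048, 204800) + b"\x00" * 48
    return code + table + b"\x55\xAA"


# Constructed samples (not real captures): the second has its first boot-code bytes
# replaced by a jump stub, the way a bootkit diverts the boot path to its own loader.
CLEAN_MBR = _build_sample(b"\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb")
INFECTED_MBR = _build_sample(b"\xe9\x00\x01\x90\x90\x90\x90\x90")

if __name__ == "__main__":
    diffs = compare_boot_code(INFECTED_MBR, CLEAN_MBR)
    same_table = parse_mbr(INFECTED_MBR)["partitions"] == parse_mbr(CLEAN_MBR)["partitions"]
    print(f"{len(diffs)} boot-code bytes differ, partition table unchanged: {same_table}")
```

On a real case, replace the constructed samples with `load_mbr()` on the suspect and reference dumps; a clean partition table with an altered boot code is exactly the pattern to investigate further.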
  #9  
Old 12-09-2010, 04:29 PM
Jake77444

Mobile, have you tried Hitman Pro?

TDSS failed for me on cleaning a TDL4 rootkit where Hitman Pro succeeded.
  #10  
Old 12-09-2010, 05:33 PM
MobileTechie

Quote:
Originally Posted by Jake77444 View Post
Mobile, have you tried Hitman Pro?

TDSS failed for me on cleaning a TDL4 rootkit where Hitman Pro succeeded.
Yeah I use it all the time. It's very good.