Major Browser Hijack.

Low-level format isn't necessary as long as the MBR is clean prior to formatting. Think of it in terms of loading points... if there is nothing to tell the PC where to find the infection, the infection doesn't exist for all intents and purposes. The MBR is the only thing outside of the operating system that can accomplish that.

You just have to be sure that compromised files don't also exist... and that can be tough with some infectors, as they get into literally everything. If you found 500 infected objects, that's almost certainly what you were dealing with. An MBR restoration followed by a regular old format will also do the trick.
 
Yep, that's the only thing that cleared it, I'm afraid. I ran mbr.exe, which found 1 infection, cleared that, and the redirect was still there!

Luckily this one's nearly done now. Over 8 hours' work on this, for just £85 (inc. SAS Pro licence). Win some, lose some...

That's the reason I said fixmbr, rather than mbr.exe. Fixmbr is a Microsoft command which REPLACES the MBR, rather than "fixing" it. Only sure way.

Rick
 
Tdss

Make sure you're constantly updating your TDSSKiller application; new versions are coming out all the time. In this case, your ComboFix log file showed the culprit:

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-25 09:41
Windows 5.1.2600 Service Pack 3 NTFS
.
detected NTDLL code modification:
ZwQueryDirectoryFile
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\documents and settings\MyPc\Start Menu\Programs\Startup\rxxjkfmn.exe 166768 bytes executable
.
scan completed successfully
hidden files: 1

I'd have loved to get a sniff of that rxxjkfmn.exe file with something like VirusTotal to find out what you have. You probably would have gotten it clean with an offline deletion of that hidden startup executable along with writing a clean MBR.

Do you know what version of TDSSKiller you were using?
 
> That's the reason I said fixmbr, rather than mbr.exe. Fixmbr is a Microsoft command which REPLACES the MBR, rather than "fixing" it. Only sure way.
>
> Rick

I did do the fixmbr command from the repair function, Rick, and still got hijacked. Ran it again prior to reinstall, and still got hijacked.

mbr.exe was another tool I had up my sleeve, which found and was supposed to have fixed the root cause of the virus. Again that failed, hence why I low-levelled it.
 
I'm using version 2.4.4.0. To be honest, I'm not sure if this is the latest version or not. I last downloaded this one on the 4th April 2011.

TDSS Killer will automatically check for new versions if you run it on a PC with internet connectivity.

I know how you feel, Nige. I spent the bank holiday weekend repairing a system after removing Ramnit from it. The customer refused to allow a N&P.
 
I don't freaking believe this!!

Here's the scenario, or rather what I did start to finish.

Previously backed up client's data to external drive with FABS.
Used Dell XP CD to install Windows, all fine.
Installed all updates via WSUS, all fine.
Loaded all drivers, all fine.
FABS over client's data.
nLited my usual programs, all fine.
Loaded FF, started browser, checked BBC's site, comes out fine.
Attempted to download my client's chat program, and back comes the browser hijack!
Next thing MSSE starts saying it's infected with Ramnit.gen!B. Currently it's looking at 487 threats!!
Installed SAS Pro, and checking the external drive with client's data; that's found 11 threats so far, 2 of these are Vundo/Variant-MSFake.

Most of the MSSE threats are the drivers I downloaded from the Asus website for this netbook! After unzipping them and installing them, I deleted the zips and installs all to the recycle bin.

What the feck's going on here!? I am slowly tearing my hair out.

Yes, I should have checked my client's data before transferring it back over. Something I will add to my process checklist now.
 
Could it be the chat client, Nige, which is causing the infection? I wouldn't have thought the processes would be there in the user's files to kick off the infection without some kind of catalyst.
 
That I don't know, Mike.

I have an idea of what could be causing it; won't know for sure for the next 30 mins or so. Will post back if my inkling is correct.

Have reformatted it yet again, only this time with a Toshy special XP CD instead of the Dell one. Will install the Kaspersky 30-day trial before I do anything, i.e. driver-wise, and fingers crossed give it a whirl from there.
 
Hey Nige, I would have shot this netbook already. It would have looked like this when I got done with it.

[image: bullet-hole-laptop-iraq-zaw2.png]
 
Nige,

If you are using any sort of read/write toolkit (e.g. USB flash drive) to accomplish these tasks, it's likely your toolkit has become infected and thus is reinfecting the computer with each run of a tool. Is that what's going on possibly?

Ramnit can be disinfected, so don't fret if you don't have a backup of your toolkit. But it sucks if that's what's up! Had the same happen to me once with a Sality infection. However, I image my toolkit daily, and I keep multiple copies on backup drives as well.
 
LOL, cheers for that, I needed the laugh.

Right, FINALLY cracked it!

The virus(es), hundreds of the beggars, were inside my client's data. On the recommendation of Martyn, I installed the Kaspersky trial version. Ran his data through that, and found in excess of 400 viruses inside there. Contacted my client and told him it's his data which is virused up to the eyeballs.

Now I have FINALLY got this one sorted. It's been a marathon effort. Thanks to all concerned with tips and advice.
 
> Nige,
>
> If you are using any sort of read/write toolkit (e.g. USB flash drive) to accomplish these tasks, it's likely your toolkit has become infected and thus is reinfecting the computer with each run of a tool. Is that what's going on possibly?

Yes Steve, my pen was part of the issue at hand. I either use it, or a USB drive, as my storage of choice. I have another pen with my toolkit on, which I have also used on this machine. That was virused up to the eyeballs also.

Both have now had a thorough cleansing, tools put back over again (like you, I have multiple backups), and are back in clean working order.

Thanks for the tip though :). Apologies for the late reply, I've been at a pre-Scout-AGM meeting all night. That's another kettle of fish I've opened... lol
 
> I'm using version 2.4.4.0. To be honest, I'm not sure if this is the latest version or not. I last downloaded this one on the 4th April 2011.

That's a very old version. I don't think it can detect TDL4 variants. The current version is 2.4.21.0. If you really got 2.4.4.0 earlier this month, you didn't get it directly from the Kaspersky website and I'd be very suspicious of it.

> TDSS Killer will automatically check for new versions if you run it on a PC with internet connectivity.

2.4.4.0 won't check; that function was added in a much later version.
 
> That's a very old version. I don't think it can detect TDL4 variants. The current version is 2.4.21.0. If you really got 2.4.4.0 earlier this month, you didn't get it directly from the Kaspersky website and I'd be very suspicious of it.
>
> 2.4.4.0 won't check; that function was added in a much later version.

Thanks for the heads up. I have just downloaded the latest version and added it to my toolkit. The date I assumed I downloaded it was the file date, but that could have been when I transferred it from another place or not.
 
> Yes Steve, my pen was part of the issue at hand. I either use it, or a USB drive, as my storage of choice. I have another pen with my toolkit on, which I have also used on this machine. That was virused up to the eyeballs also.

This is the primary reason I only use CD/DVD "tools" discs in customer systems. I constantly update the discs, and burn new ones weekly... I NEVER use USB devices in any customer system...
 
> This is the primary reason I only use CD/DVD "tools" discs in customer systems. I constantly update the discs, and burn new ones weekly... I NEVER use USB devices in any customer system...

It really isn't a problem provided you keep regular images of your USB toolkit on hand and multiple copies. Plus, if your toolkit scripts auto-log your services like mine do, having a R/W device handy is really a nice thing.
 
> Yes Steve, my pen was part of the issue at hand. I either use it, or a USB drive, as my storage of choice. I have another pen with my toolkit on, which I have also used on this machine. That was virused up to the eyeballs also.
>
> Both have now had a thorough cleansing, tools put back over again (like you, I have multiple backups), and are back in clean working order.
>
> Thanks for the tip though :). Apologies for the late reply, I've been at a pre-Scout-AGM meeting all night. That's another kettle of fish I've opened... lol

Panda have a free tool to vaccinate thumb drives. I regularly reimage from a backup, but on particularly nasty variants I've found a couple of hundred viruses in the recycle area; with no autorun, though, they have no way to run. I need R/W as scripts write to the drive when they run.
The bigger problem is when it infects the EXEs on the USB drive. Ramnit loved this, hence the regular reimage.
 
> Panda have a free tool to vaccinate thumb drives. I regularly reimage from a backup, but on particularly nasty variants I've found a couple of hundred viruses in the recycle area; with no autorun, though, they have no way to run. I need R/W as scripts write to the drive when they run.
> The bigger problem is when it infects the EXEs on the USB drive. Ramnit loved this, hence the regular reimage.

Yeah, the various thumbdrive vaccination techniques are all based on the creation of a system/hidden autorun.inf folder. That tricks the malware's autorun.inf creation code into failing: it generally tries to edit/delete autorun.inf as a file, and thus kicks back an error when a folder of that name exists instead (most do not account for that scenario, which is why it works). Unfortunately, this does nothing to combat the running of infected EXEs on the thumbdrive, as you've said... and generally this occurs before any AV software is installed, because if you guys are anything like me, the AV software itself comes from the thumbdrive!

It's just that you have to be super careful when dealing with these sorts of infections. I watch for excessive flash drive activity and sluggish performance... those are definitive indicators of suspect activity. :) But it's so uncommon it really isn't worth going to read-only media as a result, IMO.
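The two halves of the thread's USB-toolkit discussion, the autorun.inf folder vaccination and the gap it leaves (file infectors such as Ramnit rewriting the EXEs on the stick), can be covered by one small script. The following is an added example written for this page; it is not Panda's vaccination tool and not any poster's script. It assumes Windows PowerShell 4.0 or later (for Get-FileHash), that the stick is mounted at the drive letter passed in -Drive, and a manifest path of your choosing; the script name Check-Toolkit.ps1 in the usage note is also an assumption.

```powershell
<#
  Added example (not from this thread, not Panda's tool).
  Assumes: Windows PowerShell 4.0+, stick mounted at -Drive, writable manifest path.
    Vaccinate : create the system/hidden autorun.inf FOLDER described in the thread
    Baseline  : record SHA-256 of every executable on the stick (run right after
                reimaging from a known-good backup)
    Verify    : compare the stick against that baseline before the next job;
                this is what catches infected EXEs, which vaccination cannot
#>
param(
    [Parameter(Mandatory = $true)][string]$Drive,            # e.g. 'E:'
    [ValidateSet('Vaccinate', 'Baseline', 'Verify')][string]$Action = 'Verify',
    [string]$Manifest = (Join-Path $env:USERPROFILE 'toolkit-manifest.csv')
)

$root    = $Drive.TrimEnd('\') + '\'
$autorun = Join-Path $root 'autorun.inf'
# Extensions a file infector goes after and a script toolkit actually runs.
$watched = '.exe', '.dll', '.sys', '.scr', '.com', '.cmd', '.bat', '.ps1', '.vbs'

function Protect-Autorun {
    # A real autorun.inf FILE means the stick already carries an autorun entry:
    # report it and stop, rather than silently building on top of it.
    if (Test-Path -LiteralPath $autorun -PathType Leaf) {
        $attr = (Get-Item -LiteralPath $autorun -Force).Attributes
        Write-Warning "autorun.inf exists as a file (attributes: $attr). Inspect it before vaccinating."
        return $false
    }
    if (-not (Test-Path -LiteralPath $autorun -PathType Container)) {
        New-Item -ItemType Directory -Path $autorun | Out-Null
        # A child file keeps the folder non-empty, so a plain RemoveDirectory call fails too.
        New-Item -ItemType File -Path (Join-Path $autorun 'keep.txt') -Value 'vaccination decoy' | Out-Null
    }
    $dir = Get-Item -LiteralPath $autorun -Force
    $dir.Attributes = [IO.FileAttributes]::Directory -bor [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System
    return $true
}

function Test-AutorunBlocked {
    # The property the technique relies on: creating autorun.inf as a file must fail.
    try { [IO.File]::WriteAllText($autorun, 'x'); return $false } catch { return $true }
}

function Get-ToolkitFiles {
    Get-ChildItem -LiteralPath $root -Recurse -Force -File |
        Where-Object { $watched -contains $_.Extension.ToLower() }
}

function New-ToolkitBaseline {
    Get-ToolkitFiles | ForEach-Object {
        [pscustomobject]@{
            Path   = $_.FullName.Substring($root.Length)
            Length = $_.Length
            Sha256 = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    } | Export-Csv -LiteralPath $Manifest -NoTypeInformation
}

function Test-ToolkitIntegrity {
    $baseline = @{}
    Import-Csv -LiteralPath $Manifest | ForEach-Object { $baseline[$_.Path] = $_ }
    $seen     = @{}
    $findings = New-Object System.Collections.Generic.List[string]
    foreach ($f in Get-ToolkitFiles) {
        $rel = $f.FullName.Substring($root.Length)
        $seen[$rel] = $true
        if (-not $baseline.ContainsKey($rel)) { $findings.Add("NEW      $rel"); continue }
        $hash = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
        if ($hash -ne $baseline[$rel].Sha256) {
            # File infectors append their code to the host, so a grown file is the classic sign.
            $delta = [int64]$f.Length - [int64]$baseline[$rel].Length
            $findings.Add("MODIFIED $rel (size change: $delta bytes)")
        }
    }
    foreach ($k in $baseline.Keys) { if (-not $seen.ContainsKey($k)) { $findings.Add("MISSING  $k") } }
    return ,$findings
}

switch ($Action) {
    'Vaccinate' {
        if (Protect-Autorun) { "autorun.inf folder in place; file creation blocked: $(Test-AutorunBlocked)" }
    }
    'Baseline' { New-ToolkitBaseline; "Baseline written to $Manifest" }
    'Verify' {
        $r = Test-ToolkitIntegrity
        if ($r.Count -eq 0) { 'Toolkit matches baseline.' }
        else { $r; Write-Warning "$($r.Count) deviation(s). Reimage the stick before it touches a customer PC." }
    }
}
```

Run `.\Check-Toolkit.ps1 -Drive E: -Action Vaccinate` once per stick, `-Action Baseline` immediately after restoring the stick from a clean image, and `-Action Verify` on a trusted machine before each job. A Verify pass that lists MODIFIED executables with a positive size change on a stick that has only been plugged into customer PCs is exactly the Ramnit scenario the thread describes, and the right response is the one the posters already use: reimage rather than clean.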
 