
Malwarebytes

Warning: New Malware is on the loose and it closes Malwarebytes - prevents it from scanning


4 replies to this topic

#1
adam

    New Member

  • Members
  • 2 posts
Hi!
My name is Adam and I remove spyware on a frequent basis - I have my own small computer service company and it is a very good source of income for us (unfortunately).

Yesterday, I had to give up for the first time ever - I could not remove spyware on both computers that belong to my client. At this point, it looks like a reformat is the only way to kill the unknown rootkit.

Symptoms of the infection:
Prevents Superantispyware from installing and running.
Prevents Malwarebytes from running and installing.
AVG Free 8.5 is fully functional, but its ability to run a scan is disabled (!).
The rootkit redirects the victim's machine to web sites with advertisements.

What I have tried to do in order to fix the infection:

1. Inspected the PCs. Found that AVG is not fully functional. Warned the client to back up important data. The client did not care about the data and gave me a free hand with experimenting.

2. Booted the computer to my USBCD (great project, very useful) CD, removed all of the temp files. Also ran HijackThis and removed maybe about 4 to 5 suspicious entries.
I have also scanned the system32 folder manually and removed all of the randomly named and recently added dlls and .sys files.

3. Rebooted the PC. It rebooted fine with no blue screen. Both Superantispyware and Malwarebytes would still get killed by something. AVG's real-time virus shield was functional and updated, and it was not picking up anything.

4. I have also run ComboFix in safe mode. It found a few objects and fixed them all.

5. Knowing that AVG is compromised, I was able to download, install, and update Avira AntiVir. It installed just fine and became FULLY functional with the latest updates applied (as indicated by Avira's popup :) ). I ran a full scan with AntiVir, but it did not pick up anything.

6. I renamed the Superantispyware install executable to adam2.exe and ran it. I told the install wizard to install it to the programfiles/adam folder, but it still would not run.

7. I finally managed to pull up SAS by running the Runas patch. After updating it fully and running a full scan, it found about 5 or 6 different types of trojans.

8. Upon reboot, SAS was still being blocked and Malwarebytes gets terminated a few seconds into preparing for the scan.

I gave up finally after spending about 4 hours at the client's location.

#2
GT500

    Mostly Cantankerous

  • Trusted Advisors
  • 5,527 posts
  • Gender:Male
  • Location:Fortville, IN
Probably the new TDSS variant. Version 1.41 will deal with it, but until then our main weapon is ComboFix run in normal mode. When ComboFix fails us, we have to fall back to doing it all the hard way with rootkit analyzers like GMER and RootRepeal.

When the going gets tough, and I am sitting in front of the computer, I like to fire up my BartPE disk and use RunAlyzer to look at the system start information. It'll load the registry of a copy of Windows that isn't booted, so you can see all of the startup information (excluding the user-specific stuff, of course) without the possibility of rootkits interfering.

Quote

For we wrestle not against flesh and blood, but against principalities, against powers, and against the worldly governors, the princes of the darkness of this world...
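The approach GT500 describes, reading the startup information out of the unbooted copy of Windows so nothing running inside it can interfere, can be scripted. The following is an added example written for this thread (it is not RunAlyzer's code or anything from the original posts): PowerShell run from a WinPE-style boot environment, assuming the infected installation is mounted at D:\Windows (placeholder path), that reg.exe is available, and that the shell runs elevated.

```powershell
# Added example: list autostart entries and boot/auto-start drivers from an
# OFFLINE Windows installation by loading its hives under temporary keys.
# Assumption: the infected system is mounted at D:\Windows (placeholder).
param([string]$OfflineRoot = 'D:\Windows')

$hives = @{
  'HKLM\OFF_SOFTWARE' = Join-Path $OfflineRoot 'System32\config\SOFTWARE'
  'HKLM\OFF_SYSTEM'   = Join-Path $OfflineRoot 'System32\config\SYSTEM'
}
foreach ($h in $hives.GetEnumerator()) {
  & reg.exe load $h.Key $h.Value | Out-Null
}
try {
  # Machine-wide Run/RunOnce keys. Per-user hives (Users\<name>\NTUSER.DAT)
  # are not loaded here, matching the "excluding user-specific stuff" caveat.
  $runKeys = 'Registry::HKLM\OFF_SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
             'Registry::HKLM\OFF_SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
             'Registry::HKLM\OFF_SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
  foreach ($k in $runKeys) {
    if (Test-Path $k) {
      $props = Get-ItemProperty $k | Select-Object -Property * -ExcludeProperty PS*
      foreach ($p in $props.PSObject.Properties) {
        [pscustomobject]@{ Source = $k.Split('\')[-1]; Name = $p.Name; Command = $p.Value }
      }
    }
  }
  # Drivers: find the ControlSet the offline system boots from, then list
  # kernel/file-system drivers that start at boot, system, or auto start.
  $cur = (Get-ItemProperty 'Registry::HKLM\OFF_SYSTEM\Select').Current
  $svcRoot = 'Registry::HKLM\OFF_SYSTEM\ControlSet00' + $cur + '\Services'
  foreach ($svc in Get-ChildItem $svcRoot) {
    $s = Get-ItemProperty $svc.PSPath
    # Type 1 = kernel driver, 2 = file system driver; Start 0/1/2 = boot/system/auto
    if (($s.Type -eq 1 -or $s.Type -eq 2) -and $s.Start -le 2 -and $s.ImagePath) {
      [pscustomobject]@{ Source = 'Driver'; Name = $svc.PSChildName; Command = $s.ImagePath }
    }
  }
} finally {
  # Always unload, or the offline hives stay locked and the next boot may fail.
  foreach ($h in $hives.Keys) { & reg.exe unload $h | Out-Null }
}
```

Pipe the output to Format-Table or Export-Csv and compare the driver list against a known-clean machine of the same Windows version; the randomly named, recently added .sys files Adam mentions are what this view is meant to surface.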

#3
TeMerc

    Forum Deity

  • Moderators
  • 1,935 posts
  • Gender:Male
  • Location:Phx. AZ. USA
  • Interests:Formula 1 Auto Racing, Computer Security, Entertainment, Sci-Fi, SuperHeroes
This is not news; it's been going on now for at least 6-8 months.

The very latest TDSS variants do a lot more than block those listed; there are at least a dozen apps it kills, and it injects several system files too.

Real piece of work.
Tom Mercado
Consumer Support Engineer


#4
adam

    New Member

  • Members
  • 2 posts

TeMerc, on Sep 3 2009, 11:43 PM, said:

This is not news; it's been going on now for at least 6-8 months.

The very latest TDSS variants do a lot more than block those listed; there are at least a dozen apps it kills, and it injects several system files too.

Real piece of work.

Thank you guys for your reply. I am really on the fence in regards to what to do with these "cookies". The professional curiosity and a challenge vs. losing money big time on a service and a few extra hours of frustration and the manual labor of working with manual rootkit scanners...

;)

#5
GT500

    Mostly Cantankerous

  • Trusted Advisors
  • 5,527 posts
  • Gender:Male
  • Location:Fortville, IN

adam said:

Thank you guys for your reply. I am really on the fence in regards to what to do with these "cookies". The professional curiosity and a challenge vs. losing money big time on a service and a few extra hours of frustration and the manual labor of working with manual rootkit scanners...

You could always just analyze a boot log. You can also try to break the rootkit from a BartPE disk with utilities like RunAlyzer. Remember, though, that if you cannot take the time to do a full analysis, you are probably not doing your customers much good in the long run.

I will assume that you are doing service in your customers' homes, where I can understand the need to be quick. You can't really work on multiple customers' computers at once when doing the work in their homes, and a lot of those scans take hours.
