Live one here


3 replies to this topic

#1 Nordic PC

Nordic PC

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:05:35 AM

Posted 06 June 2012 - 07:54 AM

Hi everyone,
I'm a longtime virus remover, with over 10 years of professional experience in this field. I wanted to make sure that everyone knew about a new rootkit that is floating around. The end user's experience is the "Your hard drive is dying" scareware, hidden files, and hijacked search results. My process of removal is a little different than the recommended processes here since I have machines dedicated to scanning hard drives, but I feel these guys here really know their stuff, so I won't go into that. Here's what I've found so far though:

From MSSE:
- Exploit:Java/Blacole.DY
- Backdoor:Win32/Simda.A
- Trojan:DOS/Alureon.E

I rewrote the MBR first with a Windows disk. After that, there was an .exe that wasn't identified in the AppData folder that I manually deleted. That got rid of the "Your hard drive is dying" messages and made the machine run fairly normally. I had to "unhide" files that were hidden (btw, thanks SO MUCH for that tool). However, the search results from Google are still being hijacked by an unknown rootkit. Tools like RootkitRevealer are being blocked, even when renamed; however, Malwarebytes and others install and run just fine. I've run several tools (ComboFix, TDSSKiller, MSERT) so far to try and get to this thing, but nothing is finding it yet. I'm giving it a go with Malwarebytes, and hopefully this will get it. MB has been blocking a network call from explorer.exe to 206.161.121.6 on port 52592 also, which I suppose is this rootkit trying to communicate with its server.

Anyways, just wanted to give everyone a heads-up, and I'll reply once I can get the beast out of here.

Thanks for everything you do to help the community.

-Nate Solberg
President, Nordic PC, Inc.

Anyways, I've checked the easy things, like optical drive filters where I've seen rootkits hiding before, but this one is hiding pretty well.
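The one concrete network indicator in the post above is explorer.exe reaching out to 206.161.121.6. The script below is an added example, not part of the original post: it parses `netstat -ano` output (the constructed sample rows are not from the poster's machine) and reports every row whose remote host is on a watchlist, with the owning PID so it can be mapped to a process with `tasklist /FI "PID eq <pid>"`. Matching is on the remote IP only, because the client-side port differs on every connection attempt.

```python
"""Flag connections to a watchlisted host in Windows ``netstat -ano`` output.

Added example, not code from the forum thread. The indicator 206.161.121.6 is
the address quoted in the thread; the netstat rows below are constructed.
"""
import re
import subprocess
from typing import Dict, List, Set

# Remote host quoted in the thread as the destination of explorer.exe's connection attempts.
WATCHLIST: Set[str] = {"206.161.121.6"}

# Constructed sample of ``netstat -ano`` output (not captured from the poster's machine).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       784
  TCP    192.168.1.10:49712     206.161.121.6:52592    SYN_SENT        1404
  TCP    192.168.1.10:49713     74.125.224.72:443      ESTABLISHED     2380
  TCP    [::1]:49714            [::1]:445              ESTABLISHED     4
  UDP    0.0.0.0:500            *:*                                    1120
"""

# One netstat row: protocol, local endpoint, remote endpoint, optional state (UDP has none), PID.
_ROW = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s+(?P<pid>\d+)\s*$"
)


def split_endpoint(endpoint: str):
    """Split 'host:port' into (host, port); handles bracketed IPv6 and the '*:*' wildcard."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), port


def parse_netstat(text: str) -> List[Dict[str, str]]:
    """Turn raw ``netstat -ano`` text into one dict per connection row."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue  # banner, header and blank lines
        rhost, rport = split_endpoint(m["remote"])
        rows.append({
            "proto": m["proto"],
            "local": m["local"],
            "remote_host": rhost,
            "remote_port": rport,
            "state": m["state"] or "",
            "pid": m["pid"],
        })
    return rows


def find_hits(text: str, watchlist: Set[str] = WATCHLIST) -> List[Dict[str, str]]:
    """Return the rows whose remote host is on the watchlist, regardless of port or state."""
    return [r for r in parse_netstat(text) if r["remote_host"] in watchlist]


def live_hits(watchlist: Set[str] = WATCHLIST) -> List[Dict[str, str]]:
    """Run netstat on the local Windows host and check it against the watchlist."""
    out = subprocess.run(["netstat", "-ano"], capture_output=True, text=True, check=True).stdout
    return find_hits(out, watchlist)


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_NETSTAT):
        # Map the PID to an image name afterwards with: tasklist /FI "PID eq <pid>"
        print(f"PID {hit['pid']} -> {hit['remote_host']}:{hit['remote_port']} ({hit['state'] or 'n/a'})")
```

A SYN_SENT row that keeps reappearing for the same remote host is the netstat-level view of what Malwarebytes was blocking; the PID, not the process name, is what to pivot on, since a bootkit that hooks the explorer.exe process will show up under that legitimate image name.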


#2 Nordic PC

Nordic PC
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:05:35 AM

Posted 06 June 2012 - 07:58 AM

Update: Malwarebytes doesn't have it in their signatures either, apparently.

#3 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:India
  • Local time:05:35 AM

Posted 06 June 2012 - 08:09 AM

Download

aswMBR

Launch it, allow it to download the latest Avast! virus definitions
Click the "Scan" button to start the scan. After the scan finishes, click on Save log

Post the log results here


Download

ESET online scanner


Install it

Click on START; it should download the virus definitions
When the scan gets completed, click on LIST of found threats

Export the list to the desktop and copy the contents of the text file into your reply

Download

MiniToolBox

Checkmark the following boxes:

Flush DNS
Report IE Proxy Settings
Reset IE Proxy Settings
Report FF Proxy Settings
Reset FF Proxy Settings
List content of Hosts
List IP configuration
List Winsock Entries
List last 10 Event Viewer log
List Installed Programs
List Users, Partitions and Memory size

Click Go and post the result.

#4 PCUser88

PCUser88

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:05:35 AM

Posted 08 June 2012 - 04:10 PM

I just finished working on the fake AV "Data Recovery S.M.A.R.T check" malware.
I used the following instructions:
http://www.bleepingcomputer.com/virus-removal/remove-data-recovery#files
I also used RKill.

The only remaining problem (which may or may not be related to the above issue) was the fact that Malwarebytes was constantly blocking an outgoing attempt to IP 206.161.121.6

The only program I could find to identify and eliminate this rootkit was Kaspersky's TDSSKiller.
That did the trick. TDSSKiller identified the rootkit as:
Rootkit.Boot.SST.b
TDSSKiller removed it, and after a reboot there were no more outgoing attempts to IP 206.161.121.6

Hope this helps your situation.
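TDSSKiller's Rootkit.Boot.SST.b verdict in the post above points at the MBR, which is also why the first poster's MBR rewrite only partly helped. The script below is an added example, not the thread's or any tool's code: it reads the first sector of a disk, verifies the 0x55AA boot signature, parses the four partition entries and checks them for consistency (exactly one active partition, valid status bytes, no overlap), and compares a SHA-256 of the 440-byte boot-code area against a reference the analyst recorded from a known-clean system. `REFERENCE_BOOTCODE_SHA256` is a placeholder for that measured value, the sample MBRs are constructed, and the "clean" boot code is a generic x86 prologue padded with NOPs, not real Windows MBR code.

```python
"""Parse and sanity-check a 512-byte Master Boot Record.

Added example, not code from the forum thread. Sample MBRs below are constructed;
the reference hash is a placeholder the analyst must measure on a clean machine.
"""
import hashlib
import struct
from typing import Dict, List, Optional

SECTOR = 512
BOOT_CODE_LEN = 440          # boot code precedes the 4-byte disk signature at offset 440
PART_TABLE_OFFSET = 446
PART_ENTRY_LEN = 16
PART_ENTRY_FMT = "<B3xB3xII"  # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
BOOT_SIGNATURE = b"\x55\xAA"

# Assumption: SHA-256 of the boot-code area taken from a clean install of the same Windows
# version. None disables the comparison; fill it in with your own measurement.
REFERENCE_BOOTCODE_SHA256: Optional[str] = None


def read_mbr(device: str) -> bytes:
    r"""Read sector 0 of a raw device, e.g. '\\.\PhysicalDrive0' (elevated) or '/dev/sda' (root)."""
    with open(device, "rb") as f:
        return f.read(SECTOR)


def bootcode_sha256(mbr: bytes) -> str:
    """Hash only the code area, so a changed disk signature or partition table does not mask it."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def parse_partitions(mbr: bytes) -> List[Dict[str, int]]:
    """Return the non-empty entries of the primary partition table."""
    parts = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_LEN
        status, ptype, lba_start, sectors = struct.unpack_from(PART_ENTRY_FMT, mbr, off)
        if ptype == 0:
            continue  # unused slot
        parts.append({"index": i, "status": status, "type": ptype,
                      "lba_start": lba_start, "sectors": sectors,
                      "lba_end": lba_start + sectors - 1})
    return parts


def check_mbr(mbr: bytes, reference_sha256: Optional[str] = REFERENCE_BOOTCODE_SHA256) -> List[str]:
    """Return human-readable findings; an empty list means nothing looked wrong."""
    if len(mbr) < SECTOR:
        return [f"short read: got {len(mbr)} bytes, need {SECTOR}"]
    findings = []
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    parts = parse_partitions(mbr)
    active = [p for p in parts if p["status"] == 0x80]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected 1)")
    for p in parts:
        if p["status"] not in (0x00, 0x80):
            findings.append(f"partition {p['index']}: invalid status byte 0x{p['status']:02x}")
    ordered = sorted(parts, key=lambda p: p["lba_start"])
    for a, b in zip(ordered, ordered[1:]):
        if b["lba_start"] <= a["lba_end"]:
            findings.append(f"partitions {a['index']} and {b['index']} overlap")
    if reference_sha256 is not None:
        digest = bootcode_sha256(mbr)
        if digest != reference_sha256:
            findings.append(f"boot code sha256 {digest[:16]}... differs from reference")
    return findings


def build_sample_mbr(boot_code: bytes, entries) -> bytes:
    """Assemble a constructed MBR from boot code and (status, type, lba_start, sectors) tuples."""
    buf = bytearray(SECTOR)
    buf[:BOOT_CODE_LEN] = boot_code[:BOOT_CODE_LEN].ljust(BOOT_CODE_LEN, b"\x00")
    buf[440:444] = b"\xde\xad\xbe\xef"  # arbitrary disk signature
    for i, (status, ptype, lba, sectors) in enumerate(entries):
        struct.pack_into(PART_ENTRY_FMT, buf, PART_TABLE_OFFSET + i * PART_ENTRY_LEN, status, ptype, lba, sectors)
    buf[510:512] = BOOT_SIGNATURE
    return bytes(buf)


# Constructed data: a generic x86 prologue (xor ax,ax / mov ss,ax / mov sp,0x7c00 ...) padded with NOPs,
# and a "tampered" variant (jmp $ padded with zeros). Neither is real Windows or bootkit code.
CLEAN_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c\x8e\xc0\x8e\xd8".ljust(BOOT_CODE_LEN, b"\x90")
TAMPERED_BOOT_CODE = b"\xeb\xfe".ljust(BOOT_CODE_LEN, b"\x00")
CLEAN_PARTS = [(0x80, 0x07, 2048, 204800), (0x00, 0x07, 206848, 20000000)]
SAMPLE_REFERENCE_SHA256 = hashlib.sha256(CLEAN_BOOT_CODE).hexdigest()  # stands in for the measured value

if __name__ == "__main__":
    for name, code in (("clean", CLEAN_BOOT_CODE), ("tampered", TAMPERED_BOOT_CODE)):
        print(name, check_mbr(build_sample_mbr(code, CLEAN_PARTS), SAMPLE_REFERENCE_SHA256) or "ok")
```

Two cautions when using this on a suspect disk. Read the sector from outside the infected OS (a boot CD, or a scanning machine as the first poster uses), because a bootkit can filter disk reads and present the original MBR from inside the running system; and treat a matching boot-code hash as necessary, not sufficient, since the malware body lives elsewhere on the disk and the MBR is only its entry point.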
