Got a new one out there!!!


BubbaJoe

Jan 18, 2013, 10:52:44 PM
please remove all ity.im ads from your website virus/rootkit

Appears to be a rootkit with 0A-like behavior. About 4 days old. Blocks TDSS killer and Fixtdss from running. Appears to infect explorer.exe. Loads bogus DLLs in appdata.

Neither restore nor reloading the OS seems to have any effect, which would seem to indicate an MBR rootkit...

I haven't been able to look at a machine myself yet, so I haven't been able to look at the registry or Disk Management (to check for empty partitions).


Anyone else?

Edit: OK, looks like it creates a 7MB partition.
Edit2: Looks like HMP will take care of it natively, or any rootkit removal tool launched from an external boot device. Still don't have any insight into damage...
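The "check Disk Management for empty partitions" step above can be scripted as a first triage pass. This is an added example, not code from the thread or from any tool named in it; it uses the WMI Win32_DiskPartition classes (available on Windows 7-era systems), and the 64 MB size threshold is an assumption chosen to catch a small unmapped partition like the 7MB one reported here.

```powershell
# Added example (not from the thread): flag small partitions that back no
# drive letter, as a triage check for a hidden boot-area partition.
$maxSuspectMB = 64   # assumption: unmapped partitions at/below this size get flagged

# Build the set of partitions that back a logical drive; those are expected.
$mapped = @{}
Get-WmiObject Win32_LogicalDiskToPartition | ForEach-Object {
    # Antecedent looks like: ...:Win32_DiskPartition.DeviceID="Disk #0, Partition #1"
    if ($_.Antecedent -match 'DeviceID="([^"]+)"') { $mapped[$matches[1]] = $true }
}

$findings = foreach ($p in Get-WmiObject Win32_DiskPartition) {
    $sizeMB   = [math]::Round($p.Size / 1MB, 1)
    $hasDrive = $mapped.ContainsKey($p.DeviceID)
    [pscustomobject]@{
        Partition = $p.DeviceID
        Disk      = $p.DiskIndex
        SizeMB    = $sizeMB
        Type      = $p.Type
        Bootable  = $p.Bootable
        HasDrive  = $hasDrive
        # Small and not backing any volume: worth comparing against the layout you expect.
        Suspect   = ((-not $hasDrive) -and ($sizeMB -le $maxSuspectMB))
    }
}

$findings | Sort-Object Disk, Partition | Format-Table -AutoSize
$findings | Where-Object Suspect | ForEach-Object {
    Write-Warning ("Unmapped partition '{0}' on disk {1} is only {2} MB; verify it against the expected " +
                   "layout (vendor recovery, EFI and MSR areas are legitimate)." -f $_.Partition, $_.Disk, $_.SizeMB)
}
```

A rootkit that filters what the live system reports can hide such a partition from WMI as well, so run the check with the disk mounted offline or from an external boot device, as the later replies describe.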

Ramrunner

Jan 23, 2013, 3:19:47 AM
to fooli...@googlegroups.com
Sorry - bit slow on acronyms sometimes. HMP is?

Cybercrypt

Jan 23, 2013, 5:55:42 PM
to fooli...@googlegroups.com
HMP = Hitman Pro

Had similar: ran my base config, including aswMBR and D7 malwarescan, in offline mode, i.e. the HDD was mounted from my service PC.
Hot booted the infected machine, swept the floor to remove the conduit, sweetIM, searchqu and mywebsearch rubbish... by the time I got to it HMP didn't know what I was complaining about ;)