gusl | Rootkit.TDss.gen

You're viewing

gusl's journal
Create a Dreamwidth Account Learn More

Reload page in style: site light

I'm struggling against the nastiest malware I've ever seen. It seems to be a rootkit that is immune to System Restore, Spyware Search & Destroy and HijackThis.

It messes with the redirecting of Google hits via the hosts file, even if the hosts file is "immunized" (locked). In the meantime, I am harboring paranoia worthy of a science fiction story. It seems to know when I'm trying to download protection software, and gets in the way. So I'm not logging in to my email or Facebook.

I'm pursuing the advice on this thread.

Suggested solutions:
http://www.malwarebytes.org
http://www.filecluster.com/reviews/112009/noredirect-firefox-extension-a-must-for-the-masses/
http://www.hitmanpro.com

Threaded | Top-Level Comments Only

From:

peamasii.livejournal.com

I've used Hitman pro before, with mixed results. Since I installed Kaspersky Internet Security though, about 2-3 years ago, I've never had any malware problems anymore ever. I like its pricing and configuration options much more than other AV products.

From:

bhudson.livejournal.com

Nuke from orbit and reinstall?

From:

xuande.livejournal.com

From:

elsumis.livejournal.com

We got a wonderful rootkit "mebroot" on one of our lab's computers this Christmas. Its injection vector was a PDF that contained a javascript-based sploit for Adobe Acrobat Reader (< 8.0 or so). After injection, it hijacked the MBR to load up payload code that was stored at the end of the harddrive (outside the filesystem). It modified the Windows bootup process, overriding several different low-level harddrive-access APIs so that any virus scanner would only see a clean MBR, and nothing suspicious at drive end. Cleverly, it also infected some APIs used for encrypted internet communication, so it was able to steal passwords from all HTTPS sessions.

We only realized that we were infected after being alerted by the sysadmins, who shut down our network since we were hosing the internet with packet spam. The only way I was able to find the zombie computer, and detect the rootkit, was with the GMER rootkit checker ( http://www.gmer.net ). I believe gmer.exe detected the suspicious rearrangement of API, and mbr.exe was able to dig low-level enough to see the infected MBR and remove it.