InternetSecurity2011


D-Jester
December 23rd, 2010, 21:00
This thing got hold of one of the computers at my work today, and it was a real pain to remove.

It installs a rootkit via a Virtual Device and replaces userinit.exe. It also killed my internet connection while it was running.

It was nearly 4 hours before I could feel confident I had it removed; it killed the process of every antimalware/rootkit detection tool I tried, and then it changed permissions so the tool couldn't run again without adjusting them.

http://forums.malwarebytes.org/?showtopic=70883

Probably the most aggressive I have ever come across. Thought someone might like to play with it.

Woodmann
December 23rd, 2010, 23:59
Howdy,

I notice gmer isn't on the list. Have you tried it?

And for what it's worth, that mal is a shitty "your computer is infected" type of mal.
It will hold you hostage until you buy it OR get bright and learn how to take back control of your anti-mal/rootkit softs.

Mbytes removed it. I will reinstall it and try GMER.

Woodmann

D-Jester
December 24th, 2010, 18:06
Mbytes was my first go-to solution, but as soon as the scan started Mbytes was terminated, and mbam.exe was then locked by group policy.

I tried Sophos Anti-Rootkit, GMER, RootkitRevealer, IceSword, F-Secure Blacklight, RKill, and a few others.

Finally I found a detailed removal guide:

http://deletemalware.blogspot.com/2010/12/how-to-remove-internet-security-2011.html

I ended up doing a clean install of Windows today; the PC still wasn't acting right. I was getting permission errors and altogether a slow OS, with lag spikes where the OS seemed to hang.

It was probably due anyway after XP -> Vista -> Win7 upgrades over the past few years.

Maybe it was just because of my inexperience with malware, or because it was Win7.

Woodmann
December 24th, 2010, 22:14
Howdy,

Get UBCD or something else that will rewrite the MBR to zeros.
I gut the whole damn thing, partitions, EVERYTHING.

If you're going to start with a clean box, make sure it's clean.

Addendum: in Win7 make sure you run things as admin.
Also there is a nifty prog called "Take Ownership" or something similar in name that is helpful. I use it whenever I have problems with programs that have been jacked. Sometimes it works, sometimes it doesn't. If I can't get control, I just gut the fucking box and start over. I am not willing to spend hours trying to reclaim a poisoned box, even though I have.

Woodmann
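The three tricks described in this thread (a replaced userinit.exe, a security tool locked out by policy, and a tool binary whose permissions were changed so it no longer runs) can be checked from an elevated PowerShell before deciding whether to take ownership or gut the box. The script below is an added example, not code from any poster or from the removal guide linked above. It assumes PowerShell 4 or later on the affected machine, an English locale (the sfc check matches English output), and the default Malwarebytes install path; the registry locations it inspects are the standard Windows mechanisms for blocking a program by name (Explorer DisallowRun, Image File Execution Options, Software Restriction Policies), which the thread does not confirm this particular sample used.

```powershell
<#
Added example, not code from any poster in this thread. Triage for the behaviour described
above: a hijacked/replaced userinit.exe, a security tool (mbam.exe in the thread) blocked by
policy, and a tool binary whose permissions were changed so it no longer runs.
Assumptions: an elevated PowerShell 4+ session on the affected machine, English locale (the
sfc check matches English output) and a default Malwarebytes path; the registry locations
checked are the standard Windows ones such malware commonly abuses, the thread does not say
which one this sample used.
#>
param(
    [string]$ToolName = 'mbam.exe',
    [string]$ToolPath = "$env:ProgramFiles\Malwarebytes' Anti-Malware\mbam.exe",
    [switch]$Fix
)

$findings = New-Object System.Collections.Generic.List[string]

# 1. Winlogon Userinit. The stock value is exactly "<SystemRoot>\system32\userinit.exe,"
#    (trailing comma); anything appended after the comma also runs at every logon.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userinit = (Get-ItemProperty -Path $winlogon -Name Userinit).Userinit
if ($userinit -ne "$env:SystemRoot\system32\userinit.exe,") {
    $findings.Add("Winlogon\Userinit is '$userinit' (expected the stock value)")
}

# 2. The userinit.exe file itself. On Win7 it is catalog-signed, so Get-AuthenticodeSignature
#    alone reports NotSigned on a clean copy; let sfc verify it against the component store
#    and record the hash to compare against a known-good machine.
$bin  = "$env:SystemRoot\System32\userinit.exe"
$hash = (Get-FileHash -Path $bin -Algorithm SHA256).Hash
# sfc output captured by PowerShell carries embedded NULs; strip them before matching.
$sfcOut = (& "$env:SystemRoot\System32\sfc.exe" /verifyfile=$bin | Out-String) -replace "`0", ''
if ($sfcOut -notmatch 'did not find any integrity violations') {
    $findings.Add("sfc flags $bin (SHA256 $hash): $($sfcOut.Trim())")
}

# 3. Policy keys that block a program by name.
$policyHits = @()

# Explorer DisallowRun: numbered string values under the DisallowRun subkey, per hive.
foreach ($hive in 'HKCU', 'HKLM') {
    $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun"
    if (Test-Path $key) {
        (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Value -is [string] -and $_.Value -ieq $ToolName } |
            ForEach-Object { $policyHits += "$key\$($_.Name) = $($_.Value)" }
    }
}

# Image File Execution Options: a Debugger value makes Windows launch that program instead.
$ifeo = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$ToolName"
if (Test-Path $ifeo) {
    $dbg = (Get-ItemProperty -Path $ifeo).Debugger
    if ($dbg) { $policyHits += "$ifeo\Debugger = $dbg" }
}

# Software Restriction Policies: path rules live under CodeIdentifiers\<level>\Paths\<guid>.
$srp = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
if (Test-Path $srp) {
    Get-ChildItem -Path $srp -Recurse |
        ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
        Where-Object { $_.ItemData -and $_.ItemData -like "*$ToolName*" } |
        ForEach-Object { $policyHits += "$($_.PSPath) ItemData = $($_.ItemData)" }
}
foreach ($h in $policyHits) { $findings.Add("Execution blocked by policy: $h") }

# 4. Permissions on the tool binary: explicit Deny ACEs are what stop it from launching.
if (Test-Path $ToolPath) {
    $acl  = Get-Acl -Path $ToolPath
    $deny = $acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' }
    foreach ($ace in $deny) {
        $findings.Add("Deny ACE on ${ToolPath}: $($ace.IdentityReference) $($ace.FileSystemRights)")
    }
    if ($Fix -and $deny) {
        # The "take ownership" step from the thread with built-in tools: give ownership to
        # Administrators, then reset the ACL to the inherited defaults.
        & takeown.exe /F $ToolPath /A | Out-Null
        & icacls.exe $ToolPath /reset | Out-Null
    }
}
if ($Fix -and (Test-Path $ifeo)) {
    Remove-ItemProperty -Path $ifeo -Name Debugger -ErrorAction SilentlyContinue
}

if ($findings.Count -eq 0) { 'No findings' } else { $findings }
```

Run it once without -Fix to see what the sample changed, then with -Fix to clear the ACL and IFEO blocks so the scanner can be started again. The Userinit value and userinit.exe are deliberately only reported, not repaired: restore those from install media or a known-good machine, and, as Woodmann says, if the box still misbehaves afterwards, wipe it including the MBR rather than chasing it.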

GamingMasteR
December 25th, 2010, 02:59
Usually the dropper will also drop other rootkits like ZeroAccess/MAX++.

Indy
December 25th, 2010, 04:59
You cannot feel safe. Rootkit detectors are very primitive and mostly suitable for analysing changes in code sections. There are advanced methods of hiding.

D-Jester
December 27th, 2010, 23:25
Quote:
[Originally Posted by Woodmann;88683]Howdy,

Get UBCD or something else that will rewrite the MBR to zeros.
I gut the whole damn thing, partitions, EVERYTHING.

If you're going to start with a clean box, make sure it's clean.

Addendum: in Win7 make sure you run things as admin.
Also there is a nifty prog called "Take Ownership" or something similar in name that is helpful. I use it whenever I have problems with programs that have been jacked. Sometimes it works, sometimes it doesn't. If I can't get control, I just gut the fucking box and start over. I am not willing to spend hours trying to reclaim a poisoned box, even though I have.

Woodmann


I will definitely take that into account should I ever come across something like this again; in 15 years this is my 1st malware/virus. I don't even run AV/AM progs at home. I just know what should/shouldn't be there and how things should act. I've heard before that just because you think you're clean, you're probably not, but I do check periodically and so far so good. I have disinfected numerous friends'/work computers, but this one was my 1st rootkit experience. This did pique my interest though; I may stop playing with unpacking and try malware analysis for SAG.

Woodmann
December 28th, 2010, 18:11
You have been extremely lucky.

You need to download more porn and limewire type shit.

Woodmann

D-Jester
December 28th, 2010, 23:24
Quote:
[Originally Posted by Woodmann;88735]You have been extremely lucky.

You need to download more porn and limewire type shit.

Woodmann


Ah, porn and P2P, it's like puberty all over again.

Woodmann

Hey, whatever happened to yAtes? Haven't heard from him in a while... and don't try going to his website...

Silkut
December 29th, 2010, 09:21
Hey D-Jester,

Is it because you're citing pr0n and p2p that you ask about [yAtEs]?

He is still wandering around afaik.

Woodmann
December 29th, 2010, 17:59
yAtes is still around.

Dare I ask what's wrong with his site.

Woodmann

D-Jester
December 29th, 2010, 20:01
Quote:
[Originally Posted by Woodmann;88744]yAtes is still around.

Dare I ask what's wrong with his site.

Woodmann



You mean hxxp://www.yates2k.net/? Why, nothing.

Kayaker
December 29th, 2010, 20:22
Now I see where you got infected from. Boy, that domain really went downhill...

Try yAtes' *real* site, which we have hosted here under Some Useful Places below...

Woodmann
December 30th, 2010, 22:48
Holy crap.

Errrrrrrrrrrr...........
That's a bit too much for even me.

Woodmann

Darren
January 9th, 2011, 16:41
Just came across this thread; I've repaired a number of PCs recently with a rootkit called TDSS.

Kaspersky have a solution for it: http://support.kaspersky.com/viruses/solutions?qid=208280684

http://www.securelist.com/en/analysis/204792131 (not information on the latest version, but still an interesting read)

If you happen to have it, after killing it with the Kaspersky tool, run all the usual scanners/removers to clear up the mess the rootkit was hiding.

I found http://www.eset.com/online-scanner particularly useful.

Maximus
January 10th, 2011, 04:59
Quote:
[Originally Posted by Darren;88949]
http://www.securelist.com/en/analysis/204792131 (not information on the latest version, but still an interesting read)


Hi, thanks for the link; it's an interesting read indeed. TDSS sounds like a really interesting piece of software to analyse; the AV guys must have had fun with it.

Silkut
January 10th, 2011, 07:19
Not to forget the TDL3 analysis on rootkit.com and the recent TDL4 intro.

neerm
January 22nd, 2011, 03:42
The same happened to one of my colleagues' systems. It took a day to get the system back into working condition. Jesus, the H/W person went mad, and the owner of the system got a good shouting after that. It wasted his whole day. What I have to say is: take care before downloading from such sites.