Firefox Root Kit ? MBR ?

I notice, for the pass couple of weeks, I am getting old behavior with firefox, on startup, I get avast, saying it block a site... like abc.info,
when my startup page : in chrome comes up... then I was getting website,
not coming up.... I did search on the net, and it mention about possible root kit installed .... and to run dds.com

So, I did and it found this:

=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.1.7601 Disk: WDC_WD1001FAES-19W7A0 rev.05.01D05 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: >>UNKNOWN [0x83008000]<< >>UNKNOWN [0x8B400000]<< >>UNKNOWN [0x8B7D3000]<< >>UNKNOWN [0x8379D000]<< >>UNKNOWN [0x8341A000]<< >>UNKNOWN [0x8B348000]<< >>UNKNOWN [0x8B2D8000]<<
_asm { DEC EBP; POP EDX; NOP ; ADD [EBX], AL; ADD [EAX], AL; ADD [EAX+EAX], AL; ADD [EAX], AL; }
1 ntkrnlpa!IofCallDriver[0x8303F55A] -> \Device\Harddisk0\DR0[0x86660718]
\Driver\Disk[0x8665FA40] -> IRP_MJ_CREATE -> 0x8B40439F
3 [0x8B40459E] -> ntkrnlpa!IofCallDriver[0x8303F55A] -> [0x860CE918]
\Driver\ACPI[0x8575C920] -> IRP_MJ_CREATE -> 0x837A64CC
5 [0x837A63D4] -> ntkrnlpa!IofCallDriver[0x8303F55A] -> \Device\Ide\IdeDeviceP2T0L0-2[0x8611A030]
\Driver\atapi[0x8610EE58] -> IRP_MJ_CREATE -> 0x8B3628CC
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; MOV CX, 0x4; MOV BP, 0x7be; CMP BYTE [BP+0x0], 0x0; }
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

-----

So, have not installing software as of late, and all software goes threw
avast, malwarebytes, and super-anti-spyware, before it gets installed.
So, I download tdss, a gmer both found nothing? odd?

how does one get rid of this, for good !

Thanks

 

Make either a Kaspersky Rescue Disk 10 bootable CD or bootable USB Flash Drive.

Boot the PC using Kaspersky Rescue Disk 10, update the Malware signatures and run a Full Scan (Before scanning, select All Drive Letters including the default selections).

Also download the Emsisoft Emergency Kit and run a Full Scan, preferably in Windows Safe Mode. The Emsisoft Emergency Kit also scans the MBR's for Rootkits (by default).

 

Hi,
I have successfully removed this rootkit using hitman pro
this would be my first port of call,
Popcorn

 

rofl...
► http://technet.microsoft.com/de-de/library/cc512587(en-us).aspx

anyway your doors are still wide open and it will happen again...

 

Hi

https://hitmanpro.wordpress.com/page/3/

IMPROVED: Removal of TDL4 (and variants) on systems where Boot Configuration Data (BCD) was persistently malformed by TDL4. Removing TDL4 from those systems could cause a non-bootable system (BSOD). HitmanPro now repairs BCD before removing TDL4 (or variants).

pretty sure the v-box I was running with no AV, no sandbox, in fact no real time at all, not even no-script for the sole purpose of looking at this rootkit was pretty much... er how you say ? "pawned" lol.
As for it happening again... I might have another look at it dunno cant say.

Thanx
Popcorn

 

What I used was a paid app called R-Wipeclean
and selected System, where it will clean allot of system resources areas...

Kaspersky Rescue Disk 10 and Hitman Pro both did not find anything.
gmer and avast, both found nothing as well, and dds.com is clean
so, no root kits at all..

my system seem to be free and clear,
very odd...thou, on how I got this in the first place.?

 

You might want to confirm with Kaspersky TDSSKiller:

http://www.softpedia.com/progDownload/TDSSKiller-Download-165428.html

Grab the EXE (easier than the zip). As the name suggests it's a dedicated to finding and removing the variants of TDSS.

As to how you picked up the rootkit you will probably never know

 

popcorn - i dont care about cleaner tools. i care about prevention and theses
times any tdl, ukash & trojans will come with activated java in ANY browser.
java has been broken again and again no fix in sight. it was discussed too
many times here how to avoid this. (firefox noscript is NO option)

HTH

 

Hi

Oh dear I did fear the ironic nature of my response would be missed...
How to say more simply I had purposely infected a virtual machine with the rootkit with the sole intent of testing removal software.

No-script stops Java from running in the browser, which as you say many malwares/exploits need to function.

https://en.wikipedia.org
/wiki/NoScript

http://www.phpsolvent.com/wordpress/?p=3296

been so interested in protection I would have thought you might have put more credence in NoScript.
Thanx,
Popcorn

 

i would if it would not miss that much. i read lots of people using firefox and that addons - and failed. from my point same issue with all secruity programs - they can prevent what they know. if unknown = fail.

i'm sorry for painting too much black&white this way but i had no malware for 20 years now.

your own experience in vbox is your pleasure

 

Hi,

I just like a layered approach to security, I run CIS and WSA primarily with NoScript, ExploitShield beta and HitMan Pro Alert as secondary. I have a have an average amount of memory and can happily say that this setup is surprisingly light

Thanx
Popcorn

 

These types of infections are certainly far easier to prevent than cure.Personally I just couldn't trust a system that'd been compromised,no matter how thoroughly it was "cleaned".

@ popcorn
As a fan of a layered approach you might want to add EMET into the mix.Simply by enforcing good security practices it stops a large number of exploits in their tracks.

 

Noscript will block all scripts if configured that way, or won't block any scripts if setup that way - and all configurations in between.

Basically user error if they get infected from a malicious script.

Personally I find it hard to get infected with only one active browser plugin (Adobe Flash) and an up-to-date Windows 7 machine. Put Sandboxie into the mix and the most common ways of getting infected are nullified.

 

A likely scenario is that you visited a site with a malicious script, that directed your browser to a malware server, whereupon it looked at: browser, operating system, and plugins in order to find a vulnerable piece of software to exploit.

If you are like most people infected in this scenario, it would have been a vulnerable version of Java that was exploited.

There are dedicated forums for disinfection you may look at.

 

so ad muncher licence is running out in november i try since yesterday noscript&abp in firefox and i hope the IE version from abp is ready soon. firefox loads and shows sites faster than ad muncher. for my special fun is proxomitron also working with some filters. ad muncher lacks some ability, http 1.1 & gzip.

 

Hi

This is a great thread if your thinking of using NoScript or new to it
https://www.wilderssecurity.com/showthread.php?t=331471

Thanx
Popcorn

 

Hi

Thanx am looking in to EMET
I can honestly say I know virtually nothing about it,
I am looking for worthy write ups

Popcorn

 

Here's some reviews for you popcorn:

http://windowssecrets.com/top-story/protecting-pcs-from-the-next-zero-day-threat/

http://www.dedoimedo.com/computers/windows-emet-v3.html

http://www.toolswatch.org/2012/09/c...toolkit-to-mitigate-to-ie-0day-vulnerability/

 

Hi

thanx for links I will defo continue to look at EMET, right now tho I'm using ZeroVulnerabilityLabs ExploitShield beta which seems to pick up all the ZeroDay slack I may have.

Thanx again
Popcorn