Firefox Root Kit ? MBR ?

Discussion in 'malware problems & news' started by zpro, Sep 27, 2012.

Thread Status:
Not open for further replies.
  1. zpro

    zpro Registered Member

    Joined:
    Mar 4, 2009
    Posts:
    38
    I have noticed, for the past couple of weeks, that I am getting odd behavior with Firefox. On startup I get Avast saying it blocked a site, like abc.info, when my startup page in Chrome comes up... then I was getting websites
    not coming up. I did a search on the net, and it mentioned a possible rootkit being installed, and to run dds.com.

    So, I did and it found this:

    =================== ROOTKIT ====================
    .
    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 6.1.7601 Disk: WDC_WD1001FAES-19W7A0 rev.05.01D05 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2
    .
    device: opened successfully
    user: MBR read successfully
    .
    Disk trace:
    called modules: >>UNKNOWN [0x83008000]<< >>UNKNOWN [0x8B400000]<< >>UNKNOWN [0x8B7D3000]<< >>UNKNOWN [0x8379D000]<< >>UNKNOWN [0x8341A000]<< >>UNKNOWN [0x8B348000]<< >>UNKNOWN [0x8B2D8000]<<
    _asm { DEC EBP; POP EDX; NOP ; ADD [EBX], AL; ADD [EAX], AL; ADD [EAX+EAX], AL; ADD [EAX], AL; }
    1 ntkrnlpa!IofCallDriver[0x8303F55A] -> \Device\Harddisk0\DR0[0x86660718]
    \Driver\Disk[0x8665FA40] -> IRP_MJ_CREATE -> 0x8B40439F
    3 [0x8B40459E] -> ntkrnlpa!IofCallDriver[0x8303F55A] -> [0x860CE918]
    \Driver\ACPI[0x8575C920] -> IRP_MJ_CREATE -> 0x837A64CC
    5 [0x837A63D4] -> ntkrnlpa!IofCallDriver[0x8303F55A] -> \Device\Ide\IdeDeviceP2T0L0-2[0x8611A030]
    \Driver\atapi[0x8610EE58] -> IRP_MJ_CREATE -> 0x8B3628CC
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; MOV CX, 0x4; MOV BP, 0x7be; CMP BYTE [BP+0x0], 0x0; }
    user & kernel MBR OK
    Warning: possible TDL3 rootkit infection !

    -----

    So, I have not been installing software as of late, and all software goes through
    Avast, Malwarebytes, and SUPERAntiSpyware before it gets installed.
    So, I downloaded tdss and gmer; both found nothing? Odd o_O

    How does one get rid of this for good!

    Thanks
    :doubt:
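The log above contains two separate signals worth reading on their own: the 16-bit instruction sequence GMER decoded after `kernel: MBR read successfully` is the stock Windows Vista/7 MBR bootstrap prologue (and `user & kernel MBR OK` says the user-mode and kernel-mode reads of sector 0 agree), while the `Warning` line accompanies the disk-stack trace with its `UNKNOWN` modules. The following script is an added example, not part of the original post or of GMER/DDS: it compares the first 39 bytes of an MBR image against that stock prologue, sanity-checks the boot signature and partition table, and pulls the driver hooks and unknown module bases out of a trimmed copy of the GMER output. The sample MBR and the shortened log are constructed inline; `read_mbr()` reads sector 0 from a real device and needs administrator (or root, with a `/dev/sda`-style path) rights.

```python
import re
import struct

# Stock Windows Vista/7 MBR bootstrap prologue (first 39 bytes of sector 0). Decoded,
# these bytes are the instruction sequence GMER printed after "kernel: MBR read successfully".
WIN7_MBR_PROLOGUE = bytes.fromhex(
    "33C0"      # XOR AX, AX
    "8ED0"      # MOV SS, AX
    "BC007C"    # MOV SP, 0x7C00
    "8EC0"      # MOV ES, AX
    "8ED8"      # MOV DS, AX
    "BE007C"    # MOV SI, 0x7C00
    "BF0006"    # MOV DI, 0x600
    "B90002"    # MOV CX, 0x200
    "FC"        # CLD
    "F3A4"      # REP MOVSB  (relocate the MBR to 0x600 before running it)
    "50"        # PUSH AX
    "681C06"    # PUSH 0x61C
    "CB"        # RETF
    "FB"        # STI
    "B90400"    # MOV CX, 4
    "BDBE07"    # MOV BP, 0x7BE (first partition table entry)
    "807E0000"  # CMP BYTE [BP+0], 0
)

# boot flag, CHS start, type, CHS end, LBA start, sector count (16 bytes per entry)
PARTITION_ENTRY = struct.Struct("<B3sB3sII")


def parse_partition_table(mbr):
    """Return the four partition entries at offset 0x1BE as dicts."""
    entries = []
    for i in range(4):
        boot, _chs0, ptype, _chs1, lba, count = PARTITION_ENTRY.unpack_from(mbr, 0x1BE + 16 * i)
        entries.append({"active": boot == 0x80, "type": ptype, "lba_start": lba, "sectors": count})
    return entries


def check_mbr(mbr):
    """Return findings for a 512-byte MBR image; an empty list means nothing looked off."""
    if len(mbr) != 512:
        return ["MBR image is %d bytes, expected 512" % len(mbr)]
    findings = []
    if mbr[510:512] != b"\x55\xAA":
        findings.append("boot signature 0x55AA missing")
    if not mbr.startswith(WIN7_MBR_PROLOGUE):
        findings.append("bootstrap code differs from the stock Windows Vista/7 prologue")
    parts = parse_partition_table(mbr)
    active = [p for p in parts if p["active"]]
    if len(active) != 1:
        findings.append("%d active partitions, expected exactly one" % len(active))
    for i, p in enumerate(parts):
        if p["type"] and p["lba_start"] == 0:
            findings.append("partition %d starts at LBA 0, overlapping the MBR" % i)
    return findings


def read_mbr(device=r"\\.\PhysicalDrive0"):
    """Read sector 0 from a raw device (administrator/root required)."""
    with open(device, "rb") as disk:
        return disk.read(512)


IRP_RE = re.compile(r"\\Driver\\(\w+)\[0x([0-9A-Fa-f]+)\] -> (IRP_MJ_\w+) -> 0x([0-9A-Fa-f]+)")
UNKNOWN_RE = re.compile(r">>UNKNOWN \[0x([0-9A-Fa-f]+)\]<<")


def summarize_gmer(log):
    """Extract the facts that matter from the DDS/GMER rootkit section."""
    return {
        "mbr_reads_agree": "user & kernel MBR OK" in log,
        "unknown_modules": [int(base, 16) for base in UNKNOWN_RE.findall(log)],
        "irp_handlers": [(drv, irp, int(tgt, 16)) for drv, _obj, irp, tgt in IRP_RE.findall(log)],
        "tdl_warning": "possible TDL3 rootkit infection" in log,
    }


# Constructed: a trimmed copy of the disk trace from the post above.
SAMPLE_GMER_LOG = r"""
called modules: >>UNKNOWN [0x83008000]<< >>UNKNOWN [0x8B400000]<< >>UNKNOWN [0x8B7D3000]<<
1 ntkrnlpa!IofCallDriver[0x8303F55A] -> \Device\Harddisk0\DR0[0x86660718]
\Driver\Disk[0x8665FA40] -> IRP_MJ_CREATE -> 0x8B40439F
\Driver\ACPI[0x8575C920] -> IRP_MJ_CREATE -> 0x837A64CC
\Driver\atapi[0x8610EE58] -> IRP_MJ_CREATE -> 0x8B3628CC
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
"""


def build_sample_mbr(bootstrap=WIN7_MBR_PROLOGUE):
    """Constructed MBR: the given bootstrap, one active NTFS partition at LBA 2048, valid signature."""
    mbr = bytearray(512)
    mbr[:len(bootstrap)] = bootstrap
    PARTITION_ENTRY.pack_into(mbr, 0x1BE, 0x80, b"\x20\x21\x00", 0x07, b"\xFE\xFF\xFF", 2048, 204800)
    mbr[510:512] = b"\x55\xAA"
    return bytes(mbr)


if __name__ == "__main__":
    print("stock MBR:      ", check_mbr(build_sample_mbr()) or "no findings")
    print("overwritten MBR:", check_mbr(build_sample_mbr(b"\xEB\xFE")))  # JMP $ in place of the prologue
    print("GMER summary:   ", summarize_gmer(SAMPLE_GMER_LOG))
```

On a machine like the one in the post, `check_mbr(read_mbr())` with no findings tells you sector 0 still holds the Microsoft bootstrap and a sane partition table; it says nothing about drivers hooked further down the storage stack, which is what `summarize_gmer` lists, and a prologue mismatch on its own is not proof of infection either, since other boot managers write their own MBR code.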
     
  2. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,469
    Make either a Kaspersky Rescue Disk 10 bootable CD or bootable USB Flash Drive.

    Boot the PC using Kaspersky Rescue Disk 10, update the Malware signatures and run a Full Scan (Before scanning, select All Drive Letters including the default selections).

    Also download the Emsisoft Emergency Kit and run a Full Scan, preferably in Windows Safe Mode. The Emsisoft Emergency Kit also scans the MBRs for rootkits (by default).
     
  3. popcorn

    popcorn Registered Member

    Joined:
    Apr 3, 2012
    Posts:
    239
    Hi,
    I have successfully removed this rootkit using HitmanPro :thumb:
    This would be my first port of call.
    Popcorn
     
  4. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    1,736
  5. popcorn

    popcorn Registered Member

    Joined:
    Apr 3, 2012
    Posts:
    239
    Hi

    https://hitmanpro.wordpress.com/page/3/

    IMPROVED: Removal of TDL4 (and variants) on systems where Boot Configuration Data (BCD) was persistently malformed by TDL4. Removing TDL4 from those systems could cause a non-bootable system (BSOD). HitmanPro now repairs BCD before removing TDL4 (or variants).

    Pretty sure the VBox I was running with no AV, no sandbox, in fact no real-time protection at all, not even NoScript :eek:, for the sole purpose of looking at this rootkit was pretty much... er, how you say? "pawned" lol.
    As for it happening again... I might have another look at it; dunno, can't say.

    Thanx
    Popcorn
     
  6. zpro

    zpro Registered Member

    Joined:
    Mar 4, 2009
    Posts:
    38
    What I used was a paid app called R-Wipe&Clean,
    and selected System, where it will clean a lot of system resource areas...

    Kaspersky Rescue Disk 10 and HitmanPro both did not find anything.
    gmer and Avast both found nothing as well, and dds.com is clean,
    so no rootkits at all.

    My system seems to be free and clear;
    very odd, though, how I got this in the first place?

    :blink:
     
  7. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,133
    Location:
    USA
    You might want to confirm with Kaspersky TDSSKiller:

    http://www.softpedia.com/progDownload/TDSSKiller-Download-165428.html

    Grab the EXE (easier than the zip). As the name suggests, it's dedicated to finding and removing the variants of TDSS.

    As to how you picked up the rootkit you will probably never know :)
     
  8. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    1,736
    popcorn - I don't care about cleaner tools. I care about prevention, and these
    times any TDL, Ukash & trojans will come with activated Java in ANY browser.
    Java has been broken again and again, no fix in sight. It was discussed too
    many times here how to avoid this. (Firefox NoScript is NO option.)

    HTH
     
  9. popcorn

    popcorn Registered Member

    Joined:
    Apr 3, 2012
    Posts:
    239
    Hi

    Oh dear, I did fear the ironic nature of my response would be missed...
    How to say it more simply o_O I had purposely infected a virtual machine with the rootkit with the sole intent of testing removal software.

    NoScript stops Java from running in the browser, which, as you say, many malwares/exploits need to function.
    https://en.wikipedia.org/wiki/NoScript

    http://www.phpsolvent.com/wordpress/?p=3296

    Being so interested in protection, I would have thought you might have put more credence in NoScript.
    Thanx,
    Popcorn
     
  10. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    1,736
    I would if it would not miss that much. I read of lots of people using Firefox and those addons - and they failed. From my point of view, same issue with all security programs - they can prevent what they know. If unknown = fail.

    I'm sorry for painting it too much black & white this way, but I have had no malware for 20 years now.

    Your own experience in VBox is your pleasure ;)
     
  11. popcorn

    popcorn Registered Member

    Joined:
    Apr 3, 2012
    Posts:
    239
    Hi,

    I just like a layered approach to security. I run CIS and WSA primarily, with NoScript, ExploitShield beta and HitmanPro.Alert as secondary. I have an average amount of memory and can happily say that this setup is surprisingly light :eek:

    Thanx
    Popcorn
     
  12. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    These types of infections are certainly far easier to prevent than cure. Personally I just couldn't trust a system that'd been compromised, no matter how thoroughly it was "cleaned".

    @ popcorn
    As a fan of a layered approach you might want to add EMET into the mix. Simply by enforcing good security practices it stops a large number of exploits in their tracks.
     
  13. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    855
    NoScript will block all scripts if configured that way, or won't block any scripts if set up that way - and all configurations in between.

    Basically user error if they get infected from a malicious script.

    Personally I find it hard to get infected with only one active browser plugin (Adobe Flash) and an up-to-date Windows 7 machine. Put Sandboxie into the mix and the most common ways of getting infected are nullified.
     
  14. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    855
    A likely scenario is that you visited a site with a malicious script that directed your browser to a malware server, which then looked at your browser, operating system, and plugins in order to find a vulnerable piece of software to exploit.

    If you are like most people infected in this scenario, it would have been a vulnerable version of Java that was exploited.

    There are dedicated forums for disinfection you may look at.
     
  15. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    1,736
    So, my Ad Muncher licence is running out in November; since yesterday I have been trying NoScript & ABP in Firefox, and I hope the IE version of ABP is ready soon. Firefox loads and shows sites faster than with Ad Muncher. For my special fun, Proxomitron is also working with some filters. Ad Muncher lacks some abilities: HTTP 1.1 & gzip.
     
  16. popcorn

    popcorn Registered Member

    Joined:
    Apr 3, 2012
    Posts:
    239
  17. popcorn

    popcorn Registered Member

    Joined:
    Apr 3, 2012
    Posts:
    239
    Hi

    Thanx am looking in to EMET :)
    I can honestly say I know virtually nothing about it,
    I am looking for worthy write ups :p

    Popcorn
     
  18. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
  19. popcorn

    popcorn Registered Member

    Joined:
    Apr 3, 2012
    Posts:
    239
    Hi

    Thanx for the links. I will defo continue to look at EMET; right now, though, I'm using ZeroVulnerabilityLabs ExploitShield beta, which seems to pick up all the zero-day slack I may have.

    Thanx again
    Popcorn
     