A forum for reverse engineering, OS internals and malware analysis 
 #15314  by Neurofunk
 Wed Aug 22, 2012 11:20 pm
Is Sirefef moving back into the bootkit market? On this Win 7 x64 build I just found a machine hit with the services.exe infection, but on top of that I found the following detections using Hitman Pro:

[Screenshot: Hitman Pro detection list, image not reproduced]

It is killing TDSSKiller, aswMBR and other similar tools that are used to repair the infection, which seems to be its usual trademark. Also McAfee was trashed on this guy's machine. User was admin.
 #15315  by Quads
 Thu Aug 23, 2012 12:58 am
I am seeing ZeroAccess come with Pihar.

I use FRST to break ZeroAccess and remove the Pihar custom code, plus other bits, then I use TDSSKiller to remove the TDLFS and the files inside it, etc.

I then go through cleaning up the system as a whole.

Quads
 #15352  by malwarian
 Sat Aug 25, 2012 11:53 am
Neurofunk wrote: It is killing TDSSKiller, aswMBR and other similar tools that are used to repair the infection, which seems to be its usual trademark. Also McAfee was trashed on this guy's machine. User was admin.
Yes, it creates a rootkit partition in Disk Management which is set to active. So it cannot be removed like the previous version (unknown partition). TDSSKiller, FixTDSS and aswMBR will not run on these machines. There is a way to run TDSSKiller on XP and Vista (32-bit) systems. Thanks to RootRepeal :D On 64-bit systems, the rootkit partition has to be set inactive and the boot partition has to be changed to active. It is a hard day at work because we are seeing both MAXSS and ZeroAccess on the same systems. :(
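The symptom described in this post (a foreign partition carrying the active flag while the Windows partition is inactive) can be triaged straight from the first sector of the disk. The script below is an added example written for this thread, not code posted by any participant or shipped by any of the tools named here: it parses a constructed 512-byte MBR image, lists the partition entries, and reports any entry that is flagged active but has a partition type outside a small list of types Windows normally boots from, plus a Windows-type partition that has lost its active flag. The sample MBR, the type list and the 0x00 type used for the odd partition are all constructed for illustration.

```python
import struct

# Partition types Windows itself commonly boots from (illustrative subset).
KNOWN_WINDOWS_TYPES = {
    0x07: "NTFS/exFAT",
    0x0B: "FAT32",
    0x0C: "FAT32 LBA",
    0x27: "Hidden NTFS / WinRE",
}

ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)   # 16
TABLE_OFFSET = 446
MBR_SIGNATURE = b"\x55\xaa"


def build_entry(status, ptype, lba_start, sectors):
    """Construct one 16-byte partition entry; CHS fields are left zero."""
    return struct.pack(ENTRY_FMT, status, b"\x00" * 3, ptype, b"\x00" * 3, lba_start, sectors)


# Constructed sample: the NTFS system partition has been set inactive and a
# small partition of an unrecognised type now carries the 0x80 active flag.
SAMPLE_MBR = (
    b"\x00" * TABLE_OFFSET                   # boot code region (zeroed)
    + build_entry(0x00, 0x07, 2048, 204800)  # NTFS partition, no longer active
    + build_entry(0x80, 0x00, 206848, 8192)  # odd partition flagged active (constructed)
    + build_entry(0x00, 0x00, 0, 0)
    + build_entry(0x00, 0x00, 0, 0)
    + MBR_SIGNATURE
)


def parse_mbr(mbr: bytes):
    """Return the non-empty partition entries of a 512-byte MBR as dicts."""
    if len(mbr) != 512 or mbr[510:512] != MBR_SIGNATURE:
        raise ValueError("not a valid MBR: bad length or missing 0x55AA signature")
    entries = []
    for i in range(4):
        raw = mbr[TABLE_OFFSET + ENTRY_SIZE * i: TABLE_OFFSET + ENTRY_SIZE * (i + 1)]
        if raw == b"\x00" * ENTRY_SIZE:
            continue   # unused slot
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack(ENTRY_FMT, raw)
        entries.append({
            "index": i,
            "active": status == 0x80,
            "type": ptype,
            "lba_start": lba,
            "sectors": count,
        })
    return entries


def analyze_partition_table(mbr: bytes):
    """Flag active-flag anomalies of the kind described in the thread."""
    entries = parse_mbr(mbr)
    active = [e for e in entries if e["active"]]
    findings = []
    if len(active) != 1:
        findings.append(f"expected exactly one active partition, found {len(active)}")
    for e in active:
        if e["type"] not in KNOWN_WINDOWS_TYPES:
            findings.append(
                f"entry {e['index']}: active flag on partition of type 0x{e['type']:02x} "
                f"({e['sectors']} sectors at LBA {e['lba_start']}), not a usual Windows boot type"
            )
    for e in entries:
        if e["type"] in KNOWN_WINDOWS_TYPES and not e["active"]:
            findings.append(
                f"entry {e['index']}: {KNOWN_WINDOWS_TYPES[e['type']]} partition is not active"
            )
    return {"entries": entries, "active_indices": [e["index"] for e in active], "findings": findings}


if __name__ == "__main__":
    result = analyze_partition_table(SAMPLE_MBR)
    for f in result["findings"]:
        print("FINDING:", f)
```

Run against a real disk image you would feed the first 512 bytes of the drive (read offline from a forensic image) instead of SAMPLE_MBR; the findings then tell you which entry needs its flag cleared and which needs it set back, which is exactly the correction described above.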
 #15357  by Quads
 Sun Aug 26, 2012 4:53 am
NPE should not be used; it causes Windows not to load a lot of the time and leaves this to be fixed:

EMS Settings
------------
identifier {0ce4991b-e6b3-4b16-b23c-5e0d9250e5d9}
custom:26000022 Yes

Sometimes Windows does boot only in Safe Mode, other times not at all.

After the correction Windows boots (a little slow the first time).

Quads
 #15371  by Neurofunk
 Mon Aug 27, 2012 1:56 pm
Tigzy wrote:@Neurofunk : Do you have a dropper for this?
Sorry, but I don't :( I checked around on the machine for anything that would resemble the dropper but came up empty-handed. Judging by the access-protection logs of the AV suite we use, it was using the install_flash_player.exe + malicious msimg32.dll method to do the install from %temp% on the user's machine, but no traces were left behind in there once it was done.
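The install method described here (a legitimate installer dropped into %temp% next to a DLL carrying the name of a system library, so the loader picks up the local copy first) leaves a recognisable pattern in a file listing even when the payload itself is gone by the time you look. The following is an added triage example written for this thread, not code from any participant or tool mentioned above: it takes a constructed list of Windows paths, groups them by directory, and reports any DLL outside the system directories that shares its name with a known system DLL and sits beside an executable. The listing, the system-DLL subset and the directory list are constructed assumptions for illustration.

```python
import ntpath

# Illustrative subset of DLL names that normally live only in the system directories.
SYSTEM_DLL_NAMES = {"msimg32.dll", "version.dll", "dwmapi.dll", "uxtheme.dll", "cryptbase.dll"}

# Directories where these names are expected; anything else is worth a look.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Constructed file listing resembling the pattern described in the post.
SAMPLE_LISTING = [
    r"C:\Users\bob\AppData\Local\Temp\install_flash_player.exe",
    r"C:\Users\bob\AppData\Local\Temp\msimg32.dll",
    r"C:\Windows\System32\msimg32.dll",            # legitimate copy, ignored
    r"C:\Program Files\Tool\tool.exe",
    r"C:\Program Files\Tool\helper.dll",           # not a system DLL name, ignored
    r"C:\Users\bob\Downloads\version.dll",         # no executable beside it, lower confidence
]


def group_by_directory(paths):
    """Map lower-cased directory -> list of lower-cased file names."""
    by_dir = {}
    for p in paths:
        directory, name = ntpath.split(p)
        by_dir.setdefault(directory.lower(), []).append(name.lower())
    return by_dir


def find_sideload_candidates(paths):
    """Return (directory, dll_name, executables_beside_it) tuples for DLLs that
    carry a system-DLL name but sit outside the system directories."""
    findings = []
    for directory, names in group_by_directory(paths).items():
        if directory in SYSTEM_DIRS:
            continue
        exes = sorted(n for n in names if n.endswith(".exe"))
        for n in sorted(names):
            if n in SYSTEM_DLL_NAMES:
                findings.append((directory, n, exes))
    return findings


def high_confidence(findings):
    """Keep only findings where an executable sits in the same directory as the DLL."""
    return [f for f in findings if f[2]]


if __name__ == "__main__":
    for directory, dll, exes in find_sideload_candidates(SAMPLE_LISTING):
        tag = "HIGH" if exes else "low"
        print(f"[{tag}] {dll} in {directory} next to {exes or 'no executables'}")
```

In practice the input would be a directory walk of %TEMP% and other user-writable locations taken from the image; the executables reported next to each DLL are the ones whose load order the copy would have influenced, which is the detail the AV access-protection log above recorded.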