[SecConnex]

Worth reading? http://forum.avira.com/wbb/index.php?pa ... dID=145859

[thisisu]

Worth reading? http://forum.avira.com/wbb/index.php?pa ... dID=145859

Yes, perhaps the AV companies should read and be faster to update their software.

[Cody Johnston]

MSS actually did not completely remove the infection for me when services.exe was infected. I was able to get a fix together for a live system if anyone has interest. This fix assumes that you have a clean copy of services.exe in the C:\ drive.

Here is what I did:

First find which of my controlsets is currently loaded by looking here:

Code: Select all

HKEY_LOCAL_MACHINE\SYSTEM\Select | Default = 1

Assuming my value was 1 (ControlSet001), I would add the following values to ControlSet002 or 003:

Code: Select all

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Session Manager
         Value: PendingFileRenameOperations
         Data: \??\C:\services.exe !\??\C:\windows\system32\services.exe

Switch Default value to match modified ControlSet002

Code: Select all

HKEY_LOCAL_MACHINE\SYSTEM\Select | Default = 2 

Then started MSS in full scan and was clean when it rebooted. Doing this same thing within the CurrentControlSet did not work properly. Can anyone tell me why I would have to switch outside of the CurrentControlSet for the PendingFileRenameOperations to work properly? I remember having to use a similar method when removing the "consrv.dll" variant as well. Thanks :D

[SecConnex]

I have a RKU log from ZA...please give a second opinion for whom can do an analysis.

Anyone know a good tool for MBR dump...I haven't known why MBRCheck does not do dumps anymore.

Log is attached from RKU on fully infected, yet super hidden ZA...

RKit.txt

(137.56 KiB) Downloaded 44 times

[B-boy/StyLe/]

Guys, any idea why AV-guys not detected infected services.exe so far?

Maybe because of this: (Avira report)

File ID
26923409

Filename - services.exe.vir

Size (Byte) - 273 KB

Result - DAMAGED FILE (UNKNOWN)

The file 'services.exe.vir' has been determined to be 'DAMAGED FILE (UNKNOWN)'. In particular this means that this file is damaged and not working properly. We could not find any malicious content. However the heuristic detection module may still detect this particular file even though it is damaged. In that case we will not adjust and remove detection for this damaged file.

Regards,
Georgi

[kmd]

oh lolz i start to believe in gostev words, can anyone do ads dump of services.exe from infected box? Services.exe samples ar NOT IMPORTANT - they are damaged by ZA and WON'T work without ZA additional part.

[thisisu]

Fresh ZA dropper
MD5: 8ee1ed41733af9f8ea481353e7276dd4
https://www.virustotal.com/file/51b0dc0 ... 339980664/

[ResearchMalware]

http://www.f-secure.com/weblog/archives/00002385.html

[Gabethebabe]

Anyone know a good tool for MBR dump...I haven't known why MBRCheck does not do dumps anymore.

MBRFix

http://www.sysint.no/products/Download/ ... fault.aspx

I think MBRcheck only allows you to make a dump if a non standard MBR is found.

[rkhunter]

oh lolz i start to believe in gostev words...

Don't believe to Gostev, Kaspersky can't detect infected files and it payload as others...