A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #15374  by Neurofunk
 Mon Aug 27, 2012 4:27 pm
I'll give it a shot. Got about 7 tickets that came in this morning; one of them is bound to be some unfortunate soul with it. If not, I still haven't fixed the machine from my screenshot post; for someone with a malware infection that is still active he seems to be taking it lightly, won't return my calls. Will report back here if I get a chance to run it for you.
 #15379  by Neurofunk
 Tue Aug 28, 2012 4:14 am
RogueKiller was able to blast all of it but the MBR portion. When trying to write to the MBR it was giving the following error:

Image
(First run was the full check list for faked & antirootkit. I just ran the MBR only version so I could get a screenshot of the error message.)

Ended up tossing a Win 7 64 disk in the machine and repairing the MBR/doing a fixboot, and that brought it back to functional and allowed for cleanup and removal. It's been a while since I've run into a bootkit in our environment. I guess the power user vs admin user ratio being heavily stacked on the power user side works to our advantage.
 #15381  by Quads
 Tue Aug 28, 2012 8:14 am
For Pihar, look at the BCD entry.

cmd: bcdedit /deletevalue {0ce4991b-e6b3-4b16-b23c-5e0d9250e5d9} custom:26000022

Quads
 #15383  by Tigzy
 Tue Aug 28, 2012 10:16 am
@NeuroFunk: Can you send me the RK_Quarantine folder (%desktop%)
The faked MBR isn't good (Showing Win 7)

EDIT:
ERROR_INVALID_FUNCTION
1 (0x1)
Incorrect function.
I guess it's protected by the rootkit... :/
 #15385  by Neurofunk
 Tue Aug 28, 2012 3:20 pm
Sure thing, it is attached in this post. I also included the RKreport.txt in the zip file in case it is of use.

edit: some of the files that RogueKiller touched got detected by McAfee and it quarantined them first, so I went back and restored them to their original state and threw them into an extra zip file inside the main zip. Not sure if they'll be useful or not, but couldn't hurt.
Attachments
Password for the McAfee Quarantine is: infected
 #15387  by Tigzy
 Tue Aug 28, 2012 4:34 pm
All VTs are 0/42, there's no pihar inside :(

EDIT: Just saw the entire log, it's more maxSST right?
So the bootstrap is ok.
1 - [ACTIVE] NTFS (0x17) [HIDDEN!] Offset (sectors): 312551424 | Size: 10 Mo
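The log line quoted above is a partition-table entry: an active partition whose type ID is 0x17 (hidden NTFS, i.e. 0x07 with the hidden bit 0x10 set), only 10 MiB in size, sitting past the end of the real Windows volume. That combination is what a bootkit's own boot partition looks like, and it is the kind of entry a tool like RogueKiller flags. The following is an added example, not RogueKiller's code or anything posted in the thread: it parses the 64-byte partition table from a 512-byte MBR and flags active, hidden-type, tiny partitions. The sample MBR it builds is constructed for illustration (it reuses the sector offset from the log line; the first-partition layout is made up), and the 64 MiB size threshold is an assumption.

```python
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446   # the four 16-byte entries occupy bytes 446..509
ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511

# A few partition type IDs; 0x17 is 0x07 (NTFS/HPFS) with the "hidden" bit 0x10 set.
TYPE_NAMES = {0x07: "NTFS", 0x17: "NTFS", 0x0b: "FAT32", 0x1b: "FAT32",
              0x0c: "FAT32 LBA", 0x1c: "FAT32 LBA"}
HIDDEN_TYPES = {0x11, 0x14, 0x16, 0x17, 0x1b, 0x1c, 0x1e}


def parse_partition_table(mbr: bytes) -> list:
    """Return the non-empty entries of an MBR partition table as dicts."""
    if len(mbr) < SECTOR_SIZE or mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("not a valid MBR: short buffer or missing 55AA signature")
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * ENTRY_SIZE
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4), little-endian
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype == 0:
            continue   # empty slot
        entries.append({"index": i + 1, "active": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def size_mib(entry: dict) -> float:
    return entry["sectors"] * SECTOR_SIZE / (1024 * 1024)


def find_suspicious(entries: list, max_mib: float = 64) -> list:
    """Flag entries that are marked active, carry a hidden type ID and are tiny:
    the shape of a bootkit's boot partition rather than a real OS volume.
    The max_mib threshold is an assumption chosen for this example."""
    return [e for e in entries
            if e["active"] and e["type"] in HIDDEN_TYPES and size_mib(e) <= max_mib]


def describe(entry: dict) -> str:
    """Render an entry in the same style as the log line quoted in the thread."""
    flags = "[ACTIVE] " if entry["active"] else ""
    hidden = " [HIDDEN!]" if entry["type"] in HIDDEN_TYPES else ""
    name = TYPE_NAMES.get(entry["type"], "unknown")
    return (f"{entry['index']} - {flags}{name} (0x{entry['type']:02x}){hidden} "
            f"Offset (sectors): {entry['lba_start']} | Size: {size_mib(entry):g} MiB")


def build_sample_mbr() -> bytes:
    """Constructed sample, not a disk image from the thread: a normal NTFS volume
    followed by a 10 MiB active hidden-NTFS partition at sector 312551424."""
    mbr = bytearray(SECTOR_SIZE)

    def put(i, status, ptype, start, sectors):
        struct.pack_into("<B3xB3xII", mbr, PARTITION_TABLE_OFFSET + i * ENTRY_SIZE,
                         status, ptype, start, sectors)

    put(0, 0x00, 0x07, 2048, 312549376)    # 2048 + 312549376 = 312551424
    put(1, 0x80, 0x17, 312551424, 20480)   # 20480 sectors * 512 bytes = 10 MiB
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)


if __name__ == "__main__":
    import sys
    # Pass a raw sector dump (first 512 bytes of the disk) to inspect a real table.
    data = open(sys.argv[1], "rb").read(SECTOR_SIZE) if len(sys.argv) > 1 else build_sample_mbr()
    parts = parse_partition_table(data)
    for p in parts:
        print(describe(p))
    for p in find_suspicious(parts):
        print("suspicious:", describe(p))
```

Reading the table straight from the disk is only meaningful when the rootkit is not active, which is exactly the ERROR_INVALID_FUNCTION problem described earlier in the thread: a bootkit that filters disk I/O can return a clean MBR to user-mode tools, so an offline read (boot disc, live CD, or pulling the drive) is the trustworthy input for this parser.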
 #15405  by Cody Johnston
 Wed Aug 29, 2012 6:05 pm
Tigzy wrote:
All VTs are 0/42, there's no pihar inside :(

EDIT: Just saw the entire log, it's more maxSST right?
So the bootstrap is ok.
1 - [ACTIVE] NTFS (0x17) [HIDDEN!] Offset (sectors): 312551424 | Size: 10 Mo
I think you are right Tigzy. Looks like SST. From what I have been seeing lately with our customers, we have had combinations of ZeroAccess, SST.C, Pihar.C, Necurs. Pihar and SST have been interchangeable but it almost always has Necurs as well (lately anyways). Though I have scoured the systems for droppers for both Pihar and SST, I cannot find them. If dumping the files from the infections will help, I can get some in the next day or 2, otherwise if anyone else has some insight on how I can obtain this from an infected system specifically with SST and Pihar, I'd be happy to help :)
 #15419  by thisisu
 Thu Aug 30, 2012 7:17 am
Fresh dropper

Some differences, for one, n dll running through diff location
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

Value created = CDBurn
File Path = c:\recycler\s-1-5-21-1214440339-813497703-1957994488-1003\$438cf004452a8273f4fd797c70f9d9ca\n.

Desktop.ini present but no more CLSID folders added to Installer or %appdata%

See pic of what is inside of Recycler (same as before, just moved here)

Image

dump.dat (444kb) added to %userprofile%\local settings\temp

Not seeing any altered services or drivers.

Currently looking for any other changes.

Enjoy
Attachments
pass: infected
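The persistence described in the post above is a ShellServiceObjectDelayLoad (SSODL) value: Explorer loads every CLSID listed under that key at logon, and the CLSID's InprocServer32 default value names the DLL. A DLL under c:\recycler\<SID>\... with no .dll extension is not something a legitimate shell service object does. The following is an added example, not code from the thread: it audits SSODL value/CLSID pairs against their InprocServer32 paths and reports entries whose DLL lives in a junk or user-writable location or lacks a proper extension. The sample data is constructed (the CLSIDs are made up; the CDBurn path is the one quoted in the post), the suspicious-path list is an assumption, and collect_from_registry() only works on Windows.

```python
import re

SSODL_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"
CLSID_RE = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.I)

# Locations a shell service object DLL should never be loaded from (assumed list).
SUSPICIOUS_PATH_PATTERNS = [
    re.compile(r"\\recycler\\", re.I),
    re.compile(r"\\\$recycle\.bin\\", re.I),
    re.compile(r"\\temp\\", re.I),
    re.compile(r"\\application data\\", re.I),
    re.compile(r"\\appdata\\", re.I),
]


def audit_ssodl(entries: dict, servers: dict) -> list:
    """entries maps SSODL value name -> CLSID string; servers maps upper-cased
    CLSID -> InprocServer32 default value (DLL path). Returns one finding per
    entry that looks wrong, with the reasons it was flagged."""
    findings = []
    for name, clsid in entries.items():
        reasons = []
        if not CLSID_RE.match(clsid):
            reasons.append(f"value data is not a CLSID: {clsid!r}")
        server = servers.get(clsid.upper())
        if server is None:
            reasons.append("CLSID has no InprocServer32 registration")
        else:
            if any(p.search(server) for p in SUSPICIOUS_PATH_PATTERNS):
                reasons.append(f"server DLL lives under a junk/user-writable path: {server}")
            if not server.lower().endswith(".dll"):
                reasons.append(f"server path lacks a .dll extension: {server}")
        if reasons:
            findings.append({"value": name, "clsid": clsid, "server": server, "reasons": reasons})
    return findings


# Constructed sample data (not a registry dump from the thread): a plausible benign
# entry with a made-up CLSID, and one modelled on the CDBurn value / n DLL path
# described in the post above.
SAMPLE_ENTRIES = {
    "WebCheck": "{A1B2C3D4-0000-4000-8000-000000000001}",
    "CDBurn": "{A1B2C3D4-0000-4000-8000-000000000002}",
}
SAMPLE_SERVERS = {
    "{A1B2C3D4-0000-4000-8000-000000000001}": r"%SystemRoot%\System32\webcheck.dll",
    "{A1B2C3D4-0000-4000-8000-000000000002}":
        r"c:\recycler\s-1-5-21-1214440339-813497703-1957994488-1003\$438cf004452a8273f4fd797c70f9d9ca\n.",
}


def collect_from_registry():
    """Read live data from HKLM (Windows only, via winreg) and return
    (entries, servers) in the shape audit_ssodl expects."""
    import winreg
    entries, servers = {}, {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SSODL_KEY) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:          # no more values
                break
            entries[name] = str(data)
            index += 1
    for clsid in entries.values():
        try:
            with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT,
                                "CLSID\\" + clsid + "\\InprocServer32") as key:
                servers[clsid.upper()] = str(winreg.QueryValueEx(key, "")[0])
        except OSError:              # unregistered CLSID: audit_ssodl reports it
            pass
    return entries, servers


if __name__ == "__main__":
    try:
        entries, servers = collect_from_registry()
    except (ImportError, OSError):   # not on Windows, or key absent: use the sample
        entries, servers = SAMPLE_ENTRIES, SAMPLE_SERVERS
    for f in audit_ssodl(entries, servers):
        print(f"{f['value']} = {f['clsid']} -> {f['server']}")
        for r in f["reasons"]:
            print("   ", r)
```

On a live system the registry view matters: a 32-bit Python on 64-bit Windows is redirected to the WOW6432Node branch, so run the collector with an interpreter matching the Explorer bitness, and treat an unregistered CLSID as a finding rather than noise, since the post shows the loader entry and the DLL registration being created together.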