Gizmo's Freeware Reviews
Gizmo's Freeware Forum > Debating Chamber > Security
26. Jul 2010, 08:50 PM   #11
emmjay (Senior Member; Join Date: Dec 2009; Posts: 226)
Quote:
Originally Posted by emmjay
Hi Anupam.

After much searching I found a post on MBAM from a user who was infected. MBAM tried but could not help, however the user forged ahead. They posted their experience (a very involved and complicated process ... they provided a translation from German, so it is a little hard to follow). The user believes the bootkit was removed using a fix they got from another source. They provided a link to the fix (it is a rar). I can provide a link to it, if it is allowed here at Gizmo (not sure where you stand on these types of links). Hopefully it will help if one of our members or guests gets infected, let me know.
Did not get your advice on this. Here is the link http://www.esagelab.com

Download bootkit_remover.rar and use 7-zip to open it up.

Update: This bootkit is showing up now in North America (mostly within the past 2 weeks). It is hitting IE, however one AVG user stated that he only uses Chrome and Firefox and he is seeing ads from IE popping up on his browser screen.

I noticed that users of MSE have been hit too (MSE tech support is recommending a clean reinstall). I took a look at the Avast Forum today and there are quite a few instances there. The Avast Forum gurus are pointing their users to the above link (users are reporting success with this fix).
26. Jul 2010, 09:21 PM   #12
Moderator (Join Date: Jul 2008; Location: India; Posts: 9,484)
Sorry emmjay, I forgot to reply to that post of yours. It slipped my mind.

Thanks a lot for the link. It is really useful. I downloaded both Bootkit Remover, and TDSS Remover from there. I think such tools should be with everyone.

The site offers other research papers for reading too. Those also look interesting, and I will read them when I have some time. Thanks a lot for the link again.

About our policy, we do not allow direct links to exe or zip files, but a link to the download page is OK.
__________________
Anupam
27. Jul 2010, 11:36 AM   #13
MidnightCowboy (Site Manager; Join Date: Aug 2008; Location: South American Banana Republic, third bunch from the left; Posts: 9,250)
I installed and ran both the tools from emmjay's link without any problems on Windows 7 Ultimate x32.

Please though note the following which applies to the TDSS Remover:

"Currently we are aware of the following false positives:
- Microsoft Windows 7 license files. The files look like this:
C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
DO NOT REMOVE THEM!"

We shouldn't need to keep reminding folks to digest the "read me" files before using software, especially security apps, but a failure to do so here will be a painful lesson if you then choose to "clean" this "infection" LOL

Thanks emmjay
__________________
Knows nothing and cares even less
03. Feb 2012, 08:27 PM   #14
Member (Join Date: Feb 2012; Posts: 3)
Thanks, I've been trying to find out what those were

Quote:
Originally Posted by MidnightCowboy
"Currently we are aware of the following false positives:
- Microsoft Windows 7 license files. The files look like this:
C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
DO NOT REMOVE THEM!"
I know this is an old post, but I've been seeing these files for a long time not knowing what they were. As I use TDSSKiller all the time, now that I know, I'll leave them alone.

Sometimes, files show up in my Windows folder that have nonsense letters; usually they are some kind of virus. But once in a while they have to do with a program I have installed. For example, when I use Digidesign Pro Tools, each time I use a Bomb Factory plug-in, it generates an Aladdin key, which is always a bunch of nonsense letters and numbers. These you can actually delete, because the Aladdin program generates new keys each time you use it.

Anyway, I can determine what these files are a lot easier now. I suggest everyone install Foolish IT D7; it has a shell extension that allows you to right-click on any file and google it. That's how I found this post!

Thank you so much for the information. It is rare that I find someone who knows what this stuff actually IS and can give a definitive answer. Most of the time, people generate long posts which mean "I don't know what this is". Your answer was straight and to the point!
XweAponX
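The practical lesson of posts #13 and #14 is that a scanner's "remove" verdict on an oddly named file in System32 needs a sanity check against known-benign names before anything is deleted. The script below is an added example written for this page; it is not code from the esagelab tools, TDSSKiller or D7. It encodes the two Windows 7 license-file names quoted from the TDSS Remover read-me as an explicit keep-list, flags other GUID-shaped or random-looking names for investigation, and leaves ordinary names alone. The "same naming shape" rule for other `-5P-n` siblings and the vowel/hex randomness heuristic are my assumptions, not something the thread states, and the sample file list is constructed.

```python
import os
import re

# Added example (not the esagelab tool's code): triage odd-looking file names in
# a Windows system directory before accepting a scanner's "remove" verdict.

# The two Windows 7 license files that the TDSS Remover read-me lists as false
# positives. Stored lower-cased because NTFS name matching is case-insensitive.
WIN7_LICENSE_FILES = {
    "7b296fb0-376b-497e-b012-9c450e1b7327-5p-0.c7483456-a289-439d-8115-601632d005a0",
    "7b296fb0-376b-497e-b012-9c450e1b7327-5p-1.c7483456-a289-439d-8115-601632d005a0",
}

HEX = "[0-9a-f]"
GUID = f"{HEX}{{8}}-{HEX}{{4}}-{HEX}{{4}}-{HEX}{{4}}-{HEX}{{12}}"
# Assumption: other license files follow the same shape <GUID>-5P-<n>.<GUID>.
LICENSE_SHAPE = re.compile(f"^{GUID}-5p-[0-9]+\\.{GUID}$")
GUID_NAME = re.compile(f"^{GUID}(\\.[a-z0-9]+)?$")
EXEC_EXT = {".dll", ".exe", ".sys", ".tmp"}

KEEP = "keep: Windows 7 license file (known TDSS Remover false positive)"
PROBABLY_KEEP = "probably a Windows license file (same naming shape): confirm before removing"
GUID_OTHER = "investigate: GUID-shaped name not on the known-benign list"
RANDOM = "investigate: random-looking name with an executable extension"
ORDINARY = "ordinary name"


def looks_random(stem):
    """Heuristic only: all-hex stems of 8+ chars, or 8+ letters with no vowels."""
    if re.fullmatch(r"[0-9a-f]{8,}", stem):
        return True
    letters = [c for c in stem if c.isalpha()]
    return len(letters) >= 8 and not any(c in "aeiou" for c in letters)


def classify(name):
    """Return one of the label constants for a single file name (no path)."""
    n = name.lower()
    if n in WIN7_LICENSE_FILES:
        return KEEP
    if LICENSE_SHAPE.match(n):
        return PROBABLY_KEEP
    if GUID_NAME.match(n):
        return GUID_OTHER
    stem, ext = os.path.splitext(n)
    if ext in EXEC_EXT and looks_random(stem):
        return RANDOM
    return ORDINARY


def triage(names):
    """Map each file name to its label; anything labelled KEEP must not be deleted."""
    return {name: classify(name) for name in names}


def scan_dir(path):
    """Real use: classify the files of one directory (e.g. C:\\Windows\\System32), non-recursively."""
    return triage(e.name for e in os.scandir(path) if e.is_file())


if __name__ == "__main__":
    # Constructed sample: both license files, a normal DLL, a junk-looking DLL.
    sample = [
        "7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0",
        "7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0",
        "kernel32.dll",
        "xkqzvbtr.dll",
    ]
    for name, label in triage(sample).items():
        print(f"{label:80} {name}")
```

Run `scan_dir(r"C:\Windows\System32")` on a real machine to get the same labels for every file there; the point is that the keep-list check runs before any heuristic, so the license files can never fall through to an "investigate" or "remove" bucket regardless of how suspicious their names look.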