Published by exdone
Posted on February 13, 2015
I must say this malware is getting out of control. Recently I had the pleasure of working on a system that got infected. Now I thought this would be a 30-minute job tops, but it ended up being two days' worth of work. I brought in the usual fellas (HijackThis, SuperAntiSpyware, Malwarebytes, AVG, Avast, Windows Process Explorer). I was ready for war at this point, as each tool found some type of trojan/malware process running. There was one rootkit that was not being detected by my usual fellas except for Process Explorer, and Process Explorer can only kill the process, not remove it from your system.
I called in my backup and managed to get an application called UnHackMe, plus Wireshark, on board. Wireshark is a packet sniffer that lets you see what data is leaving the system as well as requests coming in. Watching Wireshark, I saw the system connecting to an external website without the browser even being open (this is a WTF moment). So I killed the process that was controlling these connections. Bam, it came right back in a matter of seconds. At this point I was sure there was a hidden service running (a rootkit) that I could not see. This is where UnHackMe came in handy: I loaded it up, found the hidden process and was able to stop it from running. UnHackMe did a good job at stopping the service but left the rootkit files on the system. I used ComboFix to completely remove the rootkit's files from C:\Windows\system32\ and C:\Windows\system32\drivers. ComboFix requires some patience.
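The "kill it and it comes straight back" pattern above is the classic sign of a service or driver respawning the payload. The following PowerShell is an added example for this post (it is not the author's script and does not come from any of the tools listed): it maps every established outbound TCP connection to its owning process and to any Windows service hosted in that process, then lists running kernel drivers whose .sys file is missing or not validly Authenticode-signed, which is where a rootkit dropped into system32\drivers tends to show up. It assumes Windows 8 / Server 2012 or later (for Get-NetTCPConnection) and an elevated PowerShell session; the column names in the output are this example's own choice.

```powershell
# Added example, not part of the original post. Requires Windows 8 / Server 2012+
# (Get-NetTCPConnection) and an elevated session. Cmdlet and WMI class names are
# real; the output layout below is this example's own choice.

# 1. Which processes are talking to the outside world right now?
#    Loopback and link-local peers are excluded so only remote endpoints show.
$services = Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -gt 0 }

Get-NetTCPConnection -State Established |
    Where-Object { $_.RemoteAddress -notmatch '^(127\.|::1$|169\.254\.|fe80:)' } |
    ForEach-Object {
        $conn = $_
        $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
        # Services hosted in the owning process (svchost.exe or a stand-alone
        # service exe). A service with StartMode Auto is what restarts the
        # payload seconds after you kill the process.
        $svc = $services | Where-Object { $_.ProcessId -eq $conn.OwningProcess }
        $procName = '<gone>'
        $procPath = $null
        if ($proc) {
            $procName = $proc.ProcessName
            $procPath = $proc.Path          # null for protected/system processes
        }
        [pscustomobject]@{
            Remote   = "$($conn.RemoteAddress):$($conn.RemotePort)"
            PID      = $conn.OwningProcess
            Process  = $procName
            Path     = $procPath
            Services = ($svc | ForEach-Object { "$($_.Name) [$($_.StartMode)]" }) -join ', '
        }
    } | Sort-Object Remote | Format-Table -AutoSize

# 2. Running kernel drivers. A rootkit that hides its service still has to load
#    a .sys from disk, usually system32\drivers. Flag drivers whose file is
#    missing or whose Authenticode signature is not Valid. These are candidates
#    to investigate, not proof of infection: some legitimate third-party
#    drivers are unsigned as well.
Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName } |
    ForEach-Object {
        # WMI reports NT-style paths (\SystemRoot\..., \??\C:\...) or paths
        # relative to the Windows directory; normalise them to Win32 paths.
        $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
        if ($path -notmatch '^[A-Za-z]:\\') { $path = Join-Path $env:SystemRoot $path }
        if (Test-Path -LiteralPath $path) {
            $status = (Get-AuthenticodeSignature -FilePath $path).Status
        } else {
            $status = 'FileMissing'
        }
        [pscustomobject]@{ Driver = $_.Name; Path = $path; Signature = $status }
    } |
    Where-Object { $_.Signature -ne 'Valid' } |
    Format-Table -AutoSize
```

Run the first part while the machine is idle with no browser open, exactly as in the write-up: any connection whose Services column names an unfamiliar Auto-start service is the thing to disable (not just kill) before removing files. On older systems without Get-NetTCPConnection, `netstat -ano` followed by `tasklist /svc /fi "PID eq <pid>"` and `sc qc <service>` gives the same connection-to-process-to-service chain by hand.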
Tools Used
AVG Free
Avast
Malwarebytes
Combofix
SpywareBlaster
UnHackMe – free 30-day trial
HiJackThis
Process Explorer
Wireshark portable
SuperAntiSpyware
Requirement: some knowledge of Windows processes. This is a must, so that you do not crash the computer and leave the system unable to boot. If you are unsure about this, I can be available for remote repair or guidance. There is a fee to have me remote into your system, which can be discussed. Feel free to chat with me on the IRC network QuakeNet, channel #mas1, or use our web client.
I normally run HijackThis first to stop some malware apps from running at boot time. Next I run Malwarebytes or SuperAntiSpyware. Normally these three apps get the job done for most infections. Then I install Avast for continued protection.
I am considering creating a toolkit for download which will include these apps, so you will not need to Google them. Stay tuned for that.
How do I get infected?
Good question
Most infections come from a legitimate website that has been compromised in some way and made to serve malicious content. The Google and Bing search engines scan the websites they index. Google will show you the alert "This site may harm your computer"; please pay attention to this and do not enter the website. Once the notification is removed you should be good to enter; this normally happens after the site owner has cleaned up the website.
You can also check the status of a website by going to
http://www.google.com/safebrowsing/diagnostic?site=EXAMPLE.COM
changing EXAMPLE.COM to the site you are about to visit, or by visiting StopBadware.
Other infections can occur if you install free games or screensavers. The rule of thumb is: if it's free and not open source, don't install it. Also research it online before installing it, or ask your tech guy/gal.
Lastly, porn sites, warez sites (warez sites were known as places to get free apps, movies, ebooks, music and more) and some community sites, cough cough BlackPlanet, MySpace, Tagged. These sites use a lot of third-party advertising networks, and a malicious advertisement served by one of those networks can deliver malware through the ad content or an image loaded on the page. The sites themselves have limited control over this, since the ad is served from the advertiser's infrastructure, not their own.
How come my anti-virus cannot remove malware? I spent a lot of money on Norton or McAfee.
Another good question.
Most commercial anti-virus products were designed to fight viruses. Strictly speaking, a virus is one kind of malware: code that attaches itself to existing files and spreads by infecting them, and it may also open a backdoor that lets someone into your system without your knowledge. Much of what people call malware today (adware, browser hijackers, spyware) does not infect existing system files; it adds its own files, services and registry entries to your system, and a traditional signature-based anti-virus engine tuned for file infectors can miss it, especially when a rootkit hides the files and processes. Most of this malware is an advertising scam that tries to force you to certain websites, but these idiots do it in a way that leaves you unable to surf the internet at all or slows your computer to a crawl. Some malware does also include a virus or a rootkit, depending on the author.
Be a happy surfer and read before clicking anything.
Additional information: be careful when adding an HTML meta refresh tag (`<meta http-equiv="refresh" ...>`) to your website. Automatic redirects of this kind are a common sign of a compromised site, so Google may flag your website in search results as hacked.
Mas for Powserve.com