Dustin wrote:

>Here's what's going on... You were close, though.
>
>It actually sets all files from root down to hidden. You lose your
>desktop icons and your Programs menu has no entries. It's also
>redirecting (via a registry edit) executables to be launched through it, so
>if you do remove the executable you get the infamous "Open With" box when
>you try to run something. You edit the registry to fix this... It's one
>line. ;p


I wish I had taken pictures now. That's not what happened. My desktop icons
were present, and all files were visible. When I checked the security
attributes, "System and Admin" had no control. Here is a pic to explain
a little better:
http://img148.imageshack.us/img148/5871/unledus.jpg


>
>Reset your file attributes with attrib.
>
>> Oh yeah, it also eventually led to a DNS poisoning on that machine.
>> But it may be unrelated to the one that I was focused on. The

>
>I haven't seen DNS poisoning. You likely had the rootkit TDL4 as well.
>It's a ***** too, man. Patches key Windows files.


I ran TDSSKiller, nothing. SAS and MBAM, nothing.

What's next for rootkit detection and removal, GMER?
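For anyone landing on this thread with the same symptoms, here is an added example (not code from either poster) that automates the two clean-up steps Dustin describes: checking the registry redirect of .exe launches and clearing the Hidden attribute on the folders that feed the desktop and Programs menu. It assumes the redirect lives in the standard exefile shell\open\command key (the usual cause of the "Open With" box; the thread does not name the key), and it only clears Hidden on items that are not also marked System, so legitimate files such as desktop.ini keep their attributes. The ACL listing at the end is read-only and is there to show the "System and Admin had no control" situation from the screenshot, not to repair it. Run it from an elevated PowerShell prompt; without -Apply it only reports.

```powershell
# Added example for this thread, not the original poster's code.
# Assumption: the .exe redirect uses the exefile shell\open\command default
# value, and the "lost desktop / empty Programs menu" is the Hidden attribute
# set on the user's Desktop and Start Menu folders. Verify before -Apply.
param(
    [string[]]$Roots = @(
        "$env:USERPROFILE\Desktop",
        "$env:PUBLIC\Desktop",
        "$env:APPDATA\Microsoft\Windows\Start Menu",
        "$env:ProgramData\Microsoft\Windows\Start Menu"
    ),
    [switch]$Apply   # omit to get a dry run that only reports findings
)

# --- 1. The "one line" registry fix: the .exe launch handler ---------------
# A clean system has the default value exactly "%1" %* (quotes included).
# A per-user override under HKCU\Software\Classes wins over HKCR, and that
# is where a rogue installer can plant one without admin rights.
$exeKeys = @(
    'Registry::HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command',
    'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'
)
$expected = '"%1" %*'
foreach ($key in $exeKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $current = (Get-ItemProperty -LiteralPath $key).'(default)'
    Write-Host "$key -> $current"
    if ($current -ne $expected) {
        Write-Warning "exe handler is redirected: $current"
        if ($Apply) {
            # Equivalent cmd one-liner:
            #   reg add HKCR\exefile\shell\open\command /ve /d "\"%1\" %*" /f
            Set-ItemProperty -LiteralPath $key -Name '(default)' -Value $expected
        }
    }
}

# --- 2. The attrib step: clear Hidden, but leave System files alone ---------
$hiddenFlag = [IO.FileAttributes]::Hidden
$systemFlag = [IO.FileAttributes]::System
foreach ($root in $Roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    $hidden = @(Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes.HasFlag($hiddenFlag) -and -not $_.Attributes.HasFlag($systemFlag) })
    Write-Host ("{0}: {1} hidden item(s)" -f $root, $hidden.Count)
    if ($Apply) {
        foreach ($item in $hidden) {
            # Same effect as:  attrib -h "<path>"   (no -s, on purpose)
            $item.Attributes = $item.Attributes -bxor $hiddenFlag
        }
    }

    # Read-only look at who actually controls the folder, for comparison with
    # the screenshot: SYSTEM and Administrators normally have FullControl here.
    (Get-Acl -LiteralPath $root).Access |
        Where-Object { $_.IdentityReference -match 'SYSTEM|Administrators' } |
        ForEach-Object { Write-Host ("  {0,-40} {1,-6} {2}" -f $_.IdentityReference, $_.AccessControlType, $_.FileSystemRights) }
}
```

A blanket `attrib -h -s /s /d C:\*` from the root, which is what the rogue's "everything hidden" symptom tempts people into, would also strip the System attribute from files that are meant to carry it, which is why the example limits itself to the profile folders and skips System-flagged items. If the .exe handler check comes back clean and the "Open With" box still appears, the per-user `HKCU\Software\Classes` branch is the next place to look, since it overrides HKCR.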