G. Morgan <G_Morgan@easy.com> wrote in
news:eqqbv696rjq4scsm5k5jjean47fg08bdma@Osama-is-dead.net:
> Dustin wrote:
>
>>Here's what's going on.. You were close tho.
>>
>>It actually sets all files from root down to hidden. You lose your
>>desktop icons and your programs menu has no entries. It's also
>>redirecting (via registry edit) executables to be launched thru it,
>>so if you do remove the executable you get the infamous open with
>>box when you try to run something. You edit the registry to fix
>>this... It's one line. ;p
>
> I wish I took pictures now. That's not what happened. My desktop
> icons were present, all files were visible. When I checked the
> security attributes "System and Admin" had no control. Here is a
> pic to explain a little better:
> http://img148.imageshack.us/img148/5871/unledus.jpg
Hmm. I've yet to run across one quite like this that's just a main
executable on its own. Likely something else present that set the
stage.
>>I haven't seen DNS poisoning, You likely had the rootkit TDL4 as
>>well. It's a ***** too, man. Patches key windows files.
>
> I ran TDSS killer, nothing. Sas and MBAM, nothing.
If TDL4 rootkit was active, you wouldn't have loaded TDSSKiller
successfully. The programmers made it very easy to get itself marked
and killed when it loads in memory.
> What's next for rootkit detection and removal, GMER?
Doubtful rootkit is present...
Wish I could have seen that box man.
--
Why drink the water from my hand?
Contagious as you think I am
Just tilt my sun towards your domain
Your cup runneth over again
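The executable redirect Dustin mentions above (the "open with" box after the rogue's file is deleted) comes from the registry value that tells Windows how to launch any .exe. The following is an added, read-only PowerShell check, not something posted in the thread: it reads the launch command in both hives and flags anything other than the stock value. The key paths and the expected `"%1" %*` value are standard Windows locations; the output labels are my own.

```powershell
# Added example (not from the thread): read-only check of the .exe launch
# association. On a clean system the .exe extension maps to 'exefile' and
# exefile is launched through the literal command  "%1" %*  .
# Anything else means every program run is passed through another file first.
# Run from an elevated prompt so both hives are readable; nothing is changed.

$expectedCommand = '"%1" %*'
$expectedProgId  = 'exefile'

# Extension -> ProgId mapping (HKCU, when present, overrides HKLM)
$extKeys = @(
    'HKLM:\SOFTWARE\Classes\.exe',
    'HKCU:\Software\Classes\.exe'
)
# ProgId -> launch command
$cmdKeys = @(
    'HKLM:\SOFTWARE\Classes\exefile\shell\open\command',
    'HKCU:\Software\Classes\exefile\shell\open\command'
)

function Get-DefaultValue([string]$Path) {
    if (-not (Test-Path $Path)) { return $null }
    return (Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue).'(default)'
}

foreach ($k in $extKeys) {
    $v = Get-DefaultValue $k
    if ($null -eq $v)              { Write-Output "ABSENT   $k   (normal for HKCU)" }
    elseif ($v -eq $expectedProgId) { Write-Output "OK       $k -> $v" }
    else                           { Write-Output "SUSPECT  $k -> $v" }
}

foreach ($k in $cmdKeys) {
    $v = Get-DefaultValue $k
    if ($null -eq $v)               { Write-Output "ABSENT   $k   (normal for HKCU)" }
    elseif ($v -eq $expectedCommand) { Write-Output "OK       $k -> $v" }
    else                            { Write-Output "SUSPECT  $k -> $v" }
}
```

A SUSPECT line on the HKLM command key, or any value at all under the HKCU keys, is the redirect described above; the one-line fix Dustin alludes to is restoring the default value to `"%1" %*` with Set-ItemProperty once the file it points at has been dealt with.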