IWETHEY v. 0.3.0 | TODO
1,095 registered users | 0 active users | 0 LpH | Statistics
Login | Create New User
IWETHEY Banner

Welcome to IWETHEY!

IWETHEY Home / IWETHEY Board / Open Forum / Re: It's getting very rough out there.
Post #343,621
by Andrew Grygus
Picture of Andrew Grygus
6/12/11 12:44:56 PM
Reply
New Re: It's getting very rough out there.
If you look with allocation tools like fdisk, there's usually about 8 megs of unalocated space. That's where the infection would place its file system.

Kaspersky's tdsskiller utility is supposed to detect these infections and clean them up. Haven't tried that yet, because I got this one by another means. Only by doing so was I able to find out what to look for to fix it.

I ran Combofix in Safe Mode. It found root kit activity as usual and started its special reboot for clean-up (which doesn't work in this case). I killed the reboot, booted into Recovery Console and replaced the MBR using fixmbr (which runs only from the recovery console). I then rebooted into Safe Mode. The startup was intercepted by Combofix as usual but this time it detected TDS4 infection and killed it.

I don't know if fdisk would cure this problem - it might, but it might not. If I really wanted to be sure, I'd hook the drive to another system and use a disk editor to overwrite the whole MBR with $00.

Post #343,638
by folkert
Picture of folkert
6/12/11 7:28:34 PM
Reply
New dd if=/dev/zero of=/dev/hda bs=1048576 count=1024
That will get past the 1024 limit just fine... Though 100MB should be fine.
Post #343,682
by jake123
6/13/11 11:18:25 PM
Reply
New Re: dd if=/dev/zero of=/dev/hda bs=1048576 count=1024
That's exactly what I thought of when I read Andrew's post.

God, I've become a Unix junkie. What has happened to me? ;)
Post #343,686
by folkert
Picture of folkert
6/14/11 12:13:04 AM
Reply
New Hey... you see that... +
That is the world's smallest digital violin playing for you.
     It's getting very rough out there. - (Andrew Grygus) - (11) - June 11, 2011, 09:44:50 PM EDT
         Joy. - (Another Scott) - June 11, 2011, 10:25:58 PM EDT
         Malware is one of the things that drove me off Windows. - (static) - (1) - June 11, 2011, 11:59:06 PM EDT
             Well, it may drive more off. - (Andrew Grygus) - June 12, 2011, 01:05:58 AM EDT
         Re: It's getting very rough out there. - (Ashton) - (5) - June 12, 2011, 04:12:02 AM EDT
             It shouldn't - (scoenye) - June 12, 2011, 10:52:02 AM EDT
             Re: It's getting very rough out there. - (Andrew Grygus) - (3) - June 12, 2011, 12:44:56 PM EDT
                 dd if=/dev/zero of=/dev/hda bs=1048576 count=1024 - (folkert) - (2) - June 12, 2011, 07:28:34 PM EDT
                     Re: dd if=/dev/zero of=/dev/hda bs=1048576 count=1024 - (jake123) - (1) - June 13, 2011, 11:18:25 PM EDT
                         Hey... you see that... + - (folkert) - June 14, 2011, 12:13:04 AM EDT
         Sound a lot like.. - (folkert) - June 12, 2011, 07:24:36 PM EDT
         It does have some virtues... - (scoenye) - June 29, 2011, 08:08:16 PM EDT

Calculate projected nexus.
170 ms