Sponsored by..

Tuesday 21 October 2008

6700.cn browser hijack (bad), SUPERAntiSpyware (good)

I've just spent several days investigating a machine with a particularly nasty rootkit infection. Despite throwing several tools at it and rummaging around the hard disk, the rootkit remained. The most obvious sign was a browser hijack pointing at 6700.cn but there were dozens of malware components installed too.

The F-Secure online scanner and ComboFix removed quite a lot of the malware, but hats off to SUPERAntiSpyware which identified and removed the last, tricky part of the rootkit. I haven't come across this application before, but it is definitely worth a look and it has a free trial.

In retrospect, a lot of the rootkit is also plainly visible using Sysinternal Autoruns - the malware components tend to lack "Publisher" details and can be easily identified. You may well need to take the hard disk out and mount it in a USB drive on a second PC, but a word of caution - it is possible to infect the second PC too, so try to avoid using anything mission critical for the cleanup.

No comments: