Sponsored by..

Showing posts with label Rootkits. Show all posts
Showing posts with label Rootkits. Show all posts

Tuesday, 21 October 2008

6700.cn browser hijack (bad), SUPERAntiSpyware (good)

I've just spent several days investigating a machine with a particularly nasty rootkit infection. Despite throwing several tools at it and rummaging around the hard disk, the rootkit remained. The most obvious sign was a browser hijack pointing at 6700.cn but there were dozens of malware components installed too.

The F-Secure online scanner and ComboFix removed quite a lot of the malware, but hats off to SUPERAntiSpyware which identified and removed the last, tricky part of the rootkit. I haven't come across this application before, but it is definitely worth a look and it has a free trial.

In retrospect, a lot of the rootkit is also plainly visible using Sysinternal Autoruns - the malware components tend to lack "Publisher" details and can be easily identified. You may well need to take the hard disk out and mount it in a USB drive on a second PC, but a word of caution - it is possible to infect the second PC too, so try to avoid using anything mission critical for the cleanup.