Rootkit / Malware outbreak in December 2011 - Fake AV and Google Redirects

Discussion in 'General Chat' started by Pelvis Popcan, Jan 2, 2012.

  1. Pelvis Popcan

    Pelvis Popcan Well-Known Member

    I got hit last week browsing and spent days restoring my systems with clean backup images. I later found out that this seems to be affecting a lot of people and started at the end of November 2011.

    The infection will happen simply by web browsing. Executable code runs, then installs a rootkit which so far seems to be redirecting Google search results, as well as running fake scareware antivirus program .exe's (name depending on your OS: "XP/Vista/Windows 7 Security 2012"; it might be called something else like "Cloud AV" as well).

    This outbreak appears to affect every version of Windows (including Win7 x64), and every browser (including Chrome, Firefox, and IE). It also appears that MalwareBytes, MSE, and almost all other real-time malware protection programs do not stop the infection. HijackThis won't show it. If you manage to find the infected files (I found one using TDSSKiller) and upload them to, only the uninfected portion of the file will be uploaded and it will return a clean scan. That's why it's a rootkit. Your system appears clean and all affected files have clean checksums, when in fact they don't.

    If you do get hit, you will be able to remove the fake AV programs and fix your registry (they change some registry keys so that any program or .exe file will start them up), but the rootkit will remain on your system and redownload and rerun the scareware .exe's hours to days later, as well as continue to redirect Google search results. This is EXTREMELY SERIOUS because it means that it can run executables at any time. Essentially, someone somewhere has complete control of your PC.

    So far, very little is known about where this infection is coming from and how it's running executable code just by browsing. Everything from ad banners to imgur to reddit to servers on various websites has been suggested, as well as Flash, Java, JavaScript, Microsoft .NET, and Adobe Reader.

    If you do get hit, barring a reformat, I would suggest:

    ComboFix: Save to the desktop. Boot into Safe Mode with Network Support, but disconnect your modem or router from the net. Run ComboFix from the desktop.

    Reboot, then do TDSSKiller, then finally MalwareBytes.

    Some other tools I would suggest trying if you have problems:

    HitMan Pro 3.6

    McAfee Rootkit Remover (released recently and is supposed to clean all versions of the ZeroAccess rootkit that they know about)

    Microsoft did release four updates to .NET on 12/29, which is not only an out-of-band update, but one that must have required Microsoft employees to come in over the holidays to work on. I read on ZDNet that the holes they patched do in fact allow arbitrary code execution, and that it affects every version of Windows from XP to 7 (workstation and server, all versions), so it certainly seems possible that could be the back door this infection is using. Make sure you go to and do a manual check there to ensure you have everything.

    Make sure you update Flash, Java, Adobe Reader, Shockwave Player, and you have everything from Install AdBlock Plus and use the Easylist subscription. If you're on IE like me, use an IE ad blocker with Easylist; I used Simple Adblock which is $30. :p

    (This talks about a variant of this infection that runs from digitally signed standalone installers, like Adobe Flash.)
    (Microsoft .NET out-of-band critical updates released Thursday 12/29/11.)
    (Atlanta hospital had to shut down because all their computers got hit with malware in December 2011.)

    I have not seen anything this nasty since the days of IE6. In fact, even with the crap back then, it usually wasn't so bad that nothing could fix it except a complete reformat.

    HEADS UP! :bang::bang::bang:
    Last edited: Jan 2, 2012
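The post above mentions that the fake AV changes registry keys so that any .exe launch starts it. The usual way that is done is a per-user override of the .exe file association: `HKCU\Software\Classes\.exe` is pointed at a throwaway ProgID whose `shell\open\command` names the malware, and since HKCU wins over HKLM the scareware runs before every program the user double-clicks. The script below is an added example, not from the thread or from any of the tools named in it; the registry paths and the default command `"%1" %*` are standard Windows values, the diagnosis logic and the `-Fix` switch are this script's own.

```powershell
# Added example (not from the thread): detect, and optionally undo, a hijacked
# .exe file association of the kind fake-AV installers set so that every
# program the user launches starts the scareware first.
# Registry paths and the expected command '"%1" %*' are standard Windows
# defaults; the checks and the -Fix behaviour are this script's own.
param([switch]$Fix)

$ExpectedCommand = '"%1" %*'

function Get-RegDefault([string]$Path) {
    # Returns the (Default) value of a key, or $null if the key does not exist.
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    (Get-Item -LiteralPath $Path).GetValue('')
}

function Test-ExeAssociation {
    $findings = @()

    # Machine-wide mapping: .exe -> ProgID 'exefile' -> open command '"%1" %*'.
    $progId = Get-RegDefault 'HKLM:\SOFTWARE\Classes\.exe'
    if ($progId -ne 'exefile') {
        $findings += "HKLM: .exe maps to ProgID '$progId' (expected 'exefile')"
    }
    $cmd = Get-RegDefault 'HKLM:\SOFTWARE\Classes\exefile\shell\open\command'
    if ($cmd -ne $ExpectedCommand) {
        $findings += "HKLM: exefile open command is '$cmd' (expected '$ExpectedCommand')"
    }

    # Per-user overrides win over HKLM, and a clean profile normally has none.
    # Fake AVs typically create HKCU\Software\Classes\.exe pointing at a
    # throwaway ProgID whose open command is the malware path, so follow it.
    $userProgId = Get-RegDefault 'HKCU:\Software\Classes\.exe'
    if ($null -ne $userProgId) {
        $userCmd = Get-RegDefault "HKCU:\Software\Classes\$userProgId\shell\open\command"
        $findings += "HKCU: .exe overridden -> ProgID '$userProgId', command '$userCmd'"
    }
    $userExeCmd = Get-RegDefault 'HKCU:\Software\Classes\exefile\shell\open\command'
    if ($null -ne $userExeCmd -and $userExeCmd -ne $ExpectedCommand) {
        $findings += "HKCU: exefile open command overridden to '$userExeCmd'"
    }
    return $findings
}

function Repair-ExeAssociation {
    # Remove per-user overrides and reset the machine-wide command. The HKLM
    # part needs an elevated prompt. Stop the fake-AV process first, or it may
    # simply write the keys back. The orphaned malicious ProgID key under
    # HKCU\Software\Classes is harmless once nothing references it.
    foreach ($k in 'HKCU:\Software\Classes\.exe', 'HKCU:\Software\Classes\exefile') {
        if (Test-Path -LiteralPath $k) { Remove-Item -LiteralPath $k -Recurse -Force }
    }
    Set-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Classes\.exe' -Name '(default)' -Value 'exefile'
    Set-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Classes\exefile\shell\open\command' `
        -Name '(default)' -Value $ExpectedCommand
}

$findings = @(Test-ExeAssociation)
if ($findings.Count -eq 0) {
    'No .exe association hijack found.'
} else {
    $findings
    if ($Fix) { Repair-ExeAssociation; 'Association reset; re-run to confirm.' }
}
```

Run it from Safe Mode, and start PowerShell from a command prompt rather than by double-clicking: cmd.exe launches executables directly, so the hijacked association is not consulted, whereas an Explorer launch of powershell.exe would itself go through the malware's command. Repairing the association only removes the launch hook for the scareware; as the post says, the rootkit that redownloads it is a separate problem.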
  2. mike20021969

    mike20021969 Well-Known Member

    Stuff like this (normally) comes from visiting dodgy websites or installing rogue software.

    I guarantee it won't affect me ;)
  3. Pelvis Popcan

    Pelvis Popcan Well-Known Member

    Oh how lovely. First reply is from someone who indirectly accuses me of being a filthy pirate. I should have known better than to post this here.

    I got hit while doing nothing more than browsing the somethingawful forums. No other browser window was open.

    I heard from many other people who were hit when browsing imgur.

    A lot of people see the fake scareware/malware and are able to read and figure out how to remove it, and figure it was an easy fix, and don't realize the rootkit is still on their system and that it's wide open. Their antivirus won't alert on it.
  4. Pelvis Popcan

    Pelvis Popcan Well-Known Member

    Please re-read the post.
  5. Pelvis Popcan

    Pelvis Popcan Well-Known Member

  6. mike20021969

    mike20021969 Well-Known Member

    No-ones accusing anyone. I didn't even mention piracy.

    It's quite possible those two sites you mentioned have been hacked somehow? (A radio station site I've been a member of for over 7 years was hacked a few months ago, resulting in it being shut down by the owners until the problem was sorted.)
    Regarding software, I've heard that some sites that re-host genuine programs may alter executables.
    Last edited: Jan 2, 2012
  7. Clams

    Clams Well-Known Member

    No one accused you of being a pirate - filthy or otherwise.
    And I personally have no interest in the hygiene of a poster. :D

    Question: Is there a simple way without tools to test for the rootkit?
    i.e. will it still impact Google results once you remove the scareware?

  8. Hawk

    Hawk Well-Known Member

    It's quite sad when malware authors get the upper hand. But what is even more dangerous is that a few days ago I was reading a blog which talked about malware that resides in the BIOS and is also rootkit based, and that is a really big concern.

    So even formatting the hard drive won't help. Luckily for us it only affects a limited set of motherboards.

    Anyway, good to know my computer is set up in such a way that it is immune to these pesky problems. In the last seven years I have never had a single virus on my system.
    Last edited: Jan 2, 2012
  9. Pelvis Popcan

    Pelvis Popcan Well-Known Member

    Same here, more or less. Until last week. :(
  10. Pelvis Popcan

    Pelvis Popcan Well-Known Member

    Without tools, no. Again, that's why it's a rootkit. It attaches itself to one or more of your digitally signed Windows driver files and forges a clean checksum (it will continue to pass the digital signature check). If for example TDSSKiller finds the file that has the rootkit on it, and you upload that file to, only the uninfected part of the file will be uploaded and it will return a clean scan. Your system sees a clean file. In my case, TDSSKiller found it on ACPI.sys and was able to clean it, but the rootkit was still present. When I tried to get rid of it with ComboFix, ComboFix alerted on ZeroAccess, but it hung when I tried to run it. I had to reformat.

    Yes, if you remove the scareware, you will still get random redirects on Google search results, because the Rootkit remains on the system.
    Last edited: Jan 2, 2012
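The point made in the post above, that the infected driver (ACPI.sys in the poster's case) looks clean to anything that reads it from inside the running system, is exactly why a driver integrity check has to be done from outside that system. The script below is an added example, not from the thread or from TDSSKiller/ComboFix; it inventories the `.sys` files on a Windows volume, records size, SHA-256 and Authenticode state, and diffs that against a baseline built from a known-clean install of the same Windows version (the restored image the poster mentions would do). The directory and the baseline file name are this script's defaults, not values taken from the thread.

```powershell
# Added example (not from the thread): inventory the kernel drivers on a
# Windows volume and diff them against a baseline taken from a known-clean
# image. Run it from a boot disk or with the suspect disk mounted on another
# machine: a live rootkit can hand a clean copy of the driver to any program
# that reads the file, so hashes and signature checks taken from inside the
# infected OS prove nothing. Directory and baseline file name are this
# script's defaults, not values from the thread.
param(
    [string]$DriverDir    = 'C:\Windows\System32\drivers',  # e.g. 'E:\Windows\System32\drivers' when mounted offline
    [string]$BaselineFile = '.\driver-baseline.csv',
    [switch]$Build                                          # write the baseline instead of comparing
)

function Get-DriverInventory([string]$Dir) {
    Get-ChildItem -LiteralPath $Dir -Filter *.sys -File | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Name      = $_.Name
            Length    = $_.Length
            SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            SigStatus = $sig.Status.ToString()
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    }
}

function Compare-DriverInventory($Current, $Baseline) {
    $known = @{}
    foreach ($b in $Baseline) { $known[$b.Name] = $b }
    foreach ($c in $Current) {
        if (-not $known.ContainsKey($c.Name)) {
            "NEW       $($c.Name)  size=$($c.Length)  sig=$($c.SigStatus)  $($c.Signer)"
        }
        elseif ($known[$c.Name].SHA256 -ne $c.SHA256) {
            # Same file name, different bytes: a driver patched in place (the
            # thread's ACPI.sys case) or replaced wholesale. The signature
            # state is reported as supporting evidence: an in-place patch
            # breaks an embedded signature, a swapped-in signed driver may not.
            "MODIFIED  $($c.Name)  size $($known[$c.Name].Length)->$($c.Length)  sig=$($c.SigStatus)  $($c.Signer)"
        }
        $known.Remove($c.Name)
    }
    # Drivers present in the baseline but absent now.
    foreach ($name in $known.Keys) { "MISSING   $name" }
}

$inventory = @(Get-DriverInventory $DriverDir)
if ($Build) {
    $inventory | Export-Csv -LiteralPath $BaselineFile -NoTypeInformation
    "Baseline written to $BaselineFile ($($inventory.Count) drivers)"
} else {
    $baseline = @(Import-Csv -LiteralPath $BaselineFile)
    $diff = @(Compare-DriverInventory $inventory $baseline)
    if ($diff.Count -eq 0) { 'No differences from baseline.' } else { $diff }
}
```

Build the baseline with `-Build` on the clean machine, then run the comparison against the suspect volume mounted read-only. The hash diff is the primary signal; treat `SigStatus` as secondary, because on older Windows and PowerShell versions `Get-AuthenticodeSignature` only checks embedded signatures and most in-box drivers are catalog-signed, so they report `NotSigned` even when clean (newer versions resolve catalog signatures). A `MODIFIED` hit on a file that the live system reports as clean is the offline-versus-online discrepancy the post describes.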
  11. slithu

    slithu Member

    I've found that as soon as I find a customer's system with the ZeroAccess rootkit, I just back up the data, grab the Windows and Office keys and nuke the whole PC. It's faster to wipe out the PC and get it back up and running than it is to try and remove the damn thing, especially as various other Windows systems get screwed up. Also, the PC is much faster after having a clean install.

    Most people I deal with are getting infected through browser exploits and email attachments.
  12. NastyEvil

    NastyEvil New Member


    Looks like that's what my better half's lappy has :bang:

    I rebuilt this PC on the 22nd-23rd of December thinking I'll just use the lappy for drivers etc... instead I spent 5 hours cleaning the laptop of "VISTA ANTIVIRUS 2012". Be warned, the pop-ups look exactly like and work like the NORMAL Windows alerts for the firewall etc.

    While on the laptop: block, 5 min later BLOCK, damn this is strange... dumb AV :confused:

    After that it proceeded with a couple of fake virus findings from "VISTA ANTIVIRUS 2012", which was not our normal AV suite, and suspiciously like the fake AV programs of a couple of years back. :eek: I went investigating.

    That's when it started screwing with IE/Firefox and not allowing searches etc.
    It was just coming up with a page that looks like the AVG page for blocked sites, no matter what I tried. Even Google's Chrome was affected. With my desktop down I was stuck, and walked away.

    About 45 min later I was using my iPhone and it hit me: "Safari" as a web browser. June installs all the extras for everything, and uses iTunes for her iPod... back to the lappy and there was SAFARI hidden in the start menu.

    Safari worked, no blocks, nothing. I was able to search out "vista anti virus 2012" with relative ease, apart from the fake system icon alerts every 2-3 min.

    3 hrs later my account on the lappy was basically clean, or so I thought, no fake system icons or pop-ups. I proceeded to download the drivers etc. onto a USB stick for the desktop.

    On the 27th June tried her laptop; her account is still infected.
    Interestingly enough though, the browsers still work... no blocked pages. I haven't tried to fix it yet but she has that Vista AV 2012 icon in the system tray that pops up occasionally.

    Her Facebook etc. works fine; I've told her NOT to upload/download ANYTHING and only reply in text on Facebook for now... until I can get it sorted.

    From my experience so far, the rootkit gets aggressive when you start doing searches in browsers. It has not spread to this PC through the network; we haven't been swapping files lately, but they are still viewable.

    Does anyone know a sure-fire solution to get rid of this besides a new install??? June uses her laptop for photo backups, and there are literally hundreds of thousands there. Can the virus attach itself to a photo?
  13. Hawk

    Hawk Well-Known Member

    What antivirus and antimalware are you using?
  14. NastyEvil

    NastyEvil New Member

    AVG was on there but is now gone as I've been hearing a lot of bad things about it recently (mainly after all this).

    Now the lappy has MalwareBytes and Microsoft Security Essentials. I know it's not clean; first and foremost is to get the photos off safely without antagonizing it again.

    This PC has just MSE; I don't normally go anywhere or do much net-wise, most of the sites I visit, like here, I've had bookmarked for years and trusted (mostly lol).

    Also I don't trust Spybot/Spy Doctor or whatever it's called these days, but that's another story.
    Last edited: Jan 3, 2012
  15. Pelvis Popcan

    Pelvis Popcan Well-Known Member

    None. (Not even Windows Firewall.) I do however have Spybot Search & Destroy do "immunize", which blocks known rogue domains via browsers and the HOSTS file (it doesn't have to stay running).

    I have Kaspersky 2009 but I usually don't run its realtime protection.

    This 12/2011 outbreak is not prevented by even the latest Kaspersky, MalwareBytes, or Microsoft Security Essentials.

    After my restore I updated Flash, Shockwave Player, Java, and Windows Update. I have Kaspersky 2009 turned on now, and I'm using Simple Adblock for IE (which uses the Easylist blocklist).
  16. Pelvis Popcan

    Pelvis Popcan Well-Known Member

    You can trust:

    Spybot Search & Destroy

    There are others that are OK I'm sure but those are the main ones I currently trust.
  17. slithu

    slithu Member

    Personally I use :

    Comodo Internet Security 5.9(free)
    Spyware Blaster 4.5
    Firefox w/Adblock and No Script

    I haven't run into any issues for years.

    The most important thing to remember is to keep Windows and all the tertiary programs (Flash, Java, Adobe Reader etc) fully updated.
  18. nodiaque

    nodiaque Member

    This thing isn't new from December; it has been hitting my computers for the last 3 years. I'm in IT at a school and I see this thing everywhere. I also got it from browsing the internet searching for source code I could use for various programs, from a Google hit. No AV could clear it. Nonetheless, the easiest way to remove it is to create a new profile and delete the older one, carrying over your documents and all (but not the entire profile, because it does reside there and at various other places). For now, it's the only way that has always worked without any issue.