[AccessD] Latest Outrage from Symantec

Jim Lawrence accessd at shaw.ca
Mon Apr 16 16:47:50 CDT 2012


I mean notepad... Jim

-----Original Message-----
From: accessd-bounces at databaseadvisors.com
[mailto:accessd-bounces at databaseadvisors.com] On Behalf Of Jim Lawrence
Sent: Monday, April 16, 2012 2:35 PM
To: 'Access Developers discussion and problem solving'
Subject: Re: [AccessD] Latest Outrage from Symantec

Just a quick one as I am sure you have followed all the processes.

Msconfig at run, list all services and startup and then check all paths.
Every app you find that is suspect, rename, but, and this is the trick, create a
new empty file through notebook and save it with the same name and set it to
read only.

The standard process for starting a malware app is to have a run in your
registry, stick a file with the name of a good file in the path and start a
service. All the above at the same time, so if you miss any it will
automatically rebuild itself. Finally, there is a rootkit hack:
http://www.techsupportalert.com/best-free-rootkit-scanner-remover.htm

Here appears to be a good link on the process:
http://www.howtogeek.com/74523/how-to-disable-startup-programs-in-windows/

...but it is going to be a lot of grunt work. Done this more times than I
can remember, especially when the scanners fail.

Other than that, image backup (DriveImageXML my recommendation, as it can do
a full shadow copy backup while the station is running (XP or newer)),
reformat, reinstall and bring back the data files you need from the image
backup.

PS If you go the reformat route, make sure you have a copy of the
motherboard drivers from the MB supplier, as MS has been a little slack in
updating same.

Jim

-----Original Message-----
From: accessd-bounces at databaseadvisors.com
[mailto:accessd-bounces at databaseadvisors.com] On Behalf Of Jim Dettman
Sent: Monday, April 16, 2012 1:55 PM
To: 'Access Developers discussion and problem solving'
Subject: Re: [AccessD] Latest Outrage from Symantec


 Problem was, it was more than just registry changes.  Any restore point I
went to yielded a system that quickly re-loaded the rootkit and the viruses
(within a matter of minutes).

 If I ran TDSKiller and ComboFix, I got a clean system, but explorer.exe
would not work (nor any program) and if I restarted, I had an un-bootable
system.

 I might have had better luck with just restoring the registry rather than
using a restore point, but after fooling with it for almost seven hours, I
figured enough was enough and wiped it.

 Like I said, it was a real nasty piece of work.  Worst I've ever seen.

Jim.

-----Original Message-----
From: accessd-bounces at databaseadvisors.com
[mailto:accessd-bounces at databaseadvisors.com] On Behalf Of Mark Simms
Sent: Monday, April 16, 2012 04:09 PM
To: 'Access Developers discussion and problem solving'
Subject: Re: [AccessD] Latest Outrage from Symantec

Registry back-ups are CRITICAL.



-- 
AccessD mailing list
AccessD at databaseadvisors.com
http://databaseadvisors.com/mailman/listinfo/accessd
Website: http://www.databaseadvisors.com

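The startup audit Jim Lawrence describes above (list services and startup entries, check every path, then rename the suspect binary and leave an empty read-only file in its place) as an added PowerShell example. This is not code from the thread; it is written here to show the procedure in a form that can be run from an elevated prompt. The "trusted root" heuristic (flag anything not under Program Files or the Windows directory) and the Authenticode check are additions of this example, not criteria from the post; the post only says to check the paths. The script reports only; Disable-SuspectImage is a separate function you call by hand on an entry you have already judged to be malicious.

```powershell
# Added example (not from the original thread): enumerate the persistence
# locations named in the post (Run keys, services, Startup folders) and flag
# entries whose image is missing, unsigned, or outside the usual install roots.

# Registry autorun locations to inspect (HKLM and HKCU, 32- and 64-bit views).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Assumption of this example: a legitimately installed program lives under one of these.
$trustedRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }

function Get-ImagePath {
    # Pull the executable out of a command line such as
    #   "C:\Program Files\App\app.exe" /silent   or   C:\Windows\system32\svchost.exe -k netsvcs
    param([string]$CommandLine)
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $null }
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 0) { return $cmd.Substring(1, $end - 1) }
    }
    # Unquoted: take text up to the first ".exe" so spaces in the path survive.
    $m = [regex]::Match($cmd, '^(.*?\.exe)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($cmd -split '\s+')[0]
}

function Test-SuspectPath {
    # Returns a reason string when the image looks wrong, otherwise $null.
    param([string]$Path)
    if (-not $Path) { return 'no image path' }
    if (-not (Test-Path -LiteralPath $Path)) { return 'file missing' }
    $inTrusted = $false
    foreach ($root in $trustedRoots) {
        if ($Path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { $inTrusted = $true }
    }
    if (-not $inTrusted) { return 'outside Program Files / Windows' }
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.Status -ne 'Valid') { return "signature $($sig.Status)" }
    return $null
}

function Get-AutostartEntries {
    # One object per autostart entry: Source, Name, Command, Image, Reason.
    $entries = @()
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
            $entries += [pscustomobject]@{ Source = $key; Name = $p.Name; Command = [string]$p.Value }
        }
    }
    foreach ($svc in Get-CimInstance Win32_Service) {
        $entries += [pscustomobject]@{ Source = 'Service'; Name = $svc.Name; Command = $svc.PathName }
    }
    $shell = New-Object -ComObject WScript.Shell   # used to resolve .lnk targets
    foreach ($folder in 'Startup', 'CommonStartup') {
        $dir = [Environment]::GetFolderPath($folder)
        if (-not (Test-Path $dir)) { continue }
        foreach ($f in Get-ChildItem -LiteralPath $dir -File) {
            $target = $f.FullName
            if ($f.Extension -ieq '.lnk') { $target = $shell.CreateShortcut($f.FullName).TargetPath }
            $entries += [pscustomobject]@{ Source = 'Startup folder'; Name = $f.Name; Command = $target }
        }
    }
    foreach ($e in $entries) {
        $image = Get-ImagePath $e.Command
        $e | Add-Member -NotePropertyName Image  -NotePropertyValue $image
        $e | Add-Member -NotePropertyName Reason -NotePropertyValue (Test-SuspectPath $image)
    }
    return $entries
}

function Disable-SuspectImage {
    # The renaming trick from the post: move the binary aside, then leave an
    # empty read-only file under the original name so a restarter cannot
    # simply drop a fresh copy back into place.
    param([Parameter(Mandatory)][string]$Path)
    Rename-Item -LiteralPath $Path -NewName ("$([IO.Path]::GetFileName($Path)).suspect")
    New-Item -ItemType File -Path $Path | Out-Null
    Set-ItemProperty -LiteralPath $Path -Name IsReadOnly -Value $true
}

# Report only. Review the list, then call Disable-SuspectImage on a chosen entry.
Get-AutostartEntries | Where-Object Reason | Format-Table Source, Name, Image, Reason -AutoSize
```

The three sources are checked in one pass because, as the post notes, a restarter component in any one of them will rebuild the others; neutralising a Run key while the service is still live only buys a few minutes. The read-only placeholder is a speed bump, not a lock: a process running as SYSTEM can clear the attribute, which is why the post still ends with the reformat-and-reinstall route when the scanners and the manual clean-up both fail.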