[dba-Tech] Generic MBR Rootkit and Vipre

Jim Lawrence accessd at shaw.ca
Tue Apr 14 14:32:30 CDT 2009


Thanks so much John. 

I will test using GMER and Rootkit Revealer and see if this brings some
sort of resolution. The OS has been through so many virus and malware scans
that part of the system's degradation in response time is due to these
products as well.

I am making a list of all the apps that are currently running on the computer
and then I think a good nuking will clean up things permanently.

I am really amazed at the infection's ability to resist all attempts at
completely removing it. It has been effectively blocked from outside access
but some of the components are still running at intervals and assisting in
various system crashes. It wrecked all the browsers (IE, Firefox and Chrome)
as well. 

Now I am very curious at what 'IT' could be. I will keep you posted as well
if any more details emerge. 

Jim


-----Original Message-----
From: dba-tech-bounces at databaseadvisors.com
[mailto:dba-tech-bounces at databaseadvisors.com] On Behalf Of John Bartow
Sent: Monday, April 13, 2009 8:16 PM
To: 'Discussion of Hardware and Software issues'
Subject: Re: [dba-Tech] Generic MBR Rootkit and Vipre

Hi Jim,
Have you run a separate rootkit detector? GMER and Rootkit Revealer come to
mind. AntiVir's (I'm testing the free edition) rootkit detection seems to be
really good too. Vipre's is good too but I tend to not depend on just one
thing. Of course, remove it from the network so it's not a worm driven
infection from somewhere else and then rootkit scan it. Boot into safe mode
and run Vipre. If Vipre finds something then it will automatically kick in a
boot time scan. Unfortunately there is no way to force a boot time scan
EXCEPT with PC Rescue (there's a small link for that on the bottom of the
Vipre web page). PC Rescue has four command line parameters including
enabling boot time scan. I also double check with Autoruns after all
scanning and cleaning is done in safe mode. 

Another thing you could do is remove the hard drive and connect it to
another machine (I use a USB-IDE connector). Run scans with everything you
can on it. 

Apparently you can mount the registry from the infected machine and scan it.
We were discussing it the other day as something Sunbelt should add into
their PC rescue and Vipre products. IIRC it had something to do with opening
regedit and going to file | Load Hive. I've never done this so I have no
idea if it actually works.

One note about running Symantec (or other real time AVs) and Vipre on the
same computer, it can cause problems even if the real time and active
protection are disabled. I had heard of this from others but I had never run
into this until today when I was testing running a manual scan with AntiVir
and Vipre blocked something of AntiVir's even though active protection was
off. As soon as the file was executed it got tromped by Vipre. I've been
testing the two together for weeks so I'm not even sure yet what this was.

Also, if you are running Vipre then Sunbelt support is available for
unknowns. There is one fellow on the support list that has been infected
with something and SB support has been helping him through a really rough
one.

I just had "System Security 2009", a rogue anti-virus, show up on one of my
users' PCs last Thursday. Vipre stopped most of it and he turned the PC off
until I could get back to him. We turned the PC on, Vipre updated and cleaned
the rest off. My guess is that the virtual machine figured out what it was
and stopped the infectious parts but left the icons and stuff lying around.
The newer updates cleaned up many of those harmless parts later. I tried to
load MalwareBytes on a few systems lately where it wouldn't load the setup
file. That's a shame, it usually cleaned quite well. I think they have to
harden their install process.

But you've probably got something much worse than that by the sounds of it.
If I see anything about that other fellow's nasty problem being resolved
I'll let you know. Best of luck!

John B.
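
The offline triage John describes above (pull the drive, attach it to a clean
machine, check the disk and load the infected registry hives), written out as a
PowerShell script. This is an added example, not code from this thread or from
Sunbelt/Vipre. It assumes, hypothetically, that the suspect disk appears on the
clean machine as \\.\PhysicalDrive1 with its Windows volume mounted as D:, and
that it is run from an elevated prompt; adjust both to your setup.

```powershell
# Added example, not code from the thread or from Sunbelt/Vipre.
# Offline triage of a suspect Windows disk that has been pulled from the
# infected machine and attached to a clean one (e.g. via a USB-IDE adapter).
# Assumptions (hypothetical; adjust to your setup):
#   - the suspect disk is \\.\PhysicalDrive1 and its Windows volume mounts as D:
#   - this runs from an elevated PowerShell prompt on the CLEAN machine
$SuspectDisk   = '\\.\PhysicalDrive1'
$SuspectWindir = 'D:\Windows'
$OutDir        = Join-Path $env:USERPROFILE 'Desktop\triage'
New-Item -ItemType Directory -Force -Path $OutDir | Out-Null

# --- 1. Dump sector 0 (the MBR) and check it -----------------------------------
# An MBR rootkit replaces the 446 bytes of boot code and leaves the partition
# table and the 0x55AA signature alone, so the PC still boots normally.
$fs  = New-Object System.IO.FileStream($SuspectDisk, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read)
$mbr = New-Object byte[] 512
$null = $fs.Read($mbr, 0, 512)
$fs.Close()
[System.IO.File]::WriteAllBytes((Join-Path $OutDir 'mbr.bin'), $mbr)   # keep a copy for later comparison

if ($mbr[510] -ne 0x55 -or $mbr[511] -ne 0xAA) {
    Write-Warning 'No 0x55AA signature: not a classic MBR disk, or sector 0 is damaged'
}
$sha1     = [System.Security.Cryptography.SHA1]::Create()
$bootHash = ([BitConverter]::ToString($sha1.ComputeHash($mbr, 0, 446))) -replace '-', ''
"Boot code SHA1: $bootHash (compare with sector 0 of a known-clean install of the same Windows version)"

# Four 16-byte partition entries start at offset 446. More than one active
# partition, or a type/start that does not match what Disk Management shows,
# is a sign the table has been tampered with.
0..3 | ForEach-Object {
    $e = 446 + 16 * $_
    $fields = @($_, $mbr[$e], $mbr[$e + 4],
                [BitConverter]::ToUInt32($mbr, $e + 8), [BitConverter]::ToUInt32($mbr, $e + 12))
    'partition {0}: active=0x{1:X2} type=0x{2:X2} lba_start={3} sectors={4}' -f $fields
}

# --- 2. Load the offline registry hives and list the common autorun spots -----
# This is regedit's File | Load Hive, scripted with reg.exe. The hive files
# must not be in use, which is exactly why this has to run from another machine
# (or a boot CD) and not on the infected system itself. Loading a hive writes
# to it (transaction logs), so image the disk first if you may need it as evidence.
$hives = @{
    'OFF_SOFTWARE' = Join-Path $SuspectWindir 'System32\config\SOFTWARE'
    'OFF_SYSTEM'   = Join-Path $SuspectWindir 'System32\config\SYSTEM'
}
foreach ($name in $hives.Keys) { & reg.exe load "HKLM\$name" $hives[$name] | Out-Null }

try {
    # HKLM\SYSTEM\Select\Current says which ControlSetNNN the box last booted
    # with, so look at that one rather than guessing ControlSet001.
    $current = (Get-ItemProperty 'HKLM:\OFF_SYSTEM\Select').Current
    $ccs     = 'HKLM:\OFF_SYSTEM\ControlSet{0:D3}' -f $current

    $autorunKeys = @(
        'HKLM:\OFF_SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\OFF_SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\OFF_SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',  # Shell, Userinit
        'HKLM:\OFF_SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'    # AppInit_DLLs
    )
    foreach ($key in $autorunKeys) {
        if (Test-Path $key) {
            "== $key"
            Get-ItemProperty $key | Select-Object -Property * -ExcludeProperty PS* | Format-List | Out-String
        }
    }

    # Services and kernel drivers: an ImagePath outside the Windows or Program
    # Files trees (temp folders, a user profile, a bare filename) is worth a look.
    "== Services/drivers with an ImagePath outside the usual locations"
    Get-ChildItem "$ccs\Services" | ForEach-Object {
        $p = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).ImagePath
        if ($p -and $p -notmatch '(?i)(\\SystemRoot\\|%SystemRoot%|System32\\|\\Windows\\|\\Program Files)') {
            '{0,-32} {1}' -f $_.PSChildName, $p
        }
    }
}
finally {
    # Always unload, or the hive files stay locked and the disk cannot be
    # removed cleanly.
    foreach ($name in $hives.Keys) { & reg.exe unload "HKLM\$name" | Out-Null }
}
```

The boot code hash on its own proves nothing; it is only useful next to the
hash of sector 0 from a clean machine installed from the same media, since
OEM and installer boot code differs. Autoruns also offers File | Analyze
Offline System, which walks the same autorun locations on an attached disk
without scripting, so the two can be used to cross-check each other.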

-----Original Message-----
From: dba-tech-bounces at databaseadvisors.com
[mailto:dba-tech-bounces at databaseadvisors.com] On Behalf Of Jim Lawrence
Sent: Monday, April 13, 2009 4:56 PM
To: 'Discussion of Hardware and Software issues'
Subject: Re: [dba-Tech] Generic MBR Rootkit and Vipre

Hi John:

I have run into an almost unstoppable virus/trojan. 

The system I have runs corporate Symantec, has run Malwarebytes, runs Vipre and
Spybot and still things are not acting normally. All the packages are
up-to-date, all have been run and no infection of any kind shows.

The only reason I know there are issues going on is that a command window
keeps popping up and disappearing and none of the browsers are working
right... they keep bouncing to odd sites at random... today's site of choice
is Sybase, though that site has never been accessed from that system.

Any ideas?

Jim

_______________________________________________
dba-Tech mailing list
dba-Tech at databaseadvisors.com
http://databaseadvisors.com/mailman/listinfo/dba-tech
Website: http://www.databaseadvisors.com
