> Rootkit.mbr.pihar.f (boot Image); Trojan.iframe.aip
sinbad
post Apr 10 2012, 11:00 PM
Post #1
Newbie
Group: Regular Bitdefender Poster
Posts: 12
Joined: 10-April 12
Member No.: 103,194

Re: Windows XP Pro, SP3

I upgraded from BD Antivirus 2009 to 2012. Without any scan, the first event BD 2012 detected was:

File: C
Action Taken: Deny
Date: April 10, 2012
Virus Name: Rootkit.MBR.Pihar.F (Boot image)

Other subsequent events showed that the Autoscan was being turned off and then on -- again and again.

I ran a deep system scan and it ran for about 5 minutes and then everything halted and poof, it gave me the blue screen of death with the usual message. I rebooted with the on/off switch into the last known configuration that worked, ran another deep system scan and no threats were detected.

First, what does “deny” mean? Who/what is denying what, and to whom?

Second, how do I get rid of the Rootkit virus?

Third, what is with the on/off of the Autoscan?

P.S. My problems started when BD AV 2009 detected a Trojan.Iframe.AIP virus that it was unable to disinfect -- some were deleted. The PC kept pinging me with the windows “asterisk” sound and it created 2,800 junk files in one of the Content.IE5 subdirectories, and hundreds of junk files in the other Content.IE5 subdirectories. Using Unlocker, I managed to delete most of these junk files – even as the virus was creating them right before my eyes, as fast as I could delete them. However, the pinging is still around and file creation seems to still be going on, but no more Iframe has been detected.

sinbad
post Apr 10 2012, 11:27 PM
Post #2
Newbie
Group: Regular Bitdefender Poster
Posts: 12
Joined: 10-April 12
Member No.: 103,194

I tried the 32 bit Bootkit removal tool mentioned above and it gave zero files cleaned from zero infected files. It has been tested on the *.A thru *.D, but not the *.F variant file.

sinbad
post Apr 11 2012, 12:05 AM
Post #3
Newbie
Group: Regular Bitdefender Poster
Posts: 12
Joined: 10-April 12
Member No.: 103,194

QUOTE (sinbad @ Apr 10 2012, 05:27 PM) *
I tried the 32 bit Bootkit removal tool mentioned above and it gave zero files cleaned from zero infected files. It has been tested on the *.A thru *.D, but not the *.F variant file.


Re: my Ticket ID:201204061029276

Is this the solution [except do for XP, not Vista]?

Restore the MBR (Master Boot Record) of your hard disk using the Windows CD.
The command that you need to run is: fixmbr
Full info is available here: http://helpdeskgeek.com/how-to/fix-mbr-xp-vista/

I saw where forum member "walkerbraces" did this and still had the Bootkit. He then ran a BDSYS log, but the BDSYS log I ran as the first suggestion gave me the blue screen of death.

This post has been edited by sinbad: Apr 11 2012, 12:09 AM

Christian
post Apr 11 2012, 12:28 AM
Post #4
Bitdefender Support
Group: Root Admin
Posts: 14,009
Joined: 27-January 08
From: BitDefender HQ
Member No.: 9,374

Hello

Welcome to the forums.

For the MBR infection, that is the solution, fix the MBR using the Windows CD.

It's the only way to do it and it's the safest.

Let me know if you have other questions.

Take care.
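An added check, not part of this thread or of Bitdefender's tooling: it parses a 512-byte MBR, verifies the boot signature and partition table, and compares a hash of the 446-byte boot code against a baseline recorded while the disk was known clean, which is the kind of evidence that answers the "is the bootkit actually gone?" question asked below. The MBR used here is constructed inline; on a real machine the same 512 bytes would be read from the physical drive, preferably from boot media or another OS, because a bootkit that hooks disk I/O can hand a clean-looking sector to the running system.

```python
import hashlib
import struct

# Partition entry layout: status, CHS start, type, CHS end, LBA start, sector count.
ENTRY_FMT = "<B3sB3sII"


def build_sample_mbr(boot_code: bytes = b"\x90" * 446) -> bytes:
    """Constructed sample MBR: placeholder boot code, one bootable NTFS
    partition at LBA 2048, three empty entries, 0x55AA signature."""
    entry = struct.pack(ENTRY_FMT, 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 2048, 409600)
    return boot_code + entry + b"\x00" * 48 + b"\x55\xaa"


def parse_mbr(sector: bytes) -> dict:
    """Return the boot-code hash, non-empty partition entries and signature state."""
    if len(sector) != 512:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        off = 446 + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        if ptype != 0:
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "lba_start": lba, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:446]).hexdigest(),
        "partitions": parts,
        "signature_ok": sector[510:512] == b"\x55\xaa",
    }


def check_mbr(sector: bytes, baseline_sha256: str) -> list:
    """Compare an MBR against a known-clean boot-code hash; empty list means no findings."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("boot code differs from recorded baseline")
    if sum(p["bootable"] for p in info["partitions"]) != 1:
        findings.append("expected exactly one bootable partition")
    return findings


if __name__ == "__main__":
    clean = build_sample_mbr()
    baseline = parse_mbr(clean)["boot_code_sha256"]
    # Simulate a bootkit that patched the first bytes of the boot code.
    tampered = b"\xeb\xfe" + clean[2:]
    print(check_mbr(clean, baseline))     # []
    print(check_mbr(tampered, baseline))  # ['boot code differs from recorded baseline']
```

A baseline taken right after fixmbr (or a fresh install) is what makes a later comparison meaningful; a hash alone says nothing without a known-good value to compare against.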

sinbad
post Apr 11 2012, 07:24 AM
Post #5
Newbie
Group: Regular Bitdefender Poster
Posts: 12
Joined: 10-April 12
Member No.: 103,194

QUOTE (Christian @ Apr 10 2012, 06:28 PM) *
Hello

Welcome to the forums.

For the MBR infection, that is the solution, fix the MBR using the Windows CD.

It's the only way to do it and it's the safest.

Let me know if you have other questions.

Take care.


Christian, so what action was taken by BD as described by the word "deny"?

Has BD made changes such that access to the offending file is now "denied" so that it no longer poses a threat?

OR...was BD "denied" access to the file, thereby preventing BD from doing any operations on the file, and it therefore continues as a threat?

The 2 blue screen tech infos mentioned Kdcom.dll and iAstor.sys. Do I need to safe-mode delete these files or what?

sinbad
post Apr 11 2012, 07:59 PM
Post #6
Newbie
Group: Regular Bitdefender Poster
Posts: 12
Joined: 10-April 12
Member No.: 103,194

Christian:

I disabled BD On Access Scanning and ran the tool

(http://www.malwarecity.com/blog/free-removal-tool-for-tdl4-available-now-1106.html)

and got no threats detected.

Earlier this morning I ran a scan on my "C:\Documents and Settings" directory and found one threat: "Gen:Variant.Zusy.Elzob.1758." I deleted this file. Afterwards, all my programs loaded promptly (they just "popped" open) and ran really fast without hanging up like in the past. My PC is now running faster than it ever has in the past!

Also, there is no more pinging of the Windows "asterisk" sound -- I think this meant that something was opening or some operation was executing.

Also I ran a scan on all my Content.ie5 subdirectories and found no threats. One of the subdirectories had over 3,000 junk files and I was able to delete these with the UNLOCKER program.

I just searched all the Content.IE5 subdirectories and no more junk files have been generated and they are all empty except for one index.dat file and one desktop.ini file.

I am going to now run a deep system scan.

QUESTION: Is RootKit.MBR.Pihar.F virus still a threat? Am I good to go?

Please advise.

sinbad
post Apr 11 2012, 09:44 PM
Post #7
Newbie
Group: Regular Bitdefender Poster
Posts: 12
Joined: 10-April 12
Member No.: 103,194

OK. I did a custom scan that included a target scan for Rootkits and a scan for Boot Sectors and no threats were detected.

I then learned that a deep system scan includes, by default, a Rootkit scan setting and I checked the log of such a scan done yesterday and the Rootkit target found no threats.

So does this mean that the virus Rootkit.MBR.Pihar.F has been deleted? If so then who/what deleted it and when?

Is there a record (log) of the deletion?

Christian
post Apr 13 2012, 06:51 PM
Post #8
Bitdefender Support
Group: Root Admin
Posts: 14,009
Joined: 27-January 08
From: BitDefender HQ
Member No.: 9,374

Hello

Welcome back.

In order to be able to assist you please run a Full System Scan task with Bitdefender and send us the resulting scan report.

[how to GENERATE A FULL SYSTEM SCAN LOG]
- Before running the scan please make sure that you have the latest virus definitions downloaded via the Update module. For this you need to open Bitdefender and from the main interface click on Update now;
- After the update process has completed successfully you can proceed to running the scan task. In the same window go to Antivirus and press the Scan now button => Full system scan.
- After the scan has finished you need to submit the scan log file. This is accomplished by running the Support tool file that can be downloaded from this location:

http://www.bitdefender.com/files/Knowledge...or_scanlogs.exe

Save the file prior to running it and to continue you need to accept the terms of use. At the end of this process an archive will be created on your Desktop starting with bdamst. Send me that file via PM.

Take care.

sinbad
post Apr 14 2012, 08:29 PM
Post #9
Newbie
Group: Regular Bitdefender Poster
Posts: 12
Joined: 10-April 12
Member No.: 103,194

QUOTE (Christian @ Apr 13 2012, 12:51 PM) *
Hello

Welcome back.

In order to be able to assist you please run a Full System Scan task with Bitdefender and send us the resulting scan report.

[how to GENERATE A FULL SYSTEM SCAN LOG]
- Before running the scan please make sure that you have the latest virus definitions downloaded via the Update module. For this you need to open Bitdefender and from the main interface click on Update now;
- After the update process has completed successfully you can proceed to running the scan task. In the same window go to Antivirus and press the Scan now button => Full system scan.
- After the scan has finished you need to submit the scan log file. This is accomplished by running the Support tool file that can be downloaded from this location:

http://www.bitdefender.com/files/Knowledge...or_scanlogs.exe

Save the file prior to running it and to continue you need to accept the terms of use. At the end of this process an archive will be created on your Desktop starting with bdamst. Send me that file via PM.

Take care.


Christian, all issues appear to have been resolved, and therefore there is no need to send a log file. My PC is running fast with no hang ups or blue screens like before. The virus "Rootkit.MBR.Pihar.F" has been eliminated per email from George Poienaru of your office, which is self-explanatory, copy enclosed below for your information. Thanks for all your help.

****************************
To: George Poienaru
Bitdefender Technical Support Engineer

Re: "DENY"

I respectfully suggest that you tell your developers to change the "Action Taken: Deny." That message is confusing and tells the user absolutely nothing about what action is taken. The user is left wondering whether or not he still has an infected system.

I suggest "Action Taken: will not be loaded and will be deleted on next boot." Or: "Deletion failed, but will be deleted on next reboot."

Or else put a help "balloon" that says: "Deny" means that BD was unable to delete the file, but that it will prevent the file from loading on the next reboot and it will then be deleted. No log will be created."

Sinbad

-----Original Message-----
From: BitDefender Customer Care [mailto:support@bitdefender.com]
Sent: Thursday, April 12, 2012 9:13 AM
To: Sinbad
Subject: Re: [Ticket ID:201204061029276] virus infection


Dear Sinbad,

Thank you for your interest in our security solution, Bitdefender.

Every time Bitdefender fails to remove an infected item it schedules the removal for the next boot, when the file is not loaded by the operating system.

Unfortunately these actions are not logged because the logging module is not loaded at boot.

Have a great day!

Best regards,
George Poienaru
Bitdefender Technical Support Engineer

Christian
post Apr 15 2012, 05:43 AM
Post #10
Bitdefender Support
Group: Root Admin
Posts: 14,009
Joined: 27-January 08
From: BitDefender HQ
Member No.: 9,374

Hello

This is great news. I am glad that the initial issue was resolved.

Let me know if you have other questions.

Take care.

sinbad
post Apr 15 2012, 11:47 PM
Post #11
Newbie
Group: Regular Bitdefender Poster
Posts: 12
Joined: 10-April 12
Member No.: 103,194

QUOTE (Christian @ Apr 14 2012, 11:43 PM) *
Hello

This is great news. I am glad that the initial issue was resolved.

Let me know if you have other questions.

Take care.

As I requested in my message: please tell the developers to consider changing and clarifying the "deny" message in order that the user will understand how Rootkits are detected and what action is taken.

Until then, may the Totemic Essence of the Dragon Wolf safeguard and watch over us all.


Christian
post Apr 17 2012, 08:12 AM
Post #12
Bitdefender Support
Group: Root Admin
Posts: 14,009
Joined: 27-January 08
From: BitDefender HQ
Member No.: 9,374

Hello

I will make a feature request regarding logs and actions on your behalf.

Thank you very much for your feedback.

Take care.