Comments on: I still like Avira http://www.nicholasoverstreet.com/2009/11/i-still-like-avira/ Computers are hard. Sat, 31 Jul 2010 05:10:12 +0000 hourly 1 http://wordpress.org/?v=abc By: Nick http://www.nicholasoverstreet.com/2009/11/i-still-like-avira/#comment-224 Nick Tue, 22 Dec 2009 14:11:22 +0000 http://www.nicholasoverstreet.com/?p=565#comment-224 Thanks for the comment Saltspring. Yes, that is the exact symptom of this rootkit. I have been seeing this A LOT lately. It's a nasty little rootkit. Some systems this rootkit infect will boot. If it can, I have found the latest version of combofix can clean this rootkit. Some infected systems will NOT boot and will just bluescreen, yup, even in safe mode. The only fix I know of is to pull the drive, hook it up to another computer, remove the infected file, and find a good copy of the file to replace it with. What I have done is search the whole hard drive for iaStor.sys. Usually you can find some archived copies from service pack installs and stuff. If you can, you need to find one that is the same size as the old. Delete the old, and copy over your newly-found clean one. Then put the drive back in and you should be able to boot once again. Once booted, be sure to run Malwarebytes to cleanup any other infections! Chances are if the machine got hit with this rootkit, there are other infections on the system that used the same injection vector as this rootkit. Happy virus hunting and good luck. Thanks for the comment Saltspring. Yes, that is the exact symptom of this rootkit.
I have been seeing this A LOT lately. It’s a nasty little rootkit.

Some systems this rootkit infect will boot. If it can, I have found the latest version of combofix can clean this rootkit. Some infected systems will NOT boot and will just bluescreen, yup, even in safe mode. The only fix I know of is to pull the drive, hook it up to another computer, remove the infected file, and find a good copy of the file to replace it with.
What I have done is search the whole hard drive for iaStor.sys. Usually you can find some archived copies from service pack installs and stuff. If you can, you need to find one that is the same size as the old. Delete the old, and copy over your newly-found clean one.
Then put the drive back in and you should be able to boot once again.

Once booted, be sure to run Malwarebytes to cleanup any other infections! Chances are if the machine got hit with this rootkit, there are other infections on the system that used the same injection vector as this rootkit.

Happy virus hunting and good luck.

]]> By: Saltspring http://www.nicholasoverstreet.com/2009/11/i-still-like-avira/#comment-223 Saltspring Tue, 22 Dec 2009 05:06:50 +0000 http://www.nicholasoverstreet.com/?p=565#comment-223 I have a Dell Dimension 8400 on the bench with a Stop 0x000007E error - as this particular Dell's BIOS defaults to an AHCI disk config, the infection of the iastor.sys file prevents the system from loading windows (safemode included) changing to ATA mode doesn't help (without a repair install at least). Avira found (but can't clean) the iastor.sys infection for me as well. Thought to leave this note for others searching for this issue. I have a Dell Dimension 8400 on the bench with a Stop 0x000007E error – as this particular Dell’s BIOS defaults to an AHCI disk config, the infection of the iastor.sys file prevents the system from loading windows (safemode included) changing to ATA mode doesn’t help (without a repair install at least).

Avira found (but can’t clean) the iastor.sys infection for me as well.

Thought to leave this note for others searching for this issue.

]]> By: Nick http://www.nicholasoverstreet.com/2009/11/i-still-like-avira/#comment-213 Nick Sun, 06 Dec 2009 02:33:22 +0000 http://www.nicholasoverstreet.com/?p=565#comment-213 Hmm... I haven't had any issues with ignore. I have it set to ignore a specific directory and that seems to work pretty good. Hmm… I haven’t had any issues with ignore. I have it set to ignore a specific directory and that seems to work pretty good.

]]> By: KrAzE http://www.nicholasoverstreet.com/2009/11/i-still-like-avira/#comment-212 KrAzE Sun, 06 Dec 2009 00:05:33 +0000 http://www.nicholasoverstreet.com/?p=565#comment-212 I am using Avira now per your recommendation here. I keep telling it to ignore this specific file I have, but it forgets after every boot... Unless this file gets regenerated on every boot. But it did find ONE trojan on my machine after being without antivirus for 5 months. I was hoping for 666 again. I am using Avira now per your recommendation here. I keep telling it to ignore this specific file I have, but it forgets after every boot… Unless this file gets regenerated on every boot.

But it did find ONE trojan on my machine after being without antivirus for 5 months. I was hoping for 666 again.

]]> By: Nick http://www.nicholasoverstreet.com/2009/11/i-still-like-avira/#comment-210 Nick Sat, 05 Dec 2009 20:11:32 +0000 http://www.nicholasoverstreet.com/?p=565#comment-210 I rescanned the file on VirusTotal.com again today out of boredom, and the new total is: Result: 20/41 (48.79%) I am actually very shocked it is not 100% There are some SHITTY antivirus engines out there! A virus is in the wild and weeks upon weeks later, Over half the engines this site tests with still aren't detecting it! Yikes! I'm glad Avira is one of the good ones who was updated with in a couple days of discovery. Here is a link to the latest report for anyone interested in seeing which engines suck balls: http://www.virustotal.com/analisis/01858e47e205d8acbb869ee4af9e764b41cc39427b7a0d8846bc65aba5646ee4-1260043611 It should surprise NO ONE that virus engines NOT detecting this virus include: Avast McAfee Symantec TrendMicro I rescanned the file on VirusTotal.com again today out of boredom, and the new total is:
Result: 20/41 (48.79%)
I am actually very shocked it is not 100%
There are some SHITTY antivirus engines out there! A virus is in the wild and weeks upon weeks later, Over half the engines this site tests with still aren’t detecting it! Yikes!
I’m glad Avira is one of the good ones who was updated with in a couple days of discovery.
Here is a link to the latest report for anyone interested in seeing which engines suck balls:
http://www.virustotal.com/analisis/01858e47e205d8acbb869ee4af9e764b41cc39427b7a0d8846bc65aba5646ee4-1260043611
It should surprise NO ONE that virus engines NOT detecting this virus include:
Avast
McAfee
Symantec
TrendMicro

]]>