Endpoint Protection


Help With Virus Removal

  • 1.  Help With Virus Removal

    Posted Jul 30, 2009 10:09 AM
    Currently we are suffering from the viruses Hacktool.Rootkit and W32.IRCbot. These files have infected a couple of database servers of ours. The anti-virus is up to date and seems to be running smoothly, and it catches the viruses and tries to clean/delete the files, but they keep returning. These servers have to be up and running night and day with little to no down time. Is there any solution to permanently removing these viruses without having to bring down the servers?


  • 2.  RE: Help With Virus Removal

    Posted Jul 30, 2009 10:37 AM
    I presume that the auto-protect is detecting the IRC Bot; if this is the case, could you tell the original location of the file..


  • 3.  RE: Help With Virus Removal

    Posted Jul 30, 2009 10:48 AM
    The IRC bot is in the c:\windows\system32 folder and the file that's being detected is the msdtc.exe file. As for the hacktool.rootkit, it is located in the c:\windows\system32\drivers folder and it spans multiple executable files.


  • 4.  RE: Help With Virus Removal

    Posted Jul 30, 2009 10:57 AM
    In this situation you might need to reboot the server in safe mode.. the reason is very simple: even if Symantec detects it, it will not be able to delete it as it would be running.

    - Go to the link mentioned below, download the latest Rapid Release, install it, and do a full scan in safe mode.

    http://www.symantec.com/business/security_response/definitions/download/detail.jsp?gid=rr


  • 5.  RE: Help With Virus Removal

    Posted Jul 30, 2009 10:57 AM

    What antivirus release are you using now?



  • 6.  RE: Help With Virus Removal

    Posted Jul 30, 2009 11:09 AM
    We've tried that over the weekend and it was unsuccessful. Not long after we rebooted it back to normal it detected the hacktool and later that day found the IRC bot again.


  • 7.  RE: Help With Virus Removal

    Posted Jul 30, 2009 11:11 AM
    Chances are for the MSDTC (Microsoft Distributed Transaction Coordinator) file, any AV will have a heck of a time trying to clean it.
    Do you keep frequently updated servers, configured the same way?  Meaning, do you distribute via WSUS or anything else like that all the updates to all your systems simultaneously?

    The problem will likely be that, because this .exe is generally always in use by the system, it may be hard to "replace".
    Would it be possible in any way for you to:

    - Remove the harddrive from the machine and boot it as a slave into a different machine, to allow for replacing (overwrite the infected file) by a known clean file from a different server of the same patching/updates
    - Boot from a Linux system, mount the filesystem and replace the existing bad file, same as above.
    - Boot in safe mode, command line, no networking, and replace the file from a command prompt.
    * * * * 
    That will get rid of the IRC bot.
    * * * * *
    In any of the scenarios presented above, you should equally be able to remove the infected .exe files from the ..\drivers folder as well.  Validate the driver files themselves beforehand, as you will possibly need to reinstall certain drivers for functions on the system.

    After completing these steps the system will likely encounter some errors, which will need to be fixed/patched manually...


  • 8.  RE: Help With Virus Removal

    Posted Jul 30, 2009 11:16 AM
    I would suggest you contact tech support.. Get the loadpoint utility and run it. This utility will generate some logs; get these logs reviewed.


  • 9.  RE: Help With Virus Removal

    Posted Jul 30, 2009 11:20 AM

    We may be able to replace the msdtc file this weekend and bring down the server in safe mode for that, but as far as the hacktool goes, it seems to be either installing or infecting random .exe files in the \drivers folder. I'm not sure how this virus works exactly, whether it infects already created .exe files or creates its own files within the folder. The main concern right now is the hacktool because it seems to be spreading from one server to another; we currently have 4 servers with the hacktool and just one database server infected by the IRC bot.



  • 10.  RE: Help With Virus Removal

    Posted Jul 30, 2009 12:02 PM
    Check your C: drive for an autorun.inf file, generally a culprit if rebooting and removing is returning the bug.
    Also worth checking in your registry:
    \HKLM\software\Microsoft\Windows\CurrentVersion\Run
    \HKLM\software\Microsoft\Windows\CurrentVersion\RunOnce
    \HKLM\software\Microsoft\Windows\CurrentVersion\RunEx

    For entries "that should not be".
    * * * * * * * * *

    How long have you been struggling with this bug?
    You could also try doing a scan for "all files" modified in Windows\* since [date of first occurrence].

    That might give you an idea of what bugger is exploited.

    You may also want to check out Process Explorer, which can break down things like SCVHOST.EXE and the like and tell you what is being activated to call the bug to keep coming back.

    Sounds like you may have a crafty one on your hands...
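    The checks suggested in posts 7 and 10 (validating the driver files against a known-clean server of the same patch level, looking at the Run keys, checking for an autorun.inf, and listing files modified since the first detection), collected into one defensive triage script. This is an added example, not code posted in the thread and not a Symantec tool; the reference CSV path, the clean server's share, and the first-detection date are assumptions, and the RunOnceEx key is included under its standard name alongside the Run and RunOnce keys the post lists. It is written for Windows PowerShell 2.0 of the era, so it hashes with .NET classes rather than Get-FileHash.

```powershell
# Added triage example (not from the thread). Run as an administrator.
# Defensive checks only: nothing here deletes or modifies files.

function Get-AutostartEntries {
    # Run and RunOnce are the keys named in the post; RunOnceEx is the
    # standard third autostart key under the same parent.
    $keys = 'Run', 'RunOnce', 'RunOnceEx' | ForEach-Object {
        "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\$_"
    }
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own PS* metadata
            New-Object PSObject -Property @{ Key = $key; Name = $p.Name; Command = $p.Value }
        }
    }
}

function Test-AutorunInf {
    # autorun.inf at the root of every fixed disk (DriveType 3), as suggested above.
    Get-WmiObject Win32_LogicalDisk -Filter "DriveType=3" | ForEach-Object {
        $path = Join-Path $_.DeviceID 'autorun.inf'
        if (Test-Path $path) { Get-Item -Force $path }
    }
}

function Get-RecentlyModified {
    # "All files modified in Windows\* since the date of first occurrence."
    param([datetime]$Since, [string]$Root = $env:SystemRoot)
    Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $_.LastWriteTime -ge $Since } |
        Sort-Object LastWriteTime |
        Select-Object LastWriteTime, Length, FullName
}

function Get-FileSha256 {
    # .NET hashing so the script also works on PowerShell 2.0 (no Get-FileHash).
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        $stream = [System.IO.File]::OpenRead($Path)
        try { ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join '' }
        finally { $stream.Close() }
    } catch { 'UNREADABLE' }   # locked or access-denied file: report rather than abort
}

function Export-DriverHashes {
    # Run this on the KNOWN-CLEAN server of the same build and patch level.
    param([string]$OutFile)
    Get-ChildItem "$env:SystemRoot\system32\drivers" -Force |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            New-Object PSObject -Property @{ Name = $_.Name; Sha256 = (Get-FileSha256 $_.FullName) }
        } | Export-Csv -NoTypeInformation -Path $OutFile
}

function Compare-DriverHashes {
    # Run this on the SUSPECT server; reports drivers that differ from or are
    # absent in the clean reference, which is exactly what to validate before
    # replacing files as post 7 recommends.
    param([string]$ReferenceCsv)
    $ref = @{}
    Import-Csv $ReferenceCsv | ForEach-Object { $ref[$_.Name] = $_.Sha256 }
    Get-ChildItem "$env:SystemRoot\system32\drivers" -Force |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $h = Get-FileSha256 $_.FullName
            $status = if (-not $ref.ContainsKey($_.Name)) { 'NOT-IN-REFERENCE' }
                      elseif ($ref[$_.Name] -ne $h)        { 'HASH-MISMATCH' }
                      else                                  { 'ok' }
            if ($status -ne 'ok') {
                New-Object PSObject -Property @{
                    Name = $_.Name; Status = $status; LastWrite = $_.LastWriteTime; Sha256 = $h
                }
            }
        }
}

# Example usage (all paths and dates are assumptions, not values from the thread):
# Get-AutostartEntries | Format-Table -AutoSize
# Test-AutorunInf
# Get-RecentlyModified -Since '2009-07-20' | Format-Table -AutoSize
# Export-DriverHashes -OutFile \\CLEANSERVER\triage\drivers.csv     # on the clean server
# Compare-DriverHashes -ReferenceCsv \\CLEANSERVER\triage\drivers.csv # on the suspect server
```

    Files the comparison flags as NOT-IN-REFERENCE are the candidates for "creates its own files within the folder", and HASH-MISMATCH entries for "infects already created .exe files"; together with the autostart entries and the recently modified list, that separates the two cases the thread is unsure about before any file is touched.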



  • 11.  RE: Help With Virus Removal

    Posted Jul 30, 2009 12:19 PM
    One thing I forgot to note, now that you mention the scvhost, is that since we've been getting the hacktool we get an error at startup saying that the scvhost cannot locate the dynamic link library gdiplus.dll. Not sure how or if they are related. Also, on one of the servers on startup I get a message stating that one or more drivers failed to start, and that makes me wonder since the hacktool is affecting the drivers folder of the windows system32 folder.

    Let me check the registry and look into that Process Explorer. I've used that before, so hopefully that will give me some insight on what's going on.