Security Basics mailing list archives
AV removal malware
From: SMiller () unimin com
Date: Fri, 5 Sep 2003 17:06:20 -0400
I'm working on a machine that has boot problems (20+ minutes for a Win2K "normal" boot; both safe modes freeze). When the machine finally booted I saw that our AV product (eTrust 6) was gone. And I don't mean non-functional, I mean vanished. No entries in Add/Remove Programs, no folders or files remain under Program Files or anywhere else I've looked. I didn't get a chance to examine the registry before I rebooted; I will do so Monday (when I will also examine bootlog.txt).

My question is whether anyone here has run into an infection that attempts to remove antivirus products that is this effective and polished. The few of those that I have seen close up have merely made crude and generally unsuccessful attempts to mess with registry keys. I suspect that the user or someone else with access to the machine actually removed the eTrust product, after which the machine may have become infected. Event Viewer no longer works, which also doesn't help forensics.

Thoughts?

Scott Miller
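Added example, not part of the original post: a small Python triage script for the bootlog.txt the poster plans to review. It parses the "Loaded driver" / "Did not load driver" lines Windows 2000 writes when boot logging is enabled and distinguishes an expected driver that is absent from the log entirely (what a clean uninstall would look like) from one that is still registered but failed to load (its file damaged or deleted). The sample log and the PLACEHOLDER_AV_*.SYS names are constructed assumptions; substitute the real eTrust driver file names.

```python
"""Triage a Windows 2000 boot log (ntbtlog.txt / bootlog.txt) for missing AV drivers.

Added example; not from the original post. The driver names below are
placeholders (assumption) and the sample log is constructed.
"""
import re
from typing import Dict, List, Set

# Constructed sample in the format Win2K writes with the "Boot Logging" startup
# option: one "Loaded driver ..." or "Did not load driver ..." line per driver.
SAMPLE_BOOTLOG = """\
Service Pack 4  9  8 2003 08:12:41.500
Loaded driver \\WINNT\\System32\\ntoskrnl.exe
Loaded driver \\WINNT\\System32\\hal.dll
Loaded driver \\WINNT\\System32\\Drivers\\ACPI.sys
Did not load driver \\SystemRoot\\System32\\Drivers\\Cdaudio.SYS
Loaded driver \\SystemRoot\\System32\\Drivers\\Null.SYS
Did not load driver \\SystemRoot\\System32\\Drivers\\PLACEHOLDER_AV_RT.SYS
"""

LINE_RE = re.compile(r"^(Loaded driver|Did not load driver)\s+(.+?)\s*$")


def parse_bootlog(text: str) -> Dict[str, List[str]]:
    """Return {'loaded': [...], 'failed': [...]} of driver file names, lower-cased."""
    result: Dict[str, List[str]] = {"loaded": [], "failed": []}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header line or unrelated text
        name = m.group(2).replace("/", "\\").rsplit("\\", 1)[-1].lower()
        key = "loaded" if m.group(1) == "Loaded driver" else "failed"
        result[key].append(name)
    return result


def check_expected_drivers(text: str, expected: Set[str]) -> Dict[str, List[str]]:
    """Classify each expected driver: loaded, failed (listed but not loaded) or absent (no entry)."""
    parsed = parse_bootlog(text)
    loaded, failed = set(parsed["loaded"]), set(parsed["failed"])
    verdict: Dict[str, List[str]] = {"loaded": [], "failed": [], "absent": []}
    for drv in sorted(d.lower() for d in expected):
        if drv in loaded:
            verdict["loaded"].append(drv)
        elif drv in failed:
            verdict["failed"].append(drv)
        else:
            verdict["absent"].append(drv)  # no trace at all: uninstalled or unregistered
    return verdict


if __name__ == "__main__":
    # Placeholder AV driver names (assumption); replace with the real product's drivers.
    print(check_expected_drivers(SAMPLE_BOOTLOG, {"PLACEHOLDER_AV_RT.SYS", "PLACEHOLDER_AV_FILTER.SYS"}))
```

An "absent" verdict for every AV driver, with no Add/Remove entry either, points to a deliberate uninstall rather than a corrupted install, which is the distinction the poster is trying to make.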