Comments on: KB2506014 kills TDL4 on x64 News, Views, and Insight from the ESET Security Community Mon, 03 Feb 2014 08:49:00 +0000 hourly 1 By: David Harley Fri, 31 Aug 2012 23:31:30 +0000 Hi, Kristy. What version of Windows are you running?

By: Kristy Morrill Fri, 31 Aug 2012 22:37:33 +0000 Had a nasty ecperience 2 days ago with Trend Micro Titanium Premium and rude tech help with no help at all: I was loaded with virus, trojans, mrb, etc and had to change to kaspersky Pure 2 after extensive help from to get rid of malware and more.
My PC shows an Action Center flag for update required : KB2506014. I chose the download for WIN 7 x64bit for PC and it states " I already have it" but I do not. 2nd try it states it is "incompatible with my system".
Could another trijan or malware be blocking it?

By: David Harley Wed, 16 May 2012 05:23:10 +0000 If I understand your questions correctly… A redirect isn’t something that happens on your PC (unless you’re talking about some form of DNS poisoning, where malware modifies your system to control which sites your browser or other software can access). It can be a legitimate function of code on the server, or built into malware that downloads other malware in order to make it harder to detect.

Some AV functionality will actually be hampered if you disconnect, depending on the AV you’re using. Temporary files written by the system or running apps aren’t usually a problem unless you’re in the process of inadvertently installing something malicious. In which case you’re really relying on your on-access scanning to protect you by checking code as it executes, not an on-demand scan of the whole system.

By: Josh Thu, 10 May 2012 20:17:51 +0000 do|JJust how can browser redirects operate? Are these really a virus or does an individual manually edit a record on your pc to direct the browser to a different web page? I’m not technical enough to know how someone could do this with a virus. Do you kno

Would you recommend disconnecting your Internet connection while running an antivirus scan? The reason I ask is temporary files are regularly being written to when browsing the Web. It’s really feasible that something will get skipped in the scan unless you disconnect your connection?

By: David Harley Sat, 15 Oct 2011 12:16:40 +0000 I’m afraid I wouldn’t feel comfortable answering that question without a lot more information, and we really can’t offer one-to-one support through this blog. Apart from anything else, the bloggers here aren’t support specialists. You may be able to get better help via the support tab on the main web page, but I think you need help identifying the problem. Wiping the first sectors without knowing what the problem is could actually make it worse.

By: Misha Sat, 15 Oct 2011 12:02:12 +0000 Would you please let me know of the exact command to use to wipe the first sectors of a disk.There are discrepancies in the begining and end sectors of my disk.I don't think it is a hardware problem because it is happening to more than just one pc and I can only find the "FIXMBR" and "FIXBOOT" commands when I search online. Both my notebooks appear to be still infected after wiping them with different utilities as if they are write protected.                                                         Thank you for your help and time.

By: MariaCristina Thu, 30 Jun 2011 22:46:59 +0000 Hello, David. Thanks for your response.
About Aryeh Goretsky's words, I'll assume that even formatting the disk, the MBR must be rewritten to ensure that any piece of code has not be left behind.

By: David Harley Fri, 17 Jun 2011 08:35:59 +0000 MariaCristina, I’ll take the last question first. I think it would be seriously odd for malware to modify an MBR at random, but it might try to modify every MBR it can find on a system.

I wouldn’t use anything with an /MBR parameter for generic malware removal: if a good security program detects it, the chances are it will remove it properly, and if there’s a problem, you should be able to get help from the vendor. If malware messes about with the MBR, there’s a chance that replacing it will cause direct damage. Aryeh Goretsky, who knows MS internals much better than I do and has the certs to prove it, says this:

‘I think FIXBOOT (for a disk volume’s boot sector) and FIXMBR (for the
master boot record of a hard disk’s partition) replaced “FDISK /MBR”
sometimein the XP timeframe. I’m thinking that if a disk was infected
by a bootkit, I’d probably wipe the first sector of the disk before
repartitioning it just to be sure. This can be done via the command
line DISKPART utility.’

‘Of course, that assumes a wipe of the disk. A “FIXMBR” is probably a
better approach if they want to keep anything that’s on it.’


By: MariaCristina Tue, 07 Jun 2011 07:13:08 +0000 Hello.
I am member of an antimalware comunity and I use to help people to remove nasty infections through a forum support. I wish to ask you two things I ever wanted to know from a trusted source: is the malicious MBR code successfully removed by formatting the hard drive? And, the second one: in the event an user have two or more hard drives, will the bootkit install its MBR code in any of hard drives aleatory, or does it needs to be the one which loads the OS?
Thanks in advance.