I'm a beta member of the ImgBurn forum. Lately there have been a lot of reports of a virus/malware that makes the installed CD-ROM devices (like burners) invisible to Windows and to programs like ImgBurn (www.imgburn.com). MBAM doesn't detect it.
This is what the author posted about this virus.
I stuck it on a laptop and had a little play around with a few tools to see what could detect it and remove it.
All my tests were performed with the virus already on the system. (So those apps that couldn't detect it *might* have stopped me from installing it in the first place had they been installed/enabled.)
GMER picks up on the service it uses to cloak everything else. You can disable the service (via the context menu), reboot and then delete it. ImgBurn works just fine after that.
avast AntiVirus finds it ok and recommends a boot time (like where boot time defrag or chkdsk normally run) virus scan - where it can (and does) then remove the bad files. It doesn't clean up the service entry in the registry - but that's not a real problem because the file no longer exists and so can't do any harm.
Dr.Web CureIt! doesn't see it (I could have sworn someone said it did!) - or at least not the particular variant I'd infected my machine with. It does appear to be able to scan the entire hdd though.
Symantec Endpoint 11 MR4 MP2 (latest at this time) doesn't see it. The full scan doesn't even work properly because it can't open the drive and scan the files - although it doesn't tell you about that! I only know that's what's happening because it says 'scan complete' having supposedly looked at 725 files or so - obviously there are far more than that on a C:\ !
MBAM doesn't see it.
RootRepeal finds a hidden driver (flagged in red), hidden files, stealth and a hidden service. I didn't manage to find a way to actually remove them with it though. You click wipe / force delete and it doesn't appear to do anything - scan again and they're still there.
So basically, out of that lot, the only ones that are really any use are GMER and avast. If the virus checked its own service (to see if it was enabled / disabled), I'm sure GMER would only be as useful as RootRepeal (i.e. to tell you there's a problem). I say this because the virus could very easily just re-enable the service again.
Sometimes the only way to get rid of these things is to know their names and remove them when they can't possibly be running - i.e. use Hiren's boot CD and Paragon Mount Anything to delete them outside of Windows (or at boot time like avast - although that might not work 100% of the time if the virus is really low level). You could also hook the hdd up to another machine. You have to be careful with that though because some of the viruses put an autorun.inf file in the root of the drive, which would then install the virus on the clean machine as soon as the drive is connected.
I've attached the virus in a zip file for anyone that wants to have a mess around themselves to see if their AV can pick it up/remove it once it's installed.
The zip file password is: Infected
[Attachment: 090609a.png]
Examples from programs that detect it:
[Attachment: 090609b.png]
[Attachment: 090609d.png]
This is when the virus is removed:
[Attachment: 090609c.png]
[Attachment: virus.zip]
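As an added example (not code from the forum post, from ImgBurn or from any of the tools named above), the following Windows PowerShell script does, read-only, the three checks the tests above point at: it compares the service entries in the registry against what the Service Control Manager enumerates (a cloaked service shows up as a discrepancy, which is the kind of thing GMER and RootRepeal flag), it lists entries whose ImagePath no longer exists (the orphaned registry entry avast leaves behind after deleting the file), and it reports whether AutoRun is disabled for every drive type (the autorun.inf risk when an infected disk is attached to a clean machine). The function names are my own; it assumes an elevated Windows PowerShell 5.1 session on the machine being examined.

```powershell
# Added example, not code from the forum post or from ImgBurn. Assumes an elevated
# Windows PowerShell 5.1 session. Read-only: it reports, it never deletes anything.

# Turn the many forms an ImagePath value takes into a plain file path we can test.
function Resolve-ImagePath {
    param([string]$ImagePath)
    if ([string]::IsNullOrWhiteSpace($ImagePath)) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath.Trim())
    if ($p.StartsWith('"')) {
        # "C:\Program Files\x.exe" -arg  ->  C:\Program Files\x.exe
        $end = $p.IndexOf('"', 1)
        $p = if ($end -gt 1) { $p.Substring(1, $end - 1) } else { $p.Trim('"') }
    } else {
        # C:\Windows\system32\svchost.exe -k netsvcs  ->  C:\Windows\system32\svchost.exe
        $m = [regex]::Match($p, '^(.+?\.(exe|sys|dll))(\s|$)', 'IgnoreCase')
        if ($m.Success) { $p = $m.Groups[1].Value }
    }
    switch -Regex ($p) {
        '^\\\?\?\\'       { $p = $p.Substring(4); break }                           # \??\C:\...
        '^\\SystemRoot\\' { $p = Join-Path $env:SystemRoot $p.Substring(12); break } # \SystemRoot\system32\...
        '^system32\\'     { $p = Join-Path $env:SystemRoot $p; break }              # system32\drivers\x.sys
    }
    return $p
}

# Flag registry service entries that the SCM does not enumerate (possible cloaking)
# or whose ImagePath points at a file that no longer exists (orphaned entry).
function Get-SuspiciousServiceEntries {
    $known = @{}
    Get-Service -ErrorAction SilentlyContinue | ForEach-Object { $known[$_.Name] = $true }
    Get-CimInstance Win32_SystemDriver       | ForEach-Object { $known[$_.Name] = $true }

    $regRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($key in Get-ChildItem -Path $regRoot) {
        $props = Get-ItemProperty -Path $key.PSPath
        $type  = [int]$props.Type
        # Only drivers (0x1, 0x2) and Win32 services (0x10, 0x20) are SCM-managed objects.
        if (-not ($type -band 0x33)) { continue }

        $name    = $key.PSChildName
        $image   = Resolve-ImagePath $props.ImagePath
        $reasons = @()
        if (-not $known.ContainsKey($name)) { $reasons += 'in registry but not enumerated by SCM' }
        if ($image -and -not (Test-Path -LiteralPath $image)) { $reasons += "ImagePath missing: $image" }
        if ($reasons) {
            [PSCustomObject]@{
                Service   = $name
                Type      = ('0x{0:X}' -f $type)
                Start     = $props.Start
                ImagePath = $props.ImagePath
                Reason    = ($reasons -join '; ')
            }
        }
    }
}

# 0xFF in NoDriveTypeAutoRun disables AutoRun for every drive type, which is what stops
# an autorun.inf on an infected disk from running when it is attached to a clean PC.
# Only the machine-wide (HKLM) policy location is checked here.
function Test-AutoRunDisabled {
    $policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $item = Get-ItemProperty -Path $policy -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.NoDriveTypeAutoRun -eq 0xFF)
}

Get-SuspiciousServiceEntries | Format-Table -AutoSize
if (-not (Test-AutoRunDisabled)) {
    Write-Warning 'AutoRun is not disabled for all drive types (NoDriveTypeAutoRun != 0xFF).'
}
```

Treat the output as a list of things to look at, not a verdict: a few benign entries (stale leftovers from uninstalled software, driver packages registered but never loaded) will show up on most machines, and a rootkit that filters the registry API from the kernel hides from this script just as it hides from Explorer, which is why the post's point about checking from outside Windows (a boot CD, or the disk mounted on another machine with AutoRun off) still stands. The script is also the quick way to confirm the situation described for avast: after the boot-time scan the service key should appear with "ImagePath missing", and nothing else.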