Hi Frederick,
I know I'm a bit late for the "party" ;), but I'm not sure if you have contacted
Faronics - the company that publishes DeepFreeze.
http://www.faronics.com/html/deepfreeze.asp
According to the website, the operating system is 100% recoverable.
http://www.faronics.com/html/DFFeatures.asp
So, maybe you could contact support: http://www.faronics.com/html/support.asp
Surely the school must have some kind of agreement with Faronics.
It might also be important for the company to know that DeepFreeze might be
susceptible to corruption.
Mind you, the corruption might come from the inside - meaning a clever, albeit
malicious, student?
For what it's worth, there is an extensive analysis on the malware you're describing:
http://www.malwareanalysis.org/10556404df39b6a51cf42f46b071c655-mh-exe-t98.html
It gives a lot of info regarding locations of the malware.
Hope this helps.
Peter E.
-------- Original Message --------
Subject: [PCSOFT] Virus could intrude Deep Freeze?
From: Frederick Navarro <[log in to unmask]>
To: [log in to unmask]
Date: 22-Nov-2008 8:31:27 AM
I don't know what happened. But several PCs in our school are infected by the
hbkernel virus, and the thing here is all of the computers were running with
Deep Freeze for more than 2 years without any problems, and never had
they been THAWED. It is really a nuisance because the virus eats up the
CPU usage, causing others to hang (MS Office applications, etc.), and even
changing an IP address takes up to 5 minutes (which means the system is
really very busy). Has anybody experienced this?
I could say that it's hbkernel.sys, because I saw it under the Run entry for
HKLM->Software->Microsoft->Windows->CurrentVersion->Run, and doing some
research about the virus, some websites say that it is some malware or
spyware type.
We even tried setting the computers in THAWED mode without network
connectivity (to ensure no external connection), removed the entry from
the registry, and used ComboFix and SuperAntiSpyware to scan the whole
drive. But sad to say, after rebooting and setting it back again to FREEZE
mode, the entry came back in the registry.
PCSOFT's List Owners:
Bob Wright <[log in to unmask]>
Mark Rode <[log in to unmask]>