Otacon
Aug 13, 2002


TekLok posted:

Yes, this loving thing.

Is there anything out there besides Malwarebytes and superantispyware that gets rid of it as of yet? My toolkit is lacking.

My Toolkit lately has included 4 pieces of software:

1. ComboFix
2. Malwarebytes/SuperANTIspyware
3. CCleaner

That seems to fix 98% of the things I come across at my job. One client had a particularly bad rootkit like the ones above - it would not let me install any of these tools. I had to take the drive out and scan using another machine.

With these 4 tools, you can do no wrong.


Otacon
Aug 13, 2002


A while back I remember having a jpg file that instantly crashed explorer.exe when you viewed the folder it was contained in. If you put it on the desktop, it would crash explorer constantly. If you viewed it in any browser, it would instantly cause an overflow and your system would bluescreen unless you closed it through Procman. I wonder if I saved it...

EDIT Found it. It no longer crashes explorer, but it does cause iexplorer to jump to over 500mb RAM, and firefox to 791mb! Interesting.

Otacon fucked around with this message at 13:00 on Dec 17, 2008

Otacon
Aug 13, 2002


Varkas posted:

Has anyone gotten a virus that seems to block internet connections to specific known anti-virus/anti-spyware sites, and also seems to inhibit such installed programs from actually running?

I started noticing pop-ups this morning, so I ran AVG and picked up some stuff, rebooted. I wanted to follow up with Spybot, but now nothing happens when I try to start it up. If I go out and search for it on google, I seem to get redirected to bogus crap now. While I keep my important install executables on hand, reinstalling doesn't seem to help.

AVG still seems to be able to scan and pick up threats, but it's not able to connect for updates suddenly.

Edit - I'm going to try some of the other tools mentioned. Thankfully I've got my laptop and a thumb drive to get the apps over. Only concern though might be getting the updates.

Sounds like a rootkit, to be honest. The ones I've dealt with in the past wouldn't let me load up any cleaners, and changed some entries in HOSTS that redirected me to other sites when I tried to download fresh copies. I haven't tried it, but give that GMER a try, or RootkitRevealer, see what pops up.

Otacon
Aug 13, 2002


Hillridge posted:

Something weird is still going on here.

I just did a google search for Scene It: Box Office Smash

I clicked the first link, which should be this:
http://www.xbox.com/en-US/games/s/sceneitbos

Instead it took me to here:

http://www.shopica.com/search.php?q=office


I hit back and clicked it again and it went to the right site. I did a scan in safemode using malwarebytes a day ago and it found nothing. Should I just throw some more programs at it and see what turns up?

Take a trip to C:\windows\system32\drivers\etc, and open the HOSTS file in notepad. See if there's anything in there, other than the default which would be:
code:
127.0.0.1       localhost
Sometimes, a virus will rewrite things in this file. This is always the first thing I check when I have anything to do with sitejacking.

EDIT: You might need to check permissions on HOSTS, sometimes it is write protected. If there's anything in there in addition to localhost, delete those lines, save, and write protect the file.

Otacon
Aug 13, 2002


highme posted:

After reading this thread I downloaded Malwarebytes, Superantispyware, Combofix & Avira. I haven't yet installed Combofix, but Avira keeps popping up an alert saying that my copy of Combofix.exe is a Trojan. I believe I dl'd it from bleepingcomputer.com. Is this a known issue or did I trust the wrong google result?

Combofix isn't something you install - it's for wiping out viruses and shitware. It WILL be detected as a virus, and this is normal. Just keep it on a flash drive, and only run it when your system is hosed.

Bleepingcomputer is their main site. The reason it returns as a virus is because of the heuristics built in. Don't worry about it.

Otacon
Aug 13, 2002


I read something from Reddit a couple nights ago that I can't find anymore.

Some hackers have figured out how to use other sites' redirect pages against us.

The example I remember (which is now patched) was that Microsoft has a redirect page, that tells you "You are now leaving Microsoft.com, we are not responsible for the content on this linked page, etc etc etc". These hackers have used this redirect against them by posting blog comments that read "http://www.microsoft.com/redirect/www.malwaresite.com/?frooty+loops+6+download"

Now, when someone searches Google for "frooty loops 6 download" Google returns the biggest site results - most notably, microsoft.com. Clicking that link will then forward the user to Malwaresite.com, which seems to be able to load up some real-looking virus alerts, which users stupidly click on and download something.

Microsoft patched it, but a number of other sites still have their old redirect pages not secured.

Be careful Googling, folks.
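The redirect abuse described in the post above comes down to a "you are now leaving" page that forwards to whatever destination it is handed. The following is an added example, not code from the thread or from any site it mentions: the weak substring check that lets the trick through, beside a hardened version that decides on the parsed hostname against an allowlist and resolves relative paths against the site's own origin. OUR_ORIGIN, TRUSTED_HOSTS and the function names are assumptions for illustration.

```python
"""Open-redirect check: the weak pattern beside a hardened one.

Added example, not code from the thread or from any site it mentions.
OUR_ORIGIN, TRUSTED_HOSTS and the function names are assumptions.
"""
from urllib.parse import urljoin, urlsplit

OUR_ORIGIN = "https://www.example.com/"              # assumption
TRUSTED_HOSTS = {"www.example.com", "example.com"}    # assumption


def naive_redirect_ok(target):
    """The vulnerable pattern: accept any string that mentions our domain.

    Passes "http://evil.test/?ref=example.com", which is exactly the abuse
    the post describes: the real site's name is in the URL, so the check
    is happy, and the user ends up on the attacker's page.
    """
    return "example.com" in target


def safe_redirect_target(target, trusted_hosts=TRUSTED_HOSTS, fallback="/"):
    """Return a URL that is safe to forward to, or `fallback` if it is not ours.

    Rejects foreign absolute URLs, protocol-relative //host paths, userinfo
    tricks (https://example.com@evil.test), lookalike hosts
    (example.com.evil.test), non-http schemes, and any backslash, which
    browsers treat as a slash but Python's parser does not.
    """
    if "\\" in target or any(c in target for c in "\r\n\t"):
        return fallback
    try:
        parts = urlsplit(target)
    except ValueError:                      # e.g. malformed IPv6 literal
        return fallback
    if parts.scheme or parts.netloc:
        # Absolute (or protocol-relative) URL: only our own hosts may pass.
        if parts.scheme not in ("http", "https") or not parts.netloc:
            return fallback
        host = (parts.hostname or "").lower()   # strips userinfo and port
        if host not in trusted_hosts:
            return fallback
        return target
    # Relative reference: resolve against our origin so it cannot escape it.
    return urljoin(OUR_ORIGIN, target)
```

The point of the backslash and userinfo cases is that a URL parser and a browser disagree on where the hostname ends; checking the parsed host is only safe once the inputs a browser would read differently have been thrown out.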

Otacon
Aug 13, 2002


Most of the time now, the hardest part about killing Spyware is getting the stupid computer to boot into Windows. Our shop sees a lot of BSODs and black screens on boot, and Safe Mode isn't even a sure fire way past that trash. But once you're on the desktop, those viruses and spyware will be gone soon.

Otacon
Aug 13, 2002


Oh boy, interesting day at the office.

Sony Vaio laptop, stuck in a bootloop. 0xB4, which is a video init error. Instantly restarts. Can't get into safemode, same problem. Can't get into VGA mode, same problem. Of course the owner doesn't have any system restore points, nor does she have the Vaio recovery CDs. She refuses to let me back up her computer, because she is cheap, and concerned that our company will "store copies" of her data.

I tried doing an XP Home repair install, and of course, that doesn't work either. Same problem, 0xB4.

Finally, I tried mashing F# keys at boot up, and found one (either F9, F10, or F11, one of the three) that enters into the Vaio Recovery Mode.

The only option that I'm allowed to select is to do a factory reset, which would wipe the data.

I have no other options at this point, other than spending 45 minutes on the phone with her assuring her that we won't keep copies of the 500 pictures of her dog and grandkids.

INFURIATING. I can't even boot into Windows to run any scans. I'm out of ideas. Anyone have something for me? LiveCDs work, I tried ERD Commander 2007, but can't make heads or tails of the 200 drivers, ~75% of which are set to Manual or Disabled.

Please, someone must have some advice on replacing the erroring video driver with a Vaio approved one. The installer won't run on any PC other than the Vaio it's supposed to be used on, and it won't run in ERD.

The chipset is Intel Alviso-Gi915G, video is Mobile Intel(R) 915GM/GMS, 910GML Express, and the model is VGN-FS640-W. Anyone? Bueller? Please?

------------

The other case was a Toshiba laptop that freezes upon the insertion of any USB plug. All of the plugs freeze the system. Flashdrives, Printers, anything USB will freeze it. This sounds like hardware to me, but she claims it just started happening a few weeks ago. Any ideas on this one? I've never experienced these problems before. Please help.

Otacon fucked around with this message at 22:48 on Jan 3, 2009

Otacon
Aug 13, 2002


slidebite posted:

I'm by no means a hardware wizard and probably have no right posting in this thread other than being one to ASK for help instead of to give ( :downs: ) but could you pull the internal drive out of the laptop and plug it in as an extra drive on a different PC and scan it that way?

I've done this in the past, and while Avast can scan the drive, nothing I find can scan the registry. SuperAntiSpyware can scan directories, but that's it. MBAM can't scan anything selectively. So while I'd remove any viruses, I'd only get some of the malware, which would still leave me unable to boot into Windows.

I'm almost absolutely sure that one of her graphic drivers was infected, and since it was from the VAIO setup CD, and didn't come installed with Windows, that the Windows Repair didn't replace it.

I guess I could take a look in the system32 folder through ERD and look for suspicious files, I was just hoping someone would post something like: "Hi! Here are the drivers you need, in .sys and .ini format. Just unzip them to system32 and reboot!"

A man can wish, right?

Otacon
Aug 13, 2002


CalvinandHobbes posted:

I am a moderately knowledgeable user and I think I'm in over my head.

I'd recommend getting Gmer, a rootkit finder, and renaming the file to something else - ie, "SOMETHINGAWFUL.exe" and running that. I bet it'll find something ugly.

Just navigate with the tabs at the top of the screen. Entries in red are suspect and should be investigated.

Other than that, the TDSServ service will also do this. Give that a lookie, too.

Otacon
Aug 13, 2002


As of yesterday, our shop found a new virus/rootkit disguising itself as a Microsoft Windows driver, signed by Microsoft themselves. Be careful out there!

Otacon
Aug 13, 2002


abominable fricke posted:

Do you care to share any info, or are you going to hold out?

Midelne posted:

Seconded, since signed code infections are rare to begin with, let alone code signed by Microsoft. Needs a lot more details, up to and possibly including VirusTotal stats.

My boss found it, and briefly told me about it. I'm not going into work until tomorrow, but when I do I'll see if he can remember anything else. He basically said that he had done a few scans, was still having problems, and ran down the list of drivers one more time. He ran into one he didn't recognize, and upon checking the details he noticed it was signed, spoofing Microsoft - which is why he didn't find it in the first place. The only scanner that picked it up was....

Panda.

SASW missed it, MBAM missed it, Avast! missed it, Trend Micro missed it - the only thing that picked it up was Panda. Go figure.

Otacon fucked around with this message at 21:02 on Jan 9, 2009

Otacon
Aug 13, 2002


A few days ago I posted about malware posing as signed Microsoft drivers - we got another one in today, and it's with an AntiVirus 2009 variant - this one also redirects Google.com to a hacked DNS site that still says Google.com, but pops up something along the lines of YOUR SOFTWARE IS OUT OF DATE, UPDATE IT HERE! with a bunch of other nasties.

I'll try to get the infection name, may edit this post in a few hours.

Otacon
Aug 13, 2002


For anyone NOT nuking a system after a nasty virus install, please please PLEASEEEE turn off system restore and then turn it on again. Disabling system restore removes all of the backups, which are guaranteed infected. This will help you when in 2 weeks, your brother says "Hey my Windows is hosed up again, time to do a system restore!" and the system is reinfected.

greg_graffin posted:

I just ran gmer out of curiosity and the only thing that shows up under the Rootkit/Malware tab is fltmgr.sys, which appears to be a legitimate Windows file that viruses sometime disguise themselves as. Should I delete the file or leave it alone and consider it a false alarm? I'm not experiencing anything out of the ordinary and Avira and Malwarebytes say everything is ok.

Gmer is not a scanner, in the way that MBAM or SAS is. All it does is look for boot entries that aren't default. 90% of the time I run Gmer at work, it throws up some false flags. Don't delete it because it pops up in Gmer.

However, using an actual scanner on the files that show up in Gmer isn't a bad idea.

Otacon fucked around with this message at 04:55 on Feb 9, 2009

Otacon
Aug 13, 2002


fungi^2 posted:

Thanks for the thread guys. I was stuck back in 2005 with adaware and spybot. I did a quick SuperAntiSpyware run and it found:

BhoApp-b
Unclassified.Unknown Origin (What?)
Rogue.MSAntiSpyware2009

No wonder I've been slow lately.

BHOApp is related to an MSIE toolbar - BHO means "Browser Helper Object"

Unclassified.Unknown Origin is usually a remnant of another virus/malware that was half removed - it's usually not a threat, but it's nice to remove it.

Anti Spyware 2009 is what 90% of the Internet is infected with, and definitely was the culprit in making your machine slow to a crawl. Don't feel too bad - over 100,000 people are infected by it every week. Look at it this way: You're just a statistic, that's all!

Otacon
Aug 13, 2002


GREAT BOOK OF DICK posted:

Because something like the ultimate boot cd for windows can't necessarily help you clean everything. Something like the Geeksquad MRI CD can actually mount the Windows installation and have the ability to clean registry entries, hidden files, etc. I'm probably not as educated on utilizing an ultimate boot cd to its fullest potential, but I haven't found any easy way to clean everything with it.

Best I've used (that can mount to a Windows partition) is ERD Commander. Very useful for stopping hidden processes, drivers, services, etc.

Otacon
Aug 13, 2002


Has anyone here worked with Geeksquad? How efficient were those MRI disks?

Otacon
Aug 13, 2002


I'm on my third computer today that's crossed my desk with TDSSrv, and it's only 2pm.

Signs that you are infected with TDSSrv: Windows XP refuses to boot, either blue-screening during the black loading screen, or freezing before it gets to login.

Solution: Run WinERD commander from boot cd, attach it to your Win install, and go to Start -> Autoruns. Find the appropriate user profile (search through them all) and google every file that is set to autorun. If any of the results come up as malware, right click and delete that autorun.

Then, move onto drivers and services: look for anything called TDSSrv, TSsrv, or any variants - there isn't always anything hidden in here, but you should always check.

Finally, navigate in explorer (still in WinERD Commander) to c:\windows\system32\drivers - sort by date edited, and remove all of the random strings of letters, as well as anything listed as TDSSrv - even the log files can infect your system. Most of the virus will have modified dates very close together, and usually extremely recent.

Then, back track one directory to c:\windows\system32, and sort it by date again. Do the same deletes for any other random string filenames, as well as the TDSSrv files.

Click Start, Restart - do not just power off the computer as the startup registry changes will not be made. You should now be able to boot into safemode, and run Combofix.

This virus should suck my nuts.
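The drivers-directory step of the procedure above (sort by date, look at the newest cluster of writes, pick out the random-string and TDSS-named files) can be done by script once the disk is mounted offline. The following is an added example, not from the thread: it runs on a constructed listing, and list_dir() is the hook for a real directory. KNOWN_GOOD and the random-name rule are assumptions there only to cut noise; a known-good filename can still be a replaced file, so treat the output as a worklist for Google and a scanner, not a delete list.

```python
"""Triage a drivers directory the way the TDSSrv post does.

Added example, not from the thread. Sort by modification time, take the
newest cluster of writes, flag names containing "tdss" or that look like
random letter strings. KNOWN_GOOD and RANDOM_NAME are assumptions.
"""
import os
import re
from datetime import datetime, timedelta

# Assumption: a short allowlist to cut noise, not a statement of what is clean.
KNOWN_GOOD = {"ntfs.sys", "fltmgr.sys", "tcpip.sys", "atapi.sys", "clfs.sys", "usbccgp.sys"}
# Heuristic: eight or more letters with no vowel, or a long mix of letters and digits.
RANDOM_NAME = re.compile(r"^(?:[b-df-hj-np-tv-z]{8,}|(?=.*\d)(?=.*[a-z])[a-z0-9]{8,})\.", re.I)

_T0 = datetime(2008, 4, 14, 12, 0, 0)          # constructed: install-time stamps
_T1 = datetime(2009, 2, 14, 23, 41, 5)         # constructed: the infection
SAMPLE_LISTING = [
    ("ntfs.sys", _T0), ("fltmgr.sys", _T0), ("tcpip.sys", _T0),
    ("clfs.sys", _T0), ("usbccgp.sys", _T0), ("serial.sys", _T0),
    ("TDSSserv.sys", _T1),
    ("TDSSlog.dat", _T1 + timedelta(seconds=3)),
    ("qwxzvbnmkl.sys", _T1 + timedelta(seconds=7)),
]


def list_dir(path):
    """Real-world input: (name, mtime) for every file in a directory."""
    with os.scandir(path) as it:
        return [(e.name, datetime.fromtimestamp(e.stat().st_mtime))
                for e in it if e.is_file()]


def recent_cluster(entries, window=timedelta(minutes=10)):
    """Names written within `window` of the newest file.

    A dropper writes its driver, DLL and log within seconds of each other,
    so the newest cluster is where to look first (the post's "modified dates
    very close together, and usually extremely recent").
    """
    if not entries:
        return set()
    newest = max(mtime for _, mtime in entries)
    return {name for name, mtime in entries if newest - mtime <= window}


def triage(entries):
    """Return [(name, mtime, reasons)] newest first, skipping known-good names."""
    cluster = recent_cluster(entries)
    findings = []
    for name, mtime in sorted(entries, key=lambda e: e[1], reverse=True):
        low = name.lower()
        if low in KNOWN_GOOD:
            continue
        reasons = []
        if "tdss" in low:
            reasons.append("TDSS-style name")
        if RANDOM_NAME.match(name):
            reasons.append("random-looking name")
        if name in cluster:
            reasons.append("in newest write cluster")
        if reasons:
            findings.append((name, mtime, reasons))
    return findings


if __name__ == "__main__":
    for name, mtime, reasons in triage(SAMPLE_LISTING):
        print(f"{mtime:%Y-%m-%d %H:%M:%S}  {name:20}  {', '.join(reasons)}")
```

On the sample the six install-time files drop out (five are allowlisted, serial.sys has nothing suspicious about it) and the three files written within seven seconds of each other come back, newest first. Run the same thing over C:\windows\system32 afterwards, as the post says, since the cluster there will have the same timestamps.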

Otacon
Aug 13, 2002


1997 posted:

Incredibly efficient. Virus removal is almost completely automated, with any remaining bits needing manual removal. Mounts to Windows installations, has the ability to clean and modify the registry even if something like TDSSrv prevents boot up. Has all sorts of Winsock and dll fixes that are automated too. Much better than it was before last summer. Basically we just have to run it once for it to pave through what it finds and 99% chance there will be a usable system to come out of it in the end. We rarely have to restore units and even more rarely see them come back again for the same problems, unless the customer was an idiot and re-infected themselves. There's multiple scans that we use to give a system a clean diagnosis, we don't rely on just one.

Also today some guy laughed at me when I told him we'd have to charge for his virus removal even though we installed his antivirus software like a week ago (on a brand new PC) because he's been using Limewire. Once you mess with P2P/BitTorrent, you're on your own and you gotta pay. Basically he thinks we were responsible for telling him NOT to and should do it free. Whatever, no.

I had a guy yesterday call in, and asked me about Limewire - then, he put me on speakerphone so his crotchspawn could hear me say "Limewire will put viruses on your computer." Then, the kid said "Well, how else am I supposed to get music?"

My response? "You pay for it in iTunes."

Otacon
Aug 13, 2002


More on TDSServ/Anti Spyware 2009:

http://trollitc.com/2009/02/how-to-remove-antivirus-2009-from-your-computer-so-you-can-game-properly/

Otacon
Aug 13, 2002


Sanctum posted:

I honestly have no idea since I haven't changed jumper settings on my HDs or DVD drive, but BIOS refuses to recognize the DVD drive now.

So what I had must have been Anti Spyware 2009 bundled with some other serious poo poo because after following the steps to remove that I've noticed I have web results randomly hijacked and bring me to a different page. When it's some innocuous google search I'll occasionally click on a link to wikipedia or something and each time I try it I get taken to a different fake search page. But as if hijacking my search results and re-directing me wasn't scary enough, when I search for something relating to spyware all of the results take me to fake sites unless I copy the URL manually instead of clicking it.

On top of that, I had to change the name of the SuperAntiSpyware installer to run it, and attempting to scan my computer results in a BSOD. :wth: I give up, this virus wins, I'm re-installing windows even if it means I'll have to do it by dropping an old IDE drive into my computer to boot to.

The first sounds like an issue in C:\windows\system32\drivers\etc\HOSTS - open HOSTS in notepad, see if there are any other lines that don't begin with a #. If there are any others besides 127.0.0.1, delete those additions.

The second is common with these viruses - they have a list of programs that won't run/install if they match the name of a known virus/malware scanner. Easiest way to get around these is to rename installer, install, and then log into Safe Mode as an Administrator to run the scanner.

This is of course, if you haven't already run a reinstall. Even though - some of these will crash the Windows Installer as it's trying to copy files from the CD. So, YMMV.

Otacon
Aug 13, 2002


Just finished a 2 day virus infection extravaganza. Installed a bad file, didn't scan first, walked away with Virut, MS Antispyware 2009, and some new form of rootkit that NOTHING would clean. It created a bunch of new drivers for devices I didn't even know existed. (Saitek Magic Bus? Who let the magic bus into my computer???)

Long story short, 5 repair installs, countless loops of Combofix/SDFix/Smitfraud, MBAM, SASW, Panda, Rootkit scanners, etc. All boils down to a nuke and reinstall.

I've learned my lesson.

I've also made a Ghost image.

(Virut turns all EXEs and all HTMLs into viruses. Every single EXE file in /Windows/ was infected. Look out for MS ANTISPYWARE 2009. It installs itself in C:\D&S\All Users\Application Data\CrucialSoft\MS AntiSpyware 2009\ and WILL NOT DELETE no matter HOW MANY TIMES YOU DELETE IT! Argg!)

Otacon
Aug 13, 2002


BillWh0re posted:

That pause can mean something that was supposed to load in winlogon.exe wasn't accessible. Often this is because the anti-virus software on that machine is blocking it. You might want to check winlogon-related registry keys (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify and friends) for any suspicious DLLs that are trying to load.

Also, use CCleaner for registry cleaning goodness.

Otacon
Aug 13, 2002


Thanks for the UAC*.dll update, a co-worker asked me 5 minutes before closing if a file called UACsomething was suspicious, and I said negative. :(

I'll let him know tomorrow. Thanks again.

Otacon
Aug 13, 2002


Gonna have to give Dial-a-Fix a shout-out this week, it's helped me twice with great success this week. It can fix issues with Windows Updates, permissions issues, and file-corruption issues. Two viruses, both different strains, both corrupted the registry hardcore. Dial-a-Fix saved me a great deal of time.

Hint: Hit Check-All, then hit Go. If it runs through the entire list without an error box, then all is well. If you get an error box, it will instruct you what to do. Pro-Tip: the "Tools" menu is the tiny hammer in the lower right-hand corner.

Otacon
Aug 13, 2002


Ensign Expendable posted:

That sounds like either winlogon.exe or userinit.exe is not initializing properly. Get a setup disk and manually copy the files over.

SFC /scannow - use it, brother.

Otacon
Aug 13, 2002


The Man with a Hat posted:

I've got a TDSServ infection on my 32-bit Vista machine, and it's dug in. The catch is, everything mentioned in the thread thus far seems ineffective. I've checked the Non-Plug and Play Drivers list, but there are no TDS variations. Spyware Doctor can detect it, but refuses to remove it unless I buy a full version. MalwareBytes always crashes before completing its scan. SUPERAntiSpyware didn't detect anything. GMER bluescreened the computer, even when renamed. ComboFix ran, had an adverse reaction to avast! (maybe?), and almost lobotomized my computer when it bluescreened on restart. Avira detected a couple of trojans, but not TDSServ, and then it crashed my computer. I'm starting to wonder if the trojan's creating fake bluescreens. Any help would be appreciated.

Edit: I'm also running Spyware Terminator, and - looking for more data online - it's suggested that it's a rogue program. God dammit.

Also, I double-checked the Device Manager, and it's running a driver called "catchme". Cheeky bastards.

Catchme is from Gmer, and is harmless. Give this a shot: Boot into Safe Mode, download Combofix, drop it in C: and rename it to 'cf.exe' - run this as administrator, and let it go through. If it reboots your machine and it blue screens, there should be a combofix.txt file in your root drive - paste the text and we'll get some more info. However, popping the drive into a computer and running an external virus scan will help - just be prepared for blue screens as Windows tries to load device drivers that don't exist anymore.

taiyoko posted:

Trying to remotely fix a friend's computer right now. No idea what he's managed to get on his system offhand. He says IE and Firefox won't load any pages, but his instant messaging still works, so it's not a problem with the connection. We've tried MalwareBytes and SUPERAntiSpyware to no effect, though they can't access updates. Combofix does nothing. AVG didn't pick up anything. I'm unable to physically go over there and do anything, as I'm at college and don't have a car on campus.

Aside from sending him over AIM the installer for LogMeIn and me attempting to see if I can fiddle with stuff that way to fix it from here, I'm pretty much stumped.

Open up Notepad and look for the HOSTS file: c:\windows\system32\drivers\etc\ - it's not a text file, it's just called HOSTS. See if there is anything else other than 127.0.0.1 listed - if not, tell him to download Dial-A-Fix and to have that give a run through.

Otacon fucked around with this message at 03:47 on Mar 31, 2009
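Three of the replies in this thread (the Scene It redirect, the hijacked spyware searches, and the friend whose browsers load nothing) give the same first check: open C:\windows\system32\drivers\etc\HOSTS, skip the comment lines, and look for anything beyond the stock localhost line. The following is an added example, not from the thread, that does that check and sorts what it finds into the two things malware actually does with the file: a block (security-vendor hostnames pointed at 127.0.0.1 so scanners cannot update) and a redirect (popular hostnames pointed at an address the attacker controls). SECURITY_VENDOR_DOMAINS is an illustrative list, and the sample file is constructed, with a TEST-NET address standing in for the attacker's server.

```python
r"""Triage a Windows HOSTS file for malware additions.

Added example, not from the thread. Reads the file format the posts
describe, drops comments, ignores the default localhost mappings, and
classifies the rest. SECURITY_VENDOR_DOMAINS is an assumption.
"""
import ipaddress

DEFAULT_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}
SECURITY_VENDOR_DOMAINS = (          # assumption: illustrative, not exhaustive
    "malwarebytes.org", "superantispyware.com", "bleepingcomputer.com",
    "avast.com", "avira.com", "grisoft.com", "safer-networking.org",
    "windowsupdate.com", "update.microsoft.com",
)

# Constructed sample: two sinkholed vendor sites, two search engines redirected
# to a TEST-NET address (203.0.113.0/24 is reserved for documentation).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.malwarebytes.org
127.0.0.1       superantispyware.com   # update server sinkholed
203.0.113.5     www.google.com
203.0.113.5     search.yahoo.com
"""


def parse_hosts(text):
    """Yield (lineno, ip, hostname) for every active mapping; comments skipped."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()     # everything after '#' is comment
        if not line:
            continue
        ip, *hosts = line.split()               # one IP, one or more names
        for host in hosts:
            yield lineno, ip, host.lower()


def _is_vendor(host):
    return any(host == d or host.endswith("." + d) for d in SECURITY_VENDOR_DOMAINS)


def _is_sinkhole(ip):
    """127.0.0.0/8, ::1 and 0.0.0.0 all make the name unreachable."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def triage_hosts(text):
    """Return every non-default mapping, classified as block, redirect or unknown."""
    findings = []
    for lineno, ip, host in parse_hosts(text):
        if (ip, host) in DEFAULT_ENTRIES:
            continue
        if _is_sinkhole(ip):
            kind = "block" if _is_vendor(host) else "unknown"
        else:
            kind = "redirect"                   # pointed off-box: always suspect
        findings.append({"line": lineno, "ip": ip, "host": host, "kind": kind})
    return findings


def load_hosts(path=r"C:\Windows\System32\drivers\etc\hosts"):
    """Read the live file (run elevated) or one on an offline-mounted disk."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return fh.read()


if __name__ == "__main__":
    for f in triage_hosts(SAMPLE_HOSTS):
        print(f"line {f['line']:3}  {f['kind']:8}  {f['ip']:15} -> {f['host']}")
```

A "block" line explains the symptom of scanners that run but cannot update; a "redirect" line explains search results landing on the wrong site even though the status bar showed the right URL. As the earlier post says, the file may be read-only or have its permissions changed, so after removing lines set it back to read-only yourself.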

Otacon
Aug 13, 2002


Zuffox posted:

My aforementioned problems with logging in keep persisting. Today to the extent of not getting a successful log-in in normal mode (or, Test Mode as it's called now) at all. Safe Mode still works, though.

I can't remember - Have you run Combofix? If any of your system files are infected (I've seen explorer.exe, userinit.exe, and a slew of others capable of carrying an infection) then Combofix will alert you with the log file.

If you have and the log file didn't tell you anything new, did you try Hijack-This?

Post the log files and let's see what turns up.

Otacon
Aug 13, 2002


Even though the software is pretty self explanatory, I thought I'd share the best method I've come up with on running Combofix.

Step 0: Put Combofix on a thumbdrive, and insert thumbdrive.
Step 1: Turn on computer, press F8, boot into safe mode.
Step 2: Do not hit "OK" to the safe mode warning - let that popup stay on the screen, but move it aside. You don't want to let explorer load.
Step 3: CTRL+ALT+DEL to get to TaskMan, and go to File - New Task
Step 4: Click browse, and find your thumbdrive
Step 5: Copy/Paste combofix.exe to C:
Step 6: Rename to "c:\cf.exe"
Step 7: Run (from TaskMan) cf.exe.
Step 8: Close TaskMan.

As CF is running, it may reload the Safe Mode gui - just ignore it again. If Combofix has to restart your computer, follow these same directions - ideally, you'll catch it before it reboots so you can get it into safemode. It'll display the safe mode gui again - remember to ignore it.

Finally, after it displays your log file, CTRL+ALT+DEL to get to task man, New Task, and launch explorer - you're back in business.

I've been using this method for a few weeks and it constantly surprises me how many systems I can bring back from the dead with it. Safe mode (and not letting explorer run) is your friend. Use it wisely.

Otacon
Aug 13, 2002


Zuffox posted:

It's unsupported on Vista 64, unfortunately. At least the last time I tried. Appreciate your elaborate guidance, though. :)

Oh. 64 bit. Right.

I've officially got nothing. Apologies.

Otacon
Aug 13, 2002


The Man with a Hat posted:

Well, I downloaded HijackThis, and got a log. Not really sure what I should be looking for, but there are a couple of suspicious lines. It's kinda lengthy... would anybody be able to give me an opinion, if I posted it?

Yep! That's why it has that log - to post to other knowledgeable people and get their opinions.

Otacon
Aug 13, 2002


First: You should avoid having two different virus scanners on your computer. Stick with Avast, uninstall Avira.

Second: what is that crawler program?

Third: While Spyware Doctor is a legit program, I don't see the need to have all these programs on startup. I mean: SuperAnti Spyware, Registry Mechanic, and Spyware Doctor? That's a bit overboard. I personally run MalwareBytes and Avast - that's it. You might still be in diagnostic mode and just trying everything under the sun to get to your problem, so I don't know. But, still - having two anti-virus programs is like wearing 2 condoms - it seems like a great idea, but it usually ends in tears.

Fourth: Your running processes all check out, but these are safe to remove:

The Man with a Hat posted:

code:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O23 - Service: BCPCZJWSGKCC - Unknown owner - C:\Users\User\AppData\Local\Temp\BCPCZJWSGKCC.exe (file missing)



From what HJT tells me, your tools found and removed the viruses - anything that says (no file) was an infected file that was removed. Give MalwareBytes a try (if you haven't already) and let us know if it finds anything else. From the look of that HJT log, you aren't infected - just running horribly slow with all those processes.

Otacon fucked around with this message at 04:50 on Apr 1, 2009
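Reading a HijackThis log by hand is what the exchange above is doing: the "(no file)" BHOs are leftovers of something already removed, and an unknown-owner service with a random name running out of a Temp directory is a classic dropper. The following is an added example, not HijackThis code and not from the thread, that parses the R1/O2/O4/O8/O23 line format shown in the post and applies those rules. The sample log is constructed from the lines quoted above plus two benign avast! entries, and the random-name rule is a heuristic.

```python
r"""Parse a HijackThis log and pull out the entries worth a second look.

Added example, not HijackThis code and not from the thread. The random
service-name rule is a heuristic.
"""
import re

HJT_LINE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
ORPHAN_MARKERS = ("(no file)", "(file missing)")
TEMP_PATH = re.compile(r"\\(?:AppData\\Local\\Temp|Local Settings\\Temp|Windows\\Temp)\\", re.I)
RANDOM_SERVICE = re.compile(r"^[B-DF-HJ-NP-TV-Z]{8,}$")   # heuristic: long, caps, no vowels

# Constructed sample: the lines quoted in the post plus two benign avast! entries.
SAMPLE_LOG = r"""Logfile of HijackThis (constructed sample)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: BCPCZJWSGKCC - Unknown owner - C:\Users\User\AppData\Local\Temp\BCPCZJWSGKCC.exe (file missing)
"""


def parse_hjt(log):
    """Return [(code, body)] for every HJT entry line; header lines are skipped."""
    entries = []
    for raw in log.splitlines():
        m = HJT_LINE.match(raw.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def service_name(body):
    """'Service: NAME - owner - path' -> 'NAME'."""
    head = body.split(" - ", 1)[0]
    return head[len("Service: "):] if head.startswith("Service: ") else head


def triage_hjt(log):
    """Attach a list of reasons to each entry that deserves attention."""
    findings = []
    for code, body in parse_hjt(log):
        reasons = []
        if body.endswith(ORPHAN_MARKERS):
            reasons.append("orphan: target file already gone, entry is safe to remove")
        if TEMP_PATH.search(body):
            reasons.append("runs from a Temp directory")
        if code == "O23" and "Unknown owner" in body:
            reasons.append("service with no publisher")
        if code == "O23" and RANDOM_SERVICE.match(service_name(body)):
            reasons.append("random-looking service name")
        if reasons:
            findings.append({"code": code, "body": body, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_LOG):
        print(f["code"], f["body"])
        for r in f["reasons"]:
            print("   -", r)
```

On the sample, the ProxyOverride, Crawler menu item and both avast! lines come back clean, the two BHOs are flagged only as orphans, and the BCPCZJWSGKCC service trips all four rules. Anything with a single reason still wants a Google search before you touch it, which is the same advice the post gives.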

Otacon
Aug 13, 2002


The Man with a Hat posted:

Thanks. Crawler's just a plugin that warns me away from potentially dangerous websites. As for all the scanners, I figured that piling on the protection would be a good idea. Guess not. :downs: I had a Virtumonde scare about a year ago, so I went kind of overboard finding a solution.

Dammit! I just edited my post, and was hoping for a ninja-edit. Oh well. Just give it a re-read - I researched a lot of those "iffy" ones on Google, and have removed a lot that I wasn't sure about.

Otacon
Aug 13, 2002


Virut is NASTY.

Every .EXE, every .HTML file - all are probably infected by now. Any removable media that's been connected? USB drives? The cameras SD cards? All infected using an autorun.ini file.

Here's your game plan - remove the drive, install it in your own computer. Use Knoppix, or another CD-based Linux OS. Recover ONLY *.jpg, *.doc, and if she uses Outlook, any *.pst or *.wab files. After you get those files, format the drive. Don't keep the Dell partitions, don't keep anything. It's infected. After you format, mount her USB sticks and SD cards. Format those, too. Reboot, remove the drives, and install the hard drive back into the Dell. Pop in a Dell Recovery CD, and return the computer to factory settings.

All in all you're looking at about 1-2 hours - possibly longer depending on how much searching you have to do for your aunt's files. But don't even try to resurrect the drive - it's too late.

Virut is NASTY.

Otacon
Aug 13, 2002


GREAT BOOK OF DICK posted:

Yeah it was pretty much too late in this situation. She had initially called me saying "Internet Explorer keeps crashing when I try to open it." We had agreed to leave the machine off and I would come retrieve it. She called back again saying she started the machine back up and now it just has a blue screen. It was caught in an infinite BSOD loop at that point so I could only presume it was either a fake, or the virus had infected an important .exe file.

Thanks for the heads up on the removable media, Otacon. I had a feeling it was an autorun type of virus but I didn't know the extent of the infection. I'll have to make sure she's formatted any of her camera cards and so forth.

You're welcome.

I had a number of stock WinXP EXEs on my thumb drive - keyword had - because it turned them all to infected swiss cheese. MSCONFIG? Infected. Notepad.exe? Infected. Explorer.exe, winlogon.exe, userinit.exe? Infected. But, it also goes after other EXEs - Smitfraud? Infected. Catchme.exe? Infected. Hijackthis? Infected.

It seems to only go after EXEs that are under a certain filesize - in the same folder as a number of the apps were also installers for MalwareBytes, SuperANTISpyware, CCleaner, etc - all of those were untouched.

That however is definitely one virus the author must be very proud of - Combofix doesn't work on it because once explorer, userinit, and winlogon are infected, you're SOL - no possibility of safe removal. It even ENJOYS repair installs.

Long story short - when I see virut at work, I call the customer immediately and tell them the only thing we can do at this point is salvage their DOCs and Pictures, and restart from scratch. Two hours of CAREFUL file backup and a Windows install is a lot more productive than six to eight hours of cursing and repair installs and running Combofix 17 times.

Like was said earlier - if it's a relatively new infection, you stand a fighting chance - but honestly - how often do customers/family call you the day that these things happen? Never. They ignore it until the computer refuses to boot, at which point they call you. By then, it is far too late.

Good luck again!

Otacon fucked around with this message at 03:21 on Apr 7, 2009

Otacon
Aug 13, 2002


averagebloke posted:

I think I came pretty close to getting rid of Virut the other week. I scanned and cleaned using UBCD4Win with the Sophos plugin which cleaned over 1,300 infected files and deleted a few it could not clean. I was still able to load Windows and get into this person's profile fine after this.

I then tried to install XP SP3 but it gave a message Access Denied so I Reset the registry and the file permissions (method 1) and it allowed it to install. The only thing wrong at this point was all the networking components were broken (AFD, TCP/IP etc in device manager non plug and play drivers all showed yellow exclamation mark)

I was going to run sfc with the Windows disk to repair these but they could not produce this so I ended up just using the restore partition to flatten and reinstall. I think it is just down to the luck of the draw which EXEs are infected and/or corrupted.

Don't worry - virut will be back in full swing on your machine within the week.

Otacon
Aug 13, 2002


Trinity Rescue Kit is my personal fave - it does everything you can possibly hope to do from a live CD. Both Fprot and ClamAV can download updated virus definitions, and there are tools for data recovery, backups, HDD tests, Mem tests, and tons more.

Hiren's is also wonderful as well, and has XP-AntiSpy which can update the definitions as well.

Bart's PE and Ultimate Boot are another two that I use occasionally, but neither have been updated in a while.

All of these free downloads can be found as ISOs on any major torrent site.

Otacon
Aug 13, 2002


Carecat posted:

I can't use GMER, it crashes when it gets to VolumeShadowCopy, if you try to start it a second time it BSODs. Google shows a few people having this problem but no-one really tried to work out the cause.

Disable System Restore, disable System Hibernation, and set your swap file to disabled - then try and run it again.

Otacon
Aug 13, 2002


hobb posted:

Yeah I'm thinking I might as well. I found the dll "LVPRCINJ01.DLL" running from my windows/temp/logishrd directory and while it seems to be something related to my logitech webcam, it makes no sense it would be in /temp/.

It also seems to pull up hits for the vundo virus to masquerade as I think.

Lovely way to spend the rest of my sunday. :(

I ran into this last week - that is a legitimate program. Logitech got a lot of complaints about it though and their newest drivers no longer run from a temp directory. They said they had to do it that way originally so that Windows could allow the program to hook into the shell - but after enough people bitched, they found some other way. But yeah - a lot of spyware programs detect it as bad because of how it works with Windows.


Otacon
Aug 13, 2002


Midelne posted:

Welcome to the wonderful world of fast infectors. The next thing you should research is how to image your hard drive, and how much storage space it'll take to image it once a month or so after a full malware scan, and then how to reapply those images in a minimum amount of time to get up and running even if Virut was your problem.

In the mean time, since this has happened to many people in this thread: Make a backup of everything EXCEPT for any EXEs or HTMLs. All your Docs, images, movies, saved games are all kosher - but any EXE or HTML file (or HTM for that matter) is now infected.

With these backed up to a CD-R, begin the nuking and paving. Make sure you format the drive, and then install that Windows 7 you were talking about. It's better to start fresh on a new OS anyway :)

Good luck!

(Oh, by the way - virus scan that CD-R when you burn it. Just to be sure.)
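The Virut posts in this thread all give the same salvage rule: keep the pictures, documents and mail stores, leave every EXE and HTM/HTML behind, format the removable media, and scan what you backed up. The following is an added example, not from the thread, that encodes that rule for a drive mounted on a clean machine. It adds one check the posts imply but do not spell out: a file is judged by its first two bytes as well as its extension, because a renamed executable is still an executable. The extension lists are assumptions to extend for the user in front of you; scan_tree() reads a real directory, and plan_salvage() runs on the constructed listing so the logic can be checked offline.

```python
"""Decide what to salvage from a Virut-hit drive before wiping it.

Added example, not from the thread. KEEP_EXT and DROP_EXT are assumptions.
"""
import os

KEEP_EXT = {".jpg", ".jpeg", ".png", ".gif", ".bmp", ".doc", ".docx", ".xls",
            ".xlsx", ".ppt", ".pdf", ".txt", ".rtf", ".pst", ".wab", ".mp3", ".avi"}
DROP_EXT = {".exe", ".dll", ".scr", ".com", ".pif", ".cpl", ".sys",
            ".htm", ".html", ".hta", ".inf", ".bat", ".cmd", ".vbs", ".js"}

# Constructed listing: (path, first bytes). The JPEG in Pictures that starts
# with "MZ" is the renamed-executable case.
SAMPLE_LISTING = [
    ("Pictures/dog.jpg", b"\xff\xd8"),
    ("Documents/taxes.doc", b"\xd0\xcf"),
    ("Outlook/mail.pst", b"!B"),
    ("Documents/report.pdf.exe", b"MZ"),
    ("Pictures/vacation.jpg", b"MZ"),
    ("Desktop/index.html", b"<h"),
    ("Desktop/setup.exe", b"MZ"),
    ("E:/autorun.inf", b"[a"),
    ("Downloads/thing.bin", b"\x00\x01"),
]


def classify(path, header):
    """Return (decision, reason) for one file given its first bytes."""
    ext = os.path.splitext(path)[1].lower()
    if header[:2] == b"MZ":
        return "drop", "PE header regardless of extension"
    if os.path.basename(path).lower() == "autorun.inf":
        return "drop", "autorun file on media"
    if ext in DROP_EXT:
        return "drop", "infectable type"
    if ext in KEEP_EXT:
        return "keep", "data file"
    return "review", "unlisted extension"


def plan_salvage(listing):
    """Group paths by decision; 'review' is what you look at by hand."""
    plan = {"keep": [], "drop": [], "review": []}
    for path, header in listing:
        decision, _ = classify(path, header)
        plan[decision].append(path)
    return plan


def scan_tree(root):
    """Real-world input: (path, first 2 bytes) for every file under root."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            try:
                with open(full, "rb") as fh:
                    yield full, fh.read(2)
            except OSError:
                yield full, b""


if __name__ == "__main__":
    for decision, paths in plan_salvage(SAMPLE_LISTING).items():
        print(decision.upper())
        for p in paths:
            print("   ", p)
```

Pipe the "keep" list into whatever copies files to the CD-R, then scan that CD-R anyway, as the post says. The "review" bucket exists because an allowlist will always miss some format the user cares about; it is better to look at those by hand than to either lose them or blindly copy them.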
