From: cquirke (MVP Windows shell/user) on
On Tue, 3 Jan 2006 09:40:16 -0500, "David H. Lipman"
>From: "cquirke (MVP Windows shell/user)"

>| I've downloaded it and read the HTML, but haven't used it yet - I'm
>| interested in seeing if it can be adapted to more formal use.

>| I'm working on a scanning wizard for Bart PE CDR boot that will run a
>| sequence of 5 av scanners with a minimum of stop/go interaction, so I
>| was interested in how Dave's worked.

>Any time you'd like to discuss my tool(s), you have my email address.

Thanks - I'll pursue when I'm focussed!

Meantime, this is of interest for data recovery...

http://www.diydatarecovery.nl/downloads/Demo/DIY%20DataRecovery%20iRecover.exe

...as at...

http://www.diydatarecovery.nl/download.htm

>While you mention booting from a Bart PE, the included PDF file does provide instructions
>for creating a DOS Boot Disk or DOS Boot Disk with NTFS4DOS for outside the OS scanning.

Thanks, that's useful for < 137G systems. I haven't tried NTFS with,
say, ScanPM.exe, but I found F-Prot for DOS ineffective under such
circumstances; it does run in the low DOS memory conditions inflicted
by the NTFS driver, but fails to traverse the volume's dir tree.



>---------- ----- ---- --- -- - - - -
Don't pay malware vendors - boycott Sony
>---------- ----- ---- --- -- - - - -
From: cquirke (MVP Windows shell/user) on
On Tue, 03 Jan 2006 17:28:35 GMT, Leythos <void(a)nowhere.lan> wrote:
>Before that, cquirke wrote:

>> I'm working on a scanning wizard for Bart PE CDR boot that will run a
>> sequence of 5 av scanners with a minimum of stop/go interaction, so I
>> was interested in how Dave's worked.

>The only reason it needs to be on a drive is to expand the definitions
>and create the log files - at least it appears that way.

That applies to Bart as well, for tools that have to write to
themselves. What I do in such cases is sling them into %Temp% and run
them from there... when Bart-booted, there is a RAM drive B: which is
defined as %Temp%, but I've added a facility to re-direct this to a
selected location on a HD volume for greater space.

So my normal "dodgy PC" SOP is:
- diskette booted RAM diags; bail out if bad
- Bart CDR boot:
- HD Tune to check physical HD
- ChkDsk to check file system
- create a directory on a HD volume
- map Bart's %Temp% to this
- start virus scanning wizard:
- F-Prot CLI detect-only C:, save log
- ScanPM detect-only all HD, save log
- Trend SysClean ++ detect&clean, save log
- AntiVir 6 ** ++, save log
- McAfee Stinger ++, save log
- AdAware SE **, detect-only, save log
- Spybot 1.4, detect-only, save log
- HiJackThis **, save log

** Using RunScanner to access HD registry.
++ Run from Temp, as requires writable base location.

After the above comes other tests to taste, followed by AdAware and
Spybot detect-and-clean scans from Safe Mode, etc. I do the cleaning
from Windows boot so that the changes can be undone (i.e. stored and
accessible within the Windows installation).

It would be nice to do all the above from a single CDR, but I haven't
been able to "shell" Bart so it can share the same CDR with the RAM
test diagnostics. What I can do, is spawn these RAM diagnostic 1.44M
boot diskettes from the Bart CDR boot; I can't burn these to CDR as
the Bart-booted session dies if the Bart CDR is ejected.

From: Bill Suen on
Dave,

I cannot get into safe mode with command prompt, so I ran SmitRem.exe in
normal mode. Then I ran part 2 (Secured2K'....) and it appeared to work and
I gained back control of my homepage etc.

Tried again to reboot via F8 and still cannot get in Safe mode or safe mode
with command prompt. The safe mode appears in blue on the bottom left of the
screen but on top it only allows proceeding with "normal window start up". Am
I still infected? Or is this a fault/feature of Windows XP 2002 Home SP2?

I appreciate your further advice....and thank you for helping me fix
(apparently) the problem, much appreciated.

Bill Suen

"David H. Lipman" wrote:

> Use *all* the tools I provided you when using the affected account. The issue is in that
> user's Registry. You have to be logged in as that user for that Registry to be fixed.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm
From: Bill Suen on
Dave,

Further to my last post, my Sophos just reported picking up another
Troj/Dropper-DK in C:\system volume. So my underlying problem still exists.
And I still cannot get into safe mode command prompt, so cannot run the Sophos
trojan fix. Hope you can help getting to the bottom of this.

Many thanks.


Bill Suen

From: David H. Lipman on
From: "Bill Suen" <BillSuen(a)discussions.microsoft.com>

| Dave,
|
| Further to my last post, my Sophos just reported picking up another
| Troj/Dropper-DK in C:\system volume. So my underlying problem still exists.
| And I still cannot get into safe mode command prompt, so cannot run the Sophos
| trojan fix. Hope you can help getting to the bottom of this.
|
| Many thanks.
|

That's the System Restore cache.

Disable the System Restore cache and reboot the PC.

Re-enable the System Restore Cache and then create a new restore point.

http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm

I don't know what to tell you about your Safe Mode problem. It has many roots and the
majority aren't malware related.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm