Guest RJK Posted October 2, 2008

It turned out to be:
http://www.threatexpert.com/report.aspx?ui...11-42e9c180a17f

Multi-AV Kaspersky CLS deleted:
c:\docume~1\alluse~1\applic~1\aboutt~1\extrap~1.exe

Yesterday during my hotch-potch approach, PrevX had located a file that I didn't note the name of; there were about five files in that folder including one called "FileBoob.exe" and I deleted those myself.

"boob" in a filename seems to tally with info on the above URL.

Ooooh, how I wish I'd let Kaspersky CLS finish its sweep ... had to start it again!

... have been reading
http://www.symantec.com/security_response/...5421-99&tabid=3

... not very clear.

regards, Richard
Guest Geoff Posted October 3, 2008

On Thu, 2 Oct 2008 23:31:03 +0100, "RJK" <notatospam@hotmail.com> wrote:

> It turned out to be:
> http://www.threatexpert.com/report.aspx?ui...11-42e9c180a17f
>
> Multi-AV Kaspersky CLS deleted:
> c:\docume~1\alluse~1\applic~1\aboutt~1\extrap~1.exe
>
> Yesterday during my hotch-potch approach, PrevX had located a file that I didn't note the name of; there were about five files in that folder including one called "FileBoob.exe" and I deleted those myself.
>
> "boob" in a filename seems to tally with info on the above URL.
>
> Ooooh, how I wish I'd let Kaspersky CLS finish its sweep ... had to start it again!
>
> ... have been reading
> http://www.symantec.com/security_response/...5421-99&tabid=3
>
> ... not very clear.

LOP is a very old adware that would have been intercepted if your A-V product were not impaired or compromised in some way, either by being blocked by other malware, turned off, or not up to date. (LOP is around 5 years old now.)

The Symantec site is very clear about its characteristics and how to remove it. If you can't eradicate it automatically I recommend you print the Technical Details and Removal pages and get to work in Safe Mode.

As for terminating the virus scans, I don't know why you feel you must terminate them when you go to bed. I'd let them run overnight or get up early and let them run while I did other things. There is no real reason to sit there and watch them unless they are popping up so many dialogs that you have to click them to make progress. In that case I think you are fighting a demon and you need to format the hard drive and reinstall and call it a lost cause. I wouldn't trust anything on that disk if such is the case.

My wife let her brother use her notebook computer in Asia on a trip. The A-V was not up to date. When she finally brought it home it had some 640+ infected files with all kinds of malware and viruses on it. (WANSO was the main demon.) I fought with that machine for 3 days and finally got smart and pulled the HDD out and scanned it with my computer's tools. That finally eliminated the infection and preserved the data. I installed a better A-V product (NOD32) and demoted her account to disallow program installations. Anything she needs on there, I can install and test for her.

I strongly recommend you scan that hard disk with a known clean system, since you cannot trust A-V's on the active system, since they ALL should have detected LOP by this time.
Guest RJK Posted October 3, 2008

Big thanx, will do (remove hd and scan as slave).

regards, Richard

"Geoff" <geoff@invalid.invalid> wrote in message news:qcoae4hs758lertggjdck4h6tba5no13if@4ax.com...

> On Thu, 2 Oct 2008 23:31:03 +0100, "RJK" <notatospam@hotmail.com> wrote:
>
>> It turned out to be:
>> http://www.threatexpert.com/report.aspx?ui...11-42e9c180a17f
>>
>> Multi-AV Kaspersky CLS deleted:
>> c:\docume~1\alluse~1\applic~1\aboutt~1\extrap~1.exe
>>
>> Yesterday during my hotch-potch approach, PrevX had located a file that I didn't note the name of; there were about five files in that folder including one called "FileBoob.exe" and I deleted those myself.
>>
>> "boob" in a filename seems to tally with info on the above URL.
>>
>> Ooooh, how I wish I'd let Kaspersky CLS finish its sweep ... had to start it again!
>>
>> ... have been reading
>> http://www.symantec.com/security_response/...5421-99&tabid=3
>>
>> ... not very clear.
>
> LOP is a very old adware that would have been intercepted if your A-V product were not impaired or compromised in some way, either by being blocked by other malware, turned off, or not up to date. (LOP is around 5 years old now.)
>
> The Symantec site is very clear about its characteristics and how to remove it. If you can't eradicate it automatically I recommend you print the Technical Details and Removal pages and get to work in Safe Mode.
>
> As for terminating the virus scans, I don't know why you feel you must terminate them when you go to bed. I'd let them run overnight or get up early and let them run while I did other things. There is no real reason to sit there and watch them unless they are popping up so many dialogs that you have to click them to make progress. In that case I think you are fighting a demon and you need to format the hard drive and reinstall and call it a lost cause. I wouldn't trust anything on that disk if such is the case.
>
> My wife let her brother use her notebook computer in Asia on a trip. The A-V was not up to date. When she finally brought it home it had some 640+ infected files with all kinds of malware and viruses on it. (WANSO was the main demon.) I fought with that machine for 3 days and finally got smart and pulled the HDD out and scanned it with my computer's tools. That finally eliminated the infection and preserved the data. I installed a better A-V product (NOD32) and demoted her account to disallow program installations. Anything she needs on there, I can install and test for her.
>
> I strongly recommend you scan that hard disk with a known clean system, since you cannot trust A-V's on the active system, since they ALL should have detected LOP by this time.
Guest RJK Posted October 3, 2008

Here we go again; this evening I'm in a "put some effort into it" mood!

I've pulled the hd out and attached it to the unused motherboard IDE port in my 2nd PC, and tweaked the BIOS so that it's in the BIOS list of hd's.

XP Home ed. allocated it the letter I:\ ... and AVG 8.0 full internet security suite is doing its "thing" on it, i.e. a full anti-everything sweep! :-)

After this, I suppose I ought to run David H. Lipman's Multi-AV / av-cls 4 cls's, which should run at lightning speed seeing as my "clean" 2nd PC is treating the infected hd as a slave drive. As I speak AVG 8.0 has scanned over 133,000 files and it's only been going a few minutes!

regards, Richard

(... there is an Athlon 64 x6000 in my 2nd PC :-) ... I suppose that makes a difference!)

"Geoff" <geoff@invalid.invalid> wrote in message news:qcoae4hs758lertggjdck4h6tba5no13if@4ax.com...

> On Thu, 2 Oct 2008 23:31:03 +0100, "RJK" <notatospam@hotmail.com> wrote:
>
>> It turned out to be:
>> http://www.threatexpert.com/report.aspx?ui...11-42e9c180a17f
>>
>> Multi-AV Kaspersky CLS deleted:
>> c:\docume~1\alluse~1\applic~1\aboutt~1\extrap~1.exe
>>
>> Yesterday during my hotch-potch approach, PrevX had located a file that I didn't note the name of; there were about five files in that folder including one called "FileBoob.exe" and I deleted those myself.
>>
>> "boob" in a filename seems to tally with info on the above URL.
>>
>> Ooooh, how I wish I'd let Kaspersky CLS finish its sweep ... had to start it again!
>>
>> ... have been reading
>> http://www.symantec.com/security_response/...5421-99&tabid=3
>>
>> ... not very clear.
>
> LOP is a very old adware that would have been intercepted if your A-V product were not impaired or compromised in some way, either by being blocked by other malware, turned off, or not up to date. (LOP is around 5 years old now.)
>
> The Symantec site is very clear about its characteristics and how to remove it. If you can't eradicate it automatically I recommend you print the Technical Details and Removal pages and get to work in Safe Mode.
>
> As for terminating the virus scans, I don't know why you feel you must terminate them when you go to bed. I'd let them run overnight or get up early and let them run while I did other things. There is no real reason to sit there and watch them unless they are popping up so many dialogs that you have to click them to make progress. In that case I think you are fighting a demon and you need to format the hard drive and reinstall and call it a lost cause. I wouldn't trust anything on that disk if such is the case.
>
> My wife let her brother use her notebook computer in Asia on a trip. The A-V was not up to date. When she finally brought it home it had some 640+ infected files with all kinds of malware and viruses on it. (WANSO was the main demon.) I fought with that machine for 3 days and finally got smart and pulled the HDD out and scanned it with my computer's tools. That finally eliminated the infection and preserved the data. I installed a better A-V product (NOD32) and demoted her account to disallow program installations. Anything she needs on there, I can install and test for her.
>
> I strongly recommend you scan that hard disk with a known clean system, since you cannot trust A-V's on the active system, since they ALL should have detected LOP by this time.
Guest RJK Posted October 3, 2008

Mmmm ... seeing as things are so fast running a clean m/c, in Windows normal mode, with an infected hd attached as a slave hd, and seeing as I can scan a "specific location or folder," is it as beneficial to run the four cls's in Windows normal mode on a slave hd I:\ as it is running it in SLooooooW Safe Mode (i.e. mobo bus master drivers aren't being used etc.) on the infected Windows hd itself, if it were running in Safe Mode in its normal home / system box ... if you see what I mean!

To clarify, I've done as Geoff suggested: the infected hd is connected as a slave hd in my 2nd PC (and luckily in my 2nd PC everything is SATA, meaning an unused motherboard IDE port is available), and so I'm now running a David H. Lipman Multi-AV sweep on this infected slave IDE hd, and of course it's running like lightning because the Windows platform on that PC (my 2nd PC, to which the infected hd is attached) is running in Windows normal mode ... if you see what I mean???

regards, Richard

"RJK" <notatospam@hotmail.com> wrote in message news:%23MzBfsYJJHA.5992@TK2MSFTNGP04.phx.gbl...

> Here we go again; this evening I'm in a "put some effort into it" mood!
>
> I've pulled the hd out and attached it to the unused motherboard IDE port in my 2nd PC, and tweaked the BIOS so that it's in the BIOS list of hd's.
>
> XP Home ed. allocated it the letter I:\ ... and AVG 8.0 full internet security suite is doing its "thing" on it, i.e. a full anti-everything sweep! :-)
>
> After this, I suppose I ought to run David H. Lipman's Multi-AV / av-cls 4 cls's, which should run at lightning speed seeing as my "clean" 2nd PC is treating the infected hd as a slave drive. As I speak AVG 8.0 has scanned over 133,000 files and it's only been going a few minutes!
>
> regards, Richard
>
> (... there is an Athlon 64 x6000 in my 2nd PC :-) ... I suppose that makes a difference!)
>
> "Geoff" <geoff@invalid.invalid> wrote in message news:qcoae4hs758lertggjdck4h6tba5no13if@4ax.com...
>
>> On Thu, 2 Oct 2008 23:31:03 +0100, "RJK" <notatospam@hotmail.com> wrote:
>>
>>> It turned out to be:
>>> http://www.threatexpert.com/report.aspx?ui...11-42e9c180a17f
>>>
>>> Multi-AV Kaspersky CLS deleted:
>>> c:\docume~1\alluse~1\applic~1\aboutt~1\extrap~1.exe
>>>
>>> Yesterday during my hotch-potch approach, PrevX had located a file that I didn't note the name of; there were about five files in that folder including one called "FileBoob.exe" and I deleted those myself.
>>>
>>> "boob" in a filename seems to tally with info on the above URL.
>>>
>>> Ooooh, how I wish I'd let Kaspersky CLS finish its sweep ... had to start it again!
>>>
>>> ... have been reading
>>> http://www.symantec.com/security_response/...5421-99&tabid=3
>>>
>>> ... not very clear.
>>
>> LOP is a very old adware that would have been intercepted if your A-V product were not impaired or compromised in some way, either by being blocked by other malware, turned off, or not up to date. (LOP is around 5 years old now.)
>>
>> The Symantec site is very clear about its characteristics and how to remove it. If you can't eradicate it automatically I recommend you print the Technical Details and Removal pages and get to work in Safe Mode.
>>
>> As for terminating the virus scans, I don't know why you feel you must terminate them when you go to bed. I'd let them run overnight or get up early and let them run while I did other things. There is no real reason to sit there and watch them unless they are popping up so many dialogs that you have to click them to make progress. In that case I think you are fighting a demon and you need to format the hard drive and reinstall and call it a lost cause. I wouldn't trust anything on that disk if such is the case.
>>
>> My wife let her brother use her notebook computer in Asia on a trip. The A-V was not up to date. When she finally brought it home it had some 640+ infected files with all kinds of malware and viruses on it. (WANSO was the main demon.) I fought with that machine for 3 days and finally got smart and pulled the HDD out and scanned it with my computer's tools. That finally eliminated the infection and preserved the data. I installed a better A-V product (NOD32) and demoted her account to disallow program installations. Anything she needs on there, I can install and test for her.
>>
>> I strongly recommend you scan that hard disk with a known clean system, since you cannot trust A-V's on the active system, since they ALL should have detected LOP by this time.
Guest RJK Posted October 3, 2008

BTW, I did take on board Geoff's advice that, in as many words, the malware could be "hiding" when av-cls is running, even in Safe Mode, on the infected hd itself!

Having said that, and as Geoff said, the malware is 5 years old; I wonder how it got in there, because this is a machine that I "hardened up" for internet use!!! Relevant of course is that the infected owner's son installed a bunch of "free" software!!!!!

regards, Richard

"RJK" <notatospam@hotmail.com> wrote in message news:OA8sy$YJJHA.4144@TK2MSFTNGP05.phx.gbl...

> Mmmm ... seeing as things are so fast running a clean m/c, in Windows normal mode, with an infected hd attached as a slave hd, and seeing as I can scan a "specific location or folder," is it as beneficial to run the four cls's in Windows normal mode on a slave hd I:\ as it is running it in SLooooooW Safe Mode (i.e. mobo bus master drivers aren't being used etc.) on the infected Windows hd itself, if it were running in Safe Mode in its normal home / system box ... if you see what I mean!
>
> To clarify, I've done as Geoff suggested: the infected hd is connected as a slave hd in my 2nd PC (and luckily in my 2nd PC everything is SATA, meaning an unused motherboard IDE port is available), and so I'm now running a David H. Lipman Multi-AV sweep on this infected slave IDE hd, and of course it's running like lightning because the Windows platform on that PC (my 2nd PC, to which the infected hd is attached) is running in Windows normal mode ... if you see what I mean???
>
> regards, Richard
>
> "RJK" <notatospam@hotmail.com> wrote in message news:%23MzBfsYJJHA.5992@TK2MSFTNGP04.phx.gbl...
>
>> Here we go again; this evening I'm in a "put some effort into it" mood!
>>
>> I've pulled the hd out and attached it to the unused motherboard IDE port in my 2nd PC, and tweaked the BIOS so that it's in the BIOS list of hd's.
>>
>> XP Home ed. allocated it the letter I:\ ... and AVG 8.0 full internet security suite is doing its "thing" on it, i.e. a full anti-everything sweep! :-)
>>
>> After this, I suppose I ought to run David H. Lipman's Multi-AV / av-cls 4 cls's, which should run at lightning speed seeing as my "clean" 2nd PC is treating the infected hd as a slave drive. As I speak AVG 8.0 has scanned over 133,000 files and it's only been going a few minutes!
>>
>> regards, Richard
>>
>> (... there is an Athlon 64 x6000 in my 2nd PC :-) ... I suppose that makes a difference!)
>>
>> "Geoff" <geoff@invalid.invalid> wrote in message news:qcoae4hs758lertggjdck4h6tba5no13if@4ax.com...
>>
>>> On Thu, 2 Oct 2008 23:31:03 +0100, "RJK" <notatospam@hotmail.com> wrote:
>>>
>>>> It turned out to be:
>>>> http://www.threatexpert.com/report.aspx?ui...11-42e9c180a17f
>>>>
>>>> Multi-AV Kaspersky CLS deleted:
>>>> c:\docume~1\alluse~1\applic~1\aboutt~1\extrap~1.exe
>>>>
>>>> Yesterday during my hotch-potch approach, PrevX had located a file that I didn't note the name of; there were about five files in that folder including one called "FileBoob.exe" and I deleted those myself.
>>>>
>>>> "boob" in a filename seems to tally with info on the above URL.
>>>>
>>>> Ooooh, how I wish I'd let Kaspersky CLS finish its sweep ... had to start it again!
>>>>
>>>> ... have been reading
>>>> http://www.symantec.com/security_response/...5421-99&tabid=3
>>>>
>>>> ... not very clear.
>>>
>>> LOP is a very old adware that would have been intercepted if your A-V product were not impaired or compromised in some way, either by being blocked by other malware, turned off, or not up to date. (LOP is around 5 years old now.)
>>>
>>> The Symantec site is very clear about its characteristics and how to remove it. If you can't eradicate it automatically I recommend you print the Technical Details and Removal pages and get to work in Safe Mode.
>>>
>>> As for terminating the virus scans, I don't know why you feel you must terminate them when you go to bed. I'd let them run overnight or get up early and let them run while I did other things. There is no real reason to sit there and watch them unless they are popping up so many dialogs that you have to click them to make progress. In that case I think you are fighting a demon and you need to format the hard drive and reinstall and call it a lost cause. I wouldn't trust anything on that disk if such is the case.
>>>
>>> My wife let her brother use her notebook computer in Asia on a trip. The A-V was not up to date. When she finally brought it home it had some 640+ infected files with all kinds of malware and viruses on it. (WANSO was the main demon.) I fought with that machine for 3 days and finally got smart and pulled the HDD out and scanned it with my computer's tools. That finally eliminated the infection and preserved the data. I installed a better A-V product (NOD32) and demoted her account to disallow program installations. Anything she needs on there, I can install and test for her.
>>>
>>> I strongly recommend you scan that hard disk with a known clean system, since you cannot trust A-V's on the active system, since they ALL should have detected LOP by this time.
Guest David H. Lipman Posted October 3, 2008

From: "RJK" <notatospam@hotmail.com>

| Mmmm ... seeing as things are so fast running a clean m/c, in Windows normal mode, with an infected hd attached as a slave hd, and seeing as I can scan a "specific location or folder," is it as beneficial to run the four cls's in Windows normal mode on a slave hd I:\ as it is running it in SLooooooW Safe Mode (i.e. mobo bus master drivers aren't being used etc.) on the infected Windows hd itself, if it were running in Safe Mode in its normal home / system box ... if you see what I mean!

| To clarify, I've done as Geoff suggested: the infected hd is connected as a slave hd in my 2nd PC (and luckily in my 2nd PC everything is SATA, meaning an unused motherboard IDE port is available), and so I'm now running a David H. Lipman Multi-AV sweep on this infected slave IDE hd, and of course it's running like lightning because the Windows platform on that PC (my 2nd PC, to which the infected hd is attached) is running in Windows normal mode ... if you see what I mean???

| regards, Richard

There is ONE major drawback!

If you use a surrogate PC to scan a hard drive extracted from an infected PC, you may scan and find files BUT... when it looks to the Registry to clean/fix alterations, it will be done on the surrogate's Registry and not the Registry of the affected hard drive.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
Guest David H. Lipman Posted October 3, 2008

From: "RJK" <notatospam@hotmail.com>

| BTW, I did take on board Geoff's advice that, in as many words, the malware could be "hiding" when av-cls is running, even in Safe Mode, on the infected hd itself!

| Having said that, and as Geoff said, the malware is 5 years old; I wonder how it got in there, because this is a machine that I "hardened up" for internet use!!! Relevant of course is that the infected owner's son installed a bunch of "free" software!!!!!

Easy, Richard. It can be a new variant of Lop or mislabeled as a Lop trojan.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
Guest RJK Posted October 3, 2008

> There is ONE major drawback!
>
> If you use a surrogate PC to scan a hard drive extracted from an infected PC, you may scan and find files BUT... when it looks to the Registry to clean/fix alterations, it will be done on the surrogate's Registry and not the Registry of the affected hard drive.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

HUGE thanx for that, I shall bear that in mind (registry clean/fix/alterations will be directed to the surrogate PC's XP registry).

... AVG 8.0 Internet Security sweep, "paid for version" (including spyware/rootkit sweeps), came up with nothing.

I wonder if AVG 8.0 would have found what PrevX did yesterday, i.e. the "Infostyle" directory containing, as PrevX labelled it, "fraudulent software detected" ... {"pay now to fix it" LOL ... just a little comment from me} ... including a file called fileboob.exe. I can't get at the recycle bin on the infected drive to get the filenames (I don't think) until it's booted up, back in its home system box!

regards, Richard
Guest Geoff Posted October 4, 2008

On Fri, 3 Oct 2008 22:21:34 +0100, "RJK" <notatospam@hotmail.com> wrote:

>> There is ONE major drawback!
>>
>> If you use a surrogate PC to scan a hard drive extracted from an infected PC, you may scan and find files BUT... when it looks to the Registry to clean/fix alterations, it will be done on the surrogate's Registry and not the Registry of the affected hard drive.
>>
>> --
>> Dave
>> http://www.claymania.com/removal-trojan-adware.html
>> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
>
> HUGE thanx for that, I shall bear that in mind (registry clean/fix/alterations will be directed to the surrogate PC's XP registry).
>
> ... AVG 8.0 Internet Security sweep, "paid for version" (including spyware/rootkit sweeps), came up with nothing.
>
> I wonder if AVG 8.0 would have found what PrevX did yesterday, i.e. the "Infostyle" directory containing, as PrevX labelled it, "fraudulent software detected" ... {"pay now to fix it" LOL ... just a little comment from me} ... including a file called fileboob.exe. I can't get at the recycle bin on the infected drive to get the filenames (I don't think) until it's booted up, back in its home system box!

Hopefully the files were not deleted to the recycle bin but were deleted forever so they can't be recovered accidentally.

I think you will find the system doesn't have the popups and malware now. Any programs targeted to run at boot in the registry will fail. Now you can safely clean the registry of the keys pointing to those files with conventional scanners like CCleaner or Ad-Aware. Don't forget to make sure the IE or any other browser temp file folders are cleaned too.

Once you have safely killed the files that are protecting themselves and the registry keys they depend on, the cleanup of bad keys is relatively easy in the live system in the original machine.
Guest David H. Lipman Posted October 4, 2008

From: "Geoff" <geoff@invalid.invalid>

| Hopefully the files were not deleted to the recycle bin but were deleted forever so they can't be recovered accidentally.

| I think you will find the system doesn't have the popups and malware now. Any programs targeted to run at boot in the registry will fail. Now you can safely clean the registry of the keys pointing to those files with conventional scanners like CCleaner or Ad-Aware. Don't forget to make sure the IE or any other browser temp file folders are cleaned too.

| Once you have safely killed the files that are protecting themselves and the registry keys they depend on, the cleanup of bad keys is relatively easy in the live system in the original machine.

Maybe the easy RUN type keys but not keys such as in LSA. You also have to consider that there are load-time DLL keys that can be inserted, and thus if the DLLs are removed the OS will no longer boot and will fail in a BSoD complaining that a needed DLL could not be found.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
Guest Geoff Posted October 4, 2008

On Fri, 3 Oct 2008 20:53:15 -0400, "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote:

> From: "Geoff" <geoff@invalid.invalid>
>
> | Hopefully the files were not deleted to the recycle bin but were deleted forever so they can't be recovered accidentally.
>
> | I think you will find the system doesn't have the popups and malware now. Any programs targeted to run at boot in the registry will fail. Now you can safely clean the registry of the keys pointing to those files with conventional scanners like CCleaner or Ad-Aware. Don't forget to make sure the IE or any other browser temp file folders are cleaned too.
>
> | Once you have safely killed the files that are protecting themselves and the registry keys they depend on, the cleanup of bad keys is relatively easy in the live system in the original machine.
>
> Maybe the easy RUN type keys but not keys such as in LSA. You also have to consider that there are load-time DLL keys that can be inserted, and thus if the DLLs are removed the OS will no longer boot and will fail in a BSoD complaining that a needed DLL could not be found.

Which is why I recommended Autoruns in the first place, since it allows easy access to and backup of such keys. You can even turn them off with a checkbox before deleting the key itself if you find you need to restore it. Autoruns even works in Safe Mode, so if it did BSOD he would still be able to fix it there. There are actually very few DLLs that, if missing, will cause a BSOD or that couldn't be properly reinstalled with their authentic executables by running "SFC /scannow" in Safe Mode or command-line-only mode. If it gets that bad, a relevel and reinstall was in the making anyway. If that were the case, slaving it and pulling off any user-essential data and programs would be a necessary part of the process, since a known clean system would be needed to be sure the backup was trustworthy.
Guest David H. Lipman Posted October 4, 2008

From: "Geoff" <geoff@invalid.invalid>

| Which is why I recommended Autoruns in the first place, since it allows easy access to and backup of such keys. You can even turn them off with a checkbox before deleting the key itself if you find you need to restore it. Autoruns even works in Safe Mode, so if it did BSOD he would still be able to fix it there. There are actually very few DLLs that, if missing, will cause a BSOD or that couldn't be properly reinstalled with their authentic executables by running "SFC /scannow" in Safe Mode or command-line-only mode. If it gets that bad, a relevel and reinstall was in the making anyway. If that were the case, slaving it and pulling off any user-essential data and programs would be a necessary part of the process, since a known clean system would be needed to be sure the backup was trustworthy.

The key I am thinking about will not be shown in AutoRuns. The DLL would be named such as base????32.dll (ex. basevml32.dll).

This is a SubSys trojan, and with this trojan it would be inserted into the following registry key:

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\windows

and would become part of a DLL load chain. The name of the malware DLL would be inserted into the registry key (such as ServerDll=basevml32). If you deleted the trojan by putting the drive in a surrogate PC or by using the Recovery Console, the PC would boot into a BSoD complaining that the DLL could not be found.

Example NT Stop Error:

STOP: c0000135 {Unable To Locate Component}
This application has failed to start because basevml32 was not found. Re-installing the application may fix this problem.

It loads via...

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\windows

Example of text in an infected PC:
-----------------------------------
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512,512 Windows=On SubSystemType=Windows ServerDll=basevml32,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

Example of correct text:
----------------------------
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

The above is a real-world example taken from my notes. AutoRuns and the System File Checker are useless in the above scenario. The ONLY way to fix it is either copy basesrv.dll to basevml32.dll in the Recovery Console or, preferably, load the infected OS and edit the registry and reboot, then delete basevml32.dll.

I mention the above because many presume placing an affected drive in a surrogate PC is one of the best ways to deal with removing malware that may be loaded at run-time. However, if you do, when you run the anti-malware software it will not correct the registry of the OS of the affected drive and may leave the OS of the affected drive impotent.

I am NOT saying placing an affected drive in a surrogate PC is not a good methodology. I am saying that it can have drawbacks and you must be prepared for them.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
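The csrss.exe server-DLL chain David describes is easy to audit by hand once you know where to look, and just as easy to check with a script. The following is an added example, not code posted in the thread by David or anyone else. It parses the text of the "Windows" value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems, lists each ServerDll entry, flags any module that is not one of the stock XP-era server DLLs (basesrv, winsrv; this allowlist is an assumption for 2000/XP/2003 with no third-party subsystem installed), and produces the corrected value text the way David's fix does, by putting basesrv back into the slot the trojan occupied. The infected and correct values are the ones quoted in his post; the `reg query` output sample and its layout (name, type, data separated by whitespace) are constructed for the example.

```python
"""Audit the SubSystems\\Windows value for rogue csrss server DLLs.

Added example for the thread above; not code from the thread. Parses the
REG_EXPAND_SZ data of
  HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\SubSystems\\Windows
and flags ServerDll= entries that are not stock server DLLs.
"""
import re

# Stock csrss server DLLs on Windows 2000/XP/2003.
# Assumption: no legitimate third-party subsystem is installed.
KNOWN_GOOD_SERVER_DLLS = {"basesrv", "winsrv"}

# Matches ServerDll=<module>[:<init routine>][,<load index>]
SERVER_DLL_RE = re.compile(r"ServerDll=([^:,\s]+)(?::[^,\s]*)?(?:,(\d+))?")

# Value text from an infected PC, as quoted in David's post.
INFECTED = (
    "%SystemRoot%\\system32\\csrss.exe ObjectDirectory=\\Windows "
    "SharedSection=1024,3072,512,512 Windows=On SubSystemType=Windows "
    "ServerDll=basevml32,1 ServerDll=winsrv:UserServerDllInitialization,3 "
    "ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off "
    "MaxRequestThreads=16"
)

# Correct value text, also as quoted in the post.
CLEAN = (
    "%SystemRoot%\\system32\\csrss.exe ObjectDirectory=\\Windows "
    "SharedSection=1024,3072,512,512 Windows=On SubSystemType=Windows "
    "ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 "
    "ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off "
    "MaxRequestThreads=16"
)

# Constructed sample of `reg query "<key>" /v Windows` output (layout of
# name / type / data separated by whitespace is an assumption about reg.exe).
SAMPLE_REG_QUERY = (
    "\r\n"
    "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\SubSystems\r\n"
    "    Windows    REG_EXPAND_SZ    " + INFECTED + "\r\n"
)


def value_from_reg_query(output):
    """Pull the REG_EXPAND_SZ data out of `reg query` output; None if absent."""
    for line in output.splitlines():
        if "REG_EXPAND_SZ" in line:
            return line.split("REG_EXPAND_SZ", 1)[1].strip()
    return None


def parse_server_dlls(value):
    """Return [(module, load index), ...] for every ServerDll= entry, in order."""
    return [
        (m.group(1).lower(), int(m.group(2)) if m.group(2) else None)
        for m in SERVER_DLL_RE.finditer(value)
    ]


def find_rogue_server_dlls(value, known_good=KNOWN_GOOD_SERVER_DLLS):
    """Modules in the csrss load chain that are not stock server DLLs."""
    return [module for module, _ in parse_server_dlls(value) if module not in known_good]


def repaired_value(value, known_good=KNOWN_GOOD_SERVER_DLLS):
    """Rewrite each rogue ServerDll entry back to basesrv, keeping its load index.

    Mirrors David's fix (edit the value, reboot, then delete the DLL) and assumes,
    as in his example, that the trojan took basesrv's slot. Review the result
    before writing it back, and never delete the DLL before the value is fixed.
    """
    def fix(m):
        if m.group(1).lower() in known_good:
            return m.group(0)
        index = ",%s" % m.group(2) if m.group(2) else ""
        return "ServerDll=basesrv" + index
    return SERVER_DLL_RE.sub(fix, value)


if __name__ == "__main__":
    value = value_from_reg_query(SAMPLE_REG_QUERY)
    rogue = find_rogue_server_dlls(value)
    print("ServerDll chain:", parse_server_dlls(value))
    print("rogue entries:", rogue or "none")
    if rogue:
        print("repaired value:\n ", repaired_value(value))
```

To run this against a slaved drive from the surrogate PC rather than the live system, load the affected SYSTEM hive first (`reg load HKLM\Offline I:\WINDOWS\system32\config\system`), read which control set is current from HKLM\Offline\Select\Current, query HKLM\Offline\ControlSet00N\Control\Session Manager\SubSystems /v Windows, feed that output to `value_from_reg_query`, and `reg unload HKLM\Offline` when done. That is the point David is making: the scanner on the surrogate only ever sees the surrogate's own hives unless you mount the other one explicitly.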
Guest RJK Posted October 6, 2008

Hello there ! ...after a considerable number of anti-malware sweeps, all seems fine. I know this will sound daft but, early on, (on this particular machine), I "sensed" that this was a "not too dangerous" ad-ware payload, that had been installed alongside some downloaded "free" application software. i.e. A little bit of knowledge and a good sixth sense goes a LONG way !!!!!

I didn't fancy zero filling the hd, and installing from scratch - I would have been on that machine forever, and there is a "son" involved that is going to destroy my work, come what may, ...on the aforementioned PC !!!

I did have a full Symantec Norton Ghost backup in place, on his 2nd hd, and could easily have restored that. This backup was only a few weeks old but, would have meant the loss of some work that the owner's wife had done, on the PC.

...so I pondered on running the XP "Transfer My Files and Setting" wizard, out to 2nd HD, restoring the aforementioned Norton BU and then restoring the aforementioned wizard's archive, but, I didn't fancy doing that either !!!

...I suspect that the PC will be coming back to me, infested with more malware, ..though the owner has been supplied with several printouts on safe-web surfing practices, and instructions on how to control his offspring :-)

regards, Richard

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message news:eBR9CshJJHA.1968@TK2MSFTNGP06.phx.gbl...

> From: "Geoff" <geoff@invalid.invalid>
>
> | Which is why I recommended Autoruns in the first place since it allows easy
> | access to and backup of such keys. You can even turn them off with a
> | checkbox before deleting the key itself if you find you need to restore it.
> | Autoruns even works in Safe Mode so if it did BSOD he would still be able
> | to fix it there. There are actually very few DLLs that, if missing, will
> | cause a BSOD or that couldn't be properly reinstalled with their authentic
> | executables by running "SFC /scannow" in safe mode or command line only
> | mode. If it gets that bad, a relevel and reinstall was in the making
> | anyway. If that were the case, slaving it, pulling off any user essential
> | data and programs would be a necessary part of the process since a known
> | clean system would be needed to be sure the backup was trustworthy.
>
> The key I am thinking about will not be shown in AutoRuns. The DLL would be named such as; base????32.dll (ex. basevml32.dll)
>
> This is a SubSys trojan and with this trojan, it would be inserted into the following registry key;
> HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\windows
> and would become part of a DLL load chain. The name of the malware DLL would be inserted into the registry key (such as; ServerDll=basevml32). If you deleted the trojan by putting the drive in a surrogate PC or by using the Recovery Console the PC would boot into a BSoD complaining that the DLL could not be found.
>
> Example NT Stop Error:
> STOP: c0000135 {Unable To Locate Component}
> This application has failed to start because basevml32 was not found. Re-installing the application may fix this problem.
>
> It loads via...
> HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\windows
>
> Example of text in an infected PC:
> -----------------------------------
> %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512,512 Windows=On SubSystemType=Windows ServerDll=basevml32,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16
>
> Example of correct text:
> ----------------------------
> %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16
>
> The above is a real world example taken from my notes. AutoRuns and the System File Checker are useless in the above scenario. The ONLY way to fix it is either copy basesrv.dll to basevml32.dll in the Recovery Console or preferably load the infected OS and edit the registry and reboot then delete basevml32.dll.
>
> I mention the above because many presume placing an affected drive in a surrogate PC is one of the best ways to deal with removing malware that may be loaded at run-time. However, if you do, when you run the Anti malware software it will not correct the registry of the OS of the affected drive and may leave the OS of the affected drive impotent. I am NOT saying placing an affected drive in a surrogate PC is not a good methodology. I am saying that it can have drawbacks and you must be prepared for them.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
Guest David H. Lipman Posted October 6, 2008

From: "RJK" <notatospam@hotmail.com>

| Hello there ! ...after a considerable number of anti-malware sweeps, all
| seems fine. I know this will sound daft but, early on, (on this particular
| machine), I "sensed" that this was a "not too dangerous" ad-ware payload,
| that had been installed alongside some downloaded "free" application
| software. i.e. A little bit of knowledge and a good sixth sense goes a
| LONG way !!!!!
| I didn't fancy zero filling the hd, and installing from scratch - I would
| have been on that machine forever, and there is a "son" involved that is
| going to destroy my work, come what may, ...on the aforementioned PC !!!
| I did have a full Symantec Norton Ghost backup in place, on his 2nd hd,
| and could easily have restored that. This backup was only a few weeks old
| but, would have meant the loss of some work that the owner's wife had done,
| on the PC.
| ...so I pondered on running the XP "Transfer My Files and Setting" wizard,
| out to 2nd HD, restoring the aforementioned Norton BU and then restoring the
| aforementioned wizard's archive, but, I didn't fancy doing that either !!!
| ...I suspect that the PC will be coming back to me, infested with more
| malware, ..though the owner has been supplied with several printouts on
| safe-web surfing practices, and instructions on how to control his offspring :-)
| regards, Richard

Best 'o luck with them Richard. :-)

All the best to you as well.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp