The virus has somehow modified permissions to stop AV programs [ and certain
others with error message insufficient permissions ] from running. I tricked
it by installing to alternate directories, like program files\malwarebytes2
and programfiles\HJT2, and have run these in safe mode. Mbam told me that it
found 6 trojans, and removed them, but I still cannot boot to the destop
with icons again. I see only the wallpaper when booted up. [ nothing in
safemode except the safemode stamps in the corners ]
I cannot find the gpedit.msc. I cannot open windows explorer to allow hidden
files to show.
I can open mmc.msc, but cannot find the gpedit snap-on available.
I ran the latest McAfee Stinger. Found nothing. Ran mbam full scan found no
additional viruses.
Process list is very clean: Very little cpu activity is seen . Every process
is at zero after booting. It is so clean that I suspect somebody else has
come in and cleaned the extraneous processes.
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis2\HijackThis.exe
The HJT log shows that there is lots of BHOs, other entrys etc, and I can
see nothing unusual in it, but as above, when booted, no activity is noted.
--
Tommy
UBCD4Win (http://www.ubcd4win.com) has a utility in the install directory
that will let you create a USB drive that you can boot off of and run win.
I believe you can even modify it to run AV
If you like linux, Fedora has a new tool out that will do the same thing,
expect with linux. (https://fedorahosted.org/liveusb-creator/)
I would reccomend ClamAV for the Linux distro, it's free and it's good.
Once you are booted off of the jump drive run the A/V scan that comes with
it on you internal HDD and clean it up that way.
That is all if you can't get into the HDD. Once you do get into the HDD,
try running TrendMicro's Houscall (http://housecall.trendmicro.com/) and
Kaspersky's (it's down right now) online A/V tool. The reason I like
running the online programs for cleaning an infected machine is that 1)
you know it's going to be clean 2) you can run multiple programs w/o
having to worry about installing them on your machine (you can only have
one A/V program)
Once I get the online A/V scans done I install my A/V program, I usually
use either AVG Free (http://free.avg.com/us-en/homepage) or the A/V
program included in Iolo's System Mechanic Pro (http://www.iolo.com/). I
REALLY like Iolo, lots of great tools to help you out for a not too bad
price. I also know that used to (don't know if this still works) if you
downloaded the demo and then bought the product through the demo, you
could save like half of the price.
Once you get all of that done, it's time for the Malware scanners. I
usually use a cocktail, Adaware by Lavasoft, Spybot Search and Destroy and
Windows Defender. With those three you'll catch just about everything. I
then usually leave Spybot SnD on there, it's got some useful tools under
the advanced settings.
CuMo
-------------------------------------
tommy wrote:
> I have an XP home pc, 2.5ghz, 500mb system that I cannot restore a
> normal
> windows screen to. It boots to a desktop wallpaper, no icons, no
> taskbar, no
> systray. Have to use task manager to run programs [ with the
> "create new
> task / run" function ].
> The virus has somehow modified permissions to stop AV programs [ and
> certain
> others with error message insufficient permissions ] from running. I
> tricked
> it by installing to alternate directories, like program
> filesmalwarebytes2
> and programfilesHJT2, and have run these in safe mode. Mbam told me
> that it
> found 6 trojans, and removed them, but I still cannot boot to the
> destop
> with icons again. I see only the wallpaper when booted up. [ nothing
> in
> safemode except the safemode stamps in the corners ]
> I cannot find the gpedit.msc. I cannot open windows explorer to allow
> hidden
> files to show.
> I can open mmc.msc, but cannot find the gpedit snap-on available.
> I ran the latest McAfee Stinger. Found nothing. Ran mbam full scan
> found no
> additional viruses.
> Process list is very clean: Very little cpu activity is seen . Every
> process
> is at zero after booting. It is so clean that I suspect somebody else
> has
> come in and cleaned the extraneous processes.
> Running processes:
> C:WINDOWSSystem32smss.exe
> C:WINDOWSsystem32winlogon.exe
> C:WINDOWSsystem32services.exe
> C:WINDOWSsystem32lsass.exe
> C:WINDOWSsystem32svchost.exe
> C:WINDOWSsystem32taskmgr.exe
> C:WINDOWSsystem32ctfmon.exe
> C:Program FilesTrend MicroHijackThis2HijackThis.exe
"CuMorrigu" <mbrast_at_g...@foo.com> wrote in message
news:7684d$4ad8a1e0$4834ce0a$12...@news.flashnewsgroups.com...
>
>I have an XP home pc, 2.5ghz, 500mb system that I cannot restore a normal
>windows screen to. It boots to a desktop wallpaper, no icons, no
taskbar, no
>systray. Have to use task manager to run programs [ with the "create new
>task / run" function ].
>
>The virus has somehow modified permissions to stop AV programs [ and
certain
Snipped
When are people going to learn to get themselves a program like Acronis
True Image, or some other which backs up the entire disk, and use it
immediately after installing Windows, and then make incremental backups
as they install more software. It is such a simple solution to this
horrible problem of computers being turned into paperweights by malware.
Yes, I know it's hindsight in this case, but maybe someone will get a
hint from this and install True Image or Norton's Ghost *before* the
same happens to them. Everybody on Usenet is not an old hand. There are
such things as newbies.
Had the same problem, managed to cure the system 99.99% (the "Turn
computer off" button is still not visible on the welcome screen). It
took me the better part of two _long_ days. But I'll tell you, it's
better to flatten and rebuild. So that's what I recommend.
You may be able to boot off an external drive, CD/DVD, or USB stick, and
burn data to a DVD or two. If so, don't be tempted to repair.
FWIW, Stopzilla found and repaired the corrupted registry entries, after
which other anti-malware programs functioned. I would _not_ recommend
Stopzilla as a regular AV program; it's close to being malware itself.
When you do rebuild then:
a) create a data partition, and save _all_ data on it. Modify
applications default settings to save to suitable folders on that data
expeditionary, and/or do a manual copy from My Documents and the other
stoopid default data locations.
b) get a partition backup program, and create system partition images at
regular intervals.
HTH
wolf k.
ASCII wrote:
> tommy wrote:
>>
>> I have an XP home pc,
>
> <~~~>
>
>> I cannot find the gpedit.msc.
>
> I didn't think the group policy editor came in the home edition,
> unless you put it in later as I did http://tinyurl.com/gpedit-msc
>
>> The HJT log shows that there is lots of BHOs, other entrys etc, and
>> I can see nothing unusual in it,
>
> Lots of BHO's aren't unusual?
9 BHOs
if you want to see it [ I know this isn't the usual place to post it ]
here it is, see if you see anything [ sending to your email addr ]
Your effete use of "fora" exposes you as a posturing
arty farty pansy.
| "I employ a bogus email addy"
Your constant whining about anons in newsgroups
exposes you as a hypocrite and a 24 karat dipshit.
Having trouble understanding plurals?
"forUMS". Look it up, FromTheRafta.
Is "flora" the singular of `"florums"?
"fora" is used by faggot posers who think they know Latin.
Well, the plural of "forum" is either forums or fora.
http://www.yourdictionary.com/forum
although the choice of "fora" in the original context is certainly
pretentious in that the OP is attempting to show a degree of erudition
that he obviously lacks. It's as if he stood up to say "... see how
smart I am, I know that "forum" is a singular Latin word whose plural
form is "fora"... thereby paradoxically showing his ignorance.
Generally where both Latin and English plural forms of a word exist,
the Latin is more appropriate to a scientific forum in which Latin
terms are common, whereas the English form is generally used in
non-scientific forums, such as this one. Unless of cause one wants to
be seen as pretentious.
--
I filter all messages from google groups.
If enough people say it wrong, it becomes added to the dictionaries due
to common usage.
- doesn't make it right.
It reminds me of some advertisements for "Rosetta Stone" language
learning software. In one guy's testimonial he states that he's used all
of the other mediums for learning new languages.
...but why go to all of those psychics just to learn French?
So.. it's "forums" if you want to appear uneducated and "fora" if not?
> Is "flora" the singular of `"florums"?
Non sequitur (more Latin - look it up). We're not attempting to show
that "fora" is the singular of "forums" so adding the "L" only makes you
appear to have lost the train of thought here (no surprise). Try to stay
on track there will ya? ;o)
> "fora" is used by faggot posers who think they know Latin.
That may be true, but it does not follow that *all* users of what is
arguably the more correct form are propping up bunches of sticks for
some photo op. You will find people doing this with stalks (cornstalks
specifically) around this time of year, hereabouts (this ones English,
but you may need to look *it* up as well).
> You really are a bunch of sad bastards!
Your computer is infected with virii!
--
-bts
-Friends don't let friends drive Windows
| On Sat, 17 Oct 2009 14:47:50 -0400, "Beauregard T. Shagnasty"
| <a.non...@example.invalid> wrote:
>>Jerry wrote:
>>> You really are a bunch of sad bastards!
>>Your computer is infected with virii!
| Virii are the flora of the fora.
| ROTFL
| --
| Fred W. (NL)
Bwahahahahahahaha :-)
--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
I am now running Sophos under Multi-AV. I tricked the virus again by
changing the name of Startmenu to Startmenu2 after copying the AV-CLS folder
to the target. Its been hours. I am going to try them all, but since MBAM
usually gets this stuff, I will be amazed if its cleared up the whole
problem..
Sophos found nothing except some [ minor?] corrupted files. > 8 hrs scanning
Trend found 1 [ minor? ] spyware item . Still no improvement.
I am going to try searching for registry items after McAfee and KAV
MultiAV is a nice idea.
vira
idiot (plural - idii)
GOOD ONE!
Did you change the spelling of your name from Latin to American
because you're Latin American or because "Shagnasti" is the plural
of "Shagnastus"?
Wassamatter Poxic? You still infected with e-colus?
It means "no pruning snipper".
| On Sun, 18 Oct 2009 17:55:01 +0200 (CEST), noauth
| <an...@remailer.gabrix.ath.cx> wrote:
>>vira
| Wrong.
| Viri is multiple of virus.
No.
http://homepages.tesco.net/~J.deBoynePollard/FGA/plural-of-virus.html
http://linuxmafia.com/~rick/faq/plural-of-virus.html
Hoc verbum spero ultimum esse.
wolf k.
forii
Il mittente di questo messaggio|The sender address of this
non corrisponde ad un utente |message is not related to a real
reale ma all'indirizzo fittizio|person but to a fake address of an
di un sistema anonimizzatore |anonymous system
Per maggiori informazioni |For more info
https://www.mixmaster.it
It was a VIRus forUM in old Rome about 70 years B.C.
medii
Media is already plural - no need to change it to anything else.
A group of mediumshippers are mediums.
"is" (alt.comp.pedantry).
A group of mediashitters are ASCII and Toxic.
Bill Clinton employed a team of Lickin Sexretaries!
(All female)
> His Holiness communicates to the world in Latin.
His Holeingress mastubates to the word in Latin.
"I did not have sexual relations with that Cardinal,
Father Lewinsky."
Absolutely! I should have said that the individuals in a group of
mediumshippers are mediums.
Q. Why did the cannibal undercook the fortune teller.
A. He liked his medium rare.
The cannibal studied at Eton.
The medium was.
Your bum receives hot sperm with ultimate ease.
> From: "FredW" <fr...@blackholespam.net>
>
>| On Sun, 18 Oct 2009 17:55:01 +0200 (CEST), noauth
>| <an...@remailer.gabrix.ath.cx> wrote:
>
>
>>>"Beauregard T. Shagnasty" <a.non...@example.invalid>
>>>wrote in message
>>>news:hbd3gm$vfv$1...@news.eternal-september.org...
>>>> Jerry wrote:
>
>>>>> You really are a bunch of sad bastards!
>
>>>> Your computer is infected with virii!
>
>>>vira
>
>
>| Wrong.
>
>
>| Viri is multiple of virus.
>
>
> No.
> http://homepages.tesco.net/~J.deBoynePollard/FGA/plural-of-v
> irus.html
> http://linuxmafia.com/~rick/faq/plural-of-virus.html
>
IOW (a looong time ago, I asked):
[ quot,names "X"-d ]
Hi J,
There is no plural attested in Latin. It's an odd form, virus-
viri-neuter, (the neuter is hard to parallel, maybe analogized
to venenum-veneni-neuter [regular] = poison) which would never
give a plural virii. So viruses it is!
All best, Xxx
X.Y.Z.
Professor of Greek and Latin
Chair, Department of the Classics
Ivy L. U.
[ /quot ]
J
--
Replies to: Nherr1professor2doktor31109(at)Oyahoo(dot)Tcom
Classical Greeks take dick up the ass. So do classical Latins, but not
with such gusto.
Is that a sausage between your ass and the chair, Professor Catamite?
When the Dutch occupied Indonesia they named a Bali district "Kuta",
which an educated Dutchman like you will know that In Hollands-Latin
sprecht means "multiple vaginas", but Is the singular "Kutum" or "Kutus"?
tommy wrote:
> I have an XP home pc, 2.5ghz, 500mb system that I cannot restore a
> normal windows screen to. It boots to a desktop wallpaper, no icons,
> no taskbar, no systray. Have to use task manager to run programs [
> with the "create new task / run" function ].
>
> The virus has somehow modified permissions to stop AV programs [ and
> certain others with error message insufficient permissions ] from
> running. I tricked it by installing to alternate directories, like
> program files\malwarebytes2 and programfiles\HJT2, and have run these
> in safe mode. Mbam told me that it found 6 trojans, and removed them,
> but I still cannot boot to the destop with icons again. I see only
> the wallpaper when booted up. [ nothing in safemode except the
> safemode stamps in the corners ]
>
> I cannot find the gpedit.msc. I cannot open windows explorer to allow
> hidden files to show.
> I can open mmc.msc, but cannot find the gpedit snap-on available.
>
> I ran the latest McAfee Stinger. Found nothing. Ran mbam full scan
> found no additional viruses.
>
> Process list is very clean: Very little cpu activity is seen . Every
> process is at zero after booting. It is so clean that I suspect
> somebody else has come in and cleaned the extraneous processes.
>
> Running processes:
> C:\WINDOWS\System32\smss.exe
> C:\WINDOWS\system32\winlogon.exe
> C:\WINDOWS\system32\services.exe
> C:\WINDOWS\system32\lsass.exe
> C:\WINDOWS\system32\svchost.exe
> C:\WINDOWS\system32\taskmgr.exe
> C:\WINDOWS\system32\ctfmon.exe
> C:\Program Files\Trend Micro\HijackThis2\HijackThis.exe
>
> The HJT log shows that there is lots of BHOs, other entrys etc, and I
> can see nothing unusual in it, but as above, when booted, no activity
> is noted.
I ran all 4 av clients in Multi-Av, and still couldn't fix it that way.
It does have a D: recovery drive, and it does appear to work.
So, thats probably what will happen, using the recovery reinstall.
--
"tommy" <tommyle...@removeyahoo.dropcom> wrote in message
news:hba0pd$i4f$1...@news.eternal-september.org...
> --
> Tommy
>
>
The Central Scrutinizer wrote:
> How are you certain this was caused by a virus?
>
>
The guy said he had experienced re-direction dating back to 6 mos ago.
He has little pc experience.
There were viruses on there. Malwarebytes took off 6 of them.
Important programs were blocked by policy [permissions], including all
antivirus pgms. [ I had to change names for any AV client to run ]
He has a restore partition, but wants to do that himself.
I was able to install gpedit, but no policies had been set.
--
Tommy
--
"tommy" <tommyle...@removeyahoo.dropcom> wrote in message
news:hbpo0k$pqu$1...@news.eternal-september.org...
> On Sat, 17 Oct 2009 15:33:02 +0200, noauth wrote:
>
> "noauth" is used by faggot posers like Dave
> who think they know Shit
> but are full of it instead
>
Mom and Dad are away and left the computer unlocked again eh?
--
Dustin Cook [Malware Researcher]
MalwareBytes - http://www.malwarebytes.org
BugHunter - http://bughunter.it-mate.co.uk
>
>I have an XP home pc, 2.5ghz, 500mb system that I cannot restore a normal
>windows screen to. It boots to a desktop wallpaper, no icons, no taskbar, no
>systray. Have to use task manager to run programs [ with the "create new
>task / run" function ].
My friend, boot a nice little linux dist, move as much of your
data as you can to some other media (burn it to DVDs), then reformat,
reinstall windows. Your "executable" "open-withs" are probably all
re-directed to the bag-guy-worm/trojan.
Not much you can do, about it. Unless you don't mind weeks and
weeks of painful cleaning-up.
A linux dist with clamav or f-prot will probably clean up the
bad guy, but not the registry damage.
Format.
[]'s
Is that really 500Mb or a typo ? Or are you referring to ram ?
500 mb ram
I have used TRK Trinity Rescue Kit which is similar to what you suggest.
Do you know of more like TRK?
The kit is going to reinstall. He wants to do it himself. There is a drive
D: restore partition activated by hitting F10
I have gotten lots of these cleaned by using MBAM and followup by some other
gerneral purpose AV clients. This is just an unusually difficult one.
>Shadow wrote:
>> On Fri, 16 Oct 2009 09:42:51 -0500, "tommy"
>> <tommyle...@removeyahoo.dropcom> wrote:
>>
>> Format.
>> []'s
>> Is that really 500Mb or a typo ? Or are you referring to ram ?
>
>500 mb ram
>I have used TRK Trinity Rescue Kit which is similar to what you suggest.
>Do you know of more like TRK?
If you are not familiar with linux it is probably the best
choice. I had a brief look at the home page and it appears to be made
for these cases. But any live-cd bootable linux dist will do, slax,
puppy, LFS, even ubuntu.
If you have a fast connection, you can download f-prot or
Clamav and the latest databases to most of these (I'm sure you can
with ubuntu), to scan the harddisk. Not sure what TRK comes with.
>
>The kit is going to reinstall. He wants to do it himself. There is a drive
>D: restore partition activated by hitting F10
Good. I'd scan that D: drive first. It might be where the
bad-guy is. Use the "scan all file types" option.
>
>I have gotten lots of these cleaned by using MBAM and followup by some other
>gerneral purpose AV clients. This is just an unusually difficult one.
They always leave a "broken" system behind. Unless you are
keeping the data for "sentimental" purposes, I'd just reformat. I
still have DOS 6.2 on a partition, can't even boot it, it's there
because ... well, because :)
>
PS. Ignore the nasty guy. He's just a bot.
Suck your boyfriends dick and give your asshole a rest!
Glen wrote:
> Sell your fucking PC and give us all a rest!
>
>
>
my pc is not infected. I was finished posting on this subject, and Shadow
had to ask a question. Please read the whole thread. This is repetitive.
Interesting however. I did find that some posters on comp.security.firewalls
believe in reinstalling if even one virus appears !
Shadow wrote:
> On Fri, 23 Oct 2009 22:40:48 -0500, "tommy"
> <tommyle...@removeyahoo.dropcom> wrote:
>
>> Shadow wrote:
>>> On Fri, 16 Oct 2009 09:42:51 -0500, "tommy"
>>> <tommyle...@removeyahoo.dropcom> wrote:
>>>
>>> Format.
>>> []'s
>>> Is that really 500Mb or a typo ? Or are you referring to ram ?
>>
>> 500 mb ram
>> I have used TRK Trinity Rescue Kit which is similar to what you
>> suggest.
>> Do you know of more like TRK?
> If you are not familiar with linux it is probably the best
> choice. I had a brief look at the home page and it appears to be made
> for these cases. But any live-cd bootable linux dist will do, slax,
> puppy, LFS, even ubuntu.
> If you have a fast connection, you can download f-prot or
> Clamav and the latest databases to most of these (I'm sure you can
> with ubuntu), to scan the harddisk. Not sure what TRK comes with.
TRK includes ClamAV dos. and three others , you have to have the internet
connected to use the others.
I was hoping you were familiar with TRK or some others that have this
capability built in.
>>
>> The kit is going to reinstall. He wants to do it himself. There is a
>> drive D: restore partition activated by hitting F10
> Good. I'd scan that D: drive first. It might be where the
> bad-guy is. Use the "scan all file types" option.
Done [ not too long ago ]
They have a point in a way. Their position is that since a lot of
malware downloads and installs other malware packages, combined with the
fact that no anti-virus/malware package finds and cleans ALL malware, you
can never be sure that your computer is truly clean. In effect, since you
cannot prove a negative (that your computer is NOT infected), your only
recourse is to wipe everything clean and reinstall from a known, clean
source.
If you follow that logic just a little further, you run into other
troubling thoughts. Since new malware vectors are being found all the
time, and new malware packages that are not yet detectable are also being
released all the time, you can never _prove_ your PC is not currently
infected by some new package via a new vector. Therefore, the only
logical thing to do is to completely wipe your PC clean and reinstall
everything from a known, clean source every single day. Of course, that
is an equally silly stance.
What it all boils down to is that you need to evaluate the situation and
decide on the apropriate action for that situation. A system that is used
for basic purposes by a home user, which has had a rogueAV installed on
it and is quickly taken off the net before it is brought to you for
cleaning is one thing. A system that handles sensitive information and/or
has multiple infections including various rootkits, policy setting
changes, etc. is another thing entirely. And then there are the available
tools issues. Those who advocate "an immediate wipe and reinstall from
backup image" are completely ignoring the fact that the vast majority of
home users never _have_ a "backup image". Hell, a lot of them don't even
have OS reinstallation disks! They bought low end machines that only have
a "recovery partition" which cannot be trusted on a badly infected
machine. On the other hand, in a corporate or educational environment
where a backup image is often immediately available, it's quicker and
easier to "cure" even a minor infection by wiping and reinstalling.
The bottom line is you need to look at the system, evaluate the
situation and available tools, then make the best cost/benefit analysis
that you can. In some cases, a wipe and reinstall are called for. In
others a thorough cleaning may be called for.
Anyway, that's my 2 cents worth.....
--
Rick Simon rsi...@cris.com
Include "spam(trap)key" somewhere in the
body of any email to avoid spam filters.
IK