Provided, of course, it will boot into safe mode!

You might need to run MBytes or VIPRERescue in "regular mode" first, then 
see if you can boot into safe mode.  (Root kits are just so much fun!)

Until BIOS root kits become common, fdisk will probably clean anything 
(and you'd mentioned flattening this box).

Good luck!
--
richard

"James Kerr" <[email protected]> wrote on 10/08/2009 11:31:41 AM:

> +1 but run it with the box in safe mode.
> 
> James
> ----- Original Message ----- 
> From: John Aldrich 
> To: NT System Admin Issues 
> Sent: Thursday, October 08, 2009 12:24 PM
> Subject: RE: infected box
> 
> Malwarebytes.com is your friend. If that doesn't do it, I don't know
> what else to suggest. You could always try booting off a VipreRescue
> disk and see if that cleans it.
> 
> From: Len Hammond [mailto:[email protected]] 
> Sent: Thursday, October 08, 2009 12:13 PM
> To: NT System Admin Issues
> Subject: infected box
> 
> Hi people,
> 
> I have a client with an infected box. It seems to have the 
> "SafeFighter" trojan. Vipre says that it blocked the installation of
> it but it has pop-ups wanting you to register the SafeFighter 
> product to clean it out. It also puts up a false "Microsoft Security
> Center" window telling you that your firewall is ON and your virus 
> protection is OFF or non-existent. When viewing the 'real' Security 
> Center you find that Vipre is listed and running and the firewall is
> off as the settings dictate as the unit is behind a network 
> firewall. And when you visit Vipre it is scanning with no items 
> listed, and it has two items in the blocked area but nothing in the
> Quarantine or anywhere else. These pop-ups come every few minutes. 
> I would like to stop the pop-ups long enough to back up data and 
> flatten the box and install Win7 in a couple of weeks when Win7 is 
> released.
> 
> Does anyone have a manual method of removing this rascal? Everything
> I've found on the web is wanting you to buy their product to do it. 
> I may have to call Sunbelt to get their method? But Vipre says that 
> it blocked it but something is still running. Maybe I'll just reboot
> and see if it is only in memory and the pop-ups go away.
> 
> Anyone with thoughts for temp help. I know that a rebuild is the 
> only sure way to cleanliness - just not today.
> 
> Len Hammond
> CSI:Hartland
> [email protected]
> 