I use a three-pronged approach that I keep stored on a small USB thumb drive that is labeled VIRUS CLEANER... First, I run Malwarebytes. After Malwarebytes, I run Combofix (download from bleepingcomputers.com, NOT combofix.org). After that, I install Avast and have it run a boot-time scan. After it has booted up again, I run Malwarebytes again.
9 times out of 10, my work is done at this point....

--
Matt Cross
mailto:[email protected]

On Thu, Oct 8, 2009 at 12:31 PM, James Kerr <[email protected]> wrote:

> +1 but run it with the box in safe mode.
>
> James
>
> ----- Original Message -----
> *From:* John Aldrich <[email protected]>
> *To:* NT System Admin Issues <[email protected]>
> *Sent:* Thursday, October 08, 2009 12:24 PM
> *Subject:* RE: infected box
>
> Malwarebytes.com is your friend. If that doesn’t do it, I don’t know what else to suggest. You could always try booting off a VipreRescue disk and see if that cleans it.
>
> *From:* Len Hammond [mailto:[email protected]]
> *Sent:* Thursday, October 08, 2009 12:13 PM
> *To:* NT System Admin Issues
> *Subject:* infected box
>
> Hi people,
>
> I have a client with an infected box. It seems to have the "SafeFighter" trojan. Vipre says that it blocked the installation of it but it has pop-ups wanting you to register the SafeFighter product to clean it out. It also puts up a false "Microsoft Security Center" window telling you that your firewall is ON and your virus protection is OFF or non-existent. When viewing the 'real' Security Center you find that Vipre is listed and running and the firewall is off as the settings dictate as the unit is behind a network firewall. And when you visit Vipre it is scanning with no items listed, and it has two items in the blocked area but nothing in the Quarantine or anywhere else. These pop-ups come every few minutes. I would like to stop the pop-ups long enough to back up data and flatten the box and install Win7 in a couple of weeks when Win7 is released.
>
> Does anyone have a manual method of removing this rascal? Everything I've found on the web is wanting you to buy their product to do it. I may have to call Sunbelt to get their method? But Vipre says that it blocked it but something is still running. Maybe I'll just reboot and see if it is only in memory and the pop-ups go away.
>
> Anyone with thoughts for temp help. I know that a rebuild is the only sure way to cleanliness - just not today.
>
> Len Hammond
> CSI:Hartland
> [email protected]
