I'd be breaking a mirror, so I'm hesitant to do this.
Erik Goldoff wrote:
see my previous post, remove the hard drive, install it as
a slave in a second, known secure system, and then scan/clean it from
there without the OS on the infected drive active or in memory
On Thu, Oct 8, 2009 at 1:05 PM, wjh <[email protected]> wrote:
I've got a user's box now
that has "securitytools" fake a/v virus. It deleted Malwarebytes from
his machine. Booted into safe mode to reinstall Malwarebytes. After
installation the mbam.exe file was missing again. I also ran Avast's
bart CD and it only found two items, which did nothing to remove the
virus. Uggh. And this is a machine used for animation and video work
so days of work to rebuild it with all the software apps.
Bill
I use a three-pronged approach that I keep
stored on a small USB thumb drive that is labeled VIRUS CLEANER...
First, I run Malwarebytes. After Malwarebytes, I run
Combofix (download from bleepingcomputers.com,
NOT combofix.org). After that, I install Avast and
have it run a boot-time scan. After it has booted up again, I run
Malwarebytes again.
9 times out of 10, my work is done at this point....
--
Matt Cross
mailto: [email protected]
On Thu, Oct 8, 2009 at 12:31 PM, James Kerr <[email protected]> wrote:
+1 but run it with the box in
safe mode.
James
----- Original Message -----
Sent: Thursday, October 08, 2009 12:24 PM
Subject: RE: infected box
Malwarebytes.com is
your friend. If that doesn’t do it, I don’t know what else to suggest.
You could always try booting off a VipreRescue disk and see if that
cleans it.
 
From: Len Hammond [mailto:[email protected]]
Sent: Thursday, October 08, 2009 12:13 PM
To: NT System Admin Issues
Subject: infected box
Hi people,
I have a client with an infected box. It
seems to have the "SafeFighter" trojan. Vipre says that it blocked the
installation of it but it has pop-ups wanting you to register the
SafeFighter product to clean it out. It also puts up a false "Microsoft
Security Center" window telling you that your firewall is ON and your
virus protection is OFF or non-existent. When viewing the
'real' Security Center you find that Vipre is listed and running and
the firewall is off as the settings dictate as the unit is behind a
network firewall. And when you visit Vipre it is scanning with no items
listed, and it has two items in the blocked area but nothing in the
Quarantine or anywhere else. These pop-ups come every few minutes. I
would like to stop the pop-ups long enough to back up data and flatten
the box and install Win7 in a couple of weeks when Win7 is released.
Does anyone have a manual method of
removing this rascal? Everything I've found on the web is wanting you
to buy their product to do it. I may have to call Sunbelt to get their
method? But Vipre says that it blocked it but something is still
running. Maybe I'll just reboot and see if it is only in memory and the
pop-ups go away.
Anyone with thoughts for temp help. I
know that a rebuild is the only sure way to cleanliness - just not
today.