Then, in my opinion, yer mirror is *already* screwed ... remove one drive, and insert a fresh blank and let your screwed mirror rebuild whilst you work on cleaning the infection from the mirror partner you removed

On Thu, Oct 8, 2009 at 1:21 PM, wjh <[email protected]> wrote:

> I'd be breaking a mirror, so I'm hesitant to do this.
>
> Erik Goldoff wrote:
>
> see my previous post, remove the hard drive, install it as a slave in a
> second, known secure system, and then scan/clean it from there without the
> OS on the infected drive active or in memory
>
> On Thu, Oct 8, 2009 at 1:05 PM, wjh <[email protected]> wrote:
>
>> I've got a user's box now that has "securitytools" fake a/v virus. It
>> deleted malwarebytes from his machine. booted into safe mode to reinstall
>> malwarebytes. After installation the mbam.exe file was missing again. I
>> also ran Avast's bart CD and it only found two items, which did nothing to
>> remove the virus. uggh. and this is a machine used for animation and
>> video work so days of work to rebuild it with all the software apps.
>>
>> Bill
>>
>> I use a three-pronged approach that I keep stored on a small USB thumb
>> drive that is labeled VIRUS CLEANER...
>> First, I run Malwarebytes. After Malwarebytes, I run Combofix (download
>> from bleepingcomputers.com, NOT combofix.org). After that, I install
>> Avast and have it run a boot-time scan. After it has booted up again, I run
>> Malwarebytes again.
>>
>> 9 times out of 10, my work is done at this point....
>>
>> --
>> Matt Cross
>> mailto:[email protected]
>>
>> On Thu, Oct 8, 2009 at 12:31 PM, James Kerr <[email protected]> wrote:
>>
>>> +1 but run it with the box in safe mode.
>>>
>>> James
>>>
>>> ----- Original Message -----
>>> *From:* John Aldrich <[email protected]>
>>> *To:* NT System Admin Issues <[email protected]>
>>> *Sent:* Thursday, October 08, 2009 12:24 PM
>>> *Subject:* RE: infected box
>>>
>>> Malwarebytes.com is your friend. If that doesn’t do it, I don’t know
>>> what else to suggest. You could always try booting off a VipreRescue disk
>>> and see if that cleans it.
>>>
>>> *From:* Len Hammond [mailto:[email protected]]
>>> *Sent:* Thursday, October 08, 2009 12:13 PM
>>> *To:* NT System Admin Issues
>>> *Subject:* infected box
>>>
>>> Hi people,
>>>
>>> I have a client with an infected box. It seems to have the "SafeFighter"
>>> trojan. Vipre says that it blocked the installation of it but it has pop-ups
>>> wanting you to register the SafeFighter product to clean it out. It also
>>> puts up a false "Microsoft Security Center" window telling you that your
>>> firewall is ON and your virus protection is OFF or non-existent. When
>>> viewing the 'real' Security Center you find that Vipre is listed and running
>>> and the firewall is off as the settings dictate as the unit is behind a
>>> network firewall. And when you visit Vipre it is scanning with no items
>>> listed, and it has two items in the blocked area but nothing in the
>>> Quarantine or anywhere else. These pop-ups come every few minutes. I would
>>> like to stop the pop-ups long enough to back up data and flatten the box and
>>> install Win7 in a couple of weeks when Win7 is released.
>>>
>>> Does anyone have a manual method of removing this rascal? Everything I've
>>> found on the web is wanting you to buy their product to do it. I may have to
>>> call Sunbelt to get their method? But Vipre says that it blocked it but
>>> something is still running. Maybe I'll just reboot and see if it is only in
>>> memory and the pop-ups go away.
>>>
>>> Anyone with thoughts for temp help. I know that a rebuild is the only
>>> sure way to cleanliness - just not today.
>>>
>>> Len Hammond
>>> CSI:Hartland
>>> [email protected]
