I had a user that got this one. Vipre didn't catch it either. Vipre tech support was able to clean it quickly.
On Mon, Apr 4, 2011 at 10:25 AM, Jonathan Link <jonathan.l...@gmail.com> wrote:

> I approach these machines with UBCD4Win to perform necessary cleaning.
> After cleaning with UBCD4Win, I'll reboot and run Vipre and other tools in a
> network-disconnected state, putting an update on a USB disk, if necessary.
>
> On Mon, Apr 4, 2011 at 11:22 AM, Steve Ens <stevey...@gmail.com> wrote:
>
>> I've found recently that these are killing the profiles... logon as a
>> different user... then nuke the bastage!
>>
>> On Mon, Apr 4, 2011 at 10:19 AM, <richardmccl...@aspca.org> wrote:
>>
>>> Greetings!
>>>
>>> I was greeted by our overnight vet who was working at someone else's
>>> desk. She said she had a rogue AV popping up all the time.
>>>
>>> Dell PWS-3500; Windows XP Professional 32-bit, SP3
>>>
>>> Popups are something like "AntiVirus XP 2011".
>>>
>>> Found that VIPRE had been shut down by the rogue, and it could not be
>>> launched. Could not install MalwareBytes. Could not open a command prompt.
>>> All resulted in a new rogue window opening.
>>>
>>> Booted into Safe Mode; no improvement! I launched Task Manager. I noticed
>>> that whenever I tried to restart VIPRE, to launch the MBytes installer, or
>>> even to "Start->Run-> cmd", I'd get a rogue window (forgot to mention - the
>>> rogue windows would begin scanning with a separate window about
>>> registering). In Task Manager, I noticed a new task, "tmu.exe", starting
>>> at the time of the popup. When I highlighted "tmu.exe" and then "End
>>> process...", the window would close.
>>>
>>> I went to another PC, ran REGEDIT, then "Open Network Registry" to access
>>> that machine. I checked both HKLM\Software and HKLM\Users\.Default, and I
>>> found nothing unexpected in ...\Microsoft\Windows\CurrentVersion\Run, or in
>>> other places I've seen the registry changed by malware.
>>>
>>> I made a remote connection to the infected machine's drive and searched
>>> for "tmu.exe". I found it in
>>> ADMIN$\System32\config\systemprofile\Application Data. I checked "some of
>>> its neighbors", and TMU.EXE was not found. So, I deleted it from the
>>> infected machine.
>>>
>>> Still playing around, I booted the machine in "Safe Mode with Command
>>> Prompt". I was able to give the command "chkdsk /f", and it did run a file
>>> system check when rebooted. Again from booting into "Safe Mode w/Command
>>> Prompt", I was able to launch the MBytes installer. The app, though, would
>>> not start (I would imagine this is because in command prompt mode, there
>>> would be no GUI displays.)
>>>
>>> Booted into both normal and Safe modes. Nothing will run! Double-click
>>> a short-cut, double-click a file icon in Explorer, or enter something (i.e.,
>>> "Start->Run-> cmd"), and a window opens asking with which application to
>>> open the file.
>>>
>>> So, the machine is such that remote access to the file system and
>>> registry is available. At the actual machine, the only way to do anything
>>> is to boot into command prompt mode. Again, however, no apps will run if
>>> they involve a GUI - only console-type commands will run.
>>>
>>> Next steps? Thanks!
>>> --
>>> richard
>>>
>>> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
>>> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
>>>
>>> ---
>>> To manage subscriptions click here:
>>> http://lyris.sunbelt-software.com/read/my_forums/
>>> or send an email to listmana...@lyris.sunbeltsoftware.com
>>> with the body: unsubscribe ntsysadmin
>>
>
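The thread leaves Richard with remote registry and ADMIN$ access but no way to launch a GUI program on the box. The "which application do you want to open this file with?" prompt on every double-click is, in my reading, consistent with a rewritten .exe file association rather than a missing binary, so it is worth checking alongside the Run keys he already looked at. The script below is an added triage example, not something posted in the thread or shipped by Sunbelt/VIPRE; it assumes the Remote Registry service and the ADMIN$ share on the target are reachable (as they were for Richard) and that the caller is a local administrator there. The host name `INFECTED-PC` is a placeholder, and the expected values `exefile` and `"%1" %*` are the Windows XP defaults.

```powershell
# Added triage script (not from the thread). Read-only: it reports, it does not clean.
# Assumes Remote Registry + ADMIN$ are reachable and the caller is a local admin on the target.
function Invoke-RogueAvTriage {
    param([string]$Computer = 'INFECTED-PC')   # placeholder host name

    # 1. Autorun locations the thread checked (HKLM Run, HKEY_USERS\.DEFAULT Run) plus RunOnce.
    #    Every value is printed so an unfamiliar entry, e.g. one pointing at tmu.exe, stands out.
    $autoruns = @(
        @{ Hive = [Microsoft.Win32.RegistryHive]::LocalMachine; Path = 'Software\Microsoft\Windows\CurrentVersion\Run' },
        @{ Hive = [Microsoft.Win32.RegistryHive]::LocalMachine; Path = 'Software\Microsoft\Windows\CurrentVersion\RunOnce' },
        @{ Hive = [Microsoft.Win32.RegistryHive]::Users;        Path = '.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run' }
    )
    foreach ($loc in $autoruns) {
        $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey($loc.Hive, $Computer)
        $key  = $base.OpenSubKey($loc.Path)
        if ($key -ne $null) {
            foreach ($name in $key.GetValueNames()) {
                "[AUTORUN] {0}\{1} : {2} = {3}" -f $loc.Hive, $loc.Path, $name, $key.GetValue($name)
            }
            $key.Close()
        }
        $base.Close()
    }

    # 2. The .exe association. On a clean XP machine the .exe extension maps to 'exefile'
    #    and exefile's open command is "%1" %*. Anything else explains the "Open With"
    #    prompt on every double-click and is the first thing to restore.
    $hkcr = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey([Microsoft.Win32.RegistryHive]::ClassesRoot, $Computer)
    $expected = @{
        '.exe'                       = 'exefile'
        'exefile\shell\open\command' = '"%1" %*'
    }
    foreach ($path in $expected.Keys) {
        $key    = $hkcr.OpenSubKey($path)
        $actual = if ($key -ne $null) { [string]$key.GetValue('') } else { '<missing>' }   # '' = (Default) value
        $status = if ($actual -eq $expected[$path]) { 'OK ' } else { 'BAD' }
        "[{0}] HKCR\{1} = {2}" -f $status, $path, $actual
        if ($key -ne $null) { $key.Close() }
    }
    $hkcr.Close()

    # 3. The drop location found in the thread. The system profile's Application Data folder
    #    does not normally hold executables, so any .exe there is worth a look (and a hash).
    $dropDir = "\\$Computer\ADMIN$\System32\config\systemprofile\Application Data"
    if (Test-Path $dropDir) {
        Get-ChildItem -Path $dropDir -Filter *.exe | ForEach-Object {
            "[SUSPECT] {0} ({1} bytes, modified {2})" -f $_.FullName, $_.Length, $_.LastWriteTime
        }
    }
}

Invoke-RogueAvTriage -Computer 'INFECTED-PC'
```

Run it from the clean admin workstation Richard was already using for "Open Network Registry". A `BAD` line for either HKCR entry means the box will keep prompting for an application no matter which tool is copied over, which matches the behaviour described in both normal and Safe Mode; fixing that association (from the remote registry, or from the Safe Mode command prompt that still works) is what lets VIPRE or the MBytes installer launch again.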