I suspect regedit will be among the list of window titles that the malware
will check and terminate if it sees them run. A trick to get around this is
to run the regedit window on a different desktop (not monitor - use
something like http://technet.microsoft.com/en-us/sysinternals/cc817881).
Malware generally only detects windows running on the primary desktop.

On 23 May 2011 07:26, Matthew B Ames <[email protected]> wrote:

>  I had one of these last night.  When I ran regedit (having logged in
> normally) it opened and then promptly closed down.  Booted into safe mode
> and checked the software\windows\currentversion\run & runonce keys for
> anything that looked suspect (running from temp, app data, etc.). Removed
> those keys, and the random-named .exe they launched.
>
>
>
> Rebooted back into Windows, cleaned up the hosts file, and then downloaded
> the latest version of MalwareBytes.  90 minutes later and the machine
> reported itself as clean.  I need to run another scan to check and then work
> out what AV package is on there, as there were shortcuts for Norton, AVG and
> MacCr@ppy on the desktop.
>
>
>
> *From:* Rankin, James R [mailto:[email protected]]
> *Sent:* 20 May 2011 20:51
>
> *To:* NT System Admin Issues
> *Subject:* Re: System Restore and Scareware
>
>
>
> Some of these little beasties are easy to beat - I've seen ones where
> deleting a file did the trick. Unfortunately at the other end of the scale
> live some crafty process-injection nasties that are a veritable nightmare to
> find. Fortunately MalwareBytes has a good track record of pulling them out
> for you.
>
> Typed frustratingly slowly on my BlackBerry® wireless device
>  ------------------------------
>
> *From: *"Bob Hartung" <[email protected]>
>
> *Date: *Fri, 20 May 2011 14:47:23 -0500
>
> *To: *NT System Admin Issues<[email protected]>
>
> *ReplyTo: *"NT System Admin Issues" <[email protected]>
>
> *Subject: *System Restore and Scareware
>
>
>
> I've had a couple of recent cases of scareware infecting some Windows XP
> Pro systems here. One reported lots of virus infestations and prevented the
> user from accessing the internet and, for a low price, would fix all. The
> other reported that the hard drive had tons of errors and the boot sector
> was gone, etc. And for a small fee, their utility could fix it. This system
> was unusable.
>
> Maybe this is pretty basic but I haven't seen mention of it but in both
> cases, Windows System Restore easily removed both. I've seen descriptions
> of fixing infected systems involving fairly complex procedures and multiple
> utilities. I guess I just wanted to recommend giving System Restore a try
> first before resorting to the heavy artillery.
>
> On the system that had the failed hard drive scareware, it was impossible
> to access System Restore in normal Windows. I figured Safe Mode was the way
> to go but I discovered System Restore is not available in Safe Mode. I did
> learn that you can run System Restore in Safe Mode with Command Prompt. Just
> enter "%systemroot%\system32\restore\rstrui.exe" at the command prompt and
> you're in System Restore. Not sure why regular Safe Mode wouldn't have that
> command available.
>
> Hope that's of help to someone else.
>
> ----------------------
>
> Bob Hartung
> Wisco Industries, Inc.
> 736 Janesville St.
> Oregon, WI 53575
> Tel: (608) 835-3106 x215
> Fax: (608) 835-7399
> e-mail: bhartung(at)wiscoind.com
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to [email protected]
> with the body: unsubscribe ntsysadmin
>



-- 
"On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into
the machine wrong figures, will the right answers come out?' I am not able
rightly to apprehend the kind of confusion of ideas that could provoke such
a question."

*IMPORTANT: The information in this email is CONFIDENTIAL. If its contents
are disclosed in any way my lawyers will swoop down from black helicopters
like Seal Team Six and drag you away with a black bag over your head. They
will then take you to a secret prison and make you fight to the death with
other people who dared to share this email. You will be given a large bowie
knife and a supply of methamphetamines while I watch the said deathmatch and
wager vast sums of money on who will be the winner. If the fight becomes
boring or there is a stalemate, I will release rabid dogs and my two-stone
cat into the arena to liven things up a bit. If these animals become in any
way docile, I will squirt them with water pistols until they become a bit
more temperamental.*
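The manual check Matthew describes above (walk the Run and RunOnce keys and look for anything launching from temp or application-data folders) is easy to script so it can be repeated on every machine you triage. The following PowerShell is an added example written for this thread, not code from any of the posters or from any product mentioned; the list of "suspicious" directory prefixes and the file-extension regex are assumptions chosen for illustration and should be tuned to your environment. It lists every autostart entry, resolves the executable path, checks whether the file still exists, and flags entries that live under a temp or per-user data directory.

```powershell
# Added example (not from the thread): triage the Run/RunOnce autostart keys,
# flagging entries whose executable lives under a temp or application-data
# directory, as Matthew did by hand in regedit.

$AutorunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Properties Get-ItemProperty adds that are not registry values.
$ProviderProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

# Directories a legitimate autostart rarely launches from. This list is an
# assumption for the example; extend it for your environment.
function Get-SuspiciousPathPrefixes {
    @(
        [Environment]::GetEnvironmentVariable('TEMP'),
        [Environment]::GetEnvironmentVariable('TMP'),
        [Environment]::GetEnvironmentVariable('APPDATA'),
        [Environment]::GetEnvironmentVariable('LOCALAPPDATA'),
        (Join-Path ([Environment]::GetEnvironmentVariable('SystemRoot')) 'Temp')
    ) | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\').ToLowerInvariant() }
}

# Pull the executable path out of a registry command line. Handles a quoted
# path followed by arguments and an unquoted path followed by arguments.
function Get-AutorunExecutable {
    param([string]$Command)
    $c = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($c.StartsWith('"')) {
        $end = $c.IndexOf('"', 1)
        if ($end -gt 1) { return $c.Substring(1, $end - 1) }
        return $c.Trim('"')
    }
    # Unquoted: take everything up to and including the first executable-looking
    # extension (assumed list), otherwise the first whitespace-delimited token.
    $m = [regex]::Match($c, '^(.+?\.(exe|com|bat|cmd|scr|vbs|js|dll))(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($c -split '\s+')[0]
}

# True when the command's executable sits under one of the suspicious prefixes.
function Test-SuspiciousAutorun {
    param([string]$Command)
    $exe = (Get-AutorunExecutable $Command).ToLowerInvariant()
    foreach ($prefix in Get-SuspiciousPathPrefixes) {
        if ($exe.StartsWith($prefix + '\')) { return $true }
    }
    return $false
}

# Enumerate every value under the autostart keys and report on each one.
function Get-SuspiciousAutoruns {
    foreach ($key in $AutorunKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            if ($ProviderProps -contains $prop.Name) { continue }
            $cmd = [string]$prop.Value
            $exe = Get-AutorunExecutable $cmd
            [pscustomobject]@{
                Key        = $key
                Name       = $prop.Name
                Command    = $cmd
                Executable = $exe
                Exists     = (Test-Path -LiteralPath $exe)
                Suspicious = (Test-SuspiciousAutorun $cmd)
            }
        }
    }
}

# Suspicious entries first, so the ones worth removing are at the top.
Get-SuspiciousAutoruns | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Run it from a context where the malware is not active, for instance Safe Mode as in the thread, since a sample that kills regedit may well kill a console window too. The `Exists` column is there because a Run value whose target has already been deleted is still worth removing: it is a leftover from an earlier cleanup and a clue about where the payload used to live. This script only reports; deleting the flagged value (`Remove-ItemProperty`) and the file it points to remains a deliberate, manual step after you have looked at each entry.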
