Precautions needed during scanning?

This just in! Scanning with the Panda Rescue Disk removed 16
instances of malware.

Scanning with Kaspersky Rescue Disk removed 26, but said it couldn't
delete or disinfect Rootkit.win32.TDSS.mbr, at the root level, the MBR
iiuc.

What should I do about that one!

For lack of a better idea, I'm thinking of using the Recovery Console
of an XP installation disk and running FixMBR.  ??


1) I have a router.  If my computer and the laptop with the malware
are both plugged into the router at the same time, can the laptop
infect my computer?

2) Kaspersky says, and other companies say something similar, "Regular
updates of Kaspersky Rescue Disk databases ensures effective
protection".  But it's silly, isn't it, to talk about a regular
update of a CD**.

So if I copied the rescue CD to a bootable flashdrive or USB hard disk,
could the viruses already in the laptop infect the flashdrive or
hard disk?  Could the newly infected flashdrive or hard disk infect the
next computer it is used to test?

**If this were a standard message it wouldn't seem silly, but it says
"Rescue Disk".  Don't they know that almost everyone runs this from a
CD?

3) Kaspersky had as the default option, Prompt for Action, when an
infected file is found.  Wouldn't that mean I'd have to be watching
the entire time the scan ran, and if I were out of the room, it would
wait for me, making the scan take that much longer?  I changed it to
"Prompt for action at end of scan".  Stupid question maybe, but isn't
that better for most people?  Yet it's not the default.

Any other settings I should have changed for a heavily infected pc?
They had one two levels deep in the settings called, "Don't expand
very large files".  I've never understood whether files inside zip
files etc. can do harm -- does any malware expand archives etc. after
I have scanned?


Thanks.

Re: Precautions needed during scanning?


Yes, that worked for me. I just posted about it in another thread called
"Malware masquerading as Microsoft Security Essentials?"
Some Dells may give you a warning that you have a non-standard boot record.
If you run it anyway, you may lose the ability to use the recovery partition
if it has one. The one I did was a Dell and I did get that warning, but it
was a fairly new Dell that shipped with the XP "downgrade" and it didn't have
a recovery partition anyway. I already had everything saved and I was
desperate so I took the chance. It worked.
It might not work for you, so don't do it on *my* account... :-)

--
        --- Everybody has a right to my opinion. ---

Re: Precautions needed during scanning?

wrote:

I'll go read that.

Hey, this is a Dell, and I've been trying elsewhere to find out if it
has a recovery partition or not.  Do you know how I can tell?

Okay. :)   Actually I was going to do it in a few minutes but your
post made me postpone that, because you tied the MBR to the recovery
partition.

Re: Precautions needed during scanning?

wrote:

Oops, sorry.  It's an HP Mini 1000, not a Dell, but I suppose if Dell
uses the MBR to get to a recovery partition, HP might also.


Re: Precautions needed during scanning?


Just type fixmbr. If you don't get that message about being a non-
standard boot record, then you should be OK. If you do get the message,
then it's your gamble from there... :-)

--
 -- Being "over the hill" is much better than being under it! --


Re: Precautions needed during scanning?

wrote:

Thanks for replying.

After running Panda, then Kaspersky, then BitDefender, then AVG again,
then PCTOOLS, all boot rescue CD's, and deleting 16, 36, 5, zero, and
zero files respectively (and only leaving that MBR problem in place),
I decided it was time to try to start Windows again.  

There may well be a problem with the MBR, but it does find Windows
(XP), which first has trouble with svchost.exe, which I assume has to
do with Services and must be important.  Anyhow, I pick a
persona/logon and it starts to run, and immediately it goes back to
the Choose Personal screen.  I think I may have deleted one too many
files, or maybe two!  (Even though I looked at all the names before
deleting anything.)  So now I've got the reinstallation CD that came
with the HP netbook, and I have assembled a USB CD drive, and I'm
going to try to repair Windows, and worry about the MBR later.

I also found some software like mbr.exe which is supposed to verify
and even repair the MBR.  I could use fixboot to repair, but I want to
see what mbr.exe says first.

I also have TDSSKiller and RKUnhookedLE, which may help here, but
first I want to get windows working.  Oh, there was that Drivers.sys
issue. I have to ask about that.
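
An added example, not from this thread and not the code of mbr.exe or any tool named here: a small Python parser that does the kind of offline MBR check a verify tool performs on a raw 512-byte sector (for instance one dumped from the disk on a surrogate PC). It checks the 0x55AA signature, lists the partition table, and compares a hash of the boot code against a known-good baseline, which is how a rewritten boot loader like the TDSS MBR infection shows up. The sample sectors and the baseline hash below are constructed for the demo, not taken from any real disk.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446      # bytes 0..445: boot loader code (what an MBR rootkit overwrites)
PART_TABLE_OFF = 446     # four 16-byte partition entries follow the boot code
SIGNATURE = b"\x55\xAA"  # bytes 510..511 of a valid MBR


def parse_mbr(sector: bytes) -> dict:
    """Split a raw 512-byte sector into boot-code hash, partition entries and signature."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        entry = sector[PART_TABLE_OFF + 16 * i:PART_TABLE_OFF + 16 * (i + 1)]
        # status, 3 CHS bytes (skipped), type, 3 CHS bytes (skipped), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        if ptype != 0:  # type 0 means the slot is unused
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": sectors})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": parts, "signature_ok": sector[510:512] == SIGNATURE}


def check_mbr(sector: bytes, known_good_hashes: set) -> list:
    """Return human-readable findings; an empty list means nothing looked off."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA signature")
    if info["boot_code_sha256"] not in known_good_hashes:
        findings.append("boot code does not match any known-good baseline")
    bootable = [p for p in info["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        findings.append(f"{len(bootable)} partitions flagged bootable (expected 1)")
    return findings


def make_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed test sector (not from a real disk): one bootable NTFS partition."""
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)
    return boot_code + entry + b"\x00" * 48 + SIGNATURE


# Constructed stand-in for a clean boot loader; a real baseline would be the hash of the
# boot code the OS installer writes (or of the sector captured before the infection).
CLEAN_BOOT_CODE = b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * 439
TAMPERED_BOOT_CODE = b"\xEB\x00" + CLEAN_BOOT_CODE[2:]   # first jump patched, table intact
BASELINE = {hashlib.sha256(CLEAN_BOOT_CODE).hexdigest()}
```

To use it on a real sector, read the first 512 bytes of the physical disk (this needs administrator rights) and pass them to check_mbr together with a baseline hash you trust; an empty result means the signature, partition table and boot code all look as expected.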

Re: Precautions needed during scanning?


Boot off a Windows PE disc, run fixboot. Reboot using a BartPE disc, go
to the windows/system32/drivers folder and neuter the .sys driver
file or you'll be doing this all over again.

You can also just download the Avast bootable CD or Avira or even
BitDefender, burn it, boot the box and let it do its thing.

Another option, fire the machine up and put Trend Micro's SysClean on it
with the newest pattern.

Just be sure you don't let the box boot until you get the sys driver
too, or the MBR is just going to get infected.

Depending on your network configuration; it's possible.
 
--
Some people are like a Slinky. Not much good for anything, but you
can't help but smile when one tumbles down the stairs.

Re: Precautions needed during scanning?

wrote:

I don't know what you mean by your last step.  Is there only one .sys
driver file there and how do I neuter it?   Rename it?

FWIW, I used Bit Defender tonight, and it didn't find this problem.
It was the third AV I used tonight, and it did find 5 instances of 4
malware, but not this.

 I'd used Panda first and it found 16 problems.
 Then Kaspersky which found 26 or 36, all of which it fixed except
this MBR problem.

AVG just finished and only found 3 tracking cookies

So AVG and BitDefender and Panda didn't find this MBR problem.   That
doesn't mean it's not there, right?   Just that Kaspersky is better on
MBRs?

Since you suggest it I'll try Avast sometime tomorrow.

So far I haven't run Avira because it makes it sound like it runs
automatically, with me at the start setting standard treatment of
threats.  Is that so?  I want to look at each one individually.

I'll look at that.

I haven't linked this friend's computer to my network, so I'm okay
then?  It's just plugged into the same router at the same time.  So
far I've only plugged in one at a time.

Actually, I'm trying to make it work but I don't even have a home
network.  I have the wireless router and two computers (one in the
basement) but I can't get them to see each other, even though they
both are connected to the DSL.  Are they safe from each other's
viruses?

Thanks a lot.  


Re: Precautions needed during scanning?

Per mm:

How did the PC get into that state?

No virus checker?
--
PeteCresswell

Re: Precautions needed during scanning?

wrote:

It's a friend's. I think she had a virus checker, but it's only worked
for 10 minutes since I got it and I didn't have time to look.

I suspected and Rafters says that the first malware may have brought
in the others.


Re: Precautions needed during scanning?

Per mm:

Thanks.

Another possibility - one that I had happen with a family
member's PC - is that the user clicks the wrong button when a
virus alert pops up.

Now I look for a "Don't allow accepting any suspicious stuff
anywhere any time" option in the virus checker and enable it if
it's available.
--
PeteCresswell

Re: Precautions needed during scanning?


I was being funny; neuter as in; snip snip.. er, delete the file. <G>

Hmm; I'm wondering if Kaspersky is false alarming. Is it still
reporting a problem with updates?

As long as this computer hasn't made hex with removable media and then
your other computer read it with autorun enabled. :) Your router allows
the computers to talk to one another. If they are at least both Windows
XP, they'll start sharing some things as soon as they see each other.

This really isn't the newsgroup for network questions.


--
Some people are like a Slinky. Not much good for anything, but you
can't help but smile when one tumbles down the stairs.

Re: Precautions needed during scanning?


| I was being funny; neuter as in; snip snip.. er, delete the file. <G>

"...couldn't delete or disinfect  Rootkit.win32.TDSS.mbr "

I'd use Kaspersky TDSSKiller on the running PC.
http://support.kaspersky.com/viruses/solutions?qid=208280684

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Re: Precautions needed during scanning?

On Thu, 7 Oct 2010 20:28:47 -0400, "David H. Lipman"

Thanks.  I went to your link and got this.  Haven't used it yet.

I also got mbr.exe, another similar program, and RKUnhookedLE.

Re: Precautions needed during scanning?

wrote:

I get neuter, haha, but I still don't understand.  Am I supposed to do
something to the driver folder or one of the driver files?  You
mentioned it twice, so I figure it's important!

Not Kaspersky.  Wasn't that AVG from the flashdrive?  I haven't tried
that again since I assembled a USB CD drive.**  But I have used the
AVG rescue boot CD and that worked.

**For 20 dollars, no charge for shipping, I got the RCW618 by
Rosewill, at Newegg.  It will connect a SATA/Pata hd to or CD/DVD
drive to a USB or SATA port on the PC. It's really versatile and has
been working just fine.  Some people say the included SATA cable is
bad, but one can replace it with his own.

I don't think they see each other yet, but since I've stopped running
AV for a while, I won't have to update from the net for a while.

My basement and upstairs computers see each other partially some of
the time, but neither has malware yet.

Yes of course.

Re: Precautions needed during scanning?


wrote:

Are you neuter all this then?


Jim :)

Re: Precautions needed during scanning?


Everyone is neuter everything at first. :-)

--
        --- Everybody has a right to my opinion. ---

Re: Precautions needed during scanning?


Neuter; sort, allow some systems to come back up <G>


--
Some people are like a Slinky. Not much good for anything, but you can't
help but smile when one tumbles down the stairs.

Re: Precautions needed during scanning?


| wrote:

| I get neuter, haha, but I still don't understand.  Am I supposed to do
| something to the driver folder or one of the driver files?  YOu
| mentioned it twice, so I figure it's important!

| Not Kaspersky.  Wasn't that AVG from the flashdrive?  I haven't tried
| that again since I assembled a USB CD drive.**  But I have used the
| AVG rescue boot CD and that worked.

| **For 20 dollars, no charge for shipping, I got the RCW618 by
| Rosewill, at Newegg.  It will connect a SATA/Pata hd to or CD/DVD
| drive to a USB or SATA port on the PC. It's really versatile and has
| been working just fine.  Some people say the included SATA cable is
| bad, but one can replace it with his own.

< snip >

I have a similar device.

You said... "SATA/Pata hd to or CD/DVD drive to a USB or SATA port on the PC."

Does it connect to to a SATA port on the PC or an eSATA port on the PC ?

BTW:  When I use such a device, and remove a hard disk from an affected
computer, and place it on a different computer, I will usually call the
secondary computer a "surrogate" PC.


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Re: Precautions needed during scanning?

On Fri, 8 Oct 2010 06:29:56 -0400, "David H. Lipman"

Well, I don't know much about SATA yet, but it has an L shaped
connector slot on both ends of the included cable.  That means SATA
iiuc, right?

Good to know.
