Short of hashing a complete known-safe volume and then rehashing the same
volume post-infection, with the drive in a known clean system as a data
volume, you CANNOT certify it clean. The fact that anyone still tries
astounds and shocks me when there is so much to be lost working this way.
On Dec 16, 2012 5:57 PM, "Greg Sevart" <[email protected]> wrote:

> Reinstalling is the only option IMO. A system restore/clean is a nice
> workaround to get an important system up and running, but it should be
> wiped and rebuilt as soon as practical. Once a system has been owned, there's
> no way to know that you've completely eradicated it--clean scans are nice,
> but a kernel rootkit could be masking a deeper infection.
>
> Just my two cents. I never trust a system once it's been infected.
>
> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of Christopher
> Fisk
> Sent: Sunday, December 16, 2012 7:30 PM
> To: [email protected]
> Subject: Re: [H] Infection question
>
> I have found that these viruses are quite invasive in what they do.  A
> class of the viruses actually installs an MBR virus, an executable that runs
> from a temporary folder and also a rootkit that gets latched onto a driver
> in c:\windows\system32\drivers
>
> I have had good luck using BootICE to correct the MBR and PBR issue, using
> standard AV/AM to clean the infection and then taking a known working
> system that is similar/identical and copying the files from the known good
> C:\Windows\System32\drivers into the bad.
>
> Reinstalling windows of course is an option as well.
>
>
> On Sun, Dec 16, 2012 at 7:42 PM, Bobby Heid <[email protected]> wrote:
>
> > Thanks!  I will check it out when I put the drive back in (Ghosting it
> > now).
> >
> > Bobby
> >
> > -----Original Message-----
> > From: [email protected]
> > [mailto:[email protected]] On Behalf Of Jeff Lane
> > Sent: Sunday, December 16, 2012 7:35 PM
> > To: [email protected]
> > Subject: Re: [H] Infection question
> >
> > Bobby,
> >
> > I know you ran system restore, but these things will sometimes corrupt
> > your anti-virus and Windows accessible system restore. I have had much
> > more success starting in safe mode command prompt and entering rstrui.exe
> > at the DOS prompt. This will open a fresh unaffected copy of system
> > restore, and you can usually check the box at the bottom to restore some
> > older ones, if really necessary. Hope this helps.
> >
> > Jeff
> >
> >
> > So far, it "appears" clean after all of the malware scans.
> >
> > Thanks,
> > Bobby
> >
> >
> > Trojan.MalJava!gen21 is usually installed by malware to download
> > advertising files.  If you can find out which malware installed it, you
> > can possibly search for removal methods.
> >
> >
> >
> > On 12/16/2012 3:08 PM, Bobby Heid wrote:
> > > Hey,
> > >
> > > Before I nuke a friend's laptop, I figured I'd throw it out here to
> > > see what I can get.
> > >
> > > She downloaded something and then started getting blue screens.  This
> > > is where I got it.  I started it in safe mode and ran anti-malware
> > > bytes (several times), SpyBot, super antispyware, online Symantec
> > > scanner, and some other online scanner.
> > >
> > > Malware bytes cleaned several items, so did Spybot.  The Symantec
> > > scanner said it had the Trojan.MalJava!gen21 (iirc).  I have not run
> > > the Symantec one since the others cleaned stuff.  The other online
> > > scanner found nothing.  Malware bytes and Spybot now return clean.
> > >
> > > If I boot into normal mode (Vista Home), I do not get blue screen
> > > anymore.  But I get the progress bar from the Vista start screen, then
> > > the screen goes black.  I can see the HD access for a while, then
> > > nothing.  This leads me to believe that it might have been one of those
> > > scare ware infections that do not let you get to your desktop.
> > >
> > > Any ideas before I nuke and repave?  Going to wipe it in the next few
> > > hours if I don't hear anything.
> > >
> > > Thanks,
> > >
> > > Bobby
> > >
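The top message (hash a known-safe volume, then rehash it post-infection from a known clean host with the drive mounted as a data volume) and Christopher Fisk's reply (compare a suspect C:\Windows\System32\drivers against a known-good copy) both reduce to the same operation: a baseline manifest of file hashes, and a later walk that reports what changed. The script below is an added illustration written for this page, not code from anyone in the thread. It assumes the suspect drive is mounted read-only on a trusted host so the hashing code and its view of the filesystem are not under the malware's control; the `demo()` tree, file names and "tampering" are constructed sample data.

```python
"""volhash.py: baseline a volume's file hashes, then compare a later snapshot.

Added example for this thread, not the original poster's code. Assumes the
suspect drive is mounted as a data volume on a known-clean host, so the code
that hashes it (and the filesystem view it gets) is trusted.
"""
import hashlib
import os
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # hash files in 1 MiB pieces so large files fit in memory


def hash_file(path: Path) -> str:
    """SHA-256 hex digest of a file's contents, streamed."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (POSIX relative path) to its hash.

    Symlinks are skipped rather than followed, so a planted link cannot make
    a clean file stand in for a replaced one; devices/sockets are skipped too.
    """
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            manifest[p.relative_to(root).as_posix()] = hash_file(p)
    return manifest


def save_manifest(manifest: dict, out: Path) -> None:
    """Write 'hexdigest  relative/path' lines (same shape as sha256sum output)."""
    with out.open("w", encoding="utf-8") as f:
        for rel in sorted(manifest):
            f.write(f"{manifest[rel]}  {rel}\n")


def load_manifest(path: Path) -> dict:
    """Read a manifest written by save_manifest back into a dict."""
    manifest = {}
    with path.open("r", encoding="utf-8") as f:
        for line in f:
            line = line.rstrip("\n")
            if line:
                digest, rel = line.split("  ", 1)
                manifest[rel] = digest
    return manifest


def compare(baseline: dict, current: dict) -> dict:
    """Classify paths as modified, added or missing relative to the baseline."""
    return {
        "modified": sorted(p for p in baseline
                           if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "missing": sorted(p for p in baseline if p not in current),
    }


def demo() -> dict:
    """Constructed sample: a tiny 'drivers' tree is baselined, then tampered with."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "drivers"
        (root / "usb").mkdir(parents=True)
        (root / "disk.sys").write_bytes(b"clean disk driver")
        (root / "ntfs.sys").write_bytes(b"clean ntfs driver")
        (root / "usb" / "usbhub.sys").write_bytes(b"clean usb hub driver")
        manifest_path = Path(tmp) / "baseline.sha256"
        save_manifest(build_manifest(root), manifest_path)
        # Simulated infection: patch one driver, drop a new one, delete one.
        (root / "disk.sys").write_bytes(b"clean disk driver" + b"\x90" * 16)
        (root / "evil.sys").write_bytes(b"constructed rootkit payload")
        (root / "usb" / "usbhub.sys").unlink()
        return compare(load_manifest(manifest_path), build_manifest(root))


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 4 and sys.argv[1] == "baseline":
        # volhash.py baseline <mounted-root> <manifest-out>
        save_manifest(build_manifest(Path(sys.argv[2])), Path(sys.argv[3]))
    elif len(sys.argv) == 4 and sys.argv[1] == "compare":
        # volhash.py compare <manifest> <mounted-root>
        result = compare(load_manifest(Path(sys.argv[2])),
                         build_manifest(Path(sys.argv[3])))
        for kind, paths in result.items():
            for rel in paths:
                print(f"{kind:9} {rel}")
    else:
        print(demo())
```

Two caveats follow from the thread itself. The comparison only says what differs from the baseline, so it is only as good as the moment the baseline was taken, and it says nothing about the MBR/PBR, firmware, or anything outside the files it walked; Christopher Fisk's BootICE step covers the boot sectors separately. And it must run from the clean host: a kernel rootkit on the infected OS, as Greg Sevart notes, can hide or substitute files from any scanner running on top of it, which is exactly why the top message insists on mounting the drive as a data volume.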
