Getting ready to do this. My HelpDesk guy had hidden the external SATA adapter.
Richard Stovall <rich...@gmail.com> wrote on 04/04/2011 10:23:30 AM:

> 1) Put the drive in a different machine and scan again.
>
> 2) Plan for the nuking and repaving process. :)
>
> On Mon, Apr 4, 2011 at 11:19 AM, <richardmccl...@aspca.org> wrote:
>
> > Greetings!
> >
> > I was greeted by our overnight vet who was working at someone else's desk. She said she had a rogue AV popping up all the time.
> >
> > Dell PWS-3500; Windows XP Professional 32-bit, SP3
> >
> > Popups are something like "AntiVirus XP 2011".
> >
> > Found that VIPRE had been shut down by the rogue, and it could not be launched. Could not install MalwareBytes. Could not open a command prompt. All resulted in a new rogue window opening.
> >
> > Booted into Safe Mode; no improvement! I launched Task Manager. I noticed that whenever I tried to restart VIPRE, to launch the MBytes installer, or even to "Start->Run-> cmd", I'd get a rogue window (forgot to mention - the rogue windows would begin scanning with a separate window about registering). In Task Manager, I noticed a new task, "tmu.exe", starting at the time of the popup. When I highlighted "tmu.exe" and then "End process...", the window would close.
> >
> > I went to another PC, ran REGEDIT, then "Open Network Registry" to access that machine. I checked both HKLM\Software and HKLM\Users\.Default, and I found nothing unexpected in ...\Microsoft\Windows\CurrentVersion\Run, or in other places I've seen the registry changed by malware.
> >
> > I made a remote connection to the infected machine's drive and searched for "tmu.exe". I found it in ADMIN$\System32\config\systemprofile\Application Data. I checked "some of its neighbors", and TMU.EXE was not found. So, I deleted it from the infected machine.
> >
> > Still playing around, I booted the machine in "Safe Mode with Command Prompt". I was able to give the command "chkdsk /f", and it did run a file system check when rebooted. Again from booting into "Safe Mode w/Command Prompt", I was able to launch the MBytes installer. The app, though, would not start (I would imagine this is because in command prompt mode, there would be no GUI displays.)
> >
> > Booted into both normal and Safe modes. Nothing will run! Double-click a shortcut, double-click a file icon in Explorer, or enter something (i.e., "Start->Run-> cmd"), and a window opens asking with which application to open the file.
> >
> > So, the machine is such that remote access to the file system and registry is available. At the actual machine, the only way to do anything is to boot into command prompt mode. Again, however, no apps will run if they involve a GUI - only console-type commands will run.
> >
> > Next steps? Thanks!
> > --
> > richard
> >
> > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
> >
> > ---
> > To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
> > or send an email to listmana...@lyris.sunbeltsoftware.com
> > with the body: unsubscribe ntsysadmin