Cool, nice one.  I'll download that for later use.  As it was, hopefully I have 
cleaned up the lodger's girlfriend's computer; however, that should mean the 
lodger won't mind paying this week's rent, as he has gained some additional 
services from me for free!

Cheers,
Matt

From: James Rankin [mailto:kz2...@googlemail.com]
Sent: 23 May 2011 10:07
To: NT System Admin Issues
Subject: Re: System Restore and Scareware

I suspect regedit will be among the list of window titles that the malware will 
check and terminate if it sees them run. A trick to get around this is to run 
the regedit window on a different desktop (not monitor - use something like 
http://technet.microsoft.com/en-us/sysinternals/cc817881). Malware generally 
only detects windows running on the primary desktop.
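
A scripted version of the separate-desktop trick, as an added example that is not code from the thread or from the Sysinternals Desktops tool: it creates a new desktop in the interactive window station, starts regedit on it through CreateProcess with STARTUPINFO.lpDesktop set, switches the display to that desktop, and switches back once regedit exits. The desktop name "Triage" and the function name are arbitrary choices of mine. FindWindow and EnumWindows only see windows on the calling thread's desktop, which is why a title-matching killer running on the default desktop never finds this regedit; a killer that walks the process list by image name is unaffected, so this is a trick for the title-checking variety only.

```powershell
# Added example (not from the thread or from Sysinternals Desktops): run regedit on a
# freshly created desktop and show it until regedit exits. Assumes Windows PowerShell
# (Add-Type needs 2.0+) in an interactive session and %SystemRoot%\regedit.exe present.
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;

public static class AltDesktop
{
    public const uint GENERIC_ALL = 0x10000000;
    public const uint DESKTOP_SWITCHDESKTOP = 0x0100;

    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct STARTUPINFO
    {
        public int cb;
        public string lpReserved, lpDesktop, lpTitle;
        public int dwX, dwY, dwXSize, dwYSize, dwXCountChars, dwYCountChars, dwFillAttribute, dwFlags;
        public short wShowWindow, cbReserved2;
        public IntPtr lpReserved2, hStdInput, hStdOutput, hStdError;
    }

    [StructLayout(LayoutKind.Sequential)]
    public struct PROCESS_INFORMATION
    {
        public IntPtr hProcess, hThread;
        public int dwProcessId, dwThreadId;
    }

    [DllImport("user32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern IntPtr CreateDesktop(string lpszDesktop, IntPtr lpszDevice,
        IntPtr pDevmode, int dwFlags, uint dwDesiredAccess, IntPtr lpsa);
    [DllImport("user32.dll", SetLastError = true)]
    public static extern IntPtr OpenInputDesktop(uint dwFlags, bool fInherit, uint dwDesiredAccess);
    [DllImport("user32.dll", SetLastError = true)]
    public static extern bool SwitchDesktop(IntPtr hDesktop);
    [DllImport("user32.dll", SetLastError = true)]
    public static extern bool CloseDesktop(IntPtr hDesktop);
    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool CreateProcess(string lpApplicationName, string lpCommandLine,
        IntPtr lpProcessAttributes, IntPtr lpThreadAttributes, bool bInheritHandles,
        uint dwCreationFlags, IntPtr lpEnvironment, string lpCurrentDirectory,
        ref STARTUPINFO lpStartupInfo, out PROCESS_INFORMATION lpProcessInformation);
    [DllImport("kernel32.dll")]
    public static extern bool CloseHandle(IntPtr hObject);
}
'@

function Start-RegeditOnNewDesktop {
    param([string]$DesktopName = 'Triage')   # arbitrary name, created in the interactive window station

    $newDesk = [AltDesktop]::CreateDesktop($DesktopName, [IntPtr]::Zero, [IntPtr]::Zero, 0,
                                           [AltDesktop]::GENERIC_ALL, [IntPtr]::Zero)
    if ($newDesk -eq [IntPtr]::Zero) {
        throw "CreateDesktop failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    # The desktop the user is looking at right now; we switch back to it on the way out.
    $origDesk = [AltDesktop]::OpenInputDesktop(0, $false, [AltDesktop]::DESKTOP_SWITCHDESKTOP)
    if ($origDesk -eq [IntPtr]::Zero) { [AltDesktop]::CloseDesktop($newDesk) | Out-Null; throw 'OpenInputDesktop failed' }

    $si = New-Object 'AltDesktop+STARTUPINFO'
    $si.cb = [Runtime.InteropServices.Marshal]::SizeOf($si)
    $si.lpDesktop = $DesktopName             # no backslash: a desktop in the current window station
    $pi = New-Object 'AltDesktop+PROCESS_INFORMATION'
    # [NullString]::Value passes a real NULL; PowerShell would otherwise turn $null into "".
    $ok = [AltDesktop]::CreateProcess("$env:SystemRoot\regedit.exe", [NullString]::Value,
            [IntPtr]::Zero, [IntPtr]::Zero, $false, 0, [IntPtr]::Zero, [NullString]::Value, [ref]$si, [ref]$pi)
    if (-not $ok) {
        [AltDesktop]::CloseDesktop($newDesk) | Out-Null
        throw "CreateProcess failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    [AltDesktop]::CloseHandle($pi.hThread)  | Out-Null
    [AltDesktop]::CloseHandle($pi.hProcess) | Out-Null

    [AltDesktop]::SwitchDesktop($newDesk) | Out-Null
    try {
        # Returns when regedit is closed normally or terminated by something else.
        Wait-Process -Id $pi.dwProcessId -ErrorAction SilentlyContinue
    } finally {
        # Always come back: the new desktop has no shell, so the user has no other way out.
        [AltDesktop]::SwitchDesktop($origDesk) | Out-Null
        [AltDesktop]::CloseDesktop($origDesk)  | Out-Null
        [AltDesktop]::CloseDesktop($newDesk)   | Out-Null
    }
    return $pi.dwProcessId
}

Start-RegeditOnNewDesktop
```

The new desktop shows only the regedit window, with no taskbar or Explorer, which is the expected look; the script itself stays on the original desktop and waits. If regedit vanishes within a second of appearing, the malware is killing by process rather than by window title, and the Safe Mode route is the better one.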
On 23 May 2011 07:26, Matthew B Ames <matthew.a...@qinetiq.com> wrote:
I had one of these last night.  When I ran regedit (having logged in normally) 
it opened and then promptly closed down.  Booted into safe mode and checked the 
software\windows\currentversion\run & runonce keys for anything that looked 
suspect (running from temp, app data, etc.).  Removed those keys, and the randomly 
named .exe they launched.

Rebooted back into Windows, cleaned up the hosts file, and then downloaded the 
latest version of Malwarebytes.  90 minutes later and the machine reported 
itself as clean.  I need to run another scan to check and then work out what AV 
package is on there, as there were shortcuts for Norton, AVG and MacCr@ppy on 
the desktop.
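
The Run/RunOnce and hosts-file checks from the procedure above, as an added example that is not code from the thread: it lists autostart values whose command resolves to a scratch location (Temp, AppData and similar), a random-looking image name, or an image that no longer exists, and hosts lines that are not plain localhost mappings. The full key path is Software\Microsoft\Windows\CurrentVersion\Run (and RunOnce) under both HKLM and HKCU; the scratch-root list, the "random name" pattern and the function names are my own heuristics, not anything the thread specifies.

```powershell
# Added example (not from the thread): triage Run/RunOnce autostarts and the hosts
# file the way the post above describes. Assumes Windows PowerShell 2.0 or later;
# the scratch roots and the random-name pattern are heuristics of my choosing.

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# User-writable places that a legitimate autostart rarely launches from.
$ScratchRoots = @($env:TEMP, $env:TMP, $env:APPDATA, $env:LOCALAPPDATA, $env:ProgramData,
                  "$env:SystemRoot\Temp") | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

function Get-AutostartImage {
    # Pull the executable path out of a Run value, whether or not it is quoted.
    param([string]$Command)
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
    }
    # Unquoted paths may contain spaces: take everything up to the first executable extension.
    $m = [regex]::Match($cmd, '(?i)^(.+?\.(exe|com|scr|bat|cmd|vbs|js|dll))(?=\s|$)')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($cmd -split '\s+')[0]
}

function Get-AutostartFlags {
    param([string]$Image)
    $flags = @()
    foreach ($root in $ScratchRoots) {
        if ($Image.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { $flags += 'scratch-location'; break }
    }
    # Eight or more alphanumerics mixing letters and digits, e.g. kx8d2ajq.exe (heuristic).
    $name = [IO.Path]::GetFileNameWithoutExtension($Image)
    if ($name -match '^(?=.*\d)(?=.*[a-z])[a-z0-9]{8,}$') { $flags += 'random-looking-name' }
    # Only judge existence for absolute paths; bare names like rundll32.exe resolve via PATH.
    if ([IO.Path]::IsPathRooted($Image) -and -not (Test-Path -LiteralPath $Image)) { $flags += 'missing-image' }
    return $flags
}

function Get-SuspectAutostart {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }        # PSPath, PSProvider etc. are provider noise
            $image = Get-AutostartImage -Command ([string]$p.Value)
            $flags = Get-AutostartFlags -Image $image
            if ($flags.Count -gt 0) {
                New-Object PSObject -Property @{ Key = $key; Name = $p.Name; Image = $image; Flags = ($flags -join ',') } |
                    Select-Object Key, Name, Image, Flags
            }
        }
    }
}

function Get-SuspectHostsEntry {
    $hostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    foreach ($raw in (Get-Content -LiteralPath $hostsFile)) {
        $line = ($raw -replace '#.*$', '').Trim()     # drop comments and blank lines
        if (-not $line) { continue }
        $parts = $line -split '\s+'
        $addr  = $parts[0]
        $names = @($parts | Select-Object -Skip 1)
        # Scareware black-holes AV/update sites (127.0.0.1) or redirects them to a host it
        # controls (anything else), so report every line that is not loopback -> localhost.
        $loopback = ($addr -eq '127.0.0.1' -or $addr -eq '::1')
        $odd = @($names | Where-Object { $_ -notmatch '^localhost(\.|$)' })
        if (-not $loopback -or $odd.Count -gt 0 -or $names.Count -eq 0) {
            New-Object PSObject -Property @{ Address = $addr; Names = ($names -join ' ') } | Select-Object Address, Names
        }
    }
}

Get-SuspectAutostart  | Format-Table -AutoSize
Get-SuspectHostsEntry | Format-Table -AutoSize
```

Run it from Safe Mode when the payload kills regedit on a normal login, as in the post; once a flagged entry is confirmed, `Remove-ItemProperty -Path <key> -Name <value>` drops the autostart and the image file can be deleted. On 64-bit Windows the Wow6432Node Run keys are a further place to look, and a stock XP install has no PowerShell, so there the same checks are done by hand in regedit or against an exported hive.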

From: Rankin, James R [mailto:kz2...@googlemail.com]
Sent: 20 May 2011 20:51

To: NT System Admin Issues
Subject: Re: System Restore and Scareware

Some of these little beasties are easy to beat - I've seen ones where deleting 
a file did the trick. Unfortunately at the other end of the scale live some 
crafty process-injection nasties that are a veritable nightmare to find. 
Fortunately Malwarebytes has a good track record of pulling them out for you.

Typed frustratingly slowly on my BlackBerry(r) wireless device

________________________________
From: "Bob Hartung" <bhart...@wiscoind.com>
Date: Fri, 20 May 2011 14:47:23 -0500
To: NT System Admin Issues <ntsysadmin@lyris.sunbelt-software.com>
ReplyTo: "NT System Admin Issues" <ntsysadmin@lyris.sunbelt-software.com>
Subject: System Restore and Scareware

I've had a couple of recent cases of scareware infecting some Windows XP Pro 
systems here. One reported lots of virus infestations and prevented the user 
from accessing the internet and, for a low price, would fix all. The other 
reported that the hard drive had tons of errors and the boot sector was gone, 
etc. And for a small fee, their utility could fix it. This system was unusable.

Maybe this is pretty basic, but I haven't seen it mentioned: in both cases, 
Windows' System Restore easily removed them. I've seen descriptions of fixing 
infected systems involving fairly complex procedures and multiple utilities. I 
guess I just wanted to recommend giving System Restore a try first before 
resorting to the heavy artillery.

On the system that had the failed hard drive scareware, it was impossible to 
access System Restore in normal windows. I figured Safe Mode was the way to go 
but I discovered System Restore is not available in Safe Mode. I did learn that 
you can run System Restore in Safe Mode with Command Prompt. Just enter 
"%systemroot%\system32\restore\rstrui.exe" at the command prompt and you're in 
System Restore. Not sure why regular Safe Mode wouldn't have that command 
available.

Hope that's of help to someone else.

----------------------

Bob Hartung
Wisco Industries, Inc.
736 Janesville St.
Oregon, WI 53575
Tel: (608) 835-3106 x215
Fax: (608) 835-7399
e-mail: bhartung(at)wiscoind.com

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin


This email and any attachments to it may be confidential and are intended 
solely for the use of the individual to whom it is addressed. If you are not 
the intended recipient of this email, you must neither take any action based 
upon its contents, nor copy or show it to anyone. Please contact the sender if 
you believe you have received this email in error. QinetiQ may monitor email 
traffic data and also the content of email for the purposes of security. 
QinetiQ Limited (Registered in England & Wales: Company Number: 3796233) 
Registered office: Cody Technology Park, Ively Road, Farnborough, Hampshire, 
GU14 0LX http://www.qinetiq.com.




--
"On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into the 
machine wrong figures, will the right answers come out?' I am not able rightly 
to apprehend the kind of confusion of ideas that could provoke such a question."

IMPORTANT: The information in this email is CONFIDENTIAL. If its contents are 
disclosed in any way my lawyers will swoop down from black helicopters like 
Seal Team Six and drag you away with a black bag over your head. They will then 
take you to a secret prison and make you fight to the death with other people 
who dared to share this email. You will be given a large bowie knife and a 
supply of methamphetamines while I watch the said deathmatch and wager vast 
sums of money on who will be the winner. If the fight becomes boring or there 
is a stalemate, I will release rabid dogs and my two-stone cat into the arena 
to liven things up a bit. If these animals become in any way docile, I will 
squirt them with water pistols until they become a bit more temperamental.



