oooops - fluffed it ... need advice

Hi group, got asked to help a friend's heavily infected machine, which
had too numerous Trojans and adware to remember them all, but went to
Kaspersky to do an on-line scan, worked through the log killing files
that had been highlighted as infected. All was successful other than
one file which went by the name guard.tmp. This file wouldn't delete and
was not found in any of the usual places, HijackThis failed to see it
and there was no entry in the process list or in the registry, so I did
the bold move and took ownership of the file, removing all inheritance,
and tried to delete it that way .... no luck there either.

So feeling confident that it was the only one left to hammer, I thought
that maybe the blighter is called through one of the many DLLs I had
already nobbled, and decided a reboot would probably free up the file
for deletion. But now on reboot, I can not get access, winlogon.exe is
terminated in an "unusual way" and the error message displays
"\??\c:\windows\system32\winlogon.exe"

Anybody have any advice that may recover this station or is it kill it
and start again? All accounts fail whether in safe mode or normal.

Any help appreciated

Martin Spencer-Ford
(TpwUK)


Posted by David H. Lipman on October 26, 2005, 11:36 pm

| Hi group, got asked to help a friend's heavily infected machine, which
| had too numerous Trojans and adware to remember them all, but went to
| Kaspersky to do an on-line scan, worked through the log killing files
| that had been highlighted as infected. All was successful other than
| one file which went by the name guard.tmp. This file wouldn't delete and
| was not found in any of the usual places, HijackThis failed to see it
| and there was no entry in the process list or in the registry, so I did
| the bold move and took ownership of the file, removing all inheritance,
| and tried to delete it that way .... no luck there either.
|
| So feeling confident that it was the only one left to hammer, I thought
| that maybe the blighter is called through one of the many DLLs I had
| already nobbled, and decided a reboot would probably free up the file
| for deletion. But now on reboot, I can not get access, winlogon.exe is
| terminated in an "unusual way" and the error message displays
| "\??\c:\windows\system32\winlogon.exe"
|
| Anybody have any advice that may recover this station or is it kill it
| and start again? All accounts fail whether in safe mode or normal.
|
| Any help appreciated
|
| Martin Spencer-Ford
| (TpwUK)

If it was truly "...a friend's heavily infected machine, which had too numerous
Trojans and adware to remember..." I suggest creating a Ghost image of the PC,
wiping it, reinstalling the OS, Service Packs and Critical Updates. Then install
AV software on the PC, then restore *only* data from the Ghost image.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
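The "restore *only* data" step in Dave's advice is the part people get wrong in practice, because they drag whole profile folders back and bring the infection with them. The script below is an added example written for this thread, not code from either poster or from any Ghost tooling. It assumes the old disk image has been mounted read-only at the hypothetical path D:\image, that the profile layout is the Windows XP "Documents and Settings" tree of the era, that the rebuilt machine keeps profiles under C:\Users, and that PowerShell 4 or later is available for Get-FileHash. It copies only files with known data extensions out of the user data folders, refuses anything executable or script-like even when it sits inside My Documents, and writes a CSV log with a SHA-256 of every file it saw so the decision can be audited afterwards.

```powershell
# Added example for this thread, not the posters' own procedure.
# Assumed (hypothetical) locations: image mounted at D:\image, target C:\Users.
param(
    [string]$ImageRoot   = 'D:\image\Documents and Settings',  # assumed mount point
    [string]$RestoreRoot = 'C:\Users',                          # assumed rebuilt machine
    [string]$LogPath     = "$env:TEMP\restore-log.csv"
)

# Only these extensions count as "data" and are carried across.
$DataExtensions = @('.doc','.docx','.xls','.xlsx','.ppt','.pptx','.pdf','.txt',
                    '.rtf','.csv','.jpg','.jpeg','.png','.gif','.mp3','.wav','.avi')

# Never restored, even from a documents folder: anything that can execute or
# that launches something else (shortcuts, installers, HTML applications).
$BlockedExtensions = @('.exe','.com','.scr','.pif','.bat','.cmd','.vbs','.js',
                       '.dll','.sys','.lnk','.msi','.hta','.tmp')

# Profile subfolders that hold user data rather than application state.
$DataFolders = @('My Documents','Desktop','Favorites','My Pictures','My Music')

function Restore-UserData {
    param([string]$ImageRoot, [string]$RestoreRoot, [string]$LogPath)

    $rows = @()
    foreach ($profile in Get-ChildItem -Path $ImageRoot -Directory) {
        foreach ($folder in $DataFolders) {
            $src = Join-Path $profile.FullName $folder
            if (-not (Test-Path $src)) { continue }

            foreach ($file in Get-ChildItem -Path $src -File -Recurse -Force) {
                $ext    = $file.Extension.ToLowerInvariant()
                $action = 'skipped'          # unknown type: leave it in the image

                if ($BlockedExtensions -contains $ext) {
                    $action = 'blocked'      # executable-ish: log it, never copy it
                }
                elseif ($DataExtensions -contains $ext) {
                    # Rebuild the same relative path under the new profile root.
                    $rel  = $file.FullName.Substring($profile.FullName.Length).TrimStart('\')
                    $dest = Join-Path (Join-Path $RestoreRoot $profile.Name) $rel
                    New-Item -ItemType Directory -Path (Split-Path $dest) -Force | Out-Null
                    Copy-Item -Path $file.FullName -Destination $dest -Force
                    $action = 'copied'
                }

                # Hash every file seen, copied or not, so the log is a full record.
                $rows += [pscustomobject]@{
                    Profile   = $profile.Name
                    Source    = $file.FullName
                    Extension = $ext
                    Action    = $action
                    Sha256    = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
                }
            }
        }
    }

    $rows | Export-Csv -Path $LogPath -NoTypeInformation
    return $rows
}

$result = Restore-UserData -ImageRoot $ImageRoot -RestoreRoot $RestoreRoot -LogPath $LogPath
$result | Group-Object Action | ForEach-Object { '{0}: {1}' -f $_.Name, $_.Count }
```

Run it from the rebuilt, fully patched machine with the image attached read-only, then scan the restored folders with the freshly installed AV before handing the PC back; the "blocked" rows in the CSV are the files worth looking at if you want to know what was living in the documents folders.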




Posted by Martin Spencer-Ford on October 26, 2005, 11:41 pm
David H. Lipman wrote:
>
> | Hi group, got asked to help a friend's heavily infected machine, which
> | had too numerous Trojans and adware to remember them all, but went to
> | Kaspersky to do an on-line scan, worked through the log killing files
> | that had been highlighted as infected. All was successful other than
> | one file which went by the name guard.tmp. This file wouldn't delete and
> | was not found in any of the usual places, HijackThis failed to see it
> | and there was no entry in the process list or in the registry, so I did
> | the bold move and took ownership of the file, removing all inheritance,
> | and tried to delete it that way .... no luck there either.
> |
> | So feeling confident that it was the only one left to hammer, I thought
> | that maybe the blighter is called through one of the many DLLs I had
> | already nobbled, and decided a reboot would probably free up the file
> | for deletion. But now on reboot, I can not get access, winlogon.exe is
> | terminated in an "unusual way" and the error message displays
> | "\??\c:\windows\system32\winlogon.exe"
> |
> | Anybody have any advice that may recover this station or is it kill it
> | and start again? All accounts fail whether in safe mode or normal.
> |
> | Any help appreciated
> |
> | Martin Spencer-Ford
> | (TpwUK)
>
> If it was truly "...a friend's heavily infected machine, which had too numerous
> Trojans and adware to remember..." I suggest creating a Ghost image of the PC,
> wiping it, reinstalling the OS, Service Packs and Critical Updates. Then install
> AV software on the PC, then restore *only* data from the Ghost image.
>
ohhh yes it was a friend's PC - idiotically funny really, he had
BitDefender Pro suite on and had allowed such things as
"sexy_blonde_babes.exe" through the firewall among others, but happy to
see you are drawing the same conclusion that I am, Dave. That somehow
gives me a warm fuzzy feeling :)

Martin Spencer-Ford
(TpwUK)


Posted by David H. Lipman on October 26, 2005, 11:53 pm


| ohhh yes it was a friend's PC - idiotically funny really, he had
| BitDefender Pro suite on and had allowed such things as
| "sexy_blonde_babes.exe" through the firewall among others, but happy to
| see you are drawing the same conclusion that I am, Dave. That somehow
| gives me a warm fuzzy feeling :)
|
| Martin Spencer-Ford
| (TpwUK)

Martin:

I usually do NOT suggest a wipe of a PC and usually suggest a series of cleansing
attempts and performing a Cost Benefit Analysis based upon time and futility.

In this case somehow I get the feeling futility is at hand and a wipe is the
better way to go. Note my suggestion of Ghosting the PC as is, such that NO
personal data is lost prior to wiping said PC.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm




Posted by Martin Spencer-Ford on October 27, 2005, 12:20 am

>
> Martin:
>
> I usually do NOT suggest a wipe of a PC and usually suggest a series of cleansing
> attempts and performing a Cost Benefit Analysis based upon time and futility.
>
> In this case somehow I get the feeling futility is at hand and a wipe is the
> better way to go. Note my suggestion of Ghosting the PC as is, such that NO
> personal data is lost prior to wiping said PC.
>

I agree - wiping is a last resort. The sad thing with this case is that
I just cleaned out over 270 pieces of Trojans and adware not more than
two weeks ago, and I managed to save all his data then, but nothing went
wrong that time and all was fine. Now I face the moral dilemma: do I
ghost and leave him with the comfort that he can be rescued as and when
he needs (false impression), or do I teach the bitter taste of lost data
and try and educate him to the values of backing up and being more
sensible with his data and with what is allowed in and out of the
firewall...


Hmmm decisions decisions ... I can feel a coin flip coming

Martin Spencer-Ford
(TpwUK)

