PCBUILD Archives

Personal Computer Hardware discussion List

PCBUILD@LISTSERV.ICORS.ORG

Subject:
From:
Larry Fisk <[log in to unmask]>
Date:
Thu, 30 Dec 2004 19:51:51 -0700
Lewis;
I've dealt with this malware/trojan a couple of times.
The most recent encounter: the client's computer seemed to have some kind
of trojan generator with the file ext. of ".cpy"
on most of the files, like "A0001937.cpy" in the "c:\_restore\archive"
folder... thousands of them!
This particular computer was running WinME.
I tried turning off system restore, but the computer locked up every time.

I finally had to boot to a DOS prompt,
navigate to the _restore directory (remember the underline in front of
_restore)
and del the archive folder contents.
For some reason the DOS command "erase" seemed to work better than "del",
for example "c:\ _restore\archive erase *.*"
Be patient, this computer had 60,000 plus files in the archive directory.
It took about an hour or more to delete the files in DOS.
I couldn't seem to "deltree" the "archive" folder so I erased the files
inside first.
The machine would lock up and I had to reboot and run the erase command
several times,
each time getting more of the malware files.
If you're running ME (I assume) you will need to turn off system restore
temporarily to fully get rid
of possible copies of the trojan in the restore backups.
Also dump all your temp files including internet temp files.

A Google search for "_restore\archive" will give you more info on this nasty
trojan.
The antivirus program "avast" www.avast.com seems to delete the files, but
with 60,000 plus files,
it wasn't practical to delete them one at a time :-)

----- Original Message -----
From: "Lewis C Emerson" <[log in to unmask]>
To: <[log in to unmask]>
Sent: Thursday, December 30, 2004 4:32 PM
Subject: [PCBUILD] AdAware


> Folks,
>
> I've previously reported my lockup problems and have tried the
> suggestions I've received from you helpful guys, but am still having
> problems.
>
> One thing:  When I run AdAware I'm able to quarantine every file except
> for one in the directory _RESTORE\ARCHIVE - and I get a message that it
> can be deleted at the next BootUp.  Somehow, I seem to get the same old
> problem over and over.  A more knowledgeable guy said that I'd have to go
> into the Registry and make changes there, but I'm deathly afraid of doing
> anything there as I've seen warnings indicating that you're not to mess
> with the Registry unless you know really what you're doing.  (and I, for
> sure, don't)

            Do you want to signoff PCBUILD or just change to
                    Digest mode - visit our web site:
                   http://freepctech.com/pcbuild.shtml
