Trojan/Browsela/Looksky


#11 - 01-05-2006, 05:43 AM - David H. Lipman
Re: Trojan/Browsela/Looksky

From: "cquirke (MVP Windows shell/user)" <cquirkenews@nospam.mvps.org>


|
| I've downloaded it and read the HTML, but haven't used it yet - I'm
| interested in seeing if it can be adapted to more formal use.
|
| As it is, AFAIK it starts by downloading stuff (updates etc.) from
| within normal (infected) Windows, then is to be used from Safe Mode,
| etc. As Safe Mode doesn't suppress all explicit integrations and will
| be likely to run intrafile code infectors, I'd really prefer to work
| "from orbit", e.g. from Bart CDR boot.
|
| At the least, I'd like to get updates etc. and prepare the scanners
| from a clean PC, and then run them from Safe Mode on the infected PC,
| preferably from read-only storage such as locked USB stick or CDRW.
|
| Also, remember to re-apply any HOSTS-mediated static protection, such
| as Spyware Blaster or certain off-the-peg antimalware HOSTS files, as
| Dave's procedure appears to leave the existing HOSTS deactivated.
|
| I'm working on a scanning wizard for Bart PE CDR boot that will run a
| sequence of 5 av scanners with a minimum of stop/go interaction, so I
| was interested in how Dave's worked.
|
>> ------------ ----- ---- --- -- - - - -

| The most accurate diagnostic instrument
| in medicine is the Retrospectoscope
>> ------------ ----- ---- --- -- - - - -


Any time you'd like to discuss my tool(s), you have my email address.

While you mention booting from a Bart PE, the included PDF file does provide instructions
for creating a DOS Boot Disk or DOS Boot Disk with NTFS4DOS for outside the OS scanning.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
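The quoted remark about HOSTS-mediated static protection being left deactivated is worth turning into a concrete check. The following is an added example, not code from this thread or from Dave's tool: it parses a HOSTS file, flags active entries that send hostnames anywhere other than loopback/null (the usual vendor-site redirect), lists blocklist entries that have been commented out, and re-enables them. The sample HOSTS content is constructed from reserved example names and addresses, and the helper names are this example's own.

```python
# Added example (not code from the thread or from any tool it mentions):
# audit a Windows HOSTS file after a malware cleanup. Two checks follow from
# the discussion above: (1) active entries that map hostnames to an address
# other than loopback/null are a classic hijack (vendor sites redirected so
# the victim cannot fetch updates), and (2) blocklist entries left commented
# out are "deactivated" static protection that should be re-applied.
import ipaddress
import re

# Constructed sample HOSTS content; hostnames and addresses are invented
# (reserved example names and documentation ranges), not real indicators.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# 127.0.0.1     ads.example-blocklist.test       # blocklist entry, deactivated
# 127.0.0.1     tracker.example-blocklist.test
203.0.113.7     www.example-av-vendor.test       # vendor site redirected
192.0.2.55      update.example-av-vendor.test
0.0.0.0         bad.example.test
"""

# Addresses that make an entry a harmless sinkhole rather than a redirect.
LOCAL_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}

# Optional leading '#', an address, then hostnames up to any trailing comment.
# Lines that match but carry no valid address are ordinary prose comments.
ENTRY_RE = re.compile(r"^\s*(?P<comment>#)?\s*(?P<addr>\S+)\s+(?P<names>[^#]+)")


def parse_hosts(text):
    """Split HOSTS text into active and commented-out (addr, [names]) entries."""
    active, commented = [], []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        try:
            addr = str(ipaddress.ip_address(m.group("addr")))
        except ValueError:
            continue  # a real comment, not a commented-out entry
        names = m.group("names").split()
        if names:
            (commented if m.group("comment") else active).append((addr, names))
    return active, commented


def find_hijacks(text):
    """Active entries that map a hostname somewhere other than loopback/null."""
    active, _ = parse_hosts(text)
    return [(addr, name) for addr, names in active
            if addr not in LOCAL_ADDRESSES for name in names]


def deactivated_blocklist(text):
    """Hostnames whose sinkhole entry has been commented out."""
    _, commented = parse_hosts(text)
    return [name for addr, names in commented
            if addr in LOCAL_ADDRESSES for name in names]


def reactivate_blocklist(text):
    """Return the file text with commented-out sinkhole entries re-enabled."""
    out = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m and m.group("comment"):
            try:
                if str(ipaddress.ip_address(m.group("addr"))) in LOCAL_ADDRESSES:
                    line = line.lstrip()[1:].lstrip()  # drop the leading '#'
            except ValueError:
                pass  # prose comment, leave it alone
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for addr, name in find_hijacks(SAMPLE_HOSTS):
        print(f"HIJACK   {name} -> {addr}")
    for name in deactivated_blocklist(SAMPLE_HOSTS):
        print(f"DISABLED sinkhole for {name}")
```

On a real machine the text would come from %SystemRoot%\system32\drivers\etc\hosts; the hijack list is what to investigate before trusting any update download, and the reactivated text is what to write back once the box is clean.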


#12 - 01-05-2006, 05:43 AM - benjammin
Re: Trojan/Browsela/Looksky

I'm currently running them all in normal mode, and I'll do them in safe
later. Thanks for the help - I'll tell you if they do the job.

"David H. Lipman" wrote:

> From: "cquirke (MVP Windows shell/user)" <cquirkenews@nospam.mvps.org>
>
>
> |
> | I've downloaded it and read the HTML, but haven't used it yet - I'm
> | interested in seeing if it can be adapted to more formal use.
> |
> | As it is, AFAIK it starts by downloading stuff (updates etc.) from
> | within normal (infected) Windows, then is to be used from Safe Mode,
> | etc. As Safe Mode doesn't suppress all explicit integrations and will
> | be likely to run intrafile code infectors, I'd really prefer to work
> | "from orbit", e.g. from Bart CDR boot.
> |
> | At the least, I'd like to get updates etc. and prepare the scanners
> | from a clean PC, and then run them from Safe Mode on the infected PC,
> | preferably from read-only storage such as locked USB stick or CDRW.
> |
> | Also, remember to re-apply any HOSTS-mediated static protection, such
> | as Spyware Blaster or certain off-the-peg antimalware HOSTS files, as
> | Dave's procedure appears to leave the existing HOSTS deactivated.
> |
> | I'm working on a scanning wizard for Bart PE CDR boot that will run a
> | sequence of 5 av scanners with a minimum of stop/go interaction, so I
> | was interested in how Dave's worked.
> |
> >> ------------ ----- ---- --- -- - - - -

> | The most accurate diagnostic instrument
> | in medicine is the Retrospectoscope
> >> ------------ ----- ---- --- -- - - - -

>
> Any time you'd like to discuss my tool(s), you have my email address.
>
> While you mention booting from a Bart PE, the included PDF file does provide instructions
> for creating a DOS Boot Disk or DOS Boot Disk with NTFS4DOS for outside the OS scanning.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm
>
>
>

#13 - 01-05-2006, 05:43 AM - David H. Lipman
Re: Trojan/Browsela/Looksky

From: "benjammin" <benjammin@discussions.microsoft.com>

| I'm currently running them all in normal mode, and I'll do them in safe
| later. Thanks for the help - I'll tell you if they do the job.
|


I'll be looking for your reply back.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm


#14 - 01-05-2006, 05:43 AM - Leythos
Re: Trojan/Browsela/Looksky

In article <drrkr1h7brmelln2ua9cfdb8silbivl8ar@4ax.com>,
cquirkenews@nospam.mvps.org says...
> On Tue, 03 Jan 2006 11:18:58 GMT, Leythos <void@nowhere.lan> wrote:
> >benjammin@discussions.microsoft.com says...

>
> >> what does Dave Lipman's thing actually do?

>
> >David's product works wonders using the manual scan engines from several
> >different vendors, and it has several fixes he's created to resolve
> >problems caused by malware that are not fixed by virus removal.

>
> >You really need to follow these directions exactly, and if you do, it
> >will leave you with a clean machine.

>
> I've downloaded it and read the HTML, but haven't used it yet - I'm
> interested in seeing if it can be adapted to more formal use.
>
> As it is, AFAIK it starts by downloading stuff (updates etc.) from
> within normal (infected) Windows, then is to be used from Safe Mode,
> etc. As Safe Mode doesn't suppress all explicit integrations and will
> be likely to run intrafile code infectors, I'd really prefer to work
> "from orbit", e.g. from Bart CDR boot.
>
> At the least, I'd like to get updates etc. and prepare the scanners
> from a clean PC, and then run them from Safe Mode on the infected PC,
> preferably from read-only storage such as locked USB stick or CDRW.


I did - I loaded it on a clean PC, then did the updates, stopped the
scans if they started, then burned the entire folder to a CD, copied the
folder to the infected C drive, made sure that the folder was not read-
only, ran it without any network connection, clean, easy, works great.

> Also, remember to re-apply any HOSTS-mediated static protection, such
> as Spyware Blaster or certain off-the-peg antimalware HOSTS files, as
> Dave's procedure appears to leave the existing HOSTS deactivated.
>
> I'm working on a scanning wizard for Bart PE CDR boot that will run a
> sequence of 5 av scanners with a minimum of stop/go interaction, so I
> was interested in how Dave's worked.


The only reason it needs to be on a drive is to expand the definitions
and create the log files - at least it appears that way.

--

spam999free@rrohio.com
remove 999 in order to email me
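Leythos's workflow above (update the toolkit on a clean PC, burn it to CD, copy it onto the infected drive, clear the read-only attribute, run offline) is a sound one, and the piece that makes it trustworthy is being able to prove that what runs on the infected machine is exactly what was burned. The following is an added example, not code from the thread or from Dave's tool: it builds a SHA-256 manifest of a toolkit folder on the clean side, clears the read-only attribute after the copy, and reports anything missing, modified or added on the infected side. The folder layout, file names and tampering in the demo are constructed for illustration.

```python
# Added example (not code from the thread or from Dave's tool): an integrity
# manifest for the "prepare on a clean PC, carry on read-only media, run on
# the infected PC" workflow. File names and the tampering are constructed.
import hashlib
import json
import os
import stat
import tempfile

MANIFEST_NAME = "manifest.json"  # stored beside the toolkit, excluded from hashing


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _walk_files(root):
    """Yield (relative_posix_path, absolute_path) for every file under root."""
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if rel != MANIFEST_NAME:
                yield rel, full


def build_manifest(root):
    """On the clean PC, after updates: map every file to its SHA-256."""
    return {rel: sha256_file(full) for rel, full in _walk_files(root)}


def verify_manifest(root, manifest):
    """On the infected PC: report files missing, modified or added since burning."""
    current = build_manifest(root)
    return {
        "missing": sorted(set(manifest) - set(current)),
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "extra": sorted(set(current) - set(manifest)),
    }


def clear_readonly(root):
    """Files copied from CD arrive read-only; clear the attribute so the tool
    can expand definitions and write its logs. Returns the number changed."""
    changed = 0
    for _, full in _walk_files(root):
        mode = os.stat(full).st_mode
        if not mode & stat.S_IWRITE:
            os.chmod(full, mode | stat.S_IWRITE)
            changed += 1
    return changed


def demo():
    """Constructed end-to-end run in a temp dir; returns (files_unlocked, report)."""
    with tempfile.TemporaryDirectory() as tmp:
        toolkit = {"clean.bat": b"@echo off\r\nrem constructed sample\r\n",
                   "defs/sigs.dat": b"constructed definitions\n"}
        for rel, data in toolkit.items():
            path = os.path.join(tmp, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        # Clean PC: record the manifest before the folder is burned to CD.
        with open(os.path.join(tmp, MANIFEST_NAME), "w") as f:
            json.dump(build_manifest(tmp), f)
        # Infected PC: the copy from CD comes back read-only...
        for rel in toolkit:
            os.chmod(os.path.join(tmp, *rel.split("/")), stat.S_IREAD)
        unlocked = clear_readonly(tmp)
        # ...and simulate something on the box tampering with it afterwards.
        with open(os.path.join(tmp, "clean.bat"), "ab") as f:
            f.write(b"rem injected line\r\n")
        os.remove(os.path.join(tmp, "defs", "sigs.dat"))
        with open(os.path.join(tmp, "dropped.dll"), "wb") as f:
            f.write(b"constructed")
        with open(os.path.join(tmp, MANIFEST_NAME)) as f:
            return unlocked, verify_manifest(tmp, json.load(f))


if __name__ == "__main__":
    print(demo())
```

In practice the manifest would be written on the clean PC and carried on the same CD as the toolkit; a non-empty "modified" or "extra" list on the infected side means the folder should be discarded and recopied rather than run.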
#15 - 01-05-2006, 05:43 AM - David H. Lipman
Re: Trojan/Browsela/Looksky

From: "Leythos" <void@nowhere.lan>

| In article <drrkr1h7brmelln2ua9cfdb8silbivl8ar@4ax.com>,
| cquirkenews@nospam.mvps.org says...
>> On Tue, 03 Jan 2006 11:18:58 GMT, Leythos <void@nowhere.lan> wrote:
>>> benjammin@discussions.microsoft.com says...

>>
>>>> what does Dave Lipman's thing actually do?

>>
>>> David's product works wonders using the manual scan engines from several
>>> different vendors, and it has several fixes he's created to resolve
>>> problems caused by malware that are not fixed by virus removal.

>>
>>> You really need to follow these directions exactly, and if you do, it
>>> will leave you with a clean machine.

>>
>> I've downloaded it and read the HTML, but haven't used it yet - I'm
>> interested in seeing if it can be adapted to more formal use.
>>
>> As it is, AFAIK it starts by downloading stuff (updates etc.) from
>> within normal (infected) Windows, then is to be used from Safe Mode,
>> etc. As Safe Mode doesn't suppress all explicit integrations and will
>> be likely to run intrafile code infectors, I'd really prefer to work
>> "from orbit", e.g. from Bart CDR boot.
>>
>> At the least, I'd like to get updates etc. and prepare the scanners
>> from a clean PC, and then run them from Safe Mode on the infected PC,
>> preferably from read-only storage such as locked USB stick or CDRW.

|
| I did - I loaded it on a clean PC, then did the updates, stopped the
| scans if they started, then burned the entire folder to a CD, copied the
| folder to the infected C drive, made sure that the folder was not read-
| only, ran it without any network connection, clean, easy, works great.
|
>> Also, remember to re-apply any HOSTS-mediated static protection, such
>> as Spyware Blaster or certain off-the-peg antimalware HOSTS files, as
>> Dave's procedure appears to leave the existing HOSTS deactivated.
>>
>> I'm working on a scanning wizard for Bart PE CDR boot that will run a
>> sequence of 5 av scanners with a minimum of stop/go interaction, so I
>> was interested in how Dave's worked.

|
| The only reason it needs to be on a drive is to expand the definitions
| and create the log files - at least it appears that way.
|

It is hard-coded to use; C:\AV-CLS as the base directory ONLY.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm


#16 - 01-05-2006, 05:43 AM - Leythos
Re: Trojan/Browsela/Looksky

In article <OgGxSHJEGHA.960@TK2MSFTNGP10.phx.gbl>,
DLipman~nospam~@Verizon.Net says...
> | The only reason it needs to be on a drive is to expand the definitions
> | and create the log files - at least it appears that way.
> |
>
> It is hard-coded to use; C:\AV-CLS as the base directory ONLY.


Sorry, forgot about that one.

--

spam999free@rrohio.com
remove 999 in order to email me
#17 - 01-05-2006, 05:43 AM - benjammin
Re: Trojan/Browsela/Looksky

I've tried them all in normal mode - no luck. At least one of them found the
exact file but couldn't open it. I'll try them in safe mode - might that
make a difference? I have also tried to manually delete the file myself, but
I can't because it is always 'in use'.

"David H. Lipman" wrote:

> From: "benjammin" <benjammin@discussions.microsoft.com>
>
> | These are helpful, but no spyware removal things will remove this, I need
> | something different - what does Dave Lipman's thing actually do? Preferably,
> | I'd just like to run the sfc/scannow, so does anyone know why it might not
> | work?
> |
>
> SFC is the System File Checker and is NOT a program for dealing with malware. It is a tool
> for dealing with OS corruption where a specific EXE or DLL file was accidentally replaced
> with an older version file. For example, you install WinXP SP2 and you installed a new
> printer but did not slipstream the installation files and a SP1 DLL replaced a SP2 DLL file.
>
> The SFC can replace the faulty DLL with a SP2 DLL from a cache.
>
> The tool that I suggested specifically seeks out Trojans, Viruses and other forms of
> malware and removes them.
>
> I suggest you use my tool and start with the McAfee module.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm
>
>
>

#18 - 01-05-2006, 05:43 AM - David H. Lipman
Re: Trojan/Browsela/Looksky

From: "benjammin" <benjammin@discussions.microsoft.com>

| I've tried them all in normal mode - no luck. At least one of them found the
| exact file but couldn't open it. I'll try them in safe mode - might that
| make a difference? I have also tried to manually delete the file myself, but
| I can't because it is always 'in use'.
|

You said..."At least one of them found the exact file but couldn't open it."

Please Copy and Paste the contents of the log file of the AV module that did find this.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm


#19 - 01-05-2006, 05:43 AM - Bill Suen
Re: Trojan/Browsela/Looksky

I have a similar problem:
I work a lot from my home PC for a university and have Sophos loaded on it.
The regular daily scan on Monday revealed that I have a Troj/spyaks-B
infection in c:\windows\system32\wbeconm.dll and it cannot delete the file. I
went in via command prompt and deleted the infected file but the home page is
still set to a security centre page. Yesterday I followed the Sophos
instructions and downloaded a SAV32CLI fix onto a CD-R and tried to run it from
the command prompt via F8 restart. I am running Windows XP 2002 Home Service
Pack 2, and it will not let me get into safe mode with command prompt at
restart, so I cannot run the fix on my PC.

"benjammin" wrote:

> I tried using your method - in command prompt, I typed sfc.exe, then tried
> scannow, but it said 'error code is 0x000006ba (The RPC server is
> unavailable) and same sort of thing with other scans - what does this mean?
>
> "Eric" wrote:
>
> > Try booting in safe mode/command prompt. The file shouldn't be open then.
> >
> > "benjammin" wrote:
> >
> > > I have a Trojan download in C:\windows\system32\browsela.dll, and can't
> > > delete it.
> > >
> > > Same applies to w32.looksky.A@mm in local settings somewhere.
> > >
> > > How can I get rid of these things if my antivirus doesn't?

#20 - 01-05-2006, 05:43 AM - David H. Lipman
Re: Trojan/Browsela/Looksky

From: "Bill Suen" <BillSuen@discussions.microsoft.com>

| I have a similar problem:
| I work a lot from my home PC for a university and have Sophos loaded on it.
| The regular daily scan on Monday revealed that I have a Troj/spyaks-B
| infection in c:\windows\system32\wbeconm.dll and it cannot delete the file. I
| went in via command prompt and deleted the infected file but the home page is
| still set to a security centre page. Yesterday I followed the Sophos
| instructions and downloaded a SAV32CLI fix onto a CD-R and tried to run it from
| the command prompt via F8 restart. I am running Windows XP 2002 Home Service
| Pack 2, and it will not let me get into safe mode with command prompt at
| restart, so I cannot run the fix on my PC.

Download SmitFraud.exe from the URL --
http://www.ik-cs.com/programs/virtools/SmitFraud.exe

Execute; SmitFraud.exe { Note: You must accept the default of C:\McAfee }
Choose; Unzip
Choose; Close

NOTE: You may have to disable your software firewall or allow WGET.EXE to go through your
firewall to enable WGET.EXE to download the needed McAfee related files.

Execute; c:\mcafee\clean.bat
{ or Double-click on 'Clean Link' in c:\mcafee }

A final report in HTML format called C:\mcafee\ScanReport.HTML will be generated. At the
end of the scan, it will be displayed in your browser (Opera, Firefox or Internet Explorer).
It is suggested that you move the report out of c:\mcafee before performing another scan.


Please Copy and Paste the contents of the HTML Log file; C:\mcafee\ScanReport.HTML in your
reply.

* * * Please report back your results * * *



--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

