Re: Tro_vundo.h



Stan@StanKrute.com
07-09-2005, 11:48 PM
I've been fighting the same virus on a client's
computer (a Dell 8400 XP SP-2 system with a
SATA HD). It's a nasty little thing, as you note.

I've tried to get to the Recovery Console (XP),
but got a BSOD on the way.

I tried to boot up into Bart's PE, but got a BSOD
on the way.

To get into Recovery Console or Bart's PE, I have
to supply SATA drivers. That's not a problem, but
I can't get around the BSOD.

I tried using Killbox to kill the infected files --
in this system, they're living in the MSAGENT
folder -- but it failed.

Are you willing to share your little program ?

Otherwise, seems I need to pull the HD from the
system and put it into another system that has
SATA interfaces, and kill the infected files
there.

-- stan

Malke
07-09-2005, 11:48 PM
Stan@StanKrute.com wrote:

> I've been fighting the same virus on a client's
> computer (a Dell 8400 XP SP-2 system with a
> SATA HD). It's a nasty little thing, as you note.
>
> I've tried to get to the Recovery Console (XP),
> but got a BSOD on the way.
>
> I tried to boot up into Bart's PE, but got a BSOD
> on the way.
>
> To get into Recovery Console or Bart's PE, I have
> to supply SATA drivers. That's not a problem, but
> I can't get around the BSOD.
>
> I tried using Killbox to kill the infected files --
> in this system, they're living in the MSAGENT
> folder -- but it failed.
>
> Are you willing to share your little program ?
>
> Otherwise, seems I need to pull the HD from the
> system and put it into another system that has
> SATA interfaces, and kill the infected files
> there.
>

Please quote some of the post to which you are replying for clarity. If
you just want to get data off the drive and then wipe it, try booting
with Knoppix. I believe the latest version should be able to handle the
SATA drive.

Knoppix is a Linux distro on a live cd. You will need a computer with
two cd drives, one of which is a cd/dvd-rw OR a usb thumb drive with
enough capacity to hold your data. To get Knoppix, you need a computer
with a fast Internet connection and third-party burning software.
Download the Knoppix .iso from www.knoppix.net and create your bootable
cd. Then boot with it and it will be able to see the Windows files. If
you will be using the usb thumb drive to copy your data, plug it in
before you boot the system with Knoppix. Otherwise, use the K3b burning
program to burn the files to cd/dvd-r's.

If you want to work on the XP installation on that drive and can't get a
Bart's to boot, then the only other option AFAIK would be a program
like Winternals' ERD Commander, but that is very expensive. They used
to offer an emergency download but IIRC that is no longer available.
You might want to check this out at:
http://www.winternals.com

Otherwise, get the data and wipe the drive.

Good luck,

Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User

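As an added example (not from the thread or from Knoppix), here is what I would run from a live Linux CD once the Windows volume is mounted read-only, to record exactly what is sitting in the MSAGENT folder and copy those files to a USB stick before anything is deleted or the drive is wiped. The mount point, device name and folder path are assumptions for the example.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes the Windows volume was
# mounted read-only from the live CD first, for instance (device is assumed):
#   mount -t ntfs -o ro /dev/sda1 /mnt/win
# and that the suspect files live under MSAGENT, as in Stan's case:
#   inventory_dir /mnt/win/WINDOWS/MSAGENT /mnt/usb/msagent-manifest.txt

# inventory_dir DIR OUT
# Writes one line per regular file under DIR:
#   md5 <tab> size-in-bytes <tab> mtime-epoch <tab> path
# Hashes let the files be checked against AV vendor write-ups, and the
# manifest is the record of what was on the disk before cleanup.
inventory_dir() {
    dir=$1
    out=$2
    : > "$out"
    find "$dir" -type f | sort | while IFS= read -r f; do
        sum=$(md5sum "$f" | cut -d' ' -f1)
        size=$(wc -c < "$f" | tr -d ' ')
        # GNU stat first, BSD stat as fallback
        mtime=$(stat -c %Y "$f" 2>/dev/null || stat -f %m "$f")
        printf '%s\t%s\t%s\t%s\n' "$sum" "$size" "$mtime" "$f" >> "$out"
    done
}

# quarantine_files MANIFEST DEST
# Copies every file named in MANIFEST into DEST (the USB stick Malke
# suggests) and re-hashes the copy so a bad copy is not mistaken for the
# original later. Returns non-zero if any copy does not match.
quarantine_files() {
    manifest=$1
    dest=$2
    rc=0
    while IFS="$(printf '\t')" read -r sum size mtime path; do
        name=$(basename "$path")
        cp "$path" "$dest/$name"
        copied=$(md5sum "$dest/$name" | cut -d' ' -f1)
        if [ "$copied" != "$sum" ]; then
            echo "MISMATCH: $path" >&2
            rc=1
        fi
    done < "$manifest"
    return $rc
}
```

Keep the manifest and the quarantined copies off the infected disk; they are what you compare against after the files are removed.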
Stanley Krute
07-09-2005, 11:48 PM
Hi Malke

> Otherwise, get the data and wipe the drive.

I just need to delete half a dozen files on the drive.

-- stan

Malke
07-09-2005, 11:48 PM
Stanley Krute wrote:

> Hi Malke
>
>> Otherwise, get the data and wipe the drive.
>
> I just need to delete half a dozen files on the drive.
>
> -- stan

Well, my answer is the same. Try a different build of Bart's.

Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User

David H. Lipman
07-09-2005, 11:48 PM
From: "Malke" <invalid@not-real.com>


|
| Well, my answer is the same. Try a different build of Bart's.
|
| Malke
| --
| Elephant Boy Computers
| www.elephantboycomputers.com
| "Don't Panic!"
| MS-MVP Windows - Shell/User


He doesn't need Bart PE.

The following has been found to be effective in removing the Vundo.

Dump the contents of the IE Temporary Internet Folder cache (TIF)
Start --> Settings --> Control Panel --> Internet Options --> Delete Files

Dump the contents of the Mozilla FireFox Cache { if you use FireFox }
Tools --> Options --> Privacy --> Cache --> Clear


Download CLEAN.EXE from the URL --
http://www.ik-cs.com/programs/virtools/clean.exe

It is a self-extracting ZIP file that contains the Kixtart Script Interpreter
{ http://kixtart.org Kixtart is CareWare }, three batch files, two Kixtart scripts, two Link
(.lnk) files and a PDF instruction file.

GETFILES.BAT -- For downloading (FTP) the files needed to run the McAfee Command Line
Scanner. You may have to disable your FireWall or allow FTP.EXE to go through your FireWall
to allow the FTP utility to download the needed files

CLEAN.BAT -- For running within Windows after running c:\mcafee\GetFiles.BAT. If you choose
to scan again at a future date, run this batch file. It will automatically check the date
of the McAfee DAT files and if it is a couple of days old, it will download (FTP) the latest
signature files and install them before performing the scan.

DOSCLEAN.BAT -- For use on a Win9x/ME PC or on a Win2K/WinXP PC that is using FAT32 after
you have booted from an Emergency Boot Disk or DOS disk and have already executed;
c:\mcafee\GetFiles.BAT from within Windows. DOS disk boot images can be obtained from;
http://www.bootdisk.com/bootdisk.htm

I need you to perform the following...

Execute; CLEAN.EXE
Choose; Unzip
Choose; Close

Execute; c:\mcafee\GetFiles.BAT
{ or Double-click on 'GetFiles Link' in c:\mcafee }

Reboot the PC into Safe Mode [F8 key during boot]

Shut down as many applications as possible!
It would also help for you to read - "How to perform a clean boot in Windows XP"
http://support.microsoft.com/kb/310353

Execute; c:\mcafee\CLEAN.BAT
{ or Double-click on 'Clean Link' in c:\mcafee }

A final report in HTML format called C:\mcafee\ScanReport.HTML will be generated. At the
end of the scan, it will be displayed in your browser (Opera, FireFox or Internet Explorer).
It is suggested that you move the report out of c:\mcafee before performing another scan.
It would be a good idea to scan in Safe Mode and in Normal Mode and save a copy of the HTML
report for each session.


* * * Please report back your results * * *


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

Malke
07-09-2005, 11:48 PM
David H. Lipman wrote:

> From: "Malke" <invalid@not-real.com>
>
>
> |
> | Well, my answer is the same. Try a different build of Bart's.
> |

>
> He doesn't need Bart PE.
>
David, he says he can't even get Windows to boot. He gets a BSOD. That's
why I gave him the answer I did.

Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User

David H. Lipman
07-09-2005, 11:48 PM
From: "Malke" <invalid@not-real.com>


| David, he says he can't even get Windows to boot. He gets a BSOD. That's
| why I gave him the answer I did.
|
| Malke
| --
| Elephant Boy Computers
| www.elephantboycomputers.com
| "Don't Panic!"
| MS-MVP Windows - Shell/User

Ah !

Got you. I missed that part. Thanx.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
