Hello,
Thanks for your response. I neglected to mention that I do have an image, but I don't believe it's got the profiles in it. I'll check on the Alureon. Right now I believe my next step, after the chkdsk I just started completes, is that I'm going to take the enclosure and put it in a Linux box and see if I can get the files that way. Any thoughts? Right now all I want is the data: pics, docs, audio, favorites, the profile. I can restore the machine after that. It's a Dell and from what I'm seeing it has a recovery partition.
Thanks.
Dave.
On 4/19/12, Jackie McBride <abletec@gmail.com> wrote:
Dave, oh boy--Alureon is in fact a rootkit. So, he was correct on that score.
Here's what I think, & u may wanna decide if this is all worth your time for extended family who's not paying u.
First & foremost, image the drive. Seriously. That probably should've been done prior to doing any cleaning, especially if the default is to delete files as opposed to putting them into quarantine, but, in any event, do it b4 u do anything more on that drive. I'm really serious about that. That way, if things go to hell in a handcart, you'll have something to go back to. Otherwise, you're pretty much screwed.
Once you've imaged the drive, & are pretty sure u got all the nasties off, then do a chkdsk on the original to mitigate any file corruption.
It is possible that the malware changed the user profile name, so look for that possibility. Also make sure that none of those fall into the category of file infectors, because, if so, saving the files could in fact lead to reinfection once the box has been reformatted & the files restored.
HTH.
On 4/19/12, David Mehler <dave.mehler@gmail.com> wrote:
Hello,
Has anyone dealt specifically with any of the following malware:
1. Exploit:Java/CVE-2012-0507.R
2. backdoor:Win32/Kelihos.F
3. Exploit:Java/CVE-2010-0840.QI
4. exploit:Java/CVE-2012-0507.R!ldr
5. TrojanDownloader:Win32/Waledac.C
6. trojan:Win32/Tibs.IT
7. Trojan:Win64/Alureon.gen!F
8. Trojan:Win64/Alureon.gen!J
9. trojan:Win32/Alureon.gen!AD
10. Trojan:Win32/Orsam!rts
11. trojan:Win32/Alureon.FK
12. Trojan:DOS/Alureon.I
13. trojan:Win32/Dynamer!dtc
14. Trojan:Win32/Dynamer!dtc
on a Win7 64-bit machine?
This one is going to be convoluted. An individual who gives me more computer headaches than anyone else, but who also happens to be extended family, called me about two weeks back claiming his box had a worm. I think he was running Norton 360. I do not know the name of the worm or whether it was a worm. He didn't give me the box until four days ago, when problems had escalated to a backdoor/rootkit, trojan, and a virus (his words). His cleaning efforts did not take the box off the internet, so I wouldn't be surprised. The thing that finally got the box to me was a black screen; my guess is a very corrupted Windows, given some of the above malware I've googled, as well as a report that his user profile, documents, background, pictures, etc. were gone. The drive in question is very full, having only 20 GB of space left.
Here's the problem. I put that drive in an external enclosure, hooked it up to a test box and cleaned it; it took two passes of Security Essentials and Malwarebytes to do it, and they found the above listing of stuff. This is after his "cleaning efforts"; I can only have nightmares about what this looked like before. Two problems: the black screen (corrupted Windows or registry, my guess), and file permission changes.
He reported to me that certain files were "hidden". I have since discovered that they are operating-system protected, but his profile is not accessible; it's showing up as a folder with no files or folders in it.
These reports are still from this drive being in the external enclosure; I have not rehooked it up to its motherboard. I believe my next step is to blow it away, since it sounds like it is really bad, but I've got to get the profiles, documents, pictures, etc. Suggestions welcome. None of my googling on the above indicated they did anything with regard to changing file attributes to hidden or setting files "protected" by the operating system.
Thanks.
Dave.
_______________________________________________
Blind-sysadmins mailing list
Blind-sysadmins@lists.hodgsonfamily.org
http://lists.hodgsonfamily.org/listinfo/blind-sysadmins
--
Blame the computer--why not? It can't defend itself & occasionally might even be the culprit
Jackie McBride
Ask Me Computer Questions at: www.pcinquirer.com
Jaws Scripting training materials: www.screenreaderscripting.com
homePage: www.abletec.serverheaven.net
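A small triage script for the recovery steps discussed above (work from the image, look for a renamed profile, and keep possible file-infector carriers out of the restore set), added here as an example; it is not code from the list thread or from any tool named in it. It assumes the imaged drive's Users folder is mounted read-only on the Linux box; the profile names and files below are constructed sample data.

```python
"""Triage a read-only mounted copy of a Windows Users folder before restoring data."""
import tempfile
from pathlib import Path

# Extensions that can carry executable content. A file infector can ride along
# in these, so they are set aside for review rather than restored blindly.
RISKY_EXTS = {".exe", ".dll", ".scr", ".com", ".pif", ".bat", ".cmd",
              ".vbs", ".js", ".jar", ".lnk"}

def list_profiles(users_dir):
    """Return {profile_name: file_count} for every folder under Users.
    An empty folder beside a populated one with a similar name is the
    renamed-profile case Jackie mentions: the data is usually in the big one."""
    result = {}
    for entry in Path(users_dir).iterdir():
        if entry.is_dir():
            result[entry.name] = sum(1 for p in entry.rglob("*") if p.is_file())
    return result

def plan_restore(profile_dir):
    """Split a profile's files into 'keep' (data) and 'review' (executable-type)."""
    keep, review = [], []
    for p in Path(profile_dir).rglob("*"):
        if p.is_file():
            rel = p.relative_to(profile_dir).as_posix()
            (review if p.suffix.lower() in RISKY_EXTS else keep).append(rel)
    return {"keep": sorted(keep), "review": sorted(review)}

def build_sample_tree(root):
    """Constructed sample: a populated 'dave.old' profile beside an empty 'dave' stub."""
    files = {
        "Users/dave.old/Pictures/trip.jpg": b"\xff\xd8",
        "Users/dave.old/Documents/notes.docx": b"PK",
        "Users/dave.old/Downloads/setup.exe": b"MZ",       # executable: review, don't restore
        "Users/dave.old/Favorites/bank.url": b"[InternetShortcut]",
    }
    for rel, data in files.items():
        path = Path(root, *rel.split("/"))
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    Path(root, "Users", "dave").mkdir(parents=True)   # the empty stub that shows no files
    return Path(root, "Users")

def demo():
    """Build the sample tree, pick the populated profile, and plan its restore."""
    users = build_sample_tree(tempfile.mkdtemp())
    profiles = list_profiles(users)
    biggest = max(profiles, key=profiles.get)
    return profiles, biggest, plan_restore(users / biggest)

if __name__ == "__main__":
    for part in demo():
        print(part)
```

On a real mount, point `list_profiles` at the mounted Users folder instead of the sample tree; everything in the `review` list should be scanned or simply dropped before the data goes back onto the rebuilt machine.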