Category: Antivirus/Antimalware Tools and Issues

BitDefender Uninstall Tool
article #81, updated 5798 days ago

BitDefender has an uninstall tool available which will remove all versions of the agent from XP, Vista, and Server 2003/2008. The web page is here:

http://www.bitdefender.com/KB333-en--How-to-uninstall-BitDefender.html

==============

Symantec Antivirus manual removal
article #57, updated 6044 days ago

Here is a document:

http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2006022212084148?Open&docid=2002031914291648&nsf=ent-security.nsf&view=docid

It is recommended that the following procedure be used:

a) Disable services
b) Remove everything possible using rmdir /s while terminating processes
c) Reboot
d) Disable one more service
e) Complete the task using the Revo Uninstaller tool (see previous post).

==============

Interesting antispyware app
article #54, updated 6052 days ago

Malwarebytes’ Anti-Malware automatically wiped several things:

http://www.malwarebytes.org/products.php

They appear to have other interesting products too.

==============

AVG downloads
article #39, updated 6137 days ago

The current AVG can be downloaded here:

http://www.avg.com/download

==============

Excellent LiveCD-based antivirus
article #36, updated 6212 days ago

The Trinity Rescue Kit:

http://trinityhome.org/

is a Linux LiveCD (bootable CD) with many system rescue functions for Windows and Linux, including several antivirus systems which update themselves. After it boots, the first step for antimalware is ‘ifconfig’. This will test every active NIC and give the IP address. If you don’t have an IP, you’ll want to do ‘set-ip /dev/eth0’ and ‘set-ip /dev/eth1’, in order to try again.

After you have an IP, do this to mount all partitions:

mountallfs -g

The ‘-g’ is for NTFS read/write capability.

We then need to choose command line options on ‘virusscan’, as discussed here:

http://trinityhome.org/Home/index.php?wpid=40&front_id=12

The correct {DESTINATION} item depends on the results of ‘mountallfs’, which reports a list of partition mount points, e.g., ‘/hda1’, ‘/hda2’, etc. ‘virusscan’ doesn’t work on the device names (‘/dev/hda1’); it works on the mount points (‘/hda1’). Two recent laptops have in fact had four partitions on the one hard drive: one DOS, one VFAT, and two NTFS. For these, the following command worked:

virusscan -a avg -d /hda1,/hda2,/hda3,/hda4

given that the mount points of the devices were stated by ‘mountallfs’ as those four locations. Most desktops have either one or two.

The author of the TRK seems to recommend first scanning with AVG as in the above command line, and then scanning with BitDefender, which requires ‘-a bde’ instead of ‘-a avg’.
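
The mount-point rule and the AVG-then-BitDefender order described above, as an added example that is not part of the original article or of TRK itself: a dry-run helper that only prints the ‘virusscan’ command lines. The function names are hypothetical, and it assumes only the ‘-a’ and ‘-d’ options shown in the article.

```shell
#!/bin/sh
# Added example (not from TRK): builds the 'virusscan' command lines as text
# so they can be reviewed before being typed. Function names are hypothetical.

# Print one virusscan command for ENGINE (avg or bde) over the mount points.
# Returns 1 on an unknown engine, no mount points, or a /dev/ device name.
trk_scan_cmd() {
    engine=$1
    [ $# -ge 2 ] || { echo "usage: trk_scan_cmd avg|bde MOUNTPOINT..." >&2; return 1; }
    shift
    case $engine in
        avg|bde) ;;
        *) echo "unknown engine: $engine" >&2; return 1 ;;
    esac
    list=
    for mp in "$@"; do
        case $mp in
            /dev/*) echo "device name, not a mount point: $mp" >&2; return 1 ;;
            /*) ;;
            *) echo "not an absolute path: $mp" >&2; return 1 ;;
        esac
        # Assumption: -d takes a comma-separated list, so a path containing
        # a comma or a space cannot be passed safely and is refused here.
        case $mp in
            *,*|*" "*) echo "cannot be listed with -d: $mp" >&2; return 1 ;;
        esac
        list=${list:+$list,}$mp
    done
    echo "virusscan -a $engine -d $list"
}

# Print the two-pass order from the article: AVG first, then BitDefender.
trk_scan_plan() {
    trk_scan_cmd avg "$@" || return 1
    trk_scan_cmd bde "$@"
}

# Constructed sample: the four mount points from the laptop case above.
trk_scan_plan /hda1 /hda2 /hda3 /hda4
```

Replace the sample mount points with the ones ‘mountallfs’ actually reports on the machine being scanned.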

==============

For known malware and rogue processes in Windows
article #7, updated 6356 days ago

This free software:

http://killbox.net/

can be invaluable in known malware situations. Sometimes the Task Manager process list shows suspicious .EXEs running; a Google search may (or may not) confirm one of them as spyware. If you are very sure, Killbox will sometimes terminate the running process for you, but even if it can’t do that, it will tell the system to delete the .EXE at next reboot. This can be a very good approach when antimalware scanners fail.
