malware aftermath
Dec. 8th, 2014 02:27 am

Yesterday (well, earlier in this wake cycle) I finally got around to finishing up the recovery of the infected computer.
I'd pulled the drives and stuck them in another system to scan for nasties shortly after the original post. It took several days because after doing the scan, I'd back up the drive. That took a while (two 160 gig drives and a 500 gig drive).
And while the system was open, I'd discovered that it actually *did* have SATA. The two connectors were placed oddly and sort of blended in. So I wanted to get a SATA to eSATA adapter and put in a Blu-ray player. I didn't get to the place I buy such things from until Saturday.
Running Malwarebytes found some stuff that hadn't shown when the drives were scanned in the other box. TDSSKiller found more stuff. So did Rkill and RogueKiller.
I couldn't run ComboFix because it's not *possible* to disable my AV program except by uninstalling it.
The software policy restriction stuff was still there even after doing things like creating one and setting it to "unrestricted".
I finally had to go into event viewer and find the entries generated when I tried running the blocked programs.
This gave me a typical weird Windoze character string as the ID of the policy. I searched for that in the registry and found the "SAFER" section which is where that sort of thing gets stored.
Besides the stuff I knew was blocked, updates to several Windows files were blocked. I just deleted the whole section.
After rebooting the system was finally ok.
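The Event Viewer to registry hunt described above can be scripted. What follows is an added example, not code from the original post: it lists the Software Restriction Policy ("Safer") rules stored under the CodeIdentifiers keys, pulls the SRP block events (Application log, event IDs 865 to 868) and extracts the rule GUID from each message, and removes only the rule subkey an event named instead of deleting the whole section. The registry layout, event IDs and value names are standard SRP; the function names and the `-Newest 2000` window are this example's own choices.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell prompt.
# SRP keeps its rules here, at machine and per-user scope. DefaultLevel: 0 = Disallowed,
# 0x1000 = Basic User, 0x40000 = Unrestricted. Each rule is a GUID-named subkey under
# <level>\Paths, <level>\Hashes, <level>\Certificates or <level>\UrlZones.
$saferRoots = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers',
    'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
)
$levelNames = @{ '0' = 'Disallowed'; '4096' = 'BasicUser'; '131072' = 'Normal'; '262144' = 'Unrestricted' }

function Get-SaferRule {
    # Enumerate every rule at every level, in both scopes, as one object per rule.
    foreach ($root in $saferRoots) {
        if (-not (Test-Path $root)) { continue }
        $default = (Get-ItemProperty -Path $root -ErrorAction SilentlyContinue).DefaultLevel
        Write-Host ("{0}: DefaultLevel=0x{1:X} ({2})" -f $root, [int]$default, $levelNames["$default"])
        Get-ChildItem -Path $root -ErrorAction SilentlyContinue |
            Where-Object { $levelNames.ContainsKey($_.PSChildName) } |
            ForEach-Object {
                $level = $_
                Get-ChildItem -Path $level.PSPath -ErrorAction SilentlyContinue | ForEach-Object {
                    $kind = $_.PSChildName   # Paths, Hashes, Certificates or UrlZones
                    Get-ChildItem -Path $_.PSPath -ErrorAction SilentlyContinue | ForEach-Object {
                        $p = Get-ItemProperty -Path $_.PSPath
                        New-Object PSObject -Property @{
                            Scope        = $root.Split(':')[0]
                            Level        = $levelNames[$level.PSChildName]
                            Kind         = $kind
                            RuleGuid     = $_.PSChildName   # the "weird character string" the block events report
                            ItemData     = $p.ItemData      # path (or hash blob) the rule matches
                            Description  = $p.Description
                            RegistryPath = $_.PSPath
                        }
                    }
                }
            }
    }
}

function Get-SaferBlockEvent {
    param([int]$Newest = 2000)   # how far back in the Application log to look (example's choice)
    # SRP writes a Warning to the Application log when it blocks an executable:
    # 865 = default level, 866 = path rule, 867 = certificate rule, 868 = zone rule.
    # The message text carries the GUID of the rule that fired.
    Get-EventLog -LogName Application -Newest $Newest |
        Where-Object { 865, 866, 867, 868 -contains $_.EventID } |
        ForEach-Object {
            $guid = if ($_.Message -match '\{[0-9A-Fa-f-]{36}\}') { $Matches[0] } else { $null }
            New-Object PSObject -Property @{
                Time = $_.TimeGenerated; EventId = $_.EventID; RuleGuid = $guid; Message = $_.Message
            }
        }
}

function Remove-SaferRule {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][string]$RuleGuid)
    # Delete just the rule subkey a block event named, rather than the whole CodeIdentifiers
    # key, so legitimate policy survives. Export the key first (reg export) to keep it reversible.
    foreach ($rule in (Get-SaferRule | Where-Object { $_.RuleGuid -eq $RuleGuid })) {
        if ($PSCmdlet.ShouldProcess($rule.RegistryPath, 'Remove SRP rule')) {
            Remove-Item -Path $rule.RegistryPath -Recurse
        }
    }
}

# Usage: list the rules, list the block events, and see which rules the events point at.
$rules  = Get-SaferRule
$events = Get-SaferBlockEvent
$rules  | Format-Table Scope, Level, Kind, RuleGuid, ItemData -AutoSize
$events | Format-Table Time, EventId, RuleGuid -AutoSize
$events | Where-Object { $_.RuleGuid } | ForEach-Object {
    $hit = $rules | Where-Object { $_.RuleGuid -eq $_.RuleGuid }
    $hit = $rules | Where-Object { $_.RuleGuid -eq $args[0] }
}
# After review: Remove-SaferRule -RuleGuid '{...}' -WhatIf   (drop -WhatIf to apply), then reboot.
```

Two caveats a cleanup like the one in the post should keep in mind: rules can live under HKCU as well as HKLM, so a scan that only looks at the machine key misses per-user ones, and if the box is domain-joined a Group Policy refresh will put any policy-sourced rules straight back, so the source of the rules matters as much as their removal. The Unrestricted rule the post describes adding does not help because a Disallowed rule on a more specific path wins over a less specific Unrestricted one.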