Re: Klone Virus



Thank you, again. I assumed that some of the scanners kill processes in
order to excise files, and PestPatrol, for example, creates a script that
runs at startup, in order to excise files before they load. But there are
layers upon layers to this whole business. I know some who suggest pretty
much always using Bart's for formal malware scanning, but I kind of figure
that's taking things a bit far.

--

Gary S. Terhune
MS-MVP Shell/User
http://grystmill.org/articles/cleanboot.htm
http://grystmill.org/articles/security.htm

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:uyM1mDcEHHA.4024@xxxxxxxxxxxxxxxxxxxxxxx
From: "Gary S. Terhune" <grystnews@xxxxxxxx>

| Thank you, ;-)
|
| Still (and I ask this in all seriousness), if Klone requires treatment
| from outside the OS, as suggested by your mention of the Recovery Console,
| how does a Windows-based AV or any other scanner running from within
| Windows deal with it?
|
| And, particularly since I deal in legacy Windows (98 mostly), when
| cleaning up Klone and similar items wouldn't the use of BART's PE, for
| example, be even better than running Multi_AV, etc., in Safe Mode?
|

Running the Multi AV Scanning Tool in Safe Mode will increase the chance
of removal of some malware that can't be removed in Normal Mode because it
hopefully has NOT been loaded. In the case of the Klone Trojan, it is
loaded in both Safe and Normal Modes.

The way to remove the Klone is you would have to kill/suspend those
processes that have loaded the DLL, and thus the DLL file handle will no
longer be held open and the Registry entries no longer protected. Some
anti-malware utilities have this capability, or have it to some degree.

You would want to go through the anti-malware utilities first to get the
easiest-to-remove malware, and then, when you can't remove something, you
may have to resort to more radical actions such as the Recovery Console
method.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
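The mechanism Dave describes (kill the processes that have the DLL mapped, so the file handle is released and the autostart registry value is no longer protected, then delete both) can be scripted. The following is an added example written for this page, not code from either poster or from any of the tools named in the thread; it targets a current Windows with PowerShell rather than the Windows 98 Gary mentions, and the DLL path, the autostart key and the value name are placeholders, since the thread does not give Klone's real file or registry names.

```powershell
# Added example (not from the thread): release a DLL that running processes
# hold open, then remove the file and its autostart registry value.
# ASSUMPTIONS: the DLL path, registry key and value name passed in are
# placeholders; the real Klone names are not given in the thread.

function Get-DllHolder {
    # Return every process that currently has a module named $ModuleName mapped.
    param([Parameter(Mandatory)][string]$ModuleName)
    foreach ($proc in Get-Process) {
        # Reading .Modules fails for protected/system processes or across
        # 32/64-bit boundaries; skip those rather than abort.
        try { $modules = $proc.Modules } catch { continue }
        foreach ($m in $modules) {
            if ($m.ModuleName -ieq $ModuleName) { $proc; break }
        }
    }
}

function Remove-LoadedDll {
    param(
        [Parameter(Mandatory)][string]$Path,   # assumed, e.g. C:\Windows\System32\klone.dll
        [string]$AutostartKey,                 # assumed, e.g. HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        [string]$AutostartValue,               # assumed value name under that key
        [string[]]$NeverKill = @('System','smss','csrss','wininit','winlogon','services','lsass')
    )
    $name    = Split-Path -Leaf $Path
    $holders = @(Get-DllHolder -ModuleName $name)
    if (-not $holders) { Write-Host "$name is not loaded in any accessible process." }

    foreach ($p in $holders) {
        if ($NeverKill -contains $p.ProcessName) {
            # A DLL mapped into a core system process cannot be released by
            # killing the process without taking the OS down; that is the case
            # for cleaning from outside the OS (Recovery Console / boot CD).
            Write-Warning "$name is loaded in $($p.ProcessName) (PID $($p.Id)); remove it offline instead."
            return
        }
        Write-Host "Stopping $($p.ProcessName) (PID $($p.Id)), which has $name loaded"
        Stop-Process -Id $p.Id -Force
        $p.WaitForExit(5000) | Out-Null
    }

    # With the holders gone the registry value is no longer re-written or
    # protected; removing it first prevents the DLL reloading at next logon.
    if ($AutostartKey -and $AutostartValue) {
        Remove-ItemProperty -Path $AutostartKey -Name $AutostartValue -ErrorAction SilentlyContinue
    }

    # No process maps the DLL any more, so the file handle is released and the
    # file can be deleted. A sharing violation here means another holder exists
    # (re-run Get-DllHolder) or the file must be removed from outside the OS.
    try {
        Remove-Item -LiteralPath $Path -Force -ErrorAction Stop
        Write-Host "Deleted $Path"
    } catch {
        Write-Warning "Could not delete ${Path}: $($_.Exception.Message)"
    }
}

# Usage (all names are assumptions, substitute the real ones):
# Remove-LoadedDll -Path 'C:\Windows\System32\klone.dll' `
#     -AutostartKey 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' `
#     -AutostartValue 'klone'
```

Run Get-DllHolder on its own first and read the list before letting Remove-LoadedDll stop anything: the $NeverKill list only covers the obvious system processes, and a DLL injected into explorer.exe or a service host will take that process down with it. If the holder is one you cannot stop, that is exactly the situation the thread resolves with BartPE or the Recovery Console.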