cleaned pc using an antivirus:)

Discussion in 'other anti-malware software' started by jmonge, Oct 1, 2010.

Thread Status:
Not open for further replies.
  1. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    Then jmonge would've made a post like:
    "Man Avast is really cool. :cool: It find 2 troj an 2 rootkit my frien pc. I really like that Avast, how about you." :D

    He would've had 2 or 3 replies and less opportunities to use emoticons :eek::D:p ;) and then it would drop off the 1st page. :mad:

    Just sayin' :peace: :p

    Sully and Kees will help to cut down on that time a lot with their Safe-Admin. ;)
    The time it takes to wipe and reinstall + 3 minutes.
     
  2. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    I think Kees was playing around with that key where if the value is changed to 1 then only a meta file is downloaded instead of the exe. Not really sure on that though?
     
  3. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,295
  4. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,925
    1806 enables/disables the question with downloaded files from unsecure zones
    opening in secure zones
    http://forums.mozillazine.org/viewtopic.php?f=23&t=645496&st=0&sk=t&sd=a&start=90

    HTH

    @bryanjoe
    i can afford that point for me - many people rely on my opinion - i don't miss
    one in a hundred. posting his action here doesn't earn only congrats.
    btw - still haven't found the EDIT button too? :rolleyes:

    @Tarnak - nothing against his personal experience.
    at first sight it seems ok, but digging deeper there is no gold to claim.
    in few cases cleaning is the only option - but not here as it seems.
    and if his friend doesn't change behaviour the next crash is coming for sure.

    PS "Sully and Kees" are who?
    3 Minutes is the time here to recover from image ;)
     
    Last edited: Oct 2, 2010
  5. bryanjoe

    bryanjoe Registered Member

    Joined:
    Feb 23, 2006
    Posts:
    380
    oh please....
    if you ain't here to share, please afford posting non-relevant remarks.
    ......

    since we are not gonna benefit from it either...

    ps.... i never rely on your opinion....
     
  6. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    But what does the change do ?

    Thanks, but Kernelwars is saying the opposite 1 - 3 ?

    Found this - http://support.microsoft.com/kb/182569 - 1806 Miscellaneous: Launching applications and unsafe files - but doesn't mention the reg entry numbers etc.

    @ Brummelchen

    Just seen your post :thumb: From the link

    Now we know ;) I prefer 1 = prompt actually, still safe if only allow known/wanted stuff :thumb:
     
  7. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,925
    sharing WHAT?
    i already wrote a solution - if you don't read, don't bother me again.
    and - this topic only is about cleaning up - not to prevent.
    he didn't ask for that - and the computer is already gone.
    it's not my fault if jmonge doesn't ask before he acts.

    @cloneranger - due to firefox regarding the rules of trusted zones i have 1806 set to 0 (null).
    that dword is a relic for me coming from windows xp with ie6 which doesn't offer
    that setting (comes with ie7). i stored a reg-file with that setting in my tweak
    folder and it's valid on win7. hth
     
  8. Kernelwars

    Kernelwars Registered Member

    Joined:
    Aug 12, 2010
    Posts:
    2,155
    Location:
    TX
    u of course want to change zones :eek: if u want to access intranet sites zone then value 1 and for the Internet sites zone value 3.. but as you are saying 1=prompt I think you are talking about interface value in that case 65536 adminapproved & 3 is disabled :eek: :eek:
     
  9. wat0114

    wat0114 Guest

    Brummelchen offers sound advice, for sure, but under the circumstances with little experience under his belt and the infected pc not having a backup image on hand, jmonge did a good job. In the end his friend was happy with a working pc. It might be worth finding out how the pc became infected in the first place and maybe advise on and develop a security strategy to prevent it from happening again. Some nice resources worth reading here from Blue.
     
  10. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    cloneranger the default value is 1 and by changing to 3 then all files will be access denied from browser (IE=microsoft)
     
  11. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    i have this line 1806 with its value 3 with IE6 and it works just fine ;) so it works to block all drive by attacks i tested this alone against them and remain safe but if i have it change to 1 is not safe as it will not prompt when injecting without one's knowledge so clone ranger i will prefer to change its value to 3 ;) :thumb: very safe

    note: i am currently testing this with malware without any antivirus just winpatrol plus and for about 2 weeks already haven't got infected :thumb: i am doing this for the sake of testing and to see if it works and it does :thumb:
     
  12. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Didn't have the 1806 line here in Win 7 so added it with a value of 3 then stopped/started explorer.

    Starting with a fresh sandboxed FF I tried to download 3 malwares and CCleaner but all four were auto canceled with only four zero byte files showing that can be manually recovered from the sandbox.

    I think Kees referred to these as meta data or something similar?

    [Attached images: Down.JPG, Meta.JPG]
     
  13. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    zero bytes is a good sign man :thumb: so it works for firefox too o_O
     
  14. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    i wonder if it works with chrome o_O
     
  15. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,925
    chrome does not regard trusted zones like firefox does. simple as that.
     
  16. Jav

    Jav Guest

    From usability point of view it means you can't download anything with firefox?
     
  17. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    If you merge the below reg files all you have to do is restart IE or FF to implement. No need to stop/start explorer like I did earlier.

    No exe downloads:
    Allowed exe downloads:
     
  18. Jav

    Jav Guest

    I see, Thank you :)
     
  19. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    very handy dandy;)
    @wat0114 thanks for advise and i think it was by going to the dark side as always you know what i mean:D
     
  20. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    RE - [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
    "1806"=dword = ?

    I'm confused now :D

    That entry is still unchanged at 1 on my comp as i've left it alone, due to,

    With both IE6 & FF v3 i have always set both up to prompt me before a DL, and it Always works = :thumb: So i guess the registry settings for those selected options must be elsewhere, and it would "appear" to me, that these override the discussed Zones\3 ?
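
Added example, not part of the original thread: the posts above mix up the zone number in the key path (Zones\3 is the Internet zone) with the policy value stored under 1806 (0 = allow, 1 = prompt, 3 = disable, per the KB182569 article linked earlier). This Python sketch decodes both from a .reg export and also reports a zone where the 1806 line is absent; the sample export and the function names are constructed for illustration.

```python
import re

# URL action 1806 = "Launching applications and unsafe files" (KB182569).
ZONES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}
POLICIES = {0: "allow", 1: "prompt", 3: "disable"}

KEY_RE = re.compile(
    r"^\[(?P<hive>HKEY_[A-Z_]+)\\.*\\Internet Settings\\Zones\\(?P<zone>\d+)\]$", re.I)
VAL_RE = re.compile(r'^"(?P<name>[0-9A-Fa-f]+)"=dword:(?P<data>[0-9A-Fa-f]{1,8})$')

# Constructed sample, already decoded to str (regedit itself writes UTF-16).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1200"=dword:00000000
"1806"=dword:00000003

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"1200"=dword:00000003
'''

def audit_1806(reg_text):
    """Map (hive, zone number) -> 1806 value, or None when the value is absent."""
    found, current = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = (key["hive"].upper(), int(key["zone"]))
            found.setdefault(current, None)
        elif line.startswith("["):
            current = None  # a key outside Internet Settings\Zones
        else:
            val = VAL_RE.match(line)
            if val and current and val["name"] == "1806":
                found[current] = int(val["data"], 16)
    return found

def describe(hive, zone, value):
    zone_name = ZONES.get(zone, f"zone {zone}")
    if value is None:
        return f"{hive} {zone_name}: 1806 not set"
    policy = POLICIES.get(value, "unrecognised value")
    return f"{hive} {zone_name}: 1806={value} ({policy})"

if __name__ == "__main__":
    for (hive, zone), value in sorted(audit_1806(SAMPLE).items()):
        print(describe(hive, zone, value))
```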
     
  21. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Yep CloneRanger you or I and probably all Wilders folks have most things sorted but for a normal user that block exe downloads reg setting could be of help.

    Such as the fake scan site below which tries to trick the user into downloading/executing the fake Microsoft Security Essentials alert.

    [Attached images: Fake Scan.JPG, Fake 2.JPG]
     
  22. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825
    jmonge when you first start messing with an infected box boot into safe and check msconfig and kill whatever looks wrong or odd running at startup, check the Add/Remove programs and use as many apps then as possible in Safe Mode, then try booting to the desktop and life will be much simpler.

    Also I always run like Malwarebytes and SuperAntispyware typically first in a quick mode just to gain back some system ability then I go for full modes...

    P.S. After looking at your first post and all those apps you ran and you still had problems, backup data and just REFORMAT the box and be done with it! ;) Sometimes it's better just to reinstall the darn thing rather than mucking forever trying to clean it, trust me I've been there already and you've got to know from the beginning when it's better not to try and save it. ;)
     
  23. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    i did that buddy;)
     
  24. wat0114

    wat0114 Guest

    Although I don't like the idea of cleaning a highly infected system (in my case if it were to happen to me I'd restore a recent image) and reformatting or better yet wiping will guarantee removal of the malware, how long does it take to do this, including all drivers, patches, software and user settings? A long time, like at least 1/2 a day, so it's not the best or most efficient way, and probably could be considered a "lamer's" way of doing things, although someone with little experience could be forgiven for going that route. Anyone who continues, however, in allowing their rig to get infected without learning from previous ordeals by applying preventative measures such as updated antivirus, sandboxing, limited account use, anti-executable...etc, nor (and just as importantly) quick recovery measures such as image/restore applications, and of course safe surfing/downloading habits is obviously content on relying on the less efficient or effective cleansing or reformatting approaches instead.
     
  25. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825

    Well I said reformat, because most likely there was no backup image, like something, as Image For Windows.

    Now IFW is the smartest way to go if too much infection and you're back to clean in around 10 mins on average with most image restores...
     