Dustin wrote in
news:XnsA3D682CC1C8A0C9X238BHEUFHHI5RJ791@192.254.233.145:
> B00ze/Empire wrote in
> news:m2s0ot$6l6$1@dont-email.me:
>
>> On 2014-10-27 21:21, Dustin wrote:
>>
>>> RayLopez99 wrote in
>>> news:bb7eac56-c205-4cb4-b03f-20cd457eeca4@googlegroups.com:
>>>
>>>> I've not. I surf porn sites that supposedly have
>>>> viruses/malware on them, and last I caught even some PUP was
>>>> years ago.
>>
>> Depends on what you use to browse, and how up to date you are
>> with Flash etc. If you block javascript for instance, you're not
>> going to be infected that way...
>>
>>> I'm sure I can find you some websites that wouldn't be safe to
>>> surf on. Virus guy posts a lot of interesting urls....
>>
>> Indeed.
>>
>>>> Some of you are technicians, so have you seen any
>>>> malware/viruses on systems that employ a quality AV like
>>>> Microsoft Security Essentials or Windows Defender? Nope.
>>>> Didn't think so.
>>
>> I see crap like "Conduit" every week where I work; amazing how
>> people will just click "Next" to anything...
>>
>>> Actually, I have, yes. I recently (three days ago actually)
>>> removed the first Poweliks.A that I've seen ITW from a client's
>>> machine. This wouldn't technically be a virus though; but it's
>>> certainly malware.
>>>
>>> Are you familiar with it? It lives in the registry and has no
>>> actual file presence on the machine otherwise. Do you know how
>>> to remove it?
>>> :)
>>
>> So HOW do you remove it? If I recall, RegEdit will not let you
>> delete the key, so what's the trick? Please tell :-)
>
> Hehehehe.. It's piss easy. First, stop explorer.exe, then
> terminate all dllhost processes. Make sure you leave yourself a
> console prompt and have sysinternals regdelnull utility. :)
>
> Remove the registry keys that you can with regedit, finish up by
> running the utility I mentioned above on ALL the system hives.
Just so you know, I left out one detail, so I can ask virusguy about
it later if he chimes in trying to take credit for what I told you to
remove the beastie. I'd asked him days ago if he knew how. I know he
doesn't, and I know as long as I skip certain things, I can determine
if he's figured it out on his own, or is going by what I wrote.
Also, while regedit won't let you do certain things with the
registry, the API itself as well as other apps certainly will. The
null character issue as well as the extended ASCII characters are a
regedit.exe issue only. Blame typical MS programmers. The same people
who told File Manager that directories don't exist if they're using
extended ASCII in their filenames are the people I suspect wrote
regedit with the silly limits it has.
The malware itself is probably one of the easiest ones I've dealt
with in years. Even though it has no actual file-based home, it's
very easy to remove and is not very well protected at all. One might
even say that because of the way it loads into the system, it's
extremely vulnerable.
--
If you can read this, Thank a teacher.
If you're reading it in English, Thank a soldier!
--- NewsGate v1.0 gamma 2
* Origin: News Gate @ Net396 -Huntsville, AL - USA (1:396/4)
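The removal order quoted above (stop explorer.exe, kill every dllhost, keep a console, clean with regedit, then sweep the hives with Sysinternals regdelnull), scripted as an added example for an elevated PowerShell console. This is not code from the thread or from Dustin; it assumes regdelnull.exe is on the PATH, that "-accepteula" is the usual Sysinternals EULA switch, and it takes "ALL the system hives" to mean HKLM and HKU (HKCU and HKCR are views merged from those two, so scanning the two roots covers them); that hive set is my reading, Dustin does not list the hives.

```powershell
# Added example, not code from the original post: Dustin's removal order scripted.
# Assumptions: elevated PowerShell, regdelnull.exe (Sysinternals) on the PATH,
# and "all the system hives" taken to mean the roots in $Hives below.
$ErrorActionPreference = 'Stop'

function Stop-HostProcesses {
    # Steps 1 and 2: stop the shell first, then every COM surrogate (dllhost)
    # instance, so nothing re-spawns the payload while the registry is edited.
    foreach ($name in 'explorer', 'dllhost') {
        Get-Process -Name $name -ErrorAction SilentlyContinue |
            Stop-Process -Force -ErrorAction SilentlyContinue
    }
    Start-Sleep -Seconds 3
    # Verify nothing came back; this console is the only thing left to work from.
    $alive = Get-Process -Name 'explorer', 'dllhost' -ErrorAction SilentlyContinue
    if ($alive) {
        throw "Host processes respawned (PIDs $($alive.Id -join ', ')); repeat before touching the registry."
    }
}

function Remove-NullKeys {
    # Step 4: recurse each hive root looking for key names with embedded nulls,
    # the names regedit.exe cannot display or delete. regdelnull prompts before
    # each deletion, so run this from the interactive console you kept open.
    param([string[]] $Hives = @('hklm', 'hku'))   # assumed hive set; HKCU/HKCR are views of these
    foreach ($hive in $Hives) {
        Write-Host "Scanning $hive for null-embedded key names ..."
        & regdelnull.exe -accepteula $hive -s
    }
}

Stop-HostProcesses
# Step 3 is manual: delete whatever regedit will let you delete, then continue.
Read-Host 'Remove the keys regedit can handle now, then press Enter to sweep the hives'
Remove-NullKeys
Start-Process explorer.exe   # restore the shell once the registry is clean
```

Run it from the console you intend to keep; if explorer or dllhost come back before the registry work is done, the script stops rather than sweeping underneath a live loader.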