Registry Virus Help

markb

Recently a computer running Windows 2000 SP4 was infected with a worm. It
claimed to be the netsky32. I used the Malicious Software Removal Tool to
remove it. I need to find out when this system was infected. This particular
worm causes IE to launch and contact a website. So I was thinking of a tool
that will pull up a log and help me to interpret the results. I know the day
the infection occurred, just not the time. The RegMon tool is great, but shows
real-time and I need to look back through the log to 14 days ago.

Please assist.
--
Markb
 
David H. Lipman

From: "markb" <markb@discussions.microsoft.com>

|
| Recently a computer running Windows 2000 SP4 was infected with a worm. It
| claimed to be the netsky32. I used the Malicious Software Removal Tool to
| remove it. I need to find out when this system was infected. This particular
| worm causes IE to launch and contact a website. So I was thinking of a tool
| that will pull up a log and help me to interpret the results. I know the day
| the infection occurred, just not the time. The RegMon tool is great, but shows
| real-time and I need to look back through the log to 14 days ago.
|
| Please assist.

There is no real way to assay WHEN a PC was infected. Sorry.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
 
Volodymyr Shcherbyna

Before removing the executable file, you should take a look at the creation date
of the file.

--
V.
This posting is provided "AS IS" with no warranties, and confers no
rights.
"markb" <markb@discussions.microsoft.com> wrote in message
news:987C2E33-BC83-4581-BAC0-9FADA89F82ED@microsoft.com...
>
> Recently a computer running Windows 2000 SP4 was infected with a worm. It
> claimed to be the netsky32. I used the Malicious Software Removal Tool to
> remove it. I need to find out when this system was infected. This particular
> worm causes IE to launch and contact a website. So I was thinking of a tool
> that will pull up a log and help me to interpret the results. I know the day
> the infection occurred, just not the time. The RegMon tool is great, but shows
> real-time and I need to look back through the log to 14 days ago.
>
> Please assist.
> --
> Markb
>
 
Volodymyr Shcherbyna

Believe me, there is a low percentage of malware that modifies its own creation
date.

--
V.
This posting is provided "AS IS" with no warranties, and confers no
rights.
"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:%23TTfkafYIHA.5900@TK2MSFTNGP02.phx.gbl...
> From: "Volodymyr Shcherbyna" <v_scherbina@online.mvps.org>
>
> | Before removing the executable file, you should take a look at the creation date
> | of the file.
> |
>
> Creation dates of malware files are often faked.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
>
>
 
David H. Lipman

From: "Volodymyr Shcherbyna" <v_scherbina@online.mvps.org>

| Believe me, there is a low percentage of malware that modifies its own creation
| date.
|

Considering the sheer number of malware even if there was a low percentage, you can NOT rely
on the date as a factor indicating infection date. You may however use that with a myriad
of other factors to come to a conclusion but the data of the file can not be counted on.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
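Added example, not part of the thread or any poster's code: a small Python triage that treats a file's creation time as one factor and accepts it only when other, independent records from the known infection day agree with it. The source names, paths and timestamps are constructed sample values, and the five-minute window and two-source threshold are assumptions.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample evidence; every source name, path and time is invented.
# Tuple layout: (source, timestamp, description)
EVENTS = [
    ("file_created", "2008-01-14 03:12:00", r"C:\WINNT\system32\sample_a.exe"),
    ("file_created", "2008-01-14 14:41:07", r"C:\WINNT\sample_b.exe"),
    ("registry_write", "2008-01-14 14:41:09", "Run key last-write time"),
    ("proxy_log", "2008-01-14 14:41:55", "first request to the site IE was sent to"),
    ("event_log", "2008-01-14 14:39:30", "event log entry near the suspected time"),
    ("proxy_log", "2008-01-15 09:00:02", "later request on a different day"),
]

def corroborate(events, day, window_minutes=5):
    """For each file creation time on `day`, list the independent sources
    that recorded something within the window around it."""
    window = timedelta(minutes=window_minutes)
    parsed = [(src, datetime.strptime(ts, FMT), what) for src, ts, what in events]
    results = []
    for src, when, what in parsed:
        if src != "file_created" or when.date().isoformat() != day:
            continue
        # A creation date never corroborates another creation date:
        # both can be set by the same program.
        support = sorted({s for s, t, _ in parsed
                          if s != "file_created" and abs(t - when) <= window})
        results.append((when, what, support))
    return sorted(results)

def estimate_infection_time(events, day, min_sources=2, window_minutes=5):
    """Earliest file creation time backed by at least `min_sources` other
    sources; None when the file dates stand alone."""
    for when, _what, support in corroborate(events, day, window_minutes):
        if len(support) >= min_sources:
            return when
    return None

if __name__ == "__main__":
    for when, what, support in corroborate(EVENTS, "2008-01-14"):
        print(when, what, support or "uncorroborated")
    print("estimate:", estimate_infection_time(EVENTS, "2008-01-14"))
```

In the sample data the 03:12:00 creation time has no supporting record and is skipped, while 14:41:07 is backed by three other sources.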
 
Volodymyr Shcherbyna

Second time I ask you to believe me. None of the malware touches its own
creation date.

--
V.
This posting is provided "AS IS" with no warranties, and confers no
rights.
"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:O98tAqfYIHA.5132@TK2MSFTNGP02.phx.gbl...
> From: "Volodymyr Shcherbyna" <v_scherbina@online.mvps.org>
>
> | Believe me, there is a low percentage of malware that modifies its own creation
> | date.
> |
>
> Considering the sheer number of malware even if there was a low percentage, you can NOT rely
> on the date as a factor indicating infection date. You may however use that with a myriad
> of other factors to come to a conclusion but the data of the file can not be counted on.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
>
>
 