The Cure for Most
Virus/Worm/Trojan/Malware Attacks
Well, let's get this out there... I consider the Norton and McAfee anti-virus programs scareware. They do exactly what the other scareware programs do: they attempt to harass you into purchasing their product, and you can't uninstall them from your system without a special cleaner tool. If your trial happens to expire, these programs have been known to slow your computer down and hijack your internet connection intermittently, not allowing you access to the internet, in the hope that you will think the problem will be corrected if you renew your subscription. This is true to a point, because it is those programs that are causing the problems in the first place. The only way around these programs is to uninstall them (for a novice, good luck!!!) or purchase the product. There is no simple way to disable them. AOL software is as much of a culprit as Symantec and McAfee, since it also hijacks your system and causes other programs to malfunction. These programs always seem to get in the way; they don't seem to understand that it is your computer, not theirs! Hmmm, isn't this what those fake programs (scareware) do? The first thing I do when cleaning a system is to remove these products. I use the Norton Removal Tool and the McAfee Removal Tool to get rid of these infestations. I just uninstall AOL completely, especially in a networked environment.
Your first line of defense in making sure that the virus/trojan/worm does not make a return appearance is to delete all restore points and any suspicious Scheduled Task entries. The first mistake you can make when removing a virus is to use System Restore to get the computer back to an earlier point in time; restoring a restore point is by no means a way to clean the virus/worm/malware. Your system may be back to a good point in time, but the files of the infection are still on your system just waiting to attack. You actually have to remove the files, not just the registry entries. Some of the nasty viruses/worms/trojans will install themselves and then create a System Restore point, so that after you remove them a timer that has been set on the system runs the restore point and, bingo, your virus/worm/trojan is back just when you thought it was gone forever. I have seen this timer set to minutes, hours or days. The most common scheduler that is manipulated by viruses is the TCPIP packet scheduler. This is the method by which the OS checks to see if there is an internet connection, and the virus will not rear its ugly head until a network connection is active. To defend against this type of return sneak attack you should delete the network connection and let Windows automatically re-install it, to totally clean out your network connection; also delete all restore points on the system and check the Task Scheduler for suspicious tasks before attempting to clean the system. You can just turn
off System Restore, or use a Bart PE CD to boot the system and delete everything in the \System Volume Information\ folder on the system boot drive. This is a hidden system folder, also with hidden files, where the restore points are stored. Also go to Control Panel, then Scheduled Tasks, and delete any scheduled task you don't recognize (or just disable it). This will prevent a reappearance of the enemy!
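The two hiding places described above, restore points and scheduled tasks, are easier to judge from a list with timestamps and command lines than from the Control Panel dialogs. The following PowerShell script is an added example and is not from the original article or from Randem Systems; it assumes Windows XP or later with PowerShell 2.0 or newer, run from an administrator session. It only reads by default; the two helper functions at the bottom (which do what the text's "delete all restore points" and the closing paragraph's "create a restore point for yourself" describe) have to be called by hand after you have reviewed the lists.

```powershell
# Added example (not from the original article): inventory System Restore
# points and Scheduled Tasks before deleting anything, so an entry created by
# the infection stands out by its creation time and its command line.
# Assumptions: XP or later, PowerShell 2.0+, elevated (administrator) session.

$systemDrive = $env:SystemDrive + "\"

# --- Restore points ------------------------------------------------------
# The SystemRestore WMI class (root\default) lists every restore point with
# its creation time. One created minutes after the infection, with no matching
# software install, is the "return timer" restore point the text warns about.
Write-Host "== Restore points on $systemDrive =="
Get-WmiObject -Namespace root\default -Class SystemRestore |
    Sort-Object SequenceNumber |
    ForEach-Object {
        $created = [Management.ManagementDateTimeConverter]::ToDateTime($_.CreationTime)
        "{0,4}  {1:yyyy-MM-dd HH:mm}  {2}" -f $_.SequenceNumber, $created, $_.Description
    }

# --- Scheduled tasks -----------------------------------------------------
# schtasks.exe ships with XP and later; its verbose CSV output carries the
# command line each task runs, its next run time and who created it.
Write-Host "`n== Scheduled tasks =="
schtasks /query /v /fo CSV | ConvertFrom-Csv | ForEach-Object {
    # Vista and later repeat the CSV header row per task folder; those rows
    # arrive with TaskName literally equal to "TaskName", so skip them.
    if ($_.TaskName -eq 'TaskName') { return }
    $cmd = $_.'Task To Run'
    if (-not $cmd -or $cmd -eq 'N/A') { return }
    # XP labels the creator column "Creator", later versions "Author"
    $who = if ($_.Author) { $_.Author } else { $_.Creator }
    "{0}`n    runs : {1}`n    next : {2}`n    owner: {3}" -f $_.TaskName, $cmd, $_.'Next Run Time', $who
}

# --- State-changing helpers (call by hand after reviewing the lists) ------
function Remove-AllRestorePoints {
    # Turning System Restore off and back on discards every restore point on
    # the drive, which is what the text's "delete all restore points" does.
    $sr = [wmiclass]"\\.\root\default:SystemRestore"
    [void]$sr.Disable($systemDrive)
    [void]$sr.Enable($systemDrive, $true)
}

function New-CleanBaselineRestorePoint {
    # The trusted restore point to create once the system is verified clean.
    # 0 = APPLICATION_INSTALL restore point type, 100 = BEGIN_SYSTEM_CHANGE.
    $sr = [wmiclass]"\\.\root\default:SystemRestore"
    $sr.CreateRestorePoint("Clean baseline after malware removal", 0, 100)
}
```

Run it once before cleaning to capture the lists, and compare the restore-point dates against when the trouble started; a task whose command runs from a user profile or temp folder, or a restore point nobody remembers creating, is what to look at first.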
One of the first things to do after cleaning a system, to avoid re-infection, is to create trusted restore points on your system so that you can roll back to a known point before the infestation. It will be much easier to remove the infestation files from this point in time, because the files are not active and most decent malware removal programs can get to them then. Next we will want to reset Internet Explorer to its install defaults to remove ALL add-ons. Many IE viruses/worms/trojans will hide as an add-on to IE, since it is such an easy target and so accommodating. It is very important that you do not start IE, or the virus/worm/trojan may get a hold on your system again. What I like to do is disconnect the internet connection or disable IE until I am done cleaning. To reset IE go to Start->Control Panel->Internet Options, then select the Advanced tab. At the bottom of this tab you should see a Reset button. This button will reset IE to its install defaults and disable all IE add-ons. It will also delete all IE temp files and cookies (this is where the worms hide their backups).
RESET ALL IE SETTINGS!!!! VERY IMPORTANT!!!
Internet Explorer is where MALWARE enters
Next:
This is easier to do in CCleaner (Tools -> Startup), but it can be done manually. Open the registry editor (Start->Run, then type Regedit.exe), go to the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, highlight it, then right-click it and select Export from the menu. Save this file; it will be your backup in case you delete something you shouldn't have. Now go through this key in Regedit and delete anything you don't recognize. These are the entries that run when your computer is first started, so if the viruses have placed themselves here they can keep coming back no matter how often you clean them from memory. With the saved export you can always add entries back if you find that they really are needed. Do the same for HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run for each user on the machine.
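The export-then-review procedure above can be scripted so that the backup is always taken first and every user's Run key is covered, not just the one currently logged on. The script below is an added example, not from the original article or from CCleaner; it assumes PowerShell 2.0 or newer, reg.exe (present on XP and later) and an administrator session, and the backup folder name and the "trusted roots" heuristic are this example's choices. It deletes nothing: each value is printed with the executable it resolves to and a verdict, and removal stays the manual, reviewed step the text describes.

```powershell
# Added example (not from the original article): export the Run keys as a
# backup, then list every value with the executable it resolves to, for
# HKEY_LOCAL_MACHINE and every user hive currently loaded under HKEY_USERS.
# Assumptions: PowerShell 2.0+, reg.exe, elevated session; nothing is deleted.

$stamp     = Get-Date -Format 'yyyyMMdd-HHmmss'
$backupDir = Join-Path $env:USERPROFILE "Desktop\RunKeyBackup-$stamp"   # example's choice
New-Item -ItemType Directory -Path $backupDir | Out-Null

# Where legitimately installed startup software normally lives; anything
# launching from a profile, temp or root folder gets flagged for a look.
$trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:CommonProgramFiles) |
    Where-Object { $_ }

# HKLM plus each loaded user hive (SIDs S-1-5-21-...); the *_Classes hives and
# service accounts are skipped, matching "for each user on the machine".
$runKeys = @('HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run')
Get-ChildItem Registry::HKEY_USERS |
    Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' } |
    ForEach-Object { $runKeys += "HKEY_USERS\$($_.PSChildName)\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" }

function Get-ImageFromCommand([string]$command) {
    # "C:\x\y.exe" /flag  or  C:\x\y.exe /flag  or  %ProgramFiles%\x\y.exe  -> C:\x\y.exe
    $image = $command
    if     ($command -match '^\s*"([^"]+)"') { $image = $Matches[1] }
    elseif ($command -match '^\s*(\S+)')    { $image = $Matches[1] }
    $image = [Environment]::ExpandEnvironmentVariables($image)
    if ($image -notmatch '[\\/]') {              # bare name: resolve through PATH
        $found = Get-Command $image -ErrorAction SilentlyContinue
        if ($found) { $image = $found.Definition }
    }
    return $image
}

foreach ($key in $runKeys) {
    # 1. Export first; this .reg file is the backup the text tells you to keep.
    $regFile = Join-Path $backupDir (($key -replace '[\\]', '_') + '.reg')
    reg export $key $regFile | Out-Null

    # 2. Walk the values. Get-ItemProperty adds PS* provider properties that
    #    are not registry values, so those are skipped.
    $props = Get-ItemProperty -Path "Registry::$key" -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    Write-Host "`n== $key =="
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }
        $image = Get-ImageFromCommand ([string]$p.Value)
        $inTrusted = $false
        foreach ($root in $trustedRoots) { if ($image -like "$root\*") { $inTrusted = $true } }
        if (-not (Test-Path -LiteralPath $image)) { $verdict = 'REVIEW: file not found' }
        elseif (-not $inTrusted)                 { $verdict = 'REVIEW: outside Windows/Program Files' }
        else                                      { $verdict = 'ok' }
        "  {0}`n    value: {1}`n    image: {2}`n    -> {3}" -f $p.Name, $p.Value, $image, $verdict
    }
}
Write-Host "`nBackups written to $backupDir. Delete a value only after reviewing it; the .reg file restores it."
```

A "REVIEW" verdict is a prompt to look, not proof of infection: legitimate software occasionally starts from a user profile. What matters is the combination of an unfamiliar value name, an image outside the usual install trees, and a file that the cleaning tools later identify; double-clicking the saved .reg file puts any value you removed by mistake back.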
Download, install and then run in SAFE MODE a program called SmitFraudFix (free); it is a rootkit removal tool. If you can, after that run Spyware Doctor in regular mode (this costs $29.00). Spyware Doctor is an active protector and remover; PCtools Spyware Doctor is very good at getting those really tough worms and viruses out of your system!!! A freeware alternative to Spyware Doctor is SuperAntiSpyware (passive protection and remover; the paid version allows scheduled cleaning and active protection). You should also go with MalwareBytes: the free version is a very good passive spyware remover but NOT a protector, which means it needs to be run manually to be effective. The paid version is an active protector. The next step is to run AVG (the free version is active protection) to remove remaining viruses/trojans/worms. If you have a fairly fast system you can run all three programs at the same time. Also download and install CCleaner (free) to remove all temporary files and other junk files from your system and to be able to control your computer's startup programs. Viruses can hide here as well, because these files are not normally cleaned from the system. It makes very good sense to install a good firewall that monitors incoming traffic as well as outgoing traffic; one such free product is the PCTools Firewall.
Finally, run Windows Update to install ALL available updates (except Windows Search 4.0). Choose the Custom button, not the Express button. This is the step that most users NEVER do. It will make sure you are up to date on all Windows OS software that can help protect you and keep your computer running smoothly. It will also update hardware drivers if they are available and upgrade your Internet Explorer, if you haven't done so already. IE 6 is prone to attacks by worms and malware, and you cannot disable its add-ons. Keep going back to Windows Update until ALL AVAILABLE UPDATES have been installed (all categories report 0 updates available). This should eliminate your issues...
If you should happen to have your Task Manager or Regedit disabled, you can run registry scripts to re-enable them so you can get at the virus/worm/trojan. Look on the Kelly's Korner website for those scripts. If your Task Manager is disabled, you will need to create a batch file that runs a loop inserting the registry entries in silent mode, so that you can get to Task Manager before the worm replaces the enabled flag with the disabled flag.
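The "loop in silent mode" idea above, written in PowerShell rather than as a batch file, is shown below as an added example; it is not from the original article and not one of the Kelly's Korner scripts. It assumes the standard policy values DisableTaskMgr and DisableRegistryTools under the Policies\System key (the registry locations Windows itself uses for these restrictions) and that it is run as the affected user; the HKLM copy of the key is only writable from an administrator session, and the interval and duration are this example's choices.

```powershell
# Added example (not from the original article): keep clearing the policy
# flags that disable Task Manager and Regedit so there is a window to open
# them before the malware sets the flags again, as the text describes.
# Assumptions: the standard DisableTaskMgr / DisableRegistryTools values under
# ...\Policies\System; run as the affected user (HKLM needs an admin session).

$policyKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
)
$flags = @('DisableTaskMgr', 'DisableRegistryTools')

function Reset-AdminToolFlags {
    # Clears any flag currently set; returns $true if at least one was cleared.
    $changed = $false
    foreach ($key in $policyKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($flag in $flags) {
            $current = (Get-ItemProperty -Path $key -Name $flag -ErrorAction SilentlyContinue).$flag
            if ($current -ne $null -and $current -ne 0) {
                Set-ItemProperty -Path $key -Name $flag -Value 0 -Type DWord -ErrorAction SilentlyContinue
                $changed = $true
            }
        }
    }
    return $changed
}

# Re-assert the flags every 200 ms for 60 seconds (example's choice) without
# any prompts, launching Task Manager after the first pass. A count that keeps
# climbing tells you the process flipping the flags back is still running and
# is the thing to find and stop in Task Manager.
$deadline = (Get-Date).AddSeconds(60)
$launched = $false
$flips    = 0
while ((Get-Date) -lt $deadline) {
    if (Reset-AdminToolFlags) { $flips++ }
    if (-not $launched) {
        Start-Process taskmgr.exe -ErrorAction SilentlyContinue
        $launched = $true
    }
    Start-Sleep -Milliseconds 200
}
Write-Host "Done: the flags had to be cleared $flips time(s) in 60 seconds."
```

If the count stays at one, the malware only set the flags once and you can simply continue cleaning; if it climbs steadily, note which process disappears from Task Manager when the count stops, since that is the component still active on the system.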
If you happen to be one of the lucky ones with a worm/virus/trojan that enabled Windows File Protection and hid its payload in the %SystemRoot%\System32\DllCache folder, you will not get rid of it unless you disable Windows File Protection, because Windows itself will then be unwittingly protecting the worm/virus/trojan. You can find out how to disable Windows File Protection on the PCTools website. You can also boot from a Bart PE CD and delete the files from the folders without disabling Windows File Protection.
When your system is finally clean, the first thing you should do is create a restore point for yourself, so that if somewhere down the road you get attacked again you will have a known uninfected point to return to. If after doing all of this you still have a problem, then most likely you will need to re-install Windows. If you need to reload Windows, install your anti-virus/spyware protection before any of your personal applications, or just have a qualified professional do it for you.
Randem Systems Recommends:
Verified and Tested
By Ralph James
Randem Systems, Inc
Sept 2, 2008
Updated December 29, 2009