
Virus problems? read this

Discussion in 'Networking & Security' started by Mussels, Feb 8, 2011.

  1. Mussels

    Mussels Moderprator Staff Member

    Joined:
    Oct 6, 2004
    Messages:
    42,549 (11.42/day)
    Thanks Received:
    9,824
    I figured I'd write up another little help guide, since we get people asking this stuff all the time.

    I just had to disinfect 3 XP machines, so all this info is fresh in my mind, as well as information on the latest wonderful viruses designed to screw us all over.

    Here is my antivirus how-to.

    First step: Isolation

    Disconnect from any and all networks. Isolate the machine.

    That means you connect NOTHING to it, not even flash drives or USB drives. If you want to get an antivirus on there, burn a CD.

    Modern viruses write to flash drives and hard drives, and auto-execute upon connecting to other machines.



    Second step:
    Manually trim the startup.

    Use MSCONFIG to stop anything starting with Windows that you don't recognise - some viruses and malware start with Windows via here, so it's a good starting place.

    Secondly, use HijackThis. It's more complex, but also a great way to stop things starting with Windows that shouldn't be. It also shows objects that sneakily attach themselves to Windows Explorer and/or Internet Explorer.

    Disinfection


    Optional step:
    One possible way to disinfect systems is to remove the hard drive and connect it to your system (do NOT boot from it; use it as an external/USB drive) and scan from there.
    It's faster and can disinfect system (Windows) files more easily, but puts your system at risk. I suggest doing this AFTER the other steps, when there is less risk to your own machine.
    It's also possible to do this, copy all important files off the drive (scan them afterward!) and format the infected hard drive.


    1. Save yourself some time, and clean all temporary files from your web browsers and Windows. Empty all caches. CCleaner is a great help there. Lots of viruses hide there, so you might as well delete them all instead of wasting time disinfecting them.

    2. Disable system restore. While you may think this is contradictory to a safe system, viruses LOVE hiding in system restore files. You restore your system, think all is well and those keyloggers and trojans just keep on working...

    3. Try and use an offline antivirus, or get offline database updates. Kaspersky has a bootable recovery CD, and MSE has downloadable updates you could apply via a burned CD.

    4. Use a real antivirus. If it was free, it's likely not that good. Not being told you have a virus is not the same as not having a virus.

    On that topic, MBAM (Malwarebytes Anti-Malware) is poor. I find it recommended all the time here on the forums so I tried it first - and while it found 8 viruses on the first machine, it missed 26 others that Kaspersky and Microsoft Security Essentials (MSE) both discovered.


    While it may seem contradictory, never trust just one product for your AV needs - over time, they may become worse or others may become better. When a machine is really in trouble, try more than one. I used MSE, Kaspersky AV 2011, HijackThis, MBAM, Spybot S&D, and CCleaner on each machine.

    Out of those, Kaspersky found the most infected files, but is also the only one to cost money. Without it I'd have been screwed, because a hidden startup file tied into Explorer redownloaded some of the viruses the minute the PC had internet - MSE and MBAM didn't catch the redownloaded files, while Kaspersky did (and Kaspersky didn't stop the startup file because it linked to a website, NOT to a harmful virus that could be removed).

    Finally: prevention

    1. Get an antivirus with a realtime scanner. MSE or Kaspersky are my choices there.

    2. Don't use high-risk programs like Internet Explorer or Outlook Express. Firefox and Thunderbird are two great alternatives there, but many others exist.

    3. Use a web-based email, not a local client. Gmail, for example, scans all attachments before they get anywhere near you - so the viruses don't even get a chance to download to your PC.

    4. Use a program with URL-based blacklists. Kaspersky offers this, blocking known bad URLs from even loading, thus preventing viruses from getting anywhere near your machine.

    SpywareBlaster is a good freeware program that helps immunize browsers from known bad sites as well, but in a passive way - it never alerts you that your system tried to access the bad sites.

    5. Use Vista or Windows 7, and leave UAC on. It's a great way to prevent many viruses from actually doing any damage. Seriously, rootkits can't infect a system with UAC on since they can't give themselves admin privileges.

    6. Avoid being played. Put simply, if something is offered free on the internet, don't trust it. Google it first to find out. Free games, music, or small crap like emoticons in MSN or smilies for Yahoo are great targets for viruses - the crap you downloaded might even be real, but the nasties are likely embedded inside. Play it safe.
     
    Last edited: Feb 8, 2011
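    An added example to go with the "trim the startup" step, not code from Mussels' post: it lists the same autostart locations MSCONFIG and HijackThis show (the Run/RunOnce keys and both Startup folders) and, for every entry, reports the resolved program, whether it carries a valid Authenticode signature, and its SHA-256, so an unfamiliar entry can be looked up or compared with a clean machine before you disable it. It assumes PowerShell 4.0 or later (Windows Management Framework 4 on Windows 7, for Get-FileHash) in an elevated console so the HKLM keys and the all-users Startup folder are readable.

```powershell
# Added example, not from Mussels' post: list the autostart locations that
# MSCONFIG and HijackThis cover (Run/RunOnce keys and the Startup folders) and,
# for each entry, report the resolved executable, its Authenticode status and
# its SHA-256 so unknown entries can be looked up or compared across machines.
# Assumes PowerShell 4.0 or later (Get-FileHash) in an elevated console so the
# HKLM keys and the all-users Startup folder are readable.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$startupFolders = @(
    [Environment]::GetFolderPath('Startup'),        # current user
    [Environment]::GetFolderPath('CommonStartup')   # all users
)
# Provider metadata that Get-ItemProperty attaches to every key; not Run entries.
$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

# Pull the program path out of a Run value such as
#   "C:\Program Files\Foo\foo.exe" /silent   or   C:\Tools\bar.exe -x
# and follow Startup-folder shortcuts (.lnk) to their target.
function Resolve-AutostartTarget {
    param([string]$Command)
    $path = $Command
    if ($Command -match '^\s*"([^"]+)"') { $path = $Matches[1] }
    elseif ($Command -match '^\s*(\S+\.exe)') { $path = $Matches[1] }
    $path = [Environment]::ExpandEnvironmentVariables($path)
    if ([IO.Path]::GetExtension($path) -eq '.lnk' -and (Test-Path -LiteralPath $path)) {
        $shell = New-Object -ComObject WScript.Shell
        $path = $shell.CreateShortcut($path).TargetPath
    }
    return $path
}

function Get-AutostartReport {
    $entries = @()
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($providerProps -contains $p.Name) { continue }
            $entries += [pscustomobject]@{ Location = $key; Name = $p.Name; Command = [string]$p.Value }
        }
    }
    foreach ($folder in $startupFolders) {
        if (-not (Test-Path $folder)) { continue }
        foreach ($f in Get-ChildItem -Path $folder -File) {
            $entries += [pscustomobject]@{ Location = $folder; Name = $f.Name; Command = $f.FullName }
        }
    }
    foreach ($e in $entries) {
        $target = Resolve-AutostartTarget $e.Command
        $status = 'FileMissing'; $hash = ''
        if (Test-Path -LiteralPath $target -PathType Leaf) {
            # Status is Valid, NotSigned, HashMismatch, UnknownError, ...
            $status = (Get-AuthenticodeSignature -FilePath $target).Status
            $hash   = (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash
        }
        $e | Add-Member -NotePropertyName Target    -NotePropertyValue $target
        $e | Add-Member -NotePropertyName Signature -NotePropertyValue $status
        $e | Add-Member -NotePropertyName SHA256    -NotePropertyValue $hash
    }
    return $entries
}

# Unsigned and missing binaries go to the top of the list; a valid signature
# is not proof of safety, only a reason to look at it later.
Get-AutostartReport |
    Sort-Object @{ Expression = { $_.Signature -eq 'Valid' } }, Location, Name |
    Format-Table Location, Name, Signature, SHA256, Target -AutoSize -Wrap
```

    The point of the hash column is the OP's "redownloaded the minute the PC had internet" scenario: run the report before and after reconnecting, and any entry whose target or SHA-256 has changed is the one to chase.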
  2. Mussels

    Mussels Moderprator Staff Member

    Joined:
    Oct 6, 2004
    Messages:
    42,549 (11.42/day)
    Thanks Received:
    9,824
    If anyone wants to help me add more to this, feel free to post your suggestions - but no guarantees your stuff will make it into the first post.
     
    Last edited: Feb 8, 2011
  3. streetfighter 2

    streetfighter 2 New Member

    Joined:
    Jul 26, 2010
    Messages:
    1,658 (1.03/day)
    Thanks Received:
    732
    Location:
    Philly
    It's funny, I was going to write an article about advanced antivirus removal methodologies. :laugh:

    HijackThis is technically an advanced tool, as are:
    Process Explorer* -- use this to enumerate process modules and look for anything funny
    Process Monitor* -- if anything nasty is happening, it's going to show up here! Best. Program. Ever.
    GMER -- rootkit tool, shouldn't need it often but it's nice to have when you need it
    ComboFix -- the cure for the "oooh shhhiiii*" scenario

    If the virus got onto your USB drive:
    Flash Disinfector

    MBAM is nice because it only runs when you want it to. It's not a particularly good antivirus.

    Here's a recent comparison of Antivirus software (check out the second page for effectiveness charts):
    http://www.pcmag.com/article2/0,2817,2372364,00.asp
    FYI I only read part of that and it appears that NOD32 is notably absent.

    *These aren't antivirus tools, but they sure can be useful for identifying infected files.
     
    Last edited: Feb 8, 2011
  4. MRCL

    MRCL

    Joined:
    May 31, 2008
    Messages:
    5,791 (2.42/day)
    Thanks Received:
    860
    Location:
    Switzerland, Heart of Europe
    I knew my choice to switch from Avira to Kaspersky would be a good idea.
    Very useful post. :toast:

    I had a coworker come to me because her computer wouldn't function properly; it wouldn't even log her on.
    I did as you described, hooked her main HDD up as a slave to a computer that wasn't connected to the net. Well, I found like 500 viruses, worms and so on, lol. I transferred a few important files that weren't infected to my computer, and wiped her HDD clean. Wasn't any use trying to disinfect a freakin' epidemic.
     
  5. RejZoR

    RejZoR

    Joined:
    Oct 2, 2004
    Messages:
    4,832 (1.30/day)
    Thanks Received:
    1,021
    Location:
    Europe/Slovenia
  6. micropage7

    micropage7

    Joined:
    Mar 26, 2010
    Messages:
    6,143 (3.55/day)
    Thanks Received:
    1,429
    Location:
    Jakarta, Indonesia
    Best is to not let the virus enter your rig.
    If the virus damages your system, one thing that always works is killing your OS and doing a clean install, so because of that, backing up is very important no matter what.
     
  7. erixx

    erixx

    Joined:
    Mar 24, 2010
    Messages:
    3,491 (2.02/day)
    Thanks Received:
    500
    The above is the sum of it all, Mussels :) Finally someone who says do NOT turn UAC off.

    Win7 also has the autorun on USB sticks etc. solved. My wife brings sticks with viruses from school (WXP...) every day but they do no harm here.
     
  8. caleb

    Joined:
    Sep 15, 2004
    Messages:
    1,553 (0.41/day)
    Thanks Received:
    206
    Location:
    Poland,Slask
    Yep, UAC and Firefox is the way to go.
    I hate antivirus programs as they act like viruses themselves - they take away performance.
    I have McAfee preinstalled on my job laptop as it gets in contact with different stuff, but for home gaming I'm not really afraid as I don't have much to lose even if it's total annihilation of my HDD. I have pictures backed up on 3 different HDDs/PCs so I'm safe.
     
  9. _JP_

    _JP_

    Joined:
    Apr 16, 2010
    Messages:
    2,684 (1.57/day)
    Thanks Received:
    740
    Location:
    Portugal
    Very good guide. I already use some of those techniques (plus others) and the software that you listed, plus some of the ones streetfighter listed.
    I'd like to add that those without Process Explorer, but with Windows Defender installed (it's a good idea to have it installed and running if you use any security suite other than MSE), can use it as an alternative. It can provide the same type of full description of what is loaded in RAM, accessing the network and loaded in Winsock. It provides very detailed information about every process, too. That's basically the only thing I use WD for anyway. :p

    Also, Mussels, I know AV choices are always personal, but can you arrange a table of the best-ranked paid and non-paid security suites, still keeping your choices?
    And link those choices in the table to known independent sites that test these AVs, like Virus Bulletin and AV-Comparatives, as a reference.
     
  10. Mussels

    Mussels Moderprator Staff Member

    Joined:
    Oct 6, 2004
    Messages:
    42,549 (11.42/day)
    Thanks Received:
    9,824

    No possible way to do that, because there is no best.

    Kaspersky and NOD32 are my two picks - Kaspersky causes slowdowns, while NOD32 breaks P2P programs (including some games, mostly RTS) - which one is better depends on the user.
     
  11. qubit

    qubit Overclocked quantum bit

    Joined:
    Dec 6, 2007
    Messages:
    9,931 (3.86/day)
    Thanks Received:
    3,528
    Location:
    Quantum well (UK)
    Nice OP, Mussels. :)

    If you find one malware, then you never know what other malware you've missed and that includes using multiple scanners.

    Therefore, if I find malware on a PC I go for the nuclear option and reformat/reinstall or reimage. I even did this a while back on my Windows 7 64-bit PC as a precaution, because it was acting a bit strange like it could have had a virus, but I couldn't pin it down for sure.

    This is the only 100% guaranteed way of being sure that you've got rid of all malware from it and I just don't want to take a chance.

    However, if you have 100 infected machines in a company, reimaging may lead to a lot of difficulties and may not be very possible or practical, so a disinfection is usually done and fingers are crossed that there's no nasties left.
     
  12. Completely Bonkers New Member

    Joined:
    Feb 6, 2007
    Messages:
    2,580 (0.90/day)
    Thanks Received:
    516
    If you have a badly infected OS drive, IMO, it is often quicker to pull the drive and shove it into a USB enclosure/Sharkoon HDD dock. Then connect it to another machine that is clean and is LOCKED DOWN. Make sure it is running something like COMODO at the highest level (I like COMODO because it is free for ALL Windows OSes, incl. server editions. I also like the sandboxing feature). Naturally your locked-down machine has all auto-play services denied.

    Then connect the HDD over USB and scan it.

    Trying to fix a PC with a rootkit and jumping through CD booters, safe mode, etc. is fine... but docking the bad drive as a slave is usually much faster than trying to tackle it while still the primary boot drive.
     
  13. de.das.dude

    de.das.dude Pro Indian Modder

    Joined:
    Jun 13, 2010
    Messages:
    7,914 (4.80/day)
    Thanks Received:
    2,121
    Use USB Antivirus to immunize your drives.
    This works by creating an autorun.exe folder in each partition and drive (including HDD ones) so there is less risk of viruses there.


    I use WinRAR to check if there are any viruses. Have you noticed viruses show up there? LOL!
     
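    An added example covering two things raised in the thread, Completely Bonkers' locked-down scanning machine with "all auto-play services denied" and de.das.dude's drive immunization; it is not code from either poster or from any of the tools named. The first part checks and enforces the Explorer policy that disables AutoRun for every drive type (NoDriveTypeAutoRun = 0xFF, the documented Windows value); the second "immunizes" each attached removable drive the way the USB immunization tools do, by occupying the autorun.inf name with a protected directory so malware on the stick cannot drop its own autorun.inf. Picking removable drives via Win32_LogicalDisk DriveType 2 is my choice so it also works on XP and Vista; run it from an elevated console.

```powershell
# Added example, not from the thread: enforce the AutoRun policy that a
# locked-down scanning machine needs and "immunize" attached removable drives
# the way the USB-immunization tools mentioned above do, by occupying the
# autorun.inf name with a protected directory so malware on the stick cannot
# drop its own autorun.inf. NoDriveTypeAutoRun = 0xFF (all drive types) is the
# documented Windows policy value; selecting drives by Win32_LogicalDisk
# DriveType 2 (removable) is an assumption of this example. Run elevated.

$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$valueName = 'NoDriveTypeAutoRun'
$allDrives = 0xFF

function Get-AutoRunPolicy {
    # Returns the current bitmask, or $null if the policy has never been set.
    $p = Get-ItemProperty -Path $policyKey -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $p) { return $null }
    return [int]$p.$valueName
}

function Set-AutoRunDisabled {
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    New-ItemProperty -Path $policyKey -Name $valueName -PropertyType DWord `
        -Value $allDrives -Force | Out-Null
}

function Protect-RemovableDrive {
    param([Parameter(Mandatory)][string]$Root)   # e.g. 'E:\'
    $target = Join-Path $Root 'autorun.inf'
    if (Test-Path -LiteralPath $target -PathType Leaf) {
        # A stick that arrived with its own autorun.inf is evidence; keep it
        # for inspection (and scanning) rather than overwriting it blindly.
        Write-Warning "$target exists as a file; inspect it before replacing."
        return $false
    }
    if (-not (Test-Path -LiteralPath $target)) {
        New-Item -ItemType Directory -Path $target | Out-Null
    }
    # Read-only + hidden + system makes the placeholder awkward to remove
    # casually; it is not a substitute for the policy above.
    $dir = Get-Item -LiteralPath $target -Force
    $dir.Attributes = [IO.FileAttributes]::Directory -bor `
                      [IO.FileAttributes]::ReadOnly -bor `
                      [IO.FileAttributes]::Hidden -bor `
                      [IO.FileAttributes]::System
    return $true
}

$current = Get-AutoRunPolicy
if ($current -ne $allDrives) {
    Write-Host ("NoDriveTypeAutoRun is '{0}'; setting 0xFF to disable AutoRun on all drive types" -f $current)
    Set-AutoRunDisabled
}

# DriveType 2 = removable disk (USB sticks, card readers); works on XP/Vista/7.
Get-WmiObject -Class Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object {
    $root = $_.DeviceID + '\'
    if (Protect-RemovableDrive -Root $root) { Write-Host "Immunized $root" }
}
```

    The policy is the part that actually matters on the scanning machine, since it applies to every drive you dock; the autorun.inf placeholder only protects the sticks you have immunized and only against malware that relies on AutoRun.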
  14. Arrakis+9

    Arrakis+9

    Joined:
    Aug 10, 2007
    Messages:
    1,500 (0.56/day)
    Thanks Received:
    545
    Location:
    PL_badwater
    Don't forget, safe mode is your friend when battling viruses; good antivirus programs WILL run in safe mode.
     
  15. jsfitz54

    jsfitz54

    Joined:
    Jun 18, 2010
    Messages:
    908 (0.55/day)
    Thanks Received:
    244

    Which level of UAC do you recommend? AND Thank you.
     
  16. streetfighter 2

    streetfighter 2 New Member

    Joined:
    Jul 26, 2010
    Messages:
    1,658 (1.03/day)
    Thanks Received:
    732
    Location:
    Philly
    I'm the last person (or maybe the first?) who should be giving advice about keeping a system clean, because I'm currently running as an Admin with UAC off. :laugh: If you're wondering, I've not reformatted my computer since I bought it and I do not have any viruses. What's my trick? I've been doing this since Windows 3.11. :pimp:

    One of the best steps in virus prevention is testing any questionable files/programs in a virtual machine or on a test system. This is such a common practice in industry that it goes without saying and though it's become incredibly easy to do, I find lots of consumers do not bother with it. I can't encourage people enough to download VirtualBox or vmware and start testing every app in a virtual machine. If you're really nuts about security you should do all of your web browsing in a virtual machine.

    I virtualize whole systems but it is possible to run extremely light virtual machines that contain only a couple of apps. If you're interested in virtual browsing check this out:
    http://www.kace.com/products/freetools/secure-browser/
    Notes: You can use a mailinator.com address and fake info to register for the download. The file is called Secure-Browser-Firefox.msi and weighs in at 74.8MB. I have not tested it.
    Any of them but off is fine. The highest setting is when you don't trust yourself to change your screensaver :roll:
     
    Last edited: Feb 8, 2011
  17. kenkickr

    kenkickr

    Joined:
    Dec 5, 2007
    Messages:
    4,842 (1.88/day)
    Thanks Received:
    1,473
    A nice free online virus/spyware scanning tool is Microsoft's Live Scan. If you're able to get online, however, since some rogue spyware likes to set up proxy settings. It does work with XP SP2/Vista/7.
     
  18. Completely Bonkers New Member

    Joined:
    Feb 6, 2007
    Messages:
    2,580 (0.90/day)
    Thanks Received:
    516
  19. dr emulator (madmax)

    dr emulator (madmax)

    Joined:
    May 5, 2009
    Messages:
    2,241 (1.09/day)
    Thanks Received:
    176
    Location:
    the uk that's all you need to know ;)
    Regedit is also your friend,
    i.e. after you've found a nasty, you may find you can't delete it :eek:

    Well, if you search for said file in the registry (advanced users only) then delete it from there, it should then be removable.

    (Remember, foolin' with your registry can poop your PC up, so only delete a file if ya know what you're doing.)
     
  20. unclewebb

    unclewebb RealTemp Author

    Joined:
    Jun 1, 2008
    Messages:
    968 (0.40/day)
    Thanks Received:
    430
  21. xBruce88x

    xBruce88x

    Joined:
    Oct 29, 2009
    Messages:
    2,453 (1.31/day)
    Thanks Received:
    641
    I was going to add... don't download "codecs" when asked by a site that plays Flash-type videos. I've had friends do this for ... adult... sites and the next thing they know their computer has a fake antivirus claiming they have 50,000 viruses and such, and they end up buying the fake program... well, until I told them it was fake anyway, lol

    What do you guys think of CA Antivirus? A local computer shop sells 'em for about $20.

    Agreed about the system restore files... usually the first thing I turn off; saves space, and kills a hiding spot for viruses.
     
