# Virus problems? read this



## Mussels (Feb 8, 2011)

I figured I'd write up another little help guide, since we get people asking this stuff all the time.

I just had to disinfect 3 XP machines, so all this info is fresh in my mind, as well as information on the latest wonderful viruses designed to screw us all over.

Here is my antivirus howto

*First step:* Isolation

Disconnect from any and all networks. Isolate the machine.

That means you connect NOTHING to it, not even flash drives or USB drives. If you want to get an antivirus on there, burn a CD.

Modern viruses write to flash drives and hard drives, and auto execute upon connecting to other machines.



*Second step*:
Manually trim the startup.

Use MSCONFIG to stop anything starting with Windows you don't recognise - some viruses and malware start with Windows via here, so it's a good starting place.

Secondly, use HijackThis. It's more complex, but also a great way to stop things starting with Windows that shouldn't be. It also shows objects that sneakily attach themselves to Windows Explorer and/or Internet Explorer.

*Disinfection*

Optional step:
One possible way to disinfect systems is to remove the hard drive and connect it to your system (do NOT boot from it, use it as an external/USB drive) and scan from there.
It's faster and can disinfect system (Windows) files more easily, but puts your system at risk. I suggest doing this AFTER the other steps, when there is less risk to your own machine.
It's also possible to do this, copy all important files off the drive (scan them afterward!) and format the infected hard drive.


1. Save yourself some time, and clean all temporary files from your web browsers and Windows. Empty all caches. CCleaner is a great help there. Lots of viruses hide there, so you might as well delete them all instead of wasting time disinfecting them.

2. Disable system restore. While you may think this is contradictory to a safe system, viruses LOVE hiding in system restore files. You restore your system, think all is well and those keyloggers and trojans just keep on working...

3. Try and use an offline antivirus, or get offline database updates. Kaspersky has a bootable recovery CD, and MSE has downloadable updates you could apply via a burned CD.

4. Use a real antivirus. If it was free, it's likely not that good. Not being told you have a virus is not the same as not having a virus.

On that topic, MBAM (Malwarebytes Anti-Malware) is poor. I find it recommended all the time here on the forums so I tried it first - and while it found 8 viruses on the first machine, it missed 26 others that Kaspersky and Microsoft Security Essentials (MSE) both discovered.


While it may seem contradictory, never trust just one product for your AV needs - over time, they may become worse or others may become better. When a machine is really in trouble, try more than one. I used MSE, Kaspersky AV 2011, HijackThis, MBAM, Spybot S&D, and CCleaner on each machine.

Out of those, Kaspersky found the most infected files, but is also the only one to cost money. Without it I'd have been screwed, because a hidden startup file tied into explorer redownloaded some of the viruses the minute the PC had internet - MSE and MBAM didn't catch the redownloaded files, while Kaspersky did (and Kaspersky didn't stop the startup file because it linked to a website, NOT to a harmful virus that could be removed).

*Finally*: prevention

1. Get an antivirus with a realtime scanner. MSE or Kaspersky are my choices there.

2. Don't use high risk programs like Internet Explorer, or Outlook Express. Firefox and Thunderbird are two great alternatives there, but many others exist.

3. Use a web based email, not a local client. Gmail, for example, scans all attachments before they get anywhere near you - so the viruses don't even get a chance to download to your PC.

4. Use a program with URL based blacklists. Kaspersky offers this, blocking known bad URLs from even loading, thus preventing viruses from getting anywhere near your machine.

SpywareBlaster is a good freeware program that helps immunize browsers from known bad sites as well, but in a passive way - it never alerts you that your system tried to access the bad sites.

5. Use Vista or Windows 7, and leave UAC on. It's a great way to prevent many viruses from actually doing any damage. Seriously, rootkits can't infect a system with UAC on since they can't give themselves admin privileges.

6. Avoid being played. Put simply if something is offered free on the internet, don't trust it. Google it first to find out. Free games, music, or small crap like emoticons in MSN or smilies for yahoo are great targets for viruses - the crap you downloaded might even be real, but the nasties are likely embedded inside. Play it safe.
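The "manually trim the startup" step above is done by eye in MSCONFIG or HijackThis. As an added example (not code from the original post), the PowerShell below lists the same autostart locations those tools read, plus the Winlogon Shell/Userinit values, which is where the kind of "hidden startup file tied into explorer" the post describes usually lives. It is read-only: it reports and flags, it does not delete. The list of "suspicious" directories is my own heuristic for this example, not a rule from the thread.

```powershell
# Added example, not code from any poster: enumerate common Windows autostart
# locations so entries can be reviewed before anything is disabled.
# Read-only. Run from an elevated PowerShell on the machine being cleaned.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

$startupFolders = @(
    [Environment]::GetFolderPath('Startup'),        # per-user Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)

function Get-StartupEntries {
    $entries = @()
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($prop in $props.PSObject.Properties) {
            # Get-ItemProperty adds PSPath/PSParentPath/... metadata; skip those
            if ($prop.Name -like 'PS*') { continue }
            $entries += New-Object PSObject -Property @{
                Location = $key; Name = $prop.Name; Command = [string]$prop.Value
            }
        }
    }
    foreach ($folder in $startupFolders) {
        if (-not (Test-Path $folder)) { continue }
        foreach ($file in (Get-ChildItem -Path $folder -Force | Where-Object { -not $_.PSIsContainer })) {
            $entries += New-Object PSObject -Property @{
                Location = $folder; Name = $file.Name; Command = $file.FullName
            }
        }
    }
    # Winlogon Shell and Userinit run at logon before anything in the Run keys.
    # Defaults: Shell = explorer.exe, Userinit = C:\Windows\system32\userinit.exe,
    # (the trailing comma on Userinit is normal).
    $wl = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    foreach ($name in 'Shell', 'Userinit') {
        $entries += New-Object PSObject -Property @{
            Location = 'Winlogon'; Name = $name; Command = [string]$wl.$name
        }
    }
    return $entries
}

# Heuristic (an assumption for this example): flag commands whose executable sits in a
# directory legitimate installers rarely use, and Winlogon values that differ from the defaults.
function Test-SuspiciousEntry {
    param($Entry)
    if ($Entry.Location -eq 'Winlogon') {
        if ($Entry.Name -eq 'Shell' -and $Entry.Command -ne 'explorer.exe') { return $true }
        if ($Entry.Name -eq 'Userinit' -and
            $Entry.Command -notmatch '^[A-Za-z]:\\Windows\\system32\\userinit\.exe,?$') { return $true }
        return $false
    }
    foreach ($dir in '\AppData\Local\Temp\', '\Windows\Temp\', '\Users\Public\', '\Recycler\', '\$Recycle.Bin\') {
        if ($Entry.Command -like "*$dir*") { return $true }
    }
    return $false
}

$all = Get-StartupEntries
$all | Select-Object Location, Name, Command | Format-Table -AutoSize -Wrap
$all | Where-Object { Test-SuspiciousEntry $_ } |
    ForEach-Object { Write-Warning ("Review: [{0}] {1} -> {2}" -f $_.Location, $_.Name, $_.Command) }
```

Anything the script flags is a candidate to look up and, if unwanted, disable in MSCONFIG or Autoruns; a flagged entry is a prompt to investigate, not proof of infection, and an unflagged one is not proof of a clean machine.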


----------



## Mussels (Feb 8, 2011)

if anyone wants to help me add more to this, feel free to post your suggestions - but no guarantees your stuff will make it in to the first post.


----------



## streetfighter 2 (Feb 8, 2011)

It's funny, I was going to write an article about advanced antivirus removal methodologies. 

hijackthis is technically an advanced tool, as are:
Process Explorer* -- use this to enumerate process modules and look for anything funny
Process Monitor* -- if anything nasty is happening, it's going to show up here!  Best. Program. Ever.
GMER -- rootkit tool, shouldn't need it often but it's nice to have when you need it
ComboFix -- the cure for the "oooh shhhiiii*" scenario

If the virus got onto your USB drive:
Flash Disinfector

MBAM is nice because it only runs when you want it to.  It's not a particularly good antivirus.

Here's a recent comparison of Antivirus software (check out the second page for effectiveness charts):
http://www.pcmag.com/article2/0,2817,2372364,00.asp
FYI I only read part of that and it appears that NOD32 is notably absent.

*These aren't antivirus tools, but they sure can be useful for identifying infected files.


----------



## MRCL (Feb 8, 2011)

I knew my choice to switch from Avira to Kaspersky would be a good idea.
Very useful post.

I had a coworker come to me because her computer wouldn't function properly, wouldn't even log her on.
I did as you described, hooked her main HDD up as a slave to a computer that wasn't connected to the net. Well, I found like 500 viruses, worms and so on lol. I transferred a few important files that weren't infected to my computer, and wiped her HDD clean. Wasn't any use trying to disinfect a freakin epidemic.


----------



## RejZoR (Feb 8, 2011)

http://my.opera.com/rejzor/blog/safer-web-browsing-tips


----------



## micropage7 (Feb 8, 2011)

Best is to not let a virus enter your rig.
If a virus has damaged your system, one thing that always works is killing your OS and doing a clean install, so because of that, backing up is very important no matter what.


----------



## erixx (Feb 8, 2011)

Mussels said:


> 5. Use Vista or Windows 7, and leave UAC on. It's a great way to prevent many viruses from actually doing any damage. Seriously, rootkits can't infect a system with UAC on since they can't give themselves admin privileges.
> 
> 6. Avoid being played. Put simply if something is offered free on the internet, don't trust it. Google it first to find out. Free games, music, or small crap like emoticons in MSN or smilies for yahoo are great targets for viruses - the crap you downloaded might even be real, but the nasties are likely embedded inside. Play it safe.



The above is the sum of it all, Mussels. Finally someone who says do NOT turn UAC off.

Win7 also has the autorun in USB sticks etc. solved. My wife brings sticks with viruses from school (WXP...) everyday but they do no harm here.


----------



## caleb (Feb 8, 2011)

Yep, UAC and Firefox are the way to go.
I hate antivirus programs as they act like viruses themselves - they take away performance.
I have McAfee preinstalled on my work laptop as it gets in contact with different stuff, but for home gaming I'm not really afraid as I don't have much to lose even if it's total annihilation of my HDD. I have pictures backed up on 3 different HDDs/PCs so I'm safe.


----------



## _JP_ (Feb 8, 2011)

Very good guide. I already use some of those techniques (plus others) and software that you listed, plus some of the ones streetfighter listed.
I'd like to add that those without Process Explorer, but who have Windows Defender installed (it's a good idea to have it installed and running if you use any security suite besides MSE), should use it as an alternative. It can provide the same type of full description of what is loaded in RAM, accessing the network and loaded in Winsock. It provides very detailed information about every process, too. That's basically the only thing I use WD for anyway.

Also, Mussels, I know AV choices are always personal, but can you arrange a table of the best ranked paid and non-paid security suites, still keeping your choices?
And link those choices in the table to known independent sites that test these AVs, like Virus Bulletin and AV-Comparatives, as a reference.


----------



## Mussels (Feb 8, 2011)

_JP_ said:


> Also, Mussels, I know AV choices are always personal, but can you arrange a table of the best ranked paid and non-paid security suites, still keeping your choices?
> And link those choices in the table to known independent sites that test these AVs, like Virus Bulletin and AV-Comparatives, as a reference.




No possible way to do that, because there is no best.

Kaspersky and NOD32 are my two picks - Kaspersky causes slowdowns, while NOD32 breaks P2P programs (including some games, mostly RTS) - which one is better depends on the user.


----------



## qubit (Feb 8, 2011)

Nice OP, Mussels. 

If you find one malware, then you never know what other malware you've missed and that includes using multiple scanners.

Therefore, if I find malware on a PC I go for the nuclear option and reformat/reinstall or reimage. I even did this a while back on my Windows 7 64-bit PC as a precaution, because it was acting a bit strange like it could have had a virus, but I couldn't pin it down for sure.

This is the only 100% guaranteed way of being sure that you've got rid of all malware from it and I just don't want to take a chance.

However, if you have 100 infected machines in a company, reimaging may lead to a lot of difficulties and may not be very possible or practical, so a disinfection is usually done and fingers are crossed that there's no nasties left.


----------



## Completely Bonkers (Feb 8, 2011)

If you have a badly infected OS drive, IMO, it is often quicker to pull the drive and shove it into a USB enclosure/Sharkoon HDD dock. Then connect it to another machine that is clean and is LOCKED DOWN. Make sure it is running something like COMODO at the highest level (I like Comodo because it is free for ALL Windows OSes, incl. server editions. I also like the sandboxing feature). Naturally your locked down machine has all auto-play services denied.

Then connect the HDD over USB and scan it.

Trying to fix a PC with a rootkit and jumping through CD booters, safe mode, etc. is fine... but docking the bad drive as a slave is usually much faster than trying to tackle it while still the primary boot drive.


----------



## de.das.dude (Feb 8, 2011)

Use USB Antivirus to immunize your drives.
This works by creating an autorun.exe folder on each partition and drive (including HDD ones) so there is less risk of viruses there.


I use WinRAR to check if there are any viruses. have you noticed viruses show up there? LOL!
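The "immunize" trick the post above describes can be done by hand. The PowerShell below is an added example, not code from any poster or from the USB Antivirus product. It uses the name autorun.inf (the post says autorun.exe); autorun.inf is the file name Windows consults for AutoRun, and once that name is taken by a read-only, hidden, system directory, a worm that tries to drop its own autorun.inf file onto the drive fails to create it. Windows 7 already ignores autorun.inf on USB drives, and this does nothing against malware that spreads another way, so treat it as a small extra layer rather than protection.

```powershell
# Added example, not code from any poster: create a placeholder autorun.inf
# directory on each attached removable drive so a worm cannot drop an
# autorun.inf file with that name. Returns $true when the drive was immunized.

function Protect-DriveAutoRun {
    param([Parameter(Mandatory=$true)][string]$DriveRoot)   # e.g. 'E:\'
    $path = Join-Path $DriveRoot 'autorun.inf'

    if (Test-Path -LiteralPath $path -PathType Leaf) {
        # An autorun.inf FILE on a removable drive deserves a look before anything
        # else is done: it may be a leftover from a worm. Report it and leave it alone.
        Write-Warning "$path is a file, not a folder; inspect it before immunizing"
        return $false
    }
    if (-not (Test-Path -LiteralPath $path)) {
        New-Item -ItemType Directory -Path $path | Out-Null
    }
    # Read-only + hidden + system keeps it out of sight and makes casual deletion fail.
    & attrib.exe +r +h +s $path
    return $true
}

# Apply to every removable drive currently attached (Win32_LogicalDisk DriveType 2 = removable).
Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=2' | ForEach-Object {
    $root = $_.DeviceID + '\'
    if (Protect-DriveAutoRun -DriveRoot $root) { "immunized $root" }
}
```

Running it on a drive that already carries an autorun.inf file prints a warning and changes nothing, which is the behaviour you want during a cleanup: that file is evidence worth keeping until it has been looked at.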


----------



## Arrakis9 (Feb 8, 2011)

Don't forget, safe mode is your friend when battling viruses; good antivirus programs WILL run in safe mode.


----------



## jsfitz54 (Feb 8, 2011)

Mussels said:


> 5. Use Vista or Windows 7, and leave UAC on. It's a great way to prevent many viruses from actually doing any damage. Seriously, rootkits can't infect a system with UAC on since they can't give themselves admin privileges






erixx said:


> The above is the sum of it all, Mussels. Finally someone who says do NOT turn UAC off.
> 
> Win7 also has the autorun in USB sticks etc. solved. My wife brings sticks with viruses from school (WXP...) everyday but they do no harm here.



Which level of UAC do you recommend?  AND Thank you.


----------



## streetfighter 2 (Feb 8, 2011)

I'm the last person (or maybe the first?) that should be giving advice about keeping a system clean because I'm currently running as an Admin with UAC off.   If you're wondering I've not reformatted my computer since I bought it and I do not have any viruses.  What's my trick?  I've been doing this since Windows 3.11. 

One of the best steps in virus prevention is testing any questionable files/programs in a virtual machine or on a test system.  This is such a common practice in industry that it goes without saying and though it's become incredibly easy to do, I find lots of consumers do not bother with it.  I can't encourage people enough to download VirtualBox or vmware and start testing every app in a virtual machine.  If you're really nuts about security you should do all of your web browsing in a virtual machine.

I virtualize whole systems but it is possible to run extremely light virtual machines that contain only a couple of apps.  If you're interested in virtual browsing check this out:
http://www.kace.com/products/freetools/secure-browser/
Notes:  You can use a _mailinator.com_ address and fake info to register for the download.  The file is called _Secure-Browser-Firefox.msi_ and weighs in at 74.8MB.  I have not tested it.


jsfitz54 said:


> Which level of UAC do you recommend?  AND Thank you.


Any of them but off is fine.  The highest setting is when you don't trust yourself to change your screensaver
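erixx's point above about leaving UAC on and Windows 7 having AutoRun on USB sticks "solved", and jsfitz54's question about which UAC level, both come down to a few registry values. As an added example (not code from any poster), this PowerShell reads those values back so the setting on a given machine can be checked rather than assumed. It changes nothing. The interpretation of the ConsentPromptBehaviorAdmin values is the documented one; the "Effective" label is my own summary for this example.

```powershell
# Added example, not code from any poster: report the UAC level and AutoRun policy.
# Read-only; run in an elevated PowerShell.

function Get-UacStatus {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key

    # EnableLUA = 0 switches UAC off entirely (takes effect after a reboot).
    # ConsentPromptBehaviorAdmin: 0 = elevate without prompting, 2 = always prompt
    # for consent (the top slider position), 5 = prompt only for non-Windows binaries (default).
    # PromptOnSecureDesktop = 1 draws the prompt on the dimmed secure desktop,
    # which other programs cannot click through.
    if ($p.EnableLUA -ne 1) {
        $effective = 'UAC off'
    } elseif ($p.ConsentPromptBehaviorAdmin -eq 0) {
        $effective = 'UAC on, but administrators elevate silently'
    } elseif ($p.ConsentPromptBehaviorAdmin -eq 2 -and $p.PromptOnSecureDesktop -eq 1) {
        $effective = 'Always notify (highest)'
    } else {
        $effective = 'Prompting enabled'
    }

    New-Object PSObject -Property @{
        EnableLUA                  = $p.EnableLUA
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop
        Effective                  = $effective
    }
}

function Get-AutoRunPolicy {
    # NoDriveTypeAutoRun is a bitmask of drive types for which AutoRun is disabled;
    # 0xFF disables it for every drive type. Unset means the OS default applies.
    foreach ($hive in 'HKLM', 'HKCU') {
        $key = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
        $value = $null
        if (Test-Path $key) {
            $value = (Get-ItemProperty -Path $key).NoDriveTypeAutoRun
        }
        if ($null -eq $value) { $shown = '(not set)' } else { $shown = '0x{0:X2}' -f $value }
        New-Object PSObject -Property @{
            Hive               = $hive
            NoDriveTypeAutoRun = $shown
            AllDrivesDisabled  = ($value -eq 0xFF)
        }
    }
}

Get-UacStatus | Format-List
Get-AutoRunPolicy | Format-Table -AutoSize
```

If the report shows EnableLUA at 0 or ConsentPromptBehaviorAdmin at 0, programs running as an administrator get full rights without any prompt, which is the situation the "leave UAC on" advice is trying to avoid; setting NoDriveTypeAutoRun to 0xFF is the policy-level way to make the "AutoRun solved" state explicit on any Windows version.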


----------



## kenkickr (Feb 8, 2011)

A nice free online virus/spyware scanning tool is Microsoft's Live Scan. If you're able to get online, however, since some rogue spyware likes to set up proxy settings. It does work with XP SP2/Vista/7.


----------



## Completely Bonkers (Feb 8, 2011)

GET IT NOW - TODAY ONLY - http://www.giveawayoftheday.com/

There is a program called Startup Defender that can help you manage what is in, and what tries to put itself in, Windows autostarts. It is also able to "lock down" the startups which can help avoid virus/malware. 

GOTD is providing a free serial but today only.

http://www.giveawayoftheday.com/download/?id=18715

Enjoy while it lasts!


----------



## dr emulator (madmax) (Feb 9, 2011)

Regedit is also your friend.
i.e. after you've found a nasty, you may find you can't delete it.

Well, if you search for said file in the registry (advanced users only) then delete it from there, it should then be removable.

(Remember fooling with your registry can poop your PC up, so only delete a file if you know what you're doing.)


----------



## unclewebb (Feb 9, 2011)

Autoruns is my favorite.

http://technet.microsoft.com/en-us/sysinternals/bb963902

It does a better job at finding startup junk compared to msconfig.


----------



## xBruce88x (Feb 9, 2011)

Mussels said:


> if anyone wants to help me add more to this, feel free to post your suggestions - but no guarantees your stuff will make it in to the first post.



I was going to add... don't download "codecs" when asked by a site that plays flash type videos. I've had friends do this for ... adult... sites and next thing they know their computer has a fake antivirus claiming they have 50,000 viruses and such and they end up buying the fake program... well until I told them it was fake anyway lol

What do you guys think of CA antivirus? A local computer shop sells them for about $20.

Agreed about the system restore files... usually the first thing I turn off, saves space, and kills a hiding spot for viruses.


----------

