Re: Trojan/virus effects

From: Sandi - Microsoft MVP (sandi_hardmeier_at_mvps.org)
Date: 06/26/04


Date: Sat, 26 Jun 2004 18:26:51 +0800

There are many people who have helped this FAQ improve over time - MVPs and
newsgroup users. I thank all of you who have made the newsgroups,
anti-malware websites and dedicated mailing lists into such a wonderful
resource.

Read the advice at my prevention link
(http://inetexplorer.mvps.org/data/prevention.htm) to reduce the chances of
your computer being infected.

IMPORTANT: Before trying to remove spyware, download a copy of LSPFIX from
the URL below - some malware can kill your internet connection when it is
removed, and this software should get things going for you again:
http://www.cexx.org/lspfix.htm

Also get a copy of WINSOCKFIX available at:
http://www.spychecker.com/program/winsockxpfix.html

The software you should download and have ready to use is:

AdAware - www.lavasoft.de [..Warning: AdAware is now version 6.181. All
previous versions are NO LONGER SUPPORTED and will not be updated...]

Spybot Search and Destroy - http://spybot.eon.net.au

HijackThis - http://209.133.47.12/~merijn/files/HijackThis.exe

CWShredder - http://www.merijn.org/files/CWShredder.exe

IMPORTANT: After obtaining the required software above, make sure you check
for updates and run the programmes in safe mode.

Malware removal (beginner's guide):

First, go to Control Panel, add/remove programs. Check for malware entries
and use the uninstall programs, then reboot.

Go to start/run and type MSCONFIG. Go to the startup tab. Disable
everything that you do not recognise as legitimate (do not disable any power
profile options).

Now go to the Services tab. Turn on the option to 'hide all Microsoft
Services'. Disable everything that remains. If you don't have this option,
don't worry about it.

Reboot your computer and hold down the F8 key until the boot menu options
appear. Choose Safe Mode as your startup choice. You will find
information about what safe mode is, and what it does, at this link
[http://inetexplorer.mvps.org/data/safe_mode.htm]

Start CWSHREDDER. Update it, and fix anything it finds. Reboot back into
safe mode.

Start AdAware. Use the 'check for updates now' option. After you have
updated, click 'start'.

Note that when run using default settings, AdAware does not cope with new
'intelligent' malware. Make the following changes to the default settings.

Use the option 'select drives/folders to scan'. Set AdAware to scan your
entire hard drive.

Make sure 'activate in depth scan' is enabled.

Select 'use custom scanning options' and then click on the 'customize'
button. Turn on the following scan options - scan within archives, scan
active processes, scan registry, deep registry scan, scan [my] IE favorites
for banned URLs, and scan [my] hosts file.

Use the 'tweak' button. Turn on the following options:

Cleaning engine: 'automatically try to unregister objects prior to
deletion', 'let windows remove files in use at next reboot', 'delete
quarantined objects after restoring'.

Scanning engine: 'unload recognized processes during scan'.

After you have finished with AdAware run Spybot to pick up any leftovers.
Fix anything marked in red. Again, don't forget to check for updates.

Also do the following:

Empty your IE cache and your other temporary file folders, eg: c:\temp,
c:\windows\temp or C:\Documents and Settings\<name>\Local Settings\Temp (the
path to your temp folder will change depending on your name) - sometimes
programmes can be hidden in there - watch out for mysterious *.exe files or
*.dll files in those folders.

Go to IE Tools, Internet Options, Temporary Internet Files {Settings
Button}, View Objects, Downloaded Program Files. Check for unrecognised
objects there.

Go to IE Tools, Internet Options, Accessibility. Make sure there is no style
sheet chosen (under User Style Sheet - format documents using my style
sheet). If the option is turned on, turn it OFF.

If the problem comes back, start all over again but with the following
changes (this section requires advanced computer skills - inexperienced
users will require assistance):

Examine win.ini using MSCONFIG to see what is loading. You may find
something there. Go to MSCONFIG and go to the General tab. Turn off
process win.ini file, load system services and load startup items. Restart
Windows and run AdAware etc once more.

Use services.msc to see what is running. Some malware is now registering
itself as a Service. The problem is working out what is legitimate and what
is not.

I strongly recommend that, unless you have strong experience working in this
area, you post details of the services revealed by services.msc to a
microsoft.public newsgroup for professional guidance, at least until such
time as I am able to track down a comprehensive list of legitimate services
(or put one together myself). If you turn off the wrong service you could
cause serious problems, and at the very worst, leave the computer unbootable.

An experienced computer technician can use a programme such as AutoStart
Viewer for in-depth diagnosis:
http://www.diamondcs.com.au/index.php?page=asviewer

Another excellent programme for the experienced user is APM (Advanced
Process Manipulation), available at:
http://www.diamondcs.com.au/index.php?page=apm

Once the computer is clean, and if it applies to the operating system,
create a new restore point. The old ones may, of course, be infected with
the malware and therefore cannot be used. Run disk cleanup to remove old
restore points (if your operating system has this option you will find it on
the 'more options' tab of the disk cleanup utility). If the option to remove
old restore points is not available, stop and restart the restore service,
which will flush out old restore points and prevent accidental reloading of
malware.

MS have released a limited KB article regarding what they call 'deceptive
software'.
http://support.microsoft.com/default.aspx?scid=kb;EN-US;827315

Here is advice specific to:

home page hijackings
http://inetexplorer.mvps.org/answers.htm#home_page

pop-up ads
http://inetexplorer.mvps.org/data/popup.htm

search engine hijackings
http://inetexplorer.mvps.org/answers4.htm#search_engine

-- 
Hyperlinks are used to ensure advice remains current
_______________________________________
Sandi - Microsoft MVP since 1999 (IE/OE)
http://inetexplorer.mvps.org/

David wrote:
> For the past two days I tried to get rid of several pesky
> viruses/trojans that apparently messed up my machine and kept
> returning on reboot.
>
> I'm running XP and turned off System Restore, then rebooted in Safe
> Mode, then ran my AV program, and deleted the "Trojano" worm and a
> few other viruses, like the "DyfucDldr" variety.
>
> I think I'm now virus, trojan, worm, and adware-free, but the damage
> seems to have been done:
>
> First, I can't open programs from my desktop, like IE or Ad-Aware, or
> Real Audio.  The system just hangs and the hourglass icon stares at
> me. CTL-ALT-DEL doesn't work...it either freezes the computer or I
> get an error message saying there is something wrong with the program
> and asking me to send a report to Microsoft.
>
> Second, there is no audio on the computer anymore.  The files for all
> of the Windows sounds are missing -- there is no C:/WINDOWS/MEDIA
> folder anymore. Instead, in Control Panel, the icons for each sound
> show a path that begins with "%System Root%" and I get a message that
> the file can't be located. The same is true of all the other program
> sounds, for Real Audio, my anti-virus alerts, etc.  (I checked and
> nothing is muted.)
>
> Finally, I noticed the Startup list after running "msconfig" shows a
> couple strange ".exe" files, for example, "Nye42.exe".  This box is
> checked like all the others, and it says the location is in the
> C:/Windows folder, but I did a search for it and there is no such
> file found on my computer.  I unchecked this from the Startup list,
> but the two problems noted above still exist.
>
> I'm afraid whatever got me really got me good and I have no idea how
> to recover from this.
>
> Any suggestions would be appreciated.  I've done a web search (on my
> other computer) and reviewed the bulletin board threads.  I think
> I've done everything I've read to get rid of the nasties, I just
> don't know how to restore the system to an operational mode.
>
> I am thinking of restoring the "System Restore" function and going
> back a month or so before I got whacked to do a System Restore at
> that point. Hopefully that will restore the sounds and functionality.
> It may also restore the viruses, but I may be able to delete them
> this time before they do permanent damage.
>
> I'd appreciate anyone's thoughts on what I can do or whether my plan
> even makes sense.
>
> Thanks in advance for your help.
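The checks Sandi's FAQ walks through by hand (the MSCONFIG startup list, services that are not Microsoft's, stray *.exe/*.dll files in temp folders, the hosts file) can be gathered into one read-only report. The script below is an added example written for this page, not part of the FAQ or of any of the tools it links; it assumes Windows PowerShell 5.1 or later on a current Windows, run from an elevated prompt so the HKLM keys and service data are readable. It changes nothing, which is the point: it produces the inventory you would post to a newsgroup for a second opinion, as the FAQ advises, before anything is disabled.

```powershell
# Added example, not part of Sandi's FAQ. Read-only triage of the items the
# post says to inspect; it disables and deletes nothing.
# Assumes Windows PowerShell 5.1+ in an elevated prompt.

# Pull the executable path out of a command line such as
#   "C:\Program Files\Foo\foo.exe" /start    or    C:\WINDOWS\Nye42.exe
function Get-CommandExecutable {
    param([string]$CommandLine)
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $null }
    if ($CommandLine -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
    else { $exe = ($CommandLine.Trim() -split '\s+')[0] }
    return [Environment]::ExpandEnvironmentVariables($exe)
}

# 1. Startup entries from the Run/RunOnce keys, the list MSCONFIG's Startup
#    tab is built from. An entry whose target is not on disk (like the
#    phantom "Nye42.exe" in the thread) deserves a closer look.
function Get-AutostartEntries {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($key in $keys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $values = Get-ItemProperty -LiteralPath $key
        foreach ($prop in $values.PSObject.Properties) {
            if ($meta -contains $prop.Name) { continue }   # registry provider metadata
            $exe = Get-CommandExecutable ([string]$prop.Value)
            [pscustomobject]@{
                Key     = $key
                Name    = $prop.Name
                Command = [string]$prop.Value
                OnDisk  = [bool]($exe -and (Test-Path -LiteralPath $exe))
            }
        }
    }
}

# 2. Services, approximating MSCONFIG's "hide all Microsoft services": keep
#    only those whose binary is not branded Microsoft in its version info,
#    including binaries that cannot be found at all.
function Get-NonMicrosoftServices {
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $exe = Get-CommandExecutable $_.PathName
        $company = $null
        if ($exe -and (Test-Path -LiteralPath $exe)) {
            $company = (Get-Item -LiteralPath $exe).VersionInfo.CompanyName
        }
        if (-not $company -or $company -notmatch 'Microsoft') {
            [pscustomobject]@{
                Name      = $_.Name
                State     = $_.State
                StartMode = $_.StartMode
                Company   = $company
                Path      = $_.PathName
            }
        }
    }
}

# 3. *.exe and *.dll files sitting in the temp folders the post names.
function Get-TempExecutables {
    $dirs = @($env:TEMP, (Join-Path $env:SystemRoot 'Temp'), 'C:\Temp') |
        Where-Object { $_ } | Select-Object -Unique
    foreach ($dir in $dirs) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        Get-ChildItem -LiteralPath $dir -Recurse -Force -Include *.exe, *.dll -ErrorAction SilentlyContinue |
            Select-Object FullName, Length, LastWriteTime
    }
}

# 4. Live (non-comment) lines of the hosts file; anything beyond the
#    localhost entries is worth explaining.
function Get-HostsEntries {
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    Get-Content -LiteralPath $hosts -ErrorAction SilentlyContinue |
        Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' }
}

Write-Host '== Startup entries whose target file is missing =='
Get-AutostartEntries | Where-Object { -not $_.OnDisk } | Format-Table -AutoSize
Write-Host '== Services whose binary is not branded Microsoft =='
Get-NonMicrosoftServices | Sort-Object Name | Format-Table -AutoSize
Write-Host '== Executables in temp folders =='
Get-TempExecutables | Format-Table -AutoSize
Write-Host '== Non-comment hosts file lines =='
Get-HostsEntries
```

Two caveats on reading the output. Services hosted in svchost.exe all report Microsoft as their company, so a malicious service registered that way would not show here, which is the same blind spot MSCONFIG's filter has; compare the service list against a known-good machine as the FAQ suggests. And a startup entry whose file is missing is not proof of infection (uninstallers leave such entries behind routinely), only a prompt to find out what put it there.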