Re: Trojan/virus effects

From: David (n4wwl_at_NOSPAM.hotmail.com)
Date: 06/26/04


Date: Sat, 26 Jun 2004 14:09:42 GMT

thanks, Sandi. very useful info.

"Sandi - Microsoft MVP" <sandi_hardmeier@mvps.org> wrote in message
news:uaevSa2WEHA.1356@TK2MSFTNGP09.phx.gbl...
> There are many people who have helped this FAQ improve over time - MVPs and
> newsgroup users. I thank all of you who have made the newsgroups,
> anti-malware websites and dedicated mailing lists into such a wonderful
> resource.
>
> Read the advice at my prevention link
> (http://inetexplorer.mvps.org/data/prevention.htm) to reduce the chances of
> your computer being infected.
>
> IMPORTANT: Before trying to remove spyware, download a copy of LSPFIX from
> the URL below - some malware can kill your internet connection when it is
> removed, and this software should get things going for you again:
> http://www.cexx.org/lspfix.htm
>
> Also get a copy of WINSOCKFIX available at:
> http://www.spychecker.com/program/winsockxpfix.html
>
> The software you should download and have ready to use is:
>
> AdAware - www.lavasoft.de [..Warning: AdAware is now version 6.181. All
> previous versions are NO LONGER SUPPORTED and will not be updated...]
>
> Spybot Search and Destroy - http://spybot.eon.net.au
>
> HijackThis - http://209.133.47.12/~merijn/files/HijackThis.exe
>
> CWShredder - http://www.merijn.org/files/CWShredder.exe
>
> IMPORTANT: After obtaining the required software above, make sure you check
> for updates and run the programmes in safe mode.
>
> Malware removal (beginner's guide):
>
> First, go to Control Panel, add/remove programs. Check for malware entries
> and use the uninstall programs, then reboot.
>
> Go to start/run and type MSCONFIG. Go to the startup tab. Disable
> everything that you do not recognise as legitimate (do not disable any power
> profile options).
>
> Now go to the Services tab. Turn on the option to 'hide all Microsoft
> Services'. Disable everything that remains. If you don't have this option,
> don't worry about it.
>
> Reboot your computer and hold down the F8 key until the boot menu options
> appear. Choose Safe Mode as your startup choice. You will find
> information about what safe mode is, and what it does, at this link
> [http://inetexplorer.mvps.org/data/safe_mode.htm]
>
> Start CWSHREDDER. Update it, and fix anything it finds. Reboot back into
> safe mode.
>
> Start AdAware. Use the 'check for updates now' option. After you have
> updated, click 'start'.
>
> Note that when run using default settings, AdAware does not cope with new
> 'intelligent' malware. Make the following changes to the default settings.
>
> Use the option 'select drives/folders to scan'. Set AdAware to scan your
> entire hard drive.
>
> Make sure 'activate in depth scan' is enabled.
>
> Select 'use custom scanning options' and then click on the 'customize'
> button. Turn on the following scan options - scan within archives, scan
> active processes, scan registry, deep registry scan, scan [my] IE favorites
> for banned URLs, and scan [my] hosts file.
>
> Use the 'tweak' button. Turn on the following options:
>
> Cleaning engine: 'automatically try to unregister objects prior to
> deletion', 'let windows remove files in use at next reboot', 'delete
> quarantined objects after restoring'.
>
> Scanning engine: 'unload recognized processes during scan'.
>
> After you have finished with AdAware run Spybot to pick up any leftovers.
> Fix anything marked in red. Again, don't forget to check for updates.
>
> Also do the following:
>
> Empty your IE cache and your other temporary file folders, eg: c:\temp,
> c:\windows\temp or C:\Documents and Settings\<name>\Local Settings\Temp (the
> path to your temp folder will change depending on your name) - sometimes
> programmes can be hidden in there - watch out for mysterious *.exe files or
> *.dll files in those folders.
>
> Go to IE Tools, Internet Options, Temporary Internet Files {Settings
> Button}, View Objects, Downloaded Program Files. Check for unrecognised
> objects there.
>
> Go to IE Tools, Internet Options, Accessibility. Make sure there is no style
> sheet chosen (under User Style Sheet - format documents using my style
> sheet). If the option is turned on, turn it OFF.
>
> If the problem comes back, start all over again but with the following
> changes (this section requires advanced computer skills - inexperienced
> users will require assistance):
>
> Examine win.ini using MSCONFIG to see what is loading. You may find
> something there. Go to MSCONFIG and go to the General tab. Turn off
> process win.ini file, load system services and load startup items. Restart
> Windows and run AdAware etc once more.
>
> Use services.msc to see what is running. Some malware is now registering
> itself as a Service. The problem is working out what is legitimate and what
> is not.
>
> I strongly recommend that unless you have strong experience working in this
> area that until such time as I am able to track down a comprehensive list of
> legitimate services (or put one together myself), that you post details of
> the services revealed by services.msc to a microsoft.public newsgroup for
> professional guidance. If you turn off the wrong service you could cause
> serious problems, and at the very worst, leave the computer unbootable.
>
> An experienced computer technician can use programme such as AutoStart
> Viewer for in-depth diagnosis:
> http://www.diamondcs.com.au/index.php?page=asviewer
>
> Another excellent programme for the experienced user is APM (Advanced
> Process Manipulation), available at:
> http://www.diamondcs.com.au/index.php?page=apm
>
> Once the computer is clean, and if it applies to the operating system,
> create a new restore point. The old ones may, of course, be infected with
> the malware and therefore cannot be used. Run disk cleanup to remove old
> restore points (if your operating system has this option you will find it on
> the 'more options' tab of the disk cleanup utility. If the option to remove
> old restore points is not available, stop and restart the restore service
> which will flush out old restore points and prevent accidental reloading of
> malware.
>
> MS have released a limited KB article regarding what they call 'deceptive
> software'.
> http://support.microsoft.com/default.aspx?scid=kb;EN-US;827315
>
> Here is advice specific to:
>
> home page hijackings
> http://inetexplorer.mvps.org/answers.htm#home_page
>
> pop-up ads
> http://inetexplorer.mvps.org/data/popup.htm
>
> search engine hijackings
> http://inetexplorer.mvps.org/answers4.htm#search_engine
>
>
> --
> Hyperlinks are used to ensure advice remains current
> _______________________________________
> Sandi - Microsoft MVP since 1999 (IE/OE)
> http://inetexplorer.mvps.org/
>
>
>
> David wrote:
> > For the past two days I tried to get rid of several pesky
> > viruses/trojans that apparently messed up my machine and kept
> > returning on reboot.
> >
> > I'm running XP and turned off System Restore, then rebooted in Safe
> > Mode, then ran my AV program, and deleted the "Trojano" worm and a
> > few other viruses, like the "DyfucDldr" variety.
> >
> > I think I'm now virus, trojan, worm, and adware-free, but the damage
> > seems to have been done:
> >
> > First, I can't open programs from my desktop, like IE or Ad-Aware, or
> > Real Audio. The system just hangs and the hourglass icon stares at
> > me. CTL-ALT-DEL doesn't work...it either freezes the computer or I
> > get an error message saying there is something wrong with the program
> > and asking me to send a report to Microsoft.
> >
> > Second, there is no audio on the computer anymore. The files for all
> > of the Windows sounds are missing -- there is no C:/WINDOWS/MEDIA
> > folder anymore. Instead, in Control Panel, the icons for each sound
> > show a path that begins with "%System Root%" and I get a message that
> > the file can't be located. The same is true of all the other program
> > sounds, for Real Audio, my anti-virus alerts, etc. (I checked and
> > nothing is muted.)
> >
> > Finally, I noticed the Startup list after running "msconfig" shows a
> > couple of strange ".exe" files, for example, "Nye42.exe". This box is
> > checked like all the others, and it says the location is in the
> > C:/Windows folder, but I did a search for it and there is no such
> > file found on my computer. I unchecked this from the Startup list,
> > but the two problems noted above still exist.
> >
> > I'm afraid whatever got me really got me good and I have no idea how
> > to recover from this.
> >
> > Any suggestions would be appreciated. I've done a web search (on my
> > other computer) and reviewed the bulletin board threads. I think
> > I've done everything I've read to get rid of the nasties, I just
> > don't know how to restore the system to an operational mode.
> >
> > I am thinking of restoring the "System Restore" function and going
> > back a month or so before I got whacked to do a System Restore at
> > that point. Hopefully that will restore the sounds and functionality.
> > It may also restore the viruses, but I may be able to delete them
> > this time before they do permanent damage.
> >
> > I'd appreciate anyone's thoughts on what I can do or whether my plan
> > even makes sense.
> >
> > Thanks in advance for your help.
>
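The thread's manual checks (MSCONFIG startup tab, services.msc, and David's phantom "Nye42.exe" entry whose file no longer exists) can be done in one pass with a script. This is an added PowerShell example written for this page, not code from the thread or from any of the tools it links; it uses only built-in cmdlets and assumes a Windows host with PowerShell 3 or later.

```powershell
# Added example (not from the thread): list autostart entries from the Run/RunOnce keys
# and installed services; flag targets that are missing (the "Nye42.exe" case) or unsigned.
function Get-ExePath {
    param([string]$CommandLine)
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $null }
    $cmd = $CommandLine.Trim()
    if ($cmd.StartsWith('"')) {                      # "C:\Program Files\x\y.exe" /arg
        $end = $cmd.IndexOf('"', 1); if ($end -gt 0) { return $cmd.Substring(1, $end - 1) }
    }
    $m = [regex]::Match($cmd, '^(.*?\.exe)\b', 'IgnoreCase')   # C:\Windows\y.exe /arg
    if ($m.Success) { return $m.Groups[1].Value }
    return ($cmd -split '\s+')[0]
}
function Test-AutostartEntry {
    param([string]$Source, [string]$Name, [string]$CommandLine)
    $exe = Get-ExePath $CommandLine
    if ($exe) {
        $exe = [Environment]::ExpandEnvironmentVariables($exe)   # %SystemRoot%\... -> real path
        if (-not [IO.Path]::IsPathRooted($exe)) {
            # Bare names resolve against %SystemRoot% and System32, as the loader would
            foreach ($dir in @($env:SystemRoot, "$env:SystemRoot\System32")) {
                $c = Join-Path $dir $exe
                if (Test-Path -LiteralPath $c) { $exe = $c; break }
            }
        }
    }
    if (-not $exe -or -not (Test-Path -LiteralPath $exe)) {
        $status = 'MISSING TARGET - entry points at a file that does not exist'
    } else {
        $sig = Get-AuthenticodeSignature -LiteralPath $exe
        $status = if ($sig.Status -eq 'Valid') { "Signed: $($sig.SignerCertificate.Subject)" } else { "Unsigned ($($sig.Status))" }
    }
    [pscustomobject]@{ Source = $Source; Name = $Name; Target = $exe; Status = $status }
}
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
$results = @(foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }        # skip PSPath/PSParentPath/... metadata
        Test-AutostartEntry -Source $key -Name $p.Name -CommandLine $p.Value
    }
})
$results += @(Get-CimInstance Win32_Service | Where-Object PathName | ForEach-Object {
    Test-AutostartEntry -Source 'Service' -Name $_.Name -CommandLine $_.PathName })
# Missing targets sort first, then signed entries (with signer), then unsigned ones
$results | Sort-Object Status | Format-Table -AutoSize
```

A missing target means the loader can no longer find what the entry referenced, which is exactly what an orphaned startup entry left behind by removed malware looks like; unsigned entries are not necessarily bad, but they are the ones to compare against the known list of installed software before deciding.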