Re: Trojan/virus effects

From: Sandi - Microsoft MVP (sandi_hardmeier_at_mvps.org)
Date: 06/26/04


Date: Sat, 26 Jun 2004 23:22:56 +0800


<bowing>

-- 
Hyperlinks are used to ensure advice remains current
_______________________________________
Sandi - Microsoft MVP since 1999 (IE/OE)
http://inetexplorer.mvps.org/
David wrote:
> thanks, Sandi.  very useful info.
> 
> "Sandi - Microsoft MVP" <sandi_hardmeier@mvps.org> wrote in message
> news:uaevSa2WEHA.1356@TK2MSFTNGP09.phx.gbl...
>> There are many people who have helped this FAQ improve over time -
>> MVPs and newsgroup users.  I thank all of you who have made the
>> newsgroups, anti-malware websites and dedicated mailing lists into
>> such a wonderful resource.
>> 
>> Read the advice at my prevention link
>> (http://inetexplorer.mvps.org/data/prevention.htm) to reduce the
>> chances of your computer being infected.
>> 
>> IMPORTANT: Before trying to remove spyware, download a copy of
>> LSPFIX from the URL below - some malware can kill your internet
>> connection when it is removed, and this software should get things
>> going for you again: http://www.cexx.org/lspfix.htm
>> 
>> Also get a copy of WINSOCKFIX available at:
>> http://www.spychecker.com/program/winsockxpfix.html
>> 
>> The software you should download and have ready to use is:
>> 
>> AdAware - www.lavasoft.de [..Warning: AdAware is now version 6.181.
>> All previous versions are NO LONGER SUPPORTED and will not be
>> updated...] 
>> 
>> Spybot Search and Destroy - http://spybot.eon.net.au
>> 
>> HijackThis - http://209.133.47.12/~merijn/files/HijackThis.exe
>> 
>> CWShredder - http://www.merijn.org/files/CWShredder.exe
>> 
>> IMPORTANT: After obtaining the required software above, make sure
>> you check for updates and run the programmes in safe mode.
>> 
>> Malware removal (beginner's guide):
>> 
>> First, go to Control Panel, add/remove programs. Check for malware
>> entries and use the uninstall programs, then reboot.
>> 
>> Go to start/run and type MSCONFIG.  Go to the startup tab.  Disable
>> everything that you do not recognise as legitimate (do not disable
>> any power profile options).
>> 
>> Now go to the Services tab.  Turn on the option to 'hide all
>> Microsoft Services'.  Disable everything that remains.  If you don't
>> have this option, don't worry about it.
>> 
>> Reboot your computer and hold down the F8 key until the boot menu
>> options appear.   Choose Safe Mode as your startup choice.  You will
>> find information about what safe mode is, and what it does, at this
>> link [http://inetexplorer.mvps.org/data/safe_mode.htm]
>> 
>> Start CWSHREDDER.  Update it, and fix anything it finds.  Reboot
>> back into safe mode.
>> 
>> Start AdAware. Use the 'check for updates now' option.  After you
>> have updated, click 'start'.
>> 
>> Note that when run using default settings, AdAware does not cope
>> with new 'intelligent' malware.  Make the following changes to the
>> default settings. 
>> 
>> Use the option 'select drives/folders to scan'.  Set AdAware to scan
>> your entire hard drive.
>> 
>> Make sure 'activate in depth scan' is enabled.
>> 
>> Select 'use custom scanning options' and then click on the
>> 'customize' button. Turn on the following scan options - scan within
>> archives, scan active processes, scan registry, deep registry scan,
>> scan [my] IE favorites for banned URLs, and scan [my] hosts file.
>> 
>> Use the 'tweak' button.  Turn on the following options:
>> 
>> Cleaning engine: 'automatically try to unregister objects prior to
>> deletion', 'let windows remove files in use at next reboot', 'delete
>> quarantined objects after restoring'.
>> 
>> Scanning engine: 'unload recognized processes during scan'.
>> 
>> After you have finished with AdAware run Spybot to pick up any
>> leftovers. Fix anything marked in red.  Again, don't forget to check
>> for updates. 
>> 
>> Also do the following:
>> 
>> Empty your IE cache and your other temporary file folders, eg:
>> c:\temp, c:\windows\temp or C:\Documents and Settings\<name>\Local
>> Settings\Temp (the path to your temp folder will change depending on
>> your name) - sometimes programmes can be hidden in there - watch out
>> for mysterious *.exe files or *.dll files in those folders.
>> 
>> Go to IE Tools, Internet Options, Temporary Internet Files {Settings
>> Button}, View Objects, Downloaded Program Files. Check for
>> unrecognised objects there.
>> 
>> Go to IE Tools, Internet Options, Accessibility. Make sure there is
>> no style sheet chosen (under User Style Sheet - format documents
>> using my style sheet). If the option is turned on, turn it OFF.
>> 
>> If the problem comes back, start all over again but with the
>> following changes (this section requires advanced computer skills -
>> inexperienced users will require assistance):
>> 
>> Examine win.ini using MSCONFIG to see what is loading.  You may find
>> something there.  Go to MSCONFIG and go to the General tab.  Turn off
>> process win.ini file, load system services and load startup items.
>> Restart Windows and run AdAware etc once more.
>> 
>> Use services.msc to see what is running. Some malware is now
>> registering itself as a Service.  The problem is working out what is
>> legitimate and what is not.
>> 
>> I strongly recommend that, unless you have strong experience working
>> in this area, you post details of the services revealed by
>> services.msc to a microsoft.public newsgroup for professional
>> guidance until such time as I am able to track down a comprehensive
>> list of legitimate services (or put one together myself). If you turn
>> off the wrong service you could cause serious problems, and at the
>> very worst, leave the computer unbootable.
>> 
>> An experienced computer technician can use a programme such as
>> AutoStart Viewer for in-depth diagnosis:
>> http://www.diamondcs.com.au/index.php?page=asviewer
>> 
>> Another excellent programme for the experienced user is APM (Advanced
>> Process Manipulation), available at:
>> http://www.diamondcs.com.au/index.php?page=apm
>> 
>> Once the computer is clean, and if it applies to the operating
>> system, create a new restore point.  The old ones may, of course, be
>> infected with the malware and therefore cannot be used.  Run disk
>> cleanup to remove old restore points (if your operating system has
>> this option you will find it on the 'more options' tab of the disk
>> cleanup utility).  If the option to remove old restore points is not
>> available, stop and restart the restore service, which will flush out
>> old restore points and prevent accidental reloading of malware.
>> 
>> MS have released a limited KB article regarding what they call
>> 'deceptive software'.
>> http://support.microsoft.com/default.aspx?scid=kb;EN-US;827315
>> 
>> Here is advice specific to:
>> 
>> home page hijackings
>> http://inetexplorer.mvps.org/answers.htm#home_page
>> 
>> pop-up ads
>> http://inetexplorer.mvps.org/data/popup.htm
>> 
>> search engine hijackings
>> http://inetexplorer.mvps.org/answers4.htm#search_engine
>> 
>> 
>> --
>> Hyperlinks are used to ensure advice remains current
>> _______________________________________
>> Sandi - Microsoft MVP since 1999 (IE/OE)
>> http://inetexplorer.mvps.org/
>> 
>> 
>> 
>> David wrote:
>>> For the past two days I tried to get rid of several pesky
>>> viruses/trojans that apparently messed up my machine and kept
>>> returning on reboot.
>>> 
>>> I'm running XP and turned off System Restore, then rebooted in Safe
>>> Mode, then ran my AV program, and deleted the "Trojano" worm and a
>>> few other viruses, like the "DyfucDldr" variety.
>>> 
>>> I think I'm now virus, trojan, worm, and adware-free, but the damage
>>> seems to have been done:
>>> 
>>> First, I can't open programs from my desktop, like IE or Ad-Aware,
>>> or Real Audio.  The system just hangs and the hourglass icon stares
>>> at me. CTL-ALT-DEL doesn't work...it either freezes the computer or
>>> I get an error message saying there is something wrong with the
>>> program and asking me to send a report to Microsoft.
>>> 
>>> Second, there is no audio on the computer anymore.  The files for
>>> all of the Windows sounds are missing -- there is no
>>> C:/WINDOWS/MEDIA folder anymore. Instead, in Control Panel, the
>>> icons for each sound show a path that begins with "%System Root%"
>>> and I get a message that the file can't be located. The same is
>>> true of all the other program sounds, for Real Audio, my anti-virus
>>> alerts, etc.  (I checked and nothing is muted.)
>>> 
>>> Finally, I noticed the Startup list after running "msconfig" shows a
>>> couple strange ".exe" files, for example, "Nye42.exe".  This box is
>>> checked like all the others, and it says the location is in the
>>> C:/Windows folder, but I did a search for it and there is no such
>>> file found on my computer.  I unchecked this from the Startup list,
>>> but the two problems noted above still exist.
>>> 
>>> I'm afraid whatever got me really got me good and I have no idea how
>>> to recover from this.
>>> 
>>> Any suggestions would be appreciated.  I've done a web search (on my
>>> other computer) and reviewed the bulletin board threads.  I think
>>> I've done everything I've read to get rid of the nasties, I just
>>> don't know how to restore the system to an operational mode.
>>> 
>>> I am thinking of restoring the "System Restore" function and going
>>> back a month or so before I got whacked to do a System Restore at
>>> that point. Hopefully that will restore the sounds and
>>> functionality. It may also restore the viruses, but I may be able
>>> to delete them this time before they do permanent damage.
>>> 
>>> I'd appreciate anyone's thoughts on what I can do or whether my plan
>>> even makes sense.
>>> 
>>> Thanks in advance for your help.
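The FAQ quoted above has the reader walk MSCONFIG's Startup and Services tabs by hand and watch for entries like the phantom "Nye42.exe" in the original post, whose file does not exist on disk. The script below is an added example, not part of the thread or of Sandi's FAQ: it does the same audit read-only on a current Windows system (Windows PowerShell 5.1 or PowerShell 7), listing Run-key, Startup-folder and non-Microsoft service entries and flagging any whose target file is missing or whose binary carries no valid Authenticode signature. The function names and the "O=Microsoft Corporation" signer match are this example's own choices; it reports and never disables anything.

```powershell
# Added example (not from the thread): enumerate Windows autostart entries
# (the Run keys and Startup folders MSCONFIG shows, plus services as
# services.msc shows them) and flag what the FAQ says to look for: targets
# that no longer exist on disk and binaries without a valid signature.
# Read-only. Run from an elevated prompt so HKLM and all services are visible.

# Autostart registry locations; Wow6432Node is the 32-bit view on 64-bit Windows.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Pull the executable path out of a command line such as
#   "C:\Program Files\App\app.exe" /silent   or   %SystemRoot%\system32\svc.exe -k netsvcs
function Get-ExecutablePath {
    param([string]$CommandLine)
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $null }
    # %SystemRoot% and friends are expanded, as the original poster's sound paths were not.
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 0) { return $cmd.Substring(1, $end - 1) }
        return $cmd.Trim('"')
    }
    # Unquoted: the path ends at the first ".exe", otherwise at the first space.
    $m = [regex]::Match($cmd, '^(.+?\.exe)(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($cmd -split '\s+')[0]
}

# Build one report row per autostart entry (hypothetical helper name).
function Test-AutostartEntry {
    param([string]$Source, [string]$Name, [string]$CommandLine)
    $path   = Get-ExecutablePath $CommandLine
    $exists = $path -and (Test-Path -LiteralPath $path -PathType Leaf)
    $sigStatus = 'n/a'
    $signer    = ''
    if ($exists) {
        $sig = Get-AuthenticodeSignature -LiteralPath $path
        $sigStatus = $sig.Status.ToString()
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    }
    [pscustomobject]@{
        Source     = $Source
        Name       = $Name
        Target     = $path
        FileExists = [bool]$exists
        Signature  = $sigStatus
        Signer     = $signer
        # Look at these first: a missing target or an unsigned/invalid binary.
        Suspicious = (-not $exists) -or ($sigStatus -ne 'Valid')
    }
}

$results = @()

# Registry Run / RunOnce values.
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, etc.
        $results += Test-AutostartEntry -Source $key -Name $p.Name -CommandLine ([string]$p.Value)
    }
}

# Per-user and all-users Startup folders; shortcut targets are resolved via WScript.Shell.
$shell = New-Object -ComObject WScript.Shell
foreach ($folder in @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
    if (-not (Test-Path $folder)) { continue }
    Get-ChildItem -LiteralPath $folder -File | ForEach-Object {
        $target = if ($_.Extension -eq '.lnk') { $shell.CreateShortcut($_.FullName).TargetPath } else { $_.FullName }
        $results += Test-AutostartEntry -Source $folder -Name $_.Name -CommandLine $target
    }
}

# Services, roughly what MSCONFIG's 'hide all Microsoft services' leaves visible:
# anything whose binary is not signed with a Microsoft certificate.
Get-CimInstance Win32_Service | ForEach-Object {
    $entry = Test-AutostartEntry -Source 'Service' -Name $_.Name -CommandLine $_.PathName
    if ($entry.Signer -notmatch 'O=Microsoft Corporation') { $results += $entry }
}

$results |
    Sort-Object -Property @{ Expression = 'Suspicious'; Descending = $true }, Source |
    Format-Table Source, Name, Target, FileExists, Signature, Suspicious -AutoSize
```

Rows with FileExists false correspond to the FAQ's "it says the location is C:\Windows, but there is no such file" case; rows that exist but are not validly signed are the ones to research before touching, in the same spirit as the FAQ's warning not to disable a service you cannot identify.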