(long) Guide to Defeating Infections

From: WinGuy (no_spam_at_nomail.bot)
Date: 06/27/04


Date: Sun, 27 Jun 2004 03:29:29 GMT

It can be very frustrating when your computer is infected and nothing seems
to help. One reason is that some of the newer infections actively fight the
very utilities used to get rid of them, even when the computer is booted
into Safe Mode. Discovering exactly how they do this is what some companies
make a full-time job of. What the reader probably wants is just some way to
get enough control that anti-malware utilities can be run with the expected
results. Please read all of this document before doing anything it says to
do. This is intended as a guide; it's my hope it is without error or
omission.

The first thing to do is get prepared. Get the following utilities onto a
CD-R so that you can install them without having to be connected to the
internet. Make sure that you have the very latest available downloads of the
utilities on the CD-R that you make or have made for you. Your CD Drive must
be known to have been working before you got infected, because you will need
to use it.

1. The freeware version of AVG from http://www.grisoft.com

Note: You may have to receive two emails. The first will be a link to where
you can download AVG from. The second email will be sent during the download
and it will provide a needed activation key, which is case sensitive when
you enter it.

2. The freeware version of ZoneAlarm from http://www.zonelabs.com

3. Ad-aware 6 from http://www.lavasoft.de

While you are at that site be sure to also download its latest definitions
reference file. After you install Ad-aware 6 be sure to over-write the old
reference file with this new one.

4. Spybot Search & Destroy from http://www.safer-networking.org/

5. SpywareBlaster from http://www.javacoolsoftware.com/spywareblaster.html

6. SpywareGuard from http://www.javacoolsoftware.com/sgdownload.html

Note: Get the full version.

7. CWShredder from http://www.spywareinfo.com/~merijn/cwschronicles.html

8. DCOMbobulator from http://grc.com/dcom, and HTAStop from
http://www.nsclean.com/psc-htas.html

9. Kill2Me from http://www.spywareinfo.com/~merijn/downloads.html

10. ShootTheMessenger from http://grc.com/stm/shootthemessenger.htm

This one is used only on NT, 2000, and XP based computers.

11. Obtain this file:
http://www.davehigham.zen.co.uk/downloads/missingfilesetup.exe

12. Obtain this file:
http://www.microsoft.com/downloads/details.aspx?FamilyID=bf9a24f9-b5c5-48f4-8edd-cdf2d29a79d5&displaylang=en

13. Obtain this file:
http://members.shaw.ca/techcd/VB_Projects/WinsockFix.zip

Booting into Safe Mode (by selecting it from the menu that appears if you
keep tapping the F8 key during a boot) might not keep an infection from
remaining active and in a fighting mode. The way to obtain control is to
boot the machine in Diagnostic mode, a special boot (set up through msconfig)
that loads only the files and services absolutely necessary for Windows to
start. Like Safe Mode, Diagnostic Mode results in many things not working
that would otherwise work in Normal Mode; in Diagnostic Mode even fewer
things work than in Safe Mode. Unfortunately, there usually is no way to get
to Diagnostic Mode via the F8 key, so depending on the infection you might
have to fight a little to select Diagnostic Mode once you've booted into Safe
Mode. So do things as quickly and accurately as you can when in Safe Mode.
But first, physically disconnect from any networking (LAN or WAN/Internet)
until instructed otherwise in this document.

1. Boot into Safe Mode. If a message appears saying you're not booting up
normally, select the option not to be told about that again and then click
OK (do not click Cancel). Then click Start, then Run, type "msconfig"
(without the quotes) and click OK. If the program starts and does not close
by itself, go to step #3.

2. If the MSConfig program starts up and then closes by itself, you have a
real fighter on your hands. In this case click Start, then Run, and type
"cmd" (without the quotes). If you're using 98 or ME, type "command" (without
the quotes) instead. A DOS box (command prompt window) should appear.
Understand that the notation {windir} means the name of the folder that
Windows is installed into. On most 98, ME, and XP machines that folder is
named WINDOWS; on 2000 machines it is usually named WINNT. It's located in
the root of drive C. Type these things in the DOS box and hit Enter after
each line.

c:

cd \

For 98 or Me: cd c:\{windir}\system

For 2K or XP: cd c:\{windir}\system32

copy msconfig.exe mymscfg.exe

exit

The DOS box will close. Note that you should give the copied file some other
name instead of "mymscfg.exe" (it must still end with .exe) just in case
some infection author has also read this!

Now click Start, then Run, type the name of that new copy of msconfig.exe and
click OK. This time the program should not close by itself (the infection
author doesn't know its name). If it does close by itself, either the
infection is matching on something other than the file name (for example
the window title, which a renamed copy still shows) or the msconfig.exe on
disk is itself damaged. In that case you must extract another copy of
msconfig.exe from a CD of the same version of Windows that you are using and
(while in Diagnostic Mode) replace the infected version of msconfig.exe.
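The renaming trick above, scripted, with two checks a practitioner would want: a comparison of the on-disk msconfig.exe against the Windows File Protection cache copy (dllcache, present on 2000/XP), and a watch on whether the renamed copy gets killed anyway. This is an added example and is not code from the original post; it assumes PowerShell is available on the machine (it was not shipped with 2000/XP) and that the dllcache path exists. The random-name generator and the five-second wait are choices made here, not anything the post specifies.

```powershell
# Added example, not from the original post. Assumes Windows 2000/XP with
# PowerShell (any version) available and that you are already in Safe Mode.
# dllcache is Windows File Protection's cache on 2000/XP; if it is missing,
# the hash check is simply skipped.
$sys32 = Join-Path $env:SystemRoot 'system32'    # WINDOWS or WINNT, whichever applies
$src   = Join-Path $sys32 'msconfig.exe'
$cache = Join-Path $sys32 'dllcache\msconfig.exe'

function Get-Sha256Hex([string]$Path) {
    # .NET hashing so this works on old PowerShell versions without Get-FileHash.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try { return ([BitConverter]::ToString($sha.ComputeHash($fs))) -replace '-', '' }
    finally { $fs.Close() }
}

# Pick an unpredictable name so a killer matching on "msconfig.exe" misses it.
$name = -join (97..122 | Get-Random -Count 8 | ForEach-Object { [char]$_ })
$copy = Join-Path $sys32 "$name.exe"
Copy-Item -LiteralPath $src -Destination $copy
Write-Host "Copied msconfig.exe to $copy"

# Cross-check the on-disk msconfig.exe against the protected cache copy, if present.
if (Test-Path -LiteralPath $cache) {
    if ((Get-Sha256Hex $src) -ne (Get-Sha256Hex $cache)) {
        Write-Warning 'msconfig.exe differs from the dllcache copy; it may have been replaced.'
    } else {
        Write-Host 'msconfig.exe matches the dllcache copy.'
    }
}

# Launch the renamed copy and see whether something kills it within a few seconds.
$p = Start-Process -FilePath $copy -PassThru
Start-Sleep -Seconds 5
if ($p.HasExited) {
    Write-Warning ('The renamed copy was closed too. The infection is probably not ' +
                   'matching on the file name (the window title is one common ' +
                   'alternative), or msconfig.exe itself is damaged.')
} else {
    Write-Host 'The renamed copy is still running; continue with step 3.'
}
```

Run it from an administrator shell. Delete the randomly named copy once the cleanup is finished so a second msconfig is not left lying in system32.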

3. Select the Diagnostic Startup option and then click OK. Be sure to do
that. THEN select the Selective Startup option. Put a checkmark in the
Process SYSTEM.INI File and the Process WIN.INI File options. If using 98 or
ME, also enable the Process AUTOEXEC.BAT and Process CONFIG.SYS options. For
2K and XP, make sure the Use Original BOOT.INI option is selected. Neither
the Load System Services nor the Load Startup Items option should be enabled.

4. Reboot and let Windows start normally. Again, if prompted, tell it not
to remind you that you are booting normally and then click OK (do not click
Cancel).

5. Put in the CD that you made and check that you can view its contents.
Create a folder on your desktop and copy the programs and files from that CD
into that folder.

Using msconfig, take a quick look at the Services tab and note which
services are already running. These are the absolute minimum needed to run
Windows. Do the same for the Startup tab. 98 and ME don't have a Services
tab.
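A way to record that minimal set instead of just eyeballing it, so that anything which reappears after a later boot stands out: the first run (in Selective Startup mode) saves a baseline of running services, Run/RunOnce registry entries and Startup folder contents; every later run prints what is NEW or GONE relative to that baseline. This is an added example, not code from the original post; it assumes PowerShell is available and the baseline file path on the Desktop is an assumption of this example.

```powershell
# Added example, not from the original post. Assumes PowerShell is available;
# the baseline file location on the Desktop is an assumption.
# First run (in Selective/Diagnostic Startup mode): saves the baseline.
# Later runs: print NEW for entries that appeared and GONE for ones that left.
$baseline = Join-Path $env:USERPROFILE 'Desktop\startup-baseline.txt'

function Get-AutostartSnapshot {
    $lines = @()

    # Running services: in Diagnostic mode these are the minimal set msconfig shows.
    foreach ($svc in (Get-Service | Where-Object { $_.Status -eq 'Running' })) {
        $lines += "SERVICE`t$($svc.Name)`t$($svc.DisplayName)"
    }

    # Run/RunOnce registry keys, which msconfig's Startup tab reads from.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        $props = Get-ItemProperty -Path $k
        foreach ($prop in $props.PSObject.Properties) {
            # Skip PowerShell's own PSPath/PSParentPath/... note properties.
            if ($prop.Name -like 'PS*') { continue }
            $lines += "RUN`t$k\$($prop.Name)`t$($prop.Value)"
        }
    }

    # Per-user and all-users Startup folders.
    foreach ($dir in @([Environment]::GetFolderPath('Startup'),
                       [Environment]::GetFolderPath('CommonStartup'))) {
        if (-not (Test-Path $dir)) { continue }
        foreach ($f in (Get-ChildItem -Path $dir | Where-Object { -not $_.PSIsContainer })) {
            $lines += "STARTUPDIR`t$($f.FullName)"
        }
    }
    return ($lines | Sort-Object)
}

if (-not (Test-Path $baseline)) {
    Get-AutostartSnapshot | Set-Content -Path $baseline
    Write-Host "Baseline saved to $baseline"
} else {
    $diff = Compare-Object -ReferenceObject (Get-Content -Path $baseline) `
                           -DifferenceObject (Get-AutostartSnapshot)
    if (-not $diff) { Write-Host 'No change since the baseline.' }
    foreach ($d in $diff) {
        $tag = if ($d.SideIndicator -eq '=>') { 'NEW ' } else { 'GONE' }
        Write-Host "$tag`t$($d.InputObject)"
    }
}
```

Entries listed as NEW after a reboot in which you installed nothing are exactly the ones to look at first; an infection that keeps re-adding its Run key will show up here even when the Startup tab in msconfig has been tampered with.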

--
Now you should be in control of your computer, although its functionality is
minimal. You can now install the programs that you put in the folder on your
desktop. Do so, and read their Help files carefully so you can make sure they
are configured properly. Don't be in a hurry; really read ALL the Help. All
of it is important to know both now and in the future, so take the time and
effort to learn it right now.
Be sure to put that latest reference file in the folder where you installed
Ad-aware 6. Also, make sure that you remain in this specially configured
Selective Startup mode after each boot.
Now do these things in this order:
0. Double click the #11 and #12 files you obtained (beginning of this
document). This will assure that certain files exist that some of the
following utilities require to work properly.
1. Make sure AVG is configured to use all of its functionality, including
heuristics. Then run it. Don't worry for now if it finds things in the System
Restore folder (_RESTORE on ME, System Volume Information on XP) that it
cannot delete. That's the folder used to recover your system to an earlier
point in time. Only after everything is enabled and working ok again will you
want to clean out that folder by turning off System Restore, rebooting, and
turning it back on and then rebooting again. Let AVG fix anything else it
finds.
2. Use CWShredder
3. Run Ad-aware. Let it get rid of anything it finds.
4. Run Spybot. Let it get rid of anything it finds. Enable both of its
Resident utilities.
5. Use SpywareGuard and SpywareBlaster
6. For 2K and XP, use ShootTheMessenger
7. Use HTAStop and Kill2Me
8. Use DCOMbobulator but don't reboot just yet.
For 2K and XP, assure that your physical LAN port (or dialup connection) is
enabled - right click My Network Places, select Properties, right-click and
get properties for the connection you will use. For XP, click the Advanced
tab and enable the built-in firewall for the connection.
9. Use WinsockFix (#13) and let the machine reboot, even if using 98 or ME.
If using 98 or ME, physically reconnect your internet just before you
reboot.
10. If using 2K or XP then run msconfig again and enable Load System
Services and then reboot, and physically reconnect your internet just before
rebooting.
If ZoneAlarm pops up asking if it's ok for something to use the internet,
allow only these things for now: Internet Explorer, Generic Host Process for
Win32 Services, Services and Controller app, and any of the files that you
just got done installing.
11. Update AVG, Ad-aware 6, Spybot, SpywareBlaster, CWShredder, and
SpywareGuard. Be sure the updates get applied. Disconnect from the internet
and use them all again. Reboot.
12. Run msconfig again, select Normal Startup, and reboot. Your system
should be clean; you can probably safely reconnect your internet now.
13. If using ME or XP and everything seems ok then disable System Restore,
reboot, re-enable it again, and reboot. See Windows Help on how to do that.
14. Visit MS Update website and make sure all offered updates are installed.
That's it. If your system is still messing up then you have a really new
infection or (more likely) system files have been damaged. As long as you
can boot into Windows, in safe or normal mode, you can re-install Windows on
top of itself without losing anything, but you will need to do all MS
Updates after that. Otherwise, consider taking it to a professional if
things didn't go quite right (or worse), because a good one can probably
save everything and make it all work right for you again.
I hope this document didn't have any bad advice in it, but if it did or if I
left something out then I hope even more that someone in this forum will
offer up some better advice! Best wishes.