


Title: Internet Virus control methods
Description: not related to Scenario


Jed - July 8, 2006 09:54 PM (GMT)
I believe there is a lot that could be posted to help out. By no means do I claim to have answers, that is not the purpose of my post.
But in light of David's recent internet virus, and the fact that over the past 2 days I too have had a virus: I defeated it!
And, I hope it's okay to post what was useful to me.

First of all, what was my virus?

It sounds very similar to yours, David. So if this helps you or someone else, it is worthwhile.
My internet was hijacked, every time I loaded IE (Firefox worked fine so I was able to download the security below, but this is not always going to be so kind), it took me to a FAKE security website, and a popup came up telling me I had some malicious virus, something Myzor. And that I had to click OK to download protection.
DO NOT CLICK YES (or in many cases, No. Always use Alt+F4 or click the X in the top right to close popups).
Note: I did not have any Myzor virus. The popup was LYING, to trick you into going onto sites to download FAKE anti-spyware/virus software.

I tried many things. Mostly manual, checking what files on my entire system were accessed last after I changed the internet settings, which the hijacker virus auto changed back. It affected my homepage as well as other things. So, using the search for files modified or accessed in the last day, then ordering them, I could see what MIGHT be a virus. But DO NOT START DELETING THINGS. System files get updated as normal procedure.

After trying different programs, mentioned below, I found out that on my computer, I had a desktop hijacker, a popuper, a couple of adware programs, a trojan horse, trojan downloader files and a nasty dialer file, no idea how that got there. The dialer was easy to get rid of, I just had to locate it then manually delete. The popuper was easily removed manually but had various files connecting it that took time to find and delete within my system32 folder in windows. :(
I could not access the files for the trojan downloader, and I could not manually delete the trojan or one of the adwares. It was designed so you can't delete it with the mouse. Also, the popuper kept coming back every time I restarted my computer, this was because I did not delete the popuper downloader files. Or something like that. :blink:

---------------
It was very difficult in the end.
I tried sooo many things these past two days. But among everything, this was what was necessary:

SpySweeper - to destroy LOTS of evil things. More than some programs will stop.

pctools.com, use the Spyware Doctor. This does not remove malicious files, but is useful for locating them, and it located a couple of things at the very end of my search, that I could manually find and delete.

Accessing the registry to manually delete certain files. This is difficult. You need to know which parts (from something like Spyware Blaster) to access. But to get into the registry, you must type regedit in the windows RUN command.

Manually removing something identified as malicious, but in the System Volume Information (SVI) files. These are VERY hard to access, and my big problem was that the main part of the virus was in this area.
The following two sites give good information on how to access the SVI folders:
http://blogs.msdn.com/oldnewthing/archive/...1/20/55764.aspx
and
http://support.microsoft.com/default.aspx?kbid=309531

and finally, some kind of Registry Cleaner because you can't always get manually to everything in the registry. I used EasyCleaner.
This program is actually very handy for a couple of other housekeeping tools.

------------------
Other things that can be useful, but for me, they are not better than what I did above, but in other circumstances, could be:

Ad-aware

Spybot search and destroy

Spyware Blaster - to block various things. Research this first, it has potential if you continue to have recurring difficulty in the future. But it is not as good as proper firewalling and anti virus software.

You can use the Windows RUN command, entering the command 'msconfig' without the quotation marks, that will bring up a panel, the far right tab pane has a list of all things that run on startup of your computer. In the past, I used this to check on the internet if any of the files running were viruses. If not then LEAVE THEM ALONE. But it could be useful.

Safe mode. Sometimes, you need to be prepared to manually remove things in safe mode (press F8 while the computer is booting up). I could not remove the dcomcfg.exe file unless I was in safe mode, because it had some special control running in my system to prevent me from doing so, and safe mode restricts a lot of unrecommended actions that the computer might carry out. Unfortunately, you can't run the internet while in safe mode, so write down what you need to change. The best thing is, you can run virus protection software, adware removal, checkers etc, while in safe mode.

Finally, never visit sites that popups tell you to, I was constantly brought to the site sysprotectionpage. It is NOT legitimate. Remember, official products should not use popups to aid you.

Argh, extra caution. The popupers I had created icons on my taskbar that said I needed to click the icon to protect my computer. These look very real, like the security icons you may already have running correctly on your computer, but they are malicious. Ignore them, close them, but never click them.

A final website that I believe is genuine and is very useful:
www.pcworld.com
The downloads pages with the stuff relating to spyware removal, virus protection etc, is worth a look.
But in general, I managed to get away with googling my problem and reading how it was dealt with in official forums. Again, caution is needed so you don't visit fake sites, with their fake malicious software.
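The manual checks Jed describes above (the msconfig startup list, the registry Run keys, files in system32 touched recently, the home page the hijacker kept resetting) can be gathered read-only in one pass and saved to a text file before rebooting into Safe Mode. The script below is an added example written for this page; it is not code from the original post or from any of the tools it names. It assumes Windows PowerShell 3.0 or later (for Get-ChildItem -File), the two-day window is an assumption, and it deletes nothing, in keeping with the post's own warning.

```powershell
# Read-only triage of the autorun and browser settings discussed above.
# Added example for this page, not code from the original post.
# Assumes Windows PowerShell 3.0+ (Get-ChildItem -File). Nothing is modified.

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# The same entries msconfig's Startup tab shows: Run/RunOnce keys plus the
# per-user and all-users Startup folders.
function Get-AutorunEntries {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Get-ItemProperty adds PSPath, PSParentPath etc.; skip those
            if ($p.Name -like 'PS*') { continue }
            [pscustomobject]@{ Location = $key; Name = $p.Name; Command = $p.Value }
        }
    }
    $folders = @([Environment]::GetFolderPath('Startup'),
                 [Environment]::GetFolderPath('CommonStartup'))
    foreach ($dir in $folders) {
        if (-not (Test-Path $dir)) { continue }
        Get-ChildItem -Path $dir -File | ForEach-Object {
            [pscustomobject]@{ Location = $dir; Name = $_.Name; Command = $_.FullName }
        }
    }
}

# Files in System32 written in the last $Days days, newest first. As the post
# says, Windows Update legitimately touches files here, so this is a list to
# research, not a list to delete.
function Get-RecentSystem32Files([int]$Days = 2) {
    $cutoff = (Get-Date).AddDays(-$Days)
    Get-ChildItem -Path "$env:SystemRoot\System32" -File -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt $cutoff } |
        Sort-Object LastWriteTime -Descending |
        Select-Object LastWriteTime, Length, FullName
}

# The IE home/search page the hijacker kept resetting, plus any active
# hosts-file mappings (a common way to redirect or block security sites).
function Get-HijackIndicators {
    $ieMain = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
    $ie = Get-ItemProperty -Path $ieMain -ErrorAction SilentlyContinue
    $hostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
    $hosts = Get-Content -Path $hostsPath -ErrorAction SilentlyContinue |
        Where-Object { $_ -match '^\s*\d' }   # uncommented IP lines only
    [pscustomobject]@{
        IEStartPage   = $ie.'Start Page'
        IESearchPage  = $ie.'Search Page'
        HostsMappings = @($hosts)
    }
}

# Collect everything into one report on the desktop so it survives a reboot
# into Safe Mode, where the post notes you cannot get online.
$report = Join-Path ([Environment]::GetFolderPath('Desktop')) 'triage.txt'
"== Autorun entries ==" | Out-File $report
Get-AutorunEntries | Format-Table -AutoSize | Out-String -Width 300 | Out-File $report -Append
"== System32 files changed in the last 2 days ==" | Out-File $report -Append
Get-RecentSystem32Files -Days 2 | Format-Table -AutoSize | Out-String -Width 300 | Out-File $report -Append
"== Browser / hosts indicators ==" | Out-File $report -Append
Get-HijackIndicators | Format-List | Out-String | Out-File $report -Append
Write-Host "Report written to $report"
```

Run it from an elevated prompt so the HKLM keys and System32 are readable. In the report, compare each autorun command's path with where that program is actually installed: an entry that launches from a temp directory or a user profile under a random name is the kind of thing worth researching by name before touching it, and a hosts line that maps an antivirus vendor's domain to 127.0.0.1 is a hijack on its own.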

dw817 - July 14, 2006 03:17 PM (GMT)
Hi Jed:

* This is a world of good information for window users, Thank You !

I am finding out that my WinXP received virii the moment it was installed. They were part of the brand new WinXP I installed.

There - is not much hope for those of you trying to get rid of ALL virii despite any tools you may be running, I'm serious. :)

The good news is ZoneAlarm is keeping them WELL at bay.
Get ZoneAlarm, a free Firewall here, since the actual author is now charging for it and making it difficult for others to get the free one now.

http://www.softpedia.com/progDownload/Zone...nload-4864.html

Click on the:

"Softpedia Secure Download (RO)"

link, as the "External Mirror 1" did not find it when I tried.

Briefly, if you configure ZoneAlarm saying that you are an experienced computer user, it will pop up windows for each and every little .EXE that wants to access the internet. Once you give it permission, it doesn't ask again. Naturally you want to give IEXPLORER access to the internet, but how about something called FREESTUFF.EXE or XXXLINK.EXE ? Deny these access and they can NEVER access your internet. Great stuff. :)

. . .

To see ALL your tasks running in WinXP, right click on the blue circle with the "<" in it in the bottom-right-hand corner of your screen (same level with the <Start> button). Then select "Task Manager." Click on the tab PROCESSES.

This is a comprehensive list of ALL tasks running in your WinXP, not just the names of the .EXEs running at the time but EVERYTHING.

Now that you are armed with every .EXE running, you want to know if they are virii ?

A good starting place is:

http://www.neuber.com/taskmanager/process/

Just do a word search to find your incriminating .EXE once you are in the website listed above and click on it for information. The advantage of this over regular virus-check sites is that they are almost always followed by user comments on what THEY believe the questioned .DLL/.EXE is about and how it affects your computer.

Hope This Helps !

David
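Task Manager and the process lookup site above work from the process name, and a name proves little: a malicious file can be dropped under the name of a legitimate Windows binary, as with the dcomcfg.exe Jed mentions. The script below is an added example written for this page (not the poster's code, not part of Task Manager or the neuber.com site) that inventories the running processes with their full path, Authenticode signature status and SHA-256 hash, so each file can be looked up by hash rather than by name. It assumes Windows PowerShell 4.0 or later for Get-FileHash; the list of "suspect" directories is an assumption; protected system processes whose path cannot be read are skipped.

```powershell
# Inventory of running processes: path, signer, hash. Added example; read-only.
# Assumes Windows PowerShell 4.0+ (Get-FileHash). Run from an elevated prompt so
# that the image paths of service processes are readable.

function Get-ProcessInventory {
    # One row per distinct image file; several processes may share one exe.
    Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $_.Path } |
        Sort-Object Path -Unique |
        ForEach-Object {
            $sig  = Get-AuthenticodeSignature -FilePath $_.Path
            $hash = (Get-FileHash -Path $_.Path -Algorithm SHA256).Hash
            [pscustomobject]@{
                Name      = $_.ProcessName
                Path      = $_.Path
                Company   = $_.Company          # from the file's version resource
                SigStatus = $sig.Status         # Valid / NotSigned / HashMismatch ...
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                SHA256    = $hash
            }
        }
}

# Rows worth looking up first: images without a valid signature, or images
# running from a location where no installed program should live. The list of
# directories is an assumption; extend it for your own machine.
function Get-SuspiciousProcesses {
    $suspectDirs = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA) | Where-Object { $_ }
    Get-ProcessInventory | Where-Object {
        $p = $_
        ($p.SigStatus -ne 'Valid') -or
        (@($suspectDirs | Where-Object { $p.Path -like "$_\*" }).Count -gt 0)
    }
}

Get-ProcessInventory | Format-Table Name, SigStatus, Company, Path -AutoSize
"`n--- Look these up by SHA-256, not by name ---"
Get-SuspiciousProcesses | Format-List Name, Path, SigStatus, Signer, SHA256
```

An unsigned image is not automatically malicious (plenty of small freeware never was signed, and in 2006 most wasn't), but a file claiming to be a Windows component that is not signed by Microsoft, or that lives outside the Windows directory, is exactly the case where the name lookup alone would mislead you. Searching for the hash instead finds reports about that specific file.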

F.I.A - August 31, 2006 04:51 PM (GMT)
Aside from tools above, I also recommend such programs if you are on virae hunting:

1. AVG Free Edition - It's no Norton Antivirus, but works like a charm in killing various deadly virae known. The good of it is it will even report if there is virus activity for one specific file (yes, when you just see that file icon floating on the monitor).
How to use: Everytime it senses a virae, it will prompt a menu. Simple.
Type: A prevention tool.

2. Hijackthis - It's the final resort in removing stubborn matters (why do I talk like a cleaning ad?), since some insidious ones can hide themselves from well-known virus and spam-checkers (yea, even Adaware and Spybot Search And Destroy can be fooled). However, just as its icon suggests (a dynamite), it takes skills to use it or you end up blowing up the whole Windows system.
How to use: When scanned, you will get a log of the file list. Show the list to a PC professional out there (no worries, no privacy leak), and they will tell you which to remove, and which not to.
Type: "Get personal" tool.


And while I am at it, I will talk about a strong virus I once stumbled upon. And if your symptoms sound a lot like mine, try my solution.

Name: Parite (Pirate with the a and i switched)
How it functions:
It lunges itself at the nearby executable (in short, the browser being the first target), and face-hugs the file.

What's so bad about it:
By re-executing the infected executable, it will spread out and infect other nearby executables. At the same time, it will generate multiple pseudo folders (for example, inside the "Scenario" folder there is another "Scenario" folder, when there shouldn't be one). Clicking on such pseudo folders leads to the same effects as the parent virus.

As the virus spreads, it soon intercepts the core (Windows system), and does its nastiest. It will proceed to duplicate all executables in the system two-fold or three-fold. What happens later when you restart the PC is that the system will be tasked with two or three times the amount of system files, making a Pentium I faster than an infected Pentium IV. Yes, that scary. And you cannot even delete those frauds, as the system will reboot if you try something funny.

Solution
AVG has a good eye for seeing which file has this virus and nails it totally. Unfortunately, there is no clean method if the core is already infected.

Also, there is no way to recover an infected file. Sad indeed.

If you are a wicked jester:
Give your friend a CD with an infected executable (say, a game installation) on it. But you must either have very blissful ignorance, or be a cold-hearted bytes murderer.

[F.I.A fans his cd from the last impact, which has one file infected on it.]
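The two symptoms F.I.A describes, a folder that contains a child folder of its own name and executables being modified as the infector spreads, can be looked for without opening any of the files. The script below is an added example written for this page; it is not the poster's code and not part of AVG or HijackThis. The root path and the 7-day window are assumptions, and it assumes Windows PowerShell 3.0 or later (Get-ChildItem -Directory/-File). It only lists; it cleans nothing.

```powershell
# Symptom scan for the behaviour described above: same-name nested folders and
# recently changed executables. Added example; read-only. Root and window are
# assumptions, change them for your machine. Assumes Windows PowerShell 3.0+.
param(
    [string]$Root = 'C:\',
    [int]$Days = 7
)

# Folders that contain a subfolder with their own name, e.g. ...\Scenario\Scenario
function Find-SelfNamedSubfolders([string]$Path) {
    Get-ChildItem -Path $Path -Directory -Recurse -ErrorAction SilentlyContinue |
        Where-Object { Test-Path (Join-Path $_.FullName $_.Name) -PathType Container } |
        Select-Object -ExpandProperty FullName
}

# Executables written in the last $SinceDays days. An infector that appends
# itself to a host file changes the file's size; if it also leaves the
# timestamp updated, the copy shows up here. One that restores the original
# timestamp will be missed, so treat this as a first pass, not a verdict.
function Find-RecentExecutables([string]$Path, [int]$SinceDays) {
    $cutoff = (Get-Date).AddDays(-$SinceDays)
    Get-ChildItem -Path $Path -Include *.exe, *.scr -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt $cutoff } |
        Sort-Object LastWriteTime -Descending |
        Select-Object LastWriteTime, Length, FullName
}

"== Folders containing a same-named subfolder under $Root =="
Find-SelfNamedSubfolders -Path $Root

"`n== Executables changed in the last $Days days under $Root =="
Find-RecentExecutables -Path $Root -SinceDays $Days | Format-Table -AutoSize
```

Running this over a whole drive takes a while and the second list will include legitimate updates, so compare sizes against a known-clean copy of the same program (an installation CD, or the same file on an uninfected machine) before concluding anything. Do not double-click anything it lists; the post's point is that launching the file is how it spreads.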

dw817 - September 1, 2006 03:39 PM (GMT)
Hi F.I.A.:

Good to see you again ! :D

Could you please post an exact URL to download Freeware AVP.

Thanks !

David

F.I.A - September 4, 2006 10:09 AM (GMT)
QUOTE (dw817 @ Sep 1 2006, 03:39 PM)
Hi F.I.A.:

Good to see you again ! :D

Could you please post an exact URL to download Freeware AVP.

Thanks !

David

I have hyperlinked both the programs I mentioned in that last post. Good luck in handling the virae in your PC!


moongoon - October 24, 2006 12:50 PM (GMT)
As mentioned, Ad-Aware + Spybot + Spywareblaster + AVG are the way to go. Never, ever use Internet Exploder. Mozilla Firefox is pretty mature and has plenty of cool extensions and themes. Free programs are great but many are actually trojan horses to shove spyware right up in there. Even if a download seems legit I test it out with Sandboxie before committing to it. Sandboxie lets me install the program without truly making changes to Windows. I can inspect the files it changes and see if it really does what it says..

http://www.sandboxie.com/

dw817 - October 25, 2006 03:42 PM (GMT)
Hi Worldbuilders:

* My thoughts on this thread, I have been using Kaspersky since I got my WinXP computer and it seems to work well. It will let me tell what I believe is a virus even if it isn't, and/or the internet doesn't recognize it as a virus.

It slows down XP quite a bit when you are first booting and when you are on the internet, but it really cracks down on virii before they arrive; especially from the internet.
