Detailed Information

Here are steps to help you remove a Virus, Trojan or Worm infection, from the Symantec web site:
http://securityresponse.symantec.com/avcenter/venc/data/download.trojan.html

1. Disabling System Restore (Windows Me/XP)

If you are running Windows Me or Windows XP, we recommend that you temporarily turn off System Restore. Windows Me/XP uses this feature, which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer. Windows prevents outside programs, including antivirus programs, from modifying System Restore. Therefore, antivirus programs or tools cannot remove threats in the System Restore folder. As a result, System Restore has the potential of restoring an infected file on your computer, even after you have cleaned the infected files from all the other locations.

Also, a virus scan may detect a threat in the System Restore folder even though you have removed the threat.

For instructions on how to turn off System Restore, read your Windows documentation, or one of the following articles:

2. Update your antivirus tool's virus definitions

3. Restart the computer in Safe mode or VGA mode

For Windows 95, 98, Me, 2000, or XP users, restart the computer in Safe mode. To use the F8 key to start Windows XP in Safe mode:

- Restart the computer.
- Some computers have a progress bar that refers to the word BIOS. Others may not let you know what is happening.
- As soon as the BIOS loads, begin tapping the F8 key on your keyboard. Do so until the Windows Advanced Options menu appears.
- If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. If this happens, restart the computer and try again.
- Using the arrow keys on the keyboard, select Safe mode and then press Enter.

For Windows NT 4 users, restart the computer in VGA mode.

4. Clean out prefetch files

You can clear prefetch files by going to the Start menu, clicking Run, typing prefetch, and then clicking OK. Prefetch files are there to help programs load/open quicker, but they will be recreated in prefetch when the programs are used again.

This folder may accumulate useless junk, especially if you change your configuration a lot. There's no harm in emptying it. Simply delete all the files in that folder; Windows will rebuild it as needed.
http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html

5. Delete Cookies and Temporary cache files in your browser

Open an Internet Explorer browser, go to Internet Options, click Delete Cookies and Delete Files (include all offline content), then also go to Start, click Run, type %temp% and clear that folder.

Empty your other temporary file folders, e.g. c:\temp, c:\windows\temp or C:\Documents and Settings\<name>\Local Settings\Temp (the path to your temp folder will change depending on your user name). Sometimes programs can be hidden in there, so watch out for mysterious *.exe files or *.dll files in those folders. Also go to c:\Documents and Settings\username\Local Settings\Temporary Internet Files\Content.IE5 and delete all the files in those directories and subdirectories.
http://www.mvps.org/winhelp2002/delcache.htm

6. Enable Hidden Files and Folders

To enable hidden files and folders:
Go to the taskbar, click Start > My Computer.
On the Tools menu, click Folder Options.
On the View tab, make sure that 'Show hidden files and folders' is selected, that 'Display the contents of system folders' is checked, and that 'Hide extensions for known file types' is not checked, then press Apply.

You can set this back later by opening the same page and pressing 'Restore Defaults', then pressing Apply.
HOW TO Enable Hidden Files:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339

7. Run Disk Cleanup

To start the Disk Cleanup tool, click Start, click Run, type cleanmgr.exe in the Open box, and then click OK.

8. Run a full antivirus system scan

- If any files are detected as infected, click Delete or Quarantine. If your antivirus program detects any infected files that it cannot delete, record the location of the file and the file name. Then do one of the following:
- If the file is in a location other than the Temporary Internet Files folder, restart the computer in Safe mode a second time. Then use Windows Explorer to browse to and delete that particular file. Once this is done, restart the computer in Normal mode.
- If the file is in the Temporary Internet Files folder, write down the entire path and file name.
- Restart the computer in Normal mode.
- Log onto the computer using the name that was shown in the path that you wrote down. For example, if the path was C:\Documents and Settings\Linda\Local Settings\Temporary Internet Files\qrwmqczd.dll, log on to the computer as Linda.
- Delete these files and then right-click on your TRASH CAN on your desktop and empty it!

9. With serious infections, do additional full deep scans with several antivirus and antispyware tools

Repeat scanning until a complete scan comes through clean.
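
The clean-up in steps 4 to 7 can be driven from a script. The following PowerShell is an added example, not code from the original page or from Symantec: it records any executables found in the temp and Prefetch folders (with their Authenticode signature status) before anything is deleted, empties those folders as a dry run, and applies the Explorer settings from step 6. It assumes PowerShell 5.1 or later run as administrator; the list of extensions, the report file name and the -WhatIf dry run are choices made for this example, while the registry value names in the last step are the real Explorer settings.

```powershell
# Added example, not from the original page: inventory, then empty, the temp and
# Prefetch folders from steps 4 and 5, and apply the Explorer settings from step 6.
# Assumes PowerShell 5.1+ on Windows, run as administrator.

# Folders the page tells you to clear.
$folders = @(
    $env:TEMP,
    (Join-Path $env:SystemRoot 'Temp'),
    (Join-Path $env:SystemRoot 'Prefetch')
)

# Executable types worth recording before deletion (this example's own list);
# "mysterious *.exe or *.dll files" in temp folders are what the page warns about.
$executableExtensions = @('.exe', '.dll', '.scr', '.com', '.pif', '.bat', '.cmd', '.vbs', '.js')

function Get-TempExecutable {
    param([string[]] $Paths)
    foreach ($path in $Paths) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $files = Get-ChildItem -LiteralPath $path -Recurse -Force -File -ErrorAction SilentlyContinue |
            Where-Object { $executableExtensions -contains $_.Extension.ToLower() }
        foreach ($file in $files) {
            # Get-AuthenticodeSignature is the built-in cmdlet. An unsigned binary in a
            # temp folder is a lead to research, not proof of infection.
            $sig = Get-AuthenticodeSignature -LiteralPath $file.FullName -ErrorAction SilentlyContinue
            $status = 'Unknown'
            $signer = ''
            if ($sig) {
                $status = $sig.Status.ToString()
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            }
            [pscustomobject]@{
                Path      = $file.FullName
                SizeKB    = [math]::Round($file.Length / 1KB, 1)
                Hidden    = (($file.Attributes -band [IO.FileAttributes]::Hidden) -ne 0)
                Modified  = $file.LastWriteTime
                Signature = $status
                Signer    = $signer
            }
        }
    }
}

# 1. Keep a record on the desktop, so the evidence survives the deletion.
$report = Join-Path ([Environment]::GetFolderPath('Desktop')) 'temp-folder-inventory.csv'
$found = @(Get-TempExecutable -Paths $folders)
$found | Export-Csv -LiteralPath $report -NoTypeInformation
$found | Format-Table Path, SizeKB, Hidden, Signature -AutoSize

# 2. Empty the folders. -WhatIf only shows what would go; remove it to delete for real.
#    Files that are in use are skipped rather than stopping the run.
foreach ($path in $folders) {
    if (Test-Path -LiteralPath $path) {
        Get-ChildItem -LiteralPath $path -Force -ErrorAction SilentlyContinue |
            Remove-Item -Recurse -Force -WhatIf -ErrorAction SilentlyContinue
    }
}

# 3. Step 6 for the current user: show hidden files, show protected OS files,
#    and stop hiding known extensions (these are the real Explorer value names).
$advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
Set-ItemProperty -Path $advanced -Name 'Hidden'          -Value 1 -Type DWord
Set-ItemProperty -Path $advanced -Name 'ShowSuperHidden' -Value 1 -Type DWord
Set-ItemProperty -Path $advanced -Name 'HideFileExt'     -Value 0 -Type DWord
```

Run it once with -WhatIf in place to review the inventory on the desktop, then a second time without -WhatIf. Explorer picks up the new view settings the next time a folder window is opened.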

10. Some other helpful information on removing difficult threats:

- Browser Helper Objects, or BHOs - a small program that runs automatically every time you start your Internet browser, helping you browse the Internet. Most BHOs are good, but the bad guys can get you to let BHOs be installed on your system, sometimes without your knowledge. There is no restriction on what a BHO can do to your system; it can do anything any other program can do: read or write (or delete) anything on your system. Bad BHOs can track which advertisements you see as you surf the Web; BHO "ad-ware" or "spyware" do things like monitor the websites you visit and report this data back to their creators. They can also routinely conflict with other running programs, cause a variety of page faults, run time errors, and the like, and generally impede browsing performance.
- BHODemon, a great little tool for viewing and, if required, disabling, the BHOs that may be installed on your machine: http://www.definitivesolutions.com.
- Merijn Bellekom has this tool, BHOList.exe. It downloads and displays the BHO Collection in a searchable and sortable list. See under #2, below.
- ActiveX: Javacool's SpywareBlaster has a huge database of malicious ActiveX objects that can be used for looking up their CLSIDs. (Right-click the list to use the Find function.)
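
The CLSID lookup described above starts from the registry, and a BHO list can be pulled from there directly. The following PowerShell is an added example, not code from the original page or from any of the tools it names: it lists the BHOs registered for Internet Explorer, resolves each CLSID to the DLL named in its InprocServer32 key and checks that DLL's Authenticode signature. The registry keys are the ones Internet Explorer reads; the output columns, and the choice to treat unregistered, missing or unsigned modules as the ones to research, are this example's own.

```powershell
# Added example, not from the original page: enumerate Internet Explorer's
# Browser Helper Objects from the registry, resolve each CLSID to its DLL and
# check the DLL's signature. Assumes PowerShell 5.1+ on Windows.

# Where IE looks for BHOs (64-bit Windows also keeps 32-bit registrations under Wow6432Node).
$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

# Where a CLSID's class registration (and its InprocServer32 module path) lives.
$clsidRoots = @(
    'HKLM:\SOFTWARE\Classes\CLSID',
    'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID',
    'HKCU:\SOFTWARE\Classes\CLSID'
)

function Resolve-Clsid {
    param([string] $Clsid)
    foreach ($root in $clsidRoots) {
        $classKey = Join-Path $root $Clsid
        $server = Get-ItemProperty -Path (Join-Path $classKey 'InprocServer32') -ErrorAction SilentlyContinue
        if ($null -eq $server) { continue }
        $class = Get-ItemProperty -Path $classKey -ErrorAction SilentlyContinue
        # The (default) value of InprocServer32 is the module path, often with %variables%.
        $path = [Environment]::ExpandEnvironmentVariables([string]$server.'(default)')
        return [pscustomobject]@{
            Name = [string]$class.'(default)'
            Path = $path.Trim('"')
        }
    }
    return $null
}

function Get-InstalledBho {
    foreach ($keyPath in $bhoKeys) {
        if (-not (Test-Path -Path $keyPath)) { continue }
        foreach ($entry in Get-ChildItem -Path $keyPath) {
            $clsid = $entry.PSChildName           # each subkey is named {GUID}
            $resolved = Resolve-Clsid -Clsid $clsid
            $name = '(unregistered CLSID)'
            $module = ''
            $status = 'NoModule'
            $signer = ''
            if ($resolved) {
                $name = $resolved.Name
                $module = $resolved.Path
                if ($module -and (Test-Path -LiteralPath $module)) {
                    $sig = Get-AuthenticodeSignature -LiteralPath $module
                    $status = $sig.Status.ToString()
                    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
                } else {
                    $status = 'FileMissing'
                }
            }
            [pscustomobject]@{
                CLSID     = $clsid
                Name      = $name
                Module    = $module
                Signature = $status
                Signer    = $signer
            }
        }
    }
}

# Entries with no class registration, a missing DLL or an unsigned DLL are the
# ones to look up by CLSID (the databases named in 11.B.4 below).
Get-InstalledBho | Sort-Object Signature | Format-Table CLSID, Name, Module, Signature -AutoSize
```

The CLSID column is exactly the string in braces that the lookup sites ask for. A row whose Signature reads Valid with a recognisable Signer is usually a legitimate add-in; NoModule, FileMissing or NotSigned rows are the ones to research before disabling them.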

11. Additional Detection and Removal Information and Tools:

A. SpywareWarrior is a great place to go for help, should you get infected with stubborn spyware that seemingly cannot be removed. The website has forums with spyware removal experts who are more than happy to work with you, free of charge, to help rid yourself of nasty and stubborn spyware without resorting to reinstalling your operating system - or throwing away your computer, for that matter. They also have great spyware-related information, including reporting on rogue anti-spyware that acts like anti-spyware software but is, in fact, spyware. Finally, they feature anti-spyware comparison tests and up-to-the-minute spyware news.
Go to SpywareWarrior

B. HIJACKTHIS - If you really want to check your system and remove pesky and difficult-to-remove malware, you need to know about and use HiJackThis, a primary tool to find and remove malware that hijacks your browser operations.

Running this utility will scan your system and show a list of all known applications, DLLs, browser setting changes and registry setting changes that have been loaded when you booted up. You can research the less clear items and choose to "FIX", or remove, them. You may save your list in a log file and post it to one of several free support forums for additional assistance from more knowledgeable techies. The official HiJackThis site for downloads and updates is always www.merijn.org. This is a very popular program, taking it to the hackers, so don't mistakenly obtain it elsewhere, as hackers try to get you to download a Trojan instead!
1. Download the newest HIJACKTHIS utility from http://www.merijn.org
2. Go here to learn how to use HIJACKTHIS and how to post your log results for help from others more knowledgeable: http://tomcoyote.com/hjt/
3. Use this HIJACKTHIS tutorial for insight on the log file details: http://www.spywareinfo.com/~merijn/htlogtutorial.html
4. For help identifying Browser Helper Objects (BHO) or Startup Programs identified by HIJACKTHIS, go to http://www.sysinfo.org. Here, there are 2 search fields to use to access the database of known items. (Tip: enter the CLSID string of numbers (found between the brackets in the log file created when you run the HIJACKTHIS utility) into the CLSID List - BHO Quick Search field. If found, a description is displayed as to what it is. For the Startup Info search field, enter the program name (xxxfile.exe).)
5. Don't be afraid to copy and paste your HiJackThis log file to this web-based HiJackThis log file analyzer. While it's not recommended that you rely exclusively on the log file analyzer, combined with your own technical knowledge it should help determine which items do not belong.
6. HiJackThis Log Interpretation - See How To Use HiJackThis:

C. AUTORUNS is free and helps you to see and disable startup programs.
Go to AUTORUNS.

This utility, which has the most comprehensive knowledge of auto-starting locations of any startup utility, shows you what programs are configured to run during system boot up or login, and shows you the entries in the order Windows processes them. These programs include ones in your Startup folder, Run, RunOnce, and other Registry keys. You can configure Autoruns to show other locations, including Explorer shell extensions, toolbars, browser helper objects, Winlogon notifications, auto-start services, and much more. Autoruns goes way beyond the MSConfig utility bundled with Windows Me and XP. Autoruns can remove stubborn items that HiJackThis failed to remove. In Autoruns, you can UNCHECK an item or DELETE an item. If you UNCHECK the item, it can be restored later; not so if you choose to DELETE the item. Autoruns' Hide Signed Microsoft Entries option helps you to zoom in on third-party auto-starting images that have been added to your system, and it has support for looking at the auto-starting images configured for other accounts on the system. Also included in the download package is a command-line equivalent that can output in CSV format, Autorunsc.
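
The CSV output from Autorunsc is easy to post-process, which is useful when you want to keep the full capture as evidence and still work from a short list. The following PowerShell is an added example, not code from the original page or from Sysinternals: it drops the signed Microsoft entries, as the Hide Signed Microsoft Entries option does in the GUI, and flags what is left by signature status and missing image files. The four rows are constructed for this example; the column names follow Autorunsc's CSV header as this example understands it, and the script only relies on the Entry Location, Entry, Signer and Image Path columns.

```powershell
# Added example, not from the original page or Sysinternals: filter Autorunsc's
# CSV output the way the GUI's "Hide Signed Microsoft Entries" option does, then
# flag what is left. Capture on the machine being cleaned (elevated prompt):
#     autorunsc.exe -a * -c -s -nobanner > autoruns.csv
# (-a * = all locations, -c = CSV output, -s = verify digital signatures).
# The rows below are constructed for this example.

$sampleCsv = @'
"Entry Location","Entry","Enabled","Category","Profile","Description","Signer","Company","Image Path","Version","Launch String"
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","ExampleTray","enabled","Logon","System-wide","Example tray helper","(Verified) Example Software Ltd","Example Software Ltd","c:\program files\example\tray.exe","1.0.0.0","C:\Program Files\Example\tray.exe /tray"
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","ExampleMsComponent","enabled","Logon","System-wide","Example Microsoft component","(Verified) Microsoft Windows","Microsoft Corporation","c:\windows\system32\examplems.exe","10.0.0.0","C:\Windows\System32\examplems.exe"
"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","svchost","enabled","Logon","LINDA-PC\Linda","","(Not verified)","","c:\windows\temp\svchost.exe","","C:\WINDOWS\Temp\svchost.exe"
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects","Example Search Assistant","enabled","Internet Explorer","System-wide","","","","File not found: C:\Program Files\Example\searchasst.dll","","{11111111-2222-3333-4444-555555555555}"
'@

function Get-AutorunsSuspect {
    param([string] $CsvText)
    foreach ($row in ($CsvText | ConvertFrom-Csv)) {
        # What "Hide Signed Microsoft Entries" removes: images whose signature
        # verified and whose signer is Microsoft.
        if ($row.Signer -like '(Verified) Microsoft*') { continue }
        $reasons = @()
        if ($row.Signer -notlike '(Verified)*')        { $reasons += 'signature not verified' }
        if ($row.'Image Path' -like 'File not found:*') { $reasons += 'image missing on disk' }
        [pscustomobject]@{
            Location = $row.'Entry Location'
            Entry    = $row.Entry
            Image    = $row.'Image Path'
            Signer   = $row.Signer
            Reasons  = ($reasons -join '; ')
        }
    }
}

# Against the constructed sample; for a real capture use: Get-Content .\autoruns.csv -Raw
Get-AutorunsSuspect -CsvText $sampleCsv | Format-Table Entry, Signer, Reasons -AutoSize
```

Rows with an empty Reasons column are third-party entries whose signature verified; they still appear so that you see everything Microsoft did not sign, which is the same view the GUI option gives. Keep the original CSV: once an entry has been unchecked or deleted in Autoruns, the capture is the only record of what was there.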

D. The Ultimate Troubleshooter (TUT) Utility - a great $29 tool that easily shows all STARTUP programs and SERVICES running in the background, describes what they are and recommends which ones should be disabled. Boost PC performance by removing unnecessary programs that get loaded into startup. Threats can be identified and "terminated" using this easy-to-use, extremely valuable tool!