Dealing with Cookies from people who know.
My virus removal experiences
Most of the links on this page go to PC virus removal sites I use successfully to remove infestations on my own computer and the dozens I maintain at work. The most difficult part of the virus removal process is finding sites that you can trust. I use free (as in freedom) sites because many commercial programs are used in testing laboratories by virus and spyware developers. Moreover, different scanners detect different threats. There is no best-of-breed scanner that finds everything.
It is useful to know about virus removal processes. In general your IT support will tell you:
- Don't waste time removing viruses. Back up user data, re-image the PC, and restore user data. Once a PC is infected it is very difficult to get rid of everything, for reasons described below.
- Consider a hardware upgrade. Windows XP should have 1GB of memory. Many workstations were sold with 256MB to save money. If viruses are slowing a computer, a memory upgrade may be in order.
This is good advice, and it is similar to your car dealer telling you the piece of junk you drive is not worth repairing and should be replaced. Maybe buying a new computer is worth it for you. Maybe paying a tech to reformat your drive is a good time to catch up on the latest in computing.
There is something to be said for being able to maintain your computer and learn what to avoid when surfing. You will make mistakes that take time to correct. The benefit is that you will learn what you are doing.
Adware and other Malicious Software
Storm Worm, Other Botnets, Kept 2007 Spam Levels High | Macs the next frontier in Malware
Ad-Aware 2007: it is still here, free and updated. PC World still recommends it too. Ad-Aware 2007 manual update procedure for PCs that are off the Internet. It is not recommended to connect an infected PC to a network; see the Storm Worm story.
Definitions update for updating a PC without a laptop. Note: unless the web update option is set to the program files/lavasoft/adware 2007 folder, the update won't take.
Spybot: not as good as it used to be. Spybot is included in case you need to update a PC without an Internet connection.
Process Explorer. The files at the bottom also link to other useful programs.
Some viruses cannot be cleaned from the System Restore files. Microsoft Knowledge Base (KB) article "Antivirus Tools Cannot Clean Virus in System Restore" is KB263455; how to disable System Restore is KB310405. PC Hell outlines disabling System Restore in multiple Microsoft Windows operating systems.
My experience has been that a lot of these programs defined the class of software. Name-brand products begin as trial software. Sometimes these programs eventually lose steam as developers move on to other products. The PC Mag reviews help to see if the program still has the mojo to be useful.
You can also use Control Panel > Add/Remove Programs to look for things you don't want and remove them. Comet Cursor, DNA, special offers, sat_screensaver and Gator are suspicious and unnecessary. My Toshiba laptop has a cool finger pad utility. The software was unrecognizable to me until I researched it under the Run registry key and found out its purpose.
Recently I found http://www.malwareradar.com/malware_today/ and don't know much about it. It has a ton of information on threats that seems updated for 2008. I got to it from googling Panda (software discussed and used on the HijackThis forums and found on the Secure Resolutions site). Secure Resolutions is powered by Panda. http://www.secureresolutions.com/AboutUs/Awards/tabid/75/Default.aspx seems to be recommended by CompTIA and it is HIPAA certified for healthcare providers.
Antivirus 2009 download: don't download this. It is scareware and is the virus, because it doesn't remove anything, and you can't remove it without using a program like UnHackMe.
Trusting Software and Websites
Most of what I've learned has come from recommendations from friends. As I've dug deeper I'm finding new material, and I'm beginning to think I should have some kind of validation process. Stories abound of rogueware sites that get you to buy their product, but it doesn't do anything.
Here is an example of a network security product that does little and may even put your system at risk. And it was highly recommended. This link is from 1999, but the procedure is still true today. Why your network is still vulnerable.
The lesson is not to give up but to learn more and find ways to confirm your work.
According to Wikipedia (another iffy site by academic standards), SATAN has been replaced by Nessus. Download: Windows, Linux ...
Microsoft TechNet Security Center is a link from the Microsoft Security Readiness Pack. It reminds me of Ethereal and Wireshark: Ethereal was the successful open source security product that went commercial, and the developers went to Wireshark to continue the open source tradition.
SATAN is written in Perl and runs from the server, like the IP locator, which can find IP addresses and plot them on a map with area code and freeways. Further tools can detect computer type, browser manufacturer and screen resolution. Much of this was from a kinder and simpler day. WHOIS can be used to find the admin, technical and billing contacts for a domain name.
SOFTWARE I'VE USED (FREE TO DOWNLOAD)
HijackThis - created by Merijn - I've used it effectively. It is a low-level tool that takes a lot of thought. When I was pushed to fix machines, I turned to this because I had no other option. In the long run I've learned to trust and use the software. It has been bought by Trend Micro and is still offered for free. Download HijackThis from Trend Micro.
Trend Micro's HouseCall: scroll down to "HouseCall", then click "Scan now, it is free". Assuming you can connect to the Internet, this free browser-based virus and malware detector is wonderful. I have to resist purchasing their software as it goes through the long, slow process of scanning everything.
VundoFix version 6.7.8 and counting. Looks only for Vundo, which other scanners miss. A waste of time when you don't have it, gold when you do.
McAfee AVERT Stinger
Hakin9 Magazine -- The magazine is $16, but it comes with versions registered by the magazine for free use. There are cool things like a process viewer that rates processes in terms of potential harm. There was a version of CureIt. In the end, the best software was Ad-Aware and manually removing software from the Run registry key.
CureIt: a good one from Hakin9 Magazine. CureIt review: it says the scanning engine is ICSA certified. ICSA is an independent lab associated with Verizon Business.
Explanation of PH.EXE also has an anonymous test to see if your PC is giving out personal information. Two things. One, many sites are dedicated to the removal of the virus and really don't explain what it does. Two, the anonymous scan looks promising, but I would like to find out the trustworthiness of the sites. Some, as I have mentioned, I've used or they come recommended by PC Mag. I remember a site that keeps trusted lists and is a security site recommended in a text I respect. It may be time to get that link.
Explanation of PH.exe from Spyware DB (database?). What is nice about this is that not only does it explain, but it also cross-references the names given by Trend Micro, Norton, McAfee, Kaspersky, among others. What is spooky is that this site gives details and how-tos on injecting the trojan into a victim's computer.
Some sites I have heard about that look good (so far)
The more name-brand software is listed above and reviewed by sources such as PC Magazine. In my travels I have found other useful software from sites I feel confident in. I can't always explain why I feel confident, but it seems to work for me (so far). I list them here to stay organized and keep them in mind.
Case in point is Security Task Manager. I found it researching nutils.dll, a Trojan.NtRootKit.103 according to CureIt (which I trust, being distributed in Hakin9 magazine). The page that I found at file.net recommended it and claimed PC World and the Washington Post recommended it among their top 10 downloads. Recently, I've noticed fssm32.exe taking over 80% of the CPU time on a computer. It turned out that the file is part of F-Secure, which I was running at the time. One cool feature of Security Task Manager is that it shows the location of the file of the offending process. This is useful for telling if the file is a problem or properly installed.
Online malware scanner for suspect files. Claims to be one of the good guys; the server seems busy. Will have to try it in the morning, when most hackers sleep.
Notes: On Search for Malware
Use netstat -b to hunt for malware. More on netstat and malware.
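The tip above is to read `netstat -b` output and ask, for every connection, which program owns it. Doing that by eye across dozens of lines is where the "alarming and a little paranoid" feeling comes from, so here is an added example (not from the original page) of a small Python triage script: it parses the layout `netstat -b` prints on Windows (a connection line followed by the owning executable in square brackets), groups connections by process, and reports the ones worth a second look: processes not on a short allowlist, and anything listening for inbound connections. The sample output, the IP addresses, the process names and the allowlist are all constructed for the example.

```python
"""Triage helper for `netstat -b` output (added example, not from the page).

netstat -b prints each connection on one line and the owning executable on
the following line in square brackets (svchost.exe entries may have service
names in between). This parser handles that layout, then groups connections
by process so a defender can check the unexpected ones first.
"""
import re
from collections import defaultdict

# Constructed sample of `netstat -bn` output; addresses and process names
# are made up for this example.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.5:1034       203.0.113.10:80        ESTABLISHED
 [firefox.exe]
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  RpcSs
 [svchost.exe]
  TCP    192.168.1.5:1051       198.51.100.7:6667      ESTABLISHED
 [qttask.exe]
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING
 [sat_screensaver.exe]
  UDP    0.0.0.0:1900           *:*
 [svchost.exe]
"""

CONN_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s*$"
)
PROC_RE = re.compile(r"^\s*\[(?P<proc>[^\]]+)\]\s*$")

# Processes this example treats as expected. A real allowlist is whatever you
# know is installed on the machine you are looking at (assumption for the demo).
KNOWN_GOOD = {"firefox.exe", "svchost.exe"}


def parse_netstat_b(text):
    """Return a list of dicts with proto, local, remote, state and proc."""
    conns = []
    pending = []  # connection lines waiting for their [process] line
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            d = m.groupdict()
            d["state"] = d["state"] or ""  # UDP lines carry no state
            pending.append(d)
            continue
        m = PROC_RE.match(line)
        if m:
            for d in pending:
                d["proc"] = m.group("proc")
                conns.append(d)
            pending = []
    return conns


def triage(conns, known_good=KNOWN_GOOD):
    """Group connections by process and flag the ones a defender checks first."""
    by_proc = defaultdict(list)
    for c in conns:
        by_proc[c["proc"]].append(c)
    findings = []
    for proc, cs in sorted(by_proc.items()):
        reasons = []
        if proc.lower() not in known_good:
            reasons.append("not on allowlist")
        listening = [c["local"] for c in cs if c["state"] == "LISTENING"]
        if listening:
            reasons.append("listening on " + ", ".join(listening))
        remotes = sorted({c["remote"] for c in cs if c["state"] == "ESTABLISHED"})
        if reasons:
            findings.append({"proc": proc, "reasons": reasons, "remotes": remotes})
    return findings


if __name__ == "__main__":
    for f in triage(parse_netstat_b(SAMPLE_NETSTAT)):
        print(f"{f['proc']}: {'; '.join(f['reasons'])}; remotes={f['remotes']}")
```

On a real machine, pipe `netstat -bn > netstat.txt` (run from an administrator prompt, since -b needs it) and pass the file contents to `parse_netstat_b`. The listening check deliberately fires even for allowlisted processes such as svchost.exe: knowing which ports your machine accepts connections on is the point of the exercise, and the allowlist only decides which findings you can dismiss quickly.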
Malware searching can be very unsatisfying, kind of alarming and a little paranoid. This is meant to give you an idea, not because I think you need it, and most of this will be false alarms. [Here are some links about an unidentified file that was being loaded. I took it out after reading the following links.] Comodo, creating trust online: I installed SSL and SFTP on this machine a long time ago. I noticed esigiltray in my Run registry key. Googling it found sites that listed it as suspicious. This one suggested it is okay. McAfee SiteAdvisor link to esigiltray.
The point here is that it can be sort of unsatisfying. Do I really need this? Is it a trick? There is no way to know but to experiment.
epmap (http://www.outpostfirewall.com/forum/archive/index.php/t-1771.html) is part of Symantec's Endpoint Firewall. Some services that use endpoint mapping are the DHCP server, DNS server, and WINS server.
masqform file.net result. This is probably a result of the grant I would like to apply for. But is it required to start up every time I boot, or just when I fill in the grant application? If I have to I can always reinstall. The pack rat in me says keep it. The truth is these programs I installed are leaving nonessential files on my computer that are slowing it down. Even if this is unintentional, it is malware in the sense that it is denying me the service of my machine.
Doing Google research I sometimes come upon Microsoft Knowledge Base articles and PC Hell articles. Between the two I go to PC Hell, as it is more comprehensive and straightforward. I like to read the Knowledge Base articles from Microsoft, but often I find them ambiguous, downright confusing, or a little too nuanced.
What is the point of iTunesHelper running? I'm taking it out. It will free up my computer's memory and make it faster. I haven't noticed anything missing. So this unused application was taking up memory, denying it to the stuff I use daily. Not necessarily a virus, but with friends like that, who needs a virus?
Roxio EngUtil: not required for Roxio.
Notes on removing QuickTime from startup: QTTask is in my Run key. This explains that qttask is an updater for a program I rarely use. I also had to turn off auto update in iTunes as well.
Once you start this it is fun finding more stuff to remove. I went from 50 processes down to 43 processes. My free memory went from 300MB to 558MB. My computer snaps.
This is an example of tinkering as explained in "435 Tinkering".
Dr.Web found pv.exe from c:\xampp\apache\bin as Program.PrcView.3725. I'm not removing it as I trust XAMPP. It would be nice to get a dialog going between Dr.Web and the XAMPP makers, friends of Apache.
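The Run-key cleanups above (the Toshiba finger pad utility, esigiltray, iTunesHelper, QTTask) all follow the same routine: read the Run key, work out which file each entry actually starts, and decide from its location and purpose whether it belongs. As an added example that is not part of the original page, the Python script below automates the first two steps. It parses the text that `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` prints, pulls the executable out of each value (handling quoted paths, unquoted paths with spaces, and rundll32 entries, where the interesting file is the DLL, not rundll32.exe), and classifies the location the way Security Task Manager's file-location column lets you do by hand. The sample registry output, value names and paths are constructed for the example; the directory lists are assumptions you would adjust for your own machine.

```python
r"""Audit Run-key entries from `reg query` output (added example, not from the page).

Location is a hint, not proof: nutils.dll sat in system32 and was still
malware, so rundll32 entries are always marked for review regardless of
where the DLL lives.
"""
import re

# Constructed sample of `reg query` output for the HKCU Run key. Value names
# echo the page's examples, but the paths themselves are made up.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    QuickTime Task    REG_SZ    "C:\Program Files\QuickTime\qttask.exe" -atboottime
    iTunesHelper    REG_SZ    "C:\Program Files\iTunes\iTunesHelper.exe"
    sat_screensaver    REG_SZ    C:\Documents and Settings\Owner\Local Settings\Temp\sat_screensaver.exe /s
    nutils    REG_SZ    rundll32.exe C:\WINDOWS\system32\nutils.dll,Start
"""

# reg query prints: <indent><value name><2+ spaces><REG_type><2+ spaces><data>
ENTRY_RE = re.compile(r"^\s+(?P<name>.+?)\s{2,}(?P<type>REG_\w+)\s{2,}(?P<data>.*)$")
QUOTED_RE = re.compile(r'^\s*"([^"]+)"')          # "C:\path with spaces\x.exe" args
EXE_RE = re.compile(r"^\s*(.*?\.exe)", re.IGNORECASE)  # unquoted path, first .exe wins
DLL_RE = re.compile(r'([^\s",]+\.dll)', re.IGNORECASE)

# Assumed directory conventions for a Windows XP-era machine: adjust to taste.
INSTALLED_PREFIXES = ("c:\\program files", "c:\\windows\\")
UNUSUAL_MARKERS = ("\\temp\\", "\\documents and settings\\", "\\appdata\\", "\\users\\")


def parse_reg_query(text):
    """Return (name, type, data) tuples for each value line in reg query output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("name"), m.group("type"), m.group("data")))
    return entries


def extract_target(data):
    """Return (path, via_rundll32): the file that actually gets loaded at logon."""
    m = QUOTED_RE.match(data) or EXE_RE.match(data)
    if not m:
        return data.strip(), False
    exe = m.group(1)
    if exe.rsplit("\\", 1)[-1].lower() == "rundll32.exe":
        d = DLL_RE.search(data[m.end():])  # the DLL argument is what matters
        if d:
            return d.group(1), True
    return exe, False


def classify_location(path):
    """Rough location hint based on where the file sits on disk."""
    low = path.lower()
    if any(marker in low for marker in UNUSUAL_MARKERS):
        return "unusual location"
    if low.startswith(INSTALLED_PREFIXES):
        return "installed location"
    return "unknown location"


def audit_run_key(text):
    """Parse reg query output and return one finding per Run entry."""
    findings = []
    for name, _type, data in parse_reg_query(text):
        target, via_rundll32 = extract_target(data)
        location = classify_location(target)
        findings.append({
            "name": name,
            "target": target,
            "location": location,
            "review": via_rundll32 or location != "installed location",
        })
    return findings


if __name__ == "__main__":
    for f in audit_run_key(SAMPLE_REG_QUERY):
        flag = "REVIEW" if f["review"] else "ok"
        print(f"{flag:6} {f['name']:16} {f['location']:19} {f['target']}")
```

Run `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run > run.txt` (and the same for HKLM) and feed the file to `audit_run_key`. An "ok" verdict only means the file lives where installed software normally lives; the next step is still the page's own routine of looking the file name up and deciding whether you need it, as with the QTTask and iTunesHelper entries.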
| Scanner | Detects crypt_tap? |
| Dr. Web 4.44.4 | no |
| Vundofix 7.0.1 | no |
| Ad-Aware (current database update) | no |
| Trend Micro | yes |
Nice catalog of antivirus software. It recommends a few of the programs I've listed here and others I haven't tried but would like to.
Registry Fixes
Benefits of a Clean Registry | Does it help?
Advertised to fix 20 problems free, in the hopes you'll buy it.
Proxy Server
Being Used as Malware Honeypots
See also blocking myspace
I think registry fixes are best when you apply them yourself for a specific purpose, like:
Task Manager Disabled or Disable from Microsoft KB
I have to admit, though, that the thought of defragging the registry sounds like it has a potential use.
Open Source
Security flaws in open source software, albeit fewer than in commercial software
Information Assurance
Microsoft Documentation regarding Windows using Sysinternals software. Computer Investigations
Virus Links I'm using
These two links from computing.net and pchell.com are sites I've come to trust. I share a PC with my sons and, despite their denials, there is software loaded on my PC I'd never install myself. An advantage to this is that it keeps me learning, and they are learning too, even if they won't admit it.
XP Shuts down
I just write information here to keep my learning focused and to organize the information to share with the students. I can't really help you with an individual virus, as work and teaching take up so much of my time.
Remove Comet Cursor
Ramblings
Can you say Terminator? Okay, too much A&E on cable for me. But in the context of this page, you have to wonder if these guys are insane to develop this kind of technology. I'm sure there are black hats considering new possibilities for zombie spam and even new kinds of horrors. Oh well... full-time employment for computer specialists! ...eh
Moodle Hacked at Oregon State
2nd thought: adware
Win32.Trojan.Agent: a definition of what it does.
Sqwire definition
CastleCops seems to have a definition of Muldrop. Interesting that it reports things like the site being under a denial of service attack, and notes the search engine you have linked from. Worth more consideration.
Hints on researching malware and trojans: use the actual file name. The names reported usually go to the virus scan site that reported the virus and removed it. The .exe or .dll file names give you more general sites that deal with the actual malware. Even here, though, you often wind up in HijackThis logs.
What is phishing? Keeping your identity safe, from Microsoft
WHERE DO VIRUSES COME FROM; HOW WAS I INFECTED?
Inevitably I get a work order about removing a virus and the user says (like my sons) "I didn't download anything." Yet I find web search redirects and trojan downloaders. I explain how sites on song lyrics, Bon Jovi, or Mother Teresa are injected with malware infectors by bad people exploiting vulnerabilities in the benign websites' hosting providers. This is not the fault of the website or of you, the user. Malware people are taking advantage of this benign activity (surfing) and infecting you. That is the answer.
It can also be assistants at work who use your computer, or family and friends who share your computer. That is how it works.
Learning from disaster
Unless it is your specialty, most people don't want to learn everything. But when it relates to you, then you want to know. That disaster can be a bridge into becoming technically skilled. The disaster opens the learner to new concepts. If you are following me so far, then check out commands and files as they relate to virus removal.
Links
*http://www.bluecoat.com/markets/education
*Printer vulnerability discovered by security engineer; see also cs435urls
*Microsoft joins MIT Kerberos security consortium
*Blu-ray security toughness: proof consumer electronics are becoming security conscious?
- Jupiter Media ebooks through internet.com registration; see ebooks
- /f/3852_sec_botnets.pdf
- /f/it in2018 v4.pdf