Actually killing a virus- my secrets revealed

This topic is archived.
Home » Discuss » DU Groups » Computers & Internet » Computer Help and Support Group Donate to DU
 
Prisoner_Number_Six (Donating Member, 1000+ posts), Thu Feb-14-08 03:33 PM
Original message
Actually killing a virus- my secrets revealed

The ability to root out a stubborn virus is what basically keeps me in business- the computer virus will have the ability to defend itself and hide itself and even replicate itself in the face of an attack by me. The deleting and curing process is not as simple as installing a good antivirus program, especially after the fact (by that time it's too late!). Over the past four and a half years I've put together a small but sturdy package of software to use to kill the nasties after they've taken over a machine.

And it's not simply software- the computer virus is smart and getting smarter. It hides in unseen and unexpected places and many know how to reinfect a freshly "cleaned" machine. They fight back, and many go by a scorched earth policy- if the virus knows it's going to be killed it can do anything from screwing up your winsock (thus taking your computer offline) to corrupting the entire OS and making the machine unbootable.

Here's how to genuinely defeat a virus.

HIDING PLACES

It is essential to become comfortable rummaging around the file system- I know far too many people who have no idea what a hidden file is nor how and where to find it. And that's what the virus depends on- if you don't know that each Windoze user profile has its own temp folder and IE file cache, and if you don't know how to unhide them, browse to them, and safely delete the files from them then it's high time you learned.

UNHIDING FILES

Click Start. Open My Computer. Select the Tools menu and click Folder Options. Select the View Tab. Under the Hidden files and folders heading select Show hidden files and folders. Uncheck the Hide protected operating system files (recommended) option. Click Yes to confirm. Click OK.

This will unhide all hidden files and folders. After you get your files back, though, I suggest you rehide the hidden files and folders in case you or another user of the computer deletes something accidentally.

DRIVE "C"

That's your hard drive. That's your unremovable storage media. That's where Windoze lives. That's where your files are.

Your hard drive is little more than a simply organized file cabinet. You pull open the top cabinet and there in all its glory is Drive C. But what do you see inside it? Loose papers (files). Manila folders (directories). Gaze inside those folders and you will see MORE files and perhaps some more folders (SUBdirectories). Look down to the next cabinet and you may see it labeled as Drive D. Or Drive E, or F, or...

This is where your average IuseWindozeMEbecauseIonlyusemycomputerforemail power user gets that glazed look in their eyes. Y'know- the "Oh, I thought that was called memory" bunch. Sorry.

This is where the file browser comes in handy- it's used to look at your hard drive and to tidy it up. Except I take issue with the usefulness of Windoze Explorer- it's mediocre at best and useless at worst. (My personal top complaint is when you try to copy or move multiple files and directories- when (not "if") it gets to the point it can't delete a file or can't copy a file or can't complete an operation the process simply quits. No information. No marker to tell you where to go to restart things. It wusses out completely.) Thus, in keeping with my credo of "Older is not necessarily inferior" I make use of a different browser- I use the old 32 bit Winfile.exe as provided with WinNT 4.0 Workstation. It contains almost all the NTFS security controls, allows you to open multiple windows for drag and drop, has long file name capability (unlike the old Win3x 16bit version) and it ALLOWS YOU TO IGNORE ERRORS AND CONTINUE WITH THE NEXT FILE. Unfortunately Vista has finally broken this basic but workable tool. Their loss.

WHERE TO FIND THE VIRUS

I'll start by simply giving you a list of the most likely places to look. NOTE: Have caution. If you proceed using this guide learn your way around first. Don't lightly make changes or delete files if you're uncertain. Study the situation. Learn what the magic box is all about and learn how to use it properly. AND STEP ONE IS ALWAYS ALWAYS ALWAYS DO A COMPLETE BACKUP TO AN EXTERNAL MEDIUM BEFORE YOU BEGIN.

Hideouts:


C:\Documents and Settings\Your Profile\Local Settings\Temp

C:\Documents and Settings\Your Profile\Local Settings\Temporary Internet Files\Content.IE5

(NOTE: Win Explorer will NOT reveal the hidden IE cache files if you browse to this second location. YOU MUST use Winfile.exe or find another browser that will unhide these files. This is important, as this is one of the prime locations a spyware program or virus file will set up shop. And Windoze is notorious for its failure to delete files from these cache directories even if you take the proper steps to do so the "legitimate" way.)

C:\Windows\Temp

C:\Windows\system32

(NOTE: This subdirectory is the prime storage directory for all system DLL files. Many virii plant their files here, which makes it difficult- how to tell a virus file from a legit file? The first thing to do is conduct a directed virus scan at this directory. There are further steps that may be taken here but I don't want to get myself and you into trouble when you accidentally delete a needed file.)

C:\Windows\Prefetch

The .PIF file

There's a part of Windoze programming that has seemingly been relegated to history- Win 3.x made extensive use of a device called the Program Information File. This file provided information on executable program files. There was even a .pif editor.

The file has made somewhat of a comeback- the .pif file now resides in the Prefetch subdirectory (in XP. Neither the directory nor the .pif file exists as such in Win9x, ME, or Win2000). It's simply a "pointer" to autoload a file upon bootup, and thus is an obvious method for a virus to load or recreate itself upon bootup. It's vital to go through this subdirectory and kill off any file you don't recognize- anything pointing to a .tmp file, for example. And don't worry about deleting a vital system file- any program making use of a .pif file will automatically recreate it as needed without harming the system.

If you've succeeded in killing the other virus pointers then by killing these files you may be taking one of the final steps toward restoring your system.

NOTE: The Prefetch folder will NOT show up in Winfile. This one MUST be browsed by using Windows Explorer or My Computer.

SYSTEM RESTORE

Even if you do manage to put the zap on your bug it can come back later on- if a system restore point has been created lately it can contain the virus. If you find the need to take a step back, that hidden virus can be there again when you're done.

The system restore points, information, and backed-up software reside in an inaccessible directory called System Volume Information (using NTFS, at any rate). You will be unable to directly do anything within this directory. System Restore is the only mechanism that may be used to affect it.

I recommend that as a final step in cleaning your system you wipe out your restore points by deactivating System Restore on all drives, then reactivating it after you've proven to your satisfaction the virus is gone and your computer is working normally. After all, some sacrifices have to be made for the health of your magic box!

VIRUS/SPYWARE CLEANING SOFTWARE

As should be becoming clear by now, killing a virus is NOT a simple one-program magical trick, and that means you cannot rely on your freshly installed copy of Norton to do it all. I've developed a "magic bullet" package I keep with me at all times (on a flash drive dangling from my neck).

The antivirus scanner

It's important to have a GOOD scanner on hand- I rely on a command line version of McAfee Antivirus. The importance of using this particular software is due to multiple pluses- I can update it via my host computer daily, then burn it to a CD for use on any computer. It will even work on a Win98 machine (with the correct .dll file added, which I have). There is a further advantage to using it from a cd- no virus can attack it and delete it. A good one MAY be able to kill the process, but that's all that can happen, and I haven't seen it yet.

http://www.mcafee.com/us/enterprise/products/anti_virus/file_servers_desktops/virusscan_command_line_scanner_windows_unix.html

The antispyware scanner

There are several reasons I use Spybot Search & Destroy- it's freeware. The updates are downloadable. It (along with all other software I list here) can be both installed and used in Safe Mode. They update the database on a constant basis- the number of programs it watches for has quadrupled over the past three years or so.

http://www.safer-networking.org/en/index.html

HijackThis

This is a specialized registry tool- it scans registry entries related to internet browsing. You can use this tool to kill off unwanted IE tool bars, among other things.

http://www.spywareinfo.com/~merijn/programs.php

NOTE: There are several good diagnostics and cleanup tools on the Merijn web site.

SmitfraudFix.exe

This is a tool best used in Safe Mode- several antivirus scanners detect it as an unwanted program and will not allow its use. Safe Mode bypasses this. (It's also a good one to have on a read-only cd, so it can't be deleted. NOTE: On first use it creates a folder with all program files within it. Copy this folder to your utility cd and run it by using the SmitfraudFix.cmd file. The .exe file itself may be discarded after the directory is created.)

http://siri.geekstogo.com/SmitfraudFix.php

LSP-Fix

Some computer virii will fight their own destruction by using the scorched earth tactic. A common target is the Windoze winsock, which is the heart of internet connectivity. Screw up the registry entries and you're offline. This utility resets the winsock. It works in Win9x through all the XP flavors. I have no idea if it works in Vista- I somehow doubt it. On all other windoze systems run it, reboot it, then browse it. It's usually straightforward, and this is the first tool to use if you suddenly lose your internet while trying to do a cleanup.

http://www.cexx.org/lspfix.htm

REGISTRY CLEANUP

I use, and recommend, one program for this part of the process- PC Tools Registry Mechanic. Simple to install and use (it can be installed and used from within Safe Mode) this one scans the computer registry using clearly defined steps. I don't know what it says nor about what, but you can run this utility on a shiny new Windoze install and find dozens of registry errors.

http://www.pctools.com/registry-mechanic/

POSTSCRIPT
The complete cleanup technique I generally use is this (I have a computer specifically set up for cleanup operations)- I pull the hard drive and put it into a computer outside the system. This allows me to attack the drive completely outside of Windoze (running normal Windoze can be a drawback- it tends to put active malware programs into memory and will not allow you to kill the processes. Safe Mode is better than nothing, but some virii will still load and you'll still have a fight on your hands.) The alternative to these two options is a separate bootup utility cd- I keep a boot cd of Winternals ERD Commander in my toolkit for field work. This bootable environment cd allows full access to all files (even files in password-protected private profiles), and one can even access parts of the Windoze registry if needed.

NOTE: ERD Commander has been acquired by Microsoft, no doubt with the view toward killing off a superior techie tool. Alas, but you can google it and still find places to download it from.

Once the .tmp and other files are cleaned up, a complete virus scan can be performed on the drive. It doesn't hurt to also do a disk check and a defrag while the drive is outside the system.

Then the drive goes back into the computer, it's booted into Safe Mode, and a second scan is performed, along with Spybot, SmitfraudFix, and Registry Mechanic. Don't forget that this is also the point you will want to consider deactivating System Restore, at least temporarily.

AND THE FIRST SHALL BE LAST

I have only three words to tell you before you begin the above process- BACKUP. BACKUP. BACKUP.

Do this first. Do this often. Do this to a media outside your own computer- a cd, a dvd, a backup hard drive, or even a flash drive. This is one of the main reasons I pull the drive and put it into my workhorse machine- the very first step I take is to do a complete backup image of the target hard drive. This allows me to do anything I think is necessary to fix your machine, and if I mess up I can always restore the image to the drive and just start over!

I use Acronis True Image Workstation for this, and it's never let me down yet.

http://www.acronis.com/enterprise/products/choose-trueimage/

----

NOTE: Any geeks or fellow pros may add their 2 cents to the screed. Perhaps it will end up as a usable guide for all our fellow DUers.



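A concrete way to sweep the hideouts listed in the post, as an added example and not the poster's own toolkit: the script below walks the two profile folders and the two system folders named above, reports every executable-type file it finds (hidden/system attribute, size, modification time, newest first), and parses the Prefetch folder. XP's Prefetch holds *.pf trace files named EXECUTABLE.EXT-XXXXXXXX.pf, so an entry such as ABC.TMP-0ABCDEF1.pf means a .tmp file was executed, which is the check the post describes. The profile root and Windows root are assumed to be passed in (run it against a drive pulled into a clean machine, e.g. E:\Documents and Settings\<user> and E:\Windows); demo() builds a constructed tree in a temp directory so the script runs offline.

```python
"""Hideout triage for an XP-era profile and %SystemRoot%: walk the temp/cache
folders the post lists, report executable-type files with hidden/system
attribute, size and mtime, and parse Prefetch file names for executables that
ran from temp-style names.  Added example, not the poster's own tooling; the
tree built by demo() is constructed."""
import os
import re
import tempfile
from pathlib import Path

# Relative to C:\Documents and Settings\<profile> and to C:\Windows respectively.
PROFILE_HIDEOUTS = [
    Path("Local Settings") / "Temp",
    Path("Local Settings") / "Temporary Internet Files" / "Content.IE5",
]
SYSTEM_HIDEOUTS = [Path("Temp"), Path("system32")]
# Extensions Windows will run or load; .tmp included because droppers stage there.
EXEC_EXTS = {".exe", ".dll", ".scr", ".pif", ".com", ".cmd", ".bat", ".vbs", ".tmp"}
FILE_ATTRIBUTE_HIDDEN = 0x2
FILE_ATTRIBUTE_SYSTEM = 0x4
# XP Prefetch trace files are named EXECUTABLE.EXT-XXXXXXXX.pf
PF_NAME = re.compile(r"^(?P<exe>.+)-(?P<hash>[0-9A-F]{8})\.pf$", re.IGNORECASE)


def is_hidden(path: Path) -> bool:
    """True when the NTFS hidden or system attribute is set; always False off Windows."""
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    return bool(attrs & (FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM))


def scan_hideout(root: Path) -> list[dict]:
    """Recursively list executable-type files under one hideout (missing dir -> empty list)."""
    findings = []
    if not root.is_dir():
        return findings
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() in EXEC_EXTS:
                st = p.stat()
                findings.append({"path": str(p), "hidden": is_hidden(p),
                                 "size": st.st_size, "mtime": st.st_mtime})
    return findings


def parse_prefetch(prefetch_dir: Path) -> list[dict]:
    """Parse *.pf names; flag traces whose source executable is not a .exe (e.g. a .tmp)."""
    entries = []
    if not prefetch_dir.is_dir():
        return entries
    for p in sorted(prefetch_dir.iterdir()):
        m = PF_NAME.match(p.name)
        if not m:
            continue  # Layout.ini and anything else that is not a trace file
        exe = m.group("exe")
        entries.append({"pf": p.name, "exe": exe, "hash": m.group("hash").upper(),
                        "suspicious": not exe.lower().endswith(".exe")})
    return entries


def triage(profile_root: Path, system_root: Path) -> dict:
    """Run every check; newest files first so fresh droppers surface at the top."""
    found = []
    for rel in PROFILE_HIDEOUTS:
        found += scan_hideout(profile_root / rel)
    for rel in SYSTEM_HIDEOUTS:
        found += scan_hideout(system_root / rel)
    found.sort(key=lambda f: f["mtime"], reverse=True)
    return {"hideouts": found, "prefetch": parse_prefetch(system_root / "Prefetch")}


def demo() -> dict:
    """Build a constructed profile/Windows tree in a temp dir and triage it."""
    base = Path(tempfile.mkdtemp())
    profile, system = base / "Documents and Settings" / "User", base / "Windows"
    files = {  # constructed sample files, not real malware or system binaries
        profile / "Local Settings" / "Temp" / "abc.tmp": b"MZ dropped",
        profile / "Local Settings" / "Temp" / "notes.txt": b"not executable",
        system / "system32" / "kernel32.dll": b"MZ legit-looking",
        system / "Prefetch" / "NOTEPAD.EXE-12345678.pf": b"pf",
        system / "Prefetch" / "ABC.TMP-0ABCDEF1.pf": b"pf",
        system / "Prefetch" / "Layout.ini": b"",
    }
    for p, data in files.items():
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return triage(profile, system)


if __name__ == "__main__":
    r = demo()
    for f in r["hideouts"]:
        print(f"{'H' if f['hidden'] else '-'} {f['size']:>8} {f['path']}")
    for e in r["prefetch"]:
        print(("SUSPECT " if e["suspicious"] else "        ") + e["pf"])
```

The hidden/system bit comes from st_file_attributes, which Python only fills in on Windows, so run the sweep from a Windows box with the suspect drive attached; on a Linux rescue system every file reports as not hidden. A flagged Prefetch entry is evidence that something ran, not the thing itself, so look for the matching file in the hideout list before deleting anything.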
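For the system32 question raised in the post (how to tell a virus file from a legit one), the usual answer is a known-good baseline: hash the directory on a clean install of the same version and service pack, or on the backup image taken before cleanup starts, store the manifest, and diff the suspect drive against it offline. Anything added, removed or changed is the short list to scan and research. This is an added example, not from the post; the demo file names (kernel32.dll, dropped.dll, old.dll, a drivers\etc\hosts edit) are constructed stand-ins, not real samples.

```python
"""Known-good baseline diff for a system directory such as C:\\Windows\\system32:
hash every file on a clean copy, save the manifest, then diff a suspect copy
against it.  Added example; the trees and file names built by demo() are
constructed."""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file so large DLLs do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file's path relative to root (forward slashes, lower-case) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            rel = p.relative_to(root).as_posix().lower()  # NTFS names are case-insensitive
            manifest[rel] = sha256_file(p)
    return manifest


def save_manifest(manifest: dict[str, str], path: Path) -> None:
    """Write the baseline as sorted JSON so it can be kept on the read-only utility CD."""
    path.write_text(json.dumps(manifest, indent=1, sort_keys=True))


def load_manifest(path: Path) -> dict[str, str]:
    return json.loads(path.read_text())


def diff_manifests(baseline: dict[str, str], current: dict[str, str]) -> dict:
    """Files present only on the suspect copy, missing from it, or with a different hash."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(k for k in baseline.keys() & current.keys()
                          if baseline[k] != current[k]),
    }


def demo() -> dict:
    """Constructed clean and suspect system32 trees; returns the diff."""
    base = Path(tempfile.mkdtemp())
    clean, suspect = base / "clean_system32", base / "suspect_system32"
    for root in (clean, suspect):
        (root / "drivers" / "etc").mkdir(parents=True)
        (root / "kernel32.dll").write_bytes(b"MZ original")
        (root / "drivers" / "etc" / "hosts").write_bytes(b"127.0.0.1 localhost\n")
        (root / "old.dll").write_bytes(b"MZ old")
    # Simulate what an infection leaves behind on the suspect copy.
    (suspect / "kernel32.dll").write_bytes(b"MZ patched")   # legit name, altered body
    (suspect / "dropped.dll").write_bytes(b"MZ new")         # unknown file added
    (suspect / "old.dll").unlink()                            # something deleted
    (suspect / "drivers" / "etc" / "hosts").write_bytes(      # hosts-file hijack
        b"127.0.0.1 localhost\n127.0.0.1 update.example\n")

    manifest_path = base / "baseline.json"
    save_manifest(build_manifest(clean), manifest_path)
    return diff_manifests(load_manifest(manifest_path), build_manifest(suspect))


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind}: {names}")
```

Build the baseline from a machine at the same patch level as the victim, otherwise every Windows Update will show up as "changed". The diff only tells you which files to look at; a changed kernel32.dll could be a hotfix or a patched binary, so check the suspects with the scanner (and, for signed Microsoft files, their Authenticode signature) before deleting.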
hobbit709 (Donating Member, 1000+ posts), Thu Feb-14-08 04:05 PM
Response to Original message
1. Partition the drive
Edited on Thu Feb-14-08 04:09 PM by hobbit709
I keep no data files on C: I use it only for the OS and software. All my data files are kept on a different partition or even a different drive. So if I have to reinstall, I don't lose my data at all. My main system, counting removable drives and all I'm up to drive letter Q: I keep my music files, my video, my data and misc. all on different partitions. Plus backups burned of all data. You're right, Acronis is great. I use AVG, Spywareblaster, Spybot S&D, Comodo and Advanced Windows Care. I've built or refurbed at least 200 systems for people and the only one that was infected after that was the idiot that didn't like the flashing warning about a virus so he turned OFF the AVG.
Prisoner_Number_Six (Donating Member, 1000+ posts), Thu Feb-14-08 04:12 PM
Response to Reply #1
2. Not necessarily effective
I recently finished killing a virus that instantly installed itself on EVERY SINGLE EXE FILE ON THE COMPUTER. This computer also included two other hard drives. They were both completely infected.

This virus also happened to be network-aware- if it had been on a LAN the entire network would have been involved.

Now that I look I see I failed to note the name of the virus. But I DID manage to kill it off without damaging the OS, and no files were destroyed. All EXE files were successfully cleaned.

If I weren't so sick today I'd look at the antivirus log to see what the heck it was.
hobbit709 (Donating Member, 1000+ posts), Thu Feb-14-08 04:21 PM
Response to Reply #2
3. One of the reasons I don't have a network setup at home.
I'm running five and sometimes 6 computers at the house. My main system, my audio conversion system, my video conversion one, my wife's, my laptop and the one that I'm slowly learning to play with various flavors of Linux on. I'm suspicious by nature so that even if one of mine gets hit, it can't screw up the others. Learned to be security conscious way back in my Air Farce days-when a 1200 baud modem was broadband speed in comparison.
CK_John (Donating Member, 1000+ posts), Thu Feb-14-08 06:55 PM
Response to Original message
4. This should be pinned. Also the most overlooked entry points are CD/DVD.
With people exchanging these and renting, you need to virus scan before using. Hold down the left shift key and this will prevent autostart on the CD/DVD. Then scan the device with your anti-virus program. There are too many for detail instruction but you could google "scanning external device with XXXXX".
RoyGBiv (Donating Member, 1000+ posts), Thu Feb-14-08 07:47 PM
Response to Reply #4
5. Agreed n/t

DaveJ (Donating Member, 1000+ posts), Thu Feb-14-08 11:36 PM
Response to Reply #4
6. Same goes for flash drives...
Mine got infected once. Then it instantly infected my PC when I plugged it in. Luckily it wasn't serious.

So when you get a flash drive, get one with a write-protect switch if you can.
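Following CK_John's point about CD/DVDs (reply #4) and DaveJ's about flash drives (reply #6), here is an added example, not from either post, that checks what a removable medium's autorun.inf would launch if AutoRun fired, before the disc or stick is opened. Holding Shift on insert suppresses AutoRun once; the lasting fix on XP is the NoDriveTypeAutoRun policy. Inspecting the file tells you whether the medium was actually carrying a launcher, and whether it is dressed up to look like Explorer's own "Open folder" entry. Both sample .inf texts below are constructed, and the RECYCLER path in the first one is a made-up placeholder.

```python
"""Inspect an autorun.inf from a CD, DVD or flash drive: parse it, list what
AutoRun/AutoPlay would execute, and point out the decoy tricks malicious ones
use.  Added example, not from the thread; both sample files are constructed."""
import re

SCRIPT_EXTS = (".tmp", ".vbs", ".vbe", ".js", ".bat", ".cmd", ".pif", ".scr")
SECTION = re.compile(r"^\[(.+)\]$")


def parse_autorun(text: str) -> dict:
    """Minimal INI parser: sections and keys case-insensitive, ';' comments, last value wins."""
    inf, section = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        m = SECTION.match(line)
        if m:
            section = m.group(1).strip().lower()
            inf.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        inf[section][key.strip().lower()] = value.strip()
    return inf


def launch_targets(inf: dict) -> list[tuple[str, str]]:
    """(key, command) pairs that would run: open, shellexecute and any shell\\<verb>\\command."""
    autorun = inf.get("autorun", {})
    targets = [(k, autorun[k]) for k in ("open", "shellexecute") if k in autorun]
    targets += [(k, v) for k, v in autorun.items()
                if k.startswith("shell\\") and k.endswith("\\command")]
    return targets


def is_suspicious(command: str) -> bool:
    """Program lives in RECYCLER / System Volume Information, or has a script/temp extension."""
    c = command.strip().lower()
    if not c:
        return False
    # First token is the program; honour a quoted path with spaces.
    program = c[1:].split('"', 1)[0] if c.startswith('"') else c.split()[0]
    return ("recycler" in program.split("\\")
            or "system volume information" in program
            or program.endswith(SCRIPT_EXTS))


def decoy_hints(inf: dict) -> list[str]:
    """Signs the entry is dressed up to look like Explorer's own 'open folder' action."""
    autorun = inf.get("autorun", {})
    hints = []
    if "shell32.dll" in autorun.get("icon", "").lower():
        hints.append("icon borrowed from shell32.dll (folder/drive icon)")
    if "open folder" in autorun.get("action", "").lower():
        hints.append("action text mimics Explorer's 'Open folder to view files'")
    verb = autorun.get("shell", "").lower()
    if verb and f"shell\\{verb}\\command" in autorun:
        hints.append(f"default verb redirected to shell\\{verb}\\command")
    return hints


def report(text: str) -> dict:
    """Everything a tech wants before deciding whether to open the medium."""
    inf = parse_autorun(text)
    targets = launch_targets(inf)
    return {"targets": targets,
            "suspicious": [k for k, cmd in targets if is_suspicious(cmd)],
            "decoy_hints": decoy_hints(inf)}


# Constructed samples: a worm-style stick and an ordinary install disc.
WORM_STYLE = """
[AutoRun]
Open=RECYCLER\\S-1-5-21-0-0-0-1000\\update.exe
shell\\open\\Command=RECYCLER\\S-1-5-21-0-0-0-1000\\update.exe  ; same file via the Open verb
shell=open
icon=%SystemRoot%\\system32\\shell32.dll,4
action=Open folder to view files
label=My Photos
"""
INSTALL_DISC = """
[autorun]
open=setup.exe
icon=setup.exe,0
label=Product Installer
"""

if __name__ == "__main__":
    for name, text in (("worm-style stick", WORM_STYLE), ("install disc", INSTALL_DISC)):
        print(name, report(text))
```

Read the file from the medium with AutoRun suppressed (Shift held, or the policy set) and feed the text to report(). The heuristics are deliberately simple; an entry that points at a plain setup.exe is not proof of a clean disc, and a stick with no autorun.inf can still carry infected files, so the scan CK_John describes still follows.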
Prisoner_Number_Six (Donating Member, 1000+ posts), Fri Feb-15-08 12:03 AM
Response to Reply #6
7. Excellent point.
Edited on Fri Feb-15-08 12:04 AM by Prisoner_Number_Six
Thanks!

© 2001 - 2011 Democratic Underground, LLC