
Thread: Computer Viruses and You: How to Remove and General Avoidance Guidelines

  1. #1 sketch

    Computer Viruses and You: How to Remove and General Avoidance Guidelines

    I work in IT for a living at a Boston engineering school. As you might imagine, I have to deal with viruses quite often, but as of late I find myself cleaning more and more infected machines for friends/family outside of work, answering questions, etc. The best way to get rid of a virus is to never get it, by practicing safe surfing habits and a little common sense. "Oh, this program that I've never seen before just scanned my 800 GB hard drive in 3 seconds and found over two thousand infections! Of course I want to remove them now!"

    But regardless, I felt it relevant to re-post this information here. If you ever get (or suspect) that your computer is infected, I am more than happy to help you attempt to clean it yourself rather than have you go out to geek squad (or similar) and pay absurd amounts of money for what you can do yourself. I originally wrote this at some point last summer and posted it on 3SI:


    So, your computer is infected.
    Every time you open up your browser you get redirected to porn.
    You have popups trying to sell you porn.
    You have a program telling you that your computer is infected and that if you buy some absurd application (it will usually have "antivirus" somewhere in the title) for 3 easy payments and one complicated payment of only $59.95 you can clean your computer!

    So, what do you actually do to clean it?

    Do you bring it to those PC guys in your town square who will charge you $75 for a PC Health report? If you're not comfortable with adding/removing software or running your computer in safe mode, not a bad idea. Hopefully this thread will get your feet wet with computing and get you comfortable with the Windows OS a bit more, and help you avoid bringing it in to your local PC repair guys.

    Do you bring it to the Geek Squad at BestBuy? (HINT: NO.)

    Basic assumptions ITT:
    -You do not know anything about computers. I am going to try to put everything as plainly as possible - I hate it when I look up a tutorial on something that I am new at and it makes assumptions about what I already know.
    -You have a high speed connection (FiOS, DSL, cable, ADSL, SDSL, etc. Not dial-up)
    -You have access to the internet from another computer
    -You have access to a flash drive

    Your first step is to not panic. Everybody knows that bad things happen when you panic. Go ahead and disconnect your computer from whatever network it is on. If it has any wireless capabilities (as most laptops do), search for the switch on the body that will turn it off. You may or may not also have an Ethernet cable connecting your computer to your network (desktop computers will 99% of the time, this will vary with laptops depending on your working environment). Ethernet cables look like glorified telephone cables, with 8 pins. They will typically say "Cat 5" or "Cat 5e" or "Cat6" on them. Unplug this cable from either end (either your computer or modem/router). If you are on dial-up internet, disconnect the phone line from your computer.

    From another computer, change your account passwords. It is very rare that your passwords were actually stolen, but it does happen. Be safe, change your passwords. Any websites, online banking, iTunes, Steam, NewEgg, anything. If you can log into it and have personal information stored there, change it. Do NOT do it on the computer that is infected. I repeat, do NOT do it on the computer that is infected.

    Again, from another computer, and with the infected computer disconnected from your network, download this nifty little application called ComboFix.
    A guide and tutorial on using ComboFix
    This little guy is one of my best friends. Download it to your flash drive.

    Plug the flash drive into the infected computer, go ahead and boot it up. Right here we are going to boot into Safe Mode with Networking.
    When a computer boots, the first thing that you see is the BIOS screen during POST. POST is Power On Self Test; it is the computer's pre-boot sequence. For example, if you own a Dell you will see the Dell logo displayed on the screen, etc.
    This is where you start pressing the F8 key. Press this until the Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, your computer may show some form of a "keyboard error" message. To resolve this, restart the computer and try again. Select Safe Mode with Networking (More on booting into safe mode, depending on your operating system.)

    Copy & paste the ComboFix executable onto your desktop. Double-click it. Your computer will likely beep a couple of times here, possibly quite loudly. This is normal.
    Only if prompted to install the Windows Recovery Console may you connect this computer to the network via Ethernet cable. After the MS Windows Recovery Console has installed, immediately disconnect from any and all network connections. Let this program work its magic. Your computer will likely restart a couple of times during this process. Scanning can take up to a half hour for badly infected systems. It will definitely reboot if you are told that you have rootkit activity. If you don't know what this means, don't worry about it.

    It is okay that your computer does not reboot into safe mode at this point.

    When the scan is complete (potentially after a couple of reboots), your computer will display a logfile in Notepad telling you what was removed, what was running, etc. Save this to your desktop and give it a descriptive name. You can close this out now.

    Browse to your C drive; in there you will find a folder named "Qoobox" - this was created by ComboFix. Open up the Quarantine folder and delete the folder named "C" under this. Empty your recycle bin.
    C:\Qoobox\Quarantine\C - this is the folder that you are deleting.
    It is okay to leave the "Registry_backups" folder and catchme.txt file.

    Open up your registry with the registry editor

    (Click Start > Run... > regedit > Enter) or (Windows key + R > regedit > Enter)
    Select "HKEY_CURRENT_USER"
    Press Ctrl+F and search for 127.0.0.1

    The path that comes up should be similar to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    The key that will be highlighted will be named ProxyServer with a value of http=127.0.0.1:5577 (or a similar value). Delete this key (right-click on ProxyServer, Delete).

    Next you will need to download and install the free version of MBAM (Malwarebytes' Anti-Malware) from this website:
    Malwarebytes' Anti-Malware: Malwarebytes
    (the download links may redirect you to MajorGeeks, this is okay)
    After installation allow the program to update, run a complete/full scan with this. At this point it is unlikely that MBAM will have found anything, this is simply a supplemental scan.

    Pending that MBAM finds nothing, next we are going to run CCleaner to tidy things up a bit - you can find that on this website: CCleaner - Optimization and Cleaning - Free Download

    As a final precaution, I would recommend updating the virus definitions of your chosen anti-virus program.

    General Avoidance guidelines
    Use Firefox. Use it with ABP (Ad Block Plus). Allow this app and addon to update when there are updates that need to be applied. Most updates that are put out for applications like these are security updates and are there for your safety and convenience.

    Stop using IE. Many viruses are targeted at IE, simple as that. There are many reasons why they are targeted at that browser, but they are not particularly relevant. Unless you use a web app that only runs in IE, please do not use that browser. I hate the applications that I need to use for work that only run in IE.

    Never give out your username or password for anything on the internet. I have never seen any company that needs your username and password for something. If there was a diabolical admin somewhere that really had it out for you and wanted to pose as you on some web forum, that admin has the power to change your password (I have also never seen this happen either; I am just illustrating the point that for no reason should you ever give out your username and password, for anything).

    Disclaimer: I take no responsibility if your machine tanks due to following these steps, missing steps, skipping steps, etc. ComboFix is a very powerful application and if misused can ruin your day. Buy an external drive, backup your important data on this. For example, if you store your school/work files, music, movies, etc. on your laptop computer, have copies of these files on your external hard drive. External storage is dirt cheap, an external 1 TB hard drive can be bought for under $90 and is more than enough storage for the average computer user.


    -jeff
    (USER WAS BANNED FOR THIS POST)






  3. #2 mh3kgt
    Very useful post. Thank you

  4. #3 YoshiBishi
    Sadly ComboFix does not run on 64-bit OSes. I phased out ComboFix from the spyware/virus removal procedure at work since all computers on campus for students and faculty for the past 2 years are required to have 64-bit Win7. However, ComboFix is GREAT for all 32-bit OSes. I've also seen ComboFix break a few machines completely, to the point that safe mode no longer works. But this is a small percentage, perhaps 1 in 1000.

    Now, I run CCleaner first to clean out temp files so there are less files for malwarebytes to scan.

    Another thing to prevent infections is to update your Java. The past 4 months have been hell for me at work since I work at a university and Facebook was sending viruses out through a Java exploit. These students never seem to listen... I tell them to stop using Facebook since it is the reason they are getting the spyware, and they come back 5 minutes after picking up their machine with Facebook open in their browsers >=[.

    Luckily, Java and Facebook have fixed the issues on their end for now (fingers crossed), and I get time to browse forums and buy car parts that I don't need instead of aimlessly running virus/spyware scans!

    I'd also be hesitant to tell normal users to use the registry. You can do a lot of damage if you accidentally delete a necessary key.
    I would do a Start > Run and put in "rundll32 Shell32.dll,Control_RunDLL INETCPL.CPL" without the quotes.
    This brings up your internet options for internet explorer. Then go to the Connections tab and click on Lan Settings. Uncheck the boxes under Proxy Server and make sure to have Automatically Detect Settings checked. Sometimes the proxy servers are not always 127.0.0.1, which is why I prefer this method instead.
    *NOTE: If you have a proxy server set up for some reason, you will need to retype it in your proxy server box. Some ISPs may require this.

    If you use Firefox, you will need to reset the proxies as well. Tools > Options > Advanced > Network > Settings
    Choose either No proxy or Use system proxy.

    Google Chrome uses IE proxies, so those were already reset.

    Like Jeff said, back up your stuff as often and as many times as possible!!!!
    I once had my iPod, 2 external HDDs, and my laptop drive all fail in the same week =(. Talk about having some bad Karma...

    Great write up though, really like that you took a lot of time and effort in this. Kudos on putting up relevant links!
    Last edited by YoshiBishi; 02-01-2011 at 09:07 PM.
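The proxy check that both posts above describe, done from PowerShell as an added example that is not from the thread: it reads the same HKCU Internet Settings values, flags a proxy pointing at 127.0.0.1/localhost (the hijack pattern sketch describes) while also reporting any other configured proxy (YoshiBishi's point that the address is not always loopback), and only removes it when -Fix is passed. It assumes a Windows machine and that the script runs in the affected user's session; the backup file path is my own choice.

```powershell
# Added example (not from the thread): inspect the per-user WinINET proxy
# settings that IE and Chrome share and flag a loopback proxy, which is the
# symptom the thread describes (ProxyServer = http=127.0.0.1:5577 or similar).
# Assumptions: Windows, run as the affected user; -Fix is optional.
param([switch]$Fix)

$key   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$props = Get-ItemProperty -Path $key -ErrorAction Stop

$proxyEnabled = ($props.ProxyEnable -eq 1)
$proxyServer  = [string]$props.ProxyServer   # '' when the value is absent
$autoConfig   = [string]$props.AutoConfigURL # PAC script, another hijack vector

Write-Host "ProxyEnable  : $($props.ProxyEnable)"
Write-Host "ProxyServer  : $proxyServer"
Write-Host "AutoConfigURL: $autoConfig"

# A proxy that points back at the local machine is the classic hijack
# pattern; any other proxy is reported too, because the address is not
# always 127.0.0.1 and a legitimate ISP/corporate proxy must not be deleted.
$loopback = $proxyServer -match '(^|=|//)(127\.0\.0\.1|localhost)(:\d+)?'

if (-not $proxyEnabled -and -not $proxyServer -and -not $autoConfig) {
    Write-Host 'No proxy configured for this user.'
    return
}

if ($loopback) {
    Write-Warning "Loopback proxy found: $proxyServer (typical of a browser hijack)"
} elseif ($proxyServer) {
    Write-Warning "Proxy configured: $proxyServer (verify with your ISP/admin before removing)"
}
if ($autoConfig) {
    Write-Warning "Automatic configuration script set: $autoConfig (verify it is yours)"
}

if ($Fix -and $loopback) {
    # Same end state as the thread's manual steps (delete ProxyServer, turn
    # proxy use off), but the old values are written to a backup file first.
    $backup = Join-Path $env:USERPROFILE 'proxy-backup.txt'   # assumed path
    "ProxyServer=$proxyServer`r`nProxyEnable=$($props.ProxyEnable)" | Set-Content $backup
    Remove-ItemProperty -Path $key -Name ProxyServer -ErrorAction SilentlyContinue
    Set-ItemProperty -Path $key -Name ProxyEnable -Value 0 -Type DWord
    Write-Host "Removed loopback proxy; previous values saved to $backup"
}
```

Run it once without -Fix to see what is set, and re-run it after the cleanup to confirm the values stayed clean after a reboot.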

  5. #4 sketch
    Sad but true re: 64-bit Windows & ComboFix. At least they have it running on Vista & 7 now (although I rarely see Vista... anywhere).

    Most of the infections I see come through Java exploits or Adobe exploits. I tell everyone to always keep their software up-to-date, even things seemingly as trivial as Java. New exploits are found nearly every day in Java (at least it feels that way to me!)
    In addition, stay away from Mafia Wars and FarmVille and all of that other crap on Facebook. There are better ways to waste your time.

  6. #5 YoshiBishi
    Facebook applications + Java/Adobe exploits = job security for us.

  7. #6 CoopKill
    Mafia Wars!!!! NOOooooo!


    Thanks for posting the info. I too am constantly fixing family and friends' junk boxes...

  8. #7 YoshiBishi
    We should open up a computer tech support helpline for 3/S owners on this forum! Especially since the members here are so helpful in our car tech support.

  9. #8 sketch
    True about proxy server settings... I see it set to localhost in the registry for the majority of the browser hijacks that I run into.
    A lot of good... general computer use... guidelines? (can't really phrase what I'm getting at here) come from a bit of education as to how things work. When it's browsing habits, we call it being a "good network citizen": what I do on the network has the potential to affect everyone else using the network, too. When you get infected with a virus that sends out several million spam emails in the course of 3 hours and we get blacklisted by Verizon, Comcast, etc., you've affected a shit ton of people. Think before you click.

  10. #9 YoshiBishi
    Very true, our IT security department blocks people for damn near everything. Which is a good thing; the network never gets bogged down. However, it also brings in more clients with network connectivity issues.

  11. #10 IPD
    I like it.

    step one:



