General virus and trojan question

Discussion in 'malware problems & news' started by craigbass76, Apr 4, 2005.

Thread Status:
Not open for further replies.
  1. craigbass76

    craigbass76 Registered Member

    Joined:
    Jan 22, 2003
    Posts:
    72
    Location:
    Maine, USA
    Say my antivirus catches a virus/worm, or this could be Spybot catching spyware for that matter, that won't go away, such as the type that loads when Windows starts.
    When starting in safe mode still doesn't remove the malicious file in question, will scanning the drive after putting it in another computer fix the problem? I've been doing this, and it seems to work, but I wanted to be sure. How do you access the registry when it's not on the master drive, and how would Adaware/Spybot, or antivirus software, catch it if it weren't?

    I hope this question is clear. As I read it, I wonder. But I don't quite know how else to ask.
     
  2. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Hi craigbass76,

    Slaving the infected drive to another system is a method I often use. While effective for removing files, malware scanners will not be able to scan and edit the registry hives. However, you can read and edit those hives using RegdatXP. It has worked well for me. You will have to know in advance what entries to look for and edit/remove.

    Nick
     
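The offline hive reading described in the reply above, as an added example that is not from the thread and is not RegdatXP: `reg.exe load` mounts a hive file from the slaved drive under a temporary key, after which PowerShell can walk the usual autostart locations (Run keys in the SOFTWARE hive and in each user's NTUSER.DAT, Winlogon Shell/Userinit, and Boot/System/Auto services in the last-used control set). Assumptions: an elevated PowerShell 3.0 or later on the clean machine, the slaved drive mounted as E:, and an XP-era layout (\WINDOWS, \Documents and Settings); the hive paths, the key names `OFF_SOFTWARE`/`OFF_SYSTEM`/`OFF_USER_*` and the `$Drive`/`$UserRoot`/`$KeepLoaded` parameters are this example's own choices.

```powershell
# Added example, not from the thread. List the autostart entries stored in the
# registry hives of an infected drive slaved into a clean Windows rescue box.
# Assumptions: elevated PowerShell 3.0+, slaved drive is E:, XP-era layout
# (\WINDOWS, \Documents and Settings). Change $Drive/$UserRoot for \Windows, \Users.
param(
    [string]$Drive    = 'E:',
    [string]$UserRoot = 'E:\Documents and Settings',
    [switch]$KeepLoaded            # leave the hives mounted so entries can be edited afterwards
)

$Mounts = [ordered]@{
    'HKLM\OFF_SOFTWARE' = "$Drive\WINDOWS\system32\config\software"
    'HKLM\OFF_SYSTEM'   = "$Drive\WINDOWS\system32\config\system"
}
# One NTUSER.DAT per profile: it is that user's HKCU, where the per-user Run keys live
Get-ChildItem -LiteralPath $UserRoot -Directory -ErrorAction SilentlyContinue | ForEach-Object {
    $hive = Join-Path $_.FullName 'NTUSER.DAT'
    if (Test-Path -LiteralPath $hive) {
        $Mounts['HKLM\OFF_USER_' + ($_.Name -replace '[^A-Za-z0-9]', '_')] = $hive
    }
}

# Every value under a Run-style key as Source/Command pairs (the PS* properties are provider noise)
function Get-RunValues([string]$Key) {
    if (-not (Test-Path -LiteralPath $Key)) { return }
    (Get-ItemProperty -LiteralPath $Key).PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' } |
        ForEach-Object { [pscustomobject]@{ Source = "$Key [$($_.Name)]"; Command = [string]$_.Value } }
}

$Loaded  = @()
$Entries = @()
try {
    foreach ($k in $Mounts.Keys) {
        & reg.exe load $k $Mounts[$k] 2>$null | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "could not load $($Mounts[$k]) (hive in use, or not elevated?)"; continue }
        $Loaded += $k
        $root = 'HKLM:\' + $k.Substring(5)          # 'HKLM\OFF_X' -> 'HKLM:\OFF_X'

        if ($k -eq 'HKLM\OFF_SYSTEM') {
            # Boot (0), System (1) and Auto (2) start services of the control set the machine last booted with
            $cur = (Get-ItemProperty -LiteralPath "$root\Select").Current
            $svc = '{0}\ControlSet{1:D3}\Services' -f $root, $cur
            foreach ($s in Get-ChildItem -LiteralPath $svc) {
                $p = Get-ItemProperty -LiteralPath $s.PSPath
                if ($null -ne $p.Start -and $p.Start -le 2 -and $p.ImagePath) {
                    $Entries += [pscustomobject]@{ Source = "$svc\$($s.PSChildName)"; Command = [string]$p.ImagePath }
                }
            }
        }
        else {
            $prefix = if ($k -eq 'HKLM\OFF_SOFTWARE') { '' } else { 'Software\' }   # NTUSER hives nest under Software\
            foreach ($sub in 'Microsoft\Windows\CurrentVersion\Run',
                             'Microsoft\Windows\CurrentVersion\RunOnce',
                             'Microsoft\Windows\CurrentVersion\Policies\Explorer\Run') {
                $Entries += Get-RunValues "$root\$prefix$sub"
            }
        }
        if ($k -eq 'HKLM\OFF_SOFTWARE') {
            # Winlogon Shell/Userinit: a common hijack point that msconfig never shows
            $wl = Get-ItemProperty -LiteralPath "$root\Microsoft\Windows NT\CurrentVersion\Winlogon"
            foreach ($n in 'Shell', 'Userinit') {
                if ($wl.$n) { $Entries += [pscustomobject]@{ Source = "Winlogon [$n]"; Command = [string]$wl.$n } }
            }
        }
    }
    $Entries | Format-Table -AutoSize -Wrap
}
finally {
    if (-not $KeepLoaded) {
        [gc]::Collect()                              # drop PowerShell's key handles, or reg unload fails with access denied
        foreach ($k in $Loaded) { & reg.exe unload $k 2>$null | Out-Null }
    }
}
```

Run it once to get the list, then, as the reply says, decide from research what does not belong. Run it again with `-KeepLoaded` and remove a value with, for example, `Remove-ItemProperty -LiteralPath 'HKLM:\OFF_SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name '<value name>'`, then `reg.exe unload HKLM\OFF_SOFTWARE` (and the other mounted keys) before the drive goes back into its own machine; a hive left mounted is locked and the original system will not boot from it cleanly. The commands stored in the hives name paths on the infected system's own C:, so map them to the slaved drive letter before checking or hashing the files they point at.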
  3. craigbass

    craigbass Guest

    It looks like, in this case, my aunt is ready to take the Linux plunge, so I won't have to worry about it, but for future reference, I will try that tool, or maybe I'll try it out on this drive before I format.

    So I need to know what to look for. Does this mean if, say, Gator is running, I'd look for something Gator-ish in the registry, or will there be no Gator reference at all?
     
  4. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    For common malware, Google points the way. For something uncommon, you will have to rely on tools like Regmon and FileMon while the system is still running.

    Nick
     
  5. Sweetie(*)(*)

    Sweetie(*)(*) Registered Member

    Joined:
    Aug 10, 2004
    Posts:
    419
    Location:
    Venus
    Hi, I understand what you are saying, slaving the HDD onto another PC can be helpful.

    Generally there is no foolproof method for removing startup programs that avoid detection/removal; there are a few things worth trying, however:

    Steps for removing start-up malware

    1. Empty caches (Internet Explorer, Firefox, Java etc.; also, the use of a washing program can be very helpful for overall system health. CCleaner is a very good free program.) I would recommend installing CCleaner and running it regularly; select the options best suited to your needs.

    To clean caches:

    Using IE: Open IE > Click tools > Internet Options > Delete cookies > Delete files > Delete files again, this time place a tick in Offline Content > Clear History.

    Using Firefox: open FF > Tools > Options > Privacy > clear cache, history and cookies.

    Java: Open Control Panel > Select classic view > Open Java > Select Delete files, tick all three options and delete. (There are various types of Java, so yours may differ; if unsure go to your Java vendor's site or do a Google search.)

    2. Turn Off System Restore

    Right click the My Computer icon > click on Properties > Click on the System Restore tab > Put a check mark next to "Turn off System Restore on All Drives"

    3. Check Start up processes and Programs

    Click Start > Run > type "msconfig" > In the top panel select Services > tick Hide All Microsoft Services > the remaining list shows the services that will start when Windows does; research these services on the net. Wintasks is an excellent site.

    To view the Startup programs follow the above, selecting Startup instead of Services; you will need to look these up as well. By customizing this list Windows will load faster; many users have programs starting with Windows that don't need to. For instance, "msmsgs" (Microsoft Messenger) can be a security risk and doesn't need to be on the Startup list. (Note: "msnmsgs" is the MSN version of the messenger program.) Also, things like QuickTime and RealPlayer do not need to auto-start. You may need to do an internet search to find out what some of the entries are for.

    If you make any changes to the Startup Services or Programs you will be prompted to restart your computer, at this stage click exit without restart.

    4. Add/Remove programs

    Check the Add/Remove Programs list for suspect programs, in particular Search Assistants, Toolbars, Shopping Helpers, Bargain Buddy etc.

    Basically, look at each entry; if there is something you don't recognize, look it up on the web or post here and ask.

    5. Download CWShredder HERE

    A small utility for removing difficult Spyware.

    6. Restart

    7. Run CWShredder

    Double-click the CWS icon > Check for update > If there is an update, download it and run the newer version > Select Fix > The program will search for variants of CWS and remove any found.

    8. Run Anti-Spyware Programs

    I recommend CounterSpy (free 15-day trial), Adaware SE (free), Spybot (free), Microsoft AntiSpyware beta1 (free 6 months).

    Choose two of the above or if you have a different reliable program use that.

    Update the AntiSpyware programs (2) and run a full system scan.

    9. Antivirus software

    Run a full system scan with your antivirus program; make sure it's up to date.

    10. Finish

    Your system should now be cleaner and faster; if you are a new PC user, hopefully you have learned a few things and feel more confident in the use of your computer.

    If you still have problems it may require a more in-depth analysis.
    There are many more options available; the above steps are designed to be a quick, fairly simple fix for spyware-related startup problems.

    Remember to turn System Restore on again if you use it.
     
    Last edited: Apr 5, 2005
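Step 3 of the procedure above (msconfig's Services tab with Hide All Microsoft Services ticked, then the Startup tab), done from PowerShell on the suspect machine itself, as an added example that is not from the thread. It adds the evidence msconfig leaves out: the file each entry actually launches, whether that file carries a valid Authenticode signature and from whom, and a SHA256 to look up online instead of a bare service name. Assumptions: an elevated PowerShell 3.0 or later on Windows, booted normally or in safe mode; the function names, the `-IncludeMicrosoft` switch and the path-resolution heuristic are this example's own.

```powershell
# Added example, not from the thread. PowerShell 3.0+, run elevated on the
# suspect machine (normal boot or safe mode).

# Find the executable a service PathName or Run-key command line actually launches.
# Handles quoted paths, %VAR% expansion, \??\ and \SystemRoot prefixes, bare names
# (looked up in System32) and unquoted paths that contain spaces.
function Get-LaunchedFile([string]$CommandLine) {
    $c = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    $c = $c -replace '^\\\?\?\\', '' -replace '(?i)^\\SystemRoot', $env:SystemRoot
    $c = $c -replace '(?i)^system32\\', "$env:SystemRoot\system32\"
    if ($c.StartsWith('"')) {
        $cands = @($c.Substring(1).Split('"')[0])
    } else {
        # "C:\Program Files\Foo\foo.exe /arg": try longer and longer token prefixes
        $t = $c -split '\s+'
        $cands = 1..$t.Count | ForEach-Object { $t[0..($_ - 1)] -join ' ' }
    }
    foreach ($p in $cands) {
        if ($p -notmatch '\\') { $p = Join-Path "$env:SystemRoot\system32" $p }
        if (Test-Path -LiteralPath $p -PathType Leaf) { return $p }
    }
    return $null
}

function Get-AutostartReport([switch]$IncludeMicrosoft) {
    $items = @()
    # Services that start with Windows: what msconfig's Services tab lists
    Get-CimInstance Win32_Service | Where-Object { $_.StartMode -in 'Boot', 'System', 'Auto' } | ForEach-Object {
        $items += [pscustomobject]@{ Source = "Service: $($_.Name)"; Command = $_.PathName }
    }
    # Run keys and Startup folders for all users: what msconfig's Startup tab lists
    Get-CimInstance Win32_StartupCommand | ForEach-Object {
        $items += [pscustomobject]@{ Source = "$($_.Location) [$($_.User)]"; Command = $_.Command }
    }

    foreach ($i in $items) {
        $file = if ($i.Command) { Get-LaunchedFile $i.Command } else { $null }
        $sig  = if ($file) { Get-AuthenticodeSignature -FilePath $file } else { $null }
        $isMs = $sig -and $sig.Status -eq 'Valid' -and $sig.SignerCertificate.Subject -match 'O=Microsoft Corporation'
        # The "Hide All Microsoft Services" box: drop entries with a valid Microsoft signature
        if ($isMs -and -not $IncludeMicrosoft) { continue }
        [pscustomobject]@{
            Source  = $i.Source
            Command = $i.Command
            File    = if ($file) { $file } else { 'NOT FOUND' }
            Signed  = if ($sig) { [string]$sig.Status } else { 'n/a' }
            Signer  = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            SHA256  = if ($file) { (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash } else { '' }
        }
    }
}

# Unsigned and missing files sort to the top, which is where the research effort should go
Get-AutostartReport | Sort-Object Signed, Source | Format-Table -AutoSize -Wrap
```

Two caveats when reading the output. Older Windows versions sign most of their own binaries through catalog files rather than an embedded signature, and on those systems `Get-AuthenticodeSignature` reports them as NotSigned, so "unsigned" means "look it up", not "malicious". A NOT FOUND file, by contrast, is worth attention either way: the entry points at something that no longer exists, which is typical of a half-removed infection. For step 2 of the procedure, `Disable-ComputerRestore -Drive 'C:\'` and `Enable-ComputerRestore -Drive 'C:\'` are the PowerShell equivalents of the System Restore checkbox on Windows client editions that ship those cmdlets.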