Guild Wars Forums - GW Guru
#1  Painbringer, Jul 15, 2008, 09:51 PM

A guide to help answer the question “I think I am infected what do I do?”

This is a “linked to help” information guide to inform you on the basics of internet security, and to answer the question “I think I am infected what do I do?”. If you are experiencing problems, read the guide and it should help point you in the right direction.

What is it?

Since the birth of the internet, and even before that, programs have been written to watch, steal, destroy, or cause havoc on a computer system. Some viruses were written just for fun, others for malicious purposes. I have linked definitions from Wikipedia of some of the common bugs that you will see out there.

Malware http://en.wikipedia.org/wiki/Malware

Adware http://en.wikipedia.org/wiki/Adware

Virus http://en.wikipedia.org/wiki/Computer_virus

Rootkits http://en.wikipedia.org/wiki/Rootkit

Rouge Server - http://www.net-security.org/article.php?id=1068&p=1 (it is an older article but informative). This article got me thinking: could malware have made a change to my system and sent me to a rouge server? Many hackers target games specifically. So the question I had was: how do I know, when I am connected, that I am actually connected to an official site? PlayNC has informed me all you have to do is put your pointer over the ping ball and see the IP number. The first three numbers should be one of the following (the numbers below are for me, “American District”; I am awaiting an answer from PlayNC on what numbers other countries have):

216
206

If for some reason the numbers above do not match yours, do not freak out; the list is not finished!

What are the symptoms?

Below are some symptoms of an infection on a system; this comes from the Microsoft site.

Symptoms of a computer virus
The following are some primary indicators that a computer may be infected:

• The computer runs slower than usual.
• The computer stops responding, or it locks up frequently.
• The computer crashes, and then it restarts every few minutes.
• The computer restarts on its own. Additionally, the computer does not run as usual.
• Applications on the computer do not work correctly.
• Disks or disk drives are inaccessible.
• You cannot print items correctly.
• You see unusual error messages.
• You see distorted menus and dialog boxes.
• There is a double extension on an attachment that you recently opened, such as a .jpg, .vbs, .gif, or .exe extension.
• An antivirus program is disabled for no reason. Additionally, the antivirus program cannot be restarted.
• An antivirus program cannot be installed on the computer, or the antivirus program will not run.
• New icons appear on the desktop that you did not put there, or the icons are not associated with any recently installed programs.
• Strange sounds or music plays from the speakers unexpectedly.
• A program disappears from the computer even though you did not intentionally remove the program.

Symptoms of worms and trojan horse viruses in e-mail messages
When a computer virus infects e-mail messages or infects other files on a computer, you may notice the following symptoms:

• The infected file may make copies of itself. This behavior may use up all the free space on the hard disk.
• A copy of the infected file may be sent to all the addresses in an e-mail address list.
• The computer virus may reformat the hard disk. This behavior will delete files and programs.
• The computer virus may install hidden programs, such as pirated software. This pirated software may then be distributed and sold from the computer.
• The computer virus may reduce security. This could enable intruders to remotely access the computer or the network.
• You receive an e-mail message that has a strange attachment. When you open the attachment, dialog boxes appear, or a sudden degradation in system performance occurs.
• Someone tells you that they have recently received e-mail messages from you that contained attached files that you did not send. The files that are attached to the e-mail messages have extensions such as .exe, .bat, .scr, and .vbs extensions.

Symptoms that may be the result of ordinary Windows functions
A computer virus infection may cause the following problems:

• Windows does not start even though you have not made any system changes or even though you have not installed or removed any programs.
• There is frequent modem activity. If you have an external modem, you may notice the lights blinking frequently when the modem is not being used. You may be unknowingly supplying pirated software.
• Windows does not start because certain important system files are missing. Additionally, you receive an error message that lists the missing files.
• The computer sometimes starts as expected. However, at other times, the computer stops responding before the desktop icons and the taskbar appear.
• The computer runs very slowly. Additionally, the computer takes longer than expected to start.
• You receive out-of-memory error messages even though the computer has sufficient RAM.
• New programs are installed incorrectly.
• Windows spontaneously restarts unexpectedly.
• Programs that used to run stop responding frequently. Even if you remove and reinstall the programs, the issue continues to occur.
• A disk utility such as Scandisk reports multiple serious disk errors.
• A partition disappears.
• The computer always stops responding when you try to use Microsoft Office products.
• You cannot start Windows Task Manager.
• Antivirus software indicates that a computer virus is present.

There is other weird behavior that should be mentioned. When online, do you have ads or sites popping up that you did not want? Is your home page not correct?


How did it get in?


There are numerous ways they get into your system, and all of them revolve around you letting them in. (Below are a few ways.)

1. You either clicked on an attachment in an e-mail or downloaded it yourself.

2. Spam: delete it, do not open it.

3. Bringing foreign items into your system: CDs, DVDs, camera sticks, or even USB memory sticks would be examples of these. Although useful, they can hold a payload of malware/viruses. If it is not yours, or if it was used somewhere else, make sure it is clean. Turn off the auto load feature and scan the stick with your antivirus before opening it on your computer.

4. Surfing to bad sites is never good and can get you infected.

5. One common source of infection is Misleading Applications. An example of this is a prompt that pops up stating that a virus has been found or detected on your system: “Click here to resolve.” Rule of thumb: do not click. If it looks like an authentic Windows prompt, still do not click. You have your own virus software installed; let it tell you the problems you have.

6. Not updating your operating system or other programs will put you at risk. Security risks from outdated or not updated programs can be taken advantage of, and viruses will find a way in. So keep your system up to date. Here is a program that helps with updating out-of-date or dead programs: https://psi.secunia.com/?language=English Try it out, update your system, then remove it or keep it going if you wish.


How do I get rid of it?


Open your current antivirus tool, update the virus definitions and run a scan. If nothing is found, reboot in Safe Mode (guide to rebooting in Safe Mode by BleepingComputer.com: http://www.bleepingcomputer.com/tuto...utorial61.html ). If a problem is found, write down or print the information or name of the virus etc.; this will come in handy if things get worse. Now follow the prompts of your antivirus to fix or quarantine the problem. Reboot and see if performance has changed. If things are fixed, great! If not, it’s time to get back in the trenches.

I would suggest a malware scanner at this point. You can download free ones from many sites (http://www.filehippo.com/ , http://www.download.com/Antivirus-Fi...yware/?tag=dir ) or even from the help sites I will be mentioning later. One good and free malware removal program, as mentioned by screen317, is http://www.malwarebytes.org/mbam.php ; I have used this one and it is easy to use. Some other tools I have used are the new Ad-Aware 2008, which is a breeze (I did find this one a little lacking in its description of what bugs are found), and Spybot Search & Destroy (great tool, although the way you update definitions could be better; more steps than others, but this is being picky). SuperAntiSpyware 4.15.1000 http://www.superantispyware.com/ is also a good one with lots of options (make sure your firewall does not block updates, and do not do a thing on your computer till it finishes its updates; it is a bit feisty). If you know for sure this program has become unresponsive on an update download, physically disconnect from the internet and wait for the lost-connection prompt. Otherwise Task Manager will give you endless error messages while trying to close out the program, leaving you with just the turn-off-and-reboot option. Run one of the above scanners (or one of your choice) and see if they find anything. Write down or print anything they find so you have a record. Follow the prompts to fix or remove any problems.

Special Note: Some of these free scanners have extra tools in them that can do a lot of, let’s say, “technical things”. Stick to just the basic default scanners at this point. If needed later on, help site staff will tell you if you need to change settings or run any special tools.

Remember you can only have 1 firewall and 1 antivirus installed at a time. You can, however, have several antispyware programs installed as long as only one of them has real-time protection enabled. If things are fixed, great! If not, it’s time to get back in the trenches.

I would suggest now to enlist some help. There are many out there; two of my favorite sites for help are Bleeping Computers http://www.bleepingcomputer.com/forums/ and Major Geeks http://forums.majorgeeks.com/index.php . They can assist you with removal and hijack logs. Be patient with them, as you will see they are extremely busy. Allow at least a week for a reply. Be nice! Also do not bump posts; it only hurts you, as it makes you look like you are being helped.

Tip - If you are unable to download or surf due to infection, you will have to surf and download from another computer. Burn downloads to a new CD, DVD or USB memory stick, then install the program on your system.

Caution - People/friends will suggest you download and run the HijackThis program. This is a powerful program that can seriously mess your system up if you do not know what you are doing! I strongly suggest that if HijackThis is needed, you only follow the proper procedure that is listed on help sites, and do only as directed by that site’s staff.

How do I keep clean?


The following guides are from MajorGeeks.com and BleepingComputer.com. They are very informative guides and very good on what you can do to keep clean. With whatever virus removal tools you use, always run your updates and run scans regularly. Make a habit of it. Remember, you may have the best antivirus/security program on the market, but if you do not use it correctly you are wasting your money and time.

http://forums.majorgeeks.com/showthread.php?t=44525


http://www.bleepingcomputer.com/forums/topic2520.html




Good Luck and Surf Safely

Painbringer

P.S. I am not an expert and do not claim to be one. I was just an unlucky infected person that went on a 2 month malware removal frenzy to get my computer back.


Edits – I removed the “turn off System Restore before running virus scans” step as requested by Tarun. This should be done only if requested by your software or help site staff. Turning it off will turn off a Windows security feature that sets restore points. These are settings that can save you if things go from bad to worse. Some software (as directed) needs this feature disabled for running full scans and enabling proper removal of viruses. (Norton’s special Vundo removal tool is an example – not to be confused with any purchased product they sell; this is one you must get from their site.) Also, after your system is totally clean, you may be requested to toggle this feature and set a new restore point. This may be requested by help site staff.

Also changed what I had under rouge servers due to confusion it could cause.

I added more information to the malware scanners section, and FileHippo for downloading.

Last edited by Painbringer; Jul 17, 2008 at 03:55 PM // 15:55..
#2  Songbringer, Jul 15, 2008, 09:58 PM

Quote:
Originally Posted by Painbringer

P.S. I am not an expert and do not claim to be one. I was just an unlucky infected person that went on a 2 month malware removal frenzy to get my computer back.
Stop downloading that porn and you won't have to go on those 2 month removal frenzies
#3  Painbringer, Jul 15, 2008, 10:05 PM

Quote:
Originally Posted by Songbringer
Stop downloading that porn and you won't have to go on those 2 month removal frenzies
No I got mine from a Misleading Application that popped up while reading GW Guru.

This was from me not cleaning my system correctly (Not from Guru)

Last edited by Painbringer; Jul 15, 2008 at 10:13 PM // 22:13..
#4  Miska Bow, Jul 15, 2008, 11:53 PM

Quote:
Originally Posted by Songbringer
Stop downloading that porn and you won't have to go on those 2 month removal frenzies
That's a pretty lame and dumb reply.

OP/

Great post. Just missing a few links to Spybot, free anti-virus and free rootkit remover.
#5  Tarun (Technician's Corner Moderator), Jul 16, 2008, 03:12 AM

I've never liked downloading from Download.com. The feel of the site is just... horrible. I'd much prefer the source, and if I cannot download from the source, I'll get it from BetaNews and even FileHippo to name a few.

Never heard of a rouge server either. Since when did servers come in colors like red? :P

You talk about infection symptoms, but you don't link your source for the copy/paste.

Turn off System Restore? NEVER do that under any circumstance. Even if infected, it could still save you from problems.

Both of the guides linked to are very out of date. Bleeping Computer has good support, but I've seen them refer people to my forums for issues with Dial-a-fix. I've helped users get cleaned up quickly, when it takes both of those sites a much longer time in terms of response. In fact, their rules for HijackThis sections are absurd.

I've written some guides for cleaning your computer.

http://wiki.lunarsoft.net/wiki/PC_Maintenance
http://wiki.lunarsoft.net/wiki/PC_Security

I've also written some software that would have reduced your two month hunt for the proper tools. It's called LunarDownloader. Links: LunarDownloader Installer, LunarDownloader Zip, and the LunarDownloader Wiki page.
#6  Why_Me, Jul 16, 2008, 02:16 PM

I'm a big fan of partitioning and reformatting.
#7  zamial, Jul 16, 2008, 04:46 PM

I have found instances where:
a) turning off system restore was necessary (metajaun virus, not on my pc) but after it was killed I re-enabled the system restore.

b) keeping the system restore on a separate hard drive is a good idea, no need to disable at that point.

A site that has helped me a lot with issues: http://www.pchell.com/
#8  Tarun (Technician's Corner Moderator), Jul 16, 2008, 05:48 PM

All you need to do is create a new System Restore point, then go through Disk Cleanup and flush the old points. It keeps the most recent point made which is the one you just created.
#9  screen317, Jul 17, 2008, 05:09 AM
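The restore-point refresh Tarun describes, as an added PowerShell example that is not part of the thread: it creates a fresh point and then removes the older shadow copies that hold the previous points, which is what Disk Cleanup's "System Restore and Shadow Copies" option does. It assumes an elevated Windows PowerShell 5.1 session (Checkpoint-Computer is not available in PowerShell 7), System Restore already enabled on C:, and that the volume holds no other shadow copies you want to keep.

```powershell
# Added example (not from the thread): make a new System Restore point, then keep only
# the newest one. Run in an elevated Windows PowerShell 5.1 session on a volume where
# System Restore is enabled.
$Volume = 'C:'   # assumption: the system drive being cleaned

# Windows 8 and later refuse a new point if one was created within the last 24 hours
# (the SystemRestorePointCreationFrequency registry value, in minutes, controls this),
# so verify that a point was actually created before deleting anything.
$before = (Get-ComputerRestorePoint | Measure-Object -Property SequenceNumber -Maximum).Maximum
Checkpoint-Computer -Description 'Post-cleanup baseline' -RestorePointType MODIFY_SETTINGS
$after  = (Get-ComputerRestorePoint | Measure-Object -Property SequenceNumber -Maximum).Maximum
if (-not $after -or $after -eq $before) {
    throw "No new restore point was created; leaving the existing points untouched."
}

function Get-ShadowCopyCount {
    # Restore points are stored as Volume Shadow Copies; count those on the target volume.
    $listing = vssadmin list shadows /for=$Volume
    @($listing | Select-String -Pattern 'Shadow Copy ID').Count
}

# Delete the oldest shadow copy until only the newest (the point just created) remains.
while ((Get-ShadowCopyCount) -gt 1) {
    vssadmin delete shadows /for=$Volume /oldest /quiet | Out-Null
}

# Show what is left so the result can be checked before moving on.
Get-ComputerRestorePoint |
    Select-Object SequenceNumber, Description,
        @{ Name = 'Created'; Expression = { $_.ConvertToDateTime($_.CreationTime) } } |
    Format-Table -AutoSize
```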

BleepingComputer is currently very deeply backlogged with the amount of people waiting for help (I would know-- I'm a member of their HijackThis Team).

To help ease their tiring helpers, please consider posting in one of the other ASAP (Alliance of Security Analysis Professionals) sites:

http://www.asap.maddoktor2.com/

Otherwise nice guide Painbringer!

I also do not favor download.com, as they host shifty products that I've had the displeasure of testing.

In addition, for malware removal, those of us in the know regarding computer security now recommend MalwareBytes Anti-Malware, created and developed by some of our most talented colleagues:

http://www.malwarebytes.org/mbam.php


You may scan and update it forever for free; you may also pay for resident protection (which I use and find to be excellent).

The reason why I mention it is because it deals with today's infections, quite effectively.

Regards,

-screen317
#10  fenix, Jul 17, 2008, 06:08 AM

To be honest, I have literally 0 worries about viruses these days. I have a pretty good Firewall in my Router, I have COMODO Personal Firewall, I have NOD32, and I have Spybot S&D.

I recommend that if you can get a copy, get NOD32. There's really no alternative (except Avira, which I found to be very good).

Also, regarding the System Restore, I had to turn it off on my sister's laptop recently because a virus got into it, and the computer was restoring the virus constantly. Whether you turn it on or off is up to you...
#11  screen317, Jul 17, 2008, 06:20 AM

I do not recommend resetting System Restore until the computer is clean.

A muddy Restore Point is a million times better than no Restore Point, in case of conditions getting worse.


NOD32 is great for a paid antivirus. AntiVir, avast!, and AVG are all great free antiviruses.


Final thought: no amount of protection programs can compensate for a bit of common sense and safe surfing.

Edit: Grammar