Cleaning viruses issue


mikehende
03-24-2006, 11:18 AM
Hey guys, I am new here and beginning my PC A+ course. Regarding learning how to clean viruses, can anyone tell me please how best I can go about learning to do this? I am thinking of going to some porn or gambling sites to purposely download some stuff to get some viruses to experiment with, but isn't this dangerous? Any ideas?

tonyd
03-24-2006, 01:47 PM
Hello Mike - You've come to the right place. I think it was Terry who posted an excellent article a while back. Here's basically what I do.

1) Turn off System Restore.
2) Run Disk Cleaner or better yet, JV16 File Cleaner.
3) Remove the hard drive and install as slave in another machine (or connect via USB/FW adapter). Run spyware and virus scans in that machine.
4) Put drive back in original machine. Run spyware scan.
5) Run a virus scan.

Do everything in Safe Mode.

Details vary with each machine.

-td

mikehende
03-24-2006, 02:09 PM
Hey Tony, appreciate the help, but I can't see how this will help as I already know how to run scans, but I have never had to clean an actual virus. I've gotten viruses a few times in the past but it was my wife who always cleaned it up, so anyway, I need to clean an actual virus itself. Hope this explains it better, unless I may be misunderstanding your post?

dbarrow
03-24-2006, 03:17 PM
IF... you have a good AV, it should never get in to begin with!
That's the premise of "Safe Computing".
Build your castle walls well so you never have to go through the process of removing something that should never have gotten past the guards at the gate.

Cleaning can be hazardous to your system!
Some of these nasties attach themselves to, or replace critical system files and can't be cleaned, only deleted or quarantined. Results of cleaning can be fatal to your system!

IF your AV detects an item it can't clean, quarantine it, go to the AV sites and look up what it was identified as.
Most of the major AV makers offer SPECIFIC cleaners for some of the best known variants. Only these specific cleaners do a decent job of removing a known, name brand virus or trojan, especially if they are attached to or embedded in system files.

Just like a real virus, many of these things self reproduce!
The infection is only the symptom of something else lurking deeper in the system. Eliminate the infection and it comes right back!
As mentioned above, one of the only options may be to remove the drive and scan it from another machine so the AV can access files normally locked by the (active) system.

If you go back through the Archived posts, there is considerable information in older posts there.
One of our main points of focus here has always been "safe computing" and there is a treasure trove of older posts in the archives with many tips and tricks.

PeteF
03-24-2006, 08:40 PM
Tony & Doug,
I don't think you caught the drift of what Mike is asking. I know because
I sent him here for advice. See, Mike wants to learn more about how
to clean viruses and spyware, but to do that he needs to get his
computer infested with spyware & viruses. He asked me how to
get his computer infested so he can practice, but I honestly
couldn't tell him where to go.

See, I know how to clean them but I don't really know which sites
to visit to get horribly infested with spyware & viruses. I know
that gambling & porn sites have a reputation of spreading malware.

I'm always cleaning computers of malware, but where the heck do
these people go to get so infested with spyware or viruses that
their computer slows down to a crawl?

I mentioned this in the past. We need something like a list of links
and actions to take that would put a computer through a virus
& spyware torture test in real time on the internet.

One suggestion I just thought of is to connect to the internet
direct to the DSL or CABLE modem (to bypass router which
acts as a firewall), and disable all software firewalls, AV &
antispyware applications. That might be enough to get
infected to a certain degree over a few days period.

Any more ideas?

PS: A more suitable title for this thread might be... How To
Get Your PC Loaded With Viruses & Spyware So It Slows
Down To a Crawl. :D

---pete---

Dan18960
03-24-2006, 09:39 PM
Mike,

First off - DO NOT VENTURE FROM YOUR COURSE STUDIES! You have to remember what you learn in the "real" world is NOT the same as the testing you will be required to pass for your certifications.

That said, you should NEVER use your "production" machine as a test box. I have a system specifically setup for testing applications, running cleanings on client hard drives, and just all round crashings. I have a ghost image of that machine that NEVER is accessible when working on any issues.

If you want to have a real live experience - download every toolbar, remove any firewall, antivirus, spyware, and popup blocker from your machine. Let it run for a couple hours on downloading free music and you will have all the fun you can bargain for. :confused:

mikehende
03-25-2006, 04:53 AM
Good advice everyone, yes, Pete put it best concerning what I am seeking to do, "knowing" what to do and being able to do it is a separate issue I say so I need to work on an actual virus. I have a backup pc which I will use and do what Dan says, question here, I was always told that you can't get a virus from downloading "mp3's" in particular, is this correct? Appreciate the help all.

dbarrow
03-25-2006, 08:21 AM
The major front of attacks right now is hidden scripting on web pages. Just use IE with all security off and spend a day on the gambling and porn sites. That should load you up pretty well.

Toolbars, yeah, grab a bunch of them as many are worse than any virus to remove.

Don't forget to get all the IM clients, MSN, AIM, IRC
They have been a recent route of attack.

Don't forget to infest your email client.
Some of the open source 'freebie' email programs are getting hit hard right now.

mikehende
03-25-2006, 08:25 AM
The "test" PC I am referring to is my Mom's PC which she never uses and which my wife had put together for her, hope I don't get kicked out of the house if it crashes! Great, will do all of those things you recommended, thanks! I still wish someone would answer my question about "getting viruses through mp3 downloads"?

dbarrow
03-25-2006, 11:39 AM
Not all that common downloading an MP3 format as it is a music compression codec.
What "usually" happens is clicking on a link on some web page to download an mp3, a free or advertised give away, and having the link re-directed to malicious code.
As you are already telling your browser to connect to something by clicking the link, and if your security settings and AV are not tight, you get a download of a malicious package.
That can piggyback with the legitimate mp3 file or just plain launch an installer before you can stop it.
The better stuff is well hidden. You won't notice it placing a rootkit deep in your system.

You seldom find a corrupt mp3 itself, it's what tags along with it via the download.

P2P file sharing programs are another risk.
Again, you are clicking on a link to an unknown source.
By engaging the download, you have opened doors and ports into your machine. If something on the other end is looking for a way in, you just opened the front door to them.

dbarrow
03-25-2006, 11:42 AM
Your test machine...
I hope you have a good image system backup of it in a clean state!
At the least, you want a verified image that you have proven will restore successfully at least once, and make sure to completely scan the machine before making the image so you know it is clean.
After tinkering with it, I would do a format wipe and load and restore from the clean image.

mylanta
03-25-2006, 05:09 PM
The simplest answer is Limewire, Kazaa and Morpheus sites... peruse them, download them, and guaranteed before long you will be inundated just like our clients' kids are!

PeteF
03-25-2006, 06:15 PM
Your test machine...
I hope you have a good image system backup of it in a clean state!
At the least, you want a verified image that you have proven will restore successfully at least once, and make sure to completely scan the machine before making the image so you know it is clean.
After tinkering with it, I would do a format wipe and load and restore from the clean image.

Mike, do you understand what he is talking about above?
If not, maybe someone here can direct you to some of
our archives that tell you all about Acronis and how to use it.
I think you need to learn that before you investigate this
virus & spyware cleaning thing. Just make sure you have
a clean system *before* you backup using Acronis.

In case you are not familiar with "Imaging", it simply means you run
a program that backs up your entire hard drive to a single image file.
Then if you ever got totally infected or messed up your Windows OS
and could not fix it, you could restore the system back to that image
which would totally wipe the system clean and restore things back to
the day you backed it up. Of course you would lose anything new
since that backup.

---pete---

mikehende
03-26-2006, 09:15 AM
Very well explained DBarrow, thanks!! Your handle seems familiar to me, I think we may have crossed paths before, maybe on one of the zillion forums I participate in.

dbarrow
03-26-2006, 11:00 AM
Part of the process of "safe computing" is traveling the internet like you are walking through a swamp full of quicksand and tiger pits. Watch where you step!

You have a NAT router, software firewall, good AV program, adblockers, rootkit detectors, and all the other necessary defenses.

All of these can be defeated by the one factor we can't control ... the user!

There is one big hole in your castle defenses ... the front gate and drawbridge. To communicate with the outside world, you have to leave it open to traffic. You can have the best sentries and guard dogs on duty but, they will do you no good if you tell them to let something pass through by your own actions.

Many of your "trusted" programs allow traffic through this gate by means of running under svchost processes which grant them system access via Generic Host process for Win32 Services.
That service can open gateways and ports to a wide variety of functions as a "trusted" "system" service.

Your browser is a "trusted" service. You grant it permission to access the web. What you click on once you go outside your machine becomes an "allowed process".
This is where MS is having so many problems with security, as the functionality of IE depends on "trusted" services and security settings to allow Active-X, HTML, Flash, and a range of other browser functions that make the web media rich. ALL of these have experienced "vulnerabilities". Exploits are surfacing faster than they can fix them.
Note the recent update for Flash (which requires manual download) to fix a hole in that. (and it's a big hole so make sure you do it!) Active-X has turned into a security nightmare!

The last year has seen proliferation of web attacks as the main security problem. Unlike the "script kiddie" email virus attacks of the past, where the objective was to boldly announce that they had gotten in and farkled your machine, the current trend is cybercrime intended to pick your pocket and grab your wallet.

These attacks are silent. The new "bad stuff" is designed to be highly stealthed and invisible to the user. You won't see it, you won't notice it. Unless your AV snags it, you will never be aware that a rootkit is lurking in your system waiting to activate a keylogger when you logon to your bank or pay a credit card bill online.

The problem is ... these are all "allowed processes" that you have granted passage through the portals via the standard gateways of svchost and Generic process for Win32. Your machine does not discriminate, nor does your firewall, router, and in many cases ... your AV. You told the guards to open the gates!

A common practice these days is hijacking a popular website and inserting malicious code. There is nothing obvious or visible. The code is invisible and may go undetected by the website operator for quite some time.
(a major factor why we upgraded to Vbulletin software vs the old and very dangerous phbb)
Anything from code hidden in a pixel of a jpeg image, Active-X control, mal-formed or redirected link can hide a hidden payload of something bad. All you have to do is click on it and it owns your machine!

"Safe Computing" demands that you stay up to the week current with any patches for any program or function where a vulnerability has been detected and fixed.
Choose the best possible AV program. Free is usually worth what you pay for it ... nothing!
Even with top quality AV, routinely run scheduled or manual "whole system" deep scans. Signatures are updated frequently and whole system scans are necessary to ensure that the latest threat, which may not have been in last week's signatures, isn't hiding somewhere because it wasn't in the signature base when you downloaded it.

Set your AV settings to MAXIMUM.
In some cases, DEFAULT settings are way too low and liberal. If it goes higher ... set it higher. Better to have a false positive than miss something.

A 2 way firewall, in and most importantly ... OUT, that alerts to traffic is a must. Network traffic awareness is essential! CHECK that box in your network connections to place the network icon in your systray. Place your router where you can see the activity lights. KNOW when your machine is talking to something. Seeing network traffic when nothing should be connecting to the web is a sure sign something is wrong.

Run a rootkit detector monthly.
Rootkits are becoming the major problem as they cloak themselves in "allowed" system processes and are extremely stealthy.
PROCESS EXPLORER is a real PITA to use but it lets you see all the software tied to any system process.
Regular review with it lets you inventory who connects to what. If you find something you can't identify, use it to trace down the program and file and identify all unknowns.
Is it legitimate or are you looking at a hidden rootkit?
Look for unexplained network communication and unidentifiable files.
Regularly open TASK MANAGER or any other program like AdWatch that lets you see the tally of RUNNING PROCESSES. Remember the number. Memorize the list.
If you should have 31 processes running (at idle), and suddenly notice 35, find out exactly what they are and what they belong to.

LOOK through your System32, System, %\Documents and Settings\User (name)\Local settings\temp and %Windows folders now and then for strange files like X73gbw.exe or .dll. Rootkits and virus sometimes hide with oddball file names. Right click on the file and check PROPERTIES.
A legitimate .exe file will display the source name ie: Microsoft Corp, etc.

Get and run a PORT SCANNER (several free on CNET downloads)
Many LEGITIMATE processes will open or listen to one of the over 6000 ports (open windows to the outside world).
Many malicious apps will piggyback on one of those processes to use the common (open) port.
Know what ports are opened and used by what programs and processes.
CHANGE common ports when applicable, ie: Remote Desktop uses 3389 but you can change it to any number you want so long as you do the same on the target machine. Many commonly used (vulnerable) ports can be changed to a lesser targeted one.
RUN online port scans, ie: https://www.grc.com/x/ne.dll?bh0bkyd2
Find out if you have any unlocked doors.

Don't install "freebies".
Toolbars and the like, can not only contain and download malware and adware, they can be as pervasive and hard to remove as any virus. Many contain "statistical data gathering" functions that gather information on you, your machine, your surfing habits and silently report back to their home source. They don't tell you who they are talking to or when or what they are collecting and sending back.

Resist the urge to click on things!
Many people will post links to articles or pictures ... hey! go look at this! They may be someone you know and trust.
VERIFY the link BEFORE you click it! Mouse over it and look. Does the link go to a verifiable known site? Does it bear the mark of an "over there" address (as in somewhere in Asia or Russia)? Like I'm about to click on a link to a picture with an .ru address!

A lot of "noobs" in my gaming clan love to post links to funny videos and the like on our forums.
It wasn't that long ago that I clicked on one that immediately started to dl a rootkit. Fortunately, Nod32 was up to the job and blocked it. I had to inform a bunch of them who don't run Nod32 or tight security that they better format their machines or go clean out the garbage.

Use a better browser.
Firefox and Opera are not vulnerable to the same type of exploits found in IE.
Statistically, Firefox has experienced more vulnerabilities than IE, but they tend to fix holes before exploits start making use of them, at least much faster than MS. Most attacks are targeted at IE and not Firefox.

Segregate all downloads to a specific DOWNLOAD folder and not to your desktop and temps. Run a MANUAL scan on them BEFORE opening.
Even though Nod32 scans the file as it comes in from the web, a second manual deep scan is always advisable especially if it is any kind of compressed zip or rar archive AND, make sure your AV is set to scan within archived files of this type.

Put THIS site in your bookmarks for DAILY reading!
http://news.com.com/2001-1009_3-0.html?tag=ne
CNET Security page, where you will find the most up to the minute security alerts along with links to the most current patches. It also does not hurt to skim the Symantec security alerts news on their site or the Nod32 site.

And, for the really paranoid, remember the STANDBY button on your cable modem that will lock down internet access when not in use!

dbarrow
03-26-2006, 12:03 PM
Mike, one more thing ...
The Registry

Having studied the Registry, I'm sure by now you understand how it is the internal "guts" of your OS.
You know that NOTHING will work without a registry key to tell the OS where it lives, what it associates with, what it calls, and the parameters it requires. EVERYTHING must have reg keys!

A virus, trojan, rootkit or any other malware MUST have reg keys just the same as everything else.
A self-replicating virus or rootkit, for example, MUST have a reg key to tell the master file to look and see if it is running, and if not, to re-install it from the hidden installer file. In order to execute, run, or do whatever it does, it MUST have reg keys!

Above and beyond your AV, firewall, NAT router and all your other security measures there is ONE thing that I consider critical to stamping out malware and malicious apps .... locking the registry!

If the malware can't create the required reg keys, it can't execute! Plain and simple, you can have a folder full of any kind of bad trash and it is completely neutered if it can't create the required reg keys.

There are a multitude of "registry lock" programs out there. Many are part of some of the better anti-spyware/adware apps like Spybot and AdAware SE Plus. There are also some stand alone versions.

I may be mistaken, but I believe I recall reading somewhere that this will be included as part of Vista?

A Registry Lock is a key element of "safe computing".
If the malware gets past every other defense, it can't do any harm if it can't invade the registry and create its necessary keys.

These registry locks can be a royal PITA as they may be constantly popping up warnings or blocking you from doing something, like an install, until you grant permission for ANY registry modifications. I consider the aggravation worth it. It is the last and one of the most important layers of defense.

While most of these were designed for a much more simplistic purpose, like preventing a browser home page hijack, their power is not to be underestimated! Running one at all times places a gigantic padlock on your OS.

Sure, you may have to disable it or even remove it from startup to install a program. The controls are usually easy to manage and it is just one more thing you have to remember to do, like it or not.

I use AdAware SE Plus on all my machines (for years).
I seldom run AdAware as nothing gets in that needs to be cleaned out. What I consider worthy of the price of the program is the AdWatch registry lock.
AdWatch is one mean grizzly bear! It won't let anything modify the registry without permission. Some people find it too annoying for their tastes. Maybe I am just plain used to it and know how to handle it. You can create exception rules for those known apps that require regular registry modifications. You do have to remember to turn it off for installs and take it out of startup for anything that requires reboot that will initiate reg changes on startup.

Matter of fact, I have never been invaded by a virus, trojan or rootkit on any of my machines, a fact I attribute in part to AdWatch running behind Nod32, Zone Alarm, and the router. It has, on more than one occasion, saved me from doing something I didn't want to do or almost did inadvertently by my own inattention.

Whatever program you choose that includes a registry lock, find one that works and securely blocks any registry modification attempts. Do include one in your inventory of essential security measures!
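
The baseline-and-compare habit dbarrow describes in the two posts above (memorise the process count, know which ports are open and which process owns them, watch for registry keys that malware must create), written up as an added example that is not code from this thread or from any of the tools named in it. It diffs constructed `tasklist`, `netstat -ano` and `reg query` text instead of querying a live machine; X73gbw.exe (the thread's own oddball-file-name example), port 5555 and the Run-key contents are made-up sample values.

```python
import re

# Constructed sample snapshots (not from any real machine) standing in for the
# text output of `tasklist`, `netstat -ano` and `reg query HKLM\...\Run`, once
# on the clean baseline and once later. X73gbw.exe is the thread's own example
# of an oddball file name; port 5555 is an arbitrary made-up port number.
BASELINE = {
    "tasklist": """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
svchost.exe                    912 Services                   0     24,120 K
zlclient.exe                  1100 Console                    1     12,004 K
explorer.exe                  1504 Console                    1     38,400 K
""",
    "netstat": """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       912
""",
    "run": r"""HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ZoneAlarm    REG_SZ    "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
""",
}
LATER = {
    "tasklist": BASELINE["tasklist"]
    + "X73gbw.exe                    2044 Console                    1      3,212 K\n",
    "netstat": BASELINE["netstat"]
    + "  TCP    0.0.0.0:5555           0.0.0.0:0              LISTENING       2044\n",
    "run": BASELINE["run"] + "    X73gbw    REG_SZ    C:\\WINDOWS\\system32\\X73gbw.exe\n",
}

def parse_tasklist(text):
    """Map PID -> image name from `tasklist` output; header lines don't match."""
    procs = {}
    for line in text.splitlines():
        m = re.match(r"^(.+?)\s+(\d+)\s+(Services|Console)\s+\d+\s+[\d,]+ K\s*$", line)
        if m:
            procs[int(m.group(2))] = m.group(1).strip()
    return procs

def parse_netstat(text):
    """Set of (local port, PID) for TCP sockets in LISTENING state (the open doors)."""
    listening = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP" and parts[3] == "LISTENING":
            listening.add((int(parts[1].rsplit(":", 1)[1]), int(parts[4])))
    return listening

def parse_run_keys(text):
    """Map value name -> command from `reg query ...\\Run` output."""
    entries = {}
    for line in text.splitlines():
        m = re.match(r"^\s+(\S+)\s+(REG_\w+)\s+(.*)$", line)
        if m:
            entries[m.group(1)] = m.group(3).strip()
    return entries

def diff_snapshots(base, later):
    """Report what appeared since the clean baseline: new image names, new
    listening ports attributed to their owning process, new or changed Run
    entries, and the process counts for the 'remember the number' check."""
    base_procs = parse_tasklist(base["tasklist"])
    later_procs = parse_tasklist(later["tasklist"])
    base_ports = {port for port, _ in parse_netstat(base["netstat"])}
    base_run, later_run = parse_run_keys(base["run"]), parse_run_keys(later["run"])
    return {
        "process_count": (len(base_procs), len(later_procs)),
        "new_processes": sorted(set(later_procs.values()) - set(base_procs.values())),
        "new_ports": sorted((port, later_procs.get(pid, f"pid {pid}"))
                            for port, pid in parse_netstat(later["netstat"])
                            if port not in base_ports),
        "new_run_entries": {k: v for k, v in later_run.items() if base_run.get(k) != v},
    }

if __name__ == "__main__":
    for key, value in diff_snapshots(BASELINE, LATER).items():
        print(f"{key}: {value}")
```

On a real machine you would save the three command outputs to files right after imaging the clean test box, then feed fresh captures to diff_snapshots; anything it reports is what to look up, not necessarily malware.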

mikehende
03-26-2006, 02:10 PM
This is a LOT for me to soak in guys and will need a little time to break all of this down, as Pete has said I should do the backup first, the test pc is clean so I will go look at the Acronis software now over the net and will get back to you guys here, thank you all for the help!!

PeteF
03-26-2006, 03:25 PM
This is a LOT for me to soak in guys and will need a little time to break all of this down, as Pete has said I should do the backup first, the test pc is clean so I will go look at the Acronis software now over the net and will get back to you guys here, thank you all for the help!!

Thanks Mike, and welcome aboard.
---pete---

mikehende
03-26-2006, 03:29 PM
Great to be here Pete, glad you directed me to this site. I will be downloading the demo version of Acronis tomorrow and try out backing up or imaging the PC.

PeteF
03-26-2006, 03:35 PM
There are a multitude of "registry lock" programs out there. Many are part of some of the better anti-spyware/adware apps like Spybot and AdAware SE Plus. There are also some stand alone versions.

I may be mistaken, but I believe I recall reading somewhere that this will be included as part of Vista?


I've been saying that people will not be flocking to Vista when it's
finally released, but if MS were able to really make it secure such
that a newbie could surf the net without being infected by malware,
that would be a totally different story, and people would go for it
rather than pay to have their infected systems cleaned.

I read the Win Vista promotion at the MS site and I did not get
the impression that it's all that much more secure, but let's see
how it's finally marketed. That will be a good indicator.

---pete---

PeteF
03-26-2006, 03:49 PM
Great to be here Pete, glad you directed me to this site. I will be downloading the demo version of Acronis tomorrow and try out backing up or imaging the PC.

I'm not sure what the limits are on the demo version but I highly
recommend you buy it. It's a must have for doing what you
want to do.

Thanks for submitting your questions which resulted in some very
interesting posts here. I appreciate the efforts of everyone here! <applauding>

Everyone,
It's funny how things happen. I was on the Eudora vBulletin system
and Mike had an issue with Eudora SPAM filters, the thread was going
on and on for almost a month with no resolution. I came in at the
end and offered Mike a free Remote Assistance session and we
found what the problem was in a few minutes. Then we chatted
a while and I found Mike had great interest in computer servicing,
so I gave him this BBS and RBLs BBS as excellent sources of info.
Thanks all for helping him out!

---pete---

mikehende
03-27-2006, 07:21 AM
Now, how's this for timing? I have been taking certain CNET courses for a while now as their courses are very easy to understand, and since I will be starting today to get into networking and virus issues, looks like they read my mind?

http://pc-protect.workshops.help.com/

Between this mini-course and help from you guys, looks like I should have everything covered but if there is anything else you guys think I may need, please post, thanks.

mikehende
03-27-2006, 03:04 PM
I called up Acronis and spoke to one sales person this morning, then I called back a few minutes ago to ask another question before downloading and was shocked when another person told me that in order to use Acronis, I would have to get a license for "each" PC. Is this correct? I can't see that it makes sense for me to pay $60 or so to back up each PC with True Image? Is this what you guys do? Please clarify, thanks.

mylanta
03-27-2006, 05:52 PM
Legally that is true with most software; however, there really is no need to install it on all PCs, as you could use it with a rescue disk created from one without installing it on all. And the answer to your question for me is no, I don't have a license for each unit. And you can download it for $49.99 and make your own CDs besides. I never order CDs online for software.

mikehende
03-27-2006, 06:20 PM
I don't understand what happened when I called them. The first time I spoke to a guy who told me I can use it indefinitely; he never mentioned anything about "licenses" at all. Anyway, I was told that the demo has no limitations, so I will start doing the backup tomorrow and will keep you guys informed.