How to Respond to Malware Infections - Layman's Perspective

Greetings everyone,

 

I'm not a computer tech by trade.  I learned to type on a manual typewriter, routinely cleaned key gunk out of typewriter keys, made copies using carbon paper, cut stencils for use on a mimeograph, used a rotary dial phone, and had to walk across the room to change TV channels.  Everything I learned about computers was through trial and error, and self-study.  Everything I learned about malware has been through nieces and nephews (whom I affectionately refer to as the brain-damaged offspring of my well-adjusted and high-functioning siblings), most all of whom have had to contend with computer infections ranging from simple fixes to some really bad trojans.  Hence, what I've learned about malware infections comes from them, with some knowledge gained here and other places, all of which tells me I have limits (and I know them).  Now that my technical credentials (or lack thereof) have been established, here's some simple advice based more on what NOT to do than what to do.

 

HELP - I'M INFECTED.  The primary job of your anti-virus or security suite is preventive in nature.  For a host of reasons, one might fall victim to a malware attack despite one's best preventive efforts.  While most are likely the result of user-induced problems (for example, P2P downloads - and I've seen an instance where, despite warnings that an MP3 file was infected, the user disabled the AV software to download it and was, not surprisingly, infected with a nasty trojan), it's not useful to blame the victim or second-guess here.  At this point, you're at consequence management - time to fix the problem rather than the blame.

 

NIS (OR ANY OTHER AV SOFTWARE) DETECTS THE PROBLEM AND CLEANS THE INFECTION.  If you're lucky this is the case.  If, after a successive scan, you come up clean and stay that way, you can keep on trucking.

 

INFECTION RECURS, OR YOU GET NOTICE FROM YOUR AV PRODUCT THAT THE INFECTION NEEDS TO BE MANUALLY REMOVED:  Stop.  Right there.  Unless you're a truly competent malware removal specialist, taking on the job of removing a self-healing trojan, rootkit/bootkit, or malware of that nature is most likely going to be beyond your limits.  Seek help, either from a paid removal service (like Symantec's), or through volunteer forums.

 

WHAT NOT TO DO:  Run other tools (what are considered basic and what are advanced tools depends largely on who you ask), diagnostics, and so on.  Realize that there are a lot of people out there who know not that they know not, and may offer well-intended advice.  Running ComboFix is an example; ComboFix is not for the faint of heart, or for users other than those skilled in its use.  I've seen it cause more problems and crashes than solutions.  Anticipating and taking initiative based on what you see in other threads, while well-intentioned, does nothing but make matters worse.

 

STARTING THE FIX PROCESS:  Every forum, from AV manufacturers to volunteer forums, will tell you the same thing.  Wait until being told what to do or run, and follow directions to the letter.  They strive to make them easy for you to understand and carry out.  Don't be surprised if they send you away because you tried to do things on your own, ran something twice, or tried something someone else suggested in the midst of the process.  Where there's smoke there's fire, and what you think it might be might end up being much more.  Trained and accomplished removalists trying to help you are in high demand; they'll work with you, but they need to correctly identify the problem in order to help you fix it.  With as many variables as there are, this is not an easy task sometimes.  Malware infections are specific to machines, hence if you take the initiative to run one tool like everyone else based on other threads you're complicating the process.  So stop, don't get ahead of the process - initiative is great sometimes, but with malware removal you need to follow the bouncing ball.

 

REMEMBER:  Forum members are volunteers trying to help.  If you're sent away because you got ahead of the process or strayed from the instructions, you'll be sent somewhere else and will be told why.  I can understand why.  Countless volunteers spend countless hours doing this by grace; if you're unintentionally pushing on doors marked pull, don't be upset if someone sends you on your way.  Cooperate, graduate.  Simple as that.  In any case, pointed no-nonsense language is fine, but abusive language is not.  Live and learn.

 

That's my FWIW advice; others more tech savvy feel free to add/refute as necessary.

 

Regards,

Kelly


Well said.

Thank you

If only we had a wall to paste it up on!

 

Thanks Kelly for sharing all that.

I vote for the log in page

Or for those permanently logged in, a sticky or announcement on each individual forum.

Amen!


Kelly wrote:

Greetings everyone,

 

I'm not a computer tech by trade.  I learned to type on a manual typewriter, routinely cleaned key gunk out of typewriter keys, made copies using carbon paper, cut stencils for use on a mimeograph, used a rotary dial phone, and had to walk across the room to change TV channels.  Everything I learned about computers was through trial and error, and self-study.  Everything I learned about malware has been through nieces and nephews (whom I affectionately refer to as the brain-damaged offspring of my well-adjusted and high-functioning siblings), most all of whom have had to contend with computer infections ranging from simple fixes to some really bad trojans.  Hence, what I've learned about malware infections comes from them, with some knowledge gained here and other places, all of which tells me I have limits (and I know them).  Now that my technical credentials (or lack thereof) have been established, here's some simple advice based more on what NOT to do than what to do.

 

HELP - I'M INFECTED.  The primary job of your anti-virus or security suite is preventive in nature.  For a host of reasons, one might fall victim to a malware attack despite one's best preventive efforts.  While most are likely the result of user-induced problems (for example, P2P downloads - and I've seen an instance where, despite warnings that an MP3 file was infected, the user disabled the AV software to download it and was, not surprisingly, infected with a nasty trojan), it's not useful to blame the victim or second-guess here.  At this point, you're at consequence management - time to fix the problem rather than the blame.

 

NIS (OR ANY OTHER AV SOFTWARE) DETECTS THE PROBLEM AND CLEANS THE INFECTION.  If you're lucky this is the case.  If, after a successive scan, you come up clean and stay that way, you can keep on trucking.

 

INFECTION RECURS, OR YOU GET NOTICE FROM YOUR AV PRODUCT THAT THE INFECTION NEEDS TO BE MANUALLY REMOVED:  Stop.  Right there.  Unless you're a truly competent malware removal specialist, taking on the job of removing a self-healing trojan, rootkit/bootkit, or malware of that nature is most likely going to be beyond your limits.  Seek help, either from a paid removal service (like Symantec's), or through volunteer forums.

 

WHAT NOT TO DO:  Run other tools (what are considered basic and what are advanced tools depends largely on who you ask), diagnostics, and so on.  Realize that there are a lot of people out there who know not that they know not, and may offer well-intended advice.  Running ComboFix is an example; ComboFix is not for the faint of heart, or for users other than those skilled in its use.  I've seen it cause more problems and crashes than solutions.  Anticipating and taking initiative based on what you see in other threads, while well-intentioned, does nothing but make matters worse.

 

STARTING THE FIX PROCESS:  Every forum, from AV manufacturers to volunteer forums, will tell you the same thing.  Wait until being told what to do or run, and follow directions to the letter.  They strive to make them easy for you to understand and carry out.  Don't be surprised if they send you away because you tried to do things on your own, ran something twice, or tried something someone else suggested in the midst of the process.  Where there's smoke there's fire, and what you think it might be might end up being much more.  Trained and accomplished removalists trying to help you are in high demand; they'll work with you, but they need to correctly identify the problem in order to help you fix it.  With as many variables as there are, this is not an easy task sometimes.  Malware infections are specific to machines, hence if you take the initiative to run one tool like everyone else based on other threads you're complicating the process.  So stop, don't get ahead of the process - initiative is great sometimes, but with malware removal you need to follow the bouncing ball.

 

REMEMBER:  Forum members are volunteers trying to help.  If you're sent away because you got ahead of the process or strayed from the instructions, you'll be sent somewhere else and will be told why.  I can understand why.  Countless volunteers spend countless hours doing this by grace; if you're unintentionally pushing on doors marked pull, don't be upset if someone sends you on your way.  Cooperate, graduate.  Simple as that.  In any case, pointed no-nonsense language is fine, but abusive language is not.  Live and learn.

 

That's my FWIW advice; others more tech savvy feel free to add/refute as necessary.

 

Regards,

Kelly


Great post and advice, and I would like to also add that it would be a TREMENDOUS benefit if folks proofread and spell-checked their posts prior to hitting the "Post" button.

Using clear and proper English would help the folks helping with the problems.

 

The forum has a spell check feature and it works a treat!

 

I completely understand that English is not the first language for everyone, however that spell check button is very easy to see and use.

Hi Kelly,

 

Very well said!! :smileyhappy:

 

Best wishes.

Allen

Hello Kelly

 

You may not be a tech savvy individual, but you are one who can express yourself almost perfectly. Your post should be put some place where everyone can see it. It should be seen by people when they install the product so that they know what not to do just in case they do get some malware. This is just my opinion.

How to Respond to Malware Infections    WHAMM!!!!

 


Quads

Hello Kelly,
Bet the folk arriving here daily will really appreciate your post. The paid-for help should do the fixing, not the lone volunteer. Norton should not be charging twice; supply a fix or refund the dosh. The free stuff relies on volunteers; the paid-for stuff shouldn't. Norton is no longer the king of the hill; others are now offering better protection and professional help when you need it. I suggest before you post another kudos-gathering comment you drop in on some of the highly respected organizations who test the likes of Norton and post back when you find a recent one that puts Norton at the head of the list.


sturgess wrote:

Hello Kelly,
Bet the folk arriving here daily will really appreciate your post. The paid-for help should do the fixing, not the lone volunteer. Norton should not be charging twice; supply a fix or refund the dosh. The free stuff relies on volunteers; the paid-for stuff shouldn't. Norton is no longer the king of the hill; others are now offering better protection and professional help when you need it. I suggest before you post another kudos-gathering comment you drop in on some of the highly respected organizations who test the likes of Norton and post back when you find a recent one that puts Norton at the head of the list.



Hi sturgess,

 

I would have to disagree here. There is not a single anti-virus company out there who guarantees a user won't get an infection. In some instances a company might assist in malware removal for free but this is by no means a warranty of the product. The reality is that there are too many things the user themselves can do to cause an infection to occur which goes beyond the capability of the AV software to prevent. Couple that with the fact that there will always be new malware coming out along with pre-existing malware which morphs dramatically over time and you can see that any company who makes that sort of guarantee won't be in business long.

 

What you should look at is where you would be without the AV software such as Norton. Risk of infection is exponentially higher and the number of actual infections would also be dramatically higher.

 

Best wishes.

Allen

One more piece of advice: be patient. Volunteers are working people, you know. :smileytongue:  Also, if things are "too much" for you, simply take it into a computer repair shop asap and do nothing else.

 

Also, I have questions of my own: while waiting for a response is it recommended to "shut down" a PC and do nothing?

 

How about nuking the PC with a factory restore (one on a separate partition on the hard drive)? Would that wipe out the virus?  How about re-installing the OS or wiping the disk?

 

Another question is can a virus infect the BIOS and what could be done about it?

Hi scarfy,

 

Turning off an infected computer and then taking it to a repair shop is a good course of action, since the infection cannot get any worse if you do that.

 

While restoring from a factory restore disk will wipe out the infected files, infections such as MBR infections (e.g. the common TDL 4 infection) need to be removed using tools like TDSS Killer, or manually using the Recovery Console of Windows XP or the Pre-Installation Environment of Windows Vista and Windows 7, since such infections survive a standard format of the hard disk.

 

As for your question on infecting a BIOS, it is possible and is most likely to occur in targeted attacks against a company or an individual. For details about this type of threat and how to protect against it, see the NIST PDF linked to in the following blog post:

 

http://threatpost.com/en_us/blogs/nist-offers-guidelines-securing-bios-082412

 

I hope the above information is of assistance to you. Please let me know if I can assist further.

 

Thank you.

 

---------------------------------

 

I have provided full details of the manual removal of such infections for Windows XP, Vista and Windows 7.

Instructions on using TDSS Killer can be found at:

 

http://support.kaspersky.com/find?faq_id=2663

 

You might also find the following article on TDSS rootkits useful:

 

http://www.bleepingcomputer.com/virus-removal/remove-tdss-tdl3-alureon-rootkit-using-tdsskiller

---------------------------------

Windows XP:

 

Follow the instructions under the heading "Option 2: Starting the Windows Recovery Console from the Windows XP CD-ROM" from the following link:

 

http://support.microsoft.com/kb/314058/en-us

 

(All Microsoft links/content above is: ©2012 Copyright Microsoft Corporation, All Rights reserved.)

 

I would suggest using the FIXMBR and FIXBOOT commands as detailed in the above link.

 

Reboot the computer once complete. The computer should now start Windows.

 

Further Useful Links for Windows XP:

 

How to install and use the Recovery Console in Windows XP:

http://support.microsoft.com/kb/307654/en-us

 

How to remove Windows Recovery Console (Windows XP):

http://support.microsoft.com/kb/555032/en-us

 

For Windows Vista and Windows 7

 

See the following article:

http://support.microsoft.com/kb/927392/en-us

 

(All Microsoft links/content above is: ©2012 Copyright Microsoft Corporation, All Rights reserved.)

 

As before, start the computer and put the Windows installation DVD in the drive (as described for Windows XP above).

 

Press a key when prompted, then set the language and keyboard layout that you wish to use when the GUI loads (i.e. when you can see graphics on the screen).

 

Follow the steps mentioned in the above knowledge base article to open a Command Prompt window and type:

 

Repair the MBR

Bootrec.exe /FixMbr

 

Reboot the computer.

 

Repair the Windows Boot Loader

If the PC does not boot, try all of the above steps again but then run the following command:

 

Bootrec.exe /FixBoot

 

Repair the BCD (Windows Vista and Windows 7 only)

If none of the above commands have resulted in the computer starting as normal, try the final command below:

 

Bootrec.exe /RebuildBcd

 

If you encounter the "Bootmgr is Missing" error on boot up, you can instead use the following commands to resolve it:

 

Follow the above steps but substitute the following commands after opening the Command Prompt window:

 

bcdedit /export C:\BCD_Backup

c:

cd boot

attrib bcd -s -h -r

ren c:\boot\bcd bcd.old

bootrec /RebuildBcd

Ah OK.  As long as I don't install malicious or tampered BIOS, I would be safe against BIOS attacks.  BIOS from the manufacturer site should be safe right?

 

Also, shouldn't the factory restore wipe all partitions and wipe the MBR as well?  How about those that restore via the disk?

 

Also, how about during a procedure?  I read on some malware removal forums NOT to restart the PC as that can re-load the PC with the virus that the malware remover killed.

Hi Scarfy,

 

The factory restore/wipe may or may not clear and re-write the MBR, it will vary from manufacturer to manufacturer. From what I know about partitions on disks, deleting all partitions should clear the MBR, but I am not totally sure on that. This is why I provided the instructions that DO clear and re-write the MBR in the above post.

 

I would imagine that restoring from the disk would NOT re-write the MBR, since it is simply copying over all of the data on the partitions and does not delete and re-create the partition(s). Even so, there is no way to tell if it cleared the MBR unless you dump the MBR to a file before the restore, perform the restore and then make a new MBR dump and compare them. A utility such as MBRFix can write the MBR to a file.

 

MBRFix is available from (scroll down the page and choose “Download”):

 

http://www.sysint.no/products/Downloads/tabid/536/Default.aspx

 

As for re-loading malware during a procedure, that is true, if for example, you delete some malware that was being loaded at Windows start-up but do not remove the start-up entries from the Windows registry, those files can get re-created (this varies from infection to infection).

 

Unless you know what you are doing, I don't recommend carrying out a manual removal yourself. I have carried out countless malware removals in my previous job and they are not for the faint-hearted. Forum members such as Quads do an excellent job on this forum.

 

I hope the above information is of assistance to you. Please let me know if I can assist further.

 

Thank you.

 

---------------------------------
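One way to carry out the before/after MBR comparison JimboC describes above, as an added example that is not part of this thread and not MBRFix's own code: a Python script that parses two 512-byte MBR dumps (as written by MBRFix or any raw sector dump) and reports whether the boot code, the partition table or the boot signature changed, so you can tell a data-only restore from one that re-wrote sector 0. The sample MBR sectors and their boot-code bytes are constructed inline and are placeholders, not real loader code.

```python
import struct

SECTOR = 512               # a classic MBR occupies the first 512-byte sector
BOOT_CODE_LEN = 446        # bytes 0..445: boot code (what a bootkit typically replaces)
PART_TABLE_OFF = 446       # bytes 446..509: four 16-byte partition entries
PART_ENTRY_LEN = 16
SIGNATURE = b"\x55\xAA"    # bytes 510..511: boot signature
ENTRY_FMT = "<B3xB3xII"    # status, CHS start (skipped), type, CHS end (skipped), LBA start, sectors


def parse_partition_table(mbr: bytes) -> list:
    """Decode the four partition entries of a 512-byte MBR dump."""
    if len(mbr) != SECTOR:
        raise ValueError(f"MBR dump must be {SECTOR} bytes, got {len(mbr)}")
    entries = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            ENTRY_FMT, mbr, PART_TABLE_OFF + i * PART_ENTRY_LEN)
        entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def compare_mbr_dumps(before: bytes, after: bytes) -> dict:
    """Report which regions differ between a pre-restore and a post-restore MBR dump.

    Unchanged boot code means the restore never touched sector 0, so anything living
    there survived; changed boot code means it was overwritten (compare against a
    known-good MBR to confirm the new contents are clean).
    """
    for name, dump in (("before", before), ("after", after)):
        if len(dump) != SECTOR:
            raise ValueError(f"{name} dump must be {SECTOR} bytes, got {len(dump)}")
    boot_before, boot_after = before[:BOOT_CODE_LEN], after[:BOOT_CODE_LEN]
    table_end = PART_TABLE_OFF + 4 * PART_ENTRY_LEN
    table_before, table_after = before[PART_TABLE_OFF:table_end], after[PART_TABLE_OFF:table_end]
    return {
        "boot_code_changed": boot_before != boot_after,
        "boot_code_bytes_differing": sum(a != b for a, b in zip(boot_before, boot_after)),
        "partition_table_changed": table_before != table_after,
        "signature_ok": after[510:512] == SIGNATURE,
    }


def build_sample_mbr(boot_code: bytes, partitions: list) -> bytes:
    """Constructed sample MBR (not a real disk image) from placeholder boot code and
    (type, lba_start, sectors, bootable) tuples; used only for the demonstration below."""
    sector = bytearray(SECTOR)
    code = boot_code[:BOOT_CODE_LEN]
    sector[:len(code)] = code
    for i, (ptype, lba_start, sectors, bootable) in enumerate(partitions):
        struct.pack_into(ENTRY_FMT, sector, PART_TABLE_OFF + i * PART_ENTRY_LEN,
                         0x80 if bootable else 0x00, ptype, lba_start, sectors)
    sector[510:512] = SIGNATURE
    return bytes(sector)


# Constructed sample data: one NTFS (type 0x07) partition, identical in every dump.
LAYOUT = [(0x07, 2048, 204800, True)]
ORIGINAL_BOOT_CODE = b"\xEB\x63\x90" + bytes(443)       # placeholder, not real boot code
REWRITTEN_BOOT_CODE = b"\x33\xC0\x8E\xD0" + bytes(442)  # placeholder for freshly written code
MBR_BEFORE = build_sample_mbr(ORIGINAL_BOOT_CODE, LAYOUT)
MBR_AFTER_DATA_ONLY_RESTORE = MBR_BEFORE                # a restore that never touched sector 0
MBR_AFTER_FIXMBR = build_sample_mbr(REWRITTEN_BOOT_CODE, LAYOUT)

if __name__ == "__main__":
    for label, after in (("data-only restore", MBR_AFTER_DATA_ONLY_RESTORE),
                         ("FixMbr", MBR_AFTER_FIXMBR)):
        print(label, compare_mbr_dumps(MBR_BEFORE, after))
    print(parse_partition_table(MBR_BEFORE)[0])
```

On a real machine, replace the constructed constants with `open("before.bin", "rb").read()` and `open("after.bin", "rb").read()` on the two MBRFix dumps.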

My apologies to the original poster for taking this thread off-topic.

No, I don't have malware on my PC (I scan monthly with MBAM and Norton, which turns up clean).  I was just curious.

 

Between malware removal steps, what should be done?  I combed the threads and I didn't see Quads deal with this aspect.  He mostly says do this, then report back.  After that, the user has to wait up to 24 hours before Quads replies.  So what must the user do after performing the step that Quads required?  I presume the PC is not safe to do anything else on, like checking email etc.

 

Edit: I changed my sig to link to this post.

Hi scarfy,

 

You are correct, if the computer is infected, any activity that you perform on it, including checking email is a potential danger.

 

As for what steps to carry out between the instructions that Quads provides, only Quads can answer that. The same applies as to what to do after the malware is removed. I do not want to interfere with the excellent work that Quads does. I know it can be frustrating having to wait for the instructions, but please remember that Quads is a volunteer but provides instructions of the same quality as a paid-for service (I have noticed that Quads clearly states when the computer is free from malware, which is very reassuring).

 

Thanks.


JimboC wrote:

Hi scarfy,

 

You are correct, if the computer is infected, any activity that you perform on it, including checking email is a potential danger.

 

As for what steps to carry out between the instructions that Quads provides, only Quads can answer that. The same applies as to what to do after the malware is removed. I do not want to interfere with the excellent work that Quads does. I know it can be frustrating having to wait for the instructions, but please remember that Quads is a volunteer but provides instructions of the same quality as a paid-for service (I have noticed that Quads clearly states when the computer is free from malware, which is very reassuring).

 

Thanks.


Yeah, I realized that, but I see Quads does not mention anything to do while the malware cleanup is in progress and the user has to "wait" between instructions.  I think Quads should change his malware removal style to address that.

Sturgess,

 

T'was not the point of my post.

 

Whether Norton AV or NIS is top dog in the security suite anti-virus world is, for the purposes of this discussion, a moot point.  The content is based on what I've absorbed from reading numerous pleas for help, and where users get themselves in trouble - here and other forums as well by getting ahead of the game or venturing on their own.

 

Norton, like all AV programs, is defensive in nature.  It's an anti-virus, and if it were designed to be offensive and attack malware it would be more appropriately called something like a "counter-virus."

 

Not too many people read and understand the Terms and Conditions of Use, End User License Agreements, and so on.  They merely tick the box, knowing if they don't the program won't install.  A look across the board at all of them will tell you they all say the same thing.  In his post below, AllenM nails it quite succinctly.  No company has any control over end users, how they maintain their computer, how often they install patches and fixes, and they certainly have no control over where on the Wild, Wild Web people travel.  For example, nothing good comes from P2P file sharing, though a lot of people use it because everyone else does, usually to get something for nothing.  It comes with risk.  One would rightly expect Symantec to fix a malware infection it cannot prevent if it had total control over one's computer.  That would mean Norton (substitute any other AV company name if you wish) would guarantee everything, have control over your computer, determine where it will let you go, and so on.  That's pretty Orwellian, outright creepy, and no one I know would find that acceptable.  But with license to use the product comes limits on liability.  From my experience, Symantec provides free of charge support to fix issues with the program's functionality, but taking on the task of removing malware comes with a price.  There are too many things beyond any company's control to zero defect manage it.  And until someone comes up with a way to make the internet a totally crime-free neighborhood that spans across the globe, it will continue to be that way.

 

Root causes, user errors, the sophistication of malware attacks, and so on would be a good subject for another time.  The point of the post was that if you find yourself at crisis management, fix the problem and not the blame.  And regardless of where one goes, be it a paid virus removal service or a tech forum, the intent is to point out (from what I gather here and at other forums) what not to do.  The first two sayings from the NRA's Eddie Eagle on educating children if they find an unattended firearm come to mind:  Stop, don't touch.....

 

Regards,

Kelly