How to disinfect a computer

Hi Experts:

I got a new client with 1 Server 2003 machine and 6 workstations. I went to evaluate the systems and the workstations had an antispyware called SuperAntiSpyware installed on each one. I updated the antispyware and started scanning the systems, and to my surprise the program detected on each computer close to 1,000 items (adware, spyware and several Trojans). They needed a lot of the Microsoft updates, and on 2 computers I could not even update the antivirus. I tried to clean one of the computers and after cleaning it would not take me to the LOG ON SCREEN (it was just looping for 15 minutes), so what I did was go to the Last Known Good Configuration and I was able to log on again.
Question: What would be your approach to this situation? I was thinking of cleaning and removing the viruses and spyware, but in doing this I know that some programs will not work properly and some infected files will disappear. I need to have an idea of what is best for my client and show him the different options.

Please advise me guys.
chenzovicc asked:
 
mikesell commented:
Rather than reboot to the last known configuration you could use msconfig and start only a few services.

I would go Start, Run, msconfig. In the Startup tab I would uncheck everything and restart the computer. If it comes up fine, then try and run the updates.

You could also uncheck unneeded services from the services tab.
0
 
Aaron Tomosky (SD-WAN Simplified) commented:
Go to download.com on another PC. Download malwarebytes antimalware. Save it to a flash drive or cd. Boot the infected PC into safe mode (hold f8 I think during startup). Install mbam and do the full scan. Reboot into normal mode. Update mbam and run another full scan.
0
 
brimac21 commented:
If the PCs are that infected (1,000 items: adware, spyware and several Trojans), start fresh. I would recommend reformatting one, reinstalling all software, including antivirus, turning firewalls on, testing with your client to ensure it has everything they use, and then imaging it out to the other workstations.
0
 
Danny Child (IT Manager) commented:
You've got to secure the **user data** first, and then worry about the operating systems. If their systems are so wide open that they've picked up as much grief as you say, then the next step is to decide on what new secure method of working they're going to use in the future.

No point starting any rebuilds till some serious lessons have been learned AND implemented.
0
 
optoma commented:
Run these quick scanners on the machines.
The reason that machine kept rebooting until Last Known Good was selected is probably that SAS removed an infected required .sys file and did not replace that .sys file with a clean copy.
Hitman Pro: http://www.surfright.nl/en/hitmanpro
TDSSKiller.exe: http://support.kaspersky.com/viruses/solutions?qid=208280684
0
 
Mohammed Hamada (Senior IT Consultant) commented:
As for the first step:
Since you are able to access these files on the clients and server, I would recommend that you back up all of the files to an external device and then try to disinfect the machines.

The second step is to get the Kaspersky Rescue Disk, update it and scan each machine for viruses. That would save you loads of time and cure/disinfect files.

0
 
chenzovicc (Author) commented:
Thanks for all your comments, but let me ask you:
What can be the result of removing so many adware and Trojans in safe mode?
My experience has been that some files disappear, some programs start giving errors and sometimes the computer will not reboot.

0
 
optoma commented:
Removing them in Safe or Normal mode is really no different, apart from the scanner creating a restore point before removal, if applicable. Depending on the type of infection and which files are infected, legit programs can be left giving errors.
0
 
xtreminator (DIYer) commented:

Use this recently announced tool from Kaspersky.

Tool to make a USB bootable: http://rescuedisk.kaspersky-labs.com/rescuedisk/updatable/rescue2usb.exe

Bootable image file: http://rescuedisk.kaspersky-labs.com/rescuedisk/updatable/kav_rescue_10.iso

Manual: http://support.kaspersky.com/downloads/guides/kasp10.0_rescuedisk_en.pdf

Download the above files, make a bootable USB flash drive using rescue2usb.exe and kav_rescue_10.iso, boot from the flash drive and scan the system.
0
 
Danny Child (IT Manager) commented:
All Safe Mode does is run on a "skeleton crew" of minimal drivers and applications. This leaves more areas available for proper cleaning. Also, as fewer processes start up, there are fewer ways for the viruses to hide or otherwise embed themselves in the system.

However, if the system cannot recover after the cleaning, then it is the virus that caused this, as the infection was so bad that removal damaged the file. The option of cleaning in Normal Mode, and therefore not cleaning as thoroughly, is worse. This is why I suggest capturing all user files and cleaning them, but reloading the OS and all applications from scratch. There shouldn't be much executable code in the user files, so it's easier, quicker and safer to do this.

0
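The point above, that captured user files should contain little or no executable code, can be checked before the data is restored onto a rebuilt machine. The following is an added example (not code from this thread or from any product mentioned in it): it walks a copied user-data tree and flags files by content signature (the PE "MZ" header, a shebang) as well as by risky extension, so a renamed executable hiding behind a document extension is still caught. The watch lists and the sample tree are constructed for the demonstration.

```python
"""Triage copied user data for executable content before restoring it.

Added example, not code from the thread or any product named in it. Content
signatures (PE "MZ" header, script shebang) are checked first, then risky
extensions, so a renamed executable is still caught. The sample tree below
is constructed for the demonstration.
"""
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple

# Extensions Windows or its script hosts will execute (constructed list, not exhaustive)
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".vbs", ".vbe", ".js", ".jse", ".wsf", ".ps1", ".dll", ".hta"}
# Extensions that should hold documents or media, never native code
DATA_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".txt",
                   ".jpg", ".png", ".gif"}


def classify(path: Path) -> Optional[str]:
    """Return a reason string if the file looks executable, else None."""
    with open(path, "rb") as fh:
        head = fh.read(4)
    ext = path.suffix.lower()
    is_pe = head.startswith(b"MZ")        # DOS/PE executable header
    is_script = head.startswith(b"#!")    # shebang script
    if is_pe and ext in DATA_EXTENSIONS:
        # Native code behind a document extension: the most suspicious case
        return "pe-header-disguised-as-" + ext.lstrip(".")
    if is_pe:
        return "pe-executable"
    if is_script:
        return "shebang-script"
    if ext in EXEC_EXTENSIONS:
        return "executable-extension"
    return None


def scan_tree(root: Path) -> List[Tuple[str, str]]:
    """Walk root and return sorted (relative path, reason) pairs for flagged files."""
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        reason = classify(path)
        if reason:
            findings.append((path.relative_to(root).as_posix(), reason))
    return sorted(findings)


# Constructed sample user-data tree; the byte contents are placeholders.
SAMPLE_FILES = {
    "Documents/report.txt": b"quarterly notes\n",
    "Documents/invoice.pdf.exe": b"MZ\x90\x00\x03\x00",       # double extension + PE header
    "Documents/resume.doc": b"MZ\x90\x00\x03\x00",            # PE bytes behind a .doc name
    "Pictures/photo.jpg": b"\xff\xd8\xff\xe0",                # JPEG magic, harmless
    "Desktop/update.vbs": b"' constructed placeholder\r\n",  # script-host extension
}


def build_sample_tree(root: Path) -> None:
    """Write the constructed sample files under root."""
    for rel, data in SAMPLE_FILES.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)


def demo() -> List[Tuple[str, str]]:
    """Build the sample tree in a temporary directory and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{reason:28} {rel}")
```

Run it against the real copy with `scan_tree(Path(r"D:\backup\users"))` (path is an assumption); anything flagged is reviewed or left out of the restore rather than copied blindly back onto the clean build.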
 
lexxprime commented:
Well, the chances of you getting a system with that many infections back after removing the infected files are rather low.
To be honest, you need to prepare for a reinstall anyway.
So make sure to make a backup of the needed files, format, and then reinstall the OS.

I know it may not be a popular choice, but it's a solid and good solution.

If you have another partition or hard drive available, you could try and install on that drive while still keeping the old files (but be sure to clean up after you do, or else you risk booting the infected partition and infecting the whole system).

Sincerely Lexx
0
 
lexxprime commented:
In the future I would install these two programs:

http://www.microsoft.com/security_essentials/
and http://malwarebytes.org/

and then advise them to scan with them every two weeks or so.

Sincerely Lexx
0
 
philby11 commented:
Hi chenzovicc,
SAS (SuperAntiSpyware) provides a "manage quarantine" feature which gives you the ability to restore any system files that may have been quarantined, to at least get you booting.
You will need to look over the list of files it has detected problems in to see if there are critical system files in the mix, i.e. the page file.
Malwarebytes is a great tool, as stated earlier.
There are a lot of bugs out there that can corrupt the hosts file to prevent access to most known antivirus programs; Spybot Search & Destroy is a cleaner that can actually protect the hosts file from corruption.
Which virus you have will determine the best cleaning approach.
I would be advising your client to monitor staff usage of the internet, make sure they are not downloading from suspect sites, and maybe place some policy restrictions on the internet access that they have.
Hope this helps
0
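The hosts-file corruption described above is easy to check for by hand on one machine but tedious across a fleet. The following is an added example (not from this thread, Spybot or any other product named here): it parses Windows hosts-file syntax and flags any entry that pins a security-vendor domain, distinguishing entries that point the domain at a loopback or unspecified address (update blocking) from entries that send it somewhere else (redirection). The vendor watch list and the sample file are constructed for the demonstration; a real list would be longer.

```python
"""Flag hosts-file entries that hijack security-vendor domains.

Added example, not code from the thread or from any product it names.
The watch list and sample hosts file are constructed for the demonstration.
"""
import ipaddress
from typing import List, Tuple

# Constructed watch list: domains a workstation must reach for AV/antispyware updates.
WATCHED_DOMAINS = (
    "microsoft.com", "windowsupdate.com", "malwarebytes.org",
    "superantispyware.com", "kaspersky.com", "safer-networking.org",
)


def is_watched(host: str) -> bool:
    """True if host equals, or is a subdomain of, a watched domain."""
    return any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)


def parse_hosts(text: str) -> List[Tuple[int, str, List[str]]]:
    """Return (line_number, ip, [hostnames]) for each active hosts entry."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments and surrounding whitespace
        if not line:
            continue
        parts = line.split()
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue                          # first token is not an address; skip malformed line
        entries.append((lineno, ip, [h.lower() for h in parts[1:]]))
    return entries


def find_hijacks(text: str) -> List[Tuple[int, str, str, str]]:
    """Return (line, ip, hostname, kind) for every watched domain pinned in the hosts file.

    kind is "blocked" when the address is loopback or unspecified (the usual
    update-blocking trick) and "redirected" for any other address.
    """
    findings = []
    for lineno, ip, hosts in parse_hosts(text):
        addr = ipaddress.ip_address(ip)
        kind = "blocked" if (addr.is_loopback or addr.is_unspecified) else "redirected"
        for host in hosts:
            if is_watched(host):
                findings.append((lineno, ip, host, kind))
    return findings


# Constructed sample hosts file; 203.0.113.7 is from a documentation address range.
SAMPLE_HOSTS = "\n".join([
    "# constructed sample hosts file",
    "127.0.0.1       localhost",
    "127.0.0.1       www.malwarebytes.org",
    "0.0.0.0         update.microsoft.com",
    "203.0.113.7     www.superantispyware.com   # sent to a foreign host",
    "192.168.1.10    fileserver.corp.local",
]) + "\n"


if __name__ == "__main__":
    for lineno, ip, host, kind in find_hijacks(SAMPLE_HOSTS):
        print(f"line {lineno}: {host} -> {ip} ({kind})")
```

On a real machine, read `%SystemRoot%\System32\drivers\etc\hosts` and pass its contents to `find_hijacks`; the `fileserver.corp.local` line shows that ordinary internal entries are left alone, only the vendor domains are reported.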
 
chenzovicc (Author) commented:
Thanks for your advice. I have a problem with one of the computers, the most infected one. I am planning on reinstalling, but the problem is that 3 of the programs this computer has installed at the moment were purchased several years ago and were custom-made for them by a programmer, and that guy is no longer alive.
Is there any program that can transfer only specific programs? I have used several cloning programs but never one that will clone only certain programs.

Please advise.
0
 
optoma commented:
You have a backup!
Try cleaning it :)
Don't know of a program as such.
0
 
Mohammed Hamada (Senior IT Consultant) commented:
I've heard of such a program but was never able to find it online. However, for some very small programs it might work if you copy the folder where the program is located on your computer to a different computer.

But if the program has any references to the registry or DLLs in the system folders, then it would likely fail and keep asking for missing files.

But I think it's worth a try.

Good luck
0
 
Danny Child (IT Manager) commented:
PCmover from LapLink claims to be able to move individual apps...

Not tried it myself, but they've been around forever, which is something...
http://www.pc-mover.com/
0
 
chenzovicc (Author) commented:
Thanks to all of you. It is hard for me to grade as all of you gave me a lot of knowledge.

Thanks
0