• Status: Solved
  • Priority: Medium
  • Security: Public

How to disinfect a computer

Hi Experts:

I got a new client with 1 Server 2003 and 6 workstations. I went to evaluate the systems, and the workstations had an antispyware called SuperAntiSpyware installed on each one. I updated the antispyware and started scanning the systems, and to my surprise the program detected close to 1,000 items on each computer (adware, spyware and several Trojans); they needed a lot of the Microsoft updates, and on 2 computers I could not even update the antivirus. I tried to clean one of the computers, and after cleaning it would not take me to the LOG ON SCREEN (it was just looping for 15 minutes), so what I did was go to the Last Known Good Configuration, and I was able to log on again.
Question: What would be your approach to this situation? I was thinking of cleaning and removing the viruses and spyware, but in doing this I know that some programs will not work properly and some infected files will disappear. I need to have an idea of what is best for my client and show him the different options.

Please advise me guys.
Asked:
chenzovicc
Aaron Tomosky (Technology Consultant) commented:
Go to download.com on another PC. Download Malwarebytes Anti-Malware. Save it to a flash drive or CD. Boot the infected PC into safe mode (hold F8, I think, during startup). Install MBAM and do the full scan. Reboot into normal mode. Update MBAM and run another full scan.
 
mikesell commented:
Rather than reboot to the Last Known Good Configuration, you could use msconfig and start only a few services.

I would go Start, Run, msconfig. In the Startup tab I would uncheck everything and restart the computer. If it comes up fine, then try and run the updates.

You could also uncheck unneeded services from the Services tab.
 
brimac21 commented:
If the PCs are that infected (1,000 items: adware, spyware and several Trojans), start fresh. I would recommend reformatting one, reinstalling all software, including antivirus, turning firewalls on, testing with your client to ensure it has everything they use, and then imaging it out to the other workstations.
 
Danny Child (IT Manager) commented:
You've got to secure the **user data** first, and then worry about the operating systems. If their systems are so wide open that they've picked up as much grief as you say, then the next step is to decide on what new secure method of working they're going to use in the future.

No point starting any rebuilds till some serious lessons have been learned AND implemented.
 
optoma commented:
Run these quick scanners on the machines.
The reason for that machine rebooting until Last Known Good was selected is probably that SAS removed an infected required .sys file and did not replace that .sys file with a clean copy.
Hitman Pro http://www.surfright.nl/en/hitmanpro
Tdsskiller.exe http://support.kaspersky.com/viruses/solutions?qid=208280684
 
Mohammed Hamada (Senior IT Consultant) commented:
As for the first step:
I would recommend, since you are able to access these files on the clients and server, that you back up all of those files to an external device and then try to disinfect the machines.

The second step is to get the Kaspersky Rescue Disk, update it, and scan each machine for viruses. That would save you loads of time and cure/disinfect files.

 
chenzovicc (Author) commented:
Thanks for all your comments, but let me ask you:
What can be the result of removing so many adware and Trojans in safe mode?
My experience has been that some files disappear, some programs start giving errors, and sometimes the computer will not reboot.

 
optoma commented:
Removing them in Safe or Normal mode is really no different, apart from the scanner creating a restore point before removal, if applicable. Depending on what type of infection it is and what files are infected, it can cause legit programs to give errors.
 
xtreminator commented:

Use this recently announced tool from Kaspersky:

Tool to make the USB bootable: http://rescuedisk.kaspersky-labs.com/rescuedisk/updatable/rescue2usb.exe

Bootable image file: http://rescuedisk.kaspersky-labs.com/rescuedisk/updatable/kav_rescue_10.iso

Manual: http://support.kaspersky.com/downloads/guides/kasp10.0_rescuedisk_en.pdf

Download the above files, make a bootable USB flash drive using rescue2usb.exe and kav_rescue_10.iso, boot from the flash drive, and scan the system.
 
Danny Child (IT Manager) commented:
All Safe Mode does is run on a "skeleton crew" of minimal drivers and applications. This leaves more areas available for proper cleaning. Also, as fewer processes start up, there are fewer ways for the viruses to hide or otherwise embed themselves in the system.

However, if the system cannot recover after the cleaning, then it is the virus that caused this, as the infection was so bad that removal damaged the file. The option of cleaning in Normal Mode, and therefore not cleaning as thoroughly, is worse. This is why I suggest capturing all user files and cleaning them, but reloading the OS and all applications from scratch. There shouldn't be much executable code in the user files, so it's easier, quicker and safer to do this.
 
lexxprime commented:
Well, the chances of recovering a system with that many infections after removing the infected files are rather low.
To be honest, you need to prepare for a reinstall anyway.
So make sure to make a backup of the needed files, format, and then reinstall the OS.

I know it may not be a popular choice, but it's a solid and good solution.

If you have another partition or hard drive available, you could try and install on that drive while still keeping the old files (but be sure to clean up after you do, or else you might risk booting on the infected partition and infecting the whole system).

Sincerely, Lexx
 
lexxprime commented:
In the future I would install these two programs:

http://www.microsoft.com/security_essentials/
and http://malwarebytes.org/

and then advise them to scan with them every two weeks or so.

Sincerely, Lexx
 
philby11 commented:
Hi chenzovicc,
SAS (SuperAntiSpyware) provides a "manage quarantine" feature which gives you the ability to restore any system files that may have been quarantined, to at least get you booting.
You will need to look through the list of files that it has detected problems in to see if there are critical system files in the mix, i.e. the page file.
Malwarebytes is a great tool, as stated earlier.
There are a lot of bugs out there that can corrupt the hosts file to prevent access to most known antivirus programs; Spybot Search & Destroy is a cleaner that can actually protect the hosts file from corruption.
Which virus you have will determine the best cleaning approach.
I would be advising your client to monitor staff usage of the internet and make sure they are not downloading from suspect sites, and maybe place some policy restrictions on the internet access that they have.
Hope this helps
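As an added example (not part of any answer in this thread), a small Python check for the kind of hosts-file tampering philby11 describes: it parses a Windows hosts file and flags entries that block or redirect security-vendor domains. The vendor list and the sample hosts content are constructed for illustration.

```python
import ipaddress
import re

# Domains a clean hosts file has no reason to map; constructed list for the example.
WATCHED_SUFFIXES = (
    "malwarebytes.org", "microsoft.com", "windowsupdate.com",
    "kaspersky.com", "superantispyware.com", "safer-networking.org",
)
# Mapping a watched domain to one of these blocks it; anything else is a redirect.
LOOPBACK_OR_NULL = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Return (line_no, ip, hostname) for every mapping in hosts-file text."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # strip trailing comments
        if not line:
            continue
        parts = re.split(r"\s+", line)
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not an IP-to-host mapping, skip
        for host in parts[1:]:
            entries.append((line_no, parts[0], host.lower()))
    return entries


def find_hijacks(text):
    """Flag mappings of watched domains and classify each as block or redirect."""
    findings = []
    for line_no, ip, host in parse_hosts(text):
        if any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES):
            kind = "block" if ip in LOOPBACK_OR_NULL else "redirect"
            findings.append({"line": line_no, "host": host, "ip": ip, "kind": kind})
    return findings


# Constructed sample resembling a tampered Windows hosts file (not a real capture).
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.malwarebytes.org   # blocks the download site
0.0.0.0         update.microsoft.com windowsupdate.microsoft.com
192.0.2.10      www.kaspersky.com      # sent to an attacker-chosen address
192.168.1.20    fileserver.local       # legitimate internal entry
"""

if __name__ == "__main__":
    for f in find_hijacks(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['host']} -> {f['ip']} ({f['kind']})")
```

On a real machine, read the text from %SystemRoot%\System32\drivers\etc\hosts and pass it to find_hijacks; a legitimate entry like fileserver.local is left alone.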
 
chenzovicc (Author) commented:
Thanks for your advice. I have a problem with one of the computers, the most infected one. I am planning on reinstalling, but the problem is that 3 of the programs that this computer has installed at this moment were purchased several years ago and were custom-made for them by a programmer, and that guy is no longer alive.
Is there any program that can transfer only specific programs? I have used several cloning programs, but never one that will clone only certain programs.

Please advise.
 
optoma commented:
You have a backup!
Try cleaning it :)
Don't know of a program as such.
 
Mohammed Hamada (Senior IT Consultant) commented:
I've heard of such a program but was never able to find it online; however, for some very small programs it might work if you copy the folder where the program is located on your computer to a different computer.

But if the program has any references to the registry or DLLs in the system folders, then it would likely fail and keep asking for missing files.

But I think it's worth a try..

Good luck
 
Danny Child (IT Manager) commented:
PCmover from LapLink claims to be able to move individual apps...

Not tried it myself, but they've been around forever, which is something...
http://www.pc-mover.com/
 
chenzovicc (Author) commented:
Thanks to all of you. It is hard for me to grade, as all of you gave me a lot of knowledge.

Thanks