Solved

How to disinfect a computer

Posted on 2010-09-03
Last Modified: 2013-11-22
Hi Experts:

I got a new client with 1 Server 2003 and 6 workstations. I went to evaluate the systems, and the workstations had an antispyware program called SuperAntiSpyware installed on each one. I updated the antispyware and started scanning the systems, and to my surprise the program detected close to 1,000 items on each computer (adware, spyware and several Trojans). They needed a lot of the Microsoft updates, and on 2 computers I could not even update the antivirus. I tried to clean one of the computers, and after cleaning it would not take me to the LOG ON SCREEN (it was just looping for 15 minutes), so what I did was go to the Last Known Good Configuration and I was able to log on again.
Question: What would be your approach to this situation? I was thinking of cleaning and removing the viruses and spyware, but in doing this I know that some programs will not work properly and some infected files will disappear. I need to have an idea of what is best for my client and show him the different options.

Please advise me guys.
Question by: chenzovicc

18 Comments
 
Expert Comment

by: Aaron Tomosky
ID: 33599444
Go to download.com on another PC. Download Malwarebytes Anti-Malware. Save it to a flash drive or CD. Boot the infected PC into Safe Mode (hold F8, I think, during startup). Install MBAM and do the full scan. Reboot into Normal Mode. Update MBAM and run another full scan.
 
Accepted Solution

by: mikesell (earned 36 total points)
ID: 33599454
Rather than rebooting to the Last Known Good Configuration, you could use msconfig and start only a few services.

I would go Start, Run, msconfig. In the Startup tab I would uncheck everything and restart the computer. If it comes up fine, then try and run the updates.

You could also uncheck unneeded services from the Services tab.
 

Assisted Solution

by: brimac21 (earned 36 total points)
ID: 33599545
If the PCs are that infected (1,000 items: adware, spyware and several Trojans), start fresh. I would recommend reformatting one, reinstalling all software including antivirus, turning firewalls on, testing with your client to ensure it has everything they use, and then imaging it out to the other workstations.
 
Assisted Solution

by: DanCh99 (earned 108 total points)
ID: 33599860
You've got to secure the **user data** first, and then worry about the operating systems. If their systems are so wide open that they've picked up as much grief as you say, then the next step is to decide on what new, secure method of working they're going to use in the future.

No point starting any rebuilds till some serious lessons have been learned AND implemented.
 
Assisted Solution

by: optoma (earned 107 total points)
ID: 33600997
Run these quick scanners on the machines.
The reason for that machine rebooting until Last Known Good was selected is probably that SAS removed an infected required .sys file and did not replace that .sys file with a clean copy.
Hitman Pro http://www.surfright.nl/en/hitmanpro
TDSSKiller.exe http://support.kaspersky.com/viruses/solutions?qid=208280684
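The boot loop optoma describes is the reason to sort a scanner's detection list by location before letting it quarantine anything: a hit under the Windows system tree (a .sys driver above all) needs a known-clean replacement lined up first, while a hit in a user's Temp folder can go without a second thought. The script below is an added example written for this thread, not code from optoma or from SuperAntiSpyware; the two-column log format it parses and every sample entry in it are constructed for the illustration, so a real scanner log will need its own parser in place of `triage()`.

```python
"""Sort a scanner's detection list by how dangerous it is to remove each hit.

Added example, not part of the original thread. The log format
('<detection name>\t<path>' per line) and every sample entry below are
constructed for the illustration; real scanner logs need their own parser.
"""
import ntpath
from collections import defaultdict

# Directories Windows needs in order to reach the logon screen. A detection
# here must not be deleted until a known-clean copy of the file (install
# media, the i386 folder, or an identically patched machine) is on hand.
BOOT_CRITICAL_DIRS = (r"\windows\system32\drivers", r"\windows\system32", r"\windows")
BOOT_CRITICAL_EXT = {".sys", ".dll", ".exe"}

# Per-user scratch locations: removing a file from here cannot stop the OS booting.
USER_SCRATCH_DIRS = (
    r"\local settings\temp",
    r"\local settings\temporary internet files",
    r"\application data",
)


def _normalize(path):
    """Lower-case, unify slashes and drop the drive letter ('C:\\Windows\\x' -> '\\windows\\x')."""
    return ntpath.splitdrive(path.strip().replace("/", "\\").lower())[1]


def _under(directory, prefix):
    return directory == prefix or directory.startswith(prefix + "\\")


def classify(path):
    """Return 'critical', 'user-scratch' or 'review' for one detected file."""
    directory, name = ntpath.split(_normalize(path))
    ext = ntpath.splitext(name)[1]
    if ext in BOOT_CRITICAL_EXT and any(_under(directory, d) for d in BOOT_CRITICAL_DIRS):
        return "critical"
    if any(seg in directory for seg in USER_SCRATCH_DIRS):
        return "user-scratch"
    return "review"


def triage(log_lines):
    """Group (detection, path) pairs from the constructed log format by verdict."""
    buckets = defaultdict(list)
    for raw in log_lines:
        line = raw.strip()
        if not line or "\t" not in line:
            continue  # blank line, or a line without a path column
        detection, path = line.split("\t", 1)
        buckets[classify(path)].append((detection, path.strip()))
    return dict(buckets)


# Constructed sample: the kind of entries a cleanup log from the thread's scenario might hold.
SAMPLE_LOG = [
    "Rootkit.Agent\tC:\\WINDOWS\\system32\\drivers\\hjgruis.sys",
    "Trojan.Agent\tc:/windows/system32/winlogon.exe",
    "Adware.Toolbar\tC:\\Program Files\\FooBar\\toolbar.dll",
    "Trojan.Downloader\tC:\\Documents and Settings\\user\\Local Settings\\Temp\\setup.exe",
    "Tracking Cookie\tC:\\Documents and Settings\\user\\Cookies\\user@ad.example.txt",
]

if __name__ == "__main__":
    for verdict, hits in sorted(triage(SAMPLE_LOG).items()):
        print(verdict)
        for detection, path in hits:
            print("   ", detection, "->", path)
```

Everything in the "critical" bucket is what to check in the scanner's quarantine (and have a clean copy of) before the next reboot; the "review" bucket is where add-on DLLs and leftovers from third-party programs end up, which is also where the "some programs start giving errors" effect comes from when they are removed.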
 
Assisted Solution

by: Mohammed Hamada (earned 71 total points)
ID: 33601016
As for the first step:
I would recommend, since you are able to access these files on the clients and server, that you back up all of the files to an external device and then try to disinfect the machines.

The second step is to get the Kaspersky Rescue Disk, update it and scan each machine for viruses. That would save you loads of time and cure/disinfect files.
 

Author Comment

by: chenzovicc
ID: 33601337
Thanks for all your comments, but let me ask you:
What can be the result of removing so many adware and Trojans in Safe Mode?
My experience has been that some files disappear, some programs start giving errors and sometimes the computer will not reboot.
 
Assisted Solution

by: optoma (earned 107 total points)
ID: 33601365
Removing them in Safe or Normal Mode is really no different, apart from the scanner creating a restore point before removal, if applicable. Depending on what type of infection it is and what files are infected, legit programs can be left giving errors.
 
Assisted Solution

by: xtreminator (earned 36 total points)
ID: 33603747
Use this recently announced tool from Kaspersky.

Tool to make a USB drive bootable: http://rescuedisk.kaspersky-labs.com/rescuedisk/updatable/rescue2usb.exe

Bootable image file: http://rescuedisk.kaspersky-labs.com/rescuedisk/updatable/kav_rescue_10.iso

Manual: http://support.kaspersky.com/downloads/guides/kasp10.0_rescuedisk_en.pdf

Download the above files, make a bootable USB flash drive using rescue2usb.exe and kav_rescue_10.iso, boot from the flash drive and scan the system.
 
Assisted Solution

by: DanCh99 (earned 108 total points)
ID: 33604115
All Safe Mode does is run on a "skeleton crew" of minimal drivers and applications. This leaves more areas available for proper cleaning. Also, as fewer processes start up, there are fewer ways for the viruses to hide or otherwise embed themselves in the system.

However, if the system cannot recover after the cleaning, then it is the virus that caused this, as the infection was so bad that removal damaged the file. The option of cleaning in Normal Mode, and therefore not cleaning as thoroughly, is worse. This is why I suggest capturing all user files, cleaning them, but reloading the OS and all applications from scratch. There shouldn't be much executable code in the user files, so it's easier, quicker and safer to do this.
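DanCh99's premise that user data should hold little executable code can be checked rather than assumed before the captured files go back onto a rebuilt machine. The script below is an added example written for this thread, not DanCh99's code: it walks a backup tree and flags every file that starts with the Windows PE "MZ" header, whatever extension it is wearing, plus the script types Explorer runs on a double-click. The sample tree it builds in a temporary directory (a renamed PE posing as a PDF, a double-extension .jpg.exe, a VBScript, and two harmless documents) is constructed for the illustration.

```python
"""Flag executable content in a user-data backup before restoring it.

Added example, not part of the original thread. The sample tree built by
build_sample_backup() is constructed for the illustration.
"""
import os
import shutil
import tempfile

PE_MAGIC = b"MZ"  # DOS/PE header shared by .exe, .dll, .sys, .scr, .ocx, whatever the name says

# Extensions Explorer executes on double-click even when the content is not a PE.
SCRIPT_EXT = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta",
              ".bat", ".cmd", ".com", ".pif", ".scr"}


def is_pe(path):
    """True if the file begins with the 'MZ' header (judged by content, not extension)."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == PE_MAGIC
    except OSError:
        return False


def find_executables(root):
    """Return sorted (relative path, reason) pairs for files that could run once restored."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            if is_pe(full):
                reason = "pe-header"
            elif ext in SCRIPT_EXT:
                reason = "script-extension"
            else:
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            hits.append((rel, reason))
    return sorted(hits)


def build_sample_backup():
    """Create a constructed user-data tree and return its root directory."""
    root = tempfile.mkdtemp(prefix="userdata-")
    samples = {
        "My Documents/report.doc": b"\xd0\xcf\x11\xe0" + b"\x00" * 60,  # OLE2 header: an ordinary Word 2003 file
        "My Documents/photo.jpg.exe": b"MZ\x90\x00" + b"\x00" * 60,       # double extension hiding a real PE
        "Desktop/invoice.pdf": PE_MAGIC + b"\x00" * 60,                    # PE renamed to pass as a PDF
        "Desktop/notes.txt": b"plain text, nothing to run",
        "Desktop/update.vbs": b'WScript.Echo "hello"',
    }
    for rel, data in samples.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


def remove_sample(root):
    """Delete the constructed tree again."""
    shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    sample_root = build_sample_backup()
    try:
        for rel, reason in find_executables(sample_root):
            print(f"{reason:18} {rel}")
    finally:
        remove_sample(sample_root)
```

The check is deliberately content-based: the renamed `invoice.pdf` is caught because it starts with `MZ`, not because of its name. What it does not catch is a Word or Excel document carrying VBA macros, which looks like any other OLE2 file at the header, so office documents from an infected machine still deserve a scanner pass of their own before they are restored.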
 
Assisted Solution

by: lexxprime (earned 71 total points)
ID: 33612677
Well, the chances of you getting a system with that many infections working after removing the infected files are rather low.
To be honest, you need to prepare for a reinstall anyway.
So make sure to make a backup of the needed files, then format and reinstall the OS.

I know it may not be a popular choice, but it's a solid and good solution.

If you have another partition or hard drive available, you could try and install on that drive while still keeping the old files (but be sure to clean up after you do, or else you might risk booting on the infected partition and infecting the whole system).

Sincerely, Lexx
 
Assisted Solution

by: lexxprime (earned 71 total points)
ID: 33612702
In the future I would install these two programs:

http://www.microsoft.com/security_essentials/
and http://malwarebytes.org/

and then advise them to scan with them every two weeks or so.

Sincerely, Lexx
 
Assisted Solution

by: philby11 (earned 35 total points)
ID: 33624592
Hi chenzovicc,
SAS (SuperAntiSpyware) provides a "manage quarantine" feature which gives you the ability to restore any system files that may have been quarantined, to at least get you booting.
You will need to look at the list of files that it has detected problems in to see if there are critical system files in the mix, i.e. the page file.
Malwarebytes is a great tool, as stated earlier.
There are a lot of bugs out there that can corrupt the hosts file to prevent access to most known antivirus programs; Spybot Search & Destroy is a cleaner that can actually protect the hosts file from corruption.
Which virus you have will determine the best cleaning approach.
I would be advising your client to monitor staff usage of the internet & make sure they are not downloading from suspect sites, & maybe place some policy restrictions on the internet access that they have.
Hope this helps
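philby11's point about malware rewriting the hosts file is easy to verify by hand on one machine and easier to script across six. The audit below is an added example written for this thread, not philby11's code or Spybot's: it parses hosts-file text, ignores the stock `localhost` line that a clean XP/2003 file consists of, and reports entries that map a security vendor's domain anywhere (a loopback address blackholes it, any other address redirects it) or that point a name at a non-loopback address. The vendor suffix list is an assumption chosen for illustration, and `SAMPLE_HOSTS` is constructed; on Windows XP/2003 the live file is `%SystemRoot%\system32\drivers\etc\hosts`.

```python
"""Audit a Windows hosts file for entries that block or redirect security vendors.

Added example, not part of the original thread. PROTECTED_SUFFIXES is an
assumption chosen for illustration; extend it with whatever scanners the
client actually relies on. SAMPLE_HOSTS is constructed.
"""
import ipaddress
import os

# Domains that hosts-file malware commonly points at 127.0.0.1 so the victim
# cannot download or update a scanner. Matched as an exact name or as a suffix.
PROTECTED_SUFFIXES = (
    "malwarebytes.org", "superantispyware.com", "kaspersky.com",
    "microsoft.com", "windowsupdate.com", "symantec.com", "mcafee.com",
    "avast.com", "avg.com", "sophos.com", "trendmicro.com",
)
LOOPBACK = {"127.0.0.1", "::1"}
STOCK_NAMES = {"localhost", "localhost.localdomain"}

HOSTS_PATH = os.path.join(os.environ.get("SystemRoot", r"C:\WINDOWS"),
                          "system32", "drivers", "etc", "hosts")


def parse_hosts(text):
    """Yield (line number, ip, hostname) for every mapping; comments and junk are skipped."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # Windows ignores lines whose first field is not an address
        for name in fields[1:]:
            yield lineno, ip, name.lower()


def _is_protected(host):
    return any(host == s or host.endswith("." + s) for s in PROTECTED_SUFFIXES)


def audit_hosts(text):
    """Return (line number, ip, host, reason) for every entry that deserves a look."""
    findings = []
    for lineno, ip, host in parse_hosts(text):
        if host in STOCK_NAMES and ip in LOOPBACK:
            continue  # the only mapping a clean XP/2003 hosts file contains
        if _is_protected(host):
            verb = "blackholed" if ip in LOOPBACK else "redirected"
            findings.append((lineno, ip, host, f"security vendor {verb}"))
        elif ip not in LOOPBACK:
            findings.append((lineno, ip, host, "non-loopback mapping (possible pharming)"))
        else:
            findings.append((lineno, ip, host, "extra loopback entry (review)"))
    return findings


# Constructed sample resembling a tampered XP hosts file.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.malwarebytes.org
127.0.0.1       superantispyware.com
192.0.2.10      update.microsoft.com
192.0.2.10      www.bank.example
127.0.0.1       ads.example
not-an-address  garbage
"""

if __name__ == "__main__":
    if os.path.exists(HOSTS_PATH):
        with open(HOSTS_PATH, encoding="latin-1") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS  # not on Windows: run against the constructed sample
    for lineno, ip, host, reason in audit_hosts(text):
        print(f"line {lineno}: {ip:15} {host:30} {reason}")
```

The two reasons that matter on a machine like the ones in this thread are "security vendor blackholed/redirected" and "non-loopback mapping"; a deliberately large ad-blocking hosts file will light up the "extra loopback entry" category wholesale, which is why that one is labelled for review rather than flagged outright.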
 

Author Comment

by: chenzovicc
ID: 33651219
Thanks for your advice. I have a problem with one of the computers, the most infected one. I am planning on reinstalling, but the problem is that 3 of the programs this computer has installed at the moment were purchased several years ago and were custom-made for them by a programmer, and that guy is no longer alive.
Is there any program that can transfer only specific programs? I have used several cloning programs but never one that will clone only certain programs.

Please advise.
 
Assisted Solution

by: optoma (earned 107 total points)
ID: 33651396
You have a backup!
Try cleaning it :)
Don't know of a program as such.
 
Assisted Solution

by: Mohammed Hamada (earned 71 total points)
ID: 33652596
I've heard of such a program but was never able to find it online; however, for some very small programs it might work if you copy the folder where the program is located on your computer to a different computer.

But if the program has any references to the registry or to DLLs in the system folders, then it would likely fail and keep asking for missing files.

But I think it's worth a try.

Good luck
 
Assisted Solution

by: DanCh99 (earned 108 total points)
ID: 33762390
PCmover from LapLink claims to be able to move individual apps...

Not tried it myself, but they've been around forever, which is something...
http://www.pc-mover.com/
 

Author Closing Comment

by: chenzovicc
ID: 33925286
Thanks to all of you. It is hard for me to grade as all of you gave me a lot of knowledge.

Thanks
