The PC


Sunday, March 27, 2011

How to Remove Malware

Posted on 3:11 PM by Unknown
Today's post will demonstrate the method for removing malware that I have developed over the past couple of years. Malware includes virus, spyware, scareware, worm, rootkit, or trojan infections.

First, boot the PC into Safe Mode. I always do this--no matter the type or severity of the infection. Booting into Safe Mode accomplishes two things. One, it disables services upon which the malicious software relies. Most of the pop-ups and the 'self defense mechanisms' associated with malware are crippled in Safe Mode. 'Self defense mechanisms' include blocking antivirus software from being installed, detecting the infection, or removing the infection. Two, booting into Safe Mode simply allows the scans to run much faster.

After you have booted into Safe Mode, run the portable version of CCleaner. This will remove a lot of junk and speed up scan times. Start up CCleaner, configure what you want removed by checking or un-checking the various boxes, and click Run Cleaner.


Next, click on the Registry tab and then click Scan for Issues. I have never run into any problems, but go ahead and back up the registry before fixing the issues that it will find. I usually back up the registry to the root of the C:\ drive or somewhere that the client won't find it and mistakenly reinstall it.

Next, install MalwareBytes Anti-Malware. MalwareBytes is an excellent malware remover. After you have it installed, update it. If you have just downloaded the installer minutes before installing the software, update it anyway.



Next, return to the Scanner tab and run a Quick Scan. I have never found it necessary to do a Full Scan.




When the scan completes, close the text file that pops up and press the 'Remove Selected' button. Reboot, as instructed. Make sure to reboot into Safe Mode, again.

If you removed several hundred infections, it's a good idea to run the scan again after rebooting.

Next, run the portable version of SuperAntiSpyWare. Yes, it's a horrible name for software (or anything, for that matter). It sounds like something from a Japanese monster movie, but it's also an excellent malware removal tool.

Again, update first.



After updating is complete, click the Scan your Computer... button. Choose Perform Quick Scan and then click the Next button.



SuperAntiSpyWare takes considerably longer to perform its scan than MalwareBytes does. Be patient, remove the selected infections, and reboot as instructed. If the system is an x86 (i.e. a 32-bit) system, reboot into Safe Mode. We have one more step to perform.

If it is an x64 system, you should be done. Boot the computer normally and check it out. Make sure that everything behaves as it should. Make sure that no proxies are set that shouldn't be set. Browse a few antivirus sites and Microsoft.com. If you can't browse these sites, start the process over from the beginning; the system is still infected. Also try scanning with whatever antivirus software your client already has installed. That is, assuming that it is up to date.

If you are working on a 32-bit system, run ComboFix from Bleeping Computer. Be forewarned, the developers of this software do not want you to run it without their supervision. That being said, I have run ComboFix countless times and never had any problems. Again, be sure to read the disclaimer.

If ComboFix tells you that it needs an update, update it. If it tells you that the recovery console needs installing, install it. Otherwise, let it run. If ComboFix finds rootkits, it may need to reboot the system. Don't do it yourself and don't worry about Safe Mode. Let the software do its thing.


That should do it. Again, check the system out to see that it behaves as it should. Make sure that no proxies are set that shouldn't be set. (Internet Options>Connections Tab>LAN Settings Button>Proxy Server Section.) As above, browse Microsoft's site and a few big name anti-virus software companies' web sites.
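The proxy check described above can also be read straight from the registry. The following PowerShell is an added example, not part of the original post; the function name Get-ProxyFindings and the sample values are assumptions made for illustration. It reports the per-user values that the LAN Settings dialog displays.

```powershell
# Added example (not from the original post): audit per-user WinINET proxy values.
$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-ProxyFindings {
    param([hashtable]$Settings)
    $findings = @()
    $server = $Settings.ProxyServer
    if ($Settings.ProxyEnable -eq 1) {
        $findings += "Proxy ENABLED: $server"
        # ProxyServer is "host:port" or "http=host:port;https=host:port"
        if ($server -match '(^|=|//)(127\.\d+\.\d+\.\d+|localhost)(:|;|$)') {
            $findings += 'Proxy is on loopback: traffic goes through a process on this PC'
        }
    } elseif ($server) {
        $findings += "Proxy disabled, but a server is still stored: $server"
    }
    if ($Settings.AutoConfigURL) {
        $findings += "Automatic configuration script: $($Settings.AutoConfigURL)"
    }
    if (-not $findings) { $findings += 'No proxy or configuration script set' }
    return $findings
}

# Constructed sample: what an unwanted loopback proxy looks like in the registry.
$sample = @{ ProxyEnable = 1; ProxyServer = 'http=127.0.0.1:8080;https=127.0.0.1:8080' }
'--- constructed sample ---'
Get-ProxyFindings -Settings $sample

# Live values for the logged-on user (HKCU is per user, so run this as the
# affected user rather than from a separate administrator account).
$props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
$live = @{
    ProxyEnable   = $props.ProxyEnable
    ProxyServer   = $props.ProxyServer
    AutoConfigURL = $props.AutoConfigURL
}
'--- current user ---'
Get-ProxyFindings -Settings $live
```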

If after performing the above process you find the system still infected, remove the hard drive from the system, slave it to another clean system and run MalwareBytes and SuperAntiSpyWare on the infected drive. Also, scan the slaved drive with software like AVG or Microsoft Security Essentials.

Be sure to see an earlier post on how to keep your system from getting infected. After cleaning a system, it is a good idea to go through that process as well.

Posted in Malware, Virus, Windows | No comments

Sunday, March 20, 2011

Changing Forgotten Windows Passwords

Posted on 1:58 PM by Unknown
Often times a user will forget their Windows login password. Of course, often times that user will be using the sole administrator account on the computer.

When I am in this situation, I use the Ultimate Boot CD for Windows to reset the password. There are other tools to accomplish this, but UBCD4win is an extremely handy multi-use tool that I think every tech should have in their arsenal. The CD's uses include repairing systems that fail to boot, malware removal, running chkdsk, and a host of others.

Point your browser to http://www.ubcd4win.com/. You'll find everything you need to know to build your own CD.

To reset a password, boot up your CD and open NTPWEdit. One can find it under Start>Programs>Password Tools>NTPWEdit.



Once the application is open, make sure that the path to the SAM (Security Accounts Manager) file is correct and press (Re)open. The path is almost always C:\WINDOWS\system32\config\SAM. If it is not correct, make the necessary changes and then press (Re)open.



A list of accounts will appear. Choose the appropriate account and press Change password. Type the new password in the dialog box that pops up and then verify it by typing it in a second time. If you want a blank password, leave the fields blank and simply hit enter.



Make sure to press Save changes before exiting. Otherwise, well, your changes won't be saved. That's it. Reboot and log into the account. This works on XP, Vista, and Windows 7. It probably works on NT and Windows 2000, as well.


Posted in passwords, UBCD, Vista, Windows, Windows 7, XP | No comments

Saturday, March 12, 2011

Back up and Restore Network Printers

Posted on 9:31 AM by Unknown
Often times in the enterprise environment, when a new PC is deployed, the technician has to set up the network printers that the user had on their previous machine. Often times this can be a fairly long list of printers. Rather than making a note of each printer and restoring them one at a time or dragging the shortcuts to a share, the technician can back up and restore a registry key. This key is:

HKEY_CURRENT_USER\Printers\Connections

There are a couple of easy ways to back up this key on the old machine and restore it on the new machine.

Method One

Go to Start>Run>REGEDIT

Navigate to HKEY_CURRENT_USER\Printers\Connections

Right-click the folder and select Export. Save the .reg file on a network drive or an external hard drive.



Log on to the user's account on the new machine and simply double-click the .reg file. Confirm that you want to add the settings to the registry.

In XP, go to Printers and Faxes. In Vista and Windows 7, go to Devices and Printers. Right-click on each printer and select Connect. Right-click on the printer that is to be the default and select Set as default.

Method Two

One can also back up the registry key from the command line. The following command will back up the key to the \\server\share network path. Be sure to put quotes around any paths that have spaces in them. Obviously, modify the command to meet your needs.

REGEDIT /E "\\server\share\printers.reg" "HKEY_CURRENT_USER\Printers\Connections"

On the new machine, follow the above directions to restore the network printers.

That's it. You can incorporate method two into a .bat file if you wish.
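Double-clicking a .reg file merges every key it contains, so an export kept on a shared drive is worth checking before it is imported on the new machine. The following PowerShell is an added example, not part of the original post; the function name Test-PrinterRegFile, the server and printer names, and the ExampleVendor key are constructed for illustration. It confirms that a file touches nothing outside HKEY_CURRENT_USER\Printers\Connections.

```powershell
# Added example (not from the original post): validate a printer export before import.
$allowedRoot = 'HKEY_CURRENT_USER\Printers\Connections'

function Test-PrinterRegFile {
    param([string[]]$Lines)
    $problems = @()
    # First non-blank line must be one of the two .reg file signatures
    $header = "$($Lines | Where-Object { $_.Trim() } | Select-Object -First 1)".Trim()
    if (@('Windows Registry Editor Version 5.00', 'REGEDIT4') -notcontains $header) {
        $problems += "Unexpected header: '$header'"
    }
    foreach ($line in $Lines) {
        # Key lines look like [HKEY_...\Key]; a leading '-' deletes the key
        if ($line -match '^\s*\[(-?)(.+)\]\s*$') {
            $delete = $Matches[1]
            $keyPath = $Matches[2]
            $inScope = ($keyPath -eq $allowedRoot) -or
                $keyPath.StartsWith($allowedRoot + '\', [StringComparison]::OrdinalIgnoreCase)
            if ($delete) {
                $problems += "Key deletion entry: $keyPath"
            } elseif (-not $inScope) {
                $problems += "Key outside ${allowedRoot}: $keyPath"
            }
        }
    }
    return $problems
}

# Constructed sample: a valid export with one extra, out-of-scope key appended.
$sample = @(
    'Windows Registry Editor Version 5.00',
    '',
    '[HKEY_CURRENT_USER\Printers\Connections]',
    '',
    '[HKEY_CURRENT_USER\Printers\Connections\,,printsrv01,Floor2-Laser]',
    '"Provider"="win32spl.dll"',
    '"Server"="\\\\printsrv01"',
    '',
    '[HKEY_CURRENT_USER\Software\ExampleVendor\Settings]',
    '"Mode"="1"'
)
Test-PrinterRegFile -Lines $sample   # reports the ExampleVendor key

# Against a real export (path is the placeholder used in the post):
#   $p = Test-PrinterRegFile -Lines (Get-Content '\\server\share\printers.reg')
#   if (-not $p) { reg import '\\server\share\printers.reg' } else { $p }
```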


Posted in Backup, Printers, Vista, Windows, Windows 7, XP | No comments