Want advice on Virus Removal

  • Thread starter: wdsnews

wdsnews

I've tried several anti-virus programs in an attempt to remove viruses from
my customers' computers. Norton, TrendMicro, PestPatrol, Stinger,
PC-cillin, all seem unable to remove the viruses they detect. I've seen
many customers lately, with many different infections. Even Safe Mode does
not allow them to be removed.

All of the antivirus programs detect different new pests. They tell me what
the infection is. They tell me what files are infected. But neither they
nor I can delete the files. I can find the files on the hard drive. I can
find entries in the registry. But they won't delete.

I've tried shutting down running processes, but many of the suspect
processes are considered "critical" by the OS and won't shut down. I've
spent most of my time in Safe Mode, but the files remain locked.

Usually we decide to wait for an antivirus update that can handle the virus
and sometimes that works. But in two cases we decided to format and
re-install, which seems like a totally unacceptable solution considering the
patch situation.

So... now this expert, that I call myself, with over 20 years experience,
feels like a total novice. I would feel very thankful to everyone who can
give some advice. Thank you so much.
 
Try booting into DOS mode for FAT and use Winternals for
NTFS. But the best practice for an infection is a
complete rebuild.
 

What are some of the specific viruses that are doing this?

And where are these viruses located?

If these viruses are located in the
\System Volume Information\_Restore folder then they are encapsulated
and cannot possibly do anything unless System Restore is used to set
the computer back to a prior date.

To clean up the _Restore folder, use Disk Cleanup in the Accessories -
System Tools menu. Go to the More Options tab and click on the Clean
up button in the System Restore (bottom) section. That will eliminate
all but the most recent System Restore point, and at least most of the
infected files in the _Restore folder should be gone. If not, then use
System Restore to create a new restore point and then use Disk Cleanup
again.

Good luck

Ron Martell Duncan B.C. Canada
--
Microsoft MVP
On-Line Help Computer Service
http://onlinehelp.bc.ca

"The reason computer chips are so small is computers don't eat much."
 
All of those removal tools work pretty well, but you're
right, they don't always remove the registry settings or
delete the files associated with the infection.

A good portion of the latest viruses running wild are
utilizing published exploits. Within my company, that I'm
the IT Security Officer for, we established the following
procedures for virus infection:

1. Isolate the potentially infected system by removing
the network cable.
2. Check http://vil.nai.com/vil/newly-discovered-viruses.asp
for the latest threats. Though it is a NAI
operated site, they do provide cross vendor description
information.
3. If the symptoms are described in a description, not
only do we retrieve the latest definition files when
available but we publish the manual removal procedures
internally within our IT department.
4. Ensure that ALL LATEST CRITICAL SECURITY PATCHES ARE
INSTALLED. We have seen many times, despite having the
latest virus definition files installed, systems that are
not patched can still become infected.
5. Perform the manual removal instructions including the
clearing of the System Restore points. As said in another
person's response, though it is no immediate threat, it
does annoy you when Anti-Virus software runs across it in
the System Restore database, or if a system restore is
performed, you could end up re-infecting the system.
6. Perform a complete full scan of all files with the
latest stand-alone removal tool and with the installed
Anti-Virus software.
7. Perform a complete Baseline Security scan using MBSA
to ensure the system meets minimum security requirements.
8. Remove all objects from the Internet Explorer (Windows
Downloaded Program Files). This does help wipe out some
of those pesky adware / spyware applications. It's easier
to just download the plugins again than to try to determine
what is supposed to be there and not.
9. After restarting the system, run a NETSTAT -an from a
command prompt to determine if there are any unexpected
traffic attempts that could be caused by a worm, spyware,
etc.
10. Only if step 9 shows no sign of attempted
communication will we reattach the system to the network.
11. Immediately visit Windows Update to ensure there are
no new missing critical patches.

It's all a pain especially when you have over 5000 nodes
in just North America but it works well.
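An added example, not from this thread or any of its posters, of automating the check in step 9: a small Python script that parses `netstat -an` output in the Windows layout and flags two things a freshly rebooted, cable-unplugged host should not show, a listener whose (protocol, port) is not on an expected baseline, and any TCP socket trying to talk to a non-loopback peer. The baseline set, the sample netstat text, and the planted entries in it (port 6667, the SYN_SENT to port 4444) are constructed for the example, not taken from a real machine.

```python
import subprocess
import sys
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed sample in the Windows `netstat -an` layout (not captured from a real host).
# Port 6667 and the SYN_SENT to 198.51.100.23:4444 are the planted "unexpected" entries.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6667           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1051      198.51.100.23:4444     SYN_SENT
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:1034           *:*
"""

# Hypothetical baseline for a domain workstation: (protocol, port) pairs expected to be
# listening after a clean boot. A real baseline comes from a known-good build of the
# same image, not from this list.
EXPECTED_LISTENERS: Set[Tuple[str, int]] = {
    ("TCP", 135), ("TCP", 139), ("TCP", 445),
    ("UDP", 137), ("UDP", 138),
}


@dataclass(frozen=True)
class Socket:
    proto: str
    local_addr: str
    local_port: Optional[int]
    remote_addr: str
    remote_port: Optional[int]
    state: str  # empty for UDP, which netstat prints without a state column


def split_endpoint(endpoint: str) -> Tuple[str, Optional[int]]:
    """Split 'addr:port' on the last colon so IPv4, bracketed IPv6 and '*:*' all work."""
    addr, _, port = endpoint.rpartition(":")
    return addr, (int(port) if port.isdigit() else None)


def parse_netstat(text: str) -> List[Socket]:
    """Parse the socket rows of `netstat -an` output; header and blank lines are skipped."""
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        local_addr, local_port = split_endpoint(parts[1])
        remote_addr, remote_port = split_endpoint(parts[2])
        state = parts[3] if len(parts) > 3 else ""
        sockets.append(Socket(parts[0], local_addr, local_port, remote_addr, remote_port, state))
    return sockets


def triage(sockets: List[Socket], expected: Set[Tuple[str, int]]) -> List[Tuple[str, Socket]]:
    """Return (finding, socket) pairs for anything that should not be present on an
    isolated, freshly rebooted host:
      - a listener whose (proto, port) is not in the baseline
      - any TCP socket in a non-listening state to a non-loopback peer, i.e. something
        on the box is trying to talk out even though the cable is unplugged
    """
    findings = []
    for s in sockets:
        is_listener = s.state == "LISTENING" or s.proto == "UDP"
        if is_listener:
            if (s.proto, s.local_port) not in expected:
                findings.append(("unexpected-listener", s))
        elif s.proto == "TCP" and not s.remote_addr.startswith("127."):
            findings.append(("connection-attempt", s))
    return findings


def report(findings: List[Tuple[str, Socket]]) -> List[str]:
    """Render findings as one line each for the incident notes."""
    lines = []
    for kind, s in findings:
        peer = f" -> {s.remote_addr}:{s.remote_port} {s.state}" if kind == "connection-attempt" else ""
        lines.append(f"{kind}: {s.proto} {s.local_addr}:{s.local_port}{peer}")
    return lines


if __name__ == "__main__":
    # `--live` runs the real netstat (Windows layout expected); otherwise the sample is used.
    if "--live" in sys.argv:
        text = subprocess.run(["netstat", "-an"], capture_output=True, text=True, check=True).stdout
    else:
        text = SAMPLE_NETSTAT
    for line in report(triage(parse_netstat(text), EXPECTED_LISTENERS)):
        print(line)
```

Run it with no arguments to see the three planted findings from the sample, or with `--live` on the isolated machine itself. Any `connection-attempt` line on a host with its cable pulled is exactly the "attempted communication" that step 10 says must be resolved before the system goes back on the network; an `unexpected-listener` is a port to account for (a legitimate service missing from the baseline, or a backdoor) before the baseline is updated.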
 