What you need to do if you're infected!

Well, good question isn’t it? I’ll give you some simple steps and hope these will help you destroy the malware.

  1. Shut down System Restore [How to shut down System Restore]

  2. Back up all your files and folders using a back-up program, for example Comodo Back-up

  3. Download the following programs and install them

  4. Check for definition updates (Important!).

  5. Reboot and start into Safe Mode (How do you start in Safe Mode?)

  6. Allow each program to scan. Scan one at a time, and remove the threats found. Now reboot.

  7. If malware is still found, you may also need these tools
    (Beware: these tools can be dangerous. Please only use them when necessary):
    VundoFix
    SmitfraudFix
    ComboFix (XP ONLY)

  8. Reboot into Normal Mode and see if you find any remains of the virus

  9. Download HijackThis, let it scan and save a log

* Post back the HijackThis log either in this thread or in the following forums, which are full of HijackThis experts

* If you post here, please add:

  • Whether you still encounter any symptoms of the malware
  • Which Windows version you’re using + which service pack
  • What security software is installed

  10. Re-enable System Restore
[b]3xist Response:[/b] So to sum everything up [url=https://forums.comodo.com/virusmalware_removal_assistance/what_do_i_do_if_im_infected-t27334.0.html;msg202152#msg202152]here[/url]: turn off System Restore and restart your PC, but make sure you press "F8" continually as soon as the PC has finished shutting down/restarting. Choose "Safe Mode with Networking" when you're at that configuration screen (so you can do virus/malware definition updates, etc.), then unplug your internet cable or disable your network card. It's important to disconnect from the internet to stop background malware downloading through your PC, so quickly do the malware updates, then unplug. *Scanning in Safe Mode always* - Safe Mode disables the majority of malware. Turning off System Restore gets rid of all malware in restore points.

Thanks!
Josh

Hi Guys.

See Below on how to Enable & Disable System Restore.

System Restore

One of the best features of Windows ME, XP, or Windows Vista is the System Restore option, however if a virus infects a computer with this operating system the virus may be accidentally backed up because of this feature. In order to completely remove a virus on these operating systems, you should disable System Restore before cleaning the system, then reenable it after the system is clean.

Please turn off System Restore, restart your PC and then begin your malware scan(s). After you're finished, turn it back on and reboot.

Disabling System Restore on Windows ME

  1. Click Start, Settings, and then click Control Panel.
  2. Double-click the System icon. The System Properties dialog box appears.

NOTE: If the System icon is not visible, click “View all Control Panel options” to display it.

  3. Click the Performance tab, and then click File System.
  4. Click the Troubleshooting tab, and then check Disable System Restore.
  5. Click OK. Click Yes, when you are prompted to restart Windows.

Once you have cleaned the virus or other problem from the computer, re-enable System Restore by following these directions:

To enable Windows Me System Restore:

  1. Click Start, point to Settings, and then click Control Panel.
  2. Double-click System, and then click the Performance tab.
  3. Click File System, and then click the Troubleshooting tab.
  4. Uncheck Disable System Restore.
  5. Click OK. Click Yes, when you are prompted to restart Windows.

How to remove all previously infected restore points on XP

Go to Start > All Programs > Accessories > System Tools > System Restore

* Select Create a restore point, and OK it.

* Next, go to Start > Run and type in cleanmgr

* Select the More Options tab

* Choose the option to clean up System Restore and OK it.

This will remove all restore points except the new one you just created.

If this didn’t work, you need to follow these steps; please beware that there is no way of going back with System Restore disabled unless you made a backup!!!

Disabling System Restore on Windows XP

[i]IMPORTANT NOTES:

* You must be logged in as an Administrator to do this. If you are not logged in as an Administrator, the System Restore tab will not be displayed.
* Turning off System Restore will clear out all previous restore points.[/i]

To turn off Windows XP System Restore:

NOTE: These instructions assume that you are using the default Windows XP Start Menu and have not changed to the Classic Start menu. To re-enable the default menu, right-click Start, click Properties, click Start menu (not Classic) and then click OK.

  1. Click Start.
  2. Right-click the My Computer icon, and then click Properties.
  3. Click the System Restore tab.
  4. Check “Turn off System Restore” or “Turn off System Restore on all drives” as shown in this illustration:
  5. Click Apply.
  6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
  7. Click OK.
  8. Proceed with what you need to do; for example, virus removal. When you have finished, restart the computer and follow the instructions in the next section to turn on System Restore.

To turn on Windows XP System Restore:

  1. Click Start.
  2. Right-click My Computer, and then click Properties.
  3. Click the System Restore tab.
  4. Uncheck “Turn off System Restore” or “Turn off System Restore on all drives.”
  5. Click Apply, and then click OK.

Starting System Restore From a Command Prompt in Windows XP

  1. Restart your computer or turn the computer on
  2. Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a “keyboard error” message. To resolve this, restart the computer and try again.
  3. Select the “Safe Mode with Command Prompt” option and press Enter
  4. Log on to the computer with an administrator account
  5. Type the following at the command prompt and press Enter

%systemroot%\system32\restore\rstrui.exe

  6. Follow the onscreen instructions to restore your computer to an earlier time.

Re-enabling System Restore in Windows XP via the Group Policy Editor

In some cases, System Restore is disabled via the Group Policy Editor. In these cases, System Restore does not show up as a tab under My Computer Properties in Windows XP. If it doesn’t show up, the question becomes how you turn it on in the first place. To re-enable System Restore via the Group Policy Editor, follow these directions:

  1. Start the Group Policy Editor by clicking on Start, Run and typing gpedit.msc in the Run box and pressing Enter
  2. In the left hand column, click on Computer Configuration, Administrative Templates, System, System Restore
  3. In the right hand column, set Turn off System Restore and Turn off Configuration to Disable
  4. Minimize the Group Policy Editor
  5. Right click on My Computer and Select Manage
  6. In the right hand column, double click on Services and Applications, then Services
  7. Find the System Restore Service and double-click to open
  8. On the General tab set [Startup Type] to Automatic using the drop down list
  9. Click the Start button to start the service
  10. Close the Computer Management console
  11. Maximize the Group Policy Editor and set Turn off System Restore and Turn off Configuration to Not Configured
  12. Close Group Policy Editor and reboot the system.
  13. Once the system is rebooted, Click on Start, Right-click on My Computer, click on Properties and the System Restore tab should appear again.

Disabling System Restore on Windows Vista

To turn off Windows Vista System Restore:

  1. Click Start.
  2. Right-click the Computer icon, and then click Properties.
  3. Click on System Protection under the Tasks column on the left side
  4. Click on Continue on the “User Account Control” window that pops up
  5. Under the System Protection tab, find Available Disks
  6. Uncheck the box for any drive you wish to disable system restore on
  7. When turning off System Restore, the existing restore points will be deleted. Click “Turn System Restore Off” on the popup window to do this.
  8. Click OK
  9. When you have finished, restart the computer and follow the instructions in the next section to turn on System Restore.

To turn on Windows Vista System Restore:

  1. Click Start.
  2. Right-click the Computer icon, and then click Properties.
  3. Click on System Protection under the Tasks column on the left side
  4. Click on Continue on the “User Account Control” window that pops up
  5. Under the System Protection tab, find Available Disks
  6. Place a checkmark in the box for any drive you wish to enable System Restore on
  7. Click OK

Please do not forget to re-enable System Restore
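The Group Policy Editor and Services steps above can also be checked from a script. The following PowerShell is an added example, not part of this post: it reads the two policy values that "Turn off System Restore" and "Turn off Configuration" write (DisableSR and DisableConfig under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore), reports the state of the XP System Restore Service (srservice), and with -Fix performs the same re-enable sequence (clear the policy, set the service to Automatic and start it, switch System Restore on for the system drive). It assumes Windows XP SP3 with Windows PowerShell 2.0 or later and an Administrator session; the service name and the Enable-ComputerRestore cmdlet are Windows XP/Windows PowerShell specifics, so on Vista the service check simply reports "not present".

```powershell
# Added example (not from the thread): audit why System Restore might be
# missing or disabled, mirroring the Group Policy / Services steps above.
# Assumes Windows XP SP3 with Windows PowerShell 2.0+ and an Administrator
# session. Run with -Fix to re-enable System Restore.
param([switch]$Fix)

$policyKey     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'
$srServiceName = 'srservice'   # "System Restore Service" on Windows XP

function Get-SystemRestorePolicy {
    # "Turn off System Restore" -> DisableSR, "Turn off Configuration" -> DisableConfig.
    # Value 1 = policy Enabled (System Restore blocked), 0 = Disabled, absent = Not Configured.
    $result = @{ DisableSR = 'Not Configured'; DisableConfig = 'Not Configured' }
    if (Test-Path $policyKey) {
        $props = Get-ItemProperty -Path $policyKey
        foreach ($name in 'DisableSR', 'DisableConfig') {
            if ($props.PSObject.Properties[$name]) {
                $result[$name] = if ($props.$name -eq 1) { 'Enabled (System Restore blocked)' } else { 'Disabled' }
            }
        }
    }
    return $result
}

function Get-SystemRestoreServiceState {
    $svc = Get-Service -Name $srServiceName -ErrorAction SilentlyContinue
    if (-not $svc) { return 'service not present (expected on Vista and later)' }
    $wmi = Get-WmiObject -Class Win32_Service -Filter "Name='$srServiceName'"
    return ('{0}, startup type {1}' -f $svc.Status, $wmi.StartMode)
}

$policy = Get-SystemRestorePolicy
Write-Host ("Policy 'Turn off System Restore' : {0}" -f $policy.DisableSR)
Write-Host ("Policy 'Turn off Configuration'  : {0}" -f $policy.DisableConfig)
Write-Host ("System Restore service           : {0}" -f (Get-SystemRestoreServiceState))

if ($Fix) {
    # Same outcome as the manual steps: policy back to Not Configured (the
    # values are removed outright rather than set to Disabled first), service
    # Automatic and started, then System Restore switched on for the system drive.
    if (Test-Path $policyKey) {
        Remove-ItemProperty -Path $policyKey -Name DisableSR, DisableConfig -ErrorAction SilentlyContinue
    }
    if (Get-Service -Name $srServiceName -ErrorAction SilentlyContinue) {
        Set-Service -Name $srServiceName -StartupType Automatic
        Start-Service -Name $srServiceName
    }
    Enable-ComputerRestore -Drive "$env:SystemDrive\"
    Write-Host 'System Restore re-enabled; reboot and check that the System Restore tab is back.'
}
```

Run it once without -Fix to see which of the three things (policy, service, drive setting) is actually responsible for the missing tab; a policy value of 1 that keeps coming back after a reboot points at a domain policy or at something re-applying the setting, which is worth knowing before cleaning further.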

Hi guys,

Safe Mode

Windows 95

* Restart the computer.
* Just after the POST diagnostics and memory count, start pressing the F8 key
* On the Startup Menu, choose Safe Mode

Windows 98/Me

* Restart the computer.
* Just after the POST diagnostics and memory count, start pressing the F8 key
* On the Startup Menu, choose Safe Mode

or you may use the System Configuration Utility Method.

* While in Normal mode, Close all programs.
* Click Start, Run and type MSCONFIG in the box and click OK
* In the System Configuration Utility, on the General tab, click the Advanced button
* In the Advanced Troubleshooting Settings dialog box, check Enable Startup Menu. Click OK. Click OK again when the System Configuration Utility reappears.
* You will be prompted to restart the computer. Click Yes. The computer will restart in Safe mode.
* When you are finished with troubleshooting in Safe mode, open MSCONFIG again and uncheck "Enable Start-up Menu." under the Advanced Menu, then click OK and restart your computer

Windows 2000

* If the computer is running, shut down Windows, and then turn off the power
* Wait 30 seconds, and then turn the computer on.
* When you see the black-and-white Starting Windows bar at the bottom of the screen, start tapping the F8 key. The Windows 2000 Advanced Options Menu appears.
* Ensure that the Safe mode option is selected. In most cases, it is the first item in the list and is selected by default.
* Press Enter. The computer then begins to start in Safe mode.
* When you are finished with all troubleshooting, close all programs and restart the computer as you normally would.

Windows XP

If Windows XP is the only operating system installed on your computer, boot into Safe Mode with these instructions.

* If the computer is running, shut down Windows, and then turn off the power
* Wait 30 seconds, and then turn the computer on.
* Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
* Ensure that the Safe mode option is selected.
* Press Enter. The computer then begins to start in Safe mode.
* When you are finished with all troubleshooting, close all programs and restart the computer as you normally would.

To use the System Configuration Utility method

* Close all open programs.
* Click Start, Run and type MSCONFIG in the box and click OK
* The System Configuration Utility appears, On the BOOT.INI tab, Check the "/SAFEBOOT" option, and then click OK and Restart your computer when prompted.
* The computer restarts in Safe mode.
* Perform the troubleshooting steps for which you are using Safe Mode.
* When you are finished with troubleshooting in Safe mode, open MSCONFIG again, on the BOOT.INI tab, uncheck "/SAFEBOOT" and click OK to restart your computer

Windows as part of a multiboot system

Use this method ONLY if you have multiple operating systems installed on your computer.

* If the computer is running, shut down Windows, and then turn off the power
* Wait 30 seconds, and then turn the computer on.
* When the Boot loader menu (list of the available operating systems) appears, use the arrow keys on the keyboard to select the version of Windows that you want
* Press Enter, and then immediately begin tapping the F8 key. The Windows Advanced Options menu appears.
* Scroll to and select the Safe mode menu item, and then press Enter.

Windows Vista

Windows Vista is similar to Windows XP for starting in Safe Mode.

* Turn the computer on or Restart the computer
* Start tapping the F8 key. The Windows Advanced Boot Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
* Ensure that the Safe mode option is selected (the top option)
* Press Enter. The computer then begins to start in Safe mode.
* When you are finished with troubleshooting, close all programs and restart the computer as you normally would
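Two things in the Safe Mode instructions above are easy to get wrong: running the scanners while still in Normal Mode, and forgetting to uncheck the MSCONFIG /SAFEBOOT option afterwards, which leaves the PC restarting into Safe Mode every time. The following PowerShell is an added example (not from this post) that checks both. It relies on the SAFEBOOT_OPTION environment variable that Windows sets only during a Safe Mode boot (MINIMAL or NETWORK), looks for a leftover /safeboot switch in boot.ini on XP, and queries the BCD store with bcdedit on Vista. It assumes an Administrator session for the bcdedit query and a default boot.ini location of %SystemDrive%\boot.ini.

```powershell
# Added example (not from the thread): report whether this session is in Safe
# Mode and whether a persistent safe-boot flag (MSCONFIG /SAFEBOOT on XP, the
# "safeboot" BCD value on Vista) is still set. Assumes an Administrator session.

function Get-SafeModeState {
    # SAFEBOOT_OPTION exists only while Windows is booted into Safe Mode.
    switch ($env:SAFEBOOT_OPTION) {
        'MINIMAL' { return 'Safe Mode' }
        'NETWORK' { return 'Safe Mode with Networking' }
        default   { return 'Normal Mode' }
    }
}

function Test-BootIniSafeboot {
    # XP: MSCONFIG's BOOT.INI tab appends /safeboot:minimal or /safeboot:network
    # to the boot entry line. Returns the matching lines, or an empty array.
    param([string]$Path = "$env:SystemDrive\boot.ini")
    if (-not (Test-Path $Path)) { return @() }
    return @(Get-Content -Path $Path | Where-Object { $_ -match '(?i)/safeboot' })
}

function Test-BcdSafeboot {
    # Vista and later: the same setting is the "safeboot" element of a BCD entry.
    if (-not (Get-Command bcdedit.exe -ErrorAction SilentlyContinue)) { return @() }
    return @(bcdedit.exe /enum 2>$null | Where-Object { $_ -match '(?i)^\s*safeboot\s' })
}

Write-Host ("Current session : {0}" -f (Get-SafeModeState))
if ((Get-SafeModeState) -eq 'Normal Mode') {
    Write-Host 'Not in Safe Mode: reboot with F8 (or MSCONFIG) before running the scanners.'
}

$stuck = @(Test-BootIniSafeboot) + @(Test-BcdSafeboot)
if ($stuck.Count -gt 0) {
    Write-Host 'Persistent safe-boot flag found; the PC will keep starting in Safe Mode until it is cleared:'
    $stuck | ForEach-Object { Write-Host ("  {0}" -f $_) }
    Write-Host 'XP: MSCONFIG > BOOT.INI > uncheck /SAFEBOOT.   Vista: bcdedit /deletevalue {current} safeboot'
} else {
    Write-Host 'No persistent safe-boot flag set; the next reboot returns to Normal Mode.'
}
```

The F8 method never touches boot.ini or the BCD store, so a machine booted that way reports Safe Mode for the session and no persistent flag; only the MSCONFIG method leaves something behind to clean up.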

Great. This will help a lot of users.

Exerience, please edit the name ‘Comodo Fix’ in the first post to ‘Combo Fix’. I followed the link out of curiosity to know the malware ‘Comodo’ that maligns our beloved Comodo, and it opened ‘Combo Fix’. I think it may confuse others also.

Hi laymen.

Thanks for the feedback. That typo was my error; it's been fixed. :wink:

Josh

I cannot agree with the advice given in this thread to turn off System Restore before running malware removal fixes.

If these go wrong, and they can, you then have no way back other than a reformat and reinstall of all your apps.

Far better IMHO to remove the malware and remove infected restore points after.

A way to not leave the system without one even temporarily is as follows.

How to remove all previously infected restore points.

Go to Start > All Programs > Accessories > System Tools > System Restore

* Select Create a restore point, and OK it.

* Next, go to Start > Run and type in cleanmgr

* Select the More Options tab

* Choose the option to clean up System Restore and OK it.

This will remove all restore points except the new one you just created.
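The "create a fresh restore point, then let Disk Cleanup remove the older ones" procedure above (it also appears in the System Restore post earlier in the thread) can be scripted so that the machine is never without a restore point, which is the whole point of doing it in this order. The following PowerShell is an added example, not part of either post: it creates a new restore point, verifies that it really appeared, and then deletes every restore point except that one. It assumes Windows PowerShell 2.0 or later with the Checkpoint-Computer and Get-ComputerRestorePoint cmdlets, an Administrator session, and that System Restore is already enabled on the system drive; the description text is a placeholder.

```powershell
# Added example (not from the thread): keep exactly one clean restore point.
# Scripted form of "Create a restore point" followed by Disk Cleanup > More
# Options > clean up System Restore. Assumes Windows PowerShell 2.0+ (XP SP3
# or later), an Administrator session, and System Restore already enabled.
param([string]$Description = 'Clean point after malware removal')   # placeholder text

function New-CleanRestorePoint {
    param([string]$Description)
    # Record what exists first so the new point can be identified afterwards.
    $before = @(Get-ComputerRestorePoint | Select-Object -ExpandProperty SequenceNumber)
    Checkpoint-Computer -Description $Description -RestorePointType 'MODIFY_SETTINGS'
    $new = @(Get-ComputerRestorePoint | Where-Object { $before -notcontains $_.SequenceNumber })
    if ($new.Count -eq 0) { throw 'No new restore point was created; is System Restore enabled on this drive?' }
    return $new | Sort-Object SequenceNumber | Select-Object -Last 1
}

function Remove-OlderRestorePoints {
    param([int]$KeepSequenceNumber)
    # Delete by sequence number, leaving only the point we just created.
    $removed = @()
    foreach ($rp in @(Get-ComputerRestorePoint)) {
        if ($rp.SequenceNumber -ne $KeepSequenceNumber) {
            Get-ComputerRestorePoint -Delete $rp.SequenceNumber
            $removed += $rp.SequenceNumber
        }
    }
    return $removed
}

$clean = New-CleanRestorePoint -Description $Description
Write-Host ("Created restore point #{0}: {1}" -f $clean.SequenceNumber, $clean.Description)

$gone = Remove-OlderRestorePoints -KeepSequenceNumber $clean.SequenceNumber
Write-Host ("Deleted {0} older restore point(s): {1}" -f $gone.Count, ($gone -join ', '))

# What is left should be the single clean point.
Get-ComputerRestorePoint | Format-Table SequenceNumber, Description, RestorePointType -AutoSize
```

Because the new point is created before anything is deleted, a failure at the Checkpoint-Computer step stops the script with the old restore points still in place, which is safer than the "turn System Restore off, then on" approach this post argues against.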

I agree with you James. (To the others, I’ve been discussing this over PM now.) I’ve sent you the document; could you give me your proposal then? I will review it then and, if found good, which I think it will be, I will change the document. :slight_smile:

Xan

Sent you a pm Xan.

Unfortunately, severe infections may prevent you from installing programs like these. Also, while these programs are good, they are far from the be all and end all.

My own advice is to start with on-line scanners, including:

In severe cases you may have to run scanner and/or tools from a boot CD or DVD:

See also 13 Antivirus Rescue CDs Software Compared in Search For the Best Rescue Disk

Thanks to COMODO for CIS,
John

I don’t think that forum members here are qualified to deal with severe infections. The suggestions made are just first steps which may sort out simple ones.

Anyone with something bad would be advised to seek help with full supervision from one of the forums with people qualified to do that and there are many of those available.

It has been interesting to see how few forum members seem to have these problems whilst using Comodo Security.

The ones that do can’t get on-line to tell us! :smiley:

John

(:LGH)

Define Qualified?

CG

I agree with you.
Not everyone is qualified to provide help. But, I believe, if I am not mistaken, that people wouldn’t be qualified for a full system check-up with certain tools, way more advanced than HijackThis. People just wouldn’t know how to interpret such results. Most of them are way more advanced than me. From time to time I perform those full check-ups and then ask in specific security forums if anything is wrong.

Anyway, in case of a severe infection I believe the best is just to reformat the system with an appropriate tool such as DBAN.

For non-severe infections, use tools which do not require the system to be booted, such as live CDs, either provided by Kaspersky, F-Secure, BitDefender, etc., or one made by me, using tools such as HijackThis, Malwarebytes, SUPERAntiSpyware, etc.

Qualified as having undergone the extensive training in analysing and safely dealing with problems which tend to appear in HijackThis logs.

The type of training provided by Bleeping Computer, MRU and others, which requires months of extensive study.

HijackThis logs are not that very hard to understand. Emsisoft HijackFree, for example, provides a more detailed picture of your system, which makes it hard for most people to understand. There are other tools more advanced than, or at least at the same level as, Emsisoft’s tool.

I agree that there are people who won’t even know how to interpret Hijackthis results.

That would mean I’m not “qualified”, despite having cleaned many badly infected systems successfully. :wink:

Many roads lead to Rome, and folks with other credentials, or even no credentials at all, can still offer good advice. It never hurts to listen, and to try things that make sense. :-TU

HijackThis can be helpful, but is by no means essential (and badly in need of more user friendliness) – I rarely use it. My own preferred method is to run other tools from Ultimate Boot CD for Windows – I find it much easier to clean a serious infection from an uninfected environment. :-La

John

I’ve never had to do that. It costs a huge amount of time and inconvenience. :-TD My own preference is to disinfect, from a boot CD if necessary in severe cases. :-TU

Regardless, there’s no need to do anything more than standard Format before reinstall, and even Format isn’t essential – unlike biological viruses, malware can do no harm unless actually executed. :-La

Something like DBAN is only needed for the secure destruction of sensitive data, for which I personally use standard hard disk diagnostics. (The DBAN website is seriously incomplete and currently broken, which isn’t exactly confidence inspiring.)

John

I agree with you, but you contradict yourself when you say “HijackThis can be helpful, but is by no means essential”. If something is essential, it is so, because it provides you the help you need, right?

It’s like a washing machine. You can do the laundry in an old fashioned way, but that won’t mean that a washing machine is not essential. And it is essential, because it helps doing a specific task.

Just because you rarely use something, it won’t mean it is non-essential to others. Now, does it? :slight_smile:

For example, I don’t drink wine. But, to others, well, it is their water! :smiley:

Best regards

It’s easy enough to understand the HijackThis logs. It is how to deal with what shows up there that can cause problems; some of the tools used need to be used under supervision by the average user. I am just concerned that someone asking about a problem could run some tool which makes their machine unbootable. Having to reformat can take up a lot of time, as I learnt after installing SP3.