So your PC has been infected by malware!?

Even if you have installed the best antivirus on the market you can still become infected with malware, and once you are infected there is no certainty that your antivirus is capable of cleaning up without a little help.

Technical

On this page I will refer to malware as a generalization of viruses, malware, worms and trojans, and the techniques I refer to are aimed at Windows XP (they can still be used on other platforms but may require additional steps/actions).

Tell-tale signs that something is wrong;

Your antivirus keeps detecting infections day after day; you clean it, but the next day when you reboot the machine it is infected again.

When there is little reason to be concerned;

If you browse to a web-site and immediately get a warning from your antivirus that this or that file is infected, and the reference is to a file in a folder with a name similar to this (it may differ some);

C:\Documents and Settings\username\Application Data\Microsoft\Internet Explorer\UserData\FY2BE6Q4

then there is a good chance your antivirus caught the malware before it got a chance to install itself, and there is thus no reason to panic. I would however still recommend a complete system scan with the installed antivirus just to be on the safe side.

Infected, what now!?

How did I get infected and what is the big deal?

What often happens is that your PC is infected by malware while visiting a web-site. This can happen even without visiting dangerous/suspicious web-sites; even very reputable sites sometimes get malware code injected into their pages (this can happen via banner advertisements or by hacking etc.). As the malware may be brand new, your antivirus may not know it yet and thus raises no warning; you have now unknowingly been infected. After a few days your antivirus vendor may pick up on the malware and issue an update to your antivirus (a definition update); once your antivirus has been updated it detects that your computer has been infected. You might think that everything is fine now, your antivirus has detected the malware and offers to clean the infection!? The problem is that quite often a malware infection has had ample time to do its nasty business before it was detected and cleaned, thus your antivirus may very well clean the ‘original’ malware but may not pick up on some of the changes done to your system – this could be anything from harmless changes to the title bar of your internet browser to more serious matters like the installation of backdoors, rootkits, botnet clients or other malware.

Anyhow, let us try to picture that your PC has now been well and thoroughly infected.

What do you do!?

  • Check that your antivirus is working and has the latest updates.
  • Do a complete system scan with your antivirus.
  • Restart your machine; do so by shutting down and then starting up the machine again (not a simple reboot).
  • Do another complete system scan with your antivirus.

Now many people think that once this is done and the antivirus informs you that it has cleaned a number of infections, everything is fine. Well, the correct answer is that MAYBE everything is fine. The problem is, as mentioned before, that you may not know how long your PC has been infected nor what has happened during this time. If the malware has installed what is known as a rootkit, then this can be very hard to detect and may go completely unnoticed by your antivirus, thus we need to take additional precautions before we jump to the conclusion that everything is fine.

Additional steps/precautions;

  • Run Microsoft Malicious Software Removal Tool (MRT)
    This is a utility that Microsoft has included in Windows Update; it is thus installed on all PCs and updated monthly, and once a month an automated scan is made (without any warning or display, so you will never notice it). You can launch this utility manually by opening a Run dialog box (Windows key + R), typing MRT.EXE and clicking OK; now click Next and do a complete scan (you can start with a quick scan which is much faster, but I strongly suggest a Full scan of the system to be safe).
    [Screenshots: run, mrt1]

Now your PC should be cleaned of infections; however, we still need to verify this.

  • Shut down your PC, start it again (a simple reboot is not enough) and now do a new scan with your antivirus scanner.

Experienced users;

If you are an IT professional here are a few additional steps you may try; these are additional steps, not required, and you will still need to perform the steps above. I do not recommend these steps for novice/non-IT-professional users.

  • You can try to check which programs are set to autostart; look for suspicious programs that are configured to start up automatically. This can be quite complicated to determine as the references/names used are often difficult to identify (e.g. acr32rd.exe etc.). To check which programs and services autostart you can use the utility msconfig.exe (Windows Key + R, type msconfig.exe and hit OK) or try the more advanced utility from http://live.sysinternals.com/autoruns.exe
    However, be cautious: if you disable important system files the PC may not boot correctly and it may be difficult to undo the damage.
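As an added example (not the blog's own script), here is a PowerShell check that automates part of the autostart review described above for the four Run/RunOnce registry keys: it prints each entry and flags those whose executable is missing, is not Authenticode-signed, or lives in a user-writable folder. Which keys and folders to check are my assumptions; msconfig and Autoruns cover far more autostart locations than this.

```powershell
# Added example, not the blog's own script: list Run/RunOnce autostart entries
# for the machine and the current user and flag the ones worth a closer look.
# Assumptions: only these four registry keys are checked (msconfig/Autoruns
# cover many more locations), and the user-writable folder list is a heuristic.

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Folders a normal user can write to; malware dropped by a drive-by download
# usually ends up somewhere in here rather than under Program Files.
# LOCALAPPDATA is not defined on XP, hence the filter for empty values.
$userWritable = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:USERPROFILE) |
    Where-Object { $_ }

function Get-ImagePath {
    # Extract the executable from a launch string such as
    #   "C:\Program Files\Foo\foo.exe" /silent   or   C:\WINDOWS\x.exe -run
    param([string]$LaunchString)
    if ($LaunchString -match '^\s*"([^"]+)"') { return $matches[1] }
    if ($LaunchString -match '^\s*(.+?\.exe)') { return $matches[1] }
    return ($LaunchString -split '\s+')[0]
}

function Test-AutostartEntry {
    # Returns the reasons an entry looks suspicious (empty = nothing found).
    param([string]$LaunchString)
    $exe = [Environment]::ExpandEnvironmentVariables((Get-ImagePath $LaunchString))
    $reasons = @()
    if (-not (Test-Path -LiteralPath $exe)) {
        $reasons += 'file-missing'
        return $reasons
    }
    # Legitimate vendor software is usually Authenticode-signed (Status 'Valid');
    # anything else deserves a look, although unsigned does not prove malicious.
    $sig = Get-AuthenticodeSignature -FilePath $exe
    if ($sig.Status -ne 'Valid') { $reasons += "signature:$($sig.Status)" }
    foreach ($dir in $userWritable) {
        if ($exe -like "$dir\*") { $reasons += 'user-writable-folder'; break }
    }
    return $reasons
}

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $values = Get-ItemProperty -Path $key
    foreach ($prop in $values.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }      # skip PSPath, PSProvider, ...
        $reasons = @(Test-AutostartEntry $prop.Value)
        $tag = if ($reasons.Count -gt 0) { 'CHECK ' + ($reasons -join ',') } else { 'ok' }
        "{0,-8} {1}\{2} = {3}" -f $tag, $key, $prop.Name, $prop.Value
    }
}
```

Run it from an elevated PowerShell console; a flagged entry is a candidate for a closer look (for example a Virus Total upload, as mentioned elsewhere on this page), not proof of infection.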

Update May 4th 2011;
a new tool is available to scan and clean your PC;
Microsoft Security Scanner, get it free here;
http://www.microsoft.com/security/scanner/en-us/default.aspx

Update June 5th 2011;
Recently I mentioned the Microsoft Security Scanner (https://readmydamnblog.com/?p=2011), a portable/standalone scanner for your PC; well, it seems Microsoft is stepping up their anti-malware/rootkit efforts – link to their new scanner Windows Defender Offline http://windows.microsoft.com/en-US/windows/what-is-windows-defender-offline a bootable ISO containing a rootkit and malware scanner. It is also worth noticing that the latest version of Microsoft DART “ERD Commander” (the old Winternals/Sysinternals utility to boot, modify and fix Windows installations) now also contains a malware scanning and removal utility – this is however sadly only available to Microsoft corporate license holders.

This link may also be useful; http://www.bleepingcomputer.com/download/anti-virus/rkill 
(direct download http://download.bleepingcomputer.com/grinler/rkill.exe)

Video tutorial on installing and cleaning using the Malwarebytes scanner;
http://youtu.be/gme75Aq_goI – Danish version 
http://youtu.be/P26migKnHC8 – English version

Additional links added January 2011;

Kaspersky Rescue Disk 10 – a boot and clean disk you can use to cleanup your system (untested by me, but was recommended).
http://support.kaspersky.com/viruses/rescuedisk  (Free)

Sophos Anti-Rootkit (Free) – a detection and removal kit for Rootkits
http://www.sophos.com/en-us/products/free-tools/sophos-anti-rootkit.aspx

SpyBot Search and Destroy (Free) (I however still prefer Malwarebytes, but this is a good cleanup utility also)
http://www.safer-networking.org/

On this page I will eventually try to list some or all of the software I use on a regular basis.

Updated Feb 19th 2011

I usually convert video using;
Any DVD Converter Pro – http://www.any-video-converter.com/products/


DVD backup is done using;
DvdFab – http://www.dvdfab.com/
AnyDvd (bypass region coding and more) – http://www.slysoft.com/en/anydvd.html


iTunes is used to manage my podcasts (and Audiobooks);
http://www.apple.com/itunes/download/

Media files are played using;
Media Player Classic (Home Cinema x64) – http://mpc-hc.sourceforge.net/


The problem with missing codecs etc. is solved via;
Windows 7 codec pack (Sharks) – http://www.shark007.net/


Photos and graphics are edited using;
http://www.getpaint.net/
and sometimes Photoshop from Adobe.


When I need to convert .MP3 to .M4B (iPod/iPhone audiobook format) I use these utils;
http://www.freeipodsoftware.com/
http://www.shchuka.com/software/mergemp3/


AVI video to DVD is created via;
http://www.vso-software.fr/products/convert_x_to_dvd/


AVI editing is done via;
http://www.photodex.com/products/proshow/producer
Windows DVD maker (live tools)


Virtual machines;

VmWare Workstation/Player for my Workstation and Hyper-V for my servers

File compression;
WinRar – http://www.rarlabs.com/


Files Shared via;
http://www.dropbox.com/


Passwords remembered via;
http://lastpass.com

Encryption;
http://www.truecrypt.org


Coding done via;
Borland Delphi 7 (old old version)


DRM removal (needed to play wmv on iPod) done via;

Drmbuster http://drmbuster.com/ (Simpler version)
TuneByte http://audials.com (more advanced)


Browsing done via;
IE + Firefox


CD-Burning done via;
Nero Burning Rom – http://www.nero.com/eng/nero-burning-rom-overview.html
Alternatives are; http://cdburnerxp.se/  –  http://www.imgburn.com/  –  http://infrarecorder.org/
But also check here; http://www.ghacks.net/2009/12/21/free-cd-burning-software/
http://mytechquest.com/windows/8-free-portable-cd-and-dvd-burning-software/


ISO Mounting is done like this;

https://readmydamnblog.com/?p=1790


Mail is read using;
Microsoft Outlook 2010


Screenshots are taken via;
http://www.techsmith.com/jing/free/


Video/screen video captured via;
Hypercam 2 (Free) – http://www.hyperionics.com/hc/ 


Various Utilities I also use;
Virus Total (scan files for viruses with many engines) – www.virustotal.com and a right-click plugin http://www.virustotal.com/advanced.html#uploader
TeraCopy (MOST excellent, speeds up copying and much much more – a MUST have) – http://www.codesector.com/teracopy.php

Yes it is here, “Microsoft Security Essentials”, the beta for Microsoft’s new free antivirus (previously codenamed Morro) and the replacement for OneCare Live, a paid antivirus solution Microsoft attempted earlier which reached EOL in June 2009.

We use Forefront Client Security (Microsoft’s corporate antivirus solution) at work, and it works quite well. The malware and antivirus part is just as good as any I have tried, but the corporate management part is somewhat lagging, I would say. But as Microsoft Security Essentials is a standalone product this is not an issue, and I would suspect the engine etc. to be the same as in Forefront Client Security, so all in all I expect this to be an excellent product.

Read more;
http://www.microsoft.com/security_essentials/ 
Here you can also get the beta (if you are eligible)

http://hacktolive.org/wiki/Microsoft_Security_Essentials
Here you can also get the beta (if you are not eligible 😉 )

A pretty good walkthrough here;
http://www.winsupersite.com/win7/mse_beta.asp

Some random posts;
http://www.addictivetips.com/windows-tips/microsoft-security-essentials-review-with-screenshots/
http://www.pcworld.com/article/167160/is_microsofts_morro_malware_in_disguise.html

Bonus Outlook tools.

For some additional tools to help you manage Outlook files and contents, don’t forget about all the awesome (and portable) Outlook tools offered recently by Nir Sofer.

Outlook/Office Utilities – (freeware) – NirSoft.

NK2View – (freeware) – Did you know that if you use Outlook the email names used in the To/Cc fields are retained? The NK2 file is the “auto-complete” file. Great place to review if you are auditing an Outlook user’s PC. Anyway, this handy utility allows you to view the NK2 file, display all the email address records stored, and export them into various file formats. Handy for security techs. Also allows you to quickly edit, sort, save/restore, and delete items in the file itself. Particularly useful if you need to bulk-edit the contents due to changes/conversions in corporate address book items.

OutlookAttachView – (freeware) – This utility can help you locate, extract and/or remove attachments embedded in your Outlook email messages.  It displays the list of attached files in your Outlook’s mailbox, and allows you to easily select all attachments that you need, and then extract them into a folder that you choose. 

OutlookStatView – (freeware) – Nir is on a roll! For all you Outlook junkies out there, this tool can gather a lot of great statistics on your email habits. Quoting from Nir’s description, “OutlookStatView scans your Outlook mailbox, and display a general statistics about the users that you communicate via emails. For each user/email, the following information is displayed: The number of outgoing messages that you sent to the user (separated by to/cc/bcc), the number of incoming message that the user sent to you, the total size of messages sent by the user, the email client software used by this user, and the time range that you send/received emails with the specified user.”

Source; Claus V. http://grandstreamdreams.blogspot.com/2009/05/outlook-thread-compressor-new-escapee.html


Although I am more or less up and running again after the Needhost bankruptcy (just 2 months blogposts lost), there are those less fortunate.

One of my very close friends lost his wife’s blog (not popular), but he pointed me to this blogpost that may be of interest to former Needhost customers;

http://blog.surftown.dk/?p=1239

Let’s hope for a small miracle this Christmas 🙂

In the early days of Christmas 2008 my old hosting provider declared bankruptcy and switched off their servers, or rather switched off their servers and then leaked information about their bankruptcy..

So as a man with a FULL backup of his site, cough cough, I went to a new provider and reinstalled my backup.. Hmm, but as you may see I missed a few months of backup :-/ bummer..

But I will try to restore some of the missing posts from memory and from google cache, and well take a new look at my backup routine 😀

Meanwhile, hope you all had a merry Christmas and wish you a blast of a new year 🙂

Happy holidays.
Mike

 Ps. Note the irony in that the last post from my backup actually regarded backup..  Someone sure had it in for me 😉



I have decided to start a dedicated page to various links. Mainly I may keep this online for my own benefit, just to avoid forgetting those interesting links you stumble across over time.

Anyhow, here goes;


Blogs;

Below is a list of some of the blogs I have stumbled across during my surfing.

Michaels Deployment Blog

http://kongkuba1.spaces.live.com/blog/
Blog with tips and tricks for deployment, MDT/SCCM etc.

Rob Marshall’s blog

http://wmug.co.uk/blogs/r0b/default.aspx
Microsoft SCCM guru

Ronni Pedersen’s Blog

http://myitforum.com/cs2/blogs/rpedersen
Danish SCCM guru from EG

Terry Zink’s Cyber Security Blog

http://blogs.msdn.com/tzink
An interesting blog about spam and spammers among other things


News Media and more;

Below are links to different News services I follow.

ComOn

http://www.comon.dk  – http://m.comon.dk (Mobile version)
A Danish online IT news magazine

Version 2

http://www.version2.dk/
A Danish online IT news magazine

24 Timer

http://www.24timer.dk/
A free Danish newspaper (available as downloadable PDF also)

Cnet news

http://news.cnet.com/?tag=hdr%3bsnav
http://www.youtube.com/user/CNETTV (Video magazine)
Cnet’s Technology News site


Various Links;

A collection of different interesting links for various things.

4 sysops

http://4sysops.com/
A site for system administrators, full of useful utilities, reviews, scripts etc.

Lazy Admin

http://thelazyadmin.com/
A site for system administrators

IT-Experts.dk

http://it-experts.dk/
A Danish language forum/site for IT administrators

Bink.NU

http://bink.nu/
A site with various IT news, reviews, utilities etc.

Black Viper

http://www.blackviper.com/
A great resource for optimizing your Windows installation; this site explains what the different services and processes do and what you can do to tweak performance.

EventID

http://eventid.net/
A resource for debugging eventid errors in Windows

PortForward

http://portforward.com/
Need help configuring a router (perhaps setting up port-forwarding etc.)? Well, this is the site to visit. Lots of information and guides for almost any brand of router you can think of.


Photo resources;

In 2011 I bought myself a DSLR camera, and during this process I did a lot of research; I found the links below very helpful.

CameraLabs

http://www.cameralabs.com/
A great and easy to understand site with tons of reviews, tips and tricks and other information

DigitalRev

http://www.youtube.com/user/DigitalRevCom
This is a cool YouTube channel for people interested in Cameras.  Lots of reviews, tips and geeky/funny stuff in general.  Even if you are not all that into cameras then this is worth a visit.


Security Links;

A bunch of links to various security related sites and services

HAK5

http://www.hak5.org/
Hak5 is mostly a monthly webcast about security and hacking; it perhaps tends to be a bit on the ‘black hat’ side, but this offers great insight into the ‘enemy’ and is thus very interesting. It is a geeky show with tons of tips, tricks and reviews. The quality has dropped slightly since the staff was reduced, but it is still worth a visit if you are interested in ‘the dark side’ 🙂

Secunia

http://secunia.com/
Secunia offers, among other things, a security scanner for your PC that will evaluate the software on your PC (version- and vulnerability-wise). Other than that it is one of the more famous security companies, so they are likely to have other goodies or news lying around.

Threat Expert

http://www.threatexpert.com/
This is a cool service where you can upload software for analysis; you will get a report that shows what the software does upon execution (what files are installed, which registry keys are modified etc., and a general threat assessment) – it is very useful if you suspect mischief from some software you downloaded or found installed on your PC.

Virus Total

http://www.virustotal.com/
This is an EXCELLENT site: you upload an executable or other file and it is analyzed with numerous antivirus scanners (20-30 different scanners). Thus if you are in doubt whether a file is infected, upload it here and get a ‘second opinion’. They also offer an emailing service (you can email files instead of uploading) and a right-click option for Windows (so you can right-click any file and upload it without having to visit a web-site).

 


Podcasts I listen to;

I recently bought an iPod Touch 16gb. Now this is a cool device; it seems really well thought out and the finish just blows you away. The only thing I’m not that impressed with is that I’m forced to use iTunes to manage it; it would have been great with just pure USB access, but other than the iTunes ‘infection’ it’s really cool. I added an FM transmitter for car usage, so now I can combine the commuter trip with e-learning (or just plain podcasting).

http://www.twit.tv/sn – Security Now
Security Now is a weekly, approx. 1 hour security briefing with focus on new technology and current issues in the security world. This show is fine both for persons with just a basic interest in security as well as for the security professional.

http://itradio.com.au/security/ – Risky Business
Risky Business is, like Security Now, a security podcast; the focus on this show is however more on the commercial/business side. This podcast is likely more interesting for the IT security pro than the home user.

http://www.twit.tv – Various
On TWiT you will find numerous interesting shows starring Leo Laporte; among these I’d mention “Windows Weekly” and “Security Now” as definitely worth a listen. The site’s focus is mainly on end users and not limited to IT news; there are also shows on cooking and parenting.

Quite a few additional Security Podcasts can be found here;
http://getmon.com
http://www.irongeek.com/security-podcasts.php


Art;

http://www.sinus-art.com – Sinus-Art
I would like to promote a small art gallery in Germany; I have bought a few paintings from this place and they are great. Paul Sinus can really do something with colors, it’s really fascinating and at a fair price even.


Get in touch

If for any reason you want to get in touch, give feedback, correct me or just plainly want to reach out, feel free to fill out the form on the left; I will try to get back to you in a few days if applicable.

Looking forward to hearing from you.

/Mike


Who is the man behind the scene;

Name:
Michael Møller

Born:
31st August 1969, Samsø Denmark

Civil Status:
Married to my beautiful wife Mary Liao

Where do I live:
Viborg, Denmark

Current occupation:
IT administrator at a Danish architect company, former IT operations in both international corporations and in the Danish military.

Technologies I work with:

MS-Server 2003/2008/2008-R2/2012/2012R2/2019, MS-TMG, Sophos UTM, MS-Exchange 2010/2007/2003, Lansweeper, MS-SQL 2008/2005/2000, MS-Forefront, WebRoot AV, McAfee AV, Office365, MS-Teams, MS-Skype4b, IBM-TSM, MS-Cluster/Hyper-V, Riverbed.

Programming:
I used to code a bit in Delphi, but these days it’s mostly VBS and CMD scripts – I have a promise to myself to learn more Powershell but time is scarce so..

Sports:
Spinning.

Interests:

Books (I listen to quite many audiobooks, and along with this come a number of podcasts), Movies, Family, IT in general and especially IT Security.

Certifications:
CISSP, CPSA, MCP (WIN NT, 2000, 2003), ITIL