Five Tips For Removing Viruses & Spyware

It’s inevitable that clients will infect workstations, PCs, and laptops with spyware and viruses. Regardless of preventive steps, from gateway protection to automated scans to written Internet use policies, malware threats sneak through even layered defenses. What makes the situation worse is that many clients aren’t willing to invest in standalone anti-spyware software, even though they understand the need for minimal antivirus protection.

Some IT professionals advocate simply wiping systems and reinstalling Windows, while others suggest that’s akin to giving up and letting the bad guys win. The truth lies somewhere in between. After making an image copy of the drive (it’s always best to have a fallback option when battling malicious infections), here are the measures I find most effective.

1: Isolate the drive

Many rootkit and Trojan threats are masters of disguise that hide from the operating system as soon as or before Windows starts. I find that even the best antivirus and antispyware tools — including AVG Anti-Virus Professional, Malwarebytes Anti-Malware, and SuperAntiSpyware — sometimes struggle to remove such entrenched infections.

You need systems dedicated to removal. Pull the hard disk from the offending system, slave it to the dedicated test machine, and run multiple virus and spyware scans against the entire slaved drive.

2: Remove temporary files

While the drive is still slaved, browse to all users’ temporary files. These are typically found within the C:\Documents and Settings\Username\Local Settings\Temp directory on Windows XP or the C:\Users\Username\AppData\Local\Temp folder on Windows Vista.

Delete everything within the temporary folders. Many threats hide there seeking to regenerate upon system startup. With the drive still slaved, it’s much easier to eliminate these offending files.

3: Return the drive and repeat those scans

Once you run a complete antivirus scan and execute two full antispyware scans using two current, recently updated and different anti-spyware applications (removing all found infections), return the hard disk to the system. Then, run the same scans again.

Despite the scans and previous sanitization, you may be surprised at the number of remaining active infections the anti-malware applications subsequently find and remove. Only by performing these additional native scans can you be sure you’ve done what you can to locate and remove known threats.

4: Test the system

When you finish the previous three steps, it’s tempting to think a system is good to go. Don’t make that mistake. Boot it up, open the Web browser, and immediately delete all offline files and cookies. Next, go to the Internet Explorer Connection settings (Tools | Internet Options and select the Connections tab within Internet Explorer) to confirm that a malicious program didn’t change a system’s default proxy or LAN connection settings. Correct any issues you find and ensure settings match those required on your network or the client’s network.

Then, visit 12 to 15 random sites. Look for any anomalies, including the obvious popup windows, redirected Web searches, hijacked home pages, and similar frustrations. Don’t consider the machine cleaned until you can open Google, Yahoo, and other search engines and complete searches on a string of a half-dozen terms. Be sure to test the system’s ability to reach popular anti-malware Web sites, such as AVG, Symantec, and Malwarebytes.

5: Dig deeper on remaining infections

If any infection remnants persist, such as redirected searches or blocked access to specific Web sites, try to determine the filename of the active process causing the trouble. Trend Micro’s HijackThis, Microsoft’s Process Explorer, and Windows’ native Microsoft System Configuration Utility (Start | Run and type msconfig) are excellent utilities for locating offending processes. If necessary, search the registry for the offending executable and remove all instances. Then reboot the system and try again.

If a system still proves corrupt or unusable, it’s time to begin thinking about a reinstall. If an infection persists after all these steps, you’re likely in a losing battle.
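The scriptable parts of steps 2 and 4, collected into one PowerShell script as an added example (this is not code from the TechRepublic article). It assumes the infected disk is attached to the dedicated cleaning machine under the drive letter passed as -SlavedDrive, that the script runs elevated on PowerShell 3.0 or later, and that the hive mount name HKU\OfflineTriage and the function names are free choices of this example. It walks every user profile in both the XP and the Vista folder layouts, reports executables found in each Temp folder (and clears the folders when -Delete is given), and then loads each profile’s NTUSER.DAT offline to read the Internet Explorer proxy values, so a hijacked proxy or auto-config URL is spotted before the drive is ever booted.

```powershell
# Added example, not part of the original article: offline triage of a slaved Windows drive.
# Assumes: runs elevated on the cleaning machine, PowerShell 3.0+, drive attached as $SlavedDrive.
param(
    [Parameter(Mandatory = $true)][string]$SlavedDrive,   # e.g. 'F:'
    [switch]$Delete                                       # report only unless this switch is set
)
$ErrorActionPreference = 'Stop'

# Step 2: find every user's Temp folder in both the XP and the Vista profile layouts.
function Get-UserProfileDirs {
    param([string]$Root)
    foreach ($profileRoot in @('Documents and Settings', 'Users')) {
        $dir = Join-Path $Root $profileRoot
        if (Test-Path $dir) { Get-ChildItem -Path $dir -Directory }
    }
}

function Get-UserTempFolders {
    param([string]$Root)
    foreach ($profile in Get-UserProfileDirs -Root $Root) {
        foreach ($rel in @('Local Settings\Temp', 'AppData\Local\Temp')) {
            $temp = Join-Path $profile.FullName $rel
            if (Test-Path $temp) { $temp }
        }
    }
}

function Clear-TempFolder {
    param([string]$Path, [bool]$Remove)
    $files = Get-ChildItem -Path $Path -Force -Recurse -File -ErrorAction SilentlyContinue
    # Executables and scripts sitting in Temp are the files worth recording before they are deleted.
    foreach ($f in ($files | Where-Object { $_.Extension -match '^\.(exe|dll|scr|vbs|bat|cmd)$' })) {
        Write-Output ("SUSPECT {0}  {1} bytes  modified {2}" -f $f.FullName, $f.Length, $f.LastWriteTime)
    }
    if ($Remove) {
        Get-ChildItem -Path $Path -Force | Remove-Item -Recurse -Force -ErrorAction SilentlyContinue
        Write-Output ("Cleared {0} ({1} files)" -f $Path, @($files).Count)
    }
}

# Step 4, done offline: load the user's NTUSER.DAT as a temporary hive and read the
# Internet Explorer proxy settings, which malware commonly rewrites.
function Get-OfflineProxySettings {
    param([string]$ProfileDir)
    $hive = Join-Path $ProfileDir 'NTUSER.DAT'
    if (-not (Test-Path $hive)) { return }
    $mount = 'HKU\OfflineTriage'                          # hypothetical mount name chosen for this example
    & reg.exe load $mount $hive 2>$null | Out-Null
    try {
        $key = 'Registry::HKEY_USERS\OfflineTriage\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
        if (Test-Path $key) {
            $p = Get-ItemProperty -Path $key
            [pscustomobject]@{
                Profile       = Split-Path $ProfileDir -Leaf
                ProxyEnable   = $p.ProxyEnable
                ProxyServer   = $p.ProxyServer
                AutoConfigURL = $p.AutoConfigURL
            }
        }
    } finally {
        [gc]::Collect()                                   # release key handles so the hive can be unloaded
        & reg.exe unload $mount 2>$null | Out-Null
    }
}

# ---- main ----
foreach ($temp in Get-UserTempFolders -Root $SlavedDrive) {
    Write-Output "Temp folder: $temp"
    Clear-TempFolder -Path $temp -Remove:$Delete.IsPresent
}

foreach ($profile in Get-UserProfileDirs -Root $SlavedDrive) {
    Get-OfflineProxySettings -ProfileDir $profile.FullName |
        Where-Object { $_.ProxyEnable -eq 1 -or $_.AutoConfigURL } |
        ForEach-Object { Write-Output ("PROXY SET for {0}: server={1} pac={2}" -f $_.Profile, $_.ProxyServer, $_.AutoConfigURL) }
}
```

Run it first without -Delete to see what is in each Temp folder and which profiles have a proxy configured; anything listed as PROXY SET that does not match the client’s network should be corrected in the Connections tab once the drive is back in its own machine, as step 4 describes.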

Other strategies

Some IT consultants swear by fancier tricks than what I’ve outlined above. I’ve investigated KNOPPIX as one alternative. And I’ve had a few occasions in the field where I’ve slaved infected Windows drives to my Macintosh laptop to delete particularly obstinate files in the absence of a boot disk. Other technicians recommend leveraging such tools as Reimage, although I’ve experienced difficulty getting the utility to even recognize common NICs, without which the automated repair tool can’t work.

Source: http://techrepublic.com

RAM Defragmenter Alternative

Hi friends,
As you all know, the original RAM defragmenting software is costly. So I’ve come up with a short and simple tweak tip to free up your RAM memory. All you have to do is follow some simple steps and succeed in freeing up your RAM memory.
1. Open a new Notepad file.
2. Type FreeMem=Space(64000000)
3. Save this file with some name like RAM.vbs; all you have to take care of is to keep the extension as “.vbs”.
4. Close this file and then run it by double-clicking on it.

Use Your Computer Hard Disc As RAM

Everybody knows how costly it is to buy new RAM. So, to get almost equal performance, we can also use some space on our hard disc as virtual memory, which acts as a substitute for RAM. Follow the simple steps below to do so.
1. Right Click on My Computer & go to Properties
2. Click on Advanced Tab & go to Settings in the Performance Section.
3. Select the next “Advanced” Tab on the “Performance Options” window. On the advanced tab, click the “Change” button in the “Virtual memory” section.
4. Comprehend the implications of the virtual memory settings. On the “Virtual Memory” window, the “initial size” is the minimum amount of hard drive space Windows will allocate to virtual memory. The “maximum size” is the largest size to which Windows will allow your virtual memory to grow. If you set this setting too low and Windows requires more virtual memory than the maximum, Windows will likely crash or freeze and you will need to reboot. Thus, you should select (or keep the selection as) “System managed size.” By allowing Windows to manage the virtual memory, Windows will increase and decrease the size of the virtual memory as-needed. It is not recommended under any circumstances to select “No paging file” because this can cause system instability.
5. Choose your virtual memory settings. On the “Virtual Memory” screen, you may modify your virtual memory settings in accordance with Step 4. Once you have made your settings, click the “Set” button. Windows will ask you to reboot. Once you do, your virtual memory settings will be changed.

General Keyboard Shortcuts For Windows

CTRL+C (Copy)

CTRL+X (Cut)

CTRL+Z (Undo)

DELETE (Delete)

SHIFT+DELETE (Delete the selected item permanently without placing the item in the Recycle Bin)

CTRL while dragging an item (Copy the selected item)

CTRL+SHIFT while dragging an item (Create a shortcut to the selected item)

F2 key (Rename the selected item)

CTRL+RIGHT ARROW (Move the insertion point to the beginning of the next word)

CTRL+LEFT ARROW (Move the insertion point to the beginning of the previous word)

CTRL+DOWN ARROW (Move the insertion point to the beginning of the next paragraph)

CTRL+SHIFT with any of the arrow keys (Highlight a block of text)

CTRL+UP ARROW (Move the insertion point to the beginning of the previous paragraph)

SHIFT with any of the arrow keys (Select more than one item in a window or on the desktop, or select text in a document)

CTRL+A (Select all)

F3 key (Search for a file or a folder)

ALT+ENTER (View the properties for the selected item)

ALT+F4 (Close the active item, or quit the active program)

ALT+ENTER (Display the properties of the selected object)

ALT+SPACEBAR (Open the shortcut menu for the active window)

CTRL+F4 (Close the active document in programs that enable you to have multiple documents open simultaneously)

ALT+TAB (Switch between the open items)

ALT+ESC (Cycle through items in the order that they had been opened)

F6 key (Cycle through the screen elements in a window or on the desktop)

F4 key (Display the Address bar list in My Computer or Windows Explorer)

SHIFT+F10 (Display the shortcut menu for the selected item)

ALT+SPACEBAR (Display the System menu for the active window)

CTRL+ESC (Display the Start menu)

ALT+Underlined letter in a menu name (Display the corresponding menu)

Underlined letter in a command name on an open menu (Perform the corresponding command)

F10 key (Activate the menu bar in the active program)

RIGHT ARROW (Open the next menu to the right, or open a submenu)

LEFT ARROW (Open the next menu to the left, or close a submenu)

F5 key (Update the active window)

BACKSPACE (View the folder one level up in My Computer or Windows Explorer)

ESC (Cancel the current task)

SHIFT when you insert a CD-ROM into the CD-ROM drive (Prevent the CD-ROM from automatically playing)

CTRL+SHIFT+ESC (Open Task Manager)

Dialog box keyboard shortcuts

If you press SHIFT+F8 in extended selection list boxes, you enable extended selection mode. In this mode, you can use an arrow key to move a cursor without changing the selection. You can press CTRL+SPACEBAR or SHIFT+SPACEBAR to adjust the selection. To cancel extended selection mode, press SHIFT+F8 again. Extended selection mode cancels itself when you move the focus to another control.

CTRL+TAB (Move forward through the tabs)

CTRL+SHIFT+TAB (Move backward through the tabs)

TAB (Move forward through the options)

SHIFT+TAB (Move backward through the options)

ALT+Underlined letter (Perform the corresponding command or select the corresponding option)

ENTER (Perform the command for the active option or button)

SPACEBAR (Select or clear the check box if the active option is a check box)

Arrow keys (Select a button if the active option is a group of option buttons)

F1 key (Display Help)

F4 key (Display the items in the active list)

BACKSPACE (Open a folder one level up if a folder is selected in the Save As or Open dialog box)

Shortcuts Commands In Run

Calc – Calculator

Cfgwiz32 – ISDN Configuration Wizard

Charmap – Character Map

Chkdsk – Checks a disk and repairs damaged files

Cleanmgr – Cleans up hard drives

Clipbrd – Windows Clipboard viewer

Cmd – Opens a new Command Window (cmd.exe)

Control – Displays Control Panel

Dcomcnfg – DCOM user security

Debug – Assembly language programming tool

Defrag – Defragmentation tool

Drwatson – Records program crashes & snapshots

Dxdiag – DirectX Diagnostic Utility

Explorer – Windows Explorer

Fontview – Graphical font viewer

Ftp – ftp.exe program

Hostname – Returns Computer’s name

Ipconfig – Displays IP configuration for all network adapters

Jview – Microsoft Command-line Loader for Java classes

MMC – Microsoft Management Console

Msconfig – Configuration to edit startup files

Msinfo32 – Microsoft System Information Utility

Nbtstat – Displays stats and current connections using NetBios over TCP/IP

Netstat – Displays all active network connections

Nslookup – Returns your local DNS server

Ping – Sends data to a specified host/IP

Regedit – Registry Editor

Regsvr32 – register/de-register DLL/OCX/ActiveX

Regwiz – Registration wizard

Sfc /scannow – System File Checker

Sndrec32 – Sound Recorder

Sndvol32 – Volume control for soundcard

Sysedit – Edit system startup files (config.sys, autoexec.bat, win.ini, etc.)

Systeminfo – display various system information in text console

Taskmgr – Task manager

Telnet – Telnet program

Taskkill – kill processes using command line interface

Tskill – reduced version of Taskkill from Windows XP Home

Tracert – Traces and displays all paths required to reach an internet host

Winchat – simple chat program for Windows networks

Winipcfg – Displays IP configuration

Disabling Automatic Startup Programs

If you don’t want certain programs or applications to run automatically on startup, there’s an easy way to disable them.
  • Click Start
  • Type msconfig in the search box
  • Click Continue in the User Account Control to continue
  • Click on the Startup Tab
  • Uncheck any boxes in the “Startup Items” that you wish to disable or click the Disable All button (not recommended)
  • Click OK
If you need to re-enable any of the programs, go through the same process and check the boxes of programs you wish to run automatically on startup.
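The same autostart entries the msconfig Startup tab shows can be reviewed from PowerShell, which is useful when you want a record of what was running before you start unchecking boxes. The script below is an added example (not part of the original tip); it assumes PowerShell 3.0 or later, that the function names are this example’s own, and that an entry launched from a Temp or per-user AppData folder is the kind worth a second look. It lists the Run and RunOnce keys for the machine and the current user plus both Startup folders, flags entries launched from user-writable locations, and provides a function that disables a single entry. Unlike the msconfig checkbox, Disable-AutostartEntry removes a registry value outright, so export the key with reg export first if you may want it back.

```powershell
# Added example, not part of the original tip: enumerate and review Windows autostart entries.
# Assumes PowerShell 3.0+; run elevated to see the HKLM entries of all users.
function Get-AutostartEntries {
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    # Properties PowerShell adds to every registry object; they are not autostart values.
    $meta = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($meta -contains $p.Name) { continue }
            [pscustomobject]@{ Source = $key; Name = $p.Name; Command = [string]$p.Value }
        }
    }
    # Startup folders: all users, then the current user.
    foreach ($folder in @([Environment]::GetFolderPath('CommonStartup'), [Environment]::GetFolderPath('Startup'))) {
        if (-not (Test-Path $folder)) { continue }
        foreach ($f in Get-ChildItem -Path $folder -File) {
            [pscustomobject]@{ Source = $folder; Name = $f.Name; Command = $f.FullName }
        }
    }
}

function Test-SuspiciousAutostart {
    param([string]$Command)
    # Legitimate software is normally installed under Program Files or Windows;
    # an autostart launched from Temp or per-user AppData deserves a closer look.
    $Command -match '\\Temp\\|\\AppData\\|\\Local Settings\\'
}

function Disable-AutostartEntry {
    param([string]$Source, [string]$Name)
    if ($Source -like 'HK*') {
        Remove-ItemProperty -Path $Source -Name $Name       # removes the value; export the key first to keep a copy
    } else {
        # Move the shortcut out of the Startup folder instead of deleting it, so it can be restored.
        $backup = Join-Path $env:USERPROFILE 'DisabledStartup'
        New-Item -ItemType Directory -Path $backup -Force | Out-Null
        Move-Item -Path (Join-Path $Source $Name) -Destination $backup
    }
}

# Print a review list: flagged entries first column, then name and command line.
Get-AutostartEntries | ForEach-Object {
    $flag = if (Test-SuspiciousAutostart -Command $_.Command) { 'CHECK' } else { '' }
    '{0,-6}{1,-25}{2}' -f $flag, $_.Name, $_.Command
}
```

To re-enable a registry entry removed this way, re-import the exported key; a shortcut moved to DisabledStartup can simply be moved back into its Startup folder.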

All About SAM Files

What is SAM?

SAM is short for Security Accounts Manager, which is located on the PDC and has information on all user accounts and passwords. Most of the time while the PDC is running, it is being accessed or used.

What do I do with a copy of SAM?
You get passwords. First use a copy of SAMDUMP.EXE to extract the user info out of it. You do not need to import this data into the Registry of your home machine to play with it. You can simply load it up into one of the many applications for cracking passwords, such as L0phtCrack, which is available from: http://www.L0phtCrack.com


Of interest to hackers is the fact that all access control and assorted parameters are located in the Registry. The Registry contains thousands of individual items of data, grouped together into “keys” that hold optional values. These keys are grouped together into subtrees — placing like keys together and making copies of others into separate trees for more convenient system access.

The Registry is divided into four separate subtrees. These subtrees are called

  • HKEY_CLASSES_ROOT
  • HKEY_CURRENT_USER
  • HKEY_LOCAL_MACHINE
  • HKEY_USERS

We’ll go through them from most important to the hacker to least important to the hacker.

First and foremost is the HKEY_LOCAL_MACHINE subtree. It contains five different keys. These keys are as follows:

  • SAM and SECURITY – These keys contain the info such as user rights, user and group info for the domain (or workgroup if there is no domain), and passwords. In the NT hacker game of capture the flag, this is the flag. Bag this and all bets are off.

The keys are binary data only (for security reasons) and are typically not accessible unless you are an Administrator or in the Administrators group. It is easier to copy the data and play with it offline than to work on it directly.

  • HARDWARE – this is a storage database of throw-away data that describes the hardware components of the computer. Device drivers and applications build this database during boot and update it during runtime (although most of the database is updated during the boot process). When the computer is rebooted, the data is built again from scratch. It is not recommended to directly edit this particular database unless you can read hex easily.

There are three subkeys under HARDWARE: the Description key, the DeviceMap key, and the ResourceMap key. The Description key describes each hardware resource, the DeviceMap key has data in it specific to individual groups of drivers, and the ResourceMap key tells which driver goes with which resource.

  • SYSTEM – This key contains basic operating stuff like what happens at startup, what device drivers are loaded, what services are in use, etc. These are split into ControlSets which have unique system configurations (some bootable, some not), with each ControlSet containing service data and OS components for that ControlSet. Ever had to boot from the “Last Known Good” configuration because something got hosed? That is a ControlSet stored here.
  • SOFTWARE – This key has info on software loaded locally. File associations, OLE info, and some miscellaneous configuration data is located here.

The second most important main key is HKEY_USERS. It contains a subkey for each local user who accesses the system, either locally or remotely. If the machine is part of a domain and the user logs in across the network, their subkey is not stored here but on a Domain Controller. Things such as Desktop settings and user profiles are stored here.

The third and fourth main keys, HKEY_CURRENT_USER and HKEY_CLASSES_ROOT, contain copies of portions of HKEY_USERS and HKEY_LOCAL_MACHINE respectively. HKEY_CURRENT_USER contains exactly what you would expect: a copy of the subkey from HKEY_USERS for the currently logged in user. HKEY_CLASSES_ROOT contains a part of HKEY_LOCAL_MACHINE, specifically from the SOFTWARE subkey: file associations, OLE configuration and dependency information.
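The layout described above can be checked on a live system from the defender’s side: which of the five HKEY_LOCAL_MACHINE keys the current account can open, whether anyone other than SYSTEM and the Administrators group holds rights on the SAM and SECURITY keys, and which HKEY_USERS subkey HKEY_CURRENT_USER is a view of. The script below is an added example, not part of the original text; it assumes it is run elevated (the ACL on SAM and SECURITY cannot be read otherwise), and the function names and the list of expected identities are this example’s own. A third identity showing up on SAM or SECURITY, or those keys being readable by a non-administrative account, is exactly the kind of change the text’s “capture the flag” remark should make you look for.

```powershell
# Added example, not part of the original text: inspect the HKEY_LOCAL_MACHINE layout and the
# access control on the SAM and SECURITY keys. Assumes an elevated PowerShell session.
function Get-HklmLayout {
    # The five keys under HKEY_LOCAL_MACHINE, and whether this account can open each one for reading.
    # Even an Administrator normally cannot open SAM or SECURITY; only SYSTEM holds read access.
    foreach ($name in @('HARDWARE', 'SAM', 'SECURITY', 'SOFTWARE', 'SYSTEM')) {
        $readable = $false
        try {
            $k = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($name)
            if ($k) { $readable = $true; $k.Close() }
        } catch [System.Security.SecurityException] {
            $readable = $false
        }
        [pscustomobject]@{ Key = "HKLM\$name"; Readable = $readable }
    }
}

function Test-SamAcl {
    # Report every identity holding rights on HKLM\SAM and HKLM\SECURITY and whether it is one
    # of the two expected ones. Expected list is this example's assumption of a stock install.
    $expected = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
    foreach ($key in @('HKLM:\SAM', 'HKLM:\SECURITY')) {
        try {
            $acl = Get-Acl -Path $key
        } catch {
            Write-Warning "Cannot read ACL of $key (run elevated): $($_.Exception.Message)"
            continue
        }
        foreach ($ace in $acl.Access) {
            $who = $ace.IdentityReference.Value
            [pscustomobject]@{
                Key      = $key
                Identity = $who
                Rights   = $ace.RegistryRights
                Type     = $ace.AccessControlType
                Expected = ($expected -contains $who)
            }
        }
    }
}

function Get-CurrentUserHive {
    # HKEY_CURRENT_USER is the calling user's own subkey of HKEY_USERS, named by the user's SID.
    $sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    [pscustomobject]@{
        SID     = $sid
        HkuPath = "HKU\$sid"
        Exists  = (Test-Path "Registry::HKEY_USERS\$sid")
    }
}

Get-HklmLayout | Format-Table -AutoSize
Test-SamAcl | Format-Table -AutoSize
Test-SamAcl | Where-Object { -not $_.Expected } | ForEach-Object {
    Write-Warning ("Unexpected identity on {0}: {1} ({2})" -f $_.Key, $_.Identity, $_.Rights)
}
Get-CurrentUserHive
```

On a stock installation Get-HklmLayout reports SAM and SECURITY as not readable even in an elevated session, while Test-SamAcl still lists their ACLs, since reading permissions is a separate right from reading the keys’ contents.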