Five Tips For Removing Viruses & Spyware

It’s inevitable that clients will infect workstations, PCs, and laptops with spyware and viruses. Regardless of preventive steps, from gateway protection to automated scans to written Internet use policies, malware threats sneak through even layered defenses. What makes the situation worse is that many clients aren’t willing to invest in standalone anti-spyware software, even though they understand the need for minimal antivirus protection.

Some IT professionals advocate simply wiping systems and reinstalling Windows, while others suggest that’s akin to giving up and letting the bad guys win. The truth lies somewhere in between. After making an image copy of the drive (it’s always best to have a fallback option when battling malicious infections), here are the measures I find most effective.

1: Isolate the drive

Many rootkit and Trojan threats are masters of disguise that hide from the operating system as soon as or before Windows starts. I find that even the best antivirus and antispyware tools — including AVG Anti-Virus Professional, Malwarebytes Anti-Malware, and SuperAntiSpyware — sometimes struggle to remove such entrenched infections.

You need systems dedicated to removal. Pull the hard disk from the offending system, slave it to the dedicated test machine, and run multiple virus and spyware scans against the entire slaved drive.

2: Remove temporary files

While the drive is still slaved, browse to all users’ temporary files. These are typically found within the C:\Documents and Settings\Username\Local Settings\Temp directory within Windows XP or the C:\Users\Username\App Data\Local\Temp folder within Windows Vista.

Delete everything within the temporary folders. Many threats hide there seeking to regenerate upon system startup. With the drive still slaved, it’s much easier to eliminate these offending files.

3: Return the drive and repeat those scans

Once you run a complete antivirus scan and execute two full antispyware scans using two current, recently updated and different anti-spyware applications (removing all found infections), return the hard disk to the system. Then, run the same scans again.

Despite the scans and previous sanitization, you may be surprised at the number of remaining active infections the anti-malware applications subsequently find and remove. Only by performing these additional native scans can you be sure you’ve done what you can to locate and remove known threats.

4: Test the system

When you finish the previous three steps, it’s tempting to think a system is good to go. Don’t make that mistake. Boot it up, open the Web browser, and immediately delete all offline files and cookies. Next, go to the Internet Explorer Connection settings (Tools | Internet Options and select the Connections tab within Internet Explorer) to confirm that a malicious program didn’t change a system’s default proxy or LAN connection settings. Correct any issues you find and ensure settings match those required on your network or the client’s network.

Then, visit 12 to 15 random sites. Look for any anomalies, including the obvious popup windows, redirected Web searches, hijacked home pages, and similar frustrations. Don’t consider the machine cleaned until you can open Google, Yahoo, and other search engines and complete searches on a string of a half-dozen terms. Be sure to test the system’s ability to reach popular anti-malware Web sites, such as AVG, Symantec, and Malwarebytes.

5: Dig deeper on remaining infections

If any infection remnants persist, such as redirected searches or blocked access to specific Web sites, try determining the filename for the active process causing the trouble. Trend Micro’s HijackThis, Microsoft’s Process Explorer, and Windows’ native Microsoft System Configuration Utility (Start | Run and type msconfig) are excellent utilities for helping locate offending processes. If necessary, search the registry for an offending executable and remove all incidents. Then, reboot the system and try again.

If a system still proves corrupt or unusable, it’s time to begin thinking about a reinstall. If an infection persists after all these steps, you’re likely in a losing battle.

Other strategies

Some IT consultants swear by fancier tricks than what I’ve outlined above. I’ve investigated KNOPPIX as one alternative. And I’ve had a few occasions in the field where I’ve slaved infected Windows drives to my Macintosh laptop to delete particularly obstinate files in the absence of a boot disk. Other technicians recommend leveraging such tools as Reimage, although I’ve experienced difficulty getting the utility to even recognize common NICs, without which the automated repair tool can’t work.

All About SAM Files

What is SAM?

SAM is short for Security Accounts Manager, which is located on the PDC and has information on all user accounts and passwords. Most of the time while the PDC is running, it is being accessed or used.

What do I do with a copy of SAM?

You get passwords. First use a copy of SAMDUMP.EXE to extract the user info out of it. You do not need to import this data into the Registry of your home machine to play with it. You can simply load it up into one of the many applications for cracking passwords, such as L0phtCrack, which is available from:

Of interest to hackers is the fact that all access control and assorted parameters are located in the Registry. The Registry contains thousands of individual items of data, and is grouped together into “keys” or some type of optional value. These keys are grouped together into subtrees — placing like keys together and making copies of others into separate trees for more convenient system access.

The Registry is divided into four separate subtrees. These subtrees are called


We’ll go through them from most important to the hacker to least important to the hacker.

First and foremost is the HKEY_LOCAL_MACHINE subtree. It contains five different keys. These keys are as follows:

  • SAM and SECURITY – These keys contain the info such as user rights, user and group info for the domain (or workgroup if there is no domain), and passwords. In the NT hacker game of capture the flag, this is the flag. Bag this and all bets are off.

The keys are binary data only (for security reasons) and are typically not accessible unless you are an Administrator or in the Administrators group. It is easier to copy the data and play with it offline than to work on directly.

  • HARDWARE – this is a storage database of throw-away data that describes the hardware components of the computer. Device drivers and applications build this database during boot and update it during runtime (although most of the database is updated during the boot process). When the computer is rebooted, the data is built again from scratch. It is not recommended to directly edit this particular database unless you can read hex easily.

There are three subkeys under HARDWARE, these are the Description key, the DeviceMap key, and the ResourceMap key. The Description key has describes each hardware resource, the DeviceMap key has data in it specific to individual groups of drivers, and the ResourceMap key tells which driver goes with which resource.

  • SYSTEM – This key contains basic operating stuff like what happens at startup, what device drivers are loaded, what services are in use, etc. These are split into ControlSets which have unique system configurations (some bootable, some not), with each ControlSet containing service data and OS components for that ControlSet. Ever had to boot from the “Last Known Good” configuration because something got hosed? That is a ControlSet stored here.
  • SOFTWARE – This key has info on software loaded locally. File associations, OLE info, and some miscellaneous configuration data is located here.

The second most important main key is HKEY_USERS. It contains a subkey for each local user who accesses the system, either locally or remotely. If the server is a part of a domain and logs in across the network, their subkey is not stored here, but on a Domain Controller. Things such as Desktop settings and user profiles are stored here.

The third and fourth main keys, HKEY_CURRENT_USER and HKEY_CLASSES_ROOT, contain copies of portions of HKEY_USERS and HKEY_LOCAL_MACHINE respectively. HKEY_CURRENT_USER contains exactly would you would expect a copy of the subkey from HKEY_USERS of the currently logged in user. HKEY_CLASSES_ROOT contains a part of HKEY_LOCAL_MACHINE, specifically from the SOFTWARE subkey. File associations, OLE configuration and dependency information.

All Windows Games’ Cheats

Use Your Computer As An Alarm

Now this is specially for the ones who are too lazy to get up even when the trust cellphone dies screeching its lungs out. Its pretty simple Creating the playlist create a playlist of your favourite songs in Winamp, WMP or any other player. Export the playlist as a M3U playlist. M3U is generally accepted by almost every player. Triggering the alarm point to start> programs >accessories > system tools >scheduled tasks Create a new task and choose program as windows media player or winamp (May work with others too but I haven’t tried anything else) Choose “daily”, Enter the time and choose “every day” at next screen. It would now ask for password (leave blank in case you don’t have one) Right click on the newly created task and check the “run only if logged in” check box. In the properties. Append the path to the playlist you created in the “run” text box. It should now look like Code:
“D:\windows mediaplayer\wmplayer.exe”K:\Playlists\smoothies.m3uthe text inside quotes is my WMP’s path. It may vary for you. The text after WMP’s path is the one to the playlist. Click OK and you’re done.

Increasing Internet Band-Width By 20%

Microsoft reserves 20% of your available bandwidth for their own purposes like Windows Updates and interrogating your PC etc. Click Start then Run and type gpedit.msc. This opens the group policy editor. Then go to: Local Computer Policy–>Computer Configuration–>Administrative Templates–>Network–>QoS Packet Scheduler and then to LimitReservableBandwidth. Double click on Limit Reservable bandwidth. It will say it is not configured, but the truth is under the ‘Explain‘ tab i.e.”By default, the Packet Scheduler limits the system to 20 percent of the bandwidth of a connection, but you can use this setting to override the default.” So the trick is to ENABLE reservable bandwidth, then set it to ZERO. This will allow the system to reserve nothing, rather than the default 20%.It works on Windows 2000 and XP as well.