General Computer Information

Hardware Troubleshooting

Backing Up

Floppy disks - Is anyone still even using these?! Floppies are the worst media you could choose.  They are fragile and the data is easily corrupted (leaving a floppy next to a monitor for any length of time can destroy all the data).  Also, sometimes floppies used in old drives can only be read on those drives, which defeats the purpose.  A floppy disk holds 1.44 megabytes (MB) of data, which is nothing in today's world of big files and cheap storage. Modern computers don't even come standard with a floppy drive any more. If you find you need one, you can always buy an external USB floppy drive.

Zip and Jaz-Type Drives - In the "is anyone still even using these?!" category. To overcome the size limitations of floppies,  Iomega created the Zip Drive.. Zip disks hold either 100, 250, or 750 MB of data.  Jaz disks hold up to 2 Gigabytes (GB). A Zip Drive can be internal or external. Transferring data to a Zip disk is slow, and the disks are expensive. Now that CD/DVD-RW drives are inexpensive and universally available and external hard drives are dirt cheap for the amount of storage you get, the Zip Drive is obsolete. I haven't seen a Zip Drive in use for years and the last time I did, the client was replacing it.

CD-RW Drives - CD burners are cheap and single-purpose (CD-RW-only) drives are obsolete.  A CD disk can hold 650-800 MB of data.  CD-RW disks can be erased and rewritten, but are not always reliable because they can't be read on all drives.  With CD-R disks so inexpensive, they are a good choice for backup unless your data files are very large; then get a DVD burner (see next item).

External hard drives- USB or firewire-connected external hard drives are relatively inexpensive. I recommend them to everyone as a great backup solution combined with regularly burning CD/DVDs. I back up to an external hard drive frequently during the day using Time Machine in Mac OS X and once a month I burn DVDs and put them in a safe place. I like the same strategy on Windows using either Second Copy or Acronis True Image. Second Copy does just what it says: it copies whatever files you choose to wherever you choose when you choose. I like it because it is inexpensive, scalable, easy to use, and doesn't put the backed up data into a proprietary format. Acronis True Image can clone drives, image partitions, and do incremental backups.

Seagate has created a backup appliance called "Replica" that is an external hard drive with a specially-licensed version of Acronis True Image running on it. I haven't tried Replica but it looks like an interesting all-in-one solution for people using Windows operating systems who don't want to set up True Image and an external hard drive themselves.

USB thumb drives - These little drives are great, but remember that they can break, the data can become corrupted, or they can be easily lost. They are wonderful devices and very inexpensive now, but not a permanent backup solution.

Network-Attached Storage (NAS) - These devices are hard drives running an operating system - usually Linux - that is transparent to the end user. The NAS device connects directly to your network by ethernet so is available to all computers on your Local Area Network (LAN). The cost of NAS devices has decreased radically so they are an excellent choice for small businesses and large home LAN's. Apple's Time Capsule is in this category. I would still back up the data to DVD in addition to the NAS because I like a layered backup strategy Just To Be Sure.

Off-site Backup - There are companies which provide off-site backups by hosting your files on their servers. Normally you will run a small client program on your computer that will upload your data files to the company's server over the Internet (in the "cloud"). Two of the best-known are Mozy and Carbonite. I have several clients who use Mozy and are very happy with them. Being the rather obsessive person I am about backups, even if you use an off-site backup service I would still want data backed up locally to an external hard drive. You know yourself best - if you know you won't take the time to burn DVDs or there is just too much data to make this practical - then use an off-site backup service. The cost is usually based on whether you are a home or business user and by the amount of data you have, but prices are very reasonable.

No matter how you do it, back up your data often.  Although Elephant Boy Computers cannot take responsibility for your data backups, we are happy to set up a backup solution for you and provide training.

What to do if you didn't back up

Let's face it, sometimes disaster strikes and you didn't back up your data. A lot of the data recovery success (and cost of the process) depends on what caused the disaster. If your computer is infected with a virus that hasn't destroyed all data, there are various methods that Elephant Boy Computers can use to recover the data before reinstalling Windows. Please note that data recovery is time-consuming and therefore not cheap. Even if we are able to recover data, we cannot warrant that all of the data you need will be recovered. We will do our best, which is a lot better than that Very Big Computer Store will do for you (they will normally not attempt to save your data, but simply reinstall Windows); however, we do not take responsibility for your data. There's no sweet way to say this: you should have made backups.

If the hard drive is unbootable or too badly corrupted and the data on it is important, then all is still not lost. The data recovery wizards at DriveSavers can perform what certainly look like miracles. If you are an Elephant Boy Computers client and we are not able to help you, if you decide to use DriveSavers you are eligible for a discount. Data recovery from a company like DriveSavers is not inexpensive, but in our admittedly awed opinion completely worth it if your data is vital. It is my understanding that some insurance companies will now cover data recovery expenses so check with yours.

Back to top
Home

Reinstalling Windows

Maintenance

Basic Security

Viruses/Malware

Back to top
Home  

Warning to my fellow computer techs about Prism Pointe Technologies

Removing Malware

A. Preliminary Preparation

1. Before anything else, take the machine into Safe Mode. To get to Safe Mode, repeatedly tap the F8 key as your computer is starting up. This will get you to the correct menu where you can choose "Safe Mode". Use your Arrow keys to navigate; the mouse will not work here. After you've cleaned up your computer, simply allow the machine to boot normally and it will go into Regular Mode.

Since you will be scanning in Safe Mode with no Internet access, this means that you should get any tools and updates from a different, known-clean computer which has Internet access. Either use that computer's CD/DVD-RW drive to burn the files you get onto a CD-R or transfer the files using a USB thumbdrive with enough capacity to do the job. If you don't have another computer, then get what you need from a friend's computer or take the machine to a professional.

I do not suggest using online virus scanners because viruses and malware will be active in Regular Mode and while the machine is on the Internet. A computer infected with one of the many trojans that spews spam and/or virus-laden emails or malware that downloads even more bad stuff to the infested machine has no business being on the Internet.

Note: There are a few exceptions to this. If you scan with Multi-AV as suggested below, you will need to start out by updating its modules in Regular Mode. In addition, the Malwarebytes people and other malware removal experts suggest that the first scan with MBAM be the Quick Scan done in Regular Mode. I will usually do another full scan with MBAM in Safe Mode after the initial Quick Scan in Regular Mode.

2. Disconnect any suspect computers from all networks. This means disconnecting from the Internet and your Local Area Network (LAN) if you have one. If you have multiple computers on a network and one computer was infected with a network-aware worm, you will need to clean all computers on that network before connecting the LAN again. If you connect your nice, clean computer to a LAN with infected machines, it will just get infected all over again. Trust me on this. Yes, this is a lot of work but if you try and cut corners you'll wind up spending even more time on the job.

3. Make sure you are able to see all hidden files and extensions (View tab in Folder Options). In XP, Vista, and Windows 7 there are four checkboxes to deal with:

a. Check "Display the contents of system folders".
b. Check "Show hidden files and folders".
c. Uncheck "Hide extensions for known file types".
d. Uncheck "Hide protected operating system files" and click "OK" to the dialog box.

4. Delete all Temporary and Temporary Internet Files, uninstall older versions of Java (removing all Java files/folders).

a. For Internet Explorer's Temporary Files, go to Control Panel>Internet Options>General tab. You'll see where you can delete cookies and files.
b. For Firefox, clear its cache by going to Tools>Options>Privacy>Cache> Clear.
c. For Windows Temporary files, run the Disk Cleanup. In XP you can find the shortcut for Disk Cleanup in your Start Menu under Programs>Accessories>System Tools>Disk Cleanup. In Vista and Windows 7, just type "Disk Cleanup" without the quotes into the Start Orb>Search box.
d. To clear Sun Java's cache, Start>Settings>Control Panel>Java applet>Cache>Clear or follow the same path to the Java applet and then to General>Settings>Delete files. You should also make sure that you have the latest version of Java. Uninstall all older versions and get the latest version from the Java website here: http://www.java.com/en/download/index.jsp

A very good utility for cleaning things out is CCleaner. CCleaner is a powerful tool and I strongly urge you not to use the more advanced tools unless you totally know what you're doing. I never use the registry cleaner portion of this utility and I do know what I'm doing! If you don't know how to work in the registry by hand, you shouldn't be playing in there.

5. Uninstall any known malware from Add/Remove Programs (XP) or Programs and Features (Vista, Win7) if there is an entry for it. This usually will do no good (the Bad Guys commonly lie about the effectiveness of their uninstaller), but nevertheless you can try it. A lot of malware will attempt to open your browser during the "uninstall" process - often to download more garbage - but since you are in Safe Mode and can't connect to the Internet, just close out of the browser and move onto the rest of the cleanup.

B. Scanning for viruses

D. Recap of what you will need to have on-hand before you start the cleanup process

1. LSPFix or WinSockFix for XP - see links - in case the malware removal breaks your Internet connectivity. If you have XP SP2, you don't need either program since you can repair the connection from the commandline:

Start>Run>cmd [enter]
netsh winsock reset catalog [enter]

1a. To repair or reset Winsock in Vista/Win7:

a. Start Orb>Search box>type: cmd.exe.
b. When cmd.exe appears in the Results above, right-click it and choose "Run as administrator". Supply authentication in answer to UAC prompts and you'll get the command prompt box. At the command prompt, type:
netsh winsock reset [enter]

When the command is completed successfully, a confirmation appears followed by a new command prompt. Type:
exit [enter]

2. Sysclean or Multi-AV
3. Full-featured antivirus with updates downloaded separately for manual update
4. MBAM
5. SuperAntiSpyware
6. HijackThis
7. Possibly Process Explorer and Killbox. The free Autoruns program is excellent to have, too.

E. After the machine is clean

G. Links to help with malware
 
 Software/Methods:

http://www.malwarebytes.org/index.php - MalwareBytes
http://www.superantispyware.com/ - SuperAntiSpyware
http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download - HijackThis
http://www.cexx.org/lspfix.htm - Repair Winsock 2 settings after removing spyware
http://www.spychecker.com/program/winsockxpfix.html - WinsockXPFix.exe
 
 HijackThis:

General:
http://aumha.net - look under "Security" for various forums
http://mvps.org/winhelp2002/unwanted.htm
Bleeping Computer removal how-to's - http://www.bleepingcomputer.com/forums/forum55.html
Malwarebytes malware removal guides - http://tinyurl.com/5xrpft

Back to Removing Malware
Back to top
Home

TrendMicro's Sysclean

TrendMicro's Sysclean is an extensive antivirus tool which has the advantage of not needing to be installed. It requires two parts - the scanning engine and the virus pattern files. Delete all Temporary and Temporary Internet Files before running the program.

1. Create a new folder on your Desktop or the C: drive named something useful like "Sysclean".
2. Go here and download the two parts of the program to that folder:

http://www.trendmicro.com/download/dcs.asp - Sysclean
http://www.trendmicro.com/download/pattern.asp - virus pattern files

The pattern files will be zipped - extract them with your unzipper (like WinZip) or if you have XP, you can just open the folder. You need to put the extracted files in the Sysclean folder you made. For a more automated way to get Sysclean, use Dave Lipman's Sysclean_FE from http://www.ik-cs.com/got-a-virus.htm .

3. Restart your computer in Safe Mode. Get into Safe Mode by repeatedly tapping the F8 key as the computer is starting up to get to the proper menu.
4. Go to the Sysclean folder you made and double-click on sysclean.com. Start the scan. After the scan is finished, look at the log. You may need to make a note of where any viruses were found if they were not able to be removed so you can manually delete them.

David Lipman's Multi-AV

If you are using Vista or Windows 7, you must run elevated. The download link is here:

and some additional instructions are here:

http://www.raymond.cc/blog/archives/2008/01/09/scan-your-computer-with-multiple-anti-virus-for-free/

Execute: Multi_AV.exe (Note: You must use the default folder C:\AV-CLS)

Choose: Unzip
Choose: Close

Execute: C:\AV-CLS\StartMenu.BAT  (or double-click on "Start Menu" in C:\AV-CLS)

This will bring up the initial menu* of choices and should be executed in Regular Mode first. This way all the components can be downloaded from each respective AV vendor’s web site. The menu choices are Sophos, Trend, Kaspersky, McAfee. Exit the menu and reboot the PC.

*When the menu is displayed hitting ‘H’ or ‘h’ will bring up a PDF help file.

The package includes three additional DOS BAT files: C:\AV-CLS\DOSCLEAN.BAT; C:\AV-CLS\KAVCLEAN.BAT; and C:\AV-CLS\SOFCLEAN.BAT. They are for use on a Win9x/ME PC or on a Win2K/WinXP PC that is using FAT32 after you have booted from an Emergency Boot Disk (EBD) or DOS disk and have already executed C:\AV-CLS\StartMenu.BAT and selected McAfee and or Sophos from the menu. These batch files will execute their respective DOS CLS. If needed, DOS disk boot images can be obtained from http://www.bootdisk.com/bootdisk.htm

If you are on a NT4, Win2K, WinXP or Win2003 Server that is using NTFS partitions, you can obtain a free, personal copy of NTFS4DOS and create a NTFS compliant DOS boot disk from http://www.datapol-technologies.com/dpe/freeware/index.html

After you boot from the DOS Boot Disk you would execute;

C:\AV-CLS\DOSCLEAN.BAT -- for the McAfee DOS Command Line Scanner
C:\AV-CLS\SOFCLEAN.BAT -- For the Sophos DOS Command Line Scanner
C:\AV-CLS\KAVCLEAN.BAT -- For the Kaspersky DOS Command Line Scanner

You can choose to go to each menu item and just download the needed files or you can download the files and perform a scan in Normal Mode. Once you have downloaded the files needed for each scanner you want to use, you should reboot the PC into Safe Mode (F8 key during boot) and re-run the menu again and choose which scanner you want to run in Safe Mode. In each scanning module you will be prompted if you want to scan at that moment or not; if you choose to perform a scan, the McAfee and Sophos modules will prompt you if you want to scan a specific folder or location. The Trend Sysclean module uses the Sysclean GUI which also provides the ability to scan a selected folder or location. So with this utility one has the ability to scan in Normal Mode, Safe Mode, a selected folder or location and to scan FAT32 and NTFS partitions after booting from a DOS Boot Disk. The application and usage will depend upon the needs to disinfect the system. To improve the efficacy of the scanning process, it is suggested that you also read the following information:

"How to perform a clean boot in Windows XP" - http://support.microsoft.com/kb/310353

To start the use of the Multi AV scanning front end:

Execute: C:\AV-CLS\StartMenu.BAT (or Double-click on 'Start Menu' in C:\AV-CLS)

NOTE: You may have to disable your software firewall or allow WGET.EXE to go through your firewall to allow it to download the needed AV vendor-related files.

Each Command Line Scanner (CLS) will create a log of what has been done.

Sophos - The files for the Sophos CLS are located in C:\AV-CLS\Sophos and the log file is called C:\AV-CLS\Sophos\ScanReport.TXT. At the end of the scan, it will be displayed in in your text editor, NOTEPAD.EXE.

Kaspersky - The files for the Kaspersky CLS are located in C:\AV-CLS\KAV and the log file is called C:\AV-CLS\KAV\ScanReport.TXT. At the end of the scan, it will be displayed in in your text editor, NOTEPAD.EXE.

Trend - The files for the Trend Sysclean CLS are located in C:\AV-CLS\Trend and the log file is called C:\AV-CLS\Trend\Sysclean.log. At the end of the scan, and when you close Sysclean, it will be displayed in in your text editor, NOTEPAD.EXE.

McAfee - The files for the McAfee CLS are located in C:\AV-CLS\McAfee and the log file is called C:\AV-CLS\McAfee\ScanReport.HTML. At the end of the scan, it will be displayed in your browser (Opera, FireFox or Internet Explorer).

It is suggested that you move each repective report out of the vendor’s folder (C:\AV-CLS\<AV vendor>) or save a new copy of the report before performing another scan. It would be good practice to scan in both Safe Mode and in Normal Mode and to save a copy of the report representing each session for comparison of the results.

Process Killer - Included in the C:\AV-CLS folder is a file called killproc.txt which is used to shutdown or kill running processes prior to scanning the platform. There are two processes already in the text file. Iexplore.exe (Internet Explorer) and firefox.exe (FireFox).



The objective would be to add any more names in the text file, making sure the last line is a blank line. For example if the following files needed to be shutdown - mszx23.exe , w32tm.exe , Tibs3.exe and rundll32.exe



They would be appended to the list in killproc.txt - again, make sure that the last line of the text file is a blank line. Then prior to scanning the platform, all of the processes listed in the text file will be shutdown (killed).

Further notes:

1. If a hosts file is found by this utility, it will be renamed from "hosts" to "hosts.bak" since malware has a tendency to modify the hosts file to block access to antivirus vendor web sites and thus possibly blocking the ability to download the needed Sophos, Trend Micro or McAfee files.

2. The directory C:\AV-CLS is hard coded and should not be changed.

3. Due to the fact that malware corrupts AUTOEXEC.NT and CONFIG.NT, these files will be renamed to have the .BAK extension and the OS default files restored. This will help to make sure that other software will run correctly and without errors when using those files.

4. You may have to disable your software firewall or allow WGET.EXE to go through your firewall to allow it to download the needed AV vendor related files.

5. On Win9x/ME platforms a backup of WIN.INI and SYSTEM.INI will be made (with the BAK extension) and both will be examined such that the SYSTEM.INI SHELL= statement is set to shell=explorer.exe and the WIN.INI LOAD= and RUN= statements are set to null. If the SHELL= line is other than shell=explorer.exe, it will be set to shell=explorer.exe and if the LOAD= and/or RUN= lines are not set to null then they will be set to null since these are vectors for loading malware.

6. If you run the McAfee CLS from a DOS boot disk or from a DOS boot disk with NTFS4DOS, the HTML log file will be truncated to conform to the DOS 8.3 naming convention and the resultant file will be called; C:\AV-CLS\McAfee\ScanRepo.HTM.

7. If you run the Sophos CLS from a DOS boot disk or from a DOS boot disk with NTFS4DOS, the log file will conform to the DOS 8.3 naming convention and the log file will be called C:\AV-CLS\Sophos\AVReport.txt.

8. If you run the Kaspersky CLS from a DOS boot disk or from a DOS boot disk with NTFS4DOS, the log file will conform to the DOS 8.3 naming convention and the log file will be called C:\AV-CLS\KAV\AVReport.txt.

9.  Continued use of the respective AV scanners will keep them current since they will download the most recent signature and engine files for you.

Getting Tech Support

Back to top
Home   EBC Reports   Extras   Links