Here's a list of typical virus files....

Discussion in 'Software' started by dlb, Oct 16, 2008.

  1. dlb

    dlb MajorGeek

    I was recently doing a virus/malware clean up on a dude's PC. It was so messed up, so infected with malware, that it wouldn't even completely load to the desktop due to being overrun with viruses. So, I booted to a LiveCD (the UBCD4Win to be exact) and manually started deleting files from his hard drive. NOTE: deleting files in this manner is NOT for the novice or inexperienced PC user!! You can do some SERIOUS damage to the system files by deleting the wrong things!! I do NOT recommend this course of action to anyone who doesn't have years of virus removing experience!! Anyway- I'm looking through the system32 folder and primarily looking for files with 2008 in the date, and generally from the past month or so as a starting point. When I find the first obvious virus file, I look at the date. It's a pretty safe bet that any other file with that date is also malware. So, long story short, the screen shot is the files I removed from the hard drive while in the UBCD4Win environment. I then rebooted, and Windows loaded to the desktop, and I was able to run scans and finish the clean up...

    Here's the screen shot:

    http://img159.imageshack.us/img159/9599/viruslistyt6.jpg

    The items in the red boxes are the launchers (.exe files) and the screen savers/wallpapers (.scr and .bmp) for the infamous desktop hijacker where the screen is blue with yellow and white letters "Your PC is infected with spyware...", and WinAntivirus XP 2009. As you'll probably notice, many modern malware/virus files are a random string of 8 characters. This is a dead giveaway for virus files. If you see files similar to those posted above, and you're unsure if it's legitimate, you can do several things to find out: Google it; if it comes back with nothing, as in zero results, or a bunch of spyware references, then you'll know. Or, right click the file and look at the properties, or pause the mouse pointer on the file. Legitimate files will provide the creator's name (usually Microsoft) and a date. If the file is less than a month or two old, there's a good chance it's malware.

    >>> This is in NO WAY meant to be a guide for cleaning malware!!! I posted this as a point of interest, and so the less experienced could see what typical virus/malware files look like. That's it. I accept no responsibility for the actions of the end user. If someone royally messes up their PC by trying to use this post as some type of guide, well, too bad. THIS IS NOT A GUIDE!!!

    [dlb]

    (yes- all those files were on a single PC and were removed by manually looking through the system files on the hard drive while in a 'live' CD (PE) environment; additional scans were required to completely clean the system)
     
    Last edited: Oct 16, 2008
  2. dromano

    dromano Staff Sergeant

    Hi dlb,
    Where can I find more information on this, like how to define a virus, what is safe to remove in the system32 folder, and registry cleaning? I find it amazing that someone like you can go in and know what is safe to remove and what is not! Is there someplace you can send me to learn a little about these procedures?

    Thanks in advance,

    Dan
     
  3. bigbazza

    bigbazza R.I.P. 14/12/2011 - Good Onya Geek

    Here's more details on the program that dlb mentioned (UBCD4Win) in his post.

    Check out UBCD4Win at http://www.majorgeeks.com/UBCD4Win_d5710.html

    My note: Almost perfect rating by MG members. Don't try this download on dialup. :-D Get a friend with fast Broadband to download it for you.

    Bazza
     
  4. dromano

    dromano Staff Sergeant

    Wow bigbazza,
    That is a big program so I will say many thanks now. My connection is pretty good but that's still going to take a while.

    Thanks again,

    Dan
     
  5. bigbazza

    bigbazza R.I.P. 14/12/2011 - Good Onya Geek

    You're welcome, dromano. :major I'll download it as part of my off-peak quota. Damn daylight savings time. I've lost an hour off my usual morning logon time. :cry :(

    Bazza

    ===

     
  6. augiedoggie

    augiedoggie The Canadian Loon - LocoAugie (R.I.P. 2012)

    Interesting post there dlb, I will grab n' burn that sucker right now. :)

    EDIT: Oh, it's based on bartPE. I've got that lying around somewhere, I obviously need a recent copy.
     
  7. dromano

    dromano Staff Sergeant

    Hi,
    I have downloaded http://www.majorgeeks.com/UBCD4Win_d5710.html
    When I try to run the install I receive this:
    corrupted files popup, click ignore (not recommended), retry or cancel
    C:UBCD4Win\plugin\AntiSpyware\Spybot\files\TeaTimer.exe
    Tools.dll
    unins000.dat
    unins000.exe

    unins000.msg
    update.exe
    YUGZUWYBBRCYOTUIYX.SCR
    As you can see it seems that all of the spybot files are corrupted.

    This is the second time I have downloaded it. The first time I uninstalled it and tried again but I am getting the same results.

    Would someone please advise me on what to do to get this program going.

    Thanks in advance,

    Dan
     
  8. dlb

    dlb MajorGeek

    Your best bet is to visit the UBCD4Win web site. They have full support forums, FAQs, and all that good stuff: www.ubcd4win.com

    I know how to do this through years of experience in having to manually remove viruses. After a while, I got to where I can pretty much just look at a file and know if it's legit or an infected file. If I'm in doubt, there's several things I can do: check the file's properties (right click; Properties), I can Google the file name, and I can check the date. When manually removing virus files, I usually notice a pattern in the infection dates. For example, let's say I find 3 or 4 infected files dated July 14 2008. Then I'll notice that on July 15-18 2008 there will be many more infected files being created. This is because the first bits of malware that got in on the 14th are now inviting all their friends to come in and party, and they are multiplying and spreading through the system32 folder, trying to get a more secure foothold to be more difficult to remove. In the case listed in my first post, the PC was so infected that Windows didn't even load to a desktop, but everything else worked (the sound, the internet connection) and this is what many viruses try to accomplish: cripple the machine for the user, but make it a happy safe place for malware with functioning web access.... anyway..... the only way to learn this stuff (IMHO) is through years of trial and error, years of recognizing and removing viruses..... like I said in the first post, virus files are commonly named with a random string of 6, 7, or 8 characters, and they will almost always be less than 1 month old....

    Again- NONE of this is meant to be any type of guide! The inexperienced can really cause some big time damage by removing the wrong files....

    [dlb]
     
    Last edited: Oct 17, 2008
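An added example, not code from dlb or anyone else in this thread, that turns the checks described in posts 1 and 8 (random-looking 6-8 letter file names, no publisher in the file properties, a modification date within the last month or two, and dates that cluster after the first drop) into a small triage script. It runs over a constructed system32 listing with invented file names; the entropy and vowel thresholds are assumptions chosen for this example.

```python
import math
from collections import Counter, defaultdict
from datetime import date

# Constructed system32 listing: (name, modified date, publisher). Invented names, not real IoCs.
SAMPLE_LISTING = [
    ("ntoskrnl.exe", date(2008, 4, 14), "Microsoft Corporation"),
    ("mshtml.dll", date(2008, 7, 16), "Microsoft Corporation"),
    ("qmfjzkxw.exe", date(2008, 7, 14), ""),
    ("xpzvkqrt.dll", date(2008, 7, 14), ""),
    ("bwutkzqa.scr", date(2008, 7, 15), ""),
    ("gtkjwqpz.exe", date(2008, 7, 16), ""),
    ("lhbzqwvx.bmp", date(2008, 7, 16), ""),
]
TODAY = date(2008, 8, 10)  # fixed "now" so the example is deterministic

def looks_random(stem):
    """True if a name stem resembles the random 6-8 letter strings described
    in the thread: letters only, few vowels, high character entropy."""
    s = stem.lower()
    if not 6 <= len(s) <= 8 or not s.isalpha():
        return False
    vowel_ratio = sum(c in "aeiou" for c in s) / len(s)
    probs = [n / len(s) for n in Counter(s).values()]
    entropy = -sum(p * math.log2(p) for p in probs)
    return vowel_ratio < 0.3 and entropy > 2.0

def triage(listing, today=TODAY, max_age_days=60):
    """Return {name: [reasons]} for files worth a closer look. A publisher name
    clears a file: a freshly patched vendor DLL is recent and mshtml even looks
    'random', but its properties carry a creator name."""
    hits = {}
    for name, modified, publisher in listing:
        stem = name.rpartition(".")[0] if "." in name else name
        reasons = []
        if looks_random(stem):
            reasons.append("random-looking name")
        if (today - modified).days <= max_age_days:
            reasons.append("modified within %d days" % max_age_days)
        if reasons and not publisher:
            hits[name] = reasons + ["no publisher in properties"]
    return hits

def date_clusters(listing, hits):
    """Group flagged files by date to expose the burst after the first drop."""
    by_date = defaultdict(list)
    for name, modified, _ in listing:
        if name in hits:
            by_date[modified].append(name)
    return sorted(by_date.items())
```

Version-info strings can be forged, so a publisher name is a tie-breaker for triage, not proof; the output is a list of files to inspect, not a delete list.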
  9. bigbazza

    bigbazza R.I.P. 14/12/2011 - Good Onya Geek

    Just downloaded it right now, as part of my off-peak quota. Took 7 minutes at an average speed of 548KB/s so I managed to finish it just before my off-peak time ran out. :major :cool

    Now to go the home site and learn all about it. :)
    Bazza

    ===

     
  10. bigbazza

    bigbazza R.I.P. 14/12/2011 - Good Onya Geek

    I just visited their home site and came across this.

    This may be the reason behind your troubles.

    Make sure you have the latest MG download.
    http://www.majorgeeks.com/UBCD4Win_d5710.html

    =====================================
    Author: Benjamin Burrows
    Date: 2008-07-04
    Size: 239 MB
    License: Freeware
    Requires: Win XP/2K/2003
    Downloaded: 19626 Times
    ====================================

    Anyone using the latest MG download, with success?

    Bazza

    ===

     
    Last edited: Oct 17, 2008
  11. augiedoggie

    augiedoggie The Canadian Loon - LocoAugie (R.I.P. 2012)

    Hmm, the copy I got from MG's also stopped at the teatimer bit whereas a d/l from a non-MG site worked just perfectly. Asked me if I wanted to confirm the hash and it did when I installed. I would try another d/l from here but I can't afford the bandwidth ATM. I have a good and fast connection and with several of us experiencing the same issue, I'll post a bad link report to them. BTW, I grabbed the first FL link for my download.

    EDIT: I just noticed that dromano lives in Florida so that 1st FL link may be the culprit.
     
    Last edited: Oct 17, 2008
  12. dlb

    dlb MajorGeek

    I'm using v3.2 downloaded from the UBCD4Win site about 2 months ago (???). The last one I downloaded from MG was v3.1.1 and it works fine also, but v3.2 is much cleaner and has more features, but also takes longer to boot.
     
  13. dromano

    dromano Staff Sergeant

    I went to the UBCD4Win site and it downloaded just fine no problem.
    Now my comp can't find any installation files. :cry:confused
    I am running XP Pro on a Dell Dimension.
    Is there anything else they might be called, or do I need to borrow a disc from someone to make this work?
    By the way thank you dlb for all the info!

    Thanks,
    Dan
     
  14. augiedoggie

    augiedoggie The Canadian Loon - LocoAugie (R.I.P. 2012)

    Yup Dan, you need some files off of the XP CD or you might be able to access the files if it's on a hidden drive but I know nothing about pre-installed rigs.
     
  15. dromano

    dromano Staff Sergeant

    Hi,
    Can anyone tell me if any version of XP will work?
    Does it matter that I am running XP Pro but the only disc I can borrow is XP Home?
    Will that be OK?

    Thanks,
    Dan
     
  16. augiedoggie

    augiedoggie The Canadian Loon - LocoAugie (R.I.P. 2012)

    I don't see why it would matter which ver of XP you have as long as it's at least SP1 according to the site. My reasoning is if you need this then your system is hosed anyways and doesn't work so this should bypass the Home/Pro issue. I've been wrong before but create a bootable disk and see what happens.:)
     