Sunday, 25 January 2009

Viruses and the aftermath

I'd never seen so many viruses before... I wished I had a memory stick with a write-protect switch, as whenever I used one to transfer antivirus software and the like I ran the risk of it being infected.

Up-to-date virus definitions are essential here more than anywhere. At the school we used NOD32, as the school had a license for the Enterprise version, which like many Enterprise versions allows the virus definitions to be downloaded to a central location from which the client computers get their updates, minimising the use of the limited bandwidth to the internet.

For personal computers AVG Free or Avast Home can be used. As the school I was at had a very slow dial-up connection, I tried to keep a reasonably up-to-date copy of the virus databases on my computer and updated it whenever I had a good internet connection. With AVG you can download the latest virus definitions from http://free.avg.com/download-update
With Avast the updates are at http://www.avast.com/eng/updates.html

One of the most common routes of infection is through USB disk drives and Autorun, so we have turned off Autorun on all the client computers. The Microsoft article 'How to correct "disable Autorun registry key" enforcement in Windows' (http://support.microsoft.com/kb/953252) is the most recent article on Autorun that I could find, and it explains why, when I first tried editing the registry keys/group policy, it didn't work! Note that you can't use group policies on XP/Vista Home editions.

On computers that are infected with a virus, starting up in Safe Mode will give you the best chance of disinfecting them.

Reenabling registry editing

Many viruses disable registry editing to make it difficult to remove their payload. I use regtools.vbs from http://www.dougknox.com/security/scripts/regtools.vbs

Reenabling Find/Search

This script will re-enable the Find/Search functions: http://www.dougknox.com/security/scripts/find.vbs

Reenabling Task Manager

One virus I came across disabled the Task Manager, and if you re-enabled it and did manage to start Task Manager, the virus would kill Task Manager unless you were quick enough to kill the virus first. This is why it is recommended to start in Safe Mode, where only the basic Windows functions are started.
The registry value is:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr

Set it to 0 to remove the restriction, i.e. enable Task Manager.

Note that with Vista you will need to run the scripts above with administrative privileges.

Startup Errors

Many times I would come across a computer that gave error messages when starting up, indicating that a program couldn't start because its files hadn't been found. Usually this was caused by an infected computer having startup entries that pointed to viruses that had already been deleted by an antivirus program.

Here is a list of places where I discovered invalid startup programs; you need to check under both HKLM and HKCU:

\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
\Software\Microsoft\Windows\CurrentVersion\RunServices
\Software\Microsoft\Windows\CurrentVersion\Run
\Software\Microsoft\Windows\CurrentVersion\RunOnce
\Software\Microsoft\Windows\CurrentVersion\RunOnceEx (XP)
\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

This one is a favourite: userinit.exe should be there, but the value is a comma-separated list, so other programs can be added after it:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Run
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load

Then of course there are the more obvious places:
Documents and Settings\All Users\Start Menu\Programs\Startup
Documents and Settings\"username"\Start Menu\Programs\Startup
(If you have upgraded from NT, the path is Profiles\"username"\Start Menu\Programs\Startup.)
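To find such orphaned entries without opening each key by hand, here is an added PowerShell example (my own, not from the post or from any of the tools mentioned). It assumes PowerShell 2.0 or later on Windows and an elevated prompt, and it lists every entry under the Run keys above and under Winlogon\Userinit whose executable cannot be found on disk or on the search path.

```powershell
# Added example: report startup entries whose target executable no longer exists.
# Assumes PowerShell 2.0+ on Windows; run elevated so every hive can be read.
$runKeys = @(
    'Software\Microsoft\Windows\CurrentVersion\Run',
    'Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'Software\Microsoft\Windows\CurrentVersion\RunOnceEx',
    'Software\Microsoft\Windows\CurrentVersion\RunServices',
    'Software\Microsoft\Windows\CurrentVersion\RunServicesOnce',
    'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)

function Get-ExecutablePath([string]$command) {
    # A command line is either "quoted path" args or path args; return just the path.
    $c = $command.Trim()
    if ($c.StartsWith('"')) {
        $end = $c.IndexOf('"', 1)
        if ($end -gt 0) { return $c.Substring(1, $end - 1) }
        return $c.Trim('"')
    }
    return ($c -split '\s+')[0]
}

function Test-StartupEntry([string]$location, [string]$name, [string]$command) {
    $exe = [Environment]::ExpandEnvironmentVariables((Get-ExecutablePath $command))
    if (-not $exe) { return "EMPTY    $location  $name" }
    # Bare names such as userinit.exe are resolved through the search path, as Windows does.
    $found = (Test-Path -LiteralPath $exe) -or ($null -ne (Get-Command $exe -ErrorAction SilentlyContinue))
    if ($found) { "ok       $location  $name" }
    else        { "MISSING  $location  $name = $command" }
}

foreach ($hive in 'HKLM:', 'HKCU:') {
    foreach ($key in $runKeys) {
        $path = "$hive\$key"
        if (-not (Test-Path $path)) { continue }
        foreach ($p in (Get-ItemProperty -Path $path).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata, not startup entries
            Test-StartupEntry $path $p.Name ([string]$p.Value)
        }
    }
}

# Userinit is a comma-separated list; anything besides userinit.exe deserves a close look.
$winlogon = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userinit = (Get-ItemProperty -Path $winlogon -Name Userinit -ErrorAction SilentlyContinue).Userinit
foreach ($entry in ([string]$userinit -split ',')) {
    if ($entry.Trim()) { Test-StartupEntry $winlogon 'Userinit' $entry.Trim() }
}
```

Lines marked MISSING are the candidates for the startup errors described above; an entry that does exist but is unfamiliar is worth checking before deleting anything.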

Spybot S&D will automatically clean up many of the registry problems detailed above and is available at:
http://www.safer-networking.org/en/download/index.html
