July 5, 2009

Here's What I Do When My Computer Gets a Virus

[UPDATE:] Below you will see the steps I took in trying to rid my computer of some powerful viruses that were slowing my computer down like molasses on a keyboard. Unfortunately, the steps below led to a meltdown of my computer's functioning, after which I lost all of my data stored in the computer over the last three or four years.

The lesson I've learned is to back up my hard drive somewhere else before I start messing with the innards of my computer by trial and error.

Having suffered a complete meltdown of my computer's functioning, I formatted the hard drive and reinstalled all of the programs from scratch. Even then, a virus managed to infect my computer.

I am happy to report that by using Hijack This to see what viruses were operating in my computer, and then using the Hijack This log (printout) and Googling one of the suspicious entries I found operating in my computer, I was able to find out that an antivirus program called ComboFix could remove the virus. I used ComboFix following the instructions (downloading ComboFix to the desktop, shutting off all other programs and antivirus programs, and letting ComboFix do its work).

I was initially afraid to download the Windows Recovery program offered in the free ComboFix antivirus program, but I did download the Windows Recovery system and it didn't cause any problems.

(I am a fervently self-taught person and I would generally prefer to make a mistake myself than pay someone else to make a mistake for me. And yet, there are people online who will analyze your Hijack This printout for you for free, and then tell you exactly what virus(es) your computer has and what you must do to remove them. Here's an example, but it's in Portuguese. The same kind of thing is available in English.)

Now my computer works much better. I only wish I had backed up all of my data on a different computer, or on a DVD, before taking the steps that you can see below.


Keep antivirus programs in a separate "Antivirus Folder", so you can find them quickly in an emergency.

I have known for a couple of weeks that my computer has some viruses in it because:

  • it suddenly locks up when I'm using the Internet;
  • the RAM measurement tells me that my browser (Firefox) is using practically all of the RAM that my computer has available.

Before I describe what I'm doing about it, I have to explain my philosophy of computer maintenance: I do not like to format my computer because (a) I have a lot of photographs and other documents on my hard drive that I don't want to lose; (b) it's monotonous to have to reinstall all of the programs that I regularly use; and (c) I learn a lot more about viruses and computer maintenance while identifying and removing viruses than I would by serially formatting my computer every time it gives me a problem.

If I paid someone else to format my computer, that would be even less cost-effective, because they earn their money by letting my computer get gummed up so that I have to return to format my computer once again. Few computer technicians will take the time to explain how to use antivirus programs effectively to avoid getting the same or other viruses again.

I know how to format my computer myself (completely clearing out everything on the hard drive and then replacing all of the formatting and programs one step at a time), but I just don't want to do that. To me, formatting a computer is like getting a lung transplant because you have a cold. It's a lot less work and less intrusive to just clear out the cold without replacing or nuking your whole respiratory system.

Anyway, getting a lung transplant won't prevent you from getting a cold again. Instead, I want to figure out exactly what virus I have and then find out what medicine will kill or remove that virus.

(Windows XP has a "System Restore" function, but it's actually dangerous to try to use it to remove a virus. Hackers have learned that the first thing inexperienced computer users do when they have a virus is to try to use the System Restore function to put the computer back the way it was before. So, they hide new viruses within the files that restore the system, and these new viruses assert themselves as soon as you use the System Restore function, like a bank account hacker that sets your computer to send him more money from your bank account every time you use the "report fraud" function.)

I would say NEVER to use "System Restore" if your computer starts acting strangely, because there will probably be new and even more devastating surprises waiting for you. This is especially so because restoring the system requires rebooting the computer, and many viruses are designed to get even worse when the computer is rebooted.

So, here's another tip: If your computer starts acting strangely, do not reboot it until you have identified the problem and removed it. Otherwise rebooting the computer might actually make the problem worse, like turning on a self-cleaning function on your stove because your stove is on fire.

Usually, I can avoid getting viruses, or remove them, by using free software available online. The first piece is a "firewall" that stands as a sentry between my computer and the Internet and blocks threats to my computer, controlling both incoming and outgoing traffic; mine is called "Online Armor".

I also use a "registry protector" that prevents viruses from changing the DNA of my computer's brain without my permission, and the program I use for this is also free, called "SpyBot Search and Destroy." (Most people just call it "SpyBot.") The registry protector supervises all activity constantly to prevent viruses from making a mess of my computer.

If you haven't installed some protective programs like these before your computer goes crazy, it will probably be too late when you discover that your computer is full of viruses. The viruses will take over the computer completely, preventing you from accessing the Internet, and so you won't be able to download the programs and tools that you need to get rid of the virus. Like the human body, you have to have at least SOME antibodies and white blood cells and the rest of an immune system to protect you beforehand, or ANY kind of little virus will put you in the intensive care unit.

Even using these two programs (Spybot and Online Armor), sometimes a virus gets past my defenses and then I need to find a way to remove it, so that I won't have to format my computer. Spybot tells you that something is trying to invade your computer and lets you make a choice, "yes" or "no". If you make the wrong choice, you can let in a virus from which Spybot was designed to protect you. Spybot makes threats knock on your door, but YOU still have to decide whether there is a threat and whether to let it in or not.

If all of the above doesn't prevent a virus from getting into my computer, I have another program called "Hijack This," that helps me to look at everything that is going on inside of my computer, all of the processes, and figure out which ones are caused by viruses that are causing my computer to be slow or useless.

None of these programs will help you unless they are already loaded on your computer and you have saved them in a place where you can easily find them when you need them. What good is a fire extinguisher if it's hidden among mounds of other crap in your attic or garage?

That's why I have placed a folder on my hard drive called "Software" and, within that folder, I have another folder called "Antivirus Software" (see graphic above). Whenever I think I have a virus, I go to that antivirus folder and I know all of the tools that I have are there to help me work through the problem.

Unfortunately, new and sneaky viruses are created every day, so there are often viruses that my standard programs won't identify or kill. That's when I need Hijack This, which analyzes the computer's running programs and automatically saves a detailed list on my desktop.

Now's where the "fun" begins, because viruses are often disguised to hide in seemingly innocuous folders, or with names that the average computer user will not identify as a virus. So, what I do is I Google the name of each process that is running and see whether the expert volunteer computer forums online have identified these as viruses or not and, if so, the steps I need to take and the programs I need to use to remove the viruses.

Now, I have run Hijack This, by pushing the button that says "Do a system scan and save a logfile (to the desktop)." Here is the program census that Hijack This has provided to me, and the census seems to the untrained eye to be almost as complex as the computer itself. But don't get scared. By Googling the items in the list, you can discover exactly what they are, whether they're safe and necessary or not, and what to do if one of them indicates a virus. (I don't usually try to read the entire post, but only the description of the problem and then, down at the bottom, whether the "experts" say a running process is a problem and, if so, what to do about it.)

Next to each running process below, I'm going to put a link to a forum that tells me what it is and whether it's a problem or not, but I know some forums are just sneaky hacker sites that tempt the unwise to download viruses that they didn't already have, so I only use advice from the sites I recognize, and I'm very leery about downloading "free" software. If they recommend using a certain well-known virus removal tool, I'll go directly to that tool's main site and download the tool.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 00:12:00, on 6/7/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

The smss.exe that is in C:\WINDOWS\System32\ is legitimate, but if it appears somewhere else it may be a virus, says Forum Hardware Club.

C:\WINDOWS\system32\csrss.exe

Spybot Forums says the above "appears not to be [a virus], however to be certain we would need to see a log" (like this log we're examining right now). (Now it's back to Google to see what I can learn about the next process below.)

C:\WINDOWS\system32\winlogon.exe

Kaspersky.com's antivirus program and forum say, "Winlogon.exe, in system32, is the "Windows NT Logon Application". It's a vital component."

C:\WINDOWS\system32\services.exe

TechSupportGuy.com advises downloading ComboFix to the desktop and running it to discover viruses. I'm going to try that, because it won't hurt. I find there's a questionable file called dbi.exe on my computer and I've never seen it before. A couple of sites say that dbi.exe is a Trojan Horse virus, but that Kaspersky Online can remove it.

Although most antiviruses and virus removal tools are in the same profession, they do not all use the same professional tools or provide the same results. Some anti-viruses kill or remove virus "A" but don't identify or remove virus "B", and vice versa. So, depending upon the virus that the computer has, online skilled virus removers (there are free message boards for this purpose) will recommend one antivirus tool while recommending a different tool for removing a different virus. Therefore it's possible to have ten antivirus tools saved to your Antivirus Folder and still have to download one more in order to get rid of a specific virus. Remember, too, that the databases of these anti-hacker tools have to be constantly updated, or they become like dishwashing sponges with no soap or hot water.

Now, I'm downloading Kaspersky Online to see if it can identify AND remove the virus I have found, dbi.exe. But Kaspersky Online finds no viruses.

C:\WINDOWS\system32\lsass.exe

Neuber.com says:

"lsass.exe" is the Local Security Authentication Server. It verifies the validity of user logons to your PC or server. Lsass generates the process responsible for authenticating users for the Winlogon service. This is performed by using authentication packages such as the default, Msgina.dll. If authentication is successful, Lsass generates the user's access token, which is used to launch the initial shell. Other processes that the user initiates then inherit this token.

Note: The lsass.exe file is located in the folder C:\Windows\System32. In other cases, lsass.exe is a virus, spyware, trojan or worm! Check this with Security Task Manager.

My lsass is in C:\Windows\System32, so I guess it's ok.

C:\ARQUIV~1\GbPlugin\GbpSv.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\Tall Emu\Online Armor\oasrv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\ARQUIV~1\AVG\AVG8\avgwdsvc.exe

C:\Arquivos de programas\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\svchost.exe

C:\ARQUIV~1\AVG\AVG8\avgrsx.exe

C:\ARQUIV~1\AVG\AVG8\avgemc.exe

C:\Arquivos de programas\AVG\AVG8\avgcsrvx.exe

C:\WINDOWS\system32\wbem\wmiapsrv.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\pctspk.exe

C:\WINDOWS\system32\RunDll32.exe

C:\ARQUIV~1\AVG\AVG8\avgtray.exe

C:\Arquivos de programas\Tall Emu\Online Armor\oaui.exe

C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Arquivos de programas\Skype\Plugin Manager\skypePM.exe

C:\Arquivos de programas\Skype\Phone\Skype.exe

C:\ARQUIV~1\AVG\AVG8\avgnsx.exe

C:\Arquivos de programas\Nonoh.net\Nonoh\Nonoh.exe

C:\Arquivos de programas\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\winmine.exe

C:\WINDOWS\system32\taskmgr.exe

C:\Arquivos de programas\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll

O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\Arquivos de programas\GbPlugin\gbieh.dll

O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent

O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe

O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd

O4 - HKLM\..\Run: [AVG8_TRAY] C:\ARQUIV~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [OnlineArmor GUI] "C:\Arquivos de programas\Tall Emu\Online Armor\oaui.exe"

O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [Nonoh] "C:\Arquivos de programas\Nonoh.net\Nonoh\Nonoh.exe" -nosplash -minimized

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll

O17 - HKLM\System\CCS\Services\Tcpip\..\{AB499F3F-BB05-43DD-B2B8-41C82A69D7EC}: NameServer = 200.225.197.34 200.225.197.37

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Arquivos de programas\AVG\AVG8\avgpp.dll

O20 - Winlogon Notify: GbPluginBb - C:\Arquivos de programas\GbPlugin\gbieh.dll

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\

O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\ARQUIV~1\AVG\AVG8\avgemc.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\ARQUIV~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: Gbp Service (GbpSv) - - C:\ARQUIV~1\GbPlugin\GbpSv.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe

O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Arquivos de programas\Tall Emu\Online Armor\oasrv.exe

--

End of file - 3946 bytes
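The check the walk-through above applies by hand (a core Windows process is only trusted when it runs from C:\WINDOWS\System32, and the O4, O17 and O20 entries get looked up one at a time) can be scripted. The following Python is an added example, not code from the post or from HijackThis: it parses a log in the same format, flags core processes running from anywhere else, and collects the autostart, DNS-server and Winlogon Notify entries for review. The sample log is constructed from the format shown above, with an invented misplaced lsass.exe line so the check has something to find.

```python
import re
from pathlib import PureWindowsPath

# Constructed excerpt in HijackThis v2.0.2 log format, modelled on the log above.
# The "C:\WINDOWS\lsass.exe" line is invented so that the location check has a hit.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\Mozilla Firefox\firefox.exe

O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKCU\..\Run: [Nonoh] "C:\Arquivos de programas\Nonoh.net\Nonoh\Nonoh.exe" -nosplash -minimized
O17 - HKLM\System\CCS\Services\Tcpip\..\{AB499F3F-BB05-43DD-B2B8-41C82A69D7EC}: NameServer = 200.225.197.34 200.225.197.37
O20 - Winlogon Notify: GbPluginBb - C:\Arquivos de programas\GbPlugin\gbieh.dll
"""

# Core Windows XP processes that belong in C:\WINDOWS\System32; the forum answers
# quoted above make this point for smss.exe and lsass.exe, and it holds for the rest.
CORE_SYSTEM32 = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                 "lsass.exe", "svchost.exe", "spoolsv.exe", "alg.exe"}
EXPECTED_DIR = r"c:\windows\system32"

ENTRY_RE = re.compile(r"^([RO]\d+) - (.*)$")

def parse_log(text):
    """Return (running process paths, [(tag, body), ...]) from a HijackThis log."""
    processes, entries, in_procs = [], [], False
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if m:                                   # first R/O entry ends the process list
            in_procs = False
            entries.append((m.group(1), m.group(2)))
        elif line == "Running processes:":
            in_procs = True
        elif in_procs and re.match(r"^[A-Za-z]:\\", line):
            processes.append(line)              # tolerates blank lines between paths
    return processes, entries

def misplaced_core_processes(processes):
    """Core processes running from anywhere but System32 (the manual check above)."""
    hits = []
    for p in processes:
        path = PureWindowsPath(p)
        if path.name.lower() in CORE_SYSTEM32 and str(path.parent).lower() != EXPECTED_DIR:
            hits.append(p)
    return hits

def review_entries(entries):
    """Pull out the entries worth looking up one by one: O4 autostarts,
    O17 DNS servers and O20 Winlogon Notify DLLs."""
    review = {"O4": [], "O17": [], "O20": []}
    for tag, body in entries:
        if tag == "O4":
            m = re.match(r"HK\w+\\\.\.\\Run: \[(.+?)\] (.*)$", body)
            if m:
                review["O4"].append((m.group(1), m.group(2)))
        elif tag == "O17":
            m = re.search(r"NameServer = (.*)$", body)
            if m:
                review["O17"].extend(m.group(1).split())
        elif tag == "O20":
            m = re.match(r"Winlogon Notify: (\S+) - (.*)$", body)
            if m:
                review["O20"].append((m.group(1), m.group(2)))
    return review
```

To use it on a real scan, pass the text of the hijackthis.log saved to the desktop to parse_log instead of SAMPLE_LOG; a hit from misplaced_core_processes or an unfamiliar O17 name server is a reason to look that entry up, not proof of infection.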


December 7, 2007

In Victory for Freedom Technology, Young Man's MP3 Player Changes the Balance of Power in a Criminal Case

The police routinely lie to get confessions, to force defendants to accept plea bargains, and to thereby get convictions. But look what happened when a defendant secretly recorded a police interrogation and then sprung that recording on a police officer in court:

NEW YORK - A teenage suspect who secretly recorded his interrogation on an MP3 player has landed a veteran detective in the middle of perjury charges, authorities said Thursday.

Unaware of the recording, Detective Christopher Perino testified in April that the suspect "wasn't questioned" about a shooting in the Bronx, a criminal complaint said. But then the defense confronted the detective with a transcript it said proved he had spent more than an hour unsuccessfully trying to persuade Erik Crespo to confess — at times with vulgar tactics.

Once the transcript was revealed in court, prosecutors asked for a recess, defense attorney Mark DeMarco said. The detective was pulled from the witness stand and advised to get a lawyer.

( . . . )

Perino had arrested Crespo on New Year's Eve 2005 while investigating the shooting of a man in an elevator. While in an interrogation room at a station house, Crespo, then 17, stealthily pressed the record button on the MP3 player, a Christmas gift, DeMarco said.

After Crespo was charged with attempted murder, his family surprised DeMarco by playing him the recording.

"I couldn't believe my ears," said the lawyer, who decided to keep the recording under wraps until he cross-examined Perino at the trial.

Prosecutors then offered Crespo, who had faced as many as 25 years if convicted, seven years if he pleaded guilty to a weapons charge. He accepted.

(Source: Yahoo News)

This shows the importance of the AfroSpear's Freedom Technology Christmas campaign, because if the defendant hadn't had an MP3 player to record the police interrogation, that officer's word might have been accepted as fact. Instead, the officer could be looking at some jail time.

December 1, 2007

Digital Cameras Promote Technological Literacy in Black Teenagers

One of the main reasons that I bought a digital camera for my daughters (12 and 14 years old) was to encourage them to experiment with photography, layout, and explore natural science as Leonardo Da Vinci did with his anatomical drawings.

So, I am pleased to discover that my 14-year-old daughter has an entire folder of photographs of our cats and dog, using various types of lighting, in various poses and natural states. I don't know if she will ultimately be a photographer or receive a college scholarship based on her work, but I know that neither of those things can happen if she doesn't know how to use a digital camera.

My daughter NEEDS a digital camera to explore and develop her creativity, and this exploration, in turn, is part of her intellectual, academic and professional preparation for life in a complex and technological society. Because of her interest in photography, she has learned how to use PhotoShop, which is the professional program used in the layout of print advertisements and commercial business signs. (Notice how my "Free The Jena Six" placard appears to be resting in my and my wife's arms, but was actually pasted in by my daughter, using PhotoShop.)

I bought my daughters a used Sony DSC-S40 camera from Amazon.Com that is so old that they don't sell them anymore. Other similar but updated models that take excellent photographs include the Sony Cybershot S650 and S700, available by next-few-days mail from Amazon.Com for between $110.00 and $140.00, new and used. (Although the used ones work, you might as well get a new one, since the difference in price is so small.)

Also, get a memory stick, because a digital camera's internal memory tends to be frustratingly small, but a memory stick allows you to take hundreds or thousands of photographs.

November 27, 2007

Freedom Technology Christmas Free and Open Source Gift Ideas

Thank you, Francis, for extending an invitation to post on the Afrospear Freedom Technology Christmas blog. Now that the Christmas season has officially arrived, I will be posting more frequently on ideas that I have for making the most out of the gifts that Afrospear members and friends may be giving.

Here are a few ideas I have for Christmas gifts and gift complements of the Open Source variety. Expect more in the near future.

A laptop preloaded with Ubuntu Linux from Dell

Why a laptop with Linux installed rather than, say, Windows? There are several good reasons to consider Linux. The first is security and stability. Linux is less vulnerable to viruses. While it's true that virus writers don't attack Linux systems often due to its small market share, Ubuntu is designed in a way that even if you do get a virus, the harm will be minimal. Of course, there are anti-virus and firewall programs for Linux as well, so you can always rest assured that your computer is at least safer than a Windows machine.

Most Linux programs are open source and free. Installing programs is as easy as a mouse click, and to boot, you almost never have to restart your computer after installing a program, thus increasing your productivity. There is a Linux alternative to just about any Windows or Macintosh program you can imagine.

If you are buying for a child, there is a plethora of educational software available, all free of charge. Notably, there are the Edubuntu packages, which can be easily added to any Ubuntu installation.

Ok, so you're not ready to abandon Windows? That's cool. You can still complement a new Windows computer or an existing one with all of the productivity software you need for a fraction of the cost.

For your Windows using relatives and friends - an OpenDisc CD.

It's loaded with productivity software. It's free. A great complement to a new or existing computer.

A domain name.

Domain names are cheap. You can get one for ten dollars a year. You can give an aspiring blogger the domain name of their choice for two years for twenty bucks. For another ten a month, you can purchase a month of web hosting, and if you pay for a year in advance, you will end up paying significantly less. So, for under 100 dollars you can purchase a full year of blogging for someone. All they would have to do is install the Open Source Wordpress blogging software and they're ready to go.

While online services like Blogger, Wordpress, Typepad, etc., are all great, there are many benefits to owning and controlling your own site. Most important is that you own and control your site. There are no restrictions on what you can do with your blog (barring illegal activities, of course). If, for instance, the recipient of your gift is interested in podcasting, it is much easier to do on a site that they own and control than on a Blogger site. Once you own and control your own site, the possibilities become infinite.

Over the next few weeks, I plan on commenting on some of the ideas offered by the widgets on the sidebar here. If any readers have any questions about a particular product or technology, or want to know more about how to incorporate open source technology into their lives, please leave a comment letting me know and I'll respond in comments or write a post addressing it.

Happy Afrospear Freedom Technology Christmas!

November 12, 2007

Give One Get One: One Laptop per Child

A friend has told me about a program that, they say, sells laptop computers for $200.00 in the developing world, and will send one to a friend of yours in the United States this Christmas if you pay for one for a child who lives somewhere else.

Between November 12 and November 26, OLPC is offering a Give One Get One program in North America. This is the first time the revolutionary XO laptop has been made available to the general public. For a donation of $399, one XO laptop will be sent to empower a child in a developing nation and one will be sent to the child in your life in recognition of your contribution. $200 of your donation is tax-deductible (your $399 donation minus the fair market value of the XO laptop you will be receiving).

For all U.S. donors who participate in the Give One Get One program, T-Mobile is offering one year of complimentary HotSpot access. Find out more.

Please be aware that we will make every effort to deliver the XO laptops by the holidays, but quantities are limited. Early purchasers have the best chance of receiving their XO laptops in time for the holidays, but we cannot guarantee timing.

(Source: Give One, Get One)

I admit that I haven't read the small print about this program or considered it from a political perspective. Do any of our readers have any more information about this or any perspective to provide? Or even any personal experience with these laptops?