Category Archives: Virus/Software Cleanup

Rolling Back Windows Updates

From time to time, Microsoft may release a Windows patch that causes issues with parts of operating system (printing, connectivity, stability issues). And to resolve those issues in a timely fashion, the patch may need to be rolled back (removed).

Steps for Removing A Windows Update Patch

  1. In the Windows search bar, enter: appwiz.cpl

    This will launch the dialog box for uninstalling programs and updates.
  2. Click on View installed updates

  3. Scroll down to the section titled: Microsoft Windows

  4. Click on the specific update to be removed
  5. Click on Uninstall

    It might take a few minutes to uninstall, and most likely will force a restart of the computer.

Collecting a HijackThis Report

One of the quick ways of detecting many types of spyware/virus infections is using a diagnostic tool called HijackThis.  Here are the steps for collecting a HijackThis report and sending it in to us.

  1. Download a copy of Hijack This.  We recommend simply downloading the executable, as it does not need to be installed on your system.   Link for the HijackThis download
  2. Run the program.
  3. A dialog box should appear, showing you a number of options.  Select the first option, labeled ‘Do a system scan and save a logfile’

    Collect a report
    Collect a report
  4. HijackThis will run a report and generate a text file with the report results.  This should automatically be displayed in Notepad on your screen.   On the menu bar for the report in Notepad, choose Edit and then Select All — this will highlight all of the report.  Then choose Edit and Copy to copy the text.

    Select All the text, then Copy
    Select All the text, then Copy
  5. Go to our Contact Page and in the message section, right click and select Paste to paste the report.  Fill in your name, email address, and subject (HijackThis Report), and then finally hit the ‘Send Message’ button.

    Paste the report, send the message
  6. Close out the report and the HijackThis program.

    Close out the program
    Close out the program

That’s all there is to it.

We’ll analyze the report and let you know if your system appears to be infected.

Let Me Count the Ways…

There are an increasing number of ways you can get malware (spyware, virus, etc) on your system. Here is a basic summary of the types:

  • Running a program from removable media: This was the original method. You start a program that has the infection code embedded in it. In the early days, this usually involved viruses on diskette and they would let you know very quickly that you had let them loose on your computer, usually deleting or corrupting files. These attacks can still occur with CD/DVD or USB drives, but are fairly uncommon.
  • Booting with infected media: You start your computer with a diskette or CD/DVD that has infected code on it. The automatically attempts to boot or run off the media, thus launching the virus.
  • Opening an email: Many early viruses took advantage of programming defects in common email programs like Outlook and would be able to activate themselves when you simply opened the infected email. They would usually then access your address book and automatically propagate themselves and sending copies to all your contacts. This is a fairly uncommon method of transmission now, as most email programs have been fairly well patch, and many people are relying more on online email systems like gmail.
  • Clicking on pop up windows: Many early forms of spyware gained entry into your computer via your web browser, usually using security holes in Internet Explorer. You would visit some web page that showed some kind of pop up that enticed you into clicking on it. Once clicked on, the script would gain access to your system and download its payload.
  • Opening an email attachment: More modern viruses rely less on programming defects and instead use social engineering to deceive you into activating some kind of email attachment, usually containing an executable program, possibly embedded in a .zip file (archive).
  • Viewing an infected file:  Some very sophisticated attacks have virus code embedded in files such as graphic images or even PDF files.  Most of these types of infection can be prevented by keeping your system software up-to-date with the latest patches.
  • Clicking on an link: Usually coming in an email, the user clicks on a click that launches a virus from a web site. It can also happen via a web site link.
  • Accessing an infected web site: The latest wave of malware involves very sophisticated attacks. It starts by infecting susceptible websites with a virus delivery sytem. Once you simply visit that infected web site, even without clicking on anything, the virus will be instantly launched, attacking your web browser to gain access to your system via programming defects or lax security. This type of infection is one of the most difficult to prevent, but is generally not that common (as it requires a website to remain infected).

Most good antivirus programs can prevent most of these attacks, as long as the software is kept up-to-date with the latest program updates. And most quality email providers automatically scan your email to check for most types of virus.

Think you might have been infected? Read our article on Spyware/Virus Detection, or simply Contact Us to arrange a full system scan.

Spyware/Virus Detection

Your computer is acting “strange”, seems to be running really slow, or you’re getting popups and/or messages about viruses?  Then it’s time to scan the system for possible malware (spyware/viruses, etc).

Professional software packages like Nortons or McAfee should usually do the trick in detecting infections, but you need to make sure the virus definitions are up-to-date.  Even so, it is possible for even the best software to miss some infections, especially if it is a new variant.

Online Scanners

The simplest way to quickly check for an infection is to use run a virus scan.  There are a couple of online scanners for checking your system.  These operate through your web browser:

Kaspersky Virus Scan – Kaspersky seems to do the best job at detecting most infections.   Requires Java, which most browsers already have installed.

Panda ActiveScan – Requires a special plug-in download the first time you use it.

Generally, you want the program to scan your entire disk.  Most infections will be located either in your Windows directory, reside in the cache for your web browser, or as an email attachment.  The full scan will take a while to complete — anywhere from 30 minutes to a couple of hours.

These online scanners will only detect infections, they will NOT fix the problems.   Make sure you save any report or write down the details from the report if any infections are found.

Collecting a Hijackthis Report

A faster method for checking for an active infection (something currently running on your system) is to use a tool called HijackThis.  While the tool can be used to fix some infectionss, you generally only want to use it to collect a report.

As of this writing, HijackThis was being offered by TrendMicro (TrendSecure).  Link to download page. In general, you can just download the executable and run that without having to actually install it.

Run the program and select the option to ‘Do a system scan and save a log file’.  It scans all your active programs and system configuration, then provides you with a text report (usually in Notepad).   Save that report.

You can take things one step further and analyze your log online.  Here is one site that will analyze the results. It usually flags obvious malware, but can also mark a lot of programs as unknown or even false positives.

No Tools Checkup

If you don’t have the time to run an online scan or the HijackThis software, you can still do an  examination.  This may require more effort on your part, but sometimes its the fastest way to make a quick check.

Bring up the Task Manager and look at the process list.  The easiest way to start up the Task Manager is to hold down the Ctrl-Alt-Delete keys.  Once the Windows Task Manager dialog appears, click on the ‘Processes’ tab and make sure the ‘Show processes from all users’ is checked.   This tool shows you all the currently running processes on your system.  Almost all of them have to do with the operating system and utilities running on your system.  You’ll need to examine each process by name.  Usually you can ignore these as part of the operating system:

  • dllhost.exe
  • explorer.exe
  • rundll32.exe
  • services.exe
  • lsass.exe
  • csrss.exe
  • svchost.exe
  • taskmgr.exe
  • iexplore.exe

Look up any unknown entries using Google or try this web site: ProcessLibrary.com

While this quick check may turn up some suspicious entries, do not use it as a way to claim your system is clean.  Some malware can actually hide under one of the legitmate process names (like lsass.exe).  A full system scan is still the best diagnostic.  And many types of malware actually generated randomly named files, making it impossible to search by name.

We provided comprehensive malware scanning and removal — Contact Us when you need help with diagnosis or removal.