Thursday, May 21, 2009

Configuring Windows Firewall

How To: Technical article on how to configure the Windows Vista firewall for outbound traffic. This gives your PC stronger protection and complete control over which programs may talk on the net. This is an advanced computer topic.

This article was originally written for Windows Vista. These steps have not been tested under Windows 7, but they should work the same. The author will re-visit this article shortly.


If you are looking for the message "the update server is not responding, which means it might be offline at the moment, or the Internet or Firewall settings may be incorrect." -- this is a classic indication of a firewall (Microsoft's or your virus-scanner suite's) blocking the traffic. See details below. If you are not using a software firewall, this article may not help solve this problem.



Contents:
* Do you have a firewall installed?
* Blocking Outbound Traffic with "wf.msc"
* Configuring Base (normal) exceptions
* Operating System Exceptions (SVChosts/Windows Update)
* Network Printing Exceptions
* Acrobat Reader (and other) Update Exceptions
* Ping and TraceRT exceptions
* How to temporarily disable outbound Firewall Rules


All computers need virus/spyware scanners and a firewall -- but the firewall is where most of us are weakest. This article attempts to explain how to manage the firewall in Microsoft Vista.

Firewall 101

Thanks to our cable or DSL modems, most of us are behind a hardware firewall. This type of firewall blocks inbound traffic by hiding the computer's real IP address behind the router's address. The process is called Network Address Translation (NAT). NAT hides your computer's real address from the Internet, and this blocks all unsolicited inbound connections.

Without this, a computer would be infected within seconds of being connected to the Net -- with no action required on your part; you don't even have to launch a browser. Laptops are at a particular disadvantage because they can leave their own network and attach to a public router where NAT might be turned off. If that happens, the laptop is a sitting duck.


But none of this helps when your computer already has spyware that sneaks out and sends data outbound; a normal hardware firewall will do nothing to stop this type of traffic.



Microsoft realized this, and starting with Windows XP SP2, a default software-firewall was installed and it monitored inbound traffic, solving the missing NAT problem.

Then, starting with Vista, the firewall's capabilities were expanded so it could watch outbound traffic. However, because this feature required more end-user skill and knowledge, this feature was turned off. In this article, I suggest enabling outbound blocking -- but be prepared for a little work.


Half-Height Firewalls: The Need

A firewall that blocks inbound traffic (for laptops or desktops) is a minimum standard, but if you are a more sophisticated end-user, you can do better.

Consider the following: Imagine you had accidentally installed a virus, and didn't know it. Perhaps it arrived in an email or your children passed over a website that offered a free music-download. Now imagine the virus was too new to be detected by your scanners. Keystrokes could be captured, websites redirected, data uploaded; all without your knowledge.

A hardware or simple default software firewall is not going to capture the stuff happening behind your back. A properly-configured software firewall can intercept outbound traffic even when virus scanners fail.


Do you have a Firewall Installed?

If you installed a security suite from another vendor, such as ZoneAlarm, McAfee or Symantec, it probably installed its own firewall, and those programs have different procedures to follow. If you did not, you are probably using the default Windows firewall. To see which firewall is installed, do the following:

A. Click Start, Settings, "Control Panel"

B. Open "Security Center"

C. Click the down-arrows on Firewall. If it says Windows Firewall, then this article is for you.



Blocking Outbound Traffic
By default, Vista (and Windows 7) firewall only blocks unsolicited inbound traffic. Follow these steps to block unknown outbound traffic. This is a relatively advanced topic.

1. Launch the Windows Firewall Control Panel:
Start, Run, "wf.msc"
The control panel takes several seconds to load

2. On the (left) tree-side, highlight the top of the tree "Windows Firewall with Advanced Security".
On the Right side, click "Properties"

3. For each of the top-tabs [Domain Profile, Private, and Public Profile],
set "Outbound Connections" to "Block"
Do this three times, once for each tab.


Important: When you do this, all internet traffic will be blocked and web-browsers, email programs, software updates, etc., all quit working until they are granted an exclusion (next).

4. Click OK when done, returning to the main Windows Firewall control panel.


Configure Base Exceptions

Next, grant exceptions to your most commonly used programs. For example, on my machine, I allow the following:

Internet Explorer (browser)
FireFox (browser) + Firefox Updater
Outlook (email)
Thunderbird (email) + Thunderbird Updater
Windows Media Player
Itunes (or other music-players)
Your Virus Scanner
Base Operating System Exceptions (details below)
*Windows Update / Windows Defender / MSE
DOS Ping
DOS TraceRt
Network Printing

Except for these exceptions, all other programs will not see the Internet and will think the computer is "off the net." This also means they cannot ask for automatic updates. In my opinion, this is good: for application software, update when you want so you are not surprised; I typically manually download updates from the web and do not rely on automatic updates. If you would rather have them update automatically, add them to the list above. There are more details on this in a moment.

Also, be aware that Windows Defender (Spyware scanner) and Windows (auto) update will not see the network, and this is addressed separately in a few moments.

For each program in the list above, follow these steps:

5. In the Windows Firewall Control Panel, main screen, click "Outbound Rules" (on the left-window).

6. On the right-side, click "New Rule".

Select "Program" and click Next
Choose "This Program Path" and browse or type the executable's .exe name.

For example, Internet Explorer is found at "C:\Program Files\Internet Explorer\iexplore.exe" (do not use quotes even though there are spaces in the name).
Firefox might be installed at "C:\Program Files\Mozilla\Firefox\Firefox.exe".
Windows Media Player is at "C:\Program Files\Windows Media Player\wmplayer.exe"



Hint: To find a program's location, locate the program's icon, other-mouse-click and choose Properties. Copy and paste the "target" field, minus any parameters.

7. On the Next Screen:

Choose "Allow the connection"
Recommend choosing all three profiles [Domain, Private, Public]

8. When prompted, give it a "pretty name" such as "A-Internet Explorer" (I always like to prefix the programs I added by using an "A-" so they sort at the top of the list). As you can see, this screen is complicated and the A-dash helps organize it.



9. Add the other programs in the list, following the same steps.
If you forget to add a program, it simply won't connect to the Internet. For example, if you play a store-bought game that can connect to the Net, it will not work until granted an exception here.

The benefit is this: if a rogue program installs itself, the firewall blocks its ability to talk to the outside world and your computer will be safer. (Here it would be nice if the Windows Firewall would announce that program "XYZ is attempting to connect to the Internet" so you would know the virus was there. Perhaps this will be fixed in later versions.)
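The same outbound policy and base exceptions can be set from the command line. The script below is an added example, not part of the original article; it uses the netsh advfirewall commands built into Vista and Windows 7 and must be run from an elevated PowerShell (or cmd) prompt. The program paths are the ones quoted above plus the PING/TRACERT tools listed later under "Other Recommended Files"; adjust them to your own installation.

```powershell
# Added example: block outbound by default, then grant per-program exceptions.
# Uses netsh advfirewall (built into Vista and later); run elevated.
# Paths match the article's examples; adjust to your own installation.

# Step 3: block unsolicited inbound and all outbound on every profile.
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

# Steps 5-9: one outbound "allow" rule per program, named with the "A-" prefix
# so the rules sort together at the top of the Outbound Rules list.
$programs = @{
    'A-Internet Explorer'    = 'C:\Program Files\Internet Explorer\iexplore.exe'
    'A-Firefox'              = 'C:\Program Files\Mozilla\Firefox\Firefox.exe'
    'A-Windows Media Player' = 'C:\Program Files\Windows Media Player\wmplayer.exe'
    'A-Ping'                 = '%SystemRoot%\System32\PING.EXE'
    'A-TraceRt'              = '%SystemRoot%\System32\TRACERT.EXE'
}

foreach ($name in $programs.Keys) {
    # Expand %SystemRoot%-style variables so the path can be checked first.
    $path = [Environment]::ExpandEnvironmentVariables($programs[$name])
    if (-not (Test-Path $path)) {
        Write-Warning "Skipping ${name}: $path not found"
        continue
    }
    # Quoting the whole token keeps embedded spaces intact when PowerShell hands it to netsh.
    netsh advfirewall firewall add rule "name=$name" dir=out action=allow `
        "program=$path" profile=any enable=yes
}

# Confirm the policy took effect and list the rules just added.
netsh advfirewall show allprofiles | Select-String 'Firewall Policy'
netsh advfirewall firewall show rule name=all dir=out | Select-String '^Rule Name:\s+A-'
```

Rules created this way appear in wf.msc exactly as if they had been made through the wizard, so they can still be edited or disabled there later.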


Operating System Exceptions

Windows Update and Windows Defender also need an exception. You *must* do these in order to adequately protect your system. If not, you will get this error: "Windows could not search for new updates. Error(s) found: Code 80072EFD".

Follow these steps to grant an Exception in the Firewall.

1. As before, create a new Outbound Rule, selecting this program:

C:\Windows\System32\svchost.exe
Name the rule "A-Svchost" so it sorts with the others.

When selecting "svchost," Windows will display a warning. Ignore the warning and allow it to create the rule, but because this is an operating-system file, additional steps should be taken and these are detailed next.

2. Edit the new rule's properties by double-clicking the name ("A-svchost").

3. Illustrated below, select the [Programs and Services] tab
Click the "Settings" button.

4. Choose the radio-button "Apply to this service"
In the list, choose "Windows Update";
Click OK

5. In the "Protocols and Ports" tab

Change the Protocol Type from Any to "TCP"
Change the Remote Port from All Ports to "Specific Ports"; type ports "80, 443"


Save the changes and close the entire control panel. Windows Update and Windows Defender should now work properly.
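The svchost rule from steps 1-5, as an added netsh example that is not part of the original article. It restricts the rule to the Windows Update service (service short name wuauserv, which the GUI shows by its display name "Windows Update") and to TCP ports 80 and 443, so the exception does not open the network to every other service hosted inside svchost.exe. Run elevated.

```powershell
# Added example: the svchost.exe exception limited to one service and two ports.
# Steps 1-5 above, expressed as a single netsh rule; run from an elevated prompt.
netsh advfirewall firewall add rule "name=A-Svchost" dir=out action=allow `
    "program=%SystemRoot%\System32\svchost.exe" service=wuauserv `
    protocol=TCP remoteport=80,443 profile=any enable=yes

# Confirm the service short name matches the display name the GUI offered.
Get-Service wuauserv | Select-Object Name, DisplayName, Status

# Read the saved rule back; the verbose listing shows Service, Protocol and RemotePort,
# which is the quickest way to catch a rule that was accidentally left at "Any".
netsh advfirewall firewall show rule "name=A-Svchost" verbose
```

If the verbose listing shows "Service: Any" or "RemotePort: Any", the rule is broader than intended and should be corrected in wf.msc before relying on it.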

Printing Exceptions

Microsoft was not thinking when they wrote the firewall software -- it surprisingly blocks IP-based network printing. This turns out to be a nuisance, and you have to go to two different places to set the exception properly.

Follow these steps if you print to a JetDirect or other IP-based print server. If the printer is a USB or LPT printer attached to your local machine, you do not need these steps.

1. Start, Run, "FirewallControlPanel.exe" (or select Control Panel, Security Center, Windows Firewall).

2. Choose "Allow a program through Windows Firewall"

3. Click the [Exceptions] tab
Choose [x] File and Printer Sharing
Click OK, OK, etc. to close the control panel / Security Center screens.

Next, go to the Advanced Settings:

4. Start, Run, "wf.msc"

5. In Outbound Rules, click "New Rule"; Select "Custom", then "All Programs"

6. On the next screen,

Choose Protocol Type "TCP"
Local Port: "All Ports"
Remote Port: "All Ports"
Click Next

7. "Which local IP address does this rule match?" Choose "Any"

Which remote IP Address does this rule match?
Choose "These IP Addresses"
Add your JetDirect/print server's IP address under "This IP Address or subnet"

This will not be your local PC's IP address. For example, my printer spooler is defined at 192.168.200.251. This step is only needed on those computers that talk directly to the print spooler/JetDirect. If other computers connect to your computer in order to share the printer, nothing needs to be done on the remote machine. Click Next to continue.



8. Choose "Allow the connection", then choose all three profiles [Domain, Private, Public]

9. Name the rule, per my recommendations: "A-Printer 192.168.200.251"

Clearly, if the PC is on a corporate network, network printing may be problematic. Consider using an IP address range. I welcome suggestions on how to improve this.
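Both printing exceptions from the command line, as an added example that is not from the original article. The first command is the netsh equivalent of ticking "File and Printer Sharing" on the Exceptions tab; the second is the custom outbound rule from steps 4-9, scoped to the print server's address (the article's 192.168.200.251 is used here; substitute your own). The TCP probe at the end is an assumption-free .NET check added for convenience; port 9100 is the usual JetDirect raw-print port.

```powershell
# Added example: the two printing exceptions, plus a reachability check. Run elevated.

# Steps 1-3: enable the built-in "File and Printer Sharing" rule group.
netsh advfirewall firewall set rule "group=File and Printer Sharing" new enable=Yes

# Steps 4-9: outbound TCP, any program, but only to the print server.
$printServer = '192.168.200.251'    # article's example address; replace with yours
netsh advfirewall firewall add rule "name=A-Printer $printServer" dir=out action=allow `
    protocol=TCP "remoteip=$printServer" profile=any enable=yes

# On a corporate network, scope the rule to a subnet or range instead of one host:
#   remoteip=192.168.200.0/24
#   remoteip=192.168.200.200-192.168.200.254

# Quick check that the print server answers on the JetDirect raw port.
# (Test-NetConnection does not exist on Vista/7, so this uses the .NET TcpClient.)
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

Test-TcpPort -ComputerName $printServer -Port 9100
```

A result of False after the rule is added usually means the printer uses a different port (LPD uses 515) or the address is wrong, rather than a firewall problem.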

Adobe Acrobat Reader Update

If you wanted Adobe Acrobat (or other programs, such as WordPerfect, your photo-editor, etc.) to auto-update, they may fail with a message similar to "the update server is not responding, which means it might be offline at the moment, or the Internet or Firewall settings may be incorrect." This is a classic indication the Firewall is blocking the traffic.
This is by design. In the Outbound rules, *all* programs are blocked unless granted an exception and Adobe's product has no way of knowing a firewall was in the way.


Finding the Program:

In this case, granting Acrobat Reader an exception (AcroRd32.exe) will not solve the problem because the Reader is not the program doing the updating. It takes a moment of sleuthing to find the real program; here are the steps.

A. Press ctrl-alt-delete, "Start Task Manager". Leave this window open.

B. Launch Acrobat Reader, select Help, "Check for Updates"

C. In Task Manager, note how a new program jumps into the list: "Adobe_Updater.exe". This is the program that needs a hole punched through the firewall.


D. In Task Manager, other-mouse-click the EXE name and choose "Open File Location". You will find it in "C:\Program Files\Common Files\Adobe\Updater6\adobe_updater.exe".

You may find that other update-programs do similar things. Of course, you could ignore the auto-updater and download the installation manually from the web. Since your web-browser has been granted permission, there will be no problems.

Other Recommended Files

Grant a normal Outbound Exception rule to these programs, often used by technicians for network diagnostic work:

A-Ping: %SystemRoot%\System32\PING.EXE
A-TraceRt: %SystemRoot%\System32\TRACERT.EXE
If you do not grant this exception, Ping will report a "General Failure"

Also, consider these, if you have these products installed:
C:\Program Files\Common Files\Adobe\Updater6\adobe_updater.exe
%ProgramFiles%\Mozilla\Firefox\updater.exe
%ProgramFiles%\Mozilla\Thunderbird\updater.exe

Temporarily Stopping Outbound Rules

Sometimes the firewall's outbound rules get in the way of other software updates, and it is more trouble than it is worth to grant an exception. For example, the Java client installer has a new name with each new version and will report "The installer cannot proceed with the current Internet Connection settings."

To work around this, you would have to grant an exception (discussed above) for each new installation file; this is a drag because Java is updated frequently. It may be easier to temporarily disable outbound rules just for the install. Follow these steps:

1. Start, Run, wf.msc (the Windows Firewall Control Panel)

2. Highlight the top of the tree ("Windows Firewall with Advanced...")

3. Click "Windows Firewall Properties"

4. Click the [Private Profile] tab
Set Outbound Connections to "Allow"

5. Install the software, then return Outbound connections to "Block"
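Steps 1-5 as a script, an added example that is not part of the original article. It opens outbound traffic on the Private profile only, runs the installer, and restores blocking in a finally block so the firewall is re-closed even if the installer is cancelled or fails. The installer path is a placeholder. Run elevated.

```powershell
# Added example: temporarily allow outbound on the Private profile for one installer,
# then put blocking back. Run from an elevated prompt.

$installer = 'C:\Downloads\jre-installer.exe'   # placeholder; substitute the real file

# Record the policy line before changing anything, for comparison afterwards.
$before = netsh advfirewall show privateprofile | Select-String 'Firewall Policy'

# Step 4: Private profile only; inbound stays blocked, outbound is allowed.
netsh advfirewall set privateprofile firewallpolicy blockinbound,allowoutbound
try {
    # Step 5: run the installer and wait until it exits.
    Start-Process -FilePath $installer -Wait
}
finally {
    # Always re-block outbound, whatever the installer did.
    netsh advfirewall set privateprofile firewallpolicy blockinbound,blockoutbound
}

$after = netsh advfirewall show privateprofile | Select-String 'Firewall Policy'
"Before: $before"
"After:  $after"
```

The "After" line should read BlockInbound,BlockOutbound again; if the installer spawns a separate background process that keeps running after the main window closes, the window closes before the download finishes, so wait for the installer's own completion message before trusting the restore.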

As an aside, when installing Java Runtime, I recommend unchecking the Yahoo Toolbar (it is spyware). Since an exception was not granted to either the installation routine or to the actual Java client, you might as well stop it from running its automatic updates (which is an endemic problem with Sun's Java).

Start, Run, MSConfig and uncheck Java's automatic update, as illustrated.


Read more about startup programs here: Cleaning up Startup Programs

Maintenance
If you install a new version of a program, the firewall rules will still work, as long as the .exe name is the same (this is different than other vendors: their products recognize the change and ask confirmation when updates happen). At any time, you can go into the wf.msc control panel and disable a program's access to the internet by disabling the rule.
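Two maintenance helpers, added here as an example and not part of the original article: disabling one program's rule without deleting it, and an audit that lists outbound "allow" rules whose program path no longer exists (typically after an uninstall or a renamed installer). The audit parses the English-language netsh listing, so it assumes an English Windows UI; the rule names are the article's "A-" examples.

```powershell
# Added example: maintenance for the outbound rules. Run elevated.

# Switch one program's Internet access off (or back on) by toggling its rule.
netsh advfirewall firewall set rule "name=A-Firefox" new enable=no
# netsh advfirewall firewall set rule "name=A-Firefox" new enable=yes

# Audit: outbound allow rules whose program file is gone. Parses the verbose
# netsh listing (assumes English output: "Rule Name:", "Program:", "Enabled:", "Action:").
function Get-StaleOutboundRules {
    $lines = netsh advfirewall firewall show rule name=all dir=out verbose
    $rules = @()
    $current = $null
    foreach ($line in $lines) {
        if ($line -match '^Rule Name:\s+(.*)$') {
            $current = New-Object PSObject -Property @{
                Name = $matches[1].Trim(); Program = $null; Enabled = $null; Action = $null
            }
            $rules += $current
        } elseif ($current -and $line -match '^Program:\s+(.*)$') {
            $current.Program = $matches[1].Trim()
        } elseif ($current -and $line -match '^Enabled:\s+(.*)$') {
            $current.Enabled = $matches[1].Trim()
        } elseif ($current -and $line -match '^Action:\s+(.*)$') {
            $current.Action = $matches[1].Trim()
        }
    }
    # Keep only program-specific allow rules whose file cannot be found.
    $rules | Where-Object {
        $_.Action -eq 'Allow' -and $_.Program -and $_.Program -ne 'Any' -and
        -not (Test-Path ([Environment]::ExpandEnvironmentVariables($_.Program)))
    }
}

Get-StaleOutboundRules | Format-Table Name, Enabled, Program -AutoSize
```

A stale rule is harmless on its own, but if a new program is later installed at the same path it inherits the exception, so deleting or disabling stale rules keeps the allow list honest.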

Conclusions

Configuring Windows Firewall for outbound traffic is a nuisance and the interface is not as friendly as I would like. For example, ZoneAlarm's free firewall, recommended for Windows XP but not for Vista, prompts on the fly when it detects a new program attempting to talk on the network. With one click, it can add an inclusion or exclusion and essentially self-configures.

In comparison, Microsoft's firewall is cumbersome and an average end-user could not make it work. The product is capable, but trudging through the wizards is a drag and the complicated main screen will scare most people away.

Related to this, when Microsoft's firewall blocks a program, it doesn't tell you the program was stopped. For non-computer-experts, this could be a good thing because they won't be bugged and they will never be able to grant an exception. On the other hand, if you are wondering why a program isn't working, it could be the firewall, but you may not remember to grant the exception.

Personally, I prefer ZoneAlarm's free Firewall and I use it on my Windows XP computers. But on Vista, ZoneAlarm has been troublesome and I've de-installed it, which forced me to use Microsoft's firewall.

Now that I know how to configure it, Microsoft's product is 'usable' and it is doing what it is supposed to do. I wish it had a report or some other way to notify that a program has made an outbound attempt -- I definitely see room for improvement here. I would like to hear your experiences with ZoneAlarm and Vista/W7.

In any case, whether you use these or other commercial products, it will take about a half-an-hour to configure a firewall. Once it is setup, it should require little maintenance.

Related content
Vista Spiffs
Disable Vista UAC Nags
Streamlining Windows Start Menus

Tuesday, May 5, 2009

Removing Win32/Cryptor Virus

Howto: Steps for removing the Boaxxe Win32/Cryptor Virus / rootkit from a Windows XP machine, using AVG, Malwarebytes, and other software. The Virus was successfully removed with these steps. Apologies on the length; this is a complicated subject. This article can be used for other viruses. Updated 2013.09.
 

My daughter's laptop was infected with the Win32/Cryptor virus when she downloaded a music-sharing program. The infection's symptoms were typical: The PC became progressively slower and dozens upon dozens of "you have a virus" messages ("scareware") ultimately made the machine unusable. Once infected, traditional virus scanners cannot clean the infection.

See these Keyliner articles for other virus articles:
Microsoft System Sweeper - Bootable Antivirus - Start here.  Highly Recommended

Removing Win32 Cryptor
Removing Win7 Anti-Virus
Removing Personal Security Virus
Securing Windows 7 from your Children
Microsoft Security Essentials


Although this article has been tailored to the Cryptor virus, these steps will work with almost all viruses and spyware.



This article receives numerous hits, indicating a lot of people do not have backups. I continue to make modifications to this article, using information from readers and from vendors. Please leave comments on how well these steps have worked.

Removal Steps

I decided to take the à la carte approach and install individual free scanners and firewalls from different vendors. It took about five hours, not including research, to clean the virus, with most of the time spent waiting. Here are the steps used; if you want a guaranteed success, you must follow all of the steps, in this order. There were mistakes made along the way, described separately.

Some of the steps are somewhat risky. If your machine is running well enough, manually copy important data (photographs, checkbook files, novels, etc.) to offline storage.


0.  Build a Bootable MSE disk.

Microsoft has a new Virus scanner that is very useful and I recommend following the steps in this article first.  See this Keyliner article:
Microsoft Standalone System Sweeper

Follow the steps in the article to create a bootable virus-cleaning disk. Use it before attempting the remaining steps. Do these steps for all machines, Windows 8.x, 7, Vista, XP.


1. Pre-Download files.
On a non-infected computer, download the following programs and burn them to a CD (steps on how to burn are not detailed here; ask a knowledgeable friend to help, if needed).

If the download is Zipped, de-compress the Zip file.
For ease-of-use, place each downloaded program in a separate subdirectory.

The viruses are sneaky and can stop you from running known cleanup utilities. Because of this, the instructions will have you rename the vendor's files to a random name, described below; use any name you see fit.

Ideally, burn all of the downloaded files to a CD -- not a pen drive; media should be Read-Only.

Files:

Download Process Explorer: technet.Microsoft.com
On the page, search/Ctrl-F for "Process Explorer"
Rename ProcExp.exe to "WinLogon.exe"

Download RootRepeal: http://rootrepeal.googlepages.com/
Only download if using Windows XP or Windows Vista 32-bit.
The download can be found about in the middle of the page, under "static links".
  • Click (download) the Zip version; select "Open file."
  • Highlight "RootRepeal.exe" in the opened Zip folder
  • Other-mouse-click, select "Copy"
  • Paste to your temporary directory
  • Rename the pasted file to xxRootRepeal.exe (or other random name, including WinLogon.exe if in a separate directory)
Of note: Windows 8 is far-less likely to get a root-kit virus installed due to changes in how the operating system works.

Download ComboFix: ComboFix Download
*Only download if using Windows XP or 32-bit Windows Vista/7 ; not Windows 8
Rename to xxComboFix.exe

Download SuperAntiSpyware: superAntiSpyware
Choose the Free Edition; this is a legitimate program, despite its flaky name.
Rename to xxSuperAntiSpyware.exe

Download MalwareBytes: Malwarebytes
Rename the installer to xxMBam.exe
Later, you will also have to rename the installed exe.

Burn these files to a CD.


2. Disconnect the infected computer from the Internet.

Unplug the Cat-5 network cable or press your laptop's function key/other key to disable wireless.

You do not want to be on the net while some of these steps run. I have found some of these viruses cause too many problems while connected, and this was the easiest solution. This will disable these programs' ability to download the latest updates; although this would be nice, the updates will have to wait.

3. Uninstall old virus scanners
 

If your existing virus scanners are old, obsolete or expired demo versions, un-install them now because they are not going to help and they can interfere with other steps. See Control-Panel, Add-Remove / Programs and Features.

However, some rootkit viruses will prevent you from entering the control panels. If this is the case on your PC, consider booting into Safe-mode (see below and try un-installing from there). Otherwise, continue with the next steps.

If you have McAfee Security Essentials installed (see Programs and Features), un-install.

4. Disable Existing Virus Scanners

If you have a current virus scanner, temporarily disable it to avoid conflicts. Since the machine is already infected, the virus scanner is not helping so it is safe.

See your vendor's documentation for exact steps on how to disable "real-time scanning," but here is a summary for many of the popular ones. Most programs have a system-tray icon to get to the correct menus.

AVG 8:
Open the System Tray's AVG8 Control Center, Tools, Advanced, in left-pane, scroll down to "Resident Shield"; deselect 'Enable Resident Shield'.

AVG 8.5:
Open the AVG Control Center; double-click Resident Shield; deselect "Enable Resident Shield".

Avira:
"Other-mouse-click" the Avira System Tray Icon. De-select 'AntiVir Guard Enable'

F-Secure:
"Other-mouse-click" the system tray icon; choose "Pause Protection". Click "By User Request"

Microsoft Security Essentials (MSE):
Click Settings, Real-time protection; uncheck "Turn on real-time protection"

McAfee:
"Other-mouse-click" McAfee System Tray Icon; choose Exit

McAfee Security Center 7.x:
Double-click system tray; click Advanced Menu, Configure, Computer and Files. Disable the VirusScan and the Internet & Network for Firewall.

Norton Antivirus:
"Other-mouse-click" System-tray icon; choose "Disable auto-protect". Set a duration of 6 hours

Norton 360:
"Other-mouse-click" system tray icon; choose 'Open Tasks and Settings Window'; Under Settings, click "Change advanced settings" Click 'Virus and Spyware Protection settings'; de-select 'Turn on Auto-protect'; Apply; choose "Until I turn it back on'

If you can't disable, consider un-installing before continuing; then re-install later.
 
5. Set Windows Screen Saver to None (disable the screen saver)
 
Some of these steps take a long time to run and the screen-saver impacts performance. If you are able to launch the Control panel, disable the screen saver with these steps:
Windows XP:
-Other-mouse-click the desktop, choose Properties, [Screen Saver], set to None.

Vista/Windows 7:
-Other-mouse-click the desktop, choose Personalize, ScreenSaver


6. Boot computer in "Safe Mode"

Author's note: I am having problems with this step, depending on which version of Windows is installed. Originally, I had suggested running as many of the next steps as possible in "Safe Mode", but I am finding many of the following programs do not operate in Safe Mode, depending on whether you are running Windows 7/Vista or XP.

My new recommendation: Skip this step. However, I am leaving it documented here because it can be useful with some utilities and has helped me in the past catch some viruses.

Original comments:

"With the infected computers I have worked on, everything was locked down by the virus and I could not open many Control Panel applets and overall performance was bad. For these reasons, I recommend starting the computer in a special Windows diagnostic mode, called Safe-Mode. The steps to open it are weird and may take some practice:

- Cold boot the machine (power off/on).
- Just after the BIOS splash screen, repeatedly tap on the f8 key (press insistently but not frantically).
- Choose Safe-mode, when prompted
- If you miss and Windows loads normally, reboot gracefully and try again."


7. Run Process Explorer

This is a Cryptor-virus specific instruction.  Skip for other viruses.

"Process Explorer" is a Microsoft program and it can sometimes stop the Win32/Cryptor virus long enough to remove it. However, the latest versions of this virus elude this program, but it is worth a try.

a. From the CD, run D:\ProcessExplorer\WinLogon.exe (the renamed file) by other-mouse-clicking the file and choosing "run as administrator."

b. Scroll to the Explorer.exe section; wait a few moments and watch for program changes

c. Open the "Explorer.exe" section.

(Cryptor Specific step): Look for a program with a name such as "1234023.exe"; the name will be random. (It wouldn't surprise me if future variations of the virus use more legitimate-sounding names; study the list and see what program seems out of place.)

Note: Other rootkit viruses can live in this area. The key is to pay attention to unusual programs running in the Explorer section. It is normal to see multiple svchosts in this area and note that "procexp.exe" is this program. The Cryptor virus may show up in the list but newer versions do not.

If you do not see an obvious candidate, continue with the remaining steps.

d. Assuming you found a suspicious process, right-click the process and "Kill"
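A scripted version of the "what is running under Explorer" look, added here as an example and not part of the original article. It lists the processes whose parent is explorer.exe (the section of the Process Explorer tree the step above examines) and flags those with an all-digit name like the "1234023.exe" described, a missing image file, or an invalid Authenticode signature. Get-WmiObject and Get-AuthenticodeSignature are available on the Vista/7 PowerShell versions this article targets; whether an unsigned program is malicious is a judgement call, since many legitimate programs of this era are unsigned.

```powershell
# Added example: triage of processes parented by explorer.exe.
# Flags are hints for the reader's judgement, not a verdict.
function Get-ExplorerChildren {
    $all = Get-WmiObject Win32_Process
    $explorerIds = $all | Where-Object { $_.Name -eq 'explorer.exe' } |
        ForEach-Object { $_.ProcessId }

    foreach ($p in $all) {
        if ($explorerIds -notcontains $p.ParentProcessId) { continue }

        $path = $p.ExecutablePath
        $signed = $null                      # unknown when the file cannot be read
        if ($path -and (Test-Path $path)) {
            $signed = (Get-AuthenticodeSignature $path).Status -eq 'Valid'
        }

        # Random numeric names (as in the step above), no image on disk, or a
        # signature that fails validation are the things worth a second look.
        $suspicious = ($p.Name -match '^\d+\.exe$') -or (-not $path) -or ($signed -eq $false)

        New-Object PSObject -Property @{
            Pid = $p.ProcessId; Name = $p.Name; Path = $path
            Signed = $signed; Suspicious = $suspicious
        }
    }
}

Get-ExplorerChildren | Sort-Object Suspicious -Descending |
    Format-Table Pid, Name, Signed, Suspicious, Path -AutoSize
```

As the article notes, newer variants may not appear in this list at all; a process that is hidden from the Windows API is invisible to WMI too, which is why the RootRepeal step follows.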


8. Install RootRepeal:

Follow this step if you are using Windows XP.  For Windows Vista, 7 and 8, skip this step.

Before running this step, close all windows and programs on the computer -- including this browser page. You may need to write down these steps.

a. Copy xxRootRepeal.exe to a temporary directory (any) on the C: drive (this cannot run from the CD).

b. Launch the program by "other mouse clicking/right-click" and choosing "Run as Administrator". It will install; accept all the normal prompts; ideally, install in a different directory than the default one it recommends.

c. Once the program launches, select the bottom-tab "Files"

d. Select "Scan" and choose [x] the C:\ drive

The scan will take considerable time with *inconsistent* hour-glassing.
Wait for the status-bar message "Found xxx hidden/locked file(s)!"

e. Scroll down the list, looking for the C:\Windows\System32 or C:\Windows\System32\Drivers section.

The list will contain a mixture of legitimate and illegitimate programs. Files in C:\Windows\System32 or C:\Windows\System32\Drivers which are marked as "Hidden from the Windows API" will be the virus.

As of this writing, Win32\Cryptor reports as a .SYS filename, in the System32\Drivers area.

Other Viruses, such as the "Personal Security" rootkit, place a file called "C:\Windows\System32\Gather~1.xsl". In other words, look for any suspicious file with "Locked to the Windows API" in the System32 directory, as reported by RootRepeal.

The Win32\Cryptor virus will have a dot-sys (.SYS) extension and the name will be random (e.g. UACewsflctd.sys). The name can be long or short. Here are example names but it will be the only .SYS extension in the System32/drivers directory:
TDSSspax.sys
TDSSServ.sys
GAOPDXserv.sys
gaopdxohocrlokojvgccmieiquramguxlachqk.sys
UACmxegjtve.sys
UACd.sys
Senekarstpqyy.sys
ovfsthxkwpjtxfk.sys
kungsfxwrtceey.sys
SKYNEToyfjtpeo.sys
MSIVXwfjwbpbivasavbfjmtkibegxvnftiqxt.sys
(Don't be surprised if future versions of this virus use more legitimate-sounding names.)

f. Highlight the offending file, other mouse-click and choose "Wipe File".
Unfortunately, there is no indication this step succeeds; trust that it did.

g. Important: Immediately select Start, Shutdown and reboot the computer; do not close any programs. Reboot back into Safe Mode, as described above.

If you do not find a likely name, you may be infected with a different Root-kit virus.
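A complementary check for the System32\drivers directory, added here as an example; it is not RootRepeal's method and not from the original article. It lists every .sys file with its creation time and Authenticode status and flags names beginning with the prefixes from the example list above (TDSS, GAOPDX, UAC, Seneka, ovfsth, kungsf, SKYNET, MSIVX), so a recently created driver with a random-looking name stands out. Two caveats built into the output: a file a rootkit hides from the Windows API will not be listed at all (which is why RootRepeal is needed), and on XP/Vista/7 many legitimate Microsoft drivers are signed through catalog files rather than embedded signatures, so "NotSigned" alone is a reason to look, not proof of infection.

```powershell
# Added example: driver directory report. Sees only what the Windows API shows;
# hidden files need the RootRepeal scan above.
function Get-DriverReport {
    param(
        [string]$Dir = (Join-Path $env:SystemRoot 'System32\drivers'),
        [int]$RecentDays = 30
    )
    # Prefixes taken from the article's list of observed Cryptor file names.
    $knownPrefixes = '^(TDSS|GAOPDX|UAC|Seneka|ovfsth|kungsf|SKYNET|MSIVX)'
    $cutoff = (Get-Date).AddDays(-$RecentDays)

    Get-ChildItem -Path $Dir -Filter *.sys | ForEach-Object {
        $sig = Get-AuthenticodeSignature $_.FullName
        New-Object PSObject -Property @{
            Name      = $_.Name
            Created   = $_.CreationTime
            SizeKB    = [int]($_.Length / 1KB)
            # NotSigned is common for catalog-signed inbox drivers; weigh it with the other columns.
            Signature = $sig.Status
            Recent    = ($_.CreationTime -gt $cutoff)
            NameMatch = ($_.Name -match $knownPrefixes)
        }
    }
}

# Known-prefix matches first, then recently created files, then the rest.
Get-DriverReport |
    Sort-Object @{Expression = 'NameMatch'; Descending = $true},
                @{Expression = 'Recent';    Descending = $true},
                @{Expression = 'Created';   Descending = $true} |
    Format-Table Name, Created, SizeKB, Signature, Recent, NameMatch -AutoSize
```

Run it before and after the "Wipe File" step and reboot: a flagged driver that disappears from the listing is the closest thing to the confirmation the article says RootRepeal does not give.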


9. Run ComboFix.exe (xxComboFix)


Windows XP users:  ComboFix is also a rootkit-cleaning program, from a different vendor. I also like to run it because it sometimes sees programs that RootRepeal misses.

a. Close all programs, including this browser. You should be in Safe-Mode
b. Other-mouse-click the exe and select "Run as Administrator".
While it runs, it may need to install Microsoft's Recovery Console; allow this to happen. Do this by plugging in your network cable / turn on wireless; wait about 1 minute for the connection to establish; then click OK.

The scan process takes 10 to 20 minutes, depending. You may notice various black screens. Be patient.

It will reboot; come back up *without using Safe Mode.* It will then take about 10 minutes to generate a log file. Your firewall may spring to life, prompting for pev.cfxxe -- this is a ComboFix program; allow it access to the Internet.

After the program runs, they recommend uploading your log-files for further review (see C:\Combofix.txt). You can do this if you like but I recommend continuing with the next steps. The displayed Log file will not be that interesting.




Assuming the RootKit Removal programs did their job, it is now time to remove the other viruses that are probably lurking in your system (cryptor installs other viruses, just to be mean).
 
10. Run SuperAntiSpyware

Despite its flaky-sounding name, this is a great program. To run, follow these steps:

a. If needed, reboot the computer; you cannot be in Safe Mode when running this program.

b. Locate the Renamed program; other-mouse-click; "Run as Administrator"

c. Accept the legal agreements, etc. Install in a different folder than recommended. I recommend choosing C:\Program Files\Util\SuperAntiSpyware

d. Accept various installation options, as you see fit; optionally allow it to send a diagnostic report.

e. Run a *Full/Complete* scan.
Allow it to reboot if it finds anything.


11. Install and run the renamed MalwareBytes program.

Despite its scary name, this is a legitimate program. For now, *do not* allow it to check for updates (I found this virus caused too many problems if the Internet were active).

a. Install the program by double-clicking the renamed exe file.

b. When prompted, choose a different install directory.
I recommend C:\Program Files\Util\MBam

c. Once installed, use Windows Explorer to locate the installed files:

See C:\Program Files\Util\MBam
Rename MBam.exe to "xxMBam.exe"

d. Launch the program (xxMBam.exe); allowing it to run. Under "Scanner", choose Full-Scan. Allow the scan to run. It will be time consuming.

e. Reboot gracefully once the scan completes.
By this stage, the Virus should be cleaned. Continue with the remaining steps.

11a. If you still suspect a virus
 
Plug in the network cable/wireless and re-establish a connection to the Internet. Allow MalwareBytes to update to the latest version. Once it updates, you will have to rename mbam.exe again to a new name, such as 123Mbam.exe. Re-run that step as "administrator."

12. Download and install a new Virus Scanner, if needed

If you still have an existing virus scanner installed, re-enable the program and run a full-system scan.

If you do not have a virus scanner, download and install one of the following free scanners (they also have commercial versions). I no longer recommend any commercial vendors. Although not the best, consider using Microsoft's MSE program (also free):

Microsoft Security Essentials (a new, free virus scanner "MSE")
Avira
AVG's Free AntiVirus

(Shift-click the link(s) to open the download page in a new window. Choose and install only one of the above)

(If installing AVG, be sure to download the Free version, which is different than the Trial version. It may take a moment to find it. As of 2009.09, the AVG link above takes you directly to the correct site. Here are detailed instructions on how to best install AVG in order to avoid a performance bug they have:
AVG Detailed Installation Steps)

With my daughter's computer, AVG detected 12 additional spyware and viruses but like Microsoft's product, these cannot clean RootKits. On another computer, infected with Win32/Vundo.B, MSE detected, but was unable to clean an already-installed virus.


13. Uninstall likely Viruses

Using Windows Control Panel, "Add-Remove Programs" or Windows 7 "Programs and Features", un-install p2p programs such as uTorrent, Bittorrent, LimeWire, Morpheus and others. These are typical sources for spyware. Take the time to delete other programs and toolbars you no longer need.


14. Delete all old Restore Points (they may be infected)

a. Launch Windows Explorer, other-mouse-click the C: drive.

b. In the [General] tab, click "Disk Cleanup"; click "Cleanup System Files" (Windows 7); click the top tab "[More Options]".

c. Click "Clean up" on the System Restore and Shadow Copies. Allow it to delete all but the most recent restore point.



Success!
These steps cleaned the virus and this article has been fine-tuned to give the best-to-date results. The steps may be over-kill, but they should clean the machine.

Consider giving a financial reward by sending a donation to the good folks at MalwareBytes and SuperAntiSpyware -- they are doing you a great service.

This is a good time to make a full-system backup. See this article: Using Acronis.


Mistakes in the Process: AntiSpyware

During my research, I was a fool and downloaded and installed www.antispyware.com. Antispyware came recommended on several discussion threads and it was free. As it installed, it asked for my name and email address, ostensibly to send a license key. I was suspicious. Why does a free program need a license key?

I quickly built a new junk Email address and used it to register. As soon as I clicked OK I knew I was in trouble -- the program installed, then detected a variety of bogus viruses -- and then asked for $50 in order to clean them. I had been duped. I was glad I registered with a fake email. I un-installed the program. If I had provided a credit-card number, I would have been in deeper trouble.

Further research showed a lot of people happy with this program and a lot of others saying it was a scam. With mixed reviews like that, something is up. I suspect the happy people were plants.

MalwareBytes identified this as spyware and removed it. I learned my lesson: Search the net before committing to any product.

Do not confuse this program with a legitimate program, "superAntiSpyware" (which has a free and paid version.)

Manual Removal Steps:

Several have asked about manually removing Cryptor. There is no manual way to remove a rootkit virus because, by their very nature, they hide in areas not visible to standard software. Of the dozens of sites I found that claimed to have the steps, I found most were flawed and often the steps fell apart half-way through the instructions. In the end, these sites hoped you would become frustrated and would then sell their removal product. I suspect some of these sites were written by the original virus authors.

Other Observations:
My daughter's computer had a three-year-old virus scanner, with current signatures, but this was not adequate to stop this virus from entering into her computer. There is no doubt that she should have had a newer scanner, but even that is no guarantee; poor surfing habits are hard to defend against.
 
From my previous article (see here), I have not been impressed with any of the major vendors. In the end, I decided to try AVG's virus scanner. But AVG has been problematic. On three separate computers, the AVG engine hogs too many resources. After you complete these steps (including AVG), look at this article to determine if AVG is behaving. If you find AVG occupies 20 to 100% of your CPU resources, follow the steps in that article.
 
If you use AVG, be aware it also has a spyware scanner (that cannot be disabled) and it may conflict with Windows Defender and MalwareBytes.
 
Since this article was originally written, Microsoft released a free virus scanning software, 'Microsoft Security Essentials' (MSE) that is worth trying. On an infected machine, this scanner has detected viruses, but seems to have trouble cleaning them -- requiring a reboot after each virus is detected.
 
When a machine is infected with multiple viruses, this adds to the time. I suspect the program would behave better if it had been running before the infection, but I installed it after the fact.
 
MalwareBytes' free version is not a real-time program and runs only on demand. But with a purchased upgrade, the program runs in real time. The fee is reasonable ($25) for a non-commercial, perpetual license, which is an honest price for an honest product. If you go this route, uninstall other virus and spyware scanners. This program, especially the free version, is a program I trust.

Be sure to update Java and Acrobat Reader to the latest versions; both had flaws that were easily exploited by other viruses.


Final Recommendations:
This was a mess and it took hours to clean up. A far better solution is to make a disk-image (ghost) of the entire computer prior to the virus. Buy a cheap external USB drive and run a program like A*cronis or Maxtor's USB program. You can read about this idea in this article: G*host vs A*cronis.

See these Keyliner articles for other virus articles:
Microsoft System Sweeper - Bootable Antivirus - Highly Recommended
Removing Win32 Cryptor
Removing Win7 Anti-Virus
Removing Personal Security Virus
Securing Windows 7 from your Children
Microsoft Security Essentials

Cleaning a Virus
G*host vs A*cronis
Maxtor USB External Drive
Configuring Windows Firewall for Outbound Traffic



Vendor Links and Products mentioned:
Microsoft Process Explorer: http://live.sysinternals.com/procexp.exe
RootRepeal Rootkit Killer
ComboFix
Malwarebytes (manual rename) Malwarebytes (random named)
Malicious Software Removal Tool


Other Products of Interest:
Mcafee "Stinger" Removal Tool (a batch removal tool; useful for some viruses)
VirusTotal (single-file Analyzer using 30 different scanners)
HijackThis By Trend Micro
Java (Updated/Install)
Acrobat Reader (install/Update)

The Win32/Cryptor is also known as okbjivb.dll, Win32/Alureon.gen, Generic Downloader.x, VirTool:Win32/Obfuscator.CT, Downloader.MisleadApp, Backdoor.Tidserv.
Please leave a comment (no registration required) on how well this article helped with your virus problem. This will help other people understand how successful these steps were.


Excel User-Defined Formulas

How to create custom Excel User-Defined Functions using Visual Basic (VBA). Demonstrated will be =FindLastSpacePos and =ReturnLastWord, which act like new Excel Keywords. This is a relatively advanced topic but even if you do not know Visual Basic, this article will guide you through the steps. Do not be afraid to try this; you can't hurt anything and it will be fun.

Additional Related Articles:
Using Excel Functions to Parse City,StateZip fields
SuperTrim <-Go here if you just want the code for SuperTrim, Find First, Find Last



Demonstrated:
FindLastSpacePos (Returns the numeric position of last space in a phrase or sentence)
ReturnLastWord  (Returns the last word in a phrase or sentence / Find Last Word)


 

Excel User-Defined Formulas: Tutorial


In Excel it is easy to build horrendous formulas that are so long they become unmanageable and Excel "if-statements" are a famous example. This article describes a way to tame complicated formulas by writing your own Excel User-Defined Functions.

In other words, Excel has built-in functions, such as "Sum", "Find", "Mid" and "Left"; now you can write your own keywords. This moves the complexity out of the spreadsheet and places it within a mini Visual-Basic program.

Benefits:
  • The function is written once but can be called many times
  • Allows for if-statements, nested-ifs and other logic
  • Logic is formatted with indentation; easier to interpret
  • Transportable to other sheets

The techniques illustrated work with Office XP and all newer versions of Office. Illustrations are from Office 2007 and Office XP.


Standard Excel Formulas:

As an introduction, spend a moment reviewing Excel's "Find" function. "Find" locates any character (or group of characters) and returns the position of the found-character. For example, if cell A3 contained the text

"Dog and Cat and Moose"

This formula:

=find(" ",A3,1)

The formula searches for the first space in cell A3, starting at position 1, and in this example returns the number 4. You can try this yourself by typing the formula in cell B3.

What if you needed to find the position of the last space? Excel does not have an obvious way to do this. This is where you can write your own function.


Simple User-Defined Function:

In this section, write a user-defined Excel function that locates the "last space" in a string, returning a numeric value.

When done, you could type the formula =FindLastSpacePos(A3) in cell B3 and it would return a number (in the example, 16). The end result will look like this:



"FindLastSpacePos" ("Find Last Space Position") is not a normal Excel function-name. To build the function, follow these steps, starting with a new, blank sheet:

1. In cell A3, type "Dog and Cat and Moose"
Press Enter.

2. Start the Visual Basic Editor:

In Excel 2010/2013 and newer:
Click File, Options, "Trust Center"
In "Trust Center Settings", "Macro Settings", select "Enable all Macros"
(This setting lets every workbook you open run its macros without asking. Code you write in the VBA editor during the session runs regardless of the setting, and "Disable all macros with notification" still lets you run a saved workbook's functions after clicking "Enable Content" on the message bar, so you can switch back once the module is written.)
Click OK to return to your worksheet.
Press Alt-F11

In Excel 2007, click top-menu "Developer", then click "Visual Basic" (See illustration, below).

In Excel 2002, click "Tools, Macro, Visual Basic Editor".
(or for either version, press Alt-F11)


3. In the Visual Basic (VBA) editor, highlight your workbook (e.g. "Book1")
Select menu "Insert, Module".

Note that a new module, probably called "Module1", is added to the tree diagram on the left. The module can hold multiple new functions; you do not need a new module for each function in the spreadsheet. The name, Module1, is not particularly important. Alternately, you can build the new module in this fashion:



4. Begin coding in the blank editing window.

In the blank editing screen (Book1 - Module1 (Code)), type this statement, which tells VBA to require declared variable names – this is recommended for all VBA Macros:

"Option Explicit" (no quotes, press Enter when done)

5. Create the new "FindLastSpacePos" routine by literally typing this statement on the next blank line (this is typed on one line, no word-wrapping):

Public Function FindLastSpacePos (ByVal passedCell As String) As Integer

Complete the remainder of the function by typing the rest of the routine. Type the text carefully, including upper and lower-case. (Click the illustration for a larger view; click right-x to return or copy from the code-window, below):


Code:
Optionally, copy this code by following these steps:

1. Highlight all of the code below.
IE users may need to scroll to the bottom, then back to the top in order to highlight properly.


2. Edit, Copy (or type Control-C)


Option Explicit

Public Function FindLastSpacePos (ByVal passedCell As String) As Integer
'This function returns a numeric value showing
'the last space in the passed-string.
'Use: =FindLastSpacePos(Celladdress c3)

Dim ihpos1 as integer 'Horizontal Position
ihpos1 = InstrRev(passedCell, " ")

'Return the results to the calling function:
FindLastSpacePos = ihpos1
End Function



3. Close the Visual Basic editor by clicking the Big-X, in the upper Right corner (no need to "Save;" it saves automatically). This returns you to the spreadsheet. See Office 2007 Save Warning, later in this article.
 

where:
  • "Public Function" means the function is visible to the Excel spreadsheet. (As an aside, "Private" functions would only be visible to other VBA routines.)

  • "FindLastSpacePos" is an arbitrary name invented to describe the function and this is the name you will type within the Excel sheet (e.g. =FindLastSpacePos...).

  • "passedCell" is an invented name, which represents the first value passed into the function. In the example, =FindLastSpacePos(A1) – cell A1 is the first passed parameter and it gets temporarily re-assigned the name "passedCell" once it arrives in the new function.

  • "passedCell" must be declared as a String, Integer, "Float", etc. This tells the function what 'type' of value is expected. "Integer" means a non-decimal number, "Float" means decimals are allowed, and "Boolean" means True/False.

  • In Excel, the keyword "ByVal" is required for all passed parameters.

  • Ultimately, the function "returns" an integer (the answer) to the calling spreadsheet; note the "As Integer" after the closing parenthesis. In other words, the function itself has a 'type'.

Testing the New Function:
Assuming a test-string is in cell A3 ("Dog and cat and moose"), type this formula in cell B3:

=FindLastSpacePos(A3)

Press Enter.
Results: B3 should report "16": The 16th position in the string is the last-space in the string.


Write a Return Last Word:

Continue the example by writing a second routine that parses the last word from the phrase. The new function, which will be called "=ReturnLastWord", uses the previous function as a subroutine, further demonstrating the power of UDFs.

Admittedly, this is nonsense, but have ReturnLastWord check to see if the last word is "Moose" and if so, change the spelling slightly. Doing this demonstrates several other concepts. Follow these steps:

1. Press Alt-F11; returning to the Visual Basic Editor.

2. Confirm "Module1" is highlighted on the tree-side and locate your previously-written code (you should arrive there, by default)

3. Place the editing cursor after the last statement (End Function) and press return a few times, inserting a few blank lines for cosmetic effect.

4. Create a new function called "ReturnLastWord".

Type this logic, including the "Public Function" statement (click the illustration for a larger view; click Back to return):


Code: Or cut and paste the code from here:


Public Function ReturnLastWord (ByVal passedCell As String) As String
'Returns the last word of the passed string, using FindLastSpacePos
'to locate the final space.
Dim ihpos1 As Integer
Dim lastWord As String

ihpos1 = FindLastSpacePos(passedCell)
'Take everything after the last space (a single word has ihpos1 = 0,
'so the whole string is returned); 9999 simply means "to the end"
lastWord = Mid(passedCell, ihpos1 + 1, 9999)

'This if-statement demonstrates more complicated logic
'If LCase(lastWord) = "moose" Then
'    lastWord = "Mooses!"
'Else
'    lastWord = UCase(lastWord)
'End If

ReturnLastWord = lastWord

End Function


where:

* Calculate where the last word starts by calling the previously-written "FindLastSpacePos" routine (which returns the numeric position of the last space).

* The "Mid-string" command substrings from the last-space-position plus 1, until the end of the string (e.g. 9999 characters).

* For the fun of it, the optional if-statement can look at the substringed word and if it is "moose", make adjustments.

* Return the results with ReturnLastWord = lastWord.

5. Close the Editor and return to the sheet.


Testing ReturnLastWord:


In the Excel sheet, move to cell C3 and type this formula, which uses the new function name: =ReturnLastWord(A3)

Results in cell C3: "Mooses!" (if you used the optional if-statement; otherwise "Moose").
In cell A3, type other test-text, including single-word sentences and sentences that end with differing text. The routine should always find the last word.
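The tests above assume ordinary text in A3. As an added example (not from the original article), here is a variant that also survives the inputs a real sheet throws at a UDF: a blank cell, a number, trailing spaces, and an error value such as #N/A. The page's ReturnLastWord takes a String, so an error cell aborts the formula with #VALUE! and trailing spaces yield an empty "last word"; ReturnLastWordSafe (an invented name) takes a Variant instead and checks the value first, and SelfTest_ReturnLastWordSafe is an invented self-check Sub you run from the editor.

```vba
' Added example, not from the original article.  Paste below the existing
' functions in Module1 (the module already starts with Option Explicit).
Public Function ReturnLastWordSafe(ByVal cellValue As Variant) As Variant
    Dim text As String
    Dim pos As Long

    ' An error in the input cell (#N/A, #DIV/0!, ...) is passed straight
    ' through, so the sheet shows the original error rather than #VALUE!.
    If IsError(cellValue) Then
        ReturnLastWordSafe = cellValue
        Exit Function
    End If

    ' Numbers and dates arrive as non-text; CStr gives their text form.
    ' Trim$ drops leading and trailing spaces so "Dog and Cat   " works.
    text = Trim$(CStr(cellValue))

    If Len(text) = 0 Then
        ReturnLastWordSafe = ""          ' blank cell in, blank out
        Exit Function
    End If

    pos = InStrRev(text, " ")            ' 0 when there is no space at all
    ReturnLastWordSafe = Mid$(text, pos + 1)   ' single word: the whole string
End Function

' Self-check: place the cursor inside this Sub in the VBA editor and press F5.
' Debug.Assert stops on the first failing case; the final message appears in
' the Immediate window (Ctrl-G).
Public Sub SelfTest_ReturnLastWordSafe()
    Debug.Assert ReturnLastWordSafe("Dog and Cat and Moose") = "Moose"
    Debug.Assert ReturnLastWordSafe("Moose") = "Moose"           ' single word
    Debug.Assert ReturnLastWordSafe("Dog and Cat   ") = "Cat"   ' trailing spaces
    Debug.Assert ReturnLastWordSafe("") = ""                     ' empty text
    Debug.Assert ReturnLastWordSafe(Empty) = ""                  ' truly empty cell
    Debug.Assert ReturnLastWordSafe(12345) = "12345"             ' numeric cell
    Debug.Assert IsError(ReturnLastWordSafe(CVErr(xlErrNA)))     ' error cell passed through
    Debug.Print "ReturnLastWordSafe: all checks passed"
End Sub
```

In the sheet, =ReturnLastWordSafe(A3) behaves exactly like =ReturnLastWord(A3) for normal text; the difference shows only on the awkward inputs listed in the self-test. Declaring the return type As Variant is what lets the function hand an Excel error value back to the cell.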


Excel 2007 Save Warning:


When Excel 2007 saves the sheet, it will save it as an ".XLSX" sheet and it will strip the macros out as it saves! When prompted 'Do you want to save as a macro-safe workbook', click "No" (a counter-intuitive menu choice). On the next dialog, change the file type from XLSX to XLSM. Or get to the same menu using "File, Save-As". Once set, save the file.
If the macros are stripped, when you next open the sheet, the new functions will display as "#Name?" -- indicating the underlying macro/UDF is missing. Press Alt-F11 and rebuild/re-link the code.


Permanently SAVING MODULE 1

Follow these steps to save the code separately from the sheet; this way you can re-use the same code in any spreadsheet.
1. Alt-F11, locate Modules, Module1
2. Highlight Module1's Name
3. In the Properties Window (below the tree diagram), change the (Name) from 'Module1' to a more meaningful name. For this, I recommend "M800_Util", or any other name of your choosing.

4. In the tree-diagram, "other-mouse-click" the newly-renamed M800_Util, choose "Export"
5. Browse to a good directory (for example, C:\Data\Source\CommonVB)
6. Accept the filename "M800_Util.bas" (note the .bas - basic - extension)

To Re-Use the Code in a New Sheet:

1. Alt-F11 for the Visual Basic Editor
2. On the tree-side, highlight the spreadsheet name (e.g. Book1)
3. Other-mouse-click the sheet's name, choose "Import File"
4. Browse to (C:\Data\Source\CommonVB); select M800_Util.bas.
5. Close the VB Editor (the big "X") and return to the sheet. The new functions are now available for use. In any cell, type =ReturnLastWord(A3) to test.


Advanced Calls:

If you are writing a function that needs multiple input parameters, pass each value separately inside the parentheses, separated by commas.

For example, =MyFunction(A1, A2, A3) would be represented as:


Public Function MyFunction _
    (ByVal passedCell1 As String, _
     ByVal passedCell2 As Integer, _
     ByVal passedCell3 As String) As String


Naturally, better names than "passedCell" should be coined: Name, EmployeeNumber, Address.

From the Excel side, you can also pass more complicated values into the downstream function:
=MyFunction(A1, Vlookup(....), B3&B5)
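An added example (not from the original article) of a complete multi-parameter function, one parameter of which is Optional with a default value; ReturnNthWord is an invented name. It returns the N-th word of a phrase, counts from the end when N is negative (so =ReturnNthWord(A3, -1) gives the same answer as ReturnLastWord), and returns Excel's #VALUE! error for an out-of-range index instead of a misleading blank.

```vba
' Added example, not from the original article.  Paste below the existing
' functions in Module1 (the module already starts with Option Explicit).
'
' Sheet usage:  =ReturnNthWord(A3, 2)            -> "and"
'               =ReturnNthWord(A3, -1)           -> "Moose"  (negative counts from the end)
'               =ReturnNthWord("a,b,,c", 3, ",") -> "c"      (empty pieces are skipped)
'               =ReturnNthWord(A3, 9)            -> #VALUE!  (there is no ninth word)
Public Function ReturnNthWord(ByVal passedText As String, _
                              ByVal wordIndex As Long, _
                              Optional ByVal delimiter As String = " ") As Variant
    Dim pieces() As String
    Dim words() As String
    Dim i As Long
    Dim wordCount As Long
    Dim idx As Long

    ' An empty delimiter would make Split return the whole text as one piece;
    ' treat it as a caller error and show #VALUE! in the cell.
    If Len(delimiter) = 0 Then
        ReturnNthWord = CVErr(xlErrValue)
        Exit Function
    End If

    pieces = Split(passedText, delimiter)

    ' Keep only the non-empty pieces, so "Dog  and" (two spaces) still
    ' counts as two words.  For empty text, Split returns an array with
    ' UBound -1 and the loop simply does not run.
    ReDim words(0 To UBound(pieces) + 1)
    wordCount = 0
    For i = 0 To UBound(pieces)
        If Len(pieces(i)) > 0 Then
            words(wordCount) = pieces(i)
            wordCount = wordCount + 1
        End If
    Next i

    ' Translate the 1-based (or negative, from-the-end) index to a 0-based slot.
    If wordIndex < 0 Then
        idx = wordCount + wordIndex
    Else
        idx = wordIndex - 1
    End If

    If idx < 0 Or idx >= wordCount Then
        ReturnNthWord = CVErr(xlErrValue)   ' out of range, including wordIndex = 0
    Else
        ReturnNthWord = words(idx)
    End If
End Function
```

The Optional parameter can be left out in the sheet (=ReturnNthWord(A3, 2)) or supplied (=ReturnNthWord(A3, 2, ",")); the function is declared As Variant so that CVErr can hand a real Excel error back to the cell, which lets downstream formulas see the problem with IFERROR.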


Summary:

This is a taste of how to write your own functions in Excel. It is helpful to know Visual Basic, but this article should get you started. Writing this same logic in native Excel would be difficult and would probably require multiple columns and long, complicated formulas.

By tucking the logic within a procedural language, the spreadsheet becomes almost readable because it can have if-then-else statements, indentation, and can call other modules and subroutines. Excel's long and horrible formulas can be reduced to a single keyword with some passed parameters.


Followup:
I found this gem on the net the other day: This standard Excel formula also parses the last word in a string and is very creative in how it works:

=RIGHT(A1,LEN(A1)-FIND("*",SUBSTITUTE(A1," ","*",LEN(A1)-LEN(SUBSTITUTE(A1," ","")))))

There is a tradeoff here: the =ReturnLastWord function is esoteric and most Excel users do not understand how it works, but I would argue most Excel users do not understand this formula either. If the formula needed to be debugged, which is easier?

Related Keyliner articles:
Using Excel for Raffle-Ticket Drawing: Prizeorama
Excel VLookup - a complete tutorial
Excel Coloring Alternate Rows
Excel Parsing City-State-Zip
Excel Importing Text with Leading Zeroes
VB - Return First Word, Last Word, Supertrim
Using VBA to Send Email
Using Excel to select Raffle Tickets - Prize-orama