2009-05-21

Configuring Windows Firewall

How To: Technical Article on how to configure the Windows Vista Firewall for outbound traffic. This gives your PC stronger protection and it will have complete control on how other programs interact on the net. This is an advanced computer topic.

This article was originally written for Windows Vista. These steps have not been tested under Windows 7, but they should work the same. The author will re-visit this article shortly.


If you are looking for
"the update server is not responding, which means it might be offline at the moment, or the Internet or Firewall settings may be incorrect."

--this is a classic indication of a Firewall (Microsoft's or your Virus Scanner suite) blocking the traffic. See details, below. If you are not using a software firewall, this article may not help solve this problem.



Contents:
* Do you have a firewall installed?
* Blocking Outbound Traffic with "wf.msc"
* Configuring Base (normal) exceptions
* Operating System Exceptions (SVChosts/Windows Update)
* Network Printing Exceptions
* Acrobat Reader (and other) Update Exceptions
* Ping and TraceRT exceptions
* How to temporarily disable outbound Firewall Rules


All computers need Virus/Spyware scanners and a firewall -- but the firewall is the area most of us are weakest. This article attempts to explain how to manage the firewall in Microsoft Vista.

Firewall 101

Thanks to our Cable or DSL Modems, most of us are behind a hardware firewall. This type of firewall blocks inbound traffic by hiding the computer's real IP Address behind the router's address. The process is called "Network Address Translation (NAT)". "NATting" hides your computer's real address from the Internet and this blocks all unsolicited inbound connections.

Without this, a computer would be infected within seconds of being connected on the Net -- with no action required on your part; you don't even have to launch a browser. Laptops are at a particular disadvantage because they can leave their own network and possibly attach to a public router where NATing might be turned off. If this happened, the laptops were sitting ducks.


But none of this helps when your computer
already has spyware that sneaks out and sends data outbound;
a normal hardware firewall will do nothing
to stop this type of traffic.



Microsoft realized this, and starting with Windows XP SP2, a default software-firewall was installed and it monitored inbound traffic, solving the missing NAT problem.

Then, starting with Vista, the firewall's capabilities were expanded so it could watch outbound traffic. However, because this feature required more end-user skill and knowledge, this feature was turned off. In this article, I suggest enabling outbound blocking -- but be prepared for a little work.


Half-Height Firewalls: The Need

A firewall that blocks inbound traffic (for laptops or desktops) is a minimum standard, but if you are a more sophisticated end-user, you can do better.

Consider the following: Imagine you had accidentally installed a virus, and didn't know it. Perhaps it arrived in an email or your children passed over a website that offered a free music-download. Now imagine the virus was too new to be detected by your scanners. Keystrokes could be captured, websites redirected, data uploaded; all without your knowledge.

A hardware or simple default software firewall is not going to capture the stuff happening behind your back. A properly-configured software firewall can intercept outbound traffic even when virus scanners fail.


Do you have a Firewall Installed?

If you are using their suites, other vendors, such as ZoneAlarm, McAfee, Symantec and others, probably installed a firewall. If so, those programs have different procedures to follow, but if you did not, you are probably using the default Windows firewall. To see which firewall is installed, do the following:

A. Click Start, Settings, "Control Panel"

B. Open "Security Center"

C. Click the down-arrows on Firewall. If it says Windows Firewall, then this article is for you.



Blocking Outbound Traffic
By default, Vista (and Windows 7) firewall only blocks unsolicited inbound traffic. Follow these steps to block unknown outbound traffic. This is a relatively advanced topic.

1. Launch the Windows Firewall Control Panel:
Start, Run, "wf.msc"
The control panel takes several seconds to load

2. On the (left) tree-side, highlight the top of the tree "Windows Firewall with Advanced Security".
On the Right side, click "Properties"

3. For each of the top-tabs [Domain Profile, Private, and Public Profile],
set "Outbound Connections" to "Block"
Do this three times, once for each tab.


Important: When you do this, all internet traffic will be blocked and web-browsers, email programs, software updates, etc., all quit working until they are granted an exclusion (next).

4. Click OK when done, returning to the main Windows Firewall control panel.


Configure Base Exceptions

Next, grant exceptions to your most commonly used programs. For example, on my machine, I allow the following:

Internet Explorer (browser)
FireFox (browser) + Firefox Updater
Outlook (email)
Thunderbird (email) + Thunderbird Updater
Windows Media Player
Itunes (or other music-players)
Your Virus Scanner
Base Operating System Exceptions (details below)
*Windows Update / Windows Defender / MSE
DOS Ping
DOS TraceRt
Network Printing

Except for these exceptions, all other programs will not see the Internet and will think the computer is "off the net." This also means they cannot ask for automatic updates. In my opinion, this is good: for application software, update when you want so you are not surprised; I typically manually download updates from the web and do not rely on automatic updates. If you would rather have them update automatically, add them to the list above. There are more details on this in a moment.

Also, be aware that Windows Defender (Spyware scanner) and Windows (auto) update will not see the network, and this is addressed separately in a few moments.

For each program in the list above, follow these steps:

5. In the Windows Firewall Control Panel, main screen, click "Outbound Rules" (on the left-window).

6. On the right-side, click "New Rule".

Select "Program" and click Next
Choose "This Program Path" and browse or type the executable's .exe name.

For example, Internet Explorer is found at "C:\Program Files\Internet Explorer\iexplore.exe" (do not use quotes even though there are spaces in the name).
Firefox might be installed at "C:\Program Files\Mozilla\Firefox\Firefox.exe".
Windows Media Player is at "C:\Program Files\Windows Media Player\wmplayer.exe"



Hint: To find a program's location, locate the program's icon, other-mouse-click and choose Properties. Copy and paste the "target" field, minus any parameters.

7. On the Next Screen:

Choose "Allow the connection"
Recommend choosing all three Domains [Domain, Private, Public]

8. When prompted, give it a "pretty name" such as "A-Internet Explorer" (I always like to prefix the programs I added by using an "A-" so they sort at the top of the list). As you can see, this screen is complicated and the A-dash helps organize it.



9. Add the other programs in the list, following the same steps.
If you forget to add a program, it simply won't connect to the Internet. For example, if you play a store-bought game that can connect to the Net, it will not work until granted an exception here.

The benefits are this: If a rogue program installs itself, the firewall blocks its ability to talk to the outside world and your computer will be safer. (Here it would be nice if the Windows Firewall would announce that program "XYZ is attempting to connect to the Internet" so you would know the virus was there. Perhaps this will be fixed in later versions.)


Operating System Exceptions

Windows Update and Windows Defender also need an exception. You *must* do these in order to adequately protect your system. If not, you will get this error: Windows could not search for new updates. Error(s) found: Code 80072EFD:

Follow these steps to grant an Exception in the Firewall.

1. As before, create a new Outbound Rule, selecting this program:

C:\Windows\System32\svchost.exe
Name the rule "A-Svchost" so it sorts with the others.

When selecting "svchost," Windows will display a warning. Ignore the warning and allow it to create the rule, but because this is an operating-system file, additional steps should be taken and these are detailed next.

2. Edit the new rule's properties by double-clicking the name ("A-svchost").

3. Illustrated below, select the [Programs and Services] tab
Click the "Settings" button.

4. Choose the radio-button "Apply to this service"
In the list, choose "Windows Update";
Click OK

5. In the "Protocols and Ports" tab

Change the Protocol Type from Any to "TCP"
Change the Remote Port from All Ports to "Specific Ports"; type ports "80, 443"


Save the changes and close the entire control panel. Windows Update and Windows Defender should now work properly.

Printing Exceptions

Microsoft was not thinking when they wrote the firewall software -- it surprisingly blocks IP-based Network printing. This turns out to be nuisance and you have to go to two different places to set the exception properly.

Follow these steps if you have a printer connected to a (Jet Direct or other IP-based print spoolers). If the printer is a USB or LPT printer attached to your local machine, you do not need to use these steps.

1. Start, Run, "FirewallControlPanel.exe" (or select Control Panel, Security Center, Windows Firewall).

2. Choose "Allow a program through Windows Firewall"

3. Click the [Exceptions] tab
Choose [x] File and Printer Sharing
Click OK, OK, etc. to close the control panel / Security Center screens.

Next, go to the Advanced Settings:

4. Start, Run, "wf.msc"

5. In Outbound Rules, click "New Rule"; Select "Custom", then "All Programs"

6. On the next screen,

Choose Protocol Type "TCP"
Local Port: "All Ports"
Remote Port: "All Ports"
Click Next

7. "Which local IP address does this rule match?" Choose "Any"

Which remote IP Address does this rule match?
Choose "These IP Addresses"
Add your (JetDirect's Print Server's IP Address) under "This IP Address or subnet"

This will not be your local PC's IP address. For example, my printer spooler is defined at 192.168.200.251. This step is only needed on those computers that talk directly to the print spooler/JetDirect. If other computers connect to your computer in order to share the printer, nothing needs to be done on the remote machine. Click Next to continue.



8. Choose "Allow the connection", then choose all three domains [Domain, Private, Public]

9. Name the rule, per my recommendations: "A-Printer 192.168.200.251"

Clearly, if the PC is on a corporate network, network printing may be problematic. Consider using an IPAddress Range. I welcome suggestions on how to improve this.

Adobe Acrobat Reader Update

If you wanted Adobe Acrobat (or other programs, such as WordPerfect, your photo-editor, etc.) to auto-update, they may fail with a message similar to "the update server is not responding, which means it might be offline at the moment, or the Internet or Firewall settings may be incorrect." This is a classic indication the Firewall is blocking the traffic.
This is by design. In the Outbound rules, *all* programs are blocked unless granted an exception and Adobe's product has no way of knowing a firewall was in the way.


Finding the Program:

In this case, granting Acrobat Reader an exception (AcroRd32.exe) will not solve the problem because the Reader is not the program doing the updating. It takes a moment of sleuthing to find the real program; here are the steps.

A. Press ctrl-alt-delete, "Start Task Manager". Leave this window open.

B. Launch Acrobat Reader, select Help, "Check for Updates"

C. In Task Manager, note how a new program jumps into the list: "Adobe_Updater.exe". This is the program that needs a hole punched through the firewall.


D. In Task Manager, other-mouse-click the EXE name and choose "Open File Location". You will find it in "C:\Program Files\Common Files\Adobe\Updater6\adobe_updater.exe".

You may find that other update-programs do similar things. Of course, you could ignore the auto-updater and download the installation manually from the web. Since your web-browser has been granted permission, there will be no problems.

Other Recommended Files

Grant a normal Outbound Exception rule to these programs, often used by technicians for network diagnostic work:

A-Ping: %SystemRoot%\System32\PING.EXE
A-TraceRt: %SystemRoot%\System32\TRACERT.EXE
If you do not grant this exception, Ping will report a "General Failure"

Also, consider these, if you have these products installed:
C:\Program Files\Common Files\Adobe\Updater6\adobe_updater.exe
%ProgramFiles%\Mozilla\Firefox\updater.exe
%ProgramFiles%\Mozilla\Thunderbird\updater.exe

Temporarily Stopping Outbound Rules

Sometimes the firewall's outbound rules can get in the way with other software updates and it is more trouble than it is worth to grant an exception. For example, the Java client install has a new name with each new version and will report "The installer cannot proceed with the current Internet Connection settings."

To work around this, you would have to grant an exception (discussed above) for each new installation file; this is a drag because Java is updated frequently. It may be easier to temporarily disable outbound rules just for the install. Follow these steps:

1. Start, Run, wf.msc (the Windows Firewall Control Panel)

2. Highlight the top of the tree ("Windows Firewall with Advanced...")

3. Click "Windows Firewall Properties"

4. Click the [Private Profile] tab
Set Outbound Connections to "Allow"

5. Install the software, then return Outbound connections to "Block"

As an aside, when installing Java Runtime, I recommend unchecking the Yahoo Toolbar (it is spyware). Since an exception was not granted to either the installation routine or to the actual Java client, you might as well stop it from running its automatic updates (which is an endemic problem with Sun's Java).

Start, Run, MSConfig and uncheck Java's automatic update, as illustrated.

(click illustration for a larger view; click right-x to return)

Read more about startup programs here: Cleaning up Startup Programs

Maintenance
If you install a new version of a program, the firewall rules will still work, as long as the .exe name is the same (this is different than other vendors: their products recognize the change and ask confirmation when updates happen). At any time, you can go into the wf.msc control panel and disable a program's access to the internet by disabling the rule.

Conclusions

Configuring Windows Firewall for outbound traffic is a nuisance and the interface is not as friendly as I would like. For example, ZoneAlarm's free firewall, recommended for Windows XP but not for Vista, prompts on the fly when it detects a new program attempting to talk on the network. With one click, it can add an inclusion or exclusion and essentially self-configures.

In comparison, Microsoft's firewall is cumbersome and an average end-user could not make it work. The product is capable, but trudging through the wizards is a drag and the complicated main screen will scare most people away.

Related to this, when Microsoft's firewall blocks a program, it doesn't tell you the program was stopped. For non-computer-experts, this could be a good thing because they won't be bugged and they will never be able to grant an exception. On the other hand, if you are wondering why a program isn't working, it could be the firewall, but you may not remember to grant the exception.

Personally, I prefer ZoneAlarm's free Firewall and I use it on my Windows XP computers. But on Vista, ZoneAlarm has been troublesome and I've de-installed it, which forced me to use Microsoft's firewall.

Now that I know how to configure it, Microsoft's product is 'usable' and it is doing what it is supposed to do. I wished it had a report or some other way to notify that a program has made an outbound-attempt -- I definately see room for improvement here. I would like to hear your experiences with ZoneAlarm and Vista/W7.

In any case, whether you use these or other commercial products, it will take about a half-an-hour to configure a firewall. Once it is setup, it should require little maintenance.

Related content
Vista Spiffs
Disable Vista UAC Nags
Streamlining Windows Start Menus

2009-05-05

Removing Win32/Cryptor Virus

Howto: Steps for removing the Boaxxe Win32/Cryptor Virus / rootkit from a Windows XP machine, using AVG, Malwarebytes, and other software. The Virus was successfully removed with these steps. Apologies on the length; this is a complicated subject. This article can be used for other viruses. Updated 2013.09.
 

My daughter's laptop was infected with the Win32/Cryptor virus when she downloaded a music-sharing program. The infection's symptoms were typical: The PC became progressively slower and dozens upon dozens of "you have a virus" messages ("scareware") ultimately made the machine unusable. Once infected, traditional virus scanners cannot clean the infection.

See these Keyliner articles for other virus articles:
Microsoft System Sweeper - Bootable Antivirus - Start here.  Highly Recommended

Removing Win32 Cryptor
Removing Win7 Anti-Virus
Removing Personal Security Virus
Securing Windows 7 from your Children
Microsoft Security Essentials


Although this article has been tailored to the Cryptor virus, these steps will work with almost all viruses and spyware.



This article receives numerous hits, indicating a lot of people do not have backups. I continue to make modifications to this article, using information from readers and from vendors. Please leave comments on how well these steps have worked.

Removal Steps

I decided to do the a'la carte method, and install individual free scanners and firewalls from different vendors. It took about five hours, not including research, to clean the virus, with most of the time spent waiting. Here are the steps used and if you want a guaranteed success, you must follow all of the steps, in this order. There were mistakes made along the way, described separately.

Some of the steps are somewhat risky. If your machine is running well enough, manually copy important data (photographs, checkbook files, novels, etc.) to offline storage.


0.  Build a Bootable MSE disk.

Microsoft has a new Virus scanner that is very useful and I recommend following the steps in this article first.  See this Keyliner article:
Microsoft Standalone System Sweeper

Follow the steps in the article to create a bootable virus-cleaning disk. Use it before attempting the remaining steps. Do these steps for all machines, Windows 8.x, 7, Vista, XP.


1. Pre-Download files.
On a non-infected computer, download the following programs and burn them to a CD (steps on how to burn are not detailed here; ask a knowledgeable friend to help, if needed).

If the download is Zipped, de-compress the Zip file.
For ease-of-use, place each downloaded program in a separate subdirectory.

The viruses are sneaky and can stop you from running known cleanup utilities. Because of this, the instructions will have you rename the vendor's files to a random name, described below; use any name you see fit.

Ideally, burn all of the downloaded files to a CD -- not a pen drive; media should be Read-Only.

Files:

Download Process Explorer: technet.Microsoft.com
On the page, search/Ctrl-F for "Process Explorer"
Rename ProcExp.exe to "WinLogon.exe"

Download RootRepeal: http://rootrepeal.googlepages.com/
Only download if using Windows XP or Windows Vista 32-bit.
The download can be found about in the middle of the page, under "static links".
  • Click (download) the Zip version; select "Open file."
  • Highlighting "RootRepeal.exe" in the opened Zip folder
  • Other-mouse-click, select "Copy"
  • Paste to your temporary directory
  • Rename the pasted file to xxRootRepeal.exe (or other random name, including WinLogon.exe if in a separate directory)
Of note: Windows 8 is far-less likely to get a root-kit virus installed due to changes in how the operating system works.

Download ComboFix: ComboFix Download
*Only download if using Windows XP or 32-bit Windows Vista/7 ; not Windows 8
Rename to xxComboFix.exe

DownLoad SuperAntiSpyware: superAntiSpyware
Choose the Free Edition; this is a legitimate program, despite its flaky name.
Rename to xxSuperAntiSpyware.exe

Download MalwareBytes: Malwarebytes
Rename the installer to xxMBam.exe
Later, you will also have to rename the installed exe.

Burn these files to a CD.


2. Disconnect the infected computer from the Internet.

Unplug the Cat-5 network cable or press your laptop's function key/other key to disable wireless.

You do not want to be on the net while some of these steps run. I have found some of these virus cause too many problems while connected and this was the easiest solution. This will disable these programs abilities to download the latest updates; although this would be nice, the updates will have to wait.

3. Uninstall old virus scanners
 

If your existing virus scanners are old, obsolete or expired demo versions, un-install them now because they are not going to help and they can interfere with other steps. See Control-Panel, Add-Remove / Programs and Features.

However, some rootkit viruses will prevent you from entering the control panels. If this is the case on your PC, consider booting into Safe-mode (see below and try un-installing from there). Otherwise, continue with the next steps.

If you have McAfee Security Essentials installed (see Programs and Features), un-install.

4. Disable Existing Virus Scanners

If you have a current virus scanner, temporarily disable it to avoid conflicts. Since the machine is already infected, the virus scanner is not helping so it is safe.

See your vendor's documentation for exact steps on how to disable "real-time scanning," but here is a summary for many of the popular ones. Most programs have a system-tray icon to get to the correct menus.

AVG 8:
Open the System Tray's AVG8 Control Center, Tools, Advanced, in left-pane, scroll down to "Resident Shield"; deselect 'Enable Resident Shield'.

AVG 8.5:
Open the AVG Control Center; Double-click Resident-Shield; Deselect "Enable Resident Shield.

Avira:
"Other-mouse-click" the Avira System Tray Icon. De-select 'AntiVir Guard Enable'

F-Secure:
"Other-mouse-click" the system tray icon; choose "Pause Protection". Click "By User Request"
Microsoft Security Essentials (MSE)
Click Settings, Real-time protection; Uncheck "Turn on real-time protection"

McAfee:
"Other-mouse-click" McAfee System Tray Icon; choose Exit

McAfee Security Center 7.x:
Double-click system tray; click Advanced Menu, Configure, Computer and Files. Disable the VirusScan and the Internet & Network for Firewall.

Norton Antivirus:
"Other-mouse-click" System-tray icon; choose "Disable auto-protect". Set a duration of 6 hours

Norton 360:
"Other-mouse-click" system tray icon; choose 'Open Tasks and Settings Window'; Under Settings, click "Change advanced settings" Click 'Virus and Spyware Protection settings'; de-select 'Turn on Auto-protect'; Apply; choose "Until I turn it back on'

If you can't disable, consider un-installing before continuing; then re-install later.
 
5. Set Windows Screen Saver to None (disable the screen saver)
 
Some of these steps take a long time to run and the screen-saver impacts performance. If you are able to launch the Control panel, disable the screen saver with these steps:
Windows XP:
-Other-mouse-click the desktop, choose Properties, [Screen Saver], set to None.

Vista/Windows 7:
-Other-mouse-click the desktop, choose Personalize, ScreenSaver


6. Boot computer in "Safe Mode"

Author's note: I am having problems with this step, depending on which version of Windows is installed. Originally, I had suggested to run as many of the next steps as possible in "safe mode, but I am finding many of the following programs do not operate in safe mode, depending if you are running Windows 7/Vista or XP.

My new recommendation: Skip this step. However, I am leaving it documented here because it can be useful with some utilities and has helped me in the past catch some viruses.

Original comments:

"With the infected computers I have worked on, everything was locked down by the virus and I could not open many Control Panel applets and overall performance was bad. For these reasons, I recommend starting the computer in a special Windows diagnostic mode, called Safe-Mode. The steps to open it are weird and may take some practice:

- Cold boot the machine (power off/on).
- Just after the BIOS splash screen, repeatedly tap on the f8 key (press insistently but not frantically).
- Choose Safe-mode, when prompted
- If you miss and Windows loads normally, reboot gracefully and try again.


7. Run Process Explorer

This is a Cryptor-virus specific instruction.  Skip for other viruses.

"Process Explorer" is a Microsoft program and it can sometimes stop the Win32/Cyrptor virus long enough to remove it. However, the latest versions of this virus elude this program, but it is worth a try.

a. From the CD, run D:\ProcessExplorer\WinLogon.exe (the renamed file) by other-mouse-clicking the file and choosing "run as administrator."

b. Scroll to the Explorer.exe section; wait a few moments and watch for program changes

c. Open the "Explorer.exe" section.

(Cryptor Specific step): Look for a program with a name such as "1234023.exe"; the name will be random. (It wouldn't surprise me if future variations of the virus use more legitimate-sounding names; study the list and see what program seems out of place.)

Note: Other rootkit viruses can live in this area. The key is to pay attention to unusual programs running in the Explorer section. It is normal to see multiple svchosts in this area and note that "procexp.exe" is this program. The Cryptor virus may show up in the list but newer versions do not.

If you do not see an obvious candidate, continue with the remaining steps.

d. Assuming you found a suspicious process, right-click the process and "Kill"


8. Install RootRepeal:

Follow this step if you are using Windows XP.  For Windows Vista, 7 and 8, skip this step.

Before running this step, close all windows and programs on the computer -- including this browser page. You may need to write down these steps.

a. Copy xxRootRepeal.exe to a temporary directory (any) on the C: drive (this cannot run from the CD).

b. Launch the program by "other mouse clicking/right-click" and choosing "Run as Administrator". It will install; accept all the normal prompts; ideally, install in a different directory than the default one it recommends.

c. Once the program launches, select the bottom-tab "Files"

d. Select "Scan" and choose [x] the C:\ drive

The scan will take considerable time with *inconsistent* hour-glassing.
Wait for the status-bar message "Found xxx hidden/locked file(s)!"

e. Scroll down the list, looking for the C:\Windows\System32 or C:\Windows\System32\Drivers section.

The list will contain a mixture of legitimate and illegitimate programs.
Files in
C:\Windows\System32 or
C:\Windows\System32\Drivers

which are marked as "Hidden from the Windows API", will be the virus.

As of this writing, Win32\Cryptor reports as a .SYS filename, in the System32\Drivers area.

Other Viruses, such as the "Personal Security" rootkit, place a file called "C:\Windows\System32\Gather~1.xsl". In other words, look for any suspicious file with "Locked to the Windows API" in the System32 directory, as reported by RootRepeal.

The Win32\Cryptor virus will have a dot-sys (.SYS) extension and the name will be random (e.g. UACewsflctd.sys). The name can be long or short. Here are example names but it will be the only .SYS extension in the System32/drivers directory:
TDSSspax.sys
TDSSServ.sys
GAOPDXserv.sys
gaopdxohocrlokojvgccmieiquramguxlachqk.sys
UACmxegjtve.sys
UACd.sys
Senekarstpqyy.sys
ovfsthxkwpjtxfk.sys
kungsfxwrtceey.sys
SKYNEToyfjtpeo.sys
MSIVXwfjwbpbivasavbfjmtkibegxvnftiqxt.sys
(Don't be surprised if future versions of this virus use more legitimate-sounding names.)
f. Highlight the offending file, other mouse-click and choose "Wipe File".
Unfortunately, there is no indication this step succeeds; trust that it did.

g. Important: Immediately select Start, Shutdown and reboot the computer; do not close any programs. Reboot back into Safe Mode, as described above.

If you do not find a likely name, you may be infected with a different Root-kit virus.


9. Run ComboFix.exe (xxComboFix)


Windows XP users:  ComboFix is also a root-kit cleaning program for a different vendor. I also like to run it because they sometimes see programs that RootRepeal misses.

a. Close all programs, including this browser. You should be in Safe-Mode
b. Other-mouse-click the exe and select "Run as Administrator".
While it runs, it may need to install Microsoft's Recovery Console; allow this to happen. Do this by plugging in your network cable / turn on wireless; wait about 1 minute for the connection to establish; then click OK.

The scan process takes 10 to 20 minutes, depending. You may notice various black screens. Be patient.

It will reboot; come back up *without using Safe-Mode.* It will then take about 10 minutes to generate a log file. Your firewall may spring to life, prompting for pev.cfxxe -- this is a ComboFix program and allow it access to the Internet.

After the program runs, they recommend uploading your log-files for further review (see C:\Combofix.txt). You can do this if you like but I recommend continuing with the next steps. The displayed Log file will not be that interesting.




Assuming the RootKit Removal programs did their job, it is now time to remove the other viruses that are probably lurking in your system (cryptor installs other viruses, just to be mean).
 
10. Run SuperAntiSpyware

Despite its flaky-sounding name, this is a great program. To run, follow these steps:

a. If needed, reboot the computer; you cannot be in Safe Mode when running this program.

b. Locate the Renamed program; other-mouse-click; "Run as Administrator"

c. Accept the legal agreements, etc. Install in a different folder than recommended. I recommend choosing C:\Program Files\Util\SuperAntiSpyware

d. Accept various installation options, as you see fit; optionally allow it to send a diagnostic report.

e. Run a *Full/Complete* scan.
Allow it to reboot if it finds anything.


11. Install and run the renamed MalwareBytes program.

Despite its scary name, this is a legitimate program. For now, *do not* allow it to check for updates (I found this virus caused too many problems if the Internet were active).

a. Install the program by double-clicking the renamed exe file.

b. When prompted, choose a different install directory.
I recommend C:\Program Files\Util\MBam

c. Once installed, use Windows Explorer to locate the installed files:

See C:\Program Files\Util\MBam
Rename MBam.exe to "xxMBam.exe"

d. Launch the program (xxMBam.exe); allowing it to run. Under "Scanner", choose Full-Scan. Allow the scan to run. It will be time consuming.

e. Reboot gracefully once the scan completes.
By this stage, the Virus should be cleaned. Continue with the remaining steps.

11a. If you still suspect a virus
 
Plug in the network cable/wireless and re-establish a connection to the internet. Allow MalwareBytes to update to their latest version. Once it updates, you will have to re-re-name mbmam.exe to a new name, such as 123Mbam.exe. Re-run that step as "administrator."

12. Download and install a new Virus Scanner, if neededIf you still have an existing virus scanner installed, re-enable the program and run a full-system scan.

If you do not have a virus scanner, download and install one of the following free scanners (they also have commercial versions). I no longer recommend any commercial vendors. Although not the best, consider using Microsoft's MSE program (also free):

Microsoft Security Essentials (a new, free virus scanner "MSE")
Avira
AVG's Free AntiVirus

(Shift-click the link(s) to open the download page in a new window. Choose and install only one of the above)

(If installing AVG, be sure to download the Free version, which is different than the Trial version. It may take a moment to find it. As of 2009.09, the AVG link above takes you directly to the correct site. Here are detailed instructions on how to best install AVG in order to avoid a performance bug they have:
AVG Detailed Installation Steps)

With my daughter's computer, AVG detected 12 additional spyware and viruses but like Microsoft's product, these cannot clean RootKits. On another computer, infected with Win32/Vundo.B, MSE detected, but was unable to clean an already-installed virus.


13. Uninstall likely Viruses

Using Windows Control Panel, "Add-Remove Programs" or Windows 7 "Programs and Features", un-install p2p programs such as uTorrent, Bittorrent, LimeWire, Morpheus and others. These are typical sources for spyware. Take the time to delete other programs and toolbars you no longer need.


14. Delete all old Restore Points (they may be infected)

a. Launch Windows Explorer, other-mouse-click the C: drive.

b. In the [General] Tab, click "Disk Cleanup"; click "Cleanup System Files" (Windows 7), click top-tab "[More Options].

c. Click "Clean up" on the System Restore and Shadow Copies. Allow it to delete all but the most recent restore point.



Success!
These steps cleaned the virus and this article has been fine-tuned to give the best-to-date results. The steps may be over-kill, but they should clean the machine.

Consider giving a financial reward by sending a donation to the good folks at MalwareBytes and SuperAntiSpyware -- they are doing you a great service.

This is a good time to make a full-system backup. See this article: Using Acronis.


Mistakes in the Process: AntiSpyware

During my research, I was a fool and downloaded and installed www.antispyware.com. Antispyware came recommended on several discussion threads and it was free. As it installed, it asked for my name and email address, ostensibly to send a license key. I was suspicious. Why does a free program need a license key?

I quickly built a new junk Email address and used it to register. As soon as I clicked OK I knew I was in trouble -- the program installed, then detected a variety of bogus viruses -- and then asked for $50 in order to clean them. I had been duped. I was glad I registered with a fake email. I un-installed the program. If I would have provided a credit-card number, I would have been in deeper trouble.

Further research showed a lot of people happy with this program and a lot of others saying it was a scam. With mixed reviews like that, something is up. I suspect the happy people were plants.

MalwareBytes identified this as spyware and removed it. I learned my lesson: Search the net before committing to any product.

Do not confuse this program with a legitimate program, "superAntiSpyware" (which has a free and paid version.)

Manual Removal Steps:

Several have asked about manually removing Crytor. There is no manual way to remove a rootkit virus because, by their very nature, they hide in areas not visible to standard software. Of the dozens of sites I found that claimed to have the steps, I found most were flawed and often the steps fell apart half-way through the instructions. In the end, these sites hoped you would become frustrated and would then sell their removal product. I suspect some of these sites were written by the original virus authors.

Other Observations:
My daughter's computer had a three-year-old virus scanner, with current signatures, but this was not adequate to stop this virus from entering into her computer. There is no doubt that she should have had a newer scanner, but even that is no guarantee; poor surfing habits are hard to defend against.
 
From my previous article (see here), I have not been not impressed with any of the major vendors. In the end, I decided to try AVG's virus scanner. But AVG has been problematic. On three separate computers, the AVG engine hogs too many resources. After you complete these steps (including AVG), look at this article to determine if AVG is behaving. If you find AVG occupies 20 to 100% of your CPU resources, follow the steps in that article.
 
If you use AVG, be aware it also has a spyware scanner (that cannot be disabled) and it may conflict with Windows Defender and MalwareBytes.
 
Since this article was originally written, Microsoft released a free virus scanning software, 'Microsoft Security Essentials' (MSE) that is worth trying. On an infected machine, this scanner has detected viruses, but seems to have trouble cleaning them -- requiring a reboot after each virus is detected.
 
When a machine is infected with multiple viruses, this adds to the time. I suspect the program behaves better if it were running before the infection but I installed after-the-fact.
 
MalwareBytes free version is not a real-time program and runs only on demand. But with a purchased upgrade, the program runs in real time. The fee is a reasonable ($25) for a non-commercial, perpetual license, which is an honest price for an honest product. If you go this route, uninstall other virus and spyware scanners.  This program, especially the free version, is I program i trust.

Be sure to update Java and Acrobat Reader to the latest versions; both had flaws that were easily exploited by other viruses.


Final Recommendations:
This was a mess and it took hours to clean up. A far better solution is to make a disk-image (ghost) of the entire computer prior to the virus. Buy a cheap external USB drive and run a program like A*cronis or Maxtor's USB program. You can read about this idea in this article: G*host vs A*cronis.

See these Keyliner articles for other virus articles:
Microsoft System Sweeper - Bootable Antivirus - Highly Recommended
Removing Win32 Cryptor
Removing Win7 Anti-Virus
Removing Personal Security Virus
Securing Windows 7 from your Children
Microsoft Security Essentials

Cleaning a Virus
G*host vs A*cronis
Maxtor USB External Drive
Configuring Windows Firewall for Outbound Traffic



Vendor Links and Products mentioned:
Microsoft Process Explorer: http://live.sysinternals.com/procexp.exe
RootRepeal Rootkit Killer
ComboFix
Malwarebytes (manual rename) Malwarebytes (random named)
Malicious Software Removal Tool


Other Products of Interest:
Mcafee "Stinger" Removal Tool (a batch removal tool; useful for some viruses)
VirusTotal (single-file Analyzer using 30 different scanners)
HijackThis By Trend Micro
Java (Updated/Install)
Acrobat Reader (install/Update)

The Win32/Cryptor is also known as okbjivb.dll, Win32/Alureon.gen, Generic Downloader.x, VirTool:Win32/Obfuscator.CT, Downloader.MisleadApp, Backdoor.Tidserv.
Please leave a comment (no registration required) on how well this article helped with your virus problem. This will help other people understand how successful these steps were.