Mac, Win XP, Parallels & now a bloody virus

Joined
Nov 21, 2007
Messages
4
Reaction score
0
Points
1
New switcher here, & I was hardly a "Power user" to begin with, anyway prob is I installed Parallels to run some Win only SW I have to have. Of course I didn't install AV SW and I got eaten alive by Brave Sentry/SpySheriff. I had great fun getting Parallels to run in the first place, so I'm not looking forward to wiping WinXP & Parallels so I can start fresh. How would I go about getting this spyware off & how difficult or wise is it to erase Win & Plls. & re-install? Will this get rid of the hidden files that Adaware, Spyhunter, Norton and a few others don't seem to be able to find & destroy? TIA Dubliner
 
Joined
Nov 20, 2007
Messages
93
Reaction score
2
Points
8
Once you have viruses and spyware, your best bet is to just reinstall.

First thing you should do after installing Windows is run ALL updates including IE7 and NEVER randomly click yes on boxes that appear from the internet.
 
OP
D
Joined
Nov 21, 2007
Messages
4
Reaction score
0
Points
1
"NEVER randomly click yes on boxes that appear from the internet."
I got you there, it posed as an Anti Spyware notice.
 

Neo


Joined
Aug 14, 2007
Messages
557
Reaction score
25
Points
28
Your Mac's Specs
white MB 2.16GHz 3GB 320GB 10.6.1
Ask yourself, "What would I do if I had this infection on a windows PC?"
Would you format the HD then reinstall Windows and all applications? Granted, the process is a little easier with a virtual machine, but it can be dealt with. It is possible to clean up from this. When you are done, install Spybot, AdAware, and reputable antivirus software (if you haven't).
Don't even use the internet on the Windows VM! I mean, why would you do this?
Finally, NEVER, UNDER ANY CIRCUMSTANCES, CLICK ON POPUPS! NEVER!

Good luck:)
 
Joined
Mar 11, 2004
Messages
1,964
Reaction score
174
Points
63
After cleaning up the malware, it might be wise to use the Mac on the web to download all the Windows anti-malware programs you need, copy them over to the Windows side and install them before going on the web with Windows again.

That way, it will have protection from the outset.
 
Joined
Dec 6, 2006
Messages
275
Reaction score
15
Points
18
I don't see a need to reinstall Parallels, though you may want to delete the shared folder.

Disinfecting Windows can be very tricky and often times it's quicker just to reinstall Windows, but it depends on your time cost/benefit. Perhaps this forum http://forums.techguy.org/54-malware-removal-hijackthis-logs/ can help if you want to try to disinfect before you reinstall your Windows virtual machine.
 
Joined
Nov 2, 2006
Messages
476
Reaction score
9
Points
18
Your Mac's Specs
24" 2.8ghz IMAC, MB Pro
This is what virtual machine snapshots are for. I would just blow out your virtual machine, reinstall XP in a new virtual machine and then fully patch it and install anti virus. Install IE 7. Then when all that is done make a snapshot. Now if you get any trouble you can always revert back to this saved point.
 
Joined
Nov 14, 2007
Messages
135
Reaction score
0
Points
16
Are you saying he needs to format his whole mac, just for the windows virus?

I've actually had a good success rate of removing any viruses I've ever got on my Windows XP system. Not sure about Vista, but on XP, even though it might've taken a week, I was able to remove all viruses and spyware from the systems I've worked on.
 
Joined
Mar 22, 2007
Messages
1,463
Reaction score
67
Points
48
Location
UK
Your Mac's Specs
Lenovo Z560 Hackintosh -:- '06 iMac -:- iPod Touch 2ndGen
"NEVER randomly click yes on boxes that appear from the internet."
I got you there, it posed as an Anti Spyware notice.

It doesn't matter, don't answer Yes to ANY questions from the Internet.
 
Joined
Jun 20, 2007
Messages
337
Reaction score
11
Points
18
Location
Land of Rising Sun
Your Mac's Specs
MB White 160GB, 2GB RAM,
One more word of advice would be to take a snapshot immediately after install ... if you face a similar problem you can always go back to the snapshot, which is a point-in-time image of your XP installation.... No amount of AV & spywares can protect Windows completely. This can save you a lot of effort to restore back.

Of course this feature is available in VMF; not sure whether Parallels has it.
 
Joined
Apr 20, 2006
Messages
2,255
Reaction score
47
Points
48
Your Mac's Specs
Al iMac 20" 2.4Ghz Intel Core 2 Duo
1.) Run Ad Aware
2.) Run Spybot
3.) Run HiJackThis and post your report log at a PC security forum such as www.security-forums.com
The sole purpose of these forums is to help people who post their HiJackThis logs.

Reinstalling should be a last resort. 95% of junk can be removed by people helping you on HiJackThis forums.
 

Neo


Joined
Aug 14, 2007
Messages
557
Reaction score
25
Points
28
Your Mac's Specs
white MB 2.16GHz 3GB 320GB 10.6.1
It doesn't matter, don't answer Yes to ANY questions from the Internet.

No, it DOES matter! I've seen pop-ups that LOOK like a message box with a Yes and Cancel button and all, but the whole popup was the Yes button. Even if you clicked the Close button in the top right corner, it would proceed to install the bad thing. (For instance, think about those annoying, floating Flash popups.) The best thing to do (in Windows) is to key Alt + F4 to close the popup when it has focus.
 
Joined
Mar 22, 2007
Messages
1,463
Reaction score
67
Points
48
Location
UK
Your Mac's Specs
Lenovo Z560 Hackintosh -:- '06 iMac -:- iPod Touch 2ndGen
No, it DOES matter! I've seen pop-ups that LOOK like a message box with a Yes and Cancel button and all, but the whole popup was the Yes button.

It's very simple to spot this - if you get a hand-pointer when you hover over the Yes or No buttons then you can tell it's an ad. This is a basic form of security - DO NOT just blindly click on an unsolicited question box without taking a few seconds to work out what it is.

Even if you clicked the Close button in the top right corner, it would proceed to install the bad thing.

Same thing - hover over the X close button - if you get a web-link hand pointer, then it's a popup/ad. Either way, you should not click on an unsolicited question box displayed when you visit a web page, no matter what they look like. Think about it - no Windows message box displays a Hand pointer on any of its buttons, Yes, No, OK or Close.

Another simple method is to adjust your Windows fonts or colours slightly, so spoof message boxes from web pages don't look like your Windows setup and are easier to spot.
 
Joined
Oct 18, 2006
Messages
285
Reaction score
25
Points
28
Word of advice for future reference....

This is what I do on all my VMs...

Set your virtual hard disk to Non Persistent. That way, if you catch a virus or malware, you just reboot and it's gone because all changes are discarded...

All you need to do then is use the shared folder to store any important files and such...
 

Neo


Joined
Aug 14, 2007
Messages
557
Reaction score
25
Points
28
Your Mac's Specs
white MB 2.16GHz 3GB 320GB 10.6.1
It's very simple to spot this - if you get a hand-pointer when you hover over the Yes or No buttons then you can tell it's an ad...
Same thing - hover over the X close button - if you get a web-link hand pointer, then it's a popup/ad. Either way, you should not click on an unsolicited question box displayed when you visit a web page, no matter what they look like. Think about it - no Windows message box displays a Hand pointer on any of its buttons, Yes, No, OK or Close.

Another simple method is to adjust your Windows fonts or colours slightly, so spoof message boxes from web pages don't look like your Windows setup and are easier to spot.

So it DOES matter...
It's still not as simple as you make it out to be.
Yes, the hand pointer is often the GUI default for links, but if you are coding a spoof popup, you can assign different pointer types for different areas of the window (or, in this case, the same pointer type for the whole window).

I like the color-tweak idea! However, since it is well-known where Windows settings are stored, a sophisticated spoof could populate itself with those settings. It's not fool-proof. We need something like...keying Alt + F4.
 
Joined
Jun 25, 2005
Messages
3,231
Reaction score
112
Points
63
Location
On the road
Your Mac's Specs
2011 MBP, i7, 16GB RAM, MBP 2.16Ghz Core Duo, 2GB ram, Dual 867Mhz MDD, 1.75GB ram, ATI 9800 Pro vid
Are you saying he needs to format his whole mac, just for the windows virus?

No. They are saying to just delete the current Win image file, create a new image file and go through the whole install process for Windows on that.
 
Joined
Mar 22, 2007
Messages
1,463
Reaction score
67
Points
48
Location
UK
Your Mac's Specs
Lenovo Z560 Hackintosh -:- '06 iMac -:- iPod Touch 2ndGen
So it DOES matter...
It's still not as simple as you make it out to be.
Yes, the hand pointer is often the GUI default for links, but if you are coding a spoof popup, you can assign different pointer types for different areas of the window (or, in this case, the same pointer type for the whole window).

It depends on how the ad is constructed - with standard inline image ads you certainly can't do that. But... the answer is still not to answer questions like that which appear when you load an internet page. If I get them I simply close the browser tab, 'nuff said. They're BS anyway - a web page cannot know that your machine has a virus or needs optimising, common sense tells you that.

I like the color-tweak idea! However, since it is well-known where Windows settings are stored, a sophisticated spoof could populate itself with those settings. It's not fool-proof. We need something like...keying Alt + F4.

Web pages cannot obtain or adjust system settings, at all.

My answer is just to stay away from sites that contain these spoofs - after 15 years or so, it's served me well.
 
