Guest
There have been enough posts lately regarding how to cleanup an infected PC.
I do this stuff every day. In most cases, it is NOT necessary to reformat and reinstall Windows, but there are some instances when that can be the path of least resistance.
With all of that in mind, here are some straightforward instructions to help you to diagnose and fix common problems with Malware and Viruses.
These instructions apply to Windows-based machines only. All linked software is free.
All of these operations should be run from Windows Safe Mode With Networking, and the computer should be connected via Ethernet cable to the Modem or Router. If you're on dial-up, I have no means of helping you. You need professional counseling.
<span style="font-weight: bold"><span style="text-decoration: underline">Restoring Internet Connectivity:</span></span>
In some cases, the infected machine cannot access the Internet, because the infections have altered system configurations in such a way as to prevent access to resources to remove the problems.
In these cases, it may be necessary to have another computer with Internet access and a USB flash drive. However, be advised that some rootkit infections set themselves up to infect removable drives and then configure themselves to spread when connected to another PC. It's best to use a drive that has a manual write lock, or at least use one that doesn't have anything important on it.
(Edit) - <span style="color: #009900">See ArcticLight's post below on how to reset Internet Explorer's defaults. This may cure the connection problem easily and quickly.</span>
One quick fix to get back Internet access is to check to make sure that the bug hasn't configured the machine to use a false proxy server.
Go to the Control Panel > Internet Options and look under the Connections tab. Click LAN Settings and make sure that there is NOT a check by the option to use a proxy server.
Another common trick of infections is to alter the Windows Networking configuration of LSP's (Layered Service Providers), or Winsock stacks.
Don't worry about the technical stuff here. Just do the following.
<span style="text-decoration: underline">Windows Vista and Windows 7</span>
Go to Start -> Programs -> Accessories -> right click on the Command Prompt and choose Run as administrator.
Type <span style="font-weight: bold">netsh winsock reset</span> in the Command Prompt window, and then press the Enter key.
Restart the computer.
<span style="text-decoration: underline">Windows XP</span>
Go to Start -> Run
Type cmd and press Enter
Type <span style="font-weight: bold">netsh winsock reset</span> in the Command Prompt window, and then press the Enter key.
Restart the computer, IN SAFE MODE with Networking again.
Others will re-write the HOSTS file to block access to search engines and security sites. http://en.wikipedia.org/wiki/Hosts_file
Check to see if Internet Connectivity is restored by opening the Browser and going to www.google.com
If the Internet works, let's proceed. If not, you'll need that USB drive.
Once again, booted to Safe Mode With Networking, do the following:
1. <span style="font-weight: bold">Disable System Restore</span> - Windows XP - Vista/Windows 7
2. <span style="font-weight: bold">Download, Install, and Run Malwarebytes</span> from http://www.malwarebytes.org/ If no Internet, then get the program on a USB drive and install it from there.
Run a full scan and remove everything it finds.
(Advanced users can expedite the scan by manually deleting temp files and temporary Internet files before scanning.)
3. <span style="font-weight: bold">Reboot</span> when prompted and run another scan from Safe Mode.
4. <span style="font-weight: bold">Download, install and update Microsoft Security Essentials</span> from http://www.microsoft.com/security_essentials/
Once updated, run a Full Scan and remove whatever it finds.
5. <span style="font-weight: bold">Reboot and scan again</span> to make sure the machine is clean. You'll want to uninstall all other antivirus programs.
At this point, most machines have been cleaned up, but some just don't go this easy.
A powerful tool called Combofix can help with some of the nastiest infections out there, called rootkits.
http://www.combofix.org/download.php
If Combofix, Malwarebytes, and MSE don't have you fixed up, you're ready for professional help or a full reinstall. Yeah, there's more you <span style="font-style: italic">could</span> do, but from my experiences, you're fighting a losing battle.
When finished, you can turn System Restore back on. It's almost completely useless, but go ahead and do it anyway.
For Advanced users, two more great tools are available for free from Microsoft's Sysinternals site.
http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx
http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx
The first one, Autoruns, shows you every single file that loads when your computer starts up. Since an infection must load in order to run, it will be there. But some have creative ways of disguising themselves as either hardware drivers or legitimate system processes, so you really have to develop a nose for what to look for.
You can also export the results to text file and send them to people like myself and other helpful souls here who may be able to tell you what items to turn off.
Process Explorer, the second utility, can help to shut down malicious processes and regain control of the system in order to proceed with the steps outlined above. But again, the truly nasty ones have a way of hiding themselves from this utility as well.
Another great way to get the upper hand is to remove the infected drive from the machine and scan it with another machine with both utilities mentioned above.
Going even further, there are ways to recover saved clean copies of the Windows registry hives and restore them, replacing the corrupted ones. That's over the heads of most users and some techs.
_________________________________________________
<span style="font-weight: bold">Going Forward - Proactive Protection</span>
I could write all night and still not cover all of the possible ways to clean up a system, but the above will get all but the worst of them.
An ounce of prevention......
Here are some steps that you can take in order to protect against future infections:
<span style="font-weight: bold">Get a watchdog:</span> WinPatrol is a free utility that monitors changes that create new startup entries. It will place itself between the new startup item and you and prompt you to authorize the entry.
http://www.winpatrol.com/
It also features tabs for reviewing startup items and toggling them on or off.
<span style="font-weight: bold">Browse more safely:</span>
Firefox + Adblock Plus + Flashblock = a much safer and more pleasant browsing experience.
<span style="font-weight: bold">Use DNS filters</span>. DNS filters block known malicious sites from ever making it to your browser's window.
Go to https://www.opendns.com/start and choose the free basic service, or you can pay for more advanced services like family content protection, etc.
<span style="font-weight: bold">STOP slumming!</span> This means porn sites, poker sites, free games, free cutesy screensavers with dancing bunnies, and third-grade level file-sharing software like Limewire.
The Internet is no different than any good-sized city in the world. There are tourist areas and there are dangerous areas. Use some common sense.
<span style="font-weight: bold">Alt + F4</span>: The key combination of Alt + F4 can save your butt better than a backup .380 strapped to your ankle. If you get a questionable pop-up or prompt (typical of fake antivirus scams), DO NOT CLICK ANYTHING! Not even Cancel or the Red X.
Instead, use Alt + F4 and close every window that's open.
Immediately reboot the computer and tap F8 for the startup options menu. Choose "Last Known Good Configuration".
Then run a full antivirus scan.
_________________________________
More information:
Sometimes Norton Antivirus doesn't properly uninstall. It's crap software. What do you expect?
Luckily, Symantec has recognized this problem and they now offer removal utilities.
http://service1.symantec.com/support/tsgeninfo.nsf/docid/2005033108162039
Antivirus and Security tools change. At times, I have recommended AVAST!, AVG, Symantec, Spybot Search & Destroy, Adaware, and others.
As of this writing, my top recommendations are Malwarebytes and Microsoft Security Essentials, linked above. Both are free, and they do excellent jobs.
IF you're going to scratch that file-sharing itch, then by all means learn how to do it the right way and the safe way.
Bit torrents and binary Usenet can be complicated to master, but their complexity means that the stupid users aren't there in the heavy numbers like they are with the automated P2P's like Limewire.
Better yet, support bands and artists like Radiohead that have kicked the RIAA to the curb and have taken the bold step of selling their product for market driven prices.
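The post above walks through four manual checks: the proxy checkbox under LAN Settings, the HOSTS file, the Winsock/LSP catalog that <span style="font-weight: bold">netsh winsock reset</span> rebuilds, and the startup entries that Autoruns lists. The script below is an added example, not code from the poster or from any of the tools mentioned; it gathers those same checks into one read-only triage pass so you can see what is wrong before you start resetting things. It assumes Windows 7 or later with PowerShell 5.1, an elevated (Run as administrator) prompt, the default registry and HOSTS locations, and a watch-list of search engine and security vendor names that is my own choice. It reports only; it changes nothing.

```powershell
# Added triage script, not part of the post above. Assumes Windows 7 or later
# with PowerShell 5.1 and an elevated (Run as administrator) prompt, and that
# the registry keys and file paths below are in their default locations.
# It only reports; it changes nothing, so review the output before acting.

# 1. Proxy hijack: this key is what the "Use a proxy server" checkbox under
#    Internet Options > Connections > LAN Settings actually writes.
function Get-ProxyStatus {
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $p = Get-ItemProperty -Path $key
    [pscustomobject]@{
        ProxyEnable   = [int]$p.ProxyEnable    # 1 = checkbox ticked
        ProxyServer   = $p.ProxyServer         # a loopback proxy you never set up is a classic hijack
        AutoConfigURL = $p.AutoConfigURL       # a PAC script URL you never set up is the same trick
    }
}

# 2. HOSTS file: every active line other than the stock localhost entry is
#    reported; search engine / security vendor names, or targets that are not
#    loopback or blackhole addresses, are flagged. The watch-list is an assumption.
function Get-HostsEntries {
    param([string]$Path = "$env:SystemRoot\System32\drivers\etc\hosts")
    $watch = 'google|bing|yahoo|microsoft|windowsupdate|malwarebytes|symantec|mcafee|avast|avg|kaspersky'
    Get-Content -Path $Path | ForEach-Object {
        $line  = ($_ -split '#')[0].Trim()      # strip comments and whitespace
        if ($line -eq '') { return }
        $parts = $line -split '\s+'
        if ($parts.Count -lt 2) { return }
        $ip = $parts[0]
        foreach ($name in $parts[1..($parts.Count - 1)]) {
            if ($name -eq 'localhost' -and ($ip -eq '127.0.0.1' -or $ip -eq '::1')) { continue }
            [pscustomobject]@{
                IP         = $ip
                Host       = $name
                Suspicious = ($name -match $watch) -or ($ip -notmatch '^(127\.|0\.0\.0\.0$|::1$)')
            }
        }
    }
}

# 3. Winsock catalog (the LSP chain): netsh prints one "Provider Path:" line
#    per provider. Stock providers live under %SystemRoot%\system32; anything
#    else is worth identifying before you run "netsh winsock reset".
function Get-WinsockProviders {
    netsh winsock show catalog | ForEach-Object {
        if ($_ -match '^\s*Provider Path:\s*(.+?)\s*$') {
            $path = $Matches[1]
            [pscustomobject]@{
                Path       = $path
                Suspicious = ($path -notmatch '^%SystemRoot%\\system32\\')
            }
        }
    }
}

# 4. Startup entries from the Run/RunOnce keys (the first thing Autoruns
#    shows) with an Authenticode check. Unsigned is not proof of infection,
#    plenty of legitimate software is unsigned, but it is where to look first.
function Get-StartupEntries {
    $keys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($k in $keys) {
        if (-not (Test-Path -Path $k)) { continue }
        $props = Get-ItemProperty -Path $k
        foreach ($prop in $props.PSObject.Properties) {
            if ($meta -contains $prop.Name) { continue }
            $cmd = [string]$prop.Value
            # The executable is either the quoted first token or the first bare token.
            $exe = if ($cmd -match '^\s*"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            $status = if ($exe -and (Test-Path -LiteralPath $exe)) {
                (Get-AuthenticodeSignature -FilePath $exe).Status.ToString()
            } else { 'FileMissing' }
            [pscustomobject]@{
                Key        = $k
                Name       = $prop.Name
                Command    = $cmd
                Signature  = $status
                Suspicious = ($status -ne 'Valid')
            }
        }
    }
}

# Run all four checks and show only the flagged rows.
Get-ProxyStatus      | Format-List
Get-HostsEntries     | Where-Object Suspicious | Format-Table -AutoSize
Get-WinsockProviders | Where-Object Suspicious | Format-Table -AutoSize
Get-StartupEntries   | Where-Object Suspicious | Format-Table Name, Signature, Command -AutoSize
```

Run it from the same Safe Mode with Networking session the post describes, before the fixes, and save the output (append <span style="font-weight: bold">| Out-File triage.txt</span> to each line) so you have a record of what was changed. A "Suspicious" row is a prompt to identify the file or address, not a verdict: a third-party Winsock provider or an unsigned startup binary can be perfectly legitimate, but a proxy at a loopback address you never configured, or a HOSTS line that points a security vendor's name anywhere, is exactly the sabotage the post's reset steps undo.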