In At The Bleep End
Wednesday, August 25, 2004
Cleaning a PC riddled with viruses and other nasties

Someone at work was having serious problems with their home PC, so I offered to look at it for them at work (dinner hour, natch!). Here's a rough rundown of what I did, for reference by anyone who is interested.

* The only clue I had was that the homepage in IE kept reverting to a porn site. This was obviously being done by a browser hijack program. At some point the owners couldn't connect to the internet at all any more.
* Plugged it in, except for the network cable - don't want to expose the network to any nasties!
* Switched it on. Start-up seemed a bit sluggish, but not outrageously so.
* First thing I noticed was that both McAfee and Norton antivirus were on there. Having two antivirus programs is going to slow any machine down. It isn't necessary either - just one of them, kept up to date, should be fine.
* On checking these antivirus programs I found both were using virus definition files that were over a year old.
* By now, everything I did was taking forever. I tried to do Run > msconfig to see the list of startup programs, but it wouldn't have it. I began to think we may have a mixture of nasties on here. Time to wheel out the big guns, methinks.
* So that all the following steps wouldn't take all day, I restarted the machine in Safe Mode (holding down F8 during startup brings up the option for this in XP).
* First up, I put Adaware plus the latest definitions file on a CD, then installed and ran it. I've run this on several work machines before and it usually finds quite a lot of undesirables. Our record so far was 700+ on one machine. On this occasion I was surprised to see it only found 4 items. Then I looked closer and saw that one was W32.Sasser and another was the asianraw dialer. Hmm, not nice. I deleted these with Adaware.
* Next step was to find out if any of the other main viruses were present and kill them. If these two got in then there was a serious probability that others would have also.
* I disabled System Restore, then installed and ran the program Stinger. This finds and removes many of the major viruses in current circulation. In this case it found many instances of around 10 different viruses, including Blaster. This machine was turning out to be a real virus zoo!
* Stinger is good, but it doesn't catch everything. I now needed to bring one of the virus scanners up to date and run a comprehensive check. This was only possible with McAfee, because the DAT files are available for download. I downloaded the latest SuperDAT file using another machine, transferred it across and installed it. A SuperDAT file is one which includes all the latest virus definitions plus the latest version of the scan engine.
* I ran a full system scan with McAfee. It picked up another virus which Stinger had missed. (Note: this one was resident in the Temporary Internet Files folder - I had forgotten that it's a good idea to empty this folder on an infested machine.)
* Now I was reasonably confident that this machine was clean. Next step was to see what I could do to stop it happening again as soon as they got it home!
* XP Service Pack 2 had just come out (for sysadmins, anyway) at the time. The Windows updates on the machine appeared to have stopped at Service Pack 1, so I thought it best to install SP2 and bring them up to speed with the latest patches etc.
* After installing the service pack it became apparent that there was a problem with the built-in firewall. Whatever I tried, it just wouldn't start. It gave an error message which suggested a Winsock problem (error 10047 - can't remember the exact message). At this point the user arrived to take the PC home. I quickly re-enabled System Restore, uninstalled Norton completely and told them they needed to buy a new copy of either Norton or McAfee immediately. I also pointed out the firewall problem and said I wasn't confident they would have an internet connection when they got home.
* The next morning I found out they couldn't connect. They rang their service provider and went through the dial-up settings. All were correct. The helpline suggested they reinstall XP.
* Just before coming home I did a search for something related and found out about a small application called winsockfix. This seemed to be well worth a try for fixing this kind of problem (caused by adware removal). Here's more. I sent the owner away with a copy of this. Next morning they reported it had worked!
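The two things the post had to chase by hand, the IE homepage that kept reverting and the startup list that msconfig wouldn't show, both live in the registry, and on a machine this sluggish it is easier to export those keys and read them on a clean box than to fight the GUI. The Python below is an added example and is not from the original post: it parses a .reg file (the kind `reg export "HKCU\Software\Microsoft\Internet Explorer\Main" ie.reg` produces on XP), flags IE start/search/local pages whose host is not on a short trusted list, and flags Run-key entries that are bare file names (resolved through PATH) or that launch from user-writable directories. The sample export, the hijack hostname and the program names in it are constructed for the example; the trusted-host list and the directory markers are assumptions to adjust per machine.

```python
r"""Triage an exported .reg file for IE page hijacks and suspicious Run-key entries.

Added example, not part of the original post. reg.exe writes the export in
UTF-16; everything here runs offline on the copied file.
"""
import re
from urllib.parse import urlparse

# Constructed sample standing in for exports of the IE Main key and the HKLM
# Run key. The hijack URL and the program names/paths are made up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://hijack.example/start.php"
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
"Local Page"="C:\\WINDOWS\\system32\\blank.htm"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AntiVirus"="\"C:\\Program Files\\Example AV\\shstat.exe\" /STANDALONE"
"updater"="svchost32.exe"
"dialer"="C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\dialer.exe"
'''

# One REG_SZ line: "Name"="data" or @="data". Other types (dword:, hex(2):) are skipped.
_SZ_LINE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    # .reg escapes backslash and double quote with a backslash
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text):
    """Return {key_path: {value_name: data}} for the string values in a .reg export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';') or line.startswith('Windows Registry Editor'):
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _SZ_LINE.match(line)
        if m and current is not None:
            name = '(Default)' if m.group(1) is None else _unescape(m.group(1))
            keys[current][name] = _unescape(m.group(2))
    return keys


def load_reg(path):
    # reg.exe writes UTF-16 with a BOM; the 'utf-16' codec consumes the BOM
    with open(path, encoding='utf-16') as fh:
        return parse_reg(fh.read())


# Assumption: the hosts the default IE pages should point at; add the owner's own homepage.
TRUSTED_PAGE_HOSTS = ('msn.com', 'microsoft.com')
IE_PAGE_VALUES = ('Start Page', 'Default_Page_URL', 'Search Page', 'Local Page')


def page_is_trusted(value):
    v = value.strip().lower()
    if v.startswith('about:'):
        return True
    if '://' in v:
        host = urlparse(v).hostname or ''
        # exact match or subdomain only, so microsoft.com.hijack.example does not pass
        return any(host == d or host.endswith('.' + d) for d in TRUSTED_PAGE_HOSTS)
    return '\\windows\\' in v  # a local file under the Windows directory


def check_ie_pages(keys):
    """Flag IE page values under an Internet Explorer Main key that are not trusted."""
    findings = []
    for key, values in keys.items():
        if not key.lower().endswith('\\internet explorer\\main'):
            continue
        for name in IE_PAGE_VALUES:
            if name in values and not page_is_trusted(values[name]):
                findings.append((key, name, values[name], 'page not on the trusted list'))
    return findings


RUN_KEY_NAMES = ('run', 'runonce', 'runservices', 'runservicesonce')
# Assumption: on an XP box anything launched from these locations deserves a look.
WRITABLE_DIR_MARKERS = ('\\temp\\', '\\temporary internet files\\',
                        '\\documents and settings\\', '%temp%')


def command_exe(cmd):
    """Executable part of a Run-key command line: the quoted path, else the first token.

    An unquoted path with spaces ("C:\\Program Files\\x.exe /y") is truncated at
    the first space; quote such entries before relying on the result."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(None, 1)[0] if cmd else ''


def check_startup(keys):
    """Flag Run/RunOnce entries that are bare file names or run from writable directories."""
    findings = []
    for key, values in keys.items():
        if key.lower().rsplit('\\', 1)[-1] not in RUN_KEY_NAMES:
            continue
        for name, cmd in values.items():
            exe = command_exe(cmd).lower()
            if '\\' not in exe:
                findings.append((key, name, cmd, 'bare file name, resolved through PATH'))
            elif any(marker in exe for marker in WRITABLE_DIR_MARKERS):
                findings.append((key, name, cmd, 'runs from a user-writable directory'))
    return findings


def triage(text):
    keys = parse_reg(text)
    return check_ie_pages(keys) + check_startup(keys)


if __name__ == '__main__':
    for key, name, data, why in triage(SAMPLE_REG):
        print(f'{why}: [{key}] "{name}" = {data}')
```

Run it against the real exports with `triage(open(path, encoding='utf-16').read())` or `load_reg(path)`; the hits are what to look at in msconfig or a hex editor, not an automatic verdict, since a legitimate installer occasionally drops a bare file name into Run too. REG_EXPAND_SZ entries (those with `%SystemRoot%` in them) are exported as `hex(2):` and are skipped here, so check those by eye.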