
Comments


Always interesting to read how others tackle these issues.
The following guide has helped me remove a lot of nasty infections and I swear by it:
http://forums.majorgeeks.com/showthread.php?t=35407

It's not for the novice user, I guess, but it does do the job, and does it well!

Posted by: vincent at January 16, 2009 3:34 PM

A great tutorial. Because, like you indicated, it's difficult to know if every trace of an infection has been removed, I like to add one more step.

I do some additional Internet research to find any instructions available for manually removing said infection. These instructions generally provide a list of malicious files and registry entries to remove. I don't use the manual process unless absolutely necessary. Instead, I use the instructions to compile a checklist for use AFTER running anti-virus/anti-malware scans to ensure that these products have done a complete job.

If they haven't, I'll generally try re-running anti-virus/anti-malware scans from safe mode as sometimes this is necessary to remove files that were running in normal mode.

Finally, if any malicious files/registry entries still exist, I'll remove them manually.

Posted by: KPTECH at January 16, 2009 5:48 PM

Can someone tell me how I would configure the router-behind-the-router method that he refers to? What are the steps and IP addressing setup to make this possible and secure?

Posted by: john at January 19, 2009 12:11 PM

Leo, I do desktop support for a sweepstakes site. We have our own puter forum. I posted your article in there about Malwarebytes. I can't possibly list all the people I help on a daily basis. You give great sound advice and for that I want to personally thank you. I still run into issues, like no page display. And one person is having ActiveX issues, which I am unable to figure out just yet. That XP-trojan appears as a popup, and Comodo antimalware has stopped it before it has entered my puter. But I've cleaned up over 100 puters, all with either Norton/AVG/McAfee. None have stopped this trojan. Malwarebytes is top notch in my book. Looking forward to your emails.

Posted by: fastfreddie1959 at January 20, 2009 9:47 PM

John - good point. I was reading this article and stopped short on that line about a router behind a router as well. Leo - how does one do this? I have been unable to get 2 routers to work like you describe.

If your ISP supports multiple IP addresses (most do NOT): broadband modem to hub, then hub to router 1 and hub to router 2.

If your ISP does NOT support multiple IP addresses, then: broadband modem to router A, then router A to router B, and router A to router C.

In most cases the default router configurations (DHCP/automatic IP assignment) work just fine.

This article has more: How do I protect users on my network from each other?

- Leo
23-Jan-2009

Posted by: Volg at January 22, 2009 10:53 PM

For information on using two routers on a LAN, see this
http://news.cnet.com/8301-13554_3-10049768-33.html

It's the first of three blog postings I wrote on the subject.

Here is part two
http://news.cnet.com/8301-13554_3-10052912-33.html

and part three
http://news.cnet.com/8301-13554_3-10053212-33.html

Posted by: Michael Horowitz at January 23, 2009 9:32 PM

“Antivirus 2009 (and 2008) are viruses that are currently hitting a lot of people, and still being missed by many anti-spyware utilities.”
My opinion, and I will be happy to be corrected if I am wrong, is that Antivirus 2009 (and 2008) are NOT viruses. They may be described as malware but the reason they are not caught by anti-spyware is they are not spyware and anti-virus doesn’t because they are not viruses. Clicking them invites the virus in. So you can appreciate that if the program that gives the warning is not spyware or a virus, the anti-spyware and anti-virus programs one might reasonably expect to catch them do not do so because they do not exhibit spyware or virus activity themselves.
While it might be possible to have them listed in virus and spyware definitions I assume the difficulty to be doing this without the risk of identifying genuine programs as spyware or a virus.
I’d be interested in others' opinions. Especially yours, Leo.

I think it's splitting hairs over whether or not it could be called a virus. It could be caught by anti-virus programs without any more risk of false positives when compared to other viruses.
- Leo
26-Jan-2009

Posted by: Paul Higgins at January 24, 2009 7:37 AM

I run a PC repair business from home and see this all the time. The antivirus/antispyware companies have a hard time keeping up with the variants of this family of pests. They may look the same outwardly but they are changed all the time. Also by their very nature (it's correct that they are not classified as viruses) most security packages don't detect them by default. For example, Kaspersky requires a tickbox to be checked for detection of 'Other Programs'. Of course this may result in false positives when installing or running some benign programs so be aware.

In regards to 'Page cannot be found' issues after cleanup:

1. Reset Internet Explorer's settings completely in 'Tools > Internet Options > Advanced'

2. While in settings, check that the malware hasn't added a proxy server that you don't use/need under Connections > LAN Settings.

3. Check the Security tab to make sure you haven't got unwanted entries in Trusted or Restricted Sites.

4. Run a network protocol/winsock reset program such as WinsockFix for XP. For Vista I don't know if such a program exists but you can do it manually:

   1. Click on the Start button.
   2. Type Cmd in the Start Search text box.
   3. Press the Ctrl-Shift-Enter keyboard shortcut to run Command Prompt as Administrator. Allow the elevation request.
   4. Type netsh winsock reset in the Command Prompt shell, and then press the Enter key.
   5. Restart the computer.

NB: The Internet Settings in Internet Explorer can affect a lot of other programs that use the Net so it's always a good idea to look here first.
Also, security apps like Norton can be 'broken' by malware and the firewall may be blocking traffic. I have found this to be true sometimes even when said firewall is "turned off" but Internet access (and network sharing) worked after uninstalling Norton.

Posted by: JustInspired at February 2, 2009 12:22 AM
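Steps 2 to 4 of the list above (proxy settings, Trusted/Restricted sites, Winsock reset) can be checked from a script instead of the Internet Options dialogs. The PowerShell below is an added example, not code from the comment or from Ask Leo; it assumes the standard HKCU Internet Settings key, the ZoneMap\Domains layout (zone 2 = Trusted, 4 = Restricted), an elevated prompt, and a file name of Audit-IeSettings.ps1 for the usage line.

```powershell
# Added example (not from the comment or Ask Leo). Audit the Internet Explorer
# connection settings the steps above check by hand, then optionally reset Winsock.
# Run from an elevated PowerShell: .\Audit-IeSettings.ps1 [-ResetWinsock]
param([switch]$ResetWinsock)

$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$p = Get-ItemProperty -Path $inet

# Step 2: a proxy server or auto-config (PAC) script can silently redirect all browsing.
if ($p.ProxyEnable -eq 1 -and $p.ProxyServer) {
    Write-Warning "Proxy server enabled: $($p.ProxyServer)"
}
if ($p.AutoConfigURL) {
    Write-Warning "Proxy auto-config script set: $($p.AutoConfigURL)"
}

# Step 3: sites placed in the Trusted (zone 2) or Restricted (zone 4) zone.
# Each host is stored as nested subkeys under ZoneMap\Domains, e.g. example.com\www,
# with one value per scheme (http, https, *) whose DWORD data is the zone number.
$zoneNames = @{ 2 = 'Trusted'; 4 = 'Restricted' }
$domains = Join-Path $inet 'ZoneMap\Domains'
if (Test-Path $domains) {
    Get-ChildItem -Path $domains -Recurse | ForEach-Object {
        $key = $_
        $parts = ($key.Name -replace '.*\\Domains\\', '') -split '\\'
        [array]::Reverse($parts)          # example.com\www -> www.example.com
        $site = $parts -join '.'
        foreach ($scheme in $key.GetValueNames()) {
            $zone = $key.GetValue($scheme)
            if ($zone -is [int] -and $zoneNames.ContainsKey($zone)) {
                '{0,-10} {1,-6} {2}' -f $zoneNames[$zone], $scheme, $site
            }
        }
    }
}

# Step 4: the manual Vista procedure from the comment; needs elevation and a reboot afterwards.
if ($ResetWinsock) {
    netsh winsock reset
}
```

The same key layout exists under HKLM:\ for machine-wide zone entries, so on a domain-managed PC run the zone part against both hives.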

Hi, Leo,

Thanks for an interesting article.

Perhaps your friends had a boot sector virus that the antivirus software was not detecting. Rubbing out a boot sector virus may involve rewriting the Master Boot Record, and this can cause a loss of partition information, rendering the disk unbootable.

So you are right; prevention is the best remedy.

Posted by: Bob at February 19, 2009 6:23 PM

Hi Leo,

Very good article; I would like to add one more step with regards to the "cleaning".

In the past, I used to help a few friends with infected machines. One thing I always did (at the beginning of the process) was checking the "startup" in "msconfig" (Windows XP). I noticed sometimes that a clean machine (...) was dirty again after reboot. Unchecking suspicious progs in the startup first and THEN doing the necessary scanning/cleaning/scanning etc. worked for me (on some occasions).

One example: remember the Blaster virus some 5 years ago. One of the things it did was shut your PC down after 10 secs (or something). Changing the startup and turning the thing off (forgot the name) was the first step to keep the machine running and perform the necessary cleaning steps.

From the old days, but possibly of some use...

Kind regards!

Rien Snijder

Holland.

Posted by: Rien Snijder at February 25, 2009 2:08 AM
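The msconfig Startup check described in the comment above can be done from a script that lists the same Run/RunOnce and Startup-folder entries. The PowerShell below is an added example, not code from the comment or from Ask Leo; the "suspect" heuristic (a command launching from a temp or profile folder) is this example's own assumption, not a rule from the page, and the script only reports, it disables nothing.

```powershell
# Added example (not from the comment or Ask Leo). List the autostart entries
# that msconfig's Startup tab shows (Run/RunOnce keys and the Startup folders)
# and flag commands launching from user-writable folders, where malware usually
# drops itself. Review the output before unchecking anything in msconfig.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Heuristic only (assumption): a legitimately installed program rarely starts from these.
$suspectDirs = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $env:PUBLIC) | Where-Object { $_ }

function Test-SuspectPath([string]$Command) {
    foreach ($d in $suspectDirs) {
        if ($Command -like "*$d*") { return $true }
    }
    return $false
}

$entries = @(foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    $props = Get-ItemProperty -Path $k
    foreach ($name in $props.PSObject.Properties.Name) {
        if ($name -like 'PS*') { continue }   # skip the provider's own PSPath etc.
        [pscustomobject]@{ Source = $k; Name = $name; Command = $props.$name }
    }
})

# Startup folders: resolve .lnk shortcuts so the heuristic sees the real target.
$shell = New-Object -ComObject WScript.Shell
foreach ($f in @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
    if (-not (Test-Path $f)) { continue }
    foreach ($file in Get-ChildItem -Path $f -File) {
        $cmd = if ($file.Extension -eq '.lnk') { $shell.CreateShortcut($file.FullName).TargetPath } else { $file.FullName }
        $entries += [pscustomobject]@{ Source = $f; Name = $file.Name; Command = $cmd }
    }
}

$entries |
    Select-Object Source, Name, Command, @{ n = 'Suspect'; e = { Test-SuspectPath $_.Command } } |
    Sort-Object Suspect -Descending |
    Format-Table -AutoSize -Wrap
```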