
A friend brought me his machine infected with several viruses. I'll review the steps I took to clean it up.

In a previous article, Why won't this "Your Computer Is Infected" warning go away? I described some of the symptoms I was faced with when a friend called me for help on his infected machine.

It was seriously infected by one, if not more, of the currently common forms of malware.

As an example of some of the steps you might consider if faced with a similar situation, let me describe what I did.

But First, a Disclaimer

I need to reiterate that once a machine has been infected by anything, the only way to know that it is no longer infected is to reformat it, reinstall Windows and all your applications from scratch, make sure everything is up to date, and then restore your data from backups.

It's a huge pain, but the only way to be absolutely certain.

So, at the risk of having missed something (which you'll see actually did happen), I elected to try the more common "can't we just clean it?" approach.


Initial Steps

One of the symptoms that my friend mentioned was something about a message including the phrase "antivirus 2009". Antivirus 2009 (and 2008) are rogue anti-virus programs, a form of malware that is currently hitting a lot of people and still being missed by many anti-spyware utilities. Thanks to reader comments on an earlier article, How can an infection like Antivirus XP 2008 happen? I knew exactly where to start: Malwarebytes. This anti-malware software is a relatively new player, and has garnered a lot of good buzz. It was time for me to try it.

However, before even getting that far, I had a known infected machine on my hands, and the one thing I did not want to do was connect that machine to my local network for fear of the virus spreading to my other machines. Instead, I left the machine disconnected and took a spare external hard drive and copied a number of tools, including the latest Malwarebytes installer. I then connected that to the infected machine and installed from there. Once connected to the infected machine, of course, that external drive could also no longer be trusted, and hence could no longer be safely connected to one of my machines until erased.
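A way to tell whether the tools drive was written to while it was attached to the infected machine, as an added example (this is not code from the article; the file names in it are constructed): hash every file on the drive on the clean machine before it leaves, keep that manifest off the drive, and compare when the drive comes back. A changed, missing or new file means the infected host touched the drive and it should be wiped rather than trusted. A clean comparison is still not proof, since it only covers the files you hashed, not the boot sector or the device's firmware.

```python
"""Hash manifest for a tools drive that has to touch an infected machine.

Build the manifest on a known-clean machine before the drive leaves, keep that
manifest OFF the drive, and verify against it when the drive comes back. Any
file that changed, appeared or vanished means the infected host wrote to the
drive. Added example, not code from the article; file names are constructed.
"""
import hashlib
import json
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.json"


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large installers need not fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative, POSIX-style path) to its digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.name != MANIFEST_NAME
    }


def save_manifest(manifest: dict, dest: Path) -> None:
    """Write the manifest somewhere on the clean machine, never on the drive itself."""
    dest.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def verify_manifest(root: Path, trusted: dict) -> dict:
    """Diff the drive's current state against a manifest stored on the clean machine.

    A manifest read back from the drive proves nothing: whatever rewrote the
    tools could have rewritten the manifest sitting next to them.
    """
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in trusted if k in current and current[k] != trusted[k]),
        "missing": sorted(k for k in trusted if k not in current),
        "added": sorted(k for k in current if k not in trusted),
    }


def demo() -> dict:
    """Constructed scenario: an autorun.inf appears and the installer gets patched."""
    with tempfile.TemporaryDirectory() as d:
        tools = Path(d) / "tools"
        tools.mkdir()
        (tools / "mbam-setup.exe").write_bytes(b"installer bytes (constructed)")
        (tools / "notes.txt").write_bytes(b"copied on the clean machine")
        trusted = build_manifest(tools)  # this copy stays on the clean machine

        # ... the drive visits the infected machine and comes back ...
        (tools / "mbam-setup.exe").write_bytes(b"installer bytes (constructed)\x90\x90")
        (tools / "autorun.inf").write_bytes(b"[autorun]\r\nopen=mbam-setup.exe\r\n")
        return verify_manifest(tools, trusted)


if __name__ == "__main__":
    print(demo())  # {'modified': ['mbam-setup.exe'], 'missing': [], 'added': ['autorun.inf']}
```

Run it on the real drive by pointing build_manifest at the drive's mount point before it leaves and verify_manifest at the same mount point when it returns, passing the manifest you kept on the clean machine.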

One thing I did not need to do immediately was back up the machine. My friend had an external drive of his own, and had been running the backup software that had come with the drive. While it might end up "backing up" the infection as well, it at least had all the data. More on the backup drive below.

Scanning, and Scanning Again

Malwarebytes Anti-Malware

The initial "quick scan" with Malwarebytes turned up over 30 separate infected files and settings. I had it quarantine those and ran the scan again, where it turned up only 2. This actually raises a good point: when scanning, always scan and rescan until the count of infections you care about reaches zero. I say "infections you care about", because depending on the tool you're running things like tracking cookies aren't worth worrying about or re-scanning for.

At this point, the anti-virus program pre-installed on the machine (Norton) also indicated that it had found something, and as such needed to reboot to finish cleaning up. I did, it did, I re-ran Malwarebytes and all was clean.

Since my friend was waiting in my living room, I sent the machine home with the same warning with which I started this article: it may appear clean, but the only way to be absolutely positive would be a reformat and a reinstall, which we're avoiding for now. Something certainly may have been missed.

It's probably a good thing I said that.

My Mistakes - More Intensive Recovery

The next day my friend called and indicated that he could no longer log into his machine. It had worked great that morning, but in the afternoon any attempt to log in appeared to work, but then immediately logged him out.

I told him to bring the machine, but to plan on leaving it for the weekend.

This time I took several, more time-consuming steps:

  • I ran SpinRite. Not for anything malware related, it's just something that made sense to run overnight once the machine was going to be here for a while. (Though, occasionally, boot issues can be the result of hard disk issues that SpinRite can clear up.) The disk scanned clean with no problems at all.

  • I ran Memtest86. The machine had recently had additional memory added to it, and I wanted to rule out bad memory as a potential problem. Test passed.

  • I did a little research and ended up digging up my own Dell Windows installation (not repair) disk, and booting from that to get into the Recovery Console. Once there, I was able to restore a copy of c:\windows\system32\userinit.exe from the installation CD. That file having gone missing was the cause of the immediate logout on login: userinit.exe is the program Winlogon runs to set up the user's session, and when it can't be started the session ends as soon as it begins. Chances are it went missing by virtue of having been infected, after which an anti-malware scan quarantined it. (If the file is present and the symptom persists, the other thing to check is the Userinit value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, which should read C:\WINDOWS\system32\userinit.exe, with the trailing comma; malware frequently rewrites it to point at itself.) I could log in again.

  • I performed a complete system image backup to a spare external drive.

  • I turned off System Restore.

  • I cleared all temporary files, and cleared Internet Explorer's cache.

  • I ran alternating full disk (not "quick") scans by both Malwarebytes and Norton until both showed clean. Twice.

  • I set up a private network behind a second router specifically for this machine, so that I could connect it to the internet for updates without putting any of my own machines at risk.

  • I updated both Malwarebytes and Norton, and once again ran full disk scans until both showed clean.

  • I rebooted the machine a time or two, since some of the malicious behavior seemed to "kick in" after a reboot. No bad behavior resulted.

  • I let the machine sit overnight, connected to the internet. One of the vague reports was that the machine would sometimes show malicious behavior after it had been sitting for "a while", perhaps due to uncaught malware "reaching out" to the internet and infecting the machine more deeply. This also allowed the anti-malware software on the machine to perform its normal updates and scans. Nothing bad happened.

  • I reconnected the backup drive and scanned it with both Malwarebytes and Norton. Surprisingly, no infections were found at all. More on this below.

  • Finally, I defragged the hard drive, just because.
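The userinit.exe step above is a place where a quick check beats guessing. The following is an added example, not a tool from the article: it audits the two Winlogon values that decide what runs at logon, flags a Userinit target that has been quarantined (the exact "logs in, then immediately logs out" failure described above), and flags any extra program chained onto Userinit or Shell. It reads the live registry only on Windows; everywhere else it works on values you pass in, and the sample values in it are constructed.

```python
"""Audit the Winlogon registry values that decide what runs at logon.

Being logged straight back out after a successful logon happens when
userinit.exe is gone (for example quarantined by a scanner after being
infected) or when the Userinit value has been pointed at something else.
Added example, not code from the article. Reads the live registry on Windows
only; otherwise pass values in. Sample values below are constructed.
"""
import os
import re
import sys

WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
EXPECTED_USERINIT = r"%SystemRoot%\system32\userinit.exe"
EXPECTED_SHELL = "explorer.exe"


def _norm(entry: str, system_root: str) -> str:
    """Make variants comparable: trim, drop quotes, expand %SystemRoot%, lower-case."""
    e = entry.strip().strip('"')
    e = re.sub(r"%systemroot%", lambda _m: system_root, e, flags=re.IGNORECASE)
    return e.replace("/", "\\").lower()


def audit_winlogon(userinit: str, shell: str, system_root: str = r"C:\WINDOWS",
                   exists=os.path.exists) -> list:
    """Return a list of findings; an empty list means the values look stock.

    `exists` is injectable so the logic can be exercised off-Windows; on a live
    system leave it at os.path.exists.
    """
    findings = []
    expected = _norm(EXPECTED_USERINIT, system_root)

    # Userinit is a comma-separated list; Windows runs every entry in it.
    entries = [e for e in (_norm(x, system_root) for x in userinit.split(",")) if e]
    if not entries:
        findings.append("Userinit is empty; no user session will be set up")
    for e in entries:
        if e in (expected, "userinit.exe"):
            target = expected if e == "userinit.exe" else e
            # Value intact but file quarantined: logon succeeds, session ends at once.
            if not exists(target):
                findings.append(f"Userinit target is missing: {target}")
        else:
            findings.append(f"Userinit runs an unexpected program: {e}")

    shells = [e for e in (_norm(x, system_root) for x in shell.split(",")) if e]
    for s in shells:
        if s not in (EXPECTED_SHELL, _norm(r"%SystemRoot%\explorer.exe", system_root)):
            findings.append(f"Shell runs an unexpected program: {s}")
    return findings


def read_live_values() -> tuple:
    """Windows only: read both values from HKLM (reading needs no admin rights)."""
    import winreg  # only available on Windows
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        userinit, _ = winreg.QueryValueEx(key, "Userinit")
        shell, _ = winreg.QueryValueEx(key, "Shell")
    return userinit, shell


if __name__ == "__main__":
    if sys.platform == "win32":
        ui, sh = read_live_values()
        root = os.environ.get("SystemRoot", r"C:\WINDOWS")
        print(audit_winlogon(ui, sh, root) or ["Winlogon values look stock"])
    else:
        # Constructed sample: a second program chained after the real userinit.exe.
        print(audit_winlogon(r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\Temp\svchosts.exe,",
                             "explorer.exe", exists=lambda p: True))
```

On a machine that won't stay logged in, run this from the Recovery Console's registry hive on another machine, or from a boot CD that can read the hive, rather than from the broken logon itself; the fix for a missing target is the restore from installation media described above, and the fix for a tampered value is to set it back to the default shown in the constants.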

This time I was fairly certain (though not absolutely positive) that the machine was clean. So far, a few days later, things seem to be well.

What was different about my second attempt that made it more successful than the first?

  • Full disk versus "quick" scans

  • Turning off system restore

  • Cleaning out temporary and cache files

  • Setting up a safe network connection that allowed the anti-malware packages to update to their latest databases.

Perhaps one or more of those made a difference, perhaps something else.

About that External Hard Disk

I fully expected the external drive to be infected, particularly once I saw that the backup program was keeping copies as ordinary files on a normal Windows filesystem rather than in a proprietary archive format. That didn't happen.

What I discovered was that the backup that had been run was backing up documents only. Specifically, it was backing up the "My Documents" folder, and a few other things. It was not backing up the entire system. If the system or hard disk ever dies, the only recourse will be to reinstall Windows and applications from scratch. Data saved in "My Documents" can then be recovered from the backup.

This is a valid choice of backup approaches, but it should be a conscious one. For this type of situation, I actually prefer an image backup, since in the case of hardware failure it can be used to restore a system completely without having to wade through a lengthy reinstall process.

Lesson: don't assume your backup is backing up what you think it is. Confirm that it's doing what you want.

Epilogue

The day after returning the machine I got a call from my friend. He'd received an email from his ISP indicating that there had been reports of "malicious activity and spam" originating from his connection. All in all, not very surprising, considering his previously infected machine.

The "twist" was that the ISP had blocked outgoing port 25 on his connection - meaning he could no longer send mail, and neither could any malware. (Hence the phone call as opposed to email.)

The ISP had instead opened up port 587 (the mail submission port) and configured it to require authentication. Personally, I find this a very appropriate response on his ISP's part - it blocks spambots, which rely on unauthenticated port 25 connections, but gives people a way to continue to send email. (Tip of the hat to Comcast on this issue.)
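To show why the port-25 block plus an authenticated port 587 stops a spambot without stopping the owner, here is an added example, not the article's code and not the ISP's configuration: a minimal model of the server side of an SMTP submission session (AUTH PLAIN per RFC 4954, submission per RFC 6409) that refuses MAIL FROM until the client has authenticated. A bot that simply connects and starts spamming gets a 530 and nothing leaves; a mail client configured with the account's credentials, as Outlook Express was over the phone, gets through. The account name and password are constructed.

```python
"""Model of an authenticated SMTP submission session (port 587 policy).

Added example, not the article's code nor the ISP's configuration. The server
answers each client command; on the submission port MAIL FROM is refused until
AUTH has succeeded, which is what shuts out a bot that never authenticates.
Credentials below are constructed.
"""
import base64
import hmac

# Constructed account; a real submission server consults its user database.
ACCOUNTS = {"leo@example.com": "correct horse battery staple"}


class SubmissionSession:
    """Tracks one client's state and returns the server reply for each command."""

    def __init__(self, require_auth: bool = True):
        # True models port 587. False models the direct-to-port-25 delivery a
        # spambot uses, where no relay ever asks it to authenticate.
        self.require_auth = require_auth
        self.authenticated = False
        self.sender = None
        self.recipients = []

    def handle(self, line: str) -> str:
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            return "250-mail.example.net\r\n250 AUTH PLAIN"
        if verb == "AUTH":
            return self._auth(arg)
        if verb == "MAIL":
            if self.require_auth and not self.authenticated:
                return "530 5.7.0 Authentication required"
            self.sender = arg
            return "250 2.1.0 OK"
        if verb == "RCPT":
            if self.sender is None:
                return "503 5.5.1 MAIL first"
            self.recipients.append(arg)
            return "250 2.1.5 OK"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "500 5.5.1 Command unrecognized"

    def _auth(self, arg: str) -> str:
        mech, _, blob = arg.partition(" ")
        if mech.upper() != "PLAIN" or not blob:
            return "504 5.5.4 Unrecognized authentication type"
        try:
            # AUTH PLAIN payload is base64("authzid\0authcid\0password").
            _authz, user, password = base64.b64decode(blob).decode().split("\0")
        except (ValueError, UnicodeDecodeError):
            return "501 5.5.2 Cannot decode credentials"
        expected = ACCOUNTS.get(user)
        if expected is not None and hmac.compare_digest(expected.encode(), password.encode()):
            self.authenticated = True
            return "235 2.7.0 Authentication succeeded"
        return "535 5.7.8 Authentication credentials invalid"


def plain_token(user: str, password: str) -> str:
    """What a mail client sends after 'AUTH PLAIN' for this user and password."""
    return base64.b64encode(f"\0{user}\0{password}".encode()).decode()


def run_exchange(commands, require_auth: bool = True) -> list:
    """Feed commands to a fresh session; return (command, reply) pairs in order."""
    s = SubmissionSession(require_auth)
    return [(c, s.handle(c)) for c in commands]


if __name__ == "__main__":
    bot = ["EHLO zombie", "MAIL FROM:<spam@example.org>", "QUIT"]
    owner = ["EHLO home-pc",
             "AUTH PLAIN " + plain_token("leo@example.com", "correct horse battery staple"),
             "MAIL FROM:<leo@example.com>", "RCPT TO:<friend@example.org>", "QUIT"]
    for cmd, reply in run_exchange(bot) + run_exchange(owner):
        print(f"C: {cmd}\nS: {reply}")
```

Two things the model leaves out on purpose: a real submission server offers AUTH only after STARTTLS, so the PLAIN token is never sent in the clear, and it throttles or locks accounts after repeated 535s, since a bot with a stolen password is the next thing the ISP has to worry about.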

I walked him through reconfiguring Outlook Express over the phone, and moments later I received an email from him.

At this writing, about a week after it all started, all appears clear.

How Did This Happen?

I honestly don't know.

On the surface, the machine had appropriate safeguards in place and they were all configured appropriately.

My guess, and it is only a guess, is that a website popped up a fake message that looked enough like a system message to fool my friend into clicking on it. Who knows what was installed on his system, but with that foot in the door all bets were off thereafter.

Perhaps the strongest lesson I can take away from this experience reiterates some of what I said in a previous article: it's important to know what's running on your system and know what messages to recognize as legitimate.

And to, above all, be skeptical.

Article C3622 - January 16, 2009

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.


12 Comments
vincent
January 16, 2009 3:34 PM

Always interesting to read how others tackle these issues.
The following guide has helped me remove a lot of nasty infections and I swear by it:
http://forums.majorgeeks.com/showthread.php?t=35407

It's not for the novice user, I guess, but it does do the job, and does it well!

KPTECH
January 16, 2009 5:48 PM

A great tutorial. Because, like you indicated, it's difficult to know if every trace of an infection has been removed, I like to add one more step.

I do some additional Internet research to find any instructions available for manually removing said infection. These instructions generally provide a list of malicious files and registry entries to remove. --I don't use the manual process unless absolutely necessary. Instead, I use the instructions to compile a checklist for use AFTER running anti-virus/anti-malware scans to ensure that these products have done a complete job.

If they haven't, I'll generally try re-running anti-virus/anti-malware scans from safe mode as sometimes this is necessary to remove files that were running in normal mode.

Finally, if any malicious files/registry entries still exist, I'll remove them manually.

john
January 19, 2009 12:11 PM

Can someone tell me how I would configure the router-behind-a-router method that he refers to? What are the steps and IP addressing setup to make this possible and secure?

fastfreddie1959
January 20, 2009 9:47 PM

Leo, I do desktop support for a sweepstakes site. We have our own puter forum.
I posted your article in there about Malwarebytes. I can't possibly list all the people I help on a daily basis. You give great sound advice and for that
I want to personally thank you. I still run into issues..
Like no page display... And one person is having ActiveX issues.
Which I am unable to figure out just yet. That xp-trojan appears as a popup.
And Comodo antimalware has stopped it before it has entered my puter.
But I've cleaned up over 100 puters all with either Norton/AVG/McAfee.
None have stopped this trojan. Malwarebytes is top notch in my book.
Looking forward to your emails.

Volg
January 22, 2009 10:53 PM

John - good point. I was reading this article and stopped short on that line about router behind a router as well. Leo - how does one do this? I have been unable to get 2 routers to work like you describe.

If your ISP supports multiple IP addresses (most do NOT): broadband modem to hub, then hub to router 1 and hub to router 2.

If your ISP does NOT support multiple IP addresses then: broadband modem to router A, then router A to router B, and router A to router C.

In most cases default router configurations (DHCP/automatic IP assignment) works just fine.

This article has more: How do I protect users on my network from each other?

- Leo
23-Jan-2009

Michael Horowitz
January 23, 2009 9:32 PM

For information on using two routers on a LAN, see this
http://news.cnet.com/8301-13554_3-10049768-33.html

Its the first of three blog postings I wrote on the subject.

Here is part two
http://news.cnet.com/8301-13554_3-10052912-33.html

and part three
http://news.cnet.com/8301-13554_3-10053212-33.html

Paul Higgins
January 24, 2009 7:37 AM

“ Antivirus 2009 (and 2008) are viruses that are currently hitting a lot of people, and still being missed by many anti-spyware utilities.”
My opinion, and I will be happy to be corrected if I am wrong, is that Antivirus 2009 (and 2008) are NOT viruses. They may be described as malware but the reason they are not caught by anti-spyware is they are not spyware and anti-virus doesn’t because they are not viruses. Clicking them invites the virus in. So you can appreciate that if the program that gives the warning is not spyware or a virus, the anti-spyware and anti-virus programs one might reasonably expect to catch them do not do so because they do not exhibit spyware or virus activity themselves.
While it might be possible to have them listed in virus and spyware definitions I assume the difficulty to be doing this without the risk of identifying genuine programs as spyware or a virus.
I’d be interested in others opinions. Especially yours, Leo.

I think it's splitting hairs whether or not it could be called a virus. It could be caught by anti-virus programs without any more risk of false positives when compared to other viruses.
- Leo
26-Jan-2009

JustInspired
February 2, 2009 12:22 AM

I run a PC repair business from home and see this all the time. The antivirus/antispyware companies have a hard time keeping up with the variants of this family of pests. They may look the same outwardly but they are changed all the time. Also by their very nature (it's correct that they are not classified as viruses) most security packages don't detect them by default. For example, Kaspersky requires a tickbox to be checked for detection of 'Other Programs'. Of course this may result in false positives when installing or running some benign programs so be aware.

In regards to 'Page cannot be found' issues after cleanup:

1. Reset Internet Explorer's settings completely in 'Tools > Internet Options > Advanced'

2. While in settings, check that the malware hasn't added a proxy server that you don't use/need under Connections > LAN Settings.

3. Check the Security tab to make sure you haven't got unwanted entries in Trusted or Restricted Sites.

4. Run a network protocol/winsock reset program such as WinsockFix for XP. For Vista I don't know if such a program exists but you can do it manually:

1. Click on Start button.
2. Type Cmd in the Start Search text box.
3. Press Ctrl-Shift-Enter keyboard shortcut to run Command Prompt as Administrator. Allow elevation request.
4. Type netsh winsock reset in the Command Prompt shell, and then press the Enter key.
5. Restart the computer.

NB: The Internet Settings in Internet Explorer can affect a lot of other programs that use the Net so it's always a good idea to look here first.
Also, security apps like Norton can be 'broken' by malware and the firewall may be blocking traffic. I have found this to be true sometimes even when said firewall is "turned off" but Internet access (and network sharing) worked after uninstalling Norton.

Bob
February 19, 2009 6:23 PM

Hi, Leo,

Thanks for an interesting article.

Perhaps your friend had a boot sector virus that the antivirus software was not detecting. Rubbing out a boot sector virus may involve rewriting the Master Boot Record, and this can cause a loss of partition information, rendering the disk unbootable.

So you are right; prevention is the best remedy.

Rien Snijder
February 25, 2009 2:08 AM

Hi Leo,


very good article; I would like to add 1 one more step with regards to the "cleaning"

In the past, I used to help a few friends with infected machines. One thing I always did (in the beginning of the process) was checking the "startup" in "msconfig" (Windows XP).
I noticed sometimes that a clean machine (...) was dirty again after reboot. Unchecking suspicious progs in the startup first and THEN doing the necessary scanning/cleaning/scanning etc. worked for me (on some occasions).

One example: remember the blaster virus some 5 years ago. One of the things was your pc shut itself down after 10 secs (or something). Changing the startup and turn the thing off (forgot the name) was the first step to keep the machine running and perform the necessary cleaning steps.


From the old days but possibly of any use.......

Kind regards!


Rien Snijder


Holland.

Jarvis White
March 17, 2010 4:05 PM

I may have missed something through your articles, but haven't found reference to it. But this seems like a good place to ask this question:
Many of the new computers make a "D" partition that holds the equivalent of a Restore Disk, that used to be common practice to come with a new machine. My question is: if a machine is contaminated with viruses and/or malware, is the "Rebuild Partition" also infected.
Thanks!

Good point, and one deserving of a new article: Can a recovery partition be infected? (Preview answer: yes!)
Leo
19-Mar-2010

Yeppers
October 31, 2010 9:42 PM

Leo, I learned – the hard way – that when you turn off System Restore, you not only disable System Restore but also delete all the restore points. What was your primary reason for turning it off as mentioned in this article: Was it because anti-malware software, even in Full Scan mode, cannot scan the restore points in the System Volume Information folder? Or were you just concerned that there may be a copy of an infected file in the restore points which may be missed (or otherwise not quarantined) by the anti-malware software? Thanks…

I disable system restore because it's redundant with a good backup system, and system restore does not restore everything that people really want restored. Again, a good backup system does that.
Leo
01-Nov-2010
