Treating Infected Systems

by Amit Zinman [Published on 17 Feb. 2005 / Last Updated on 17 Feb. 2005]

So your computer has a virus, a Trojan, or one of the other growing range of pests, what do you do?

Introduction

Most of us Windows users are by now painfully aware of what a computer infection looks like. It now takes all shapes and forms and has different words that indicated how you got it, the level of the risk, and how it can spread further. Some infections will produce annoyances such as Internet Explorer home page hijacking and some will trash your files. The software infecting your computer is now sometimes given the broad term "malware".

Network administrators today face the fact that their firewall will not protect them from Trojans. Even patching all your machines might not protect a computer where a user decided to download a malicious program. Nowadays, through group policy you can control more of the computing environment but when you have diverse operating systems and laptops that go to people's houses you might not have as much control as you would like to.

My article will provide you with several tools that can help you take care of such infections in an infected machine should you come by one and provide an alternative to the "Format you hard drive" method that works very well but might sometimes not be the best or even a viable option. It can come real handy if, for example, your CEO can spare you her computer only for a an hour or so before she flies off again, to fix those annoying IE pop-ups she is getting all the time.

Network Activity

One of the easiest ways to find out which file infected your computer is by identifying which process tries to access the internet most. You should close all file sharing and other applications to find this.

A handy freeware utility for doing is is TCPView from Sysinternals available here:

http://www.sysinternals.com/ntw2k/source/tcpview.shtml

Running it shows a typical virus that you could find on any unpatched Windows XP or 2000 machine moments after connecting to the Internet.

You can also terminate a process by right click it and choosing "End Process" instead of using the Windows Task Manager.

You can use the System Configuration Utility to stop the virus from running. Please note the button allowing you to launch System Restore process. If you have a valid checkpoint which you know to be before the infection you should use it to restore the registry and other important files.

Finally, you can delete the file itself from the hard drive.

Note that some viruses use the system restore mechanism of Windows XP to re-infect the machine if you delete their executable. To disable system restore in Windows XP you need to access Control Panel -> System -> System Restore.

Check the "Turn off System Restore" or "Turn off System Restore on all drives" check box.

As you can see this will delete the restore points so only do this if you do not want to use system restore to return your system to a state it was prior to the infection.

Internet Explorer Hijacking

With Windows versions before XP SP2 and 2003 SP1 it was pretty easy to click something and get all kind of Internet Explorer "add-ons" and other hidden utilities which change the default IE search and home page, and hijack it again when you attempt to change it back. Resetting this using IE's Internet Options might not help.

If you install Windows XP SP2 you can manage IE add-ons using the new Add-On Manager. For more information about this follow this link:

http://www.microsoft.com/windowsxp/using/web/sp2_addonmanager.mspx

If you have a previous version you can use ToolbarCop, a freeware utility available here:

http://windowsxp.mvps.org/toolbarcop.htm

Like MSConfig, it can also delete processes that run when the operating system loads, but it can also disable IE add-ons.

Anatomy of an Infection

To prepare this article I installed Windows XP with SP1 and no patches. I surfed a few porn sites (though, strictly speaking, I'm against porn), answered a few dialog boxes, and presto, as the following screenshots show I had my IE hijacked and my computer infected with all kinds of pests.

TCPView showed a lot of network activity as well:

So I ran Toolbar cop and found more than 12 components to delete.

Most of these are Trojans. The difference between Trojans and viruses in this case is that seeing that I specifically surfed to certain web sites and said "yes" on the download dialog boxes the blame is on me unlike the previous example where the virus was using my unpatched Windows version to propagate itself.

But, to be frank, at this point, trying to delete all these Trojans with ToolbarCop, or trying to hunt for them through the registry becomes an impossibility. They work together, staying resident in memory, so once you delete them you can count to five and back they are.

So to fight them you need a good anti-virus which knows how to handle Trojans as well.

As some of you might know there are some online anti-viruses available on the web. Here is a list of a few of them:

http://housecall.trendmicro.com/housecall/start_corp.asp

http://www.pandasoftware.com/activescan/com/activescan_principal.htm

Today, almost every major anti-virus provider has one. These online anti-viruses work only with Microsoft's Internet Explorer by downloading an ActiveX control to your computer, which is essentially a program like any other which uses IE as its interface.

However when it comes to Trojans, my experience shows that these online anti-viruses cannot clean them. The next screenshot shows such a failure. The cause is probably a limitation of ActiveX technology.

There are also free anti-viruses and Trojan busters available for download on the web. I recommend starting with installing a good anti-virus. My personal favorite is AntiVir Guard from H+BEDV Datentechnik, a German company. It is most suitable for treating a system which is already infected because it about 5MB in size and downloads with the latest signature. Other anti-viruses rely on connecting to the web right after installation. Some viruses and Trojans recognize this and prevent this update from happening. AntiVir guard is also pretty good with handling Trojans and is updated daily.

You can download the freeware version of AntiVir Guard here:

http://www.avup.de/personal/en/avwinsfx.exe

To make sure AntiVir deleted all harmful components from your computer you should run its main program and choose Options -> Configuration. The following screenshots show my recommended configuration.

You might have to run the program's scan a few times and perform a few restarts before the system cleans.

You can find other free antivirus on the Nonags web site:

http://www.nonags.com/nonags/antivirus.html

Sometimes you need to use a combination of anti-viruses to really disinfect a system. To complement your antivirus you can install the freeware Lavasoft Ad-aware SE which specifically scans for Trojans, Adaware, Backdoors and Dialers. If you don't recognize all these terms, don't worry. They are all basically words for a piece of harmful software that needs to be erased from your computer.

http://www.lavasoftusa.com/support/download/

Another free Trojan remover is Spybot downloadable through this link:

http://www.safer-networking.org/en/mirrors/index.html

As with the Anti-virus you might have to run these utilities a few times and do a couple of reboots.

If you're having problems connecting to websites your hosts file might have been altered. This files tells your machine where to find websites and ignore your ISP or internal DNS server.

This file is located on Windows NT/2000/XP/2003 machines at <Windows installation directory>\system32\drivers\etc directory.

To fix it simply delete all of its contents and leave it with the following default:

Installing the latest service pack and updating through http://windowsupdate.microsoft.com might help prevent re-infections during the removal process.

If you find that Windows Update has been disabled by one of the Trojans or viruses you can download Windows XP SP2 here:

http://www.microsoft.com/downloads/details.aspx?FamilyID=049c9dbe-3b8e-4f30-8245-9e368d3cdb5a&displaylang=en

Another tool that can help you during an infection and can definitely be used as a preventive tool is IE-SPYAD which blocks known sites which adds websites to your registry that are known malware distributors and blocks them at the IE level. Download it here: 

https://netfiles.uiuc.edu/ehowes/www/resource.htm

Network wide infections

Fixing a single computer might take a lot of time, depending on the level and the type of infection. Treating a lot of computers on a network can be quite costly seeing that the free tools do not scan an entire network.

You could implement a network wide deployment of a professional tool such as WebRoot Spysweeper Enterprise and deploy the latest service packs and patches using Microsoft Windows Update Server.

However, such a method might prove quite tasking on your hardware. I believe that an Anti-virus should also filter out Trojans, Dialers, Backdoors, Adwares, and all other risks. A few good professional packages out there do this quite nicely and are worth the money for the upgrade. You check to see whether your Anti-virus package can deal with more than just viruses.

My favorite strategy for protecting a network is stopping Malware at the perimeter level and implementing a complementing OS and Antivirus update mechanism at the client level.

If you're implementing a brand new network you might consider solutions from Fortinet. They have hardware based Firewall which can handle all types of malware and Internet attacks and also implement a combination VPN/Antivirus client at the workstation level. This keeps things nice and easy for the network and security administrators. This type of solution eliminates the need to worry about whether your Antivirus is fighting your Anti-Trojan package or your VPN solution, whether all of them are updated properly and how much memory they are taking from you computers.

Conclusion

Removing malware from a computer is much trickier than protecting it properly, which should preferably be done at the network level if possible.

With the right combination of tools you can find out and repair a single virus or Trojan. For treating a computer infected with a combination of different Trojans, backdoors and viruses you need to use a combination of anti-malware utilities, some of which are free for use on home computers, but you've got to have patience. Windows infections have lots variations and sometimes even a solid Anti-virus program will not be able to deal with a well infected computer by itself, without some help and a lot of restarting.

See Also

Advertisement

Featured Links