In a previous article,
Why won’t this “Your Computer Is Infected” warning go away? I
described some of the symptoms I was faced with when a friend called me
for help on his infected machine.
It was seriously infected by one, if not more, currently common
forms of malware.
As an example of some of the steps you might consider if faced with
a similar situation, let me describe what I did.
But First, a Disclaimer
I need to reiterate that once infected by anything the only way to know that you’re no longer infected is to reformat the machine, reinstall Windows and all your applications from scratch, make sure everything is up to date and then restore your data from backups.
It’s a huge pain, but the only way to be absolutely certain.
So, at the risk of having missed something (which you’ll see actually did happen), I elected to try the more common “can’t we just clean it?” approach.
One of the symptoms that my friend mentioned was something about a message including the phrase “antivirus 2009”. Antivirus 2009 (and 2008) are viruses that are currently hitting a lot of people, and still being missed by many anti-spyware utilities. Thanks to reader comments on an earlier article, How can an infection like Antivirus XP 2008 happen? I knew exactly where to start: Malwarebytes. This anti-malware software is a relatively new player, and has garnered a lot of good buzz. It was time for me to try it.
However, before even getting that far, I had a known infected machine on my hands, and the one thing I did not want to do was connect that machine to my local network for fear of the virus spreading to my other machines. Instead, I left the machine disconnected and took a spare external hard drive and copied a number of tools, including the latest Malwarebytes installer. I then connected that to the infected machine and installed from there. Once connected to the infected machine, of course, that external drive could also no longer be trusted, and hence could no longer be safely connected to one of my machines until erased.
One thing I did not need to do immediately was backup the machine. My friend had an external drive of his own, and had been running the backup software that had come with the drive. While it might end up “backing up” the infection as well, it at least had all the data. More on the backup drive below.
Scanning, and Scanning Again
The initial “quick scan” with Malwarebytes turned up over 30 separate infected files and settings. I had it quarantine those and ran the scan again, where it turned up only 2. This actually raises a good point: when scanning, always scan and rescan until the count of infections you care about reaches zero. I say “infections you care about”, because depending on the tool you’re running things like tracking cookies aren’t worth worrying about or re-scanning for.
At this point, the anti-virus program pre-installed on the machine (Norton) also indicated that it had found something, and as such needed to reboot to finish cleaning up. I did, it did, I re-ran Malwarebytes and all was clean.
Since my friend was waiting in my living room, I sent the machine home with the same warning with which I started this article: it may appear clean, but the only way to be absolutely positive would be a reformat and a reinstall, which we’re avoiding for now. Something certainly may have been missed.
It’s probably a good thing I said that.
My Mistakes – More Intensive Recovery
The next day my friend called and indicated that he could no longer log into his machine. It had worked great that morning, but in the afternoon any attempt to log in appeared to work, but then immediately logged him out.
I told him to bring the machine, but to plan on leaving it for the weekend.
This time I took several, more time-consuming steps:
I ran SpinRite. Not for anything malware related, it’s just something that made sense to run overnight once the machine was going to be here for a while. (Though, occasionally, boot issues can be the result of hard disk issues that SpinRite can clear up.) The disk scanned clean with no problems at all.
I ran Memtest86. The machine had recently had additional memory added to it, and I wanted to rule out bad memory as a potential problem. Test passed.
I did a little research and ended up digging up my own Dell Windows installation (not repair) disk, and booting from that to get into the Recovery Console. Once there, I was able to restore a copy of c:\windows\system32\userinit.exe from the installation CD. That file having gone missing was the cause of the immediate logout on login. Chances are it went missing by virtue of having been infected after which an anti-malware scan quarantined it. I could login again.
I performed a complete system image backup to a spare external drive.
I turned off System Restore
I cleared all temporary files, and cleared Internet Explorer’s cache.
I ran alternating full disk (not “quick”) scans by both Malwarebytes and Norton until both showed clean. Twice.
I set up a private network behind a second router specifically for this machine, so that I could connect it to the internet for updates without putting any of my own machines at risk.
I updated both Malwarebytes and Norton, and once again ran full disk scans until both showed clean.
I rebooted the machine a time or two, since some of the malicious behavior seemed to “kick in” after a reboot. No bad behavior resulted.
I let the machine sit overnight, connected to the internet. One of the vague reports was that the machine would sometimes show malicious behavior after it had been sitting for “a while”, perhaps due to uncaught malware “reaching out” to the internet and infecting the machine more deeply. This also allowed the anti-malware software on the machine to perform its normal updates and scans. Nothing bad happened.
I reconnected the backup drive and scanned it with both Malwarebytes and Norton. Surprisingly, no infections were found at all. More on this below.
Finally, I defragged the hard drive, just because.
This time I was fairly certainly (though not absolutely positive) that the machine was clean. So far, a few days later, things seem to be well.
What was different about my second attempt that made it more successful than the first?
Full disk versus “quick” scans
Turning off system restore
Cleaning out temporary and cache file
Setting up a safe network connection that allowed the anti-malware packages to update to their latest databases.
Perhaps one or more of those made a difference, perhaps something else.
About that External Hard Disk
I fully expected the external drive to be infected, particularly when I saw that the backup program was not keeping things in a proprietary format, but rather a normal Windows filesystem, but that didn’t happen.
What I discovered was that the backup that had been run was backing up documents only. Specifically, it was backing up the “My Documents” folder, and a few other things. It was not backing up the entire system. If the system or hard disk ever dies, the only recourse will be to reinstall Windows and applications from scratch. Data saved in “My Documents” can then be recovered from the backup.
This is a valid choice of backup approaches, but it should be a conscious one. For this type of situation, I actually prefer an image backup, since in the case of hardware failure it can be used to restore a system completely without having to wade through a lengthy reinstall process.
Lesson: don’t assume your backup is backing up what you think it is. Confirm that it’s doing what you want.
The day after returning the machine I got a call from my friend. He’d received an email from his ISP indicating that there had been reports of “malicious activity and spam” originating from his connection. All in all, not very surprising, considering his previously infected machine.
The “twist” was that the ISP had blocked outgoing port 25 on his connection – meaning he could no longer send mail, and neither could any malware. (Hence the phone call as opposed to email. )
The ISP had instead opened up port 587 (an alternate email sending port), and configured that port to require authentication. Personally, I find this a very appropriate response on his ISP’s part – it blocks spambots, but gives people a way to continue to send email. (Tip of the hat to Comcast on this issue.)
I walked him through reconfiguring Outlook Express over the phone, and moments later I received an email from him.
At this writing, about a week after it all started, all appears clear.
How Did This Happen?
I honestly don’t know.
On the surface, the machine had appropriate safeguards in place and they were all configured appropriately.
My guess, and it is only a guess, is that a website popped up a fake message that looked enough like a system message to fool my friend into clicking on it. Who knows what was installed on his system, but with that foot in the door all bets were off thereafter.
Perhaps the strongest lesson I can take away from this experience reiterates some of what I said in a previous article: it’s important to know what’s running on your system and know what messages to recognize as legitimate.
And to, above all, be skeptical.
10 comments on “How did you clean up your friend's infected machine?”
Always interesting to read how others tackle these issues.
The following guide has helped me remove a lot of nasty infections and I swear by it:
It’s not for the novice user, I guess, but it does do the job, and does it well!
A great tutorial. Because, like you indicated, it’s difficult to know if every trace of an infection has been removed, I like to add one more step.
I do some additional Internet research to find any instructions available for manually removing said infection. These instructions generally provide a list of malicious files and registry entries to remove. –I don’t use the manual process unless absolutely necessary. Instead, I use the instructions to compile a checklist for use AFTER running anti-virus/anti-malware scans to ensure that these products have done a complete job.
If they haven’t, I’ll generally try re-running anti-virus/anti-malware scans from safe mode as sometimes this is necessary to remove files that were running in normal mode.
Finally, if any malicious files/registry entries still exist, I’ll remove them manually.
can someone tell me how I would configure the router behind the router method that he refers to? what are the steps and IP addressing setup to make this possible and secure?
leo i do desktop support for a sweepstakes site. We have our own puter forum.
I posted your article in there about malwarebytes. I can’t possibly list all the people i help on a daily basis. You give great sound advice and for that
i want to personally thank you. I still run into issues..
Like no page display… And one person is having activex issues.
Which i am unable to figure out just yet. That xp-trojan appears as a popup.
And comodo antimalware has stopped it before it has entered my puter.
But ive cleaned up over a 100 puters all with either norton/AVG/mcafee.
None have stopped this trojan. Malwarebytes is top notch in my book.
Looking forward to your Emails.
John – good point. I was reading this article and stopped short on that line about router behind a router as well. Leo – how does on eod this? I have been unable to get 2 routers to work like you describe.
If your USP does NOT support multiple IP address then: broadband modem to router A, then router A to router B, and router A to router C.
In most cases default router configurations (DHCP/automatic IP assignment) works just fine.
This article has more: How do I protect users on my network from each other?
For information on using two routers on a LAN, see this
Its the first of three blog postings I wrote on the subject.
Here is part two
and part three
I run a PC repair business from home and see this all the time. The antivirus/antispyware companies have a hard time keeping up with the variants of this family of pests. They may look the same outwardly but they are changed all the time. Also by their very nature (it’s correct that they are not classified as viruses) most security packages don’t detect them by default. For example, Kaspersky requires a tickbox to be checked for detection of ‘Other Programs’. Of course this may result in false positives when installing or running some benign programs so be aware.
In regards to ‘Page cannot be found’ issues after cleanup:
1. Reset Internet Explorer’s settings completely in ‘Tools > Internet Options > Advanced’
2. While in settings, check that the malware hasn’t added a proxy server that you don’t use/need under Connections > LAN Settings.
3. Check the Security tab to make sure you haven’t got unwanted entries in Trusted or Restricted Sites.
4. Run a network protocol/winsock reset program such as WinsockFix for XP. For Vista I don’t know if such a program exists but you can do it manually:
1. Click on Start button.
2. Type Cmd in the Start Search text box.
3. Press Ctrl-Shift-Enter keyboard shortcut to run Command Prompt as Administrator. Allow elevation request.
4. Type netsh winsock reset in the Command Prompt shell, and then press the Enter key.
5. Restart the computer.
NB: The Internet Settings in Internet Explorer can affect a lot of other programs that use the Net so it’s always a good idea to look here first.
Also, security apps like Norton can be ‘broken’ by malware and the firewall may be blocking traffic. I have found this to be true sometimes even when said firewall is “turned off” but Internet access (and network sharing) worked after uninstalling Norton.
Thanks for an interesting article.
Perhaps your friends had a boot sector virus that the antivirus software was not detecting. Rubbing out a boot sector virus may involve rewritting the Master Boot Record, and this can cause a loss of partition information, rendering the disk unbootable.
So you are right; prevention is the best remedy.
very good article; I would like to add 1 one more step with regards to the “cleaning”
In the past, I used to help a few friends with infected machines. One thing I always did (in the beginning of the process)was checking the “startup” in “msconfig” (windows xp)
I noticed sometimes that a clean machine (…) was diry again after reboot. Unchecking suspicious progs in the startup first and THEN do the necesssary scanning/cleaning/scanning etc etc worked for me (in some occasions)
One example: remember the blaster virus some 5 years ago. One of the things was your pc shut itself down after 10 secs (or something). Changing the startup and turn the thing off (forgot the name) was the first step to keep the machine running and perform the necessary cleaning steps.
From the old days but possibly of any use…….
I may have missed something through your articles, but haven’t found reference to it. But this seems like a good place to ask this question:
Many of the new computers make a “D” partition that holds the equivalent of a Restore Disk, that used to be common practice to come with a new machine. My question is: if a machine is contaminated with viruses and/or malware, is the “Rebuild Partition” also infected.