Wednesday, February 3, 2010

Manually Killing Viruses, Part 4

This is the mop-up, or the repair. At this stage all the viruses, worms, Trojans, rootkits, etc. are gone, but Windows is damaged. A repair-install often doesn't fix things: installers usually only check whether a file is present, not whether it is intact, so a file that malware corrupted or replaced is left alone instead of being reinstalled.
Some Windows XP machines get infected because they don't have the latest patches or service packs. If there's an i386 folder on the hard drive (many OEM installs keep one), make sure it has the latest service pack applied, because a repair-install from an SP2 source will also put the machine back to SP2. To find out at a glance, look for a file whose name starts with SP3 in i386. If all you can find is SP2, slipstream SP3 into the folder.
You might want to consider the SFC command. sfc /scannow compares the protected system files against the install source named in the SourcePath value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup (this is where that i386 folder comes in), and sfc /purgecache run first throws away the cached copies in dllcache so every replacement really comes from that source. If the source is an older service pack than the one installed, SFC will keep prompting for the CD or put back older versions of files, which is one more reason to slipstream first.

If the problem is that you can't reach the Internet, check the "hosts" and "lmhosts.sam" files. They're in C:\Windows\System32\drivers\etc\. Open them with Notepad and make sure the only active line in hosts is the standard loopback...
127.0.0.1 localhost
Lines beginning with "#" are comments and are harmless; the stock XP hosts file is a few comment lines plus that one loopback entry. lmhosts.sam is only a sample and is never read, so all of it is normally comments. The live file would be named lmhosts with no extension, and it normally doesn't exist at all; if one has appeared, read it.
Malware edits hosts to redirect valid Internet addresses to malicious sites, or to point antivirus vendors' and Windows Update addresses at 127.0.0.1 so the machine can't get updates. Some malware also marks the file hidden and read-only, or changes the DataBasePath value under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters so Windows reads a hosts file from some other folder, so check that that value still points at %SystemRoot%\System32\drivers\etc.

Internet security suites like McAfee and Norton Internet Security are often damaged by malware, and a half-broken suite can itself block Internet access until the product is completely removed. Luckily McAfee and Symantec/Norton each publish a removal tool (McAfee's MCPR and the Norton Removal Tool) that scrubs out what the normal uninstaller misses.

You might also try repairing the Winsock with WinsockFix or something like it (on XP SP2 and later, netsh winsock reset below does the same job). Uninstall the network adapter(s) in Device Manager and let Plug and Play redetect and reinstall them (Action, Scan for hardware changes, or just reboot).
If you still can't get to the Internet, run all these commands in this order, from a command prompt opened as an administrator. Several services appear twice, once by service name and once by display name (lanmanserver and Server, Dhcp and "DHCP Client", and so on), so the second of each pair just reports that the service is already started; that's harmless. Two cautions: on XP, netsh int ip reset needs a log file name after it or it only prints its usage, and netsh firewall reset puts Windows Firewall back to its defaults, which also throws away any exceptions you had added. netdiag isn't on a stock XP install; it comes from the Support Tools on the XP CD (Support\Tools)...
net use * /d /y
NET USE /persistent:no
ipconfig /release
net start lanmanserver
net start Server
net start lanmanWorkstation
net start Workstation
net start "Remote Procedure Call (RPC)"
net start RpcSs
net start "Plug and Play"
net start Telephony
net start wuauserv
net start Dhcp
net start "DHCP Client"
net start Dnscache
net start "DNS Client"
net start helpsvc
net stop NetSvc
net stop Netlogon
net start Netlogon
net start Netman
net start "Network Connections"
net start "Remote Access Connection Manager"
net start "Security Accounts Manager"
net start prepdrvr
net start LmHosts
net start TapiSrv
net start "TCP/IP NetBIOS Helper Service"
net start TermService
net start WebClient
net start Browser
netsh int ip reset resetlog.txt
netsh winsock reset
netsh firewall reset
ipconfig /renew
arp -d *
nbtstat -R
ipconfig /flushdns
nbtstat -RR
ipconfig /registerdns
netdiag /test:winsock /v


If you can get to the Internet, but specific addresses are blocked, look in hosts or lmhosts.sam, as mentioned above, or look in the Registry under...
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains
Each domain (and, one level down, each host) listed there is a key whose values map a protocol ("http", "https" or "*") to an Internet Explorer security zone: 0 is the local machine, 1 the local intranet, 2 Trusted sites, 3 Internet and 4 Restricted sites. Malware drops antivirus vendors' and Windows Update sites into zone 4 so their pages and downloads fail, and sometimes adds its own sites to zone 2. On a machine where nobody has set up trusted or restricted sites by hand, these keys should be empty; delete anything you find there.
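Here's an added example (my own script, not something from the original post) that checks both of the places just described at once: it parses a hosts file for anything other than the loopback line, and parses a reg export of the ZoneMap\Domains key to list which hosts have been pushed into which zone. The hosts text and .reg text inside it are made-up samples, and the file name, helper names and the choice of Python are mine, not anything from the post.

```python
"""Audit the two places named above where malware blocks or redirects specific
addresses: the hosts file and the ZoneMap\\Domains keys.  Added example, not
code from the original post.  The hosts text and the .reg export below are
constructed samples; on a real machine read
C:\\Windows\\System32\\drivers\\etc\\hosts and the output of
  reg export "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\Domains" zm.reg
(reg export writes UTF-16, so open that file with encoding="utf-16")."""
import re

LOOPBACK = {"127.0.0.1", "::1"}  # ::1 so a Vista/7 hosts file isn't flagged
# Internet Explorer zone numbers used by the ZoneMap values.
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}

# Constructed sample: a hosts file after malware has edited it.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       www.malwarebytes.org     # update site pointed at loopback
127.0.0.1       update.microsoft.com
203.0.113.7     www.google.com           # redirected to another IP (TEST-NET-3)
"""

# Constructed sample of a reg export of the HKCU ZoneMap\Domains key.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.org]
"http"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\symantec.com]
"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\microsoft.com\update]
"http"=dword:00000004
"https"=dword:00000004
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=dword:([0-9A-Fa-f]{8})$')
DOMAINS_MARKER = "\\zonemap\\domains\\"


def parse_hosts(text):
    """(ip, hostname) pairs from hosts-file text; comments and blank lines dropped."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        ip, *names = line.split()
        entries.extend((ip, name.lower()) for name in names)
    return entries


def suspicious_hosts(text):
    """Every mapping other than the loopback line for localhost.  On a machine
    that never had a hand-edited hosts file, each one is a block or a redirect."""
    return [(ip, name) for ip, name in parse_hosts(text)
            if not (ip in LOOPBACK and name == "localhost")]


def parse_zonemap_reg(reg_text):
    """(hostname, protocol, zone) triples from a .reg export of ZoneMap\\Domains.
    Hosts are nested keys: Domains\\microsoft.com\\update is update.microsoft.com."""
    results, host = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            path = key.group(1)
            idx = path.lower().find(DOMAINS_MARKER)
            if idx < 0:            # the Domains key itself, or something unrelated
                host = None
                continue
            parts = path[idx + len(DOMAINS_MARKER):].split("\\")
            host = ".".join(list(reversed(parts[1:])) + [parts[0]]).lower()
            continue
        value = VALUE_RE.match(line)
        if value and host:
            results.append((host, value.group(1), int(value.group(2), 16)))
    return results


def restricted_sites(reg_text):
    """Hosts that have been pushed into the Restricted sites zone (4)."""
    return sorted({h for h, _proto, zone in parse_zonemap_reg(reg_text) if zone == 4})


def report(hosts_text, reg_text):
    for ip, name in suspicious_hosts(hosts_text):
        print(f"hosts: {name} -> {ip}")
    for host, proto, zone in parse_zonemap_reg(reg_text):
        print(f"ZoneMap: {host} ({proto}) -> zone {zone} {ZONE_NAMES.get(zone, '?')}")
    print("restricted:", ", ".join(restricted_sites(reg_text)) or "none")


if __name__ == "__main__":
    report(SAMPLE_HOSTS, SAMPLE_REG)
```

To use it for real, swap the samples for the contents of the hosts file and of reg exports of both the HKCU and HKLM keys. Anything it reports in zone 2 deserves a look too, since malware sometimes trusts its own sites the same way.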

As soon as you get to the Internet, you should update all anti-virus and anti-malware definitions, update Windows, or install/reinstall the protections that were removed.
As of this writing, these are my favorites, in this order...
Antivirus
Microsoft Security Essentials
Avast!
Anti-malware
Malwarebytes
Spybot
Rootkits
Rootkit Revealer
Panda

The rootkit tools only reveal rootkits; they don't clean.
You also have to know what you're looking at: some of the hidden items they list are legitimate, because some commercial software hides its own files and registry keys the same way, so not everything in the list is bad. But the list is normally short.

Oh, one more thing... If you encrypted the whole hard drive and a virus ruined your computer, none of this is likely to work at all, because the offline tools (a boot CD, or hanging the drive off another machine) can't read an encrypted volume unless you can still unlock it. Reformat. Encryption at the hard drive level is a nasty bit of business. Not worth it, in my opinion. If you have data that critical, stick it on a secure USB drive. I have one that requires a password, plus a fingerprint. That should work for paranoid data. I highly recommend avoiding whole hard drive encryption, unless it's a secondary drive.
