Help! I have a virus, and I am going to reformat my C: drive!
If you are the tech support guru in your social group, you may have heard this cry: Help! I have a virus and I am going to
reformat my C: drive!
This is usually followed by: All virus writers should be drawn and quartered! (or similar gruesome punishment.)
Do not despair! Before you go off the deep end, we need to find out just exactly what the problem is. You may not be totally dead.
Viruses do many different things these days. Mostly they want to gain control
of your computer and replicate themselves. Past viruses tended to infect
executables, usually rendering the computer inoperable. Someday, we might see a
prolific time-bomb virus. But to be successful, a virus must at least replicate
itself. If you can stop the intruding program from running, you can usually
clear up the problem.
This article was written after a relative with a PC running Microsoft Windows XP Home received a variant of the
W32 Beagle worm virus. Along with this virus, a pair of Trojan download
viruses came along for the ride. The whole purpose of this blended attack was for
the virus author to gain control of the computer over the Internet. It would eventually be used to send unsolicited email (spam). It is also possible to have the computer participate in a
Distributed Denial of Service (DDoS) attack.
Based upon the resolution, I have gathered the notes together on how to proceed. Before you call your computer support person
(relative), you may want to gather some information:
1.) What happens? How do you know you have a virus? Here are
some possible symptoms:
- System will not boot
- Certain programs do not run
- System is very slow
- Lots of disk drive activity even when no programs are
running on screen
- Lots of requests to connect to the internet/dialup
- Friends notified me of e-mail from me with a virus
- Internet service provider cut service because of SPAM emails
originating from my computer
- Unexpected programs running or web sites popping up.
(This virus FAQ has much more detailed information about viruses in general.)
2.) How do you think you got this virus?
- Opened an E-mail attachment
- Installed a new program
- Browsed a web site
- Ran a "keygen" program
- Downloaded or swapped a file
3.) What operating system are you running? (examples: Apple
OS-X, Microsoft Windows XP, Microsoft Windows 98, RedHat Linux 9)
4.) Do you have a virus protection program? How up to date
is it? Here is a link about anti-virus programs:
http://www.us-cert.gov/cas/tips/ST04-005.html
5.) Do you have a spyware protection program? Here is a link
about spyware: http://www.us-cert.gov/cas/tips/ST04-016.html
Note that spyware, adware, worms, and viruses all work similarly. They are all programs that you would not really choose to have on your computer if you knew they were there and what they did. The one difference between adware and a virus is that people unwittingly choose to install adware as part of other packages, not realizing that having adware is part of the terms of use of the software. Kazaa is a very good example of a spyware/adware install.
6.) Does your Internet service provider have virus
protection? Many of the larger ones do out of necessity; Time Warner Roadrunner
broadband for example keeps reasonably up to date.
OK, you have the information. What next?
1.) Disconnect yourself from the Internet. Most viruses are
trying to replicate over the network.
2.) Update your anti-virus definitions and run a computer
scan.
-- What, you do not have a virus scanner? --
OK, that will be your first
purchase. There are free ones out there, which may be useful. But, I highly
recommend the commercial programs Norton/Symantec AntiVirus
or McAfee
Antivirus. Most require subscriptions however, which makes their use
prohibitive with a dialup Internet connection. You will find yourself spending
all your time downloading virus updates.
3.) If your anti-virus tool finds a virus in a file, it
should quarantine it. Commercial anti-virus vendors thoughtfully provide
removal tools for specific viruses on their web sites. I recommend going to a
different, uninfected computer and downloading the removal tool there. A USB flash
drive is very useful for transferring data between a known good computer and an
infected computer. The flash drive can be switched into read-only mode so that
nothing can be written to it by the infected machine.
4.) Verify that no strange programs are being started
automatically on operating system boot. The Microsoft Windows registry key is
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. If you do not
recognize an entry here, you can take note of it and probably remove it.
Most programs in this Run key are not necessary to the operation of the computer. It is just another way of running background processes or putting items in the
system tray. It works similarly to putting items in the Startup menu. Some viruses can block the running of regedit. A useful tool in
this case is "HijackThis" from Spyware Info.
5.) Now, notify all those that you can that you had a computer virus and what to look for: friends, co-workers, and Internet
providers. Computer Viruses are nothing to be ashamed of, they happen to very
smart and very nice people. You will be respected if you tell them how to cure
themselves.
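Step 4 above is a manual check in regedit. The following PowerShell script is an added example (not from the original post, and written for modern Windows rather than the XP machine described) that lists the autostart entries under the standard Run and RunOnce keys for both the machine and the current user, flags commands that do not launch from the Windows or Program Files directories, and then re-reads the keys after a short delay. That second read is aimed at the behaviour described at the end of the post, where a removed entry was put back within seconds: an entry that reappears between the two reads is being re-added by a running process. The key paths are the standard ones; the "suspicious location" heuristic is an assumption of this example and produces false positives for legitimate software installed elsewhere.

```powershell
# Added example: snapshot the autostart Run keys, then re-check for re-added entries.
# Standard autostart key paths (HKLM = all users, HKCU = the logged-on user).
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-RunEntries {
    # Returns a hashtable of "<key>\<value name>" -> command line
    $entries = @{}
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Get-ItemProperty adds PSPath, PSParentPath, etc.; skip those
            if ($p.Name -like 'PS*') { continue }
            $entries["$key\$($p.Name)"] = [string]$p.Value
        }
    }
    return $entries
}

function Show-RunEntries($entries) {
    foreach ($name in ($entries.Keys | Sort-Object)) {
        $cmd = $entries[$name]
        # Heuristic (assumption of this example): most legitimate autostarts live under
        # \Windows\ or \Program Files; anything else deserves a closer look.
        $flag = ''
        if ($cmd -notmatch '(?i)\\windows\\|\\program files') { $flag = '   <-- not in Windows/Program Files, check this' }
        "{0}`n    {1}{2}" -f $name, $cmd, $flag
    }
}

$before = Get-RunEntries
"Autostart entries now ($($before.Count)):"
Show-RunEntries $before

# Re-read after a delay. Anything new or changed since the first read is being
# written back by something that is still running on the machine.
Start-Sleep -Seconds 10
$after = Get-RunEntries
$changes = 0
foreach ($name in $after.Keys) {
    if (-not $before.ContainsKey($name)) {
        "NEW since last check: $name -> $($after[$name])"
        $changes++
    } elseif ($before[$name] -ne $after[$name]) {
        "CHANGED since last check: $name -> $($after[$name])"
        $changes++
    }
}
if ($changes -eq 0) { "No autostart entries added or changed during the wait." }
```

Run it from an elevated PowerShell prompt so that the HKLM keys are readable; run it a second time after deleting a suspicious entry to confirm the entry stays gone. If it comes back, the process writing it is still alive and must be stopped (or the machine powered off, as the post's author did) before the registry change will stick.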
How to protect from viruses and spyware in the future
- Do not use your computer as the administrative or root user! Create a special Internet user that is a regular user. Regular users cannot run programs that will perform the kinds of modifications that viruses want to do. On UNIX machines, this means not logging on as root. In Windows XP, it means going to Start Menu --> Control Panel --> User Accounts. Set your Internet/Mail/network access account as a limited account, not administrative.
- Do not open unsolicited attachments in email messages (Many
email clients like Microsoft Outlook XP/Outlook 2003 now block most attachments
with potential danger issues like .vbs, .scr, and .exe programs.)
- Do not follow unsolicited links in web pages
- Maintain updated anti-virus software
- Use an Internet firewall (Windows XP service pack 2 contains
one, ZoneAlarm is a popular software firewall, a hardware firewall, like a
broadband router will also do the job)
- Keep your system patched - For Windows systems, go to the www.microsoft.com/windowsupdate site and get the latest Windows Security updates.
- Do not click to install programs that are offered on the Internet. Gator and Comet Cursor are two examples.
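The first item in the list above, use a limited account for everyday Internet and mail use, is easy to get wrong because Windows creates the first account as an administrator. The following PowerShell snippet is an added example (not from the original post, and written for modern Windows rather than XP) that reports whether the current session holds administrative rights and lists every member of the local Administrators group, so a stray account or an everyday account that should be limited stands out. Get-LocalGroupMember is a standard cmdlet on Windows 10 / PowerShell 5.1 and later; on systems with User Account Control, IsInRole reports the rights of the current token, so an administrator running a non-elevated prompt is reported as limited for that session.

```powershell
# Added example: is the account I browse and read mail with an administrator?
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
$adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator

if ($principal.IsInRole($adminRole)) {
    "{0} is running with administrative rights in this session. Use a separate limited account for Internet and mail." -f $identity.Name
} else {
    "{0} is a limited (non-administrator) session." -f $identity.Name
}

# Show who is in the local Administrators group; everyday Internet/mail accounts
# should not appear here. (Requires the LocalAccounts module, Windows 10 / PS 5.1+.)
"Members of the local Administrators group:"
Get-LocalGroupMember -Group 'Administrators' |
    ForEach-Object { "    {0}  [{1}]" -f $_.Name, $_.ObjectClass }
```

If the account you use for browsing appears in that list, the page's advice applies: create a second, limited account for Internet and mail and keep the administrator account for installing software and updates only.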
In the end, the Beagle virus and the other trojans were removed using the HijackThis tool, run from a USB flash drive. I had to remove the strange "winshost" and "wingo" processes. One thing I noticed is that the virus would replace the entries within a few seconds. So I had to pull the power immediately after making the changes. Afterward I ran Norton Antivirus and quarantined all the strange files the virus had copied in any directory with "shar" in the name. I updated to Windows XP service pack 2. I created a special "Internet" user. I updated Eudora to version 6, so that it will warn about attachments. Eudora would not be my first preference for a mail client. I recommend Outlook XP or Outlook 2003 or the latest Outlook Express.
More information about computer threats in general can be found at the US Government Computer Emergency Response Web site: http://www.us-cert.gov
Here is a Webopedia article on the differences between adware, spyware and viruses.
Posted on Tuesday, November 23, 2004 @ 00:00:00 UTC by BB