Disinfecting a PC… part 11



All in all, what I’ve documented was a bit over three hours’ worth of attention to the machine (much more for the full scans, but I didn’t have to stand and watch them.) I didn’t document a side trip to a second antivirus scanner. It’s nice to see a system cleaned up that had been so thoroughly infected. There are a couple of other notes I should pass along though. When a system has been trojaned, the BEST advice is to wipe the disc and reinstall from scratch. (Erase/reformat/install from scratch.)


That’s the best way to make sure that nothing else is trojaned. (Maybe a bug dropped a rootkit that is invisible to Windows – much like the Sony XCP Digital Rights software did?) Certainly, it’s not something you WANT to be doing. The time spent usually turns out about the same either way (uninstall, or wipe and reinstall). One of the more time-consuming processes is finding the files to salvage.

After the reinstall and cleaning I also ran netstat /a to see if there was anything listening on a network port that looked suspicious; in reality, though, a rootkit could hide such entries. From what I was able to see from another networked computer, nothing looked suspicious.
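To make that second-computer cross-check systematic, here is an added Python example (not from the original post) that diffs the TCP ports netstat /a reports as LISTENING against the ports another host on the LAN observed open; a port visible from the network but absent from the local listing is exactly what a hiding rootkit would produce. Both listings below are constructed samples, not output from the machine in this series.

```python
# Constructed sample of Windows "netstat /a" output (not captured from the cleaned PC).
LOCAL_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1041      93.184.216.34:80       ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# Constructed set of TCP ports that a second machine on the LAN saw open on the host.
REMOTELY_OBSERVED_TCP = {135, 139, 445, 6667}


def parse_listening_tcp(netstat_text):
    """Return the set of TCP ports that netstat reports in the LISTENING state.

    Splitting on the last ':' keeps IPv6 listeners such as '[::]:135' working too.
    """
    ports = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] == "TCP" and fields[3] == "LISTENING":
            ports.add(int(fields[1].rsplit(":", 1)[1]))
    return ports


def cross_view_diff(netstat_text, remote_ports):
    """Compare the local (netstat) view with the remote view of open TCP ports.

    'hidden'     : open from the network but missing locally -> investigate, a
                   rootkit hooking netstat would look exactly like this.
    'local_only' : listening locally but not seen remotely -> usually just a
                   firewall or a loopback-only binding, not evidence of hiding.
    """
    local = parse_listening_tcp(netstat_text)
    return {
        "hidden": sorted(remote_ports - local),
        "local_only": sorted(local - remote_ports),
    }


if __name__ == "__main__":
    print(cross_view_diff(LOCAL_NETSTAT, REMOTELY_OBSERVED_TCP))
```

Run the remote side with whatever port-listing tool you trust on the second machine; the point is that the two views were produced by different kernels, so a hidden entry on the infected host cannot hide from both.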

The earliest malware on the disc seemed to date from August of 2004 (the system was worked on in early December 2005.) I advised that word be passed along that any passwords used for online banking or credit cards should be changed and the accounts monitored for suspicious activity. The truth is there is no good way to know whether those details are still secure given all those trojans. I didn’t go through each one for a detailed analysis, but I’d certainly consider at LEAST changing online passwords for sites visited from that machine.

It’s worth noting that I didn’t mention the System Restore feature. It had been disabled when I first saw the system, and one of the last things I did was re-enable it. The only other things I did were let it run a full scandisk and defrag (overnight – may as well.)

The last note to pass along is that the system’s user says it runs like new now. They’re going to make sure to keep the antivirus updated and try to be careful in their web browsing. It’s good to see another one cleaned up.
