An example scenario: after I connect to the Internet after several days, my
email infects my computer with a new virus. This infection happens before
I had a chance to upgrade my Anti-Virus signatures.
Now what is the process to restore this infected system? What are the best
practices in restoring an infected system?
Thank you in advance.
Subba Rao
> Hello
You don't say what AV software you have. Presuming that you can get your
AV signatures updated, the program should take care of any viruses it
finds on your system. All you need to do is run a full system scan.
You'd also be wise to install something like MailWasher in front of your
email client. It allows you to see what emails are waiting for you on
your ISP's server, to preview them in text format only and delete them
from the server without ever downloading them.
Not wishing to appear rude, but how computer-literate are you? What
email client do you use? If you're using OE6 for your emails, you have
set it to text only display, haven't you? It's not fool-proof, but that
will help to stop some viruses propagating through the preview window.
You do know *never* to open emails from people you don't know?
Wanderer wrote:
>
> On Sun, 14 Sep 2003 07:42:04 -0000, Subba Rao wrote:
> > What are the best
> > practices in restoring an infected system?
>
> You don't say what AV software you have. Presuming that you can get your
> AV signatures updated, the program should take care of any viruses it
> finds on your system. All you need to do is run a full system scan.
OTOH, if the system has been wide open, known viruses may be one of the OP's
lesser problems. I'd suggest
<URL:https://www.cert.org/tech_tips/root_compromise.html>.
Follow-ups narrowed.
Thor
The "best" practice, which almost no-one does out of laziness, is either to
restore from a known clean backup (you *are* taking backups aren't you?) or
to perform a clean install.
--
Rob
Microsoft MVP
Windows Servers and Security
http://www.robertmoir.co.uk
Let's not turn a mole-hill into a mountain, BIG diff. between a root
compromise and a virus on one's system, especially with the lame viruses
that are going around now. If you got the "Microsoft Update
Patch/Security Patch" thing, you can pretty much just delete the
infected areas and get on with it in a couple minutes. Most of those
Viruses monkey with the windows registry to get their execution. If this
is one of those, you can just import the reg. from a backup, or manually
clear it out. They almost all hide in
HKLM-software-microsoft-windows-current-version- run, run-once, and I
forget the other: run- something, (it's been a while, I don't run windows
anymore.) It depends on 1. What virus. 2. How far/long it's gone/been
around 3. User's level of knowledge about computers in general.
--
----------------
-jayjwa Reg. Linux user #207147 PGPKey: http://atr2.ath.cx/jayjwa.asc
Spambox: jay...@hotmail.com -- 4 Spammers: lis...@listme.dsbl.org
*We have come for your Buffer!*
Best practice is to either:
1. connect and upgrade the anti virus before touching email
2. harden the email client so you have to run an attachment to get infected.
You might want to run a scan from windowsupdate.microsoft.com as well unless
your system auto downloads patches in the background and applies them.
>
> Now what is the process to restore this infected system? What are the best
> practices in restoring an infected system?
I know it sounds obvious - but the easiest way to clean a machine is not to
get infected in the 1st place.
If it's too late for that - follow the advice from your anti virus package.
A backup of anything you can't afford to lose periodically to an offline
store such as CD or tape is good practice as well.
>
> Thank you in advance.
>
> Subba Rao
--
Regards
Stephen Hope - remove xx from email to reply
> Hello
>
> An example scenario, after I connect to the Internet after several days, my
> email infects my computer with a new virus.
Well you obviously don't have an antivirus with email scanning if this
is occurring.
> This infection happens before
> I had a chance to upgrade my Anti-Virus signatures.
Why would you d'l email, the virus writers' best friend, when you have no
protection? Install an email aware antivirus and update it before
checking email.
>
> Now what is the process to restore this infected system? What are the best
> practices in restoring an infected system?
>
> Thank you in advance.
>
> Subba Rao
Assuming an MS based system....
1. Stick the HDD in a PC with updated antivirus and scan it.
2. Note any infections, download the relevant cleaning tool from
symantec.com.
3. Stick your now clean HDD in your PC and boot.
4. Run the cleaning tools you downloaded (most virii create registry
entries, and the tools repair this e.g. klez, prettypark or whatever)
Alternatively you can repair the registry entries manually and restore
files replaced by the virus.
5. Install an antivirus
6. Install a firewall as well.
7. update the antivirus.
8. Now go browse and read email.
E.
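Both jayjwa's post (viruses hooking the Run/RunOnce/RunServices keys, cleaned by re-importing the registry from a backup or by hand) and step 4 above (repairing the registry entries a virus created) come down to comparing the autostart keys against a known-good copy. The following is an added example, not code from anyone in this thread: it parses two regedit `.reg` exports (a backup taken when the machine was clean and one taken from the suspect disk) and lists what was added, changed or removed under those keys; the sample exports and the paths in them are constructed placeholders.

```python
# Added example, not code from anyone in this thread: diff the Run-family
# autostart keys of a suspect registry export (regedit .reg file) against a
# known-good backup export, listing what a virus added, altered or removed.

AUTOSTART_KEYS = ("Run", "RunOnce", "RunServices")  # hiding places named above
PREFIX = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"

def parse_reg_export(text):
    """{key_path.lower(): {value_name: data}} from a .reg export; only quoted
    value names are kept and data stays in its .reg-escaped form."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            entries.setdefault(current, {})
        elif current is not None and line.startswith('"') and "=" in line:
            name, data = line.split("=", 1)
            entries[current][name.strip('"')] = data.strip().strip('"')
    return entries

def autostart_diff(baseline_text, suspect_text):
    """Return (added, changed, removed) lists of (key, value_name, data)."""
    base, susp = parse_reg_export(baseline_text), parse_reg_export(suspect_text)
    added, changed, removed = [], [], []
    for key in AUTOSTART_KEYS:
        path = (PREFIX + "\\" + key).lower()
        b, s = base.get(path, {}), susp.get(path, {})
        for name, data in s.items():
            if name not in b:
                added.append((key, name, data))
            elif b[name] != data:
                changed.append((key, name, data))
        removed += [(key, n, d) for n, d in b.items() if n not in s]
    return added, changed, removed

# Constructed sample exports (placeholder paths, not real malware names).
BASELINE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVMonitor"="C:\\Program Files\\AV\\avmon.exe"
"PersonalFW"="C:\\Program Files\\FW\\fw.exe"
"""
SUSPECT_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVMonitor"="C:\\WINDOWS\\EXAMPLE_fake_avmon.exe"
"WinUpdate"="C:\\WINDOWS\\system32\\EXAMPLE_dropper.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"WinUpdate"="C:\\WINDOWS\\system32\\EXAMPLE_dropper.exe"
"""
```

Running `autostart_diff(BASELINE_REG, SUSPECT_REG)` on the samples reports the two added "WinUpdate" entries, the redirected "AVMonitor" value and the missing "PersonalFW" entry, which is exactly the list a tech needs before deleting entries or re-importing the backup.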
I was wondering if someone would get around to that. Those would be my preferences
- though as others have said a lot depends upon the 'computer literacy' of the
one using the system, what incremental changes have been made since the last
backup, what type of machine it is, what is on it,...
There are no silver bullets, no one-size-fits-all solutions. :-(
http://profiles.yahoo.com/jwmeritt and http://hometown.aol.com/jwmeritt/
James W. Meritt, CISSP, CISA