Saturday, March 12, 2011

Cleaning the Aftermath of a Virus Part 2

This is a continuation of part 1 of cleaning up a virus:
In this part, I’m going to go over how to return your computer to working condition, if it is not there already.  If you are lucky, removing the virus removed all the problems with the computer.  More than likely, though, just removing the virus did not fix everything, and your anti-virus program most likely is not up to the task.  I can’t hope to cover every problem the virus may have caused, but I can cover one of the most common: no internet access, or internet access that redirects to, shall we say, questionable sites.  The second most common problem that viruses cause is shutting down anti-virus programs and Windows applications such as Task Manager.  Normally, removing the virus fixes this problem.  If not, I would suggest uninstalling and reinstalling your anti-virus program.
Messing up your browser’s internet access has to be one of the most common problems that viruses cause.  Because there are so many ways a virus can interfere with internet access, it can take some work to get your browser working again.
There are a few main ways that a virus blocks access to the internet:
  • Configuring the hosts file with incorrect entries
  • Changing proxy settings
  • Reconfiguring connection settings
The hosts file is a simple text file that contains web addresses and their respective IP addresses.  By changing the IP address to that of a malicious site, the virus can have the browser redirect from a legitimate site to the malicious site.  The hosts file in general is not used by the Windows operating system, so it is generally easy to determine if this file has been tampered with.  Normally there are either no entries or at most an entry for the localhost.  The hosts file can be found under “My Computer >> Local Disk C (assuming Windows is installed to the C drive) >> Windows >> System32 >> Drivers >> Etc.”  To open the file, right click on it, click Open, and choose Notepad from the list of available programs.  Below I have pasted the contents of a hosts file; the pound (#) symbol at the start of a line indicates that the line is commented out and not active.  In this hosts file there are no active entries.
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#          # source server
#              # x client host
# localhost name resolution is handled within DNS itself.
#       localhost
#    ::1             localhost
If your hosts file contains a number of entries (especially if it contains a large number of anti-virus sites), I would suggest removing all the entries except the commented (#) lines.
[Image: Windows hosts file]
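The hosts file check described above can also be scripted. The following is an added example, not part of the original post: it lists every active (uncommented) entry other than the normal localhost mapping. The sample file contents, host names and the BENIGN_NAMES list are constructed assumptions; on a real machine you would pass in the text of the hosts file from the location given above.

```python
import ipaddress

# Names a clean hosts file may map to a loopback address (assumption for this example).
BENIGN_NAMES = {"localhost", "localhost.localdomain"}

def active_entries(hosts_text):
    """Yield (line_no, ip, hostnames) for every line that is not commented out."""
    for line_no, raw in enumerate(hosts_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop full-line and trailing comments
        if not line:
            continue
        fields = line.split()
        yield line_no, fields[0], [h.lower() for h in fields[1:]]

def audit_hosts(hosts_text):
    """Return a list of (line_no, ip, hostname, reason) findings to review."""
    findings = []
    for line_no, ip, names in active_entries(hosts_text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((line_no, ip, " ".join(names), "malformed address"))
            continue
        if not names:
            findings.append((line_no, ip, "", "address with no host name"))
        for name in names:
            if addr.is_loopback and name in BENIGN_NAMES:
                continue  # the normal localhost mapping
            if addr.is_loopback or addr.is_unspecified:
                reason = "name blackholed to local machine"
            else:
                reason = "name redirected to another address"
            findings.append((line_no, ip, name, reason))
    return findings

# Constructed sample: a tampered hosts file using documentation-only addresses and names.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
127.0.0.1   localhost
::1         localhost
127.0.0.1   update.av-vendor.example   # blocks updates
203.0.113.7 www.bank.example bank.example
0.0.0.0     scan.av-vendor.example
"""

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print("line {}: {} {} ({})".format(*finding))
```

An empty result means the file has no active entries beyond localhost, which matches the clean file shown above.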
The second most common area that causes problems is proxy settings, and it is starting to become the most common.  This situation can be quickly remedied in Internet Explorer by going to Tools (or the round gear icon) >> Internet Options >> Connections tab >> LAN Settings (near the bottom) and unchecking the option to use a proxy server.  If you do use a proxy server (not very common), make sure it is configured with the correct IP address.  The virus usually changes the proxy settings to use an incorrect IP address that either does not exist or leads to a malicious website.
[Image: Internet proxy settings]
The third common area is Network Connection (adapter) settings.  To access the network settings, go to Start >> Control Panel >> Network and Internet >> Network and Sharing Center >> Change Adapter Settings (it is on the left side).  This will bring up a list of network adapters installed on your system.  Select the adapter that you use to connect to the internet, most likely “Local Area Connection” or, if you have Wi-Fi, “Wireless Network Connection.”  Right click on the adapter and click Properties; this will bring up the adapter’s properties.  There will be a list of protocols associated with the adapter.  From the list, select “Internet Protocol Version 4” and click Properties.  Here you will be able to configure the IP address and DNS addresses for the connection.  With most connections, the IP address and DNS address should be set to obtain automatically.  I would recommend that you write the settings down before you make any changes, in the event that the settings are legitimate.
[Image: Network Internet Connection Settings]
