Sunday, June 29, 2008

Virus Recovery Tips

Why is a computer virus harmful? For the same basic reason that biological viruses are: they damage components that keep systems healthy.

Some are relatively benign - they generate annoying, juvenile messages or crash the system once, then go away. But many are specifically designed to do substantial harm - by deleting files needed to run word processing programs or perform essential operating system tasks. Some prepare the way for further attacks by opening up access to administrative functions.

Prevention is simple, at least in principle - install antivirus software, keep it up-to-date and running in the background, keep the operating system patched, and don't open email attachments from unknown sources.

Nonetheless, odds are high that someday the system will be infected. Important data will be lost, essential program and operating system files will be zapped. Now what?

First thing: Don't panic. You may not even be infected. Before implementing a cure you have to diagnose properly.

If the system is still functional and you have access to the Internet, update your antivirus signatures and read up on the viruses currently circulating; the vendors' sites describe the files, registry keys and processes each one leaves behind. Then run a full manual scan, and search the file system for the virus programs or infected files those write-ups name. Look at memory too - sometimes the little creeps live only in running processes. Bear in mind that a running, infected system can lie to you about what is on the disk and in memory, so treat a clean result here as a first pass, not a verdict.

Test several programs and operating system functions. It may be that something just went wrong with one component. This isn't fool-proof - the virus may simply have gone after those particular ones.

If the system isn't functional, boot the system using an antivirus rescue diskette or CD. You did prepare one, right? No? Er, go back to Step 0 - pre-attack - and (1) prepare bootable antivirus diskettes and a CD, (2) burn CD copies of purchased software and/or organize the original discs, and (3) back up important data.

Scan the system after booting from diskette or CD and look for the virus or infected files. You really are infected? Ok, on to the next phase.

If you're running Windows, try the boot option Last Known Good Configuration (press F8 at startup). Windows saves the "last known good" control set at every successful logon, so once you have logged on to the infected configuration, that snapshot is the infected one too. It rarely helps, but it costs nothing, and the chance is gone once you've logged on again.

If you're running Windows, check that the key operating system files are present and that their dates and versions look right. (The list is too long to display here. Search Microsoft's web site for 'Operating System files', or build a reference list from the Windows (or WINNT) directory and its System (or System32) sub-directory on another computer at the same version, service pack and hotfix level. Most files of a given service pack carry the same date, so one that doesn't is worth a closer look.) Two cautions: a file's timestamp is trivial to forge, so a hash or version-number comparison against the reference machine is stronger evidence than a date, and a live, infected system can hide files from you, which is one more reason to do the comparison from the rescue disk. Windows 2000 and later also ship System File Checker: run sfc /scannow from a command prompt and it compares the protected system files against its own cache and may ask for the installation media to replace one.

Check especially kernel32.dll and lsass.exe, since malware likes to borrow those names: a file called kernel32.exe, or an lsass.exe sitting outside the Windows directory tree, is not Windows and should be treated as hostile. Genuine fixes from Microsoft update system files too, but they tend to come in bunches, so a single file with a date nothing else shares is suspect. Yes, no one said this was going to be easy. Windows File Protection makes the system somewhat self-healing, but it is far from perfect. Replace damaged files with known-good copies from your installation media or a clean machine at the same patch level, if needed.
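Here is the file comparison written out as a small script, as an added example rather than anything from the original post. It assumes a clean machine at the same version, service pack and hotfix level (build the manifest there and keep it with your rescue media, as part of Step 0) and a suspect disk you can read as an ordinary directory, for instance mounted from the rescue CD. Hashes rather than dates are compared because a timestamp is trivial to forge, and a file that reuses a real system file's name in the wrong directory is flagged separately. The file names and contents in the demo are constructed stand-ins, not real Windows binaries.

```python
"""Compare a suspect Windows directory tree against a manifest built on a clean machine.

Added example, not from the original post. Assumes a clean machine at the same
Windows version, service pack and hotfix level to build the reference manifest
from, and the suspect disk reachable as a plain directory (for instance mounted
from rescue media). The file names and contents in demo() are constructed.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """SHA-256 of a file, read in chunks so a large DLL is not loaded in one piece."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every file under root to its hash, keyed by lower-cased relative path
    (NTFS is case-insensitive, so Kernel32.DLL and kernel32.dll are the same file)."""
    manifest: dict[str, str] = {}
    for path in root.rglob("*"):
        if path.is_file():
            rel = path.relative_to(root).as_posix().lower()
            manifest[rel] = sha256_of(path)
    return manifest


def compare(reference: dict[str, str], suspect: dict[str, str]) -> dict[str, list[str]]:
    """Classify the suspect tree against the reference manifest.

    missing   - in the reference, absent on the suspect (deleted or hidden)
    modified  - present in both but with a different hash (patched or replaced)
    lookalike - not in the reference, but its file name matches a real system
                file in another directory (malware borrowing a name like lsass.exe)
    extra     - not in the reference at all (dropped file, or a hotfix the
                reference machine lacks; check it by hand)
    """
    reference_names = {os.path.basename(rel) for rel in reference}
    result: dict[str, list[str]] = {"missing": [], "modified": [], "lookalike": [], "extra": []}
    for rel, digest in reference.items():
        if rel not in suspect:
            result["missing"].append(rel)
        elif suspect[rel] != digest:
            result["modified"].append(rel)
    for rel in suspect:
        if rel in reference:
            continue
        bucket = "lookalike" if os.path.basename(rel) in reference_names else "extra"
        result[bucket].append(rel)
    for names in result.values():
        names.sort()
    return result


def demo() -> dict[str, list[str]]:
    """Build two constructed trees, tamper with one, and return the comparison."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = Path(tmp, "clean", "Windows")
        suspect = Path(tmp, "suspect", "Windows")
        files = {  # constructed stand-ins for real system files
            "System32/kernel32.dll": b"kernel32 build 2600 sp3",
            "System32/lsass.exe": b"lsass build 2600 sp3",
            "System32/ntoskrnl.exe": b"ntoskrnl build 2600 sp3",
        }
        for tree in (clean, suspect):
            for rel, data in files.items():
                target = tree / rel
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(data)
        # Simulated infection: patched kernel32.dll, a fake lsass.exe outside
        # System32, a dropped driver, and ntoskrnl.exe deleted.
        (suspect / "System32/kernel32.dll").write_bytes(b"kernel32 build 2600 sp3 + injected code")
        (suspect / "lsass.exe").write_bytes(b"not lsass at all")
        (suspect / "System32/drivers").mkdir()
        (suspect / "System32/drivers/dropped.sys").write_bytes(b"dropped driver")
        (suspect / "System32/ntoskrnl.exe").unlink()
        return compare(build_manifest(clean), build_manifest(suspect))


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind:9s} {', '.join(names) or '-'}")
```

On a real system, build_manifest would be pointed at C:\Windows on the clean machine (save the result to a file and carry it on the rescue media) and at the mounted suspect disk. Anything in the extra bucket that turns out to be a legitimate hotfix is a reason to patch the reference machine and rebuild the manifest, not a reason to trust the suspect.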

Again for Windows users, it may be the Registry that's corrupted. Before reaching for a repair tool, try System Restore if your version has it, or restore the registry hives from a backup taken before the trouble started. If you do search for Windows Registry repair utilities, choose one suitable for your version from a vendor you already trust: plenty of the "registry cleaners" advertised online are rogue software themselves. Any recommendation made here will be out-of-date in six months, but forums are full of helpful up-to-date opinions.

If the problem is only a program - word processing software, or email client or browser, for example - uninstall and reinstall it. Annoying, but usually pretty straightforward, and most programs won't delete any user-created data files without prompting you first.

In the worst case scenario - lost user data not backed up somewhere (oops, you skipped Step 0) - several commercial data recovery services are available that can sometimes get it back. They tend to be expensive, but your data may be worth it. It sounds like magic, but they often can recover at least some even though you've searched thoroughly and the data appears lost. One rule improves the odds a lot: stop writing to that disk. Every reinstall, scan log or download can overwrite the sectors your files still occupy, so pull the drive or image it before doing anything else with it.
