How to clean a network infested with viruses and Trojan Horses


LABachlr
07-19-2004, 06:56 AM
A client of mine has a business in a building that is on a network. They are different companies, so they don't share files, but they do share an Internet connection.

In any case, one of his systems was so infected, that after hours of using tools to scan and clean it, it was finally decided that the best thing to do would be to do an LLF to make sure everything is gone, and then format and reinstall, which is what was done.

However, they could not get the pc back on the net until the network admin for the building came down and configured it. So I could not load the AV program and update to the latest definitions. Because of this, I didn't bother installing the AV program, and told them not to connect it to the net until I could come back and protect it.

Well, they connected it to the net anyway, and when I came back ONE day later, it had 34 Trojans! Even the windows.exe file was infected. It was pretty insane.

In any case, the network is obviously laden with viruses and Trojans. My question to you guys is how would one go about cleaning the network? Is it simply a matter of cleaning all of the machines on the network, or are there other places on the network where the viruses and Trojans can reside?

I came across an a product called Network Malware Cleaner which claims to clean the nodes on your network of all threats:

http://www.emco.is/tutorials/networkmalwarecleaner/features_of_network_malware_cleaner/features_of_network_malware_cleaner.html

Is this the type of product that one would need to do this?

Are there other products that are better?

From which machine should this program be executed?

Any advice on cleaning up a network would be greatly appreciated.

Sterling_Aug
07-19-2004, 07:14 AM
Multi-anti virus protection is the best.

I use:

Norton AV
The Cleaner (for trojans)
Spywareguide.com block list
Spywareblaster
AdAware 6
and SpyBot S&D (only if req'd).

You can never have enough protection from viruses and trojans.

Don't forget to get and install ALL of the Microsoft updates and then switch browsers to Mozilla because IE is a prime target.

kwebb
07-19-2004, 10:55 AM
Not sure why you had to wait until the admin configured the machine for the internet. You're telling us there were no CD burners on any machine there? Possible of course, but a burner is pretty much standard equipment these days. Anyway, as to your question. You can protect with any number of software packages, but if that company is on the same network as the others, then you'll have to involve their IT people as well to get a handle on their workstation security. I would recommend Spybot first. The most recent version comes with TeaTimer, which basically stops any system configuration changes. There is also a tool to stop IE scripting. You can choose to stop, prompt, or disable the service. Pretty nifty utility. Norton and McAfee, either or both, will have spyware protection in their next/current version. McAfee is beta now and we're testing it before deploying. This is the enterprise version; however, I would imagine the newest consumer version will follow suit. Norton is another big player and frankly, these companies have no choice but to address the spyware issue, along with the already addressed viruses, worms, and trojans. If the other companies' PCs are not protected, you are still vulnerable, as the DATs may not get updated on your machines in time to stop the spread from the remote machines that you cannot control, the neighbors. I'd try to segment the network to put your PCs behind a router. A lot of SOHO routers support RIP, so you could isolate your IPs from the LAN completely.

ahurtt
07-19-2004, 03:18 PM
Who is in charge of administering the backbone connection common to both companies? Whoever it is should be responsible for ensuring first of all that both companies are on separate LANs. It should be a relatively simple matter for that admin to subnet the 2 companies out so problems on one don't affect the other. As for cleaning the network effectively? You probably need to pull the plug on your network's WAN / Internet connection first of all. If you don't have too many PCs on the infected network, I would recommend disconnecting each one from the LAN as well. Otherwise, you might eradicate a virus or trojan from one host only to have it reinfected by another infected host on your network before you can apply a patch / hotfix for the virus to prevent it from getting the bug again. The best and safest way is to disconnect each machine on the LAN and go to each individual machine and then eradicate the virus (or virii), then apply the security patch. Do not reconnect the LAN or the WAN ports until all machines are cleaned.
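The segmentation that kwebb and ahurtt both recommend comes down to address planning plus a router or VLAN boundary between tenants: hosts in different subnets no longer share a broadcast domain, so a worm on one tenant's LAN cannot reach the neighbours' machines directly. The script below is an added illustration, not code from the thread or from any product named in it; it carves an assumed building block (10.20.0.0/16, a constructed value) into per-tenant subnets with Python's standard `ipaddress` module and checks whether two hosts would still sit on the same segment. It only models the plan; the actual isolation still has to be configured on the router.

```python
import ipaddress

# Constructed example: the whole building currently shares one flat block (assumed value).
BUILDING_BLOCK = "10.20.0.0/16"


def plan_tenant_subnets(block, tenants):
    """Carve one flat block into equal-sized subnets, one per tenant.

    Chooses the smallest prefix length that yields at least len(tenants)
    subnets and returns a dict mapping tenant name -> IPv4Network.
    """
    net = ipaddress.ip_network(block, strict=True)
    new_prefix = net.prefixlen
    while 2 ** (new_prefix - net.prefixlen) < len(tenants):
        new_prefix += 1
    if new_prefix > 30:  # assumption: /30 is the smallest segment worth handing out
        raise ValueError("block too small for that many tenants")
    return dict(zip(tenants, net.subnets(new_prefix=new_prefix)))


def flat_plan(block):
    """The 'before' state: everyone in the building on one segment."""
    return {"building": ipaddress.ip_network(block, strict=True)}


def same_segment(ip_a, ip_b, plan):
    """True if both hosts fall inside the same subnet of the plan.

    Hosts on the same segment see each other's broadcasts and ARP traffic,
    which is exactly the exposure the thread is trying to remove.
    """
    a, b = ipaddress.ip_address(ip_a), ipaddress.ip_address(ip_b)
    return any(a in net and b in net for net in plan.values())


def tenant_of(ip, plan):
    """Name of the tenant subnet an address belongs to, or None if outside the plan."""
    addr = ipaddress.ip_address(ip)
    for tenant, net in plan.items():
        if addr in net:
            return tenant
    return None


if __name__ == "__main__":
    # Constructed tenants and hosts for the demonstration.
    plan = plan_tenant_subnets(BUILDING_BLOCK, ["TenantA", "TenantB", "TenantC", "TenantD"])
    for tenant, net in plan.items():
        print(f"{tenant}: {net} ({net.num_addresses - 2} usable hosts)")
    client_pc, neighbour_pc = "10.20.0.10", "10.20.64.5"
    print("flat network, same segment:", same_segment(client_pc, neighbour_pc, flat_plan(BUILDING_BLOCK)))
    print("segmented, same segment:   ", same_segment(client_pc, neighbour_pc, plan))
    print("neighbour belongs to:", tenant_of(neighbour_pc, plan))
```

With four tenants the /16 splits into four /18s; with the 20 to 30 businesses LABachlr mentions it would split into /21s, still leaving over two thousand addresses per tenant. The point of `same_segment` is the contrast between the flat plan, where the client PC and a neighbour's infected machine are always on the same segment, and the segmented plan, where they are not.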

Sterling_Aug
07-19-2004, 09:44 PM
Or you could boot each machine with a BartPE CD (I use this at work) and use the power of a live WinXP CD to clean each machine, be connected to the LAN and Internet, and have ZERO chance of infecting any other machines, since the PC's HDD is a slave to the CD while booting and the host OS is never even started.

You should see some of the 50+ out of almost 300 cool programs and utilities I have built into BartPE for us to use.

P.S.: It sounds to me like the system admin should update his resume and find a new job before he gets fired from that one.

LABachlr
07-19-2004, 09:50 PM
EDIT

I should add that I did protect the two systems that my client had with the following programs:

AVG Anti-Virus
Ad-aware - told him to do a weekly update of
Spybot - again, weekly update and scan

I also immunized their IE with Spybot.

It's just that one day of not being protected, and their system was infected with 34 Trojans.

So obviously, the network is infested with threats. I was just wondering if the threats can come from places other than their neighbors' systems.

In other words, if all the systems were to rid of the Trojans and viruses, would it be a clean network, or could the threats still be residing elsewhere.

The program that I mentioned earlier mentioned cleaning the nodes. First of all, what are nodes? Secondly, I assume that threats can reside on them since the program claims to clean them. And from which system would one execute this program that would clean the entire network?


Thanks, Sterl. I do most of what you mentioned with all my clients.

kwebb, not sure what a CD burner has to do with getting a connection to the net. I simply thought one of the following scenarios were true:

a. That their office was on a router, and all that needed to be done was to plug the ethernet cable into the router to get a connection
b. That they had a record of the settings somewhere
c. That their IT guy was always available

As it turned out, none of the above options were true. Had to enter the IP addresses and DNS Server addresses manually. They had no record of these, and their IT guy was on a week vacation. Lesson learned.

It looked like the ethernet cords were plugged into a router, but I did not look at it too closely. What is RIP?

ahurtt, I do not know who is in charge of administering the backbone connection. I just know there is one IT guy there, but I'm not sure how much he knows or how much he does.
I was just called in by one of the tenants to take care of their computers. And, btw, there are a fair amount of small businesses in that building, maybe 20-30.

I'm guessing, based on what I know, that they (the owners of the building) pretty much just had someone set up the system, but did not have them maintain it. And the IT guy they have on hand might just know the available IP's that they can use on the LAN, but not much more. However, I am just speculating.

Btw, when I was dealing with my client's systems, I did disconnect them from the network before I started to work on them, and did not reconnect them until they were protected. As I mentioned above, the one system that was infected a second time was on account of my client leaving the computer hooked up to the net after the IT guy reconfigured it, even though I warned them not to.

Could you tell me the difference between LAN and WAN? I guess WAN is Wide Area Network? And of course LAN is Local Area Network. Is it that the entire building is on a WAN connection, and each company is on their own LAN?

Also, what is virii?

And yes, that would be the best option, to disconnect all systems and clean each system one by one. However, since each tenant in the building is independent of the other, then that would mean a matter of going to each business separately, and soliciting business, which would not be a bad thing at all. It would be a gold mine, actually. I just wouldn't want them to think that I was the one who infected the network so that I could make a quick buck. :rolleyes:

LABachlr
07-19-2004, 09:59 PM
Originally posted by Sterling_Aug
Or you could boot each machine with a BartPE CD (I use this at work) and use the power of a live WinXP CD to clean each machine, be connected to the LAN and Internet, and have ZERO chance of infecting any other machines, since the PC's HDD is a slave to the CD while booting and the host OS is never even started.

You should see some of the 50+ out of almost 300 cool programs and utilities I have built into BartPE for us to use.

Sounds cool. I found the link (http://www.nu2.nu/pebuilder/), but if you could give me a mini crash course on it, that would be great. Are you saying there are almost 300 programs that you can choose to include on the CD? Are these programs from the same site? If not, where do you get them?

P.S.: It sounds to me like the system admin should update his resume and find a new job before he gets fired from that one.

LOL. You got that right. And that's assuming there is one. No idea what that IP guy is all about.

Sterling_Aug
07-19-2004, 11:55 PM
If you look at the bottom of the BartPE webpage, you will notice about 40 links to other websites; each of those sites may link to 1 or dozens more websites. The possibilities are almost endless at finding support sites for BartPE plugins.

There are almost 300 commercial/shareware/free programs, utilities, and such that are already known to work in the BartPE environment. At work I bought several commercial software packages such as Nero Burning ROM, Get Data Back and Defrag VoptXP, among several others. I then found about 40+ free and shareware programs and added them into my CD build (I even added the OpenOffice.org office suite).

It would be impossible to give you a crash course. I have been working on this CD for the last 7 months and I haven't even started to try scripting and some of the more useful things that can be done.

Send me an email and I will reply with a list of the programs I have installed now. It is turning out to be the company "Ultimate Tech Support CD".

LABachlr
07-20-2004, 07:44 PM
OK. Thanks. Just sent you an email. Btw, why would you need to have Open Office on your BartPE CD? In what circumstances would you use the programs in that suite?

Sterling_Aug
07-20-2004, 08:54 PM
Opening/reading/creating documents, spreadsheets, graphics from the slave drive, or running as a stand-alone OS.

You can install BartPE to a hard drive and it will boot just like it was installed that way from scratch.

My idea on this is:

"If I still have room to fit an app on the CD, then I will install it in BartPE and have it available 'just in case'."

LABachlr
07-20-2004, 08:58 PM
OK. Thanks. Makes sense.