Click
Here
for more articles |
|
|
Recognizing
a PC with Malware |
by:
Ronald
Merts |
What
can you do if you think your computer is
affected by spyware or a virus or other
malware? (Malware is short for malicious
software.) First let me assure you that
you aren't in this alone. There are excellent
resources and community sites dedicated
to
helping dig people out of the mess that
malware can make. Many of them are free
and I'll point you to them in this column.
I'll also
explain how to recognize if your computer
has malware running on it and point you
to antivirus programs and anti-spyware tools
to
help you get rid of it. And I'll describe
how to use recovery options that help get
your PC back to working the way it's supposed
to. And, finally, I'll talk about "The Last
Resort"-rebuilding your PC from scratch.
How to recognize malware
Malware is designed to run undetected in
the background. So how can you tell if you
have undesirable software on your system?
The
signs to look for include:
. Advertising pop-ups that appear every
few seconds.
. Extra toolbars in your browser that won't
go away.
. Browser going to sites you didn't tell
it to go to.
. Browser settings changing so your home
page won't open.
. Unexplained system slowdowns.
. Sudden rise in computer crashes.
If you're experiencing these kinds of problems,
it's a good idea to treat your PC as if
it might be infected by checking it out
thoroughly. Although there are other reasons
why your system might slow down or frequently
crash, if you're noticing these obvious
indications of malware, your system has
probably been compromised. It's time to
take defensive action.
Update antivirus programs
The first step in any attempt to repair
or recover a compromised PC is to update
your defensive tools. Your antivirus or
anti-spyware tools need to be updated to
the absolute latest versions and the most
recent definition files. If you can do this
on
the PC that has the problem, then do it
there. If not, you'll need to use another
PC to download the latest versions and put
them on
a CD or USB drive that you can use to work
on the infected PC. I like the USB drive
because it's highly portable and easy to
update
if you need to. And everything you'll need
will fit easily on a 128-MB USB drive.
Gather your original software CDs and disks
as well, including your original Windows
CD and the Windows XP Service Pack 2 (SP2)
CD.
You may need them before this is over, and
it's good to get everything organized and
ready before you start. Windows XP SP2 provides
better protection against viruses, hackers,
and worms. If you don't have a copy of the
Windows XP SP2 CD, you should borrow one
from
a friend, order SP2 on a CD, or download
the Network Install and copy it to a CD.
If you don't already have an antivirus program
running on your computer, you'll find a
number of companies offering antivirus
software and firewall protection programs,
among them:
. Computer Associates (http://www.ca.com)
. F-secure (http://www.f-secure.com/protectyourpc/)
. McAfee (http://www.mcafee.com)
. Panda Software (http://www.pandasoftware.com/microsoft/english.htm)
. Symantec (http://www.symantec.com)
. Trend Micro (http://www.trendmicro.com)
. Grisoft (free for home users - http://www.grisoft.com/doc/40/lng/us/tpl/tpl01)
Important: Uninstall any antivirus software
you are currently using before installing
a new product; having two different programs
might cause problems on your computer.
Typically, these software companies make
special offers of free trial versions of
their antivirus and firewall packages, which
should be enough to get you through this
process. But to help avoid being back in
this mess again, you'll want to choose one
of them
and get a full subscription to it so you
stay up to date.
If you still have good working Internet
connectivity, you can also use one of the
excellent, free, online virus scanners.
My
favorite and one of the best is Panda Software's
Panda Free Online Scanner
(http://www.pandasoftware.com/activescan/com/activescan_principal.htm).
One of the most annoying and difficult to
remove pieces of unwanted software is Cool
Web Search and its variants. To remove this,
you're best bet is CWShredder, a dedicated
program that just goes after this.
You'll also need a good anti-spyware product
that can help you with the detection and
removal of spyware or other malware. Here,
one
is good and two or more are sometimes better.
They don't interfere with each other, generally,
and they each seem to have slightly
different strengths. The two I use regularly
and recommend are Spybot search & destroy
(http://www.safer-networking.org/microsoft.en.html)
and Computer Associates PestPatrol 5. There
is new anti-spyware software from
Microsoft, which is in beta testing now
and holds some promise as well. (Beta software
is pre-release software that is distributed
for feedback and testing purposes.) The
Microsoft product is a security technology
that helps you detect and remove known spyware
from your PC. It also helps prevent spyware
from getting on your computer in the first
place. I've been using it and really like
the
way it works, but because it's a beta version,
it won't be the right choice for everyone
until the final release. For one thing,
Microsoft doesn't provide technical support
for beta releases. Although formal support
is not offered for this beta, you can go
to
the newsgroups to help get your questions
answered.
Finally, it's a good idea to have a couple
of other programs available. LSPFix and
WinSock XP Fix can help restore your Internet
connection if the cleanup process messes
that up.
Back up critical files
If you can, now would be a really good time
to back up critical files you'd hate to
lose. Don't try to back up programs or the
operating system-there's no point since
they may be compromised and can be replaced.
But those pictures of your daughter's wedding,
your résumé, and your doctoral thesis-those
are irreplaceable. Please, copy them somewhere
safe, since anything you do to remove
this kind of malicious software is serious
and could leave your PC in a state where
it might be difficult to recover or save
your
critical files.
Where or what you copy them to doesn't really
much matter. A CD or DVD if you've got the
hardware and software to do that, or a Zip
disk, or just plain old floppy disks will
work. But whatever medium you use, having
a backup will give you the confidence to
attack
this malicious software without fear of
losing something critical. Ed Bott's Windows
XP Backup Made Easy
(http://www.microsoft.com/windowsxp/using/setup/learnmore/bott_03july14.mspx)
explains how to let Windows XP do most of
the backup
work.
Scan and remove
Once you have your defensive programs ready,
located your original CDs and DVDs, and
made a backup of your critical data files,
it's
time to start figuring out exactly what
you have on your system that shouldn't be
there. But before you start, disable System
Restore. The last thing you'd want to do
is restore to this point anyway, and this
will prevent versions of the noxious software
from being saved in the restore point.
To disable System Restore
1. Click Start, right-click My Computer,
and then click Properties.
2. On the System Restore tab, select the
Turn off System Restore box, and click OK.
The first step should be to try the obvious.
Use Add/Remove Programs in Control Panel
for programs that shouldn't be there and
try
to uninstall them first. Some of the annoying
adware programs will actually uninstall
and stay uninstalled so you might as well
get
rid of them first.
Next I scan for conventional viruses. Use
the antivirus software that you downloaded
and updated or one of the online scanners
if
you're still online. Deal with anything
it finds, either by deleting or cleaning
as appropriate. Microsoft offers a Malicious
Software Removal Tool (http://www.microsoft.com/security/malwareremove/default.mspx)
that is updated on the first Tuesday of
each
month. This tool checks computers running
Windows XP, Windows 2000, and Windows Server
2003 for infections by specific, prevalent
malicious software-including Blaster, Sasser,
and Mydoom-and helps remove any infection
found. When you're done, it's time to
disconnect from the Internet. Unplug the
network connection or disconnect the modem.
Next, run CWShredder. Although it only deals
with a single (but pervasive) problem, many
of the Cool Web Search variants can prevent
the other anti-spyware programs from doing
their job correctly, so it's best to go
after this one first.
Now it's time to run the anti-spyware scanners.
It doesn't really matter what order you
run them in, but be prepared for a fairly
lengthy list of things to deal with. Initially,
I'd ignore any that are described as cookies-they're
low on our list of concerns for
now. But everything that looks like a program
or that they report as a critical issue
should be quarantined or deleted.
Running in safe mode
One recommendation that some experts make
is to run your antivirus and anti-spyware
scans and cleanup in safe mode. Some problems
that can hide from these programs in normal
user mode are exposed in safe mode. Other
experts disagree and suggest that there
is
little difference. I'm of the school that
thinks it can't hurt, so I suggest you try
running your scans first from a normal boot,
but when you've done all you can from there,
start in safe mode and try running the scans
again.
To start in safe mode
1. Click Start, click Shut Down, click Restart
from the list, and then click OK.
2. While your computer is starting, press
the F8 key until the Windows Advanced Options
Menu appears.
3. Select Safe Mode and press ENTER as needed.
For more on safe mode and the options available
in the Windows Advanced Options Menu, see
a Description of the Safe Mode Boot
Options in Windows XP at http://support.microsoft.com/default.aspx?scid=kb;en-us;315222.
Finally, when you're done fixing everything
and you think you've got it all, I think
it's wise to install or reinstall Windows
XP
Service Pack 2. Now turn on Windows Firewall,
turn on System Restore, and you can connect
your PC back to the Internet. Before you
do anything else, go to the Windows Update
site (http://update.microsoft.com) and download
all of the latest security fixes. Then,
turn on Automatic Updates to make sure you
stay up to date.
Getting help
Removing undesirable software can be a daunting
task. But as I said in the beginning, you're
not in this alone. There are a wealth
of resources available to you at every stage
of the process. I can't begin to list them
all, but some that I know about are the
following:
. Microsoft Security Help and Support-the
support is free for security problems and
getting help removing malware is definitely
a
security problem: Located at http://support.microsoft.com/default.aspx/gp/securityhome.
. Microsoft Security Home Users Newsgroup-good
place to start, with a wealth of users and
MVPs responding to your queries 24 hours
a
day: Located at
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx?dg=microsoft.public.security.homeusers&cat=en_us_d06efcb7-0e61-00
ed-6e0f-a86481b6aa20&lang=en&cr=us.
. Broadband Reports Online Security Community
Forum-an excellent resource for really persistent
and difficult problems, with help
from Microsoft MVPs and other users: Located
at http://www.broadbandreports.com/forum/security.
. SpywareInfo Forums-excellent help and
fast responses: Located at http://forums.spywareinfo.com/.
. AumHa Forums-a great resource for a wide
variety of Windows problems, run and staffed
by Microsoft MVPs: Located at
http://forum.aumha.org/.
The last resort
Finally, I want to talk about the last resort,
which is performing a clean installation
of Windows XP. This is not something to
do
casually, since you will certainly lose
data and have to re-install all your programs,
but it is an option if all else fails.
For more information check out our articles
at http://www.tornadocomputers.com/techie
About the author:
Vice-President and CIO for Tornado Computers
in Oklahoma City. Specializing in small/medium
businesses and home-users Ron has become
their Information Security specialist becoming
more and more proficient in the removal
and prevention of viruses, spyware and other
threats to people's data.
Circulated by Bandoni
Media
|
|
