Malware avoidance and removal
Windows-based computers need three extra components to secure them effectively: anti-virus software, anti-spyware software, and a firewall. They perform different functions, although they sometimes come in the same package; as with hi-fi gear, separate components tend to give a better result. Malware is a generic term for any kind of malicious software, whether it be a virus, spyware, a trojan horse, a worm, or something else. The three components above, used together and kept up to date, provide a decent defence against most malware on the net today.
Avoiding Malware
Antivirus software is useful for avoiding many types of malware, and should be installed as a simple preventative measure. AVG is free and seems to work. Similarly, a firewall is a must-have item, whether it be software-based such as ZoneAlarm, or hardware-based (such as the one inside your broadband router). Firewalls prevent many network-based attacks. Note that Windows XP's built-in firewall filters inbound connections only. Vista and later can filter outbound connections too, but outbound filtering is off by default (the default outbound action is Allow), so it only does anything once you enable it and write the rules yourself. On important machines, a third-party firewall such as ZoneAlarm, which prompts on outbound connections out of the box, is recommended.
Internet Explorer, Microsoft's web browser, is the primary route of spyware infection for most PCs at present. If you use a different browser, for example Opera or Firefox, it will resist many attacks simply because those attacks are crafted to exploit vulnerabilities in software you're not using (it is not immune, so keep it patched too). Anti-virus and anti-spyware software mostly cleans up the mess afterwards and does not reliably stop your browser being hijacked. The best way to avoid spyware is to avoid using Internet Explorer to browse the web.
Outlook and Outlook Express also have their issues, and should be replaced with more secure and more feature-laden free programs such as Thunderbird or Pegasus Mail.
MSN Messenger, another common route of infection, can be replaced with Trillian or Pidgin. If you would like to replace Microsoft Office, try OpenOffice.
You should also ensure your Acrobat Reader, Flash, Java and other common programs are kept up-to-date, as some malware targets known vulnerabilities in older versions of these packages.
Email filtering may also be of benefit: it can be used, for example, to strip executable attachments from mail arriving in your POP3 mailboxes before the mail client ever sees them. Look at the attachment's actual content as well as its name, since a renamed .exe or a double extension such as invoice.pdf.exe is an old trick.
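As an added example (not code from the original article), here is a small Python filter that applies that rule to a raw message. It uses only the standard library and a mail message constructed inline; the extension list and the MIME-type list are assumptions to adapt to your own environment.

```python
"""Flag mail carrying executable attachments (added example, not from the article).

Uses only the standard library. The sample message below is constructed here
so the script runs offline; EXECUTABLE_EXTENSIONS is an assumed starting list.
"""
import email
from email import policy
from email.message import EmailMessage

# Extensions Windows will execute directly when double-clicked (assumed list;
# extend it to suit your environment).
EXECUTABLE_EXTENSIONS = {
    ".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".vbe",
    ".js", ".jse", ".wsf", ".wsh", ".hta", ".cpl", ".msi", ".reg",
}
# MIME types mail clients commonly use for Windows executables.
EXECUTABLE_MIME_TYPES = {"application/x-msdownload", "application/x-msdos-program"}
# Every PE file (exe, dll, scr, ...) starts with the two bytes "MZ".
PE_MAGIC = b"MZ"


def attachment_reasons(part):
    """Return the reasons one MIME part looks executable (empty list = looks clean).

    Three independent checks, so renaming the file or lying in Content-Type
    is not enough to get past the filter.
    """
    reasons = []
    name = (part.get_filename() or "").strip().lower()
    # Judge on the *last* extension, so "invoice.pdf.exe" is treated as .exe.
    ext = "." + name.rsplit(".", 1)[1] if "." in name else ""
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append("executable extension " + ext)
    if part.get_content_type() in EXECUTABLE_MIME_TYPES:
        reasons.append("executable content type " + part.get_content_type())
    payload = part.get_payload(decode=True) or b""
    if payload.startswith(PE_MAGIC):
        reasons.append("payload starts with the PE 'MZ' header")
    return reasons


def executable_attachments(raw_message):
    """Parse a raw RFC 822 message (bytes) and list its executable attachments."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    flagged = []
    for part in msg.iter_attachments():
        reasons = attachment_reasons(part)
        if reasons:
            flagged.append((part.get_filename() or "<unnamed>", reasons))
    return flagged


def should_strip(raw_message):
    """Policy hook: a mail filter would drop or quarantine the message if True."""
    return bool(executable_attachments(raw_message))


def build_sample_message():
    """Constructed test mail: one harmless attachment and two dressed-up executables."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.com"
    msg["To"] = "fred@example.com"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment("Just some notes.\n", filename="notes.txt")
    # Double extension: the final extension is what Windows will run.
    msg.add_attachment(b"MZ\x90\x00\x03\x00 fake PE image",
                       maintype="application", subtype="octet-stream",
                       filename="invoice.pdf.exe")
    # Innocent name and content type, but the bytes are a PE image.
    msg.add_attachment(b"MZ\x90\x00\x03\x00 another fake PE image",
                       maintype="application", subtype="pdf",
                       filename="report.pdf")
    return msg.as_bytes()


SAMPLE_MESSAGE = build_sample_message()

if __name__ == "__main__":
    for filename, reasons in executable_attachments(SAMPLE_MESSAGE):
        print(filename + ": " + "; ".join(reasons))
```

Wiring this in front of a mail client is up to your setup (a POP3 proxy or a mail rule that calls should_strip, for instance). The point is that the three checks are independent: a renamed executable, a lying Content-Type or a double extension each still trips the filter on its own.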
Removing Malware
Anti-virus software is useful here, but it's often attacked by the malware during infection. If your antivirus software has malfunctioned, it should be reinstalled and its signatures updated, but only once your system has been cleaned; otherwise the malware may simply disable it again.
Spybot Search & Destroy is the best spyware remover we have seen, and we recommend it to all our customers. Use these instructions to scan your computer with Spybot Search & Destroy 1.6.2 (immunisation is also performed):
- open Spybot Search & Destroy
- in the right-hand panel, click the Search for Updates button
- select a site
- tick all the updates you'd like (all boxes ticked is recommended here - although don't tick any Teatimer updates if you're not using that)
- click the Download button
- wait for the updates to download, then press the Exit button
- back on the main screen, in the left-hand panel, click the Immunize button
- wait for the analysis to complete, then, in the upper left of the right-hand panel, click the Immunize button (it has a green plus sign next to it)
- wait for the immunisation to complete
- in the left-hand panel, click the Search & Destroy button
- in the upper left of the right-hand panel, click the Check for Problems button (it has a magnifying glass next to it)
- wait for the scan to complete (this may take some time)
- review detected items - ensure all items to remove are ticked (all boxes ticked is recommended here)
- in the upper centre of the right-hand panel, click the Fix Selected Problems button (it has a tools icon next to it)
- wait for the items to be removed
- close Spybot Search & Destroy
If you still have spyware problems after you have run Spybot Search & Destroy, try HijackThis. Don't use HijackThis unless you need to, and even then I'd suggest doing so very carefully: it's very powerful, and you can break your system with it, or at least your Acrobat Reader, anti-virus software, Yahoo Toolbar etc.
Cleanup Process
- Disconnect the machine from the network as soon as possible. You may need to stay connected briefly to install tools and update signatures; that is unavoidable, but once it is done, physically unplug the network cable (and switch off any wireless adapter) so that nothing on the system, malware included, can send or receive data.
- Avoid entering any valuable passwords or numbers into the computer while you're cleaning it (for example, to log in to a remote machine to download a tool or back up some data, or to pay online for new or updated security software). These passwords and numbers may well be captured by malware on the system and sent into some dark and unforgiving region of cyberspace. A CD containing your favourite tools, burned on a clean machine, can prove useful in these circumstances.
- Make sure System Restore is turned OFF before you try and clean your system. Restore points contain copies of the files the malware dropped, anti-virus tools generally can't clean inside them, and a later restore would bring the malware straight back; turning System Restore off purges the existing restore points. We'd actually leave it off permanently, since it doesn't work reliably anyway, and it slows down the system and takes up gobs of disk space.
- Open the Add and Remove Programs applet in Control Panel and uninstall anything you don't recognise, anything that resembles spyware, and anything else you don't want.
- Delete your browser cache(s) BEFORE doing any scans for viruses or spyware. In IE, use Tools.. Internet Options.. and on the General tab, in the 'Temporary Internet files' panel, click the Delete Files button. We'd also empty the temp directories: c:\windows\temp, and the per-user ones (under XP, Local Settings\Temp inside each profile under c:\Documents and Settings). Lastly, empty the Recycle Bin in case anything is still lurking. All this done, THEN run the malware scans. We do this last because otherwise we're just scanning junk for junk, a waste of time: delete the junk outright and the problem is partially solved, and the scans take a lot less time.
- Run the malware scans. Run them in this order:
- Spybot Search & Destroy
- anti-virus
This is because Spybot Search & Destroy is fairly precise, while anti-virus software knows little about spyware. So running the scans in that order means malware gets deleted as quickly as possible, which speeds up the scans that come next.
- Check the system. If there's still malware active, try HijackThis. If you still have problems after that, see the Further Reading section below.
- Once the machine is stable, patch it with Windows Update; make sure the firewall, anti-virus and anti-spyware software are all up-to-date; disable non-essential services (for example, under XP, Remote Desktop and the Remote Registry service); take a disk image with Ghost or equivalent; and run a backup, possibly burning the image and the backup to CD or DVD. You can ensure the backup and disk image are good by using the "test archive" or "check image" function in the backup or imaging software, and you can ensure the CD or DVD is good by using the "verify data after writing" option of the burning software. Remote storage systems can also be used to provide cost-effective offsite backup.
Logfiles
If you'd like to see exactly what Spybot Search & Destroy has cleaned, you can view the logfiles. Logging must be enabled for the logfile to be created (check the options if you're not sure), but it is enabled in the default configuration.
The location of the logfiles varies with program and operating system:
operating system | logfile location
---|---
Windows 9x | c:\Windows\Application Data\Spybot - Search & Destroy\Logs
Windows NT/2000/XP | c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs
Windows Vista | C:\ProgramData\Spybot - Search & Destroy\Logs
Further Reading
Really tricky malware sometimes requires you to reboot into safe mode and kill the thing manually. The general procedure is:
- examine process listings and startup locations (the Run keys in the registry, services, the Startup folder, scheduled tasks) for unusual executables, and examine any you find for unusual features (an odd location, a misspelt or look-alike system process name, no publisher information)
- if you decide a program is dodgy, kill its process first; if it can't be killed, reboot into safe mode, which should stop it from running
- with the process gone, move the executable to a safe directory, or just delete it if you aren't sure which directories are safe and which aren't (but only if you are sure the file is safe to delete)
- then delete the startup key or hook it was using to execute, any datafiles it left lying around, and any other suspicious-looking files
- expect more than one: a computer once cracked with spyware often becomes infested with multiple instances and other cracks, so there may be all kinds of junk on the system
Going further into this is beyond the scope of this document, and if you're unsure, it might be time to contact us.
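The startup-location inspection above is the step most easily got wrong by eye, so here is an added example (not part of the original article) of doing it with a script. It parses a .reg export of a Run key produced with the built-in reg.exe, pulls out each executable's path and flags the patterns described above: running from a temp or profile directory, a system process name (svchost.exe, lsass.exe) outside the Windows directories, a look-alike name, or a double extension such as holiday.jpg.exe. The sample export, the name lists and the directory hints are constructed assumptions, and the output is a list of entries to examine by hand, not a verdict.

```python
"""Triage the Run-key entries of a suspect machine (added example, not from the article).

On the suspect PC (in safe mode) export the keys with the built-in reg.exe, e.g.
    reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg
    reg export "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" run-lm.reg
and read them on a clean machine (real .reg files are UTF-16, so use
open(name, encoding="utf-16")). The heuristics below are assumptions: they
produce a short list of entries worth a closer look, not a verdict.
"""
import re

# "name"="data" lines in a .reg export; \\ and \" are escaped inside the quotes.
REG_VALUE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"$')

# Core Windows processes whose names malware likes to borrow.
SYSTEM_BINARIES = {
    "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe",
    "smss.exe", "spoolsv.exe", "explorer.exe",
}
# Where those binaries legitimately live (assumes a standard install on C:).
WINDOWS_DIRS = {"c:\\windows\\", "c:\\windows\\system32\\", "c:\\winnt\\", "c:\\winnt\\system32\\"}
# Directory fragments an ordinary user (and therefore drive-by malware) can write to.
USER_WRITABLE_HINTS = ("\\temp\\", "\\application data\\", "\\local settings\\",
                       "\\my documents\\", "\\documents and settings\\", "\\appdata\\", "\\users\\")
# Extensions used to make an executable look like a harmless file (holiday.jpg.exe).
DOCUMENT_EXTENSIONS = {"jpg", "jpeg", "gif", "png", "pdf", "doc", "xls", "txt", "htm", "html"}


def unescape(value):
    # Undo .reg escaping: backslash-backslash and backslash-quote.
    return re.sub(r'\\(.)', r'\1', value)


def parse_run_values(reg_text):
    """Return (value name, command line) pairs from a .reg export."""
    entries = []
    for line in reg_text.splitlines():
        m = REG_VALUE.match(line.strip())
        if m:
            entries.append((unescape(m.group("name")), unescape(m.group("data"))))
    return entries


def image_path(command):
    """Pull the executable path out of a Run-key command line (heuristic)."""
    command = command.strip()
    if command.startswith('"'):                 # "C:\Program Files\x.exe" /arg
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    idx = command.lower().find(".exe")          # C:\Program Files\x.exe /arg
    if idx != -1:
        return command[:idx + 4]
    return command.split(" ", 1)[0]


def suspicious_reasons(path):
    """Heuristics for one executable path; an empty list means nothing odd was seen."""
    reasons = []
    p = path.lower()
    fname = p.rsplit("\\", 1)[-1]
    directory = p[:len(p) - len(fname)]
    if any(hint in directory for hint in USER_WRITABLE_HINTS):
        reasons.append("runs from a user-writable profile or temp directory")
    if fname in SYSTEM_BINARIES:
        if directory not in WINDOWS_DIRS:
            reasons.append("system process name " + fname + " outside the Windows directories")
    elif any(sys_name[:-4] in fname for sys_name in SYSTEM_BINARIES):
        reasons.append("name resembles a system process: " + fname)
    tokens = fname.split(".")
    if len(tokens) >= 3 and tokens[-2] in DOCUMENT_EXTENSIONS:
        reasons.append("double extension, disguised as ." + tokens[-2])
    return reasons


def triage_run_key(reg_text):
    """Return (value name, image path, reasons) for every entry worth a look."""
    flagged = []
    for name, command in parse_run_values(reg_text):
        path = image_path(command)
        reasons = suspicious_reasons(path)
        if reasons:
            flagged.append((name, path, reasons))
    return flagged


# Constructed sample export (not from a real machine): two normal XP entries and
# four that show the patterns worth chasing.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"svchost"="C:\\Documents and Settings\\Fred\\Local Settings\\Temp\\svchost.exe"
"Update"="\"C:\\Documents and Settings\\Fred\\Application Data\\update.exe\" -s"
"Win32 Driver"="C:\\WINDOWS\\system32\\drivers\\svchost32.exe"
"Photo"="C:\\Documents and Settings\\Fred\\My Documents\\holiday.jpg.exe"
'''

if __name__ == "__main__":
    for name, path, reasons in triage_run_key(SAMPLE_REG_EXPORT):
        print(name + " -> " + path)
        for reason in reasons:
            print("    " + reason)
```

The profile-directory hint will also catch legitimate per-user installers that live under Application Data, which is deliberate: the script narrows the list, and you still check each flagged file's publisher, size and date before moving or deleting it. Run the same script over the HKLM Run and RunOnce exports, and over the other startup locations once you have them in text form.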