Sunday, April 27, 2008

Cleaning a Pest-Infected Computer (This is 4U Shanton)

Tools for Success!

You will need certain tools in order to accomplish the cleaning tasks ahead of you. It would be best to get them using a known-clean computer and directly from the source, then put them on a CD or other media and take them to your computer.

You can substitute other tools if you have them handy or have your own preferences. The best spyware/adware or antivirus scanner is of no use unless it is the latest version and fully updated.

AdAware SE - http://www.lavasoftusa.com/
Get the latest version of AdAware SE, and also get the latest signature files for that version from their download section.

Spybot Search&Destroy - http://www.spybot.info/
Get the latest version along with the latest signatures.
(Personally I do not recommend Spybot for the first-time user as it will want to remove items that I don't think it should be removing, and its advanced features can cause problems that are tricky to solve if you don't know how to reverse the changes it makes. But if you prefer it and are comfortable with it, then by all means go ahead.)

HijackThis - http://www.spywareinfo.com/~merijn/downloads.html
Download this tool but do not use it to clean anything unless you are working with an expert. Many of the items listed in a HijackThis report are normal and removing them may cause your computer to stop working.

Antivirus scanner - Most of the major antivirus manufacturers have a basic version of their program that you can download and use to clean the most common viruses and trojans. Avast! antivirus, for example, has a basic cleaning tool that can be downloaded. McAfee has their Stinger cleaner available, and AVG antivirus offers the vcleaner tool. And, of course, the Microsoft Windows Malicious Software Removal Tool is updated monthly and can remove some common threats. You may do well to select several of these tools as they tend to catch different threats. As these are "mini-scanners" they aren't as comprehensive as a full antivirus product that has been installed and maintained with the latest updates.

Got your tools? Printed out a copy of the guide? Then let's begin ...

Before we start, isolate your computer

The first thing you need to do before we start is to disconnect your computer from the Internet or your home network.

Please note that you are going to do a couple of things with the computer disconnected from the Internet. Until you have a fairly good idea that you've isolated or removed most of the threats present on your computer you don't want to connect to the Internet again. Many viruses, adware or spyware programs can "repair" themselves using your Internet connection until they are fully removed, and many of the worms and Trojans in circulation these days are also capable of using the Internet to repair themselves or allow remote access to your computer. So let's stay disconnected until you've cleaned up as many of them as we can. That makes it a little more inconvenient, but much safer.

Next, empty Temporary Internet Files

Emptying the Temporary Internet Files folder not only makes the scanning and cleaning processes faster; a number of the pests we want to get rid of use that folder as a hiding place. It would also be wise to restart the system after you do this, then locate and delete any files in the \Windows\Temp or \WinNT\Temp folder (depending on which version of Windows you have). Windows 2000 and Windows XP users will also want to check the \Documents and Settings\\Local Settings\Temp folder and delete everything in it. Note that you will need to have the option to view hidden files in Explorer turned on to find and empty this folder.

To eliminate the Temporary Internet Files, right-click the Internet Explorer icon on your desktop and select "Properties" from the pop-up menu (for Windows XP users, if you didn't put the Internet Explorer icon on your desktop click the Start button, right-click the Internet Explorer icon near the top of the Start menu, then select "Internet Properties" from the pop-up menu). Look under the section titled "Temporary Internet files" for the button to delete files, and then click it, and when it brings up the confirmation message be sure you also check the "Delete all offline content" box. This process may take several minutes to complete.
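The same clean-out, done from the command line rather than through the Internet Explorer dialog. This is an added example and not part of the original post; it assumes PowerShell is available and is run from an elevated prompt with every browser window closed. The folder locations are derived from environment variables so that one script covers both the Windows XP layout (\Documents and Settings\<user>\Local Settings\...) and the \Users\<user>\AppData\Local\... layout of later versions.

```powershell
# Added example, not from the original post: empty the temporary folders the post
# names, including hidden files, and report anything that could not be removed.
# Run from an elevated PowerShell prompt after closing every browser window.

function Get-TempLocations {
    $paths = @(
        # Temporary Internet Files: the XP-era folder, then the newer INetCache folder
        (Join-Path $env:USERPROFILE 'Local Settings\Temporary Internet Files'),
        $(if ($env:LOCALAPPDATA) { Join-Path $env:LOCALAPPDATA 'Microsoft\Windows\INetCache' }),
        # Per-user temp folder (\Local Settings\Temp or \AppData\Local\Temp)
        $env:TEMP,
        # System-wide temp folder (\Windows\Temp or \WinNT\Temp)
        (Join-Path $env:SystemRoot 'Temp')
    )
    # Drop locations that do not exist on this machine (LOCALAPPDATA is absent on XP)
    $paths | Where-Object { $_ -and (Test-Path -LiteralPath $_) } | Select-Object -Unique
}

function Clear-TempLocation {
    param([Parameter(Mandatory)][string]$Path)
    $removed = 0
    $locked  = @()
    # -Force includes hidden and system files, which is why the post tells you to
    # turn on "show hidden files" in Explorer before emptying these folders.
    foreach ($item in Get-ChildItem -LiteralPath $Path -Force -ErrorAction SilentlyContinue) {
        try {
            Remove-Item -LiteralPath $item.FullName -Recurse -Force -ErrorAction Stop
            $removed++
        } catch {
            # A file held open by a running process (possibly the pest itself) cannot
            # be deleted now; list it so it can be checked again after the reboot.
            $locked += $item.FullName
        }
    }
    [pscustomobject]@{ Path = $Path; Removed = $removed; Locked = $locked }
}

foreach ($location in Get-TempLocations) {
    $result = Clear-TempLocation -Path $location
    Write-Host ("{0}: removed {1} item(s)" -f $result.Path, $result.Removed)
    foreach ($f in $result.Locked) { Write-Host "  still present (in use or protected): $f" }
}
```

Emptying these folders removes hiding places and speeds up the scans; it is not the removal step itself. Anything the script reports as "still present" is held open by a running process, and a file that reappears in a temp folder shortly after a reboot points at something that is still running and should be looked at in the later steps.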

STEP TWO - Limited Antivirus Clean-Up

Before you proceed, you need to try to eliminate the common viruses from your computer. Most of them can sense antivirus or firewall software and either disable or damage them so they won't work correctly.

Again, I recommend the use of at least two of the antivirus cleaners mentioned above. I personally would use the Windows Malicious Software Removal Tool and at least one antivirus company's scanner. Install and run these tools as instructed by the manufacturer.

When done, reboot if you are told to.

STEP THREE - Install a Firewall

Before you can safely get back onto the Internet, you need a way to stop any remaining adware or spyware programs from getting access to the Internet. If you have a virus, worm or Trojan on your system you definitely don't want them to be able to get onto the Internet. The easiest way to do this is to install a firewall program that will block them from being able to get outside your computer.

Even though you may already be using the firewall built into Windows XP or your Internet access device, you still need a second firewall for at least the time being. The Windows XP firewall and the firewall built into some routers and Cable/DSL modems are only 'one-way' firewalls, designed to prevent access from the Internet to your computer. They won't prevent programs already on your system from getting out, and once these programs reach the Internet the one-way firewall will allow them to bring whatever they want to back onto your system. You need to stop them before they get out and this is what a true firewall will do.

ZoneAlarm has a free personal firewall program you can install, and CA (Computer Associates) also has a free personal firewall program.

If the thought of installing a firewall program concerns you or you aren't sure about this step, it can be skipped. However, it will leave your system at a higher risk of re-infection or could allow further malicious activity from your system.

STEP FOUR - Re-enable Internet Access

Now that you've done what you can to clean off the most common threats, let's get connected to the Internet again. If you have a modem, re-connect your phone line and go back into Internet Connections and turn your favorite dialing option (autodial or dial if no connection is present) back on again. If you have an Ethernet network connection, connect it back up and restart the computer.

STEP FIVE - Install SpywareBlaster

SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html) is an excellent program to install and keep installed on your computer. It has only one purpose - it blocks known spyware programs from being installed, or if they're already installed, it blocks them from running. It does this by changing the settings in Windows to block these programs from running (in technical terms, it sets a 'kill bit' that prevents the spyware program or spyware installer from running at all).
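What that kill bit looks like on the system, as an added example that is not SpywareBlaster's own code. Internet Explorer refuses to load an ActiveX control whose CLSID has bit 0x400 set in the "Compatibility Flags" value under the ActiveX Compatibility registry key (documented in Microsoft KB 240797). Reading that key lets you audit what a blocking tool has done; the Set-KillBit function writes to HKLM and so needs an elevated prompt. The CLSID used in the usage lines is a constructed placeholder, not a real control.

```powershell
# Added example, not SpywareBlaster's own code: read and set the ActiveX "kill bit".
# IE will not instantiate a control whose Compatibility Flags value has 0x400 set.

$KillBitFlag = 0x400
$CompatKey   = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

function Test-KillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Join-Path $CompatKey $Clsid
    if (-not (Test-Path -LiteralPath $key)) { return $false }
    $flags = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $flags) { return $false }
    return (($flags -band $KillBitFlag) -ne 0)
}

function Set-KillBit {
    # Adds the kill bit without disturbing any other compatibility flags already set.
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Join-Path $CompatKey $Clsid
    if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
    $current = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $current) { $current = 0 }
    Set-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' -Value ($current -bor $KillBitFlag) -Type DWord
}

function Get-KillBitList {
    # Every CLSID currently kill-bitted, with the control's registered name where the
    # control is present on this machine (a kill bit also blocks controls not yet installed).
    Get-ChildItem -LiteralPath $CompatKey -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid = $_.PSChildName
        if (Test-KillBit -Clsid $clsid) {
            $name = (Get-ItemProperty -LiteralPath "HKLM:\SOFTWARE\Classes\CLSID\$clsid" -ErrorAction SilentlyContinue).'(default)'
            [pscustomobject]@{
                CLSID = $clsid
                Name  = $(if ($name) { $name } else { '<not registered on this machine>' })
            }
        }
    }
}

# Usage. The CLSID below is a constructed placeholder, not a real control.
$example = '{00000000-0000-0000-0000-000000000000}'
"Kill bit set for $example : $(Test-KillBit -Clsid $example)"
Get-KillBitList | Sort-Object Name | Format-Table -AutoSize
```

Running the script only reads the registry; Set-KillBit is defined but not called. After SpywareBlaster has been updated and enabled, the list printed by Get-KillBitList is the concrete record of what it is blocking, which is a useful thing to compare before and after an update.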

If it's so good, why didn't we install it before? Oh, because you need to have Internet access to get the latest list of known programs for it to block. It doesn't have a downloadable update like AdAware does.

So let's install it now. When it's installed, start it up and click the "Updates" button. Note that when you tell SpywareBlaster to look for updates, your firewall will alert you that SpywareBlaster is trying to connect to the Internet. Since we trust this program, click the box to remember that you said it's OK to do so, and then click the button to allow it to connect. Once the updates are loaded, click "Protection" and select "Enable all protection". This will block all known spyware programs from loading and prevent your browser from going to certain Web sites that install spyware on your computer. You should restart your computer once SpywareBlaster is installed so you start clean with blocking turned on. You should periodically run SpywareBlaster and download and apply the latest updates to be sure that you keep up with new threats as they appear.

STEP SIX - Remove Viruses

Now that you have blocked all the spyware you can, let's get to work on viruses and such. Since it's possible that any virus software you have now could have been damaged or destroyed by your unwanted guests, let's use some of the free online virus scanners to do a quick scan-and-clean. I would recommend using at least two of these web sites:

http://housecall.trendmicro.com/
http://www.pandasoftware.com/activescan/com/activescan_principal.htm
http://www.bitdefender.com/scan/licence.php
http://security.symantec.com/sscv6/home.asp
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx

Remember that you still have your firewall on and active, so you'll see some warnings as these pages load the online scanners and run them. Again, it's OK to trust them, so let's do so.

After you've run the online scans and removed the viruses you can remove, it's time to either install an antivirus program (if you didn't have one already) or uninstall and reinstall your current antivirus program (if the online scans found viruses, then your virus scanner is either outdated or damaged). You can either install the EZ Armor antivirus scanner from the CD, or check out the above web sites, since each of them also offers trial/free antivirus scanners for home use.

A WORD OF WARNING - Before, I indicated that having more than one firewall was a good thing if your primary firewall (Windows XP or Internet device) provides only limited protection. With antivirus software this is not the case - you need to pick one antivirus program and have it installed. Installing more than one can cause system instability, lock-ups of your computer, or false alarms that may cause damage to the antivirus software. This is a case where "enough is enough" and one is enough.

STEP SEVEN - What have I missed?

Depending on the nature of the invader you're trying to get rid of, you may still not be done with the process. The steps you've taken to date will get rid of most viruses, worms, Trojans, adware and spyware. But you're not out of the woods yet.

In the introduction above we discussed several types of threats that are capable of hiding from the detection tools we've used to date. We need to take further steps to be sure that we've caught and cleaned everything that may have crept into your system.

Fortunately there's a very powerful tool, called "HijackThis", that can spot every program that's loading and running on your system and allow you to clean them up. Sounds good, doesn't it? Well, the problem is that it does, literally, show pretty much EVERYTHING that loads and runs. And the vast majority of the things that are loading and running are there for a reason. If you remove them, your computer won't work correctly.

That's why there are people who specialize in reading HijackThis logs. You must consult with them after generating the log and before cleaning anything up, so that you don't kill anything necessary.
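To make the "it shows everything that loads" point concrete, here is an added example (not HijackThis itself) that lists the most common autostart locations the way the O2 (Browser Helper Object) and O4 (Run key and Startup folder) lines of a HijackThis log do. It only reads; the Exists column tells you whether the program an entry points to is actually on disk, which is one of the things a log reader looks at first. As the post says, most of these entries belong there, so the list is for review, not for deletion.

```powershell
# Added example, not HijackThis itself: enumerate Run/RunOnce keys, Browser Helper
# Objects and the Startup folders, and check whether each target exists on disk.
# Read-only; nothing here should be removed on the strength of this list alone.

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Browser Helper Objects: DLLs that Internet Explorer loads into itself at start-up
$BhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
# Properties the registry provider adds to every item; they are not Run entries
$ProviderMeta = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Test-CommandTarget {
    # Pull the executable out of a Run value (quoted or bare, with or without
    # arguments) and report whether it exists. A missing target is an orphaned entry;
    # an existing one under a Temp or user-profile folder is worth a closer look.
    # Bare paths that contain spaces are handled heuristically, as any log reader must.
    param([string]$Command)
    if (-not $Command) { return $false }
    $candidates = @($Command)
    if ($Command -match '^"([^"]+)"') { $candidates += $Matches[1] }
    else { $candidates += ($Command -split ' ')[0] }
    foreach ($c in $candidates) {
        $expanded = [Environment]::ExpandEnvironmentVariables($c)
        if (Test-Path -LiteralPath $expanded -PathType Leaf) { return $true }
    }
    return $false
}

function Get-AutostartEntries {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $values = Get-ItemProperty -LiteralPath $key
        foreach ($prop in $values.PSObject.Properties) {
            if ($ProviderMeta -contains $prop.Name) { continue }
            [pscustomobject]@{
                Source  = $key
                Name    = $prop.Name
                Command = [string]$prop.Value
                Exists  = Test-CommandTarget -Command ([string]$prop.Value)
            }
        }
    }
    if (Test-Path -LiteralPath $BhoKey) {
        foreach ($bho in Get-ChildItem -LiteralPath $BhoKey) {
            $clsid = $bho.PSChildName
            $dll = (Get-ItemProperty -LiteralPath "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
            [pscustomobject]@{
                Source  = 'BHO'
                Name    = $clsid
                Command = [string]$dll
                Exists  = Test-CommandTarget -Command ([string]$dll)
            }
        }
    }
    foreach ($folder in @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
        if ($folder -and (Test-Path -LiteralPath $folder)) {
            foreach ($file in Get-ChildItem -LiteralPath $folder -Force -File) {
                [pscustomobject]@{ Source = 'Startup folder'; Name = $file.Name; Command = $file.FullName; Exists = $true }
            }
        }
    }
}

Get-AutostartEntries | Format-Table Source, Name, Exists, Command -AutoSize -Wrap
```

Even this short list will be dominated by legitimate entries from Windows, drivers and installed software, which is exactly the point the post makes about HijackThis: the listing is cheap, the judgement is not. Save the output alongside the HijackThis log when you ask for help on one of the forums below.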

You'll find details on how to download and run HijackThis at these sites:

http://www.aumha.org/a/hjttutor.htm
http://www.tomcoyote.org/hjt/

But again - very important! - don't try to clean anything up until you consult with the experts at these Web sites:

http://www.computercops.biz/forums
http://www.tomcoyote.org/forums
http://www.spywareinfo.com/forums
http://forum.aumha.net/viewforum.php?f=30
http://www.lavasoftsupport.com/index.php?s=1570453ec76bc9f7c1f73a9a19440d6f&showforum=44

(From time to time the locations/links to these forums may change. You'll find the latest support forum lists at Aumha.org or Tomcoyote.org along with the instructions on installing and using HijackThis.)

STEP EIGHT - Okay, what now?

If you've reached this point, I'm hoping that your system is clean and behaving well and you're breathing a sigh of relief. If so, let's take some steps to try to ensure that this is the last time you'll need to go through this!
