How to clean an infected computer

History

Viruses were the first computer bugs, and anti-virus (AV) software was made specifically to detect and get rid of them. Worms are a little different from viruses, which is one reason why AV software has a harder time catching them.

Explanation & characteristics of worms :- A computer worm is a self-replicating computer program similar to a computer virus. A virus attaches itself to, and becomes part of, another executable program; a worm, however, is self-contained and does not need to be part of another program to propagate itself. Worms are often designed to exploit the file transmission capabilities found on many computers. The main difference between a virus and a worm is that a virus cannot propagate by itself, whereas a worm can: it uses a network to send copies of itself to other systems, and it does so without any intervention. In general, worms harm the network and consume bandwidth, whereas viruses infect or corrupt files on a targeted computer. Viruses generally do not affect network performance, as their malicious activities are mostly confined to the target computer itself.

The first worm to cause some kind of national chaos, or to gain some kind of national acclaim, was the Morris worm. You can find more about the worm here.

Some other recent big names include Sobig & MyDoom. These are sophisticated ones which create zombies. Zombie computers are compromised computers which are in turn used to infect other machines or carry out other malicious tasks. The most recent example of this is the Debian server which was compromised two nights ago. Details here.

Finally came trojan horses, usually just called trojans. These are very different from both viruses and worms. They actually take advantage of the weaknesses inherent in AV software. For one, most trojans try to hide from detection by AV software. They also work "smarter" by creating hidden copies of themselves, so that when they do get detected and cleaned, they can re-infect the computer with the hidden copy right after the AV software cleans the original infection. Basically, trojans are AV software's worst nightmare simply because AV software wasn't designed to specifically go after this type of threat. Today, AV software is much better at detecting all types of parasites than before, but it will need to be redesigned to use multiple methods if it is ever going to be effective against all parasites.

In fact the trojan horse name comes from the Siege of Troy & the great wooden horse episode. One can find more details about the whole episode here.

If I remember correctly, the Age of Mythology - Titans expansion has one mission in which trojan horses are used.

Spyware isn't a new breed of parasite. It is simply a combination of various computer exploits, utilizing various combinations of scripts, trojans and worms. Currently it takes advantage of trojans the most, since they are harder to detect and clean properly. Anti-spyware (AS) software was created specifically for detecting and cleaning this type of parasite, so when it comes to trojans and some worms, AS software is much better equipped to fight them than AV software is.

The Sony Rootkit affair is one of the newest examples of this. You can find more details of the same at Mark's Blog here. There was a major backlash & then Sony had to recall all the CDs which carried the rootkit.
Tools

First, you will need to get some software programs to help you. The following programs are what I use personally. Not only do I trust them, but they are also free for personal use. The companies that provide the free software also sell versions for use in a commercial environment. Usually, the free versions are just as good but simply don't have as many of the extra features which make the commercial versions even more attractive to use.

Anti-spyware

• Trend Micro's CWShredder :- A great anti-spyware tool but commercial in nature. One can find the details here

• Spybot S&D :- A free anti-spyware. You can find more details here

• Lavasoft's Ad-Aware :- Another great free anti-spyware product. You can find it here

• Ewido Antimalware :- You can find it at Ewido's site as well as AVG's site. Latest version is v4.0. They're both part of the same group, so they work pretty well together.

Anti-Virus Software

• Grisoft AVG Free :- You can find it at AVGFree. Latest version is v7.1.394

• Nonags :- Find it at nonags. There is a freeware as well as a commercial/shareware version.

• NOD32 :- This is commercial in nature. Find it here

• Kaspersky :- This again is commercial in nature. Find more info here

• Avast :- Avast has a free home edition. Find more info here

• There is also a commercial version of AVG which goes by the name AVG

First you will want to download each of the above programs and then install them, except for the anti-virus program, which you have to choose from the list: you can have only one anti-virus program running at a time. After you install them, you MUST update them so you will have the latest protection. There is one small exception: CWShredder is a stand-alone program that doesn't need to be installed, but you do need to have it check for an update to ensure that you have the latest version. If you don't update these programs and you are infected with the latest parasites, you will not be able to effectively detect and clean them from your computer, so remember to update, update, update.

Since spyware is a bigger problem today than viruses, and spyware is typically harder to find and get rid of, I suggest to start looking for spyware first. I also use the different AS software packages in a specific order so that I go after the tougher problems first and the easiest ones last.

Turn off System Restore

• WinME and WinXP have a cool feature called System Restore. It is used to restore your computer to an earlier configuration in case of a problem. The only problem is that it wasn't made with parasites in mind, and often it can't tell the difference between an infected file and a good file, so it might automatically restore an infected file also if it had been in a protected area, effectively re-infecting your computer. Because of this, it is recommended to turn off System Restore before you test, and when you're done, turn it back on so you are still protected from standard computer problems.

• In Windows XP

Click Start.
Right-click the My Computer icon, and then click Properties.
Click the System Restore tab.
Check "Turn off System Restore" or "Turn off System Restore on all drives."
Click Apply.
When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
Click OK.

Carefully Look at Windows Add/Remove programs for suspicious programs

• Many of the spyware threats actually install into your system like a program. Many appear to be utilities that you may think are helpful but in reality aren't. Look for add-on toolbars: while toolbars like those provided by Google, MSN, Yahoo and others are great utilities, there are many more that aren't, and if in doubt check whether the ones you have are parasitic. Other common exploits are the Search helpers, WinTools, Gator products, IE Helper, Comet Cursor and many others, just to name a very few. Peer-to-Peer (P2P) programs are another common source for these, and even the ones that don't come with spyware themselves are a security risk that may lead to your system being infected or to spreading infections like these. Remove all suspicious programs; if you are wrong, you may always re-install them later.
This happens 80% of the time.
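As an added example, not part of the original guide: the Add/Remove Programs list is built from the Uninstall registry keys, so a PowerShell function can produce the same list with publisher and install date and mark entries worth a closer look. The watchlist is a hypothetical one built from the names mentioned above; nothing is removed, the output is only a review aid.

```powershell
# Added example (not from the original guide): list installed programs the way
# Add/Remove Programs does, by reading the Uninstall registry keys, and flag
# entries worth a closer look before you decide what to remove.
function Get-InstalledProgramReview {
    param(
        # Hypothetical watchlist built from the names the guide mentions;
        # extend it with anything you are unsure about.
        [string[]]$Watchlist = @('WinTools', 'Gator', 'Comet Cursor', 'IE Helper', 'Search Helper')
    )

    # Add/Remove Programs is populated from these keys. The Wow6432Node path
    # only exists on 64-bit Windows; -ErrorAction hides the miss elsewhere.
    $uninstallKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )

    # Escape the watchlist entries so they match literally inside one regex.
    $pattern = ($Watchlist | ForEach-Object { [regex]::Escape($_) }) -join '|'

    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        ForEach-Object {
            $reasons = @()
            if ($_.DisplayName -match $pattern) { $reasons += 'name on watchlist' }
            if (-not $_.Publisher)              { $reasons += 'no publisher' }
            # Toolbars and "helper" add-ons are the category the guide warns
            # about; this only marks them for review, it proves nothing by itself.
            if ($_.DisplayName -match 'toolbar|helper') { $reasons += 'toolbar/helper' }

            [pscustomobject]@{
                Name        = $_.DisplayName
                Publisher   = $_.Publisher
                InstallDate = $_.InstallDate
                Review      = ($reasons -join ', ')
                Uninstall   = $_.UninstallString
            }
        } |
        # Flagged entries (non-empty Review) sort first, then by name.
        Sort-Object -Property @{ Expression = { $_.Review -eq '' } }, Name
}

Get-InstalledProgramReview | Format-Table -AutoSize Name, Publisher, InstallDate, Review
```

Compare the flagged entries against what you actually installed on purpose; the UninstallString column tells you how each one removes itself once you have decided.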
Run Disk Clean-Up

• This actually comes with Windows and has been installed by default since Windows 98. You can find it by clicking the Start Button and then going to Programs / Accessories / System Tools / Disk Clean-up. I recommend selecting all of its options except the ones for Office Setup Files and Compress Old Files, if you have them. While you may select those if you wish, they aren't as important. This will clean up all of the temporary files so your testing will go faster, and may also delete any spyware that may be hiding there if the spyware isn't already running. On systems that have System Restore, you will need to select the second tab and click the button for clearing it.

Run CWShredder

• This is made for detecting and cleaning the infamous CoolWebSearch exploits. Currently there are about 40 types of these, each with up to 4 variants, and growing. These are some of the toughest ones to get rid of.

CoolWebSearch is a malicious keylogging program. One can find more details about CoolWebSearch here

Run Ad-Aware Next

• This handles the next toughest types the best. When it finally presents you with the list of parasites it has found, put a check mark in the box next to the ones you want to get rid of; I suggest checking them all. If you want to select all, just right-click on the boxes to get the options menu, and left-click on Select All. If it says it can't get rid of a problem right now, it will ask if you want to run it again after you restart your computer; answer yes and restart your computer so it may test again.

Run Spybot Next

• When you run it, it will automatically select all the spyware that it finds. If there is something you don't want to get rid of for some reason, deselect it, and then let Spybot fix all of the rest of the problems that it finds. This program will also ask to restart your computer so it can test again if it has problems removing something, so let it.

If you have Windows 2000 or Windows XP (not the 64-bit version) you also have this option...

Run Ewido Antimalware Next

• This is part of a new breed of antispyware utilities and probably one of the best I've worked with. The only downside is that only certain versions of Windows can run it at this time. When you run it, it will prompt you to remove or keep each item, or you can select to have it remove all that it finds.

Now Run The AVG Program

• All antivirus programs, including AVG, are by default set to scan only executable files, in an attempt to speed up the search for infections. While most of the time this is just fine, the newest threats have started getting sneaky about how they hide their files, making it easier for them to reinfect your system after your antivirus program has detected and removed their executable file. To also detect these "backup" files that the infection leaves on your system, you should, in my opinion, change what AVG scans from just executable files to all files.

• To change AVG's settings, open AVG's Test Center.
Click the Tests menu then in both of the tests labeled Complete Test Settings and Selected Area Test Settings select Scan all Files and click the Ok button.

• Now AVG will scan all of the files when you scan your computer. This will take longer to complete, but I feel it is a small price to pay for the added security it provides.

• Have it scan for the remaining parasites that the others may have missed. If you found any parasites, you need to restart your computer so you can test everything again. There are times that after cleaning certain parasites, you will need to test again because something may have been hidden earlier by the infection. So repeat this process of testing and restarting until you find no more parasites.

• Run the scans again in Safe Mode. This will keep many of the parasites from loading and being able to hide from your protection software. To access Safe Mode on most versions of Windows, start tapping the [F8] key right after you start or restart your system, before you ever see a Windows splash screen, and continue until you get the menu where you may select it from the list. On WinNT this is called VGA mode, and on Win2k you actually start tapping just after the first splash screen shows. For detailed instructions see Restarting Your Computer in Safe Mode

These procedures should have cleaned most cases of infection that you will find. Yes I said MOST because there are some infections that are very hard to detect and remove. Generally, if you have one of these, you will need the assistance of an expert to help you get rid of it.

When you believe you are finished, remember to turn System Restore back on if you had turned it off.

I recommend testing for parasites as often as you can, probably at least once a month if not more. The sooner you catch them, the less damage they can do to your computer, and the less chance of a hacker finding your sensitive information such as checking account info, passwords, etc.

Windows Tip

Windows itself, by default, hides certain files, system folders and file extensions from the user to make it easier to navigate. If you need to find an infected file, or just one you are looking for, this can cause you to not find it. If you wish, you may change this to show all of the files on your computer.

Open your My Computer icon (Either from your desktop or the Start Menu)
Click the Tools menu and select Folder Options (on older systems it may be in the View menu)
Select the View tab and scroll through the Advanced settings
Enable or disable the following (using a checkmark to enable)

enable - Show hidden files and folders
disable - Hide extensions for known file types
disable - Hide protected operating system files (WinME and WinXP only)

Now click Apply and Ok
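The three Folder Options settings above are stored as registry values under the current user's Explorer\Advanced key, so they can be applied and checked from PowerShell as well. This is an added example, not part of the original guide; it assumes Windows PowerShell with the registry provider, and uses the value names and meanings that the Folder Options dialog itself writes.

```powershell
# Added example (not from the original guide): apply the three Explorer
# visibility settings from the Windows Tip via the registry values that the
# Folder Options dialog writes, and read them back to confirm.
$advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

function Get-ExplorerVisibility {
    $v = Get-ItemProperty -Path $advanced
    [pscustomobject]@{
        ShowHiddenFiles      = ($v.Hidden -eq 1)          # 1 = show, 2 = hide
        ShowFileExtensions   = ($v.HideFileExt -eq 0)     # 0 = show extensions
        ShowProtectedOsFiles = ($v.ShowSuperHidden -eq 1) # 1 = show system files
    }
}

function Set-ExplorerVisibility {
    param([switch]$Revert)   # -Revert restores the Windows defaults
    $settings = if ($Revert) {
        @{ Hidden = 2; HideFileExt = 1; ShowSuperHidden = 0 }
    } else {
        @{ Hidden = 1; HideFileExt = 0; ShowSuperHidden = 1 }
    }
    foreach ($name in $settings.Keys) {
        Set-ItemProperty -Path $advanced -Name $name -Value $settings[$name] -Type DWord
    }
    # Explorer windows already open keep their old view; new windows pick up
    # the change. Return the current state so the caller can confirm it.
    Get-ExplorerVisibility
}

# Show everything while you are hunting for files, then revert when done.
Set-ExplorerVisibility
# Set-ExplorerVisibility -Revert
```

Run Get-ExplorerVisibility on its own at any time to see which of the three options are currently in effect.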

Conclusions

Now, firstly, as can be seen above, it's an ongoing war/game between malicious tool writers & the good people. There might be people who might argue why I wrote more about viruses than about the tools to clean them. They may be right, but then somehow it's also true that viruses have always had colorful names, unlike the security tools.

I've also not gone down the precautionary tools path as that would have enlarged the scope of the article too much. Perhaps I would follow up on the same later on.

Lastly, I have used AVG intimately, hence I used the AVG experience. I don't have much idea about other tools except Norton, which I've always found to be a big memory hog. Of course the corporate editions have many more tools, but that is outside the scope of the article.

Sources :- AVG Free forum, wikipedia & experiences :)
 
very nice article shirish.

a few suggestions though :

if you can add a paragraph of how to prevent infections later with a tad of info in firewalls.

second but important imo : if the system has been down with symptoms of infections and one can not boot into it, how can it be recovered with a boot disk. this in my view would be more useful to new and inexperienced members here.


thread rated.
 
medpal said:
very nice article shirish.

a few suggestions though :

if you can add a paragraph of how to prevent infections later with a tad of info in firewalls.

would do the same tomorrow & ask a mod to open the article for an edit. I'm not feeling so well so will be relaxing quite a bit today.

medpal said:
second but important imo : if the system has been down with symptoms of infections and one can not boot into it how can it be recovered with boot disk. this in my view would be more useful :) to new and inexperienced members here.

thread rated.

well nice to see being thought of :) Now the business of doing it with a boot disk would require a whole article in itself. Not something which I'm prepared for at the moment. This also came about because so many queries in troubleshooting are to do with anti-virus & malware stuff & I didn't see any article which gives the full info. Perhaps I might do one on that later on though :)
 
hi,

this jus sounds 2 basic, i guess dude u need to get something better than this......maybe something like what i did and some ppl here didn't seem to like it so they say i ripped it frm the net and posted it here....i guess every person using the net for over a period of 2 to 3 years would know all this elementary stuff....
 
vishalk said:
hi,

this jus sounds 2 basic, i guess dude u need to get something better than this......maybe something like what i did and some ppl here didn't seem to like it so they say i ripped it frm the net and posted it here....i guess every person using the net for over a period of 2 to 3 years would know all this elementary stuff....

vishal,
I read your brturbo article, but as was said, one needs to quote the source. In fact in most of the guides/articles wherever I've used material from the net I've tried to quote the source. Now as far as knowing the elementary stuff, well, one can't say that your sense of elementary stuff is the same as everybody else's. Go to the troubleshooting section & you'll see that many a time the same issues are being raised. People need to have some tools & procedures in place so that these can be taken care of. I could always have said move to GNU/Linux & avoid all these problems, but wouldn't that be snobbish :) .
Another thing: the Debian server compromise which happened yesterday or the night before, & the recent Yahoo phishing scam. Now both of these are goliaths in technology as well as in money terms, so if they can be compromised then who are you & I. I've tried to keep things simple & narrow-focussed. Give things in small bites & people will understand.

An example of a phishing site is here; one can even look & there is a VeriSign seal there, while the original one is here. Now how do I know? Check for the entry of Fifth Third Bank through Wikipedia & then through Google. While Google takes you to the phishing site, the Wikipedia entry gives the correct one. Also look closely at the URL; you'll see the minute difference :)

Edit :- Google seems to have corrected it & now gives the correct one.

Lastly, while you gave the whole thing, you didn't mention what the tweak is supposed to do, as somebody asked. As far as I understand from the article, you're trying to download files through some proxy servers. A quick Google search reveals that Brturbo seems to be a Brazilian p2p or file hosting site similar to rapidshare, megaupload etc. Now I don't think many people would know the language or the site to make use of it. The article could've been tweaked to suit the latter ones. Btw I was also able to find the source of the article. Now don't think I'm trying to blame you or anything of the sort. If you look into it, it's a game of sharing & sharing with ethics. You could very well use all the tools & resources from the net & put it up, but without quoting the source it kinda lacks stuff. You could also come up with some great content on your own; for e.g. if I had a GB or more of RAM & a dual-core or more as my rig I would've been experimenting a lot with virtualization & a lot of different things which are in my head. Things which have been tried but never had an Indian perspective to them. So the possibilities are endless. You could see some of the guides & reviews & find it a great place to be :)
 