Tuesday, August 25, 2009

Repairing a Malware/Spyware Infected Computer

As a seeming cycle, I've helped a couple of friends lately with their infected home computers.

There have been some common denominators on these computers which I think are interesting:
1. Both have had teenager users who have installed file sharing software for downloading media (music and video files).
2. Both have lots of poorly tagged music files, typically indicative of files garnered from peer to peer sites (iTunes and Amazon and most of the legitimate paid services and software properly label/tag music files).
3. Windows updates were set to a decline mode
4. One was completely devoid of any anti-virus

The last one was pretty bad with the nasty Antivirus XP 2008 software that had managed to get installed. This stuff is really nasty as it is what I like to call extortion-ware. It constantly pops up telling you that you're infected with a bunch of stuff and that to get cleaned you have to pay them $50 or so. Considering the batch of crap it installs itself and the oodles of pop-ups it generates, I'd hate to think what happens when someone does actually pay the ransom. Something tells me you'll keep hearing from the program....

Extracting this special application is not so much fun either.

For the last couple of years Microsoft has included their Malicious Software Removal Tool. On one computer I discovered the tool had been deleted, presumably by the malware. I easily copied the program from a known good computer and ran it on the infected computer while in Safe Mode (when the computer first powers on, press F8 repeatedly until the menu comes up with options to boot into 'Safe Mode'). In Safe Mode, Windows starts only essential services; it's designed for diagnostics, to make it easier to troubleshoot and repair Windows issues.

Run the Microsoft tool by clicking on Start/Run, keying in mrt and clicking OK. I ran the tool in complete scan mode and it rooted out lots of stuff, but I knew it would take more than just that. I then went to Control Panel/Add/Remove Programs and uninstalled as many of the oddball programs the spyware had installed as I could. I asked the owner to identify the known/wanted programs and we pulled out most of the others.

After that, I installed Malwarebytes' software and did a thorough scan to eradicate more stuff. It found a bunch.

After that, I could safely boot into normal Windows mode and get on the network. I was still getting some pop-ups but at least now I could get to Microsoft Update and the time wasn't being reset to a date 3 years in the past. I then used the Microsoft Live online scanner (free) and ran a comprehensive scan. This took about 5 hours to run but it found lots of stuff. Since this stuff invariably requires more than one 'opinion', I then used Trend Micro's free online scanner to get rid of still more suspicious programs and files. This took another couple of hours.

I then re-ran Malwarebytes while in Windows Safe Mode. Then I installed a reasonably good free anti-virus program but encouraged her to purchase a real program. I'm personally liking Trend Micro these days as it's quick, light-weight, and pretty configurable.

I want to remind you, doing all of this is still no guarantee that the system is completely clean. The level of cleanliness is only as good as what the scanners pick up; while it's statistically improbable that there's still more bad stuff, it's possible. In my house, where I have the user data living on a server, I'd reinstall the operating system if a computer became infected. Most home users don't have that option or expertise. This is also why Geek Squad and other services charge $125 and up to clean a computer.

This article also popped up in my RSS feed today, a good reference of additional tools: http://blogs.techrepublic.com.com/10things/?p=970


###

Here's a summary of the specific instructions I have given to a couple of people:

Start by using the Windows Malicious Software Removal Tool: click Start/Run, type mrt and press Enter. When it comes up, choose full scan and let it run uninterrupted. It may take an hour or two.

After that, I usually run the Windows Live online scan: http://onecare.live.com/site/en-us/default.htm and choose full scan; it may take up to 6 hours depending on how much data you have on your computer.

Still not done.... After that one, I like to do another scan, this time with Trend Micro (the same company that makes the anti-virus software we use here): http://housecall.trendmicro.com/

Now if you can't get to the aforementioned sites, the computer has some more serious issues, and if you want, bring it by and I'll see if I can at least get it partially cleaned.

After it’s clean, make sure you run Microsoft Updates. I go to the Control Panel and set it to automatically check for updates and install them every day. It may be annoying, particularly if there are lots of updates and it might take a couple of days of what seems like incessant rebooting but after it’s caught up, the updates will probably only come up once or twice a month.

Also be sure there's a current version of anti-virus on there. If you watch www.slickdeals.net you'll see one of the major brands has a great deal at least once every 2 weeks. You can also go the free route with AVG Free edition (http://free.avg.com/), which works pretty well; of course they have paid versions that are heavier-duty. ComputerWorld recently reviewed several free anti-virus programs.

Lastly, and mostly because I hate spyware/malware, I also install the free Microsoft Windows Defender (http://www.microsoft.com/windows/products/winfamily/defender/default.mspx).
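As an added example (not from the original post), here is a PowerShell check for the things this checklist and the earlier narrative say to confirm after a cleanup: Automatic Updates no longer in "decline mode", an anti-virus registered with Windows Security Center, MRT.exe still present in System32 (the post found it deleted on one machine), and the Windows Defender service installed. The registry keys, MRT path, WinDefend service name and Security Center WMI classes are standard Windows locations; it assumes PowerShell is installed on the machine (it was not part of a stock XP install) and is run as an administrator.

```powershell
# Added post-cleanup check; not code from the original post.
# Assumes PowerShell is installed and the shell runs as administrator.

function Get-AutoUpdateStatus {
    # A Group Policy setting, if present, overrides the Control Panel one.
    $policy = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
    $panel  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update' -ErrorAction SilentlyContinue
    if ($policy -and $policy.NoAutoUpdate -eq 1) { return 'disabled by policy' }
    $opt = $null
    if ($policy -and $policy.AUOptions) { $opt = $policy.AUOptions }
    elseif ($panel) { $opt = $panel.AUOptions }
    # AUOptions: 1 = never check, 2 = notify before download,
    # 3 = download then notify, 4 = download and install on a schedule
    switch ([int]$opt) {
        4       { 'automatic download and install (what the post recommends)' }
        3       { 'download only; install is manual' }
        2       { 'notify only; nothing is downloaded' }
        1       { 'never check for updates (the "decline mode" seen on the infected PCs)' }
        default { 'not configured' }
    }
}

function Get-RegisteredAntivirus {
    # XP SP2/SP3 registers anti-virus in root\SecurityCenter, Vista and later in root\SecurityCenter2.
    $found = @()
    foreach ($ns in 'root\SecurityCenter', 'root\SecurityCenter2') {
        $av = Get-WmiObject -Namespace $ns -Class AntiVirusProduct -ErrorAction SilentlyContinue
        if ($av) { $found += ($av | ForEach-Object { $_.displayName }) }
    }
    $found | Select-Object -Unique
}

$report = @()
$report += 'Automatic Updates: ' + (Get-AutoUpdateStatus)

$av = Get-RegisteredAntivirus
if ($av) { $report += 'Anti-virus registered: ' + ($av -join ', ') }
else     { $report += 'Anti-virus: NONE registered with Security Center' }

# Windows Update normally keeps MRT.exe in System32; a missing copy is a red flag.
$mrt = Join-Path $env:SystemRoot 'System32\MRT.exe'
if (Test-Path $mrt) { $report += 'MRT present, version ' + (Get-Item $mrt).VersionInfo.FileVersion }
else                { $report += 'MRT missing: rerun Windows Update or copy it from a known good machine' }

$defender = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
if ($defender) { $report += 'Windows Defender service: ' + $defender.Status }
else           { $report += 'Windows Defender: not installed' }

$report
```

Any line reporting "never check", "NONE registered" or "MRT missing" means the corresponding step of the checklist above still needs doing.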
