Chapter 8 Damage Control How to remove viruses and spyware infections

Synopsis What to do when you think your computer is infected with malware. Strategies that use antivirus or antispyware products. How to remove infections with system restore and free infection specific tools. Removing infections manually. Removing browser hijackers with HijackThis and CWShredder

What to do when you think your computer is infected with malware. (1) Symptoms: – An antivirus or antispyware program has signaled that your system is infected – Your system is behaving oddly. – Your ISP calls you to tell you your system is infected and doing bad things across the Internet.

What to do when you think your computer is infected with malware. (2) Disconnect your computer from the Internet; wired is disconnected with a phone-like plug, turn wireless off. Boot into Safe Mode with Internet. Reconnect your computer Check your antivirus and antispyware programs; you might want to re-install and update them to make sure they work.

What to do when you think your computer is infected with malware. (3) Recommended Antivirus Programs: (choose 1) – Grisoft AVG free.grisoft.com – Avast from – Trendmicro from ($$) – Microsoft VirusScan (support.kent.edu) – F-Secure from ($$)

What to do when you think your computer is infected with malware. (4) Recommended Antispyware Programs (at least 2) – Microsoft Windows Defender – Spybot Search & Destroy networking.netwww.safer- networking.net – AdAware – Webroot Spy sweeper $$ – PC Tools Spyware Doctor $$

What to do when you think your computer is infected with malware. (5) Boot into Safe Mode without internet. Gather Information: do a deep/full scan if possible; jot down all information. If your software has been disabled, run the software in safe mode with networking and update them. Google all the infections found. (on another computer) The following sites are useful: – Mcafee.com – Symantec.com – Sophos.com

What to do when you think your computer is infected with malware. (6) Quarantine all infections found. – Beware of false positives. System Restore may be able to eliminate viruses; your files may still contain the viruses, however.

How to remove infections with free infection specific tools. If you have successfully determined what is infecting your system, but your antimalware tool is having difficulties, there is one more recourse: a Targeted Tool. They can be found at – movaltools.jsp Dates back to movaltools.jsp – (limited) – – (selection) – RemovalTool/ RemovalTool/ – (includes an antivirus program that can be run in DOS mode).

Removing infections manually A list of tools can be found in chapter 12. Do your research: – Name of the infection – Name and location of the infected Windows files or of the files that make up the malware. – Registry keys inserted/modified by the malware. – Windows “services” started by the malware. Help can be found at: – hreatexplorer/threats.jsp hreatexplorer/threats.jsp –

Removing infections manually (2) Steps: – Disconnect – Back up your data: be careful about backing up malware. – Disable System Restore (page 254) – Enter Safe mode without internet – Clean out Windows Startup with msconfig Startup tab Services tab (click Hide ALL Microsoft Services) – Clean out Registry with regedit (p 257) – Delete Files and folders – Restart and check

Removing browser hijackers with HijackThis Written by a Dutchman called Merijn Bellekom. Sold to TrendMicro. Still free. Download from Run (as administrator). – Close all browsers – Start HijackThis (may need to kill it first) – “Do a System Scan and Save a Logfile” – Post your log at one of the forums listed at and follow instructions. – Send the expert a nice reward

Removing browser hijackers with HijackThis (2) (DIY version) P Very detailed explanation which will not be covered.

Removing browser hijackers with CWShredder Download from download.html download.html Two buttons: – Scan Only – Fix: searches for infections and cleans them.