Every week I remove viruses from Windows computers. Here’s a common scenario:

Someone gets a fake alert like this and realizes that they have a virus.

When they call me, I tell them to turn off the computer. This is because a virus can continue to inflict more damage. It can install [...]]]> Viruses Abound

Every week I remove viruses from Windows computers. Here’s a common scenario:

Someone gets a fake alert like this and realizes that they have a virus.

When they call me, I tell them to turn off the computer. This is because a virus can continue to inflict more damage. It can install other viruses and even encrypt your hard drive to hold your data hostage to demand a $200 ransom. Turning off a computer stops whatever the virus is doing.

Use a Live Rescue CD

The first thing I do with the computer is boot into a Live CD to search for viruses. Typically the computer displays the key to press for boot options. It is usually one of these: F1, F2, , F10, F12 or Del. The computers may be set up to boot from the CD if one is available.

By booting into another operating system, you keep the virus from running, inflicting damage, and actively thwarting virus scans. The Live CDs I use include:

• Kaspersky Rescue Disk
• AVG Rescue CD
• Bitdefender Rescue CD
• Avira AntiVir Rescue System

Lately, I have found Kaspersky Rescue Disk to be the most effective. This approach also works from a USB stick if the computer’s BIOS supports booting from USB.

Update Virus Definitions

Because new viruses are out all the time, it’s best to update the virus definitions. This is done by connecting the computer to the Internet by an ethernet cable if your Live CD supports it.

Scan for Viruses

Kaspersky typically finds viruses like this, a trojan named Packed.Win32.Katusha.o.

Boot Computer and Fix Internet Redirects

Boot the computer, then check for a Proxy setup in Internet Explorer’s Connection Settings. If there is one, disable it by changing to automatic settings. Similarly, check your network connection properties for IPv4 TCP/IP. Often you will see something like this, which should be changed to automatic settings.

Install Microsoft Security Essentials

There are a lot of decent Antivirus programs, but I like Microsoft Security Essentials because it finds viruses, is lightweight, and is free without nagware.

Other Things To Do

If there are still problems, other things that can be done:

• Install Malwarebytes Antimalware or other antivirus software if you still suspect problems. You should not typically run multiple antivirus programs at once.
• Boot into Safe Mode (F8 key at computer startup) to make system changes if you suspect that there is still an active virus. Or try another Live Rescue CD.
• Uninstall unused or virus-installed programs, available in Control Panel – Uninstall a Program.
• Remove startup items from Programs – Startup folder. You can also remove startup items by typing msconfig into the Start or Run box.
• Give up on system. Wipe the hard drive and reinstall the operating systems and programs. Sometimes this is the only remaining option if the operating system has been severely compromised. By pulling the drive and connecting to another computer as a peripheral drive, you can backup the data.

Run Windows Update

By running Windows Update and installing all the service packs, you are applying security patches and reducing the likelihood of getting viruses in the future.

Conclusion

Viruses can be scary and destroy your data. These steps can help, but once you have a virus, there are no guarantees. An infected computer is owned by the virus folks.

Therefore, in addition to protecting your computer, you should have backups of your important files such as photos or financial documents. If you have sensitive data, it can be encrypted with TrueCrypt or other tools.

Phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites, auction sites, online payment processors or IT administrators are commonly used [...]]]> Wikipedia describes computer phishing scams:

Phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites, auction sites, online payment processors or IT administrators are commonly used to lure the unsuspecting public. Phishing is typically carried out by e-mail or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one. Phishing is an example of social engineering techniques used to fool users, and exploits the poor usability of current web security technologies.

Remember to avoid these scams by going directly to the site instead of clicking on a link sent to you in an email.

Here’s an email I just got. It’s either a classic phishing email, an attempt to infect your computer with a virus, or both.

From: Paypal <Services@support.com>

Subject: Your account has been temporarily limited

Date: November 12, 2010 1:26:37 PM EST

Dear customer,

Your account has been temporarily limited

Click here to resolve the problem

Thank You.

* Please do not reply to this email, as your reply will not be received. This is an automatic notification of new security messages.

Sincerely,

PayPal Security Department Team.

Much of the report covers recent botnets. Botnets start when a virus infects a computer, either through spam or an infected web page. [...]]]> The Microsoft Security Intelligence Report (SIR) outlines PC security threats and is based on data captured by Microsoft. Here is a download to the latest volume, covering the first half of 2010.

Much of the report covers recent botnets. Botnets start when a virus infects a computer, either through spam or an infected web page. The virus puts the Windows machine under the control of the botnet, typically run by criminal syndicates. The report explains how criminals use and share your information.

Viruses are on the rise. In the three months between April and June 2010, Microsoft cleaned up more than 6.5 million infections, twice as much as the same period in 2009.

This chart shows the number of computers cleaned by Microsoft, listed by country.

This map illustrates the percentage of computers infected in particular regions. The infection rate was highest in South Korea where 14.6 out of every 1000 machines were found to be enrolled in botnets.

Stay Safe

As always, be sure to run Windows Updates and some form of Anti-virus. I prefer the free Microsoft Security Essentials, which I find to be just as effective but less of a memory hog than anti-virus by Symantec or McAfee.

Or you can just use a Mac which has had almost no threats. The only real-world attack that I know of for the Mac was a Trojan-infected version of Apple iWork that you would get from a pirated torrent download site. Besides that, the only Mac threats have been proof-of-concept attacks developed by researchers but never used.

Other fake emails are trying to infect your computer with a [...]]]> Be careful of fake emails pretending to be from your bank or shopping sites. Many are phishing scams trying to get your personal information. To avoid those scams, it’s best to go directly to the site instead of clicking to the site from an email.

Other fake emails are trying to infect your computer with a virus. This fake email with a shipping alert has been making the rounds lately:

Subject: Shipping Notification

Message Body:

Shipping Notification Thank you for shopping with us. We look forward to serving you again.

The following is your receipt. Please retain a copy for your records.
Qty  Item no  Description  Price  S&H  Tax  Return
Code
1 FC864-2038B Msg Drma7303 White 650.99 6.95 3.37 ____

Merchandise total 650.99
Shipping and handling 6.95
Tax on mdse 6.75% 3.37
Invoice total 706.31

Welcome to the convenience of shopping JCPenney Catalog

Doing a web search, we confirmed that this was malicious from Cisco Security:

Cisco Security Intelligence Operations has detected significant activity related to spam e-mail messages that claim to contain a shipping notification attachment for the recipient.  The text in the e-mail message instructs the recipient to open the attached file to view the notification.  However, the .zip attachment contains a malicious .exe file that, when executed, attempts to infect the targeted system with malicious code.

E-mail messages that are related to this threat (RuleID2979) may contain the following files:

Shipping Notification.zip
Shipping Notification.exe

Microsoft just came out with a beta of their next version, Microsoft Security Essentials 2.0 featuring:

The Atlantic Monthy magazine has a great article titled The Enemy Within on the history of Conficker and where we are now. It’s a fascinating read for both technical security buffs and non techies.

It starts:

The Enemy Within by [...]]]> I have mentioned several times that Conficker is considered the most dangerous virus to date.

The Atlantic Monthy magazine has a great article titled The Enemy Within on the history of Conficker and where we are now. It’s a fascinating read for both technical security buffs and non techies.

It starts:

The Enemy Within by Mark Bowden

When the Conficker computer “worm” was unleashed on the world in November 2008, cyber-security experts didn’t know what to make of it. It infiltrated millions of computers around the globe. It constantly checks in with its unknown creators. It uses an encryption code so sophisticated that only a very few people could have deployed it. For the first time ever, the cyber-security elites of the world have joined forces in a high-tech game of cops and robbers, trying to find Conficker’s creators and defeat them. The cops are failing. And now the worm lies there, waiting …

Image credit: Alex Ostroy

Some viruses are so bad that they lock you out of your computer’s administrative controls. When that happens, consider using a bootable CD that can clean the hard drive of viruses. This often fixes things enough to let you get into Windows and make further repairs.

AVG Rescue CD

How to Remove XP AntiSpyware [...]]]> Gina Trapani wrote up a great article on the infamous Antispyware 2009 and how to get rid of it. This software pretends to be legitimate antivirus software, but is itself a virus. There are many variants of the software and I wrote about one of them called Antivirus XP 2008.

How to Remove XP AntiSpyware by Gina Trapani

It’s been a long time since I’ve had to deal with a malware-laden PC, but my long streak of luck ran out this weekend when a family friend–who describes himself as computer illiterate–called. “Every time I try to do anything on the computer,” he told me, “I get a message saying it’s infected, and I have to pay $69 to clean it, but I tried to do that and I couldn’t.” He couldn’t even navigate to the Mozilla site to download Firefox; Internet Explorer was completely hijacked.

Read the rest of How to Remove XP AntiSpyware

Because of security concerns, both the German and French [...]]]> I used to tell people that the newest Internet Explorer 8 was safe enough. But recent events have changed my mind. The Chinese attacks on Google over Christmas were perpetrated using a vulnerability that exists in all versions of Internet Explorer. Microsoft still hasn’t fixed this.

Because of security concerns, both the German and French governments have officially recommended that people not use Internet Explorer. One could attribute this to the EU’s dislike of Microsoft, but Mircrosoft has a more fundamental problem.

Closed Source

Many people say that Internet Explorer isn’t as safe because it has the largest market share (over 60%). Hackers want to attack the largest market they can. But I think that the real problem is that Internet Explorer is written with closed source code.

Unlike the Gecko engine powering Firefox or the Webkit engine powering Chrome and Safari, Internet Explorer has its own broswer engine that is closed source. This means that people can not look at how it is written. While you might initially think that this makes Internet Explorer more protected, it’s actually the opposite. Open source code can be reviewed and improved by the entire development community. Once a problem is seen, any developer can suggest a solution. The response time of Firefox for fixing exploits is typically days compared to Internet Explorer taking weeks or months.

Other Browsers

The fastest browsers use Webkit as their engine. These include Google’s Chrome and Apple’s Safari browsers.

Mozilla Firefox is slower but remains the current leader among alternative browsers, largely due to its popular add-ons. Google is working on growing out its extensions to compete with Firefox add-ons.

Give one or more of these browsers a try.