Every week I remove viruses from Windows computers. Here’s a common scenario:

Someone gets a fake alert like this and realizes that they have a virus.

When they call me, I tell them to turn off the computer. This is because a virus can continue to inflict more damage. It can install [...]]]> Viruses Abound

Every week I remove viruses from Windows computers. Here’s a common scenario:

Someone gets a fake alert like this and realizes that they have a virus.

When they call me, I tell them to turn off the computer. This is because a virus can continue to inflict more damage. It can install other viruses and even encrypt your hard drive to hold your data hostage to demand a $200 ransom. Turning off a computer stops whatever the virus is doing.

Use a Live Rescue CD

The first thing I do with the computer is boot into a Live CD to search for viruses. Typically the computer displays the key to press for boot options. It is usually one of these: F1, F2, , F10, F12 or Del. The computers may be set up to boot from the CD if one is available.

By booting into another operating system, you keep the virus from running, inflicting damage, and actively thwarting virus scans. The Live CDs I use include:

• Kaspersky Rescue Disk
• AVG Rescue CD
• Bitdefender Rescue CD
• Avira AntiVir Rescue System

Lately, I have found Kaspersky Rescue Disk to be the most effective. This approach also works from a USB stick if the computer’s BIOS supports booting from USB.

Update Virus Definitions

Because new viruses are out all the time, it’s best to update the virus definitions. This is done by connecting the computer to the Internet by an ethernet cable if your Live CD supports it.

Scan for Viruses

Kaspersky typically finds viruses like this, a trojan named Packed.Win32.Katusha.o.

Boot Computer and Fix Internet Redirects

Boot the computer, then check for a Proxy setup in Internet Explorer’s Connection Settings. If there is one, disable it by changing to automatic settings. Similarly, check your network connection properties for IPv4 TCP/IP. Often you will see something like this, which should be changed to automatic settings.

Install Microsoft Security Essentials

There are a lot of decent Antivirus programs, but I like Microsoft Security Essentials because it finds viruses, is lightweight, and is free without nagware.

Other Things To Do

If there are still problems, other things that can be done:

• Install Malwarebytes Antimalware or other antivirus software if you still suspect problems. You should not typically run multiple antivirus programs at once.
• Boot into Safe Mode (F8 key at computer startup) to make system changes if you suspect that there is still an active virus. Or try another Live Rescue CD.
• Uninstall unused or virus-installed programs, available in Control Panel – Uninstall a Program.
• Remove startup items from Programs – Startup folder. You can also remove startup items by typing msconfig into the Start or Run box.
• Give up on system. Wipe the hard drive and reinstall the operating systems and programs. Sometimes this is the only remaining option if the operating system has been severely compromised. By pulling the drive and connecting to another computer as a peripheral drive, you can backup the data.

Run Windows Update

By running Windows Update and installing all the service packs, you are applying security patches and reducing the likelihood of getting viruses in the future.

Conclusion

Viruses can be scary and destroy your data. These steps can help, but once you have a virus, there are no guarantees. An infected computer is owned by the virus folks.

Therefore, in addition to protecting your computer, you should have backups of your important files such as photos or financial documents. If you have sensitive data, it can be encrypted with TrueCrypt or other tools.

Some viruses are so bad that they lock you out of your computer’s administrative controls. When that happens, consider using a bootable CD that can clean the hard drive of viruses. This often fixes things enough to let you get into Windows and make further repairs.

AVG Rescue CD

How to Remove XP AntiSpyware [...]]]> Gina Trapani wrote up a great article on the infamous Antispyware 2009 and how to get rid of it. This software pretends to be legitimate antivirus software, but is itself a virus. There are many variants of the software and I wrote about one of them called Antivirus XP 2008.

How to Remove XP AntiSpyware by Gina Trapani

It’s been a long time since I’ve had to deal with a malware-laden PC, but my long streak of luck ran out this weekend when a family friend–who describes himself as computer illiterate–called. “Every time I try to do anything on the computer,” he told me, “I get a message saying it’s infected, and I have to pay $69 to clean it, but I tried to do that and I couldn’t.” He couldn’t even navigate to the Mozilla site to download Firefox; Internet Explorer was completely hijacked.

Read the rest of How to Remove XP AntiSpyware

Blurb from Microsoft:

Early tests show MSE to be very [...]]]> Microsoft officially released Microsoft Security Essentials (MSE) today. It is a free tool to protect your computer from malware, viruses, spyware, rootkits, and trojans. Unlike the previously released Microsoft Malicious Software Removal Tool (MSRT), MSE runs all the time and actively searches for threats.

Blurb from Microsoft:

Early tests show MSE to be very effective at catching threats. It updates itself automatically and without hassle.

It takes over all antivirus functions and is recommended to be run as the ONLY antivirus software on a computer. You should not run it alongside other popular software such as Norton Antivirus, McAfee, or AVG. Presumably this would cause the antivirus software to fight it out on your computer, hurting system resources and confusing one antivirus program, for example, when it finds a virus in the other antivirus’ quarantined vault.

I recommend this for all Windows computers: Windows XP, Vista, and 7.  The only exceptions are pirated versions of Windows since MSE requires Windows Genuine Advantage to run and make sure that your copy of Windows is legit.

MSE has a small footprint with low minimum requirements:

• For Windows XP, a PC with a CPU clock speed of at least 500MHz and at least 1GB of RAM
• For Windows Vista and Windows 7, a PC with a CPU with clock speed of at least 1.0GHz and at least 1GB of RAM
• VGA (display): 800×600 or higher
• Storage: 140MB of available hard-disk space
• An Internet connection is required for installation and to download the latest virus and spyware definitions

This Wednesday, April 1st the Conficker worm will do something. No one knows what. But it has security experts up late. It is believed that at one point Conficker was on 6% of the world’s PCs. This has been [...]]]> Is it time to buy those boxes of ammo and head for the hills? We’ll see.

This Wednesday, April 1st the Conficker worm will do something. No one knows what. But it has security experts up late. It is believed that at one point Conficker was on 6% of the world’s PCs. This has been reduced dramatically by the work of Microsoft in issuing special patches for the worm. But hundreds of thousands of PCs are still estimated to be infected.

Early this month, Symantec’s security researchers began noticing that the worm was changing in order to avoid steps to interrupt the worm’s links with its hacker controllers. The first versions of the worm generated a list of 250 possible domains each day that could be used to route instructions from hackers. The new edition uses a list of 50,000 URLs in order to overwhelm security researchers.

Typically hackers use large botnets of computers to commit distributed denial of service (DDOS) attacks against websites. The hackers will demand that large websites pay them in order to be spared.

If you are worried about your computers or those of people you love, you can read Microsoft’s alert and my earlier post on how to prevent and remove the virus.

You can run it whenever you want, not needing to take up resources when you aren’t [...]]]> SUPERAntiSpyware is very good antispyware that is free for personal use. While Antivirus software is very important, Antispyware can help too in making sure that you aren’t getting hijacked by Spyware, Adware, Malware, Trojans, Dialers, Worms, and Key Loggers.

You can run it whenever you want, not needing to take up resources when you aren’t using it.

An Arlington, VA client was recently infected by that Antivirus 2009 malware. It has been the most pernicious malware that I have seen recently, [...]]]> Microsoft recently reported that their Malicious Software Removal Tool (MSRT), which was included in Windows Updates on December 9, 2008, has now removed over 400,000 copies of the nefarious “Antivirus 2009″.

An Arlington, VA client was recently infected by that Antivirus 2009 malware. It has been the most pernicious malware that I have seen recently, as most users can be tricked into installing it. Many fake sites exist that you might find during a normal web search. The sites appear to be a standard Windows Control Panel page which pretends to search for and find viruses. If you click “Ok” or “Remove All” you will be infected.

It will eventually take away all administrative rights from you and ask for your credit card to update and remove the viruses. Of course, it never removes anything, but instead gives your credit card info to the bad guys to use as they wish. Your computer is also a zombie ready to do whatever they ask of it.

The problem is that the dialog boxes and alerts look just like legitimate ones that might appear from Microsoft. See the fake Antivirus 2009 alert above.

I mentioned another variant of this malware called Antivirus XP 2008 in an earlier post.

While there are other tools you could use, Microsoft’s Malicious Software Removal Tool (MSRT) is a real solution that will remove and protect the computer from this Malware. It is available as a critical update from Microsoft.

It is not always apparent how to run Microsoft’s Malicious Software Removal Tool (MSRT). If you have it installed, you can just go to Start – Run and they type mrt

The gang was identified publicly in May by Joe Stewart, director of malware research at SecureWorks, a computer security firm in Atlanta. Mr. Stewart, who has determined that [...]]]> This NY Times article talks about how a gang in a Russian town is using Microsoft administrative tools to infect private and government computers. A few excerpts:

The gang was identified publicly in May by Joe Stewart, director of malware research at SecureWorks, a computer security firm in Atlanta. Mr. Stewart, who has determined that the gang is based in Russia, was able to locate a central program controlling as many as 100,000 infected computers across the Internet.

The system infects PCs with a program known as Coreflood that records keystrokes and steals other information.

“The great thing about this system is that from one computer it is possible to push out updates to all machines in a corporate network at once,” Mr. Stewart said. “This is a useful tool that Microsoft has provided. However, the bad guys said, ‘We’ll just use it to roll out our Trojan to every machine in the network.’ ”

The gang then uses the passwords to access your bank account and transfer out money. Scary stuff.

This only affects Microsoft operating systems, so Macs are safe. In order to protect PCs, I suggest using:

• hardware firewall (included in routers)
• Windows Vista or XP with Service Pack 3 (latest)
• Anti-virus software such as AVG Free or Avast.

If you get infected by something like this Coreflood virus, you should do a complete re-install of your system.