Chapter 8 Damage Control How to remove viruses and spyware infections.


1 Chapter 8 Damage Control How to remove viruses and spyware infections

2 Synopsis
– What to do when you think your computer is infected with malware.
– Strategies that use antivirus or antispyware products.
– How to remove infections with System Restore and free infection-specific tools.
– Removing infections manually.
– Removing browser hijackers with HijackThis and CWShredder.

3 What to do when you think your computer is infected with malware. (1)
Symptoms:
– An antivirus or antispyware program has signaled that your system is infected.
– Your system is behaving oddly.
– Your ISP calls you to tell you your system is infected and doing bad things across the Internet.

4 What to do when you think your computer is infected with malware. (2)
– Disconnect your computer from the Internet: a wired connection is disconnected by unplugging the phone-like plug; for wireless, turn wireless off.
– Boot into Safe Mode with Internet.
– Reconnect your computer.
– Check your antivirus and antispyware programs; you might want to re-install and update them to make sure they work.

5 What to do when you think your computer is infected with malware. (3)
Recommended Antivirus Programs: (choose 1)
– Grisoft AVG free.grisoft.com
– Avast from www.avast.com
– Trendmicro from www.trendmicro.com ($$)
– Microsoft VirusScan (support.kent.edu)
– F-Secure from www.fsecure.com ($$)

6 What to do when you think your computer is infected with malware. (4)
Recommended Antispyware Programs (at least 2)
– Microsoft Windows Defender www.microsoft.com/defender
– Spybot Search & Destroy www.safer-networking.net
– AdAware www.lavasoft.com
– Webroot Spy Sweeper www.webroot.com $$
– PC Tools Spyware Doctor www.pctools.com $$

7 What to do when you think your computer is infected with malware. (5)
– Boot into Safe Mode without internet.
– Gather information: do a deep/full scan if possible; jot down all information.
– If your software has been disabled, run it in Safe Mode with networking and update it.
– Google all the infections found (on another computer). The following sites are useful:
  – Mcafee.com
  – Symantec.com
  – Sophos.com

8 What to do when you think your computer is infected with malware. (6)
– Quarantine all infections found.
  – Beware of false positives.
– System Restore may be able to eliminate viruses; your files may still contain the viruses, however.

9 How to remove infections with free infection specific tools.
If you have successfully determined what is infecting your system, but your antimalware tool is having difficulties, there is one more recourse: a Targeted Tool. They can be found at
– www.symantec.com/business/security_response/removaltools.jsp (dates back to 2000)
– http://us.mcafee.com/virusinfo (limited)
– www.kaspersky.com/removaltools
– www.microsoft.com/security/malwareremove/ (selection)
– www.bitdefender.com/site/Downloads/browseFreeRemovalTool/
– www.f-secure.com/download-purchase/tools.shtml (includes an antivirus program that can be run in DOS mode).

10 Removing infections manually
A list of tools can be found in chapter 12.
Do your research:
– Name of the infection
– Name and location of the infected Windows files or of the files that make up the malware.
– Registry keys inserted/modified by the malware.
– Windows “services” started by the malware.
Help can be found at:
– www.symantec.com/norton/security_response/threatexplorer/threats.jsp
– http://vil.nai.com/vil

11 Removing infections manually (2)
Steps:
– Disconnect
– Back up your data: be careful about backing up malware.
– Disable System Restore (page 254)
– Enter Safe Mode without internet
– Clean out Windows Startup with msconfig
  – Startup tab
  – Services tab (click Hide All Microsoft Services)
– Clean out Registry with regedit (p 257)
– Delete files and folders
– Restart and check
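A read-only inventory of what the msconfig Startup and Services tabs show, as an added example that is not part of the presentation. It assumes Windows PowerShell 3.0 or later run as administrator; the CSV file names are hypothetical, and the CompanyName filter only approximates the Hide All Microsoft Services checkbox.

```powershell
# Added example (not from the presentation): read-only inventory of registry
# autostart entries and non-Microsoft services. Nothing is changed or deleted.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Registry autostart values: one record per value under each Run key.
$startup = foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        [pscustomobject]@{ Source = $key; Name = $name; Command = $item.GetValue($name) }
    }
}

# Services: pull the executable out of PathName (it may be quoted and carry
# arguments), then read CompanyName from the file's version resource.
# CompanyName is self-declared by the file, so treat it as a hint, not proof.
$services = Get-CimInstance -ClassName Win32_Service | ForEach-Object {
    $exe = $null
    if     ($_.PathName -match '^\s*"([^"]+)"')  { $exe = $Matches[1] }
    elseif ($_.PathName -match '^\s*(.+?\.exe)') { $exe = $Matches[1] }

    $company = '(file not found)'
    if ($exe -and (Test-Path -LiteralPath $exe)) {
        $company = (Get-Item -LiteralPath $exe).VersionInfo.CompanyName
    }
    [pscustomobject]@{
        Name = $_.Name; State = $_.State; StartMode = $_.StartMode
        Path = $_.PathName; Company = $company
    }
} | Where-Object { $_.Company -notlike 'Microsoft*' }

# Keep a written record to compare against the vendor write-up of the infection.
# File names below are hypothetical.
$startup  | Export-Csv -Path .\startup-entries.csv -NoTypeInformation
$services | Export-Csv -Path .\third-party-services.csv -NoTypeInformation

$startup  | Format-Table -AutoSize -Wrap
$services | Format-Table Name, State, StartMode, Company -AutoSize
```

Comparing the two CSV files with the file names, registry keys and services listed in the vendor's description of the infection shows which entries belong to the malware before anything is disabled in msconfig or deleted in regedit.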

12 Removing browser hijackers with HijackThis
Written by a Dutchman called Merijn Bellekom. Sold to TrendMicro. Still free.
Download from www.trendsecure.com
Run (as administrator).
– Close all browsers
– Start HijackThis (may need to kill it first)
– “Do a System Scan and Save a Logfile”
– Post your log at one of the forums listed at www.merijn.org/forums.html and follow instructions.
– Send the expert a nice reward

13 Removing browser hijackers with HijackThis (2) (DIY version) P 263-268 Very detailed explanation which will not be covered.

14 Removing browser hijackers with CWShredder
Download from www.intermute.com/spysubtract/cwshredder_download.html
Two buttons:
– Scan Only
– Fix: searches for infections and cleans them.

