Internet Paranoia

Just because you’re paranoid doesn’t mean they’re not after you.

Everyone’s worried about spyware, cookies, viruses and worms, and if you’re not worried you’re either not using your own computer to surf or very confident in your current security setup (Mac users seem to fit in this category from what I’ve seen on other blogs and forums).

I’m not so worried about me getting some form of malware; I’m more concerned about other people getting something and then calling me to fix it. As this actually does happen, I’ve compiled a CD with a collection of downloads to clean a system. Unfortunately it’s not bootable and all the apps need installing onto the infected system. Ideally this CD would be bootable and would scan the system for malware and maybe even misconfigurations, then fix them all, but as it is it’s still quite a manual process.

So, firstly, before I get to cleaning up a system: no computer I configure leaves without all available Windows updates, minimal antivirus and anti-spyware.

Before connecting a clean machine (as in Windows just installed onto a formatted disk), make sure it’s either behind a firewall or the Windows firewall is active; this is just to make it difficult for worms to get at you before you have any kind of protection installed.
The best method of getting updates and protection installed is to have them all on a disk you can install from without ever connecting to the internet or your network.

So to get your Windows updates I recommend Microsoft Update, because it will also update Office and, they claim, other products, but I don’t know what other products are covered.

For anti-virus, if you have them, Norton or McAfee will probably be fine, but if you want something the internet community claims is better there are plenty of comparisons out there and plenty of people to give their views on what’s best. I think the current favourite is NOD32, and from the comparisons I’ve seen I’m inclined to agree. However, a product that’s free to home users would probably be of benefit to everyone, as it’s probably home users that have the most trouble, not having an IT department or IT support contract to just call someone up and get the machine fixed. Avast seems to be holding its ground quite well, and they also have a paid-for professional edition for corporate users.

Now you have antivirus and all your Windows updates sorted, it’s a good idea to get some anti-spyware. A good start would be Microsoft Anti-Spyware, as it’s free and has resident protection which will alert you to any system changes it thinks are a bit dodgy.

Well, that’s the minimum protection any machine I configure will have installed. If, however, I’m called to fix a machine because it’s managed to get a virus, spyware or any other kind of malware, I tend to use a much larger selection of tools to clean up the infection.

If the computer needs a firewall it’s probably worth adding ZoneAlarm to protect it. It’s been a while since I’ve looked at that, but it seemed to work when I used it and it’s very likely to have improved since; they also sell a complete internet security package now.

Firstly, the current anti-virus needs updating and a scan running to see whether it’s able to clean up the infection. All major anti-virus programs will pick up the best known infections, but may not get less well known ones, and most will ignore other kinds of malware.
While the virus scan’s running, the next tool is a little less clever: I use the Task Manager and Google to identify the running processes. This way I can identify any problems and terminate their processes if possible. Also, Microsoft Anti-Spyware includes a startup list where you can block programs from starting at boot time, so this is also used to stop possible malware from running while I find a cure for the infection.
As spyware tends to infect Internet Explorer to watch your surfing habits, using HijackThis can help remove anything from the startup entries and browser helper objects. Just be careful using this, as you could seriously mess things up if you’re not careful.
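The two steps above (looking up running processes, then checking startup entries and browser helper objects) can be gathered in one pass with PowerShell so there is a list to research before anything is terminated. This is an added example, not a script from the original post; it assumes a Windows machine with PowerShell 5.1 or later and an elevated prompt, and the function names (Get-ProcessTriage, Get-RunKeyEntries, Get-BrowserHelperObjects) and the "expected roots" heuristic are my own choices. It only reads and lists; it changes nothing on the system.

```powershell
# Added triage script, not from the original post. Assumes Windows with PowerShell 5.1 or later,
# run from an elevated prompt on the machine being cleaned. It only lists things; it changes nothing.

# Locations where legitimately installed programs normally live (assumed heuristic). A process
# whose image sits elsewhere (user profile, temp folders, the root of C:\) is worth researching first.
$expectedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ }

function Get-ProcessTriage {
    # One row per running process: image path, Authenticode status, parent PID,
    # and a flag for images that live outside the expected install locations.
    Get-CimInstance -ClassName Win32_Process | ForEach-Object {
        $path   = $_.ExecutablePath
        $status = 'NoPath'   # e.g. System/Idle, or an image we are not allowed to read
        if ($path -and (Test-Path -LiteralPath $path)) {
            $status = (Get-AuthenticodeSignature -FilePath $path).Status
        }
        $inExpectedRoot = [bool]($expectedRoots |
            Where-Object { $path -and $path.StartsWith($_, 'OrdinalIgnoreCase') })
        [pscustomobject]@{
            PID       = $_.ProcessId
            ParentPID = $_.ParentProcessId
            Name      = $_.Name
            Signature = $status
            # Flagged only when the image path is known and is outside every expected root.
            Unusual   = [bool]$path -and -not $inExpectedRoot
            Path      = $path
        }
    }
}

function Get-RunKeyEntries {
    # The autostart entries a "startup list" covers: per-machine and per-user Run / RunOnce keys.
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        # Skip the PS* metadata properties that Get-ItemProperty adds to every object.
        foreach ($name in ($props.PSObject.Properties.Name | Where-Object { $_ -notlike 'PS*' })) {
            [pscustomobject]@{ Key = $key; Name = $name; Command = $props.$name }
        }
    }
}

function Get-BrowserHelperObjects {
    # Internet Explorer BHOs are registered by CLSID; resolve each one to the DLL it loads,
    # which is the same information HijackThis shows in its O2 entries.
    $bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (-not (Test-Path $bhoKey)) { return }
    Get-ChildItem -Path $bhoKey | ForEach-Object {
        $clsid  = $_.PSChildName
        $server = Get-ItemProperty -Path "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32" `
                    -ErrorAction SilentlyContinue
        [pscustomobject]@{ CLSID = $clsid; Dll = $server.'(default)' }
    }
}

# Unusual processes first, so the ones to look up appear at the top of the table.
Get-ProcessTriage | Sort-Object -Property Unusual -Descending | Format-Table -AutoSize
Get-RunKeyEntries | Format-Table -AutoSize
Get-BrowserHelperObjects | Format-Table -AutoSize
```

Treat the "Unusual" flag as a reading list, not a verdict: plenty of legitimate software installs under the user profile, and an unsigned image is only a hint. Once a process has been identified as unwanted, `Stop-Process -Id <PID>` does the same job as ending it in the Task Manager, and the Run-key and BHO rows tell you what to disable in the startup list or in HijackThis so it does not come straight back.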

By now the virus scan should be finished and you should have identified any potential problems; now you need to remove the active infections.
Sometimes just terminating their processes will work, unless they restart. Booting into safe mode will stop them running. If you’ve found removal instructions for any of the infections, follow them to get rid of it.

Now you have the current threats either eliminated or disabled, you need to make sure the system has no hidden threats. There’s no point in cleaning a system of the most obvious problem but leaving another one you didn’t know was there to just reinfect the system, so it’s time to run your malware scans using products not currently on the system.

You will need to download both the program and the latest definition file for each of the following:
Microsoft Anti-Spyware (if it’s not already installed) – this is quite a good malware scanner; it will pick up trojans and spyware and it also has a resident scanner.
Ad-Aware – everyone should have heard of this and it’s probably still one of the most used scanners.
Spybot Search and Destroy – this has one of the fastest scans I’ve seen; it also has an inoculate feature that will block access to sites it knows are bad.

Run a scan with each of these programs; between them they should be able to catch everything on the system and remove any problems, running or not.

So the system should be pretty much clean now. To finish off it’s worth scanning for viruses using a different virus scanner to the one currently installed.
Trend Micro provide a system cleanup scanner; it’s a small download where you just drop the program and its definition file into a folder, then set it running. You can get this from the Damage Cleanup Engine / Template page and the definitions from the Virus Pattern Files page.
Another good one to try is ClamAV. This is open source, so free, and by all reports quite good at catching things; unfortunately they haven’t developed an on-access scanner yet.

After all this and about a day’s worth of system scanning you will be sat in front of a clean, protected system, with hopefully no malware of any kind. Only the most obscure infections would have slipped through; if you’re worried that might have happened then all I can recommend is more scanning with other products you can find, or formatting the drive, as that will almost guarantee elimination of any infection, unless the infection’s coming from another machine, in which case you probably need to isolate and scan every machine on the network (this is probably a good idea anyway).

I hope this is helpful; if I’ve missed anything out, be sure to post your tips and links to any apps you prefer.

And before anyone points out that a disconnected machine can’t use the internet, and that using Internet Explorer to search would probably put the machine at risk: I use Firefox on my laptop to identify processes and search for removal code, and I also use it to download any fixes or tools and burn them to a rewritable CD.

