Computer Security News

Computer Security News and Related Information for IT Professionals and Home Users
HOW TO:  Clean-up
  January 14, 2013

Removing Malware from your Computer:

IMPORTANT: How to Remove Malware
The instructions on this page are intended for “very experienced” and “very knowledgeable” computer users. If your skill level is only average, or less than average, then we strongly advise you to seek a computer professional to perform cleanup work on your computer. Some of these tasks can require much time to execute, and these instructions were written with the expectation that you possess a thorough knowledge of computer operations. To the experienced user, this work is not difficult. However, some of these operations may be confusing and intimidating for those who are not intimately familiar with cleanup procedures.
WHEN IN DOUBT, HIRE A PROFESSIONAL.



     THESE INSTRUCTIONS ARE FOR COMPUTERS RUNNING WINDOWS


Introduction:
A typical cleanup procedure may take 2 to 10 hours, depending upon your skill level, the sophistication of the malware, and the severity of any damage it caused, and assuming nothing else goes wrong during the procedure.  Even "experts" can run into unpleasant surprises.

Be sure to allow adequate time to complete the tasks in a single session.

One reason the procedure takes so long is that it does not alter or damage the current configuration, nor does it put your data (documents, pictures, music, etc.) at risk.

Many repair shops will simply reformat the disk and reinstall the operating system and any necessary drivers. That is a drastic method, but it requires far less time and effort, and hence is more profitable for them.  However, all data is lost in the process, along with any custom configuration. Reconfiguring your exact setup can be a time-consuming process, which you are generally stuck doing after a repair shop cleans your computer.  And if you do not have a full, up-to-date, CLEAN (uninfected) backup of all your files, then not only have you lost your configuration and your data files, but the original problem is quite likely to return as soon as you attempt to restore your data.

Be aware, however, that some malware may have already destroyed your data files, and the procedure detailed within this document does nothing to attempt to restore them IF they are already damaged.

Restoration IS possible in many cases, but that is beyond the scope of the procedure we are presenting within this document.



Preliminary:
If you are only interested in checking your computer for malware, then this page is not the best source of helpful information for you. Your first line of defense should be anti-malware software, sometimes referred to as "anti-virus", or "security", or "internet security", and/or other names. If you do not already have such software installed and operational on your computer, you are at high risk any time the computer is connected to the internet (or to almost any network).

You will need access to a known clean computer.  This is important!
Many types of malware will hijack your email account(s). It is strongly recommended that you change the password for your email account(s).
Do it on a known clean computer, NOT on a possibly infected computer.
Be sure to use a strong password. Current “botnet” and other malware can easily crack weak passwords. To create a strong password, use a combination of lower-case and upper-case letters, numbers, and "special" characters such as
!@#$%^&*()_+-[] for example. Avoid short passwords.
Use at least 11 characters; more is better.
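As an added illustration (not part of the original page), the following Python checks a candidate password against the rules given above (and repeated in the summary at the end of the page), and estimates how long a brute-force attacker would need to try every combination of the character classes the password uses. The guess rate of one billion per second is an assumption chosen only to make the numbers concrete.

```python
# Password policy as stated on this page: at least 11 characters, with
# lower-case, upper-case, numbers and "special" characters from the page's list.
MIN_LENGTH = 11
SPECIAL_CHARS = set("!@#$%^&*()_+-[]")          # the page's example set (15 chars)
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "special": len(SPECIAL_CHARS)}


def classes_used(pw):
    """Which character classes appear in the password."""
    used = set()
    for c in pw:
        if c.islower():
            used.add("lower")
        elif c.isupper():
            used.add("upper")
        elif c.isdigit():
            used.add("digit")
        elif c in SPECIAL_CHARS:
            used.add("special")
        else:
            used.add("other")        # space or punctuation outside the page's list
    return used


def check_password(pw):
    """Return the list of page rules the password violates (empty list = passes)."""
    used = classes_used(pw)
    failures = []
    if len(pw) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    for cls, label in (("lower", "no lower-case letter"),
                       ("upper", "no upper-case letter"),
                       ("digit", "no number"),
                       ("special", "no special character")):
        if cls not in used:
            failures.append(label)
    return failures


def seconds_to_exhaust(pw, guesses_per_second=1e9):
    """Time to try every password of this length built from the same classes.

    Assumption: a brute-force attacker at a fixed guess rate; 'other' characters
    are counted as the remaining 18 printable ASCII symbols."""
    alphabet = sum(CLASS_SIZES.get(cls, 18) for cls in classes_used(pw))
    return alphabet ** len(pw) / guesses_per_second


if __name__ == "__main__":
    for candidate in ("password", "Ex4mple-P@ss"):     # constructed samples
        print(candidate, check_password(candidate) or "OK",
              f"{seconds_to_exhaust(candidate):.0f} s to exhaust")
```

Eight lower-case letters are exhausted in minutes at that rate; a 12-character password using all four classes takes on the order of a million years.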

NOTE:
For a typical home computer user, passwords should be enforced on:
  → Your computer(s)
  → Your router
  → Your email



Copy Your Data:
Create data backups! Use a clean (never previously used) backup device, such as an external USB drive. Do NOT back up your programs (executable files). Make backup copies of your important documents, text files, music, pictures, databases, financial records, source code, and that sort of thing. Ensure that anti-malware or anti-virus software is running while the files are being backed up. Never run more than ONE anti-[whatever] application at the same time, as they do not play well together.

We recommend operating in “safe mode” while doing preliminary backups. Note that sometimes the computer may not allow direct access to use an external USB drive in “safe mode”, but you can use “Disk Management” to assign a drive letter to it, and then it will work properly.  Also note that some anti-malware or anti-virus applications will not operate properly in “safe mode”. If that is the case for your security software, then do not perform the preliminary backups in “safe mode”.

People ask us, “Why do you recommend a  'clean'  backup device?”

The reason is that this is about fixing an infected computer system.
It is our recommendation that everybody maintain scheduled backups of all important data files on some external device(s). However, if the computer has been infected by malware, then it is possible that there are infected files on the backup device. Therefore, we recommend a clean (never previously used) backup device.

For truly critical data files, you should use at least two (2) external backup devices, and the devices should be password-protected, and the data files should be encrypted.

For general home-user backup software, we recommend the following:

 Replicator  (Karen's Power Tools)
 Paragon Backup & Recovery Free

Each of those is free. The "Replicator" software is simple, very powerful,
and efficient.  It is our top choice for general purpose backup software.

If you don't have a clean external storage device available, this one works well, has adequate storage, and is quite affordable ($20, January 2013).



Getting Started:

 •  You suspect trouble, maybe due to slow performance, or crashes.
     (or perhaps your email account sent mails that YOU did not send)

 •  Know the Operating System:  Is it 32-bit or 64-bit? (important!)
     (Not sure?  Look here)

 •  Next: get access to the internet on a known clean computer.
     (it must have ability to save files to your external device)

 •  Log into your email account(s) and change the password.

 •  [continuing on known-clean computer] . . .
  -  Download the newest Microsoft Security Essentials engine.
  -  Download the newest Definition Files for Security Essentials.
  -  Download the newest Microsoft Safety Scanner.
  -  Download the newest version of Malwarebytes.
  -  Download the newest version of CCleaner.  (use "Piriform" link)
  -  Download the newest HOSTS file.
  -  If you need the Oracle JRE, download the newest version here.
     Store those files on your external device, but do not connect
     the device to the [suspected] infected computer yet.


 •  NOTE: If you use the Adobe Reader for PDF files, we strongly
     recommend that you replace it with the Foxit PDF Reader.
     The Adobe Reader has a long history of security issues.



Cleaning an Infected Computer:   Part 1 of 3 

 •  Disconnect internet/network on the computer to be cleaned.

 •  Completely UNINSTALL and remove ANY/ALL "security" software.
     If you need help uninstalling security software, read this page.
     (normally, you can uninstall software via Control Panel)

Above, "Completely UNINSTALL and remove..." refers to any/all existing anti-virus, anti-malware, anti-ADware or non-Windows firewall software. A reboot is often required after removing security software. For products such as Symantec's Norton Internet Security suite, a special "removal tool" (software) is available from Symantec, because its own built-in uninstaller usually does not work properly.
The Symantec/Norton "removal tool" software is free, available from:
 http://us.norton.com/support/

 •  If "Adobe Reader" is installed, completely uninstall it.

 •  Completely UNINSTALL and remove ANY/ALL 3rd-party browser toolbars.
     (You can re-install them later, though we recommend against them)
       →  Read about Browser Toolbars

 •  If the infected computer is running "Windows Vista", and IF the Sidebar
     is active, disable it at this point in the procedure.
     We recommend removal of any/all "Gadgets" due to the potential for
     causing system instability and/or opening vulnerabilities to malware.


 •  "Instant Messenger" software is a security nightmare. We urge removal
     of any/all Messenger software.  At a minimum, exit/terminate any/all
     Messenger software that is active, for the remainder of this procedure.

 •  "Peer-to-Peer" software is a severe security nightmare.
     We urge removal of  any/all  "Peer-to-Peer"  applications.
     Examples of dangerous "Peer-to-Peer" applications include . . .
      • ANts P2P
      • Bearshare
      • eMule
      • iMesh
      • LimeWire
      • Piolet
      • uTorrent
      • Azureus
      • BitTorrent
      • FrostWire
      • Kazaa
      • Morpheus
      • Shareaza
      • Vuze
      • Ares
      • eDonkey
      • Gnutella
      • KCeasy
      • Overnet
      • Soulseek
      • WinMX

 •  Shut off and/or disable any/all unnecessary software not previously
     mentioned.  During malware removal, there should be no software
     running except what is required to perform the cleanup procedure.

Above, "Shut off and/or disable..." means to close any/all open programs, and any/all unnecessary "background" tasks.  Background tasks can include automatic update services  (but ignore the Windows Update service), Browser Toolbars, Instant Messengers, Peer-to-Peer software, Photo/image monitoring applications, QuickTime, etc.  When in doubt, ask an IT professional for advice.  They should [should!] know which tasks to disable. And don't worry... upon subsequent reboot, those tasks will all be loaded again, automatically.

Note that Asus, Dell, HP, IBM and some other computers all have a lot of unnecessary software that runs in the background.  Note also that Acer and Toshiba computers sometimes have a lot of unnecessary software that runs in the background.


NOTE:
 AT NO TIME SHOULD MULTIPLE SECURITY SOFTWARE APPLICATIONS BE
 INSTALLED AND RUNNING CONCURRENTLY.   USE ONE, AND ONLY ONE!
 




Cleaning an Infected Computer:   Part 2 of 3 

 •  Make sure the computer is not connected to the internet.

 •  On drive C: create a folder named  install

 •  Connect your external device to the computer, and copy the files
     you previously downloaded into the new install folder.

 •  Disconnect (Safely Remove) your external device from the computer.

 •  Open an Explorer window, and open the install folder.

 Install "Malwarebytes" 
  -   It will ask you to choose Language
  -   It will tell you to close all other programs
  -   It will present the User License Agreement
       →  Click "Accept"
  -   In "Select Additional Tasks" dialog, UNcheck "Create a desktop icon"
       →  Click "Next", then click "Install"
  -   Now UNcheck  "Update Malwarebytes Anti-Malware"
      (because your internet connection is OFF at this time)
  -   A "trial" dialog will open -- click the "Start Trial" button
  -   Select "Perform full scan", then click the "Scan" button
  -   When completed (takes a while), if "Objects detected" is NOT zero:
      »  Click "Show Results"
      »  Evaluate items in the list
      »  UNselect any items that you deem mistakenly flagged
      »  Click the "Remove Selected" button
      »  Close the log file that opens (you can review it later)
      »  Click the "Exit" button
  -   TERMINATE Malwarebytes
  -   Right-click the Malwarebytes icon in the System Tray
  -   Click "Enable Protection" to UNselect it
  -   Click "Yes" when it asks "Are you sure..."
  -   UNinstall Malwarebytes completely
  →  NOTE that a reboot may be required
 

 Install "CCleaner" 
  -   It will ask you to choose Language -- do it
  -   Click the "Next" button
  -   Click the "I Agree" button
  -   UN-check the following choices . . .
      »  "Add Desktop Shortcut"
      »  "Add Start Menu Shortcuts"
      »  "Add 'Run CCleaner' option to Recycle Bin context menu"
      »  "Add 'Open CCleaner' option to Recycle Bin context menu"
      »  "Automatically check for updates to CCleaner"
  -   UNcheck "Install the free Google Toolbar along with CCleaner"
  -   Click the "Install" button
  -   Click the "Yes (Recommended)" button
  -   Click the "Analyze" button
  -   When it shows "ANALYSIS COMPLETE" click on the "Run Cleaner"
       button, then click "OK"
  -   When it shows "CLEANING COMPLETE" click the "Registry" square in
       the left-side panel
  -   Click the "Scan for Issues" button
  -   When the progress bar shows 100% click on the
       "Fix selected issues..." button
  -   Click "Yes" when asked if you want to save backup of changes to
       the registry
  -   Click the "Save" button
  -   Click the "Fix All Selected Issues" button
  -   When finished, click the "Close" button
  -   Close CCleaner
  -   UNinstall CCleaner completely
  →  REBOOT after the uninstall has completed



Cleaning an Infected Computer:   Part 3 of 3 

 •  Install the HOSTS file per instructions found here.
     You should print the installation instructions for your specific
     Operating System BEFORE you start to do any of the clean-up
     procedure (above) and this subsequent installation procedure.


 •  Open and run the Microsoft Safety Scanner, "msert.exe"
     Note that the Safety Scanner may take some time to complete.
     Allow it to finish before proceeding.


 •  Open/run Microsoft Security Essentials (MSE), "mseinstall.exe"
     If it complains about no update available because of no internet,
     ignore it (see next step).


 •  Open and run the MSE definition installer, either "mpam-fe.exe",
     or for 64-bit systems "mpam-fex64.exe".
     This step can sometimes take several minutes to complete.
     Allow it to finish before proceeding.


 •  Now the Microsoft Security Essentials (MSE) software is ready to run.
     Choose "Full" under "Scan options:" on the "Home" tab.
     After the full scan is finished, reboot the computer.
     The full scan will take a long time to complete.

 •  Connect internet/network connection.

 •  Open "Windows Update" and be sure that all the latest important
     updates are installed.
     A system reboot may be required after Windows Updates.





If you followed the instructions above, then unless your computer was infected with a sophisticated rootkit, it should now be clean and secure. If you continue to have problems with your computer, we recommend that you take it to a professional, and request a detailed analysis.




 →  Below is a general summary.  The actual instructions are all above.


Basic Security Steps:    GENERAL SETUP   for Windows™ computers

 •  Password-protect your equipment.   (not only Windows™ devices)
     This applies to computers, phones, routers, modems — any and all
     devices that can be considered “internet connected”.
     Any device that holds “sensitive” data should be password-protected.
     Passwords should always be “strong”,  meaning a combination of some
     lower-case letters, some upper-case letters, some numbers, and a few
     “special” characters, such as  !@#$%^&*()_+-[] for example.
     Avoid short passwords.  Use at least 11 characters; more is better.

 •  If you use a wireless network, be SURE it is properly secured.
     Similar procedures are used for routers and modems. Be safe!

 •  Use a maintained HOSTS file.  Update it monthly, if possible.
     Read Blocking Unwanted Connections with a Hosts File to learn more.

 •  Make sure your Firewall is enabled.

 •  Make sure your anti-malware software is enabled and up-to-date.
     We recommend Microsoft Security Essentials anti-malware.

 •  Do NOT run the Oracle JRE.
     Unless you really need the Java Runtime Environment (JRE), we strongly
     recommend against it. The software has a long history of security flaws
     that are frequently exploited. If you absolutely require the JRE, then it
     would be wise to make SURE that it is always kept up-to-date.
     NOTE that the automatic update feature of the JRE has a history
     (a long history, dating back to Sun Microsystems) of unreliability.

 •  If you run the Adobe Flash Player, check for updates weekly.
     The Adobe Flash Player has a long history of security flaws.
     Flash's security record has caused several security experts to
     recommend to either not install Flash or to block it.
     As of November 3, 2012, The Flash Player has over 200 CVE entries
     (Common Vulnerabilities and Exposures),  185 of which were ranked
     with a “high severity” (leading to arbitrary code execution).
     Unfortunately, the Flash Player is required by many websites.
     NOTE that the Adobe Flash Player installer wants to install the
     Chrome browser by default. You must manually tell it NOT to, if
     you do not wish to replace your current browser with Chrome.
     We do not recommend the Chrome browser at this time.


 •  If you view PDF files, we recommend against the Adobe Reader,
     and instead recommend the Foxit PDF Reader.  The reasons are
     the same as those listed above, regarding Adobe Flash Player.

 •  Learn about and use a “sandbox” application.
     We recommend Sandboxie to isolate all of your browser sessions.
     It is a simple and safe way to help protect against modern malware.

 •  Know what software is running on your computer.
     Computers often have unnecessary software running, much of which
     you may not even be aware of.  If you do not really want or need it,
     you should uninstall it. The first step is to open Control Panel to see
     what applications are installed. Take notes. If you see names you do
     not recognize, use a Search Engine such as Google to help discover
     exactly what it is. Then decide if you want to keep it.  You can also use
     software such as the Belarc Advisor and Silent Runners to help learn
     exactly what is running on your computer.  Note that those programs
     are intended for experienced users.  If in doubt, hire a professional.

 •  Run your browser sessions in a “sandbox” at all times.
     We recommend Sandboxie.  Their website has many good tutorials.
     You can save downloaded files to your internal disk, or to an external
     device, when operating in a sandbox environment, but one additional
     step is required before you close the session.
     If you use a “webmail” interface, such as Gmail or Yahoo, then those
     sessions should be run within the sandbox as well.  Working within a
     sandbox environment provides strong protection against malware that
     any anti-malware software could miss, and it is a minor inconvenience
     compared to cleaning an infected computer.

 •  Further steps to help secure your computer:
     - Do not use any form of “Instant Messenger”. None are secure.
     - Do not use any form of “Peer-to-Peer” software. None are secure.
     - Do not install any Browser Toolbars. Some of them are not secure.
     - If you play online games, run them in a sandbox environment only.
     - Never use “Preview mode” when viewing email.
     - Never open email from any unknown source.
     - Use common sense before clicking on any link.
     - Never share your password(s). Not with anybody.
     - Scan your computer with anti-malware daily.
     - Backup your important computer data daily.
     - Update your HOSTS file monthly, if possible.
     - If you use Facebook, you should secure it.
     - If you use Gmail, enable 2-step verification.
     - If you run Adobe Flash, check for updates weekly.
     - Never stay logged in to social networks if away from your computer.
     - After logging out of a social network, CLOSE your browser session.
     - Always keep your system software up-to-date!

 •  The US-CERT site offers much good advice.  Read and learn!
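The HOSTS file steps above (installing a maintained HOSTS file in Part 3, and keeping it updated as a general setup step) work by mapping unwanted names to an unreachable address. The Python below is an added example, not code from this page, that audits a HOSTS file: it counts the ordinary blocklist entries, and flags entries that sinkhole or redirect the update and security-tool names the cleanup depends on, which is how a tampered HOSTS file typically looks. The list of protected names is an assumption for illustration; the sample file is constructed.

```python
import ipaddress

# Addresses a blocking HOSTS file maps unwanted names to (nothing listens there).
SINKHOLES = {"0.0.0.0", "127.0.0.1", "::1"}

# Names the cleanup procedure relies on (Windows Update, the tools downloaded above).
# Assumption: an illustrative list; extend it for your own environment.
PROTECTED_SUFFIXES = ("microsoft.com", "windowsupdate.com",
                      "malwarebytes.org", "piriform.com")


def is_protected(name):
    name = name.lower().rstrip(".")
    return any(name == s or name.endswith("." + s) for s in PROTECTED_SUFFIXES)


def audit_hosts(text):
    """Classify every entry of a HOSTS file (on Windows: %SystemRoot%\\System32\\drivers\\etc\\hosts).

    Returns a list of (line_number, category, detail) with category one of:
      ok         -> local entries such as '127.0.0.1 localhost'
      blocklist  -> a name sinkholed to 0.0.0.0/127.0.0.1, what a maintained HOSTS file does
      redirect   -> a name mapped to some other address; legitimate intranet entries look
                    like this too, so review them
      suspicious -> an update/security-tool name sinkholed or redirected anywhere
      malformed  -> a line that is neither a comment nor 'address name ...'
    """
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments and whitespace
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            findings.append((n, "malformed", raw.strip()))
            continue
        if len(fields) < 2:
            findings.append((n, "malformed", raw.strip()))
            continue
        for name in fields[1:]:
            if is_protected(name):
                findings.append((n, "suspicious", f"{name} -> {addr}"))
            elif str(addr) in SINKHOLES and name.lower() != "localhost":
                findings.append((n, "blocklist", name))
            elif str(addr) in SINKHOLES or addr.is_loopback:
                findings.append((n, "ok", f"{name} -> {addr}"))
            else:
                findings.append((n, "redirect", f"{name} -> {addr}"))
    return findings


def summarize(findings):
    """Count findings per category, e.g. {'blocklist': 2, 'suspicious': 2, ...}."""
    counts = {}
    for _, category, _ in findings:
        counts[category] = counts.get(category, 0) + 1
    return counts


SAMPLE_HOSTS = """\
# constructed sample HOSTS file, not a real capture
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net
0.0.0.0         tracker.example.org   # typical blocklist entry
198.51.100.7    update.microsoft.com
0.0.0.0         www.malwarebytes.org
10.0.0.5        intranet.example.com
this is not a hosts entry
"""

if __name__ == "__main__":
    for line_no, category, detail in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no:3}  {category:10}  {detail}")
    print(summarize(audit_hosts(SAMPLE_HOSTS)))
```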






Quote of the month:

If you browse the internet, malware and/or hackers will find your computer, and break into it, and cause harm to it.






We hope the information on this page is helpful. As time permits, we will update this information to help ensure it is accurate in this world of ever-changing technology.


Keep your computer up-to-date and secure!

Summary

Thank you for taking the time to visit Computer Security News.   This site is intended to help people become more aware of potential security threats to their computer and to their personal data that is often stored on-line.  Computer hardware and software changes quickly, with new replacing old. New threats occur, and we shall try to always present up-to-date information to help you.



http://computersecuritynews.us/  This site was developed and is maintained by Steve Thornburg. Contact via Secure WebForm. The site and all its content are ©2005—2012 Steve Thornburg.  v1.01.14.13.1441