What is malware?
Malware (malicious software) is any program written to damage, spy on, or take control of your PC without your consent. Slowing the machine down is usually a side effect, not the goal.
<b>Some symptoms that suggest you have it include: </b>
Popup windows alerting you that your "machine is at risk", or that "your machine is infected"
Changes to your homepage, and/or sudden redirects to pages that you would normally <b>never visit</b> (also known as browser hijacks, or browser re-directs)
Random browser lockups & crashes. Usually, the browser locks up, and eventually the window that it’s in turns white, with a "(not responding)" message in the title bar.
However, having these symptoms does <b>NOT</b> prove that you <b>DO</b> have spyware. They can also be caused by a corrupted plug-in from a bad install or a bad download.
Now, there are two ways to go about this, and they both have their good points and bad points:
<hr>
One is to lock the system down: remove execution privileges from the folders on your system that downloaded files land in, and tighten your browser's security settings by disabling features that can be used to cause you grief, such as ActiveX and JavaScript.
Exec & Synja both have a tutorial on that; I'll have to convince them to post it here on the forums :-P
Basically, what the above means is this: every user account has rights and abilities, such as the right to run files. If you take that right away for the folders where downloads land, malware may still get downloaded to your PC, but because it doesn't have permission to run (aka execute) it can't modify your system (disable Task Manager, start itself on boot, and so on).
(Note: these tips are geared more towards Internet Explorer users. If you use Firefox, that's fine. Personally, I don't like it, but by the same token, I have more than the "average" user's knowledge, so doing this is a snap for me and the other peeps here on the Comp & Tech forum.)
The good thing about doing this is that it's a one-time deal. Do it once, and you're good for life. (At least... until you reformat =o| )
The only bad thing (and this can't really be deemed "bad") is that it may seem too intimidating for someone who only uses their PC for browsing the web and writing email.
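As an added example of what "removing execution privileges" and "disabling ActiveX & JavaScript" look like when done by hand, here is a batch script for Windows XP Professional. It is my own illustration, not part of the original post or of Exec & Synja's tutorial. The Internet-zone value names (1200, 1400, 1001, 1004) are IE's documented URL-action IDs; "bank.example" and the rule GUIDs are placeholders; the Software Restriction Policy registry layout is the one the Local Security Policy snap-in (secpol.msc) writes, so open that snap-in afterwards and confirm the two path rules show up as "Disallowed".

```batch
@echo off
rem Added example, not from the original post: lock down IE's Internet zone and
rem forbid running programs from the folders that drive-by downloads land in.
rem Run from a cmd prompt as Administrator on Windows XP Professional, then log
rem off and back on. Zone 3 = Internet, zone 2 = Trusted sites; for each URL
rem action the data means 0 = enable, 1 = prompt, 3 = disable.

set "IEZONE=HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"

rem Weak (XP SP2 default) settings for the Internet zone, for comparison:
rem   1200 Run ActiveX controls and plug-ins      = 0 (enable)
rem   1400 Active scripting (JScript/JavaScript)  = 0 (enable)
rem   1001 Download signed ActiveX controls       = 1 (prompt)
rem   1004 Download unsigned ActiveX controls     = 3 (disable)

rem Hardened settings: nothing from an arbitrary web page gets to run code.
reg add "%IEZONE%" /v 1200 /t REG_DWORD /d 3 /f
reg add "%IEZONE%" /v 1400 /t REG_DWORD /d 3 /f
reg add "%IEZONE%" /v 1001 /t REG_DWORD /d 3 /f
reg add "%IEZONE%" /v 1004 /t REG_DWORD /d 3 /f

rem A site you genuinely need scripting on goes in the Trusted sites zone (2),
rem which keeps its own, looser settings. "bank.example" is a placeholder.
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\bank.example" /v https /t REG_DWORD /d 2 /f

rem Software Restriction Policy: "Disallowed" path rules (security level 0) so a
rem file dropped into Temp or the IE cache cannot be executed from there even
rem though it was downloaded. DefaultLevel 0x40000 = Unrestricted everywhere else.
rem The rule GUIDs below are arbitrary; any unique GUID per rule will do.
set "SRP=HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
reg add "%SRP%" /v DefaultLevel /t REG_DWORD /d 262144 /f
reg add "%SRP%" /v TransparentEnabled /t REG_DWORD /d 1 /f
reg add "%SRP%" /v PolicyScope /t REG_DWORD /d 0 /f
reg add "%SRP%" /v ExecutableTypes /t REG_MULTI_SZ /d "BAT\0CMD\0COM\0CPL\0EXE\0HTA\0MSI\0OCX\0PIF\0SCR\0VBS\0WSF" /f

set "RULE=%SRP%\0\Paths\{0b7a1e0c-0001-4000-8000-000000000001}"
reg add "%RULE%" /v ItemData /t REG_EXPAND_SZ /d "%%USERPROFILE%%\Local Settings\Temp" /f
reg add "%RULE%" /v SaferFlags /t REG_DWORD /d 0 /f

set "RULE=%SRP%\0\Paths\{0b7a1e0c-0001-4000-8000-000000000002}"
reg add "%RULE%" /v ItemData /t REG_EXPAND_SZ /d "%%USERPROFILE%%\Local Settings\Temporary Internet Files" /f
reg add "%RULE%" /v SaferFlags /t REG_DWORD /d 0 /f

echo Done. Log off and back on for the path rules to take effect.
```

Turning Active scripting off will break a lot of sites, which is exactly the "intimidating" part mentioned above; the Trusted sites zone is how you get them back one at a time. The path rules only stop a file from running in the folder it landed in: something that copies itself somewhere else first will still run, so treat this as a speed bump that makes the scanning described below less urgent, not as a replacement for it.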
<hr>
The second thing to do is to install, configure, update, and then scan your system with an anti-malware scanner, which is the purpose of this tutorial.
And yes, that is the preferred order. What good is a scan if you're using out-of-date "fingerprints" to scan with? That's like looking at last week's TV guide to find out what time your favourite show is on this week.
Now:
First things first.
Scanners:
There's a whole plethora of them out there:
<a href="http://www.ewido.net">AVG/Ewido</a>
<a href="http://www.pctools.com/spyware-doctor/">Spyware Doctor</a>
<a href="http://www.webroot.com/?rc=4929&ac=5190722">Webroot</a>
<a href="http://www.safer-networking.org/en/download/">Spybot Search & Destroy</a>
<a href="http://www.lavasoftusa.com/software/adaware/">LavaSoft Ad-Aware</a>
<b>Note: Keep the default installation options, with one thing to check: when the installer asks whether to "install for all users" or "install for just this user", make sure "install for all users" is the one that's selected.</b> (You'll see why later on in this tutorial: the scan is run from a different account than the one you normally use.)
It's always a good idea to update the definitions before doing a scan and removal, simply because new malware is being written and released on literally an hourly basis. Granted, updating your definitions now may not protect you against malware that was released 10 minutes ago, but it is still a good idea.
For the purposes of this tutorial, my workstation has Ewido/AVG Anti-spyware installed, so that’s where the screen shots are going to be from.
<b>Here's the main screen for AVG:</b>
<img src="http://i49.photobucket.com/albums/f257/zero_defekz/Tutorials/avg_main.jpg">
Now, before we do anything, we want to update our signatures/definitions, because, as previously stated, new spyware is being released on literally an hourly basis.
<b>So, click the following icon:</b>
<img src="http://i49.photobucket.com/albums/f257/zero_defekz/Tutorials/avg_circled.jpg">
<b>Clicking that icon will bring you to the following screen:</b>
<img src="http://i49.photobucket.com/albums/f257/zero_defekz/Tutorials/avg_update.jpg">
<b>Now, before you scan, you want to change the default action:</b>
<img src="http://i49.photobucket.com/albums/f257/zero_defekz/Tutorials/scanner_circled.jpg">
<b>Then, click the "Settings" tab</b>
<img src="http://i49.photobucket.com/albums/f257/zero_defekz/Tutorials/settings_circled.jpg">
<b>After that, click the link that says "Recommended actions" and a little drop down menu will open up:</b>
<img src="http://i49.photobucket.com/albums/f257/zero_defekz/Tutorials/reccomended_actions.jpg">
Personally, I would recommend that you select the "Delete" option. There is one downside to this, however:
If a file that an application depends on becomes infected (malware frequently replaces or injects itself into .dll files), then Ewido/AVG will delete the file, more than likely rendering the program unusable.
<b>However, there is a very simple fix for this: just reinstall the application. </b> (If you'd rather be able to undo a wrong call, pick the "Quarantine" action instead: a quarantined file is moved out of the way so it can't run, and can be restored or deleted for good later, once you know nothing broke.)
Ok.
Lets go through our checklist:
Anti-Spyware application installed? - Check
Spyware definitions updated to the latest signature file? - Check
Default action set to delete? - Check
Now, lets get the ball rolling:
Once the above things are done, reboot your pc.
Immediately, during the boot up process, <b>continually hit the "F8" key</b>
(You only have a 5-10 second window to access the boot up menu, so you have to continually hit the F8 key)
You should get a black screen titled "Windows Advanced Options Menu"
You want to select <b>"Safe Mode"</b>
<img src="http://i49.photobucket.com/albums/f257/zero_defekz/Tutorials/boot_options_menu_safe_mode.jpg">
Now, you're going to see <b>a lot</b> of white text scroll by (the drivers being loaded); don't worry about this, that's normal.
However, when you get to the login screen (it should be a blue screen with 2 user accounts showing up)
<b>Make sure you select the account titled "Administrator"</b>
Why?
2 Reasons:
1. Because pre-built PCs usually have 2 accounts on them:
One titled "Administrator" and the other, depending on the make/model/manufacturer, named something along the lines of "HP_User".
2. Malware usually installs itself under the account that was logged in at the time of infection, and it almost always creates registry entries so that it starts up again when Windows starts. When it was running with an ordinary user's rights, those entries live in that user's own part of the registry (HKEY_CURRENT_USER), so they only apply to the account that was in use when the PC was infected. (If the malware got administrator rights it can write to the machine-wide keys under HKEY_LOCAL_MACHINE instead, which fire for every account, so treat this trick as improving the odds, not as a guarantee.)
Usually, the Administrator account isn't the one that's being used.
Most of the time you won't even see the login screen that lets you select an account, if there's only one person using the PC:
Windows XP, by default, automatically logs into the account that was created when the PC was built (for example, on an HP machine there will be 2 user accounts, "hp_user" and "Administrator", and the PC will automatically log in using the "hp_user" account).
Now, because the Administrator account isn't normally used, the chances that this profile has the malware's start-up entries written to it are fairly low. This is important because, while a file is running, Windows prevents it from being changed (namely, deleted and/or renamed).
Have you ever gotten the error message:
"Cannot delete "file name here" - Access is denied. Please make sure the disk is not write protected, or that the file is not in use"
That is because the file is in use and Windows has "locked" it. The same thing applies to malware: as long as it's running, the scanner can't delete it either.
Here's why we did this:
1. Safe mode loads up with the bare minimum files needed to make it to the desktop.
2. Chances are that the Administrator account doesn't have the entries needed for the spyware to start up.
(Some spyware still starts up regardless of whether you're in Safe Mode or not; think of logging in as Administrator as added insurance that it's <b>not</b> running.)
Think of it like this: each user profile is a separate set of instructions for Windows, specific to that person, so a start-up instruction written into one profile isn't followed when a different account logs in.
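To see for yourself which account the start-up entries discussed above belong to, here is an added example (mine, not from the original post) that dumps the usual autostart locations with the reg.exe that ships with Windows XP, grouped by scope. The registry paths are the standard ones; the account name HP_User is only used as an example, as it is above.

```batch
@echo off
rem Added example, not from the original post: list the start-up hooks that
rem malware uses, separated by scope, so you can see whether an infection is
rem tied to one account (HKCU) or to the whole machine (HKLM). Uses only the
rem reg.exe that ships with Windows XP; run it as Administrator in Safe Mode
rem before scanning, and compare with a run from the normal account.

set "CV=Software\Microsoft\Windows\CurrentVersion"

echo ==== Per-user: only fires for the account you are logged on as (HKCU) ====
for %%K in (Run RunOnce) do (
    echo --- HKCU\%%K ---
    reg query "HKCU\%CV%\%%K" 2>nul
)

echo.
echo ==== Per-machine: fires for EVERY account, Administrator included (HKLM) ====
for %%K in (Run RunOnce) do (
    echo --- HKLM\%%K ---
    reg query "HKLM\%CV%\%%K" 2>nul
)

echo.
echo ==== Winlogon: these run even in Safe Mode. Expect exactly "Explorer.exe"
echo ==== and "C:\WINDOWS\system32\userinit.exe," (note the trailing comma) ====
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit

echo.
echo ==== Run key of every other loaded profile (HKU), e.g. HP_User's hive ====
rem eol=! skips the "! REG.EXE VERSION 3.0" banner that XP's reg.exe prints.
for /f "eol=! tokens=*" %%S in ('reg query HKU') do (
    echo --- %%S ---
    reg query "%%S\%CV%\Run" 2>nul
)
```

A profile that isn't logged on doesn't appear under HKU, so to inspect HP_User's hive while you are logged in as Administrator, load it first with reg load HKU\Other "C:\Documents and Settings\HP_User\NTUSER.DAT", query HKU\Other\Software\Microsoft\Windows\CurrentVersion\Run, and then reg unload HKU\Other. Anything listed under HKLM, or an altered Winlogon Shell/Userinit value, starts no matter which account you log in as; that is the case where the Administrator-in-Safe-Mode trick on its own won't stop it.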
Now that that explanation is out of the way, let's go on with the scan.
<b>Click the "Scanner" icon </b>
<b> Then below that, you should see "Complete System Scan"</b>
<img src="http://i49.photobucket.com/albums/f257/zero_defekz/Tutorials/system_scan.jpg">
Allow the scan to finish. If anything comes up in the window, there should be a link at the bottom that says "Apply default actions"; click it. Once it's done, reboot normally and run the scan again from your usual account to make sure nothing comes back.
<b>One important note:</b>
It would be a wise idea to install/update and then scan with several different scanners, because one scanner will pick up several things that another scanner failed to pick up. There is no one "cure all" scanner out there.