To my family and friends running Windows...
Sep 18, 2009I regularly get questions about the virii, worms, trojans and other malware infecting Windows. Lately a very convincing and hard to clean piece of malware is making the rounds so I decided to write up several previous discussions to get all this in one place.
First, let’s be clear: I don’t manage or run Windows systems at work anymore and have not in several years. I spend most of my time in Unix; I’m an occasional user of a managed corporate Windows deployment and someone else worries about all this. When I do need to run Windows at home, it runs on a Mac inside a VMWare Fusion virtual machine or under FreeBSD or Linux using Virtual Box. I take snapshots of the virtual machine and restore it when I’m done. If that made no sense then detailing what I do for myself is probably not going to work for you, but I’ll try to offer some advice on cleaning up and avoiding some of these problems.
The procedure for cleaning up is simple, in theory:
- Take the machine off the network, preventing reinfection and the spread of the existing infection.
- Get the host to a state where important files (documents, pictures, music, etc.) can be backed up. If you do not have a backup device, improvise by burning to CD or DVD or use a USB stick.
- Use the original installation or recovery disk from the vendor to “nuke and pave” (wipe clean and reinstall) the box returning it to an original pristine state.
- Restore your data.
- Prevent reoccurrence.
In practice, it’s not so simple. Skim the longer explanation below. Don’t panic. If it sounds like more than you can do, spend the $250 for your local computer shop or the Geek Squad (Best Buy) to handle it.
Before getting into the malware, some comments on network hygiene. If the box is connected directly to the internet via a cable modem, it’s probably infected whether you know it or not. See this article Unpatched PC Survival Time Just 16 Minutes which was true in 2004 and still applies today. If you have DSL or FiOS with a company-supplied router (not a bridge) or have a router or wireless base that you supplied (like one of these from Linksys or Belkin among several makers) then you might have a small barrier between your machines and whatever comes knocking from the outside world. If you don’t have one, get one before you begin or you’re wasting your time. Be sure to update to the latest firmware and change the default password.
Next a comment on the behavior of malware, if the box is infected with one piece of malware it probably has more. Disconnect it from the network and leave it off until you can deal with it for a few hours uninterrupted. Many pieces of malware scan the local network or present fake services or subvert them (for example, DHCP which is used to dynamically assign an IP address) to infect other hosts. These can spread over a wireless network, too. Trojans often require someone to do something- accept a pop-up, run a game, load a program, play a video- as a means of getting their foot in the door. Worms and self-propagating nasty things don’t need help. Plan to spend time checking and cleaning any other computers on your home network.
Using a different, uninfected machine download fresh copies of Avast! (anti-virus), Ad-Aware (malware cleaner), Malwarebytes (another malware cleaner), and Spybot Search & Destroy (yet another malware cleaner) and burn them to a CD. The free versions are fine for this purpose. Be sure to only use the official releases linked above as there are a bunch of fakes circulating with trojans in them. Last download the complete Microsoft IE and Windows updates and burn those to a CD. You’ll need all of these to remove the initial infection or reinstall.
If you have a full-system backup, stop. Your backup is probably infected too. If you’ve made an ad hoc backup using a CD, DVD or memory stick assume it is infected but go ahead and make a second one now. Trying to save your applications and settings is usually a lost cause so focus on the data. If the machine is somewhat usable (ex, pop-ups, fake blue screen, etc.), try to install the new copies of the programs above then run them to clean out the system. If this fails or you can not install and clean you are at serious risk of losing your data. As a last ditch effort where you can not get one-on-one professional help, you might try creating a boot disk on another machine and copying off the files by hand or installing a second minimal copy of the original operating system in a second directory or on a different harddisk. If your machine is recent and can boot from USB, there are commercial and non-commercial (ex. Bart’s PE Builder) ways to build a bootable Windows image on a flash drive but if you can do that, you probably don’t need my help and would not be in this mess. Understand that even if you succeed in retaking the machine, the software on it is not trustworthy. The point is that you should be able to back up your data.
At this point, if it’s not obvious where I’m heading, I recommend wiping the machine entirely and reinstalling from scratch before you connect to the network. Apply the patches you downloaded above for Windows and Internet Explorer. Now that you have a clean machine, install the anti-virus and anti-spyware mentioned above. Do not restore your files from backup yet! All updates need to be done before putting the box back on the network or you’ll simply get reinfected. You should have that hardware device (router, access point, etc.) I mentioned earlier between you and the cable or DSL.
Do not restore your backups and reinstall your apps. Seriously. Scan them with the anti-virus and anti-spyware first. If you’ve taken full system backups, you are going to restore only the data (MyDocuments, etc.). Do not restore the whole system and overwrite what you just cleaned up. Restore this subset of the backup to a new folder and scan it. If you work with an ad hoc backup, copy the data to a new folder and scan it. Next move on to applications. Only install ones for which you have the original disk or trust the download site. Do not trust C