The battle against the fake antivirus programs has intensified in the past few months, and unfortunately there’s no end in sight. Blair Fritz, ForthPhaze Support Specialist, cleaned up an infection this week on an XP system, and we thought it might be interesting to explain the process we use to fix these infections.
1. The first thing we have to do is stop the part of the attack that prevents installing or opening programs on your system. There are a couple of ways to go about this. The easiest way is to open the Startup tab in msconfig (Start/Run/msconfig) and find the part of the virus that loads when you start your computer. The entries on the Startup tab can be cryptic, but there are two ways to tell which one is the bad program. Under the Command column, look for any entry that points to C:\Documents and Settings. Legitimate programs will be installed in C:\Windows or C:\Program Files; anything that loads out of C:\Documents and Settings should raise a red flag. Another marker is a Startup Item name that’s just a random collection of eight letters and numbers. If you find these, uncheck the box next to each one, click Apply, then restart the computer.
If you have a simple infection, this will stop the program that was blocking your other programs. If it doesn’t work, plan B is to restart the computer again, but this time press F8 while the computer is restarting. This will load the Windows startup options page. Select Safe Mode with Networking and press Enter. Safe Mode loads only the basic Windows components and drivers, with no add-on software, and this stops the infection from loading most of the time.
If this doesn’t work, you’ll need to run a program that kills the blocking program from the desktop. We are huge fans of a program called rKill. Download it on an uninfected computer (only from that page!) to a thumb drive, copy it to the desktop, and then double click to run it. It might take a few minutes to complete, but when it’s finished you should be able to open all the programs on your computer that you weren’t able to open before.
One important note: Once you get to this point, do not restart your computer or you might go back to square one.
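The two red flags above (a command that runs from C:\Documents and Settings, and a Startup Item name that is eight random letters and digits) can be applied mechanically to what msconfig lists. The following is an added example, not part of the original post: it runs those two checks over a constructed list of Startup tab entries and also shows the caveat that some legitimate updaters install under a user profile, so a flagged entry should be reviewed rather than removed blindly. The sample entries, the user name and the allowlist are assumptions made up for the example.

```python
import re

# Constructed sample of what msconfig's Startup tab might show on an XP box: (Startup Item, Command).
SAMPLE_STARTUP_ENTRIES = [
    ("ctfmon", r"C:\WINDOWS\system32\ctfmon.exe"),
    ("Adobe Reader Speed Launcher", r"C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"),
    ("a3k9x1qz", r"C:\Documents and Settings\Blair\Local Settings\Application Data\a3k9x1qz.exe"),
    ("Google Update", r"C:\Documents and Settings\Blair\Local Settings\Application Data\Google\Update\GoogleUpdate.exe /c"),
]

# Hypothetical allowlist: path suffixes of programs known to live under a user profile legitimately.
DEFAULT_ALLOWLIST = (r"\Google\Update\GoogleUpdate.exe",)

PROFILE_ROOT = "c:\\documents and settings\\"
# Exactly eight letters/digits, with at least one of each (e.g. "a3k9x1qz").
RANDOM_NAME = re.compile(r"^(?=.*[a-z])(?=.*\d)[a-z0-9]{8}$", re.IGNORECASE)


def _executable_path(command: str) -> str:
    """Return the program path from a Command column value, dropping any arguments.
    Handles quoted ("C:\\Program Files\\x.exe" /arg) and unquoted (C:\\x.exe /arg) forms."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    m = re.match(r"(.*?\.exe)", command, re.IGNORECASE)
    return m.group(1) if m else command.split(" ")[0]


def triage_entry(name, command, allowlist=DEFAULT_ALLOWLIST):
    """Return the red flags raised by one startup entry (an empty list means it looks legitimate)."""
    reasons = []
    path = _executable_path(command).lower()
    if path.startswith(PROFILE_ROOT):
        if any(path.endswith(a.lower()) for a in allowlist):
            reasons.append("user-profile path, but on the allowlist: review manually")
        else:
            reasons.append("loads from C:\\Documents and Settings")
    if RANDOM_NAME.match(name):
        reasons.append("startup item name is 8 random letters and digits")
    return reasons


def triage(entries, allowlist=DEFAULT_ALLOWLIST):
    """Map each Startup Item name to its red flags, keeping only entries that raised at least one."""
    flagged = {}
    for name, cmd in entries:
        reasons = triage_entry(name, cmd, allowlist)
        if reasons:
            flagged[name] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_STARTUP_ENTRIES).items():
        print(f"{name}: {'; '.join(reasons)}")
```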
Now that we can open programs, it’s on to step two…
2. This one is short and easy. We need to make sure we can get to the internet. Open your web browser of choice. If it connects to your homepage and you can get around the web, you’re ready for step three.
If you can’t get online, the infection has tried to redirect your connection to the web. Fortunately it is an easy fix. Open the Control Panel and click Internet Options. Under the Connections tab, click the button for LAN Settings, and then uncheck the box for “Use a proxy server for your LAN.” Click OK to exit and restart your browser. It should open on your home page, and you should be able to visit any website.
3. Now we’re ready to install the software we use to remove the virus from a system.
We use three different programs. The first is Combofix. (Again, only download it through that page.) It’s an amazing virus and malware removal tool. Download it, and double click it to run. There will be a pop-up screen warning that it might conflict with your antivirus program, but we always click to continue and have never had a problem.
Combofix will ask to install Microsoft’s Windows Recovery Console as part of its installation. Let it. This is an add-on that should be on every Windows system by default. After that, just let Combofix run. Depending on the infection it might take up to a half-hour to clean the system, and you might be prompted to reboot. (If so, return to safe mode by pressing F8 like before.) When Combofix is finished it will generate a text report that is going to be gibberish unless you’re a security specialist. Don’t worry about it.
The second program we use is Malwarebytes Anti-Malware, or MWB for short. We use MWB as part of a virus infection repair to double check for infections, but it’s really good at removing tracking cookies and other spyware that everyone gets on their computers. Running MWB every couple of weeks is a great habit to get into.
We do a full system scan with MWB after running Combofix. In almost all cases it comes back clean, but there have been a couple of times when it’s found infections that were missed by Combofix.
You can remove these with MWB, but infected files showing up in MWB after Combofix has always meant a deeper infection in our experience. If you delete them with MWB, the infection will probably return the next time you restart your computer.
The fix is in a good antivirus program. We have become big fans of Microsoft Security Essentials for home users. It has yet to let us down on cleaning up an infected system, even when Combofix didn’t work, and it’s tested very well on preventing infections.
You might be wondering: if Microsoft Security Essentials is so good, then why not skip Combofix and Malwarebytes and just install MSE? It comes down to time. It takes us less time to use Combofix and MWB to clean up a system and then install MSE (or AVG Network Edition for our business clients) for future protection. Even when we have to use MSE to clean up an infection, we still do a second scan. It’s not clean until you have a clean scan.
4. The final step is doing what you can to prevent another attack.
Use a comprehensive antivirus program. We recommend Microsoft Security Essentials for home systems and AVG Network Edition for business networks.
Make sure your system has the most recent Microsoft, Adobe and Sun/Java updates installed. It’s hard to use a computer without Adobe Acrobat Reader and Flash, or Sun’s Java, but all three have been the source of security problems. Keep them updated.
Set your browser to block all pop ups. Firefox and Google Chrome have this setting by default, but it has to be changed on Internet Explorer through Tools/Internet Options/Privacy. Make sure the box for “Turn on Pop-Up Blocker” is checked, then click the Settings button and change the Blocking Level to High: Block all pop ups.
You can use the browsing history to see which site you were at when you got the infection, but it’s not going to be a lot of help in preventing a future infection. These attacks come from a pop-up ad. Most websites use third-party companies to sell and place ads on their site. The ad brokers scan submissions for viruses, but the virus writers get around this by creating an innocent-looking fake ad that opens a pop-up window when the page loads or when you roll your mouse over it. The virus is in the pop-up window, and this is beyond the control of the website and the ad broker. The best defense is a good antivirus program to stop the program before it loads on your computer, combined with setting your web browser to block all pop-ups.
If you have tried the above steps but are still having trouble cleaning up the system, or you are uncomfortable performing any of these tasks, feel free to contact us. We are here to help! (And our rates are not as high as the Geek Squad’s.)