Tuesday, September 11, 2007

Viruses & Spyware

Getting Started


The goal of this guide is to fix a virus and/or spyware/malware infection using only free programs, or to protect your computer proactively. Listed below are the base programs for this guide; you can click on the names for their optimal settings and download links. Once they are installed and properly configured, continue to the next section. If you need individual help, feel free to send me a message on CrossLoop.

  1. Spybot - Search & Destroy (Link / Direct Link)
  2. Avira AntiVir Personal (Link / Direct Link)
  3. Spyware Doctor Starter Edition (Link / Direct Link)
  4. Malwarebytes' Anti-Malware (Link / Direct Link)

Scanning

If at any point after installing the above programs Avira gives you an infection warning, choose the Delete option. Launch Spybot and start a scan (Check for problems). Using the given settings, the program will rescan your computer when it finishes one. Once the results are clean, or the same results are shown and don't seem to be getting fixed, close the program. Launch Avira and start a "Complete system scan". Once it has finished, close Avira and start up Spyware Doctor Starter Edition. Do "Intelli-Scans" in the same way as with Spybot (until the results are clean, or the same results are shown and don't seem to be getting fixed) and fix all results. At this point, do a "Full Scan", fix any infections found, and close the program. Finally, launch Malwarebytes, "Perform full scan", and fix all results. Done.

If for any reason this procedure does not completely fix your problem and you are using a version of Windows prior to Vista, you should try disabling System Restore. This is done in System Properties, which can be reached through the Control Panel, by right clicking on My Computer and selecting Properties, or by holding down the Windows key on your keyboard and pressing the Pause/Break key.


Recommendations

Above all else, make sure that your system is up to date. Microsoft Update hosts all of the current Windows Updates. Once on the website, select Custom and install all available updates. Also, to decrease your chances of getting infected again, I would strongly recommend that you use Firefox from here on out instead of Internet Explorer. If you were particularly annoyed by ads in the past, you may also be interested in installing the Firefox add-on Adblock Plus afterwards (I strongly recommend it). After it's installed, you can right click on an ad, choose to block it, and never have to worry about seeing it again. When you first add it to Firefox, it will ask you if you want to add certain premade lists. It also gives you the option of visiting the websites hosting these lists. I would visit the website for EasyList and add all 3 of their lists (EasyList, EasyElement, and Tracking Filter) as well as the 3 specialty lists (Adult/Dating adservers, Myspace Junk Filters, and Rickroll Blacklist). Another common source of infections is downloading infected video drivers. In order to avoid this, I would recommend that you use VLC media player, which is known for playing just about anything.


Advanced

The following programs can be a little trickier to use, and could slow your computer down if you do not have sufficient RAM. If you are worried about keyloggers or screenloggers, then ThreatFire (made by the same people as Spyware Doctor) is an excellent program behaviour analyzer, and will stop them dead in their tracks almost instantly. The program only needs to be installed and it does its job quietly in the background. I would also recommend that you have one software firewall program, either ZoneAlarm or Comodo. Both are free; Comodo provides better protection, yet ZoneAlarm is easier to use. Remember, only use one.


Program Settings

Spybot - Search & Destroy Settings:

Launch the Spybot - Search & Destroy installer. At the select components window, check all the check boxes. At the select additional tasks window, make sure that ONLY the Use Internet Explorer Protection box is checked in. DO NOT use TeaTimer! This program can go from great and amazing to horrible if you install TeaTimer; you have been warned. The program will then try to download updates (That's what the Ethernet cable was for). If for any reason you don't have one available, or it doesn't work, go back and uncheck Download updates.

Once the program is installed, launch it. The first time, it will give you a warning about how some programs require that you keep spyware in order to work. I would check in the box so that you're never warned about this again. If the program needs spyware, you don't want it anyway. You will be given a short introduction to the program at this point. This is not important at all. Click Next over and over, and then on the last slide click Start using the program.

Now to configure it properly. Click on Mode and choose Advanced mode. Then click on Settings, followed by the File Sets tab. Make sure that they are all checked in. Then click on the Settings tab. This one is a little complicated, so I'll just let you know which sections need to be changed. If a setting option is not listed, leave it the way it is:

  • Main settings (only the following should be checked in)
    • I do know about all that legal stuff
    • Save all settings
  • Automation (again, only these should be checked in)
    • Program start
      • Fix all problems on program start
      • Rerun checks after fixing problems
      • Immunize on program start if program has been updated
      • Don't ask for fixing confirmation
      • Wait a few seconds if something else than spies were found
    • System Start
      • Fix all problems on program start
      • Wait a few seconds if something else than spies were found
      • Close program if everything's O.K.
    • Web update
      • Search the web for new versions at each program start
      • Download updated include files if available online
      • Display available beta versions
      • Display updates for other languages
      • Display new and updated skins
      • Display PGP signature updates
  • Expert settings
    • Use shredder to remove usage tracks
    • Use shredder when purging recovery files
    • Show expert buttons in results list
    • Show expert buttons in recovery list

Now click on the Directories tab, right click on the empty space, and add your desktop. Then click on Ignore Products, click on the empty space of the All Products window, and choose Deselect all. Then finally click on the Ignore System Internals tab, and remove all the entries.

Then click on the Tools tab in the bottom left hand corner, check in the "Hosts File" box, and then finally click on the Hosts File tab on the left. You will get a complete list of your hosts file entries. Select them all, and click on "Remove selected entries".
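Before wiping the hosts file entries as described above, it helps to know what was in there. The following Python script is an added example (not part of the original guide or of Spybot) that parses hosts file text and flags the two kinds of entries malware typically plants: update or security-vendor domains pointed anywhere at all, and other hosts mapped to a non-loopback address. The sample hosts content and the list of sensitive domains are constructed assumptions.

```python
import ipaddress

# Constructed sample of a Windows hosts file (not taken from a real machine):
# the first two entries are the normal localhost mappings, the rest are the
# kind of entries a tampered hosts file contains.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.example-adserver.test   # blocking entry, harmless
192.0.2.10      update.microsoft.com        # update site sent elsewhere
127.0.0.1       www.avira.com               # vendor site blackholed
"""

# Domains a user depends on for updates and removal tools (assumption; extend as needed).
SENSITIVE_DOMAINS = ("microsoft.com", "windowsupdate.com", "avira.com",
                     "safer-networking.org", "malwarebytes.org")


def parse_hosts(text):
    """Return (ip, hostname) pairs, ignoring comments and blank lines."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        for name in parts[1:]:                  # one line may list several names
            entries.append((parts[0], name.lower()))
    return entries


def suspicious_entries(text):
    """Flag sensitive domains mapped anywhere, and other hosts mapped off loopback."""
    flagged = []
    for ip, name in parse_hosts(text):
        if name == "localhost":
            continue
        sensitive = any(name == d or name.endswith("." + d) for d in SENSITIVE_DOMAINS)
        try:
            loopback = ipaddress.ip_address(ip).is_loopback
        except ValueError:
            loopback = False                    # malformed address: treat as suspect
        if sensitive:
            flagged.append((ip, name, "security/update site redirected or blocked"))
        elif not loopback:
            flagged.append((ip, name, "host mapped to a non-loopback address"))
    return flagged


if __name__ == "__main__":
    for ip, name, reason in suspicious_entries(SAMPLE_HOSTS):
        print(f"{ip:<16} {name:<28} {reason}")
```

On a real machine the hosts file lives at %SystemRoot%\System32\drivers\etc\hosts; entries that only point ad servers at 127.0.0.1 are deliberate blocking entries and are left unflagged.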

Finally, click on the Spybot-S&D tab, then Immunize, and make sure everything is immunized. Then on the Update tab, search for updates, and when you get the list, right click on the empty space and select them all. On occasion some of the updates may restart Spybot. If this happens, make sure that all the above settings are still in place.

Avira AntiVir Personal Settings:

Your computer should only have one antivirus program installed (the exception being if you have a fake trojan claiming to be an antivirus; these often pester you with popups and refuse to clean infections unless you pay). If you have an old/outdated/expired antivirus, make sure to remove it before installing Avira. Launch the installer and do a Full Install. When it asks you how quickly you want Avira to start, normally or as quickly as possible, choose the latter (I believe they call it safeboot, or something to that effect), and let it update. This update will install the latest virus definitions on your computer. Now launch the program, click on Update in the menu bar, and choose "Start Product Update". This will update the actual program to the latest version. Now click Extras in the menu bar and choose "Configuration". The first thing to do is make sure that "Expert Mode" is checked in, and then click all the plus signs on the list of option categories. This is what you should change at each level:

  • SCANNER
    • Scan: Files = All Files; Scan Process = Uncheck "Allow stopping the scanner" and change priority to low; Additional Settings = All checked in.
      • Action for concerning files: Switch to "Automatic"; Check in "Copy file to quarantine before action", Primary Action = Repair, Secondary Action = Delete.
      • Further actions: You can change the sound if you want, default one is fine.
      • Archives: All check boxes checked in, Recursion depth = 99.
      • Exceptions: Leave as is.
      • Heuristic: Both check boxes should be checked in, change bubble to "High detection level"
    • Report: If you needed to change these settings, you would know. Default is fine.
  • GUARD
    • Scan: Check in the box for "Scan archive", change the recursion depth to 20, change max. number of files to 99, and Max size to 9999; Files = All Files; Scan mode = Scan when reading and writing.
      • Action for concerning files: Leave as is.
      • Exception: Leave as is.
      • Heuristic: Both check boxes should be checked in, change bubble to "High detection level"
    • Report: If you needed to change these settings, you would know. Default is fine.
  • GENERAL
    • Extended threat categories: This section is really up to you. I personally have them all checked in except for "Games". If you are unsure, keep the Default values OR check more in and turn them off if you have undesired results.
    • Security: All check boxes checked in.

Click OK, and you are done with these settings. On the main screen click on Administration, then Scheduler. Right click on Daily Update and select Edit Job. Click Next a few times until you see "Display mode". Switch the mode to invisible and then click Finish. Also make sure to edit the scan job that is present. I usually set it to weekly scans of the complete system, and also make them invisible. When you get around to doing a scan with this program (not yet), you will click on "Local Protection" on the main screen, select "Complete system scan", and then click on Start Scan as Administrator (if this option is not available, then just click Start Scan).

There are a few tweaks that you can make to Avira in order to make it run a bit better. You can find instructions here.

Spyware Doctor Starter Edition Settings:

On the Google Pack website you will be given a list of programs you could install.

For the purpose of this guide, choose just Spyware Doctor. You also have the option to set your home page and default search engine to Google. This might be helpful if you have an infection that changes your home page or one that redirects your searches to different search engines. Start the download, wait for Spyware Doctor to install, and launch it (if for some reason the Google Pack website install method does not work, you can also find this program on Download.com). Then click on the Settings tab.

  • General
    • Check in "Run Scan on Windows Startup" and choose Intelli-Scan
    • Uncheck "OnGuard tools can display popup alert window"
    • Check in "When turning OnGuard on, check for pre-existing malicious entries"
    • Smart Update action = Download and install updates (silently)
    • Don't change the kernel compatibility mode box. This depends on what anti-virus program you are using, and Spyware Doctor will have picked the right setting when you installed it.
  • Scan settings
    • Uncheck "Play sounds"
    • Check in "Scan Alternative Data Streams"
    • Check in "Scan for rootkit hidden files"
    • Check in "Lower scan priority to reduce CPU usage"
    • Uncheck "Show disclaimer when repairing"
    • Check in "Include 'Information Only' low-level Threats in scan results"
    • Uncheck "Quarantine infections before removal"
    • Uncheck "Create 'Restore Point' before removal"

Now click on the "OnGuard" tab, click on "File Guard", and change "Check the following" to "All files and processes". At this point the program may ask you if you want to restart. Click "No".

Click on the Start Scan tab and check in Custom Scan. Under "Select drives and folders to scan", check everything in. Under "Select which scanners to use in this scan", check everything in.

Then click on the "Smart Update" button in the top right corner, and download all available updates.

Malwarebytes' Anti-Malware Settings:

Launch the installer. Toward the end of the installation you're given the option to update the program; make sure to do so.
