The dark and sinister world of Computer Spyware and Viruses


Written and distributed by Christian Mayer


Introduction

        With the advent and popularity of the internet, and the steady spread of technical know-how, the bad guys are getting better by the day. Gone are the days when a kid in a back room wrote a virus and unleashed it on the world. Now viruses and spyware are written by professional programmers making large sums of money for corporations trying to market to you, scammers trying to steal your personal information, or governments gathering secret information about other governments for sinister reasons. Viruses and spyware are big business!

        I opened my business in 1998 with the intention of servicing personal computers, which I had worked on at IBM for numerous years until retirement. The first year I probably saw maybe 10 viruses all year. Now I see 10 a week! Ten years ago there were cheap or free virus scanners that fit on one diskette and could get rid of any problems quickly. Hard drives were small and viruses were scarce. Today it is not uncommon to see 100 gigabytes of data on a drive, and it can take 3 hours or more just to scan for viruses or spyware. Frequently a disk must be scanned by numerous programs. Depending on the virus, some scanners may remove it and others may not. Some of the better-known programs are also quite expensive, and not quite as good as some of the free ones.

        Another problem with today's viruses is that they may do other damage to your system. You can remove the virus, but parts of your system may have been reconfigured so that it is, for all intents and purposes, not usable. Even after the virus is removed you must recover many things. One of the most prolific viruses today is called "AntiVirus2008" or "Antivirus2009". These two are progressive: initially they try to get you to buy their removal tool (which won't do much, by the way). As time progresses and you try aimlessly to get the thing off, it just gets worse. It removes access to things like your "C drive": C: is actually missing from "My Computer". Help, Run, Control Panel, and others begin disappearing from the Start menu. You get a message that "Task Manager has been disabled by your administrator" when you press Ctrl+Alt+Delete. I refer to this as "Computer Extortion" since they are trying to extort money from you to repair their own virus.

        Every computer shop has its own group of specialty programs it uses for virus removal. Trying to remove a virus with only your virus scanner is likely to prove useless. The intent of this document is to introduce you to some of the many specialty programs used by different shops doing virus and spyware removal. I shall present about 4 different programs which most shops have and use frequently. Most of these are free versions readily available from the internet, but they are not advertised and are known only to a select few specialists.

        With these programs and utilities probably about 95+% of infected computers can be recovered successfully. That still leaves the occasional system that must be reloaded. This means all data and software will probably be lost. Understanding the importance of keeping a backup of your data and programs is a must. A few months ago a young lady came in to my shop, not for a virus or cleanup, but with a clicking hard disk drive. She had a fairly new (less than 2 years old) computer with a good CD/DVD burner and front USB ports for memory sticks, etc. Her system was being used for keeping the books of her business, a landscaping service with about 10 employees. When I told her she needed a new hard disk and all her data was gone, the tears just flowed. Tax data, employee data, customer data, everything GONE! Her response was "I never had time to learn to use the CD burner". Ask yourself... How important is the data on my computer? Can it be recreated? How much data is there? In her case it was extremely important and could not be recreated, yet learning to back up was a low priority! Viruses and spyware can destroy or corrupt data just as easily as operating system files, and that can be almost as traumatic as a crashed hard disk drive! A virus is no more than a program. What can a program do? Anything the programmer wants it to do! In my store I back up QuickBooks daily across a LAN to another computer. Weekly, I back it up to a memory stick and take it to my computer at home. It is in 4 different places: two at work, one at home, and one in my pocket. This is 10 years of personal/business data and must NOT be lost! If you are not sure, PLEASE ask a professional for an analysis of your data security and protection.


Getting Ready

        First I shall ask some questions then give some recommendations depending on the answers. As we decide to install programs or utilities (all free and available from the internet) I shall give you links to where the programs may be found. As we install and use them I may give screen shots (pictures) of what you should be seeing.

        Please understand that some of the programs are small (less than 1 meg) and can be downloaded fairly easily over a dialup connection. Some are large and pretty much require a fast connection (DSL, cable, or a direct connection to the internet). If you have dialup, buy a USB memory stick (1 gig or more) and get familiar with its use. When you plug it in it becomes just another hard disk drive (logically) to Windows. It will show up as an additional drive under your My Computer icon. You can write to that drive, create personal folders on it and write to them, then take it to another computer, plug it in and read the data you wrote before. You can take this memory stick to a library, a coffee shop, a hot spot for a laptop, or just a friend's house that has high speed internet access. Do your downloads, copy them to your memory stick, then take them home for use on your dialup computer. In our shop we have numerous computers available for open use that may be used for big downloads by customers.

        Question... Can you even boot your computer? Try 'Safe Mode' if you can't boot in normal mode. Do this by pressing the F8 key once or twice a second shortly after you power up and before Windows begins to load. This should give you a menu with numerous options, with Safe Mode at the top. With the up and down arrow keys select "Safe Mode" then press Enter. This will give you a very 'skinny' load of Windows. (BTW (By The Way)... For most of this dissertation we will be using Windows XP. Vista is very similar, and where there are differences I will try to point them out.) If you were successful getting into safe mode it will look different, but many things will still work.

        While in safe mode click on Start, then rt. click on My Computer, then click on Properties. If I say click it implies left click. Rt. click means right click (the other mouse button that almost nobody uses). You should see the System Properties window:

Notice the tabs at the top. At first General will be selected and you can see some general info about your computer such as its speed and amount of memory, etc. I have clicked on the System Restore tab at the top. Put a check mark in the box next to "Turn off System Restore". Remember, I am assuming you have a bad virus or spyware infection, and they can infect the System Restore area! Usually scanners don't go to, or can't clean, the System Restore area. Checking this box will cause all system restore points to be erased, which will remove any viruses in that area. Now click on OK. BTW... Apply means apply your changes and stay on the current window. OK means apply your changes and then close the window.

        Now click on Start then Run. You should see the Run dialog:

I have typed in 'msconfig'. You do the same and click OK. This should bring you to the System Configuration Utility:


I have already clicked the circle next to "Selective Startup" and then unchecked "Load Startup Items". You do the same. This will stop most of those pesky little icons next to the clock from starting. They may be slowing you down, or one may be your virus! For what we need to do, your computer should run much better in normal mode when we restart again. Let's do it now. Click OK in this window and when it asks you to restart click the Restart button.

        If the above steps could not be done (can't boot in safe mode, Run missing from the Start menu, etc.) then it's time to stop and take your system to a pro for help. It probably is NOT beyond saving, but the procedures are beyond the scope of this document or the experience level of most users. If I included them here you might do more harm than good. If you are still with me, let's continue.

        You should now be in normal mode with many of the little icons next to the clock missing. If you have high speed internet, let's go get some things. Downloading is no more than copying files from one place to another. It's just that for us they happen to be elsewhere in the world. We are going to copy them from that 'elsewhere' to our computer so we can use them.

        First let's get the Ccleaner program. It stands for Crap Cleaner. Ya, that's the real name! It is a fast and neat little program that cleans junk files from your computer. Most computers have from a few meg (million) to 4 or 5 gig (billion) bytes of junk that is not necessary for most people and just clutters up the system: Windows temporary files, Temporary Internet Files, dump files, log files, etc., just to name a few. Here are the steps to get it: clicking on this link, Ccleaner, should bring up the following.

Now click on 'Download Latest Version' on the right. (Note: if you get a blue bar near the top of your browser window saying it has blocked you from downloading, click on the bar and then choose 'Download Now'.) You should get this:

Click on 'save' and it will ask you where you want to save the file. Looks like:

Make note of the file name at the bottom and the location at the top, then click on Save. You may change the location by clicking the down arrow next to the 'Save in' location and selecting the folder where you want to save the file. Just remember its name and where you saved it! If your desktop is not too cluttered with icons it is a good place to save these files. They may be deleted later after the cleanup is complete. After the download has completed, look for the file where you told it to save. Just downloading a program is only half of the job. It must then be installed. When you find the program where you told it to save, double click on it and the install process should begin.

        Let's back up a bit for those of us with minimal knowledge about programs. There is a big difference between copying a program and installing a program. By downloading we copied the entire program, with all its definitions and modules of code, as a single file to your computer. Installing breaks the program apart into many pieces and places them in numerous locations. For example, Ccleaner will put files into a new folder in the Program Files folder of Windows XP. It will also place numerous pointers and definitions into the Windows Registry (a Windows file containing references to all things, hardware and software, on your computer), and it may put other files in other locations like the Windows folder as well. This is why it is NOT generally possible to just move a program from one computer to another, like when you purchase a new computer. You must have the original install program so it can be "re-installed". Data files can be backed up or copied, but programs generally can't. 'Nuff said about "install".

        Now let's get the second program. Its name is 'Anti-Malware', from a company called MalwareBytes. The program can be found at the MalwareBytes download page. You should see this:

        Choose a location close to you from the list in the 'Free Downloads From' area. You will get a page that should start your download. Read the instructions at the top of the page. The rest of the page is advertising for other 'pay for play' programs they want you to buy. Most of the 'best' programs available on the Internet for download are 'Free'. Web sites like Major Geeks make their money by advertising and trying to entice you to buy the priced programs. The ones we want are usually the 'Free' versions. Download this program the same way we downloaded Ccleaner. Once again, remember where you saved it and what the name is. You will need this info when we install the programs.

        There are numerous anti-virus programs on the Internet, some for sale and some free. I have tried numerous ones. I am not impressed with any of the Internet Protection Suites which contain an additional firewall or spam killer. They can also be expensive! For home users the built-in Windows Firewall is quite adequate, and spam protection will frequently delete email you want and let in junk that you don't want. A few months back a comparison was done in a major Windows magazine and the top two were free! They found them to be better than the priced competition. The two were AVIRA and AVG. I prefer the AVG 8.0 Free edition. It does not only virus scanning but also spyware scanning, email scanning, and link scanning for search results from Google or Yahoo. Let's download it also! The free version can be found here: "free.avg.com". It is big (48 meg) so don't try to get it with dialup! If you are having a problem getting AVG go here: Download AVG. Save it to your favorite location like before.

        By now you should have the install programs for Ccleaner, Anti-Malware, and AVG 8.0 Free. Now let's start installing.


Installation & Cleanup

        Let's begin by going to where you downloaded Ccleaner above. Double click on the icon called ccsetupxxx.exe. This should give you the welcome screen. Just select English then OK. Select "Next" then "I agree". Your next view will give you the destination folder where the program will install. Let it default by clicking on "Next" again. Now you should be at this screen:

        The four bottom check boxes will be checked. I uncheck them because I don't care about a Yahoo Toolbar or the others. All I want is to be able to find the program in 'Start/All Programs' and to have an icon on the desktop initially so I can run the program. Next click on "Install" and the installer should begin. When it tells you that it has been installed on your computer you may click "Finish", and you have installed it successfully.

        You will now find the Ccleaner Icon on the Desktop. Double click the Icon and you will get:

        Notice I have unchecked 'Cookies'. There are good and bad cookies, so let's not delete them all with Ccleaner. We will wait for the subsequent programs to delete the bad cookies and leave your good ones alone.

        Next click on 'Run Cleaner' at the bottom right. Don't panic when it tells you about permanently deleting files. This is what you want to do! At the end it will give you a summary of what has been deleted and how much room you cleared. If you use your computer a lot and this has never been run it may take a while (many minutes).

        Next let's click on the 'Tools' icon at the left. This will give you a window that shows all the programs installed on your computer. If you see something you definitely want to get rid of you can do it here instead of in Control Panel - Add/Remove Programs. Something like "Antivirus2009" would be an excellent target, for example, but before you get too aggressive you may want to get a little help.

        On the left is another selection that is useful. Startup is a list of the programs that start up each time you power up your computer. They continue to run in the background whether you are using them or not. A really popular one with my customers is Kodak Easyshare. Great program, but is it necessary for it to be running all the time, taking up memory? When you need it, run it. It may be a great program, but unless you are using it very frequently you don't need to waste system resources on it. If you are not sure about what programs to stop from auto starting, you can disable one, restart your computer and see whether you really needed it running all the time or not. If you are not sure, ASK first though. Some of the things auto starting may be necessary for your system, like video drivers or sound drivers. BTW... A driver is a small piece of software that tells Windows how to handle a piece of hardware like your sound system. If you are not sure, leave it alone or ASK first.

        Next let's install the Anti-Malware program. Double click the Antimalware.exe icon where you downloaded it. This install will start off similar to the last one. There are subtle differences in the install sequence, but read each screen and it should be straightforward. At the end of the install select to get the updates. Viruses and spyware are a lot like bad guys in the real world. They both have fingerprints; in our case, 'digital' fingerprints. If you don't get the updates it would be like not having your fingerprint database up to date. If you don't have the fingerprint you can't ID the bad guy! Always do your updates to virus and spyware scanners before you run them!

        You should see the icon on the desktop. Double click it to start the program. At the top click on the Update tab to verify the date is current. If so, click on the Scanner tab. Select "Perform full scan" then click on the 'Scan' button. Select your C: drive and any other drives that may be suspect, then click 'Start Scan'. Go grab a cup of java or whatever turns you on, because this could take a while: somewhere between 15 minutes and 2+ hours depending on what you have on your computer and how fast it is. If it finds any 'bad guys' it will show a red line in the middle of the window stating what it found. At the end of the scan you will get a summary, and the program will delete the bad objects found if you choose to. Do it!

        MalwareBytes Anti-Malware and SuperAntiSpyware (Download here) are probably the two best free cleanup programs available today. SuperAntiSpyware runs similar to Anti-Malware, but sometimes one will find things the other misses. You may need both to clean a really bad infection, and sometimes they must be run more than once! Make sure you get a clean scan from both before going to the next level of protection, AVG Free 8.0. Here is the intro page for SuperAntiSpyware after installing and updating, and a shot while scanning my own computer. Tracking cookies are to be expected and will be removed after the scan is complete. This is where the unwanted advertisers' cookies are deleted and your good cookies are left alone.


After the Cleanup

        Make sure you have a good Anti Virus Program! Keep the definition files up to date!

        I can't stress this enough. I prefer "AVG Free 8.0", but you must have an anti-virus program. Whether you pay $80 for "Norton Internet Security" or $0 for AVIRA or AVG, make sure you have something. This is probably the most important program on your computer! All those expensive games and programs like Microsoft Office or PageMaker will be useless if a bad virus gets in. A popular question is "Should I run more than one virus program?" It is true that AVG may miss catching a virus that McAfee catches (protects against), and the opposite may happen with a different virus. Most virus scanners are highly effective, but some are resource hogs. The internet protection suites usually fall into this category. Someone likened running two scanners at the same time to listening to two songs at the same time. One virus scanner should be plenty. Talk with a few people about what they prefer in your area. Also note that while having a good, free virus scanner like AVG is nice, it can be hard at times to get your updates. Understand, the company supports 80 million free users. This takes many people and a ton of bandwidth to provide AVG updates daily to that many people for free. They make their money by selling to business. If you are a free user of any program, get your updates in the evenings when Europe is asleep and the USA is just shutting down for the day. It makes it easier for you and the company.

        Let's download, install and then run AVG. You can get it at "free.avg.com" but, since it is a free program, they want to sell you the upgrade to the priced version. You will need to go through some advertising pages to get the free download. Here is a link bypassing much of the confusion: "AVG Download". You may see some more ads at the top of the page. You want the link that says "Download Now" in blue. It will have a size next to it of around 48 meg (currently). Please don't try to get this with dialup. Even with DSL it is a healthy download. Use the memory stick on a computer with high speed internet to get the file, then take it to your system, copy it to your hard drive, then install it. Once again, remember the filename and where you are downloading it to. This is what the link above should look like:

Now that you have the file, double click on the icon to begin the install process. After the individual files are extracted from the single large download, the first screen you see is the welcome screen. Click on the "Next" button and accept the license agreement. Now it will check a few things to determine how to install. For instance, if you have an earlier version of AVG then the process will change slightly and a reboot will be necessary after installing. Next, select 'Add or remove components', then just select 'Next' at the license configuration screen and 'Next' at the Destination Info screen. You will see a screen that asks about installing the 'AVG Security Toolbar'. I uncheck this. Most Internet toolbars are not much more than advertising, and they take up browser space. The AVG toolbar is not much different. If you put it in by mistake, remember our new friend Ccleaner? You can use the Tools icon / Startup selection screen to disable or remove the AVG toolbar later.

        At the end of the configuration screens you should get:

        Now click 'Finish' to end the configuration, and the actual install will begin. When it completes it will ask a couple more questions like "Do you want it to scan the whole hard drive daily?" I don't recommend this, as it will slow you down dramatically while it scans. Remember, they don't own your computer. You do! Scan your hard drive when you choose, not when they want. I set mine up to scan weekly so I don't forget, but you should check the date of the last update at the bottom left of the AVG summary window and scan your C: drive at least weekly. Now would be an excellent time, since you just removed a pesky virus!

        When you run AVG weekly you will get some "warnings" at the completion. Warnings are not necessarily bad; they are usually trivial spyware (cookies). Here is the summary page after a scan:


        I have no viruses or significant spyware, but notice the "warnings count" entry. Now click on the Warnings tab at the top and it will show you all the trivial, cookie-type spyware. If you now click on "Remove all unhealed infections", all this spyware will go to the 'Virus Vault'. This is a special holding area where a virus or spyware can't do any damage. Please click on "Remove all unhealed infections" now. The reason they put them in the vault is that a few programs require their spyware to run! If you delete it the program will not run. I've only seen it once, but it could happen again. If it does, you can view the Virus Vault and restore the spyware object you need for that program. Now close the results. At the introductory screen of AVG click the "Computer scanner" option at the left. This is where you may begin your weekly scan of your hard drive. Click the icon to the left of "Scan whole computer" and it will begin.

        This is also where you may change your scan schedule, by highlighting the scan you want to modify and clicking on "Edit scan schedule". You also get access to the Virus Vault here at the bottom right. I recommend emptying the Virus Vault just before a new scan. What this does is get rid of the old warnings a week later, so you have a chance to see if any of the cookies are necessary for a program. If you have had no need for these cookies after a week it should be safe to delete them.

        You should be running considerably better now. The last thing to do is click on Start / Run and type in our friend 'msconfig'. Here we need to click the little circle next to "Normal Startup" to go back to normal mode. Next click OK, but don't restart yet. Next click Start, then right click on My Computer, then click on Properties. Choose the System Restore tab at the top and uncheck 'Turn off System Restore'. This will allow you to begin collecting system restore points again now that the system is clean. Shut down, restart, and you should be back in business.

Summary

        These are my favorite four for cleaning out computers. If these don't do it then it is time for someone who does this type of thing daily to see if they can recover your system. There are numerous other programs that are good protection or good for recovery. Other professionals may recommend other programs, but what it boils down to is "no one program will clean up everything"! All over the Internet you will see people recommending or trying to sell you their one program. I can assure you it won't work for ALL viruses and ALL spyware!

        Some of the other good programs are:

                AdAware 2008  ( Download )

                Spybot Search&Destroy 1.6  ( Download )

                Spywareblaster 4.1  ( Download )

If you decide you want any of the above just remember they must be updated like the ones we used above.

One more tidbit: if, after getting the viruses and spyware off your computer, things are still missing from the Start menu (Help, Search, Run, Control Panel or others), there is a special little file on the web. Do a Google search on 'varestorepolicies.inf' without the quotes. This little file will make changes to your System Registry that will recover many of the lost things in your system that your virus corrupted. You can download it just like we downloaded programs above. After you get it, right click on it and choose Install. This will update your System Registry.
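The lockdown described in the introduction (Task Manager "disabled by your administrator", Run/Help/Control Panel gone from the Start menu, C: missing from My Computer) and the registry repair this tidbit describes both come down to a handful of Explorer and System policy values under HKEY_CURRENT_USER. The Python script below is an added example, not part of this article and not the .inf file it mentions: it decodes the NoDrives bitmask, reports which lockdown values are set (in a constructed snapshot, or in the live registry when run on Windows), and writes out the .reg lines that delete them; the value names are the real Windows policy names, the sample snapshot is made up.

```python
"""Audit the Explorer/System policy values a rogue 'antivirus' sets to lock a
user out, and emit a .reg file that removes them.  Added example; the
registry paths are the real Windows policy locations, SAMPLE_INFECTED is a
constructed snapshot."""

# Relative to HKCU\Software\Microsoft\Windows\CurrentVersion\Policies.
# A DWORD value of 1 turns the restriction on; absent or 0 means off.
LOCKDOWN_FLAGS = {
    r"System\DisableTaskMgr": "Task Manager disabled ('disabled by your administrator')",
    r"System\DisableRegistryTools": "Registry Editor disabled",
    r"Explorer\NoRun": "Run removed from the Start menu",
    r"Explorer\NoSMHelp": "Help removed from the Start menu",
    r"Explorer\NoFind": "Search removed from the Start menu",
    r"Explorer\NoControlPanel": "Control Panel blocked",
}
# NoDrives is a bitmask: bit 0 = A:, bit 1 = B:, bit 2 = C:, ... bit 25 = Z:.
NODRIVES = r"Explorer\NoDrives"
POLICY_BASE = r"Software\Microsoft\Windows\CurrentVersion\Policies"

def hidden_drives(mask):
    """Return the drive letters a NoDrives bitmask hides from My Computer."""
    return [chr(ord("A") + bit) for bit in range(26) if mask & (1 << bit)]

def audit(policies):
    """policies: {relative value path: int}.  Returns [(path, meaning), ...]."""
    findings = [(path, meaning) for path, meaning in LOCKDOWN_FLAGS.items()
                if policies.get(path, 0) != 0]
    mask = policies.get(NODRIVES, 0)
    if mask:
        findings.append((NODRIVES, "Drives hidden from My Computer: "
                         + ", ".join(hidden_drives(mask))))
    return findings

def read_live_policies():
    """Read the same values from the live registry (Windows only; raises
    ImportError elsewhere).  Missing keys/values are simply not reported."""
    import winreg
    values = {}
    for path in list(LOCKDOWN_FLAGS) + [NODRIVES]:
        subkey, name = path.rsplit("\\", 1)
        try:
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER, POLICY_BASE + "\\" + subkey) as key:
                values[path] = winreg.QueryValueEx(key, name)[0]
        except OSError:
            pass
    return values

def reg_cleanup_lines(findings):
    """Build a .reg file (as lines) that deletes each flagged value;
    the '"Name"=-' syntax tells regedit to remove the value."""
    lines = ["Windows Registry Editor Version 5.00"]
    by_key = {}
    for path, _ in findings:
        subkey, name = path.rsplit("\\", 1)
        by_key.setdefault(subkey, []).append(name)
    for subkey, names in by_key.items():
        lines.append("")
        lines.append(f"[HKEY_CURRENT_USER\\{POLICY_BASE}\\{subkey}]")
        lines.extend(f'"{name}"=-' for name in names)
    return lines

# Constructed snapshot of a machine hit by the rogue described in the text:
# Task Manager, Run, Help and Control Panel locked, C: hidden (bit 2 = 4).
SAMPLE_INFECTED = {
    r"System\DisableTaskMgr": 1,
    r"Explorer\NoRun": 1,
    r"Explorer\NoSMHelp": 1,
    r"Explorer\NoControlPanel": 1,
    r"Explorer\NoDrives": 4,
}

if __name__ == "__main__":
    try:
        policies = read_live_policies()   # real registry on Windows
    except ImportError:
        policies = SAMPLE_INFECTED        # anywhere else, use the sample
    findings = audit(policies)
    for path, meaning in findings:
        print(f"{path}: {meaning}")
    print("\n".join(reg_cleanup_lines(findings)))
```

On a clean XP machine none of these values exist, so an empty report is the expected result. A repair file found through a web search is plain text and can be opened in Notepad and compared against this list before it is installed.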

        Thank you for taking the time to read the above. Take your time and try not to feel overwhelmed. A computer is only a tool, like a hammer or saw; it only takes a little more effort to understand. Anyone who claims to know a lot about computers probably does not. Anyone who does know a lot about computers understands how little they really know!

        This document was written at the end of November 2008. By the time you get it all the links and screen shots may not be entirely accurate. I will attempt to keep it updated at least monthly so it is not too confusing.

        Thanks for your contribution in advance.