BOOT CAMP

 BootLog.co.uk

BOOT CAMP 364 (15/02/05)

THE MALWARE MENACE, part 2

 

Last week we showed how your PC could become infected with ‘malware’ just by visiting a web site or clicking on a ‘pop-up’ ad. I suggested switching to a safer browser, like Mozilla Firefox, and concluded by recommending a trio of freeware ‘cleaners’, including the impressive new Microsoft AntiSpyware, that between them will safely eradicate the most common parasites.

 

However, the idiots who create this junk are extremely cunning and some malware infestations simply won’t go away, so this week we’ll be looking at the techniques and tools you can use to remove the more deeply rooted intrusions.

 

The majority of malware components either make use of a PC’s Internet connection or attach themselves to Internet Explorer, typically as a Browser Helper Object, a toolbar or a replacement start or search page, hence the advice to change to a less vulnerable browser. The most persistent ones survive by making changes to the Windows Registry, and whilst most cleaners scan the Registry they can miss entries that have been given innocent-looking names or disguised as part of Windows.

 

Some, but by no means all, malware programs are configured in the Registry to start with Windows, so this is the place to begin when dealing with a troublesome pop-up, dialler, homepage hijacker or ‘search assistant’ that the cleaners can’t remove. Go to Run on the Start menu, type ‘msconfig’ (without the quotes), click OK and select the Startup tab. You will then see a list of the items that launch at boot up from the Registry’s Run keys and from the Startup folders.

 

Some you should recognise from the ‘Startup Item’ filename; the list will include things like your virus scanner, firewall, utilities for your printer, scanner and modem, and any programs that you have chosen to start with Windows. The rest are either suspect or unnecessary, so take a note of the names in the Startup Item column and check them on the list at: www.sysinfo.org/startuplist.php. Look at the Command column as well: an item with a Windows-sounding name that actually runs from a Temp folder, or from a file that no longer exists, is a prime candidate for removal. Deselect the ones you want to get rid of (no more than one or two at a time), reboot and see if the problem has gone away.

 

Even if it hasn’t, and your PC continues to work normally, it’s a good idea to leave the entries you unchecked disabled, as they are not needed and mostly just waste memory and processor time, so your PC should run more efficiently. If you later encounter a problem you can easily reselect them: msconfig only moves an unticked entry to a disabled list rather than deleting it, which is also why Windows XP reminds you at each boot that it is running a ‘selective startup’. Note that true Windows services have their own Services tab in msconfig and do not appear under Startup. See also Boot Camp 355 in the archive (address below) for more advice on using the msconfig utility.
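The checks described in the last three paragraphs, automated as an added example in PowerShell (this is not code from the column, which predates PowerShell; it needs PowerShell 5 or later on Windows). It reads the same Run/RunOnce keys and Startup folders that msconfig’s Startup tab lists, and for each entry checks that the file actually exists and whether it carries a valid Authenticode signature from a publisher on a constructed allow-list. Everything else is reported as ‘Check’ for you to look up on sysinfo.org. The `$trustedPublishers` list and the function names are the example’s own; extend the list only with vendors you have verified.

```powershell
# Added example, not part of the original column. Enumerates the autostart
# locations msconfig's Startup tab shows and flags entries whose file is
# missing, unsigned, or signed by a publisher not on the (constructed)
# allow-list. Requires PowerShell 5 or later on Windows.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$startupFolders = @(
    [Environment]::GetFolderPath('Startup'),        # this user's Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # All Users Startup folder
)
# Constructed sample allow-list: the O= part of the signing certificate's
# subject. Add publishers you have verified, not ones you merely recognise.
$trustedPublishers = @('Microsoft Corporation')

function Get-ExecutablePath {
    # Pull the program out of a Run-key command line. Handles
    #   "C:\Program Files\Foo\foo.exe" /silent   and   C:\foo\bar.exe -x
    # An unquoted path containing spaces cannot be split reliably; it falls
    # through as the whole command line and is then reported as Missing.
    param([string]$CommandLine)
    $candidate = $CommandLine.Trim()
    if ($candidate -match '^"([^"]+)"') { $candidate = $Matches[1] }
    elseif ($candidate -match '^(\S+\.(exe|dll|scr|cmd|bat))') { $candidate = $Matches[1] }
    $candidate = [Environment]::ExpandEnvironmentVariables($candidate)
    if ($candidate -like '*.lnk' -and (Test-Path -LiteralPath $candidate)) {
        # Startup-folder shortcuts: follow the .lnk to its real target
        $candidate = (New-Object -ComObject WScript.Shell).CreateShortcut($candidate).TargetPath
    }
    if (-not [IO.Path]::IsPathRooted($candidate)) {
        # Bare names such as SOUNDMAN.EXE or rundll32.exe: resolve via PATH
        $cmd = Get-Command $candidate -CommandType Application -ErrorAction SilentlyContinue
        if ($cmd) { $candidate = $cmd.Source }
    }
    return $candidate
}

function Test-StartupItem {
    param([string]$Source, [string]$Name, [string]$CommandLine)
    $path    = Get-ExecutablePath $CommandLine
    $exists  = Test-Path -LiteralPath $path
    $signer  = ''
    $verdict = 'Check'          # default: a human must look it up
    if (-not $exists) {
        # A Run entry whose file has gone is either a leftover from an
        # uninstall or something that hides itself; either way it can go.
        $verdict = 'Missing'
    } else {
        $sig = Get-AuthenticodeSignature -LiteralPath $path
        if ($sig.Status -eq 'Valid') {
            $signer = $sig.SignerCertificate.Subject
            foreach ($pub in $trustedPublishers) {
                if ($signer -like "*O=$pub*") { $verdict = 'Known' }
            }
        }
    }
    [pscustomobject]@{ Verdict = $verdict; Name = $Name; Path = $path; Signer = $signer; Source = $Source }
}

function Get-StartupReport {
    # Registry provider bookkeeping properties that are not Run entries
    $noise = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    $items = @(foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($noise -notcontains $p.Name) {
                Test-StartupItem -Source $key -Name $p.Name -CommandLine ([string]$p.Value)
            }
        }
    })
    $items += @(foreach ($folder in $startupFolders) {
        Get-ChildItem -LiteralPath $folder -File -ErrorAction SilentlyContinue | ForEach-Object {
            Test-StartupItem -Source $folder -Name $_.Name -CommandLine $_.FullName
        }
    })
    return $items
}

# Sorted by verdict (Check, Known, Missing). Keep a copy of this table before
# you disable anything in msconfig, one or two entries at a time.
Get-StartupReport | Sort-Object Verdict, Name | Format-Table Verdict, Name, Signer, Path -AutoSize
```

A valid signature only tells you who published the file, not that you want it running at start-up, so ‘Known’ still deserves a glance; the point of the check is that ‘Check’ entries with no signature, and ‘Missing’ ones, are where to spend your time. Run it once as each user account that logs on, because the HKCU keys and the per-user Startup folder differ between accounts.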

 

If a spring clean of the Startup list hasn’t helped, the next step is to run a Registry scanner. My personal favourite is HijackThis (HJT to its friends), which specifically looks for the Registry entries, and a few files such as the hosts file, that affect Internet Explorer and your Internet connection. It’s freeware and can be downloaded from: www.tomcoyote.org/hjt/.

 

HJT is very easy to use: once installed simply click the ‘Scan’ button and a few seconds later it displays a long list of entries, mostly Registry keys, which can be saved as a plain text ‘log’ file; unwanted entries can be removed by ticking their checkboxes and clicking ‘Fix checked’. However, that’s all it does. It is left up to the user to interpret the scan results, and since most items on the list are probably legitimate, on its own it can be of limited use to novices. It should be used with care: it keeps a copy of each entry it fixes so that individual mistakes can be undone, but that is not a backup of the whole Registry. Seasoned Windows users should be able to pick out the dubious entries, or use a Google search on the exact file name to track down any they are not sure of.

 

Fortunately for everyone else there is a large and very willing community of ‘helpers’ and experts on the Tom Coyote forums (http://forums.tomcoyote.org/index.php?act=idx) where you can ‘post’ your log and they should be able to identify the dubious entries, which you can then delete.
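A first pass over a HijackThis log, as an added example (not the column’s code and not part of HJT): it parses the R0/R1, O1, O2 and O4 line formats and applies a few rules a forum helper would apply first, so you know which lines to ask about. The log lines are constructed for the example, the CLSIDs are placeholders rather than real ones, and the allow-lists are samples to replace with entries you have identified yourself.

```powershell
# Added example, not part of the original column: triage of HijackThis log
# lines. The sample log, CLSIDs, file names and allow-lists are constructed.
$sampleLog = @'
Logfile of HijackThis v1.99.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://finder.example/search.php
O1 - Hosts: 127.0.0.1 www.symantec.com
O1 - Hosts: 127.0.0.1 liveupdate.symantecliveupdate.com
O2 - BHO: Adobe PDF Reader Link Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000002} - C:\WINDOWS\System32\qwertz.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Windows Security] C:\DOCUME~1\RICK\LOCALS~1\Temp\wsec.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
'@ -split "`r?`n"

# Constructed allow-lists: hosts you are happy to see as start/search page,
# and Run entry names you have already looked up on sysinfo.org.
$trustedWebHosts = @('www.google.co.uk', 'www.google.com', 'www.msn.com')
$knownRunNames   = @('SoundMan', 'ctfmon.exe')
# Vendors whose update sites malware points at 127.0.0.1 in the hosts file
$securityVendors = @('symantec', 'mcafee', 'sophos', 'kaspersky', 'windowsupdate', 'microsoft.com')

function Get-HjtVerdict {
    # Returns a verdict object for one log line, or $null for lines whose
    # section this example does not handle (the header, O3, O16 and so on).
    param([string]$Line)
    $verdict = 'Unknown'; $reason = ''
    switch -Regex ($Line) {
        '^R[01] - .+?,(Start Page|Search Page|Default_Page_URL|Default_Search_URL) = (\S+)' {
            $what = $Matches[1]
            $uri  = [uri]$Matches[2]
            if ($trustedWebHosts -contains $uri.Host) { $verdict = 'Known';   $reason = "$what on allow-list" }
            else                                      { $verdict = 'Suspect'; $reason = "$what points at $($uri.Host)" }
        }
        '^O1 - Hosts: (\S+) (\S+)' {
            $ip = $Matches[1]; $hostName = $Matches[2]
            $hit = $securityVendors | Where-Object { $hostName -like "*$_*" }
            if ($hit) { $verdict = 'Bad';     $reason = "hosts file sends $hostName to $ip (blocks updates)" }
            else      { $verdict = 'Suspect'; $reason = 'hosts file entry; confirm you added it yourself' }
        }
        '^O2 - BHO: (.+?) - (\{[0-9A-Fa-f-]+\}) - (.+)$' {
            $bhoName = $Matches[1]; $dll = $Matches[3]
            # Heuristic: a nameless BHO, or a short lowercase gibberish DLL
            # dropped straight into System32, is a common hiding place.
            if ($bhoName -eq '(no name)' -or $dll -match '\\System32\\[a-z]{5,8}\.dll$') {
                $verdict = 'Suspect'; $reason = 'nameless or anonymous BHO; look up the CLSID'
            } else { $verdict = 'Check'; $reason = "BHO loaded from $dll" }
        }
        '^O4 - (\S+): \[(.+?)\] (.+)$' {
            $runName = $Matches[2]; $cmd = $Matches[3]
            if     ($knownRunNames -contains $runName)                     { $verdict = 'Known'; $reason = 'on your identified list' }
            elseif ($cmd -match '\\Temp\\|\\Temporary Internet Files\\')  { $verdict = 'Bad';   $reason = 'runs from a Temp folder' }
            else                                                           { $verdict = 'Check'; $reason = 'look up on sysinfo.org' }
        }
        default { return $null }
    }
    [pscustomobject]@{ Verdict = $verdict; Reason = $reason; Line = $Line }
}

function Invoke-HjtTriage {
    param([string[]]$Lines)
    $Lines | ForEach-Object { Get-HjtVerdict $_ } | Where-Object { $_ }
}

# Read a real log with: Invoke-HjtTriage (Get-Content .\hijackthis.log)
Invoke-HjtTriage $sampleLog | Sort-Object Verdict | Format-Table Verdict, Reason, Line -Wrap
```

The hosts-file rule is the one worth remembering: a line that sends a security vendor’s site to 127.0.0.1 is never something a legitimate program installs, whereas every other verdict here is only a prompt to look further. Post the complete log to the forum regardless; the helpers need the lines this script skips as well.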

 

If HijackThis sounds a bit scary don’t worry, there’s a safer alternative called X-Ray PC (free from: www.x-raypc.com). It’s based on HJT and carries out the same thorough Registry scan, but it goes much further. It displays details of every item on the list and checks them against a database of known malware threats, labelling them as ‘Good’, ‘Bad’ or ‘Unknown’. Bad entries can be instantly removed, and the Unknowns, which will mostly turn out to be benign, can be investigated at your leisure by delving deeper into the File Details section.

 

Unfortunately a small number of the more persistent malware invaders still manage to evade the most thorough cleansing operations, in which case the only option is to seek a remedy on the web. Search on the exact file or Registry entry name that your scanner reports, rather than a general description of the symptoms, so that you find instructions for the right variant. A Google search usually throws up a good number of hits, but you need to be selective as a lot of them will be from companies offering to sell you removal tools that probably do not work. The best sources of information and possible cures are the many support forums and user groups, but be careful to read as many posts as possible and look for solutions that have yielded positive results before you try anything, especially if it involves editing the Registry (see also Tip of the Week).

 

Next week – The trouble with AVG…

 

JARGON FILTER

 

HOME PAGE HIJACKER

Malware program that changes your browser’s Home Page, usually to a search, advertising or pornographic web site

 

REGISTRY

A large, constantly changing database, held in a handful of system files on the hard disc, containing configuration settings for Windows itself and for installed programs, including which programs run when Windows starts

 

SERVICES

Background programs that Windows starts at boot, before anyone logs on, and that normally have no window of their own; legitimate examples include the components that automatically request updates and upgrades using a PC’s Internet connection

 

 

TIP OF THE WEEK

Before you use either HJT or X-Ray PC I strongly suggest that you make a backup of the Registry and, if you are using Windows XP, create a new System Restore point. This is easy: go to Start > All Programs > Accessories > System Tools > System Restore, select ‘Create a restore point’, then Next and follow the prompts. To back up the Registry go to Run on the Start menu, type ‘regedit’ (without the quotes) then OK. Select Export on the File menu, make sure ‘All’ is selected under Export range, give the file a name (e.g. today’s date) then click Save. Should anything go wrong, double click the saved *.reg file in My Documents and the saved values will be merged back into your Registry. Note that merging a .reg file puts back what was in it but does not remove keys added after the export, so if a cleaner has made things worse, the restore point is the more complete way back.
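The same two backups taken from an elevated PowerShell prompt, as an added example (not the column’s code, and PowerShell did not exist on the Windows XP machines it was written for; this needs a current Windows with PowerShell 5 or later). It creates a restore point, exports the whole Registry the way regedit’s File > Export does, separately exports the keys that hijackers most often change so one key can be put back without merging everything, and copies the hosts file, which no .reg file covers. The function name and folder layout are the example’s own.

```powershell
# Added example, not part of the original column. Run from an elevated
# PowerShell prompt before letting HijackThis or X-Ray PC remove anything.
function Backup-BeforeCleanup {
    $stamp = Get-Date -Format 'yyyy-MM-dd_HHmm'
    $dir   = Join-Path ([Environment]::GetFolderPath('MyDocuments')) "RegBackup_$stamp"
    New-Item -ItemType Directory -Path $dir -Force | Out-Null

    # 1. System Restore point. Client editions only, System Restore must be
    #    enabled, and Windows 8 and later silently skip it when one was made in
    #    the last 24 hours unless SystemRestorePointCreationFrequency is lowered.
    Checkpoint-Computer -Description "Before malware clean-up $stamp" -RestorePointType MODIFY_SETTINGS

    # 2. Whole-Registry export, equivalent to regedit File > Export with 'All'
    #    selected. regedit is a GUI program, so wait for it to finish.
    $full = Join-Path $dir 'full.reg'
    Start-Process -FilePath regedit.exe -ArgumentList "/e `"$full`"" -Wait

    # 3. Per-key exports of the places hijackers live. reg.exe's key syntax
    #    uses HKLM\... with no colon, unlike the PowerShell HKLM:\ drive.
    $keys = @{
        'HKLM_Run' = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
        'HKCU_Run' = 'HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
        'BHO'      = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
        'IE_Main'  = 'HKCU\SOFTWARE\Microsoft\Internet Explorer\Main'
        'Winlogon' = 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    }
    foreach ($name in $keys.Keys) {
        $key  = $keys[$name]
        $file = Join-Path $dir "$name.reg"
        & reg.exe export $key $file /y | Out-Null
    }

    # 4. The hosts file: HijackThis edits it (its O1 lines) and regedit's
    #    export does not include it.
    Copy-Item "$env:SystemRoot\System32\drivers\etc\hosts" (Join-Path $dir 'hosts.bak')
    return $dir
}

$backup = Backup-BeforeCleanup
"Backups written to $backup"
# To put one key back later:   reg.exe import "$backup\HKCU_Run.reg"
# Importing re-creates the values in the file but deletes nothing added since,
# so for a complete roll-back use the restore point instead.
```

The per-key exports are the ones you will actually reach for: if fixing an O4 line turns out to have disabled your sound driver, `reg.exe import` of the single Run key puts it back in seconds, whereas a full Registry merge over a running system is slow and only needed when you have no better option.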



Copyright (c) 2008 Rick Maybury Ltd.