BOOT CAMP 364 (15/02/05)
THE MALWARE MENACE, part 2
Last week we showed how your PC could become infected with ‘malware’ just by visiting a web site or clicking on a ‘pop-up’ ad. I suggested switching to a safer browser, like Mozilla Firefox, and concluded by recommending a trio of freeware ‘cleaners’, including the impressive new Microsoft AntiSpyware, that between them will safely eradicate the most common parasites.
However, the idiots who create this junk are extremely cunning and some malware infestations simply won’t go away, so this week we’ll be looking at the techniques and tools you can use to remove the more deeply rooted intrusions.
The majority of malware components either make use of a PC’s Internet connection or attach themselves to Internet Explorer -- hence the advice to change to a less vulnerable browser. The most virulent ones do so by making changes to the Windows Registry and, whilst most cleaners scan the Registry, they can miss entries that have been subtly altered or disguised.
Some, but by no means all, malware programs are configured by the Registry to start with Windows, so this is the place to begin when dealing with a troublesome pop-up, dialler, homepage hijacker or ‘search assistant’ that the cleaners can’t remove. Go to Run on the Start menu, type ‘msconfig’ (without the quotes) and select the Startup tab. You will then see a list of items that launch at boot up.
Some you should recognise from the ‘Startup Item’ filename; the list will include things like your virus scanner, firewall, utilities for your printer, scanner and modem, and any programs that you have chosen to start with Windows. The rest are either suspect or unnecessary, so take a note of the names in the Startup Item column and check them on the list at: www.sysinfo.org/startuplist.php. Deselect the ones you want to get rid of (no more than one or two at a time), reboot and see if the problem has gone away.
Even if it hasn’t, and your PC continues to work normally, it’s a good idea to leave the unchecked entries disabled: they are not needed and are mostly ‘services’ that waste resources, so your PC should run more efficiently. If you later encounter a problem you can easily reselect them. See also Boot Camp 355 in the archive (address below) for more advice on using the msconfig utility.
If a spring clean of the Startup list hasn’t helped, the next step is to run a Registry scanner. My personal favourite is Hijack This (HJT to its friends), which specifically looks for Registry entries that affect Internet Explorer and your Internet connection. It’s freeware and can be downloaded from: www.tomcoyote.org/hjt/.
HJT is very easy to use: once installed, simply click the ‘Scan’ button and a few seconds later it displays a long list of Registry keys, which can be saved as a plain text ‘log’ file; unwanted entries can be deleted by ticking the checkboxes on the list. However, that’s all it does; it is left up to the user to interpret the scan results and, since most items on the list are probably legitimate, on its own it can be of limited use to novices. It should be used with care since it doesn’t have a backup facility, but seasoned Windows users should be able to pick out the dubious entries or use a Google search to track down any they are not sure of.
Fortunately for everyone else there is a large and very willing community of ‘helpers’ and experts on the Tom Coyote forums (http://forums.tomcoyote.org/index.php?act=idx) where you can ‘post’ your log and they should be able to identify the dubious entries, which you can then delete.
If Hijack This sounds a bit scary don’t worry, there’s a safer alternative called X-Ray PC (free from: www.x-raypc.com). It’s based on HJT and carries out the same thorough Registry scan, but it goes much further. It displays details of every item on the list and checks them against a database of known malware threats, labelling them as ‘Good’, ‘Bad’ or ‘Unknown’. Bad entries can be instantly removed and the Unknowns, which will mostly turn out to be benign, can be investigated at your leisure by delving deeper into the File Details section.
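The HJT log is plain text, so the first pass a helper makes over it (the same check the Startup list section asks you to do by hand: does each item match something you recognise, and does it run from where it should?) can be scripted. The Python below is an added example for this column; it is not part of HijackThis or X-Ray PC. It reads the R0/R1 (start and search page) and O4 (startup item) lines in the HijackThis log layout, compares each startup item with a list of items the user recognises, and labels it ‘Good’, ‘Disguised’ (a familiar name running from an unexpected folder, the subtly altered entry the column warns about) or ‘Unknown’. The sample log, the recognised-item list and the trusted-host list are constructed for the example; other line types in a real log (Global Startup, O2 BHO entries and so on) are simply passed over.

```python
"""Triage of a HijackThis-style log: startup items and IE start/search pages.

Added example, not part of the Boot Camp column or of HJT / X-Ray PC. The
line formats follow the HijackThis log layout; the sample log, the
recognised-item list and the trusted-host list are constructed.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample laid out like HijackThis R0/R1/O4 lines. Paths and names
# are invented for the example; they are not real detections.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://example-search.invalid/
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [ctfmon.exe] C:\DOCUME~1\USER\LOCALS~1\Temp\ctfmon.exe
O4 - HKLM\..\Run: [svcupdate] C:\WINDOWS\system32\svcupdate32.exe
"""

# Items the user recognises (the column's "things like your virus scanner"):
# Run value name -> the path it is expected to run from, both lower-cased.
KNOWN_GOOD = {
    "avg7_cc": r"c:\progra~1\grisoft\avg7\avgcc.exe",
    "ctfmon.exe": r"c:\windows\system32\ctfmon.exe",
}
# Sites the user chose as home/search page themselves (constructed).
TRUSTED_HOSTS = {"www.google.co.uk"}

O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
R_RE = re.compile(r"^(?P<kind>R[01]) - (?P<key>[^,]+),(?P<value>[^=]+?) = (?P<url>.+)$")


@dataclass
class Finding:
    kind: str      # "startup" or "browser"
    name: str      # Run value name, or "Start Page" / "Search Page"
    target: str    # program path or URL
    verdict: str   # "Good", "Disguised" or "Unknown"
    note: str = ""


def program_path(cmd: str) -> str:
    """Separate the executable from its arguments in a Run value.

    A quoted path is taken as-is; otherwise the first ' /' is treated as the
    start of the arguments, which covers the common '/STARTUP'-style switches.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" /", 1)[0]


def classify_startup(name: str, path: str) -> tuple[str, str]:
    expected = KNOWN_GOOD.get(name.lower())
    actual = path.lower()
    if expected is not None:
        if actual == expected:
            return "Good", ""
        # A familiar name running from somewhere else is the "disguised" case.
        return "Disguised", f"expected {expected}"
    if "\\temp\\" in actual or "\\locals~1\\" in actual:
        return "Unknown", "runs from a temporary folder; investigate this first"
    return "Unknown", "not in your list of recognised items"


def classify_browser(url: str) -> tuple[str, str]:
    host = (urlparse(url).hostname or "").lower()
    if host in TRUSTED_HOSTS:
        return "Good", ""
    return "Unknown", "points at a site you did not choose"


def triage(log_text: str) -> list[Finding]:
    """Classify every O4 and R0/R1 line; other line types are passed over."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            path = program_path(m["cmd"])
            verdict, note = classify_startup(m["name"], path)
            findings.append(Finding("startup", m["name"], path, verdict, note))
        elif m := R_RE.match(line):
            verdict, note = classify_browser(m["url"])
            findings.append(Finding("browser", m["value"].strip(), m["url"], verdict, note))
    return findings


def summary(findings: list[Finding]) -> dict[str, int]:
    """Count of each verdict, e.g. {'Good': 3, 'Unknown': 2, 'Disguised': 1}."""
    return dict(Counter(f.verdict for f in findings))


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"{f.verdict:9} {f.kind:8} {f.name:12} {f.target}  {f.note}")
    print(summary(results))
```

Run it on a saved HJT log by passing the file's text to `triage()`. The point of the ‘Disguised’ verdict is that a name-only check, which is what a quick glance at the Startup tab amounts to, would pass the second ctfmon.exe entry; comparing the path as well is what catches it. Anything labelled ‘Unknown’ is exactly what you would take to the forums, not something to delete on sight.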
Unfortunately a small number of the more persistent malware invaders still manage to evade the most thorough cleansing operations, in which case the only option is to seek a remedy on the web. A Google search of the name usually throws up a good number of hits, but you need to be selective as a lot of them will be from companies offering to sell you removal tools that probably do not work. The best sources of information and possible cures are the many support forums and user groups, but be careful to read as many posts as possible and look for solutions that have yielded positive results before you try anything, especially if it involves editing the Registry (see also Tip of the Week).
Next week – The trouble with AVG…
JARGON FILTER
HOME PAGE HIJACKER
Malware program that changes your browser’s Home Page, usually to a search, advertising or pornographic web site
REGISTRY
A large, constantly changing set of Windows system files containing configuration information for both the PC and programs stored on the hard disc
SERVICES
Programs that load with Windows, often used to automatically request updates and upgrades using a PC’s Internet connection
TIP OF THE WEEK
Before you use either HJT or X-Ray PC I strongly suggest that you make a backup of the Registry and, if you are using Windows XP, create a new System Restore point. This is easy: go to Start > Programs > Accessories > System Restore, select ‘Create a Restore Point’, then Next, and follow the prompts. To back up the Registry go to Run on the Start menu, type ‘regedit’ (without the quotes) then OK. Select Export on the File menu; give the file a name (e.g. today’s date) then click Save. Should anything go wrong, double click the saved *.reg file in My Documents and your Registry will be automatically restored.
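The exported *.reg file is worth keeping for a second reason: it is a dated record of what was in the Run keys before you started, and a later export can be compared against it to spot the subtly altered entries the column says cleaners can miss. The Python below is an added example, not part of the column or of regedit. It parses the regedit export format (the `[KEY]` sections and `"Name"="value"` lines, with the doubled backslashes undone) and reports values that were added, removed or changed under any Run or RunOnce key between two exports. The BEFORE and AFTER texts are constructed; the svcupdate32.exe and Temp-folder paths are invented for the example.

```python
"""Compare two regedit exports and report changes to the Run/RunOnce keys.

Added example, not part of the Boot Camp column or of regedit. BEFORE and
AFTER are constructed in the .reg export format; the svcupdate32.exe and
Temp-folder paths are invented.
"""
from __future__ import annotations

import re
from pathlib import Path

# Autostart keys worth watching; suffixes are matched case-insensitively.
AUTOSTART_SUFFIXES = ("\\run", "\\runonce")

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# "Name"=...  or  @=...  (the key's default value)
VALUE_RE = re.compile(r'^(?P<name>@|"(?:[^"\\]|\\.)*")=(?P<raw>.*)$')

BEFORE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"SoundMan"="SOUNDMAN.EXE"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.google.co.uk/"
"""

AFTER = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"SoundMan"="SOUNDMAN.EXE"
"svcupdate"="C:\\WINDOWS\\system32\\svcupdate32.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\DOCUME~1\\USER\\LOCALS~1\\Temp\\ctfmon.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://example-search.invalid/"
"""


def unescape(s: str) -> str:
    """Undo .reg string escaping (doubled backslashes, backslash-quote)."""
    return re.sub(r'\\(["\\])', r"\1", s)


def parse_reg(text: str) -> dict[str, dict[str, str]]:
    """Return {key: {value_name: value}}. String values are decoded; other
    types (dword:, hex:) keep the raw text after '='. Continuation lines of
    long hex values and [-Key] deletion entries are ignored."""
    tree: dict[str, dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if m := KEY_RE.match(line):
            current = None if line.startswith("[-") else tree.setdefault(m["key"], {})
        elif current is not None and (m := VALUE_RE.match(line)):
            name = "" if m["name"] == "@" else unescape(m["name"][1:-1])
            raw = m["raw"].strip()
            if len(raw) >= 2 and raw[0] == raw[-1] == '"':
                raw = unescape(raw[1:-1])
            current[name] = raw
    return tree


def load_reg(path: str) -> dict[str, dict[str, str]]:
    """Read a real export: regedit writes UTF-16 with a byte-order mark,
    the older REGEDIT4 format is 8-bit text."""
    data = Path(path).read_bytes()
    encoding = "utf-16" if data[:2] in (b"\xff\xfe", b"\xfe\xff") else "latin-1"
    return parse_reg(data.decode(encoding))


def diff_autostart(before, after) -> list[tuple[str, str, str, str | None, str | None]]:
    """(change, key, name, old, new) for every difference under a Run key."""
    changes = []
    keys = {k for k in set(before) | set(after) if k.lower().endswith(AUTOSTART_SUFFIXES)}
    for key in sorted(keys):
        old, new = before.get(key, {}), after.get(key, {})
        for name in sorted(set(old) | set(new)):
            if name not in old:
                changes.append(("added", key, name, None, new[name]))
            elif name not in new:
                changes.append(("removed", key, name, old[name], None))
            elif old[name] != new[name]:
                changes.append(("changed", key, name, old[name], new[name]))
    return changes


if __name__ == "__main__":
    for change, key, name, old, new in diff_autostart(parse_reg(BEFORE), parse_reg(AFTER)):
        print(f"{change:8} {key}\n         {name!r}: {old!r} -> {new!r}")
```

With two real exports, `diff_autostart(load_reg("before.reg"), load_reg("after.reg"))` gives the same list. The changed Start Page in the sample is deliberately not reported, because only keys ending in Run or RunOnce are compared; add the Internet Explorer Main key to `AUTOSTART_SUFFIXES` if you want home-page changes flagged too. One caveat on the restore step the tip describes: merging a saved .reg file puts back the values it contains but does not delete values that were added after the export, so a diff like this is how you find out what else needs removing.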