Avoiding virus etc. infection

Avoiding infection

How might I / did I get infected (by a virus etc) ?

There are only 2 physical ways for an infection to enter your PC = via its network connection (WiFi or Ethernet cable) or via some plug-in 'removable' media, such as CD, DVD, floppy disk or any USB device (which includes not just 'memory sticks' and 'thumb drives' along with removable drives, but also all types of 'memory card' (MMC, CF, SD, SDHC etc), Cameras and even iPods & mp3 music players).

The virus writer's No. 1 friend and co-conspirator is a joint 'first' = YOU and MICROSOFT

... so it's a 'race' between you and the Operating System to see which can infect your computer first :-)

You are the one who 'opens' SPAM eMail, who clicks on links in 'phishing' emails (and double clicks attachments), and who visits dubious web sites and downloads and installs their 'special viewers' or 'anti-virus' (ha ha) software and downloads all sorts of 'Free Trials' that can NEVER, EVER, be completely un-installed when the trial ends (of course you can't completely remove a 'free trial' = if you could, you could just install it again for another 'Free Trial' every time you wanted to use it ..).

If you are also the sort of person who uses Torrents to obtain 'cracked' commercial software then there really is no hope for you = you might as well post your Bank and Credit Card details on eBay right now

The Torrent user who fondly imagines that those ripping off commercial software are somehow doing them a favour 'out of the goodness of their heart' is the most deluded

Plainly anyone with the necessary software programming expertise and with good intentions will contribute to the Open Source community. It is only the expert with criminal intentions who 'kraks' commercial software .. and they do so for gain, and no other reason. So why anyone would be naive enough to believe that a Key Logger and Root Kit are NOT embedded in the 'krak' they just installed is beyond me.

However it's Microsoft Windows that 'auto-runs' every removable device it can find and is happy to provide access to System Services to any random piece of unknown software that asks (this is done to allow business users' Net Admins access to the company computers without the users either knowing anything about it or being able to stop it).

MSIE (which MS once claimed was 'part of the Operating System'**) is also happy to run scripts and commands found on any dubious web site and perform actions 'in the background' at System level, thus bypassing all your firewall and AV software, without bothering to tell you (why ? so it can download Microsoft Updates).

**There is nothing more guaranteed to provide a path for infections than offering hackers and script kiddies on the Internet access to 'part of the Operating System'.

What can I do myself to avoid becoming infected ?

A1. The first step to protecting your PC is to stop opening SPAM, stop double clicking eMail 'attachments' and to NEVER, EVER, download any software from a site that is not a well known and recognised repository of Open Source material.

NEVER run any software directly from the Internet - no matter what it claims to be. A website with a fake 'Virus checking software' page is one of the hacker's favorite ways into your system ..

A2. Enable Windows Updates. Whilst any software will have 'bugs' and 'holes' that a virus writer can exploit, Microsoft designed Windows to operate in a 'corporate environment' behind a hardware firewall where the Sys Admins could take remote control of the PC via its network connection. Windows is thus riddled with code that allows remote access and full of 'holes' that don't matter when there is no Internet. It takes Microsoft long enough to find & 'close' security holes, so you should never waste any time in accepting MS Updates.

Go to Start / Settings / Control Panel / Automatic Updates. Set to 'Automatic' (download and install) 'everyday'.

The newer and more 'complex' the software, the more 'holes' it's going to have. Those using Windows 7 'Ultimate' edition or any 'flavour' of Windows 8 are the MOST vulnerable to security holes, whilst those using Windows XP have had the benefit of 10 years of bug fixes from Microsoft and will be the 'least vulnerable'.

A3. Stop offering hackers access to 'part of the operating system' - dump MSIE** and adopt 'safe browsing' habits using eg. Firefox with a JavaScript 'blocker' such as 'NoScript'. To minimise the intrusive adverts that keep 'popping up' and the multimedia garbage that plays 'in the background' you might also like to use uBlock (my previous choice, AdBlock Plus, has sold out to the advertisers who now pay them to allow their garbage through) and Flash Block

**Unfortunately, if you want MS Updates, you can't totally uninstall all MSIE components

Stop the Press: MS no longer issues Updates for XP = so you can at last strip out MSIE (your number one security 'hole') and 'stop' all the associated 'services' that spend their time trying to fetch and install random stuff from the network. Stripping out MSIE is not easy = the 'best way' involves using tools such as XPLite to re-install without MSIE in the first place

A4. In making their software 'for the corporate user', Microsoft has built an Operating System that is DESIGNED to be controlled from the network ! Thus every home user has a system with multiple built in 'paths' that the virus writer can exploit. If you want to avoid becoming infected and handing over control of your computer to a criminal 'bot-net' (to be used as a spam generator etc.) you need to shut down as many of these 'remote control' paths as possible.

If you followed my recommendations in How to disable unwanted Services you will have closed the most obvious 'remote control' paths. If not, go back and do it now.

A5. Finally, Microsoft has a very clever Windows function that seems specifically designed to support virus infections from removable media. A feature known as "auto-play" polls all the Hardware that could support removable media about 10 times a second looking for 'something new'

Windows then examines any new 'media' it finds and ... wait for it ... executes instructions found in 'autorun.inf' BEFORE informing the user. Yep == this insane trick will result in the immediate and uncontrolled infection of your system as soon as any virus ridden removable media is inserted. So, having disabled most of the Windows 'Services', the next thing to do is put a stop to 'Auto-play'. This, of course, is easier said than done.

Stop MS Windows auto-playing / auto-running a virus from 'removable media'

By default, when you insert any type of removable media (CD, DVD, USB device of any type) or connect to a network 'share', Windows immediately accesses it, checks the 'type' and starts performing 'useful actions' in the background.

This means Windows will process any 'autorun.inf' file it finds. Instructions found in any Autorun.inf are then run at 'system' level (one step higher than Administrator). Needless to say, this is a virus writer's wet dream.

It is actually possible to prevent USB devices of any type being recognised by Windows, however this may be a 'step too far' (Memory sticks are just way too useful, as is your web-cam for Skype). If you really want to disable USB, see Microsoft kb823732

It appears to be impossible to stop Windows looking for (and opening) a new CD/DVD disc without also stopping it recognising the existence of a new USB device (such as a memory stick etc). However you can prevent Windows from taking any 'action' based on what it finds

If you have kids, the following is a vital precaution (unless you disable & super-glue shut all USB sockets on all computers to prevent their 'mates' plugging in their undoubtedly virus infected USB sticks)

A1. Having 'disabled' the Shell Hardware Detection 'service' you should also set the 'NoDriveTypeAutoRun' registry key (see below)

For XP, launch regedit. Locate or create the following key :-
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoDriveTypeAutoRun

Right-click 'NoDriveTypeAutoRun', click Modify, and in the Value data box, type 0xFF
This will disable autorun for all types of drives. Click OK, exit the Registry Editor. You will have to restart your PC before it will take effect.
For more information, including how to selectively disable autorun on drive types, see Microsoft kb967715

To Disable Auto-play in Windows XP & earlier

To Disable Autoplay in Vista

A2. Whilst you may think this prevents auto-play, you would be wrong, since Windows allows the NoDriveTypeAutoRun Registry Key to be overridden !

Microsoft 'fixed' the ability to 'override' the setting by adding another new Key to the Registry, at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer, 'HonorAutorunSetting', REG_DWORD value = 1.
If the key is overridden, the only way to prevent any 'instructions' found in an 'autorun.inf' file from having an effect is to specifically add autorun as a 'file type' and set (or 'map') all the contents ('@') to "do nothing" by directing the contents to a handler that does not exist (such as 'DieAutoRunDie'). This is done by another Registry key (as per below or detailed here).

To prevent autorun instructions having any effect, use Notepad or similar to create a file called eg. 'kill-arun.reg' containing the following 3 lines of text :-

REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DieAutoRunDie"

If you download the 'kill-run.reg.txt' file and remove the '.txt', when you 'double click' the 'kill-run.reg' file your Registry will be updated (the new settings will be applied when you re-boot).

Whilst this puts a stop to Windows running any 'new' autorun instructions, it does not stop any that Windows has already found. To do that, you need to delete the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 key (this is a list of 'existing' autorun 'mount points' that Windows will allow to run).

Of course this means that 'legitimate' software installation from CD/DVD is no longer automatic. You will have to 'browse' the CD/DVD and find the 'install.exe' - and if this is not in the 'root' you will have to 'open' the autorun.inf yourself (eg. in Notepad) to discover how to start the install.
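
To confirm that the three settings from A1 and A2 are really in place, you can export the relevant keys from regedit and check the export offline. The following is an added example (not part of the original page): it parses REGEDIT4 text and reports which of the settings are missing. The function names and both sample exports are constructed for illustration.

```python
import re

# NoDriveTypeAutoRun bit meanings (Microsoft's documented drive-type flags).
DRIVE_BITS = {0x01: "unknown", 0x02: "no-root-dir", 0x04: "removable",
              0x08: "fixed", 0x10: "network", 0x20: "cd-rom",
              0x40: "ram-disk", 0x80: "reserved"}

POLICIES = r"\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer"
INI_MAP = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
           r"\CurrentVersion\IniFileMapping\Autorun.inf")
VALUE_RE = re.compile(r'^(?:@|"(?P<name>[^"]*)")=(?P<data>.*)$')


def parse_reg(text):
    """Parse REGEDIT4 text into {KEY (upper-case): {value name (lower): data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].upper(), {})
            continue
        m = VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name = (m.group("name") or "@").lower()  # "@" is the key's default value
        data = m.group("data")
        if data.lower().startswith("dword:"):
            current[name] = int(data[6:], 16)
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            current[name] = data[1:-1].replace("\\\\", "\\")
    return keys


def audit(text):
    """Return a list of findings; an empty list means all three settings hold."""
    keys, findings = parse_reg(text), []
    user = keys.get(("HKEY_CURRENT_USER" + POLICIES).upper(), {})
    mask = user.get("nodrivetypeautorun")
    if mask is None:
        findings.append("NoDriveTypeAutoRun is not set")
    elif (mask & 0xFF) != 0xFF:
        live = [t for bit, t in DRIVE_BITS.items() if not (mask & bit)]
        findings.append("NoDriveTypeAutoRun leaves autorun on for: "
                        + ", ".join(live))
    machine = keys.get(("HKEY_LOCAL_MACHINE" + POLICIES).upper(), {})
    if machine.get("honorautorunsetting") != 1:
        findings.append("HonorAutorunSetting is not 1")
    mapping = str(keys.get(INI_MAP.upper(), {}).get("@", ""))
    if not mapping.upper().startswith("@SYS:"):
        findings.append("Autorun.inf is not remapped under IniFileMapping")
    return findings


# Constructed sample exports (not taken from a real machine).
HARDENED = r"""REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000ff

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"HonorAutorunSetting"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DieAutoRunDie"
"""

WEAK = r"""REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"""

if __name__ == "__main__":
    for label, sample in (("hardened", HARDENED), ("weak", WEAK)):
        print(label, audit(sample) or "OK")
```

Key and value names are compared case-insensitively, as the Registry does, so an export that spells the path 'Policies' or 'policies' is treated the same.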

A3. All CD/DVD drivers 'interface' with the Microsoft Windows built in 'Digital Rights Management' (DRM) code. This prevents you browsing 'copy protected' DVD movie disks - and yes, virus writers are quite capable of taking advantage of this 'feature' to prevent you discovering the existence of their nasty little surprises.

To prevent Windows discovering if the disc is a type that 'should not be browsed', you can install the 'DVD43' utility. The drawback is that movies will no longer play automatically - instead you have to launch VLC Media Player and choose 'Open Disc' from the Media menu.

A4. Finally, you can track down and remove the software 'handlers' that perform the 'auto-play' actions. These are listed (for the various 'events') in two Registry keys mentioned below. Since any software you install can add itself as an 'auto-play' handler, you will have dozens of unwanted 'handlers', some of which may have been partially un-installed and no longer 'work' (of course auto-play will still try to run them 'behind your back')

Where to find (and kill) the auto-play 'handlers' :-
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\<handler>
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\EventHandlers\<Event Name>

How do I prevent infection from the Internet ?

The first step is to STOP USING MSIE (any version). MSIE provides web sites access to Windows at a 'system' level. Other browsers (eg FireFox) DO NOT provide any such access.

Unfortunately, 'system level' access is REQUIRED for Windows Updates (of course). Since no other browser will allow a web site to modify your system, if you totally remove MSIE, you will no longer be able to perform Automatic Updates. If you keep MSIE for Updates, you should set it so that it CAN NOT BE USED for any other purpose

What web browser should I use ?

Firefox. Its 'Add-ons' turn it into the best possible defence against web-borne infections (as well as removing all those unwanted 'splash screen' mini-movies, background music, pointless 'ads' and annoying 'pop-ups' that plague almost every web site these days). So, after installing FireFox, get the uBlock, Flashblock 1.5.15.1 and NoScript 2.4.2 (or later) Add-ons. Whilst you are at it, get the British English Dictionary. If you install "avast!" anti-virus it will add the 'avast! WebRep' plug-in to Firefox automatically

It would be 'nice' to be able to block entire national domains (such as "*.ru", "*.cn" and "*.kp") since there is no good reason for you to ever visit any Russian, Chinese or North Korean web-site and the first indication that a 'legitimate' site has been 'hacked' may well be when you are 'redirected' to some criminal's server running in one of these countries

Whilst the Firefox 'BlockSite' add-on shows promise, in version 0.7.1.1 if you block '*.cn' it actually has the effect of blocking all URLs containing .cn (so '.cnet.com' is also blocked), which is hardly what you would expect & makes it next to useless :-)
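
The difference between 'URL contains .cn' and 'host name ends in .cn' is easy to see side by side. The following is an added example (not part of the original page and not BlockSite's own code): substring_block() reproduces the behaviour described above, tld_block() checks only the last label of the parsed host name. All function names and test URLs are constructed.

```python
from urllib.parse import urlsplit

BLOCKED_TLDS = {"ru", "cn", "kp"}          # the national domains named above
PATTERNS = ("*.ru", "*.cn", "*.kp")


def substring_block(url, patterns=PATTERNS):
    """Behaviour described above: '*.cn' ends up meaning 'URL contains .cn'."""
    lowered = url.lower()
    return any(p.lstrip("*").lower() in lowered for p in patterns)


def tld_block(url, blocked=BLOCKED_TLDS):
    """Block only when the last label of the host name is a listed TLD."""
    if "://" not in url:
        url = "//" + url                   # lets urlsplit parse a bare host
    # .hostname is already lower-cased, with port and user info removed
    host = (urlsplit(url).hostname or "").rstrip(".")
    return host.rsplit(".", 1)[-1] in blocked


# Constructed test URLs (host names are illustrative only).
SAMPLES = [
    "http://shop.example.cn/",                 # really in .cn
    "http://news.cnet.com/",                   # '.cn' inside '.cnet.com'
    "https://example.com/files/setup.cn.zip",  # '.cn' only in the path
    "http://www.rural-news.example/",          # '.ru' inside '.rural-news'
    "http://EXAMPLE.RU:8080/index.html",       # upper case plus a port
    "http://example.cn./",                     # fully qualified, trailing dot
    "http://192.0.2.7/login",                  # bare IP address, no TLD at all
]


def compare(urls=SAMPLES):
    """Return (url, substring verdict, TLD verdict) for each URL."""
    return [(u, substring_block(u), tld_block(u)) for u in urls]


if __name__ == "__main__":
    for url, naive, strict in compare():
        print(f"{url:42} substring={naive!s:5} tld={strict}")
```

The last sample shows the limit of any TLD rule: a server reached by bare IP address has no domain to match, which is why such hosts end up on IP block lists instead.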

Clever criminals place their servers in China etc. but register them to a '.com' (or .net or .co.uk etc) Domain. Fortunately the 'good guys' sniff out the criminals pretty fast and add them to the lists of known bad guys' Domains. The really clever ones don't even 'register' their servers - they just have an IP address .. but they can still be 'found out' and added to the Abusive Hosts IP list

NB. 'Modern' browsers (such as Apple’s Safari) have forgotten all about the 'remote execution' problems of MSIE and have returned to the old approach of simply executing anything found on a hacker's web site that you stumble across

How can I block MSIE from reaching any but the MS-Update site ?

A1. MS Updates use components of MSIE (and not iexplore.exe itself). So one way to prevent actual 'browsing' is to set MSIE to 'connect' via a dummy 'proxy server'. You could also add C:\Program Files\Internet Explorer\iexplore.exe to the Comodo Firewall (Firewall tab, 'Define new blocked application')

Blocking iexplore.exe does not block its 'components' (which are used for MS Updates, and, unfortunately, by the not-totally-dumb virus writer to 'phone home') but does prevent 'casual' attempts to make use of MSIE eg. by some script-kiddie 'friend' of your own children

A2. If you are using Windows 2000 or (since end 2014) Windows XP, you won't get any more 'updates' from Microsoft anyway, so you might as well remove all MSIE components, including the DLLs supporting "Active X" (the 'scripting' system Microsoft provided that allows the hacker's web pages to infect your system just by visiting them)

XPLite will remove MSIE & all its components (if you let it) - note to be safe you have to kill ALL of MSIE (which means no more MS Help** or Outlook Express (no big loss) nor some 3rd party apps (such as 'Quicken') which use the MSIE 'HTML rendering' engine)

**To support the MS Help '.chm' files, you can install CHM Reader for Firefox

Other than killing MSIE, what else can I do ?

You must adopt a 'defence in depth' approach. The first step is to avoid attention = if you "don't exist" on the Internet, the script kiddies won't be able to find you, so you will be left alone. You can keep infections off your computer by adopting 'safe browsing' and 'safe email' habits and you can configure your internal network to prevent infections spreading from other computers to yours. Finally you can make sure you have installed tools that can detect and remove infections BEFORE you get caught.

It is not unusual to find a virus that is designed to prevent you browsing the Internet and learning how to remove it. Many also try to prevent you installing anti-virus software and will 'disable' Microsoft Firewall (as well as many of the more common packages such as AVG and Norton). So if you get infected you had better have up-to-date anti-virus software already installed - or expect to spend hours learning how to bypass the virus 'blocking' without the benefit of access to the Internet

How can I be 'invisible' on the Internet ?

Your first line of defence against remote 'attacks' is your Router's firewall. This must be enabled and set to 'stealth' mode. One thing you must NEVER do is 'open a port' for any stupid games software - any decent legitimate games software will 'connect' to the Internet via port 80 = standard http (i.e. same as your browser). Any software that demands you 'open a Port' should be avoided like the virus vector it is.

You have kids ??? == then your Router has to be under lock and key. Every kid knows how to do a 'factory reset' on the home router so they can login using the default admin. password, turn off the firewall and open a few ports for their latest and greatest game (aka 'hunt the admin password' or 'join the bot-net')

To check how 'invisible' you are, visit the Shields Up web site

How do I prevent a 'trojan' taking over my computer ?

A1. Pre-install Anti-malware software. I suggest the free version of Malwarebytes. Run it immediately (so it fetches its latest updates from the web) and add it to your 'Startup' folder (so it runs every time you power cycle the PC). It's a good idea to run it before performing each System Backup (not only does this confirm your backup will be virus free but it also keeps Malwarebytes up-to-date).

The free version of Malwarebytes does not offer 'real time' protection nor 'Scheduled' scanning (you have to manually scan). If your PC is in a 'high risk' environment (i.e. you allow other users access or have kids in the house and your PC is not physically locked away) you might want to consider paying for the 'Pro' version.

A2. Prevent unwanted Registry modifications. Needless to say, it's not just trojans and virus infections that attempt to modify your Registry in order to 'RUN' themselves at power on. Lots of commercial software try the same trick (the idea is to make it look as if they are 'launching' faster than, in fact, they are). Of course the last thing you need is MS Office, Adobe apps and even 'Java' wasting your time and resources (RAM) by loading during power-on.

To detect (and deny) arbitrary attempts by software to add themselves to the 'start up' sequence, I recommend WinPatrol (aka 'Scotty').

How do I detect a virus / trojan / root-kit ?

A1. No matter how careful you are, sooner or later you will run into a virus. Not everyone is as careful as you and I, so sooner or later a friend's eMail system will have its address book compromised and you will receive a virus attached to something you are expecting from a trusted source.

To detect & block a simple virus, use Avast! free anti-virus.

WARNING - you will see mention of Google Chrome at the bottom of the installer 'splash screen' along with 2 small pre-set 'selection' buttons. If you fail to 'deselect' these, Avast! will download and install 200Mb+ of Google Chrome which will then 'take over' your Internet connection.

The 'splash screen' is the ONLY chance you have to avoid being 'Chromed' - the choice is NOT offered anywhere in 'custom install' (which is annoying), and although you can remove it afterwards (via 'Add or Remove Programs') the file associations 'stolen' by Chrome are NOT reset back to their original settings (although it does offer you the chance to reset Firefox as your 'default browser')

You have to 'Register' Avast! within 30 days using an eMail address (so you might want to set-up a 'throw away' address now, although it will accept any address, such as 'spam@gmail.com'). DO NOT be tempted to 'Register' for the '1 year free trial' version (it will stop working after a year and you will tear your hair out trying to get back to the 'free' version - remember 'Free Trials' CAN'T BE UNINSTALLED !!)

Note - if you have kids, it's worth paying the fee that allows Avast! to be set to 'automatically scan removable media' (you might not plug your USB sticks into other (infected) PCs but your kids will).

There was a time when I would have recommended AVG, however for some unknown reason they stopped updating their 'signatures' for a month or so, whilst Avast! has always updated every day or so.

A2. If something does manage to 'get in', it will typically set itself up as a 'service' to 'run' every time you reboot. To discover (and control) what's allowed to RUN as a Service use HijackThis.

You should have installed HijackThis and saved a 'scan' as soon as you finish setting up your new computer. This allows you to take a 'snap shot' of what Windows itself 'runs' so you can spot and focus on any differences later.

A3. Use Task Manager (Alt-Ctrl-Del) to 'spot' unexpected Processes. Unfortunately, Windows runs a number of processes under the generic "svchost.exe" harness .. so any half clever virus will use the same trick. Your first clue that you have been infected may be an 'extra' svchost process .. so you will need to know how many are running 'normally' ...

DTaskManager is a Task Manager application with some extra fields. The Process tab 'started' field is extremely useful since it reveals which Services started at boot time and which started later (the unexpected starting of a service is another 'give away' that you have just caught a virus).

To discover what process is hiding behind svchost.exe, open a command prompt (DOS Box) and type 'tasklist /svc'

To discover what DLLs are hiding behind a process name, use Microsoft Process Explorer.
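
Knowing how many svchost processes run 'normally' is easier if you save the output of 'tasklist /svc' on a clean machine and compare later output against it. The following is an added example (not part of the original page): it parses two saved outputs and reports extra svchost.exe instances, services that were not hosted in the baseline, and svchost.exe instances hosting no service at all. The function names, both sample outputs and the service name 'SysHelper' are constructed.

```python
import re

# image name (may contain spaces), then PID, then the comma-separated services
ROW = re.compile(r"^(?P<image>\S.*?)\s+(?P<pid>\d+)\s+(?P<svc>.*)$")


def parse_tasklist_svc(text):
    """Return [(image, pid, [services])] from 'tasklist /svc' output."""
    rows, in_table = [], False
    for line in text.splitlines():
        if line.startswith("====="):       # rule under the column headings
            in_table = True
            continue
        if not in_table or not line.strip():
            continue
        m = ROW.match(line)
        if m:
            svc = [s.strip() for s in m.group("svc").split(",")]
            svc = [s for s in svc if s and s != "N/A"]
            rows.append((m.group("image"), int(m.group("pid")), svc))
        elif line[0].isspace() and rows:   # wrapped list of services
            rows[-1][2].extend(s.strip() for s in line.split(",") if s.strip())
    return rows


def svchost_rows(rows):
    return [r for r in rows if r[0].lower() == "svchost.exe"]


def compare(baseline_text, current_text):
    """Diff by service name, since PIDs change on every boot."""
    base = svchost_rows(parse_tasklist_svc(baseline_text))
    cur = svchost_rows(parse_tasklist_svc(current_text))
    base_svc = {s.lower() for _, _, svc in base for s in svc}
    cur_svc = {s.lower() for _, _, svc in cur for s in svc}
    return {
        "extra_svchost": len(cur) - len(base),
        "new_services": sorted(cur_svc - base_svc),
        "empty_svchost_pids": [pid for _, pid, svc in cur if not svc],
    }


# Constructed sample outputs (not captured from a real machine).
BASELINE = """
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
svchost.exe                    856 DcomLaunch, TermService
svchost.exe                    940 RpcSs
svchost.exe                   1032 AudioSrv, Dhcp, Dnscache,
                                   Netman, Nla
explorer.exe                  1500 N/A
"""

CURRENT = """
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
svchost.exe                    860 DcomLaunch, TermService
svchost.exe                    948 RpcSs
svchost.exe                   1040 AudioSrv, Dhcp, Dnscache,
                                   Netman, Nla
svchost.exe                   2212 SysHelper
svchost.exe                   2300 N/A
explorer.exe                  1620 N/A
"""

if __name__ == "__main__":
    print(compare(BASELINE, CURRENT))
```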

A4. To detect Root-kits, use Microsoft RootKitRevealer.

Again, download it now and tuck it away on your server. Writers of Root-kits don't want to be discovered, so the clever ones will prevent you accessing the MS site (and downloading RootKitRevealer) by feeding you 'innocent' seeming 'error' messages.

How do I prevent a virus infection spreading ?

A1. By default, Microsoft will setup your computer network to allow each and every one of your computers to access each and every other one. This is yet another disaster waiting to happen = yes, it's a 'good idea' if you want to share files between computers, but if YOU can 'share files' between computers, then so can any virus, key-logger or root-kit (and so can any 'intruder' that gets access to your WiFi)

If you need to share files between computers, by far the safest approach is to define one computer (let's call it 'the backup Server' or 'Network Attached Storage' (NAS)) as your 'file store' and use this as an 'intermediate' step (common folder) to 'copy&paste' the files you want to share. You then setup that computer so its only function is to act as a file store (i.e. so it CAN NOT reach, nor be reached from, the Internet).

If you are in a home with kids, taking away the Server / NAS monitor, keyboard and mouse is an essential first step to ensuring it can not be used to browse the Internet & download infections 'because my other computer has a virus'. See here for my suggestions on Setting up a home Server (a very good idea if you want to save your photos / music etc.)

A2. Don't forget that, by default, each time you 'connect' to a 'mapped' network drive 'share', Windows will attempt to 'run' any 'auto-run.inf' file it finds there. This can be prevented as detailed above, however you should also 'lock down' your Server's 'user accounts' (to limit who can 'map' to its shares and who can then 'write' files into the share).

The simple way to limit access is to ensure every user has to use their own personal 'account' = this lets you set 'access permissions' (on the Server) individually

A3. Each of your computers MUST be protected from each of your other PCs - the last thing you want is for one PC that becomes infected to then infect all the others ! This means installing a software firewall onto each and every PC. I recommend the Comodo Free Firewall.

Comodo comes with some garbage called 'Geek Buddy'. This is not an option, but you can always remove it after it installs (go to C:\Program Files\COMODO\COMODO GeekBuddy & double-click 'uninstall.exe' before restarting after installing Comodo)

NB. In Comodo's 'More' tab, 'Preferences', 'General', you might want to turn off the 'Enable Comodo Message Center' to stop the slightly annoying 'See us on Facebook' etc. messages

There was a time when I recommended ZoneAlarm. However after the unwanted (but installed anyway) Zone Alarm 'Tool-bar' proved incompatible with Firefox and it started to throw up 'in my face' (centered on the desktop) 'pop-up' windows with a message inviting me to 'Join the community' and 'Upgrade to Pro', I no longer use it nor recommend it (the final straw was when it locked-up my hard drive during boot, however that's another story)

To protect your computer, you should set Comodo to 'allow' as 'untrusted' traffic to & from SPECIFIC addresses ONLY. These would be your 'Default Gateway' and (if you have one) your Server / NAS. Since you will add these as single individual addresses, the Subnet Mask must be '255.255.255.255' (NOT 255.255.255.0 which 'allows' all 256 addresses in the same 'range' and not just the one !).

On your PC, you only need to make another address 'Trusted' if you want to give the computer at that address 'permission' to write something directly onto your computer.
 
In order to 'backup' your PC onto your Server, the Server has to 'trust' your computer and not the other way around.
 
So, whilst you must put your PC address in the Server's Trusted 'zone', there is no reason at all why your PC should trust the Server = after all, the Server might get infected by some other PC it is 'trusting', and the last thing you want is for that infection to be spread from the Server to all your other computers !
Remember - a computer has to 'Trust' one that wants to WRITE to it .. the one doing the writing DOES NOT HAVE TO TRUST the one it's writing to (or reading from) !
