Preventing your PC being 'taken-over' by crap software

Prevent takeover

What 'threats' do I face ?

a1. The biggest threats are the "minor annoyances" (such as unwanted 'trialware' and 'adware', and the time-limited 'anti-virus' packages that are 'shipped' with every new computer) that build up over time to gradually overwhelm your system, making it slower and slower until it becomes unusable. Whilst often hard to remove, by paying attention during the install phase ('de-selecting' unwanted 'options' and reading your WinPatrol warnings) it is usually easy to prevent such software 'taking over' in the first place. This starts by booting your new computer in 'Safe Mode' (in order to prevent all the 'trialware' installing itself).

a2. Malicious eMails - spam, phishing and mail with virus-infected attachments. These are all easy to avoid and, if you keep your wits about you, you will never suffer adverse effects from any email.

a3. Low level nuisance 'hacking' - 'script kiddies' and their 'port scanners' - will be stopped by your Router's firewall, especially if you set 'stealth mode' (which means your Router never 'responds' to any unexpected 'request', not even with a 'port closed' reply) to make your computer 'invisible' on the Internet.

a4. Serious, automated, targeted hacking - Root Kits, Key Loggers and Bot Net recruitment. The worst of these is Bot Net 'recruitment' - here your computer will be specifically targeted using known vulnerabilities in an effort to 'take it over'. Whilst the criminal can read details of all your accounts and passwords, and thus get access to your on-line banking etc., more often than not they are only interested in 'selling' access to others (so your PC can be used to generate Spam or take part in DDoS 'attacks').

In each case the criminal has to find a way to get their (Trojan infected) software onto your machine and either have Windows run & install it automatically or have you install it. Their methods are many and varied - so avoiding infected emails, avoiding MSIE and turning off JavaScript when 'surfing' the web are just the first level of defence.

However the fastest known way of handing over control of your computer to criminals is by DOWNLOADING AND INSTALLING 'DUBIOUS' SOFTWARE

One of the MOST COMMON tricks is a web site that 'pretends' to run a Virus scan on your computer when you visit the page and then displays fake 'malware detected' messages in a bid to trick you into downloading a Trojan program that pretends to be an Anti-Virus or Infection Removal tool. The web page may even 'pop-up' a fake Windows Explorer window with a "Windows Security Alert" dialogue box in it. So NEVER, EVER pay any attention to web sites that claim you are 'infected' and do not, under any circumstances, be tempted into downloading and running the 'virus detection tool' they offer (whilst most are just adware packages, sooner or later you will trip over one that's not).

If you followed my recommendations on how to Disable useless and dangerous Services most attempts to automatically download and run a criminals malicious software will be prevented. But nothing can stop you deliberately downloading and running their malicious software yourself !

For more on Bot Nets, see later

What unwanted software will I find on my new PC ?

These days, almost all new PCs will come ready filled with what I can only call crapware. These are the most useless, bloated, part-functional, intrusive and expensive commercial packages on the market.

Don't think any of this rubbish has been included to make the PC 'more attractive' to the buyer. How can it, when few sellers dare actually reveal what 'free trials' are infecting your hard disk ? = no, the one and only reason why your PC is filled with this garbage is because the software vendors have PAID the computer manufacturer to include it !

Vendors hope that after you have invested hours of your time and made huge efforts learning how to use their hopeless menu layouts for the vital hidden options that might allow the software to do half of what you are trying to achieve, you will feel you have no choice but to 'pay up' when the free trial expires. To 'encourage' you to pay, some will hold your data hostage (by defaulting to their own proprietary formats when you click 'Save') whilst others will 'nag' you at regular intervals.

One of the worst will be the 'anti-virus' / 'firewall' (typically Norton) that will start to generate an 'in your face' 'Warning !!' that 'You are not protected' after the free trial expires.

How do I stop the commercial crapware when I first turn on my new PC ?

Fortunately, 'free trials' typically start their clock from the "installation" date and not the date of actual first use. This means that the garbage cannot actually be 'pre-installed' = instead entries are added to the PC's Registry that will automatically run the 'garbage installers' at first power on. You can prevent the installers running by first starting up in 'Safe Mode' - and then tracking down the 'run' instructions (using HijackThis or the built in 'msconfig' tool (launched via Start / Run)) and manually removing them.

You need to distinguish between licensed software that's actually useful and the 'free trial' crapware. For example, if you find MS Office 'full edition' (and didn't pay an extra $200+) it will be a time limited 'free trial', whilst MS Office Lite (which WILL have been advertised as a desirable extra) may be a fully licensed (but cut down) version of Office that is better than nothing (but not as good as the Open Source equivalent, Open Office).

Note that not all crapware hides its installers in the Registry (look for 'RunOnce' and 'Run' keys, under both HKLM and HKCU) - often they can be found in the 'Programs / Startup' folder (as a simple 'shortcut' to the installer).

Remember - it's impossible to completely remove a 'free trial' = if you could, there would be nothing to stop you getting as many 'free trials' as you liked ! So you MUST stop it installing in the first place.
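The following is an added example (not code from the original page) that does the 'track down and remove' step above from a PowerShell prompt rather than by hand in msconfig or HijackThis: it lists every value in the four Run / RunOnce keys and every shortcut in the per-user and all-users Startup folders, and the removal function exports the key to a .reg file before deleting a value, so a mistake can be undone. Run it from an elevated prompt (in Safe Mode, as advised above). The backup folder and the entry name in the last line are this example's own choices.

```powershell
# Added example (not code from the original page): list every start-up entry on
# a freshly unpacked PC, then back up and remove a chosen one. Run from an
# elevated PowerShell prompt (in Safe Mode, as the text advises). The backup
# folder and the entry name in the last line are this example's own choices.

$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$BackupDir = 'C:\StartupBackup'

# 1. Values in the four Registry 'Run' / 'RunOnce' keys (one object per value)
function Get-RegistryStartup {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
            # PSPath, PSParentPath etc. are PowerShell metadata, not registry values
            if ($prop.Name -like 'PS*') { continue }
            New-Object PSObject -Property @{ Where = $key; Name = $prop.Name; Command = [string]$prop.Value }
        }
    }
}

# 2. Shortcuts in the per-user and all-users 'Startup' folders, resolved to their targets
function Get-StartupFolderItems {
    $shell   = New-Object -ComObject WScript.Shell
    $folders = [Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup')
    foreach ($folder in $folders) {
        if (-not $folder -or -not (Test-Path $folder)) { continue }
        foreach ($item in Get-ChildItem -Path $folder -Force | Where-Object { -not $_.PSIsContainer }) {
            $target = $item.FullName
            if ($item.Extension -eq '.lnk') { $target = $shell.CreateShortcut($item.FullName).TargetPath }
            New-Object PSObject -Property @{ Where = $folder; Name = $item.Name; Command = $target }
        }
    }
}

# 3. Export the whole key to a .reg file first (so the change can be undone), then delete the value
function Remove-StartupEntry([string]$Key, [string]$Name) {
    if (-not (Test-Path $BackupDir)) { New-Item -ItemType Directory -Path $BackupDir | Out-Null }
    $regKey  = $Key -replace '^HKLM:\\', 'HKLM\' -replace '^HKCU:\\', 'HKCU\'
    $regFile = Join-Path $BackupDir ("{0}-{1}.reg" -f $Name, (Get-Date -Format 'yyyyMMdd-HHmmss'))
    & reg.exe export $regKey $regFile | Out-Null
    Remove-ItemProperty -Path $Key -Name $Name
    "Removed '$Name' from $Key (backup: $regFile)"
}

# Show everything that will run at the next logon, then decide what goes
Get-RegistryStartup    | Format-Table Name, Command, Where -AutoSize -Wrap
Get-StartupFolderItems | Format-Table Name, Command, Where -AutoSize -Wrap

# e.g. a value called 'TrialInstaller' (hypothetical name) found in the HKLM Run key:
# Remove-StartupEntry -Key $RunKeys[0] -Name 'TrialInstaller'
```

Startup-folder shortcuts are plain files, so those are dealt with by moving the .lnk out of the folder (into the backup folder, say) rather than with Remove-StartupEntry. To put a registry value back, double-click the exported .reg file.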

How do I avoid my 'file types' being taken over ?

All commercial software will attempt to 'take over' your file 'types' (in order to force you to use that vendors software) and will infect your Registry with instructions to RUN parts of themselves and launch 'Services' at power-on (this is usually so it can 'phone home' at regular intervals, even when you are not using the software, just in case an update is available)

If you must use commercial software, always choose 'custom install'. During 'custom install', as well as un-ticking the inevitable attempt to take over your browser Home Page & install some useless 'Search Tool-bar', you will typically have a choice of what file types to 'associate' with the software

NOTE You should ALWAYS make a 'Restore Point' before installing anything. That way, when the commercial crapware 'breaks' your PC, you can (mostly) 'go back' to where you were before
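As an added example (not code from the original page), here is the 'Restore Point first' rule together with a check that the page's advice implies but msconfig will not show you: a 'before' snapshot of which program owns each file type, so that after a 'custom install' you can see exactly which associations the newcomer grabbed despite your un-ticking. The extension list and the snapshot file path are this example's choices; Checkpoint-Computer needs an elevated prompt and System Restore enabled for the C: drive.

```powershell
# Added example (not from the original page): take a System Restore point and a
# 'before' snapshot of which program owns each file type, so that after a
# 'custom install' you can see exactly which associations the new software
# grabbed and give them back. The extension list and snapshot path are this
# example's choices; Checkpoint-Computer needs an elevated prompt and System
# Restore enabled for the C: drive.

$Extensions   = '.txt', '.doc', '.docx', '.xls', '.pdf', '.jpg', '.png', '.mp3', '.mp4', '.avi', '.htm', '.html', '.zip'
$SnapshotFile = 'C:\StartupBackup\assoc-before.xml'

# Who 'owns' an extension: the per-user UserChoice (Vista and later) wins, else the HKCR default ProgID
function Get-Association([string]$Ext) {
    $userChoice = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\$Ext\UserChoice"
    $progId = $null
    if (Test-Path $userChoice) { $progId = (Get-ItemProperty -Path $userChoice).ProgId }
    if (-not $progId) {
        $hkcr = "Registry::HKEY_CLASSES_ROOT\$Ext"
        if (Test-Path $hkcr) { $progId = (Get-ItemProperty -Path $hkcr).'(default)' }
    }
    $command = $null
    if ($progId) {
        $open = "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command"
        if (Test-Path $open) { $command = (Get-ItemProperty -Path $open).'(default)' }
    }
    New-Object PSObject -Property @{ Extension = $Ext; ProgId = $progId; Command = $command }
}

function Save-AssociationSnapshot {
    $dir = Split-Path $SnapshotFile
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    $Extensions | ForEach-Object { Get-Association $_ } | Export-Clixml -Path $SnapshotFile
}

# Report every extension whose owner changed since the snapshot was taken
function Compare-AssociationSnapshot {
    $before = Import-Clixml -Path $SnapshotFile
    foreach ($old in $before) {
        $new = Get-Association $old.Extension
        if ($new.ProgId -ne $old.ProgId) {
            "{0}: was '{1}', now '{2}' -> {3}" -f $old.Extension, $old.ProgId, $new.ProgId, $new.Command
        }
    }
}

# Before installing: restore point first, then the snapshot
Checkpoint-Computer -Description 'Before installing vendor package' -RestorePointType 'MODIFY_SETTINGS'
Save-AssociationSnapshot

# After the install has finished, run:  Compare-AssociationSnapshot
```

Two caveats from experience rather than from the page: Windows 8 and later refuse a second restore point within 24 hours of the last one unless you lower the SystemRestorePointCreationFrequency setting, so do not rely on being able to take one per package; and on those versions the per-user UserChoice key is hash-protected, so the way to hand an extension back to the old program is Windows' own 'Open with / Always use this app' dialog, not a registry edit.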

How can I avoid software that can't be un-installed ?

A1. By avoiding 'paid for' packages !

The best way to avoid problems is to avoid anything commercial .. and the number one source of software for the security conscious is Open Source. Whatever you need to do, first check for an Open Source alternative (and ALWAYS download ONLY from a recognised repository eg http://sourceforge.net, and where the project publishes a checksum or signature for the download, compare it before running the installer = even a recognised repository's own installer 'wrapper' has been known to bundle extras).

A2. By using a 'Sandbox' or Internet cafe style 'System Freeze' software

The 'sandbox' provides a 'virtual' environment in which software can be run without it making any actual changes to the rest of the system. This is an extremely useful way to run an Internet Browser for those with kids (kids will download all sorts of virus infected rubbish from 'torrents' etc.). When they exit the 'sand-boxed' Browser (or, more likely, when it eventually crashes) anything done using it will disappear.

System 'freeze' is similar but operates on the whole computer. When the computer is rebooted, it is automatically 'restored' to the initial state. This is even more useful for those with kids, since whatever they (or their 'friends') do to the family computer it will always revert to its initial state on a reboot.

System 'freeze' software works by intercepting all access to the hard disk. Existing hard disk data is never over-written - instead any new 'write' data is recorded to a temporary 'cache'. When a 'read' occurs, cached data is substituted as necessary. The cache is simply 'dropped' when the computer is rebooted = there is no need to actually 'restore' anything to the hard drive because it was never changed (which makes this approach virtually 'crash proof').
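The mechanism in the paragraph above, as an added toy model (not the page's code and not any vendor's): a hashtable stands in for the disk and another for the temporary cache. Real products sit below the file system and work on sectors, but the rules are the ones just described: the 'disk' is never written, every write goes to the cache, reads prefer the cache, and a reboot simply throws the cache away. The 'commit' operation, which folds the cache into the real disk, is what you use when you DO want a change (a Windows security update, say) to survive; it is what ewfmgr's /commit does for the EWF filter discussed further down.

```powershell
# Added example (not from the page, not a vendor's code): a toy copy-on-write
# 'freeze'. Block numbers map to strings; the protected 'disk' is never written.

$script:Disk    = @{}   # the protected volume: survives reboots
$script:Overlay = @{}   # the temporary cache: lives only until the next reboot

function Write-Block([int]$Index, [string]$Data) {
    $script:Overlay[$Index] = $Data          # writes never touch $Disk
}

function Read-Block([int]$Index) {
    if ($script:Overlay.ContainsKey($Index)) { return $script:Overlay[$Index] }   # cached data substituted
    if ($script:Disk.ContainsKey($Index))    { return $script:Disk[$Index] }
    return $null
}

# 'Reboot': nothing to restore, the cache is simply dropped
function Invoke-Reboot { $script:Overlay = @{} }

# Deliberately keep the session's changes (what 'ewfmgr c: /commit' does for EWF)
function Invoke-Commit {
    foreach ($k in @($script:Overlay.Keys)) { $script:Disk[$k] = $script:Overlay[$k] }
    $script:Overlay = @{}
}

# Factory state of the 'disk'
$script:Disk[10] = 'system32 (factory)'
$script:Disk[42] = '<free>'

# Session 1: a 'free trial' installs itself and records its start date in block 42
Write-Block 42 'TrialStart=2015-08-01'
"after install : block 42 = " + (Read-Block 42)
Invoke-Reboot
"after reboot  : block 42 = " + (Read-Block 42)     # back to the factory content; the trial can be installed again

# Session 2: a document saved onto the frozen drive meets the same fate
Write-Block 43 'MyEssay.doc'
Invoke-Reboot
"essay survived the reboot? " + ($null -ne (Read-Block 43))   # save to a non-frozen drive instead

# Session 3: a security update that should persist is committed before the reboot
Write-Block 10 'system32 (patched)'
Invoke-Commit
Invoke-Reboot
"after commit  : block 10 = " + (Read-Block 10)
```

The third session is the part worth remembering: a frozen system only stays patched if someone un-freezes (or commits) before installing the update, which is the administrative cost of the approach.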

A2a. Sandbox software

No doubt a number of Open Source Sandbox utilities exist, with some easier to use than others. Needless to say, you want one that can be 'glued' to specific software (eg MSIE, Firefox) by the Administrator and not 'detached' by your kids or their friends using a normal 'User' or 'Guest' account.

Sandboxie (aka 'SBIE') is quite popular. Despite what some may suggest, this app. is not 'free' = after a 30 day 'trial' it 'nags' you on each launch. However the Sandboxie home life time licences will remove the 'nagging' and covers all the computers you own for only Euro 29.

A2b. System freeze software

Almost all Internet cafe and public computers use the commercial 'Deep Freeze' - a home version is also available, however they ask for your ID (name, email) before allowing you to download the 'free trial' (so give them your disposable 'spam magnet' email address). The 'home' version seems to have been made available 'for free' from other sources (such as magazine front cover disks ?) so it's not at all obvious from their web site if you need (or how to obtain) a Licence.

Microsoft once offered a free utility (for Windows XP and Vista users) called "Windows SteadyState" that performed the same function as 'Deep Freeze'. Unfortunately they withdrew it from download at the end of 2010 = you may still be able to find it on a server outside the reach of Microsoft, however any such source should be treated with extreme suspicion (unless you want a root-kit or key logger).

Fortunately, another Microsoft solution, the EWF (Enhanced Write Filter) from 'Windows XP Embedded' (XPe), is still available. When a drive is 'protected', any changes are held in a RAM 'overlay' instead of being written to the hard disk, and are discarded at reboot unless you explicitly 'commit' them. This can be installed onto Windows XP Pro and used to protect any drive (not just c:) before installing anything.

For a full description of how to install EWF, see my CF card and USB boot page

What does this mean for 'free trials' ?

The astute among you will immediately realise what this means for time-limited 'demo' software .. yes, on each reboot, all trace of the 'demo' you had installed evaporates from your system, so (assuming you saved the download) you can simply re-install it and obtain another 'free trial' (which may explain why Microsoft discontinued "Windows Steady State")

The drawback is, of course, that any work you 'save' to the c: disk is also lost (unless you save it to a 'non-frozen' destination, eg a second / networked hard drive, USB stick, CD/DVD etc.).

How else can I protect my system ?

One rather drastic alternative to 'sandbox' and 'freeze' software is to remove your C: drive and boot your computer from a 'Windows Live' CD (or DVD). This may be a viable approach if you wish to make a totally 'hack proof' computer available for visitors to use e.g. for web browsing.

However whilst a Windows Live system CD may be 'hack proof', other computers on your network are not and these would be vulnerable to infections downloaded by the 'Live' system computer. This suggests you are better off ensuring that all computers used for web browsing are as well protected as possible (with all the latest MS Windows, anti-virus and firewall updates installed as soon as they become available = which won't happen if your system has to be updated and written to CD).

How do I prevent software updates wrecking my PC ?

Be especially aware that your 'favorite' media player can suddenly stop working following an 'update' forced on it (eg. as the result of a US lawsuit).

All commercial applications should be prevented from 'auto-updating' themselves (since the MOST likely result of an 'auto-update' is that it will stop working). Only if you find a problem should you go looking for an update.

Other than your anti-virus (and Firewall), the only exceptions to the "don't update" rule are Windows itself and, perhaps, your Browser. MS Updates should be set (via Settings / Control Panel / Automatic Updates) to 'download and install', since any MS 'critical' update is almost always a fix to a gaping security hole that hackers are already driving a coach & horses through.

To stop commercial software updating itself, use HijackThis to find anything that appears as "RUN:" or "Service:" (not all Services have icons in the Control Panel / Admin Tools / Services window) and see if you can match up the names / folders to your newly installed junk-ware.

If you run a 'lean & mean' system, you will have very few entries in RUN / SERVICE and will be able to 'spot' any intruders immediately. Having identified them, just remove the RUN / SERVICE entry. Note that some annoying software (eg Adobe) checks the Registry at each launch and tries to restore any 'missing' commands = you will, of course, have installed WinPatrol to alert you to any such behaviour (and allow you to put a stop to it).

Not everything that is RUN is an 'update checker'. Many applications try to get parts of themselves 'pre-loaded' into memory after power-on during start-up. The 'justification' is that they will 'launch quicker' when needed. However this behaviour not only wastes time by extending your start-up delay but, by grabbing huge chunks of memory, it forces your computer to actually SLOW DOWN (as the unwanted components have to be 'swapped out' of real memory into Virtual Memory (i.e. to the 'swap file' on disk)). When (or if) you use the application, all the components that loaded themselves from hard disk at start-up then have to be loaded from the hard disk (swap file) instead. One of the worst culprits of this memory grabbing, swap file filling behaviour is Microsoft themselves, with their over-bloated resource hog, MS Office.

Removing an unwanted RUN at start-up time is generally safe - when you first launch the application, it will just load all of itself from hard disk. Of course many applications (especially Adobe ones) also try to leave parts behind in memory to 'speed up the next use'. Unless you have 'lots' of RAM (i.e. at least 4GB on an XP machine, 8GB on Windows 7/8) what actually happens is that this slows down your computer as the 'left behind' components are 'swapped out' to hard disk. The only way to stop this is to reboot your computer after using the offending product.
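Catching a program that quietly puts its RUN entry back, as an added example (not from the page, and not how WinPatrol itself works, which is not public): the watcher below records the raw 'reg query' text of the four Run / RunOnce keys, polls them, and reports any line that appears or disappears. Leave it running in a spare window, launch the suspect application, and see what turns up. The poll interval and run time are this example's own choices.

```powershell
# Added example (not from the page; WinPatrol's own mechanism is not public):
# a tiny watcher that reports any Run / RunOnce value that appears or
# disappears while it runs, e.g. an 'update checker' silently re-added by a
# program when it is launched. Poll interval and run time are this example's choices.

$RunKeys = @(
    'HKLM\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# One text line per value, as reg.exe prints it: '<name>    REG_SZ    <command>'
function Get-RunSnapshot {
    foreach ($key in $RunKeys) {
        $lines = & reg.exe query $key 2>$null        # missing key: no output, no error shown
        foreach ($line in $lines) {
            if ($line.Trim()) { "$key :: $($line.Trim())" }
        }
    }
}

function Watch-RunKeys([int]$IntervalSeconds = 10, [int]$Minutes = 30) {
    $baseline = @(Get-RunSnapshot)
    $deadline = (Get-Date).AddMinutes($Minutes)
    "Watching $($RunKeys.Count) keys ($($baseline.Count) lines in baseline) until $deadline"
    while ((Get-Date) -lt $deadline) {
        Start-Sleep -Seconds $IntervalSeconds
        $now  = @(Get-RunSnapshot)
        $diff = Compare-Object -ReferenceObject $baseline -DifferenceObject $now
        if ($diff) {
            "$(Get-Date -Format 'HH:mm:ss') start-up entries changed:"
            foreach ($d in $diff) {
                # '=>' means the line exists only in the new snapshot, '<=' only in the old one
                $what = if ($d.SideIndicator -eq '=>') { 'ADDED  ' } else { 'REMOVED' }
                "  $what $($d.InputObject)"
            }
            $baseline = $now     # report each change once, then watch from the new state
        }
    }
}

Watch-RunKeys -IntervalSeconds 10 -Minutes 30
```

A change in an existing value shows up as one REMOVED line followed by one ADDED line for the same name. The watcher only covers the Run / RunOnce keys the page talks about; a program can equally re-create a Service or a Startup-folder shortcut, which this loop would not see.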

What software tries to auto-update ?

These days, almost all of them. Here is a partial list of those I've had to stop auto-updating via Run: or Service:

qttask = QuickTime update checker (you should be using the QuickTime Alternative anyway)
iTunesHelper = the iTunes Helper (you should not be using iTunes ..)
GoogleToolbarNotifier = makes sure Google always knows what you are doing
realsched = Real Player update scheduler (realsched.exe, which also 'pops up' an annoying window)
ISUSPM.exe = InstallShield UpdateService, a 'generic' module, used by many apps to check for updates.
*Adobe* = always kill any RUN attempts from Adobe (typically these are hidden in your Registry) as a matter of course.
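The "Service:" half of the list above, as an added example (not from the page): services set to start automatically whose program lives outside the Windows folder are listed, any whose name, display name or path matches one of the names above is flagged, and a chosen one is stopped and set to 'Disabled' so that it cannot be restarted at the next boot. Run it from an elevated prompt. The pattern list adds the vendor names 'Google' and 'Adobe' to the page's own entries (my choice); the service name in the last line is hypothetical.

```powershell
# Added example (not from the page): find auto-start services that live outside
# the Windows folder, flag those matching a known updater name, and disable one.
# Run elevated. 'Google' and 'Adobe' are my additions to the page's list; the
# service name at the bottom is hypothetical.

$UpdaterPatterns = 'qttask', 'iTunesHelper', 'GoogleToolbar', 'Google', 'realsched', 'ISUSPM', 'Adobe'

function Get-ThirdPartyAutoServices {
    $winDir = $env:SystemRoot      # e.g. C:\Windows: anything under here is left alone
    foreach ($svc in Get-WmiObject -Class Win32_Service) {
        if ($svc.StartMode -ne 'Auto') { continue }
        if (-not $svc.PathName -or $svc.PathName -like "*$winDir\*") { continue }
        $hit = $UpdaterPatterns | Where-Object {
            $svc.Name -like "*$_*" -or $svc.DisplayName -like "*$_*" -or $svc.PathName -like "*$_*"
        } | Select-Object -First 1
        $flag = ''
        if ($hit) { $flag = "updater? ($hit)" }
        New-Object PSObject -Property @{ Name = $svc.Name; State = $svc.State; Path = $svc.PathName; Flag = $flag }
    }
}

# Stop the service and set it to 'Disabled' so nothing can start it again at boot
function Disable-UpdaterService([string]$Name) {
    $svc = Get-Service -Name $Name -ErrorAction Stop
    if ($svc.Status -eq 'Running') { Stop-Service -Name $Name -Force }
    Set-Service -Name $Name -StartupType Disabled
    "$Name : now $((Get-Service -Name $Name).Status), start-up type Disabled"
}

Get-ThirdPartyAutoServices | Sort-Object Flag -Descending | Format-Table Name, State, Flag, Path -AutoSize -Wrap

# e.g. for a service called 'VendorUpdateSvc' (hypothetical name) flagged above:
# Disable-UpdaterService -Name 'VendorUpdateSvc'
```

Everything that is NOT flagged still deserves a look: the Path column tells you which vendor put it there, which is usually enough to match it to your newly installed junk-ware. Services are preferred over 'Disabled' rather than deleted so that the vendor's own uninstaller still finds what it expects.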

How do I avoid being recruited to a 'Bot Net' ?

A1. First follow my recommendations on how to Disable useless and dangerous Services. This will prevent most attempts to automatically download and run malicious software 'behind your back'.

A2. Next, NEVER, EVER use ANY version of MSIE to 'surf' the web. All versions of MSIE support Microsoft Update, i.e. they allow automatic, background (i.e. hidden from the user) download and installation of software at the Operating System level ! This means MSIE is QUITE CAPABLE of doing the same with some criminal's Bot Net software !

Also, note that other browsers (such as Firefox) are not somehow magically 'immune' to a criminal's web site that attempts to 'con' you into running their software - although if you surf with Firefox plus the uBlock, NoScript and FlashBlock 'plug-ins' you will avoid MOST of the fake 'virus warning' pop-ups etc. Unlike MSIE, Firefox itself may be INCAPABLE of automatically installing software, but there is nothing to prevent YOU from downloading, running and installing malicious software yourself.

A3. NEVER run ANY software from any 'unknown' web site. Be aware that the Bot Net 'recruiters' routinely 'hack' and change hundreds of thousands of web pages to direct users to their Trojan downloads. They also attempt to 'impersonate'** legitimate download sites (such as SourceForge & CNet etc.) - so pay careful attention to the address that appears in your browser's address bar before downloading !

** If you disable your computer's own DNS Client service you are less likely to get 'caught' like this - it's relatively simple for something already running on your machine to change a name-to-address mapping by modifying the contents of your computer's DNS 'cache' (or the HOSTS file, which the resolver consults before any DNS lookup is made), however it's a LOT harder for the criminal to modify the contents of your ISP's DNS Servers.
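Checking the local side of that footnote, as an added example (not from the page): the script reports whether the DNS Client service is running, lists every HOSTS-file entry that points a name somewhere other than the local machine, flushes the local cache, and then shows what the machine actually resolves a download site to. The site names are just examples of ones to check; the script sends nothing anywhere except the lookups themselves.

```powershell
# Added example (not from the page): the three local things that can redirect a
# download site's name before your ISP's DNS is even asked. The site names are
# examples only.

$DownloadSites = 'sourceforge.net', 'download.cnet.com'

# Is the local cache (the 'DNS Client' service, internal name Dnscache) running at all?
function Get-DnsClientState {
    $svc = Get-Service -Name Dnscache -ErrorAction SilentlyContinue
    if ($svc) { "DNS Client service: $($svc.Status)" } else { "DNS Client service: not present" }
}

# HOSTS entries that map a name to anything other than the local machine
function Get-SuspiciousHostsEntries {
    $hostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    foreach ($raw in Get-Content -Path $hostsFile) {
        $line = ($raw -split '#')[0].Trim()          # drop comments and blank lines
        if (-not $line) { continue }
        $parts = $line -split '\s+'
        if ($parts.Count -lt 2) { continue }
        $ip    = $parts[0]
        $names = $parts[1..($parts.Count - 1)] -join ' '
        # 127.0.0.1 / ::1 are the normal localhost lines; 0.0.0.0 is what ad-blocking lists use
        if (@('127.0.0.1', '::1', '0.0.0.0') -notcontains $ip) {
            New-Object PSObject -Property @{ Address = $ip; Names = $names }
        }
    }
}

# What this machine resolves each site to, via HOSTS, the local cache and then the configured DNS server
function Resolve-DownloadSite {
    foreach ($site in $DownloadSites) {
        try {
            $addrs = [System.Net.Dns]::GetHostAddresses($site) | ForEach-Object { $_.IPAddressToString }
            "$site -> $($addrs -join ', ')"
        } catch {
            "$site -> lookup failed: $($_.Exception.Message)"
        }
    }
}

Get-DnsClientState
$bad = @(Get-SuspiciousHostsEntries)
if ($bad.Count -eq 0) { "HOSTS file: nothing points away from this machine" }
else { "HOSTS file entries to explain:"; $bad | Format-Table Address, Names -AutoSize }
& ipconfig.exe /flushdns | Out-Null           # start from an empty cache, then resolve fresh
Resolve-DownloadSite
```

The last step deliberately goes through the normal Windows resolver, so a HOSTS entry WILL show up in its answer; 'nslookup sourceforge.net' asks the configured DNS server directly and ignores HOSTS, so if the two disagree you have found exactly the kind of local redirection the footnote describes.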

A4. Make sure MS Updates are enabled and set to auto-download and install. Microsoft is very active** in the 'anti-Bot Net' arena and often sends out 'malicious software removal tool' updates

** Although Windows XP is 'out of support', Microsoft is still (as of Aug 2015) issuing the occasional "Malicious software removal tool" auto-update for XP systems

A5. When WinPatrol, Zone Alarm/CoMoDo or AVG/Avast! etc. pops up a 'Warning', DON'T just click 'OK' and forget about it .. investigate WHY = it may be the only indication you get that you have been 'hacked' !

Updating your Router firmware

Much Bot Net software incorporates its own TCP/IP 'stack' allowing it to bypass a software firewall (such as Zone Alarm) and obtain direct access to your network link. This means that your ROUTER is your only real defence against Bot Net (or Key Logger) software 'phoning home' = so NEVER EVER 'open' any 'Ports' for some useless 'game' or other software that might ask (all legitimate software will communicate on the 'standard' ports - anything that does not should be removed !).

So is it worth updating your Router firmware ? The quick answer is 'yes', however be aware that this is fraught with difficulties.

First you must make sure you have the 'real' firmware (and not some criminal's crippled version designed to let them in), so it must come from the Manufacturer's own web site (and not a 'copy' that has been helpfully 'posted' to some innocent public 'repository' - yes, the crooks 'post up' crippled / root-kitted software all the time and sit back waiting for the 'newbie' user to fall into their trap). If the manufacturer publishes a checksum for the firmware file, compare it against your download before flashing.

Next, you will have to make a note of all your Router settings (some allow you to 'back-up' the settings to a file on your PC - if yours is one such, do it now :-) ) - especially the account 'name' and 'password' used by the Router to access your ISP (the firmware update may wipe all this).

Finally, chances are you will need a physical Ethernet cable to access the router after the update (since, chances are, even if it lets you 'update' over WiFi, the firmware update will have reset the access password and all the WiFi settings to the 'factory default' = which might even be 'WiFi disabled').

