Some attacks, such as those carried out by spyware and phishing, collect data about the user (keystrokes, passwords, browsing habits) that an attacker can then use to obtain confidential information.
You should run virus and spyware scanning programs to detect and remove unwanted software. Many browsers now come equipped with special tools and settings that prevent the operation of several forms of malicious software. It may take several different programs and multiple scans to completely remove all malicious software. Run only one real-time malware protection program at a time; two resident scanners compete for the same files and can block or slow each other, although on-demand scanners can be run in turn.
- Virus protection - An antivirus program typically runs automatically in the background and monitors for problems. When a virus is detected, the user is warned, and the program attempts to quarantine or delete the virus, as shown in Figure 1.
- Spyware protection - Antispyware programs scan for keyloggers, which record your keystrokes, and other spyware so that the unwanted software can be removed from the computer, as shown in Figure 2.
- Adware protection - Anti-adware programs look for programs that display advertising on your computer.
- Phishing protection - Antiphishing programs check the sites you visit against lists of known phishing URLs and domains, block the ones that match, and warn the user about suspicious websites.
NOTE: Malicious software can become embedded in the operating system. Special removal tools are available from security software development companies that clean the operating system.
Rogue Antivirus
When browsing the Internet, it is common to see advertisements for products and software. These advertisements can be a method for infecting a user’s computer. Some of these ads display messages that indicate the user’s computer is infected by a virus or other malware. The ad or pop-up may look like an actual Windows warning window stating that the computer is infected and must be cleaned, as shown in Figure 3. Clicking Remove, Clean, OK, or even Cancel or Exit may begin the download and installation of the malware. This type of attack is called rogue antivirus.
When faced with a warning window that is suspect, never click inside the warning window. Close the tab or the browser to see if the warning window goes away. If the tab or browser does not close, press ALT+F4 to close the window or use the task manager to end the program. If the warning window does not go away, scan the computer using a known, good antivirus or adware protection program to ensure that the computer is not infected.
Remediating Infected Systems
When a malware protection program detects that a computer is infected, it removes or quarantines the threat. But the computer is most likely still at risk. The first step to remediating an infected computer is to remove the computer from the network to prevent other computers from becoming infected. Physically unplug all network cables from the computer and disable all wireless connections.
The next step is to follow any incident response policies that are in place. This may include notifying IT personnel, saving log files to removable media, or turning off the computer. For a home user, update the malicious software protection programs that are installed and perform full scans of all media installed in the computer. Many antivirus programs can be set to run on system start before loading Windows. This allows the program to access all areas of the disk without being affected by the operating system or any malware.
Viruses and worms can be difficult to remove from a computer. Software tools are required to remove viruses and repair the computer code that the virus has modified. These software tools are provided by operating system manufacturers and security software companies. Make sure that you download these tools from a legitimate site.
Boot the computer in Safe Mode to prevent most drivers from loading. Install additional malware protection programs and perform full scans to remove or quarantine additional malware. It may be necessary to contact a specialist to ensure that the computer has been completely cleaned. In some cases, the computer must be reformatted and restored from a backup, or the operating system may need to be reinstalled.
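The isolation, log-preservation and Safe Mode steps above, scripted as an added example (this is not code from the course; the page describes the steps only in prose). It is written for an elevated PowerShell prompt and assumes that the removable evidence drive is E:\ (change $Evidence if not), an English-language Windows 7 or later with PowerShell 2.0 or newer, and that the Disable-NetAdapter cmdlet exists (Windows 8 and later); on Windows 7 the netsh fallback is used.

```powershell
# Added example, not part of the original course text. First-response steps on a
# Windows machine suspected of infection, run from an elevated PowerShell prompt.
# Assumed: the removable evidence drive is E:\ (adjust $Evidence), English-language
# Windows 7 or later with PowerShell 2.0+. The Disable-NetAdapter branch needs
# Windows 8 or later; Windows 7 takes the netsh branch.

$Evidence = "E:\ir-$(Get-Date -Format 'yyyyMMdd-HHmmss')"
New-Item -ItemType Directory -Path $Evidence -Force | Out-Null

# 1. Record volatile state BEFORE cutting the network: the list of open
#    connections, and the processes behind them, disappears once the link drops.
netstat -ano | Out-File "$Evidence\netstat.txt"
Get-Process | Sort-Object Id |
    Format-Table Id, ProcessName, Path -AutoSize | Out-File "$Evidence\processes.txt" -Width 300
Get-Service | Out-File "$Evidence\services.txt"

# 2. Isolate the host: disable every adapter, wireless included.
if (Get-Command Disable-NetAdapter -ErrorAction SilentlyContinue) {
    Get-NetAdapter | Where-Object { $_.Status -eq 'Up' } | Disable-NetAdapter -Confirm:$false
} else {
    # Windows 7 fallback: netsh has no "all interfaces" switch, so walk the list.
    # The match on 'Enabled' assumes English netsh output.
    netsh interface show interface | Select-String 'Enabled' | ForEach-Object {
        $name = ($_.Line -split '\s{2,}')[-1]
        netsh interface set interface "$name" admin=disabled
    }
}

# 3. Copy the event logs to the removable drive. wevtutil exports the .evtx file
#    intact, so the records survive even if the malware later clears the logs.
foreach ($log in 'System', 'Security', 'Application') {
    wevtutil epl $log "$Evidence\$log.evtx"
}

# 4. Make the next boot a Safe Mode boot so most drivers and third-party services
#    are not loaded when the full scans run. Undo it after the cleanup with:
#    bcdedit /deletevalue "{current}" safeboot
bcdedit /set "{current}" safeboot minimal

Write-Output "Evidence written to $Evidence. Reboot to scan in Safe Mode."
```

Step 1 runs before isolation because a netstat snapshot takes a second and is the only record of which remote hosts the machine was talking to; if the local incident response policy says to pull the cable first, do that and skip step 1. The script also only supplements physical disconnection: malware that hooks the running system can interfere with any command run on the infected host, so the page's advice to unplug cables and switch off wireless still applies.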
The System Restore service may include infected files in a restore point. After the computer has been cleaned of any malware, the existing restore points should be deleted. If System Restore is used later, only the restore points created after the cleanup are listed, so the rollback cannot reintroduce infected files.
To delete the current system restore files in Windows 7, follow these steps:
Step 1. Right-click Computer > Properties > System Protection tab.
Step 2. Select the drive that contains the restore points you wish to delete.
Step 3. Click Configure….
Step 4. Click Delete next to Delete all restore points (this includes system settings and previous versions of files).
In Windows Vista and Windows XP, follow these steps:
Step 1. Create a restore point, so that the single point Disk Cleanup keeps is a clean one.
Step 2. Right-click the drive that contains the restore points you wish to delete.
Step 3. Select Properties > General tab > Disk Cleanup.
Step 4. Windows will analyze the disk.
Step 5. In the Disk Cleanup for (C:) window, click the More Options tab > Clean up….
Step 6. Click Delete in the Disk Cleanup window to delete all but the most recent restore point.
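The same cleanup from the command line, as an added example (not from the course text). It uses the System Restore cmdlets that ship with Windows PowerShell on client editions of Windows 7 and later; the assumed system drive is C:\, and the prompt must be elevated. Disabling System Protection on a drive discards all of its restore points, which is the same action as the Delete button on the System Protection tab, so the script disables it, re-enables it, and then creates a fresh baseline.

```powershell
# Added example, not part of the original course text. Removes the restore points
# left on the system drive after a malware cleanup and creates a fresh, clean one.
# Run from an elevated PowerShell prompt on Windows 7 or later (client editions;
# these cmdlets are not present on Windows Server). Assumed system drive: C:\.

$Drive = 'C:\'

# Record what exists before deleting anything; keep this with the incident notes.
$before = Get-ComputerRestorePoint
$before | Format-Table SequenceNumber, CreationTime, Description -AutoSize

# Turning System Protection off discards every restore point on that drive, the
# same action as the Delete button on the System Protection tab. Re-enabling it
# then starts with an empty restore point store.
Disable-ComputerRestore -Drive $Drive
Enable-ComputerRestore  -Drive $Drive

# Create a known-clean baseline so a later System Restore cannot land on a
# snapshot that still contains infected files.
Checkpoint-Computer -Description 'Post-malware cleanup baseline' -RestorePointType MODIFY_SETTINGS

# Verify: only the new point should be listed.
$after = Get-ComputerRestorePoint
$after | Format-Table SequenceNumber, CreationTime, Description -AutoSize
if (@($after).Count -ne 1) {
    Write-Warning "Expected exactly one restore point, found $(@($after).Count); check System Protection settings."
}
```

Restore points are stored as Volume Shadow Copy snapshots, so `vssadmin delete shadows /for=C: /all /quiet` from an elevated prompt removes them as well (this is the same command ransomware runs to destroy rollback options, which is why it should only ever be run after the cleanup scans). Windows 8 and later limit automatic restore point creation to one per 24 hours by default, so Checkpoint-Computer may warn and skip if a point was created recently; in that case take the baseline through the System Protection tab or wait out the interval.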