This category is dedicated to all malware (short for "malicious software"), including viruses, worms, adware, and spyware. If you think your computer may be contaminated with malware, please follow the twelve-step removal process detailed below.
A virus is a malicious program that attaches itself to another program in order to spread itself. This can make them difficult to remove without affecting other programs. Note that for prevention and clean-up purposes, trojans are considered to be in the same category, although they are technically distinct.
The most common source of viruses is free software, both legal and otherwise, downloaded from the internet. You should always be cautious when downloading software. Your anti-virus software may have a feature that scans downloaded files for viruses, but this is usually not turned on by default. On a Windows computer with McAfee, you can right-click on any file or folder and select "Scan for Viruses." However, remember that not all viruses can be detected by anti-virus software.
E-mail attachments are another very common source of viruses. Remember that the "From" line in e-mails cannot be trusted. Several viruses in recent years have sent themselves to Carleton students attached to e-mails that claim to be from other Carleton students, or even from ITS. Infected attachments can also disguise themselves; for example, a file that appears to be a picture can actually be a virus. Special viruses called macro viruses can embed themselves in a Word document. The SCIC strongly urges you to only open attachments if you are expecting them. If you are uncertain, the safest thing to do is to reply to the e-mail and ask if the sender really sent that attachment.
Viruses can usually be removed using anti-virus software, although there are exceptions. The most important thing is to update your anti-virus software. Updates give your anti-virus software the information it needs to remove the latest viruses. Carleton strongly urges you to update and run your anti-virus software at least once a week. Even if you do not think you have a virus, it is very possible that you have one. It could be damaging your system, or even using your network connection to disrupt the Carleton network.
If you are using a Windows computer, the McAfee anti-virus software Carleton uses is set up to scan your system every time you boot it. However, it is not set to update automatically; this must be done manually. Instructions for doing this can be found at the McAfee topic. SCIC workers attempting to remove viruses from student computers usually find that McAfee is installed, but has never been updated. If the virus cannot be removed in this way, see the "If you need help" section below.
A worm is a malicious program that can install itself on your computer without being attached to another program. Some worms are able to spread themselves without the user downloading any files. The possibility of worm attacks is a primary reason for requiring registration before a computer can access the network.
Download all critical (security) updates for your operating system and other risk-prone software (browser, e-mail client, media player) on a weekly basis. Both Windows and MacOS have the ability to update themselves automatically, but this feature must be turned on manually, and the system must be rebooted in order for the updates to be applied. These security updates prevent worms from being able to "hack in" to the system. SCIC workers attempting to remove worms usually find that the system has never been updated.
If an especially important update is released, particularly one that is necessary to repel a new worm, you may receive an e-mail from ITS asking you to update your system immediately. Note that such an e-mail will never have an attachment; an e-mail with an attachment claiming to be from ITS is most likely carrying a virus. Instead, any legitimate e-mail will ask you to run your operating system's update program, or to download a patch from a page at Carleton.edu. The reason for putting the patch on Carleton.edu is that downloads from that site travel over the network, rather than over the internet, allowing you to download the update more quickly and without using the college's bandwidth.
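The e-mail checks described above (an untrustworthy "From" line, attachments disguised as pictures, macro-capable documents, and the rule that ITS mail never carries an attachment), as an added example that is not part of the original page. The extension lists, the ITS-matching heuristic, and the sample message are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Illustrative, non-exhaustive extension lists (assumptions, not from the page).
EXECUTABLE = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}
MACRO_DOCS = {".doc", ".dot", ".xls", ".docm", ".xlsm"}   # can carry macro viruses
DECOYS = {".jpg", ".jpeg", ".gif", ".png", ".txt", ".pdf"}  # "picture" disguises

def split_ext(name):
    """'photo.jpg.exe' -> ('.jpg', '.exe'); the last extension decides how it opens."""
    parts = name.lower().rstrip(". ").split(".")
    final = "." + parts[-1] if len(parts) > 1 else ""
    inner = "." + parts[-2] if len(parts) > 2 else ""
    return inner, final

def triage(raw_message):
    """Return warnings for one raw e-mail; an empty list means no rule fired."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    names = [p.get_filename() for p in msg.walk() if p.get_filename()]
    warnings = []
    # The From line is sender-controlled; genuine ITS mail never has an attachment.
    claims_its = "its" in display.lower().split() or addr.lower().startswith("its@")
    if names and claims_its:
        warnings.append("claims to be from ITS but carries an attachment")
    for name in names:
        inner, final = split_ext(name)
        if final in EXECUTABLE and inner in DECOYS:
            warnings.append(f"{name}: executable disguised as {inner}")
        elif final in EXECUTABLE:
            warnings.append(f"{name}: executable attachment")
        elif final in MACRO_DOCS:
            warnings.append(f"{name}: document type that can carry macros")
    return warnings

# Constructed sample message (address and file name are made up).
SAMPLE = """\
From: "Carleton ITS" <its@example.edu>
Content-Type: multipart/mixed; boundary="XX"

--XX

Install the attached patch immediately.
--XX
Content-Disposition: attachment; filename="patch.jpg.scr"

AAAA
--XX--
"""
if __name__ == "__main__": print(triage(SAMPLE))
```

A message that passes these checks is not thereby safe; the rules only catch the disguises named above.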
If you are infected with a worm, the most important first step is to disconnect your computer from the network. Remove all ethernet cables and deactivate all wireless components. This will prevent the worm from spreading over the network or using up campus bandwidth.
Then run your anti-virus program. (On a Windows machine, it is best to run it in safe mode.) If your anti-virus scan failed to remove the worm, do not connect your computer to the network in order to download updates for your anti-virus software. Rather, see the "If you need help" section below.
Spyware is software that may serve some other purpose (commonly file-sharing or a utility) but also collects personal information from your computer and sends it over the internet.
Most spyware is a component of free software downloaded from the internet. Programs that are well-known to cause spyware installation include Kazaa, Weatherbug and other file-sharing programs. Sometimes it is difficult to tell whether a program is a spyware risk or not. Generally, software from well-known corporations (such as Adobe) and open-source projects (such as those available from SourceForge) can be trusted, while software from individual or small developers, including shareware, is more suspect. For more information on specific programs you can refer to either SpywareInfo.com or SpywareGuide.com. Spyware can also infect your computer if you are using an insecure browser, such as Internet Explorer, without a firewall.
Most users of infected computers are not aware that their computer has spyware on it. Therefore, Carleton recommends that all users update and run an anti-adware program on a regular basis. If this software cannot remove the spyware, see the "If you need help" section below.
Adware is software that displays advertisements to the user of a computer. It is often associated with spyware.
The recommended precautions for preventing adware are similar to those for preventing spyware (see above). Additionally, Carleton recommends using the Mozilla (or Firefox) browser rather than the one bundled with your operating system. Particularly, Internet Explorer is known to have had significant security issues, making it a common vehicle for adware delivery.
The clean-up process for adware is the same as that for spyware (see above), because anti-adware programs are used to remove both.
If your computer is infected and you are unable to remove the malware yourself, you can:
- If you are a student, bring it to the SCIC.
- If you are faculty or staff, bring it to ITS.
They will attempt to manually remove malware that could not be removed by your anti-virus or anti-spyware software. However, in order to do so, they may have to remove installed programs from your computer, particularly if a virus has attached itself to that program.
If all else fails, you may have to wipe your hard drive and do a clean install of your operating system.
Is your computer a Mac? If so, you are probably not suffering from virus problems but something else. There are hardly any known viruses that affect Macs; for more info, see MacOS.
As for PCs...
Sometimes it’s pretty hard to tell that you have a virus, unless you know what symptoms to look for (just like in the real world!). Here are a few:
1) You’ve noticed that your computer has been running a lot slower lately, especially during startup, but also just during general usage (browsing the web, checking e-mail, playing music), and you can’t remember installing anything new which might be the cause of this.
2) You’ve received an e-mail from Les LaCroix (llacroix@carleton.edu) telling you that you have a virus and that you need to clean your system or you will be disconnected from the Carleton ResNet (however, if the e-mail has an attachment, it’s probably not really from Les, and you should not open it!).
3) McAfee VirusScan or another virus scan program tells you that it has found a virus.
If you have a virus, clean it.
Is your computer a Mac? If so, you are probably not suffering from virus problems but something else. There are hardly any known viruses that affect Macs; for more info, see MacOS.
As for PCs...
If you’re not sure whether you’re infected with either a virus or adware, it’s best just to check for both. Please don't be daunted by the length of the twelve steps below; they are long because they are important, detailed, and thorough.
Step 1: Remove unnecessary, pernicious software. If the computer is bootable in normal mode (if not, skip to step ten), go to the Add/Remove Programs control panel and remove any Norton-related programs (when Norton and McAfee are both installed, they conflict with each other, and Carleton only supports McAfee) and any peer-to-peer software such as Kazaa, Morpheus, or Audiogalaxy. Furthermore, delete McAfee VirusScan. Why? Perhaps it has become compromised by viruses and needs to be reinstalled to be effective.
Step 2: For XP and ME users, go to Start-->Run and type in msconfig. In the Startup tab, disable all checked off items except for SHSTAT and UpdaterUI.
Step 3: Reinstall the necessary software in normal mode. If you do not have a CD or flashdrive with this software and its updates, then go to http://www.carleton.edu/campus/its/resnet/software and download McAfee VirusScan. If your computer is not registered, https://register.res.carleton.edu should allow you to download McAfee from the above resnet link. To determine whether or not your computer is registered, check its IP Address.
If you cannot receive network access, not even to the registration page, come to the SCIC to get these pieces of software.
Step 4: Click on the link provided in the same page which will direct you to a place where you can download AdAware, a spyware removal program. We also have a program called Stinger, which is basically a stripped-down version of McAfee; it does not require installation (all you have to do is download the file and run it), nor does it scan for all viruses, just the most widespread, current ones. The full version of McAfee is always preferable and Stinger should be used only in cases in which you cannot even successfully install McAfee. If a reinstallation of McAfee cannot occur for some reason, try running Stinger in Safe Mode by pressing F5 or F8 as your computer boots up (see step six).
Install McAfee, SpyBot, and Ad-Aware: Double-click the files you’ve downloaded (you should have made sure to watch where they were saved, and if you did not, you can search for them on your computer or download them again), one at a time, and follow the setup instructions (Note: you do not need to change any of the settings in the setup, so it’s mostly just pressing “Next” a bunch of times). If you do not have a recent SuperDAT file, download it from the McAfee website.
Step 5: Disable System Restore: Skip this step if you have Windows 2000.
To disable System Restore in Windows ME:
1. Click Start > Settings > Control Panel.
2. Double-click the System icon (Note: If the System icon is not visible, click "View all Control Panel options" to display it).
3. On the Performance tab click File System.
4. Click the Troubleshooting tab, and then check Disable System Restore.
5. Click OK. Click Yes when you are prompted to restart Windows.
To disable System Restore in Windows XP:
1. Click Start > Programs > Accessories > Windows Explorer.
2. Right-click My Computer and then click Properties.
3. Click the System Restore tab.
4. Check the "Turn off System Restore" or "Turn off System Restore on all drives" check box.
Step 6: Reboot into Safe Mode: The basic method for restarting in Safe Mode on every Windows machine is the same, but it requires a bit of cunning and skill. When your computer restarts (don’t worry, if it finished restarting after step 4, you can just restart again), begin tapping the F5 or F8 key (maybe two taps per second) as soon as you see something on the screen, and continue to tap until you see the Advanced Options menu. It looks slightly different in each version of Windows, but all should give you an option to start in Safe Mode. Select “Safe Mode”, and press enter.
Step 7: At this point it is essential that you disconnect your computer from our network to prevent the further spread of possible viruses from your machine (yes, some viruses can jump from machine to machine on our network without you doing anything). Install the SuperDAT to have a fully updated McAfee. McAfee should do this during setup (and automatically from then on) when you install the “SuperDAT” part of the program (don’t worry, this happens automatically).
Step 8: Get rid of all that malware!: We’ll start by running Ad-Aware 6.0. Double-click the program icon on the desktop, and click “Start”. Continue to click “Next” (without changing any options) until the program begins scanning. When it has finished, click “Next” or “Finish”, select ALL the items on the following page (by right-clicking on one and selecting “Select All”), click “Next” or “Finish”, and close the program. Next, open the Start Menu, go to Programs (or All Programs), move the cursor over “Network Associates”, and select “On-Demand Scanner”. When the program finishes opening, click “Scan Now”. When it’s finished, delete or clean all the malware it finds.
Step 9: Turn System Restore back on: Skip this step if you’re running Windows 2000.
To enable Windows Me System Restore:
1. Click Start > Settings > Control Panel.
2. Double-click System.
3. On the Performance tab click File System.
4. On the Troubleshooting tab, uncheck Disable System Restore.
5. Click OK. Click Yes when you are prompted to restart Windows.
To turn on Windows XP System Restore:
1. Click Start.
2. Right-click My Computer, and then click Properties.
3. Click the System Restore tab.
4. Uncheck the "Turn off System Restore" or "Turn off System Restore on all drives" check box.
5. Click Apply, and then click OK.
Step 10: Install Ad-Aware and SpyBot updates. In Ad-Aware, open the program (usually from a shortcut on your desktop), and click “Check for updates now” in the lower right. Click “Connect” and then OK to download the update. In SpyBot, in the right hand side, choose check for updates and select all that are available and download them. When updates from both programs are finished downloading, click “Finish” and run them both again.
Step 11: Windows Update: Either directly after you press start, or when you highlight “All Programs” or “Programs”, you should see something called “Windows Update”. Click on the button, and follow the included instructions (press Yes at the security window, if necessary, tell it to scan your computer for updates, and install all critical updates). Whereas virus scanners (like McAfee) remove viruses once they are on your computer, installing these updates helps to prevent viruses from ever getting on your computer and spreading to others. IT IS EXTREMELY IMPORTANT FOR YOU TO INSTALL THESE UPDATES.
Step 12: Download a better browser than Internet Explorer, like Mozilla Firefox.
That’s it: If your computer is still having problems, it’s probably time to bring it into the SCIC, where a student computing specialist will take a look at it for you, and depending on the severity of the problem, will have it back to you within 1-3 days.
How do I check the currency of the DAT file?
To find this, open Programs -> Network Associates -> VirusScan Console. Then open the Help menu and choose About. This should list the date of the current DAT file. If it is up to date, you can just run the virus scan and it should find and remove the virus.
If your virus scan has found a virus (or any other piece of malware), but it can't remove it, go into Safe Mode before running virus scan.