Lesson VI - Pick Up The Pieces

The worst mistakes you can make as a computer user have nothing to do with pressing the wrong button, accidentally changing the system settings, or paying too much for soon-to-be-obsolete hardware. As unsettling as these mistakes may be, you can easily fix them or live with the consequences.
No, the worst mistakes you can make as a computer user are failing to have a regular backup routine and not running an up-to-date anti-virus utility. Far too many computer users make these mistakes every day, and far too many computer users end up regretting these mistakes when their hard drives crash or become infected with viruses (self-replicating files designed specifically to vandalize digital data).
The good news in all of this is that you can minimize the damage a virus infection causes (in contrast, you cannot minimize the damage lost data causes; once gone, it’s gone). The key lies in responding quickly and correctly.

Spot The Symptoms

The first step in solving any problem is discovering that one exists and identifying it. That’s where anti-virus utilities come in handy. These programs, of which Symantec’s Norton Anti-virus and McAfee Virus-Scan Home Edition are among the most popular, not only help prevent virus infections from happening in the first place, they also can identify an infection shortly after the virus strikes.
But what if you don’t have an anti-virus utility? Well, then you have to learn how to spot the virus yourself. That’s easy when the virus reveals itself in a way that puts all doubt to rest, but few viruses are so ostentatious. Most of the time, diagnosing a virus requires the ability to detect subtle changes in a computer’s performance or configuration. Virus symptoms vary widely, of course, but you can increase the odds of recognizing an infection simply by knowing about the most common warning signs.

Other people say you have a virus!

Next to an anti-virus utility, the most reliable source for determining that you have a virus is other people—and you’d better believe they will let you know if you have one. The first time a worm (destructive program designed to propagate itself across a network) seizes your email application and distributes itself to every name in your address book, for instance, you undoubtedly will receive numerous messages and phone calls from friends and colleagues to tell you what happened. The same is true if you try to share a file infected with a macro virus (virus that exists within a data file, such as a text document or spreadsheet).

Unusual computer behavior

Industry sources place the number of known viruses at more than 62,000. In light of that fact, it’s fair to assume your PC will catch one eventually. If it does and your computer doesn’t have anti-virus software protecting it, you’d better hope the virus announces its presence immediately through obvious displays of unusual behavior. Otherwise, how will you know it’s there?
Common examples of virus-induced behavior include peculiar graphics or messages that appear on-screen when you attempt some sort of action, such as opening a file, closing a program, or moving your on-screen pointer close to an icon (which makes it disappear or move suddenly, thanks to a virus). In addition, you may notice an increase in the number of error messages that appear without any obvious cause, audio files that play suddenly for no apparent reason, as well as pop-up messages that ask you to supply personal information, including your Social Security number or credit card number.
A virus also may be the culprit behind a haunted computer, which you may think you have if the on-screen pointer moves on its own or windows open and close by themselves. Such behavior indicates that someone has remote control of your system. That can happen if a virus or Trojan horse (program that claims to be one thing, while actually doing something else) infected your PC.

Disabled software and settings

When configured correctly, your anti-virus software should launch automatically each time you start your PC. It also should look for viruses in every file you open or save, every email message you read, and every web page you visit. You should become a little nervous if you notice that the anti-virus utility suddenly stops doing these types of things and you know you didn’t disable the software yourself. Some of the most recent viruses can now disable anti-virus software and spread themselves without detection.
In addition to disabling the anti-virus software, viruses also may disable firewalls and reconfigure key system settings. The only way to recognize these changes is by paying close attention to system performance.

Trouble with files

Some viruses will delete files at random; others will add files to the hard drive. Then there are viruses that only vandalize portions of files, corrupting them so you can’t use them anymore. However the virus does its damage, the results are the same: a malfunctioning PC and data loss.
The file-related malfunction can manifest itself in many visible ways, including error messages that indicate the computer cannot find a necessary file; programs that don’t open when you click their shortcuts on the Start menu or Desktop; and program features that don’t work properly, if at all. In addition, files might contain gibberish or nonsense characters instead of the information you expected or files might seem to disappear from folders where you saved them.
You can verify that a file is missing by performing a physical search for it. Open the Start menu and use the Search or Find utility to locate the file on your system. You can verify file corruption by locating the damaged file on your computer (browsing your hard drive via My Computer or Windows Explorer can help you do that) and comparing its size (in bytes) to similar files on your system. Corrupt files often contain significantly more or less data than you would expect.
Finally, you can verify the presence of new files by checking the sizes of folders on your hard drive. A folder that suddenly occupies an inordinately large amount of space may contain infected files.
Many of these signs are quite subtle, and your ability to recognize them depends largely on your familiarity with what’s on your system.
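A practical way to spot the three kinds of file trouble just described (files that vanish, files that are corrupted, and files that appear without being saved) is to record the size and a cryptographic hash of every file in a folder while the system is known to be clean, and compare against that record later; a size comparison alone misses a file overwritten with the same number of bytes, which is why the hash is recorded too. The Python script below is an added example written for this lesson, not code from the original article or from any anti-virus vendor; the folder layout, file names and the changes it simulates are constructed for the demonstration.

```python
import hashlib
import json
import os
import tempfile


def hash_file(path, chunk_size=65536):
    """Return the SHA-256 hex digest of a file, read in chunks so large files fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def take_baseline(root):
    """Record the size and SHA-256 of every file under root, keyed by path relative to root."""
    baseline = {}
    for dirpath, _subdirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = {"size": os.path.getsize(full), "sha256": hash_file(full)}
    return baseline


def save_baseline(baseline, path):
    """Write the baseline as JSON; keep this file somewhere the PC being checked cannot alter."""
    with open(path, "w") as handle:
        json.dump(baseline, handle, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as handle:
        return json.load(handle)


def compare_baselines(before, after):
    """Report files that appeared, vanished, or whose contents changed between two baselines."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    changed = sorted(
        path for path in set(before) & set(after)
        if before[path]["sha256"] != after[path]["sha256"]
    )
    return {"added": added, "removed": removed, "changed": changed}


def demo():
    """Constructed scenario: baseline a folder, then simulate the three kinds of file trouble."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "docs"))
        with open(os.path.join(root, "docs", "report.txt"), "w") as handle:
            handle.write("quarterly report\n")
        with open(os.path.join(root, "notes.txt"), "w") as handle:
            handle.write("notes\n")
        before = take_baseline(root)

        # Corruption: the report now holds gibberish and a very different byte count.
        with open(os.path.join(root, "docs", "report.txt"), "wb") as handle:
            handle.write(b"\x00\xff?" * 200)
        # A file that vanished, and one that appeared without the user saving it.
        os.remove(os.path.join(root, "notes.txt"))
        with open(os.path.join(root, "docs", "unknown.exe"), "wb") as handle:
            handle.write(b"MZ")
        after = take_baseline(root)
        return compare_baselines(before, after)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run take_baseline on the folders you care about while the PC is clean, save the result with save_baseline to a diskette or CD, and rerun the comparison whenever the symptoms in this section appear; the report names exactly which files to inspect instead of leaving you to eyeball byte counts in My Computer.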

Your email program slows down

One of the fastest ways a virus can spread is by infiltrating an address book and sending itself to all of the email addresses contained therein. A mass mailing of such magnitude can bring the performance of your email program to a near-standstill.
Consequently, if you notice that it takes significantly longer to send and receive email messages, you should check for viruses. Don’t bother looking in your Sent or Sent Items folder for copies of the infected messages, though. Few viruses leave evidence there, indicating their dastardly deeds.
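If you have access to a log of outgoing mail (from a mail server or a client that records what it sends), the burst a mass-mailing worm produces is easy to pick out: one sender, many recipients, within seconds, whether or not anything is left in the Sent Items folder. The Python script below is an added example, not part of the original article; the log format (one line per message with a timestamp, FROM and TO) and the sample entries are constructed for illustration, so adapt the regular expression to whatever your own software records.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format (an assumption, not any particular mail program's): one line per
# message sent, "YYYY-MM-DD HH:MM:SS FROM=<sender> TO=<recipient>".
LOG_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) FROM=(\S+) TO=(\S+)$")


def parse_line(line):
    """Return (timestamp, sender, recipient) or None for lines that do not match."""
    match = LOG_LINE.match(line.strip())
    if not match:
        return None
    stamp = datetime.strptime(match.group(1), "%Y-%m-%d %H:%M:%S")
    return stamp, match.group(2), match.group(3)


def find_mass_mailers(lines, window_seconds=60, threshold=20):
    """Return {sender: peak messages within one window} for every sender who reached threshold."""
    events = sorted(event for event in map(parse_line, lines) if event is not None)
    recent = defaultdict(deque)   # sender -> timestamps inside the current sliding window
    peaks = {}
    for stamp, sender, _recipient in events:
        window = recent[sender]
        window.append(stamp)
        while (stamp - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold:
            peaks[sender] = max(peaks.get(sender, 0), len(window))
    return peaks


def constructed_log():
    """Sample entries made up for this example: one normal user and one hijacked mailbox."""
    base = datetime(2002, 3, 14, 9, 15, 0)
    lines = []
    for i, minute in enumerate((0, 25, 50)):
        stamp = base + timedelta(minutes=minute)
        lines.append(f"{stamp:%Y-%m-%d %H:%M:%S} FROM=bob@example.com TO=friend{i}@example.com")
    # The worm fires one message per second to every entry in the address book.
    for i in range(30):
        stamp = base + timedelta(minutes=5, seconds=i)
        lines.append(f"{stamp:%Y-%m-%d %H:%M:%S} FROM=alice@example.com TO=contact{i:02d}@example.com")
    return lines


if __name__ == "__main__":
    for sender, count in find_mass_mailers(constructed_log()).items():
        print(f"{sender}: {count} messages inside one 60-second window")
```

The threshold and window are the tuning knobs: a one-minute window with twenty messages catches a worm working through an address book while leaving a person who sends a dozen messages a day untouched. A sender that trips the check is the mailbox to examine first.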

Stop The Virus

Detecting a virus without the help of an anti-virus utility is one thing; eliminating it is another. Because you don’t have an anti-virus utility to identify the virus, disinfect or delete the affected files, and inoculate your system against re-infection, you will have to perform these tasks manually. Here, we’ll discuss the steps involved.

Identify the culprit

Once you recognize the symptoms of a virus, you should begin to take action immediately in order to mitigate the damage. The longer the virus remains on your system, the greater the harm it can inflict. Jumping on the solution right away may mean the difference between recovering a handful of infected files and reconstructing the contents of an entire hard drive.
The first thing you should do is access one of the web’s free virus-scanning services. These services, which include Symantec Security Check and Trend Micro’s House-Call, scan a PC’s drives for the presence of viruses, worms, Trojan horses, and other examples of code gone bad. The services identify infections but may not remove them from your system. Write down the full name of any virus that the scanning service detects.
The entire process of accessing the service, downloading the scanning applet, and waiting while the service scans your PC may take from 10 to 30 minutes (or more). The length varies depending on the speed of your Internet connection, the type of computer you have, and how much storage space the service needs to review. You should consider using these scanning services regularly (we suggest once per week) if you don’t have anti-virus software installed on your system. Such services will help you identify viruses with undetectable symptoms.

Look it up and fix it

With the name of the virus in hand, start looking for a fix. The best place to look is a virus directory, such as the Symantec Virus Encyclopedia, the McAfee Virus Information Library, and the Sophos Virus Analyses. A virus directory is a searchable listing of known viruses. Each virus in the list has an accompanying description that includes such details as what the virus is, what it does to your system, how it spreads, how to treat it, and how you can prevent your PC from getting the virus again. Review this information carefully.
It’s important to perform the resolution exactly as instructed. Some users mistakenly believe they can eliminate viruses simply by deleting the infected files from their systems. This is not true in all cases. Viruses not only infect files, but they also may reprogram system files, contaminate the Registry (database of user preferences and system settings in Windows), tamper with settings in the BIOS (Basic Input/Output System, which controls the PC’s startup process, activates hardware components, and loads the OS [operating system]), and inflict other forms of damage that the DELETE key cannot fix.
In some cases, you’ll have the option to download a removal tool that will automate the process of cleaning up the virus. You can find these removal tools at several sites, including Symantec’s Expanded Tools List, McAfee’s AVERT Tools, and SOFTWIN’s Free Removal Tools. The removal tools are free to download and easy to use.

Install anti-virus software

Now that you’ve gone through the dreadfully inconvenient process of cleaning up a virus infection, we trust you have already made the decision to purchase anti-virus software as soon as possible. If you haven’t, we strongly encourage you to do so. We cannot overemphasize the importance of this step in your virus recovery. Installing anti-virus software after you suffer one infection is the best way to prevent another one. Just think of the $50 (approximately) you spend on anti-virus software as cheap health insurance for your PC.
Some of you might wonder why we didn’t suggest this step earlier in the process. For instance, you might think, “Why isn’t it a good idea to install anti-virus software as soon as you think you have an infection on your PC?” Well, for the same reason you wouldn’t start a new exercise routine while fighting off the flu. Even the smallest virus puts significant stress on your system. Besides, any software you install on an infected PC would have a high likelihood of malfunctioning, and malfunctioning anti-virus software is as good as no anti-virus software. In addition, virus writers design some viruses to disable anti-virus software, and installing an anti-virus utility while such a virus remains active on your PC is like pumping coins into a broken parking meter.
After you install an anti-virus utility, you need to visit the software developer’s web site to make sure the utility is as current as possible. Next, run a scan of your entire system to ensure it’s clean. Make sure you scan your data backup, as well. This is an important step in minimizing the odds of a re-infection.

Plug the holes

The final step in recovering from a virus is to locate and download the patch (if one exists) that will plug the security weakness that made your PC vulnerable to the virus in the first place. You can get the most important of these patches at the Windows Update site. This web site will walk you through the process of downloading and installing all of the available OS and Microsoft product updates for your PC. The process will vary depending on your PC configuration, so follow the on-screen instructions carefully.

When All Else Fails

Sometimes the preceding recovery steps just don’t cut it. This is certainly the case if an MBR (master boot record) virus infects your PC. The MBR itself is a small program that keeps track of partitions and identifies those that are bootable (capable of launching an OS). It is the first program the computer sees upon accessing the hard drive. Consequently, when a virus infects and corrupts the MBR, the computer cannot launch the OS or do much of anything else. When this happens, your only option is to rebuild the system from the MBR up. That typically requires formatting (preparing a drive to accept data) the hard drive.
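The MBR is small enough to inspect by hand: it is one 512-byte sector holding boot code, a table of four 16-byte partition entries starting at byte 446 (each with a status byte that is 0x80 for the bootable partition, a type byte, and the partition’s first sector and length), and the two-byte signature 0x55AA at the end. A copy of that sector saved while the PC was healthy lets you tell a corrupted or rewritten MBR from an intact one before deciding whether the fdisk /mbr and fixmbr repairs described later are needed. The Python below is an added example, not code from the original article; it works on sectors it constructs itself, because reading the real sector from a live disk requires administrative privileges and a raw device path that differs between operating systems.

```python
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 446          # the four 16-byte partition entries start here
ENTRY_FORMAT = "<B3sB3sII"  # status, CHS start, type, CHS end, first LBA, sector count
ENTRY_SIZE = struct.calcsize(ENTRY_FORMAT)
BOOT_SIGNATURE = b"\x55\xaa"
BOOTABLE = 0x80


def parse_mbr(sector):
    """Decode the partition table and boot signature of one 512-byte MBR sector."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    partitions = []
    for index in range(4):
        offset = TABLE_OFFSET + index * ENTRY_SIZE
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
            ENTRY_FORMAT, sector[offset:offset + ENTRY_SIZE])
        if ptype == 0 and sectors == 0:
            continue  # unused slot
        partitions.append({"index": index, "status": status, "bootable": status == BOOTABLE,
                           "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return {"signature_ok": sector[510:512] == BOOT_SIGNATURE, "partitions": partitions}


def check_mbr(sector):
    """List the problems a damaged or tampered MBR commonly shows; empty means it looks sane."""
    info = parse_mbr(sector)
    problems = []
    if not info["signature_ok"]:
        problems.append("missing 0x55AA boot signature")
    bootable = [p for p in info["partitions"] if p["bootable"]]
    if not bootable:
        problems.append("no partition is flagged bootable")
    elif len(bootable) > 1:
        problems.append("more than one partition is flagged bootable")
    for p in info["partitions"]:
        if p["status"] not in (0x00, BOOTABLE):
            problems.append(f"partition {p['index']} has invalid status byte 0x{p['status']:02x}")
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"], p["index"])
                   for p in info["partitions"])
    for (_start1, end1, i1), (start2, _end2, i2) in zip(spans, spans[1:]):
        if start2 < end1:
            problems.append(f"partitions {i1} and {i2} overlap")
    return problems


def diff_mbr(saved, current):
    """Compare a copy of the MBR saved while the PC was clean against the sector read now."""
    differences = []
    if saved[:TABLE_OFFSET] != current[:TABLE_OFFSET]:
        differences.append("boot code differs")
    if saved[TABLE_OFFSET:510] != current[TABLE_OFFSET:510]:
        differences.append("partition table differs")
    if saved[510:512] != current[510:512]:
        differences.append("boot signature differs")
    return differences


def build_mbr(entries, signature=True):
    """Assemble a sample MBR from (status, type, first LBA, sector count) tuples (constructed data)."""
    sector = bytearray(SECTOR_SIZE)
    for index, (status, ptype, lba_start, sectors) in enumerate(entries):
        struct.pack_into(ENTRY_FORMAT, sector, TABLE_OFFSET + index * ENTRY_SIZE,
                         status, b"\0\0\0", ptype, b"\0\0\0", lba_start, sectors)
    if signature:
        sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed examples: a sane layout (bootable FAT32 followed by NTFS) and a damaged one.
GOOD_MBR = build_mbr([(0x80, 0x0C, 63, 2_097_152), (0x00, 0x07, 2_097_215, 4_194_304)])
BAD_MBR = build_mbr([(0x80, 0x0C, 63, 2_097_152), (0x37, 0x07, 1_000_000, 4_194_304)],
                    signature=False)

if __name__ == "__main__":
    print("good:", check_mbr(GOOD_MBR) or "no problems")
    print("bad:", check_mbr(BAD_MBR))
    print("diff:", diff_mbr(GOOD_MBR, BAD_MBR))
```

A difference confined to the boot code with an unchanged partition table is the pattern an MBR virus leaves (it replaces the loader and keeps the partitions so the PC still appears to boot), whereas a mangled table or a missing signature is what a corrupted sector looks like; either way the partition entries decoded here tell you which drive letter to repair once you are at the startup-diskette or Recovery Console prompt.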
An MBR virus is just one reason you might need to format your hard drive after an infection. Another reason is security. Viruses put your system at risk by changing the system files in ways that expose security vulnerabilities. Formatting the drive and rebuilding the system replaces those altered files with clean copies and closes the openings they created. You also may need to format the hard drive if a virus damaged the system so much that you notice significant problems with basic functionality.
Whatever the reason, you cannot take the formatting process too lightly. Formatting a hard drive essentially wipes the drive clean of all data. As a result, you will have to repartition the drive, reinstall an OS, reinstall the programs you frequently use, and restore data files from your most recent backup. You can expect to spend at least half of a day getting your system back in order after tackling the formatting process, but that’s the price you pay for failing to invest in anti-virus software.

Windows 98 and Windows Me

To format a hard drive, you must have a bootable disc or diskette. You can create a bootable diskette in Win98 and WinMe by inserting a blank diskette in the floppy diskette drive and then opening the Control Panel, double-clicking the Add/Remove Programs icon, choosing the Startup Disk tab in the resulting dialog box, and clicking the Create Disk button.
When you finish creating the bootable diskette, you should copy the file to it. Open My Computer, double-click the icon representing the Windows drive (the hard drive or partition where Windows is installed), and burrow through the Windows and Command folders until you find the file. Right-click the file and select Copy from the pop-up menu. Return to the My Computer window, right-click the icon representing the diskette drive, and select Paste from the pop-up menu.
Now you’re ready to format the hard drive. Start the process by inserting the bootable diskette in its drive and rebooting your computer. When the computer starts again, you will see a Windows startup menu instead of the expected Windows Desktop. Select the Start Computer with CD-ROM Support option and press ENTER. At the prompt, type format c: (where c is the letter assigned to the infected drive), press ENTER, and verify that you want to format the drive.
When the format is complete, you have the option of labeling (naming) the drive if you want to. Then, if you suspect that an MBR virus corrupted your MBR, you should type c: (where c is the letter assigned to the infected drive) to switch to the newly formatted drive, and then type fdisk /mbr to re-create the MBR on the infected drive.
The next step is to reinstall the OS. Insert the Windows installation CD-ROM in the disc drive and type d:\setup.exe (where d is the drive letter assigned to the optical drive). This will start the Windows setup. Follow the on-screen instructions to complete the installation. When it finishes, reinstall your programs and reload your data files (from your most recent backup) to the hard drive.

Windows XP

You may not need a bootable diskette if you use Microsoft’s most recent OS. As long as your PC is configured to boot from an optical drive (and most are these days), you can use the WinXP installation CD-ROM to launch the formatting process.
And if your PC doesn’t boot from an optical drive, you can create a set of bootable WinXP diskettes by accessing the Microsoft Help and Support site, typing 310994 in the Search the Knowledge Base field (see the upper-left pane), and pressing ENTER. Click the Obtaining Windows XP Setup Boot Disks link and follow the instructions Microsoft provides in this Knowledge Base article to download a zipped file that will help you create a set of six bootable diskettes.
Next, insert the disc (or diskettes) and start the computer. If prompted, press any key to boot from the disc (or diskettes). When you see the Welcome to Setup screen, you have two options. If you suspect an MBR virus, you can reconstruct the MBR by pressing the R key. On the resulting screen, select the drive that contains the damaged MBR and press ENTER. Type the administrative password, press ENTER, and then type fixmbr at the prompt. Press ENTER to repair the MBR.
After completing this process, reboot the computer into WinXP to see whether the repair was enough to put your system back on track. If so, you may not need to format the hard drive, and that’s definitely good news.
If you don’t suspect an MBR virus or if you decide that formatting the hard drive is the best way to fix your PC, you should press ENTER when prompted at the Welcome to Setup screen. Press F8 to accept the EULA (End-User Licensing Agreement) when it appears on-screen. The next screen contains a list of the partitions on your computer’s hard drive. Highlight the infected partition and press ENTER.
Follow the on-screen instructions until you reach a screen that presents options for formatting the drive. You will have to decide whether to format the drive as an NTFS (NT file system) or FAT32 (32-bit file allocation table) drive. WinXP supports both of these file systems (systems which organize data on a hard drive). Because we don’t have room in this article to explain the differences between the two file systems, we suggest that you select whichever file system governed your computer previously. If you don’t know which one that was, choose the FAT32 file system.
Regardless of which file system you choose, don’t select a quick format. Highlight your selection and press ENTER to continue. Verify that you want to format the drive and then wait while your PC completes the task. From there, the installation CD-ROM takes over. Follow the on-screen instructions while the disc initializes setup, restarts your PC, and installs WinXP. After that, you can reinstall your programs and reload your data files (from your most recent backup).

Never Too Late To Recover

Although early detection and recovery is certainly the preferable way to deal with a virus infection, keep in mind that it’s never too late to clean up an infected system. In addition, it’s never too late to change your modus operandi and make sure a virus doesn’t catch you by surprise again.

Eliminate the Usual Suspects

As likely as it may be that your unprotected PC will someday contract a virus, it is even more likely that your system will encounter numerous other problems that have nothing to do with malicious self-replicating code. The next time your computer acts up, rule out these common problems before assuming it’s infected.

Drive Errors

Any problem that crops up on the hard drive is a drive error. Among the most common are bad sectors (sectors that cannot hold data) and cross-linked files (files the OS cannot locate because of an addressing error). Whatever the type, drive errors can result in file corruption and data loss. To minimize the likelihood of drive errors, you should run the drive-checking utility once per week. You can access it by opening My Computer, right-clicking the hard drive icon, and selecting Properties. On the Tools tab of the resulting dialog box, locate the error-checking area and click the Check Now button.

Malfunctioning Software

Error messages! System crashes! Erratic application behavior! Are these the symptoms of a virus? Yes, but they’re also symptoms of malfunctioning software. One way to tell the difference is by looking at when the symptoms occur. If they began after you installed a particular program, that piece of software probably caused the problem. Reinstalling the program should do the trick.

Improperly Installed Hardware

Don’t jump to conclusions if your PC won’t start. If the problem occurs shortly after moving or upgrading your PC, it’s more likely the result of an improperly installed hardware component than an MBR (master boot record) virus. Double-check the cable connections, make sure the expansion cards fit snugly in their slots on the motherboard, and confirm that the power cords plug into a working power source. That ought to fix the problem.

Changed System Settings

Viruses can do strange things to your PC. Then again, so can other people. Unexpected PC behavior is fairly common for users who share their PCs with co-workers or family members. Before assuming the worst, ask your fellow PC users whether they made any changes to the system settings; you might just find the answer is “yes.”