by Steven J. Owens (unless otherwise attributed)
Despite the fact that I hate Microsoft Windows and don't run it and would rather not know anything about it, I have to help friends unfuck their machines often enough that I've decided to keep a cookbook around and just refer them to it.
Note: This was originally written on 03/29/05. If you're reading this significantly later, some of the details below might be out of date, but the general principles will be accurate.
Note 05/01/07: I've had enough conversations where I had to explain a few more things that I've decided to add a few explanations about things that can fuck up your PC without the involvement of viruses and spam trojans.
Note 09/19/09: I still haven't seriously updated the details, but a forum I'm on recently discussed the question of which current antivirus package is preferable. I've added the details at the bottom, under 09/09 update.
Microsoft recently released their all-new, all-singing, all-dancing upgrade, Vista. In a turn of events that was a shocking surprise to nobody except the marketing people at Microsoft, Vista has turned out to suck in various major ways. Google on this if you're interested, but I'll just leave at saying that Vista is deliberately designed to not work with the vast majority of high-end audio and visual equipment.
Besides being incredibly poorly implemented from a security standpoint, Microsoft Windows also has some problems that can come up in the course of normal (hah!) operation. So, check for these before you assume it's an actual virus or spam trojan.
A computer basically has four resources; cpu, memory, disk space, and the connection between all three, generally referred to as "bus speed" or "i/o" (input/output).
I/O speed gets slightly complicated, because the different pieces of the puzzle each have their own speed issues, as well as the connection between them. Generally speaking, the hard drive is the slowest component in your system. While you might think of the I/O as your assistant who fetches things from the warehouse (hard drive) to the desk (memory), the assistant isn't allowed to actually go into the warehouse, he has to stop at the front counter and ask the warehouse guy to get it, and the warehouse guy isn't as fast.
Most CPUs in computers sold these days are quite fast enough for your typical user, but for some reason they tend to be understrength in the memory department.
Of course, that's a relative term. It'd be too easy to heap vitriole on Microsoft Windows for sucking so hard that it can barely function without ridiculous amounts of memory, so I'll cut right to the chase and say, you shouldn't even think about running Windows without at least 256MB of memory, and you're much better off with 512MB. Memory's relatively cheap these days; a quick glance at pricewatch.com shows you can easily get an extra 256MB for $25, and a 512MB DIMM is nearly the same:
You should be able to check how much memory your PC has by right-clicking "My Computer" and looking at the hardware tab. If you have less than 512MB, spend the $30 and get more memory. Spend an extra $5 on a twelve-pack of coke to get the neighbor's kid to show you how to install it.
If your machine seems to occasionally (or frequently) bog down, right-click on the "My Computer" icon, then right-click on your primary hard disk (usually C:) and it should show you a pie chart with how much space is used and how much space is free. Make sure your hard drive has at least two gigabytes of free hard disk space.
Even if you have 512 (or more) memory, Microsoft has a knack for using it all, and then some. When you have too much stuff running to all fit in memory at once, Microsoft Windows will try to compensate by using virtual memory. Virtual memory means Windows temporarily saves your data to the hard disk when you're not using it, to make room for something else you're working on.
Remember the story about your desk and file cabinets, above? Virtual memory means, when your desk starts getting full, your secretary starts quietly snagging the stuff that has been ignored the longest, and sticking it in a spare file cabinet until you need it again. In other words, you're using hard disk to fake memory.
Remember when I said, above, that memory is much, much faster than disk? Virtual memory is as slow as hell.
You'll see this in action if you have too many files open and windows moves some stuff to virtual memory (this is called "swapping" or "paging" data out to disk). When you switch back to the original application, the application window will be much slower at redrawing. It may even freeze up for 20-60 seconds (or more) while it redraws.
So, of course you want to avoid using Virtual Memory; don't keep applications open unnecessarily.
But as bad as Windows performance gets when Virtual Memory kicks in, it gets ridiculously worse if you need to use virtual memory and you don't have at least a couple gigabytes of free disk drive available. Ya see, to do all of this virtual memory stuff, you need a certain amount of disk space reserved for the virtual memory to use. Serious operating systems use disk partitioning to make sure a chunk of disk is never used by something else. Windows is not a serious operating system.
If you've ever seen a Three Stooges routine, then you've already got a pretty good idea what happens when Windows tries to use virtual memory and your hard disk is all full up. So check and make sure you have at least a couple of gigabytes of disk space free.
If you have enough memory and you have enough free disk for virtual memory, then there's a small possibility that your problems may be because you need to defragment your hard disk. It's not likely the source of your real pain, but it's a good idea to do it anyway.
Make sure you have plenty of free disk space before doing this. Like several gigabytes, ideally. Select Start/Programs/Accessories/System Tools/Disk Defragmenter. Now go away.
Check back in a half an hour to an hour and see if the analysis step is done. If it is, click on the appropriate button to actually defragment the disk. No go away again.
The actual defragmenting will take at least several hours, probably overnight. If you don't have enough disk space free for Defrag to operate properly, it may take forever and never actually get done.
Computer disks are less like a big, open warehouse and more like a big warehouse full of little storage units. Stuff has to be stored somewhere, and the system has to keep track of what lockers are full, what lockers are empty, and so forth. Just like in your closet, eventually you have to stop and clean things up, rearrange stuff and pack it all away neatly, or you have too much disorganization and wasted space. Defragging is the computer's way of cleaning up.
Okay, so the hardware advice above didn't help. Now the odds are far more likely that your problems are caused by a virus, a spam trojan or a spyware trojan. (Geeks sometimes refer to these and any other malicious software in general as "malware'.)
Step one, install a real firewall - in other words a hardware firewall - between your PC and the rest of the Internet.
Strictly speaking, you really should do this before you bother to do anything else, otherwise you're just wasting your time and your PC will be reinfected almost as fast as you disinfect it. I have little doubt that most people are going to ignore this advice (sigh).
There are plenty of cheap hardware firewalls out there. So-called software firewalls (they're not firewalls) may be useful, and are certainly better than nothing, but they're no substitute for a real firewall.
TrendNet makes a nice, cheap firewall ($34 as I write this). Like the rest of the internet these days, it has a short attention span, so it has an annoying habit of disconnecting long-lived ssh sessions every half-hour or so. But for most of the people I wrote this for, you'll never encounter that problem, since 99% of your network use will be web browsing and other stuff that involves only momentary connections.
Lots of people speak highly of NetGear's products, but so far the only NetGear product I've tried has turned out to be a nightmare; the WTG624 firewall/router/wireless access point, which has a nasty habit of crashing every twenty minutes when the moon isn't full.
Likewise, lots of people speak highly of Linksys.
I've had problems with Dlink and I don't think I've ever met anyone who didn't have some similar story.
None of the following steps are risk-free.
None of the following steps are risk-free.
None of the following steps are risk-free.
None of the following steps are risk-free.
Viruses and spyware work by interfering with your normal system operation, often replacing critical parts of your system software with their own code. Removing these subverted versions of your system software can theoretically leave your system in a non-functioning state. I've never run into this problem, personally. Maybe the anti-virus/anti-spyware developers have got it down to a science by now.
Strictly speaking, the "right" way to handle this sort of problem is to back up all of the data you care about onto floppies (these days you could burn a CD, or use a USB thumbdrive), reformat the drive (which wipes it clean of all software) and reinstall the operating system from scratch. (Someday I'm going to publish my "Four Rs of Windows Support" book - Restart, Reboot, Reinstall, Reformat). If you don't reformat and reinstall, then no matter what you do, you can never be really sure that there isn't some subtle virus or spyware you missed.
But, of course, almost nobody does this.
Strictly speaking, every time you're about to do something tricky and possibly-catastrophic to your PC, you should save backup copies of any critical data - documents you've written, email addresses, favorite bookmarks, photos, etc - to a floppy or CD. That way, no matter what happens, at least you have your data. Operating systems and software can be reinstalled, the only thing that's truly irreplacable is your personal data.
But, of course, almost nobody does this.
Also note that... thanks to the wonders of Microsoft's shoddy design, these days word processor documents and email boxes can contain viruses, so it's no longer a sure thing that your data can't reinfect your PC.
There are several clean-up programs that will remove viruses and spyware from your computer. For all of these steps, your best bet is to go find a different, healthy PC, download each clean-up program, copy it onto a floppy, and then run the program from the floppy on the broken PC.
Your broken PC may seem to have a functional network connection, so you may be tempted to download the program from the net to the broken PC, and run it from the hard drive. You may be able to do this, you may not.
If you do manage to do it, depending on exactly what virus or spyware you're dealing with, this may fix your problem, or it may not. It's not unheard of for viruses to actually scan incoming downloads and subvert them. In fact, in the good ol' days, we used to actually boot off a special disk with the virus scanner, rather than trying to run the scanner in the infected operating system (which is sort of like asking the fox to guard the henhouse).
Note: Spyware is a particular sort of virus that some unscrupulous businesses try to trick you into installing. In fact, some of them install it without bothering to ask you. Some of them ask you, but then ignore what you say and install it anyway. And some of them install it just like a virus. Why the heck the FBI isn't prosecuting these companies, I don't know.
Note: These days a lot of computers don't come with floppies, particularly laptops. However, most computers have CD-ROMs and quite often CD burners. So you can burn a bootable CD with the virus checker software, then figure out how to get your computer to boot off the CD. It's also possible to boot off a USB thumb drive, but this is less common. In any event, the particulars of how to get yor PC booting off your CD-ROM are specific to your flavor of PC, so I can't help you there. Sometimes you have to get into CMOS setup by holding down ESC or F1 during bootup, and change your CMOS to boot from CD. Sometimes there's a magic key combination to hold down during boot specifically to make it boot from CD.
CW Shredder is a special purpose program that will kill the Cool Web virus. Cool Web is a painfully clever virus that may actually interfere with the other programs I'm going to tell you to run. Maybe by the time you read this, AdAware, Spybot and HijackThis will be updated to deal with Cool Web. Maybe not. Maybe they'll be updated, but Cool Web will be updated too.
Hm... when I went to dig up Hijack This, I found a note about the most recent variant of CoolWeb, so I guess it's still a problem:
"There is a variant of the Coolwebsearch trojan spreading that closes several anti-spyware apps when you try to open them. If this is happening to you, download PepiMK's CoolWWWSearch.SmartKiller removal tool first and run it. After it does its job, CWShredder and HijackThis will run properly (as well Spybot S&D, Ad-aware and several anti-spyware forums)."
AdAware is a program that searches for spyware. It's real purpose is actual to stop adware, most of which is also spyware. Adware is basically just like a virus or spyware, except that besides (or in addition to) spying on you, it does things like slip extra pop-up adds in, or replace normal banner ads with its own banner ads.
AdAware is from Lavasoft (lavasoftusa.com). You can go to lavasoft's site and follow the download link (at the bottom of the page) to download the free version.
One thing to be, uh, aware of, with AdAware, is that it doesn't bother to distinguish between evil adware, evil spyware, and evil tracker cookies. This can be quite alarming when you run AdAware and it tells you it found hundreds of problems. When you check, most of them are tracker cookies -- which are still evil and an invasion of your privacy that businesses use to track what you do online, but they're not likely to be directly screwing up your PC.
Cookies are a standard web thing.
A web site can include a little bit of data with a page you request, and your browser will hang onto that bit of data and include it with future requests. This can be incredibly useful, for example it's what most retail sites (like Amazon) use to keep track of what shopping cart in the site database belongs to your browser. Problem is, cookies can also be incredibly useful to somebody who wants to track your browsing habits, learn all sorts of interesting things about you and figure out what to sell you.
A company called Doubleclick, for example, is essentially a banner ad broker. Doubleclick is just like those billboards you see on the side of the road - usually most of the billboards belong to one big company, that rents each spot from whoever owns it, puts up a billboard, then rents the billboard to whoever wants to advertise. But Doubleclick also requires each of the websites who they rent billboard -- er, banner ad -- space from to report back to them on who uses their site. So now Doubleclick has reports on you from all over the Internet.
Spybot Search & Destroy is another spyware removal program. People who spend a lot more time than I do unfucking other peoples' broken PCs tell me that sometimes AdAware misses things that Spybot gets, and vice versa, so you need both.
But be aware that sometimes these programs trip each other up - because they have to have enough information to recognize a virus or spyware, they have enough information that the other program may mistake that information for signs of a virus or spyware.
And sometimes both AdAware and Spybot miss things that HijackThis gets (and presumably vice-versa). Hey, I didn't realize until I dug up the URL, this is the same guy who wrote CoolWeb Shredder.
This looks like a good quick start guide to running Hijack This:
Okay, now you're back, you've downloaded all of the above on a functioning, clean PC, copied them onto floppy and run them on your messed up PC. Hopefully your PC should be functional now and your network should be functional, and you'll be able to run Trend Micro's Housecall scanner, which runs via the net (no install, yay!). All you have to do is point your browser at the URL below, there'll be a button there to click, and then you leave it alone for a while as it looks for viruses:
Never run Outlook. Instead, download and install Thunderbird.
Never run Internet Explorer. Instead, download and install Firefox.
It's the number two cause of viruses (right behind the number one cause, the Microsoft operating system). It's such a horribly designed piece of software that it's responsible for an entire class of viruses, Outlook Viruses (which some people call email viruses - but there's no such thing as an email virus that spreads through non-Outlook email programs).
Besides the risk of infecting your machine, Outlook also makes you look really stupid when you get infected and it sends emails to everybody you've ever sent or received email to/from, trying to infect them.
Outlook is also a cause of major network congestion from all of the attempts to send emails infected with Outlook viruses to everybody, because if you're not using Outlook, the email viruses pretty much look like somebody sending you a note saying
"Hi, please follow these instructions:"
You look at that and think "How stupid do they think I am?"
Then you get a few dozen more messages like that and you think "Apparently they think I'm very stupid."
Then you get a few hundred more messages like that, and you think, "Apparently there are quite a lot of very stupid people out there."
Then you get a hundred messages a day like that, and you think, "I wish these very stupid people would stop using this very stupid program that is allowing spammers and viruses to fill up my mail box."
Internet Explorer isn't quite as bad as Outlook, but that's sort of like saying a hole in your torso isn't quite as bad as a hole in your head. Why "Internet Exploiter"? "Exploit" is computer jargon, short for "an exploitable security bug." There have been literally thousands of exploits discovered and reported for Internet Explorer (for Outlook too). You can start up Internet Explorer, visit three web pages, and be infected with a virus or spyware.
You probably didn't take my advice about getting a hardware firewall, so download and install the free version of ZoneAlarm.
ZoneAlarm is a software firewall, which is a contradiction in terms but it's still a useful program to have. Even if you do have a firewall, if you use a wireless card, it's a good idea to have ZoneAlarm installed. It will monitor your internet connection and will pop up a dialog box every time a program on your system attempts to send internet requests or to listen for internet requests. Then you have to either approve or disapprove of that request.
Generally speaking, most of the time normal PC usage will involve sending internet requests; you should almost never approve a program listening for incoming internet requests. For some reason that I cannot fathom, Microsoft has a few components that listen for internet requests (SERVICES.EXE comes to mind). I've never found a coherent explanation of why this is necessary, and I've gotten into the habit of just disapproving SERVICES.EXE.
My mother had a friend spec out and purchase a new system for her. She went from a 32MB system running Win95 to a 256MB system running WinXP - and her new system performed like mud. Supposedly XP just needs to be configured properly to run half-decently, and supposedly the best way to do that is to visit TweakXP.com and figure out how to tune up XP for better performance.
Some friends were recently discussing the current state of anti-virus and virus removal. Here's a summary of the discussion.
First, everybody has an opinion on the free tools versus the commercial tools, some folks distrust one, some distrust the other, many advocate using several different packages so one will catch what the other misses. However, there's no silver bullet.
Second, Google Pack, these days, is probably a good place to start for the free versions of Norton Security Scan and Spyware Doctor Starter Edition.
In general, the better defenses keep the virus from getting onto your PC by scanning your email or your browser. Antivirus apps that scan your hard drive for stuff already on are at a disadvantage, but at least they'll help you clean it up.
Spybot Search & Destroy appears to still be keeping up with the joneses, but update it weekly.
Spybot has a nifty "tea timer" feature that attempts to catch malware as it attempts to make registery changes, but from the sound of it, it's not something you should use if you don't know what the first half of this sentence means, because you have to configure which changes are allowed and which are not.
ClamWin Antivirus also appears to still be keeping up with the joneses, likely because it gets used a lot in linux email gateways to detect windows viruses in incoming emails.
Microsoft these days includes filesystem integrity checking applications, like autochk.exe:
I haven't worked with these at all, but an acquaintance who seemed to know what he was talking about said that a current malware trick is to subtly corrupt files to prevent virus checks from finding the malware, a sort of "who shaves the barber" paradox.
Running all of the above every week will make your PC kind of useless for about 6 hours (well, more useless than Windows already is :-) but it's necessary. Don't go overboard... after 3 or 4 apps you'll see diminishing returns and your PC will be too busy defending itself from Microsoft's incompetence to be any less useless than it already is.