Friday, June 27, 2008

Malware Removal - Where to draw the line

A little intro first...
As many of you know (or don't know), I guide people with removing malware from their computers, or help them with other Windows issues not related to malware. This mainly happens via forums and newsgroups. I used to guide people via mail as well, but quit that since I don't have the time for it anymore.
"Step by step" instructions are really needed, since many people don't know much about computers and without detailed instructions they could make things worse. Even so, when detailed instructions are given, with screenshots or whatever else included, some still have problems performing the steps properly.
Yes, a lot of patience is needed in many cases.
Many people have already asked me why I am doing this, offering almost all of my free time as a volunteer to help other people online. Well, there are several reasons why I am doing this...

1st... My hunger for knowledge. I love to learn and want to learn something new every day. Fixing computers is like solving a puzzle for me: finding the cause and trying different solutions. It's always a challenge to find and understand the cause in the first place. Without a cause, you can't offer a proper solution either.
In the case of malware removal, it's a challenge to find the loading points, what it changes/modifies and how it behaves in general. Based on that, you can give the proper instructions on how to remove it and restore whatever it has broken/modified.
The next time you see the same problem, you already know how to deal with it, because it's something you've learned and remembered.
I don't want to give instructions/solutions if I don't understand them in the first place, because that wouldn't make sense and I'd learn nothing from it.

2nd... As I said, many people still don't know much about computers. I don't really see this as a problem, as long as they know how to secure their computer. Unfortunately, many don't know anything about this. They don't even know what an Antivirus/Firewall is, why it is needed and what the dangers of the internet are. Many don't take this seriously either and always think that it won't happen to them - until it happens (sooner than they think).
Another lesson learned, I hope. Some will never learn, as I explained here - or don't see the need to secure their computer, as explained here.
Prevention is better than removal... and that's what I try to teach these people. If more people took this seriously, secured their computers and were always careful where they surf, what links they click and what they download, then I'm sure the internet would be a bit safer for everyone.

3rd... I just love to help people in general. If they ask for help and I know how it can be solved or where to find the solution, why wouldn't I help them? A simple "Thank You" afterwards, the appreciation you get, already means a lot to me. I'm always glad that I could teach something and hope that they will learn from it as well.

Also, Budfred's Rant: Volunteers and Malware Criminals sums it up nicely, with more reasons why I am doing this. As you'll also read there, volunteers don't always get appreciation for what they are doing.

Through the years, malware has become more difficult to find (rootkits, etc.), more stubborn to remove and nastier in general. One click on a file or link can already download and install a huge malware bundle in which many different infections are installed.
You see popups all the time, and your desktop wallpaper has been replaced with a "fake alert" displaying that your computer is infected (well, it IS infected, but these "fake alerts" ask you to purchase their own product in order to remove the malware they installed in the first place).
Although the fake alerts and popups/advertisements you get are the most annoying part and look the worst, they are in fact the least of your concerns. What is hiding in the background is the more serious issue. Trojans in general, such as backdoors, password stealers, keyloggers, etc., all have their own purposes and may do a lot of damage!
And as I said, all of the above can be installed via one single click on one link or file! I've even seen file infectors/worms/bots joining the party as well.
The problem is still that many are not aware of what the other malware does, or is capable of, and are already satisfied if the annoying popups don't display anymore, their desktop background has been fixed, etc.
Then they don't need further help anymore, because they think that their issue is already resolved while the biggest problem is still present, silently doing its job in the background. They are not aware that their computer is still severely infected and badly compromised... and responsible for infecting other computers on top of that.
And what worries me the most is that some don't even care, as long as the annoying popups are gone.

Malware compromises/damages a lot, that's a fact. Especially in the case of a severely infected computer, even if I clean the malware off the computer, I cannot guarantee that the computer will be clean afterwards, because these infections/bundles leave a lot of leftovers behind that most scanners won't even recognise and logs won't show.
Also, I cannot promise that I can repair all the damage it caused... Even after cleaning the malware, errors may still be present afterwards because of the damage. Solving these is not always possible, since it means searching for a needle in a haystack to find the right cause and solution. Although I love to solve puzzles, I sometimes wonder if it's really worth it in such cases.

That's the main disadvantage of guiding people via forums etc.: instructions should be followed asap, and this is not always possible. Also, an Internet connection is needed to read the instructions, and in the case of severely infected computers I recommend that they disconnect from the internet asap and use another computer to read the instructions from. Unfortunately, this is not always possible either, since not everyone has a spare computer.
If I guide someone with cleaning a severely infected computer, it is my responsibility to make them aware of what state their computer is in, how severely infected/compromised it is, that they should change passwords afterwards, etc.... and I won't promise them a clean computer afterwards, because that would be a lie.
I've seen cases where volunteers are helping a user with a severely infected computer, for weeks already....
And that's why, in such cases, I throw in the towel more often and ask them to back up important data, then format and reinstall Windows. Not because I give up, but rather because it's really not worth it to clean this mess up manually and then on top of that restore (if possible) whatever the malware has broken/modified. In such cases, a format and reinstall is the fastest and especially the SAFEST solution.
As a matter of fact, I think it would be irresponsible of me to guide people through manual removal in such cases, knowing that removing the malware from severely infected computers takes a lot of time, especially if you're doing this via online instructions, and every single minute that this computer is connected to the internet, it may download more malware, spread more malware, collect more info, send more SPAM, etc....
Also, if file infectors are in play, in 80% of the cases I recommend a format and reinstall anyway if an AntiVirus scanner is not able to disinfect the files (properly). Unless the person knows which files are corrupted and knows how to replace them with clean ones. But then again, there's no guarantee that everything will work properly again and that the infection will really be gone.

Another article regarding this is:
When Should I Format, How Should I Reinstall.

That's why.... Where to draw the line? When should a format and reinstall be recommended?
