Dealing with the Aftermath
If your system or systems have been compromised, there are a number of further steps you should take once you think you have removed the immediate infection.
Secure the System
Once you have cleaned your system of malware you will need to make sure that your system is secure. Windows is not inherently insecure so long as it is maintained and some simple usage guidelines are followed.
Full settings and configurations are covered in our page on Securing Windows systems for stand alone or home use. What follows is a brief outline of the things to do.
- Enable the firewall
- Update Windows and Applications
- Apply good passwords to all accounts
- Check all USB devices and Backups for malware
Enable Windows Firewall
The Windows firewall should be enabled if you are not running a third-party firewall. Often we find that the firewall has been turned off, either by malware or by a user trying to make something work without realising the implications. You can add exceptions so others can access your system, and you can apply rules to restrict the IP addresses or computers which can access your system. Applications will normally add any firewall exceptions they require when installed, and these exceptions can also be restricted by IP address or computer name. As a rule you should have no reason to disable the firewall.
Update Windows and Applications
Most of the infected machines we see were not patched; typically they have not had Windows Update run on them recently, if at all. You should make sure that the machine is as up to date as possible by using Windows Update. Windows Update has two options which you should use: get updates for all Microsoft products, and get recommended updates. You should also ensure that Windows Update is set to regularly check for new updates and to download them automatically, every day for preference. Please review our guide to securing Windows for stand-alone or home use for full details on this.
Applications need updating as well
Microsoft Update will keep supported Microsoft software up to date, such as Office. However, all your other software will need to be kept up to date as well. Most applications will check for updates automatically; you will often be asked whether you want an application to check for updates periodically when you install it. Generally you should allow the software to do this so you do not have to remember to update applications yourself.
Apply good passwords to all accounts
Frequently, systems with malware also have user accounts without a password, typically the Administrator account. The other problem is that accounts often do not have good passwords.
Change all your passwords. Even if you were using good passwords on your accounts, a lot of malware collects this kind of data. NOTE: If a key logger type of malware was found on a system, then all users of that system must change every password they may have used from that computer as well.
- Change all of your passwords on all systems and on-line accounts which you may have used while the system was infected.
Check all USB devices and Backups for malware
You should do a full scan of any USB devices you have and also scan any backups you have for malware. See our web page on USB devices for more information.
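As an added example (not from the original page), the following read-only PowerShell script checks the four items above on a Windows 10/11 system: firewall profiles, update state, passwordless local accounts, and removable drives still to be scanned. The 30-day patch threshold is an assumption; run it from an elevated PowerShell prompt.

```powershell
# Added example: read-only audit of the post-cleanup checklist. Changes nothing.
$findings = @()

# 1. Firewall: every profile (Domain, Private, Public) should be enabled.
Get-NetFirewallProfile | ForEach-Object {
    if ($_.Enabled -ne 'True') { $findings += "Firewall profile '$($_.Name)' is disabled" }
}
# Inbound allow rules with no Group were added by hand rather than by an installer; review them.
$manual = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object { -not $_.Group }
if ($manual) { $findings += "Hand-added inbound allow rules: $($manual.DisplayName -join ', ')" }

# 2. Updates: the Windows Update service must not be disabled, and a patch should be recent.
$wu = Get-Service -Name wuauserv
if ($wu.StartType -eq 'Disabled') { $findings += 'Windows Update service (wuauserv) is disabled' }
$last = (Get-HotFix | Where-Object InstalledOn |
         Sort-Object InstalledOn -Descending | Select-Object -First 1).InstalledOn
if (-not $last -or $last -lt (Get-Date).AddDays(-30)) {   # 30 days is an assumed threshold
    $findings += "No Windows update installed in the last 30 days (last: $last)"
}

# 3. Accounts: enabled local accounts that have never had a password or do not require one.
Get-LocalUser | Where-Object Enabled | ForEach-Object {
    if (-not $_.PasswordLastSet) { $findings += "Account '$($_.Name)' has never had a password set" }
    if (-not $_.PasswordRequired) { $findings += "Account '$($_.Name)' does not require a password" }
}
$admin = Get-LocalUser -Name 'Administrator' -ErrorAction SilentlyContinue
if ($admin -and $admin.Enabled) { $findings += 'Built-in Administrator account is enabled' }

# 4. Removable drives: list them so each one can be scanned before it is used again.
$usb = Get-Volume | Where-Object DriveType -eq 'Removable' | Select-Object -ExpandProperty DriveLetter
if ($usb) { $findings += "Removable drives present, scan before use: $($usb -join ', ')" }

if ($findings) { $findings | ForEach-Object { Write-Output "CHECK: $_" } }
else { Write-Output 'No findings: firewall on, updates recent, no passwordless accounts.' }
```

Each CHECK line maps to one of the four steps above; an empty result does not replace a full anti-malware scan of the drives it lists.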
Review how you were infected - and take steps to prevent it happening again
While there are "zero-day exploits" which can compromise a fully patched system, the majority of malware gets onto a system by the following means:
- Unpatched Software
- Weak Passwords
- Malware attached to other software
- Social manipulation or phishing
Patching and passwords are addressed in the previous sections. The other possible infection routes are covered below. Please review them to help prevent your system getting infected again.
We also have a number of other web pages which provide useful security information.
Malware attached to other software
While P2P has many legitimate uses, much of the "free" software available through it is infected with malware: while you install your free copy of Photoshop you are also acquiring a password-stealing program aimed at your bank account. Most product key "generators" are also used to install malware on the system running them. Users need to exercise caution about what they install.
Social manipulation or phishing
Social manipulation or phishing is a way of trying to persuade someone that an infected attachment or web page is from a legitimate or trustworthy source, and it is used frequently to get malware onto a system.
A common example of this is a "security" message from a bank or on-line store telling users to go to a certain site and enter their username and password or their account will be disabled. A current common web-based version is a pop-up saying that your system is either infected with malware or has out-of-date anti-virus software, and presenting the user with a download for an anti-virus product or security suite.
Some of the more basic attempts are easily avoided: no bank or email service will ever ask you for your password in an email. Phishing mails are also easier to spot because they are typically generic, i.e. "Dear Customer", rather than using your real name or account name. As a rule, unless you are sure you trust the source, avoid using hyperlinks sent in emails. If your bank has sent an email with a URL, then it should also have a legitimate web site on which you should be able to find the same page. In the end you need to apply some common sense to what has been sent to you, and not click through on web pages, pop-ups or URLs sent via email without pausing first to check what it is you are clicking on.