Windows 7 and Malware

These past two weeks have been crazy for malware. I'm getting several phone calls a day about rogue security programs. These programs hijack your computer. The latest version is extremely hard to remove from XP. If Windows is running, it's near impossible. The malware gets into the system files and doesn't let other programs run. I have to remove the hard drive and scan it with another computer. Then I re-install the hard drive and run more scans. This malware is constantly changing. The anti-malware scanners are always behind. I find it's best to wait for two or three business days after receiving an infected computer before working on it so the anti-malware scanners will hopefully have the malware in their signatures.

Yesterday I received an infected computer that was running Windows 7. Windows 7 was running with the default security settings. All the user accounts had passwords. The malware was the exact same as I'd had all the trouble with on XP computers. It took about five minutes to remove it in Windows 7. Because of the better security in Windows 7, the malware could not get out of the user account that clicked on the wrong web site. I had set this computer up. When I set up a computer I always set up a second administrator account with a strong password. This is especially important in Vista and Windows 7. If you only have one account and it gets corrupted, it's very hard to fix it. I logged in with the second account, loaded the infected user's registry hive, deleted a couple of entries, and deleted the files those entries pointed to. I was then able to reboot into the infected user's account with no signs of the malware. I waited a couple of days then ran several different scanners just to make sure. They did find a couple of dropper files in some temp folders. If those files had inadvertently been run, the computer would have been infected again.

I was very impressed with how well Windows 7 protected the computer. It's impossible to stop every social engineering attack. Some people will always click on the wrong thing. Windows 7 with the default security settings did a great job of limiting the infection and making it easy to remove.
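The clean-up described above (log in as the second administrator, load the infected user's hive, review the autostart entries, delete the bad ones and the files they point to) can be scripted so that the review happens before anything is deleted. The PowerShell below is an added example, not the author's own commands: it loads an offline `NTUSER.DAT` under `HKEY_USERS`, reports the per-user `Run` and `RunOnce` entries with their target files and signature status, removes only the value names you pass in, and then unloads the hive. A second function lists recently written executables under the profile's AppData folders with their hashes, which is the kind of triage that would have surfaced the dropper files the scanners later found. The profile path, hive alias, parameter names and the `Get-FileHash` call (PowerShell 4 or later; Windows 7 ships with 2.0) are my assumptions for the example.

```powershell
# Added example (not from the original post): review and clean per-user
# autostart entries in an OFFLINE user hive from a second administrator account.
# Run in an elevated PowerShell while the infected user is logged off; NTUSER.DAT
# is locked while that profile is loaded. Profile path, hive alias and the
# parameter names are assumptions made for this example.
function Invoke-OfflineHiveReview {
    param(
        [Parameter(Mandatory)] [string] $ProfilePath,  # e.g. C:\Users\infected
        [string]   $HiveName    = 'OfflineUser',       # temporary alias under HKU
        [string[]] $RemoveNames = @()                  # value names to delete (opt-in)
    )

    $ntuser = Join-Path $ProfilePath 'NTUSER.DAT'
    if (-not (Test-Path -LiteralPath $ntuser)) { throw "No NTUSER.DAT under $ProfilePath" }

    # Map the offline hive under HKEY_USERS\<alias>.
    reg.exe load "HKU\$HiveName" $ntuser | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'reg load failed; is that user still logged in?' }

    # Per-user variables must resolve against the infected profile, not the
    # administrator session this script runs in.
    $userVars = @{
        '%USERPROFILE%'  = $ProfilePath
        '%APPDATA%'      = Join-Path $ProfilePath 'AppData\Roaming'
        '%LOCALAPPDATA%' = Join-Path $ProfilePath 'AppData\Local'
        '%TEMP%'         = Join-Path $ProfilePath 'AppData\Local\Temp'
        '%TMP%'          = Join-Path $ProfilePath 'AppData\Local\Temp'
    }

    try {
        foreach ($rel in 'Software\Microsoft\Windows\CurrentVersion\Run',
                         'Software\Microsoft\Windows\CurrentVersion\RunOnce') {
            $key = "Registry::HKEY_USERS\$HiveName\$rel"
            if (-not (Test-Path -LiteralPath $key)) { continue }
            foreach ($p in (Get-ItemProperty -LiteralPath $key).PSObject.Properties) {
                if ($p.Name -like 'PS*') { continue }   # provider metadata, not a value
                $cmd = [string]$p.Value
                # The first token of the command line, quoted or bare, is the target file.
                $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
                foreach ($v in $userVars.Keys) { $exe = $exe -replace [regex]::Escape($v), $userVars[$v] }
                $exists = Test-Path -LiteralPath $exe
                $sig    = if ($exists) { (Get-AuthenticodeSignature -LiteralPath $exe).Status } else { 'missing' }
                [pscustomobject]@{ Key = $rel; Name = $p.Name; Target = $exe; Signature = $sig }

                # Removal is explicit: only value names the operator chose after reading the report.
                if ($RemoveNames -contains $p.Name) {
                    Remove-ItemProperty -LiteralPath $key -Name $p.Name
                    if ($exists) { Remove-Item -LiteralPath $exe -Force }
                }
            }
        }
    }
    finally {
        # Drop the provider's handles first, or reg unload reports the hive as in use.
        [GC]::Collect(); [GC]::WaitForPendingFinalizers()
        reg.exe unload "HKU\$HiveName" | Out-Null
    }
}

# Companion triage for dropper files left in temp folders: list recently written
# executables under the profile's AppData tree with their hashes, so they can be
# reviewed or deleted without ever being run. Get-FileHash needs PowerShell 4+.
function Get-RecentProfileExecutables {
    param([Parameter(Mandatory)] [string] $ProfilePath, [int] $Days = 14)
    $since = (Get-Date).AddDays(-$Days)
    $dirs  = 'AppData\Local', 'AppData\Roaming' | ForEach-Object { Join-Path $ProfilePath $_ }
    Get-ChildItem -LiteralPath $dirs -Recurse -File -Include *.exe, *.dll, *.scr, *.com -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $since } |
        ForEach-Object {
            [pscustomobject]@{
                Path    = $_.FullName
                Written = $_.LastWriteTime
                SHA256  = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        }
}

# Usage: report first, decide, then remove the named entries and their files.
# Invoke-OfflineHiveReview -ProfilePath 'C:\Users\infected' | Format-Table -AutoSize
# Invoke-OfflineHiveReview -ProfilePath 'C:\Users\infected' -RemoveNames 'SuspectValue'
# Get-RecentProfileExecutables -ProfilePath 'C:\Users\infected' | Format-Table -AutoSize
```

The report-then-remove split matters: an unsigned `Run` entry is not automatically malicious (plenty of legitimate software is unsigned), so the script never deletes on its own judgement, and the hashes from the second function can be checked against a scanner or a vendor portal before the files are touched.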