.: Malware Defined :.
Malware (malicious software) is software designed to infiltrate or damage a computer or network. Malware is commonly taken to include computer viruses, worms, Trojan horses, spyware, adware, hijackers and dialers. This internet garbage not only slows your computer down, it can cause operating system errors, random popups, and redirect your browser to websites without your consent. If you are infected with worms your computer can become a mass-mailing zombie. Even worse, keyloggers can grab confidential information that includes chat sessions, usernames, passwords, bank account information, full names, and even addresses that could be used to create fake online identities. Never give out personal info thru email or instant messages and beware of phishing scams.
McAfee, Inc. Reports on Online Identity Theft Trends
Spyware Researchers Discover ID Theft Ring
The sad thing is that "trusted" websites can no longer be trusted. Malware was once restricted to sites offering free music or porn, but today it's being served up by some of the most popular sites on the web. An average of around 8,000 new URLs containing malware emerged each day during April, 2007. That was close to three years ago, and obviously that number has increased tenfold. What's even more alarming is that 70 percent of URLs hosting such malware are found on legitimate web sites that have been targeted by hackers. The outdated notion that malware only resides in the darker corners of the internet is far from the case now. Users are being exposed to malicious content without being aware of it. Tomshardware.com was unknowingly hosting a banner ad which was redirecting users to a site where drive-by malware was automatically downloaded. The Avast! forums were hacked and the injected iframe code was serving up malware. MySpace & Excite.com (search portal) are also serving up malware-laced banner ads. Cybercriminals pumped out more malware in 2009 than they did in nearly 20 years, according to anti-virus vendor Panda Security. During 2009, PandaLabs, the anti-malware lab of Panda Security, identified 25 million new malware samples, according to Panda Security's Annual Malware Report, released Tuesday. Before 2009, PandaLabs had identified a total of 15 million pieces of malware in 19 years.
.: My $.02 :.
To be quite honest, all of the guides that I have come across barely touch the surface on thorough removal and prevention. In some cases you may have come across websites that show you how to remove only specific infections. Should you decide to post for help on a security message forum you are usually required to run several applications, post the log files, and wait for the "expert" to arrive, which could take a few days; in some cases your post may go unanswered. You will then be asked to perform a number of routines which could end up taking a few more days before your pc is deemed 'clean'. IMO when your computer is hijacked it should be cleaned immediately! While I may not go in depth on how to use or configure the programs, most of it should be pretty straightforward other than HijackThis.
Unfortunately, cleaning an operating system that has been infected by malware is no longer as simple as it used to be. Malware has become increasingly difficult to clean, as malware creators find more ways to avoid removal. They have been known to modify specific files to avoid detection, some files refuse to be deleted using conventional tools, others latch on to critical system files, and in some cases rootkits can mask their presence altogether. I am often asked "What are the best detection and removal tools?" The fact is that no single antivirus or antispyware application can successfully remove all malware circulating around the internet. It's not unusual to resort to an arsenal of security products in an attempt to ensure that everything has been properly removed. Everyone seems to have their own idea of the "best", and this guide will highlight my recommendations. Furthermore, there are many rogue antimalware products, ranging from those that are advertised by malware to those from malware creators who strike deals with antimalware creators to ignore their software. Please take a moment to review the Spyware Warrior's (somewhat outdated) Rogue antispyware list to make sure that you haven't been duped.
Tech advice:
- One thing to keep in mind is that you should run scans on each user account that has Administrator privileges.
- Remember to backup the registry before you edit it manually.
- Sometimes it's also necessary to repair your Windows XP or Vista installation after you've removed malware from your system. If you do not have SP3 in your original XP disc you can use the Windows XP SP3 network install package and slipstream it using AutoStreamer or nLite.
- Ok, I'm infected. What about a fresh Windows install? If you reinstall the operating system then you'll need to reinstall Windows updates (unless you have a slipstreamed copy), drivers, assorted software, tweaks, and all of your other peripherals, which could easily take 2-4 hours. You'll then need to figure out how you were infected in the first place in order to prevent it from happening in the future. This is one of the main reasons that I rarely recommend a clean install. As long as you take the time to learn how to clean an infected system, a fresh Windows install should be a last resort (unless you have a recent known good image of your drive). If you're looking for a quality backup/imaging program I'd recommend Acronis True Image or Cobian.
I also realize that there is a lot of information in this guide that may not be considered n00b friendly, or so much information that you may lose focus. Take your time and do not get frustrated. You can use my contact form if you have questions, comments, or need advice.
.: Adware, Spyware & Trojan Removal :.
First we'll start out by installing 7-Zip, which is an open-source (free) archiver utility. Before running any of the removal tools below I'd highly recommend that you first uninstall malicious software. If you have any antivirus/spyware applications installed that are not listed in this guide please uninstall them as well. Keep in mind that System Restore keeps its restore points in a protected directory that can trap viruses and other applications inside. Leave it enabled in case your pc fails to boot to the OS after removing infections. Once you are certain that your system is malware free you can toggle System Restore off and back on to delete the contents and set a fresh restore point.
Download the items listed below, preferably to a USB flash drive using a 'clean' pc. Now boot to Safe Mode with Networking to complete the installations and start the scanning process. Booting to Safe Mode is important because it disables most drivers and running applications and is less vulnerable to attack. For these reasons Safe Mode is the optimal setting for performing any sort of malware-related troubleshooting. However, in some cases you may be unable to boot into Safe Mode if your pc has some nasty infections. Should this be the case I recommend you run a quick MBAM scan while in Normal Mode. Now you should be able to boot into Safe Mode and run all of the utilities. The Winsock Fix (also in the Rogue removal kit) comes in handy in case you lose your internet access and cannot pull a valid IP from your modem or router.
- Rogue removal kit (updated 6-18-10) - A robust kit I put together using some of the finest tools that detect and remove assorted trojans, rootkits (including the nasty CLB & TDL3 variants), and other rogue antivirus/antispyware (Antivirus XP 2008/2009/360, SpywareGuard, Personal Antivirus, Security Tool, etc.). This form of malware includes those with fake security alerts that goad the end user into downloading and/or purchasing rogue software. Please check the README and follow the directions. In addition, do not be alarmed if some programs detect certain executables in this kit as a "Trojan" and/or "RiskTool". AV programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
- Malwarebytes' Anti-Malware - Malwarebytes' antimalware monitors every process and stops malicious processes before they even start. The Realtime Protection Module (which does not work in x64) uses advanced heuristic scanning technology which monitors your system to keep it safe and secure. In addition, they have implemented a threats center which will allow you to keep up to date with the latest malware threats. MBAM is not heavy on resource usage, can be installed in Safe Mode, and the quick scan is extremely fast and very thorough. MBAM is in the Rogue removal kit and is considered a premier tool.
- Hitman Pro - will scan your PC for malware in a few minutes using GData, NOD32, Antivir, Prevx, and A-Squared. If malware is detected during the behavioral scan the actual identification of these potential malware files is then done on the Hitman Pro servers - the "Scan Cloud". Hitman Pro 3 does not leave a program running in the background that continuously checks incoming e-mail and downloaded files for malware. Therefore you need to scan your PC regularly to ensure your PC is not infected. Scanning your PC for malware with Hitman Pro 3 will always be free, so if you already have a security suite on your PC, it is an ideal program to make sure your security suite has not missed anything. HMP has updated removal technology to handle TDL rootkit version 3.24 (updated variant of the Google Redirect Virus). Hitman Pro just gained a new feature called Force Breach. Most people in the security business have come across a couple of fake/rogue anti-malware infections that kill every application you are trying to run, including your favorite removal tool. If you run Hitman Pro (build 88 or newer) from a USB stick and start its EXE while holding down the left Ctrl-key until the Hitman Pro interface opens up (Important: if you receive a Vista or Win 7 UAC prompt you need to keep holding down the Ctrl-key while you click continue) it will kill every non-essential process running under the user's context including the rogue infection.
- HijackThis - A free utility which quickly scans your computer to find settings that may have been changed by spyware, malware or other unwanted programs. HijackThis creates a report, or log file, with the results of the scan, but it does not determine what is good or bad. Do not make any changes to your computer settings unless you are an expert computer user. Do not run HijackThis from the desktop, a temp folder, or a sub-folder of C:\Documents and Settings. If you aren't sure about which items to remove you can analyze your own log using the automated tool offered by HiJackThis.de Security. If you want to learn how to read your own log then I'd recommend Bleeping Computer's HJT Guide. Of course you can also visit popular support forums such as MajorGeeks, Bleeping Computer, Spyware Warrior, What the Tech (TomCoyote), and SWI for assistance.
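To make the HijackThis log easier to read before posting or analyzing it, the following added example (not part of the original guide and not HijackThis's own code) groups the log's entries by section code and lists the load points that start from user-writable folders. The sample log is constructed, and the "user-writable folder" rule is this example's own triage heuristic; like HijackThis itself, it only orders entries for review and does not decide what is good or bad.

```python
import re
from collections import Counter, namedtuple

# Constructed sample log, not taken from a real machine. The layout (header,
# "Running processes:", then "CODE - details" lines) follows HijackThis 2.x.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:15:32 AM, on 6/18/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.example.test/
O2 - BHO: (no name) - {11111111-2222-3333-4444-555555555555} - C:\WINDOWS\system32\example_bho.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\Alice\Local Settings\Temp\upd32.exe
O4 - HKLM\..\Run: [ctfmon] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Example Helper (exhelper) - Unknown owner - C:\Documents and Settings\Alice\Application Data\exhelper.exe
"""

Entry = namedtuple("Entry", "code body path")

# Meaning of the section codes used in the sample.
SECTIONS = {
    "R0": "IE start/search page",
    "O2": "Browser Helper Object",
    "O4": "autostart (Run key / Startup folder)",
    "O23": "Windows service",
}
# Sections whose entries load code automatically at boot or browser start.
LOAD_POINTS = {"O2", "O4", "O23"}

ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.+)$")
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|com|bat|scr|sys)', re.I)

# Assumption of this example: a file that starts automatically from a folder
# any user can write to is worth looking at first.
USER_WRITABLE = ("\\documents and settings\\", "\\temp\\", "\\appdata\\")


def parse_log(text):
    """Return the 'CODE - details' entries; header and process lines are skipped."""
    entries = []
    for line in text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if not match:
            continue
        code, body = match.groups()
        found = PATH_RE.search(body)
        entries.append(Entry(code, body, found.group(0) if found else None))
    return entries


def triage(text):
    """Count entries per section and pick load points in user-writable folders."""
    entries = parse_log(text)
    counts = Counter(entry.code for entry in entries)
    review = [
        entry for entry in entries
        if entry.code in LOAD_POINTS and entry.path
        and any(marker in entry.path.lower() for marker in USER_WRITABLE)
    ]
    return {"counts": dict(counts), "review": review}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for code, count in sorted(result["counts"].items()):
        print(f"{code:<4} {count}  {SECTIONS.get(code, 'other')}")
    print("Look at these first:")
    for entry in result["review"]:
        print(f"  {entry.code}: {entry.path}")
```
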
Note: You may have noticed that Spy Sweeper, Spyware Doctor, and Spybot are not mentioned in this guide. At one time all of them were considered premier tools. A lot has changed over the years, as malware has become much more complex, and all of the aforementioned programs have inferior detection/removal capabilities compared to the tools listed above. Please do not waste your time using them.
Webroot: Why bad management scared off the Spy Sweeper maker's core team
.: Virus Removal :.
It should be noted that running antivirus applications from a number of different vendors on the same computer may cause problems due to interoperability issues. System issues that can result from running more than one antivirus application in your environment at the same time include:
- Memory overhead. Many antivirus applications use active agents that stay resident in memory, reducing the amount of available system memory.
- System crashes or stop errors. Such crashes and errors can be caused by antivirus applications attempting to simultaneously scan the same file.
- Performance loss. As antivirus applications scan files for malicious code, system performance may decrease. Scans are repeatedly performed when multiple applications are used, which may lower your system performance to an unacceptable level.
- Loss of system access. Antivirus applications attempting to run concurrently may cause the system to halt during startup. This problem is more common in older versions of Windows, such as Microsoft Windows NT and Windows 9x.
For these reasons, the use of multiple antivirus applications on the same computer is not a recommended approach and should be avoided if possible. Even if you think you're using a top notch AV package please take a few minutes to read the information below. You might end up uninstalling your current AV and switching to one that offers better real-time & on-demand detection rates, superior heuristics, and possibly lower resource usage. Norton and McAfee are household names since they have been preinstalled on PCs for over a decade, so it's not uncommon for the end user to be using an old version, an expired license (e.g. no updates), or a version that eats up a lot of system resources. Should you have trouble uninstalling either product using Add or Remove Programs then I'd recommend the Symantec removal tool or the McAfee removal tool.
Independent antivirus reviews:
- AV-Comparatives is a credible antivirus review site that tests popular AV packages. For understanding how the detection rates of the antivirus products look with updated signatures and programs, have a look at their regular on-demand detection tests. The retrospective test is performed on-demand using a 3 month old virus definition database and compares the detection rate over the viruses that have appeared within the last 3 months. Users shouldn't be afraid if products have, in a retrospective test, low percentages. If the antivirus software is always kept up-to-date it will be able to detect most of the samples. IBK is now performing real-world tests instead of using a static sample set.
- AV-Test.org released the results of a lengthy real-world malware protection study. This test challenged a dozen major security suites to protect Internet-connected physical computers against up-to-the-minute threats. Each day for 60 days, researchers released 10 fresh threats on the test systems and analyzed each product's ability to detect the threat and to fully block its installation. They also checked for false alarms--valid programs reported as malware. All of the suites did a decent job, though some were significantly better than others.
- Virus Bulletin has posted the December 2009 results summary where 43 products were tested, 36 of which won a VB100 award. To some the VB100 award suggests that the tested products are capable of detecting 100% of all viruses. This is simply not true since no product is able to detect all viruses. These vendors have come to realize the marketing significance of these tests, and the effort they put into their products to pass the VB100 tests (ITW only and no FPs) may not reflect the effort they put into detecting viruses outside of those included in the VB100 test set. It's possible for an AV product to pass all the VB100 tests but still have mediocre virus detection.
Online scanners:
These quality online scanners are a great way to obtain a "second opinion" without having to uninstall your current AV software. You just need to be online and using Internet Explorer (F-Secure now supports Firefox) since these scanners use ActiveX controls to scan your computer for malicious code. All scanners listed below will detect and remove threats.
F-Secure Online Scanner
Eset (NOD32) Online Scanner
Bitdefender Online Scanner
On-demand scanners:
- Dr.Web's CureIt is a free antivirus and antispyware utility based on the Dr.Web antivirus scanner, which will help you quickly scan and, if necessary, cure your computer without installing the Dr.Web antivirus software. The utility contains the most up-to-date add-ons to the Dr.Web virus databases, which are updated up to twice per hour at periods of high malware submissions. This utility can quickly clean an infected system, but it is not a permanent tool to cure your computer in case of infection. The copy distributed on the Dr.Web web-site is always armed with the hottest add-ons to the Dr.Web virus database, but it does not include the Dr.Web Automatic Updating utility. Dr.Web CureIt! stays current until the next release of the add-on. To scan your computer with the most up-to-date Dr.Web virus databases next time you should download a new Dr.Web CureIt! package right before you are ready to scan your pc.
- The Kaspersky Virus Removal Tool is a free application that was designed to be another virus scanner and detection tool from Kaspersky. The product will scan the specified locations for any virus threats and remove them or send them to the quarantine folder. There is no real-time protection or update function, but the databases are updated multiple times each day, so be sure to download a new copy before you are ready to scan your pc.
- Avira AntiVir Rescue System is a Linux-based application that allows accessing computers that cannot be booted anymore. Thus it is possible to repair a damaged system, rescue data, and scan the system for virus infections. Just double-click on the rescue system package to burn it to a CD/DVD. You can then use this CD/DVD to boot your computer. The Avira AntiVir Rescue System is updated several times a day so that the most recent security updates are always available.
Free AV's:
What about Free AV's? Please keep in mind that these free AV's are not meant for businesses (home users only).
- Panda Cloud is the first free cloud-based antivirus thin-client. It consists of a lightweight antivirus agent that is connected in real-time to PandaLabs' online Collective Intelligence servers to protect faster against the newest malware variants while barely impacting PC performance. Thanks to Panda Security's Collective Intelligence malware and goodware online database, Panda Cloud Antivirus detects more malware than traditional signature-based solutions which take longer to detect the most recent, and therefore most dangerous, variants.
- Antivir free has industry leading detection rates. Resource usage is also extremely low (<20MB), and there is very little impact on system performance. The free version lacks webguard as well as pop3 email scanning, however the real time monitor should notify you if you open an infected file. One thing to keep in mind is that you'll encounter a popup after each update soliciting you to purchase the premium version. I've compiled a list of instructions on how to disable the annoying popup nag screen for Windows 2000/XP/Vista if you find it obtrusive.
- Avast! free includes rootkit detection, http (web) scanner, P2P & IM shields, and some other gadgets. The new version 5 is low on resource usage and offers a gaming mode. Keep in mind that you'll need to use a valid email address in order to receive the activation key, which is good for 14 months before it needs to be renewed.
- AVG free is probably the most popular free AV. The new version 9 offers basic rootkit detection. One caveat is the Linkscanner which has been known to slow down your web browsing. You can do a custom install and deselect it during setup, you can disable it in the AVG GUI, or go to your browser add-ons and disable it.
- Microsoft Security Essentials provides real-time protection for your home PC that guards against viruses, spyware, and other malicious software. MSE replaces Windows Live OneCare and Windows Defender. Keep in mind that as of Nov. 2009 there is a problem with receiving regular automatic updates. Sometimes it may take a day or two for them to trickle down, but you should be able to perform a manual update. I'd also like to point out that MSE does delay some windows opening and appears to tax the system on occasion.
Let's say you only have a couple of suspect files on your computer and you want another opinion to see whether they are clean or not. Head on over to Virustotal to scan using over 41 antivirus engines. You can also try VirSCAN.org since they offer a similar service using 36 engines.
.: Firewalls :.
All broadband users should have a firewall (FW) protecting their system(s). A Cable/DSL router (NAT box) is a very inexpensive hardware solution that most people are familiar with. Brands like Linksys and Buffalo are highly recommended. These NAT Routers typically offer stateful packet inspection (SPI), and certain wireless routers allow DD-WRT firmware to be loaded. This free open-sourced firmware offers increased wifi transmission power, WDS, QOS, website filtering, and so much more. Hardware firewalls are important because they provide a strong degree of protection from most forms of attack coming from the outside world. Additionally, in most cases, they can be effective with little or no configuration, can protect every machine on a local network, and allow you to share your internet with multiple computers. I highly recommend changing the default router login password to thwart DNSChanger trojans in addition to disabling remote management (unless you need it). Wireless routers should enable WEP64 (easy to crack) at a bare minimum for baseline security. WPA or WPA2 is more secure and supported by newer hardware. Be sure to set a unique SSID, disable wireless access web, and disable the radio if you are not using wireless. When you implement these security measures it will deter potential hackers and wardrivers so that they move on to the nearest unsecured network.
The number of individuals and businesses that have unsecured networks is alarming. I've seen people connected to a wireless network without even realizing that it belonged to someone else. Another security risk is public hotspots where other computers also connect to unsecured networks. Network attacks can be made through them, and they can possibly connect to your computer and download data from your hard drive. A good rule of thumb is that you should always use a quality (software) firewall whenever you are connected to an unsecured wireless network and promptly disconnect after you've completed your tasks. I'd advise against logging in to any websites that require a login and password while you're connected to an unsecured network since "hackers" can easily capture network traffic. Another thing to consider is that anyone connected to an unsecured network can download and engage in illegal activities. There is typically a single public IP assigned to the network (hotspot, your home, a business, etc.) and all illegal activities are tracked back to that IP. If you happen to own the unsecured network you are ultimately responsible for the content passing thru it.
The Five Deadly Dangers of Unsecured WiFi Networks
Software firewalls can only protect the machine they're installed on, so if you have multiple computers (which many homes and small offices do) you need to install and configure a software firewall separately on each machine, which could be difficult to manage. Another drawback is that the software will often pop up messages asking you to allow or deny a particular connection. The end user gets in the habit of clicking 'allow' without even reading the details of the window because they are annoyed with the popups. Most commercial software firewalls include a feature to stop all but authorized applications from sending outbound data packets to the internet. This supposedly stops malicious code from sending unauthorized communications, and also prevents PCs from being hijacked and used to send spam or participate in distributed denial-of-service attacks. The built-in Windows XP firewall (updated in SP2) only filters incoming traffic and allows any application to send outbound packets. However, once malware is on your system the security has been compromised. If an application wants to send data out, in most cases an outbound filtering firewall running on the infected machine is not going to stop it.
Virus Bulletin: Free firewalls rated best in leak tests
Matousec: Leak test results
Before installing 3rd party firewall software on a Windows XP computer, be sure that the built-in firewall is turned off. Never use two software firewalls at the same time. Test your firewall capabilities at HackerWatch.org, Firewall Leak Tests, Comodo firewall tests or AuditMyPc.
.: Prevention :.
There is no doubt that if you visit the wrong sites then malware can be installed without your consent. How much junk can get installed on a user's PC by merely visiting a single website? One individual wanted to find out so he visited a single web page taking advantage of a security hole (in an ordinary fresh copy of Windows XP) and recorded a video of the events.
Note: The latest version of Internet Explorer 6, as patched by Windows XP Service Pack 2, is not vulnerable to the installations shown in the video. Please update to Internet Explorer 8 for even greater protection. You may also want to consider installing an alternative web browser such as Firefox with the NoScript plug-in. Both IE8 and Firefox add extra layers of protection and provide additional information to users in order to help them make intelligent decisions. However no browser can force a user to make smart or sane decisions; they can only point in the right direction.
Almost all malware is unknowingly installed so please use common sense when you sit down in front of the computer. Accidents can and do happen, so here are other ways to prevent malware from being installed:
- Always install the latest service pack for your OS and make sure that (Windows) automatic updates are enabled. If Automatic Updates or Windows Update fails to download and install updates then Dial-A-fix should rectify the problem. Microsoft releases updates on the second Tuesday of each month. When a major exploit has surfaced MS will occasionally release a patch ahead of schedule. If you are using Windows XP and have not updated to SP2 please do so immediately! Service Pack 2 for Windows XP has more than 150 changes designed to improve the security and stability of the operating system. SP3 was released in Q2 2008. Although some of the improvements are not security related, most of them are. Vista is now at SP2.
- The Microsoft Baseline Security Analyzer runs on Windows 2000 SP4/XP/Vista/Server 2003/2008 systems and will scan for common security misconfigurations and missing patches/updates.
- The Secunia Software Inspector checks for insecure versions of browsers, plugins, media players, office apps, security apps, and much more.
- Microsoft no longer updates Java VM, which is full of security holes, so you should install the latest version of Sun Java. Keep in mind that a lot of current Trojans exploit old versions of Sun Java, so be sure to uninstall all old versions since they pose a security risk. JavaRa is a simple tool that will automate the task.
- One way to tighten up the security of your OS is to set up a non-administrator user account. In Windows 2000 it's called a restricted account, Windows XP calls it a limited account, and Windows Vista refers to it as a standard account. mechBgon has a how-to guide that walks you thru the configuration process. If you're using Windows XP Pro, Vista Business/Ultimate/Enterprise, or Server 2003 then you may want to also implement a Software Restriction Policy, so here's another configuration guide that mechBgon put together. The fact of the matter is that if your computers are manned by unsavvy users, a non-administrator user account and/or SRP is highly recommended.
- Switch your DNS servers to OpenDNS.
- Enable DEP for all programs. Data execution prevention (DEP) is a set of hardware and software technologies that perform additional checks on memory to help protect against malicious code exploits. In Windows XP SP2, DEP is enforced by both hardware and software. If your CPU doesn't support hardware DEP you'll see a message at the bottom of the window.
- Switch to Firefox. Firefox 3 integrates elegantly with your antivirus software. When you download a file, your computer's antivirus program automatically checks it to protect you against viruses and other malware, which could otherwise attack your computer. [available in Windows only]. I'd highly recommend the NoScript plug-in to allow active content to run only from sites you trust in addition to protecting yourself against XSS and Clickjacking attacks.
- Keep your email client updated (e.g. Microsoft Office Updates) if you use one, view messages in plain text mode, and always scan email attachments before opening them! Reduce spam by using Thunderbird or Outlook 2003/2007, since they have a regularly updated junk filter, or you can install SPAMfighter.
- Use quality antimalware tools such as the ones that are listed at the top of this guide. Use a firewall even if you're on dial-up.
- Exercise extreme caution when downloading any files. Always scan the file(s) first before you execute them! Do not trust anyone! Don't fall for the fake "abuse" emails that appear to come from your ISP or own domain. In addition you need to be aware of fake greeting ecards. They'll usually include a link for you to download a Trojan. If you use Skype, MSN Messenger, or other IM clients beware of links that ask or prompt you to download something. When your friends get infected they spam people on their buddy list.
- Be cautious about installing free software (screen savers, games, etc.) since a lot of freebies have strings attached.
- Avoid rogue P2P software since a majority of them include both adware and spyware to generate revenue. If you aren't careful about the way you configure your file sharing then you could end up with a case of identity theft.
- Avoid warez, cracks, game cheats, and pornography websites. I know it's a lot to ask but we're talking about prevention. :-)
- Beware of websites (e.g. MySpace & Facebook come to mind) suggesting that you install plug-ins and codecs in order to view videos. These Zlob and DNS Changer Trojans will wreak havoc on your pc! Check out this video from Sunbelt that shows a Trojan DNS Changer in action. Update: New MySpace Trojan discovered
- Beware of rogue advertising banners on websites and messaging programs. The Register recently reported that MySpace had a problem with their ad servers displaying ads for rogue programs such as WinAntivirus and DriveCleaner. Microsoft recently had an issue with their messenger ad servers displaying banners for Winfixer / ErrorSafe. Please take a moment to review Spyware Warrior's Rogue antispyware list to make sure that you haven't been duped.
- Ignore and close (Alt+F4) popups that claim your pc has been infected, that you need to fix computer problems, or any other "you need/should fix this problem" because 99.9% of them are scams and will hose your pc.
- Spyware Blaster prevents the installation of ActiveX-based spyware, adware, dialers, browser hijackers, and other potentially unwanted programs. It does not have to remain running in the background since it adds sites to your web browser's restricted sites area. Use the hpHosts or MVPS HOSTS file to block ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and even most hijackers. Spybot has an immunization feature, but do not rely on the detection/removal capabilities of the program.
- Returnil virtualization technology clones a computer's System Partition and boots the PC into this system rather than native Windows, allowing you to run your applications in a completely isolated environment. Hence the session and all activity, malicious or otherwise, will happen in the virtual environment, not in the real PC environment. If the PC is attacked or gets infected, all you need to do is to simply reboot the PC to erase all changes. After reboot, the system will be restored to its original state, as if nothing ever happened.
- Online Armor protects your computer's internet connection (inbound connections and outbound connections), stops unknown programs from running and detects keyloggers - plus lots more! Online Armor includes powerful "HIPS" functions, which give you the ability to stop all unrecognised programs from running on your computer unless you say so, making it possible to protect yourself against these new attacks. Of course, programs Online Armor knows are safe will be allowed to run, no problem.
- Prevx 3.0 is a powerful security application with exceptional ability to protect, detect, and remove rootkits and "early life" malicious software - including Viruses, Trojans, Worms, Spyware, and Bots. Prevx 3.0 can be used as a stand-alone security application or as part of a "defense in depth" approach alongside other antivirus, antispyware or internet security suites. Prevx 3.0 removes MBR Rootkits and Adware infections for free. More complicated infections require purchase of a malware removal license.
- Sandboxie allows you to install and run programs in a virtual sandbox environment without writing to the hard drive. When you browse the Web, changes occur to your computer system. Some are harmless, like recording the addresses of Web sites you have visited, so the browser can help you complete a Web address that you type in. Some are more harmful, like the unsolicited installation of malware. When you use Sandboxie to protect your browsing session, it catches all these changes just as the browser is about to apply them into your computer system. Sandboxie does record these changes on behalf of the browser, but it records them in a special isolated folder, called the sandbox. Thus, with Sandboxie, you can browse the Web securely while still keeping all your browser's functionality for active and dynamic content, such as JavaScript and ActiveX. All undesired side effects, including the removal of malware, can be easily undone.
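For the HOSTS-file tip in the list above, this added example (not part of the original guide, and not code from hpHosts or MVPS) audits a HOSTS file: it lists the names that are blocked by pointing them at the local machine and separates out any name that is mapped to some other address, which is a redirect rather than a block and should be reviewed. The sample file, host names and addresses are constructed; on Windows the real file is %SystemRoot%\System32\drivers\etc\hosts.

```python
import ipaddress
import sys

# Constructed sample for this example; not a real HOSTS file.
SAMPLE_HOSTS = """\
# sample HOSTS file (constructed)
127.0.0.1       localhost
::1             localhost
127.0.0.1       ads.example.test        # blocked ad server
0.0.0.0         tracker.example.test banner.example.test
203.0.113.7     update.av-vendor.example
198.51.100.9    www.bank.example
not-an-ip       broken.example.test
"""

# Names that normally point at the local machine and are not "blocks".
LOCAL_NAMES = {"localhost", "localhost.localdomain"}


def audit_hosts(text):
    """Classify every host name in a HOSTS file.

    blocked    - names sent to a loopback or unspecified address (127.x, ::1, 0.0.0.0)
    redirected - (name, address) pairs mapped to any other address
    malformed  - line numbers that are not 'address name [name ...]'
    """
    report = {"blocked": [], "redirected": [], "malformed": []}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            report["malformed"].append(lineno)
            continue
        names = [name.lower() for name in fields[1:]]
        if not names:
            report["malformed"].append(lineno)
            continue
        sinkhole = addr.is_loopback or addr.is_unspecified
        for name in names:
            if sinkhole:
                if name not in LOCAL_NAMES:
                    report["blocked"].append(name)
            else:
                # Includes 'localhost' pointed anywhere but the local machine.
                report["redirected"].append((name, str(addr)))
    return report


if __name__ == "__main__":
    # Pass the path of a HOSTS file as the first argument, or run with no
    # argument to audit the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as handle:
            content = handle.read()
    else:
        content = SAMPLE_HOSTS
    result = audit_hosts(content)
    print(f"{len(result['blocked'])} names blocked")
    for name, addr in result["redirected"]:
        print(f"REVIEW: {name} is redirected to {addr}")
    for lineno in result["malformed"]:
        print(f"REVIEW: line {lineno} is not a valid entry")
```
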
>> Most of all I can't stress enough how important it is to use common sense! >>