.: Malware Defined :.
Malware (malicious software) is software designed to infiltrate or damage a computer or network. The term is commonly taken to include computer viruses, worms, Trojan horses, spyware, adware, browser hijackers and dialers. This internet garbage not only slows your computer down; it can cause operating system errors and random popups, and redirect your browser to websites without your consent. A worm infection can turn your computer into a mass-mailing zombie. Even worse, keyloggers can grab confidential information including chat sessions, usernames, passwords, bank account details, full names, and even addresses that could be used to create fake online identities. Never give out personal information through email or instant messages, and beware of phishing scams.
McAfee, Inc. Reports on Online Identity Theft Trends
Spyware Researchers Discover ID Theft Ring
The sad thing is that "trusted" websites can no longer be trusted. Malware was once restricted to sites offering free music or porn, but today it's being served up by some of the most popular sites on the web. An average of around 8,000 new URLs containing malware emerged each day during April 2007. What's even more alarming is that 70 percent of the URLs hosting such malware are on legitimate websites that have been compromised by hackers. The outdated notion that malware only resides in the darker corners of the internet is far from the case now: users are exposed to malicious content without being aware of it. Recently Tomshardware.com was unknowingly hosting a banner ad that redirected users to a site where drive-by malware was automatically downloaded. The Avast! forums were hacked and the injected iframe code served up malware. MySpace and Excite.com (search portal) have also served up malware-laced banner ads.
.: My $.02 :.
To be quite honest, all of the guides that I have come across barely touch the surface on thorough removal and prevention. In some cases you may have come across websites that show you how to remove only specific infections. Should you decide to post for help on a security message forum, you are usually required to run several applications, post the log files, and wait for the "expert" to arrive, which could take a few days; in some cases your post may go unanswered. When your computer is hijacked it should be cleaned immediately! While I may not go in depth on how to use or configure the programs, most of it should be pretty straightforward other than HijackThis.
Unfortunately, cleaning an operating system that has been infected by malware is no longer as simple as it used to be. Malware has become increasingly difficult to clean as malware creators find more ways to avoid removal. They have been known to modify specific files to avoid detection, some files refuse to be deleted using conventional tools, others latch on to critical system files, and in some cases rootkits can mask their presence altogether. I am often asked "What are the best detection and removal tools?" The fact is that no single antivirus (AV) or antispyware (AS) application can successfully remove all malware circulating around the internet. It's not unusual to resort to an arsenal of security products in an attempt to ensure that everything has been properly removed. Everyone seems to have their own idea of the "best", and this guide will highlight my recommendations. Furthermore, there are many rogue antimalware products: some are advertised by malware itself, and some malware creators strike deals with antimalware vendors to have their software ignored. Please take a moment to review Spyware Warrior's Rogue antispyware list to make sure that you haven't been duped.
Tech advice:
- One thing to keep in mind is that you should run scans from each user account that has Administrator privileges, since startup entries and settings stored under HKEY_CURRENT_USER belong to the logged-on account and a scan run from another account will miss them.
- Remember to back up the registry (File > Export in regedit) before you edit it manually.
- Sometimes it's also necessary to repair your Windows XP or Vista installation after you've removed malware from your system. If you do not have SP3 in your original XP disc you can use the Windows XP SP3 network install package and slipstream it using AutoStreamer or nLite.
- In some cases your onboard ethernet or wireless card may not work in safe mode with networking, so I highly recommend purchasing a USB Ethernet adapter with native driver support in XP. It's also useful when troubleshooting a pc without a NIC installed.
- Ok, I'm infected. What about a fresh Windows install? If you reinstall the operating system then you'll need to reinstall Windows updates (unless you have a slipstreamed copy), drivers, assorted software, tweaks, and all of your other peripherals, which could easily take 2-4 hours. You'll then need to figure out how you were infected in the first place in order to prevent it from happening in the future. This is one of the main reasons that I rarely recommend a clean install. As long as you take the time to learn how to clean an infected system, a fresh Windows install should be a last resort (unless you have a recent known good image of your drive). If you're looking for a quality backup/imaging program I'd recommend Acronis True Image or Cobian.
I also realize that there is a lot of information in this guide that may not be considered n00b friendly, or so much information that you may lose focus. Take your time and do not get frustrated. You can use my contact form if you have questions, comments, or need advice.
.: Adware, Spyware & Trojan Removal :.
First we'll start out by installing 7-Zip, which is an open-source (free) archiver utility (better than WinZip and WinRAR). Before you run any of the removal tools below, go to Add or Remove Programs (Vista lists it as Programs or Programs and Features) and uninstall any malicious software you find there. If you have any antivirus/antispyware applications installed that are not listed in this guide, please uninstall them as well. Keep in mind that the System Volume Information folder used by System Restore is protected, so infected files copied into restore points cannot be cleaned by scanners and can be brought back by a restore. Leave System Restore enabled for now in case your pc fails to boot after removing infections. Once you are certain that your system is malware free, toggle System Restore off and back on to delete its contents and set a fresh restore point.
Download the first, second and fourth tools listed below (the Rogue removal kit, SAS and AVZ), preferably to a USB flash drive using a 'clean' pc. Install SUPERAntiSpyware (SAS) first; it is the only tool that requires a Normal Mode installation, because it uses the Windows Installer service. In some cases malware will prevent certain anti-malware tools from installing and/or updating. If SAS fails to install, try renaming the file to S_A_S.exe and run setup again; if it will not update, you can manually update the definitions. I would then recommend booting to Safe Mode with Networking to complete the other installations and scans. Safe Mode loads only a minimal set of drivers and services, so most malware (and most of the hooks it uses to hide itself and to block removal tools) is simply not running, which is why, IMO, it is the optimal setting for any sort of malware-related troubleshooting. However, some nasty infections will prevent you from booting into Safe Mode. Should this be the case, run a quick SAS and MBAM scan in Normal Mode; you should then be able to boot into Safe Mode and run everything again. The Winsock Fix (also in the Rogue removal kit) comes in handy if you lose internet access and cannot pull a valid IP from your modem or router; on XP SP2 and later, running "netsh winsock reset" from a command prompt and rebooting performs the same repair. SAS includes a lot of common repair options, including a Winsock repair.
- Rogue removal kit (updated 11-9-08) MD5: 44662979ecec45e49e5d644daa5f450b - A robust kit that I put together using some of the finest tools that detect and remove assorted trojans (Vundo, TDSServ, etc.), rootkits (including the nasty Seneka), plus other rogue applications/files. This form of malware includes those with fake security alerts that goad the end user into downloading and/or purchasing rogue software. Please check the README and follow the directions, and compare the MD5 of your download against the value above before running anything from it. In addition, do not be alarmed if some AV programs (AntiVir, Dr.Web, Kaspersky, etc.) flag certain executables in this kit as a "Trojan" and/or "RiskTool": AV programs cannot distinguish between "good" and "malicious" use of such programs, so they alert on the tool itself.
- SUPERAntiSpyware - uses its own scanning engine (which the vendor calls Multi-Dimensional Scanning and Process Interrogation Technology) and detects spyware that other products miss. SUPERAntiSpyware (SAS) must be installed in Normal Mode so that its drivers install properly. The paid version adds real-time protection, scheduling, automatic updates, and more. SAS has virtually zero impact on system performance, and is arguably the best anti-spyware/adware/trojan application on the market.
- Malwarebytes' Anti-Malware - the Realtime Protection Module (a feature of the paid version) monitors every process and stops malicious processes before they even start, using heuristic scanning to keep your system safe. In addition, Malwarebytes runs a threat center that keeps you up to date with the latest malware threats. MBAM is light on resource usage, can be installed in Safe Mode, and its quick scan is extremely fast and very thorough. MBAM is included in the Rogue removal kit and is considered a premier tool.
- AVZ - A very powerful standalone anti-malware tool from Oleg (who joined the Kaspersky development team in 2007) that detects and removes spyware, adware, dialers, trojans, keyloggers, backdoors, network and email worms, and rootkits. It also has a host of other useful features, and you can run it from a USB flash drive. Before starting a scan, click Database Update at the lower right of the GUI. Then, under Actions, select "Perform Healing" and make sure the three options above the Start button are selected.
- HijackThis - A free utility that quickly scans your computer for settings that may have been changed by spyware, malware or other unwanted programs. HijackThis creates a report, or log file, with the results of the scan, but it does not determine what is good or bad; do not make any changes to your settings unless you are an expert computer user. Do not run HijackThis from the desktop, a temp folder, or a sub-folder of C:\documents and settings: it keeps backups of the entries it removes in its own folder, and those backups are lost when temp folders are cleaned. If you aren't sure which items to remove, you can analyze your own log using the automated tool offered by HiJackThis.de Security. If you want to learn how to read your own log, I'd recommend Bleeping Computer's HJT Guide. Of course you can also visit popular support forums such as MajorGeeks, Bleeping Computer, Spyware Warrior, What the Tech (TomCoyote), and SWI for advice; however, be sure to read the stickies at the top of the forum before posting a HJT thread.
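Since HijackThis only reports and never judges, a first pass over the log is something you can script yourself. The following is an added example (my code, not part of the guide, the Rogue removal kit or HijackThis): it flags O4 startup entries that launch from temp or recycle-bin locations, and O17 DNS entries that point outside the address ranges a home router hands out, which is the key a DNS Changer Trojan rewrites. The sample log lines are constructed to follow the HJT line format; the entry names, paths, {GUID} and 192.0.2.x addresses (RFC 5737 documentation range) are placeholders, and the list of suspicious folders is my assumption, not an HJT rule.

```python
import ipaddress
import re

# Constructed sample in the HijackThis log line format (not a log from the guide or
# its author). Entry names, paths and the {GUID} are placeholders; 192.0.2.x is the
# RFC 5737 documentation range standing in for a rogue DNS server.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [wmsdk32] C:\Documents and Settings\Bob\Local Settings\Temp\wmsdk32.exe /s
O4 - HKLM\..\RunOnce: [cleanup] C:\RECYCLER\S-1-5-21-1234\setup.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{A1B2C3D4-0000-0000-0000-000000000001}: NameServer = 192.0.2.10,192.0.2.11
O17 - HKLM\System\CS1\Services\Tcpip\..\{A1B2C3D4-0000-0000-0000-000000000002}: NameServer = 192.168.1.1
"""

# Ranges a home LAN adapter should be pointing at for DNS (the router, or a
# private address assigned by it); anything else deserves a look.
LAN_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

# Folders a legitimate Run entry has no business launching from (assumption).
# Order matters: the first marker found is the one reported.
SUSPICIOUS_DIRS = ("\\temp\\", "\\tmp\\", "\\recycler\\", "\\recycled\\",
                   "\\local settings\\", "\\application data\\")

O4_RE = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
O17_RE = re.compile(r"^O17 - (?P<key>.+): NameServer = (?P<servers>[0-9.,\s]+)$")
# A quoted path, an unquoted path up to its extension, or a bare first token.
PATH_RE = re.compile(
    r'"([^"]+)"|(.+?\.(?:exe|dll|scr|com|bat|cmd|pif|vbs))(?=\s|$)|(\S+)', re.I)


def program_path(command):
    """Pull the program path out of a Run-key command line."""
    m = PATH_RE.match(command.strip())
    if not m:
        return command.strip()
    return next(g for g in m.groups() if g)


def triage(log_text):
    """Return (log_line, reason) pairs for entries worth a closer look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            path = program_path(m.group("cmd")).lower().replace("/", "\\")
            for marker in SUSPICIOUS_DIRS:
                if marker in path:
                    findings.append(
                        (line, "startup entry launches from a '%s' folder"
                         % marker.strip("\\")))
                    break
            continue
        m = O17_RE.match(line)
        if m:
            for server in m.group("servers").replace(" ", "").split(","):
                if server and not any(
                        ipaddress.ip_address(server) in net for net in LAN_RANGES):
                    findings.append(
                        (line, "DNS server %s is outside the LAN ranges; confirm it "
                               "is your ISP's, a DNS Changer Trojan rewrites this key"
                         % server))
                    break
    return findings


if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG):
        print("%s\n    -> %s" % (entry, why))
```

A hit from this script is a reason to look closer, not a verdict: the Java updater and ctfmon lines pass because they launch from Program Files and system32, while the entry under a user's Temp folder and the one under RECYCLER are exactly the sort of thing a forum helper would ask about first. Feed it a real log with "python triage.py" after replacing SAMPLE_LOG with the file contents.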
Note: You may have noticed that Spy Sweeper, Spyware Doctor, Spybot, and Ad-Aware are not mentioned in this guide. At one time all of them were considered premier tools. A lot has changed over the years, as malware has become much more complex, and all of the aforementioned programs have inferior detection/removal capabilities compared to the tools listed above. Please do not waste your time using them.
Ex: Webroot: Why bad management scared off the Spy Sweeper maker's core team
.: Virus Removal :.
It should be noted that running antivirus applications from a number of different vendors on the same computer may cause problems due to interoperability issues. System issues that can result from running more than one antivirus application in your environment at the same time include:
- Memory overhead. Many antivirus applications use active agents that stay resident in memory, reducing the amount of available system memory.
- System crashes or stop errors. Such crashes and errors can be caused by antivirus applications attempting to simultaneously scan the same file.
- Performance loss. As antivirus applications scan files for malicious code, system performance may decrease. Scans are repeatedly performed when multiple applications are used, which may lower your system performance to an unacceptable level.
- Loss of system access. Antivirus applications attempting to run concurrently may cause the system to halt during startup. This problem is more common in older versions of Windows, such as Microsoft Windows NT and Windows 9x.
For these reasons, running multiple antivirus applications on the same computer is not recommended and should be avoided if possible. Even if you think you're using a top-notch AV package, please take a few minutes to read the information below. You might end up uninstalling your current AV and switching to one that offers better real-time and on-demand detection rates, superior heuristics, and possibly lower resource usage. Norton and McAfee are household names because they have been preinstalled on PCs for over a decade, so it's not uncommon for the end user to be running an old version, an expired license (i.e. no updates), or a version that eats up a lot of system resources. Should you have trouble uninstalling either product using Add or Remove Programs, I'd recommend the Symantec removal tool or the McAfee removal tool.
Independent antivirus reviews:
- AV-Comparatives is a credible antivirus review site that tests popular AV packages. For understanding how the detection rates of the antivirus products look with updated signatures and programs, have a look at their regular on-demand detection tests. The retrospective test is performed on-demand using a 3 month old virus definition database and compares the detection rate over the viruses that have appeared within the last 3 months. Users shouldn't be afraid if products have, in a retrospective test, low percentages. If the antivirus software is always kept up-to-date it will be able to detect most of the samples. IBK just posted the March 2008 On-Demand tests.
- AV-Test.org has released the results of a major comparative of suite products, with many vendors' 2009 editions included in the results. The test covers a range of metrics, including detection rates over various types of malware including adware and spyware, false positive rates, scanning speed, proactive detection, and response times to outbreaks.
- Virus Bulletin tested 35 different antivirus products for their detection rates, lack of false alarms, and speed of scanning on Windows XP Service Pack 3. In August 2008, 35 products were tested, 26 of them won a VB100 award and 9 antivirus products failed. To some the VB100 award suggests that the tested products are capable of detecting 100% of all viruses. This is simply not true, since no product is able to detect all viruses. Vendors have come to realize the marketing significance of these tests, and the effort they put into passing the VB100 criteria (detect every sample on the in-the-wild list with no false positives) may not reflect the effort they put into detecting viruses outside that test set. It's possible for an AV product to pass all the VB100 tests but still have mediocre virus detection.
Online scanners:
These quality online scanners are a great way to get a "second opinion" without having to uninstall your current AV software. You just need to be online and using Internet Explorer, since these scanners use Microsoft ActiveX controls to scan your computer for malicious code. All scanners listed below will detect and remove threats.
F-Secure Online Scanner
Eset (NOD32) Online Scanner
BitDefender Online Scanner
On-demand scanners:
- The Kaspersky Virus Removal Tool (2000/XP/Vista) is a free on-demand scanner from Kaspersky. It scans the specified locations for threats and removes them or sends them to the quarantine folder. There is no real-time protection or update function, but the databases are updated multiple times each day, so be sure to download a new copy right before you scan your pc.
- Dr.Web's CureIt! is a free antivirus and antispyware utility based on the Dr.Web scanner. It will quickly scan and, if necessary, cure a computer running Windows 95 OSR2/98/Me/NT 4.0/2000/XP/2003/Vista without installing the Dr.Web antivirus software. Each download bundles the latest add-ons to the Dr.Web virus databases (refreshed as often as twice an hour in periods of heavy malware submissions), but the utility has no automatic updater, so it is only current until the next add-on is released. That makes it a quick way to clean an infected system, not a permanent protection tool. To scan with the most up-to-date databases next time, download a fresh CureIt! package right before you are ready to scan your pc. Dr.Web now detects and cures Win32.Ntldrbot (aka Rustock.C)!
- Avira AntiVir Rescue System is a Linux-based application that allows accessing computers that cannot be booted anymore. Thus it is possible to repair a damaged system, rescue data, and scan the system for virus infections. Just double-click on the rescue system package to burn it to a CD/DVD. You can then use this CD/DVD to boot your computer. The Avira AntiVir Rescue System is updated several times a day so that the most recent security updates are always available.
Free AV's:
What about Free AV's? Please keep in mind that these free AV's are not meant for businesses (home users only).
AntiVir free has industry-leading detection rates. The Avira team continues to refine the product, adding rootkit detection in the new version 8. Resource usage is also extremely low (<20MB) and there is very little impact on system performance. The free version lacks the WebGuard as well as POP3 email scanning; however, the real-time monitor should still alert you when an infected file is opened or written to disk. The Q2 2008 update improves how locked infected files are handled (eg. Vundo). One thing to keep in mind is that you'll encounter a popup after each update soliciting you to purchase the premium version. I've compiled a list of instructions on how to disable the annoying popup nag screen for Windows 2000/XP/Vista if you find it obtrusive.
Avast! free lacks script blocking and built-in scheduled scanning; however it includes rootkit detection, http (web) scanner, P2P & IM shields, and some other gadgets. If you want to set up a scheduled scan then you can use the task scheduler. You'll need to use a valid email address in order to receive the activation key which is good for 14 months before it needs to be renewed. AVG free is probably the most popular free AV, but IMO v8 is a mixed bag and lacks rootkit detection.
Let's say you only have a couple of suspected files on your computer and you want another opinion on whether they are clean or not. Head on over to VirusTotal to scan them with more than 30 antivirus engines; you can also search VirusTotal by a file's hash to see whether someone has already submitted it. VirSCAN.org offers a similar service using 36+ engines.
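Two places in this guide come down to a file hash: the MD5 published for the Rogue removal kit above, and the hash lookup you can do on VirusTotal before uploading a suspect file. The following is an added example (my code, not from the guide's author or from VirusTotal) that streams a file through MD5 and SHA-256 and checks the MD5 against a published value in constant time. The file it hashes in the demo is a constructed three-byte stand-in, not the kit; the kit's real MD5 appears only as the "wrong" expected value to show a mismatch being caught.

```python
import hashlib
import hmac
import os
import tempfile


def file_digests(path, chunk_size=1 << 20):
    """Return {"md5": ..., "sha256": ...} hex digests for a file, streamed in
    1 MiB chunks so a large installer never has to fit in memory."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def verify_download(path, expected_md5):
    """True only if the file's MD5 equals the published value. The comparison is
    case-insensitive and constant-time (hmac.compare_digest)."""
    actual = file_digests(path)["md5"]
    return hmac.compare_digest(actual.lower(), expected_md5.strip().lower())


def demo():
    """Hash a constructed stand-in file (the bytes 'abc', not the real kit) and
    check it against a matching and a non-matching published MD5."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"abc")
        path = tmp.name
    try:
        digests = file_digests(path)
        ok = verify_download(path, "900150983cd24fb0d6963f7d28e17f72")
        # The guide's published MD5 for the Rogue removal kit; it does not match
        # our stand-in file, so this must come back False.
        tampered = verify_download(path, "44662979ecec45e49e5d644daa5f450b")
    finally:
        os.unlink(path)
    return digests, ok, tampered


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        # usage: python checkhash.py <downloaded file> <published md5>
        print("OK" if verify_download(sys.argv[1], sys.argv[2])
              else "MISMATCH: do not run this file")
    else:
        print(demo())
```

A matching hash only proves the file is the one the publisher described; it says nothing about whether that file is safe, which is why the SHA-256 is also printed: paste it into VirusTotal's search to see existing scan results without uploading anything.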
.: Firewalls :.
All broadband users should have a firewall (FW) protecting their system(s). A cable/DSL router (NAT box) is a very inexpensive hardware solution that most people are familiar with; brands like Linksys and Buffalo are highly recommended. These NAT routers typically offer stateful packet inspection (SPI), and certain wireless routers allow the free, open-source DD-WRT firmware to be loaded, which adds increased wifi transmission power, WDS, QoS, website filtering, and much more. Hardware firewalls are important because they drop unsolicited inbound connections from the outside world, which blocks most forms of network attack against the machines behind them. Additionally, in most cases, they are effective with little or no configuration, protect every machine on the local network, and let you share your internet connection among multiple computers. I highly recommend changing the default router login password to avoid being hacked, and disabling remote management (unless you need it). On a wireless router also set a unique SSID, disable administration of the router over the wireless interface, and disable the radio if you are not using the wireless capabilities. Use WPA2 with AES (CCMP) if your router and adapter support it, otherwise WPA; AES is both stronger and, on most adapters, lower overhead than TKIP. WEP (64- or 128-bit) is broken, and freely available tools recover the key from a few minutes of captured traffic, so treat it as a last resort for old hardware that supports nothing better rather than as a bare minimum. When you implement these security measures it will deter potential hackers and wardrivers.
It's alarming how many individuals and businesses have unsecured networks. I've seen people connected to a wireless network without even realizing that it belonged to someone else. Another security risk on public hotspots involves the other computers that connect to the same unsecured network: attacks can be made from them, and they may be able to connect to your computer and read data from your hard drive. Firewalls guard against these incoming attackers. Always use a quality firewall whenever you are connected to an "unsecured wireless network", and disconnect after you've completed your tasks. On such a network, never visit secure sites (banking, stocks, etc.) or do anything that requires a login and password.
Software firewalls can only protect the machine they're installed on, so if you have multiple computers (which many homes and small offices do) you need to install and configure a software firewall separately on each machine which could be difficult to manage. Another drawback is the software will often popup messages asking you to allow or deny a particular connection. The end user gets in the habit of clicking 'allow' without even reading the details of the window because they are annoyed with the popups. Most commercial software firewalls include a feature to stop all but authorized applications from sending outbound data packets to the internet. This supposedly stops malicious code from sending unauthorized communications, and also prevents PCs from being hijacked and used to send spam or participate in distributed denial-of-service attacks. The built-in Windows XP firewall (updated in SP2) only filters incoming traffic and allows any application to send outbound packets. However once malware is on your system then the security has been compromised. If an application wants to send data out in most cases an outbound filtering firewall running on the infected machine is not going to stop it.
Virus Bulletin: Free firewalls rated best in leak tests
Matousec: Leak test results
Before installing 3rd party firewall software on a Windows XP computer, be sure that the built-in firewall is turned off. Never use two software firewalls at the same time. Test your firewall capabilities at HackerWatch.org, Firewall Leak Tests, Comodo firewall tests or AuditMyPc.
.: Prevention :.
There is no doubt that if you visit the wrong sites then malware can be installed without your consent. How much junk can get installed on a user's PC by merely visiting a single website? One individual wanted to find out so he visited a single web page taking advantage of a security hole (in an ordinary fresh copy of Windows XP) and recorded a video of the events.
Note: The latest version of Internet Explorer 6, as patched by Windows XP Service Pack 2, is not vulnerable to the installations shown in the video. Please update to Internet Explorer 7 for even greater protection. You may also want to consider installing an alternative web browser such as Firefox with the NoScript plug-in. Both IE7 and Firefox add extra layers of protection and provide additional information to users in order to help them make intelligent decisions. However no browser can force a user to make smart or sane decisions; they can only point in the right direction.
Almost all malware is unknowingly installed so please use common sense when you sit down in front of the computer. Accidents can and do happen, so here are other ways to prevent malware from being installed:
- Always install the latest service pack for your OS and make sure that (Windows) Automatic Updates is enabled. If Automatic Updates or Windows Update fails to download and install updates, Dial-a-fix should rectify the problem. Microsoft releases updates on the second Tuesday of each month; when a major exploit has surfaced, MS will occasionally release a patch ahead of schedule. If you are using Windows XP and have not updated to SP2, please do so immediately! Service Pack 2 for Windows XP has more than 150 changes designed to improve the security and stability of the operating system; although some of the improvements are not security related, most of them are. SP3 was released in Q2 2008.
- The Microsoft Baseline Security Analyzer runs on Windows 2000 SP4/XP/Vista/Server 2003/2008 systems and will scan for common security misconfigurations and missing patches/updates.
- The Secunia Software Inspector checks for insecure versions of browsers, plugins, media players, office apps, security apps, and much more.
- Microsoft no longer updates its Java VM, which is full of security holes, so you should install the latest version of Sun Java. Keep in mind that a lot of current Trojans exploit old versions of Sun Java, and a Java update does not remove the versions already installed, so be sure to uninstall all old versions since they pose a security risk. JavaRa is a simple tool that will automate the task.
- One way to tighten up the security of your OS is to set up a non-administrator user account. In Windows 2000 it's called a restricted account, Windows XP calls it a limited account, and Windows Vista refers to it as a standard account. Most malware needs to write to Program Files, the system folder or HKEY_LOCAL_MACHINE, or to install a driver, none of which a non-administrator account can do. mechBgon has a how-to guide that walks you through the configuration process. If you're using Windows XP Pro, Vista Business/Ultimate/Enterprise, or Server 2003 then you may want to also implement a Software Restriction Policy, so here's another configuration guide that mechBgon put together. The fact of the matter is that if your computers are used by unsavvy users, a non-administrator user account and/or SRP is highly recommended.
- Enable DEP for all programs. Data Execution Prevention (DEP) marks memory pages that hold data as non-executable, so code an exploit injects (for example through a buffer overflow) cannot run from them. In Windows XP SP2 and later, DEP has a hardware part, which requires a CPU with the NX/XD bit, and a software part. By default Windows only protects its own binaries (OptIn); choose "Turn on DEP for all programs and services except those I select" under System Properties > Advanced > Performance Settings > Data Execution Prevention (this is OptOut, i.e. /noexecute=OptOut in boot.ini) so that browsers, media players and other third-party programs are covered too. If your CPU doesn't support hardware DEP you'll see a message at the bottom of that window.
- As I've previously mentioned, stop using Internet Explorer and switch to Firefox. I'd highly recommend the NoScript plug-in to allow active content to run only from sites you trust, and protect yourself against XSS and Clickjacking attacks.
- Keep your email client updated (eg. Microsoft Office Updates) if you use one, view messages in plain text mode, and always scan email attachments before opening them! Reduce spam by using Thunderbird, Outlook 2003, or you can install SPAMfighter.
- Use quality antimalware tools like the ones that are listed at the top of this guide, and use a firewall even if you're on dial-up.
- Exercise extreme caution when downloading any files. Always scan the file(s) first before you execute them! Do not trust anyone! Don't fall for the fake "abuse" emails that appear to come from your ISP or own domain. In addition you need to be aware of fake greeting ecards. They'll usually include a link for you to download a Trojan. If you use Skype, MSN Messenger, or other IM clients beware of links that ask or prompt you to download something. When your friends get infected they spam people on their buddy list.
- Be cautious about installing free software (screen savers, games, etc.) since a lot of freebies have strings attached.
- Avoid rogue P2P software (view the clean/infected P2P list) since a majority of them include both adware and spyware to generate revenue.
- Avoid warez, cracks, game cheats, and pornography websites. I know it's a lot to ask but we're talking about prevention. :-)
- Beware of websites (eg. MySpace) suggesting that you install plug-ins and codecs in order to view videos. These zlob and DNS Changer Trojans will wreak havoc on your pc! Check out this video from Sunbelt that shows a Trojan DNS Changer in action. Update: New MySpace Trojan discovered
- Beware of rogue advertising banners on websites and messaging programs. The Register recently reported that MySpace had a problem with their ad servers displaying ads for rogue programs such as WinAntivirus and DriveCleaner. Microsoft recently had an issue with their messenger ad servers displaying banners for Winfixer / ErrorSafe. Please take a moment to review Spyware Warrior's Rogue antispyware list to make sure that you haven't been duped.
- Ignore and close (Alt+F4) popups that claim your pc has been infected, that you need to fix computer problems, or any other "you need/should fix this problem" message, because 99.9% of them are scams and will hose your pc.
- SpywareBlaster prevents the installation of ActiveX-based spyware, adware, dialers, browser hijackers, and other potentially unwanted programs. It does not have to remain running in the background, since it works by setting kill bits for known-bad ActiveX controls and adding sites to your browser's Restricted sites zone. You can also use IE-SPYAD to add a long list of sites and domains associated with known advertisers, marketers, and crapware pushers to the Restricted sites zone of Internet Explorer. Use the hpHosts or MVPS HOSTS file to block ads, banners, 3rd-party cookies, 3rd-party page counters, web bugs, and even most hijackers; the same file can be abused in the other direction, so make sure it contains no entries pointing Windows Update or your AV vendor's domains at an unexpected address. Spybot has an immunization feature, but do not rely on the detection/removal capabilities of the program.
- Returnil virtualization technology clones a computer's system partition and boots the PC into this clone rather than native Windows, allowing you to run your applications in a completely isolated environment. Hence the session and all activity, malicious or otherwise, happens in the virtual environment, not in the real PC environment. If the PC is attacked or gets infected, all you need to do is reboot the PC to erase all changes. After reboot, the system is restored to its original state, as if nothing ever happened.
- Online Armor protects your computer's internet connection (inbound connections and outbound connections), stops unknown programs from running and detects keyloggers - plus lots more! Online Armor includes powerful "HIPS" functions, which give you the ability to stop all unrecognised programs from running on your computer unless you say so, making it possible to protect yourself against these new attacks. Of course, programs Online Armor knows are safe will be allowed to run, no problem.
- Threatfire (user friendly and low resource usage) does not rely on signatures, but instead constantly analyzes your computer's behavior to detect and block any malicious activity. Protects against both known and zero-day viruses, worms, trojans, buffer overflows, rootkits and even some spyware. It also works with your existing AV, antispyware, and firewall. Threatfire is known as a "quiet" HIPS program, rarely popping up a warning screen unless a possible malicious attack is at hand.
- Sandboxie is a sandboxing program designed to isolate your PC from internet-based threats. Unlike antivirus programs that rely on signatures to detect threats, it protects your PC by fencing off and isolating potentially dangerous programs (your web browser, for instance) so they can't infect your PC. It doesn't replace your AV program but rather provides an additional layer of protection.
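The HOSTS file cuts both ways: the MVPS and hpHosts lists use it to send ad and malware domains to 127.0.0.1, while the DNS Changer and other hijackers mentioned in the prevention list use the very same file to send Windows Update and antivirus vendors somewhere else. The following is an added example (my code, not from the guide's author, MVPS or hpHosts) that parses a HOSTS file, counts the normal blocklist entries, flags mappings that redirect protected domains to a real address, and writes a cleaned copy. The sample file is constructed; 192.0.2.10 is a placeholder from the RFC 5737 documentation range, and the list of protected domains is my assumption, to be extended with your own AV vendor.

```python
import ipaddress

# Targets a blocklist HOSTS file legitimately maps unwanted sites to.
NULL_TARGETS = {"127.0.0.1", "0.0.0.0", "::1"}

# Domains a hijacker redirects so that updates and removal tools stop working.
# This list is an assumption, not from the guide; add your own AV vendor.
PROTECTED_SUFFIXES = (
    "microsoft.com", "windowsupdate.com", "symantec.com", "mcafee.com",
    "avira.com", "avast.com", "kaspersky.com", "malwarebytes.org",
    "superantispyware.com", "drweb.com", "eset.com",
)

# Constructed sample HOSTS file (not the MVPS or hpHosts list). 192.0.2.10 is a
# placeholder from the RFC 5737 range standing in for a hijacker's server.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       ad.doubleclick.net   # blocked ad server
127.0.0.1       www.badware-example.test
0.0.0.0         counter.example.test
192.0.2.10      www.microsoft.com
192.0.2.10      update.microsoft.com windowsupdate.microsoft.com
192.0.2.10      www.avira.com
192.168.1.20    fileserver           # LAN host, fine
"""


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping, skipping comments and junk."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not an address-then-names line
        for host in parts[1:]:
            yield no, parts[0], host.lower()


def is_protected(host):
    """True for a protected domain or any subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in PROTECTED_SUFFIXES)


def audit_hosts(text):
    """Count blocklist entries and flag mappings that redirect protected domains."""
    report = {"blocked": 0, "hijacks": [], "other": []}
    for no, ip, host in parse_hosts(text):
        if host == "localhost":
            continue
        if ip in NULL_TARGETS:
            report["blocked"] += 1                  # normal blocklist entry
        elif is_protected(host):
            report["hijacks"].append((no, ip, host))
        else:
            report["other"].append((no, ip, host))  # LAN names etc.; review by eye
    return report


def clean_hosts(text):
    """Return the file with every line that carries a hijacked mapping removed."""
    bad_lines = {no for no, _, _ in audit_hosts(text)["hijacks"]}
    return "\n".join(line for no, line in enumerate(text.splitlines(), 1)
                     if no not in bad_lines) + "\n"


if __name__ == "__main__":
    import sys
    # usage: python hostsaudit.py C:\WINDOWS\system32\drivers\etc\hosts
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as f:
            text = f.read()
    else:
        text = SAMPLE_HOSTS
    report = audit_hosts(text)
    print("blocklist entries:", report["blocked"])
    for no, ip, host in report["hijacks"]:
        print("HIJACK line %d: %s -> %s" % (no, host, ip))
```

On XP and Vista the live file is %SystemRoot%\system32\drivers\etc\hosts; Spybot's immunization sets it read-only, so clear that attribute before overwriting it with the cleaned copy, and re-run the audit afterwards. Entries under "other" are not necessarily bad (a LAN file server is the usual case) but are worth a glance, since a blocklist never needs anything except the null targets.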
>> Most of all I can't stress enough how important it is to use common sense! >>