EliteKiller.com - are you Elite?

.: Malware Defined :.

Malware (malicious software) is software designed to infiltrate or damage a computer or network. Malware is commonly taken to include computer viruses, worms, Trojan horses, spyware, adware, hijackers and dialers. This internet garbage not only slows your computer down, it can cause operating system errors, random popups, and redirect your browser to websites without your consent. If you are infected with worms your computer can become a mass-mailing zombie. Even worse, keyloggers can grab confidential information that includes chat sessions, usernames, passwords, bank account information, full names, and even addresses that could be used to create fake online identities. Never give out personal info thru email or instant messages and beware of phishing scams.

McAfee, Inc. Reports on Online Identity Theft Trends
Spyware Researchers Discover ID Theft Ring

The sad thing is that "trusted" websites can no longer be trusted. Malware was once restricted to sites offering free music or porn, but today it's being served up by some of the most popular sites on the web. An average of around 8,000 new URL's containing malware emerged each day during April (2007). What's even more alarming is that 70 percent of URL's hosting such malware are found on legitimate web sites that have been targeted by hackers. The outdated notion that malware only resides in the darker corners of the internet is far from the case now. Users are being exposed to malicious content without them being aware of it. Recently Tomshardware.com was unknowingly hosting a banner ad which was redirecting users to a site where driveby malware was automatically downloaded. The Avast! forums were recently hacked and the injected iframe code was serving up malware. MySpace & Excite.com (search portal) are also serving up malware-laced banner ads.

.: My $.02 :.

To be quite honest all of the guides that I have come across barely touch the surface on thorough removal and prevention. In some cases you may have come across websites that show you how to only remove specific infections. Should you decide to post for help on a security message forum you are usually required to run several applications, post the log files, and wait for the "expert" to arrive which could take a few days; in some cases your post may go unanswered. When your computer is hijacked it should be cleaned immediately! While I may not go in depth on how to use or configure the programs most of it should be pretty straight forward other than HiJack This.

Unfortunately, cleaning an operating system that has been infected by malware is no longer as simple as it used to be. Malware has become increasingly more difficult to clean, as malware creators find more ways to avoid removal. They have been known to modify specific files to avoid detection, some files refuse to be deleted using conventional tools, others latch on to critical system files, and in some cases rootkits can mask their detection altogether. I am often asked "What are the best detection and removal tools?" The fact is that no single antivirus (AV) or antispyware (AS) application can successfully remove all malware circulating around the internet. It's not unusual to resort to an arsenal of security products in an attempt to ensure that everything has been properly removed. Everyone seems to have their own idea of the "best", and this guide will highlight my recommendations. Furthermore, there are many rogue antimalware products, from those that are advertised by malware or those from malware creators who strike deals with antimalware creators to ignore their software. Please take a moment to review Spyware Warrior's Rogue antispyware list and to make sure that you haven't been duped.

Tech advice:

One thing to keep in mind is that you should run scans on each user account that has Administrator priviliges.
Remember to backup the registry before you edit it manually.
Sometimes it's also necessary to repair your Windows XP or Vista installation after you've removed malware from your system. If you do not have SP3 in your original XP disc you can use the Windows XP SP3 network install package and slipstream it using AutoStreamer or nLite.
In some cases your onboard ethernet or wireless card may not work in safe mode with networking, so I highly recommend purchasing a USB Ethernet adapter with native driver support in XP. It's also useful when troubleshooting a pc without a NIC installed.
Ok, I'm infected. What about a fresh Windows install? If you reinstall the operating system then you'll need to reinstall Windows updates (unless you have a slipstreamed copy), drivers, assorted software, tweaks, and all of your other peripherals which could easily take take 2-4 hours. You'll then need to figure out how you were infected in the first place in order to prevent it from happening in the future. This is one of the main reasons that I rarely recommend a clean install. As long as you take the time to learn how to clean an infected system a fresh Windows install should be a last resort (unless you have a recent known good image of your drive). If you're looking for a quality backup/imaging program I'd recommend Acronis True Image or Cobian.

I also realize that there is a lot of information in this guide that may not be considered n00b friendly, or so much information that you may lose focus. Take your time and do not get frustrated. You can use my contact form if you have questions, comments, or need advice.

.: Adware, Spyware & Trojan Removal :.

First we'll start out by installing 7-Zip which is an open-source (free) archiver utility. Before running any of the removal tools below I'd highly recommend that you first uninstall malicious software. If you have any antivirus/spyware applications installed that are not listed in this guide please uninstall them as well. Keep in mind that the System Restore is a protected directory that can trap viruses and other applications inside. Leave it enabled in case your pc fails to boot to the OS after removing infections. Once you are certain that your system is malware free you can toggle the System Restore to delete the contents and set a fresh restore point.

Download the items listed below preferably to a USB flash drive using a 'clean' pc. Now boot to Safe Mode with Networking to complete the installations and start the scanning process. Booting to Safe Mode is important because it disables most drivers, running applications, and is less vulnerable to attack. For these reasons Safe Mode is the optimal setting for performing any sort of malware-related troubleshooting. However in some cases you may be unable to boot into Safe Mode if your pc has some nasty infections. Should this be the case I recommend you run a quick MBAM scan while in Normal Mode. Now you should be able to boot into Safe Mode and run all of the utilities. The Winsock Fix (also in the Rogue removal kit) comes in handy in case you lose your internet access and cannot pull a valid IP from your modem or router.

Rogue removal kit (updated 1-26-10) - A robust kit I put together using some of the finest tools that detect and remove assorted trojans (Vundo, TDSServ, etc.), rootkits (including the nasty CLB), and other rogue antivirus/antispyware (Antivirus XP 2008/2009/360, SpywareGuard, Personal Antivirus, etc.). This form of malware includes those with fake security alerts that goad the end user into downloading and/or purchasing rogue software. Please check the README and follow the directions. In addition, do not be alarmed if some programs detect certain executables in this kit as a "Trojan" and/or "RiskTool". AV programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
Malwarebytes' Anti-Malware - Malwarebytes' antimalware monitors every process and stops malicious processes before they even start. The Realtime Protection Module (which does not work in x64) uses advanced heuristic scanning technology which monitors your system to keep it safe and secure. In addition, they have implemented a threats center which will allow you to keep up to date with the latest malware threats. MBAM is not heavy on resource usage, can be installed in Safe Mode, and the quick scan is extremely fast and very thorough. MBAM is in the rogueremoval kit and considered a premier tool.
Hitman Pro - will scan your PC for malware in a few minutes using GData, NOD32, Antivir, Prevx, and A-Squared. If malware is detected during the behavioral scan the actual identification of these potential malware files is then done on the Hitman Pro servers - the "Scan Cloud". Hitman Pro 3 does not leave a program running in the background that continuously checks incoming e-mail and downloaded files for malware. Therefore you need to scan your PC regularly to ensure your PC is not infected. Hitman Pro 3 can be used in combination with any other security suite. Scanning your PC for malware with Hitman Pro 3 will always be free so if you already have a security suite on your PC, it is an ideal program to make sure your security suite has not missed anything.
Hijack This - A free utility which quickly scans your computer to find settings that may have been changed by spyware, malware or other unwanted programs. HijackThis creates a report, or log file, with the results of the scan, but it does not determine what is good or bad. Do not make any changes to your computer settings unless you are an expert computer user. Do not run Hijack This from the desktop, a temp folder, or a sub-folder of C:\documents and settings. If you aren't sure about which items to remove you can analyze your own using the automated tool offered by HiJackThis.de Security. If you want to learn how to read your own log then I'd recommend Bleeping Computer's HJT Guide. Of course you can also visit popular support forums such as MajorGeeks, Bleeping Computer, Spyware Warrior, What the Tech (TomCoyote), and SWI for assistance.

Note: You may have noticed that Spy Sweeper, Spyware Doctor, Spybot, and Ad-Aware are not mentioned in this guide. At one time all of them were considered premier tools. A lot has changed over the years, as malware has become much more complex, and all of the aforementioned programs have inferior detection/removal capabilities compared to the tools listed above. Please do not waste your time using them.

Webroot: Why bad management scared off the Spy Sweeper maker's core team

.: Virus Removal :.

It should be noted that running antivirus applications from a number of different vendors on the same computer may cause problems due to interoperability issues. System issues that can result from running more than one antivirus application in your environment at the same time include:

Memory overhead. Many antivirus applications use active agents that stay resident in memory, reducing the amount of available system memory.
System crashes or stop errors. Such crashes and errors can be caused by antivirus applications attempting to simultaneously scan the same file.
Performance loss. As antivirus applications scan files for malicious code, system performance may decrease. Scans are repeatedly performed when multiple applications are used, which may lower your system performance to an unacceptable level.
Loss of system access. Antivirus applications attempting to run concurrently may cause the system to halt during startup. This problem is more common in older versions of Windows, such as Microsoft Windows NT and Windows 9x.

For these reasons, the use of multiple antivirus applications on the same computer is not a recommended approach and should be avoided if possible. Even if you think you're using a top notch AV package please take a few minutes to read the information below. You might end up uninstalling your current AV and switch to one that offers better real-time & on-demand detection rates, superior heuristics, and possibly lower resource usage. Norton and McAfee are household names since they have been preinstalled on pc's for over a decade, so it's not uncommon for the end user to be using an old version, an expired license (eg. no updates), or a version that eats up a lot of system resources. Should you have trouble uninstalling either product using add or remove programs then I'd recommend the Symantec removal tool or the McAfee removal tool.

Independent antivirus reviews:

AV-Comparatives is a credible antivirus review site that tests popular AV packages. For understanding how the detection rates of the antivirus products look with updated signatures and programs, have a look at their regular on-demand detection tests. The retrospective test is performed on-demand using a 3 month old virus definition database and compares the detection rate over the viruses that have appeared within the last 3 months. Users shouldn't be afraid if products have, in a retrospective test, low percentages. If the antivirus software is always kept up-to-date it will be able to detect most of the samples. IBK just posted the March 2008 On-Demand tests.
AV-Test.org has released the results of a major comparative of suite products, with many vendors' 2009 editions included in the results. The test covers a range of metrics, including detection rates over various types of malware including adware and spyware, false positive rates, scanning speed, proactive detection, and response times to outbreaks.
Virus Bulletin tested 35 different antivirus products for their detection rates, lack of false alarms, and speed of scanning on Windows XP Service Pack 3. In August 2008, 35 products were tested, 26 of them won a VB100 award and 9 antivirus products failed. To some the VB100 award suggests that the tested products are capable of detecting 100% of all viruses. This is simply not true since no product is able to detect all viruses. These vendors have come to realize the marketing significance of these tests, and the effort they put into their products to pass the VB100 tests (ITW only and no FP's) may not reflect the effort they put into detecting viruses outside of those included in the VB100 test set. It's possible for an AV product to pass all the VB100 tests but still have mediocre virus detection.

Online scanners:

These quality online scanners are a great way to obtain a "second opinion" without having to uninstall your current AV software. You just need to be online and using Internet Explorer (F-Secure now supports Firefox) since these scanners use ActiveX controls to scan your computer for malicious code. All scanners listed below will detect and remove threats.

F-Secure Online Scanner
Eset (NOD32) Online Scanner
Bitdefender Online Scanner

On-demand scanners:

Dr.Web's CureIt is a free antivirus and antispyware utility based on Dr.Web antivirus scanner, which will help you quickly scan and cure, if necessary without installation of the Dr.Web antivirus software. The utility contains the most up-to-date add-ons to the Dr.Web virus databases going up to twice per hour frequency at periods of high malware submissions. This utility can quickly clean an infected system, but it is not a permanent tool to cure your computer in case of infection. Its distribution on our web-site is always armed with the hottest add-ons to the Dr.Web virus database, but it does not include the Dr.Web Automatic Updating utility. Dr.Web CureIt! stays actual until the next release of the add-on. To scan your computer with the most up-to-date Dr.Web virus databases next time you should download a new Dr.Web CureIt! package right before you are ready to scan your pc.
The Kaspersky Virus Removal Tool is a free application that was designed to be another virus scanner and detection software from Kaspersky. The product will scan the specified locations for any virus threats, remove them, or send to the quarantine folder. There is no real-time protection or update function, but the databases are updated multiple times each day so be sure to download a new copy before you are ready to scan your pc.
Avira AntiVir Rescue System is a Linux-based application that allows accessing computers that cannot be booted anymore. Thus it is possible to repair a damaged system, rescue data, and scan the system for virus infections. Just double-click on the rescue system package to burn it to a CD/DVD. You can then use this CD/DVD to boot your computer. The Avira AntiVir Rescue System is updated several times a day so that the most recent security updates are always available.

Free AV's:

What about Free AV's? Please keep in mind that these free AV's are not meant for businesses (home users only).

Antivir free has industry leading detection rates. Resource usage is also extremely low (<20MB), and there is very little impact on system performance. The free version lacks webguard as well as pop3 email scanning, however the real time monitor should notify you if you open an infected file. One thing to keep in mind is that you'll encounter a popup after each update soliciting you to purchase the premium version. I've compiled a list of instructions on how to disable the annoying popup nag screen for Windows 2000/XP/Vista if you find it obtrusive.
Avast! free lacks script blocking and built-in scheduled scanning. However it includes rootkit detection, http (web) scanner, P2P & IM shields, and some other gadgets. If you want to set up a scheduled scan then you can use the task scheduler. Keep in mind that you'll need to use a valid email address in order to receive the activation key which is good for 14 months before it needs to be renewed.
AVG free is probably the most popular free AV. The new version 9 offers basic rootkit detection. One caveat is the Linkscanner which has been known to slow down your web browsing. You can do a custom install and deselect it during setup, you can disable it in the AVG GUI, or go to your browser add-ons and disable it.
Microsoft Security Essentials provides real-time protection for your home PC that guards against viruses, spyware, and other malicious software. MSE replaces Windows Live OneCare and Windows Defender. Keep in mind that as of Nov. 2009 there is a problem with receiving regular automatic updates. Sometimes it may take a day or two for them to trickle down, but you may be able to perform a manual update.

Let's say you only have a couple of suspected file(s) on your computer and you want another opinion to see whether they are clean or not. Head on over to Virustotal to scan using over 41 antivirus engines. You can also try VirSCAN.org since they offer a similar service using 36 engines.

.: Firewalls :.

All broadband users should have a firewall (FW) protecting their system(s). A Cable/DSL router (NAT box) is a very inexpensive hardware solution that most people are familiar with. Brands like Linksys and Buffalo are highly recommended. These NAT Routers typically offer stateful packet inspection (SPI), and certain wireless routers allow DD-WRT firmware to be loaded. This free open-sourced firmware offers increased wifi transmission power, WDS, QOS, website filtering, and so much more. Hardware firewalls are important because they provide a strong degree of protection from most forms of attack coming from the outside world. Additionally, in most cases, they can be effective with little or no configuration, can protect every machine on a local network, and allow you to share your internet with multiple computers. I highly recommend changing the default router login password to thwart DNSChanger trojans in addition to disabling remote management (unless you need it). Wireless routers should enable WEP64 (easy to crack) at a bare minimum for baseline security. WPA or WPA2 is more secure and supported by newer hardware. Be sure to set a unique SSID, disable wireless access web, and disable the radio if you are not using wireless. When you implement these security measures it will deter potential hackers and wardrivers so that they move on to the nearest unsecured network.

It's alarming at the number of individuals and businesses that have unsecured networks. I've seen people connected to a wireless network without even realizing that it belonged to someone else. Another security risk are public hotpots where other computers also connect to unsecured networks. Network attacks can be made through them, and they can possibly connect to your computer and download data from your hard drive. A good rule of thumb is that you should always use a quality (software) firewall whenever you are connected to an unsecured wireless network and promptly disconnect after you've completed your tasks. I'd advise against logging in to any websites that requires a login and password while you're connected to an unsecured network since "hackers" can easily capture network traffic. Another thing to consider is that anyone connected to an unsecured network can download and engage in illegal activities. There is typically a single public IP assigned to the network (hotspot, your home, a business, etc.) and all illegal activities are tracked back to that IP. If you happen to own the unsecured network you are ultimately responsible for the content passing thru it.

The Five Deadly Dangers of Unsecured WiFi Networks

Software firewalls can only protect the machine they're installed on, so if you have multiple computers (which many homes and small offices do) you need to install and configure a software firewall separately on each machine which could be difficult to manage. Another drawback is the software will often popup messages asking you to allow or deny a particular connection. The end user gets in the habit of clicking 'allow' without even reading the details of the window because they are annoyed with the popups. Most commercial software firewalls include a feature to stop all but authorized applications from sending outbound data packets to the internet. This supposedly stops malicious code from sending unauthorized communications, and also prevents PCs from being hijacked and used to send spam or participate in distributed denial-of-service attacks. The built-in Windows XP firewall (updated in SP2) only filters incoming traffic and allows any application to send outbound packets. However once malware is on your system then the security has been compromised. If an application wants to send data out in most cases an outbound filtering firewall running on the infected machine is not going to stop it.

Virus Bulletin: Free firewalls rated best in leak tests
Matousec: Leak test results

Before installing 3rd party firewall software on a Windows XP computer, be sure that the built-in firewall is turned off. Never use two software firewalls at the same time. Test your firewall capabilities at HackerWatch.org, Firewall Leak Tests, Comodo firewall tests or AuditMyPc.

.: Prevention :.

There is no doubt that if you visit the wrong sites then malware can be installed without your consent. How much junk can get installed on a user's PC by merely visiting a single website? One individual wanted to find out so he visited a single web page taking advantage of a security hole (in an ordinary fresh copy of Windows XP) and recorded a video of the events.

Note: The latest version of Internet Explorer 6, as patched by Windows XP Service Pack 2, is not vulnerable to the installations shown in the video. Please update to Internet Explorer 8 for even greater protection. You may also want to consider installing an alternative web browser such as Firefox with the NoScript plug-in. Both IE8 and Firefox add extra layers of protection and provide additional information to users in order to help them make intelligent decisions. However no browser can force a user to make smart or sane decisions; they can only point in the right direction.

Almost all malware is unknowingly installed so please use common sense when you sit down in front of the computer. Accidents can and do happen, so here are other ways to prevent malware from being installed:

Always install the latest service pack for your OS and make sure that (Windows) automatic updates are enabled. If automatic or windows update fails to download and install updates then Dial-A-fix should rectify the problem. Microsoft releases updates on the second Tuesday of each month. When a major exploit has surfaced MS will occasionally release a patch ahead of schedule. If you are using Windows XP and have not updated to SP2 please do so immediately! Service Pack 2 for Windows XP has more than 150 changes designed to improve the security and stability of our operating system. SP3 was released in Q2 2008. Although some of the improvements are not security related, most of them are. Vista is now at SP2.
The Microsoft Baseline Security Analyzer runs on Windows 2000 SP4/XP/Vista/Server 2003/2008 systems and will scan for common security misconfigurations and missing patches/updates.
The Secunia Software Inspector checks for insecure versions of browsers, plugins, media players, office apps, security apps, and much more.
Microsoft no longer updates Java VM, which is full of security holes, so you should install the latest version of Sun Java. Keep in mind that a lot of current Trojans exploit old versions of Sun Java, so be sure to uninstall all old versions since they pose a security risk. JavaRa is a simple tool that will automate the task.
One way to tighten up the security of your OS is to set up a non-administrator user account. In Windows 2000 it's called a restricted account, Windows XP calls it a limited account, and Windows Vista refers to it as a standard account. mechBgon has a how-to guide that walks you thru the configuration process. If you're using Windows XP Pro, Vista Business/Ultimate/Enterprise. or Server 2003 then you may want to also implement a Software Restriction Policy, so here's another configuration guide that mechBgon put together. The fact of the matter is that if your computers are manned by unsavvy users a non-administrator user account and/or SRP is highly recommended.
Switch your DNS servers to OpenDNS.
Enable DEP for all programs. Data execution prevention (DEP) is a set of hardware and software technologies that perform additional checks on memory to help protect against malicious code exploits. In Windows XP SP2, DEP is enforced by both hardware and software. If your CPU doesn't support hardware DEP you'll see a message at the bottom of the window.
Switch to Firefox. Firefox 3 integrates elegantly with your antivirus software. When you download a file, your computer's antivirus program automatically checks it to protect you against viruses and other malware, which could otherwise attack your computer. [available in Windows only]. I'd highly recommend the NoScript plug-in to allow active content to run only from sites you trust in addition to protecting yourself against XSS and Clickjacking attacks.
Keep your email client updated (eg. Microsoft Office Updates) if you use one, view messages in plain text mode, and always scan email attachments before opening them! Reduce spam by using Thunderbird, Outlook 2003/2007 since they have a regularly updated junk filter, or you can install SPAMfighter.
Use quality antimalware tools such as the ones that are listed at the top of this guide. Use a firewall even if you're on dial-up.
Exercise extreme caution when downloading any files. Always scan the file(s) first before you execute them! Do not trust anyone! Don't fall for the fake "abuse" emails that appear to come from your ISP or own domain. In addition you need to be aware of fake greeting ecards. They'll usually include a link for you to download a Trojan. If you use Skype, MSN Messenger, or other IM clients beware of links that ask or prompt you to download something. When your friends get infected they spam people on their buddy list.
Be cautious about installing free software (screen savers, games, etc.) since a lot of freebies have strings attached.
Avoid rogue P2P software since a majority of them include both adware and spyware to generate revenue. If you aren't careful on the way you configure your file sharing then you could end up with a case of identy theft.
Avoid warez, cracks, game cheats, and pornography websites. I know it's a lot to ask but we're talking about prevention. :-)
Beware of websites (eg. MySpace & Facebook come to mind) suggesting that you install plug-ins and codecs in order to view videos. These zlob and DNS Changer Trojans will wreak havoc on your pc! Check out this video from Sunbelt that shows a Trojan DNS Changer in action. Update: New MySpace Trojan discovered
Beware of rogue advertising banners on websites and messaging programs. The Register recently reported that MySpace had a problem with their ad servers displaying ads for rogue programs such as WinAntivirus and DriveCleaner. Microsoft recently had an issue with their messenger ad servers displaying banners for Winfixer / ErrorSafe. Please take a moment to review Spyware Warrior's Rogue antispyware list to make sure that you haven't been duped.
Ignore and close (Alt+F4) popups that claim your pc has been infected , that you need to fix computer problems, or any other "you need/should fix this problem" because 99.9% of them are scams and will hose your pc.
Spyware Blaster prevents the installation of ActiveX-based spyware, adware, dialers, browser hijackers, and other potentially unwanted programs. It does not have to remain running in the background since it adds sites to your web browsers restricted sites area. Use the hpHosts or MVPS HOSTS file to block ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and even most hijackers. Spybot has an immunuzation feature, but do not rely on the detection/removal capabilities of the program.
Returnil virtualization technology clones a computer's System Partition and boots the PC into this system rather than native Windows, allowing users to run your applications in a completely isolated environment. Hence the session and all activity, malicious or otherwise, will happen in the virtual environment, not in the real PC environment. If the PC is attacked or gets infected, all you need to do is to simply reboot the PC to erase all changes. After reboot, the system will be restored to its original state, as if nothing ever happened.
Online Armor protects your computer's internet connection (inbound connections and outbound connections), stops unknown programs from running and detects keyloggers - plus lots more! Online Armor includes powerful "HIPS" functions, which give you the ability to stop all unrecognised programs from running on your computer unless you say so, making it possible to protect yourself against these new attacks. Of course, programs Online Armor knows are safe will be allowed to run, no problem.
Threatfire does not rely on signatures, but instead constantly analyzes your computer's behavior to detect and block any malicious activity. Protects against both known and zero-day viruses, worms, trojans, buffer overflows, rootkits and even some spyware. It also works with your existing AV, antispyware, and firewall. Threatfire is known as a "quiet" HIPS program, rarely popping up a warning screen unless a possible malicious attack is at hand. One drawback is that it has become a little heavy on system resources.
SandBoxie allows you to install and run programs in a virtual sandbox environment without writing to the hard drive. When you browse the Web, changes occur to your computer system. Some harmless, like recording the addresses of Web sites you have visited, so the browser can help you complete a Web address that you type in. Some more harmful, like the unsolicited installation of malware. When you use Sandboxie to protect your browsing session, it catches all these changes just as the browser is about to apply them into your computer system. Sandboxie does record these changes on behalf of the browser, but it records them in a special isolated folder, called the sandbox. Thus, with Sandboxie, you can browse the Web securely while still keeping all your browser's functionality for active and dynamic content, such as Javascript and ActiveX. All undesired side effects, including the removal of malware, can be easily undone.

>> Most of all I can't stress enough how important it is to use common sense! >>