.: Malware Defined :.
Malware (malicious software) is software designed to infiltrate or damage a computer or network. Malware is commonly taken to include computer viruses, worms, Trojan horses, spyware, adware, hijackers and dialers. This internet garbage not only slows your computer down, it can cause operating system errors, random popups, and redirect your browser to websites without your consent. If you are infected with worms your computer can become a mass-mailing zombie. Even worse, keyloggers can grab confidential information that includes chat sessions, usernames, passwords, bank account information, full names, and even addresses that could be used to create fake online identities. Never give out personal info thru email or instant messages and beware of phishing scams.
The sad thing is that "trusted" websites can no longer be trusted. Malware was once restricted to sites offering free music or porn, but today it's being served up by some of the most popular sites on the web. An average of around 8,000 new URLs containing malware emerged each day during April 2007. That was close to six years ago, and obviously that number has increased tenfold. What's even more alarming is that 70 percent of URLs hosting such malware are found on legitimate web sites that have been targeted by hackers. The outdated notion that malware only resides in the darker corners of the internet is far from the case now. Users are being exposed to malicious content without being aware of it. Cybercriminals pumped out more malware in 2009 than they did in nearly 20 years, according to anti-virus vendor Panda Security. During 2009, PandaLabs, the anti-malware lab of Panda Security, identified 25 million new malware samples, according to Panda Security's Annual Malware Report, released Tuesday. Before 2009, PandaLabs had identified a total of 15 million pieces of malware in 19 years.
.: My $.02 :.
Unfortunately, cleaning an operating system that has been infected by malware is no longer as simple as it used to be. Malware has become increasingly difficult to clean, as malware creators find more ways to avoid removal. They have been known to modify specific files to avoid detection, some files refuse to be deleted using conventional tools, others latch on to critical system files, and in some cases rootkits can mask their detection altogether. I am often asked "What are the best detection and removal tools?" The fact is that no single antivirus or antispyware application can successfully remove all malware circulating around the internet. It's not unusual to resort to an arsenal of security products in an attempt to ensure that everything has been properly removed. Everyone seems to have their own idea of the "best", and this guide will highlight my recommendations. Furthermore, there are many rogue antimalware products, ranging from those advertised by the malware itself to those whose creators strike deals with antimalware vendors to have their software ignored.
- One thing to keep in mind is that you should run scans on each user account that has Administrator privileges.
- Remember to backup (export) the registry before you edit it manually.
- Ok, I'm infected. What about a fresh Windows install? If you reinstall the operating system then you'll need to reinstall Windows updates (unless you have a slipstreamed copy), drivers, assorted software, tweaks, and all of your other peripherals, which could easily take several hours. You'll then need to figure out how you were infected in the first place in order to prevent it from happening in the future. This is one of the main reasons that I rarely recommend a clean install. As long as you take the time to learn how to clean an infected system a fresh Windows install should be a last resort (unless you have a recent known good image of your drive). If you're looking for a quality backup/imaging program I'd recommend Acronis True Image or Karen's Replicator.
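The two tips above (scan under every administrator account, back up the registry before hand-editing it) are easy to do from a PowerShell prompt. The script below is an added example for this guide, not the author's own script: it lists the local Administrators group, then exports the machine-wide and per-user Run keys (the usual place hand edits happen during a cleanup) to timestamped .reg files before showing their contents. The key paths and the Desktop backup folder are assumptions; change them for whatever key you are about to edit.

```powershell
# Added example (not from the original guide). Assumes you are about to edit the Run keys
# by hand; put whatever key you are editing into $keys instead.

# 1. Which local accounts hold Administrator privileges? Each one needs its own scan pass.
net localgroup Administrators

# 2. Back up the keys before touching them. reg.exe ships with every Windows version covered here.
$keys = @(
    'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU\Software\Microsoft\Windows\CurrentVersion\Run'
)
$stamp     = Get-Date -Format 'yyyyMMdd-HHmmss'
$backupDir = Join-Path $env:USERPROFILE "Desktop\RegBackup-$stamp"
New-Item -ItemType Directory -Path $backupDir | Out-Null

foreach ($key in $keys) {
    # Turn the key path into a file name, e.g. HKLM_SOFTWARE_Microsoft_..._Run.reg
    $file = Join-Path $backupDir (($key -replace '[\\:]', '_') + '.reg')
    reg export $key $file /y | Out-Null      # /y = overwrite without prompting
    if ($LASTEXITCODE -eq 0) {
        "Backed up $key -> $file"
    } else {
        "FAILED to export $key (reg.exe exit code $LASTEXITCODE)"
    }
}

# 3. Show what is currently in the keys so you know exactly what you are about to change.
foreach ($key in $keys) {
    "`n[$key]"
    reg query $key
}

# If an edit goes wrong, restore the saved copy with:  reg import <file>.reg
```

Run it from an elevated prompt (the HKLM export needs it); `reg import` of the saved file puts the key back exactly as it was, which is what makes hand edits safe to attempt.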
.: Malware, Adware & Trojan Removal :.
First we'll start out by installing 7-Zip which is an open-source (free) archiver utility. Keep in mind that the System Restore is a protected directory that can trap viruses and other applications inside. Leave it enabled in case your pc fails to boot to the OS after removing infections. Once you are certain that your system is malware free you can toggle the System Restore to delete the contents and set a fresh restore point.
Download the items listed below, preferably to a removable disk, using a 'clean' pc, and run all of the tools in Normal Mode. Only boot to Safe Mode with Networking as a last resort.
- Hitman Pro - will scan your PC for malware in a few minutes using multiple scan engines. If malware is detected during the behavioral scan, the actual identification of these potential malware files is then performed at the Hitman Pro "cloud" servers. Hitman Pro 3 does not leave a program running in the background that continuously checks incoming e-mail and downloaded files for malware. It is on-demand only. Scanning your pc for malware with Hitman Pro 3 will always be free, so it is an ideal program to make sure that your security suite is not letting malware infect your system. Should detections arise you have the option to remove them, which activates a 30-day trial. Hitman Pro has updated removal technology to handle TDL rootkit version 3.xx (updated variant of the Google Redirect Virus). Hitman Pro just gained a new feature called Force Breach. Most people in the security business have come across a couple of fake/rogue anti-malware infections that kill every application you are trying to run, including your favorite removal tool. If you run Hitman Pro from a USB stick and start its EXE while holding down the left Ctrl key until the Hitman Pro interface opens up < Important: if you receive a Vista or Win 7 UAC prompt you need to keep holding down the Ctrl key while you click Continue > it will kill every non-essential process running under the user's context, including the rogue infection. You also have the ability to make a Kickstart USB disk to combat FBI ransomware and other persistent malware that has taken your computer hostage or prevents normal computer use.
- Malwarebytes' Anti-Malware - utilizes Malwarebytes powerful technology to detect and remove all traces of malware including worms, trojans, rootkits, rogues, dialers, spyware and more. Download and run MBAR while you are at it.
- RogueKiller - a security tool that can be used to terminate and remove malicious processes and programs from your computer. RogueKiller has the ability to remove infections such as ZeroAccess, TDSS, rogue anti-spyware programs, and ransomware. When you run RogueKiller, you can perform a scan of your computer for malicious programs and entries. Once the scan is complete it will display a list of found issues and allow you to fix them. RogueKiller also contains individual fixes that include repairing missing shortcuts due to the FakeHDD program, fixing your HOSTS file, and fixing proxy server hijackers.
- AdwCleaner - AdwCleaner is a program that searches for and deletes Adware, Toolbars, Potentially Unwanted Programs (PUP), and browser Hijackers from your computer. By using AdwCleaner you can easily remove many of these types of programs for a better user experience on your computer and while browsing the web.
- Junkware Removal Tool - Junkware Removal Tool is a security utility that searches for and removes common adware, toolbars, and potentially unwanted programs (PUPs) from your computer. A common tactic among freeware publishers is to offer their products for free, but bundle them with PUPs in order to earn revenue. This tool will help you remove these types of programs.
If your desktop icons, documents, start menu folders, or other critical system files appear to be missing you should run Unhide. In some cases you may need to use Rkill if you are infected and unable to launch executables. After you've finished all of the scans you can run CCleaner to clean all areas of your computer.
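Three of the symptoms the tools above repair (a hijacked HOSTS file, a planted proxy, and user files marked hidden by rogues like FakeHDD) can be checked for by hand before and after running them. The script below is an added example written for this guide; it is not code from RogueKiller, Unhide, or any other tool listed here, and it only reads. The registry value names are the standard WinINET ones; the folder list is an assumption (the Start Menu path shown is the Vista/7 one, XP keeps it directly under the profile).

```powershell
# Added example (not from the guide or its tools): read-only check for HOSTS, proxy and hidden-file hijacks.
# Run from PowerShell 3 or later; nothing here modifies the system.

# --- 1. HOSTS file. A clean Windows HOSTS file contains only comments and perhaps a localhost line.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$active  = @(Get-Content $hostsPath | Where-Object { $_ -match '^\s*[^#\s]' })        # skip blanks/comments
$suspect = @($active | Where-Object { $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\s*$' })
if ($suspect.Count -gt 0) {
    "HOSTS file has $($suspect.Count) non-localhost entries (AV vendors' update sites pointed at 127.0.0.1 is a classic sign):"
    $suspect | ForEach-Object { "    $_" }
} else {
    "HOSTS file: OK"
}

# --- 2. Proxy. Internet Explorer / WinINET proxy settings are stored per user in the registry.
$inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
if ($inet.ProxyEnable -eq 1) {
    "Proxy ENABLED, server = '$($inet.ProxyServer)' -- did you configure this yourself?"
} else {
    "Proxy: not enabled"
}
if ($inet.AutoConfigURL) { "Proxy auto-config (PAC) URL is set: $($inet.AutoConfigURL)" }

# --- 3. Hidden files. FakeHDD-style rogues set the Hidden attribute on the user's own files and shortcuts.
$hidden = [IO.FileAttributes]::Hidden
$dirs = @("$env:USERPROFILE\Desktop",
          "$env:USERPROFILE\Documents",
          "$env:APPDATA\Microsoft\Windows\Start Menu")   # Vista/7 location; XP: $env:USERPROFILE\Start Menu
foreach ($dir in $dirs) {
    if (-not (Test-Path $dir)) { continue }
    $n = @(Get-ChildItem -Path $dir -Recurse -Force -ErrorAction SilentlyContinue |
           Where-Object { (($_.Attributes -band $hidden) -eq $hidden) -and ($_.Name -ne 'desktop.ini') }).Count
    "$n hidden item(s) under $dir"
}
```

A handful of hidden items is normal (desktop.ini is excluded for that reason); dozens of hidden documents and shortcuts at once is the FakeHDD pattern that Unhide reverses, and a non-empty HOSTS list or an unexpected proxy server is what RogueKiller's individual fixes are for.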
.: Virus Removal :.
It should be noted that running antivirus applications from a number of different vendors on the same computer may cause problems due to interoperability issues. System issues that can result from running more than one antivirus application in your environment at the same time include:
- Memory overhead. Many antivirus applications use active agents that stay resident in memory, reducing the amount of available system memory.
- System crashes or stop errors. Such crashes and errors can be caused by antivirus applications attempting to simultaneously scan the same file.
- Performance loss. As antivirus applications scan files for malicious code, system performance may decrease. Scans are repeatedly performed when multiple applications are used, which may lower your system performance to an unacceptable level.
- Loss of system access. Antivirus applications attempting to run concurrently may cause the system to halt during startup. This problem is more common in older versions of Windows, such as Microsoft Windows NT and Windows 9x.
For these reasons, the use of multiple antivirus applications on the same computer is not a recommended approach and should be avoided if possible. Norton and McAfee are household names since they have been preinstalled on PCs for over a decade, so it's not uncommon for the end user to be using an old version, an expired license (e.g. no updates), or a version that eats up a lot of system resources. Should you have trouble uninstalling either product using Add or Remove Programs then use the Symantec removal tool or the McAfee removal tool.
Independent antivirus reviews:
- AV-Comparatives is a credible antivirus review site that tests popular AV packages. For understanding how the detection rates of the antivirus products look with updated signatures and programs, have a look at their regular on-demand detection tests. The retrospective test is performed on-demand using a 3 month old virus definition database and compares the detection rate over the viruses that have appeared within the last 3 months. Users shouldn't be afraid if products have, in a retrospective test, low percentages. If the antivirus software is always kept up-to-date it will be able to detect most of the samples. IBK is now performing real-world tests instead of using a static sample set.
- AV-Test.org - 23rd November 2012 - 24 of the latest anti-virus programs for home users were recently put to the test by the independent experts in the AV-TEST laboratory. The conclusion: only 23 were awarded the AV-TEST certificate when used with Windows 7.
- Virus Bulletin - To some the VB100 award suggests that the tested products are capable of detecting 100% of all viruses. This is simply not true since no product is able to detect all viruses. These vendors have come to realize the marketing significance of these tests, and the effort they put into their products to pass the VB100 tests (ITW only and no FP's) may not reflect the effort they put into detecting viruses outside of those included in the VB100 test set. It's possible for an AV product to pass all the VB100 tests but still have mediocre virus detection.
Eset (NOD32) Online Scanner
Let's say you only have a couple of suspected file(s) on your computer and you want another opinion to see whether they are clean or not. Head on over to Virustotal to scan using over 46 antivirus engines.
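VirusTotal can also be searched by a file's hash, which lets you get that second opinion on a file that has already been seen without uploading anything. The snippet below is an added example, not part of the original guide: it gathers the SHA-256, size, timestamp and Authenticode signature state of one suspected file. `$file` is a placeholder path; `Get-FileHash` needs PowerShell 4 or later, and the `certutil` line at the end produces the same digest on systems without it.

```powershell
# Added example (not from the guide): collect the facts about one suspected file before uploading it anywhere.
$file = 'C:\Users\Public\suspect.exe'   # placeholder; point this at the file in question

$item = Get-Item -LiteralPath $file
$hash = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash
$sig  = Get-AuthenticodeSignature -LiteralPath $file

# Who signed it, if anyone. A valid signature from a vendor you recognise is reassuring;
# NotSigned or HashMismatch on something claiming to be a system component is not.
$signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }

[pscustomobject]@{
    File      = $item.FullName
    SizeBytes = $item.Length
    Modified  = $item.LastWriteTime
    SHA256    = $hash            # paste this into VirusTotal's search box to look the file up by hash
    Signature = $sig.Status      # Valid, NotSigned, HashMismatch, UnknownError, ...
    Signer    = $signer
} | Format-List

# Same SHA-256 on a box whose PowerShell lacks Get-FileHash:
# certutil -hashfile "$file" SHA256
```

Searching by hash only tells you about files others have already submitted; if the hash is unknown you still have to decide whether to upload the file itself.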
I've listed a few of the popular ones below.
- Avast! (lowest resource usage and excellent detection/removal capabilities)
- Microsoft Security Essentials
- AVG Free
.: Firewalls :.
All broadband users should have a firewall protecting their system(s). A Cable/DSL router is a very inexpensive hardware solution that most people are familiar with. Brands such as Linksys, Asus, TP-Link, and Buffalo are highly recommended. These routers typically offer stateful packet inspection (SPI) and most models will allow DD-WRT firmware to be loaded. This free open-source firmware offers increased wifi transmission power, WDS, QoS, website filtering, guest access, and so much more. Hardware firewalls are important because they provide a strong degree of protection from most forms of attack coming from the outside world. Additionally, in most cases, they can be effective with little or no configuration, can protect every machine on a local network, and allow you to share your internet with multiple computers. I highly recommend changing the default router login password to thwart DNSChanger trojans in addition to disabling remote management (unless you need it). Wireless routers should enable WEP64 (easy to crack) at a bare minimum for baseline security. WPA & WPA2 are more secure and supported by newer hardware. Be sure to set a unique SSID, disable web administration over wireless, and disable the radio if you are not using wireless. When you implement these security measures it will deter potential hackers and wardrivers so that they move on to the nearest unsecured network.
It's alarming at the number of individuals and businesses that have unsecured networks. I've seen people connected to a wireless network without even realizing that it belonged to someone else. Another security risk is public hotspots where other computers also connect to unsecured networks. Network attacks can be made through them, and they can possibly connect to your computer and download data from your hard drive. A good rule of thumb is that you should always use a quality (software) firewall whenever you are connected to an unsecured wireless network and promptly disconnect after you've completed your tasks. I'd advise against logging in to any websites that require a login and password while you're connected to an unsecured network since "hackers" can easily capture network traffic. Another thing to consider is that anyone connected to an unsecured network can download and engage in illegal activities. There is typically a single public IP assigned to the network (hotspot, your home, a business, etc.) and all illegal activities are tracked back to that IP. If you happen to own the unsecured network you are ultimately responsible for the content passing thru it.
Software firewalls can only protect the machine they're installed on, so if you have multiple computers (which many homes and small offices do) you need to install and configure a software firewall separately on each machine, which could be difficult to manage. Another drawback is that the software will often pop up messages asking you to allow or deny a particular connection. The end user gets in the habit of clicking 'allow' without even reading the details of the window because they are annoyed with the popups. Most commercial software firewalls include a feature to stop all but authorized applications from sending outbound data packets to the internet. This supposedly stops malicious code from sending unauthorized communications, and also prevents PCs from being hijacked and used to send spam or participate in distributed denial-of-service attacks. The built-in Windows XP firewall (updated in SP2) only filters incoming traffic and allows any application to send outbound packets. However, once malware is on your system the security has already been compromised. If an application wants to send data out, in most cases an outbound filtering firewall running on the infected machine is not going to stop it.
Before installing 3rd party firewall software on a Windows XP computer, be sure that the built-in firewall is turned off. Never use two software firewalls at the same time. Test your firewall capabilities at HackerWatch.org, Firewall Leak Tests, Comodo firewall tests or AuditMyPc.
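Both warnings above (never more than one antivirus product, never two software firewalls at once) can be verified from Windows' own bookkeeping: Security Center keeps a record of every antivirus and firewall product that has registered with it, which is exactly where leftover Norton/McAfee installs and a forgotten Windows Firewall show up. The script below is an added example for this guide, not the author's or Microsoft's code. It uses the `root\SecurityCenter2` WMI namespace (Vista and later; XP used `root\SecurityCenter` with different fields) and the widely used but undocumented decoding of `productState`, which should be treated as a hint rather than a specification.

```powershell
# Added example (not from the guide): what does Windows Security Center think is installed?
# Requires PowerShell 3 or later and Windows Vista or later.

function ConvertFrom-ProductState {
    param([int]$State)
    # productState is a 24-bit field usually read as six hex digits, e.g. 266240 -> '041000'.
    $hex = '{0:X6}' -f $State
    [pscustomobject]@{
        Enabled  = ($hex.Substring(2, 2) -in @('10', '11'))   # middle byte 0x10/0x11: real-time protection on (undocumented)
        UpToDate = ($hex.Substring(4, 2) -eq '00')            # low byte 0x00: definitions current, 0x10: out of date
    }
}

function Get-SecurityProducts {
    param([string]$ClassName)   # 'AntiVirusProduct' or 'FirewallProduct'
    Get-CimInstance -Namespace 'root\SecurityCenter2' -ClassName $ClassName -ErrorAction SilentlyContinue |
        ForEach-Object {
            $s = ConvertFrom-ProductState $_.productState
            [pscustomobject]@{
                Name     = $_.displayName
                Enabled  = $s.Enabled
                UpToDate = $s.UpToDate
                Path     = $_.pathToSignedProductExe
            }
        }
}

$av = @(Get-SecurityProducts 'AntiVirusProduct')
$fw = @(Get-SecurityProducts 'FirewallProduct')

"Antivirus products registered: $($av.Count)"
$av | Format-Table Name, Enabled, UpToDate, Path -AutoSize | Out-String
if ($av.Count -gt 1) {
    "WARNING: more than one antivirus product is registered; remove the leftovers with the vendor's removal tool."
}
if (@($av | Where-Object { -not $_.UpToDate }).Count -gt 0) {
    "WARNING: at least one antivirus product reports stale definitions (expired license?)."
}

"Firewall products registered: $($fw.Count)"
$fw | Format-Table Name, Enabled, Path -AutoSize | Out-String
if (@($fw | Where-Object { $_.Enabled }).Count -gt 1) {
    "WARNING: two software firewalls are enabled at once; turn the Windows Firewall off before using a third-party one."
}

# Cross-check the built-in firewall directly (Vista and later syntax; on XP use: netsh firewall show state)
netsh advfirewall show allprofiles state
```

A product that has been uninstalled but still appears in the list is the usual reason a new antivirus install refuses to proceed; the `Path` column tells you which vendor's removal tool to fetch.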
.: Prevention :.
Almost all malware is unknowingly installed so please use common sense when you sit down in front of the computer. Accidents can and do happen, so here are other ways to prevent malware from being installed:
- Always install the latest service pack for your OS and make sure that automatic updates are enabled. Microsoft releases updates on the second Tuesday of each month. When a major exploit has surfaced MS will occasionally release a patch ahead of schedule.
- The Microsoft Baseline Security Analyzer will scan for common security misconfigurations and missing patches/updates.
- The Secunia PSI checks for insecure versions of browsers, plugins, media players, office apps, security apps, and much more.
- Microsoft no longer updates Java VM, which is full of security holes, so you should install the latest version of Sun Java. Keep in mind that a lot of current Trojans exploit old versions of Sun Java, so be sure to uninstall all old versions since they pose a security risk.
- It's critical that you keep Adobe Flash player, Adobe Acrobat reader, Quicktime, and any other web browser plug-ins updated.
- One way to tighten up the security of your OS is to set up a non-administrator user account. In Windows 2000 it's called a restricted account, Windows XP calls it a limited account, and Windows Vista refers to it as a standard account. mechBgon has a how-to guide that walks you thru the configuration process. If you're using Windows XP Pro, Vista Business/Ultimate/Enterprise, or Server 2003 then you may want to also implement a Software Restriction Policy, so here's another configuration guide that mechBgon put together. The fact of the matter is that if your computers are manned by unsavvy users a non-administrator user account and/or SRP is highly recommended.
- Switch your DNS servers to OpenDNS. No software required. OpenDNS blocks phishing websites that try to steal your identity and login information by pretending to be a legitimate website. Surf the Web with confidence.
- If you're running an old version of Internet Explorer (e.g. version 6 thru 9), and use XP or Vista, I highly recommend that you switch to Google Chrome or Firefox for enhanced security.
- Keep your email client updated (e.g. Microsoft Office Updates) if you use one, view messages in plain text mode, and always scan email attachments before opening them! Reduce spam by using Thunderbird or Outlook 2003 or newer since they have a regularly updated junk filter. Otherwise you can install SPAMfighter.
- Exercise extreme caution when downloading any files. Always scan the file(s) first before you execute them! Do not trust anyone! Don't fall for the fake "abuse" emails that appear to come from your ISP or own domain. In addition you need to be aware of fake greeting ecards. They'll usually include a link for you to download a Trojan. If you use Skype, MSN Messenger, or other IM clients beware of links that ask or prompt you to download something. When your friends get infected they spam people on their buddy list.
- Be cautious about installing free software (screen savers, games, etc.) since they can be laced with malware.
- Avoid rogue P2P software since a majority of them include both adware and spyware to generate revenue. If you aren't careful on the way you configure your file sharing then you could end up with a case of identity theft.
- Avoid warez, cracks, game cheats, and pornography websites. I know it's a lot to ask but we're talking about prevention. :-)
- Beware of websites (e.g. MySpace & Facebook come to mind) suggesting that you install plug-ins and codecs in order to view videos.
- Ignore and close (Alt+F4) popups that claim your pc has been infected, that you need to fix computer problems, or any other "you need/should fix this problem" because 99.9% of them are scams and will compromise your pc.
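Several items in the list above have a machine-readable state: whether you are logged on as an administrator, how Automatic Updates is configured, whether a Software Restriction Policy is in force, which DNS servers your adapters use (to confirm an OpenDNS switch or spot a DNSChanger-style swap), and how many Java runtimes are still installed. The script below is an added example for this guide, not the author's script; it reads the standard Windows registry locations for each setting and changes nothing. The value meanings given in the comments are the documented ones; on Windows 10 and later the Automatic Updates key is often absent, which the script reports as "not set".

```powershell
# Added example (not from the guide): read-only audit of the prevention items on one machine.
# Requires PowerShell 3 or later; run from an elevated prompt so the HKLM policy keys are readable.

# (a) Are you running as an administrator right now? For day-to-day use this should say False.
$id      = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin = (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
               [Security.Principal.WindowsBuiltInRole]::Administrator)
"Current user $($id.Name) is an administrator: $isAdmin"

# (b) Automatic Updates. AUOptions: 1 = disabled, 2 = notify before download,
#     3 = download then notify, 4 = download and install automatically.
$au = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update' -ErrorAction SilentlyContinue
$auText = switch ($au.AUOptions) {
    1 { 'disabled' }
    2 { 'notify before download' }
    3 { 'download, then notify' }
    4 { 'automatic install' }
    default { 'not set (OS defaults apply)' }
}
"Automatic Updates: $auText"

# (c) Software Restriction Policy default level.
#     0 = Disallowed (only whitelisted paths run), 0x20000 = Basic User, 0x40000 = Unrestricted.
$srp = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers' -ErrorAction SilentlyContinue
if ($srp -and $null -ne $srp.DefaultLevel) {
    $level = switch ($srp.DefaultLevel) {
        0       { 'Disallowed' }
        0x20000 { 'Basic User' }
        0x40000 { 'Unrestricted' }
        default { "unknown ($($srp.DefaultLevel))" }
    }
    "SRP default level: $level"
} else {
    "SRP: no policy configured"
}

# (d) DNS servers per active adapter.
Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    ForEach-Object { "$($_.Description): DNS = $($_.DNSServerSearchOrder -join ', ')" }

# (e) Every installed Java runtime. More than one line here means old, exploitable versions are still present.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$java = @(Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue |
          Where-Object { $_.DisplayName -like 'Java*' } |
          Select-Object DisplayName, DisplayVersion, InstallLocation)
"Java installations found: $($java.Count)"
$java | Format-Table -AutoSize | Out-String
```

The Java check deliberately lists rather than removes: each old runtime shows up in Add or Remove Programs under the DisplayName printed here, and that is where it should be uninstalled from.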