PC Perspective Forums > General Tech > Networking And Associated Security
Networking And Associated Security Sort out your networking, security and Windows exploit issues here.

#1 - Mjölnir, Moderator - 07-31-2004, 02:55 AM
Spyware, Trojans and Viruses Sticky

The PC Perspective Spyware, Trojans and Viruses Guide


With the ever-increasing threat of spyware, trojans and viruses, we have felt it necessary and beneficial to create a specialized guide for dealing with malware and viruses. Our aim is to provide our members with a dedicated place to discuss issues surrounding spyware, trojans and viruses together with expert information for protecting your computer and removing such malware should you become infected.

It is important to recognise that there is often no simple way to remove malware from your computer. No single anti-virus program is ever going to automatically detect and remove everything, no matter how good it is. Similarly, because of the ever-increasing range of threats (viruses, adware, spyware, trojans, keyloggers etc.), you may need to employ a range of dedicated scanners to successfully detect everything. For example, you may need to employ a dedicated anti-virus package, an anti-spyware package and an anti-trojan package. Even then, it is also good practice to employ at least 2 dedicated scanners for each area as one will often catch what the other misses.

Note: running 2 AV programs with real time protection/scanning enabled can cause conflicts. We would recommend only running one AV package with real time protection/scanning enabled and using a second AV on demand scanner for catching viruses your main AV program misses.

Luckily, a lot of the tools needed are freely available. Below we have created some short guides designed to help you secure your computer so you don't become infected in the first place, remove infections if you have become infected, and a collection of links to the most popular software and resources available.

If you manage to read, digest and implement the information contained below, you too will become an expert spyware assassin in no time.

Good luck and happy blasting

The PC Perspective STV Team

Last edited by Mjölnir : 09-19-2006 at 01:31 PM.
#2 - Mjölnir, Moderator - 07-31-2004, 04:03 AM
Secure your computer - Prevention is better than cure

We have put together some basic steps to secure your system and maintain privacy over the Internet. These recommendations will help protect your computer from any unwanted software (Viruses, Spyware, Adware, etc). On top of everything you read here, please use common sense.


Software/hardware firewall
One of the best tools for securing your system. A good firewall will hide and secure a computer's vulnerable ports from the internet. Either hardware or software firewalls will work nicely. Most routers have an inbuilt hardware firewall. Windows XP has a software firewall built in - at the very least it should be turned on if you have no other firewall present. For more info on firewalls, read this page.


Install antivirus software
Install and run a good antivirus program. Check for virus definition updates at least once a week or set to 'auto update'. Scan your system on a regular basis. Set your AV software to scan all downloads and incoming emails before they are read and let it quarantine or delete anything it finds suspicious. Memory Resident scanning and protection is also important since some of the most harmful viruses are memory resident. A list of recommended AV software may be found in the Software Links section.


Install antispyware software
Make sure you have at least one good anti-spyware program on your computer and keep it updated regularly. Run regular scans of your system. A list of recommended antispyware software may be found in the Software Links section.


Windows Updates
Keep your operating system up to date. Microsoft normally releases new patches and critical updates on the second Tuesday of each month. Turn on Automatic Updates, or at the very least turn on notification if you don't want Windows installing updates without your approval. In addition, keep other software that connects to the internet updated as well such as MS Office, Acrobat, Firefox, Java, chat clients, and anything else that is easily exploited.


Turn off unwanted/vulnerable services
Identify Services and applications that pose a security threat and take measures to secure them. While we don't recommend disabling Services, some are commonly exploited and are not typically necessary and can be disabled safely or denied access to the internet via a firewall. The main Services that pose risks include Clipbook, Messenger, Netmeeting Remote Desktop Sharing, Remote Desktop Help Session Manager, Remote Registry, SSDP Discovery Service, Telnet, Universal Plug and Play Device Host.

Check in the links section for Shoot the Messenger, DCOMBobulator and UnPlug N' Pray. Those are alternatives to shutting off services. Also check out www.portforward.com for a list of known ports that applications use.


Set password on admin account
Set a password for your computer's "Administrator" account. Windows XP does not automatically set a password for the hidden Administrator account during installation. Use a password that is not easily recognizable and write it down in a safe place. You can change the Administrator account password by logging in as "Administrator" (without the "), then pressing CTRL+ALT+DEL and clicking 'Change Password'. Put your new password in and confirm it.

You can also change the name of the "Administrator" account for added security. Click on Start Menu > Run and type lusrmgr.msc. Click the Users folder in the left pane. You should see "Administrator" in the right pane. Click on that once, then press F2. Type in the new name.


Set up restricted user account
Avoid using Administrator level accounts on your computer. The default user account also has admin privileges by default. Set up restricted user accounts as needed and use those accounts for day to day usage. Only use admin accounts when you absolutely need to (like for installing new software) and remember to log out when you've finished. This simple measure can stop or limit lots of viruses and malware in their tracks.


Use alternative browser/e-mail software
Alternative web browsers are typically more secure than Internet Explorer. Some options are Mozilla, Firefox, Opera and Netscape. Alternative email clients may give you more control over spam and your inbox. Some options for these are Thunderbird, Eudora, Pocomail and Outlook 2003.


Set up/lock HOSTS file
Your HOSTS File is used to perform Domain Name System (DNS) to IP address translation (HOSTS File Redirection) for certain sites. For example, a typical HOSTS entry looks like this:
192.168.0.12 www.somesite.com
When you try to go to www.somesite.com, it will check the HOSTS file first, see the entry and convert it to IP address 192.168.0.12 without the need for a full DNS lookup. Some spyware applications attempt to change your HOSTS file to redirect your browsing to another site. So if some spyware added the entry '192.168.0.12 www.google.com' and you tried to go to www.google.com, you would instead get redirected to 192.168.0.12 which is not the correct IP address for Google. A simple way to help prevent this type of spoofing is to set the user and file permissions on your HOSTS file to Admin/Read Only.

Another simple way to use the HOSTS file to help protect you is to have malicious sites redirected to a virtual black hole. Suppose you know of a bad site called www.viruses-R-us.com and you are constantly getting infected from this site, you could make an entry in your HOSTS file that will automatically redirect any attempts to contact this site to the localhost (127.0.0.1), a virtual black hole. Obviously this would be extremely tedious to set up for a large number of malicious sites, so luckily others have already done it for you. You can download a preconfigured HOSTS file that contains entries for 1,000's of malicious websites that is regularly updated. Simply download an updated HOSTS file to replace your existing file.

See this excellent site for more info:
Blocking Unwanted Parasites with a HOSTS File


Disable File and Printer Sharing
If your computer is NOT connected to a Local Area Network (LAN), then you should ensure that File and Printer Sharing is disabled in your network settings. Doing this will close all the commonly exploited NetBIOS ports (ports 137-139, 445) and gives you a bit more protection. If you are on a LAN and have separate Internet connections (i.e. 56K users), make sure you disable File and Printer Sharing for the Internet connections. You can find it under the Networking section for those (modem) connections.


Do not use or be extremely careful about using P2P applications
Most P2P (peer to peer) software has spyware/adware included in the setup of the program, not to mention massive risks of contracting viruses through the use of P2P software. If you do use these applications, be sure to run your AV software at all times.


Only accept ActiveX or Java items from trusted sites
Make sure you have your browser prompt you for the installation of these items and never accept them unless it is from a highly trusted website.


Disable Install on Demand for Internet Explorer
Doing this means you will be prompted if your browser needs to install extra components to view certain webpages. You can find this setting under Control Panel > Internet Options > Advanced.


Never open unknown email attachments
Do not open any email attachment that looks suspicious. Even if the item came from someone you know, it could still be infected with a virus. If you're unsure about it reply to the sender and ask them if they meant to send it. They may be unaware that they are infected. If the suspicious attachment contains an .EXE, .COM or .SCR or you don't know where it came from, delete the email immediately without reading it. Virus writers use many ways to trick you into opening an executable file without realising it by naming it, for example, as stuff.txt.exe or as a screensaver file (stuff.scr). Any attachment that you do wish to open should always be scanned with an updated virus checker first. Many common file formats can also be exploited, such as common graphics formats (jpg, tiff, gif, bmp), Acrobat and Office docs (pdf, doc, xml), and even zip files.


Clear cookies/browser cache/history
Make sure you clear your web browser's Cookies, Cache (Temporary Internet Files) and History on a regular basis.

Testing your system
When you have followed our tips on securing your system, it would be a good idea to test it out and see just how secure you are. A great place to do that can be found here Gibson Research Corporation - Shields Up!


Finally, educate yourself - the more you know about this stuff, the better you'll be at protecting your system. If you browse pron websites or open infected e-mails, you WILL get infected. Use common sense while browsing the web and stay away from questionable websites. Most freebies like free games or free screensavers contain spyware, adware or viruses so be wary. If you insist on visiting questionable sites be sure to clear your cache and run spyware scans when you are done.

If you follow our advice and implement the steps outlined above, you will now have a system that is far more secure than when you first started.

They are all simple steps in isolation, but taken together form the foundation of a secure platform for enjoying the internet without having to worry about the damage that could be caused to your system.

Last edited by Mjölnir : 05-08-2005 at 11:33 AM. Reason: removed URL parsing again
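The HOSTS file check from the 'Set up/lock HOSTS file' section above, worked through as an added example; this is not code from the post or from PC Perspective. It reads a HOSTS file the way Windows does (first token an address, then one or more names, `#` starts a comment), treats 127.0.0.1 and 0.0.0.0 entries as deliberate blackholes, and treats any entry for a site you rely on as a hijack whatever address it points at. The sample file, the PROTECTED list, the address set and the function names are all constructed for the example.

```python
import ipaddress

# Constructed sample HOSTS file for this example (not from any real machine).
# It mixes the entry types the post describes: the normal localhost line,
# blackhole entries that send a known-bad site to 127.0.0.1 (or 0.0.0.0, which
# some published block lists use instead), and hijack entries planted by spyware.
SAMPLE_HOSTS = """\
# comments and blank lines are ignored, exactly as Windows ignores them
# one address per line, followed by one or more host names

127.0.0.1       localhost
127.0.0.1       www.viruses-R-us.com          # blackhole, as the post suggests
0.0.0.0         ads.example.net               # blackhole in 0.0.0.0 style
192.168.0.12    www.google.com                # hijack: redirects Google elsewhere
127.0.0.1       windowsupdate.microsoft.com   # hijack: blocks updates by blackholing them
300.1.1.1       broken.example                # malformed address, Windows skips it
"""

# Names that a legitimate HOSTS file has no business touching.  This short
# list is an assumption for the example; extend it with your bank, your AV
# vendor's update servers and anything else malware would want to intercept.
PROTECTED = {"www.google.com", "windowsupdate.microsoft.com", "update.microsoft.com"}

# Addresses used to send a name into the "virtual black hole" the post describes.
BLACKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0"}


def parse_hosts(text):
    """Return (line_no, ip, hostname) for every usable mapping in a HOSTS file.
    Comments and blank lines are skipped; one line may list several names."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # not an address; Windows skips the line as well
        for name in names:
            entries.append((n, ip, name.lower()))
    return entries


def audit_hosts(text):
    """Sort HOSTS entries into 'hijack', 'blackhole' and 'other'.

    A protected name is a hijack wherever it points: 192.168.0.12 for
    www.google.com redirects you, and 127.0.0.1 for an update server quietly
    stops the updates the post tells you to install.  Checking the protected
    list before the blackhole addresses is what catches the second case.
    """
    report = {"hijack": [], "blackhole": [], "other": []}
    for n, ip, name in parse_hosts(text):
        if name == "localhost":
            continue
        if name in PROTECTED:
            report["hijack"].append((n, name, ip))
        elif ip in BLACKHOLE_ADDRS:
            report["blackhole"].append((n, name))
        else:
            report["other"].append((n, name, ip))
    return report


if __name__ == "__main__":
    for kind, rows in audit_hosts(SAMPLE_HOSTS).items():
        for row in rows:
            print(kind, row)
```

On Windows 2000/XP the live file is %SystemRoot%\System32\drivers\etc\hosts; read its contents and pass them to audit_hosts(). Anything under 'other' is an entry that neither blackholes a site nor touches a protected name, so it is worth reading by hand: a preconfigured block list will put thousands of names there only if it uses an address other than 127.0.0.1 or 0.0.0.0. Setting the file read-only, as the post advises, is a separate step this check does not perform.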
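The attachment-naming tricks from the 'Never open unknown email attachments' section, as an added example that is not code from the post or from PC Perspective. It classifies an attachment name by what Windows would actually do with it, catching the stuff.txt.exe double extension and the related trick of padding the name with spaces so the real extension scrolls off screen. The post names only .EXE, .COM and .SCR; the longer extension lists below are assumptions for the example, as are the function names.

```python
import re

# Extensions the post names as executable (.exe, .com, .scr) plus a few more
# that Windows of that era runs directly; the extra ones are an assumption.
EXEC_EXT = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "js", "hta"}

# Harmless-looking extensions attackers put in front of the real one.
DECOY_EXT = {"txt", "jpg", "jpeg", "gif", "bmp", "doc", "pdf", "zip", "htm", "html"}


def attachment_risk(filename):
    """Classify an attachment name.

    'executable'           - ends in an extension Windows will run
    'disguised-executable' - executable hidden behind a decoy extension
                             (stuff.txt.exe) or behind a run of spaces
                             (photo.jpg             .exe)
    'scan-first'           - anything else; the post notes that images,
                             Office and PDF files can be exploited too,
                             so this is "scan it", not "safe"
    """
    name = filename.strip().lower()
    parts = name.split(".")
    # Only the LAST extension decides how Windows opens the file.
    if len(parts) < 2 or parts[-1].strip() not in EXEC_EXT:
        return "scan-first"
    if len(parts) >= 3 and parts[-2].strip() in DECOY_EXT:
        return "disguised-executable"
    if re.search(r"\s{2,}\.\w+$", name):
        return "disguised-executable"
    return "executable"


def triage_attachments(names):
    """Map each risk class to the attachment names that fall in it."""
    out = {"executable": [], "disguised-executable": [], "scan-first": []}
    for n in names:
        out[attachment_risk(n)].append(n)
    return out


if __name__ == "__main__":
    # constructed names, not real attachments
    for cls, names in triage_attachments(
        ["stuff.txt.exe", "stuff.scr", "Holiday Photos.JPG                 .exe",
         "report.pdf", "README"]).items():
        print(cls, names)
```

The classification is by name only, which is all a mail client shows you before you click; it says nothing about the file's contents, so the post's rule of scanning every attachment you do open still applies to the 'scan-first' group.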
#3 - Ned Slider, Moderator - 04-19-2005, 12:21 AM
Cleaning your PC

In many cases, simply running virus and spyware/adware scanners will result in the scanners automatically cleaning the unwanted program off your PC for you. This guide is aimed at providing an effective "full service" method of eliminating spyware, adware, viruses and other potentially unwanted software. If you’re unsure of any of the steps in here, please feel free to create a thread about it in this forum. Thanks


1) Download your weapons of choice
The obvious first step. If you have virus/spyware/adware scanners already, you may need to update them with the latest definitions. If you don’t have these scanners, go through our Links section and pick a few out. The common choice for spyware and adware detection/removal would be Spybot Search and Destroy and AdAware. We’ve listed a few options in our Software Links. The more antispyware and antivirus programs you run, the better chance you have of finding everything. You may find it advantageous to boot to Safe Mode with Networking before updating definitions for your choice of adware/spyware tools. The reasoning behind this is the same as the next section's emphasis on only essential services running during the update process. Some malware is capable of monitoring updates to the tools that could remove them and will take steps to negate the work you are doing. Although not as secure as Safe Mode, Safe Mode w/ networking is better than normal mode for this type of work. After updating, you can either stay in this mode (physically disconnect from the network and skip to step 3) or


2) Boot into Safe Mode
The purpose of Safe Mode is to boot Windows with minimal overhead, meaning only essential system files and drivers. This practice helps stop many unwanted programs from starting when Windows starts (when they start as well, they must be stopped before you can delete them). Some unwanted software may still manage to start even in Safe Mode. When you power up your PC, you need to hit F8 just at the end of the initial hardware displays (P.O.S.T.) and before the first Windows loading screen appears. You should see a few options listed, including 'Safe Mode'.


3) View all files and folders
Many viruses and unwanted software will hide in Windows system folders or will be hidden. To delete them, you need to be able to see them. Open Windows Explorer and go to Tools > Folder Options > View (tab) and select 'Show hidden files and folders' and uncheck 'Hide extensions for known file types', 'Hide protected operating system files' and 'Use simple file sharing'. Click 'Apply' then 'OK'.


4) Delete Temporary Files, Cookies and Browser Cache
Doing this serves two purposes. One, it can speed up the process of the scan and two, it can remove some unwanted software before the scans start (tracking cookies for example). If you’ve just installed or uninstalled some software, you should restart your PC before doing this.

In Windows 2K/XP, the folders you should empty are:

C:\Documents and Settings\{username}\Local Settings\Temp
C:\Documents and Settings\{username}\Local Settings\Temporary Internet Files
C:\Documents and Settings\{username}\Cookies


You should do this for each user name - and also for all System accounts (Local Service, Network Service, etc.) In addition, on Windows 2000 and XP, the system has its own profile where the Cookies, Temp and Temporary Internet Files folders are located in:

%systemroot%\system32\config\systemprofile\cookies
%systemroot%\system32\config\systemprofile\Local Settings\Temp
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files

These should also be emptied. %systemroot% is most often named Windows, but may not be - it is the directory in which Windows is installed.

Additionally, C:\Downloaded Program Files should be emptied as virus installation programs may hide in there. Many of these locations can be conveniently cleared out using the Disk Cleanup feature:



In Windows 9X/ME, the folders to empty are:
C:\Windows\Temp
C:\Windows\Cookies
C:\Windows\Temporary Internet Files



5) Preliminary Report (HijackThis)
HijackThis (HJT) can catch many undesired startup items that may be the cause of your frustrations or may still start in Safe Mode. Do a scan and create a log file. Save the logfile somewhere then analyse it through this website:
www.hijackthis.de (you can also download HJT from here)
Scroll down to see the analysis results. If you're unsure about any of the results it returns, err on the side of caution and leave it alone while you go and search for information on it on Google or here in this forum.

Logfiles from HJT can usually be split into three distinct sections:
• Processes currently running
• Internet Explorer add-ons
• Software initiated through the registry
NOTE: These are merely the most common things that HJT detects. If your problem is not listed here, please continue through this guide.

If the site returns any “Nasty” results, take note as to whether they have any related files on your hard drive and take note of their exact names and locations. Find and tick those “nasty” entries in HJT, then click ‘FIX’ to remove their startup functions. If you have “Unknown” entries, be wary of removing them. They may in fact be safe or even important entries (like DNS Server Addresses for your Internet connection).

Malicious Processes (eg. EXE files) usually need to be stopped before removing them. You can do this in Task Manager. Press CTRL+ALT+DEL and click the 'Task Manager' button. Open the 'Processes' tab then right-click the "nasty" processes and select 'End process tree'. Once you have done that you can refer to your “nasty” files list and delete those files.
IMPORTANT: RUNDLL32.EXE is an important Windows system file which is also sometimes used to load various viruses, etc. DO NOT DELETE IT!

Once you’re done doing that, restart your PC (be sure to return to Safe Mode) to let changes take effect. If you’re unsure about whether entries in HJT are safe or not, try Googling the files or post your HJT log in a new thread in this forum.


6) Disable System Restore Service
The System Restore Service provides a mechanism to restore your Windows installation to older registry settings and system files. It stores these "backups" under '[Drive]:\System Volume Information' and restricts access to that folder to users of the PC. Consequently, lots of viruses and the like choose to hide in System Restore’s backup folders. Disabling System Restore while you do your scans allows some programs to scan these folders when they otherwise would be denied access. You can disable the System Restore Service by going to Start Menu > Run and typing services.msc. In the right-hand pane, scroll down and double-click 'System Restore Service'. Set the 'Start-up Type' to 'Disabled', then click 'Apply' then 'OK' to set the change. This step is particularly important because, not only can malware and viruses hide in these folders, inadvertently restoring your system to an earlier point after cleaning your system can result in the reversal of all your work.


7) Scan PC with your weapons of choice
Now you’re ready to run some antivirus and antispyware software. Allow them to clean anything that they deem to be malicious. If one of your weapons finds and cleans anything, you should reboot your PC (don’t forget to get back into Safe Mode!) before running the next program. This makes the changes stick and ensures the next program doesn't try to fix the same problem.

Sometimes programs can't remove (or don't completely remove) nasty software. It can pay to write down the names of unwanted files that were found, so you can do searches on Google for them or use parts of their names in searches on your drives for associated files. Often a Google search for bits of information can turn up full detailed instructions or specialised patches for fixing that particular problem.

Repeat the scanning stage until you are confident that your PC is clean.

If you're still having trouble with a particular file, write down as much detail as you can about it then make a thread about it. Useful information includes:
File names, file properties info, file locations, any associated files as well as virus names and strains (a,b,c, etc.) and any websites they may be linking to.


8) Boot To Normal Mode
Once back in Normal Mode, see if the machine is acting the way it should. If not, you may want to repeat step 7 (in Safe Mode).


9) Turn On System Restore
In the same manner that a contaminated System Restore store can work against you, conversely, a clean and well maintained System Restore store can help facilitate the repair of a variety of system errors. When you're sure that your PC is clean, you can follow the instructions above to set System Restore Service’s 'Start-up Type' to Automatic and reboot.

10) Windows Updates
Use Windows Update to update your machine and, at this point, your machine should be running the way it was when you first built/bought it!

Last edited by Sick Willie : 05-06-2005 at 11:08 PM. Reason: Expanded the SR section
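A first triage pass over the three kinds of HijackThis entries the post lists in step 5 (browser settings, IE add-ons, registry startup items), as an added example; this is not code from the post, from PC Perspective, or from HijackThis itself. The log lines are constructed in the style of an HJT log and name no real malware; the CLSIDs are placeholders, and the expected home pages, the system-file name list and the heuristics are assumptions made for the example. It does what the post recommends you do by hand: it points at entries to go and research, not at entries to delete.

```python
import re
from urllib.parse import urlsplit

# Constructed lines in the style of a HijackThis log.  The entries are made up
# for this example; the CLSIDs are placeholders, not real component IDs.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.example-hijack.net/
O2 - BHO: Adobe PDF Reader Link Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000002} - C:\WINDOWS\system32\bhoxyz.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [svch0st] C:\Documents and Settings\Bob\Local Settings\Temp\svch0st.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\binaries\msconfig.exe /auto
"""

# Home/search pages the user is expected to have.  An assumption for the
# example; in practice use whatever the owner of the PC actually set.
EXPECTED_PAGES = {"www.google.com", "www.msn.com", "www.microsoft.com"}

# Genuine Windows binaries that malware likes to imitate by swapping letters
# for look-alike digits (svch0st.exe, 1sass.exe, ...).  Also an assumption.
SYSTEM_NAMES = {"svchost", "lsass", "csrss", "winlogon", "explorer", "services", "rundll32"}
LOOKALIKE = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

# Folders from step 4 of the post; a program that autostarts from one of
# these has no business being there.
TEMP_MARKERS = ("\\temp\\", "\\temporary internet files\\", "\\cookies\\")

# First Windows path ending in a runnable/loadable extension, quoted or not.
_PATH_RE = re.compile(r'"?([a-z]:\\.*?\.(?:exe|com|scr|dll|bat|cmd|pif))', re.I)


def _first_path(command):
    m = _PATH_RE.search(command)
    return m.group(1) if m else None


def triage_line(line):
    """Return the reasons an HJT log line deserves a closer look
    (an empty list means nothing obviously wrong with it)."""
    reasons = []
    if line.startswith(("R0 ", "R1 ")) and " = " in line:
        url = line.split(" = ", 1)[1].strip()
        host = urlsplit(url).hostname or ""
        if host not in EXPECTED_PAGES:
            reasons.append(f"browser start/search page points at {host}")
    elif line.startswith("O2 "):
        if "BHO: (no name)" in line:
            reasons.append("unnamed browser helper object")
    elif line.startswith("O4 ") and "] " in line:
        path = _first_path(line.split("] ", 1)[1])
        if path:
            low = path.lower()
            if any(marker in low for marker in TEMP_MARKERS):
                reasons.append("startup program lives in a temp/cache folder")
            stem = low.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            if stem not in SYSTEM_NAMES and stem.translate(LOOKALIKE) in SYSTEM_NAMES:
                reasons.append(f"'{stem}' imitates a Windows system file name")
    return reasons


def triage_log(text):
    """Map each flagged log line to its reasons; clean lines are left out."""
    findings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        reasons = triage_line(line)
        if reasons:
            findings[line] = reasons
    return findings


if __name__ == "__main__":
    for line, reasons in triage_log(SAMPLE_LOG).items():
        print(line)
        for r in reasons:
            print("   ->", r)
```

The checks are deliberately narrow: an unknown start page, an unnamed BHO, an autostart entry under a Temp folder, or a file name one digit away from a system binary. A line that passes all of them is not thereby clean (a BHO with a plausible name in system32 passes), and a flagged line still needs the Google search and the forum post the step describes before anything is ticked and fixed in HJT.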
#4 - Ned Slider, Moderator - 04-19-2005, 12:52 AM
Links to AV/Spyware/Trojan Software - Tools of the Trade


AV software

Free real time fully featured packages
Avast! Home Edition
AVG Free Edition
BitDefender Free Edition - On demand scans only

Extended trial real time fully featured commercial packages
Kaspersky AV Personal/Personal Pro

The following companies are currently offering extended trial periods of their AV packages through Microsoft (Note: Please follow the Microsoft link to be eligible for the extended trial periods):
Computer Associates (12-month free trial)
F-secure (6-month free trial)
McAfee (90-day free trial)
Panda Software (90-day free trial)
Symantec (90-day free trial)
Trend Micro (90-day free trial)

Free on demand scanners
MicroWorld MWAV eScan
Trend Micro Sysclean
McAfee AVERT Stinger

Free online scanners
Trend Micro Housecall
Kaspersky
BitDefender
Computer Associates
F-Secure
Panda Antivirus
McAfee Virus Scan


AV review sites
AV-Comparatives


Adware/Spyware/Trojan removal software

Adware scanners
Ad-Aware

Spyware scanners
CounterSpy
Microsoft Anti-Spyware
Spybot S&D!
Webroot Spy Sweeper

Spyware Blockers
SpywareBlaster
SpywareGuard

Trojan Scanners
a-squared (a²)
Ewido

Browser Hijack Tools
HijackThis
CWShredder


Other useful software
SmitRem removal tool for SpySheriff, SpyAxe & SpywareStrike
Startup Control Panel
BHODaemon
DCOMBobulator
Shoot The Messenger
Unplug N' Pray
WhoLockMe
CleanUp
Pocket Killbox

Other useful websites and resources

Process Identification Sites
www.liutilities.com/products/wintaskspro/processlibrary
www.fileresearchcenter.com
www.processlibrary.com
www.sysinfo.org/startuplist.php
www.windowsstartup.com

Other Sites
Blocking Unwanted Parasites with a HOSTS File
Mike's Ad Blocking HOSTS file
www.spywareguide.com
www.spywareinfo.com/~merijn
EICAR Test Virus for testing your AV program


Security Related MS Articles
Computer viruses: description, prevention, and recovery - KB129972
Microsoft Windows 2000 Security Hardening Guide - MS TechNet
Spyware solutions: Technology and leadership - MS Strategy Press Release, Jan 2005

Last edited by Ned Slider : 01-12-2006 at 03:36 AM. Reason: Ned added SmitRem link
Powered by vBulletin
Copyright ©2000 - 2009, Jelsoft Enterprises Ltd.
© PC Perspective 2000 - Present