I have been spending quite a bit of time recently removing the TDSS trojan and associated malware from client machines. Within the last week, I have had at least fifteen calls that I can directly attribute to TDSS. While that might not sound like much, it's very rare that I run into the same virus more than a few times a month. The fact that I'm seeing this much of the same bug means that it's a widespread problem. It seems that most anti-virus programs don't detect this bugger until it's too late. Many of the infections have been in place for a few weeks before the client even noticed there was a problem. If you are running any flavor of Windows, I recommend that you take a few minutes to download a removal tool from Kaspersky and test your system(s). Kaspersky is offering a free tool and instructions to scan and remove the TDSS trojan from both your master boot record (MBR) and your windows\system32 folder. It only takes a minute or so to scan and the tool is a small download. I urge you to check your system(s) today. You can download the tool from here: Kaspersky TDSS Removal Tool.

If you find that your system was infected with TDSS, I suggest that you do a full virus/malware scan with your AV program and Malwarebytes and remove the rest of the crap that was silently installed by TDSS.

Let's all do our part to wipe out this nasty little bug.


Today I am covering Spyware and the tools I use to remove it. I have been using this stuff so much recently that I figured it would be a good idea to post this for the general (Windows) population.

At least 50% of my work for the last 6 months or so has been removing spyware and viruses. The tools below are all free and with this toolkit, there is very little spyware that can’t be identified, located and removed. There are also tools here that will help prevent future reinfection from much of this crap. That said, I believe that the best tool for prevention is EDUCATION of the end user- but that may just be wishful thinking.

If your system seems a lot slower than normal or if you are getting lots of pop-up ads or if your browser is not going to the right page when you type a known correct address into it, you are most likely infected with spyware. The latest nasty to be making the rounds is a thing called “CoolWWWSearch”. CWS works much like a virus. When you are infected, you may see odd extra tasks listed in your task manager. Your default home page and search pages will be changed and all attempts to change them back will be futile. Killing the extra tasks will get you nowhere unless the entire CWS package is removed. Here is a page detailing the many CWS variants.

Many of these threats now have the capability of dialing your modem (If you still have one) and establishing overseas connections without your knowledge (at least until the phone bill arrives).

Another common trick these days is to modify the hosts file in your system or system32 folder and force attempted connections to popular websites to be redirected elsewhere. This at least is fairly easily fixed without the need for extra tools (Although some of these tools will fix this as well). To fix your hosts file, first you will need to be able to see system and hidden files.

1) In Windows Explorer (or My Computer) select Tools / Folder Options (View / Folder Options on older OSs)

2) Click the View tab

3) Select “Show System and Hidden Files” and uncheck “Hide protected operating system files”

4) Click OK

5) Now press F3 to open the search dialog

6) Type “hosts” in the search field

7) Change “Look In” to C: (or whatever drive your Windows OS is installed on)

8) Under Advanced search options, check “Search System Folders” and “Search hidden files and folders”

9) Click Search

10) When you find a file called “hosts” with no extension, right click on it and select “Open with”

11) Select Notepad from the list of programs

12) Any line in the hosts file that starts with # is a comment and has no effect on anything. The only uncommented line that needs to be in there is the loopback entry: 127.0.0.1 localhost

13) Anything else should be removed – unless you have added the Spybot hosts list. Any entry with an address other than 127.0.0.1 should be suspect, as the average user would not be creating hosts entries.

14) Save the file and exit Notepad
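The check in steps 12 and 13 is easy to automate. The script below is an added example, not part of the original post: it parses hosts-file text, keeps the plain localhost line, and flags everything else with a reason so you can decide what to delete. The sample hosts content is constructed for the example, using the TEST-NET address 203.0.113.10 as the stand-in for an attacker's redirect target.

```python
import ipaddress

# Constructed sample hosts file: the expected localhost lines plus two
# entries of the kind a browser hijacker plants (not from a real system).
SAMPLE_HOSTS = """\
# Sample HOSTS file (constructed)
127.0.0.1       localhost
::1             localhost
# planted by a hijacker (constructed example)
127.0.0.1       www.microsoft.com
203.0.113.10    www.google.com  search.msn.com
"""

LOOPBACK = {"127.0.0.1", "::1"}

def parse_hosts(text):
    """Yield (line_no, address, [hostnames]) for every non-comment line."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments, whitespace
        if not line:
            continue
        addr, *names = line.split()
        yield no, addr, names

def suspicious_entries(text):
    """Return (line_no, addr, names, reason) for every line that is not
    the plain 'localhost' mapping. Loopback entries for other hosts are
    what an ad-blocking list like Spybot's adds; non-local addresses are
    the redirect trick described in the post."""
    flagged = []
    for no, addr, names in parse_hosts(text):
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            flagged.append((no, addr, names, "malformed address"))
            continue
        if addr in LOOPBACK and names == ["localhost"]:
            continue                          # the one expected line
        if addr in LOOPBACK:
            reason = "blackholes a site to loopback"
        else:
            reason = "redirects to a non-local address"
        flagged.append((no, addr, names, reason))
    return flagged

if __name__ == "__main__":
    for no, addr, names, reason in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {no}: {addr} -> {' '.join(names)}  ({reason})")
```

To run it against a live machine, read C:\Windows\System32\drivers\etc\hosts into a string and pass that instead of SAMPLE_HOSTS.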
My recommendation is that anyone who needs to support a Windows system should download, unzip and burn all of the items below to a CD and keep it handy.

Here is the list as it stands today:

MalwareBytes AntiMalware

MalwareBytes is one of my newest tools and has worked quite well at eliminating some of the newer drive-by infections I have been seeing recently.

SpyBot S&D

One of the best spyware removal tools available. Use SpyBot S&D weekly to scan for and remove nasty spyware/malware entries on your system(s). Check for updates before scanning.

HijackThis & CWShredder

HijackThis, CWShredder and a few other utilities for fixing, removing and preventing browser hijacks. CWShredder is used to eliminate “CoolWebSearch” which has become one of the worst hijacks I have come across. CWS should be classified as a virus as it reinstalls itself each time you launch your browser if even the smallest piece of it is left behind. SpyBot and AdAware will identify and remove most but not all of CWS. CWShredder gets it all. Works quite well.

LSPFix

Removes and renumbers Layered Service Provider (LSP) entries in your winsock stack (the portion of Windows that connects you to a network or the internet). Bad entries can cause lack of connectivity or redirection, among other nasty problems.
Use LSPFix to inspect and remove problem entries.
Get LSPFix here or visit the author's homepage for a much more complete description of LSPs and what LSPFix does. Be careful with LSPFix. It will list all items in the TCP stack, including items that SHOULD be there. Make sure you read the documentation before removing anything from the list.

Ok. Those are some of the tools and procedures for fixing things once you have fallen victim to spyware. Now, let's talk about prevention. The best way to keep your system running in top condition is to never get infected with this crap. Since most of this stuff is installed without your knowledge, this may seem harder than it really is. Here are some general rules that will help you steer clear of spyware:

1) Free software is usually not free. Many freebie programs come bundled with spyware. Before downloading a freebie, do some research. Do a Google search for the program and see what other users have to say about it. If it contains spyware, someone will have already discovered this and either complained or, in many cases, provided removal instructions.

2) DON’T ever click on popup ads.

3) Use a secure browser. Microsoft's Internet Explorer is the most widely used web browser in existence. For this reason, IE is targeted by the spyware developers, since it provides the largest share of systems for their garbage to infect. IE has a number of “features” that allow scripts to be run when a site is visited. These spyware outfits use these “features” to load their crap onto your computer – usually without your knowledge or permission. There are some very good alternative browsers available that don't allow these idiots to dump their garbage on your system. My favorite is Mozilla's FireFox. It's a wonderful browser with many features that even IE doesn't have (like tabbed browsing). You can download FireFox free of charge and free of spyware from You will still need IE for a few things, like Windows Update and the Microsoft Knowledgebase, as they simply will not work with FireFox. Use IE only with trusted sites that actually require IE; otherwise use FireFox.

4) Keep up to date with updates for your operating system. Check Windows Update at least once a week. Download and install ALL critical updates and any of the non-critical updates that you feel you need or want. The critical updates are usually patching security holes that spyware, viruses and hackers can use to gain access to your system for whatever they wish to do.

-Bill Ortlieb

Here is a comment from a thread I had started on this topic a few months ago:

Bill, one thing that I've found is that people don't understand the credibility of sites and how to judge that. Off the top of my head, recognizing sites that pick up Google search keywords and somehow display them in their site content. If you've ever searched for obscure things you'll know what I mean. Also using the site URL to determine whether it's legit or not. Think of the top three uses for the Internet in the eyes of the average user. Pr0n, gambling and free software. They don't know any better, they don't know how to spot a dodgy site, visit it in IE and wonder why they get spyware and popups, and god forbid, dialers. I know it's a really hard thing to categorize and drill down, and then explain that to a newbie, but if you were willing to try, it'd be very helpful to many… But definitely emphasize the point that many sites WILL try to install things that require your approval, and in most cases, you should deny.
