Malware

You are currently browsing articles tagged Malware.

Today I am covering Spyware and the tools I use to remove it. I have been using this stuff so much recently that I figured it would be a good idea to post this for the general (Windows) population.

At least 50% of my work for the last 6 months or so has been removing spyware and viruses. The tools below are all free and with this toolkit, there is very little spyware that can’t be identified, located and removed. There are also tools here that will help prevent future reinfection from much of this crap. That said, I believe that the best tool for prevention is EDUCATION of the end user- but that may just be wishful thinking.

If your system seems a lot slower than normal or if you are getting lots of pop-up ads or if your browser is not going to the right page when you type a known correct address into it, you are most likely infected with spyware. The latest nasty to be making the rounds is a thing called “CoolWWWSearch”. CWS works much like a virus. When you are infected, you may see odd extra tasks listed in your task manager. Your default home page and search pages will be changed and all attempts to change them back will be futile. Killing the extra tasks will get you nowhere unless the entire CWS package is removed. Here is a page detailing the many CWS variants.

Many of these threats now have the capability of dialing your modem (If you still have one) and establishing overseas connections without your knowledge (at least until the phone bill arrives).

Another common trick these days is to modify the hosts file in your system or system32 folder and force attempted connections to popular websites to be redirected elsewhere. This at least is fairly easily fixed without the need for extra tools (Although some of these tools will fix this as well). To fix your hosts file, first you will need to be able to see system and hidden files.

In Windows Explorer (or MyComputer) select Tools/Folder Options (View / Folder Options on older OS’s)
Click the view tab
Place a dot in “Show System and Hidden Files” and uncheck “Hide Protected operating system files”
Click OK
Now press F3 to open the search dialog
Type “hosts” in the search field
Change “Look In” to C: (or whatever drive you Windows OS is installed on)
Under Advanced search options, check “Search System Folders” and “Search hidden files and folders”
Click search
When you find a file called “hosts” with no extention, right click on it and select “open with”
Select notepad from the list of programs
Any line in the hosts file that starts with # is a comment and has no effect on anything. The only uncommented line that needs to be in there is:
127.0.0.1 localhost
Anything else should be removed – unless you have added the Spybot hosts list.  Anything with an address other that 127.0.0.1 should be suspect as the average user would not be creating host entries.
Save the file and exit notepad
My recommendation is that anyone who needs to support a Windows system should download, unzip and burn all of the items below to a CD and keep it handy.

Here is the list as it stands today:

MalwareBytes AntiMalware

MalwareBytes is one of my newest tools and has worked quite well at eliminating some of the newer drive by infections I have been seeing recently.
SpyBot S&D

One of the best Spyware removal tools available. Use SpyBot S&D weekly to scan for and remove nasty spyware/malware entries on your system(s) Check for updates before scanning.

HijackThis & CWShredder

HijackThis, CWShredder and a few other utilities for fixing, removing and preventing browser hijacks. CWShredder is used to eliminate “CoolWebSearch” which has become one of the worst hijacks I have come across. CWS should be classified as a virus as it reinstalls itself each time you launch your browser if even the smallest piece of it is left behind. SpyBot and AdAware will identify and remove most but not all of CWS. CWShredder gets it all. Works quite well.
LSPFIX

Remove and renumber Layered Service Provider entries in your winsock stack (the portion of Windows that connects you to a network or the internet). These entries can cause lack of connectivity or redirection among other nasty problems.
Use LSPfix to inspect and remove problem entries.
Get LSPFIX Here or visit the author’s Homepage for a much more complete description of LSP and what LSPfix does. Be careful with LSPFix. It will list all items in the TCP stack including items that SHOULD be there. Make sure you read the documentation before removing anything from the list.

Ok. There are some of the tools and procedures for fixing things once you have fallen victim to spyware. Now, let’s talk about prevention. The best way to keep your system running in top condition is to never get infected with this crap. Since most of this stuff is installed without your knowledge, this may seem harder than it really is. Here are some general rules that will help you steer clear of spyware:

1) Free software is usually not free. Many freebie programs come bundled with spyware. Before downloading a freebie, do some research. Do a google search for the program and see what other users have to say about it. If it contains spyware, someone will have already discovered this and either complained or in many cases provided removal instructions.

2) DON’T ever click on popup ads.

3) Use a secure browser. Microsoft’s Internet Explorer is the most widely used web browser in existence. For this reason, IE is targeted by the spyware developers since it provides the largest share of systems for their garbage to infect. IE has a number of “features” that allow for scripts to be run when a site is visited. These spyware outfits use these “features” to load their crap onto your computer – usually without your knowledge or permission. There are some very good alternative browsers available that don’t allow these idiots to dump their garbage on your system. My favorite is Mozilla’s FireFox. It’s a wonderful browser with many features that even IE doesn’t have (like tabbed browsing). You can download FireFox free of charge and free of spyware from http://www.mozilla.org. You will still need IE for a few things like, Windows Update and the Microsoft Knowledgebase as they simply will not work with FireFox. Use IE only with trusted sites that actually require IE otherwise use FireFox.

4) Keep up to date with updates for your operating system. Check Windows Update at least once a week. Download and install ALL critical updates and any of the non-critical updates that you feel you need or want. The critical updates are usually patching security holes that spyware, viruses and hackers can use to gain access to your system for whatever they wish to do.

-Bill Ortlieb

Here is a comment from a thread I had started on this topic a few months ago:

Bill, one thing that I’ve found is people don’t understand is the credibility of sites and how to judge that. Off the top of my head, recognizing sites that pick up Google search keywords and somehow display it in their site content. If you’ve ever searched for obscure things you’ll know what I mean. Also using the site URL to determine whether its legit or not. Think of the top three uses for the Internet in the eyes of Average user. Pr0n, gambling and free software. They don’t know any better, they don’t know how to spot a dodgy site, visit it in IE and wonder why they get spyware and popups, and god forbid, dialers. I know its a really hard thing to categorize and drill down, and then explain that to a newbie, but if you were willing to try it’d be very helpful to many… But definitely emphasize the point that many sites WILL try to install things that require your approval, and in most cases, you should deny.

-Blackjack

Tags: , ,