This Blog identifies some steps to take and various Internet locations and software that may be useful in protecting your computer system from "malware" and in cleaning it up if you become infected. It is divided into the following sections: ● INFORMATION YOU SHOULD KNOW ● PRELIMINARY STEPS ● PROGRAMS TO RUN REGULARLY ● PREVENTIVE MEASURES TO TAKE

Sunday, April 15, 2007

Defending Your Machine

Last updated 25 Oct 2007

If you want to take steps to defend your machine, there are a number of things which need to be considered. I would suggest the following:

INFORMATION YOU SHOULD KNOW

The minimum necessary to start with is a good hardware or software firewall and an AV, and bringing your OS up-to-date with ALL Critical updates. You can find some useful comparative AV information here: http://www.virusbulletin.com/vb100/about/index.xml (This is a secure site which will require you to register; however, they are reputable, and I've had no reports of any privacy violations.) and here:
http://www.av-comparatives.org/index.html?http://www.av-comparatives.org/seiten/comparatives.html

There's a useful comparative review of firewalls here: http://www.informationweek.com/story/showArticle.jhtml?articleID=173402915&pgno=1

You can minimally test your firewall here:
https://www.grc.com/x/ne.dll?bh0bkyd2 and here:
http://www.auditmypc.com/freescan/scanoptions.asp

A useful survey of existing program vulnerabilities and missing Microsoft security updates is available on line here:
http://secunia.com/software_inspector/
"Feature Overview - The Secunia Software Inspector:
* Detects insecure versions of applications installed
* Verifies that all Microsoft patches are applied
* Assists you in updating your system and applications
* Runs through your browser. No installation or download is required."
Recommended.

A very comprehensive (though still Beta as of this writing) comparison of online malware scans is available here:
http://wiki.castlecops.com/Online_malware_scans_-_Comparison
It covers Virus and Trojan scanners, single file scanners, multiple engine scanners, etc. as well as providing links to other online malware scanners in addition to those I list below. Highly Recommended. This Castlecops site also provides links to a number of other lists of freeware anti-virus and anti-malware software, scanners, etc. Recommended.

There are on-line parasite scans available here:
http://www.kaspersky.com/virusscanner - Recommended
http://www.pandasoftware.com/products/spyxposer/com/spyxposer_principal.htm (Detection only)
http://www.pandasoftware.com/activescan/ - Recommended
http://www3.ca.com/securityadvisor/ - Recommended. This site also offers an on-line virus scan and search access to both malware and virus databases.
http://housecall.trendmicro.com/ - Recommended
http://www.ewido.net/en/onlinescan/ (Recommended, but scan is only for Win2K and XP operating systems and utilizes a downloaded ActiveX client program.)
http://www.my-etrust.com/products/pestscan/pestscan.cfm
http://www.webroot.com/services/spyaudit_03.htm
http://download.zonelabs.com/bin/promotions/spywaredetector/index_za.html
and here:
http://www.doxdesk.com/parasite/
(NOTE: You will need to disable Ad Blocking in Zone Alarm 3.x or later, if present, or in any other Ad Blocking software which interferes with Java Scripting or Delayed Popups (e.g. in AdShield), for this scan to work on this site. You should get a message in a box at the top giving the results of the scan.)

When using any of these scanners or the other cleaning tools referenced below, you should remain cautious about false positives. For example, they may find Registry entries for IE6's Related Sites function which by default utilizes Alexa. IMO this isn't malware; however, the Alexa Toolbar which you're invited to download in the Related Sites sidebar certainly is, again IMO. Likewise, certain perfectly legitimate resource kits contain utilities which perform some of the same functions that can be found in certain malware, and therefore may be erroneously identified as such. Later in this Blog I'll provide links to sites where you can further check out things that are found by them.


I would recommend reading:

Start with this Highly Recommended overview US-CERT document by Aaron Hackworth, "Spyware", http://www.us-cert.gov/reading_room/spyware.pdf. (You will need Adobe Reader or Foxit Reader for this file.)

And another Highly Recommended look at the subject, "Home Computer Security", here: http://www.cert.org/homeusers/HomeComputerSecurity/

Then read STOP ● THINK ● CLICK - 7 Practices for Safer Computing, here: http://onguardonline.gov/stopthinkclick.html

There's very good information available at this UK government site:
http://www.getsafeonline.org/nqcontent.cfm?a_id=1

A useful series of four articles by Microsoft, "What you can do about spyware and other unwanted software", starting here:
http://www.microsoft.com/athome/security/spyware/spywarewhat.mspx

10 Immutable Laws of Security, here: http://www.microsoft.com/technet/archive/community/columns/security/essays/10imlaws.mspx

Remember first of all that you have a responsibility not to aid those trying to hurt you. See this article by MVP Lawrence Abrams, "The Art of Social Engineering", here: http://www.bleepingcomputer.com/securityblog/2006/09/12/the-art-of-social-engineering/ (Also some good links on the right to very useful tutorials and spyware removal guides, BTW.)

Some very cogent observations by MVP Sandi Hardmeier, "I'm not pulling your leg, honest", http://www.microsoft.com/windows/IE/community/columns/pulling.mspx

"How did I get infected in the first place", here:
http://forums.techguy.org/t208517.html

"Improve your family's Web security in 4 steps", here: http://www.microsoft.com/athome/security/children/childrenonline.mspx and
"Are Your Children Safe from Spyware?", here:
http://www.pcpitstop.com/spycheck/kids.asp and
"Safe Surfing", here:
http://www.pcpitstop.com/spycheck/safesurfing.asp. See the "Spyware Resources" frame at this site for a number of other very helpful articles also.

How to Help Protect Kids Online, a .pdf file available for download here: http://www.microsoft.com/downloads/details.aspx?familyid=e8bb8dc5-cbaa-4f0c-b5f0-2619b886c8b6&displaylang=en (You will need Adobe Reader or Foxit Reader for this file.)

A good general "malware" overview/removal site FAQ's with pretty good step-by-step instructions is available for review here: http://www.spywarenation.com/modules.php?name=FAQ

Then read these about Dealing with Hijackware:
http://mvps.org/winhelp2002/unwanted.htm - One particularly important point from this document: "Beware of Imposters - before you use, install or purchase an "Anti-Spyware" product, read this first:
Rogue/Suspect Anti-Spyware Products & Web Sites"
You'll see more on this below.

One Special Note from the Anti-Spyware Coalition Tips document here, http://www.antispywarecoalition.org/documents/documents/ProtectingYourComputerflyerletter.pdf:

"Please note: If you are a victim of domestic violence or stalking and suspect that someone has installed spyware to monitor your activities, talk to a victim advocate before attempting to remove the spyware. Law enforcement may be able to assist you and would want to preserve evidence. In the United States, call the National Domestic Violence Hotline for more information at 1800799SAFE (7233)."

And these three sites particularly if you think you may already be infected:
http://inetexplorer.mvps.org/tshoot.html
http://aumha.org/a/parasite.htm
http://rgharper.mvps.org/cleanit.htm

(As an aside - while viruses and "spyware" are different in some fundamental ways (see ZDNet's Whiteboard Videos, here: http://news.zdnet.com/2036-2_22-5604863.html) and this Blog is primarily concerned with "malware" infestations, both can affect you, and both need to be addressed. Your principal tool against viruses will be your Anti-Virus program of course, but the following page contains links to specific virus and trojan removal tools from most of the major Anti-Virus vendors in addition to the more general virus and malware scanners I'll identify later:
http://www.claymania.com/removal-tools-vendors.html.
See here for some specific virus removal tools also:
http://www.grisoft.com/doc/112/lng/us/tpl/tpl01)

Symantec also provides a number of malware-specific removal tools here: http://securityresponse.symantec.com/avcenter/security.risks.tools.list.html

There's a good introduction to a particularly destructive form of "stealth" malware called rootkits by Microsoft's Kurt Dillard here:
http://searchwindowssecurity.techtarget.com/tip/0,289483,sid45_gci1086476,00.html and another from F-Secure here:
http://www.europe.f-secure.com/blacklight/rootkit.shtml and from SysInternals here:
http://www.sysinternals.com/Utilities/rootkitrevealer.html and from McAfee here:
http://vil.nai.com/vil/stinger/rkstinger.aspx

Also, see the discussion below of Microsoft's Malicious Software Removal Tool. The following edited links to a number of free and trial Anti-Rootkit Detection and Removal systems and to systems to help prevent Rootkit infestation were originally posted by 'wasbit' 7/26/07 in the alt.comp.freeware newsgroup:

Rootkit scanners:
Anti-Hook - http://www.security.org.sg/code/antihookexec.html
AntiVir antirootkit (beta requires registration) - http://betatest.avira.com/pages/index.php and http://betatest.avira.com/beta/index.php?lang=en
Archon Scanner - http://www.antirootkit.com/software/Archon-Scanner.htm
Aries (Sony) Rootkit Remover - http://www.lavasoftusa.com/support/securitycenter/aries_rootkit_remover.php
AVG Anti-Rootkit Free - http://free.grisoft.com/softw/70free/setup/avgarkt-setup-1.1.0.42.exe
Avzguard - http://z-oleg.com/secur/avz/download.php (second download on the right avz4en.zip is English)
Bazooka - http://www.kephyr.com/spywarescanner/index.html
BitDefender 8 (Linux or Windows) - http://www.bitdefender.com/site/Main/view/Download-Free-Products.html
Catchme - http://www.gmer.net/catchme.php
DarkSky - http://www.fyyre.net/~cardmagic/index_en.html
Detectproc - http://www.kd-team.com/
F-Secure BlackLight - http://www.f-secure.com/blacklight/
Gmer - http://www.gmer.net/index.php
Helios - http://www.antirootkit.com/software/Helios.htm
HookAnalyzer - http://www.resplendence.com/hookanalyzer
Hookexplorer - http://labs.idefense.com/files/labs/releases/previews/HookExplorer/
IceSword - http://www.antirootkit.com/software/IceSword.htm
McAfee Rootkit Detective Beta - http://www.majorgeeks.com/download5447.html
Microsoft - Malicious Software Removal Tool http://www.microsoft.com/security/malwareremove/default.mspx or http://www.microsoft.com/downloads/details.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en
Panda Antirootkit (beta) - http://research.pandasoftware.com/blogs/research/archive/2007/04/02/Panda-AntiRootkit-Released.aspx
RAIDE - http://www.rootkit.com/project.php?id=33
RegReveal - http://www.geocities.jp/kiskzo/regreveal.html
RKDetector v2.0 - http://www.rkdetector.com/
rootchk - http://www.uploads.ejvindh.net/rootchk.exe
Rootkit Buster (Trend) - http://www.trendmicro.com/download/rbuster.asp
RootkitRevealer - http://www.microsoft.com/technet/sysinternals/utilities/RootkitRevealer.mspx
Rootkit uncover (BitDefender) - www.bitdefender.com/site/Main/view/Download-Free-Products.html
Rootkit Unhooker - http://rkunhooker1.narod.ru/
SafetyCheck - http://yyuyao.googlepages.com/home
(untested) Seems System Eyes & Ears Monitor - http://3psilon.info/-Seem-System-Eyes-and-Ears.html
Sophos Anti-Rootkit - http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html - req name & email address
Stinger (McAfee) - http://vil.nai.com/vil/stinger/
Swat it - http://www.swatit.org/
SysProt AntiRootkit - http://antirootkit.com/software/SysProt-AntiRootkit.htm
Xclean micro - http://www.facetime.com/productservices/xcleanermicro.aspx

NOTE: Be a little cautious. I haven't personally validated all of these. In addition, not all will work with all Operating Systems, some may be foreign language only at this time, and some which are listed as 'free' may really be 'trial' versions.

From Microsoft: Take the following steps to help prevent infection on your system:
- Enable a firewall on your computer.
- Get the latest computer updates.
- Use up-to-date antivirus software.
- Use caution with unknown attachments.
- Do not respond to requests for personal information via e-mail or IM.
- Remove unneeded network shares.
- Use strong passwords.

(Added by JB: Or better yet use pass phrases. Here's my standard posting about this:

"Most passwords that users select are relatively weak and can be compromised rather easily. I would suggest instead that you switch over to using easily remembered pass phrases (never write them down) of: 1) some reasonable length, 2) using both capital and lower case, 3) without spaces and 4) preferably incorporating some instances of both numeric and special characters. (For example, if you happen to be a Jane Austen/Mansfield Park fan, you might think up something relatively simple like - !0RunMadAsYouPlease)1 - which tests very strongly at places like these, and which could be made even stronger and still remain as easy or easier to remember as a typical pseudo-random or user chosen 8 or 9 character password, IMO:
http://www.securitystats.com/tools/password.php
http://www.microsoft.com/athome/security/privacy/password_checker.mspx )
Other alternatives could be easily remembered book or song titles of appropriate length modified to fit the rules outlined above. You get the idea, I think. :) " )

There is a good technical discussion of pass phrases vs passwords in the following three articles by the head of the Security Program at Microsoft:

http://www.microsoft.com/technet/community/columns/secmgmt/sm1004.mspx
http://www.microsoft.com/technet/community/columns/secmgmt/sm1104.mspx
http://www.microsoft.com/technet/community/columns/secmgmt/sm1204.mspx
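As an added illustration of the four pass-phrase rules in my standard posting above (example code written for this Blog, not taken from the original posting or from any of the linked checkers), here is a small Python checker that tests a candidate against the rules and estimates the brute-force search space the way simple online checkers do. The 15-character length threshold and the character-class pools are my assumptions, and the bit estimate is a ceiling that ignores the dictionary structure of real words.

```python
import math
import string

# The example pass phrase quoted in the posting above (a Mansfield Park reference).
EXAMPLE_PASSPHRASE = "!0RunMadAsYouPlease)1"

# Assumption: the posting says only "some reasonable length"; 15 characters
# is the threshold chosen here for illustration.
MIN_LENGTH = 15

SPECIALS = set(string.punctuation)  # the 32 printable ASCII special characters


def check_rules(phrase):
    """Evaluate the four rules from the posting. Returns {rule_name: passed}."""
    has_upper = any(c.isupper() for c in phrase)
    has_lower = any(c.islower() for c in phrase)
    has_digit = any(c.isdigit() for c in phrase)
    has_special = any(c in SPECIALS for c in phrase)
    return {
        "reasonable_length": len(phrase) >= MIN_LENGTH,
        "mixed_case": has_upper and has_lower,
        "no_spaces": " " not in phrase,
        "digits_and_specials": has_digit and has_special,
    }


def failed_rules(phrase):
    """Names of the rules the phrase does not satisfy (empty list = all pass)."""
    return [name for name, ok in check_rules(phrase).items() if not ok]


def charset_size(phrase):
    """Size of the smallest pool of standard ASCII classes covering the phrase:
    lower (26), upper (26), digits (10), specials (32)."""
    size = 0
    if any(c.islower() for c in phrase):
        size += 26
    if any(c.isupper() for c in phrase):
        size += 26
    if any(c.isdigit() for c in phrase):
        size += 10
    if any(c in SPECIALS for c in phrase):
        size += len(SPECIALS)
    return size


def brute_force_bits(phrase):
    """Search-space size in bits for an exhaustive search over the pool, which
    is roughly what the online checkers linked in the posting approximate.
    It ignores dictionary structure (a phrase built from real words has less
    entropy than this), so treat it as a ceiling, not a guarantee."""
    pool = charset_size(phrase)
    if pool == 0:
        return 0.0
    return len(phrase) * math.log2(pool)


def compare_to_random_password(phrase, random_len=8):
    """Bits for the phrase versus a pseudo-random password of random_len
    characters drawn from all 94 printable ASCII characters, the comparison
    the posting makes against a typical 8 or 9 character password."""
    full_pool = 26 + 26 + 10 + len(SPECIALS)
    return brute_force_bits(phrase), random_len * math.log2(full_pool)


if __name__ == "__main__":
    # Constructed candidates: the posting's example, a weak password, and the
    # same phrase written with spaces (breaks rule 3 and drops the digits).
    for candidate in (EXAMPLE_PASSPHRASE, "password", "Run Mad As You Please"):
        phrase_bits, random_bits = compare_to_random_password(candidate)
        print(f"{candidate!r}: failed rules={failed_rules(candidate)}, "
              f"~{phrase_bits:.0f} bits vs ~{random_bits:.0f} bits for a random "
              f"8-character password")
```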


Now, the $64,000 question! Are you possibly infected? The following is courtesy of MVP Steve Winograd, here, http://www.bcmaven.com/spyware/:

"Here are some signs of spyware. Run spyware removal programs immediately if they appear:

- Your computer runs slowly, hangs, crashes frequently, or won't shut down normally.
- Your computer spontaneously dials out and connects to the Internet.
- When you try to visit a web site, your web browser takes you to a different site.
- Your Internet Explorer home page changes unexpectedly, undesired toolbars appear, or undesired items appear in Favorites.
- Undesired windows open on the screen, advertising fraudulent or illegal products.
- Unknown icons appear on the desktop.

These steps will protect your computer from new spyware infections. Make sure that everyone who uses your computer understands and follows them:

- Don't download or install programs from unknown sources.
- If a window appears asking you to install a program, close the window immediately, without answering Yes, No, or OK, unless you're sure that the program is legitimate. If you think it's OK but aren't sure, call me and ask, or search for information about the program on the web.
- Don't trade music and video files on the Internet. Peer-to-peer file trading programs like Kazaa are a prime source of infection. Paid services like iTunes, MusicMatch, and Rhapsody are OK.
- Don't visit questionable web sites. They're often designed to install spyware.
- Configure Windows Update to run automatically, and install critical updates and security patches immediately.
- Keep your antivirus program up to date.
- Firewall your Internet connection with a broadband router and/or a firewall program."


If you share a computer, particularly with young people, you may wish to investigate Windows® SteadyState™ for XP in order to exercise some parental controls over access to help protect your machine: http://www.microsoft.com/windows/products/winfamily/sharedaccess/default.mspx
From Windows SteadyState at Home, http://www.microsoft.com/windows/products/winfamily/sharedaccess/seeit/athome.mspx:

"Parents can use Windows SteadyState to help control and enhance their children's computer experience. They can customize the computer to be safer and easier to use. Internet access can be carefully controlled. Different levels of restriction can be applied for different children. In cases where a single machine is used by children and parents, the parents' configurations, programs, and files can be completely isolated from access by the children.

Control the Web
Parents may have concerns about their children viewing inappropriate content on the internet. Windows SteadyState helps give parents the control they want over their children's web access. All websites can be prohibited except for those the parent specifies as acceptable.

Control the programs
Windows SteadyState helps make it easy to control the programs and Windows features a child can access on a family computer. A parent can prevent a child from using Internet Explorer, Windows Messenger, or any other program installed on the computer. Windows management features such as Control Panel can also be restricted.

Control the experience
Parents can take full control of the family computer with Windows SteadyState. A few more examples are:

- Simplify the interface by removing options from the Start Menu that your child doesn't need.

- Apply a time limit to your child's computing sessions.

- Block access to any hard drive, partition, or removable media you don't want your child to access."

A Demo is also available on this page.


The following are additional free Parental Control software/information resources, again courtesy of 'wasbit' on 8/24/07 in alt.comp.freeware. Note that I haven't personally investigated all of these nor validated all of the URL's, so you might want to be a little cautious with them:

AmiWeb - http://www.freedownloadscenter.com/Games/Educational_Games/AmiWeb__the_secure_browser_made_just_for_kids_.html
B Gone - http://support.it-mate.co.uk/index.asp?mode=Products&p=bgone - review - http://freewarewiki.pbwiki.com/BGone
Chat Control - Child Safe Internet - http://www.snapfiles.com/Freeware/misctools/fwparents.html
Content Advisor - http://www.microsoft.com/windows/ie/using/howto/security/contentadv/config.mspx
Crawler Parental Control - http://www.yesitsfree.co.uk/julymonth.htm
Crayon Crawler - http://www.crayoncrawler.com/
Empower parents to protect children from potentially harmful material - http://www.icra.org/
Enough Is Enough - http://www.enough.org/
Family Browser - http://www.filelibrary.com:8080/cgi-bin/freedownload/New_Files/n/150/tfb.zip
Hidden Administrator - http://www.hidadmin.ru/index_en.html
iProtectYou - http://www.snapfiles.com/get/iprotectyou.html
K9 - http://www.k9webprotection.com/
Keeping Children Safe Online - http://kids.getnetwise.org/trouble/
Kiddie Surfer - http://www.russellsplace.com/variantx/
Naomi - http://www.radiance.m6.net/ - http://www.naomifilter.org/
Open DNS - http://www.opendns.com/
Parental Filter - http://users.tpg.com.au/adslgoej/
Parental Lock - http://www.broadcaster.com/tools/?p=plock
Parental Lock Guard - http://www.riasc.net/plg.aspx
Safe Surfer - http://www.smartpctools.com/safesurfer/
SmartParent - http://www.smartparent.com/
We-Blocker - http://www.we-blocker.com/



*******************************************
Run the following programs regularly; I recommend at least once a week or immediately if you suspect that you've been infected. And MOST IMPORTANTLY, if possible download a fresh copy for each use of the spyware tools below for which this is specified and ALWAYS UPDATE ALL of them.

WARNING: There are a lot of purported anti-malware commercial products available attempting to get your hard earned cash. Many of these are "Rogue/Suspect" which means that "these products are of unknown, questionable, or dubious value as anti-spyware protection." Eric Howes maintains a list of these here:
http://www.spywarewarrior.com/rogue_anti-spyware.htm#products.
To quote him:

"Some of the products listed on this page simply do not provide proven, reliable anti-spyware protection or may be prone to ridiculous false positives. Others may use unfair, deceptive, high pressure sales tactics to scare up sales from gullible, confused users. A very few of these products are either associated with known distributors of spyware/adware or have been known to install spyware/adware themselves."

This site also maintains a feature comparison list for the better known anti-spyware products, both free and paid here:
http://spywarewarrior.com/asw-features.htm as well as a list of "trustworthy" products here:
http://www.spywarewarrior.com/rogue_anti-spyware.htm#trustworthy.
I Highly Recommend this site.

There's additional information on this subject available at these sites - Recommended:
http://www.symantec.com/enterprise/security_response/weblog/2007/08/misleading_applications_faking.html and
http://www.symantec.com/norton/theme.jsp?themeid=mislead

All of the software mentioned in this Blog is free for the purposes for which I cite them; however, some programs do offer some additional capabilities when registered and paid for. Such programs are identified as such when discussed below.
*******************************************


PRELIMINARY STEPS

#########IMPORTANT#########
Before you try to remove spyware using any of the programs below, download both a copy of LSPFIX here:
http://www.cexx.org/lspfix.htm

AND a copy of Winsockfix for W95, W98, and ME
http://www.tacktech.com/pub/winsockfix/WinsockFix.zip
Directions here:
http://www.tacktech.com/display.cfm?ttid=257

or here for Win2k/XP
http://files.webattack.com/localdl834/WinsockxpFix.exe
Info and download here:
http://www.spychecker.com/program/winsockxpfix.html
Directions here:
http://www.iup.edu/house/resnet/winfix.shtm

The process of removing certain malware may kill your internet connection. If this should occur, these programs, LSPFIX and WINSOCKFIX, will enable you to regain your connection.

For XP SP2, you can also use the Run command:

netsh winsock reset catalog

to fix this problem without the need for these programs.

For XP pre-SP2, you can use this Run command:

netsh int ip reset resetlog.txt

Also, one MS technician suggested that the following sequence of Run commands for XP may help in some cases:

netsh int reset all
ipconfig /flushdns

See also:
http://windowsxp.mvps.org/winsock.htm
for additional XPSP2 info/approaches using the netsh command. An alternative approach with necessary .reg files which will often work even when the above doesn't is defined here, courtesy of MVP Bob Cerelli: http://www.onecomputerguy.com/ie_tips.htm#winsock_fix Recommended.

Remember - you need to do any downloads ahead of time BEFORE you do any malware cleaning.
#########IMPORTANT#########


#########IMPORTANT#########
Show hidden files and run all of the following removal tools from Safe mode or preferably a "Clean Boot" when possible (which will let you use the Windows Installer, access the Internet safely, etc., while still avoiding interfering programs or malware), logged on as an Administrator. BEFORE running these tools, be sure to clear all Temp files and your Temporary Internet Files (TIF) (including offline content.) Reboot and test if the malware is fixed after using each tool.
HOW TO Enable Hidden Files
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339
How to boot to Safe mode
http://spyware-free.us/tutorials/safemode/ and
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406

Clean Boot - General Win2k/XP procedure, but see below for links for other OS's (The procedure does differ by OS, so be sure to check for yours. The following is for Win2k w/msconfig - you can obtain msconfig for Win2k here: http://www.3feetunder.com/files/win2K_msconfig_setup.exe ):

1. Start > Run, enter msconfig.
2. On the General tab, click Selective Startup, and then clear the 'Process System.ini File', 'Process Win.ini File', and 'Load Startup Items' check boxes. Leave the 'boot.ini' boxes however they are currently set.
3. In the Services tab, check the "Hide All Microsoft Services" checkbox, and then click the "Disable All" button. If you use a third party firewall then re-check (enable) it. For example, if you use Zone Alarm, re-check the True Vector Internet Monitor service (and you may also want to re-check (enable) the zlclient on the Startup tab.) Equivalent services exist for other third party firewalls. An alternative to this for XP users is to enable at this time the XP native firewall (Internet Connection Firewall - ICF). Be sure to turn it back off when you re-enable your non-MS services and Startup tab programs and restore your normal msconfig configuration after cleaning your machine.
4. Click OK and then reboot.

For additional information about how to clean boot your operating system, click the following article links to view the articles in the Microsoft Knowledge Base:
310353 How to Perform a Clean Boot in Windows XP, http://support.microsoft.com/kb/310353
281770 How to Perform Clean-Boot Troubleshooting for Windows 2000 http://support.microsoft.com/kb/281770/EN-US/ (Procedure not using msconfig)
267288 How to Perform a Clean Boot in Windows Millennium Edition http://support.microsoft.com/kb/267288/EN-US/
192926 How to Perform Clean-Boot Troubleshooting for Windows 98 http://support.microsoft.com/kb/192926/EN-US/
243039 How to Perform a Clean Boot in Windows 95 http://support.microsoft.com/kb/243039/EN-US/

(BTW, it's not pertinent to the 'Clean Boot' operation, but FYI you can add a very useful 'Tools' tab to msconfig if you wish. See here:
http://support.microsoft.com/?kbid=906569)
#########IMPORTANT#########


● Sometimes the tools below will find files which they are unable to delete because they are in use.

- A program called Locked Files Wizard (LFW), formerly CopyLock, here,
http://noeld.com/programs.asp?cat=misc
"is a simple assistant that allows you to either replace, move, delete or rename one or more files or folders which are in use by the system or any running process. Additionally, you can display and possibly stop the processes or services that lock a file, and manage files flagged to be processed by the system on next reboot (e.g. after an installation or an uninstallation.) The Locked Files Wizard can also help to select some worms and trojans from the Registry and to quickly remove them from the system." Copylock2 (now Locked Files Wizard) does request a $12 registration fee in order to activate some additional _new functions_ in the new version and/or for installation on multiple computers or commercial usage. However, that version is available for download at the link on that page without registration and with full utility of the original capabilities of Copylock after installation without registration. If you prefer, you can alternatively download the older v. 1.09 version which involves no registration at all (but, of course doesn't include the possibility of upgrade to the paid version) here:
http://copylock.noel-danjou.qarchive.org/_download2.html

- Another is Killbox by Option Explicit, Beta version available here: http://www.killbox.net/downloads/beta/KillBox.exe
Overview directions are available here:
http://www.killbox.net/help.html#Top
Read carefully - this tool is quite powerful. A Beta version is also available.

- A third which is a bit different but often very useful is Delete Invalid File, here:
http://www.purgeie.com/delinv.htm
which handles invalid/UNC file/folder name deleting, rather than the in use problem. The situation with Delete Invalid Files is similar to that with Copylock. The latest version adds additional capabilities which are aimed at the commercial marketplace (but would be useful to an individual user also.) However, all of the _original file removal functions_ are still freely available in the download version without registration or payment.

From http://www.purgeie.com/delinv/index.htm:

"As the "Free" version of DelinvFile had become so popular and has been referenced on many download sites, web forums and newsgroups as being "Free", the current version does not require a fee to access the original program functions. The commercial version of DelinvFile makes available additional functions which require licensing (registration) for them to work. The additional functions include "Open With..", Renaming Files, Renaming Folders, and Deleting Files and Folders at Boot."

- A fourth useful program is Unlocker, here:
http://ccollomb.free.fr/unlocker/
"Simply right click the folder or file and select Unlocker. If the folder or file is locked, a window listing of lockers will appear. Simply select the lockers and click Unlock and you are done!" Works as advertised and is particularly helpful in identifying malware components which are 'protecting' each other.

- A fifth is FileASSASSIN, here:
http://www.malwarebytes.org/fileassassin.php
"FileASSASSIN can delete locked malware files on your system. It uses advanced techniques to unload modules, close remote handles, and terminate processes to allow the removal of the file."


PROGRAMS TO RUN REGULARLY

● As of 23 Oct 06 Microsoft has released the final stable version of Windows Defender (which I can now recommend.) You can download it from here:
http://www.microsoft.com/athome/security/spyware/software/default.mspx
(It will automatically remove any old Beta versions, BTW.)
I recommend that you set it up in Tools and Settings > Options to do an Automatic Update prior to scanning, and to do both a regular background 'Quick Scan' at some convenient time daily, and to monitor for potentially harmful system changes. In addition, manually do a 'Full System Scan' weekly.

● Either run on-line or download (thus saving for future use) and run the Microsoft Malicious Software Removal Tool, here (see the box on the right):
http://www.microsoft.com/security/malwareremove/families.mspx
A detailed 'tour/description' including Guided Help is available here:
http://support.microsoft.com/kb/890830/
This tool addresses a number of the worst virus and worm families/variants including a number of the Hacker Defender rootkits. (If this tool reports Hacker Defender, W32/HackDef, then see here:
http://support.microsoft.com/?kbid=890830#XSLTH3152121122120121120120
for some additional steps you need to take - see the **). It is updated on the second Tuesday of the month and should be re-downloaded and re-run then each time as well as when you suspect problems. It is normally included then with the regular Windows Update 'Hotfix Tuesday' releases. There's a very informative paper by Matthew Braverman, Program Manager, Microsoft Antimalware Team giving the "Progress Made, Trends Observed" as of 11/10/2006 available for download here:
http://www.microsoft.com/downloads/details.aspx?familyid=47ddcfa9-645d-4495-9eda-92cde33e99a9&displaylang=en
The Executive Summary is available there, but if you choose to download the entire paper in .pdf form, you'll need Acrobat Reader or Foxit. Highly Recommended.

● Download and run a FRESH COPY of Stinger.exe, from the link on this page:
http://vil.nai.com/vil/stinger/default.aspx
(McAfee has in the past sometimes renamed Stinger to s_t_i_n_g_e_r.exe to protect it against certain malware, so download the actual program from the appropriate link on that page.)

● Download and run a FRESH COPY of the Damage Cleanup Engine / Template, here:
http://www.trendmicro.com/ftp/products/tsc/tsc.zip
Unzip to a dedicated folder at root, for example, C:\tsc. Run with Show Hidden Files enabled (as above) and from Safe mode or from a Clean Boot (as above).

● Download and run a FRESH COPY of CWShredder, here:
http://www.trendmicro.com/ftp/products/online-tools/cwshredder.exe or here:
http://www.majorgeeks.com/download3019.html
Open it, UPDATE it, then run it and let it fix what it finds. A word about Cool Web Search: this family of malware exploits the ByteCodeVerifier vulnerability of the MS Java VM. You should probably consider switching to Sun Java J2SE 6.0, Update 1 JRE or later, here: https://sdlc2a.sun.com/ECom/EComActionServlet;jsessionid=99724592BDDEC4093A99B8CEBF662D52
(which is what I use, BTW), especially since MS will apparently no longer be distributing Java or providing any support for Java, including security fixes, after Dec 31, 2007. BE SURE that you uninstall ALL prior versions of Sun Java (JRE v.1.5.0, Update 9 or earlier), as some of them, specifically at least JRE v. 1.4.2 and earlier, contain a security bug which certain malware, notably Winfixer/Vundo, is suspected of exploiting, in addition to other known possible Java exploits. See here for more information and a list of the affected versions:
http://www.frsirt.com/english/advisories/2006/0467, and here:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102171-1,
as well as the Sun advisory here:
http://www.sunsolve.sun.com/search/document.do?assetkey=1-26-102760-1.
If you wish to remain with the MS Java VM, then as a minimum install the patch called out here:
http://www.microsoft.com/technet/security/bulletin/MS03-011.asp.
There is an additional Java problem, the JS.Exception.Exploit, which should also be patched per
http://www.microsoft.com/technet/security/bulletin/ms00-075.asp.

● SysClean - Boot to Safe mode with Network Support (HowTo here:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406)
or do a Clean Boot as above. Recommended Approach for SysClean - Ian Kenefick's site here:
http://www.ik-cs.com/got-a-virus.htm
contains information and links to a number of useful programs concerned with virus removal, including some not listed in this Blog. One of several programs there written by David H. Lipman, Multi AV, is a "malware removal utility incorporating multiple command line scanners including McAfee, Sophos, Kaspersky and Trend engines", the components of which can be selectively downloaded. See Procedure #2, here: http://www.claymania.com/removal-trojan-adware.html
Note that it must be extracted to C:\AV-CLS, and I strongly recommend that you read the Help before using it. Some of the downloads (Sophos, for example) may be quite slow depending on the server involved, so be patient. This approach has the virtue, of course, of giving you access to a number of excellent AV products from one interface, in addition to SysClean, with which we are concerned here. There's additional information about Multi AV here: http://www.elephantboycomputers.com/page2.html#Multi-AV Take note of the special Vista provisions there.

Alternative Approach #1 - Download sysclean.com , from Trend Micro, here:
http://www.trendmicro.com/download/dcs.asp
along with the latest released pattern file, here:
http://www.trendmicro.com/download/pattern.asp
Be sure to read the "How-to" info here:
http://www.trendmicro.com/ftp/products/tsc/readme.txt
Place them in a dedicated folder after appropriate unzipping.

Alternative Approach #2 - You might also want to get SYSCLEAN_FE, also written by David H. Lipman , available here:
http://www.ik-cs.com/programs/virtools/Sysclean_FE.exe.
There's a brief description here:
http://www.ik-cs.com/more_information.htm.
(If you download and use the updater from the beginning, it will automatically handle downloading the other files. Note: If you use Sysclean_FE, then it MUST be in the C:\sysclean folder in order to work correctly.) SYSCLEAN_FE offers the option of restarting in order to run SysClean in Safe mode; however, I would recommend that you use a Clean Boot to actually run both the SYSCLEAN_FE and SysClean programs when using the updater. (Note BTW that SYSCLEAN_FE will make a copy of your HOSTS file [see the end of this Blog for more about the HOSTS file], if any, renaming it hosts.bak, and then delete the original HOSTS file. To restore it when you've finished cleaning your machine, just rename hosts.bak back to HOSTS.)

NOTE: For all of the approaches, you can get a somewhat more current interim pattern file, the Controlled Pattern Release, here and manually unzip it to your SysClean folder:
http://www.trendmicro.com/download/pattern-cpr-disclaimer.asp
Look for the lptxxx.zip file after you agree to the terms. (Sorry, but Multi AV and the SYSCLEAN_FE Updater won't go get this one for you. However, if you manually download the CPR first and then use the updater, SysClean will automatically use these CPR definitions when it starts. Just be sure you put it in the appropriate SysClean folder.)

Show hidden and system files (HowTo here:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339), then go to Safe mode or, preferably, do a Clean Boot.

If you're using WindowsME or WindowsXP, SysClean (and the other cleaning tools below) may find infections within Restore Points which it will be unable to clean. You may choose to disable System Restore if you're on XP or ME (directions here:
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm)
which will eliminate ALL previous Restore Points, or alternatively, you can wait until cleaning is completed and then use the procedure between the *********'s below to delete all older, possibly infected Restore Points and save a new, clean one. This approach is in the spirit of "keep what you've got", so that you can recover to an at least operating, albeit infected, system if you inadvertently delete something vital, and it is the approach I recommend that you take. See here:
http://aumha.net/viewtopic.php?t=15265
Here are MVP Jim Eshelman's specific recommendations from that document (with which I'm in agreement):
(1) Know the risk of reinfection if you SystemRestore before it is cleaned.
(2) Until it is cleaned, don't use it unless you absolutely have to.
(3) Leave SR cache in place during cleaning since a leaky boat in a storm is better than no boat in a storm, and returning to an infected computer state is better than losing everything.
(4) Clean the machine.
(5) After the machine is clean, make a new SR point and purge all the old ones.
(6) Rescan to make sure things remain clean.

I recommend that you run SysClean with "Automatically clean or delete detected files" UNchecked and look in the log after the scan is complete (View Log) to determine what was found in order to handle any false positives and/or any malware found in your email databases. Read tscreadme.txt carefully, then do a complete scan of your system and clean or delete anything it finds EXCEPT EMAIL DATABASES OR FILES. These need special handling. See here:
http://ik-cs.com/v2/virus-emaildatabase.htm
If anything is found (non-false positive or non-email - see below for some links which can help you identify these), then rerun SysClean with "Automatically clean . . ." checked this time. Reboot and re-run SysClean and continue this procedure until you get a clean scan or nothing further can be cleaned/removed. Now reset things in msconfig if necessary and reboot to normal mode and re-run the scan again. These scans likely will take a long time, as Sysclean is VERY extensive and thorough. For example, one user reported that Sysclean found 69 hits that an immediately prior Norton AV v. 11.0.2.4 run had missed. Note that sometimes you need to make a judgement call about what the programs below report as spyware. See here, for example:
http://www.imilly.com/alexa.htm
They can also sometimes generate "false positives" so look carefully before you delete things. There's a good list of categorized "unknown, safe, optional, spyware/adware, virus" programs to check against here:
http://www.pcpitstop.com/spycheck/SWList.asp Recommended
Some additional very useful lists are available here:
http://castlecops.com/StartupList.html (Recommended) and here:
http://www.windowsstartup.com/wso/browse.php (Recommended), and here:
http://www.processlibrary.com/about/ (Recommended) and here:
http://www.computer-support.nl/Computerhulp/taken.htm and here:
http://www.answersthatwork.com/Tasklist_pages/tasklist.htm and here:
http://www.3feetunder.com/krick/startup/list.html and here:
http://startup.networktechs.com/
There are online tests of possible malware components available here:
http://virusscan.jotti.org/ and here:
http://www.kaspersky.com/virusscanner

● Download and run the free or trial version of A² Personal, here: http://www.emsisoft.com/en/software/free/
UPDATE, then run from a Clean Boot or Safe Mode with Show Hidden Files enabled as above. Two things to note about this program - First, there's also a Detection Only on-line scan available here:
http://www.emsisoft.com/en/software/ax/
and Next, since there's currently a good deal of interest in rootkits because of Sony's malfeasance, A² detects and removes dozens of them and their variants.

● Get Ad-Aware SE Personal Edition, here:
http://www.lavasoftusa.com/support/download/
Tutorial here:
http://www.bleepingcomputer.com/forums/index.php?showtutorial=48,
UPDATE, set it up in accordance with this:
http://forum.aumha.org/viewtopic.php?t=5877
or the directions immediately below, and UPDATE and run this regularly from Safe mode or a Clean Boot to get rid of most "spyware/hijackware" on your machine. (If it has to fix things, be sure to re-boot and rerun AdAware again and repeat this cycle until you get a clean scan. The reason is that it may have to remove things which are currently "in use" before it can then clean up others.)

IMPORTANT: If you are running AdWatch from the paid version of AdAware, then BE SURE to set its options to Active, Disabled for the duration of your cleanup activities. After cleanup is COMPLETELY finished, read the warnings carefully before you re-enable it.

Configure Ad-aware for a customized scan as follows, and let it remove any bad files found (Courtesy of NonSuch at Lockergnome):

Open Ad-aware then click the gear wheel at the top and check these options to configure Ad-aware for a customized scan:

General > activate these: "Automatically save log-file" and "Automatically quarantine objects prior to removal"

Scanning > activate these: "Scan within archives", "Scan active processes", "Scan registry", "Deep scan registry," "Scan my IE Favorites for banned sites," and "Scan my Hosts file"

Tweaks > Scanning Engine > activate this: "Unload recognized processes during scanning."

Tweaks > Cleaning Engine > activate these: "Automatically try to unregister objects prior to deletion" and "Let Windows remove files in use after reboot."

Click "Proceed" to save your settings, then click "Start." Make sure "Activate in-depth scan" is ticked green, then scan your system. When the scan is finished, the screen will tell you if anything has been found, click "Next." The bad files will be listed. Right click the pane and click "Select all objects" - This will put a check mark in the box at the side, click "Next" again and click "OK" at the prompt "# objects will be removed. Continue?"

Courtesy of http://www.nondisputandum.com/html/anti_spyware.html:
HINT: If Ad Aware is automatically shut-down by a malicious software, first run AWCloak.exe,
http://www.lavasoftnews.com/downloads/AAWCloak.exe,
before opening Ad Aware. When AAWCloak is open, click "Activate Cloak". Then open Ad Aware and scan your system.

If your Operating System is Win2k, XP or another system using the NTFS file system, once you get a clean scan, restart AdAware, click on Start, then check "Scan volume for ADS" and run this scan also to check the Alternate Data Streams supported by this file system. (Be careful about what you choose to "fix" - get help if you're in doubt about whether something may be "malware".)

● Another excellent program for this purpose is SpyBot Search and Destroy available here:
http://security.kolla.de/
SpyBot Support Forum here:
http://net-integration.us/forums/index.php?s=10d290fe9d1c54a26feca22c5b965df0&showforum=28.
Tutorial here:
http://www.safer-networking.org/en/index.html
I recommend using both normally. Be sure to use the Default (NOT Advanced or Beta) Mode in Settings.

After UPDATING, running from Safe mode or a Clean Boot and fixing ONLY RED things with SpyBot S&D, be sure to re-boot and rerun SpyBot again and repeat this cycle until you get a clean "no red" scan. The reason is that SpyBot sometimes has to remove things which are currently "in use" before it can then clean up others.

Both of these programs should normally be UPDATED and run after doing any other fix such as CWShredder and, as a minimum, normally at least once a week.


*******ONLY IF you've successfully eliminated the malware, you can now make a new, clean Restore Point and delete any previously saved (possibly infected) ones. The following suggested approach is courtesy of Gary Woodruff: For XP you can run a Disk Cleanup cycle and then look in the More Options tab. The System Restore option removes all but the latest Restore Point. If one hasn't been made since the system was cleaned, you should manually create one before dumping the old, possibly infected ones.
Also, be aware of the following, courtesy of MVP Bert Kinney, here:
http://bertk.mvps.org/html/tips.html
"Note: When restoring a system in Safe Mode, an automatic "UNDO" restore point will NOT be created and will not allow a restoration to the current state." To create a new "Restore Point", go to Start > Run, then type:
%SystemRoot%\System32\restore\rstrui.exe
You'll find full directions here: http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/xpsysrst.mspx *******


PREVENTIVE MEASURES TO TAKE

● Next, courtesy of MVP Mike Burgess, edited by me:

"--Recommended Minimum Security Settings--

Close ALL instances of IE and OE. In Control Panel > Internet Options click on the "Security" tab. Highlight the "Internet" icon, click "Custom Level". Set the following:

1) "Download signed ActiveX scripts" = Prompt
2) "Download unsigned ActiveX scripts" = Disable
3) "Initialize and script ActiveX not marked as safe" = Disable
4) "Installation of Desktop items" = Prompt
5) "Launching programs and files in a IFRAME" = Prompt (Added by JB - See more below about this.)

Click on the "Content" tab, then click the "Publishers" button
Highlight and click "Remove" for any unknowns, then click OK.
Click on the "Advanced" tab, then uncheck: "Install on demand (other)", click Apply\OK

Prevent your "HomePage" setting from being Hijacked http://www.mvps.org/winhelp2002/ietips.htm
Mike Burgess
Information isn't free if you can't find it!
http://www.mvps.org/winhelp2002/"

Note the Publisher setting - this infection vector is often overlooked. See here: http://mvps.org/winhelp2002/restricted.htm#Setting

Then, from me:

Disable BOTH "Install on Demand" options on the IE6 Advanced tab.
Disable BOTH "Launch Programs and Files in an IFRAME" and "Navigate sub-frames across different domains" in IE6 > Security > Internet > Custom Level, in the Misc section. (Be sure that you install hotfix 889293, also.)
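If you want to verify these Internet-zone settings rather than eyeball the Custom Level dialog, the script below is an added check written for this post; it is not code from Mike Burgess or from the original Blog. It assumes you have exported the key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 (zone 3 is the Internet zone) with regedit's File > Export and are feeding it the resulting .reg text. The four-digit URL-action IDs (1001, 1004, 1201, 1800, 1804, 1607) and the DWORD meanings 0 = Enable, 1 = Prompt, 3 = Disable are the standard IE zone action codes; the .reg content embedded below is constructed sample data, not an export from a real machine, and machine-wide policy overrides under HKEY_LOCAL_MACHINE are not examined.

```python
"""Audit a regedit export of IE's Internet zone (Zones\\3) against the
recommended minimum ActiveX/IFRAME settings.

Added example for this post (not the Blog's or Mike Burgess's code). Assumes a
.reg export of HKCU\\...\\Internet Settings\\Zones\\3; the sample below is
constructed for the example.
"""
import re

ENABLE, PROMPT, DISABLE = 0, 1, 3
LEVEL_NAME = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}

# URL-action ID -> (setting name as shown in Custom Level, recommended minimum)
RECOMMENDED = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
    "1800": ("Installation of desktop items", PROMPT),
    "1804": ("Launching programs and files in an IFRAME", PROMPT),
    "1607": ("Navigate sub-frames across different domains", DISABLE),
}

# "At least as restrictive as": Enable < Prompt < Disable
STRICTNESS = {ENABLE: 0, PROMPT: 1, DISABLE: 2}

# Constructed sample export: some settings correct, some too loose, one absent.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"CurrentLevel"=dword:00011000
"1001"=dword:00000001
"1004"=dword:00000000
"1201"=dword:00000003
"1800"=dword:00000000
"1804"=dword:00000003
"""

# Matches lines such as  "1001"=dword:00000001
DWORD_RE = re.compile(r'^"(\d{4})"=dword:([0-9a-fA-F]{8})$')


def parse_zone_export(text):
    """Return {action_id: int_value} for every four-digit DWORD in the export."""
    actions = {}
    for line in text.splitlines():
        m = DWORD_RE.match(line.strip())
        if m:
            actions[m.group(1)] = int(m.group(2), 16)
    return actions


def audit_zone(actions):
    """Return (action_id, name, current, wanted, reason) for each shortfall.

    A value stricter than recommended (e.g. Disable where Prompt is the
    minimum) is accepted; an absent value is reported because the export does
    not tell us what the zone default resolves to.
    """
    findings = []
    for action_id, (name, wanted) in RECOMMENDED.items():
        current = actions.get(action_id)
        if current is None:
            findings.append((action_id, name, None, wanted, "not present in export"))
        elif current not in STRICTNESS:
            findings.append((action_id, name, current, wanted, "unrecognised value"))
        elif STRICTNESS[current] < STRICTNESS[wanted]:
            findings.append((action_id, name, current, wanted, "looser than recommended"))
    return findings


def describe(value):
    return "unset" if value is None else LEVEL_NAME.get(value, hex(value))


if __name__ == "__main__":
    for action_id, name, cur, want, why in audit_zone(parse_zone_export(SAMPLE_REG)):
        print(f"{action_id} {name}: is {describe(cur)}, want {describe(want)} ({why})")
```

Run against the sample it reports the unsigned-ActiveX download and desktop-item installation as too loose and the sub-frame navigation setting as absent; a stricter-than-recommended value, such as Disable for the IFRAME launch action, passes.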

Another set of not unreasonable (although much more severe) security setting recommendations is available here:
http://www.infinisource.com/techfiles/surf-safe.html And here: http://www.techbargains.com/hottips/hottip13/index.cfm
Also, see here for a comprehensive discussion of this (very highly recommended): http://www.spywarewarrior.com/uiuc/btw/ie/ie-opts.htm,
specifically here:
http://www.spywarewarrior.com/uiuc/btw/ie/ie-opts.htm#summ


● There's a reasonable test of your Browser's security here:
Jason Levine's Browser Security Tests http://www.jasons-toolbox.com/BrowserSecurity/
and another extensive and Recommended one here:
http://bcheck.scanit.be/bcheck/
You can obtain additional information about your browser at these sites:
http://www.gemal.dk/browserspy/
http://www.cyscape.com/showbrow.asp?all=1&bhcp=1


● You might want to consider installing Eric Howes' IESpyAds, SpywareBlaster and SpywareGuard here to help prevent this kind of thing from happening in the future:

IESPYAD - http://www.spywarewarrior.com/uiuc/resource.htm
"IE-SPYAD adds a long list of sites and domains associated with known advertisers, marketers, and crapware pushers to the Restricted sites zone of Internet Explorer. Once you merge this list of sites and domains into the Registry, the web sites for these companies will not be able to use cookies, ActiveX controls, Java applets, or scripting to compromise your privacy or your PC while you surf the Net. Nor will they be able to use your browser to push unwanted pop-ups, cookies, or auto-installing programs on your PC." Read carefully since Eric has recently changed IE-SPYAD's approach to utilize a free utility called ZonedOut. There's an older tutorial here; however it no longer completely applies:
http://www.bleepingcomputer.com/forums/tutorial53.html


SPYWAREBLASTER - http://www.javacoolsoftware.com/spywareblaster.html
(Prevents malware Active X installs, blocks spyware/tracking cookies, and restricts the actions of potentially dangerous sites) (BTW, SpyWareBlaster is not memory resident ... no CPU or memory load - but keep it UPDATED) The latest version as of this writing will prevent installation or prevent the malware from running if it is already installed, and, additionally, it provides information about and fixit-links for a variety of parasites. Tutorial here:
http://www.bleepingcomputer.com/forums/tutorial49.html
One additional feature of SpywareBlaster is the ability to add your own supplemental Custom Blocking CLSIDs. Some directions for manually adding these can be found here:
http://www.wilderssecurity.com/showthread.php?t=13684

You can use the ChangeDetection service here:
http://www.changedetection.com/monitor.html
to monitor and notify you of changes/updates to all of the above programs (or other programs, for that matter, including this Blog which is updated fairly frequently).

SPYWAREGUARD - http://www.javacoolsoftware.com/spywareguard.html (Monitors for attempts to install malware) Keep it UPDATED. Tutorial here:
http://www.bleepingcomputer.com/forums/tutorial50.html

All three of these programs are Very Highly Recommended.


● IESPYAD and SpywareBlaster (and the other malware-ActiveX blocking lists) are probably the best preventive tools currently available, especially if supplemented by using the Immunize function in SpyBot S&D and a good HOSTS file (see next).


● Next, install and keep updated a good HOSTS file. It can help you avoid most adware/malware. See here: http://www.mvps.org/winhelp2002/hosts.htm
(Be sure it's named/renamed HOSTS - all caps, no extension.) Additional tutorials here:
http://www.spywarewarrior.com/viewtopic.php?t=410 (overview) and here:
http://www.bleepingcomputer.com/forums/tutorial51.html (detailed)

(Note: Whenever you change or update your HOSTS file in XP or Win2K, you might want to either reboot OR open a Cmd Window and enter:

ipconfig /flushdns

to ensure that the DNS Client resolver cache correctly reflects the new HOSTS file content. It should do this automatically whenever the HOSTS file is saved, but in the past some failures have been noted. If you've disabled your DNS Client service [Highly Recommended - See here: http://www.mvps.org/winhelp2002/hosts.htm], this step is unnecessary.)
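Because a HOSTS file can protect you (a blocking list maps ad/malware hostnames to 127.0.0.1 or 0.0.0.0) or be turned against you (malware rewrites it so update and AV vendor hostnames point at an attacker's address, which is why Ad-Aware's "Scan my Hosts file" option exists), it is worth checking the file yourself. The script below is an added example written for this post, not code from the Blog or from the mvps.org HOSTS project. It parses HOSTS syntax, treats only loopback and 0.0.0.0 as legitimate blocking targets, and flags any vendor or update hostname that is blocked or redirected. The vendor list and the embedded HOSTS content are constructed for the example; on a real machine you would read %SystemRoot%\System32\drivers\etc\hosts instead.

```python
"""Audit a Windows HOSTS file for blocked or hijacked vendor hostnames.

Added example for this post (not the Blog's code). The vendor watch-list and
the sample HOSTS content are constructed for the example.
"""
import ipaddress
import re

# Hostnames a blocking list should never touch. A non-local mapping for one of
# these is a hijack indicator; a local mapping silently breaks updates.
# Constructed watch-list for the example.
PROTECTED_SUFFIXES = (
    "microsoft.com", "windowsupdate.com", "mcafee.com", "trendmicro.com",
    "symantec.com", "kaspersky.com", "sophos.com", "grc.com",
)

# Constructed sample: two legitimate block entries, two redirected vendor
# hosts and one vendor host blocked outright.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# Sample HOSTS file constructed for this example.
127.0.0.1       localhost
0.0.0.0         ads.example.net      # blocked by list
127.0.0.1       tracker.example.org
192.0.2.44      windowsupdate.microsoft.com   # update server redirected
192.0.2.44      www.mcafee.com
127.0.0.1       www.kaspersky.com    # vendor site blocked
"""

# One address followed by one or more hostnames (after comment removal).
LINE_RE = re.compile(r"^(\S+)\s+(.+)$")


def parse_hosts(text):
    """Yield (ip_address, hostname, line_no) for every mapping in the file."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue                             # address with no hostname
        ip, names = m.groups()
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue                             # malformed address; resolver ignores it
        for name in names.split():
            yield addr, name.lower(), n


def is_local(addr):
    """True for 127.x / ::1 / 0.0.0.0 / ::, the only sane blocking targets."""
    return addr.is_loopback or addr.is_unspecified


def is_protected(name):
    return any(name == s or name.endswith("." + s) for s in PROTECTED_SUFFIXES)


def audit_hosts(text):
    """Return (severity, line_no, hostname, ip, reason) for each suspicious entry."""
    findings = []
    for addr, name, n in parse_hosts(text):
        if is_protected(name):
            if is_local(addr):
                findings.append(("warn", n, name, str(addr),
                                 "vendor/update host blocked; updates or AV may fail"))
            else:
                findings.append(("high", n, name, str(addr),
                                 "vendor/update host redirected to a non-local address"))
        elif not is_local(addr) and name != "localhost":
            findings.append(("medium", n, name, str(addr),
                             "non-local mapping; blocking lists use only 127.0.0.1/0.0.0.0"))
    return findings


if __name__ == "__main__":
    for sev, n, name, ip, why in audit_hosts(SAMPLE_HOSTS):
        print(f"[{sev}] line {n}: {name} -> {ip}: {why}")
```

Any "high" finding means the file is steering a vendor hostname somewhere other than the local machine and should be compared against a known-good copy (SYSCLEAN_FE's hosts.bak, or a fresh download of the mvps.org list) before you run `ipconfig /flushdns`.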


● Lastly, with regards to cookies: The following overview of the approach I recommend (XML-Menu for IE6 - http://www.spywarewarrior.com/uiuc/main.htm, click on IE6 Tools on website) is courtesy of Mel's Spyware Tools:

"This package contains a full menu of custom Import XML files that can be used to manipulate IE6's handling of cookies in the Internet and Trusted zones (the Privacy tab controls only the Internet zone). The files are divided into three sets: one "short list" of recommended files, and two "advanced" lists containing a wide range of possible Privacy configurations. The ReadMe covers the basics of using custom XML Import files and details all the files that are available. A .REG file that can be used to restore the default Privacy tab settings is included." This is the technique that I use and, while I do very infrequently have to override on some sites that don't have a Privacy Policy in place, I've found it almost infallible in stopping bad cookies (I use 1-e, BTW.) FWIW,

MVP Eric Howes' site here:
http://www.spywarewarrior.com/uiuc/main-nf.htm
is one of the very best on the net with regard to anything having to do with security. Very Highly Recommended.


I hope folks will find this useful.
Jim Byrd

Copyright © 2006 James R. Byrd. All Rights Reserved.

3 comments:

Anonymous said...

Everything you need to know all in the one area - fantastic.

Tarek Ismail said...

These seem like good notes
thanks

Anonymous said...

This information is awesome, Jim! I've linked to it from my site. :)

ATB!
