QUICK LINKS ON THIS PAGE


This page was getting a little too long to be easy to use, so i've added some links to the sections to try to make life easier for everyone !

Introductory ramble
Rootkits (*important)
A note about filesharing applications
More anti-spyware utilities
Web browser protection
Get yourself a firewall
Free anti-virus software
Emergency anti-virus help
Sysclean
If you can't access anti-virus websites
Peerguardian



INTRODUCTORY RAMBLE


You might like to check out this list of spyware utilities - the majority of spyware utilities you come across on the internet are FAKE, but this site gives you the low-down. If you ever get a popup message warning out of the blue telling you you have spyware, the odds are its the program telling you you're infected thats the problem !

I won't beat about the bush here - Windows is dangerously unsafe to let out onto the internet in its naked form.

If you don't have a firewall (or obvious spyware problems yet), make it your FIRST priority !


If you're on XP or Win2K and finding you're getting popups but only while you're online, there's a good chance they're caused by Windows Messenger. There are actually two programs on Windows called Messenger, and the one causing the popups was designed to allow certain types of error messages to be displayed. For a normal home-based user not in a corporate environment, the odds are you don't need it, so get rid.

The easiest utility i've found to switch this off (and it really is idiot proof !) is by Steve Gibson, of the Gibson Research Corporation (http://www.grc.com) - it can be found here.

You may also want to explore the rest of his site (some of his views on XP are "controversial") and find these other nice utilites - "DCOMbobulator" and "Unplug n' Pray" - both of which are worth using.



ROOTKITS


Let me start by saying rootkits are far more worrying and potentially dangerous than typical spyware because of the way they hide themselves - thankfully rootkits are not the most common way to attack a PC - yet !

** A ROOTKIT IS INVISIBLE TO ANTI-VIRUS / ANTI-SPYWARE PROGRAMS **


A rootkit can control the entire system and falsify what Windows shows you in order to evade detection - as well as maintaining a godlike presence that can do anything spyware could and more - perhaps that gives you an idea of the severity of the problem...

RootkitRevealer from SysInternals http://www.sysinternals.com/Utilities/RootkitRevealer.html is probably about as close as you will come to being able to detect if you have one.

Because of the way a rootkit works you have to be very wary of anything RootkitRevealer detects, as it may be an indication of a problem.

The only sure way to get rid of a rootkit is to completely wipe the PC and reinstall from scratch - including the operating system, and i'm afraid to say I am unable to offer any advice on this other than a few meagre notes below:

Not everything RootkitRevealer finds appears to be malicious - I have one entry which according to the message board for the program seems to be innocuous (but the help file says should never appear !) - as shown below:
HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg

Other machines i've scanned show more worrying entries (this was one of several) with strange names such as:
HRZR_EHACNGU:P:\JVAQBJF\flfgrz32\ABGRCNQ.RKR

- this is actually an entry encoded in a simple text encryption technique called ROT13, the true entry when decrypted reads:
UEME_RUNPATH:C:\WINDOWS\system32\NOTEPAD.EXE

This might indicate that the NOTEPAD.EXE file is actually a virus, and form part of the rootkit.

If you suspect you have a rootkit or want to know more, try starting here http://en.wikipedia.org/wiki/Rootkits - and if you really do have one, good luck - you're going to need it !

F-Secure, one of the oldest antivirus companies in existence, have a new rootkit detector / cleaner called Blacklight in testing (pre-release tests are commonly known as "beta" versions) at the moment, and you can download it and use it for free until January 2007. Its a *lot* easier to understand than RootkitRevealer, and will hopefully detect all "known" rootkits currently in circulation.

You can download it here http://www.f-secure.com/blacklight

Some computer game companies, and in particular Ubisoft (also Codemasters) have apparently been forcing users to install rootkits along with some of their games (!!!) - you can find more info on one particular type known as Starforce as well as the list of affected games at http://www.glop.org/starforce/ - apparently it can damage system performance by forcing slower hard drive access due to it "losing" data - which in turn affects other areas of work such as writing to CD or DVD.

If this practice continues, you'd probably be safer downloading pirated "cracked" copies of games* that don't include this crap - at least you expect them to come with a virus of some sort, not when you've spent hard-earned cash on it !

Note: I don't condone copying - the last game I bought was Myst 4 (which is not one affected by the above), but I get more kicks out of a free add-on for the original Half-Life called Natural Selection - for which I am also a "constellation member" as I donated money to the developers for coming out with such a fantastic and FREE game.



A NOTE ABOUT FILE SHARING APPLICATIONS


This site will help you understand what is currently "safe" and what contains spyware *link removed as it's now a domain squatter advert site* (Note: the page has been replaced and is only lists a few applications - a copy of the old article can be found here but may be out of date now.

Hint - many of the common / well publicised applications have spyware built in, but there are still plenty of alternatives to choose from.

You may also want to check the section below on Peerguardian, which can help you "hide" from certain parties who try to sue people for file sharing... Of course, you can be 100% safe by not file sharing !



MORE ANTI-SPYWARE UTILITIES


CWSHREDDER - gets rid of the CoolWebSearch hack, which is seemingly resistant to other cleanup programs at present (AKA a b*stard to get rid of by any other means).

CWShredder was maintained by Intermute Software and has been updated and is available from here * Update - Trend Micro have now bought Intermute, which goes to show how effective it us ! (you can go via Trends' site direct via this link)



HIJACKTHIS - allows you to look for and delete various things that hack into the IE web browser - these are called BHOs (browser helper objects). HijackThis can also be used to delete (almost) anything that starts when your system boots up. You need to be a little careful what you delete if you start to remove programs though. If in doubt, google for information on the files it reports on - I only have two BHOs - an Adobe Acrobat plugin, and a Spybot S&D plugin. Many other "nasty" programs can be removed from here too if they aren't detected by anything else, as it lists all programs that run when you boot up.

The last two I helped remove for someone were called "Hot-Tarts" and "Virgins", so i'm sure you'll understand the type of software i'm talking about - you obviously wouldn't want your kids to be sent to the sort of the sites these would foist upon your computer, even ignoring the fact you don't know what else they do, what information they collect, and who they send it to...

HijackThis! now has several official download sites ("mirrors"), and can be found in its latest form here

http://www.hijackthis.de has a nice little text entry form to allow you to paste the results (which can be confusing) to try to help you interpret the results. It isn't always 100% reliable (it reported several known "safe" items on my system) as being potentially risky, but it does a very good job overall.

I also have a copy of HijackThis available direct if you can't get it from the official sites (i'll try to keep it up to date) HijackThis.exe


SMITREM is a program that gets rid of a particularly stubborn line of trojans called SMITFRAUD (I spent over 6 hours trying to sort out a machine with it on 8th February 2006) - it constantly throws up dire warnings like "system critical message - your machine is infected - click here to get an antivirus program".

My usual combination of Sysclean, Spybot S&D, CWShredder and HijackThis simply couldn't remove it - it had two seperate tasks "nvctrl.exe" and "msmsgs.exe" in memory (and for the life of me, I can't figure out what was activating them, and HijackThis logs were clear) - shutting down one would cause the other to instantly re-run the other. Several recent files were evident, and proof that this trojan was constantly updating itself to outwit virus checkers (which it succeeded in doing rather too well for my liking).

SMITREM can be downloaded from http://noahdfear.geekstogo.com/ (its a self-extracting file)

** PLEASE READ THE USAGE NOTES ! **


Note - this *will* alter screen settings and customisations to your desktop, but it works a treat if your machine is afflicted with this particular trojan !



There's a new variant of Smitfraud that might be identified by Spybot Search & Destroy, but not removed - SMITREM seems unable to get rid of at the moment, but a fix is available for that too - SMITFRAUDFIX - download it from http://siri.geekstogo.com/SmitfraudFix.php - if you happen to save it to C:\ you can find it easier for what comes next !

You need to boot into "Safe Mode" to use it (press F8 continually when you reboot until Windows gives a list of options) - note that Safe Mode will take longer than normal to boot, and you'll have restricted functionality (but it's more powerful for fixing problems).

Once you get to the desktop, find the file you saved and double click it to run - then choose option *2* - once it's finished, reboot as normal, and hopefully the popups will be no more :-)

You will notice that it has a DNS fix available too - if you're not sure what it might have done to your machine, it might be worth re-running it and doing the DNS fix too ! (a DNS is like a telephone directory - when you type in a website address, the PC looks at it to find out the IP address where the site is held - if it's been altered by the spyware / malware, they will send back false information so your machine doesn't go where you want it to)



WINFIXER / VIRTUMONDE

How to remove Winfixer, Virtumonde, Msevents, and Trojan.vundo (ATLDistrib Object) - this info taken from here

Download VundoFix.exe to your desktop (the download will start by clicking here http://www.atribune.org/ccount/click.php?id=4

* Double-click VundoFix.exe to run it.
* Click the Scan for Vundo button.
* Once it's done scanning, click the Remove Vundo button.
* You will receive a prompt asking if you want to remove the files, click YES
* Once you click yes, your desktop will go blank as it starts removing Vundo.
* When completed, it will prompt that it will reboot your computer, click OK.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

Hopefully this will get rid of the majority of problems, but if not, try seeking further advice from the site I linked to above (GeeksToGo)



FIXWAREOUT

This can be downloaded from http://downloads.subratam.org/Fixwareout.exe and tackles "Kill & Clean" and "SpyMarshal" which have been linked to the installation of rootkits, malware, fake startup entries - all to encourage the sale of a phony application.

More info on its' use can be found here http://www.bleepingcomputer.com/forums/topic76554.html, but basically, run it, click "install", and make sure "Run Fixit" is ticked - it may take a while, and the computer may reboot more slowly than normal at first.

Note: Fixwareout is no longer being updated as of late 2008



OTHER UTILITIES

Sadly, the Windows platform is becoming harder and harder to maintain and use safely, and as such, it's getting to the point where it's hard for a single package to keep your system clean. Many "new" infections can't be cured (yet) by commercial applications, so it comes down to helpers over at sites like Castlecops and Bleepingcomputer.com to write their own removal programs.

Here are a few programs i've needed to employ recently to try to help people regain control over their computers...

combofix.exe - fixes a few assorted malware infections, and can help identify others. It specifically targets SurfSideKick, QooLogic, Look2Me or any combination of that group. It also finds Vundo infections and can clear some, but not all.

SDfix.exe - unpack it to C:\ then reboot in safe mode (F8). Double click "RunThis.bat" and type Y to start cleaning.

Deckards System Scanner - a system report utility often requested by admins on anti-spyware sites such as Castlecops

You can get a decent overview of some of the steps you might need to cover over here



The current situation with spyware, malware and viruses is now SO bad, you would be wise to consider moving away from Windows completely - go buy yourself a really nice looking Apple Mac, or have a look at a linux distribution like Ubuntu. The drawbacks may include not being able to play certain games, and some applications might not be available, but in the meantime you'll be able to actually use your computer without worrying about who really "owns" it.

You could look at a dual-boot arrangement using a program called Wubi Installer, which allows you to install Ubuntu* onto an existing NTFS partition without affecting anything else. When you boot the PC up, you will be asked if you want to use Windows or Ubuntu - it's that simple !

* a new version of Ubuntu was released in October 2007, but hasn't yet been made available for installation via Wubi as of 28th October

A final note - DO NOT BUY A NEW PC WITH VISTA ON IT ! - unless you want a crippled computer where Microsoft can switch off hardware you've paid money for yourself (seriously, they can), and purposefully degrades movie and audio quality to discourage you from copying ! (that's ignoring the fact it runs like a dog and you're better off with XP - and I never thought i'd be defending XP !)



WEB BROWSER PROTECTION


Change your web browser to something less dangerous - I recommend Opera or Firefox personally - Firefox is very good, and seems more compatible with some sites (I use Firefox for 99% of my web browsing). Firefox also has some very useful "plugins" - try "mouse gestures" and "stumbleupon" !

If you didn't already know, there are no specific problems caused by installing or using more than one web browser, other than being able to share your favourites - Firefox can import and use the favourites from Internet Explorer without any problems though. Some websites are created by idiots and will only work with Internet Explorer - but thankfully most sites are realising how dangerous it is and now allow other browsers to use them. Banks are the worst offenders for this, yet they wonder why they lose so much money from ID Theft !

As a rule-of-thumb, use Opera or Firefox for as much web browsing as you possibly can, and only ever go back to Internet Explorer as a last resort - I even have Internet Explorer blocked by my firewall (ZoneAlarm) so it has to ask permission to get out !

You should also install SpywareBlaster - its a great little app that can lock down thousands of hacks so they can't cause damage - it also provides protection for Firefox

There's a handy little "quick check" site you can use in the search for some IE parasites, but it won't be as comprehensive as a full scan from the likes of Spybot S&D. It can be found here http://www.aumha.org/a/noads.php



!!! GET YOURSELF A FIREWALL !!!


Get a firewall - the following should give you an idea why !

Personally I like ZoneAlarm from www.zonelabs.com/free_za_download (link updated 21/04/06) - as of 27/06/07 this now only points to a small downloader front-end, not the full download which you would need for offline-installation.

For the full download, try checking out the version history (which does offer the full version) http://download.zonelabs.com/bin/free/information/znalm/zaReleaseHistory.html

To try to give you an idea what a firewall is - and why you need one (forgive the lousy analogy coming up !) - imagine your computer is a house on a road somewhere, with a number on the door. This house happens to have over 65,000 doors and windows, known as ports. The house number is your IP address, and identifies your house uniquely on the internet, and anyone on the internet can come knocking on any one of those ports. The IP address is given to your computer by your ISP when you connect to the internet.

Windows (the operating system) - the thing that plays a tune when you boot up (switch on) - will, by default, listen out for someone knocking and open the port and say "come hack me, i'm here" - then walk away leaving that port wide open.

Your computer needs to use some ports to do things on the internet, but what a firewall does is remember which ports you're using, and forces the computer to keep quiet if any unexpected callers come knocking.

Not only that, but a firewall like ZoneAlarm will act like a security guard, and any program that wants to get out of the house has to ask for permission - ZoneAlarm will pop up windows saying things like "Firefox is trying to get out to the internet - do you want to allow it ?" - to which you can answer "yes" or "no" using buttons. If you know what the program is, and you're happy to let it out, you can also tick a little box that says "don't ask me again". This is where a seperate firewall is far better than the one built into Windows, as that will only block stuff coming "in" - it doesn't stop anything being sent "out".

The rule of thumb is simple - if you don't know what the program is that is trying to get out, DON'T LET IT ! - that way you have control over what information is being sent out of your system, so malicious programs like a viruses or keyloggers can be stopped before they get chance to send your bank account details to some dodgy foreigner.

Something I would strongly recommend to anyone looking to get serious about their own security is a "router" - there are essentially two different types, so you will need to take advice to determine which one suits your needs (wireless is in addition to those types). Basically in the UK, if you're connected via a cable company, you need a simple "router" or "cable router" - whereas anyone connecting via a BT phone line will need an "ADSL modem router".

A router does pretty much the same as a firewall using something called NAT (network address translation), and its a clever little box of tricks that connects to your ISP for you. The IP address that your ISP gives you only refers to the connection to the router, and any computer connected to the router is given a different IP address that only the router knows. Because of this, your computer is immediately a lot harder to hack into, as a hacker can only "see" the IP address for the router. The router remembers what your computer asks for, and when the information comes back, it "translates" where it should be going to by pointing it to the right IP address that only "it" knows.

Routers are not a complete replacement for something like ZoneAlarm as it has no idea what the data is its shuffling around, so a keylogger could still "get out" onto the internet unless you had something else in place to stop it. The main beauty of a router is you never even get to know what its blocked (unless you really want to), because anything you didn't want gets ignored completely. The "knock" never gets as far as your PC, so even if a new exotic way of hacking was discovered it wouldn't get past your router unless it was a flaw in the operating system and you happened to go to a web page that took advantage of it.

A router will typically cost from 20 to 80 depending on brand name, and feel free to call me a luddite, but wireless networks are as bad as having no security at all unless you know how to set them up "properly" - and even then they're not reliable. A normal "wired" router is a lot more reliable than a USB modem (which are often given away free by ISPs)

Routers often have more than one "port" (connection socket) which makes internet sharing an absolute piece of cake - a 4-port router can have 4 computers plugged in at once. You connect to a router using a standard cheap network cable - most PCs have a network connector built into them now as standard - and even if it didn't, its the cheapest addition you can make, at around 4-10 for the network card.



FREE VIRUS KILLERS


There are several free virus killers available on the internet, some of which i'll mention briefly below:

** Kaspersky no longer available as of 3rd August 2007 - McAfee offered as a replacement, but I wouldn't bother !!! ** http://www.activevirusshield.com/antivirus/freeav/index.adp?

Avira - http://www.free-av.com has a better detection rate for "suspect" files than Avast, but can be a little over-cautious reporting problems in keygens that weren't malicious.

There is a very useful independant anti-virus software comparison site at http://www.av-comparatives.org (follow the online results link and check out the latest test results)

For reference, in February 2007 AVG scored about 96.37% Avast 93.86%, Avira 98.85%, and Kaspersky 97.89% - this doesn't mean Kaspersky did less well in the tests, but there are a number of categories which skew the results - Avira is better against worms, backdoors and trojans, but fares less well with actual viruses - although only by a little. By the same token, AVG may look better than Avast overall, but its' detection of viruses trails badly at only 89% detection.

Others include:

Avast can be found here
AVG can be found here

Also, another handy website to bookmark is http://virusscan.jotti.org which allows you to scan a file of your choosing (up to 15Mb in size) against FIFTEEN anti-virus products, and show you the results in a table on the website.

Just as an aside to this, there are many rare methods of archiving ("shrinking") a program, and not every virus checker may be able to handle all of them (yet) while they're simply stored on the hard drive - they will probably recognise any virus if you try to run it, but in the meantime, its double-dutch.

When I was using Avast (and it may work for other virus checkers too) I found that by using another free one-off virus checker (for the Kama Sutra virus that was set to wipe machines on 3rd Feb 2006), Avast was able to check more files than it normally would - you can run it at the same time as Avast without a problem, and it can be found here (you can skip the safety check if you like, you're getting it from the right site, and the odds of it being hacked are aproximately zero - just run the damn thing !) w32.blackmal@mm.removal.tool



EMERGENCY VIRUS HELP


Kaspersky Labs (makers of the rather damn fine AntiViral Toolkit Pro) have a nice little utility that can remove most of the big name "showstoppers" from over the last few years - the search is a little limited to the "big" outbreaks but its only small (~300k) so it will fit on a floppy disk easily.

ftp://ftp.kaspersky.com/utils/ - Download the one called CLRAV.COM

Just in case their site is down, i'll try to keep a copy of the latest version for download direct from this site - click here if you can't get it from the official site.

Run it from within Windows, and it has 4 possible outcomes :

0 - nothing to clean
1 - system was disinfected
2 - to finalize removal of infection you should reboot system
3 - to finalize removal of infection you should reboot system and start this program the second time
4 - program error



A seperate utility that handles Zafi, Bagle, Implinker and AdWare.Visiter has been released - it operates in much the same way as CLRAV and is called KLWK. It can be found on the same site as CLRAV above, or here


A much more effective scan can be carried out by downloading SYSCLEAN from Trend Micro - but its a much larger program. There are (now) three parts to the Sysclean package - the virus scanner itself, the virus signatures, and a new addition of spyware signatures.

Due to the size of this download, you might find it easier to download it from an uninfected PC and copying the files to a CD to enable you to move it to the infected PC.

Sysclean (under "If you are not a Trend Micro Customer) is around 4.6Mb
Virus Signatures - usually the first link on the page "lpt[something].zip" - around 14Mb (link location updated 23/08/05)
Spyware signatures (you want the .DA5 third from bottom)

(create a directory somewhere on your HD, and save them both to the same directory - you need to unpack the large file in the "lpt[something].zip" archive, but WinXP has the facility to open zip archives by default - just double click on it, and drag and drop the big file to the directory). Do the same for the spyware signatures if you've downloaded them as well.

Sysclean unpacks other files prior to checking, so its best to save them to the hard drive of the target (infected) machine (just in case you have them burned to CD)

To run it, just double click the Sysclean program, then walk away for about an hour - it can take a while to scan, and does several "passes" over the system, starting with a fast-scrolling DOS style window as it checks the memory for anything nasty.

NOTE: some virus checkers may detect the virus signature file as a virus in its own right - it isn't. I don't often say this, but you may want to temporarily disable your virus checker while you let it work its magic.

Trend Micro *are* legit, and their products are regularly the recommended "best buys" in the computer press.



IF YOU CAN'T ACCESS ANTI-VIRUS WEBSITES


You *may* be able to get around the "block" some viruses / trojans put up to stop you getting to anti-virus websites - it involves a file hidden within Windows called "HOSTS".

The HOSTS file is plain text, but has no file extension - you can still open the file quite happily with something like Notepad as long as you are able to find it on your system, but it may be "hidden". Note that you may need to change the type of files shown within Notepad from "*.txt" to "all files" - if you don't alter this when you try to save the file, it will save it as hosts.txt which will not do what you need !

Under Windows XP it may be here C:\WINDOWS\system32\drivers\etc\ but it may vary depending on which version of Windows you use, so try a search.

The hosts file may contain lines starting with a "#" symbol - ignore these, they tell the computer to bypass that line. The other information may be in this format:

127.0.0.1 ad.yieldmanager.com
127.0.0.1 winneronline.com

Many viruses will add entries (lines) to this file, and the way it works is "127.0.0.1" points to your computer, and the web address following it tells your computer to look for that site on your own computer, not the internet.

Of course - you do not hold the information for that site so it will say page not found...

By clearing the list of entries for anti-virus websites, as soon as you hit "save", try to reload the antivirus page in a web browser - it might just work.

If you are still unable to access anti-virus websites, ask a friend to download the files for you and put them on a CD / USB memory stick etc.

Another work-around would be to use the direct IP address of the site you need to contact - i'll try to compile a small list soon (small update - see below) - you should be able to copy and paste the IP address and put it directly into your browser rather than a website address.

You can also try going to http://www.samspade.org/ and enter the name of the website you need to visit in the "do stuff" search field - it will return the numeric IP address which you can copy and paste as above ;-)



If you want to verify any of the following IP addresses for authenticity visit http://www.samspade.org - put the IP address in the search field next to the "DO STUFF" button, then hit the button. Not all of the anti-virus companies will be readily identifiable (i.e. Symantec / F-Secure) depending on how they host their sites, but some will be pretty easy to recognise as legitimate.

Hopefully you can copy and paste the second line of each entry below and have it take you to the correct website - its hard for me to check, as my machine works !

Where I can (and I hope it works !) i've also given a link to the free online virus scanners they offer :-}

http://www.symantec.com
206.204.52.54

http://www.kaspersky.com
81.176.69.71

http://www.kaspersky.com/virusscanner
81.176.69.71/virusscanner

http://www.pandasoftware.com
194.30.32.194

http://www.trendmicro.com
66.35.255.33

http://housecall.trendmicro.com
66.35.253.32

http://us.mcafee.com/root/mfs/default.asp
216.49.88.118/root/mfs/

http://support.f-secure.com/enu/home/ols.shtml
66.77.218.151/enu/home/ols.shtml



PEERGUARDIAN

Peerguardian works like a firewall, and will prevent your computer from connecting to anything in its "lists" - these lists can be downloaded and updated automatically, and contain information (IP addresses) about places like film companies who may not want you to share their latest blockbuster movie. By stopping your machine connecting to theirs, they'll have a much harder time proving you were doing anything not entirely innocent !

http://peerguardian.sourceforge.net/

When you install it, try adding "ads", "p2p", "government" and "spyware" to block initially, and if it asks if you want to "Block HTTP" you might want to say no - otherwise you may find some websites don't work.

You may find Peerguardian blocks some things you might want to do - i.e. if you run Steam (Half Life / Counter Strike) it may not allow it to connect to log you in to the network. You can either close Peerguardian down while you play, or if you have a little patience you can right-click on the blocked IP addresses and select "allow permanently" (but it will have to rebuild the database each time, and it can take a few seconds).

You can disable Peerguardian completely without quitting the program, and even if you forgot to say no to "Block HTTP" you can enable it with a simple click of a button.

At the time of writing, mine is blocking a staggering 703,766,175 IP addresses.