This page was getting a little too long to be easy to use, so I've added some links to the sections to try to make life easier for everyone !
Introductory ramble
Rootkits (*important)
A note about filesharing applications
More anti-spyware utilities
Web browser protection
Get yourself a firewall
Free anti-virus software
Emergency anti-virus help
Sysclean
If you can't access anti-virus websites
Peerguardian
You might like to check out this list of spyware utilities - the majority of spyware utilities you come across on the internet are FAKE, but this site gives you the low-down. If you ever get a popup message out of the blue warning you that you have spyware, the odds are it's the program telling you you're infected that's the problem !
I won't beat about the bush here - Windows is dangerously unsafe to let out onto the internet in its naked form.
Let me start by saying rootkits are far more worrying and potentially dangerous than typical spyware because of the way they hide themselves - thankfully rootkits are not the most common way to attack a PC - yet !
This site will help you understand what is currently "safe" and what contains spyware *link removed as it's now a domain squatter advert site* (Note: the page has been replaced and now only lists a few applications - a copy of the old article can be found here, but it may be out of date now.)
Hint - many of the common / well publicised applications have spyware built in, but there are still plenty of alternatives to choose from.
You may also want to check the section below on Peerguardian, which can help you "hide" from certain parties who try to sue people for file sharing... Of course, you can be 100% safe by not file sharing !
CWSHREDDER - gets rid of the CoolWebSearch hack, which is seemingly resistant to other cleanup programs at present (AKA a b*stard to get rid of by any other means).
CWShredder was maintained by Intermute Software and has been updated and is available from here * Update - Trend Micro have now bought Intermute, which goes to show how effective it is ! (you can go via Trend's site direct via this link)
How to remove Winfixer, Virtumonde, Msevents, and Trojan.vundo (ATLDistrib Object) - this info taken from here
Download VundoFix.exe to your desktop (the download will start by clicking here: http://www.atribune.org/ccount/click.php?id=4)
* Double-click VundoFix.exe to run it.
* Click the Scan for Vundo button.
* Once it's done scanning, click the Remove Vundo button.
* You will receive a prompt asking if you want to remove the files, click YES
* Once you click yes, your desktop will go blank as it starts removing Vundo.
* When completed, it will prompt that it will reboot your computer, click OK.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.
Hopefully this will get rid of the majority of problems, but if not, try seeking further advice from the site I linked to above (GeeksToGo)
Fixwareout can be downloaded from http://downloads.subratam.org/Fixwareout.exe and tackles "Kill & Clean" and "SpyMarshal", which have been linked to the installation of rootkits, malware and fake startup entries - all to encourage the sale of a phony application.
More info on its use can be found here http://www.bleepingcomputer.com/forums/topic76554.html, but basically: run it, click "install", and make sure "Run Fixit" is ticked - it may take a while, and the computer may reboot more slowly than normal at first.
Sadly, the Windows platform is becoming harder and harder to maintain and use safely, and as such, it's getting to the point where it's hard for a single package to keep your system clean. Many "new" infections can't be cured (yet) by commercial applications, so it comes down to helpers over at sites like Castlecops and Bleepingcomputer.com to write their own removal programs.
Here are a few programs I've needed to employ recently to try to help people regain control over their computers...
combofix.exe - fixes a few assorted malware infections, and can help identify others. It specifically targets SurfSideKick, QooLogic, Look2Me or any combination of that group. It also finds Vundo infections and can clear some, but not all.
SDfix.exe - unpack it to C:\ then reboot in safe mode (F8). Double click "RunThis.bat" and type Y to start cleaning.
Deckard's System Scanner - a system report utility often requested by admins on anti-spyware sites such as Castlecops
You can get a decent overview of some of the steps you might need to cover over here
Change your web browser to something less dangerous - I recommend Opera or Firefox personally - Firefox is very good, and seems more compatible with some sites (I use Firefox for 99% of my web browsing). Firefox also has some very useful "plugins" - try "mouse gestures" and "stumbleupon" !
If you didn't already know, there are no specific problems caused by installing or using more than one web browser, other than being able to share your favourites - Firefox can import and use the favourites from Internet Explorer without any problems though. Some websites are created by idiots and will only work with Internet Explorer - but thankfully most sites are realising how dangerous it is and now allow other browsers to use them. Banks are the worst offenders for this, yet they wonder why they lose so much money from ID Theft !
As a rule-of-thumb, use Opera or Firefox for as much web browsing as you possibly can, and only ever go back to Internet Explorer as a last resort - I even have Internet Explorer blocked by my firewall (ZoneAlarm) so it has to ask permission to get out !
You should also install SpywareBlaster - it's a great little app that can lock down thousands of hacks so they can't cause damage - it also provides protection for Firefox
There's a handy little "quick check" site you can use in the search for some IE parasites, but it won't be as comprehensive as a full scan from the likes of Spybot S&D. It can be found here
http://www.aumha.org/a/noads.php
Get a firewall - the following should give you an idea why !
Personally I like ZoneAlarm from www.zonelabs.com/free_za_download (link updated 21/04/06) - as of 27/06/07 this now only points to a small downloader front-end, not the full download which you would need for offline-installation.
For the full download, try checking out the version history (which does offer the full version) http://download.zonelabs.com/bin/free/information/znalm/zaReleaseHistory.html
To try to give you an idea what a firewall is - and why you need one (forgive the lousy analogy coming up !) - imagine your computer is a house on a road somewhere, with a number on the door. This house happens to have over 65,000 doors and windows, known as ports. The house number is your IP address, and identifies your house uniquely on the internet, and anyone on the internet can come knocking on any one of those ports. The IP address is given to your computer by your ISP when you connect to the internet.
Windows (the operating system) - the thing that plays a tune when you boot up (switch on) - will, by default, listen out for someone knocking, open the port and say "come hack me, I'm here" - then walk away leaving that port wide open.
Your computer needs to use some ports to do things on the internet, but what a firewall does is remember which ports you're using, and forces the computer to keep quiet if any unexpected callers come knocking.
Not only that, but a firewall like ZoneAlarm will act like a security guard, and any program that wants to get out of the house has to ask for permission - ZoneAlarm will pop up windows saying things like "Firefox is trying to get out to the internet - do you want to allow it ?" - to which you can answer "yes" or "no" using buttons. If you know what the program is, and you're happy to let it out, you can also tick a little box that says "don't ask me again". This is where a separate firewall is far better than the one built into Windows, as that will only block stuff coming "in" - it doesn't stop anything being sent "out".
The rule of thumb is simple - if you don't know what the program is that is trying to get out, DON'T LET IT ! - that way you have control over what information is being sent out of your system, so malicious programs like viruses or keyloggers can be stopped before they get chance to send your bank account details to some dodgy foreigner.
Something I would strongly recommend to anyone looking to get serious about their own security is a "router" - there are essentially two different types, so you will need to take advice to determine which one suits your needs (wireless is in addition to those types). Basically in the UK, if you're connected via a cable company, you need a simple "router" or "cable router" - whereas anyone connecting via a BT phone line will need an "ADSL modem router".
A router does pretty much the same as a firewall using something called NAT (network address translation), and it's a clever little box of tricks that connects to your ISP for you. The IP address that your ISP gives you only refers to the connection to the router, and any computer connected to the router is given a different IP address that only the router knows. Because of this, your computer is immediately a lot harder to hack into, as a hacker can only "see" the IP address for the router. The router remembers what your computer asks for, and when the information comes back, it "translates" where it should be going to by pointing it to the right IP address that only "it" knows.
Routers are not a complete replacement for something like ZoneAlarm, as a router has no idea what the data it's shuffling around actually is, so a keylogger could still "get out" onto the internet unless you had something else in place to stop it. The main beauty of a router is you never even get to know what it's blocked (unless you really want to), because anything you didn't want gets ignored completely. The "knock" never gets as far as your PC, so even if a new exotic way of hacking was discovered it wouldn't get past your router unless it was a flaw in the operating system and you happened to go to a web page that took advantage of it.
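As an added illustration (my own toy code, not anything from this page or from any real router), here is a small Python model of the NAT behaviour just described: each outbound connection from a PC gets a slot in the router's table, replies are translated back to the PC that asked, and anything unsolicited is dropped before it ever reaches the LAN. The addresses used are constructed documentation-range examples.

```python
"""Toy model of a NAT router: translate outbound connections, map replies
back to the private address that asked, and drop unsolicited 'knocks'."""

PUBLIC_IP = "203.0.113.5"   # constructed example: the one address the ISP gives you


class NatRouter:
    def __init__(self, public_ip=PUBLIC_IP, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out_table = {}   # (private_ip, private_port, dst_ip, dst_port) -> public_port
        self.in_table = {}    # public_port -> (private_ip, private_port, dst_ip, dst_port)
        self.dropped = []     # unsolicited inbound packets that were silently ignored

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """A packet leaving the LAN: remember who asked, rewrite the source to the
        router's public address. Returns the packet as the internet sees it.
        Note: a keylogger's connection is translated exactly like Firefox's -
        NAT never looks at the data, which is why you still want ZoneAlarm."""
        key = (src_ip, src_port, dst_ip, dst_port)
        port = self.out_table.get(key)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.out_table[key] = port
            self.in_table[port] = key
        return (self.public_ip, port, dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_port):
        """A packet arriving from the internet. Only a reply to something a PC
        asked for is forwarded; None means the 'knock' never reached the LAN."""
        entry = self.in_table.get(dst_port)
        if entry is None or entry[2:] != (src_ip, src_port):
            self.dropped.append((src_ip, src_port, dst_port))
            return None
        private_ip, private_port, _, _ = entry
        return (private_ip, private_port)


def demo():
    """A PC fetches a web page, then a stranger probes port 135 on the router."""
    nat = NatRouter()
    pkt = nat.outbound("192.168.1.10", 51234, "198.51.100.7", 80)   # PC -> web server
    reply = nat.inbound("198.51.100.7", 80, pkt[1])                 # web server -> PC
    probe = nat.inbound("198.51.100.99", 4444, 135)                 # nobody asked for this
    return pkt, reply, probe, len(nat.dropped)


if __name__ == "__main__":
    print(demo())
```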
A router will typically cost from £20 to £80 depending on brand name, and feel free to call me a luddite, but wireless networks are as bad as having no security at all unless you know how to set them up "properly" - and even then they're not reliable. A normal "wired" router is a lot more reliable than a USB modem (which are often given away free by ISPs).
Routers often have more than one "port" (connection socket) which makes internet sharing an absolute piece of cake - a 4-port router can have 4 computers plugged in at once. You connect to a router using a standard cheap network cable - most PCs have a network connector built into them now as standard - and even if it didn't, it's the cheapest addition you can make, at around £4-£10 for the network card.
There are several free virus killers available on the internet, some of which I'll mention briefly below:
** Kaspersky no longer available as of 3rd August 2007 - McAfee offered as a replacement, but I wouldn't bother !!! ** http://www.activevirusshield.com/antivirus/freeav/index.adp?
Avira - http://www.free-av.com has a better detection rate for "suspect" files than Avast, but can be a little over-cautious reporting problems in keygens that weren't malicious.
There is a very useful independent anti-virus software comparison site at http://www.av-comparatives.org (follow the online results link and check out the latest test results)
For reference, in February 2007 AVG scored about 96.37%, Avast 93.86%, Avira 98.85%, and Kaspersky 97.89% - this doesn't mean Kaspersky did less well in the tests, but there are a number of categories which skew the results - Avira is better against worms, backdoors and trojans, but fares less well with actual viruses - although only by a little. By the same token, AVG may look better than Avast overall, but its detection of viruses trails badly at only 89% detection.
Others include:
Avast can be found here
AVG can be found here
Also, another handy website to bookmark is http://virusscan.jotti.org which allows you to scan a file of your choosing (up to 15Mb in size) against FIFTEEN anti-virus products, and show you the results in a table on the website.
Just as an aside to this, there are many rare methods of archiving ("shrinking") a program, and not every virus checker may be able to handle all of them (yet) while they're simply stored on the hard drive - they will probably recognise any virus if you try to run it, but in the meantime, it's double Dutch.
When I was using Avast (and it may work for other virus checkers too) I found that by using another free one-off virus checker (for the Kama Sutra virus that was set to wipe machines on 3rd Feb 2006), Avast was able to check more files than it normally would - you can run it at the same time as Avast without a problem, and it can be found here (you can skip the safety check if you like - you're getting it from the right site, and the odds of it being hacked are approximately zero - just run the damn thing !) w32.blackmal@mm.removal.tool
Kaspersky Labs (makers of the rather damn fine AntiViral Toolkit Pro) have a nice little utility that can remove most of the big name "showstoppers" from over the last few years - the search is a little limited to the "big" outbreaks but it's only small (~300k) so it will fit on a floppy disk easily.
ftp://ftp.kaspersky.com/utils/ - Download the one called CLRAV.COM
Just in case their site is down, I'll try to keep a copy of the latest version for download direct from this site - click here if you can't get it from the official site.
Run it from within Windows, and it has 4 possible outcomes:
0 - nothing to clean
1 - system was disinfected
2 - to finalize removal of infection you should reboot system
3 - to finalize removal of infection you should reboot system and start this program the second time
4 - program error
You *may* be able to get around the "block" some viruses / trojans put up to stop you getting to anti-virus websites - it involves a file hidden within Windows called "HOSTS".
The HOSTS file is plain text, but has no file extension - you can still open the file quite happily with something like Notepad as long as you are able to find it on your system, but it may be "hidden". Note that you may need to change the type of files shown within Notepad from "*.txt" to "all files" - if you don't alter this when you try to save the file, it will save it as hosts.txt which will not do what you need !
Under Windows XP it may be here C:\WINDOWS\system32\drivers\etc\ but it may vary depending on which version of Windows you use, so try a search.
The hosts file may contain lines starting with a "#" symbol - ignore these, they tell the computer to bypass that line. The other information may be in this format:
127.0.0.1 ad.yieldmanager.com
127.0.0.1 winneronline.com
Many viruses will add entries (lines) to this file, and the way it works is "127.0.0.1" points to your computer, and the web address following it tells your computer to look for that site on your own computer, not the internet.
Of course, your computer does not hold the information for that site, so the browser will say "page not found"...
Delete the entries for anti-virus websites, hit "save", and then try to reload the anti-virus page in a web browser - it might just work.
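As an added example (my own code, not something from this page), here is a small Python script that does the check described above: it reads a HOSTS file, skips the "#" lines, and flags entries that send anti-virus or update sites to your own machine, then produces a copy with only those lines removed. The sample file contents and the list of watched domains are constructed for illustration and are assumptions - extend the list to suit your own anti-virus vendor.

```python
"""Check a Windows HOSTS file for the hijack described above: entries that
point anti-virus or update sites at your own machine (127.0.0.1 / 0.0.0.0)."""
import ipaddress

# Constructed sample of a tampered HOSTS file - not taken from any real infection.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1 ad.yieldmanager.com
127.0.0.1 winneronline.com
127.0.0.1 www.avast.com   # added by malware
0.0.0.0   free-av.com
127.0.0.1 update.microsoft.com
"""

# Addresses that make a lookup land on the local machine instead of the internet.
LOCAL_SINKS = {"127.0.0.1", "0.0.0.0", "::1"}

# Illustrative starter list (an assumption - extend it): sites nobody should
# deliberately be mapping to their own PC.
WATCHED = ("avast.com", "free-av.com", "kaspersky.com", "zonelabs.com", "microsoft.com")


def parse_hosts(text):
    """Yield (line_no, ip, hostnames) for every real entry, skipping '#' comments."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # a '#' comments out the rest of the line
        if not line:
            continue
        parts = line.split()
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue                              # not "<ip> <name ...>", ignore it
        yield line_no, ip, parts[1:]


def suspicious_entries(text, watched=WATCHED):
    """Return [(line_no, ip, hostname)] for watched domains sent to a local sink.
    Ad-blocking tools add legitimate 127.0.0.1 lines (like ad.yieldmanager.com
    above), so only the watched domains are flagged, not every localhost entry."""
    hits = []
    for line_no, ip, names in parse_hosts(text):
        if ip not in LOCAL_SINKS:
            continue
        for name in names:
            if any(name == w or name.endswith("." + w) for w in watched):
                hits.append((line_no, ip, name))
    return hits


def cleaned_hosts(text, watched=WATCHED):
    """Return the file with only the flagged lines removed (everything else intact)."""
    bad = {line_no for line_no, _, _ in suspicious_entries(text, watched)}
    kept = [l for i, l in enumerate(text.splitlines(), 1) if i not in bad]
    return "\n".join(kept) + "\n"
```

Read the real file with `open(r"C:\WINDOWS\system32\drivers\etc\hosts").read()` in place of SAMPLE_HOSTS (path as given above for XP) and write `cleaned_hosts(...)` back only after reviewing what `suspicious_entries(...)` reports.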
If you are still unable to access anti-virus websites, ask a friend to download the files for you and put them on a CD / USB memory stick etc.
Another work-around would be to use the direct IP address of the site you need to contact - I'll try to compile a small list soon (small update - see below) - you should be able to copy and paste the IP address and put it directly into your browser rather than a website address.
You can also try going to http://www.samspade.org/ and enter the name of the website you need to visit in the "do stuff" search field - it will return the numeric IP address which you can copy and paste as above ;-)
Peerguardian works like a firewall, and will prevent your computer from connecting to anything in its "lists" - these lists can be downloaded and updated automatically, and contain information (IP addresses) about places like film companies who may not want you to share their latest blockbuster movie. By stopping your machine connecting to theirs, they'll have a much harder time proving you were doing anything not entirely innocent !
http://peerguardian.sourceforge.net/
When you install it, try adding "ads", "p2p", "government" and "spyware" to block initially, and if it asks if you want to "Block HTTP" you might want to say no - otherwise you may find some websites don't work.
You may find Peerguardian blocks some things you might want to do - e.g. if you run Steam (Half Life / Counter Strike) it may not allow it to connect to log you in to the network. You can either close Peerguardian down while you play, or if you have a little patience you can right-click on the blocked IP addresses and select "allow permanently" (but it will have to rebuild the database each time, and it can take a few seconds).
You can disable Peerguardian completely without quitting the program, and even if you forgot to say no to "Block HTTP" you can enable it with a simple click of a button.
At the time of writing, mine is blocking a staggering 703,766,175 IP addresses.