Malware Removal and Prevention.doc - Document Transcript
Malware Removal and Prevention: Overview
Symantec has developed a detection and removal tool for the Blackworm aka Kama Sutra worm.
For more information and removal links, please visit here. Then return to complete the remainder of
1. Perform a reference (preliminary) HijackThis scan
2. Winfixer / WinAntiSpyware / WinAntiVirus Popups / Virtumundo victims only:
Please follow the Virtumundo Removal Instructions.
3. Windows 2K/XP - Titan Shield / SpySheriff / SpyFalcon / SpywareQuake / SpyAxe victims
Please follow the SpySheriff / SpyFalcon / SpywareQuake / SpyAxe / Smitfraud Removal
Instructions instead of steps 4-8 below.
4. Next stop - The Control Panel - Add/Remove Programs
5. Temporarily Disable Real Time Monitoring Programs
Now please complete the following automatic malware detection and removal steps
6. Clean the Clutter:
o Crap Cleaner
7. Antispyware Scanners - Run at least one, preferably two - if your system is functioning well
o SpyBot S&D
o Windows Defender Beta 2 (Win2K and XP with all service packs applied) - This scanner
will remove the Sony XCP DRM rootkit
8. Antiviral Scans - Run at least one
9. AntiTrojan Scans - Run one:
o ewido Security Suite Trial Download (Win2K and XP)
o TrojanHunter Trial Download
You will have completed the automated malware removal process once you have followed the above
steps. We sincerely hope that your computer problems have been resolved to your satisfaction once
you've reached this point. Even if you think your computer is now 'clean', some additional steps are
advisable to further ensure the security of your computer.
Please consult: How to Prevent Reinfection for further details.
10. Only if your computer problems persist, Consider Getting Expert Help With Your
Once your system is satisfactorily cleaned, be sure to follow these guidelines to prevent a reinfection.
XP and ME System Restore Points
If you are using Windows XP or ME, you need to SET A NEW RESTORE POINT with System Restore.
This will prevent the possibility of you becoming reinfected by restoring your system with corrupted files.
To set a new restore point:
Windows XP Creating a System Restore Point
Windows ME When to Create and Use Manual Restore Points
The new Restore Point will be stamped with the current date and time. Keep a log of this for your records so
you can find it easily should you need to use System Restore.
To reduce your exposure to infection and ensure your system's security, be sure your computer is set
to update your operating system and Internet Explorer, automatically.
Windows ME, 2000 & XP:
To do that, right-click the My Computer icon on your desktop. Click Properties and then Automatic
To enable automatic updating, check either the first or second box:
1. The first option enables Windows Automatic Updating, meaning it will both download and install
updates automatically. This option requires you to set the time for them to install. Make sure this is a
convenient time when your computer will be ON.
2. The second option will download the updates and then let you decide when you want to install them.
Select whichever alternative is best for you.
Occasionally, even though your computer is set to update automatically, you may experience a problem
having updates download. There are many reasons this can occur, so to be safe, always check that you have
the latest critical updates and patches from the Windows Update website.
Microsoft releases new updates to patch vulnerabilities that malware may exploit every second Tuesday of
each month, so time your visits to the Windows Update site accordingly.
The 12/13/2005 Windows Update release contains a Cumulative Security Update for Internet Explorer for
Windows XP that has the Maximum Severity Rating: Critical.
Remember, Windows Updates will improve your system's overall integrity and security, so be sure to verify
that the update feature is properly functioning on your computer.
Windows Updates Troubleshooting
If you do find you are unable to download updates automatically or manually from the Windows Update
Website, then chances are our Windows Update Fix may remedy that problem. The Fix consists of a few
preparation steps and a DOS script that you can download and run, to automatically correct the most
common problems associated with being unable to download Windows Updates. It will address and rectify
an assortment of documented Windows Update errors, so give it a try.
Windows XP Service Pack 2 is cumulative, meaning it includes Service Pack 1 and all updates predating
SP2's release. Although Service Pack 2 was released over a year ago, some of you may not have updated to
Installing Service Pack 2 should NOT be performed until you have ensured your system is fully cleaned of
all viruses and malware. This is the recommended procedure by Microsoft before installing SP2. Some
computers lock up when SP2 is installed with certain spyware in residence, and spyware programs can
interfere with the new security features that SP2 installs by default. For a complete discussion on all
necessary precautions see: What to Know Before You Download and Install Windows XP Service Pack 2
Updating Your Security Programs
Because new threats are continually introduced, a security application is only effective if it is updated
regularly. Checking for updates can be simplified by using the calendar provided at the Calendar of Updates
website, which is revised daily.
Blocking Unwanted Parasites with a Hosts File:
Read the discussion about installing a blocking hosts file and download the #1 rated MVPS hosts file
Another variation on the same theme - What is the Hosts file?
Installing Preventive Security Programs
Although these two programs are mentioned elsewhere in our Tips for Safer Surfing, they are important
enough to deserve special mention here. Since neither of these programs runs in the background, they will not
consume valuable system resources, so be sure to install them ASAP:
• SpywareBlaster SpywareBlaster will block bad ActiveX and harmful cookies from getting on to
your PC in the first place. Just download and install the program. Open SpywareBlaster, check for
and download updates, then 'select all' to protect against all items checked. That's it! Just return to
check for updates every couple of weeks.
• IESpyads IE-SPYAD adds a long list of sites and domains associated with known advertisers,
marketers, and hijackers to the Restricted sites zone of Internet Explorer. Doing this will block
these restricted sites. There are a few different versions, so please refer to the information contained
at the developer's website.
Tips for Safer Surfing
1. Read Tony Klein's So how did I get infected in the first place?
2. ALWAYS surf with an active internet firewall. The Windows firewall does not provide outbound
protection, but ZoneAlarm® FREE and Sygate Personal Firewall 5.x - FREE will block both inbound
and outbound traffic.
3. Use only reputable Antispyware and Security Programs: Consult the Rogue/Suspect Anti-Spyware
Program List first, before you download. Do not click on any random solicitations to "Scan your
system for spyware".
4. Do not download any attachments from unsolicited email or even unexpected attachments from
5. Never provide sensitive personal information (SSN, financial account numbers) in response to an
6. Do NOT click on pop-up ads or download any anonymous software - google it first and read reviews
7. Download all software from the vendor/developer site whenever possible (3rd party sites may
distribute bundled adware)
8. If you are a Skype user, please read the Tips on how to safely use Skype on the bottom of the page
and pay particular attention to Article 4 - Permission to Utilize section of the EULA (end user license
9. Set Safe Configurations for Internet Explorer and acquaint yourself with the Internet Explorer
10. Read these suggested Safe Configurations for Firefox
11. Read about Cookie Management in The Unofficial Cookie FAQ
12. Wireless Network Security For The Home
13. Browse through PC Magazine's 80 Super Security Tips
14. Although CastleCops does not condone or recommend the use of peer-to-peer file sharing software, if
you must use it, use it wisely:
1. Please read these recommendations provided by Mike Healan regarding the safest P2P
filesharing programs available.
2. You may also refer to this list compiled by the Malware Removal Forum which details Clean/
Infected P2P Programs
3. Remove any adware/spyware programs which were bundled with your file-sharing program
4. Adjust your file-sharing program settings so it does NOT automatically run at Windows
5. Adjust your file-sharing program settings so it does NOT allow others on the P2P network
openly access downloads from your computer.
6. Close your filesharing program when you are not actively using it
Roll your own Free Security Suite
The most important step is to secure your system against future malware attacks. And it doesn't have to be
costly. You can actually Roll your own Free Security Suite!
Become an Informed Surfer
There is a very important resource which will help you to avoid becoming a victim of cyber fraud. The latest
Security Labs Trends report will make you fully aware of what cyber scams are out there and what you
should be on the lookout for to protect yourself in 2006.
HijackThis Tutorial - for those who want to know more
Now that you are clean, if you are fascinated with how this powerful tool, HijackThis, works, you may read
this excellent HijackThis Tutorial. It describes what each of the individual HijackThis log entries means.
Gaining knowledge is great and there is a lot of information there, but when it comes to actually fixing
entries in your log, it is best to remember that it is still a job better left to the experts in the HijackThis
Roll your own Free Security Suite
A "system security suite" is one which bundles all the required tools for complete system protection, like
anti-virus, firewall, anti-spyware, file cleaners, registry cleaners, etc. But security suites that you find online
are usually commercial software.
How about making - or rather "assembling" - your own security suite that contains all the required tools? The
tools are very efficient and powerful. But best of all, your security suite is completely FREE!
Well, Viruses need no introduction, do they? To battle them you need an AntiVirus!
AVG 7 Free AntiVirus is one of the few full-fledged free anti-virus programs. Full-fledged AV means that it should
at least have a real-time scanner, an on-demand scanner and automatic updates.
AVG satisfies all the above conditions and has good virus detection, a good feature set, quick updates, and is also
very light on resources. You don't have to worry about viruses, worms, or Trojans sneaking into your PC
because AVG's powerful real-time background scanner will block them.
Other free anti-virus programs which are equally good are AntiVir and Avast Home Edition.
Spyware, adware, and hijackers can do major damage to your system. Notorious malware like
CoolWebSearch is very hard to remove and is not detected or completely removed by anti-virus programs.
This calls for a special dedicated tool: anti-spyware!
AdAware and SpyBot Search and Destroy are very good anti-spyware programs which have a large,
frequently-updated malware database.
SpyBot S&D has one cool tool built into it called TeaTimer. TeaTimer monitors the system
continuously, protecting system files and the registry from malware. SpyBot S&D also adds a browser
helper object (BHO) to Internet Explorer. By using this, SpyBot S&D automatically blocks bad downloads (like
installation of ActiveX components or other BHOs installed by spyware without the user's knowledge).
These two programs are a "must have" on every computer.
Another good tool is Windows Defender, which works on Windows 2000 & XP. This is still in its beta, but
is based on an established Antispyware program known as Giant Antispyware. Windows Defender
(previously Microsoft Antispyware) has an extremely effective realtime protection component which
monitors 58 security checkpoints on your computer to prevent unauthorized changes.
SpywareGuard is a small, real-time bad download protection tool. It actively monitors Internet Explorer, and
blocks any malicious ActiveX components, BHOs, and tracking cookies.
Not all Trojan Horses are detected by anti-virus and anti-spyware programs. So you should have software
that specializes in the removal of Trojans. So-called back door Trojans open up your PC from the inside to
attackers, which enables the person/website who sent the Trojan to monitor your PC. An even worse variant
is the so-called RAT, short for Remote Administration Tool, which enables a hacker to control your PC.
a2 Free is one of the best free anti-Trojan (and anti-malware) programs available. The free version has
only an on-demand scanner, and does not provide real-time protection.
Another good anti-Trojan available for free is Ewido. It comes with a 14-day trial period, after which special
features (automatic updating, real-time protection and premium support) are disabled, but the basic version
can continue to be used for free.
It's advisable to have both these scanners.
The above software detects and removes viruses and malware present on the PC, but it cannot prevent
them from sneaking into your system (except a real-time AV scanner, to a certain extent).
SpywareBlaster prevents the installation of malware onto your system. SpywareBlaster is a tool that is run
once, rather than running continually in the background. Its working principle can be described as follows: many
spyware and hijacker components make certain registry entries and are identified by CLSIDs. SpywareBlaster has a
database of these bad CLSIDs. When you run SpywareBlaster once, it sets the kill bit of each bad CLSID to
"1". This means the specific CLSID is killed, or not allowed to register, preventing installation of the
spyware. SpyBot S&D has a similar feature. SpywareBlaster also has a minor feature of importing a list of
blacklisted cookies into Firefox.
If you need help understanding how to use SpywareBlaster to protect your computer, please refer to this
IE-SPYAD puts many bad webpages in your Restricted sites zone. This means that you can still view the
"bad" webpages, but they run in your Restricted zone and are prevented from carrying out dangerous
activities. SpywareBlaster also has a similar feature.
If you need help understanding how it works, please refer to the tutorial
Make your Internet Explorer more secure
This can be done by following these simple instructions:
1. From within Internet Explorer click on the Tools menu and then click on Options.
2. Click once on the Security tab
3. Click once on the Internet icon so it becomes highlighted.
4. Click once on the Custom Level button.
5. Change the Download signed ActiveX controls to Prompt
6. Change the Download unsigned ActiveX controls to Disable
7. Change the Initialize and script ActiveX controls not marked as safe to Disable
8. Change the Installation of desktop items to Prompt
9. Change the Launching programs and files in an IFRAME to Prompt
10. Change the Navigate sub-frames across different domains to Prompt
11. Change the allow paste operations via script to Disable
12. When all these settings have been made, click on the OK button.
13. If it prompts you as to whether or not you want to save the settings, press the Yes button.
14. Next press the Apply button and then the OK to exit the Internet Properties page.
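The Custom Level settings above and the kill bits that SpywareBlaster applies both live in the registry, so they can be audited offline from a `reg export` of the relevant keys. The following checker is an added example (not code from the page, SpywareBlaster or Microsoft): the key paths, the per-setting value names under the zone key and the 0x400 "Compatibility Flags" kill bit are the documented Windows ones, while the sample export and the CLSID in it are constructed placeholders.

```python
import re
# IE Custom Level settings from the page, keyed by registry value name (0 = Enable, 1 = Prompt, 3 = Disable).
RECOMMENDED = {
    "1001": 1,  # Download signed ActiveX controls -> Prompt
    "1004": 3,  # Download unsigned ActiveX controls -> Disable
    "1201": 3,  # Initialize and script ActiveX controls not marked as safe -> Disable
    "1800": 1,  # Installation of desktop items -> Prompt
    "1804": 1,  # Launching programs and files in an IFRAME -> Prompt
    "1607": 1,  # Navigate sub-frames across different domains -> Prompt
    "1407": 3,  # Allow paste operations via script -> Disable
}
LEVEL = {0: "Enable", 1: "Prompt", 3: "Disable"}
ZONE3 = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
ACTIVEX = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
KILL_BIT = 0x400  # bit in "Compatibility Flags" that stops IE from loading the control

def parse_reg(text):
    """Return {key_path: {value_name: int}} for the dword values in a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = re.match(r'"([^"]+)"=dword:([0-9a-fA-F]{8})$', line)
            if m:
                keys[current][m.group(1)] = int(m.group(2), 16)
    return keys

def audit_internet_zone(keys):
    """List (action_id, current_level, recommended_level) for every deviation."""
    zone, findings = keys.get(ZONE3, {}), []
    for action, want in RECOMMENDED.items():
        have = zone.get(action)
        if have != want:  # a value that was never set is reported as "unset"
            findings.append((action, "unset" if have is None else LEVEL.get(have, str(have)), LEVEL[want]))
    return findings

def kill_bit_set(keys, clsid):
    """True when the kill bit (as SpywareBlaster sets it) is present for this CLSID."""
    flags = keys.get(ACTIVEX + "\\" + clsid, {}).get("Compatibility Flags", 0)
    return bool(flags & KILL_BIT)

# Constructed sample export: two settings left at Enable, three never set,
# and one made-up placeholder CLSID that has been kill-bitted.
SAMPLE = r"""[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000000
"1004"=dword:00000003
"1201"=dword:00000003
"1407"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-00000000ABCD}]
"Compatibility Flags"=dword:00000400"""

if __name__ == "__main__":
    keys = parse_reg(SAMPLE)
    print(audit_internet_zone(keys))
    print(kill_bit_set(keys, "{00000000-0000-0000-0000-00000000ABCD}"))
```

On a real machine, feed `parse_reg` the text of `reg export` for the Zones\3 key and the ActiveX Compatibility key instead of the sample.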
• All Windows systems include an empty hosts file.
• It was originally meant to speed up mapping of domain names (e.g. www.hotmail.com) to IP
addresses (e.g. 184.108.40.206).
• We can customize a hosts file so that it blocks certain webpages by giving them an illegal address
(actually by sending them to your loopback address) so the page doesn't load.
• However, it can slow down slower computers if the list is large. Users of Windows 2000 and XP
should follow the instructions below to avoid slowdowns.
HOSTS File Download Sources: here or here. Make sure you read the instructions on how to install the hosts
file. There is a good tutorial: here. If you decide to download the hosts file, the slowdown problems can
usually be avoided by following these steps:
a. Click the Start button (at the lower left-hand corner of your screen)
b. Click Run
c. In the dialog box, type services.msc
d. Press Enter, then locate DNS Client
e. Highlight it, then double-click it.
f. In the dropdown box, change the setting from Automatic to Manual.
g. Click OK
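The loopback trick above is also exactly what hosts-file hijackers use in reverse: instead of sending ad domains to 127.0.0.1, malware points update and anti-virus sites at an address of its choosing so the victim cannot fetch updates. The following parser is an added example (not from the page or the MVPS list) that separates the two patterns in a hosts file; the protected-domain list and the sample file are constructed for illustration.

```python
import ipaddress

# Addresses a blocking hosts file points unwanted names at: the loopback the
# page describes, plus the unroutable 0.0.0.0 that some lists use instead.
BLOCK_TARGETS = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed, illustrative list of domains that should never be redirected;
# extend it with the update and security vendors you actually rely on.
PROTECTED = ("windowsupdate.com", "update.microsoft.com", "avg.com", "symantec.com")

def is_protected(name):
    return any(name == d or name.endswith("." + d) for d in PROTECTED)

def parse_hosts(text):
    """Yield (ip, hostname) pairs; comments, blank and malformed lines are skipped."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = str(ipaddress.ip_address(fields[0]))  # normalises and validates
        except ValueError:
            continue
        for name in fields[1:]:
            yield ip, name.lower()

def classify(text):
    """Sort entries into deliberate blocks, suspicious redirects, and the rest."""
    out = {"blocked": [], "hijacked": [], "other": []}
    for ip, name in parse_hosts(text):
        if ip in BLOCK_TARGETS and name != "localhost":
            out["blocked"].append(name)
        elif is_protected(name):  # a real site sent somewhere other than its own address
            out["hijacked"].append((name, ip))
        else:
            out["other"].append(name)
    return out

# Constructed sample: two blocklist lines, two vendor names redirected to a
# TEST-NET address, one malformed line and one ordinary entry.
SAMPLE_HOSTS = """\
# constructed hosts file
127.0.0.1   localhost
127.0.0.1   ads.example-tracker.invalid    # blocklist entry
0.0.0.0     banner.example-adnet.invalid
192.0.2.10  windowsupdate.com
192.0.2.10  www.avg.com
not-an-ip   something.invalid
203.0.113.5 mirror.example.net
"""

if __name__ == "__main__":
    for kind, entries in classify(SAMPLE_HOSTS).items():
        print(kind, entries)
```

To check a live system, read C:\Windows\System32\drivers\etc\hosts and pass its contents to `classify`; anything in the "hijacked" list deserves attention before trusting the machine's updates again.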
There are many (65535!) virtual ports in a computer. These ports are either open, closed, or filtered (often
called blocked or stealthed). Ports are generally open because they are held open by an application that is
listening on that port. Most of these programs are servers. While most home users have little reason to run
servers, by default Windows 2000 and XP run several services which keep ports open. It must also be
noted that to run some programs like P2P sharing, some IM services or online gaming, ports will also often
have to be open. When such ports are open with applications listening behind them, a hacker has an
opportunity to exploit weaknesses in the application to cause damage to your system. Similarly, worms like
Sasser exploit weaknesses found in Windows services to spread by port scanning vulnerable machines on
To prevent these port scanning and other malicious attacks, a firewall should be installed. Firewalls act as a
barrier between your PC and the Internet. They filter the data that is being transmitted and received. Also,
unless otherwise configured, firewalls block all the open ports so that port scanning will be unsuccessful.
A popular free firewall is ZoneAlarm. It is considered one of the easiest firewalls to use. Other free firewalls
available are Sunbelt Kerio Personal, Sygate Personal, and OutPost Personal Firewall.
Clean that junk!
After some time of PC usage, junk/temp files accumulate and use up necessary space, so it's necessary to
clean them up regularly. CleanUp! and CCleaner are very good free cleaners. They clean every bit of junk
out of the system. Run them before shutting down your PC or on boot. Another good junk cleaner is GLock
Temp Cleaner. Along with cleaning junk files, this one has an extra feature: it lists all the archives present in
the system, and can delete unwanted archives.
When most software is installed on a PC, it makes registry entries. Registry entries are often created to
remember the user's preferences, like recently opened files. These entries should be removed when the
associated software is removed. But often this doesn't happen, which leads to the accumulation of a large
number of junk entries in the registry. This degrades system performance. This is where registry cleaners
come into the picture.
RegCleaner is one of the best free registry cleaners available. Apart from cleaning, it has plenty of other
features like startup information, file type editing etc.
Besides the standard antivirus, antispyware and similar tools, which are mainly but not completely based on
signature-based methods and corresponding heuristics, there are other types of security software that provide even
more protection but can be somewhat difficult to use. Most of these can be classified as behavioral blockers,
sandboxing software, or virtualization. Please refer to those pages for more information.
Retrieved from "http://wiki.castlecops.com/Roll_your_own_Free_Security_Suite"