Malware Removal and Prevention
Malware Removal and Prevention: Overview
From CastleCopsWiki

Symantec has developed a detection and removal tool for the Blackworm (aka Kama Sutra) worm. For more information and removal links, please visit here. Then return to complete the remainder of Malware Removal.

1. Perform a reference (preliminary) HijackThis scan.
2. Winfixer / WinAntiSpyware / WinAntiVirus popups / Virtumundo victims only: please follow the Virtumundo Removal Instructions.
3. Windows 2K/XP - Titan Shield / SpySheriff / SpyFalcon / SpywareQuake / SpyAxe victims only: please follow the SpySheriff / SpyFalcon / SpywareQuake / SpyAxe / Smitfraud Removal Instructions instead of steps 4-8 below.
4. Next stop: the Control Panel - Add/Remove Programs.
5. Temporarily disable real-time monitoring programs (they can block or slow the scanners below; re-enable them as soon as the scans are finished).

Now please complete the following automatic malware detection and removal steps:

6. Clean the clutter:
   o Crap Cleaner
7. Antispyware scanners - run at least one, preferably two, if your system is functioning well enough:
   o Ad-Aware
   o SpyBot S&D
   o Windows Defender Beta 2 (Win2K and XP with all service packs applied) - this scanner will remove the Sony XCP DRM rootkit
8. Antiviral scans - run at least one
9. AntiTrojan scans - run one:
   o ewido Security Suite trial download (Win2K and XP)
   o TrojanHunter trial download

You will have completed the automated malware removal process once you have followed the above steps. We sincerely hope that your computer problems have been resolved to your satisfaction once you've reached this point. Even if you think your computer is now "clean", some additional steps are advisable to further ensure the security of your computer. Please consult How to Prevent Reinfection for further details.

10. Only if your computer problems persist, consider Getting Expert Help With Your HijackThis Log.

How to Prevent Reinfection
From CastleCopsWiki

Once your system is satisfactorily cleaned, be sure to follow these guidelines to prevent a reinfection.

XP and ME System Restore Points

If you are using Windows XP or ME, you need to SET A NEW RESTORE POINT with System Restore. This gives you a known-clean point to return to, and prevents the possibility of reinfecting yourself by restoring your system from a restore point that still contains the infected files. Older restore points made while the machine was infected can still carry the malware, so do not restore to any point dated before the clean-up (or purge them by turning System Restore off and back on, which deletes all existing restore points). To set a new restore point:

System reference:
   o Windows XP: Creating a System Restore Point
   o Windows ME: When to Create and Use Manual Restore Points

The new restore point will be stamped with the current date and time. Keep a log of this for your records so you can find it easily should you need to use System Restore.

Windows Updates
To reduce your exposure to infection and ensure your system's security, be sure your computer is set to update your operating system and Internet Explorer automatically.

Windows ME, 2000 & XP: right-click the My Computer icon on your desktop, click Properties and then the Automatic Updates tab. To enable automatic updating, check either the first or second option:

1. The first option enables full Automatic Updating: Windows will both download and install updates automatically. This option requires you to set the time at which they install; make sure this is a convenient time when your computer will be ON.
2. The second option downloads updates automatically and then lets you decide when to install them.

Select whichever alternative is best for you.

Occasionally, even though your computer is set to update automatically, you may have a problem getting updates to download. There are many reasons this can occur, so to be safe, always check that you have the latest critical updates and patches from the Windows Update website. Microsoft releases new updates to patch vulnerabilities that malware may exploit on the second Tuesday of each month, so time your visits to the Windows Update site accordingly. The 12/13/2005 Windows Update release contains a Cumulative Security Update for Internet Explorer for Windows XP with the maximum severity rating: Critical.

Remember, Windows Updates improve your system's overall integrity and security, so be sure to verify that the update feature is functioning properly on your computer.

Windows Updates Troubleshooting

If you find you are unable to download updates, automatically or manually, from the Windows Update website, then chances are our Windows Update Fix may remedy the problem. The Fix consists of a few preparation steps and a batch script that you can download and run to automatically correct the most common problems associated with being unable to download Windows Updates. It addresses and rectifies an assortment of documented Windows Update errors, so give it a try.

Windows XP Service Pack 2 is cumulative, meaning it includes Service Pack 1 and all updates predating SP2's release. Although Service Pack 2 was released over a year ago, some of you may not have updated to it yet. Installing Service Pack 2 should NOT be performed until you have ensured your system is fully cleaned of all viruses and malware; this is the procedure Microsoft recommends before installing SP2. Some computers lock up when SP2 is installed with certain spyware in residence, and spyware programs can interfere with the new security features that SP2 enables by default. For a complete discussion of all necessary precautions see: What to Know Before You Download and Install Windows XP Service Pack 2.
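As an added example (not part of the CastleCops page), here is the restore-point and Automatic Updates advice above expressed as a Windows PowerShell script you can run after a clean-up. It assumes Windows PowerShell 5.1 on a client edition of Windows, an elevated prompt, and the documented AUOptions registry values (1 disabled, 2 notify before download, 3 download then notify, 4 download and install on schedule); the log-file name is an arbitrary choice.

```powershell
# Added example, not part of the CastleCops page. Windows PowerShell 5.1, elevated.
# Checkpoint-Computer / Get-ComputerRestorePoint exist only in Windows PowerShell
# (not PowerShell 7) and only on client editions of Windows.

function New-CleanRestorePoint {
    # Create the "known clean" restore point the page asks for and append its
    # sequence number, timestamp and description to a log file for later reference.
    param([string]$LogPath = (Join-Path $env:USERPROFILE 'restore-point-log.txt'))

    $desc = 'Post malware clean-up ' + (Get-Date -Format 'yyyy-MM-dd HH:mm')
    Checkpoint-Computer -Description $desc -RestorePointType MODIFY_SETTINGS

    # Windows 8 and later refuse a second checkpoint within 24 hours (the cmdlet
    # only warns), so confirm that the newest point really is ours.
    $latest = Get-ComputerRestorePoint | Sort-Object SequenceNumber | Select-Object -Last 1
    if ($latest.Description -ne $desc) {
        Write-Warning "Restore point was not created; newest point is '$($latest.Description)'."
        return $null
    }
    $when = $latest.ConvertToDateTime($latest.CreationTime)
    Add-Content -Path $LogPath -Value ("{0}`t{1}`t{2}" -f $latest.SequenceNumber, $when, $desc)
    return $latest
}

function Get-AutomaticUpdateSetting {
    # Read the Automatic Updates mode. A domain/local policy, if present, overrides
    # the per-machine setting, so look at the policy key first.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    $localKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
    $key = if (Test-Path $policyKey) { $policyKey } else { $localKey }
    $au  = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).AUOptions

    $meaning = switch ([int]$au) {      # [int] so a missing value falls to 'default'
        1 { 'Automatic Updates disabled' }
        2 { 'Notify before download' }
        3 { 'Download automatically, notify before install (option 2 on the page)' }
        4 { 'Download and install automatically on a schedule (option 1 on the page)' }
        default { 'Not configured or unknown value' }
    }
    $svc = Get-Service -Name wuauserv -ErrorAction SilentlyContinue

    [pscustomobject]@{
        SettingSource = $key
        AUOptions     = $au
        Meaning       = $meaning
        ServiceStart  = if ($svc) { $svc.StartType } else { 'service missing' }
        Acceptable    = ($au -in 3, 4) -and $svc -and ($svc.StartType -ne 'Disabled')
    }
}

function Get-RecentHotFix {
    # The page's "check you have the latest critical updates": what was installed
    # last, and when. A last install older than one patch cycle deserves a manual
    # visit to Windows Update.
    param([int]$Count = 5)
    Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First $Count HotFixID, Description, InstalledOn
}

# Usage (elevated prompt):
New-CleanRestorePoint
Get-AutomaticUpdateSetting | Format-List
Get-RecentHotFix
```

Acceptable is only true for the two modes the page recommends (3 or 4) with the update service not disabled; anything else, or a policy key pointing elsewhere, is worth a manual check before trusting the machine to patch itself.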
Updating Your Security Programs

Because new threats are continually introduced, a security application is only effective if it is updated regularly. Checking for updates can be simplified by using the calendar provided at the Calendar of Updates website, which is revised daily.

Blocking Unwanted Parasites with a Hosts File

Read the discussion about installing a blocking hosts file and download the #1 rated MVPS hosts file. Another variation on the same theme: What is the Hosts file?

Installing Preventive Security Programs

Although these two programs are mentioned elsewhere in our Tips for Safer Surfing, they are important enough to deserve special mention here. Neither of them runs in the background, so they will not consume valuable system resources; be sure to install them ASAP:

• SpywareBlaster: SpywareBlaster will block bad ActiveX controls and harmful cookies from getting onto your PC in the first place. Just download and install the program. Open SpywareBlaster, check for and download updates, then "select all" to protect against all items checked. That's it! Just return to check for updates every couple of weeks.
• IE-SPYAD: IE-SPYAD adds a long list of sites and domains associated with known advertisers, marketers, and hijackers to the Restricted sites zone of Internet Explorer. Doing this will block drive-by downloads, cookies, homepage hijacks, and JavaScript-based advertisements associated with these restricted sites. There are a few different versions, so please refer to the information at the developer's website.

Tips for Safer Surfing

1. Read Tony Klein's "So how did I get infected in the first place?"
2. ALWAYS surf with an active Internet firewall. The Windows (XP SP2) firewall does not provide outbound protection (later Windows versions can filter outbound traffic, but allow it by default), whereas ZoneAlarm® FREE and Sygate Personal Firewall 5.x FREE will filter both inbound and outbound traffic.
3. Use only reputable antispyware and security programs: consult the Rogue/Suspect Anti-Spyware Program List first, before you download. Do not click on any random solicitations to "Scan your system for spyware".
4. Do not download any attachments from unsolicited email, or even unexpected attachments from known contacts.
5. Never provide sensitive personal information (SSN, financial account numbers) in response to an email request.
6. Do NOT click on popup ads or download any anonymous software; Google it first and read reviews.
7. Download all software from the vendor/developer site whenever possible (third-party sites may distribute bundled adware).
8. If you are a Skype user, please read the tips on how to safely use Skype at the bottom of the page and pay particular attention to the "Article 4 - Permission to Utilize" section of the EULA (end user license agreement).
9. Set Safe Configurations for Internet Explorer and acquaint yourself with the Internet Explorer Security Zones.
10. Read these suggested Safe Configurations for Firefox.
11. Read about cookie management in The Unofficial Cookie FAQ.
12. Wireless Network Security For The Home.
13. Browse through PC Magazine's 80 Super Security Tips.
14. Although CastleCops does not condone or recommend the use of peer-to-peer file sharing software, if you must use it, use it wisely:
   1. Please read these recommendations provided by Mike Healan regarding the safest P2P file-sharing programs available.
   2. You may also refer to this list compiled by the Malware Removal Forum, which details Clean/Infected P2P Programs.
   3. Remove any adware/spyware programs which were bundled with your file-sharing program.
   4. Adjust your file-sharing program's settings so it does NOT automatically run at Windows startup.
   5. Adjust your file-sharing program's settings so it does NOT allow others on the P2P network open access to downloads from your computer.
   6. Close your file-sharing program when you are not actively using it.

Roll your own Free Security Suite

The most important step is to secure your system against future malware attacks. And it doesn't have to be costly. You can actually Roll your own Free Security Suite!

Become an Informed Surfer

There is a very important resource which will help you to avoid becoming a victim of cyber fraud. The latest Security Labs Trends report will make you fully aware of what cyber scams are out there and what you should be on the lookout for to protect yourself in 2006.
HijackThis Tutorial - for those who want to know more

Now that you are clean, if you are fascinated by how this powerful tool, HijackThis, works, you may read this excellent HijackThis Tutorial. It describes what each of the individual HijackThis log entries means. Gaining knowledge is great and there is a lot of information there, but when it comes to actually fixing entries in your log, remember that it is still a job better left to the experts in the HijackThis forum.
Roll your own Free Security Suite
From CastleCopsWiki

A "system security suite" is one which bundles all the required tools for complete system protection: anti-virus, firewall, anti-spyware, file cleaners, registry cleaners, etc. But the security suites you find online are usually commercial software. How about making, or rather "assembling", your own security suite that contains all the required tools? The tools are very efficient and powerful. But best of all, your security suite is completely FREE! Read on...

Anti-Virus

Well, viruses need no introduction, do they? To battle them you need an anti-virus! AVG 7 Free AntiVirus is one of the few full-fledged free anti-viruses. Full-fledged AV means that it should at least have a real-time scanner, an on-demand scanner and automatic updates. AVG satisfies all of the above conditions and has good virus detection, a good feature set, quick updates, and is also very light on resources. AVG's real-time background scanner will block most viruses, worms and Trojans before they get a foothold, though no scanner catches everything, which is why the layers below still matter. Other free anti-virus programs which are equally good are AntiVir and Avast Home Edition.

AntiSpyware

Spyware, adware, and hijackers can do major damage to your system. Notorious malware like CoolWebSearch is very hard to remove and is not detected, or not completely removed, by anti-virus programs. This calls for a special dedicated tool: anti-spyware! Ad-Aware and SpyBot Search and Destroy are very good anti-spyware programs which have large, frequently updated malware databases. SpyBot S&D has one cool tool built into it called TeaTimer. TeaTimer monitors the system continuously, protecting system files and the registry from malware. SpyBot S&D also adds a browser helper object (BHO) to Internet Explorer; with it, SpyBot S&D automatically blocks bad downloads (like the installation of ActiveX components or other BHOs installed by spyware without the user's knowledge). These two programs are a "must have" on every computer.

Another good tool is Windows Defender, which works on Windows 2000 & XP. It is still in beta, but is based on an established anti-spyware program known as Giant AntiSpyware. Windows Defender (previously Microsoft AntiSpyware) has an extremely effective real-time protection component which monitors 58 security checkpoints on your computer to prevent unauthorized changes.

SpywareGuard is a small, real-time bad-download protection tool. It actively monitors Internet Explorer and blocks any malicious ActiveX components, BHOs, and tracking cookies.

Anti-Trojan

Not all Trojan horses are detected by anti-virus and anti-spyware programs, so you should have software that specializes in the removal of Trojans. So-called back door Trojans open up your PC from the inside to attackers, which enables the person/website who sent the Trojan to monitor your PC. An even worse variant is the so-called RAT, short for Remote Administration Tool, which enables an attacker to control your PC. a2 Free is one of the best free anti-Trojan (and anti-malware) programs available. The free version has only an on-demand scanner and does not provide real-time protection. Another good anti-Trojan available for free is Ewido. It comes with a 14-day trial period, after which the special features (automatic updating, real-time protection and premium support) are disabled, but the basic version can continue to be used for free. It's advisable to have both these scanners.

Immunize!

The above software detects and removes viruses and malware already present on the PC, but (except for a real-time AV scanner, to a certain extent) cannot prevent them from sneaking into your system in the first place. SpywareBlaster prevents the installation of known malware onto your system. SpywareBlaster is a tool that is run once, rather than running continually in the background. Its working principle is as follows: many spyware programs and hijackers install themselves as ActiveX controls, which are identified in the registry by CLSIDs. SpywareBlaster has a database of these bad CLSIDs. When you run SpywareBlaster, it sets the "kill bit" for each bad CLSID. This tells Internet Explorer never to load a control with that CLSID, so a web page cannot install or script it, which prevents the spyware from installing. (The kill bit only closes the browser route; it does not stop an already-installed program that is started some other way.) SpyBot S&D has a similar feature. SpywareBlaster also has a minor feature of importing a list of blacklisted cookies into Firefox. If you need help understanding how to use SpywareBlaster to protect your computer, please refer to this tutorial.

IE-SPYAD puts many bad web sites on your Restricted sites zone list. This means that you can still view the "bad" web pages, but they run in your Restricted zone and are restricted from carrying out dangerous activities (scripting, ActiveX and file downloads are disabled in that zone by default). SpywareBlaster also has a similar feature. If you need help understanding how it works, please refer to the tutorial.

Make your Internet Explorer more secure

This can be done by following these simple instructions:
1. From within Internet Explorer click on the Tools menu and then click on Internet Options.
2. Click once on the Security tab.
3. Click once on the Internet icon so it becomes highlighted.
4. Click once on the Custom Level button.
5. Change "Download signed ActiveX controls" to Prompt.
6. Change "Download unsigned ActiveX controls" to Disable.
7. Change "Initialize and script ActiveX controls not marked as safe" to Disable.
8. Change "Installation of desktop items" to Prompt.
9. Change "Launching programs and files in an IFRAME" to Prompt.
10. Change "Navigate sub-frames across different domains" to Prompt.
11. Change "Allow paste operations via script" to Disable.
12. When all these settings have been made, click on the OK button.
13. If it prompts you as to whether or not you want to save the settings, press the Yes button.
14. Next press the Apply button and then OK to exit the Internet Properties page.

Hosts file

• All Windows systems include a hosts file which, by default, contains only the localhost entry.
• It was originally meant to speed up the mapping of domain names to IP addresses, since the file is consulted before any DNS query is sent.
• We can customize the hosts file so that it blocks certain web sites by mapping their names to an address that will never serve the content (the loopback address, 127.0.0.1), so the page does not load.
• However, a large list can slow down slower computers. Users of Windows 2000 and XP should follow the instructions below to avoid slowdowns.

HOSTS file download sources: here or here. Make sure you read the instructions on how to install the hosts file. There is a good tutorial: here.

If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
   a. Click the Start button (at the lower left-hand corner of your screen).
   b. Click Run.
   c. In the dialog box, type services.msc.
   d. Hit Enter, then locate DNS Client.
   e. Highlight it, then double-click it.
   f. In the Startup type drop-down box, change the setting from Automatic to Manual.
   g. Click OK.

Firewall

There are many (65535!) virtual ports in a computer, for TCP and again for UDP. Each port is either open, closed, or filtered (often called blocked or stealthed). Ports are generally open because they are held open by an application that is listening on that port. Most of these programs are servers. While most home users have little reason to run servers, by default Windows 2000 and XP run several services which keep ports open. It must also be noted that some programs such as P2P sharing, some IM services, or online games will also often require open ports. When such ports are open with applications listening behind them, an attacker has an opportunity to exploit weaknesses in the application to cause damage to your system. Similarly, worms like Sasser exploit weaknesses found in Windows services to spread, by port-scanning for vulnerable machines on TCP 445. To prevent these port scans and other malicious attacks, a firewall should be installed. Firewalls act as a barrier between your PC and the Internet: they filter the data that is being transmitted and received, and unless otherwise configured they drop unsolicited inbound connections to the open ports, so a port scan finds nothing to attack. A popular free firewall is ZoneAlarm; it is considered one of the easiest firewalls to use. Other free firewalls available are Sunbelt Kerio Personal, Sygate Personal, and Outpost Personal Firewall.

Clean that junk!

After some time of PC usage, junk/temp files accumulate and use up needed space, so it is necessary to clean them up regularly. CleanUp! and CCleaner are very good free cleaners. They clean every bit of junk out of the system. Run them before shutting down your PC or on boot. Another good junk cleaner is GLock Temp Cleaner. Along with cleaning junk files, this one has an extra feature: it lists all the archives present on the system and can delete unwanted archives.

Registry Cleaner

When most software is installed on a PC, it makes registry entries. Registry entries are often created to remember the user's preferences, like recently opened files. These entries should be removed when the associated software is removed, but often this doesn't happen, which leads to the accumulation of a large number of junk entries in the registry. This degrades system performance. This is where registry cleaners come into the picture. RegCleaner is one of the best free registry cleaners available. Apart from cleaning, it has plenty of other features like startup information, file type editing, etc. Whatever cleaner you use, set a new restore point (see above) before letting it delete anything, since a wrongly removed entry can break an installed program.

Advanced tools

Besides the standard antivirus, antispyware, etc. tools, which are mainly but not completely based on signature-based methods and corresponding heuristics, there are other types of security software that provide even more protection but can be somewhat difficult to use. Most of these can be classified as behavioral blockers, sandboxing software, or virtualization. Please refer to those pages for more information.
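The Immunize section and the Internet Explorer custom-level steps above all come down to registry values that Internet Explorer reads. The following Windows PowerShell, added here as an illustration and not code from the CastleCops page, SpywareBlaster or IE-SPYAD, sets a kill bit for one CLSID, places one domain in the Restricted sites zone, applies the seven custom-level settings to the Internet zone, and audits them afterwards. The CLSID and domain are placeholders; the action identifiers (1001, 1004, 1201, 1407, 1607, 1800, 1804) and zone numbers are the ones Microsoft documents for the Internet Settings zones, but verify them on your build before rolling this out, and note that a policy-managed machine may keep these values under HKLM instead of HKCU.

```powershell
# Added example, not code from the CastleCops page, SpywareBlaster or IE-SPYAD.
# Windows PowerShell, elevated (the kill-bit key is under HKLM). CLSID and domain in
# the usage lines are placeholders; verify the action IDs against Microsoft's
# zone-settings documentation before deploying.

$KillBitFlag = 0x400   # "Compatibility Flags" bit that tells IE never to load the control
$ActiveXCompat = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'  # 32-bit IE on 64-bit Windows
)

function Set-ActiveXKillBit {
    # What SpywareBlaster does for every CLSID in its database: OR the kill bit into
    # the control's Compatibility Flags, keeping any other flags already present.
    param([Parameter(Mandatory)][guid]$Clsid)
    foreach ($base in $ActiveXCompat) {
        if (-not (Test-Path (Split-Path $base -Parent))) { continue }   # no Wow6432Node on 32-bit
        $key = Join-Path $base ($Clsid.ToString('B'))                    # {xxxxxxxx-...} form
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        $cur = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
        New-ItemProperty -Path $key -Name 'Compatibility Flags' -PropertyType DWord `
            -Value ([int]$cur -bor $KillBitFlag) -Force | Out-Null
    }
}

function Test-ActiveXKillBit {
    param([Parameter(Mandatory)][guid]$Clsid)
    $key   = Join-Path $ActiveXCompat[0] ($Clsid.ToString('B'))
    $flags = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
    return (([int]$flags -band $KillBitFlag) -eq $KillBitFlag)
}

function Add-RestrictedSite {
    # What IE-SPYAD does for every domain on its list: map the domain into zone 4
    # (Restricted sites) for the current user. The "*" value covers every scheme.
    # Zone numbers: 0 My Computer, 1 Local intranet, 2 Trusted, 3 Internet, 4 Restricted.
    param([Parameter(Mandatory)][string]$Domain)
    $key = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$Domain"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name '*' -PropertyType DWord -Value 4 -Force | Out-Null
}

# The 14-step Custom Level procedure above, as registry values for zone 3 (Internet).
# Values: 0 = Enable, 1 = Prompt, 3 = Disable.
$InternetZone = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$HardenedActions = [ordered]@{
    '1001' = 1   # Download signed ActiveX controls                 -> Prompt
    '1004' = 3   # Download unsigned ActiveX controls               -> Disable
    '1201' = 3   # Initialize and script ActiveX not marked as safe -> Disable
    '1800' = 1   # Installation of desktop items                    -> Prompt
    '1804' = 1   # Launching programs and files in an IFRAME        -> Prompt
    '1607' = 1   # Navigate sub-frames across different domains     -> Prompt
    '1407' = 3   # Allow paste operations via script                -> Disable
}

function Set-InternetZoneHardening {
    foreach ($id in $HardenedActions.Keys) {
        Set-ItemProperty -Path $InternetZone -Name $id -Type DWord -Value $HardenedActions[$id]
    }
}

function Get-InternetZoneDrift {
    # Audit: report every action whose current value is not the hardened target.
    # Worth re-running later, because spyware (and some installers) reset these.
    $props = Get-ItemProperty -Path $InternetZone
    foreach ($id in $HardenedActions.Keys) {
        $cur = $props.$id
        if ($cur -ne $HardenedActions[$id]) {
            [pscustomobject]@{ Action = $id; Current = $cur; Wanted = $HardenedActions[$id] }
        }
    }
}

# Usage (placeholders: replace the CLSID and domain with entries from a real blocklist):
Set-ActiveXKillBit -Clsid '00000000-0000-0000-0000-000000000000'
Test-ActiveXKillBit -Clsid '00000000-0000-0000-0000-000000000000'
Add-RestrictedSite -Domain 'adserver.example'
Set-InternetZoneHardening
Get-InternetZoneDrift          # no output means every action matches the target
```

Get-InternetZoneDrift is the part worth keeping around: the GUI procedure sets the values once, and a later installer or a piece of spyware can quietly reset them, which a periodic audit catches.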
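For the hosts-file section above (and the earlier "Blocking Unwanted Parasites with a Hosts File" section), here is an added Windows PowerShell example, not code from the page or from the MVPS hosts project. It appends sink entries for domains not already in the file, flushes the resolver cache, confirms through the OS resolver that a name is now blocked, and attempts the DNS Client service change from step g. The domain names are placeholders; using 0.0.0.0 rather than the page's 127.0.0.1 as the sink is an assumption explained in the comments.

```powershell
# Added example, not code from the CastleCops page or the MVPS hosts project.
# Windows PowerShell, elevated (the hosts file is writable only by administrators).
# The domains in the usage lines are placeholders.

$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$BlockMark = '# blocked'   # tag on every line we add, so they can be found or removed later
# The page describes pointing names at the loopback address (127.0.0.1). 0.0.0.0 is the
# variant most blocklists use today: nothing can listen there, so a blocked request
# fails at once instead of waiting on whatever web server may be bound to loopback.
$SinkAddress = '0.0.0.0'

function Get-HostsNames {
    # Every host name already mapped in the file (comments and blank lines ignored),
    # keyed by lower-cased name, value = the address it maps to.
    param([string]$Path = $HostsPath)
    $names = @{}
    foreach ($line in (Get-Content -Path $Path -ErrorAction Stop)) {
        $text = ($line -split '#', 2)[0].Trim()       # strip trailing comment
        if (-not $text) { continue }
        $parts = $text -split '\s+'                    # address, then one or more names
        for ($i = 1; $i -lt $parts.Count; $i++) { $names[$parts[$i].ToLowerInvariant()] = $parts[0] }
    }
    return $names
}

function Add-HostsBlock {
    # Append a sink entry for each domain not already present; returns the number added.
    param([Parameter(Mandatory)][string[]]$Domain, [string]$Path = $HostsPath)
    $known = Get-HostsNames -Path $Path
    $new = @()
    foreach ($d in $Domain) {
        $d = $d.Trim().ToLowerInvariant()
        if (-not $d -or $known.ContainsKey($d)) { continue }
        $new += "$SinkAddress`t$d`t$BlockMark"
        $known[$d] = $SinkAddress
    }
    if ($new.Count -gt 0) {
        Add-Content -Path $Path -Value $new -Encoding Ascii   # hosts must stay plain ASCII/ANSI
        ipconfig /flushdns | Out-Null                         # drop cached answers for those names
    }
    return $new.Count
}

function Test-HostsBlock {
    # Resolve through the OS resolver, which consults the hosts file before DNS:
    # a blocked name comes back as the sink address.
    param([Parameter(Mandatory)][string]$Domain)
    try { $addrs = [System.Net.Dns]::GetHostAddresses($Domain) } catch { return $false }
    return [bool]($addrs | Where-Object { $_.ToString() -in $SinkAddress, '127.0.0.1' })
}

function Set-DnsClientManual {
    # Step g of the page (Windows 2000/XP): with a large hosts file the DNS Client
    # service's cache rebuild slows the machine, so switch it to Manual. On newer
    # Windows the Dnscache service is protected and the change is refused; report that.
    $svc = Get-Service -Name Dnscache -ErrorAction SilentlyContinue
    if (-not $svc) { return }
    try   { Set-Service -Name Dnscache -StartupType Manual -ErrorAction Stop }
    catch { Write-Warning "Could not set DNS Client to Manual: $($_.Exception.Message)" }
}

# Usage (placeholder domains):
Add-HostsBlock -Domain 'tracker.example', 'adserver.example'
Test-HostsBlock -Domain 'tracker.example'
Set-DnsClientManual
```

Two practical notes: the resolver cache is why a freshly edited hosts file sometimes "does not work" until ipconfig /flushdns has run, and tagging the added lines with a marker is what makes it possible to remove your own entries later without disturbing the rest of a downloaded list.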
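The firewall section explains that an open port is simply an application listening, and that worms such as Sasser scanned for such listeners. As an added example (not from the CastleCops page), this Windows PowerShell inventories the listening TCP sockets together with their owning process, flags the worm-era ports when they are reachable from every interface, and reports the Windows Firewall default actions per profile. It assumes Windows 8/Server 2012 or later (for Get-NetTCPConnection and Get-NetFirewallProfile) and an elevated prompt; the port list is mine.

```powershell
# Added example, not code from the CastleCops page. Windows 8 / Server 2012 or later;
# run elevated so the owning process of every socket, including services, can be named.

function Get-ListeningInventory {
    # One row per listening TCP socket: which process holds the port open, and whether
    # it is bound to every interface (reachable from the network) or only to loopback.
    $byPid = @{}
    foreach ($p in Get-Process) { $byPid[$p.Id] = $p }
    Get-NetTCPConnection -State Listen | ForEach-Object {
        $owner = $byPid[[int]$_.OwningProcess]
        [pscustomobject]@{
            LocalAddress  = $_.LocalAddress
            Port          = $_.LocalPort
            ProcessId     = $_.OwningProcess
            Process       = if ($owner) { $owner.ProcessName } else { '?' }
            Path          = if ($owner) { try { $owner.Path } catch { $null } } else { $null }
            AllInterfaces = ($_.LocalAddress -in '0.0.0.0', '::')
        }
    } | Sort-Object Port, LocalAddress
}

# Ports the page's worm example scanned for, plus its neighbours: 445 (SMB, Sasser),
# 135 (RPC, Blaster), 139 (NetBIOS session). Any of these listening on all interfaces
# without a firewall in front is exactly the exposure the page warns about.
$WormPorts = 135, 139, 445

function Get-ExposedWormPorts {
    Get-ListeningInventory | Where-Object { $_.AllInterfaces -and ($_.Port -in $WormPorts) }
}

function Get-FirewallPosture {
    # Per profile: is the firewall on, and what happens to traffic no rule matches.
    # NotConfigured means the built-in default: Block inbound, Allow outbound. So the
    # page's note that Windows Firewall has no outbound protection is out of date, but
    # outbound traffic is still allowed unless you change DefaultOutboundAction.
    Get-NetFirewallProfile |
        Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction
}

function Test-FirewallBaseline {
    # True only if every profile is enabled and unsolicited inbound traffic is blocked
    # by default (explicitly, or via NotConfigured).
    $bad = Get-NetFirewallProfile | Where-Object {
        -not $_.Enabled -or ($_.DefaultInboundAction -notin 'Block', 'NotConfigured')
    }
    return (@($bad).Count -eq 0)
}

# Usage (elevated prompt):
Get-ListeningInventory | Format-Table -AutoSize
Get-ExposedWormPorts
Get-FirewallPosture
Test-FirewallBaseline
```

Read the inventory the way the page describes the problem: every row is a program that would be reachable if the firewall were off, and the Path column tells you whether that program is one you installed or something that arrived with the infection.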