howto-security

Root out hidden infections with HijackThis

Editors' note: This article was first published on February 27, 2008, and was titled, "Clean your PC with Trend Micro HijackThis." It was updated on May 21, 2009.

Malware has gotten more sophisticated at hiding its tracks compared with a few years ago. Adware, it seems, with its pop-ups and unwanted browser toolbars, has taken a backseat to the sly, ever-dangerous, and much more lucrative realm of the botnet, also known as that class of malware that conscripts your computer into an army of spam-spewing zombies, or worse.

If you suspect your Windows computer may be compromised, you should always try running standard adware-removal programs first. Ad-Aware and Avira AntiVir Personal Free are two good starts. If they can't seem to keep the nasties at bay, Trend Micro HijackThis digs deep. For most users, HijackThis serves as diagnostic software for Windows XP (with high compatibility for Vista) that creates a log of your Windows Registry and file settings. It is not a spyware removal tool. However, its capability to identify commonly abused methods of altering your computer can help you (and the Internet community) determine your next course of action.

Step 1: Install it

Version 2.0.2 of HijackThis contains an installer, unlike the previous version that launched from a ZIP file or EXE. If you're using that legacy version, be sure to update. You'll find that this build also adds a desktop icon for quick-launching.

Step 2: Scan your system

Trend Micro HijackThis opens with a simple interface that offers limited instruction. Running the program and interpreting its results can be confusing. Click either of the two "system scan" buttons to bring up a list of registry and file entries. Expect to see a mess of entries--even a Firefox plug-in on a completely healthy computer can produce multiple listings. If you choose to scan the system only, you can still save a record after the scan by selecting the "Save log" button on the bottom left. This will save the log as a plain text document that you'll be able to open in Notepad.

Step 3: Identify problems

Here's the rub--now that you've got a long list of your computer's contents, how do you determine which results are critical, and which benign?

There are a few determining factors. Some entries may be obviously tied to a legitimate program you installed. A browser helper object like Adobe PDF Reader Link Helper is clearly harmless and installs with the Adobe Reader application. Listings like these you can ignore or can add to the Ignore List to bypass in future scans. To excuse any entry from showing up in the results list in the future, click the adjacent box to add a check mark and choose the button reading "Add checked to ignorelist." See it in action in this video (Note: The video accurately demonstrates using the ignore list on a previous version of HijackThis.)… Read more

9 tips for avoiding suspicious Web sites

Editor's Note: This article was updated on 5/8/09 from a previous version published on 3/3/08, and the original, published on 12/15/06.

No matter how you arrive at an unsafe Web site, it's all downhill from there. Phishers will attempt to coerce you into disclosing your address, credit card number, or social security number. Or maybe adware engines will start sprouting pop-ups over your screen like a field of clover. Worse, your computer may become part of a botnet, its processing power used to send spam and infections to others, possibly even in … Read more

New scareware sends you to fake Download.com reviews

Last week, BleepingComputer.com reported on how to remove a new variant of an old scareware. This new nasty, known most commonly as Antivirus2010 or Anti-Virus-1, points you to spoofed versions of Download.com, ZDNet, PCMag.com, and other software sites, demanding that you download their program to clean your computer. Of course, it does nothing of the sort, merely perpetuating the infection.

However, the manner and methods Anti-Virus-1 uses to get you there are extremely clever. The infection part of the malware does whatever it's been designed to do, so you can see that you've been infected … Read more

How to use AVG Anti-Virus Free Edition 8.0

If you're thinking of switching to free antivirus protection, or are looking for a different program to try, AVG Anti-Virus Free Edition is a rock-solid choice. Incidentally, it's also the most-downloaded security application on CNET Download.com.

Yet, it's not enough to follow the crowd. What if you dislike the interface? Or decide that the free edition doesn't give you as comprehensive a protection package as you'd like? These things happen, you know.

Hence this slide show, which attempts to take the guesswork out of scouting for a new application or starting up AVG Anti-Virus … Read more

How to remove Antivirus XP 2008

Update: Revised instructions to include folder deletion.

Antivirus XP 2008 is back, unfortunately. It's not an antivirus app, but a cleverly disguised rogue security application that tries to get you to buy the non-existent "security" it's selling. Advertised using the common tricks of Trojans and faux security alerts, this nasty piece of malware can take over your desktop settings to mimic safe mode, display fake virus detections, and open a faux Internet Explorer window stating that Google has detected a malware infection.

Yeah, Google.

Apparently, though, the virus is now being spread in more insidious ways, … Read more

Quick Tip: Closing pop-ups the safe way

Confronting a pop-up is one of those times when your gut reaction might lead you down the path of frustration and tears. If the "X" is spring-loaded with malware, anywhere you click on the pop-up could trigger that virus.

This is the path less traveled--the majority of pop-ups truly are the ads they appear to be--but when a pop-up does deliver malware, undoing the damage could be a tense, jittery journey. We get enough panicky Spyware Horror Story submissions to know that so-called button flips and booby-trapped Close buttons continue to deliver malicious payloads.

So what is the … Read more

How to use Spybot-Search & Destroy

Editor's note: This article, originally published by Brian Satterfield, was republished on 3/5/08.

These days, using only one antispyware program is like playing with fire: sooner or later, you're going to get burned. Since not all spyware-combat tools share identical databases, we recommend running as many tools as you can get your mitts on--and Spybot - Search & Destroy, a time-tested and free application, should be part of your arsenal. The program might not have as pretty a face as some of its competitors, but it's certainly adept at eradicating spyware. It also offers a wide variety of settings and tools for maintaining your security and privacy that might not be immediately obvious. Read on to get the lowdown on removing spyware with Spybot, and to get tips for using some of the program's most important features.

Step 1: Set it up

Some antispyware programs aren't highly customizable, but Spybot caters to the user by offering a number of tweaks. The app's primary screen emphasizes scanning your machine for threats and updating spyware definitions. If you switch from the default to the advanced mode from the Mode menu, though, you open up a world of options. The unobtrusive Settings button, located way down in the lower-left corner of the advanced window, contains tons of ways to fine-tune Spybot's behavior. This screen may at first appear overwhelming, but the Settings window lets you customize the app so it works for you.… Read more

Beat back that Trojan horse

Editor's note: This article was updated on February 21, 2008. The original was published on February 28, 2007.

Like its mythical namesake (dramatized in Lego), whatever crawls out of a digital Trojan horse will be a nasty surprise. A Trojan horse usually takes the form of an innocuous software program that unleashes a flood of malware or viruses after it's installed and run. Since attacks and ease of removal vary--an ad generator is easier to remove than a stealth rootkit--there's no one-size-fits-all solution. However, there are some common spyware removal techniques that can help you pick your way through the wreckage.

Reboot Windows in Safe Mode

What is Safe Mode? Safe Mode is a diet version of the Standard Mode of Windows that your computer ordinarily runs. Rebooting in Safe Mode loads minimal programs and disables most device drivers that manage hardware like CD drives and printers. The result is a more stable iteration of the Windows operating system that's better suited for disabling malware while you perform a system scan.

How do you use it? If you can, follow the necessary steps for a safe shutdown process and then reboot. When you restart Windows, as the screen begins to load, press F8 repeatedly until the Windows booting options appear. Select "Boot in Safe Mode" from the menu of options. Once in Safe Mode, you should be able to run your installed antispyware software with less interference from the malicious software that the Trojan brought onto your system.

System Restore

What is System Restore? System Restore strings out a safety net if everything goes kaput. Under default Windows settings, System Restore saves a snapshot of your computer configuration once a day and on major upgrades, which can be used to replace corrupted files. In the event of a Trojan attack, System Restore can revert Windows to a previous, uninfected state. It won't restore everything, like changes to your user profile, but it does reinstate biggies like your Registry and DLL cache.

When do you use it? When purging your computer of spyware, System Restore has an optimal time and place. You wouldn't want your computer including corrupted files as the reference point of the day, so it's important to disable System Restore before you start cleaning. You can reactivate it once your system is spick-and-span.

How do you use it? The paths for accessing System Restore differ by operating system. In Windows XP, disable System Restore by right-clicking My Computer and selecting Properties. Under the Performance tab, select File System, then the Troubleshooting tab, and finally check Disable System Restore. You'll be prompted to reboot. Follow these steps to uncheck the box before restoring your system.

To use System Restore after scrubbing your computer, choose Accessories from the program list in the Start menu. You'll find System Restore under System Tools.

This comprehensive article from TechRepublic demonstrates how to create and use System Restore in Windows Vista.

Scan with antivirus/antispyware apps

Downloading diagnostic and removal tools with an infected computer is a huge time sink--spyware can cripple your speed and Internet access. The Trojan's payload could prevent EXE files from downloading or launching. Also, malware can affect the performance of installed security software on your PC. If you store your antivirus/antispyware programs on a CD or flash drive, however, those malware-busting apps can commence their swashbuckling unhindered.… Read more

Insider Secrets: Don't get scammed by phishers

Responding to an urgent e-mail about your compromised bank account is tempting, almost involuntary. That's exactly what phishers are counting on when they link you to a false site and pump you for personal details. Learn how to skirt their tricks in this Insider Secrets video, and remind yourself of other ways to avoid suspicious Web sites that might not have your best intentions in mind.

How to use Ad-Aware 2007

Despite a notable backlash from some Ad-Aware SE fans, Ad-Aware 2007 is still a very powerful weapon in the fight against malicious software. Ad-Aware 2007 is bigger than its previous editions and it tends to use up more system resources. Most unfortunately, all of Ad-Aware 2007's premium (paid) features, and even applications such as Ad-Watch 2007 and the Host File Editor, are included with the free version, but are nonoperational. Despite those minor complaints, the new program did add valuable features, including support for multiple browsers, a Web privacy tool, and multilingual support (although French is the only available … Read more