
The Download Blog

May 21, 2009 4:01 PM PDT

Root out hidden infections with HijackThis

by Jessica Dolcourt

Editors' note: This article was first published on February 27, 2008, and was titled, "Clean your PC with Trend Micro HijackThis." It was updated on May 21, 2009.


Malware has gotten more sophisticated at hiding its tracks compared with a few years ago. Adware, it seems, with its pop-ups and unwanted browser toolbars, has taken a backseat to the sly, ever-dangerous, and much more lucrative realm of the botnet: the class of malware that conscripts your computer into an army of spam-spewing zombies, or worse.

If you suspect your Windows computer may be compromised, you should always try running standard adware-removal programs first. Ad-Aware and Avira AntiVir Personal Free are two good starts. If they can't seem to keep the nasties at bay, Trend Micro HijackThis digs deep. HijackThis is diagnostic software for Windows XP (with high compatibility for Vista) that creates a log of your Windows Registry and file settings. It is not a spyware removal tool. However, its capability to identify commonly abused methods of altering your computer can help you (and the Internet community) determine your next course of action.

Step 1: Install it

Version 2.0.2 of HijackThis contains an installer, unlike the previous version, which launched directly from a ZIP file or EXE. If you're using that legacy version, be sure to update. This build also installs a desktop icon for quick launching.

Step 2: Scan your system

If you scan without a log file, you can always create one later on.

Trend Micro HijackThis opens with a simple interface that offers limited instruction. Running the program and interpreting its results can be confusing. Click either of the two "system scan" buttons to bring up a list of registry and file entries. Expect to see a mess of entries--even a Firefox plug-in on a completely healthy computer can produce multiple listings. If you choose to scan the system only, you can still save a record after the scan by selecting the "Save log" button on the bottom left. This will save the log as a plain text document that you'll be able to open in Notepad.

Step 3: Identify problems


Add safe entries to the Ignore List to speed up future scans.

Here's the rub--now that you've got a long list of your computer's contents, how do you determine which results are critical, and which benign?

There are a few determining factors. Some entries may be obviously tied to a legitimate program you installed. A browser helper object like Adobe PDF Reader Link Helper is clearly harmless and installs with the Adobe Reader application. Listings like these you can ignore, or add to the Ignore List so they are bypassed in future scans. To excuse an entry from showing up in future results, click the adjacent box to add a check mark and choose the button reading "Add checked to ignorelist." See it in action in this video. (Note: The video demonstrates using the ignore list on a previous version of HijackThis.)

May 11, 2009 8:00 AM PDT

9 tips for avoiding suspicious Web sites

by Jessica Dolcourt

Editor's Note: This article was updated on 5/8/09 from a previous version published on 3/3/08, and the original, published on 12/15/06.

No matter how you arrive at an unsafe Web site, it's all downhill from there. Phishers will attempt to coerce you into disclosing your address, credit card number, or social security number. Or maybe adware engines will start sprouting pop-ups over your screen like a field of clover. Worse, your computer may become part of a botnet, its processing power used to send spam and infections to others, possibly even in your name. Here are nine telltale signs you're swimming in dangerous waters, with tips to help keep you firmly in the safety zone.

Before we dive in, take note of two tools that help warn you of dangerous sites. McAfee SiteAdvisor and AVG LinkScanner both assess the hazards of sites you visit, and both are available for Firefox and Internet Explorer. Online Armor is one firewall that scans sites in real time based on traceable patterns of malicious software behavior. Also check out our Security Starter Kit for an excellent set of tools that defend against potential threats.

Sign 1: Pop-up city
You click a search result and are suddenly bombarded with no fewer than 10 porn pop-ups. Back out immediately by right-clicking the pop-up in your task bar and selecting 'close' or by killing the EXE in your Task Manager. It might also help to press Alt-F4 to close your browser. Then run a malicious software scanner and remover to assess and fix the damage--Malwarebytes Anti-Malware is a good start.

EULAlyzer: it's a mouthful, but EULAlyzer's ease of use makes up for its awkward pronunciation. (Credit: CNET Networks)

Sign 2: Where's the EULA?
Rogue antivirus apps often scare you into parting with your credit card number by informing you that they've found bogus spyware on your machine. If you're about to sign up for or purchase a service and aren't prompted to accept an end-user license agreement, nor offered a privacy policy to view, treat that as a warning sign. Shady site proprietors often disclose their intentions in the privacy policy or EULA, so you should always read carefully! The free tool EULAlyzer (from the makers of SpywareBlaster) is a great help because it analyzes license agreements and notes any unusual or possibly dangerous language. An upgrade to the professional version is available for about $20.

Sign 3: Excessive firewall alerts
Your firewall repeatedly alerts you to file extensions you don't recognize and other suspicious anomalies. Once you've set your firewall to allow your most common programs, any alert should be taken seriously, and a string of warnings is a red flag that something is amiss. If you're not running a firewall, get one right now.

Sign 4: E-mail and instant message links phish for information
You follow a link embedded in an e-mail and arrive at a site that asks you to provide security information for an "important update." Misleading links are increasingly sent through instant messages under the guise of a contact's friendly tip. This variety is especially easy to fall for. If the page is asking for data or looks like a different destination than the link implied, pull yourself out of autopilot and start taking screenshots. Contact the company for verification before taking any action, and check the Federal Trade Commission's alert board.

Sign 5: The site's URL and e-mail don't match
Any case in which a site's URL doesn't match the contact's e-mail address should raise an alarm. Most legitimate companies provide their employees with a corporate e-mail account. This doesn't mean, however, that you can automatically trust sites where the two align. Illegitimate companies can purchase domain names as easily as legitimate companies.

Phishing link sent through Yahoo IM. (Credit: CNET Networks)

Sign 6: Are you secured?
If a site prompts you to enter personal information, such as a username, password, or credit card number, check the browser window. Unless the site is secure--that is, unless the address starts with https:// and a closed padlock appears at the bottom of the window--your information is ripe for theft.

Sign 7: Check teh speling
Developers and engineers may have a bad reputation when it comes to grammar, and that's why most companies hire wordsmiths. Be wary of a site chock-full of grammatical and spelling errors. That includes the Web address--there's a world of difference between www.yahoo.com and www.yhoo.com.

Sign 8: Nested links
Does the site forward you to a completely unrelated site when you land on it? If nested links progressively take you to other sites, the host may be trying to pull a fast one.

Sign 9: Ridiculously large sums
If a free gift offer seems too good to be true, it probably is. You don't get a $500 gift certificate for doing nothing. Most often you'll have to provide personal information, download something compromising, engage your friends in a pyramid scheme, or all of the above. And how about those well-known scams that offer to pay out, but only after you wire someone a chunk of change? In this case, the surest preventive measure is your delete button.


May 8, 2009 6:02 PM PDT

How to family-proof your PC

by Jessica Dolcourt

Editor's Note: Article updated on May 8, 2009. Original article published September 8, 2006.

Every family has at least one member whose risky computer behavior is asking for trouble. You know whom we mean: the kid brother who can't resist those dodgy downloads; the spouse who clicks on suspicious pop-up ads and updates without a second glance; or the cousin who returns a borrowed laptop riddled with malicious software. You have two options: become a paranoid misanthrope with motion-sensor alarms rigged to your PC, or take a few minutes to establish these four security precautions. They're not foolproof against the most persistent of malicious software magnets, but these basic tips should give novices some ideas.

Step 1: Create multiple user accounts

A no-brainer, perhaps, but creating multiple user accounts is one of the surest ways of restricting a guest's risky activities without breathing down their neck while you supervise each mouse click. Families can generate an account for each member, an especially proactive move if there have been problems in the past. Set it up this way and you, the administrator, can limit others' ability to install programs and make systemwide changes, which could prevent your errant relations from executing tainted programs. To sweeten the deal, each account-holder's ability to customize their own desktop could help mow down weedy sibling rivalry. Consider adding a password-protected log-in to help maintain privacy.


User accounts make it easy to restrict guest privileges.

In most versions of Windows, you'll simply click the Start menu, open the Control Panel, and select "User Accounts" to get started. For each intended user, click "Add" in the Users tab, enter a name, and then select the user type--either power-user status, which allows administrative rights, or restricted-user status, which does not.

Make sure the "password at login" feature is enabled, so everyone who accesses the computer will be required to provide their username and password. The nuisance of compelling returning users to log in after each idle period is easily outweighed by the security benefits of maintaining multiple accounts. Besides, you can always adjust your idle-time settings to minimize the frequency of logging in anew. Here's another tip: setting up a guest account without a password on a laptop means your friends can borrow it to easily get online or use core Office functions, while the password protection on your own account acts as a deterrent.

February 23, 2009 4:13 PM PST

New scareware sends you to fake Download.com reviews

by Seth Rosenblatt

Last week, BleepingComputer.com reported on how to remove a new variant of an old scareware. This new nasty, known most commonly as Antivirus2010 or Anti-Virus-1, points you to spoofed versions of Download.com, ZDNet, PCMag.com, and other software sites, demanding that you download their program to clean your computer. Of course, it does nothing of the sort, merely perpetuating the infection.

Antivirus2010, Anti-Virus-1, and other variants of the AntivirusXP infection have never been hosted on Download.com. (Credit: Seth Rosenblatt/CNET Networks)

However, the manner and methods Anti-Virus-1 uses to get you there are extremely clever. The infection part of the malware does whatever it's been designed to do, so you can see that you've been infected with malware. What you don't realize at this point is that it has also altered your hosts file, so that when you try to visit a software site, you never reach the site you're trying to get to.

You wind up on a skinned Web site that looks like the site you're expecting, but isn't. With the Download.com spoof, you can see that they're using our old design, which CNET abandoned last summer. Clicking on any link besides the download button will take you to the same page that the legitimate site would've taken you to. Hit the download button, though, and you get their fake malware remover, which in fact does the opposite, perpetuating the infection.

Removing the infection is tricky because of the differences between the variants. Some people have complained that they get locked out of their Task Manager, for example, but not all reports include that complaint. The fix that I cited for Antivirus XP 2008 may work, but users who have Windows XP Home Edition don't have a gpedit.msc. Home Edition users will have to edit their Registry directly.

Malwarebytes' Anti-Malware has proven to be one of the few malware killers that can effectively remove Antivirus XP 2008 and its variants, and it should work against the latest ones, too. The First Look video of Malwarebytes' Anti-Malware on the right will help you get started with the program.

Keep in mind that there is no substitute for cautious browsing. Don't install every Facebook app that comes your way, don't click on ads on unfamiliar sites or sites that are known vectors for attacks, and don't install software from anybody who isn't a source you trust.

I've pasted below the entire list from BleepingComputer of changes to your hosts file for your edification. Be warned that it may change as variants are developed.

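Added example, not code from HijackThis, BleepingComputer or CNET: a small Python checker that reads the "O1 - Hosts:" lines HijackThis emits (the log format from the HijackThis post above) or a raw hosts file, ignores normal loopback entries, and groups the rest by target address, which surfaces the pattern this post describes: many software-review hostnames all pointed at one address. The sample log, the hostnames and the 192.0.2.10 address are constructed.

```python
"""Spot hosts-file redirects in a HijackThis log or a raw hosts file.

Added example for the Anti-Virus-1 post; the sample data below is constructed.
"""
import ipaddress
from collections import defaultdict

# HijackThis prefixes every hosts-file entry in its log with this tag.
O1_PREFIX = "O1 - Hosts:"


def is_local(ip_text):
    """True for loopback/unspecified addresses, which a clean hosts file
    (or an ad-blocking one using 0.0.0.0) maps names to."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # not an address at all; treat as suspicious
    return ip.is_loopback or ip.is_unspecified


def parse_hosts_lines(lines):
    """Parse raw hosts-file lines: '<ip> <name> [alias ...] [# comment]'.
    Returns a list of (ip, hostname) pairs, one per alias."""
    entries = []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed line: an address with no name
        ip, names = parts[0], parts[1:]
        entries.extend((ip, name.lower()) for name in names)
    return entries


def parse_hijackthis_log(log_text):
    """Pull the O1 entries out of a HijackThis log; other sections are ignored."""
    hosts_lines = [
        line.strip()[len(O1_PREFIX):]
        for line in log_text.splitlines()
        if line.strip().startswith(O1_PREFIX)
    ]
    return parse_hosts_lines(hosts_lines)


def find_hijacks(entries, min_hosts=2):
    """Group non-local entries by target address. An address that several
    hostnames resolve to is the redirect pattern the post describes."""
    by_ip = defaultdict(list)
    for ip, host in entries:
        if not is_local(ip):
            by_ip[ip].append(host)
    return {ip: hosts for ip, hosts in by_ip.items() if len(hosts) >= min_hosts}


# Constructed sample log: two normal loopback lines, three review-site names
# redirected to one address, one single intranet entry, and a non-O1 line.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O1 - Hosts: 192.0.2.10 reviews.example-download.test
O1 - Hosts: 192.0.2.10 www.reviews.example-download.test
O1 - Hosts: 192.0.2.10 reviews.example-mag.test
O1 - Hosts: 10.0.0.5 intranet.corp.test
O4 - HKLM\..\Run: [ExampleUpdater] C:\Program Files\Example\updater.exe
"""

if __name__ == "__main__":
    for ip, hosts in find_hijacks(parse_hijackthis_log(SAMPLE_LOG)).items():
        print(f"{ip} hijacks {len(hosts)} names: {', '.join(hosts)}")
```

Run it against your own log with `find_hijacks(parse_hijackthis_log(open("hijackthis.log").read()))`; legitimate single entries such as an intranet host fall below the default threshold, so review anything it flags rather than deleting blindly.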

(Via Ars Technica)

October 8, 2008 4:26 PM PDT

How to use AVG Anti-Virus Free Edition 8.0

by Jessica Dolcourt

If you're thinking of switching to free antivirus protection, or are looking for a different program to try, AVG Anti-Virus Free Edition is a rock-solid choice. Incidentally, it's also the most-downloaded security application on CNET Download.com.

Yet, it's not enough to follow the crowd. What if you dislike the interface? Or decide that the free edition doesn't give you as comprehensive a protection package as you'd like? These things happen, you know.

Hence this slide show, which attempts to take the guesswork out of scouting for a new application or starting up AVG Anti-Virus Free Edition 8.0 for the first time. It will walk you through installation tips and the feature set to help new users get started with AVG Anti-Virus Free Edition, and to give security-seekers a sense of what to expect from the application.

See also:
First Look video: AVG Free Edition 8.0
First Look video: Avira Antivir 8.0
Security Starter Kit
All antivirus downloads

September 15, 2008 11:20 AM PDT

How to remove Antivirus XP 2008

by Seth Rosenblatt
Update: Revised instructions to include folder deletion.

Antivirus XP 2008 is back, unfortunately. It's not an antivirus app, but a cleverly disguised rogue security application that tries to get you to buy the non-existent "security" it's selling. Advertised using the common tricks of Trojans and faux security alerts, this nasty piece of malware can take over your desktop settings to mimic safe mode, display fake virus detections, and open a faux Internet Explorer window stating that Google has detected a malware infection.

Antivirus XP 2008's Web site looks legit, but caveat emptor.

Yeah, Google.

Apparently, though, the virus is now being spread in more insidious ways, and numerous people who claim safe browsing habits and up-to-date security definitions are being infected--including two of my friends.

In helping them remove it, I discovered an excellent post on the CNET Forums that explained a detailed and accurate method of removal. I've retyped it below with more detail in case you're not able to get to the forums. It's not particularly complicated, but if you're not comfortable with advanced settings, I'd recommend proceeding cautiously or get a friend to help.

The scan window from Antivirus XP 2008 also looks legit. It's also not.

A warning before we begin: do not boot your computer into safe mode. Leave it running as you normally would. I tried restarting into safe mode, and the malware was prepared for that--its folders and files became undetectable.

First, in the Start menu, click on Run. If you can't find the Run option, hit WIN+R. (That's the key with the Windows icon on it.)

Type in msconfig, and go to the Startup tab. You're looking for two files. One begins with the string of letters "lph," and the second begins with "rhc". The examples provided are longer strings, "lphc35dj0e1an" and "rhc75dj0e1an", but after the first three letters, the strings are known to change on different computers. Uncheck the boxes next to both of them, then click on Apply and OK or Close at the bottom of the window.

The scan window from an older version of Antivirus XP 2008.

Restart your computer, and then delete the main files the spyware uses. In Windows Explorer, navigate to C:\windows\system32 and delete the lph*.exe file. Then go to your Program Files folder, C:\program files, and delete the rhc folder and everything in it. Keep in mind that these strings are known to change.

Restart your computer normally. You'll notice that the background hasn't changed. To restore your desktop settings, you'll need to go to Start > Run again, or Win+R. This time, type in Gpedit.msc. In the left pane, look for User Configuration near the middle. Navigate through Administrative Templates, then Control Panel, and finally Display. When you click on Display, you'll see a list of options open in the central pane. Right-click on "Remove Display in Control Panel," and click "Properties." Then choose "Disabled."

Repeat those same steps for the following attributes: Hide Desktop, Prevent changing wallpaper, Hide Appearance and Themes, Hide Settings, and Hide Screen Saver. Change all to "Disabled," then hit Apply, OK, and restart your computer.

You will still see the Antivirus XP 2008 desktop "theme," but now you can change it. Right-click anywhere on your desktop and select Properties. The first tab that opens should allow you to change your theme. If you also suffer from massive icons, use the last tab on the right, Settings. In the middle of that tab's window you'll see a Screen Resolution option, most likely set to 800x600. Move the slider to choose a more aesthetically appealing resolution.

May 5, 2008 3:39 PM PDT

Quick Tip: Closing pop-ups the safe way

by Jessica Dolcourt

Confronting a pop-up is one of those times when your gut reaction might lead you down the path of frustration and tears. If the "X" is spring-loaded with malware, anywhere you click on the pop-up could trigger that virus.

This is the path less traveled--the majority of pop-ups truly are the ads they appear to be--but when a pop-up does deliver malware, undoing the damage could be a tense, jittery journey. We get enough panicky Spyware Horror Story submissions to know that so-called button flips and booby-trapped Close buttons continue to deliver malicious payloads.

So what is the best practice for closing a pop-up? CNET Executive Editor Tom Merritt demonstrates in this Quick Tip video.

March 5, 2008 2:19 PM PST

How to use Spybot-Search & Destroy

by Jessica Dolcourt

Editor's note: This article, originally published by Brian Satterfield, was republished on 3/5/08.

These days, using only one antispyware program is like playing with fire: sooner or later, you're going to get burned. Since not all spyware-combat tools share identical databases, we recommend running as many tools as you can get your mitts on--and Spybot - Search & Destroy, a time-tested and free application, should be part of your arsenal. The program might not have as pretty a face as some of its competitors, but it's certainly adept at eradicating spyware. It also offers a wide variety of settings and tools for maintaining your security and privacy that might not be immediately obvious. Read on to get the lowdown on removing spyware with Spybot, and to get tips for using some of the program's most important features.

Step 1: Set it up
Some antispyware programs aren't highly customizable, but Spybot caters to the user by offering a number of tweaks. The app's primary screen emphasizes scanning your machine for threats and updating spyware definitions. If you switch from the default to the advanced mode from the Mode menu, though, you open up a world of options. The unobtrusive Settings button, located way down in the lower-left corner of the advanced window, contains tons of ways to fine-tune Spybot's behavior. This screen may at first appear overwhelming, but the Settings window lets you customize the app so it works for you.

February 21, 2008 3:41 PM PST

Beat back that Trojan horse

by Jessica Dolcourt

Editor's note: This article was updated on February 21, 2008. The original was published on February 28, 2007.

Like its mythical namesake (dramatized in Lego), whatever crawls out of a digital Trojan horse will be a nasty surprise. A Trojan horse usually takes the form of an innocuous software program that unleashes a flood of malware or viruses after it's installed and run. Since attacks and ease of removal vary--an ad generator is easier to remove than a stealth rootkit--there's no one-size-fits-all solution. However, there are some common spyware removal techniques that can help you pick your way through the wreckage.

Reboot Windows in Safe Mode

What is Safe Mode?
Safe Mode is a stripped-down version of the normal mode your copy of Windows ordinarily runs in. Rebooting in Safe Mode loads minimal programs and disables most device drivers that manage hardware like CD drives and printers. The result is a more stable iteration of the Windows operating system that's better suited for disabling malware while you perform a system scan.

How do you use it?
If you can, follow the necessary steps for a safe shutdown process and then reboot. When you restart Windows, as the screen begins to load, press F8 repeatedly until the Windows booting options appear. Select "Boot in Safe Mode" from the menu of options. Once in Safe Mode, you should be able to run your installed antispyware software with less interference from the malicious software that the Trojan brought onto your system.

System Restore

What is System Restore?
System Restore provides a safety net if everything goes kaput. Under default Windows settings, System Restore saves a snapshot of your computer configuration once a day and on major upgrades, which can be used to replace corrupted files. In the event of a Trojan attack, System Restore can revert Windows to a previous, uninfected state. It won't restore everything, like changes to your user profile, but it does reinstate biggies like your Registry and DLL cache.

When do you use it?
When purging your computer of spyware, System Restore has an optimal time and place. You wouldn't want your computer including corrupted files as the reference point of the day, so it's important to disable System Restore before you start cleaning. You can reactivate it once your system is spick-and-span.

How do you use it?
The paths for accessing System Restore differ by operating system. In Windows XP, disable System Restore by right-clicking My Computer and selecting Properties. Under the Performance tab, select File System, then the Troubleshooting tab, and finally check Disable System Restore. You'll be prompted to reboot. Follow these steps to uncheck the box before restoring your system.

To use System Restore after scrubbing your computer, choose Accessories from the program list in the Start menu. You'll find System Restore under System Tools.

This comprehensive article from TechRepublic demonstrates how to create and use System Restore in Windows Vista.

Scan with antivirus/antispyware apps
Downloading diagnostic and removal tools with an infected computer is a huge time sink--spyware can cripple your speed and Internet access. The Trojan's payload could prevent EXE files from downloading or launching. Also, malware can affect the performance of installed security software on your PC. If you store your antivirus/antispyware programs on a CD or flash drive, however, those malware-busting apps can commence their swashbuckling unhindered.

February 19, 2008 12:10 AM PST

Insider Secrets: Don't get scammed by phishers

by Jessica Dolcourt

Responding to an urgent e-mail about your compromised bank account is tempting, almost involuntary. That's exactly what phishers are counting on when they link you to a false site and pump you for personal details. Learn how to skirt their tricks in this Insider Secrets video, and remind yourself of other ways to avoid suspicious Web sites that might not have your best intentions in mind.
