
--- The Complete Guide to Internet Security (V4.0) ---

#1 Qbsean10 Posted 6/9/2010 11:19:58 PM
=============================================
| The Complete Guide to Internet Security (Version 4.0) |
=============================================
Copyright © 2003-2010 Sean Sharp
First Edition © 2003
Second Edition © 2004
Third Edition © 2006
Fourth Edition © 2010

IMPORTANT DISCLAIMER:
I am not responsible for any system damage caused by the use or misuse of the programs listed within this guide.

A printable version of the guide can be found at:
http://qbsean10.tripod.com/guide.html

--------------------------------------------------------------------------------------------------------------------------------------------------------------------
1. Introduction
2. Common Questions
3. Malware Prevention
4. Malware Detection and Removal
5. Virus Protection and Detection
6. Firewalls
7. Browsers
8. Specific Removal Tools
9. Seeking Outside Help
10. Routine System Maintenance
11. Fake Anti-Malware Listing
12. Anti-Malware Program Index
13. Credits and Thank Yous

--------------------------------------------------------------------------------------------------------------------------------------------------------------------
==============
| 1. Introduction |
==============

I began this guide several years ago to address common recurring malware issues found on the Tech Support board here on GameFAQs. Within the first three years of the guide’s original publication, I posted three separate versions, each highlighting new information. Regrettably, the guide has not been altered since 2006 and has been fairly out of date for quite some time. After a recent bout of malware removal of my own, I was persuaded to give this a complete overhaul. Certainly this update has been long overdue, but fear not, for every section of this guide has been rewritten and updated to meet current standards. There have been a multitude of new anti-malware programs released since 2006 and I have included a full user guide for each. Before I begin I would like to offer a sincere thank you to all those who have supported the previous versions of this guide.

--------------------------------------------------------------------------------------------------------------------------------------------------------------------
#2 Qbsean10 (Topic Creator) Posted 6/9/2010 11:20:09 PM
====================
| 2. Common Questions |
====================

What is malware?
Malware is an umbrella term for all malicious software intended to cause harm to your computer. Malware can take the form of any malicious program including but not limited to viruses, worms, spyware, adware, and Trojans.

What is spyware?
Spyware is a type of malware that is installed on a system without the consent of the user and used mainly for gathering information about the user. These types of programs can compromise valuable information such as site passwords, credit card numbers, addresses, and bank information.

What is adware?
Adware is in many ways similar to spyware, but focuses on pushing advertising rather than collecting information. Symptoms of adware include recurring pop-ups, search engine redirects, and browser homepage resets. Though not as compromising as spyware, adware is at the very least a considerable nuisance, and the same injected pages and redirects are frequently used to push further infections.

What is the difference between a virus and a worm?
A virus attaches itself to a host, such as an executable or document, and relies on that host being run or opened to execute and copy itself. Virus payloads can range from simple joke messages to destructive code that erases a computer's data. A worm is similar in many respects but can reproduce and spread on its own across networks and connected devices, typically by exploiting a vulnerable network service, without any user interaction. In general, worms tend to attack networks and internet connections, whereas viruses tend to corrupt data and files, but that is not to say the opposite is never true.

What is a Trojan horse?
A Trojan is simply malware packaged as a useful program to entice a user to run it. Trojans are common among game cracks and key generators, as users are often susceptible to loading the .exe without scanning it for infection.

What is a rootkit?
Rootkits are modifications to the system, typically to the kernel or to core system libraries, designed to conceal malware from the user and from security software. With a rootkit installed, malware may not show up during anti-virus scans and may not even appear as a running process in Task Manager, because the rootkit filters what the operating system reports. This is why some removal tools restart the system and scan before Windows fully loads.

What is a backdoor?
A backdoor is a hidden means of access, such as a listening service or a remote-control component, that malware leaves behind so an attacker can return to the system later without going through normal authentication. If a backdoor is not removed along with the rest of an infection, a system can easily be reinfected even after the visible threats are gone.

What is a keylogger?
A keystroke logger is a type of software that tracks and relays a user’s keystroke activity to a third party. These programs can easily compromise personal information.

What is phishing?
Phishing is the theft of personal information by impersonating a party you trust. Examples include browser redirects to fake login screens that mimic a real site, and scam emails from a purported bank, administrator or authority figure demanding account details. Phishing can also ride on spyware or virus payloads, such that your browser is redirected to fake logins or your email account becomes a staging point for sending the scam to everyone in your address book.

What is pharming?
Pharming, like phishing, lands internet users on a fake website built to acquire personal information. The difference is that pharming does not need to trick you into clicking a bad link: it corrupts name resolution itself, for example through a poisoned DNS server or an altered hosts file, so that every visit to the correct, correctly typed address is silently redirected to the bogus site.

What is a script?
Client-side scripts are code embedded in a web page that your browser downloads and runs locally. The most common form of client-side scripting is JavaScript. When used properly, scripts allow websites to run interactively, as opposed to straight HTML with minimal inputs ala the early 90s. Unfortunately, malicious scripts are often loaded into shady websites (and into injected advertisements), and they probe the browser and its plug-ins for known vulnerabilities the moment the page loads, so simply visiting the page can infect a system.
#3 Qbsean10 (Topic Creator) Posted 6/9/2010 11:21:04 PM
What is a browser cookie?
Cookies are small pieces of data that a website asks your browser to store the first time you visit. On each later visit to that site, the browser sends the cookie back, which is how the site remembers that you are logged in and what preferences you chose. (Faster page loads come from the separate browser cache, which keeps copies of images and scripts.) A cookie is only sent back to the site that set it, but malware running on the system can read the cookie store directly and harvest session and login data from it. It is in the interest of both the user’s protection and the system’s overall cleanliness that cookies be cleared on a regular basis.

What are tracking cookies?
Tracking cookies are not malware in the usual sense; they are ordinary cookies set by a third-party domain, typically an advertising network whose images or scripts are embedded on many unrelated sites. Because the browser sends that network's cookie every time one of its ads loads, the network can link your visits across all of those sites into a single browsing history. Spyware and adware make use of the same mechanism to tailor advertisements to a user’s search queries, which is why anti-spyware scanners report tracking cookies as a low-severity finding.
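The cross-site linking described above, as an added example that is not part of this guide: a toy browser with a per-host cookie jar and a toy ad server whose pixel is embedded on two unrelated sites. The hostnames, the page list and the cookie name are constructed for the demonstration. It also shows why the guide's advice to clear cookies works: after clearing, the tracker can only issue a fresh id and the old history is no longer linked to you.

```python
# Added example (not from the guide): a toy browser and ad server that show how
# one third-party cookie ties visits to unrelated sites together, and why
# clearing cookies breaks the link. Hostnames and pages are constructed.

AD_HOST = "ads.example"
AD_PIXEL = f"http://{AD_HOST}/pixel.gif"

# Which third-party resources each first-party page embeds (constructed).
PAGES = {
    "http://news.example/sports": [AD_PIXEL],
    "http://shop.example/cart": [AD_PIXEL],
    "http://blog.example/post1": [],          # no tracker on this page
}


class AdServer:
    """Issues a cookie-borne id on first contact and logs the Referer of every hit."""

    def __init__(self):
        self.next_id = 1
        self.profiles = {}  # tracking id -> pages on which the pixel was loaded

    def handle(self, cookies, referer):
        uid = cookies.get("uid")
        set_cookie = {}
        if uid is None:                       # never seen this browser: issue an id
            uid = f"u{self.next_id}"
            self.next_id += 1
            set_cookie["uid"] = uid
        self.profiles.setdefault(uid, []).append(referer)
        return set_cookie


class Browser:
    """Keeps one cookie jar per host; a host only ever receives its own cookies."""

    def __init__(self, ad_server):
        self.ad_server = ad_server
        self.jar = {}  # host -> {cookie name: value}

    def clear_cookies(self):
        self.jar.clear()

    def fetch(self, url, referer=None):
        host = url.split("/")[2]
        sent = dict(self.jar.get(host, {}))   # only this host's cookies go out
        if host == AD_HOST:
            # The embedding page is passed as Referer (assumption: no privacy
            # setting suppresses it); that is what the tracker records.
            new_cookies = self.ad_server.handle(sent, referer)
            self.jar.setdefault(host, {}).update(new_cookies)
        # First-party hosts in this toy set no cookies of their own.

    def visit(self, page_url):
        self.fetch(page_url)
        for resource in PAGES[page_url]:
            self.fetch(resource, referer=page_url)


def run_demo():
    """Return (tracker profiles, browser jar, profiles after clearing cookies)."""
    ad = AdServer()
    browser = Browser(ad)
    browser.visit("http://news.example/sports")
    browser.visit("http://blog.example/post1")
    browser.visit("http://shop.example/cart")
    before = {k: list(v) for k, v in ad.profiles.items()}
    jar = {h: dict(c) for h, c in browser.jar.items()}
    browser.clear_cookies()                   # what the guide recommends
    browser.visit("http://news.example/sports")
    after = {k: list(v) for k, v in ad.profiles.items()}
    return before, jar, after


if __name__ == "__main__":
    before, jar, after = run_demo()
    print("browser jar:", jar)
    print("tracker profiles:", before)
    print("after clearing cookies:", after)
```

Note that news.example and shop.example never see the tracker's cookie and never learn about each other; the correlation happens entirely at ads.example, which is why blocking the third-party domain (NoScript, Adblock Plus, SpywareBlaster's block lists) stops the tracking even when cookies are enabled.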

What is my hosts file?
The hosts file is a plain-text list of hostnames mapped to IP addresses that Windows consults before asking a DNS server, so whatever it says wins. Malware will often target the hosts file to redirect internet usage to specified sites. For example, certain types of viruses alter the hosts file so that every website related to anti-virus or computer security points at 127.0.0.1, which blocks the user from reaching updates and removal tools. Another example would be adware altering the hosts file to send common search engines to an advertising website. Note that legitimate tools (Spybot's immunization, for instance) also add entries that point known bad sites at 127.0.0.1, so loopback entries are not suspicious by themselves; security vendors mapped anywhere, and ordinary sites mapped to an outside address, are.

What is the Windows registry?
The registry is essentially the brain of Windows. It stores a database of settings and options for the operating system and for most installed applications. The registry is broken down into several hives (HKEY_LOCAL_MACHINE, HKEY_CURRENT_USER and so on), each a tree of keys holding values. Malware edits the registry to make itself start automatically (the Run keys, services, browser helper objects) and to disable security settings. Anti-malware programs are designed to clean these entries automatically so that the user does not have to. The registry can be edited by opening RegEdit from Start > Run > RegEdit, but should not be edited by anyone with less than expert working knowledge; a wrong change can leave Windows unbootable.

How did I get infected?
Malware is an increasingly persistent threat to internet users. In the early stages of the internet, most malware was confined to email viruses that required a user to open the attached program. Today, however, malware can penetrate even well-protected systems through a wide array of attack mechanisms, including pages that exploit an out-of-date browser or plug-in without any click at all. Fortunately, with the right protection and careful usage, most malware can be avoided or removed without much issue. The most common forms of malware are found in the following instances:
- Adult sites
- Keygen or game crack websites
- Cracked or unlicensed software
- P2P clients including Limewire, Kazaa, or iMesh
- Free screensaver websites
- Freeware programs
- Bogus email scams

How can I rid my system of malware problems?
Fortunately modern technology has given us a bevy of easy to use anti-malware programs that will automatically clean and protect us from common threats. The popular anti-malware programs will purge your computer of the majority of infections. However, persistent or specific infections may require additional research and specially developed removal tools. But do not fret, for even the most serious infections will rarely require you to manually edit the registry, load up DOS, or root around through system files. Finding the right removal tool will be the most important part of any system clean up. Letting the program work will be the easiest.

--------------------------------------------------------------------------------------------------------------------------------------------------------------------
#4 Qbsean10 (Topic Creator) Posted 6/9/2010 11:21:31 PM
====================
| 3. Malware Prevention |
====================

Before we set about cleaning all forms of malware on your system, it will be best to set up prevention mechanisms to block any reinfection.

Set Hosts File to Read Only
http://en.wikipedia.org/wiki/Hosts_file#Content_and_location
Navigate to your system's hosts file (on Windows XP, Vista and 7 it is C:\Windows\System32\drivers\etc\hosts; the file has no extension), right click it and select Properties. In the box that appears, check the Read-only box and click OK. Before you do, open the file in Notepad and make sure it contains nothing beyond the default "127.0.0.1 localhost" line and entries you recognise; setting a tampered file read-only only locks the tampering in. Be aware that this is a speed bump, not a wall: malware running with administrator rights can clear the attribute just as easily as you set it, and tools that write to the hosts file (Spybot's hosts-file immunization, for example) need it writable while they run.
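A small audit script for the step above, added here as an example that is not part of the guide: it parses a hosts file, flags security or search sites that have been pointed at loopback or at an outside address, leaves ordinary blocklist entries alone, and reports whether the file carries the Read-only attribute. The sample file, the list of protected domains and the 5.6.7.8 address are constructed for the demonstration.

```python
# Added example (not from the guide): parse a hosts file and flag the two
# tamperings described in this guide, a security/search site pointed at
# loopback or redirected to a foreign address. The sample file, the
# protected-domain list and the 5.6.7.8 address are constructed.
import ipaddress
import os
import stat
import sys

SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.malwarebytes.org
127.0.0.1       safer-networking.org    # security vendor blocked
127.0.0.1       ads.badsite.test        # typical immunization entry, harmless
5.6.7.8         www.google.com          # search engine sent elsewhere
192.168.1.10    nas.home
"""

# Sites a clean hosts file has no business remapping (assumption).
PROTECTED = (
    "malwarebytes.org", "safer-networking.org", "superantispyware.com",
    "lavasoft.de", "javacoolsoftware.com", "microsoft.com", "windowsupdate.com",
    "google.com", "bing.com", "yahoo.com",
)


def parse_hosts(text):
    """Return [(line_no, ip, hostname)] for every mapping, comments stripped."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2:
            entries.extend((n, fields[0], h.lower()) for h in fields[1:])
    return entries


def _is_protected(host):
    return any(host == d or host.endswith("." + d) for d in PROTECTED)


def classify(ip, host):
    """Return a reason string if the mapping looks like tampering, else None."""
    if host in ("localhost", "localhost.localdomain"):
        return None
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "unparseable address"
    local = addr.is_loopback or addr.is_private or addr.is_unspecified
    if _is_protected(host):
        return ("security/search site blocked via loopback" if local
                else "security/search site redirected to " + ip)
    if not local:
        return "redirected to a public address " + ip
    return None   # blocklist-style loopback entries and LAN names are normal


def audit_hosts(text):
    """Return [(line_no, ip, host, reason)] for every suspicious mapping."""
    return [(n, ip, h, r) for n, ip, h in parse_hosts(text)
            if (r := classify(ip, h))]


def is_read_only(path):
    """True if the file is write-protected (the Read-only attribute on Windows)."""
    st = os.stat(path)
    attrs = getattr(st, "st_file_attributes", None)   # present on Windows only
    if attrs is not None:
        return bool(attrs & stat.FILE_ATTRIBUTE_READONLY)
    return not (st.st_mode & stat.S_IWUSR)


if __name__ == "__main__":
    # Audit a real file if one is given, e.g. C:\Windows\System32\drivers\etc\hosts,
    # otherwise the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as f:
            text = f.read()
        print("read-only attribute set:", is_read_only(sys.argv[1]))
    else:
        text = SAMPLE_HOSTS
    for n, ip, host, reason in audit_hosts(text):
        print(f"line {n}: {ip} {host}: {reason}")
```

Run without arguments it audits the built-in sample and reports lines 4, 5 and 7; point it at the real hosts file path to audit your own. Private and loopback addresses are deliberately treated as benign for non-protected names, because that is exactly what Spybot's immunization writes.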

Internet Explorer
Many people are unaware of these simple but effective steps found within the Internet Explorer settings that help cut down on malicious activity.

Disable ActiveX
Open IE and select Tools from the menu. Click on Internet Options, select the Security tab, and with the Internet zone selected click the Default Level button to undo any changes malware or a previous owner may have made. Now, click the Custom Level button and scroll to the ActiveX controls and plug-ins area. Ensure the following settings are made (the wording varies slightly between IE versions):
1. Download signed ActiveX controls: Prompt
2. Download unsigned ActiveX controls: Disable
3. Initialize and script ActiveX controls not marked as safe for scripting: Disable
These settings apply only to the Internet zone, so also check that the Trusted Sites zone contains no sites you did not add yourself (malware adds its own; HijackThis reports these as O15 entries).

Adjust Cookie Settings
Open IE and select Tools from the menu. Click on Internet Options, select the Privacy tab, and then move the slider to Medium High or higher. Moving the slider up makes IE more restrictive; Medium High blocks third-party cookies that can be used to track you, which is the setting the tracking-cookie discussion above is about, while still allowing the first-party cookies most sites need to keep you logged in.

Clear Your Cookies
Open IE and select Tools from the menu. Click on Internet Options and, on the General tab, click the Delete Cookies button (in IE7 and later, click Delete under Browsing history and choose Cookies). Clear your cookies at least once a month to cut off tracking and adware profiles; the space saved is negligible, the privacy gain is not.

Check for Updates
Open IE and select Tools from the menu. Click on Windows Update and run the scan, installing everything marked as a security update. Better still, turn on Automatic Updates in the Control Panel so this happens without you. Most of the exploits used by drive-by pages target holes that were patched months earlier, so keeping the system up to date removes the majority of the attack surface.

Firefox
Mozilla Firefox is an alternative web browser that offers a multitude of security and customization options. Consider switching from IE if you have not already.

Block Popups
Open Firefox and select Tools from the menu. Click Options and navigate to the Content tab. Ensure “block pop ups” is checked.

Adjust Security Settings
Open Firefox and select Tools from the menu. Click Options and navigate to the Security tab. Ensure the following are checked:
- Warn me when sites try to install addons
- Block reported attack sites
- Block reported web forgeries

Disable Java
Open Firefox and select Tools from the menu. Click Options and navigate to the Content tab. Uncheck the “Enable Java” box. This disables the Java plug-in (the applet runtime discussed under Java Runtime Environment below), not JavaScript; very few ordinary sites need Java, and it is one of the most heavily exploited plug-ins, so leave it off unless a site you trust requires it.

Install Noscript Add-on
https://addons.mozilla.org/en-US/firefox/addon/722/
This add-on will automatically block all scripts (and, by default, Java, Flash and other plug-in content) while browsing unless the site is added to the exceptions list. To add an exception, load the page in question (for example your home-banking login screen), and click the small S logo on the Firefox status bar in the lower right (by default). Then, simply click “allow xxxxxx.com”. Alternatively, you can elect to temporarily allow a website if you feel you do not need to offer permanent access. Before whitelisting a site permanently, check that the address bar shows the domain you expect; whitelisting a look-alike phishing domain defeats the purpose.

Install Adblock Plus
http://adblockplus.org/
In today’s modern technological world, most websites depend largely on advertisement revenue. I empathize with these business models and am generally not annoyed by ads, especially if they help keep my favorite sites afloat. Unfortunately advertisements are becoming increasingly dangerous: ad networks resell space to third parties, and a malicious advertiser can serve a browser exploit or a fake "your computer is infected" page on an otherwise reputable site. Though I fully support the revenue model of advertising, no website’s profitability should ever jeopardize your own system’s security. Adblock Plus is a simple browser add-on that, with a filter subscription such as EasyList enabled, blocks requests to the vast majority of ad networks, including the ones that serve malicious ads; a separate malware-domain subscription can be added as well. The added bonus is cleaner looking websites.
#5 Qbsean10 (Topic Creator) Posted 6/9/2010 11:22:11 PM
Java Runtime Environment
Java is not JavaScript: it is a separate runtime whose browser plug-in runs applets embedded in web pages, and it is notorious for exploitation. Shady sites will exploit security holes in old Java installations, so it is important to keep this application up to date at all times and remove all old instances of the program; an old version left installed alongside the new one can still be targeted.

Download Latest Java Environment
http://www.java.com/en/download/manual.jsp
Visit the preceding link and download the latest Offline update available to your desktop.

Remove All Old Instances
Click Start and navigate to the Control Panel. Click Add/Remove Programs (Programs and Features on Vista and 7) and allow the list to generate. Scroll to Java and remove every entry whose name includes “Java Runtime Environment”, “J2SE Runtime Environment” or “Java(TM) 6 Update”. If your system is an older one, you may have several of these old instances to remove, because older installers left the previous version in place. Once these are removed, restart your system and load the Add/Remove Programs list once more to ensure all old versions have been removed. Fortunately, newer versions of Java as of the writing of this guide have been built to remove the previous version automatically.

Install Latest Java Environment
Now, install the latest Offline update by double clicking the saved file on your desktop and following the on-screen instructions.

Clear the Java Cache
Click Start and navigate to the Control Panel. Switch to Classic View and double click the Java icon (under Programs on Vista and W7). Under the General tab, locate the Temporary Internet Files box and click Settings. Ensure all boxes are checked. Click OK and then click Delete Files. Drag the Disk Space slider to a reasonable limit (100 MB) and click OK. Clearing the cache matters because a malicious applet downloaded earlier can remain there and be reported by scanners long after the page that served it is gone.

Adobe Reader
Like Java, .pdf files are an easy target for malicious coders: a booby-trapped PDF opened in an old Reader can run code on the system, and most of these exploits rely on the JavaScript engine built into Reader. As a result, it is essential to keep Adobe Reader up to date and to remove all old instances. If you do not need interactive forms, also open Reader, go to Edit > Preferences > JavaScript and uncheck “Enable Acrobat JavaScript”, which disarms the majority of malicious PDFs outright.

Download Latest Adobe Reader
http://get.adobe.com/reader/
Visit the link to download the most current Adobe Reader version available.

Remove All Old Instances
Click Start and navigate to the Control Panel. Click Add/Remove Programs and allow the list to generate. Scroll to Adobe and remove all instances of the Adobe Reader program. Restart your system and load the Add/Remove Programs list to ensure all instances have been removed.

Install Latest Adobe Reader
Install the latest version by double clicking the saved file on your desktop and following the on-screen instructions.

Spyware Blaster
http://www.javacoolsoftware.com/spywareblaster.html

This excellent program will add over 10,000 nasty sites to your browsers’ block lists, ensuring they will not bother you again: for Internet Explorer it places them in the Restricted Sites zone and sets "kill bits" that stop known-bad ActiveX controls from loading, and for Firefox it blocks their cookies. Once you have installed the program, run it and click Updates on the left menu. Click "Check for Updates" at the bottom of the screen. If new updates are added, click Enable All. To ensure everything is blocked, select the Protection tab from the left menu and check the block buttons under the Internet Explorer, Restricted Sites, and Firefox tabs. Once all the boxes have been checked, return to the main Protection screen and click the "Enable All Protection" button near the bottom.

Next, select Tools from the side menu and open the Browser Pages tab. Select the IE Browser Pages tab and change the first two sites to your homepage and your preferred search engine (e.g. msn.com or google.com). Finally, select Miscellaneous IE Settings from the sidebar and check the box which will disable the changing of your homepage. If you are willing to add extra protection, click the Flash Killer tab on the sidebar and check “Disable and block Macromedia Flash”. This will prevent most Flash-based ads and pop-ups, but will also break website content that depends on Flash. You can now exit the program, as all the settings are stored in your browser and the registry rather than in a running process. Be sure to check for updates often and apply protection to all your browsers.
#6 Qbsean10 (Topic Creator) Posted 6/9/2010 11:22:32 PM
Spybot Search and Destroy
http://www.safer-networking.org/en/download/

Immunization
Once downloaded and installed, click the Updates button on the left menu. Spybot will automatically search for any updates. Check any available updates and download them immediately. Be sure to check for new updates often.

Close all web browsers and click Immunize on the left menu. Run a scan for any unblocked sites, and select Immunize once the scan is complete. Be sure to run the Immunization tool every time you download new updates in order to add new sites to the block list.

Resident TeaTimer & SDHelper
Spybot offers two full-time protection monitors to defend your system. Resident TeaTimer watches for changes to registry autostart entries and browser settings and asks you to allow or deny each one, while SDHelper is an Internet Explorer helper object that blocks downloads from known malicious sites. If you did not elect to install either when first installing Spybot, click the Tools menu on the sidebar and navigate to the Resident icon. Ensure both the “Resident SDHelper” and “Resident TeaTimer” boxes are checked, then exit the program and restart your system. When TeaTimer prompts about a registry change you did not initiate (for example right after opening a download), deny it; that prompt is often the first visible sign of an infection.

Be forewarned that Resident TeaTimer can be quite a resource hog. If you have a lower end system, you may need to disable this program. If possible, however, it is advised to keep it on.

Spyware Guard
http://www.javacoolsoftware.com/spywareguard.html

This small program will provide real time spyware and adware protection. Once downloaded and installed, open the program and run the LiveUpdate to ensure all new updates are installed. Next, open the Options menu from the side and enable all three protection options. Click Save Settings near the top. Select the Download Protection tab and enable the preference of your choice. Click save, then close the window without exiting the program.

Other Active Monitors
Note that several free removal tools (Ad-Aware, Malwarebytes, SUPERAntiSpyware) do have real-time monitoring components, but these are only in the paid (Pro) versions; the free editions are on-demand scanners. While not discouraged, the paid versions are not necessarily required either. Depending on your comfort level or risk assessment, you may opt to buy the Pro version of one or more of the aforementioned tools. Whatever you choose, run only one real-time anti-virus engine at a time; two of them scanning the same files will slow the system and can interfere with each other's detections.

--------------------------------------------------------------------------------------------------------------------------------------------------------------------
#7 Qbsean10 (Topic Creator) Posted 6/9/2010 11:23:37 PM
==============================
| 4. Malware Detection and Removal |
==============================

Now that you have your prevention programs up and running, it’s time to run several scans and remove any malware infections from your system.

Spybot Search and Destroy
http://www.safer-networking.org/en/download/

Open Spybot and select Advanced Mode under the Mode tab on the top menu. On the side bar, click the Settings tab and open the File Sets menu. Ensure everything here is checked. Now click the "Settings" button under the Settings tab and select Time Critical under the Scan Priority section to achieve the fastest possible scan.

For the most efficient removal, you will need to run Spybot on your systems next start before any other processes are loaded. Under the Settings menu, scroll to the “System Start” section and select the Run program once at next system startup option. Ensure the following adjustments are made:
- Run check on program start: Enabled
- Fix all problems on program start: Enabled
- Close program if everything’s OK: Enabled

Now, restart your system and allow the scan to run. As the Spybot database grows, the time per scan will continue to increase. On older machines, a full scan may take up to an hour.

If you wish to run a scan without restarting, simply click the “Check for Problems” button on the main screen. Be forewarned that if spyware is active on your system, Spybot will prompt for a rescan on the next system restart.

Malwarebytes Anti-Malware
http://www.malwarebytes.org/mbam-download.php

Once installed, the first priority is to rename the Malwarebytes executable, as some advanced forms of malware watch for and kill any process named mbam.exe. Renaming the shortcut alone does nothing, because the process name comes from the file it points to: open the installation folder (by default C:\Program Files\Malwarebytes' Anti-Malware), rename mbam.exe to something like mb.exe, and run that. In extreme cases, do not be afraid to rename it to a random string of numbers, and to a .com or .scr extension if .exe files themselves are being blocked.

Before running a system scan, ensure that the most up-to-date database is loaded by selecting the “Update” tab on the main screen and click “Check for Updates”. MBAM databases are updated multiple times a day, so be sure to check for updates every time you load the program.

Navigate to the “Settings” tab on the main screen and ensure the following changes are made:
- Automatically save log file after scan: Enabled
Under the “Scanner Settings” tab, ensure all options are enabled.

To run the scan, navigate to the “Scanner” tab on the main screen and select either Quick or Full Scan. Full scans are generally not necessary unless your system is badly corrupted. A quick scan will take roughly 30 minutes to complete, while a full scan can take several hours, depending on the size of the drive and the amount of space used.
#8 Qbsean10 (Topic Creator) Posted 6/9/2010 11:23:58 PM
Ad-Aware Free
http://www.lavasoft.de/software/adaware/

Ad-Aware Free simplifies the scanning process from previous versions of the utility. First and foremost, ensure your version is updated to the most recent database by clicking the Web Update icon on the main screen. Next, switch to Advanced Mode by clicking the small toggle switch in the bottom left corner. To run a scan, click the Scan System button in the center of the main screen. You will want to run a full scan here, as the smart scan skips important areas of your system. Once “Full Scan” is selected, simply hit the Scan Now button. Once the scan is complete, remove any infections found. Quarantine moves a file where it can no longer run but keeps it restorable; once you are sure nothing legitimate was caught, delete the quarantined items so they cannot be restored by mistake. Check your Quarantine list periodically to ensure all threats have been removed.

You may wish to remove the Ad-Aware Windows shell extension on right-click menus. To do this, select Settings on the main screen and navigate to the Customize tab. Deselect the “Add Ad-Aware to Windows right-click menu” option and click OK. You may need to restart for this change to take effect.

SUPERAntiSpyware
http://www.superantispyware.com/download.html

Less shady than the name implies, SUPERAntiSpyware is actually an excellent malware removal tool for detecting relatively unknown infections. Prior to scanning, ensure you have the latest database by clicking “Check for Updates”. Scan settings are optimal by default, so there is no need to adjust anything. Simply click “Scan Your Computer” and select your scan type. Quick scans will generally be enough to detect rogue malware, though extreme cases may require a full system scan.

Windows Defender
http://www.microsoft.com/athome/security/spyware/software/default.mspx

Microsoft’s own spyware prevention and detection tool is a simple install and can be found on the Control Panel menu. Once installed, open it and click the Tools button on the top menu. Open the Options menu. From here, you can set Windows Defender to run on a weekly or daily schedule. I would suggest setting it to run at least once a week during the night so it won't bother your system performance. Check both boxes related to updates under the automatic scan setup. Under the Default Actions section, set all three items to Remove. To run a manual scan, click the scan button and select the scan type. Windows Defender is useful for rooting out lesser known pests that may be overlooked by the more common scanners.
#9 Qbsean10 (Topic Creator) Posted 6/9/2010 11:24:56 PM
HijackThis
http://www.majorgeeks.com/download3155.html

HijackThis does not detect malware by signature; it lists the places where malware hooks into Windows and the browser (start pages, autostart entries, helper objects, services, hosts file) and leaves it to you to judge each line. It can therefore pinpoint specific infections that scanners miss, but it is not a substitute for the scanners above for overall system health, and blindly "fixing" entries you do not understand can break legitimate software.

Before running a scan, you will want to rename the HijackThis executable itself (not just a shortcut), as advanced forms of malware will kill any process named HijackThis.exe. Renaming it to simply hjt.exe should allow it to work, but in extreme cases, do not be afraid to rename it to a random string of numbers.

Each line in the HijackThis log starts with a section code. The section codes categorize the results. The following are the descriptions for each section:
R0, R1, R2, R3 - Internet Explorer Start/Search pages URLs
F0, F1, F2,F3 - Auto loading programs
N1, N2, N3, N4 - Netscape/Mozilla Start/Search pages URLs
O1 - Hosts file redirection
O2 - Browser Helper Objects
O3 - Internet Explorer toolbars
O4 - Auto loading programs from Registry
O5 - IE Options icon not visible in Control Panel
O6 - IE Options access restricted by Administrator
O7 - Regedit access restricted by Administrator
O8 - Extra items in IE right-click menu
O9 - Extra buttons on main IE button toolbar, or extra items in IE 'Tools' menu
O10 - Winsock hijacker
O11 - Extra group in IE 'Advanced Options' window
O12 - IE plugins
O13 - IE Default Prefix hijack
O14 - 'Reset Web Settings' hijack
O15 - Unwanted site in Trusted Zone
O16 - ActiveX Objects (aka Downloaded Program Files)
O17 - Lop.com/Domain Hijackers
O18 - Extra protocols and protocol hijackers
O19 - User style sheet hijack
O20 - AppInit_DLLs Registry value Autorun
O21 - ShellServiceObjectDelayLoad
O22 - SharedTaskScheduler
O23 - Windows XP/NT/2000 Services
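Reading a log by hand gets easier once you see the structure. The following is an added example, not part of this guide or of HijackThis: a parser for the line format above that sorts entries by section code and applies a few triage rules of the kind an experienced helper uses (autoruns launched from Temp or a user profile, a system binary name running outside System32, a security vendor in the hosts file, an unfamiliar start page, overridden DNS servers). The sample log, its paths, CLSIDs and addresses are constructed, and the trusted-page and system-binary lists are assumptions; everything it marks "research" still needs looking up.

```python
# Added example (not part of the guide or HijackThis): parse HJT log lines
# by section code and apply simple triage rules. The sample log, paths,
# CLSIDs and addresses are constructed; the lists below are assumptions.
import re

SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.4
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.example-toolbar.test/
O1 - Hosts: 127.0.0.1 www.malwarebytes.org
O2 - BHO: Adobe PDF Reader Link Helper - {11111111-2222-3333-4444-555555555555} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [svchost] C:\Documents and Settings\User\Local Settings\Temp\svchost.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{66666666-7777-8888-9999-000000000000}: NameServer = 203.0.113.53,203.0.113.54
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\system32\svchost.exe
"""

LINE_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
URL_RE = re.compile(r"https?://([^/\s]+)")

SECURITY_DOMAINS = ("malwarebytes.org", "safer-networking.org",
                    "superantispyware.com", "microsoft.com")
TRUSTED_PAGES = ("google.com", "bing.com", "msn.com", "yahoo.com")
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe"}
USER_WRITABLE = ("\\temp\\", "\\local settings\\", "\\appdata\\",
                 "\\application data\\", "\\desktop\\")


def parse_log(text):
    """Return [(section, detail)] for every log line that carries a section code."""
    out = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            out.append((m.group(1), m.group(2)))
    return out


def _domain_in(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)


def triage(section, detail):
    """Return (verdict, reason); verdict is remove, review, ok or research."""
    low = detail.lower()
    if section == "O1":
        host = low.split()[-1]
        if _domain_in(host, SECURITY_DOMAINS):
            return "remove", "hosts file blocks a security vendor"
        return "review", "hosts file redirect (immunization entries are normal)"
    if section == "O4":
        command = low.split("] ", 1)[-1].strip()      # text after [name]
        exe = command.rsplit("\\", 1)[-1].split()[0]
        if any(tag in command for tag in USER_WRITABLE):
            return "remove", "autorun launched from a user-writable folder"
        if exe in SYSTEM_BINARIES and "\\windows\\system32\\" not in command:
            return "remove", "system binary name running outside system32"
        return "ok", "autorun from a system folder"
    if section in ("R0", "R1"):
        m = URL_RE.search(low)
        if m and _domain_in(m.group(1), TRUSTED_PAGES):
            return "ok", "start/search page on a known site"
        return "review", "unfamiliar start/search page"
    if section == "O17":
        return "review", "DNS servers overridden; confirm they belong to your ISP"
    return "research", "look the entry up before removing it"


def report(text):
    """Triage every entry: [(section, verdict, reason, detail)]."""
    return [(s, *triage(s, d), d) for s, d in parse_log(text)]


if __name__ == "__main__":
    for section, verdict, reason, detail in report(SAMPLE_LOG):
        print(f"{verdict:8} {section:4} {reason}\n         {detail}")
```

The "remove" rules are deliberately narrow: a file that calls itself svchost.exe but lives in a Temp folder is never legitimate, while a BHO or service can only be judged by looking its name and path up, which is what the online analyser linked below and the support boards in "Seeking Outside Help" are for.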

Use the following link and paste your logfile into the text box:
http://www.hijackthis.de/index.php

This will give you a list of which entries are known-safe, known-bad, or unknown. If an entry is neutral or mixed, check whether you can identify the file it points to (its path and publisher). If not, research the entry before removing it completely. If you have accidentally removed an important entry, HJT has a recovery feature built in. Simply click the Config tab on the main screen and navigate to the Backups box. Click the entry you removed and select Restore. You may need to restart your system for these changes to take effect. Note that fixing an entry only removes the hook, not the file it pointed to; delete or quarantine the file as well, or the malware can simply re-add the entry.

Also note that every tech support board worth its salt will ask you for your HJT log. If you plan on seeking outside help for your malware troubles, keep your HJT log nearby.
#10 Qbsean10 (Topic Creator) Posted 6/9/2010 11:25:13 PM
ComboFix
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

ComboFix is a relatively simple tool to use but requires patience and in some cases outside help to be completely effective. Prior to scanning, turn off your anti-virus and any other real-time monitors (including Spybot's TeaTimer) so that they do not block ComboFix's changes or quarantine its components mid-run. To run ComboFix, simply download the .exe from the link above to your desktop and double click the file. You will see an intro screen, to which you should select “Yes” to run. At this point, ComboFix will alert you if it detects any anti-virus programs still running. It is crucial that these be off during the scan, and turned back on as soon as it finishes.

From here, ComboFix will create a restore point, back up your registry, and check that you have the Windows Recovery Console installed. If you do not, it will download and install it automatically before continuing the scan; the Recovery Console is there so that the system can still be repaired if a removal leaves it unbootable. It will first check for rootkit activity. If detected, it will require you to restart your system. ComboFix will resume the scan once Windows loads. From here it will run through a series of roughly 50 scan stages that may take up to an hour to complete. During this time you may see your desktop disappear or your clock settings change. This is normal and will be restored at the end of the scan. Once all stages are complete, ComboFix will state it is generating a logfile. This process takes time, as the log is quite large. Let it work. You will know the scan is complete when the logfile opens in a separate Notepad window. This logfile can be found by default at C:\ComboFix.txt.

To uninstall ComboFix, click Start, then Run, and type exactly “ComboFix /Uninstall” without the quotes. Note the space between ComboFix and /Uninstall. This process will take a few moments; you will see a notification box stating it has been successfully removed. The ComboFix.exe on your desktop should now be gone.

Interpreting the ComboFix log is crucial. While ComboFix can and will remove a boatload of malware infections, it is just as important to have a qualified technician review your log for other infections. Specifically, the internal GMER rootkit scan will show results towards the end of the logfile if rootkit activity is detected and not removed. See the “Seeking Outside Help” section for more information on assessing your ComboFix logfile.

Remove Old System Restore Points and Create a New One
If at this point in the process you have run a multitude of scans and have zapped a handful of malware infections, it is best to now remove your old system restore points and create a clean one. This is important because old restore points are snapshots of system files and the registry, and they will most likely still contain the removed malware (scanners commonly report infected files under System Volume Information for exactly this reason). If you were to restore to one of these points you would risk reinfecting your system and in some cases worsen the problem. If your scanning process netted very few or minor malware instances, this step is probably not necessary.

On Windows XP, click Start > Control Panel and switch to Classic View. Double click the System icon and navigate to the System Restore tab. On this menu, check the box next to “Turn off System Restore” and click OK. This will remove all old restore points. Once finished, double click the System icon again and uncheck the “Turn off System Restore” box. Now is a good time to adjust your disk space usage. 3% is generally enough to offer ample restore points, but if you feel comfortable with more, feel free to adjust this. On Vista and 7, the equivalent setting is under System > System Protection, where you can turn protection off and back on for the system drive in the same way.

Now it is time to create a new system restore point. Click Start > All Programs > Accessories > System Tools > System Restore. From here, simply select “Create a restore point” from the menu, rename it “Malware Scan” or something similar, and click create.

--------------------------------------------------------------------------------------------------------------------------------------------------------------------