The Comprehensive Anti-Spyware Guide

Robert Hallock (Thrax) Short-Media presents the ultimate guide to understanding, removing, and preventing all forms of malware.

October 29, 2006 4:59 PM ET in Articles

Find & use the tools you need to remove viruses and spyware, and prevent a new infection

Contents of this guide:

  1. About this guide
  2. The scale of the problem
  3. Is it legal?
  4. Important terms to know
  5. Tools to use (overview)
  6. Removing spyware: Using, updating anti-spyware tools
  7. Removing viruses: Using, updating antivirus software
  8. Preventions (critical!)
  9. General tips
  10. Checkup and conclusion – get help in our forum!

About this guide

“Need your Help! PLEASE!!!”
“Help please!?!?!”
“Need help!”
“Lots of problems!!!”

Those are titles of real threads in our forum, and we see threads like this every single day; all of them carry the same tone: Someone’s PC is crashing, freezing, sluggish, unresponsive, littered with toolbars, popups and browser-breakers, and they don’t know where to start. We at Short-Media recognized this problem in the late months of 2004, and have since become a large resource for knowledge on how to assess, remove and prevent spyware. When we opened the doors on our Spyware/Virus/Trojan (SVT) Forum on December 26th, 2004, none of us imagined just how prevalent the problem was and how rapidly it was going to inflate; since the date of the SVT Forum’s opening, we’ve received more than 7,600 individual requests for help with infestations. In every case that we can, we help the person to recognize the problem, clean the problem, and prevent it from happening again. More than 20 individuals a day post the results of their scans for our analysis, but this is merely the tip of the iceberg; many websites larger than Short-Media do the same.

Our hope is to provide you with a complete, end-to-end solution for detecting, identifying and removing spyware with comprehensive personal support. We’re not just going to throw a guide at you and hope for the best! We’ll be here to answer any questions along the way, as well as look over the results you’ve achieved to see if anything was missed. We hope you’ll find this guide valuable and perhaps even indispensable on your road to repairing your Windows 2000 or Windows XP installations, and alleviating the threat you’re currently facing.

The Scale of the Problem

Spyware is no small threat, and certainly not something to be trifled with. According to Symantec Corporation, authors of the successful Norton series of security software, spyware is quickly growing into the number one threat our PCs face; by the end of 2007, it is predicted that spyware will be more prevalent than viruses. Similarly, the rate of growth spyware exhibits is exponential both in terms of the number of PCs infected, and the volume of malware in the wild to do the infecting. In a study conducted on more than three million of their clients, successful ISP Earthlink states that the average PC has twenty-five or more instances of spyware. Richard Stiennon, Chief Threat Analyst at Webroot, predicts that the spyware-production business is worth over $2.5 billion just with the top seven spyware programs, which means there are hundreds if not thousands of individuals out there writing malicious code to get a piece of the pie.

As malware authors significantly outnumber the anti-malware writers, the threat to all of us has been estimated at more than $40 in direct financial damage for every adult in the US alone* and is only going to get bigger. Lastly, a study conducted by the National Cyber Security Alliance (NCSA) proved that more than 61% of people failed to recognize harmful or illegitimate websites and emails, despite 87% of their research candidates saying that they were capable of doing so. This proves a very potent point regarding the production of viruses and spyware: People overestimate their protection and underestimate the threat, which is why malware is so successful. [*Extrapolated from US Census Data by subtracting children under 18 years from US population, dividing by the $7.8 billion figure cited]

Spyware is quickly growing more advanced than ever before. The industry centered around the production of Spyware/Adware/Malware has gone beyond the days of simple applications that hijacked a web browser to serve advertisements, or install a toolbar. Instead, applications like Spyfalcon, Winfixer and WinAntiVirus are all malicious programs that masquerade as legitimate removal applications; they’re so insidious because they look authentic, right down to imitating scans performed by other legitimate applications.

Behind the scenes, they’re hooking into your operating system, collecting generalized demographic information, monitoring cookies, slowing down your PC, and making money for someone else at your expense. Some strains of Spyware are even worse in that they outright encrypt files on your PC, demanding payment to an off-shore firm for the unlock code. Other strains of spyware that are elusive but available in the wild have been known to steal credit card and social security numbers as well as logins and passwords to banking websites.

Is it legal?

If these prospects aren’t scary, it may disturb you to know that Spyware is still not illegal in the United States. Despite best efforts such as the Federal SPYBLOCK and I-SPY acts of 2005, and numerous bills at the state level in places such as California and Utah, Spyware still remains a “Legitimate” business practice unless the software violates some other law such as electronic fraud. Your generic popup-producing, computer-slowing, toolbar-installing, Windows-breaking Spyware is as legal today as it was the day it was conceived. What bills have passed, including additional enforcement rights for the FTC, have generally been spineless and symbolic gestures. However, even if thoroughly aggressive legislation were to be signed into law, the arm of that law would stop at our shores.

This is problematic in that most spyware authors operate in third-world regions, such as Sub-Saharan Africa, the Middle East, and especially former Soviet satellite states. Without negotiating complex extradition rights, these laws could never be applied, and it is unlikely that foreign governments would ever agree to the United States pursuing such a procedure. The European Union has also sought similar avenues as early as 2002 with Brussels introducing a directive to its constituent states, which subsequently outlawed spam, and some forms of cookies within the EU[10]. Additionally, the OECD (Organization for Economic Co-Development), which includes both the US and the EU states, has launched into talks this year regarding the collateral enforcement of anti-spam and anti-spyware laws, but the talks have not yet come to resolution.

So where does that leave us? To our own devices, sadly. Brave software authors have stepped up over the years to produce fine pieces of software dedicated to the removal of these malicious programs, and many of them include code which can prevent reinfection, even going so far as to analyze and recognize threats that we are not yet aware of. It is important to realize that the scope of spyware is so vast that just one or even two programs are not enough to detect and cure serious spyware infections. Each program’s detection routines and spyware detection definitions are slightly different, and while many of them agree upon and detect the major offenders, it is through the supporting community for each program that some of the smaller and more obscure pieces of spyware are detected, reported, and supported for removal. Therefore we find that all of the applications overlap somewhat, but many of them detect things that are unique unto themselves.

Important terms to know

Words That Define the World of Malware

It is important, as with any job, to know the lingo it uses. Being comfortable with the phraseology is one step closer to understanding the problem, as each and every day I ask people if they “Know what spyware is,” and the most common answers lie within the realm of bewildered looks or firm negative responses. Our goal at Short-Media is not only to address the symptoms of your issue, but to fix the cause and help you understand what sort of problem you were really facing. As in the realm of medical science, we often appreciate it when doctors explain what is really going on when we are sick or injured, and we at Short-Media want you to know and understand what’s really going on when your PC is sick and injured. Let’s jump to the terms and see what they all mean.

Spyware: So named because these sorts of applications were initially developed to record demographic information (Age/Geographic Location/Browsing habits), the term has since expanded to include any type of unwanted program that is not deliberately destructive of any single file or group of files on your PC.

Adware: Most typically this word is used to describe any type of Spyware that produces advertisements, either in the form of popups at any time your PC is in operation, or in the form of an obtrusive toolbar nestled at the top of your internet browser. This word is falling out of prevalence as the word “Spyware” rises into the common dialect of society.

Malware: A portmanteau of malicious and software, malware is an umbrella term that includes viruses, trojans, worms, adware and spyware. If you were to talk about a PC that had both viruses and spyware, you would say that it had a malware infection.

Peer2Peer: Shortened to P2P, a peer2peer program is an application that allows users to directly share full files between one another. Common types of peer2peer applications include Kazaa, Grokster, BitTorrent and Limewire. While Peer2Peer programs are convenient, and even enjoyable in their use, many of them come bundled with adware or spyware. Even if they are of the type that does not come pre-packaged with adware or spyware, many of the files harbored on the network the P2P application runs on do contain either viruses or spyware.

Virus: A virus is any application that is self-replicating. Self-replicating code is code that is explicitly designed to make copies of itself and propagate, or spread, in the manner the author intends, typically through P2P applications, eMail or IM applications. While many viruses are destructive, in that they delete or destroy data, most viruses are fairly benign and qualify as an annoyance or a great frustration. The difference between a virus and a worm, however, is extremely important. The virus requires host files to infect in order to migrate at all. If you were to write a virus, but never author any code that tells the virus how to insert itself into other applications for propagation, it would sit inertly on your PC and never do a thing.

Trojan: Deriving its name from the Homeric epic wherein the Trojans offer the gift of a massive wooden horse to the city of Troy, whereupon the city is ransacked at dusk when Trojan soldiers emerge from the horse once safely behind the city walls of Troy, so operates a Trojan Horse in the PC world. These malicious little devices sneak through the defences of a PC and leave holes in said defences, so an individual may come by later and obtain complete access to your PC.

Worm: Unlike a virus which requires a host file to replicate, the worm is self-contained and can spread at its own will. It is a stand-alone, independent application capable of performing its task regardless of what is on your PC. Be it file destruction, or obtrusive and obnoxious side-effects of infection, the Worm is probably the most insidious type of malware that exists on the internet.

Anti-Spyware: Typically used in terms of an application, an anti-spyware application is an app that is designed to detect and remove, and perhaps even prevent spyware on your PC.

Anti-Virus: Again, typically used in terms of an application, an anti-virus application is an app that is designed to detect, remove and always prevent viruses, trojans and worms. Some of today’s anti-virus programs also include rudimentary protection and removal of spyware but no anti-virus application on the market performs a thorough job of removing spyware.

Definitions: Just like a dictionary definition is a lexicon of words commonly accepted in a language and explanations of what they mean, a set of definitions for the PC is a listing of all the different types of malware that particular program is able to detect, in addition to how it goes about removing it. Depending on the application, definitions may be downloaded automatically, or must be downloaded by the user. Definitions are usually released every three to seven days, depending on the program. Having the newest definitions is the most important step in malware removal, just behind having the right tools for the job.

Windows Registry: A database of settings stored on your computer. Cataloguing virtually everything on your PC, including some passwords, license numbers for applications, Windows settings, application settings and links to where every file is on your PC, the Windows registry is a place malware typically likes to fuss with. Whether by installing links into the registry to force reinstallation of a piece of spyware after you have removed it, or by deleting large portions of it outright, malware often directs many of its attacks in this direction. Because it is an obscure section of a Windows-based PC, it often goes untreated when there is a problem, even though treating it is a very crucial step.

Safe Mode: Accessed by hitting F8 rapidly as your computer is turning on, a menu presents itself giving you the option to launch into “Safe Mode with Networking” as a hidden option of the Windows 2000 and Windows XP operating systems which this guide is intended for. Safe mode is a pared-down version of Windows which disables many spyware applications temporarily by failing to load startup applications, huge portions of the Windows Registry, and numerous device drivers. It is important that any and all scans done with anti-spyware applications, and virus applications (If supported) be conducted in Safe Mode so the threats can be removed. Spyware and viruses often like to run in your computer’s system RAM/Memory, so when you go to delete the infection as a routine step, it can not be deleted. Safe Mode typically resolves this problem.

Hijacker: A type of spyware designed to take control of your browser in the form of toolbars, popups, or by changing the buttons and even the homepage on your browser. They produce advertisements based on your browsing habits in hopes that you will click their links to generate revenue.

Tracking Cookie: When you go to websites, many of them install a small file called a “Cookie” on your machine in a single folder for either Internet Explorer or the Mozilla family of browsers. Typically, these are innocuous things such as remembering settings for your account, or remembering password information you entered. Some cookies however are designed to track where you go on the internet, gathering browsing habits, and when you navigate back to a site owned and/or operated by the originator of that tracking cookie, the full details of your browsing history are shared.

Popups: You’ve seen them! Small Internet Explorer windows opening with advertisements regardless of the site you’re visiting, or if you even have your browser open at all. Most people simply download a popup blocker (Most of which are spyware also), curing the symptom but not the larger problem.

Dialer: Something of an old hat in spyware is the dialer, a small program that encourages you to dial a 1-900 number to access “Special” or “Important” content. The internet equivalent of phone cramming. These only work on dial-up users or owners of DSL lines, as they connect to the phone system at the end of the day. People who have fallen for these have racked up thousands in charges on their phone bill. While they seem easy to avoid, they’re often fraudulent or hard to discern at first glance simply because the intent of the program is thoroughly misrepresented.

ActiveX: A Microsoft technology originally envisioned and designed as a platform for distributing safe and legitimate applications over the web for end users. Unfortunately, due to the ease of use and distribution in ActiveX, it has been hijacked numerous times to install harmful software. The scant security protections that it has, combined with poor user practices can easily lead to the software being installed silently on a computer system. Conversely, however, ActiveX when used in the manner in which it was intended can be very helpful; the free virus scans we’re going over today explicitly use ActiveX technology to send their clients to the end user so scans can be run.

The Right Tools for the Right Job

Tools that Detect, Remove and Prevent malware

As noted above, the most important point in any malware removal process is having the right tools for the job. If you are not careful in your selection, you may end up with applications that only address a portion of the problem, or otherwise omit crucial elements of whatever may be afflicting your PC, and perhaps you might even be using applications that are malware themselves. It is also important to note that one virus application and one spyware application is not enough to detect and remove a serious infestation, even though it may be quite enough to prevent future infections. This dichotomy is analogous to the idea that it is pointless to change your oil when your pistons have seized, even though changing the oil while your car was functional may have been enough to keep your car functioning properly. We can then draw the conclusion that you should use one or two best tools for preventative maintenance, while using a wide variety of tools for reactionary maintenance.

As far as preventative maintenance is concerned, we will return to that issue further on in this guide. For now, we will list the tools that we recommend to fix a malware outbreak, as well as where to find the newest versions at any time you happen upon this article again. It is important to note that the first five anti-spyware tools are free, and the other two programs are only free to scan with. Use the free applications first, and then see if the pay-for programs detect anything the free ones did not; if the free ones missed some infections, perhaps the pay-for services might be worth the investment to you. Short-Media recommends Kaspersky Anti-Virus Personal 6.0 if you opt to purchase a service.

Lavasoft’s AdAware SE Personal Edition (free, anti-spyware)
One of the old guards of spyware removal, Lavasoft has long been a leader in spyware-removal utility development that is free for personal use. It has a consistent and predictable definition update cycle of about fourteen days, and scans relatively quickly.

Grisoft’s Ewido Anti-Malware (free, anti-spyware)
Despite the name, Ewido detects and removes only the most rudimentary and common viruses/trojans, and has little to no worm detection. However, what it does excel at is spyware removal. Featuring a very large definition database, as well as memory and archive scanning, Ewido is very thorough but very slow. The application is free beyond 14 days; however, some of the program’s options are disabled at that time. Prior to that deadline, the program is fully functional.

Spybot Search & Destroy (free, anti-spyware)
Arguably the grand-daddy of spyware removal programs, Spybot S&D was roaming the earth when it was young, eradicating spyware on PCs from the Cretaceous period. It, however, shows no signs of aging and continues to receive regular definition updates. It is one of the faster anti-spyware applications, but is perhaps not as thorough as some.

Microsoft’s Defender (Beta 2) (free, anti-spyware)
GIANT Anti-Spyware under new ownership, Microsoft purchased the GIANT Anti-Spyware firm in Q4 of 2004 and released it with new definitions, support, and a new design in the middle of 2005. Since then, Microsoft has been vigilantly developing the program, succeeding Microsoft AntiSpyware (Beta 1) with Defender to great levels of success. It is a fast application, features memory detection and very regular updates. The downside of the application is that it requires validation with the Microsoft Genuine Windows program to download, which some people are wary of. It has also been argued that Defender is less thorough than its predecessor, but such a thing is open to debate. The last downside is that you can not install the application in Windows Safe mode, so it must be installed first in regular Windows before booting into safe mode to proceed with repairs.

HijackThis (free, anti-spyware)
A smaller and convenient utility that gives a full list of programs and files that start with Windows, hook into the Windows registry, or into the Internet Explorer browser, HijackThis is useful for doing preliminary identification of suspect files indicative of an infection. It is also useful as a post-removal tool for analyzing the thoroughness of your job. We in the SVT forum often ask for HJT logs before and after an SVT-removal attempt to see what we’re up against and how we did at removing it.

Pareto Logic’s Xoftspy (pay-for, anti-spyware)
A newcomer to the arena of spyware removal, Xoftspy receives very regular updates, is quite thorough and extremely fast. It also has the benefit of being a very small install, but has the downside of requiring registration to remove any of the spyware it detects. If you are not willing to pony up the greenbacks, you can skip this program and use what remains to great degrees of success; however, it never hurts to hit spyware like the fist of an angry god with every tool in your arsenal. The business model of requiring registration for full-featured service is similar to Symantec’s Norton Antivirus subscription service, and seems to be a growing trend in this industry. At the very least, you can run the tool to see if the other spyware programs missed anything. If they did, Xoftspy may be worth your money. If they didn’t, save your cash. If we had to choose between Xoftspy or Spysweeper here at Short-Media, we would choose Spysweeper.

Webroot’s SpySweeper (pay-for, anti-spyware)
Something of an 800 pound gorilla in the world of anti-spyware, Webroot has quickly become an editor favorite in professional PC publications such as PC World and PC Magazine. Despite having a large hard drive footprint, and a scanning engine that takes the better part of eternity, it is worth it. SpySweeper individually has more spyware definitions in its database than many of the above applications put together, and is one of the few that can successfully detect and remove rootkits from the PC while the PC is in operation. Unfortunately, like Xoftspy, a registration is required to activate the removal tool in the program. This is similar to Symantec’s Norton Antivirus subscription service, and seems to be a growing trend in this industry. At the very least, you can run the tool to see if the other spyware programs missed anything. If they did, in fact, miss something on your PC, then SpySweeper would probably be worth your money. Webroot does actually offer fantastic product support, and the product itself is quite good.

Kaspersky Labs Online Virus Scanner (free, antivirus)
Developed by the same company that develops the very thorough Kaspersky-branded anti-virus suite, their online virus scanner system is a web-based virus detection and removal system. It installs a small control file on your PC, and a thorough set of definitions that it can process while scanning the files on your PC. Kaspersky’s OVS can not be downloaded for offline use. It runs only from within the Microsoft Internet Explorer browser, and should be run after all the spyware scans have been performed.
Or buy Kaspersky Anti-Virus Personal 6.0 (recommended by Short-Media)

Panda Software’s ActiveScan (free, antivirus)
Developed by the same company that develops the Panda Anti-Virus suite, the ActiveScan system is a web-based virus detection and removal system. It installs a small control file on your PC, and a thorough set of definitions that it can process while scanning the files on your PC. ActiveScan can not be downloaded for offline use. It runs only from within the Microsoft Internet Explorer browser, and should be run after all the spyware scans have been performed.

Symantec Security Check (free, antivirus)
Developed by the same company that develops the Norton series of virus and system utilities, the Security Check is a web-based virus detection and removal system. It installs a small control file on your PC, and a thorough set of definitions that it can process while scanning the files on your PC. Security Check can not be downloaded for offline use. It runs only from within the Microsoft Internet Explorer browser, and should be run after all the spyware scans have been performed.

BitDefender Online Scanner (free, antivirus)
Developed by the same company (SOFTWIN) that develops the BitDefender series of anti-virus tools, their online scanner is a web-based virus detection and removal system. It installs a small control file on your PC, and a thorough set of definitions that it can process while scanning the files on your PC. BitDefender can not be downloaded for offline use. It runs only from within the Microsoft Internet Explorer browser, and should be run after all the spyware scans have been performed.

McAfee FreeScan (free, antivirus)
Developed by the same company that develops the McAfee series of security tools, their online scanner is a web-based virus detection and removal system. It installs a small control file on your PC, and a thorough set of definitions that it can process while scanning the files on your PC. Freescan can not be downloaded for offline use. It runs only from within the Microsoft Internet Explorer browser, and should be run after all the spyware scans have been performed.

As you can see, the number of tools required to deal with a malware infection is much larger than perhaps you, and surely many other people, realize. A whopping seven spyware scanners and an impressive three virus scanners really is what it takes to get the job done, and get it done right. Don’t be daunted though, as next we’re going to demonstrate how to update, configure, and use each and every tool you’ve seen here to kick the life out of spyware, and put the power of your PC back in your own hands.

Knocking Out the Spyware

How to Update and Use Each Tool

Now that you have your arsenal to detect and remove malware, it’s important to know how to configure the tools properly to deliver the best results. We’re going to go through each program step by step to teach you how to update the definitions, run the scan and remove what the scans find. It is also time to reiterate that two of the seven applications I’ll be demonstrating in the spyware-removal portion of this section have registration fees in order to remove the objects that they find. I’m going to start with the free programs and work my way down to the subscription/priced services; again, you should follow in the same direction, because the four free applications that we’ll use to scan (AdAware, Spybot, Ewido and Defender) might just do the trick. It’s good to install and run the price-based ones to see if they detect anything that their free counterparts missed, and if they did miss something, it’s up to you to consider if the cost of registration is worth it. That said, let’s move on to the step by step. Please conduct all virus and spyware scans in Windows Safe Mode With Networking.

Lavasoft’s AdAware SE Personal Edition (free)

Step 1 – Update the Program: Start by clicking on the glossy globe icon in the upper left hand corner of the application like so.

Step 1a – Update the Program: Next, click the connect button to access Lavasoft’s servers to download the definitions.

Step 1b – Update the Program: Once the definitions have installed, click “Finish.”

Step 2 – Start the Scan: Hit “Scan now” and make sure that “Perform full system scan” is selected. When you’ve done this, hit “Next.”

Step 3 – Remove Infections: Right click on any item in the list and hit “Select All Objects.” Once that’s done, simply hit next to remove the infections.

Now that you’ve successfully run Lavasoft’s AdAware SE Personal edition, and removed anything that it found, it’s time to run Spybot S&D. Feel free to close the AdAware application at this time.

Spybot Search & Destroy (free)

Step 1 – Ignore the Startup Boxes: Spybot fires off a long string of questions and settings when you launch the program for the first time. Simply click next on all the boxes, and then hit “Start using Spybot S&D.”

Step 2 – Update the Program: Start by clicking the “Search for Updates” button.

Step 2a – Update the Program: At this new screen, make sure you check the four boxes we have checked if they are available. If some are not, don’t worry, it simply means your version of the program was newer than mine when you downloaded it. But make sure that you check any of these boxes if they’re there. Also, make sure to set the download source to “BN FileForum (Global)” as the other download repositories often have errors. When you’ve met these stipulations, simply click “Download Updates.”

Step 3 – Start the Scan: Hit the “Search & Destroy” box after you have updated the definitions, and then select “Check for problems” at the top of the new window.

Step 4 – Remove Infections: Make sure that all of the check boxes in the “Problem” column are checked. As you can see, we had a computer that had many tracking cookies on it. Remove them by hitting “Fix selected problems.”

Now that you’ve successfully run Spybot Search & Destroy, and removed anything that it found, it’s time to run Grisoft’s Ewido Anti-Malware. Feel free to close the Spybot application at this time.

Grisoft’s Ewido Anti-Malware (free)

Step 1 – Update the Program: Start by clicking the “Update” button and then “Start update.”

Step 2 – Start the Scan: Hit the “Scanner” button, and make sure you select “Complete system scan.”

Step 4 – Remove Infections: Sometimes Ewido will prompt you with a box such as you see below. It typically produces this box for pieces of spyware it has detected running in memory, or are newly-installed while the application is running. In this case, the computer we were using to write this article on picked up a tracking cookie while an Ewido scan was being conducted. If you find that you run into this box uncheck “Create encrypted backup in the quarantine” as this simply archives the unwanted spyware; no one wants an archive of pure garbage. Make sure that the “Remove” is the action to be performed, that you have “Perform action with all infections” checked, and then hit okay.

t_ewido_step3_remove

Click to enlarge

Step 4a – Remove Infections: Once you have eliminated any pressing matters brought to your attention by Ewido, the program conveniently eradicates any and all spyware that it finds without even bothering us. It knows spyware is garbage, we know spyware is garbage, so Ewido doesn’t even fool around. As you can see, this PC had a lot of what turned out to be tracking cookies on it. Notice that the other scanners didn’t pick these up? You’re beginning to see the value of running multiple applications.


Now that you’ve successfully run Grisoft’s Ewido Anti-Malware, and removed anything that it found, it’s time to run Microsoft’s Defender (Beta 2). Feel free to close the Ewido program at this time.

Microsoft Defender (Beta 2) (free)

Step 1 – Update the Program: Start by clicking on the “Check now” button. The definitions will be downloaded and installed automatically.


Step 2 – Start the Scan: Hit the down arrow next to the “Scan” button and select “Full Scan.”


Step 3 – Remove Infections: Fortunately, this computer didn’t have any spyware on it when the scan was run; however, infected objects would appear in this window much like in any other anti-spyware program. If any piece of harmful software is detected, just make sure each one of them is checked and then remove it.


Now that you’ve successfully run Microsoft’s Windows Defender (Beta 2), and removed anything that it found, it’s time to run HiJackThis. Feel free to close the Windows Defender application at this time.

HijackThis (free)

HijackThis is not your typical anti-spyware program; while other programs are fully-automated, in that they have a list of definitions to process, and systematically locate/remove malware, HijackThis requires manual intervention. All the program does is produce a list of executables, DLL files, registry entries, and browser plugins that are set to load with the computer or Internet Explorer. The complexity of the tool is in knowing what to look for, what is safe to delete and what is not. For the purpose of this section, we’re going to teach you how to start a scan and save its resulting log file for later use. The log file will come into play at the end of the guide, so hold on to it!

Step 1 – Scan and Create a Log:
Start by clicking “Do a system scan and save a logfile.” This will scan for items that load with Windows or Internet Explorer, and list them for you. Don’t delete or check anything.


Step 2 – Save the Log File: Click on the Notepad window that HijackThis creates automatically and navigate to File -> Save As. Give it a name you can remember and store it in a location where you’ll be able to retrieve it for later use. We’ll come back to this file towards the end of the article.


Now that you’ve successfully run HiJackThis and saved the log file, it’s time to move on to Pareto Logic’s Xoftspy.
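To make the saved log less opaque, here is an added example (not part of the original guide and not HijackThis code) that reads a log and groups its entries by section code, so you can see which lines are browser plugins, toolbars, ActiveX controls, services and startup programs. The sample log is constructed, and the section table covers only a subset of the codes HijackThis emits; the script only reads the log and changes nothing on the PC.

```python
import re
from collections import defaultdict

# Constructed sample log: every name, CLSID, URL and path below is made up.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 5:01:12 PM, on 10/29/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ExampleAV\exav.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\ExampleBar\helper.dll
O3 - Toolbar: Example Bar - {00000000-0000-0000-0000-000000000002} - C:\Program Files\ExampleBar\bar.dll
O4 - HKLM\..\Run: [ExampleAV] C:\Program Files\ExampleAV\exav.exe /startup
O4 - HKCU\..\Run: [updater] C:\DOCUME~1\user\LOCALS~1\Temp\upd.exe
O4 - Global Startup: Example Tray.lnk = C:\Program Files\ExampleAV\tray.exe
O16 - DPF: {00000000-0000-0000-0000-000000000003} (Example Scanner Control) - http://www.example.com/scan.cab
O23 - Service: Example AV Service (exavsvc) - Unknown owner - C:\Program Files\ExampleAV\exavsvc.exe
"""

# Meaning of a subset of the section codes that prefix each log entry.
SECTIONS = {
    "R0": "Internet Explorer start/search page",
    "R1": "Internet Explorer start/search page",
    "O1": "Hosts file redirection",
    "O2": "Browser Helper Object (IE plugin)",
    "O3": "Internet Explorer toolbar",
    "O4": "Program that starts with Windows",
    "O16": "Downloaded ActiveX control",
    "O23": "Windows service",
}

ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")
# O4 entries come in two shapes: registry Run keys and Startup folder shortcuts.
RUN_RE = re.compile(r"^(?P<loc>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
STARTUP_RE = re.compile(r"^(?P<loc>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.+)$")


def parse_hjt_log(text):
    """Return (running_processes, entries) where entries maps code -> list of bodies."""
    processes, entries = [], defaultdict(list)
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower().startswith("running processes"):
            in_processes = True
            continue
        if not line:
            if processes:          # blank line after the process list ends it
                in_processes = False
            continue
        match = ENTRY_RE.match(line)
        if match:
            in_processes = False
            entries[match.group(1)].append(match.group(2))
        elif in_processes:
            processes.append(line)
    return processes, dict(entries)


def summarize(entries):
    """Return [(code, meaning, count)] in natural order (O2 before O16)."""
    def order(code):
        return (code[0], int(code[1:]))
    return [(c, SECTIONS.get(c, "other"), len(entries[c]))
            for c in sorted(entries, key=order)]


def autostarts(entries):
    """Split each O4 entry into (location, name, command line)."""
    found = []
    for body in entries.get("O4", []):
        match = RUN_RE.match(body) or STARTUP_RE.match(body)
        if match:
            found.append((match["loc"], match["name"], match["cmd"]))
    return found


if __name__ == "__main__":
    procs, entries = parse_hjt_log(SAMPLE_LOG)
    print(f"{len(procs)} running processes")
    for code, meaning, count in summarize(entries):
        print(f"{code:>3}  {count:>2}  {meaning}")
    for loc, name, cmd in autostarts(entries):
        print(f"starts with Windows: {name!r} via {loc}: {cmd}")
```

To use it on your own log, read the saved file into a string and pass that to `parse_hjt_log` instead of `SAMPLE_LOG`.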

Pareto Logic’s Xoftspy (free)

Step 1 – Update the Program: Start by clicking the “General Settings” button and then “Check for updates.” It’ll prompt you to confirm the download if there are new spyware definitions available; simply confirm the download and the updates will be downloaded and applied.


Step 2 – Start the Scan: Hit the “Start” button and the scan will continue.


Step 4 – Remove Infections: All the spyware infections are checked by default in Xoftspy, so it’s simply a matter of hitting “Remove.”


Webroot’s Spy Sweeper (pay-for)

Step 1 – Update the Program: Start by clicking the “General Settings” button and then “Check for updates.” It’ll prompt you to confirm the download if there are new spyware definitions available; simply confirm the download and the updates will be downloaded and applied.


Step 2 – Start the Scan: Hit the “Start” button and the scan will continue.


Step 4 – Remove Infections: If any of the spyware is unchecked, make sure to check it. Webroot has never given us a false positive, and though there’s a first time for everything, we’re not in the business of worrying ourselves sick about a file or two Spy Sweeper dredged up. As you can see, this is an unregistered version of Spy Sweeper; however, if this were the registered version, you’d need only click “Continue,” “Remove,” or “Next” (depending on your version) to go ahead with the removal.


Now that you’ve successfully run Webroot’s Spy Sweeper, it’s time to turn our crosshairs on any viruses, and send them packing.

Knocking Out the Viruses

How to Update and Use Each Tool

Now that we’ve combatted the spyware problem, it’s time to employ our anti-virus strategy; these scanners are online and 100% free every step of the way. While the full programs they’re based on are retail products with a retail price tag, these are free versions of the tools, which often work just as well for reactive anti-virus measures, but not for preventative anti-virus measures. Later on in the guide we’ll give you some tips as to which anti-virus programs are good, and which ones don’t cut the mustard. In the meantime, we’re going to go through each web scanner step by step to teach you how to use it.

Kaspersky Labs Online Virus Scanner (free) or buy the full version

Step 1: Accept the statement of benefits, privacy and licensing.
Step 2: At this point, the scanner is going to prompt you to download an ActiveX control; confirm the download by clicking the vanilla bar at the top of your Internet Explorer window.
Step 3: Click accept again when you’re taken back to the starting webpage.
Step 4: When prompted to install kavwebscan_unicode.cab, click the install button.
Step 5: Once you install that, Kaspersky will download 8MB of definitions to your PC so it can scan for viruses.
Step 6: When the status window announces that the update is finished, and you’re ready to scan, click next.
Step 7: On this new page, click the advanced settings button and make sure your scan mode is set to extended.
Step 8: Click ok!
Step 9: Back on the main screen, click on My Computer to have your PC scanned.
Step 10: Wait for the scan to complete.
Step 11: If any viruses are found, either remove them with the web interface if they were not already removed, or go to those directories in Windows Explorer to delete them manually.

Panda Software’s ActiveScan (free)

Step 1: Click “Scan your PC.”
Step 2: Click “Check now.”
Step 3: Select your country of origin from the dropdown list.
Step 4: Select your general locale within the country you chose.
Step 5: Enter a bogus email (“ccc@ccc.com” – no spam for us!)
Step 6: Click “Scan now.”
Step 7: At this point, the scanner is going to prompt you to download an ActiveX control; confirm the download by clicking the vanilla bar at the top of your Internet Explorer window.
Step 8: Click “Retry” when prompted.
Step 9: When asked to install “asinst.cab,” do so.
Step 10: Wait for their software and definitions to finish downloading.
Step 11: When done, select “My computer.”
Step 12: Wait for the scan to complete.
Step 13: Click “See report” when the web app is done.
Step 14: Viruses are automatically removed by Active Scan!
Step 15: Spyware is not removed by this application, however you can navigate to the directories cited and delete the files manually. Use the report to guide you in Windows Explorer.

Symantec Security Check (free)

Step 1: Click go.
Step 2: Under the virus detection column, click “Start.”
Step 3: Check the box next to “I accept” for the EULA, and click next.
Step 4: Confirm that you consent to Symantec’s privacy policy and click next.
Step 5: At this point, the scanner is going to prompt you to download an ActiveX control; confirm the download by clicking the vanilla bar at the top of your Internet Explorer window.
Step 6: Wait for plugin to finish downloading.
Step 7: When prompted to install the detection engine, click install.
Step 8: When prompted to install the definitions, click install.
Step 9: Once all necessary files have been downloaded, a scan will be run on all drives.
Step 10: Wait for the scan to finish.
Step 11: Once done, it will list any viruses. If it finds them, make sure you remove them.

BitDefender Online Scanner (free)


Step 1: Scan online.
Step 2: I agree.
Step 3: At this point, the scanner is going to prompt you to download an ActiveX control; confirm the download by clicking the vanilla bar at the top of your Internet Explorer window.
Step 4: Wait for plugin to finish downloading.
Step 5: Click here to scan.
Step 6: Wait for the definitions to download.
Step 7: Wait for the scan to finish, wherein all the harmful files will be deleted. If it can’t delete them, navigate to the directory listed and remove them manually.

McAfee FreeScan (free)

Step 1: Click “Scan now.”
Step 2: At this point, the scanner is going to prompt you to download an ActiveX control; confirm the download by clicking the vanilla bar at the top of your Internet Explorer window.
Step 3: When prompted to install software from McAfee, Inc., click install.
Step 4: Click “Drive C” then the scan button.
Step 5: When the scan is complete, the web tool will tell you where infected files are located. Navigate to the appropriate directories in Windows Explorer and delete the files manually.

Once all the scans for malware have been completed, it’s time to reboot your computer back into Windows Safe Mode With Networking and follow the steps in the “Verifying Our Results” portion at the end of this article. In the meantime, read up on some great practices and software for your anti-malware arsenal.

Preventative Maintenance

Kick Spyware and Viruses For Good

Now that we’ve addressed any spyware and viruses that may be on our system, we have a clean slate with which we can implement an effective solution to prevent viruses and spyware from ever coming back. It is important that you make sure your computer is in pristine condition before installing and practicing preventative solutions. To provide an analogy, consider a swimming pool that has a filthy motor on the filter. You can replace the filter, but the motor is going to stay dirty, and your pool will never truly get clean; first you clean the motor, then you can institute the preventative maintenance of a new water filter. We’re going to practice the very same thing here, and we’re going to start by giving you the proper tools for the job.

The number one tool for preventing spyware and viruses is wisdom. I can’t overstate the importance of wisdom when using the internet; having the keen discretion to know where malware is most likely to reside is a valuable tool for any computer user. Consider these 10 tangible things to avoid and practice:

  1. Free screensaver websites are a hotbed of malware activity. People really like free screensavers, but they’re riddled with bundled spyware, not only on the screensaver installer itself, but on the website too. Avoid these websites like the plague. Don’t even search for them.
  2. As a rule of thumb, try to use a webmail client whenever possible. While it’s very convenient to have email downloaded into a client on your PC, it presents a two-fold risk. The first is that any harmful content has already been downloaded to your PC the moment you open your client. The second risk is data integrity; what if your hard drive crashes? All your precious emails and contacts are stored on your PC, often irretrievably corrupt or lost when Windows goes belly up. Google Mail is one of the best web mail clients to date, and is something we at Short-Media heavily advise. If you simply must use a client that stores mail locally, use Thunderbird, from the Mozilla Foundation. It’s many times over more secure than Outlook or Outlook Express are.
  3. When it comes to email attachments, a good rule is this: Imagine you can only open 10 email attachments in your entire life. Period. Consider the attachment you’re about to open… Is it important enough to be one of those 10? If you don’t know the sender, or are familiar with the sender’s name but the email’s content seems suspicious, delete it without so much as a second thought. Email and attachments can always be re-sent if you happen to delete a legitimate one. The original sender will let you know if a valid email got caught in the crossfire; it’s not too hard to explain that you were just looking out for your PC as an expensive investment. It’s wise to risk some valid emails for the security of your PC.
  4. Let’s face it: people want to share files over P2P. Sadly, it’s one of the top ways you can get infected with malware. Bogus files flood the P2P nets every single day by the thousands. Virus writers have deliberately released their viruses onto the P2P networks first, because they knew very well that the uptake and propagation of their virus would be huge. Don’t be a sucker; stay away from file sharing.
  5. If you absolutely have to share files, don’t get caught using a client that in and of itself comes bundled with spyware. Short-Media SVT Forum moderator Trogan_1000 has a few suggestions for malware-free file sharing programs.
  6. Generally speaking, if you can’t find it on the first three pages of Google, your search terms are erroneous and you’re wading dangerously into malware territory. Five or six pages deep in a search engine query and you’re stumbling upon websites that are probably packed with junk that can harm your PC. It’s far better to try a couple search strings to get the right result than plodding along stubbornly and paying the price.
  7. If you are ever prompted to download a file that ends in .WMF, .PIF or .VBS, DO NOT DOWNLOAD IT. The Sobig, Netsky and Bestfriends viruses/trojans, to name a few, use the .WMF and .PIF extensions because they seem innocuous and they can deliver viruses quite easily. .PIF files usually get delivered as email attachments, and .WMF files are delivered through hijacked advertising on websites with infected servers. .VBS files are Visual Basic scripts which can execute any one of the following tasks: File deletion, virus infection, browser hijacking and more. Just avoid them.
  8. Always make sure you have active virus and spyware protection running on your PC at all times. Further down in this section, we’ll detail some excellent choices to protect yourself with.
  9. Always make sure that you run Windows Update at least once a week. Failing to do so is one of the easiest ways to leave yourself vulnerable to viruses. Consider the recent debacle on MySpace where an infected server (As seen in #7) was delivering .WMF viruses to users of the website. Over a million people were infected, but if they had patched their Windows operating system via Windows Update more than seven months prior to the incident, none of them would have been infected. That’s right, more than a million people never ran Windows Update for close to a year, and they paid the price. Consider also that the United States Department of Homeland Security feels so strongly about patching PCs that it makes press releases urging citizens to do the right thing, and update Windows. Be responsible! Failure to update Windows not only affects you, but makes you a potential carrier and distributor of harmful content. Viruses and malware can propagate off of your PC just because you were vulnerable.
  10. A good anti-virus package produces new definitions every three to seven days. If you don’t have your program set to download definitions for you when new ones become available, update your AV program every three days.

Now, beyond wisdom, it’s important that you’re using the right applications so as to reduce or eliminate the chance of infection on your machine. This includes the right internet browser, the right eMail client (If you must), the right Anti-Virus and the right Anti-Spyware programs. Your first line of defence comes in the form of a proper browser and web mail client, so let’s quickly go over those.

The Right Browser: Mozilla Firefox
As we mentioned in the terminology section, ActiveX controls are one of the easiest ways to get infected with stuff you don’t want. Firefox has no support for ActiveX controls, so you can’t accidentally download one, nor can you accidentally have one installed on your system. Beyond proper patching and practices, using Firefox as a browser is one of the best ways you can prevent malware from ever getting on your PC in the first place, and doesn’t that sound nice? Additionally, look at all the patched security flaws that Internet Explorer has been susceptible to over the last few years. Count them: There are more than 60 flaws, and that page doesn’t have a full listing. Firefox was never susceptible to any of these exploits.

If you’re not convinced from the standpoint of security, consider that many of the features that Firefox introduced to the wide audience, including tabbed browsing, HTML standards compliance, integrated CSS and broad support for new web languages are things that Microsoft has adopted for Internet Explorer 7. Firefox must be pretty nice if a multi billion dollar company is picking up features from a small open source outfit. Put simply: Firefox is more secure, faster, cuts down on advertisements and displays the internet as it was supposed to be displayed.

The Right Email: Google Mail
Like we mentioned earlier, the best defence against getting infected with malware via email is to never let those emails touch your computer. We strongly recommend Google Mail, which features a clean and robust interface, great speed, a wide variety of features, and a great anti-spam engine. The GMail service is still in beta, but existing members often have more than 30 invites to the service available to them. Chances are that someone on a forum you frequent has an invite they can extend to you so you can get in on this secure service. If you simply must use a client you can store on your PC, Thunderbird from the makers of Firefox features many of the same security features that Firefox does. It can even import mails from existing mail clients so you can be on your way towards a more secure computer.

Now that you’ve instituted your first and second lines of defence, good browsing habits and the right clients, it’s time to make sure you have the tools to deal with an infection if your wits and your clients fail you. Notice that we’re establishing a line of defence, first being good habits so you can avoid malware, second being the right web clients so you’re not susceptible to malware if you stumble across some, and the third being the right programs to prevent their installation or facilitate a quick cleanup if your first two measures fail you. Having great spyware and virus protection is key, because even if you’re very diligent, most people manage to pick up some viruses or spyware along the way.

The Right Anti-Virus Suite: Grisoft AVG Free
On July 21st of this year, a writer for ZDNet Australia wrote about a study conducted by the Australian Computer Emergency Response Team (AusCERT); the study concluded that the “Big Three” in the anti-virus industry (That is McAfee, Norton and Trend Micro) missed more than 80% of all viruses that can be contracted today. So if the big names in the industry with multi-million dollar R&D budgets don’t work, what does? AVG does. It uses less system resources than any of the Big Three AV products, takes less time to install, receives more frequent definition updates, has email, memory and HDD scanning just like they do, but best of all? It’s FREE. That’s right, AVG Anti-Virus is a 100% free product provided by Grisoft because they don’t want viruses in the wild any more than you do.

Their business model is such that they believe in delivering you a fully-functional product, because the product is so good that you’ll want to give back to them for the increased features of their professional product. I’ve upgraded my copy of AVG to the professional edition, and I hope you will too. The malware industry needs more companies like Grisoft throwing their weight around, because the faster we can get our hands on protection, the harder it will be for malware authors to get to our computers.

Don’t trust free? Silly you, however we have some other great options including Kaspersky Anti-Virus 6.0 and NOD32 For Windows. Both of these products, in addition to AVG, continually get nods of strong approval from security research and implementation firms the world over. You’ve probably never heard much about them, and that’s exactly what makes them so successful; malware authors target the products people are most likely to have, crippling them or stealthing by them so they can get their code onto your machine in a hurry. Sticking with lesser-known Anti-Virus products just makes sense, because the malware isn’t designed to traipse by them. Abandon the popular Anti-Virus solutions today.

The Right Spyware Protection: Webroot Spy Sweeper
We know we promised that we’d do things as cheaply as possible, but in the world of preventative spyware protection, no one does it better than Webroot. Their prevention and detection engine is the best in the industry, receiving accolades from PC World, PC Magazine, Smart Computing, ZDNet and Maximum PC. It’s hard to argue with a program that receives weekly definition upgrades to detect more than 147,000 different types of malware including keyloggers, trojans, popups and unwanted toolbars. It’s a great program, and is one of the few I as an author trust to prevent spyware infections, and I would definitely recommend you have it in your arsenal if you’re cleaning a problem up.

The Right Firewall:
If you think the Windows firewall is enough to protect you and you don’t have a router, you need to turn it off right now, go to the store and purchase a real firewall. The ZoneAlarm Pro firewall is generally regarded as the best, but like all software firewalls, it requires some hand-holding until you’ve fully configured the access settings for your incoming and outgoing network connections. Don’t just click “Accept” every time it prompts you to allow traffic; though it might get annoying after a while, thoroughly investigate what it’s prompting you to allow/deny, and make your choice. Doing so could literally be the difference between your computer falling to shambles, or running neat and clean. After you’ve installed the firewall, run all the tests available at ShieldsUp to assure that the firewall isn’t revealing any information or leaving any ports open. If, with the firewall on and running, ShieldsUp can connect to, see, or gather any information other than a browser request/ID, your firewall isn’t configured properly. Firewall protection is fussy, but it’s worth it in the long run.

If you do have a router, congratulate yourself because you’ve got the best protection a home user can really buy. A feature of all routers is something called Network Address Translation, or NAT. NAT’s job is to take the unique identifier given to you by your internet service provider (An IP address), and give it to the router itself; in so doing, anyone who scans your network, if they can see anything at all, will see nothing more than a dumb terminal sitting at the end of a network cable. It’s very hard to get around NAT, and most hackers and malware have better/easier things to do anyways. By default routers hide all the ports your computer can connect through unless you deliberately specify that a specific port or range of ports be opened.

Other Security Tips

More Best Practices

We can’t underscore this enough: Change every password you have on a regular basis. That’s your Windows password, your forum passwords, your online banking passwords, your email passwords. All of them. Never use a birthday, a name or a date in your password as people looking to get into your user accounts via keyloggers and trojans are looking for very obvious things such as that. Whenever you create a new password, make sure no one password matches another, for example make sure that your online banking password doesn’t match your email, which doesn’t match Windows, which doesn’t match your New York Times password. Is it a hassle? Yes, yes it is, but if you write all your passwords down and store them in a safe location, you’ll never lose track of them, and that’s a good thing. Furthermore, when creating a password, make sure it does not consist entirely of letters nor entirely of numbers. If you can think of any letters that can be replaced by numbers without looking too terribly silly, do that. For example, a very old password of mine that I no longer use was: fckgwrrzdyqq. Looking back, if I had to do that password again, I’d use this: fck9w22zdyqq1337. Why? Because I know that the number “2” often stands in for “R” in 1337-speak, as is the same for the number “9” for the letter “G.” The numbers on the end are a humorous reminder of the wide wibbly web I so adore, but it’s also extra protection, and that password is as obscure as it comes. The whole point of making your password complicated for yourself is that it makes it even worse for someone to track it, log it and use it if your PC is infected as they know nothing about you.

Secondly, Windows has this simply awful feature that hides the file extension (.JPG, .GIF, .EXE) of files with known extensions. What if the file is a .WMF file as we discussed above, but someone has named the file “Windows Vista.jpg?” The file name is “Windows Vista.JPG” but the real file extension, completely hidden to you is .WMF, so the real file name is “Windows Vista.JPG.WMF.” You open that file and you’ve got yourself a virus, worm, trojan or more. Sadly, all of this could have been avoided if you could see the real extension of the file. So let’s quickly turn that off by opening Windows Explorer and navigating to the “TOOLS >> FOLDER OPTIONS” menu. A new screen will be produced, as you can see here:


As you can see, by default, Windows enables this ghastly feature. Disable it by unchecking the box, and breathe easy, because now you can’t make a mistake in executing a virus masquerading as a real file.
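The following added example (not from the original guide) shows what the hidden-extension trick looks like in practice: it takes a list of file names, reports the ones that pair a harmless-looking extension with one of the risky extensions named in this guide, and shows what Explorer would display with the box checked and unchecked. The decoy list and sample file names are assumptions made for illustration; the example also reflects that Windows marks a few types, .PIF and .LNK among them, so their extension stays hidden even after the box is unchecked.

```python
from pathlib import PureWindowsPath

# Extensions the guide warns about (.WMF, .PIF, .VBS), plus .EXE.
RISKY = {".wmf", ".pif", ".vbs", ".exe"}
# Harmless-looking extensions used as a disguise (illustrative assumption).
DECOY = {".jpg", ".gif", ".txt", ".doc", ".mp3"}
# Types Windows flags so that Explorer never shows their extension,
# regardless of the Folder Options setting.
NEVER_SHOWN = {".pif", ".lnk"}


def displayed_name(filename, hide_known_extensions=True):
    """Return the name Explorer shows for a file.

    Assumes every extension in the sample is a registered ("known") type.
    """
    path = PureWindowsPath(filename)
    ext = path.suffix.lower()
    if ext and (hide_known_extensions or ext in NEVER_SHOWN):
        return path.stem          # final extension is dropped from the display
    return path.name


def audit(filenames, hide_known_extensions=True):
    """Report files whose real (final) extension is risky and disguised."""
    findings = []
    for name in filenames:
        path = PureWindowsPath(name)
        suffixes = [s.lower() for s in path.suffixes]
        if len(suffixes) < 2 or suffixes[-1] not in RISKY:
            continue
        if suffixes[-2] not in DECOY:
            continue
        shown = displayed_name(name, hide_known_extensions)
        findings.append({
            "file": path.name,
            "real_ext": suffixes[-1],
            "shown_as": shown,
            "ext_visible": shown == path.name,
        })
    return findings


# Constructed sample file names.
SAMPLE_FILES = [
    "Windows Vista.JPG.WMF",
    "holiday.gif.pif",
    "notes.txt",
    "setup.exe",
    "invoice.doc.vbs",
]

if __name__ == "__main__":
    for setting in (True, False):
        print(f"Hide extensions for known file types = {setting}")
        for item in audit(SAMPLE_FILES, hide_known_extensions=setting):
            flag = "visible" if item["ext_visible"] else "HIDDEN"
            print(f"  {item['shown_as']!r:28} really {item['real_ext']} ({flag})")
```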

Lastly, there are some programs that are explicitly bundled with spyware, and you should avoid them at all costs. Here is a list:
Kazaa, iMesh, Morpheus, eDonkey, BonziBuddy, Weatherbug, SpyFalcon, STOP Spyware Removal Tool, WinFixer, WinAntiVirus, WinAntiVirus Pro, Real Jukebox, Alexa, WebHancer, AudioGalaxy Satellite, OneMX, Freewire, eXeem, Internet Optimizer, WinTools, Grokster, Radlight, ErrorGuard, Starware News Toolbar, Italian Soccer, Zwinky, Zango Easy Messenger, SpyAxe and UnSpyPC.

Some of these aren’t just bundled with spyware, they are spyware, masquerading as real programs! If you run across any of them, don’t download or install them.

Verifying Our Results

Putting That HJT Log to Work!

Remember that log file from HiJackThis we saved earlier? It’s time to make sure your computer is clean as a whistle, with no little things left over in your computer’s startup that could potentially reinstall viruses or spyware, thereby foiling all of our hard work. Open the log, highlight all of the document’s contents, and go to EDIT >> COPY in any word-editing program (Office, Word or Notepad especially). Now, follow the instructions at THIS link to register an account at Short-Media if you haven’t already done so. Once you’re prompted to create a new thread by that guide, give it a very short but specific title, then paste the contents of your HJT log in the post box, describe your problem in a little more detail, and let one of our anti-malware experts walk you through any residual cleanup. More than likely, you’re going to get a clean bill of health!

After you’ve done that, stick around our forum for a while. We’re a friendly crew with a lot to offer someone at any level of expertise, as we ourselves vary wildly in our knowledge with computers. Soak up the atmosphere, grab a pint in our pub or skip straight to helping people with their newest issues. All we ask is that you give back as we’ve given to you!

Putting Everything Together

Our Kung-Fu is Strong… Their Style Weak

After all the work we’ve done, we’ve gone through at least six anti-spyware programs, five free virus scans, listed ten things to avoid or practice, outlined a very secure web client, a secure email client, suggested two great ways of getting a firewall, and listed some really great ways to further protect yourself while working inside Windows. The most important thing, above all things listed in this article, is that you actually practice the tips we’ve outlined. Without downloading the right programs and doing the right things, you’ll be back to square one in no time flat, and that’s just an unhappy scenario. Make these habits and programs a part of your everyday computing experience, and you’ll find that your rate of infection will drop, if not be entirely eliminated.

Permit me a moment to regale you with a small tale of a malware-free life! For a very long time, I ran with many earlier versions of the programs I’ve outlined in this guide, but I never seemed to attract any viruses or spyware no matter how many times I ran scans, and no matter how hard I tried to attract this malicious software for the sake of excitement. Even while using Internet Explorer, I made sure to keep it and Windows up to date, I followed the advice I listed in the “Ten Practices” section, and not in 10 years have I had anything more than a tracking cookie. That’s right! No viruses, no spyware, nothing but lowly cookies that I can do away with the click of a button. In the last two years I’ve taken to running no active virus or spyware protection at all to free up precious system resources; even though I have the programs on hand, and scan with them weekly, I always come up empty-handed, and that’s because I’ve made proper browsing, email and patching habits a part of my daily computing experience. You can quickly see how your actions dictate your infection above and beyond any tools you may have, and that is really the essence of this guide. While you can have all the tools in the universe at your disposal, you can keep your system under your control just by being wise about what you browse with, where you browse, and what you read email with. Discretion is key to a malware-free life, and I’m proud to be malware-free.

The malware industry is always changing, of course, and I’ll never completely do away with my anti-malware programs. I will continue to scan with them weekly until malware is rendered obsolete, or I’m six feet under, the latter being more probable. Protect yourself, and don’t explicitly rely on other programs to do it for you. Let them aid you when your vigilance has been thwarted! Remember that the Short-Media SVT Forum is always at your service, twenty-four hours a day, seven days a week, year ’round to provide you with complimentary cleanup services if things have gone south in a real hurry.

It’s a dangerous internet – stay safe.

by Robert Hallock


The author would like to thank Symantec, Earthlink, the NCSA, AusCERT, McAfee and eMarketer for generously publishing the conclusions of their malware and infection studies.
He would also like to thank Merijn, Lavasoft, SaferNetworking, Microsoft, Grisoft, Panda, Symantec, McAfee, Kaspersky, and SOFTWIN for providing excellent security tools free of charge.
Lastly, he would like to thank Pareto Logic and Webroot for making excellent products widely available and well-marketed, so people can have and know about the protection they need to stay safe.