Computer Virus Info

Off-Site Links

Overviews:
Security and Abuse
10 immutable laws

Anti-Spyware:
2-Spyware
Stop Badware
Malwarebytes (download)
PC Pit Stop
(top 25 spyware)
Rogue anti-spyware
Super AntiSpyware
(portable)
Test (2004-10)

Virus Checkers
AV Test (comparison)
Trend Micro
Avira
(boot)
AVG
(download,
linkscanner fix)
Avast
Clam AV
(ClamWin for Windows
Clam Sentinel,
ClamXav for Macs)
Comodo
EZ Armor
Kaspersky ($)
Nod32 $ (trial)
Norton ($)
(Removal tools 1,
Removal tools 2)
MicroWorld scanner
Virus Bulletin~

Firewalls
AuditMyPC firewall checker
Comodo
My-etrust
SmoothWall.org
Sygate
Zone Alarm

Rootkit Detectors
Sec Tools
Windows Ref.
Win Processes
CLSID/BHO list
Process Library
Startup List
Task List
Windows Startup

Virus info
BitDefender
removal tools
CyberCrime
DataFellows
F-Secure
MS
Symantec
V/bugs
V/db

Misc:
DNS Checker
Mike's HOSTS file
Nirsoft (password & network utils)
Panopticlick
Phishing sites
Port Scanner
View Passwords
What is that file

Avoid
Snopes
Truth or Fiction
Rapport Trusteer

Security Sites:
AntiPhishing
Attrition
Bugnet
BugTraq
CERT
CEXX
Computer Security Now
Counterpane
CVE cr.yp.to
Data Loss DB
DSL Reports
dsniff (network tools)
Government Security
The Hacker's Choice
IE holes
Insecure (tools)
Lance's Security
l0pht
Microsoft Technet
(malware portal)
milw0rm
NIPC
NTbugtraq
Offensive Computing
PacketStorm
PC Hubs
Phrack
Rootsecure
rootprompt
rootshell
SANS
Security Tools
SecuriTeam (blog)
SecurityFocus
SecurityPortal
Security-Protocols
SiteTruth (phishes)
SpyKing
Spyware investors
2600
Wilders security forums
Win95/98
W3
0-day initiative
Astalavista
Security Certs: CISSP
CISA
SANS GIAC

Top Tools:

RiseUp: email, VPN, chat, and document collaborating services
ComboFix: run in Safe Mode (start pressing F8 a few times before Windows boots; may have to be renamed for certain viruses)
Malwarebyte's Anti-Malware: run in Safe Mode (see above; for a few malware versions this may have to be renamed before installing; cnet displays tempting banner ads so look for the link that says "Download Now")
Microsoft Security Essentials: decent antivirus program (free); also: Avira (free for home use), Comodo (free for home or business), as is Avast (free for home); if you're buying then Nod32 is quite good; AVG's auditing is not so good)
Antivirus comparisons
If you're paying for a yearly subscription: don't upgrade until a week before the antivirus ends.

Recent Outbreaks:

Social and technical engineering of Amazon, Gmail, Apple, and Twitter; accounts accessed and data erased, brief case study
Fake “System Restore” virus: Removal Instructions
Rootkit.Win32.TDSS (aka Tidserv, TDSServ, Alureon); fix: Kaspersky's anti-rootkit
Ransomware is back, analysis of ransomware (Vundo, GpCode)
Many viruses are targeting Adobe Reader, instead try:
- Evince: a free and open source PDF reader
- Foxit Reader
MyDoom
- Symantec's fix
Cornficker, Downadup, Kido (botnet):
- Quick eye-chart: to see if you have Cornficker
- Bitdefender's fix
- F-Secure's fix
Virus Heat:
- Removal instructions
- also: Remove puresafetyhere: annoying taskbar icon
Botnets - how they work
- Invasion of the Computer Snatchers
Windows .WMF - Image viewing (trojan, worm):
- Affects .WMF and .JPG and potentially other media files; infection occurs from just viewing web sites or opening emails; affects computers running Windows. (SANS.org story, Washington Post)
- Fix 1: Ilfak Guilfanov's unofficial patch
  - wmffix_hexblog13.exe - Windows MetaFile (WMF) fix for Windows 2000, XP 32-bit, XP 64-bit, and Windows Server 2003
  - more at Hex blog and ISC.SANS.org
- Fix 2: Start Run regsvr32 /u shimgvw.dll
DRM Virus
- Notes on the removal difficulty
Zotob
- Symantec's removal tool
- Internet Storm Center's Handler's diary
About:Blank
- About Buster
- Instructions for Removal
- RegLite - Registry editor (freeware)
JPG Vulnerability
- GDI Scan - freeware to scan for vulnerable DLLs
Korgo
- Symantec: advisory, removal tool
- Microsoft: KB835732 Security Update
Sasser
- Microsoft: info on Sasser, patches
- Symantec: Sasser removal tool

Some pretty good programs to run on a regular basis:
(Note: The following are not a substitute for a virus checker.)

Spybot Search & Destroy - check for spyware
- Homepage
- After installing, click the "Search for updates" button to get the latest update
- (not to be confused with the similarly named worm)
Spyware Blaster & Spyware Guard - spyware blocker & real-time monitor

Blaster inoculates Internet Explorer, Guard prevents installation of spyware

Hijack This - check for hijackers
- Checks for programs that change your browser's homepage, and other nuisances
- Log file analyzers (you can copy and paste your HijackThis log into one of the following):
  - HijackThis.de
  - I Am Not a Geek
Cassandra: checks your software for security updates, including Secunia
ComboFix
Housecall - online check for viruses and spyware
Stinger (McAfee) - check for viruses
- check for the 40 or so most popular/recent viruses
KillBox: terminate and delete any running process and it's file
MS Defender spyware/adware blocker
Super AntiSpyware (?)
How to disable Windows 8 smartscreen: reports your program installations

iOS6

Cut down on targeted ads:
1. visit: oo.apple.com
2. select: OFF
3. click: Opt Out
Cut down on some ad tracking:
1. go to: Settings
2. click: General
3. click: About
4. scroll down and click: Advertising
5. choose: On (limit ad tracking)
Reduce monitoring of your location:
1. go to: Settings
2. click: Privacy
3. click: Location Services
4. select: OFF
5. note: this can interfere with GPS and other apps, use at your own discretion

Spyware Checkers, Hijackers, Parasites, Anti-Spyware, Adware, & Malware

Software:
1. Spyware Blaster
2. WinPatrol - anti-hijacker
3. Ad Aware (Lavasoft) - check for adware
  - After installing, click on the Globe/magnifying-glass icon in the upper-right, to get the latest web update
4. Bazooka - adware and spyware scanner
  - walks you through manual removal of problem programs
5. BHO Demon - checks your IE for Browser Helper Objects
6. RK Detector - root kit detector
7. Trinity Rescue Kit: Linux boot disk, to check Windows for problems
8. AIM Fix - virus removal tool for AIM
9. CCleaner: deletes temporary files and unused registry entries
Disabling:
- AutoRun - CD AutoRun in Windows
- Macromedia Flash privacy tracking
Documents and tips:
1. Microsoft tech's advice if you get hacked?
  - “The only way to clean a compromised system is to flatten and rebuild. That's right. If you have a system that has been completely compromised [rootkit or similar], the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications).”
2. DSL Reports' spyware tips, Security discussion
3. Enable privacy option by default in IE8
4. Expert's Exchange anti-malware list
5. Doxdesk's parasite removal tips
6. Counter Exploitation - info, tips, and hints; adware section
7. Browser Hijackers Ruin Lives - Wired article
8. Evidence For The Microsoft WinXP Pro Bugging Device
9. See a comparison chart of how much various antivirus and anti-spyware programs slow down your computer.

Spyware Lists and Tools:

SpyChecker.com
Spyware Warrior: testing & comparison guide
GlobalNet
Steve Gibson's Shields Up and Spyware checker
- Be sure to check: File Sharing, Common Ports, and All Service Ports
Trapware's Who's Watching Me?
Pest Patrol
CW SHredder

Adware & Anti-Adware, Malware

Ad Muncher - ad and popup blocker
Scumware.com

Home Router/Firewall:

PracticallyNetworked.com
Firewalls:
- Expert:
  1. Kerio Personal Firewall version 2.1.5 (AKA TPF) with BZ's rule set
    - FAQ
- Novice:
  1. Zone Alarm
  2. My-etrust (free for 1 year?)
  3. SmoothWall.org
  4. Sygate personal firewall, (download sites)

Hardware:

Configuring routers

Passive ethernet trap: to monitor for rootkits

Slashdot discussion (old) Tips:

Disable autorun:
- for CDs: or Annoyances.org or Engadget
- for USB: About.com
Minimizing Windows 2K & XP network services
MS on spyware; also: Enhanced Mitigation Experience Toolkit
Disable Malicious Software Reporting Tool (MRT) phone home: (scroll down to FAQ Q3)
Password recovery for XP & NT
PhishNet, Phishing IQ test
Preventing ssh dictionary attacks with denyhosts (unix variants)
Securing Windows XP
SpyLawg - spyware and the law
Security CD from Microsoft
Places that Viruses and Trojans hide on startup
Internet Cafe:
- SSH tunneling
- Metafilter tips
Securing against key loggers (keystroke monitors)
- On-screen keyboard use
- Metafilter tips
- Or use charmap in Windows
Windows XP:
- Bart's PE Builder - “...helps you build a BartPE (Bart Preinstalled Environment) bootable Windows CD-Rom or DVD from the original Windows XP or Windows Server 2003 installation/setup CD, very suitable for PC maintenance tasks.”
- Event ID 4226 Patcher
- Hardening WinXP
- Installing WinXP (slightly humorous)
- Running as limited user
- Running as Non Admin
- XP2 file sharing bug fix
- Problem with XP running extremely slowly?
  - Could be a problem with the 811493 (MS03-013) Package
- Lost password:
  1. Network users:
    - Contact your system administrator
  2. Personal computer:
    - Reboot the computer and before the operating system loads, press F8 every second or so
    - Choose Safe Mode from the menu, then press Enter
    - At the login screen, choose Administrator
    - Go to Start, and then Run
    - In the little text box, type:
      - control userpasswords2
    - Select the user whose password needs changing, then click Reset
    - In the New and Confirm boxes, type in the new_password, then click “OK”
    - Reboot the computer normally (Start, Shutdown, Restart)
  3. Alternate:
    - Reboot the computer and before the operating system loads, press F8 every second or so
    - Choose Safe Mode with command prompt from the menu, then press Enter
    - At the mostly blank screen with the black background, type:
      - net user user_name_to_be_changed *
        (Note: don't really type user_name_to_be_changed, instead type in the user name with the lost password, don't forget the space asterisk “*”)
      - Type in the new_password, then press Enter
      - Type in the new_password a second time, then press Enter
    - Reboot the computer normally (press and hold down the Control and Alt keys, then press the Delete key
Tips from Slashdot users on removing stubborn spyware and are for experienced users only. Use at your own risk.
1. Warning: some steps are risky and may cause damage to your system; most can be repaired by reinstalling. Always backup vital data before making big changes to your system.
2. Go through each Users directory in Documents and Settings
  - Delete the contents of the Cookies directory
  - Delete every directory in the Local Settings except Application Data.
3. Go to the Windows directory:
  - Delete the contents of: Downloaded Program Files, Prefetch, and Temp.
  - Pay very close attention to any DLL and EXE files in the Windows directory. With a few important exceptions, only malware places libraries and executables in the Windows directory. Generally, if you right click the file and choose Properties and it shows detailed copyright info for a legitimate company, the file is safe; if not, change the extension to .BAD and remember to change it back if your software has problems.
4. Go to the root directory and delete the contents of System Volume Information and Recycle folders.
  - This will clear out the majority of the places malware hides and code that reactivates on bootup.
5. Start Regedit PE and load the remote registry files including all user hives. It will launch regedit after they are loaded.
  - Remove all spyware keys in the Software subkeys
  - Remove the Autorun strings from Run, RunOnce, and RunOnceExec locations.
  - Do NOT close regedit when you're done or it will save the changes. While regedit is still running, run a complete system scan with Ad Aware. When adaware is done, close it then close regedit.
6. Run your virus checker of choice (e.g. Avast, AVG, McAfee, Symantec) to get trojans and viruses.
7. Run ChkDsk.
8. Reboot in Safe Mode No Network Support
  - Run LSPfix and remove any bad LSP entries (such as newdotnet)
    - Google suspicious entries, but be aware that deleting the wrong entry could destroy your network layer.
  - Run WinSockFix to repair WinSock.
  - To see what's running, run AutoRuns and perhaps ProcessExplorer, then research (Google) suspicious applications. Do not remove antivirus, antispyware, or firewall entries.
  - LogOut then LogIn as each User (don't just Switch Users) and run HijackThis in each User's account.
9. Reboot in Safe Mode With Networking:
  - Install, update, and run Spybot and AdAware.
  - Update any installed antivirus software, and run a final scan.
10. Reboot in Normal Mode
  - Run scans again to verify you don't have any persistent malware.
  - If the scans come up clean, your work is done; if not, remove them, reboot, scan again, and if they still come back, it's probably time to restore the machine to a pristine condition (i.e. install Windows from scratch).

Windows XP Startup & Services:: Update: These instructions are mostly no longer needed since the release of Service Pack 2.; Warning! The following is quite terse, and may or may not apply or be useful on your machine. Use at your own risk.

Startup: Go to Start » Run » msconfig - Use msconfig to remove all non-essential startup items
1. Go to the Services tab and check (√) "Hide All Microsoft Services"
2. Leave checked everything related to your antivirus and firewall (e.g. McAfee, Norton, Symantec, and such)
3. Uncheck any unnecessary services.
  - (How can you tell what's necessary and what's unnecessary? That's what we're trying to find out.)
4. If some software or hardware doesn't work properly after doing the above, revisit start»run»msconfig and uncheckmark items associated with the particular software/hardware.
5. Repeat steps 3 & 4 above under the Startup tab.
Services: Go to Start » Run » services.msc and disable a few (1-5) unnecessary items at a time, then test your computer for a while. Disabling a few at a time makes tracking down problems much easier. Some commonly unnecessary services:
1. Alerter - Announces administrative alerts to network users
2. Automatic Updates - Instead visit windowsupdate.microsoft.com on a regular basis for any updates
3. ClipBook - Used to share clipboard info (cut/copy/paste) with other PCs
4. COM+ Event System (MANUAL?) - Few apps use COM+, put on manual and it'll start if needed
5. COM+ System Application (MANUAL?) - See above
6. Computer Browser - List to share files on a network
7. Distributed Link Tracking - Maintains NTFS file links on your PC or domain
8. Distributed Transaction Coordinator - Multiple resource transactions (e.g. databases)
9. Error Reporting Service - Alerts Microsoft when software fails
10. Fax Service - Send/receive faxes
11. FTP Publishing Service - runs the FTP Server
12. Help and Suport - This will re-activate if you access Start/Help or press F1
13. Human Interface Device Access (AUTOMATIC?)- Set to AUTO if peripherals have problems
14. IIS Admin - Local web server or FTP
15. Indexing Service - Makes searches quicker, but makes PC slower when not searching
16. IPSEC Services - Leave on AUTO if you like security
17. Logical Disk Manager - Only required for Disk Management MMC dynamic volume console
18. Logical Disk Manager Administrative Service - See above
19. Messenger - Send messages between network clients and servers
20. MS Software Shadow Copy Provider - Used with Volume Shadow Copy Service
21. Net Login - Used to login to a Domain Controller on a network
22. NetMeeting Remote Desktop Sharing - Shares your desktop with others (yikes!)
23. Network DDE - Facilitates Clipbook (see above) sharing
24. Network DDE DSDM - See above.
25. NT LM Security Suport Provider - Used for Message Queueing or Telnet server
26. Performance Logs and Alerts - Maintains performance info and logs
27. Portable Media Serial Number - Maintains serial numbers of music players; may not be required
28. QoS RSVP - Does some monitoring of network usage
29. Remote Access Auto Connection Manager (MANUAL?) - Creates an internet connection for some apps, put on MANUAL for dial-up
30. Remote Access Connection Manager (MANUAL?) - See above
31. Remote Desktop Help Session Manager - Lets others control your computer (yikes!)
32. Remote Procedure Call (RPC) Locator - Logs RPCs
33. Remote Registry Service - Lets others edit your Registry (yikes!)
34. Routing and Remote Access - LANs and WANs
35. Secondary Logon - Old method for logging in
36. Security Accounts Manager - Stores security info (yikes?)
37. Server - Share files, printers, etc.
38. Shell Hardware Detection - For most memory cards
39. Smart Card - For Smart Cards
40. Smart Card Helper - See above.
41. SSDP Discovery Service - UPnP device finder (yikes!)
42. System Event Notification - Used with COM+ (see above), for power on/off or log on/offs; probably not required.
43. Task Scheduler - Runs scheduled events, probably not required
44. TCP/IP NetBIOS Helper Service - Only required if you use NetBIOS
45. Telephony - For dial-up
46. Telnet - Lets others use your computer (yikes!)
47. Terminal Services - Allows multiple users to connect this or other machines (yikes?)
48. Uninterruptible Power Supply - Useful if you have a UPS
49. Upload Manager - Old file transfer manager
50. Volume Shadow Copy - MS-Backup utility
51. Software Shadow Copy Provider Service - See MS Software Shadow above.
52. Webclient - Edit internet files on another server
53. Windows Time - Gets correct time from network
54. Wireless Zero Configuration - For wireless devices
55. WMI Performance Adapter - Logs HiPerf performance info
Some XP and 2K privacy, services, and security resources:
- Aumha (XP MS links)
- Security Policy - Security Options:
- Markus Jansson's privacy and securing tips
- XP Antispy - disables some privacy-related settings
- Black Viper's services list (alternate link)
- Z123 services list

Older Trojans, Virus, & Worm Outbreaks
:: Mostly Microsoft-specific Outbreaks ::