|
 Let's try and keep this about security, etc. If you need help, please start a new thread Since Alereon and I pretty much say the same thing in every thread about malware/virus infections, I decided to supplement the sticky FAQ with a quick rundown on what to do when you have an infection (or what to do to prevent them). shsc.info has some useful information as well. SpywareFAQ and Useful Windows Software. There's also the main SH/SC Windows and Windows Software Megathread --I don't already have an infection--  Congratulations on remaining virus free so far. Read this anyway  [Relevant to A/V scanning] Useful Utilities I'm a huge fan of CCleaner (formally known as Crap Cleaner) when it comes to clearing up temp garbage, etc. By default it nukes browser cookies, session, and history so watch out (you can uncheck those). I happen to like my logins and history thankyouverymuch. For a more comprehensive list, check out the shsc.info FAQ Useful Windows Software. Single File Scanning I gave this its own section so it would be highlighted. Virus Total lets you upload single files and scans them against 40-something scanners. Great if you're questioning an attachment from someone, etc. Antivirus Protection Antivirus is rather critical for proper system health and should be used proactively rather than in reaction to an infection. Microsoft's offering is now considered the baseline for AV-Comparatives, and as such doesn't have a direct grade anymore. The tides have slowly been changing and Microsoft isn't the star player that it once was. OSI bean dip has started up a new thread that goes over the details for A/V. Malware Protection It's important to note that you shouldn't have more than one "on-access" scanner because it'll cause all sorts of headaches. When shopping around for anti-malware be sure to make sure it's only "on-demand" (ie when you want it). I prefer MalwareBytes Antimalware, but others have varying opinions. Operation System Info If you're running XP, get Windows 7, preferably 64-bit if supported. There are so many opportunites for inexpensive licenses that it's stupid not to get it. If you're a student, go to https://www.win741.com for an academic copy of Win7 Pro for $40. Some campuses even have free access (I know I did in the UofO Business School). If you're on Vista, I'd still suggest considering a license to Win7. It's more secure, feels snappier, and it has some nifty little additions. System Patching Run your Windows Updates, people. Also be sure it's checking for "additional updates" via Microsoft Update. For XP: Upgrade to Win7. Seriously. If you're stubborn, then you can active Microsoft Update by going to http://update.microsoft.com/ and installing Microsoft Update. Then order Windows 7 For Vista/Win7:  Application Patching aka USE Secunia PSI A ton of viruses come via exploits in Java and Adobe products (Flash, Reader, Shockwave, etc). Don't ignore these updates! It might be worth looking into alternative software (addressed later) for Reader. Start with removing all versions of Java and Adobe Flash via Add/Remove Programs. Then get the latest versions here (watch out for the McAfee bundle checkbox): Oracle Java Adobe Flash Adobe Reader To help with keeping this software up to date, the best way is via a super awesome program by Secunia. It's called Secunia PSI and scans your system for unpatched software. In many cases it will actually update them automagically too! It makes it rather idiot proof otherwise. They have an online Java-based one called Secunia OSI if you don't want to install anything; you lose all the auto-update awesomeness though. Browser Safety Upgrade Internet Explorer!: IE9 is no longer the awful browser from the IE6/IE7 days, but most people don't really use it anymore. If you're using IE6, you should probably question why you're allowed near a computer. If you're on 7 or 8, upgrade to 9. Adblock Plus Ad-blocking software: Adblock Plus is installable on Chrome and Firefox quite easily, Opera also has it and I'm sure IE9 has an equivalent. Web of Trust: If you're often just mashing the mouse on the first Google result for "free wallpapers", WoT is good for you. It's a linkscanner that (based on community feedback) determines the reputation of a website. Alternate Software Adobe Reader -> Foxit Reader Foxit Reader has an annoying flaw right now in its latest version but it'll only affect you if you print multiple pages on one page. Otherwise it's lightweight and doesn't have as many issues as Adobe Reader (I'm guessing mostly because they aren't as large a target to code for) --Generally Good Ideas(tm)-- Backing up important files: Be sure to keep regular backups that are NOT connected to your system. Dropbox is all well and good, but if a virus corrupts your files and they sync to Dropbox, you're still hosed. Lots of viruses now (especially ransomware) will delete your shadow copies and disable system restore. If the files are particularly sensitive, you may benefit from a burned DVD, designated thumb drive, or an external HDD. You can always encrypt your files and toss them up into Google Drive, OneDrive, Dropbox, etc. Just remember my note above about auto-sync. Don't open attachments you aren't expecting: A still all-to-common attack vector for viruses is via attachments. If you're not expecting a photo from Aunt Judy, ask her about it. This doesn't guarantee that it's not a virus, but it's still a good idea. Don't propagate Facebook spam: My flatmate did this yesterday. The site forces you to "Share" the video before you can watch it. The video's title was something stupid like "YOU'LL NEVER WANT TO USE SHAMPOO AFTER YOU SEE THIS (VIDEO)". If you see a friend post something like this, message them and give em a head's up that they're an idiot. Keep your Facebook apps list clean: Did you have to log in via FB for a contest 2 years ago? It's very possible that they're still leeching off you. Here's how you can clean up your list. 1. Go to the Facebook Privacy Center's App Settings tab (link) 2. Remove any apps that you recognize and no longer use/want. 3. Go through the rest one-by-one if you're not sure what they are. Check out their Facebook page, Google Search them, anything that will help you determine if you still need them connected. 4. With the remaining apps, you can still control their ability to post, set special privacy settings, etc. Just hit the pencil icon located with each app. ryanbruce fucked around with this message at 09:10 on Jun 2, 2015 |
#
?
Nov 13, 2011 23:35
|
|
|
|
| # ? Apr 25, 2024 20:37 |
|
|
--I have an infection--  Read the above and then do the following since it's basically what we'll have you try first anyway. Modnote: Check out the new Windows Defender Offline scanner, which is bootable and runs from a CD, DVD, or USB drive. Since it runs before Windows, it can remove rootkits and infections without lots of troublesome pre-cleaning steps.
If you're unsure if the bug's gone, update your (aka not here) thread with the results from the MSE and MalwareBytes scans. Want to be even more thorough?
ryanbruce fucked around with this message at 20:29 on Apr 15, 2012 |
|
#
?
Nov 13, 2011 23:37
|
|
|
It's probably a good idea to use an interactive firewall as well. I've found that the ESET Smart Security one is pretty good and it comes with an Antivirus that doesn't break my system. Having used Kaspersky, McAfee, Norton and BitDefender paid versions in the past 3 years on various computers I've come to the conclusion that the ESET one works best in my case with Kaspersky being on the top of my poo poo list.
|
|
#
?
Nov 15, 2011 03:14
|
|
|
Hendrik posted:It's probably a good idea to use an interactive firewall as well. I've found that the ESET Smart Security one is pretty good and it comes with an Antivirus that doesn't break my system. Having used Kaspersky, McAfee, Norton and BitDefender paid versions in the past 3 years on various computers I've come to the conclusion that the ESET one works best in my case with Kaspersky being on the top of my poo poo list.
|
|
#
?
Nov 15, 2011 06:34
|
|
|
Alereon posted:This is a pretty poor choice. While ESET may not be as bad as the others you're still paying money ($60 a year!) to slow down your system and network connection, and open yourself up to system problems and network connectivity issues with programs. There's really no justification for adding an additional firewall to your average system which has both the Windows Firewall and a router doing NAT. Have anything to add to the OP? I just gave it another skimming and noticed I had a typo on a URL, figured I'd see if you had any suggestions too.
|
|
#
?
Nov 15, 2011 09:47
|
|
|
You've done a great job, I was thinking of making a thread like this but never got around to it. Under the "Operating System Info" section, I'd stress upgrading to Windows 7 64-bit, as the 32-bit version doesn't support the same security features (like ASLR). You might also link to this site here, which has links to download Windows 7 ISOs from Microsoft, which is helpful for letting people move their crappy OEM Windows 7 32-bit installations to 64-bit. Making Secunia PSI a bit more prominent (like renaming the bold section "Use Secunia PSI to update applications" might be helpful. You could also link the pdf.js Firefox extension that allows PDF viewing without any add-ons, through JavaScript in the browser. It's still an early alpha and I've seen some rendering errors (mostly occasional blank pages) so it's not ready as an Acrobat Reader replacement yet, but people might want to check it out and/or keep an eye on it. After this has baked for awhile you might want to simplify it down for someone who knows almost nothing about computers and cross-post to GBS, and maybe get Badvertising to put it in the QCS FAQ or a sticky thread, since people post there about lovely ads giving them malware a lot.
|
|
#
?
Nov 17, 2011 02:57
|
|
|
If you are using Windows 7, it's wise to use a standard user account for your everyday computer activities. Not only will this thwart most spyware installs, it makes it very easy to clean the ones you still manage to get. A significant amount of spyware will infect only the current user's startup entries; so you can just reboot, disconnect from the internet, and switch to the admin account and start cleaning. You could probably clean 7/10 infections by using these 2 tools and the delete button (using an unaffected admin account): http://live.sysinternals.com/autoruns.exe http://live.sysinternals.com/procexp.exe Root kits and other more nasty stuff just reformat and restore a clean backup. (you are backing up right?  )It's potentially faster and always a 100% guaranteed removal.
|
|
#
?
Nov 22, 2011 10:37
|
|
|
tjl posted:Root kits and other more nasty stuff just reformat and restore a clean backup. (you are backing up right?  Hey now! Root kits arent so bad. Just run this:http://www.bleepingcomputer.com/download/anti-virus/rkill then this. http://support.kaspersky.com/faq/?qid=208283363 Then reboot, after startup run MalwareBytes to take care of the minor infections the TDSS seeded the drive with. If the infection persists, run this: http://www.bleepingcomputer.com/download/anti-virus/combofix Done deal.
|
|
#
?
Nov 22, 2011 21:29
|
|
|
Added rkill and TDSSKiller to the thread, but I won't include Combofix because it has a higher risk of system damage (and therefore should be used only after being recommended in the thread)
|
|
#
?
Nov 22, 2011 23:07
|
|
|
ryanbruce posted:Added rkill and TDSSKiller to the thread, but I won't include Combofix because it has a higher risk of system damage (and therefore should be used only after being recommended in the thread) TDSSKiller has saved me hundreds of hours on tickets and has become a pretty essential tool in my kit. Ive noticed a huge swell of nasty variants over the last month and a half, actual Boot sector / network proliferation type stuff, TDSSKiller takes about 45 seconds to run and has nailed all but one of them (out of about 80 workstations and servers that's a drat good result) Ive only had to fall back on combofix once recently, and it was for sound not working on internet flash based videos. We tried every drat thing and we couldn't reload due to sensitive data and installed software (and no media for the software and lost licenses), after spending 12 hours on various sound card / flash / windows / anything else we could find fixes we submitted a ticket with microsoft. 7 hours in they didnt have anything either. In the end I just ran combofix for fun and it found an infection latched on to one of the flash audio / video management dlls that was recording all sorts of juicy personal information but gave no other hint of it being there (other than the missing sound). TLDR, Combofix may occasionally throw some collateral damage out there but it is blisteringly effective at what it does, a great last resort.
|
|
#
?
Nov 23, 2011 04:59
|
|
|
While TDSSKiller definitely helps, I've always had to run Combofix afterwards to get rid of lingering poo poo that came back every reboot. I didn't try RKill though, maybe that plus TDSSKiller would be effective. I generally don't worry too much about system damage from Combofix, as once a system is thoroughly infected I assume there's a possibility that Windows will be damaged beyond repair, either via the infection or cleaning, and that thoroughly cleaning is the priority.
|
|
#
?
Nov 23, 2011 05:20
|
|
|
Just want to say thanks for all the information in this thread guys, it helped me clean my system pretty quickly. [edit] Also requesting this thread be put in the third post of the FAQ.
|
|
#
?
Dec 13, 2011 01:20
|
|
|
Ted Ed Fred posted:Just want to say thanks for all the information in this thread guys, it helped me clean my system pretty quickly. I never posted in here but this fixed my problems once I figured out what I was doing. Many thanks to ryanbruce for being knowledgeable and friendly.
|
|
#
?
Dec 13, 2011 01:58
|
|
|
Good thread. I hadn't heard of Secunia PSI so I installed that and it told me my Silverlight 4 was at end of life. Apparently Silverlight 5 won't install onto Vista x64. I was recently hit with a bad virus (I believe by clicking on an image through a Google image search) that made it past my Webroot software easily. So I'm trying to lock down my PC as much as possible now. I'm only going to go on Green WOT links from now on. Two things I've done that haven't been mentioned are using NoScript 2.2.3 add-on for Firefox https://addons.mozilla.org/en-US/firefox/addon/noscript/ and running Internet applications through Sandboxie http://www.sandboxie.com/ Luckily I have no need for Java right now so I'm not even going to install it.
|
|
#
?
Dec 15, 2011 06:47
|
|
|
RKill doesn't actually delete anything, it only kills the processes (and redoes .exe file associations I believe) so that you can run an actual cleanup/removal tool. If something keeps coming back every reboot, rkill isn't going to get rid of it. e: My method for computers that come into my shop for repair is RKill -> TDSSKiller -> ComboFix -> Malwarebyes -> SuperAntiSpyware -> Microsoft Security Essentials Pretty much a guaranteed fix. A few of them aren't necessary but it makes sure there's nothing still lingering around. Also some of the new viruses are moving all your desktop and start menu shortcuts into a temporary folder so it makes it look like they are gone. You have to be careful running disk cleanup, ccleaner, or anything that clears the temp folders or else it may delete all of your start menu shortcuts and items on your desktop. Maniaman fucked around with this message at 15:46 on Dec 29, 2011 |
|
#
?
Dec 29, 2011 15:43
|
|
|
Okay, new issue on a different computer. How do I get rid of AVG Linkscanner? Edit: I have uninstalled it 4 times, upon reboot it reinstalls itself. I have seen AVG referred to as "virus software that is worse than a virus." Rhyno fucked around with this message at 23:13 on Dec 31, 2011 |
|
#
?
Dec 31, 2011 01:43
|
|
|
Just want to thank the op for an informative and in depth post. Caught the antivirus 2012 virus a few days ago and thought i had rid myself of it until it reared it's ugly head yesterday. After performing all the steps in the op i believe (knock on wood) that i have rid myself of it. Thanks again.
|
|
#
?
Jan 8, 2012 19:13
|
|
|
I picked up a trojan just by surfing and followed all of the directions in this thread and now Microsoft Security Essentials tells me everything is good BUT all my photos and music are gone. Are they gone forever? This is the trojan I got. I was surfing with Firefox and did a google image search for a bicycle I wanted to look at, clicked on the link and blam! http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Trojan%3aWin32%2fFakeSysdef&threatid=2147639286
|
|
#
?
Jan 18, 2012 16:36
|
|
|
jet sanchEz posted:I picked up a trojan just by surfing and followed all of the directions in this thread and now Microsoft Security Essentials tells me everything is good BUT all my photos and music are gone. Are they gone forever? It usually just hides all the .mp3 and .jpg, etc extensions and rarely actually deletes them. Enable hidden files and folders and you should be fine. If you have any questions or followups, please create a new thread. I'm trying to keep this thread security related 
|
|
#
?
Jan 18, 2012 21:02
|
|
|
Following the instructions after a little virus scare. So far everything looks good but tdsskiller is telling me about a possible threat: Locked File Service: sptd suspicious object, medium risk Googling tells me it's possibly related to daemon tools, but at the same time a lot of initial google searches about the service tell me that deleting it causes it problems. Also no one says to outright remove the service for any good reason. So before I go ahead and trash it, what can anyone tell me about it?
|
|
#
?
Feb 12, 2012 04:51
|
|
|
I agree with most of what is said here. MSE, Malwarebytes, Super-AntiSpyware, RKill, CCleaner and Combofix. Although, I would like to add one thing. For the RARE occasion that they all fail, a boot time scan with AVAST has worked in the past for me a few times. Generally, using the aforementioned tools will give you control of your desktop (At least to the point where you can uninstall and install programs). Also, don't forget about a good old System Restore. I am sure that there are more tools that I have thrown at stuff, but if all of these have failed, I generally pull the data and recommend a fresh install.
|
|
#
?
Feb 19, 2012 15:36
|
|
|
Any suggestions for Mac users? I just noticed a suspicious "disabled" add-on in my Firefox that has no remove button, doesn't appear to do anything, and who's file I can't seem to find, even after finding it's ID through the Troubleshooting Information screen. I'm not happy about, it and whatever it is I want it dead. But after that, I want to batten down the hatches on this tinderbox I'm riding through the internet so I know it's safe. So I'd appreciate any tips on that for the future.
|
|
#
?
Feb 29, 2012 02:28
|
|
|
ryanbruce posted:Oracle Java You missed a 't' out in the 'http'. The adblock I've used for Opera (if you'd like to link it) is located here and it has been great. The SHSC.info seems to be dead. I noticed the big FAQ linked here often but no links were alive.
|
|
#
?
Mar 28, 2012 22:52
|
|
|
Fixed/added those links. SHSC.info was transferred to someone else a while back, I hope they didn't kill it too 
|
|
#
?
Mar 29, 2012 00:27
|
|
|
Are you sure about MSE? I know little about this, but Avira seems to consistently outperform it in testing.
|
|
#
?
Apr 4, 2012 05:06
|
|
|
Maha posted:Are you sure about MSE? I know little about this, but Avira seems to consistently outperform it in testing.
|
|
#
?
Apr 8, 2012 08:45
|
|
|
I don't know if you want to add this to the OP, but Microsoft has an offline malware/rootkit scanner that has received a lot of praise around here, Windows Defender Offline. http://windows.microsoft.com/en-US/windows/what-is-windows-defender-offline
|
|
#
?
Apr 11, 2012 22:00
|
|
|
Belle Isle Tech posted:I don't know if you want to add this to the OP, but Microsoft has an offline malware/rootkit scanner that has received a lot of praise around here, Windows Defender Offline.
|
|
#
?
Apr 12, 2012 02:38
|
|
|
Alereon posted:Thanks, that's pretty cool! I added it to the second post since it's for use after you're infected, rather than as prevention. I..I.. feel so violated.
|
|
#
?
Apr 12, 2012 05:31
|
|
|
ryanbruce posted:I..I.. feel so violated. Feel free to integrate it however you want in your post, I just wanted to get it in there without delay.
|
|
#
?
Apr 13, 2012 01:38
|
|
|
Just kidding anyway
|
|
#
?
Apr 13, 2012 01:49
|
|
|
Edit: After playing around and trying various uninstall and reboot solutions it turns out that simply running CCleaner again solved the issue with websites now displaying properly. Hopefully this will be useful for people following your helpful advice in the future and have this problem. Thanks. I'm actually annoyed at the simplicity of the solution because of the complex solutions offered on some forums like renaming Firefox user profiles. ------------------------------------------------------------------------------------------------------- Very useful information, greatly appreciated. I'm in the process of following this advice and I've got as far as installing CCleaner and MalwareBytes. I ran CCleaner and after I did this Firefox has stopped working properly. It displays webpages like Wikipedia, Facebook and these forums in very basic looking text and doesn't load pictures or video. I tried using internet explorer, which I haven't used in a long time, and that seems fine despite also being part of the CC clean up. I have Googled this and tried going to view > page style in Firefox and the basic page style option is selected. I've also uninstalled then reinstalled Firefox but the problem persists. I'm running windows 7 64bit and have not made any changes other than installing and running ccleaner just now so it must be that. I have seen other people on Google having the same problem but all the advice is over my head and covers going into windows directory etc. Are you aware of this issue and is there a solution? I only use Firefox and it has all my bookmarks etc so I wouldn't want to lose those or stop using it. If you think it's worth making a separate thread I will however it's specifically about your advice so I thought it best to post here. Final Cause fucked around with this message at 19:43 on Apr 15, 2012 |
|
#
?
Apr 15, 2012 19:10
|
|
|
Alereon posted:You might also link to this site here I'm confused - do both sections of that page have the Windows 7 ISO with SP1 integrated? Both headings (Download Windows 7 ISO with SP1/Download Windows 7 SP1 Integrated ISO) suggest to me they're both linking to integrated ISOs, but if that was the case surely they'd not list two sections?
|
|
#
?
Apr 22, 2012 23:57
|
|
|
WattsvilleBlues posted:I'm confused - do both sections of that page have the Windows 7 ISO with SP1 integrated? Both headings (Download Windows 7 ISO with SP1/Download Windows 7 SP1 Integrated ISO) suggest to me they're both linking to integrated ISOs, but if that was the case surely they'd not list two sections? One batch is from Softpedia, one batch is from Digital Underground.
|
|
#
?
Apr 23, 2012 20:28
|
|
|
ryanbruce posted:One batch is from Softpedia, one batch is from Digital Underground. Ah right, so they're identical ISOs for each product edition from either source?
|
|
#
?
Apr 23, 2012 21:08
|
|
|
For keeping things like flash and java up to date, making a customer updater using the free http://ninite.com/ program is pretty useful. Not sure how it's viewed by the SA community but i've heard nothing bad about it, and it works great for quicking updating a fresh install or a one button update for applications.
|
|
#
?
Apr 23, 2012 22:08
|
|
|
Iringahn posted:For keeping things like flash and java up to date, making a customer updater using the free http://ninite.com/ program is pretty useful. Not sure how it's viewed by the SA community but i've heard nothing bad about it, and it works great for quicking updating a fresh install or a one button update for applications.
|
|
#
?
Apr 24, 2012 01:23
|
|
|
How does one become infected with malware? I know the standard "don't click on shady links" bit but there are other ways to catch poo poo, no? I remember a long time ago I left Internet Explorer (pre-2005) on a random page while I slept overnight, and woke up to a ton of adware/malware crap on my computer. Can you get infected just by being on a webpage with a malicious ad?
|
|
#
?
Jul 4, 2012 16:12
|
|
|
Yes, ads have malware embedded into them, so if you browse a page and you're using Internet Explorer or one of your plug-ins isn't updated (especially Flash or Reader) it'll instantly infect your machine. That's why the most important part of keeping your machine secure is keeping it updated.
|
|
#
?
Jul 4, 2012 17:43
|
|
|
|
| # ? Apr 25, 2024 20:37 |
|
|
Is MSE still the recommended AV package? In the most recent AV Comparatives test (http://www.av-comparatives.org/images/stories/test/ondret/avc_fd_mar2012_intl_en.pdf) it came bottom for detection rates
|
|
#
?
Jul 5, 2012 15:11
|
|
