Troubleshooting Q&A - February 19, 2004
Dealing with Sneaky, Slimy Malware
There are all sorts of less than scrupulous downloads and sites that covertly install malevolent code onto your system. In this week's Q&A, learn how to avoid malware malaise by protecting yourself from the threat of insidious, often invisible adware and spyware.
By Ron Pacchiano and Forrest Stroud
Q. I have no idea how it happened, but for some reason my web browser now defaults to a strange search engine that I’ve never seen before (blazefind.com). I don’t recall making the change myself, and I can’t imagine why it would have happened. It’s also had a tendency to mess up the auto-complete part of my address bar, making it a pain to enter in addresses.
Worse, I can’t seem to get rid of whatever’s causing these problems or find a way to return to the default search engine. As a matter of fact, I can’t even get to MSN anymore. Do you have any ideas why this might be happening and how I can go about restoring everything to the way it was before?
A. Unfortunately, I do have a pretty good idea how this may have happened. However, I’m not sure if you’re going to be able to easily correct it. My brother recently had a very similar problem to yours. I spent a few hours diagnosing his system and discovered that his PC had somehow become infected with the TROJEN.DIGITS virus.
According to the information on Symantec’s SecurityResponse web site, when the TROJEN.DIGITS virus is executed, it creates the file Excel10.dll and registers it as a Browser Helper Object, which means that the component is loaded into Internet Explorer and receives information about all the actions taken inside the browser. It also modifies the HOSTS file to point a number of well-known host names at web sites specified by the Trojan’s creator. In addition, it deletes a bunch of files from your system and makes extensive changes to your registry.
My guess is that the virus was likely inadvertently downloaded to the machine via a piece of freeware or shareware. A word of advice — you should be very careful about what software you install on your system. Be sure to carefully read the EULA (end user license agreement) for any piece of shareware or file sharing package (such as KaZaA). These types of applications are often littered with adware and spyware programs that insidiously install themselves on your machine. How do you think these freeware/shareware utilities get the funding needed to allow you to use them for free or next to nothing?
Making matters worse, some sites will even automatically download components onto your system if you’re not careful (like modem dialers, browser plug-ins, search bars, etc.). Adware.IGetNet, Adware.MainSearch, Adware.Winshow, Adware.ILookup, Adware.AdultLinks, and Adware.SearchCounter are just a few of the many examples that you may have the misfortune of coming across. This index page from Symantec will give you an idea of just how many of these malware programs are out there — it lists over a hundred more adware viruses alone.
Before moving on, I'll stress one more time the importance of reviewing the entire EULA for all software you download, as the fine print is the only thing keeping such malware legal (of course, just how ethical these programs are is an entirely different matter).
Diagnosing and Removing the Problem
Back to the problem at hand — Norton indicated that the virus on my brother’s computer should have been easy to remove. Well, they were wrong – very wrong. I literally spent hours removing the infected files from the system and cleaning out the Windows Registry. Just when I thought I had removed every possible component of the virus from the system, it resurfaced. This happened at least three times. It finally got to the point where I had no other option but to erase the hard drive and reinstall the operating system.
Now I don’t know if you have the exact same virus I had (again, there are many, many varieties out there), but I think it’s safe to say that you’re definitely suffering from malware malaise. I recommend you first get your hands on a good anti-virus package, which will hopefully be able to find, identify, and remove the virus from your PC, or at very least, diagnose and point you in the right direction on the long and frustrating path of cleaning your system and getting it back to “normal.”
If, however, you’re in need of a more immediate solution, I would suggest checking out Symantec’s Online Security Check site. On this site you’ll find tools that are capable of detecting your PC’s vulnerability to external attacks and, more importantly, can even scan your system for viruses and Trojan horses. Once Norton identifies your virus, it will hopefully be able to remove it for you.
However, because viruses like these often make modifications to key system files like the Windows HOSTS file, they often can’t just be automatically removed. Instead, the files will need to be edited and/or restored manually. In these situations, Norton’s online Virus Encyclopedia can give you a complete profile on the virus that infected your system, including detailed information on what changes it made and how to go about removing it. Hopefully, you’ll have better luck than I did.
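To make the HOSTS file check concrete, here is an added example (not from the column or from Symantec) that parses a Windows HOSTS file, flags mappings of well-known names to non-loopback addresses as the kind of redirection described above, and produces a cleaned copy. The sample file content, the watched domain list and the addresses are constructed for illustration.

```python
# Added example: audit a Windows HOSTS file for hijack-style redirections.
# On Windows the file lives at %SystemRoot%\System32\drivers\etc\hosts.
import ipaddress
from dataclasses import dataclass

# Constructed sample content; a clean home PC normally maps only localhost.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
192.0.2.10      www.msn.com msn.com        # constructed: bogus redirect
192.0.2.10      search.msn.com
192.0.2.11      securityresponse.symantec.com
10.0.0.5        intranet.example            # constructed: may be legitimate
"""

LOOPBACK = {"127.0.0.1", "::1"}
# Domains whose redirection matches the symptoms in the column (constructed list).
WATCHED = ("msn.com", "symantec.com", "google.com")

@dataclass
class Finding:
    lineno: int
    address: str
    name: str
    severity: str   # "hijack" (watched domain) or "review" (anything else)

def parse_hosts(text):
    """Yield (lineno, address, [names]) for each mapping line; skip comments/blanks."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # strip trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ipaddress.ip_address(parts[0])       # first token must be an IP
        except ValueError:
            continue                             # malformed line, not a mapping
        yield lineno, parts[0], parts[1:]

def audit_hosts(text):
    """Return a Finding for every name that is not the normal localhost entry."""
    findings = []
    for lineno, addr, names in parse_hosts(text):
        for name in names:
            lname = name.lower()
            if lname == "localhost" and addr in LOOPBACK:
                continue
            watched = any(lname == w or lname.endswith("." + w) for w in WATCHED)
            findings.append(Finding(lineno, addr, name, "hijack" if watched else "review"))
    return findings

def cleaned_hosts(text):
    """Drop lines flagged as hijacks; keep 'review' lines for a human to decide."""
    bad = {f.lineno for f in audit_hosts(text) if f.severity == "hijack"}
    kept = [l for i, l in enumerate(text.splitlines(), 1) if i not in bad]
    return "\n".join(kept) + "\n"
```

Lines flagged as "review" are deliberately left in place, since a corporate or intranet mapping is not evidence of infection on its own.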
Something else I should point out — when I had previously scanned my brother’s PC in search of the virus, it had reported multiple times that the system was virus free. However, when I started the computer in Safe Mode and rescanned it, it found four (4) copies of the offending virus. Bottom-line, don’t make just one pass and assume that everything is OK if it doesn’t find anything. Perform at least one scan in Safe Mode to be sure.
Installing Safeguards to Prevent Future Infestations
Once you get the system repaired I would recommend taking the time to install some safeguards to minimize the chances of this happening to you again. For starters, always make sure that your anti-virus definitions are up to date. This is one of the easiest and most important things you can do to protect your PC.
I would also recommend installing a personal firewall on your system. Firewalls will alert you to both the inbound and outbound activity on your network and will also allow you to control exactly what type of traffic is allowed to pass through to your machine. Many firewalls offer very detailed logs that record and warn you of any suspicious activity. Keep an eye out for any programs you do not recognize trying to send data out of your system to the internet. ZoneAlarm is a great firewall and is offered in a free version.
A good adware and spyware scanner would be valuable in this situation as well. One of the best programs I’ve come across in the last few years for dealing with these types of threats comes from LavaSoft and is appropriately named Ad-Aware. Ad-Aware performs a comprehensive scan of your memory, registry, and hard drive looking for known data mining, aggressive advertising, and tracking components. It’s a small download, is very simple to use, and best of all, is completely free. You can download it at http://www.lavasoftusa.com/support/download/.
Another good spyware removal utility is called SwatIT. Like Ad-Aware, SwatIT is a completely free program that scans your computer for Trojans, Worms, Bots, and other Hacker programs. SwatIT can detect and remove over 4,000 different Trojan programs plus variants. It doesn’t work on adware, though, so you should install both applications on your system. You can download SwatIT at http://swatit.org/download.html.
One of the ways you can come into contact with these malicious programs is through those annoying popup windows. These windows can sometimes redirect you to less than scrupulous sites that covertly download malevolent applications onto your system. One of the best ways to thwart popup windows is by using a popup blocker. Fortunately, there’s another free utility available called Stop-The-Pop designed just for this purpose.
Stop-the-Pop will also recognize and kill hostile ActiveX controls from companies known to develop spyware or adware. Gator, GAIN, C2, Comet Systems, Cydoor, and Marketscore are all on Stop-the-Pop-Up’s black list. The banner ads in ICQ Pro and MSN Messenger 4.6-5.x are also removed. Stop-The-Pop can be downloaded at http://www.bysoft.se/sureshot/stopthepop/index.html.
If you're willing to shell out a few bucks, you can purchase a suite that handles all of these preventative measures for you, including setting up a personal firewall, anti-virus protection, popup elimination, and more. One of the best available suites is Norton's Internet Security 2004, which can be purchased for around $70.
One last utility you might want to consider installing is the Browser Hijack Blaster. This utility runs silently in the background and only springs into action when an attempt is made to modify the IE Homepage, IE Default Page, IE Search Page, or Browser Helper Objects (BHO). Whenever one of these items is changed (or added), you are immediately provided with information on the item, along with the option to keep the change or revert to your previous settings. More information on this valuable little utility can be found at http://www.wilderssecurity.com/bhblaster.html.
While these tools (and others like them) are very effective at protecting your PCs, there is only so much they can do, and they work most effectively when used in conjunction with a bit of common sense. Remember, as helpful as they are, nothing will ever be 100% effective. I hope these tips and recommendations help, and best of luck to you!