Category Archives: Malware Removal

Ransomware! – How A Layered Security Approach Can Defeat It

My Australian mate, Mal Cowan, steps into the breech when his good friend gets infected with one of the most difficult to remove pieces of malware currently ripping up the Internet – ransomware. Follow Mal, in this guest writer article, as he spins up his skill set and puts the hammer to a ransomware payload cybercrime.

imageRecently, I received a frantic call from a good friend.  He informed me that when he booted his computer, there was a message supposedly from Australian Law Enforcement, stating that his PC had been involved in illegal activity and, distributing pornographic material.

Freak-out time – The malware had taken a photo of him via his webcam and placed it in the top  middle of the Law Enforcement notice.

Note: This scam is not restricted to Australia. The graphic below provides ample evidence that this type of ransomware is a global issue.

Graphic courtesy of F-Secure.

Immediately, I knew what this program was – Ransomware.  Tech and blog sites have been full of news of this scourge in the past few months.

At first look, there was a full screen message – complete with an official looking logo from the Australian Federal Police.  The computer’s IP address had been logged, and there was indeed a photo of my friend, along with the messages outlined above.

The clincher? The message stated that he had to pay a fine to unlock his computer.

First, I tried to start Task Manager to stop the malware process.  That did not work – it simply would not load.  The computer was well and truly locked.

Next, I tried to restart the computer in Safe Mode.  No luck.  The message appeared again.  Still frozen.

Then, I inserted Kaspersky Rescue Disk (a fantastic Linux based recovery disk made for just this type of situation), and restarted the computer.

Selecting boot options before Windows started, I loaded Kaspersky and updated the malware database via the Internet.  The wonderful thing about Kaspersky is, it scans the infected machine without Windows running, so anything nasty cannot hide.

After a three hour scan, Kaspersky came up with 50 Trojan detections (one of the biggest I have ever seen).  It was able to eliminate all but one of them.

I crossed my fingers and restarted Windows.  Instead of the message, there was just a big white screen – still locked.  Kaspersky had obviously made a dent, but I needed something more.

Before leaving for my friends house, I had loaded up a USB stick with Hitman Pro Kickstart.  Hitman Pro is a wonderful true cloud antivirus scanner using multiple AV engines, with an excellent detection rate.

Recently, it also added a feature in which one can create a bootable USB stick that can bypasses the infected boot process.  The catch is – this must be done on an uninfected machine (which is why I used my personal computer to create it).

I inserted the USB stick into the slot, restarted the machine, and went to boot options (the F12 key on the infected machine) and selected “Boot from USB”.

Hitman Pro Kickstart came through.  It booted straight into the Windows environment without a hitch, and then proceeded to run a scan (an Internet connection is required).  I was a bit dismayed when the scan came back clean, as I knew Kaspersky had not been able to eliminate one threat.

But now, I was past the ransomware Trojan and able to start other antimalware applications.  Malwarebytes was next.  I updated it and proceeded to run a full scan.  Bingo.  It nailed a few more Trojans that had got past Kaspersky and Hitman Pro, and after deleting these nasties and rebooting the computer normally again, a further scan with Hitman Pro, Malwarebytes and AVG, the computer came up clean.

The point of my story really is quite simple.  NOBODY can rely on one antivirus/antimalware application to catch all malware.  The ransomware obviously got past the onboard, realtime antivirus (which was not AVG, I installed that afterwards).  Kaspersky detected most of the infections, Hitman Pro helped me boot into the Windows environment, and Malwarebytes cleaned up the rest.  AVG came up with a clean scan after I uninstalled the old antivirus.

How did my friend get infected?  Who knows.  There are so many exploits that this Trojan could have used that I don’t have a clue.  The computer is a family machine, used mostly by children for online games and such.

Just visiting a family friendly site can get your computer infected these days. It could have been worse.  It might have been an infection that actually encrypted the contents of the whole computer.  That’s a nightmare I am glad I didn’t have to deal with.

Thanks Mal.   Smile

Advertisements

9 Comments

Filed under Anti-Malware Tools, Free Security Programs, Guest Writers, Malware Removal

Malware Hunting? Checkout These 20 + Free Tools Designed To Destroy Tough Malware

imageChoosing and using the right tool, which has been designed specifically for the job at hand, is obviously a levelheaded approach. Still, I’ll wager that you can conjure up more than one occasion when you’ve encountered the “one tool for all purposes” mindset – the so-called “Birmingham Screwdriver” effect – “If it doesn’t work – hit it. If it still doesn’t work, use a bigger hammer.”

The Birmingham Screwdriver approach, taken by many AV solutions, may not always be the most appropriate approach to eradicating a tough malware problem – a specially designed application which targets specific classes of malware may be a better solution.

The following tools have been specifically designed to help skilled users better identify malware infections and then, eradicate (hopefully), those specific infections. These tools require advanced computer knowledge – unless you feel confident in your diagnostic skills, you should avoid them.

Just to be clear – not all of these tools are “one-click simple” to decipher, and users need to be particularly mindful of false positives.

Should you choose to add these applications to your antimalware toolbox, be aware that you will need the latest updated version for maximum impact.

Note: Many of the following tools have been tested and reviewed here previously.

Emsisoft HiJackFree

The program operates as a detailed system analysis tool that can help you in the detection and removal of Hijackers, Spyware, Adware, Trojans, Worms, and other malware. It doesn’t offer live protection but instead, it examines your system, determines if it’s been infected, and then allows you to wipe out the malware.

Runscanner

If you’re a malware hunter, and you’re in the market for a free system utility which will scan your system for running programs, autostart locations, drivers, services and hijack points, then Runscanner should make your shortlist. The developers of Runscanner describe this freeware utility as having been designed to “detect changes and misconfigurations in your system caused by spyware, viruses, or human error.”

HijackThis

HijackThis is a free utility which heuristically scans your computer to find settings that may have been changed by homepage hijackers, spyware, other malware, or even unwanted programs. In addition to this scan and remove capability HijackThis comes with several tools useful in manually removing malware from a computer. The program doesn’t target specific programs, but instead it analyses registry and file settings, and then targets the methods used by cyber-crooks. After you scan your computer, HijackThis creates a report, and a log file (if you choose to do so), with the results of the scan.

RKill

RKill is a program developed at BleepingComputer.com – “It was created so that we could have an easy to use tool that kills known processes that stop the use of our normal anti-malware applications. Simple as that. Nothing fancy. Just kill known malware processes so that anti-malware programs can do their job.”

Emsisoft BlitzBlank

BlitzBlank is a tool for experienced users and all those who must deal with Malware on a daily basis. Malware infections are not always easy to clean up. In more and more cases it is almost impossible to delete a Malware file while Windows is running. BlitzBlank deletes files, Registry entries and drivers at boot time before Windows and all other programs are loaded.

McAfee Labs Stinger

Stinger is a stand-alone utility used to detect and remove specific viruses. It is not a substitute for full anti-virus protection, but rather a tool to assist administrators and users when dealing with an infected system. Stinger utilizes next generation scan engine technology, including process scanning, digitally signed DAT files, and scan performance optimizations.

Specialty Removal Tools From BitDefender

28 special removal tools from Bitdefender.  On the page – click on “Removal Tools”.

Microsoft Malicious Software Removal Tool

This tool checks your computer for infection by specific, prevalent malicious software (including Blaster, Sasser, and Mydoom) and helps to remove the infection if it is found. Microsoft will release an updated version of this tool on the second Tuesday of each month.

NoVirusThanks

NoVirusThanks Malware Remover is an application designed to detect and remove specific malware, Trojans, worms and other malicious threats that can damage your computer. It can also detect and remove rogue security software, spyware and adware. This program is not an Antivirus and does not protect you in real time, but it can help you to detect and remove Trojans, spywares and rogue security software installed in your computer.

Norton Power Eraser

Symantec describes Norton Power Eraser in part, as a tool that “takes on difficult to detect crimeware known as scareware or rogueware. The Norton Power Eraser is specially designed to aggressively target and eliminate this type of crimeware and restore your PC back to health.”

FreeFixer

FreeFixer is a general purpose removal tool which will help you to delete potentially unwanted software, such as adware, spyware, Trojans, viruses and worms. FreeFixer works by scanning a large number of locations where unwanted software has a known record of appearing or leaving traces. FreeFixer does not know what is good or bad so the scan result will contain both files and settings that you want to keep and perhaps some that you want to remove.

Rootkit Tools:

If you think you might have hidden malware on your system, I recommend that you run multiple rootkit detectors. Much like anti-spyware programs, no one program catches everything.

IceSword

IceSword is a very powerful software application that will scan your computer for rootkits. It also displays hidden processes and resources on your system that you would be unlikely to find in any other Windows Explorer like program. Because of the amount of information presented in the application, please note that IceSword was designed for more advanced users.

GMER

This freeware tool is essentially a combination of Sysinternals’ Rootkit Revealer and Process Explorer. The program can list running processes, modules and Windows services, in addition to scanning for the presence of rootkits.

Special mention 1:

MalwareBytesIn addition to its superb free AV application, MalwareBytes offers a basket full of specialty tools. The following application descriptions have been taken from the site.

Chameleon

Malwarebytes Chameleon technology gets Malwarebytes running when blocked by malicious programs.

Malwarebytes Anti-Rootkit BETA

Malwarebytes Anti-Rootkit removes the latest rootkits.

FileASSASSIN

FileASSASSIN can eradicate any type of locked files from your computer.

RegASSASSIN

RegASSASSIN removes malware-placed registry keys in two simple steps – just reset permissions and delete! This powerful and portable application makes hard-to-remove registry keys a thing of the past.

Special mention 2:

A Rescue Disk (Live CD), which I like to think of as the “SWAT Team” of antimalware solutions – is an important addition to your malware toolbox. More often than not, a Live CD can help you kill malware DEAD!

Avira AntiVir Rescue System – The Avira AntiVir Rescue System a Linux-based application that allows accessing computers that cannot be booted anymore. Thus it is possible to repair a damaged system, to rescue data or to scan the system for virus infections.

Kaspersky Rescue Disk – Boot from the Kaspersky Rescue Disk to scan and remove threats from an infected computer without the risk of infecting other files or computers.

10 Comments

Filed under Anti-Malware Tools, downloads, Freeware, Geek Software and Tools, Malware Removal, Rootkit Revealers, System Recovery Tools

Tweaking.com Windows Repair 1.7.5 – A One Click Simple Free Repair Utility

imageWhile freeware maintenance applications are readily available for download (and, many of them are very capable), finding a good, solid, freeware system repair application, suitable for less technically inclined computer users, is always a challenge.

One of my favorites in this application genre is Tweaking.com’s Windows Repair – a super all-in-one repair tool which has undergone 30 revisions since I last reviewed it. This small tool has plenty of functionality, including the ability to fix registry errors and file permissions – as well as issues with Internet Explorer, Windows Update, Windows Firewall, and more.

Windows Repair can even restore Windows original settings which have been changed by malware – a common occurrence.

Fast facts – Windows Repair can do the following:

Reset Registry Permissions
Reset File Permissions
Register System Files
Repair WMI
Repair Windows Firewall
Repair Internet Explorer
Repair MDAC & MS Jet
Repair Hosts File
Remove Policies Set By Infections
Repair Icons
Repair Winsock & DNS Cache
Remove Temp Files
Repair Proxy Settings
Unhide Non System Files
Repair Windows Updates
and more…

As the following screen captures show – Windows Repair is not only simply to operate but, it “holds the user’s hand” while working through the repair process.

Note: All screen shots can be expanded to the original size by clicking.

image

For those users dealing with a malware infected system, the application directs to a number of anti-malware freebies so that the repair process can begin on the right footing.

Previous users will note that both Avast and ComboFix (a specialty antimalware tool), have been added to Step One.

image

As the application points out in the following screen shot, there’s nothing to be gained by completing a repair sequence if there are errors in the file system.

While the system file check is optional, it makes good sense to run this tool.

image

Likewise, with the file version checking tool.

image

Prior to starting the repair process both a System Restore Point, and a Registry backup option, are available.

A quick piece of advice: Never allow an application to make system changes, without creating a System Restore Point first. It takes only a minute, or two.

image

The updated application dispenses with the old three level system of repairs. Instead, all repairs have been  combined into a single window – as illustrated in the following screen capture.

image

In the above screen capture, I’ve highlighted a single repair – Repair Winsock and DNS Cache. For the Geek crowd this is a simple repair.

The Geek way:

Go to “Run” in the Start menu (“Search” for “Run” if you can’t see it).

In the Run box, type CMD (doesn’t need to be capitalized).

image

At the command prompt, (not in the Run box), type – ipconfig/flushdns.

image

Hit “Enter”, and that’s it. The DNS cache has just been flushed.

Looks pretty simple – if you are a Geek. With Windows Repair, there’s no need to have all the esoteric system info that geek’s carry around in their heads – one click and the job is done.

Let’s take a quick look at repairing a problem I have on this machine – Windows Update is acting a little wonky.

I’ve selected the Repair Windows Update checkbox.

image

The following screen capture illustrates Windows Repair running the routine.

image

Time to complete the repair – 14 seconds – not including the required restart. How’s that for speed?

image

Here’s what regular readers have to say about this super application – based on a previous review.

Steve

September 1, 2011 at 10:49 pm

Excellent program. Just featured it twice in a week because it really saved us. I’m so use to re-registering files or doing fixes it is second nature. We just ran into a computer that the answer and suggestions on the web just didn’t work. The program re-registered over 1000 files and the pc was fixed. Ironically I had worked with it for two hours and remembered your review! SFC and every solution became fruitless.

TeXaCo

September 7, 2011 at 10:34 pm

I just wanted to let you know that my brother talked to me about problems on his computer where registry entries were apparently messed up. He could not open any word documents at all because they were all garbled with numbers and letters.

I didn’t know exactly what to tell him how to fix it and then I remembered you posting this so I told him to download this and try it out. Sure enough after using the registry repair at tweaking.com his computer is back to normal….without a reformat.

I just figured you would like to know. It saved me some headaches

Thanks for posting this.

Using Tweaking.com – Windows Repair by MajorGeeks.com (Click on graphic to play video).

image

System requirements: Windows XP, 2003, 2008, Vista, Win 7.

Download at: MajorGeeks

For those users who prefer to carry their utilities on a Flash drive – a portable version is available here.

Windows Repair makes it easy to repair common Windows problems and, its ease of operation should make it ideal for less experienced users.

7 Comments

Filed under Computer Tools, downloads, Freeware, Malware Removal, System Utilities

Comodo Cleaning Essentials – An Aggressive On-Demand Malware Scanner

imageThis past week, Neil J. Rubenking, PC Magazine’s lead analyst for security, in his article – The Best Free Antivirus for 2012 – included Comodo Cleaning Essentials.  Earlier this year, I took this freebie application for a test run and wrote up my impressions. Curiously, this post had both Twitter and Facebook referrals but, limited response from regular readers.

Comodo Cleaning Essentials is a tough application when used in the fight against malware, and in the event you missed this post, I’ve republished it here.

Comodo Cleaning Essentials

Comodo’s recently released portable Comodo Cleaning Essentials (freeware), is an interesting breed of applications within applications – an aggressive on-demand malware scanner (the core application), combined with several system tools – a variation of Windows Task Manager (Killswitch), and an Autorun Analyzer.

Users who are familiar with Sysinternals Process Explorer will have little difficulty getting down to work with Comodo’s Autorun Analyzer. Or, for that matter, Killswitch – an impressive Windows Task Manager replacement.

For now, I’ll focus on the on-demand malware scanner. All graphics in the following review can be expanded to their original size.

Simple, straightforward, and easy to understand GUIs are the standard – and, Comodo Cleaning Essentials meets that standard.

image

For my initial test run, I did not hold back in terms of the volume of information the application had to deal with – as illustrated in the following graphic. I should add – I set the selectable heuristics at “low level”. Users may choose to bump up  this setting.

image

image

Updating of the database is an automatic process, as illustrated.

image

Following application launch, my first reaction was – Get It Done! Thirty six minutes in, and memory scanning had not yet been completed. SLOW!

image

Three hours plus. Yawn – I’M WAITING!!!!!!!!

image

Waiting still – at the four hour plus mark. At this point I exited the application (2 Million objects scanned), since drive E: is malware free. As well, the 49 threats found by the scanner were all false positives – not a bad thing necessarily. More on this to follow.

image

Comodo Cleaning Essentials is no slouch at eating up the clock cycles – as illustrated in the following screen shot.

image

I jumped ahead here a little bit here, and ran a comparable scan with Microsoft Security Essentials which, as you can see in the following graphic, is not a system resource hog.

image

MSE test run – using the same test parameters.

image

The MSE scan completed in just under three hours. Keep in mind however – MSE is not portable, and is designed to act as a first line of defense against malware penetration.

Comodo Cleaning Essentials on the other hand, has been crafted as a “real world – everything is messed up” solution. Especially valuable in circumstances where malware has blocked access to onboard AVs.

image

The false positive issue.

No doubt, warnings and cautions generated by antimalware scanners, can often be a major frustration – time consuming and just a pain in the butt. On the other hand, scanning a HD which has been overrun by malware, demands the use of an aggressive tool – and, Comodo Cleaning Essentials certainly qualifies as “aggressive”. Simply put – you can’t have your cake and eat it too.

Autorun Analyzer:

As mentioned earlier, this component is a Process Explorer takeoff – with a number of worthwhile additional features.

The following screen capture (showing all entries), indicates 3 possible unsafe entries which, on investigation proved to be benign. Still, better safe than sorry. So, I take no issue with warnings which prove to be a “false alarm”. I’m all in favor of a “give me the bad news philosophy” – I’ll determine the relevancy of the information provided.

image

KillSwitch:

As a Windows Task Manager Replacement, KillSwitch has it in spades. The following screen shots illustrate just a few of the enhancements.

image

Over the years, I’ve happily been able to convince more than a few readers to occasionally spot check their network connections, using stand alone applications such as CurrPorts.  KillSwitch includes this capability – a very good move in my estimation.

image

Finally (at least for this report), KillSwitch includes a “Quick Repair” tool which, in the right circumstance, could be invaluable. Sorry, for this review I couldn’t find any items on this test platform to repair.   Smile

image

Fast facts: 

Classifies the threat level of all objects and processes currently loaded into memory and highlights those that are not trusted

Allows the admin to terminate, delete or suspend every untrusted item with a single click.

On-demand malware scanner quickly finds viruses, rootkits and hidden services

Extremely efficient malware removal routines thoroughly disinfect virus stricken endpoints

Detailed statistics and graphs allow admins to analyze and fine tune system activity to almost infinite levels of detail

Leverages Comodo’s huge whitelist database to accurately identify the trust status of every running process with minimal false positives

Integration with Comodo cloud scanning technology delivers instant behavioral analysis of unknown processes

Powerful system tools provide control over even the most obscure system settings

Simple interface for admins to manage trusted vendors list

Comprehensive event logs provide detailed overview of system activity on endpoint machines

Quick repair feature allows fast restoration of important Windows settings

Can replace the standard Windows Task Manager if required

Another indispensable addition to admin’s security toolkit to complement software such as Comodo Internet Security

Lightweight – requires no installation and can be run right from a USB stick

System Requirements: Windows 7 – 32 and 64 bit, Windows Vista – 32 and 64 bit, Windows XP – 32 and 64 bit

Download at: Comodo

I’m not suggesting that Comodo Cleaning Essentials is the perfect tool (if you find such a tool, please let me know   Smile  ), but, if you’re on the hunt for a lightweight, standalone security application – that doesn’t require installation – Comodo Cleaning Essentials deserves a close look.

A caveat: This application is not designed to be used by anyone other than highly knowledgeable, and well experienced users.

9 Comments

Filed under Anti-Malware Tools, Comodo, downloads, Freeware, Malware Removal, System Utilities, Windows Task Manager Replacement

Comodo Cleaning Essentials – Fast It’s Not – Powerful It Is

imageComodo’s recently released portable Comodo Cleaning Essentials (freeware), is an interesting breed of applications within applications – an aggressive on-demand malware scanner (the core application), combined with several system tools – a variation of Windows Task Manager (Killswitch), and an Autorun Analyzer.

Users who are familiar with Sysinternals Process Explorer will have little difficulty getting down to work with Comodo’s Autorun Analyzer. Or, for that matter, Killswitch – an impressive Windows Task Manager replacement.

For now, I’ll focus on the on-demand malware scanner. All graphics in the following review can be expanded to their original size.

Simple, straightforward, and easy to understand GUIs are the standard – and, Comodo Cleaning Essentials meets that standard.

image

For my initial test run, I did not hold back in terms of the volume of information the application had to deal with – as illustrated in the following graphic. I should add – I set the selectable heuristics at “low level”. Users may choose to bump up  this setting.

image

image

Updating of the database is an automatic process, as illustrated.

image

Following application launch, my first reaction was – Get It Done! Thirty six minutes in, and memory scanning had not yet been completed. SLOW!

image

Three hours plus. Yawn – I’M WAITING!!!!!!!!

image

Waiting still – at the four hour plus mark. At this point I exited the application (2 Million objects scanned), since drive E: is malware free. As well, the 49 threats found by the scanner were all false positives – not a bad thing necessarily. More on this to follow.

image

Comodo Cleaning Essentials is no slouch at eating up the clock cycles – as illustrated in the following screen shot.

image

I jumped ahead here a little bit here, and ran a comparable scan with Microsoft Security Essentials which, as you can see in the following graphic, is not a system resource hog.

image

MSE test run – using the same test parameters.

image

The MSE scan completed in just under three hours. Keep in mind however – MSE is not portable, and is designed to act as a first line of defense against malware penetration.

Comodo Cleaning Essentials on the other hand, has been crafted as a “real world – everything is messed up” solution. Especially valuable in circumstances where malware has blocked access to onboard AVs.

image

The false positive issue.

No doubt, warnings and cautions generated by antimalware scanners, can often be a major frustration – time consuming and just a pain in the butt. On the other hand, scanning a HD which has been overrun by malware, demands the use of an aggressive tool – and, Comodo Cleaning Essentials certainly qualifies as “aggressive”. Simply put – you can’t have your cake and eat it too.

Autorun Analyzer:

As mentioned earlier, this component is a Process Explorer takeoff – with a number of worthwhile additional features.

The following screen capture (showing all entries), indicates 3 possible unsafe entries which, on investigation proved to be benign. Still, better safe than sorry. So, I take no issue with warnings which prove to be a “false alarm”. I’m all in favor of a “give me the bad news philosophy” – I’ll determine the relevancy of the information provided.

image

KillSwitch:

As a Windows Task Manager Replacement, KillSwitch has it in spades. The following screen shots illustrate just a few of the enhancements.

image

Over the years, I’ve happily been able to convince more than a few readers to occasionally spot check their network connections, using stand alone applications such as CurrPorts.  KillSwitch includes this capability – a very good move in my estimation.

image

Finally (at least for this report), KillSwitch includes a “Quick Repair” tool which, in the right circumstance, could be invaluable. Sorry, for this review I couldn’t find any items on this test platform to repair.   Smile

image

Fast facts: 

Classifies the threat level of all objects and processes currently loaded into memory and highlights those that are not trusted

Allows the admin to terminate, delete or suspend every untrusted item with a single click.

On-demand malware scanner quickly finds viruses, rootkits and hidden services

Extremely efficient malware removal routines thoroughly disinfect virus stricken endpoints

Detailed statistics and graphs allow admins to analyze and fine tune system activity to almost infinite levels of detail

Leverages Comodo’s huge whitelist database to accurately identify the trust status of every running process with minimal false positives

Integration with Comodo cloud scanning technology delivers instant behavioral analysis of unknown processes

Powerful system tools provide control over even the most obscure system settings

Simple interface for admins to manage trusted vendors list

Comprehensive event logs provide detailed overview of system activity on endpoint machines

Quick repair feature allows fast restoration of important Windows settings

Can replace the standard Windows Task Manager if required

Another indispensable addition to admin’s security toolkit to complement software such as Comodo Internet Security

Lightweight – requires no installation and can be run right from a USB stick

System Requirements: Windows 7 – 32 and 64 bit, Windows Vista – 32 and 64 bit, Windows XP – 32 and 64 bit

Download at: Comodo

I’m not suggesting that Comodo Cleaning Essentials is the perfect tool (if you find such a tool, please let me know   Smile  ), but, if you’re on the hunt for a lightweight, standalone security application – that doesn’t require installation – Comodo Cleaning Essentials deserves a close look.

A caveat: This application is not designed to be used by anyone other than highly knowledgeable, and well experienced users.

4 Comments

Filed under Anti-Malware Tools, Comodo, downloads, Freeware, Malware Removal, System Utilities, Windows Task Manager Replacement

Microsoft’s Malicious Software Removal Tool Focuses On Families – Malware Families, That Is

imageLike it or not, (what’s not to like), you get scanned once a month – provided that is, you update your Windows OS on the second Tuesday of each month (fondly known as Patch Tuesday).

Malware comes, and malware goes. Not all malware of course, but the majority of malware doesn’t stick around very long – just a few days in many cases. Still, with upwards of 300,000 new malware samples every day (according to some estimates), AV solutions could soon be overrun in the race to keep pace with this onslaught. Luckily, malware can often be be grouped by families (malware with inherited characteristics), and that’s where Microsoft’s Malicious Software Removal Tool specifically, comes into play.

The Malicious Software Removal Tool, which is updated monthly, is included with Patch Tuesday’s Windows Update and once activated – runs in the background targeting specific, prevalent malware families. If an infection is found, the tool will remove the malware (hopefully), and provide a report on any actions taken.

A list of malicious software detected and cleaned by the Malicious Software Removal Tool is available here.

If you wish, you can download and then run this tool manually, as required. The latest edition of the tool is always available at the Microsoft Download Center.

System requirements: Windows 7, Windows Server 2003, Windows Vista, Windows XP

You might wonder as to why Microsoft would make a point of including this AV scanner as part of Windows update. Here’s why (in my view) – an astonishingly large number of users don’t have any security applications installed or, an installed AV solution’s databases is rarely (if ever) updated.

If you take issue with this statement (and that’s fair), then test it by asking a typical user friend/s to name their AV application; tell you the last time they updated the database and, if they recall the last time they ran a malware scan. I think you’ll be disappointed with the response.

A website worth taking note of: Microsoft Consumer Security Support Center.

If you found this article useful, why not subscribe to this Blog via RSS, or email? It’s easy; just click on this link and you’ll never miss another Tech Thoughts article.

4 Comments

Filed under 64 Bit Software, Anti-Malware Tools, Freeware, Malware Removal, Microsoft, Microsoft Patch Tuesday, Software, Windows Tips and Tools, Windows Update

With Kaspersky’s Free TDSSKiller You’ll Have A Fighting Chance To Kill Rootkits

imageThere’s malware, and then – there’s MALWARE. In other words, all malware is not created equal. For example, Rootkits are not your common everyday piece of malware.

Rootkits are often designed to overwrite the Hard Drive’s MBR (master boot record), the first sector – Sector 0 – where the code to boot the operating system following BIOS loading, resides.

As a consequence, Rootkit files and processes will be hidden in Explorer, Task Manager, and other detection tools. It’s easy to see then, that if a threat uses Rootkit technology to hide, it is going to be difficult to find.

And yes, I’m aware that major AV application developers are fond of pointing out that their products will flag and remove Rootkits. Users are expected to believe those claims – DON”T!

From a previous article (June 2011) –

Microsoft is telling Windows users that they’ll have to reinstall the operating system if they get infected with a new rootkit that hides in the machine’s boot sector. A new variant of a Trojan Microsoft calls “Popureb” digs so deeply into the system that the only way to eradicate it is to return Windows to its out-of-the-box configuration.

Scanning for Rootkits occasionally, is good practice and by scanning with the right tools, Rootkits can be hunted down and eradicated (maybe) – but  personally, I would never trust that any detection/removal application has successful removed a Rootkit.

If you have detected that your system has become infected by a Rootkit, I recommend that you first wipe the drive –  using a free tool such as Darik’s Boot And Nuke, reformat, and only then – reinstall the operating system.

Rootkit detectors can be difficult to work with and consequently, my good buddy Michael C., following the last post on Rootkit detection – Got A Rootkit Infection? – Find Out With These Four Free Rootkit Detectors – posed the following question: “Just wondering if there is a rootkit detector for us “average users” that doesn’t require a MIT degree.”

And, there is.

Kaspersky Labs has developed the free TDSSKiller utility which is designed to detect and remove common Rootkits. Specifically, Rootkits in the Rootkit.Win32.TDSS family (TDSS, Sinowal, Whistler, Phanta, Trup, Stoned) – in addition to regular Rootkits (now, there’s a misnomer), as well as Bootkits.

Usage instructions:

Download the TDSSKiller.zip archive and extract it into a folder on the infected (or possibly infected) computer with an archiver (free 7-Zip, for example).

Run the TDSSKiller.exe file.

The utility can detect the following suspicious objects:

Hidden service – a registry key that is hidden from standard listing.

Blocked service – a registry key that cannot be opened by standard means.

Hidden file – a file on the disk that is hidden from standard listing.

Blocked file – a file on the disk that cannot be opened by standard means.

Forged file – when read by standard means, the original content is returned instead of the actual one.

BackBoot.gen – a suspected MBR infection with an unknown bootkit.

The interface (as shown below) is clean and simple. Click on any of the following graphics to expand.

image

A scan in progress.

image

The completed scan shows the system is clean and free of Rootkit infections. You’ll note that the scan finished in 10 seconds.

image

Following the scan, you will have access to a full report – if you choose.

image

System requirements: Win 7, Vista, XP (both 32 and 64 bit systems).

Download at: Kaspersky

Since the false positive issue is always a major consideration in using tools of this type, you should be aware that tools like this, are designed for advanced users, and above.

If you need help in identifying a suspicious file/s, you can send the file/s to VirusTotal.com so that the suspicious file/s can be analyzed.

To read a blow by blow description of just how difficult it can be to identify and remove a Rootkit, you can checkout this Malwarebytes malware removal forum posting.

If you found this article useful, why not subscribe to this Blog via RSS, or email? It’s easy; just click on this link and you’ll never miss another Tech Thoughts article.

13 Comments

Filed under 64 Bit Software, Anti-Malware Tools, downloads, Free Anti-malware Software, Freeware, Kaspersky, Malware Removal, Malwarebytes’ Anti-Malware, Recommended Web Sites, Rootkit Revealers, rootkits, Software, System Security, Utilities, Windows Tips and Tools