Viruses, Spyware, and Hack Tools
The threat landscape is ever changing, which requires end users to adapt to new threats. The most common threats today are malicious software applications that exploit known vulnerabilities in unpatched systems, so keeping your software and operating system up to date is critical. This applies not just to computers and laptops, but to smartphones, gaming consoles, and anything else with an Internet connection.
There are a few things you will need to deal with viruses, spyware, and hacking. It is best to create a standard toolkit for working on suspect machines. That way you will have the tools handy instead of having to waste time looking for them.
Basic Tools
- Windows 98 boot floppy - you want to be able to boot to DOS and mount CD-ROMs. Even though few systems have floppy drives anymore, it is still a handy thing to have if you need it.
- Microsoft Security Essentials - select the appropriate version for your operating system either x86/32-bit or 64-bit.
- Operating Systems - Windows OS Media.
- Mozilla Firefox - a lightweight browser useful for accessing the Internet from a compromised system.
- Service Packs - have a copy of the latest major service packs for Windows, Office, MDAC, Internet Explorer, and Windows Media Player.
- Resource Kits - the resource kit and support tools are invaluable.
- USB/Thumb drive - useful for transferring files between systems like virus definitions or other tools.
A little-known defense against some malicious applications is denying outbound traffic at the firewall. These applications depend on being able to send or receive data; some use the common ports of HTTP, FTP, or SMTP, while others require IRC or other non-standard ports. Limiting clients to connecting to the Internet only through designated ports therefore improves security. Specific port recommendations will be covered in another section.
Viruses
- You think you might have a virus? First, disconnect the system from the network. You do not want an infected machine on the network where it could potentially attack other connected devices.
- Second, download the latest virus definitions on another PC and move them to the infected PC via thumb drive or CD-ROM.
- Finally, boot into safe mode and scan your system.
- After removing the infection, configure the antivirus program to pull virus updates every day and scan the complete system once a week. An ounce of prevention is worth a ton of cure! And if a virus eats all your files and you have no backup, you can only blame yourself.
Spyware
- Spyware is becoming a larger and larger problem for home and business users. The best defense against spyware is being very cautious, even paranoid, about what websites you visit and what applications you download from the web, and, most of all, never running an executable you receive through e-mail.
- That being said, removing spyware is pretty tough because more often than not it will embed itself in your system in a zillion different places. Removing spyware is a lot like removing hack tools: the software utilities are only a partial solution, and none of them is 100% effective. That means running two or three applications in addition to following the guidelines for removing hack tools below.
Removing MALWARE
- Some viruses will install additional software to grant a remote user access to your PC, so removing the virus is only the first step. The following instructions apply to removing some viruses and spyware, also.
- Check your startup environment by running the System Configuration applet: go to Start, then Run, and type "msconfig". Once msconfig opens, go to Services, select the option "Hide all Microsoft Services", and disable everything else unless you know exactly what it is, what it is for, and are 100% certain it should be running. Having disabled services, disable everything in Startup; the same rule applies: if you are not sure what it is, turn it off. It is better to lose some functionality during the troubleshooting phase than to allow a malicious application to run and reintroduce itself to the system. Disable, do not delete, anything you do not recognize, but be careful: some vendor-specific applications sound like something malicious but are not.
- On Windows XP and previous versions disable System Restore because most malware will insert itself into the system restore cache.
- Purge all files from every profile's Local Settings\Temp and Local Settings\Temporary Internet folders, including those of the Local System and Network Service accounts.
- Reset the local admin user password to a known value, because you may need the local admin account if you have to log into the recovery console.
- Download Microsoft Security Essentials and the latest definition updates, crossload them to the infected system using removable media, and install them.
- Reboot into Safe Mode and run a full scan of the system.
- Inspect the registry, looking for unfamiliar programs in the following keys. Back up the keys before removing anything, then delete unfamiliar values. Of course, editing the registry is dangerous, so proceed with caution.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run subkey
- Some other registry keys can also contain malicious programs, so check these too and make sure they have not been altered. The (Default) value of each of these keys should be "%1" %*; any other value is suspect.
HKEY_CLASSES_ROOT\batfile\shell\open\command
HKEY_CLASSES_ROOT\comfile\shell\open\command
HKEY_CLASSES_ROOT\exefile\shell\open\command
HKEY_CLASSES_ROOT\htafile\shell\open\command
HKEY_CLASSES_ROOT\piffile\shell\open\command
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\batfile\shell\open\command
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\comfile\shell\open\command
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\htafile\shell\open\command
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\piffile\shell\open\command
- Malicious users can load hacking programs automatically from win.ini. Any program listed after Run= or Load= will load automatically when Windows starts. Look in the following section of the win.ini file:
[windows]
Run=
Load=
- Malicious applications can use the shell= entry to load programs through system.ini. Review system.ini for the following section, which should list only explorer.exe:
[boot]
shell=explorer.exe
- You will also have to check the Task Scheduler service to make sure there are no applications being called through there.
- Reboot, run another full scan.
- If there are still threats, make a note of how they are being loaded; there is probably an innocent-sounding file in the Windows directory being called to spawn the reinfection. Boot using the OS disk and run the repair option to log in through the recovery console, then remove that file using the recovery console.
- Reboot and run yet another full scan. Yes, this is tedious, repetitive and takes forever, but it is necessary.
- Now that you have dealt with the threats you can see, check for threats you cannot see. Some hack tools hide themselves from the operating system. Luckily, there are tools available to help you find hidden objects. Download RootkitRevealer to locate hidden items.
- Unfortunately, once a system has been compromised, you can never fully trust it. Therefore, it is best to wipe the machine clean and reinstall the operating system, then reload applications and data from backups.
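The registry, win.ini and system.ini checks in the steps above can be done in one pass. The following is an added example, not part of the original article: a read-only PowerShell audit that lists every value in the autostart keys named above, flags any file-type handler whose (Default) is not "%1" %*, and flags non-empty Run=/Load= lines in win.ini or a shell= line in system.ini other than explorer.exe. It assumes both .ini files live in $env:windir, the Windows default.

```powershell
# Added example, not from the original article: a read-only audit of the
# autostart locations named above. Run from an elevated PowerShell prompt.
# Assumes win.ini and system.ini live in $env:windir (the default).

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunServices'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)

# 1. Dump every autostart value so each one can be identified by hand; the
#    article's rule applies: if you cannot say what it is, it is suspect.
foreach ($key in $runKeys | Where-Object { Test-Path $_ }) {
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' } |
        ForEach-Object { '{0}  {1} = {2}' -f $key, $_.Name, $_.Value }
}

# 2. File-type handlers: the (Default) value must be exactly "%1" %*.
$expected = '"%1" %*'
foreach ($hive in 'Registry::HKEY_CLASSES_ROOT', 'HKLM:\SOFTWARE\Classes') {
    foreach ($type in 'batfile', 'comfile', 'exefile', 'htafile', 'piffile') {
        $key = "$hive\$type\shell\open\command"
        if (-not (Test-Path $key)) { continue }
        $default = (Get-ItemProperty -Path $key).'(default)'
        if ($default -ne $expected) {
            Write-Warning "$key altered: [$default] (expected $expected)"
        }
    }
}

# 3. win.ini [windows] Run=/Load= should be empty and system.ini [boot]
#    shell= should be explorer.exe; anything else is flagged.
$iniChecks = @{
    (Join-Path $env:windir 'win.ini')    = '^\s*(Run|Load)\s*=\s*\S'
    (Join-Path $env:windir 'system.ini') = '^\s*shell\s*=\s*(?!explorer\.exe\s*$)'
}
foreach ($file in $iniChecks.Keys | Where-Object { Test-Path $_ }) {
    Select-String -Path $file -Pattern $iniChecks[$file] |
        ForEach-Object { Write-Warning "$file : $($_.Line.Trim())" }
}
```

The script only reads; back up any key it flags before deleting values, as the steps above advise.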