Viruses & Malware

One of our customers called today.  Their Windows machine had become infected with a keystroke logger that gave a hacker their bank account information.

We check for viruses in incoming mail, but please be aware that no virus scanner is going to catch everything.  Any time a new virus is released there is a window during which nothing detects it: someone has to get infected, submit a sample to an anti-virus company, and the company has to develop and distribute a signature before scanners can check for its presence.

Also be aware that viruses and other malware, like this keystroke logger, frequently arrive over the web bundled with legitimate, and sometimes not so legitimate, software.

I recently installed something called “Dexpro”, a virtual desktop program for Windows.  I have virtual desktops built into Linux and MacOS, I find them very useful, and I wanted the same capability for Windows.

Dexpro got good reviews, but when I installed it, it also installed something called WhiteSmoke Toolbar without my permission.  Actually, to be more precise, I’m not sure whether the website I downloaded it from did the installation or its installer did.  In addition, my searches and other things were redirected to the WhiteSmoke website.

I removed the toolbar from the browser and reset my search engine preferences back to the way I thought I had them, but when I attempted to use Add/Remove Programs to get rid of it from my machine, it aborted the attempt.  I attempted to use several third-party application removal programs; they all failed.  Finally, I deleted the files (that I knew about) manually and went in and deleted the registry keys.

I thought I had rid myself of this awful beast, but when I attempted to fire up Flyff (an MMORPG video game), an anti-hacker program packaged with Flyff saw that some of the web queries were being redirected to another website, so it wouldn’t start, and I knew I hadn’t yet rid myself of this thing.

A scan with Microsoft Essentials revealed nothing.  A scan with SuperAntiSpyware found three trojans (and about 300 cookies), but Flyff still wouldn’t run, complaining of redirects.

I then did a full scan with MalwareBytes; it found another 17 trojans, after which everything seemed to be back to normal.  Still, I wouldn’t trust this machine for anything sensitive.

For online banking or anything else security sensitive, consider buying a Mac or loading Linux on your PC.  If you have Windows, don’t depend upon Microsoft Essentials alone.  It is lightweight and good for gaming, as it doesn’t interfere with game I/O much, but it lets a lot slip through.  If you must use Windows for sensitive work, I suggest a good virus scanner like Avast or AVG and, in addition, MalwareBytes and SuperAntiSpyware.  Keep in mind what it means when a third scanner finds 17 trojans the first two missed: once malware has run with administrative rights you can never be sure the cleanup got all of it, so the only remedy you can fully trust is to back up your data, reinstall Windows, and change every password that was typed on that machine.

Windows has a lot of services enabled that the typical home user doesn’t need.  Every running service is more code waiting for input, and therefore another target for malicious software to abuse, so it is best to turn off everything you don’t need.  There are two places to turn off things you don’t actually use.  For the first, open Run from the Start menu and type services.msc.  Set a service’s startup type to Disabled rather than just stopping it; a stopped service comes back at the next boot.

Unless you’re using your Windows machine as an Internet gateway (I suggest you don’t; a $50 router performs this function more securely), disable the Application Layer Gateway service, which exists only to support Internet Connection Sharing.  Also turn off Net.Tcp Port Sharing; it lets several WCF applications share one TCP port and has no use on a home machine.

If your machine is not part of a Windows network, disable Server (which offers your files and printers to other machines over SMB) and Workstation (which connects to other machines’ shares).  Also disable Computer Browser; if you’re not on a Windows network there are no other computers to browse.  Turn off Distributed Link Tracking Client, which keeps shortcuts and links pointing at NTFS files that have been moved, including across the network.  Same for Distributed Transaction Coordinator: with no databases or message queues taking part in distributed transactions, there is nothing for it to coordinate.

If you’re not hot swapping hard drives, turn off Logical Disk Manager.  This service detects newly attached disks and feeds their volume information to Disk Management, so while it is disabled the Disk Management console won’t work either.  My advice is to shut it off unless you need it.  If you’ve got thumb drives that you’re swapping in, then you might need it.

If you’re not using Volume Shadow Copy for backups, disable it.  Note, though, that System Restore creates its restore points through this same service, so if you want the restore point suggested below, leave it at its default of Manual, which only starts it when something asks for it.

If you don’t need anything to run automatically at particular times, disable the Task Scheduler.  Scheduled tasks run under the account they were registered with, and a task registered to run as SYSTEM or “with highest privileges” is a favourite place for malware to hide and relaunch itself, so at the very least look through the task list in Task Scheduler (taskschd.msc).  Be aware that later versions of Windows depend on this service for their own maintenance tasks and won’t let you disable it from services.msc.

Remote Access Connection Manager, Remote Desktop Help Session Manager (the Remote Assistance service), Remote Desktop Services and Remote Registry are the obvious ones.  The last three exist precisely so that someone outside your machine can get in, and Remote Access Connection Manager is only needed for dial-up and VPN connections you make yourself.  Disable them unless you are actually using them.

The same can be said for the rest of the services.  It is a good idea to look up each one and decide what you need and what you don’t, keeping in mind that services depend on one another (the Dependencies tab in services.msc shows this), so disabling one can silently stop the ones that need it.  It’s also a good idea to create a System Restore point before starting, so if you mess things up too badly you can get your machine back to where it was.

Turning off unneeded services not only improves the security of your Windows machine, it can also noticeably improve performance.
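The services.msc walk-through above, done from PowerShell so the whole thing is repeatable and reviewable.  This is an added example, not code from the original post: it takes the restore point first, lists what is running and which account each service runs as, shows what depends on each candidate before touching it, and only then disables the chosen ones.  The candidate list is an assumption drawn from the text; run it from an elevated Windows PowerShell prompt (3.0 or later) and review the list for your own machine first.

```powershell
# Added example (not from the original post). Run from an elevated Windows PowerShell prompt.
# The candidate list below is an assumption drawn from the text above; review it first.

# 1. Restore point first. Needs System Restore enabled for the system drive and the
#    Volume Shadow Copy service left at Manual, since restore points are made through it.
Checkpoint-Computer -Description 'Before service hardening' -RestorePointType MODIFY_SETTINGS

# 2. Inventory: what is running, how it starts, and which account it runs as.
#    Services running as LocalSystem are the ones that deserve the most scrutiny.
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.State -eq 'Running' } |
    Sort-Object DisplayName |
    Select-Object Name, DisplayName, StartMode, StartName |
    Format-Table -AutoSize

# 3. Candidates from the post, keyed by the short service name shown in a service's
#    Properties dialog in services.msc. Show what depends on each one before deciding.
$candidates = [ordered]@{
    ALG               = 'Application Layer Gateway: only used by Internet Connection Sharing'
    NetTcpPortSharing = 'Net.Tcp Port Sharing: lets WCF apps share one TCP port'
    LanmanServer      = 'Server: offers this PC''s files and printers over SMB'
    Browser           = 'Computer Browser: maintains the list of network computers'
    TrkWks            = 'Distributed Link Tracking Client: follows moved NTFS files'
    MSDTC             = 'Distributed Transaction Coordinator'
    RemoteRegistry    = 'Remote Registry: remote editing of this PC''s registry'
    RasMan            = 'Remote Access Connection Manager: dial-up and VPN'
}
foreach ($name in $candidates.Keys) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) { Write-Host ("{0,-18} not present on this system" -f $name); continue }
    $deps = ($svc.DependentServices | ForEach-Object { $_.Name }) -join ', '
    Write-Host ("{0,-18} {1,-8} needed by: {2}" -f $name, $svc.Status, $deps)
    Write-Host ("{0,-18} {1}" -f '', $candidates[$name])
}

# 4. Disable the ones you have decided against. Setting the startup type is what makes the
#    change survive a reboot; Stop-Service alone lasts only until the next boot.
#    -Force also stops the services that depend on the one being stopped.
$toDisable = @('ALG', 'NetTcpPortSharing', 'Browser', 'TrkWks', 'MSDTC', 'RemoteRegistry')
foreach ($name in $toDisable) {
    if (Get-Service -Name $name -ErrorAction SilentlyContinue) {
        Stop-Service -Name $name -Force -ErrorAction SilentlyContinue
        Set-Service  -Name $name -StartupType Disabled
        Write-Host "Disabled $name"
    }
}

# To undo one change:  Set-Service -Name <name> -StartupType Manual; Start-Service -Name <name>
# To undo everything:  System Restore, using the restore point made in step 1.
```

Server (LanmanServer) and Remote Access Connection Manager are deliberately left out of the disable list even though they are in the candidate list: the text only says to disable them if you are not on a Windows network or not using dial-up/VPN, and that is a decision the inventory in step 3 is meant to inform rather than make for you.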

I mentioned there were two places; the other is also launched from Run, but instead of services.msc type msconfig.exe.  The msconfig program can also change services, but I don’t recommend it; use services.msc for that.  What I do recommend msconfig for is the Startup tab: check whether unnecessary things are being launched there (on Windows 8 and later this list has moved to Task Manager’s Startup tab).  For example, Google, Java and Adobe all install update services, and I’d rather not have them continuously running in the background eating resources and potentially deciding an upgrade is necessary while I’m doing something else, so I disable them all.  If you do the same, update those products by hand on a regular basis: out-of-date Java, Flash and Adobe Reader are among the most commonly exploited software on a home PC, and a background updater that annoys you is still better than a version with known holes.

Another example is Nero’s InCD, which lets you use a DVD-RW like a big floppy.  However, it interferes with other programs being able to mount CDs, and I rarely (read never) use my DVD-RW for this, so I disable it and its helper application.

I have an Asus monitor program that reads temperature sensors and such, but again I don’t want it running in the background 24×7, so I have it disabled unless I start it manually.

Many gamers play games that require Steam; it sucks LOTS of resources just sitting there, so it’s best to shut it off unless you actually want to play a game, then start it manually.  The same goes for Skype.

As with Windows services, turning off applications that aren’t being used saves resources and improves security.
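The Startup tab review above, done from PowerShell.  This is an added example, not code from the original post: it lists the same autostart entries msconfig shows (Run keys and Startup folders), flags the ones launched from user-writable directories, which is where bundled adware like the toolbar described earlier tends to live rather than under Program Files, dumps the registry keys behind the list, and removes a chosen entry with a backup so it can be put back.  The entry name in the example call is hypothetical; take real names from the listing.  Run from an elevated Windows PowerShell prompt (3.0 or later).

```powershell
# Added example (not from the original post). Run from an elevated Windows PowerShell prompt.
# Entry names in the example call are hypothetical; take real ones from the listing.

# 1. Everything msconfig's Startup tab would show (Task Manager > Startup on Windows 8+).
$startup = Get-CimInstance -ClassName Win32_StartupCommand |
    Select-Object Name, Location, Command, User
$startup | Format-Table -AutoSize -Wrap

# 2. Entries that start from AppData or a Temp directory deserve a second look: a normal
#    installer puts its program under Program Files, whereas malware and bundled toolbars
#    prefer locations a standard (non-admin) user can write to.
$suspicious = $startup | Where-Object { $_.Command -match '\\AppData\\|\\Temp\\' }
if ($suspicious) {
    Write-Host 'Autostart entries running from user-writable locations:'
    $suspicious | Format-Table Name, Location, Command -AutoSize -Wrap
}

# 3. The registry locations behind the listing. Each value name is one startup entry and
#    its data is the command line that gets run at boot or logon.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    Write-Host "`n$key"
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |          # skip the provider's PSPath etc.
        ForEach-Object { Write-Host ("  {0,-30} {1}" -f $_.Name, $_.Value) }
}

# 4. Remove an entry, saving its command line first. To restore it later:
#    New-ItemProperty -Path <key> -Name <entry> -Value <saved command line>
function Disable-StartupEntry {
    param(
        [Parameter(Mandatory)] [string] $Key,
        [Parameter(Mandatory)] [string] $Entry,
        [string] $BackupFile = (Join-Path $env:USERPROFILE 'startup-backup.txt')
    )
    $cmd = (Get-ItemProperty -Path $Key -Name $Entry -ErrorAction Stop).$Entry
    Add-Content -Path $BackupFile -Value ("{0}`t{1}`t{2}" -f $Key, $Entry, $cmd)
    Remove-ItemProperty -Path $Key -Name $Entry
    Write-Host "Removed '$Entry' -> $cmd (saved to $BackupFile)"
}

# Example call with a hypothetical entry name:
# Disable-StartupEntry -Key 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Entry 'SomeUpdater'
```

Removing the registry value is not the same as unticking the box in msconfig, which parks the entry in its own key so it can be re-enabled from the same dialog; the backup file serves that purpose here.  If an entry reappears after you remove it, something else on the machine is putting it back, which is exactly the behaviour the toolbar in the story showed.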

Lastly, on the WIN.INI and SYSTEM.INI tabs (present only in the Windows XP and earlier versions of msconfig), if you don’t have any 16-bit applications left over from the days of 286 processors and Windows 3.11, disable 16-bit support.  If you don’t use Outlook, disable mail support.

Once you do all these things your system will be more secure and faster; boot times in particular should be noticeably shorter.