Some 30% of computers with a security solution installed scanned last week  were infected with some kind of malware.  In the case of computers without any kind of protection, the figure goes up to 44%. Source: http://www.infectedornot.com

Click Image for full article.

This is a very nasty and insidious spyware/malware program.  Spyware experts are now saying that the makers are borrowing  code from other malicious programs to install rootkit like features on infected machines.

More recent versions of CWS spyware now have features similar to rootkits which allow the program writers to hide their files on Windows operating systems.

These new variants can hide their settings in the registry and also hide rootkit files in alternate data streams.

The software is usually installed on a machine by visits to malicious websites or  emails using various ploys to get users to download and install the script.

Once installed, CoolWebSearch will hijack browsers and redirect users to some of the several bookmarks it imports.  When you attempt to change your homepage back again it constantly overwrites it,  it slows down general performance and causes Windows to freeze, crash or reboot, and can also make you victin to a Denial of Service (DOS) attack.

Getting rid of it is now much easier.  TrendMicro have a free CoolWebSearch removal program

Use this utility to get rid of CoolWebSearch and it’s related programs. 

Also download Spybot S&D and use its TeaTimer protection, which runs in the background and alerts you to any attempted registry changes.

If you are running Windows, also use  Advanced Windows Care.  Both of these programs will add a large number of changes to your Registry.  This is nothing to be concerned about as the changes are necessary to stop any nasties from attching themselves to your pc and making changes you really don’t want.

Keep your anti-spyware up to date and if you click on any links that prompt you to download, read the EULA first.

Check for rootkits on your machine.

As with all programs, regular updates is essential to offer you greater protection.

May 2008 Important Note: Grisoft have now incorporated this as part of the new AVG Anti-Virus v8.0.1
It is only available in the paid version NOT the free version, so please scroll to the bottom of the page for more Rootkit Removers although the standalone version is available through the download link at the end of the description.

Grisoft has developed quite a following with its free (for personal, non-commercial use) security applications, and for good reason.

Now there’s an anti-rootkit utility in AVG’s free software stable, too, and for users seeking a minimum of interaction, AVG Anti-Rootkit Free may very well be the Right Tool for the Job.

Grisoft makes its free AVG Anti-Rootkit application available for download. Users download the avgarkt.exe setup file, which features simple installation.

In keeping with the goal to make AVG Anti-Rootkit a very simple tool, the file features a simple .exe install file that triggers a setup wizard.

Users can select between a normal interface (which Grisoft recommends and sets as the default) or a low graphics interface (which is optimized for visually impaired users who rely on screen-reading programs).

Users must accept the AVG Anti-Rootkit Free license agreement before they can use the program to check their Windows system for stealth rootkit programs.

Next, users must specify the location of the AVG Anti-Rootkit Free installation files.

As with most software programs, users must specify the name of the Start Menu Folder. This is the name the AVG Anti-Rootkit application receives on the user’s Start menu.

Once users have specified all setup information, the free anti-rootkit utility installs itself.

Due to the way most anti-rootkit applications operate, it’s necessary to reboot Windows to enable proper operation. AVG’s free anti-rootkit application is no different. AVG’s setup utility gives users the option of rebooting immediately automatically or manually rebooting later.

AVG purposefully keeps its anti-rootkit interface simple. There are very few options for users to choose, thereby helping simplify the already confusing and complex world of rootkits.

AVG includes concise educational information aimed at helping regular (non-IT professionals) better understand the threat stealth rootkit programs present.

The Learn More tab lists information on what rootkits are and how users can protect their PCs from the stealth threats. There’s also a link to Grisoft’s site where additional computer security information is made available.

Users can check for AVG Anti-Rootkit Free updates using the third tab (About & Update). Clicking the About & Update tab also reveals the current version users have installed.

An interesting note, Grisoft informs users on this third tab why the AVG Anti-Rootkit uses random window titles. The reason is that AVG’s programmers wanted intentionally to change the name of the window the free anti-rootkit application uses to help thwart detection efforts rootkit hackers might program into their malware.

If users click the Check For New Version button found on the third About & Update tab, they are directed to Grisoft’s Web site. Here users will see whether the version they are using is current or whether updates must be downloaded.

The Search For Rootkits tab is the meat of the program and the reason users will download it in the first place.

Clicking the Search For Rootkits button triggers a search of stealth rootkit programs. The free AVG application tracks its progress in the progress bar at the menu’s bottom.

By default, the Search For Rootkits button only searches critical Windows directories on the root drive.

When no rootkits are found, AVG presents a congratulations window.

When rootkits are found, AVG displays those that are found (with information on the rootkit path and type). Users can then highlight the rootkit items in question and click the Remove Selected Items button to eliminate the offending files from their Windows systems.

With the In-Depth Search, however, AVG Anti-Rootkit searches for stealth rootkit files on all the hard drives and partitions within a system.

Just as with the simple rootkit search, the AVG Anti-Rootkit Free application tracks its progress as it works. Should users wish, they can terminate the search using the provided Stop button.

These are all the options a user can select when working with AVG’s free anti-rootkit program. By purposefully keeping the application easy to use, AVG engineers have created a free malware detection utility that’s the Right Tool for regular (personal) users seeking to check their systems for unwanted stealth software.

Download your copy here

Do NOT rely upon just this Rootkit finder, use a few others too as they all vary in their search definitions and criteria.

You can find a comprehensive list at AntiRootkit.com

I recommend the use of IceSword and Rootkit Unhooker, but there are many free to use rootkit finders listed. Check the column on the right to ensure it is Free and do NOT use the Beta versions.

Related Post:
Panda Anti-Rootkit Free

Click to join FreePCSecurity

© Free PC Security 2007 – 2008

Technorati Tags: Rootkits, Technology, Anti-Rootkit, Free Tools, Free PC Security, IceSword, RootKit-Unhooker, Security

What is a rootkit?

A rootkit is not an exploit — it’s the code or program an attacker leaves behind after a successful exploit. The rootkit then allows the hacker to hide his or her activity on a computer, and it permits access to the computer in the future. To accomplish its goal, a rootkit will modify the execution flow of the operating system or manipulate the data set that the operating system relies on.

Windows operating systems support programs or processes running in two different modes: user mode and kernel mode. Traditional Windows rootkits such as SubSeven and NetBus operate in user mode.

Also known as backdoors or Trojans, user-mode rootkits run as a separate application or within an existing application. They have the same level of system privileges as any other application running on the compromised machine. Since these rootkits operate in user mode, applications such as antivirus scanners can detect the rootkit’s existence if they have a signature file.

A kernel-mode rootkit is remarkably different — and much more powerful and elusive. Kernel-mode rootkits have total control over the operating system and can corrupt the entire system.

By design, kernel-mode rootkits control the operating system’s Application Program Interface (API). The rootkit sits between the operating system and the user programs, choosing what those programs can see and do.

In addition, it uses this position to hide itself from detection. If an application such as an antivirus scanner tries to list the contents of a directory containing the rootkit’s files, the rootkit will suppress the filename from the list. It can also hide or control any process on the rooted system.

Rootkit detection

Methods to detect rootkits fall into two categories: Signature-based and heuristic/behavior-based detection.

Signature-based detection: As its name implies, this method scans the file system for a sequence of bytes that comprise a “fingerprint” that’s unique to a particular rootkit. However, the rootkit’s tendency to hide files by interrupting the execution path of the detection software can limit the success of signature-based detection.

Heuristic/behavioral-based detection: This method works by identifying deviations in normal operating system patterns or behaviors. For example, this method could detect a rootkit by determining that a system with 200-GB hard drive that reports 160 GB of files has only 15 GB of free space available.

Rootkits are hard to detect. But there are programs – including a free one from Panda which I have covered in another post.

Related Post:
Panda Anti-Rootkit – Free

Click to join FreePCSecurity

© Free PC Security 2007 – 2008