Spyware/AdWare/Malware FAQ

Last updated 10/10/05 - Creative Commons License by Christian Wagner - cwagner@io.com

Site News

6/13/08: This FAQ was last updated about two and a half years ago, and while much of the material is still accurate, it should probably not be used as a reference anymore. It is being kept online for historical reasons.

Thanks to all you folks on the forums where this FAQ was born.

What is "malware"?

These days, the term "malware" refers to a large variety of software which all has one thing in common: it is unwanted software which someone else wants to run on your computer. This software "infects" your computer, making it behave in a way which you do not approve of. Malware can include:

There used to be many important differences between these groups, but these days they all use the same infection methods. It is no longer useful to make a distinction between them.

You can find further reading on the various kinds of malware at Doxdesk and at Kaspersky Labs.

Removing malware from a computer can be very difficult, even for experts. It is highly recommended that you take the time to prevent being infected in the first place, instead of trying to pick up the pieces afterwards.


Am I at risk?

If you are using a PC running Windows, then you are at risk. (Macintosh computers and PCs running a non-Windows operating system do not have malware problems, primarily because their market share is low enough that it's not worth the effort to write malware for them.)

Exactly how at risk you are depends on two things: how secure your PC is, and your browsing habits. Please let your business or school's computer management people handle securing any work or school computers, and only worry about securing your own personal computer. But you should watch your browsing habits, no matter who is responsible for securing your PC.


How do I secure my PC?

There are three major steps to securing your PC.

Keep your software up-to-date

A major source of malware infections is outdated software, especially Windows itself. Malware can install itself on your PC by taking advantage of bugs in your operating system, browser, or other software. These bugs are typically fixed as soon as possible, but your software must be updated to take advantage of these fixes.

Windows has a built-in system for automatically updating itself, called "Windows Update". Windows XP also supports a newer, more comprehensive version called "Microsoft Update", which you can upgrade to when you run Windows Update. You should not only have Automatic Updates turned on, but you should go to Windows Update at least once a week to make sure that everything is working as it should.

When Windows pops up a message in the System Tray (down near the clock in the Task Bar) that says "updates are ready to be installed", do not ignore that message. It is not uncommon for people to ignore that message for months, and then wonder why their system got infected.

It is recommended that, if you have a computer capable of running it, you upgrade to Windows XP with at least Service Pack 2. Windows XP with SP2 is more secure and better-supported than any previous Windows version. Future updates to Windows XP should continue this trend.

Individual non-Microsoft pieces of software may or may not automatically keep themselves up-to-date. Some software will pop up a warning, suggesting that you download and install the new version. Others will not. It is very important to keep your web browsers, email software, java runtimes (if installed), and instant messengers up to date. Bugs in any of these pieces of software can let malware install itself on your PC. You should make a habit of checking for new versions of any software you use regularly.

Use a firewall

A "firewall" is a piece of software or hardware that sits between your computer and the Internet, protecting your computer from attacks. You should never connect a computer to the internet without a firewall of some sort.

A hardware firewall is preferred. The inexpensive "routers" that many companies sell make fine firewalls. This includes the routers (wired and wireless) from companies like Linksys or D-Link, and the Apple Airport base stations (which work fine with PCs).

These routers shield all of the PCs that connect to them from incoming attacks from the Internet. They do not protect you from malware that you get from having bad browsing habits.

A software firewall, like the one built into Windows XP, is not as good as a hardware firewall. But it is much better than nothing, and will probably be adequate as long as you follow the first step and make sure your PC remains as up-to-date as possible.

WARNING: The built-in Windows XP firewall is turned on by default in Windows XP Service Pack 2. It is not turned on by default in previous versions of Windows XP, and versions of Windows that pre-date Windows XP do not have a built-in firewall at all. If you connect a Windows PC to the internet without a firewall (hardware or software), and the system is out of date, the computer is in very serious danger of becoming infected by something malicious within an hour or less.

This means that if you are re-installing Windows, or are setting up a new PC, do not connect it to the internet until you are sure that a firewall is in place. If you do not know what version of Windows XP you have on your PC, or do not know if the firewall is turned on, keep it disconnected until you are sure. This is one thing that makes a hardware firewall superior to a software one; you know that it is on at all times, regardless of the state of your PC.

Use anti-virus software

There is no such thing as a perfect piece of anti-virus software. All anti-virus software relies on detecting malware once it has already arrived on your PC, and preventing it from running. It is much better to not let that malware onto your PC in the first place.

However, having some sort of anti-virus software running on your PC at all times is yet another level of security, and the more security the better. Some anti-virus software also comes with a software firewall (such as "Norton Internet Security").

Anti-virus software must be updated regularly in order to be effective. Most anti-virus software will automatically get its updates from the Internet.

These three steps to securing your PC are automatically monitored by Windows XP Service Pack 2 with the "Security Center" tool. This tool can be found in the Windows Control Panel; it will also pop up with a warning if it finds that any of these steps have not been performed. Please take these warnings seriously. You can find more details about the Windows XP Security center here.
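The XP Security Center described above no longer exists in that form, so here is an added example (not part of the original FAQ) that reports the same three items on a current Windows 10/11 workstation: update freshness, firewall state per profile, and registered anti-virus. It assumes PowerShell 5.1 or later, an elevated prompt, a workstation SKU (the root/SecurityCenter2 namespace is absent on Windows Server), and the commonly used, undocumented decoding of the productState bitfield.

```powershell
# Added example: check the FAQ's three steps (updates, firewall, anti-virus) on
# Windows 10/11. Assumes PowerShell 5.1+, an elevated prompt, a workstation SKU.

function Get-UpdateStatus {
    # The FAQ asks for a weekly check; flag the machine if the newest hotfix is
    # older than 30 days or the Windows Update service has been disabled.
    $svc    = Get-Service -Name wuauserv
    $latest = Get-HotFix | Where-Object InstalledOn |
              Sort-Object InstalledOn -Descending | Select-Object -First 1
    $age    = if ($latest) { (New-TimeSpan -Start $latest.InstalledOn -End (Get-Date)).Days } else { $null }
    [pscustomobject]@{
        Check  = 'Updates'
        Ok     = ($svc.StartType -ne 'Disabled') -and ($null -ne $age) -and ($age -le 30)
        Detail = "wuauserv=$($svc.StartType); last hotfix installed $age day(s) ago"
    }
}

function Get-FirewallStatus {
    # Every profile (Domain, Private, Public) should be on, so a laptop stays
    # covered whichever network it joins.
    $off = Get-NetFirewallProfile | Where-Object { -not $_.Enabled } | ForEach-Object Name
    [pscustomobject]@{
        Check  = 'Firewall'
        Ok     = ($off.Count -eq 0)
        Detail = if ($off) { "disabled profiles: $($off -join ', ')" } else { 'all profiles enabled' }
    }
}

function Get-AntiVirusStatus {
    # productState is an undocumented bitfield (assumption, widely used decoding):
    # bit 0x1000 set = real-time protection on; bit 0x10 set = signatures out of date.
    $products = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct
    $rows = foreach ($p in $products) {
        [pscustomobject]@{
            Name    = $p.displayName
            Enabled = ($p.productState -band 0x1000) -ne 0
            Current = ($p.productState -band 0x10) -eq 0
        }
    }
    [pscustomobject]@{
        Check  = 'Anti-virus'
        Ok     = [bool]($rows | Where-Object { $_.Enabled -and $_.Current })
        Detail = if ($rows) { ($rows | ForEach-Object { "$($_.Name): enabled=$($_.Enabled) current=$($_.Current)" }) -join '; ' }
                 else { 'no anti-virus product registered' }
    }
}

# Run all three checks and show them side by side; Ok=False is what the
# Security Center warning used to tell you.
$(Get-UpdateStatus; Get-FirewallStatus; Get-AntiVirusStatus) | Format-Table -AutoSize
```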


What are good browsing habits?

Pay attention to what you download or run

One of the easiest ways to let your system get infected is to download or run something dangerous. Any time you are running new software on your PC, it could be installing something you don't want.

First, do not download or run software from unknown sources. This includes web links or programs sent to you in email or over instant messaging. Even people you trust may be sending you malware, if their own computer is infected; many viruses and worms use buddy lists and address books to send themselves to friends of the original victim. If you are downloading software, make sure that you are getting it from the original source or a trusted "mirror". Pirated software or "cracks" for commercial software are often dangerous malware in disguise. Software downloaded from pornographic websites (such as "movie viewers") is almost exclusively malware.

Second, do some basic research on any software that you would like to download and use. Many "free" software packages you can download come bundled with malware, especially adware. Software like Eudora has optional advertising built into the program itself, which is safe. That advertising is limited to within the program itself, and goes away if you uninstall it. But many other pieces of software will install advertising software which runs at all times, which causes pop-ups even when you are not using that software, and which does not go away when you uninstall the original software. File-sharing applications are notorious for "bundling" malware, but there are many free and safe alternatives.

In short, every time you run a new program on your computer, you are handing control over it to the person who wrote that software. If you do not consider that author trustworthy, do not run that software. Be paranoid and be informed.

Do not go to dangerous websites

There are certain classes of websites which are particularly dangerous.

  • Free or illicit pornography sites - sites with illegal adult content are run by the unscrupulous anyway, and many "free" adult sites are using stolen content to lure people there
  • Sites featuring pirated software, "cracks", or stolen serial numbers - again, these sites are run by the unscrupulous in the first place
  • And oddly, sites with song lyrics - these sites are easy to make show up in search engines, require very little bandwidth, and can steal all their content from other sites

If you must visit these sorts of sites, you must be exceedingly careful.

Use a secure browser

A continuing source of malware infections is the Internet Explorer browser. There are several reasons for this.

First, Internet Explorer is the most popular browser for Windows, because it's built in. This makes it a very popular target for attackers.

Second, Internet Explorer has a history of critical, dangerous security bugs. These bugs have often let websites install malware onto your PC just by browsing to them, and these bugs have sometimes taken up to a month to be fixed. Many computers out there are still running old, vulnerable versions of Internet Explorer.

And third, Internet Explorer has a feature which lets websites install software, which makes bugs relating to that feature extremely dangerous. It also means that user error can have dire consequences.

It is strongly recommended that users of Windows switch to an alternate browser, such as Firefox or Opera. These browsers also have security bugs found in them on a regular basis, but they are still more secure because these bugs are not as dangerous as the ones in Internet Explorer, and they are fixed considerably more quickly.

If you wish to continue using Internet Explorer, there are two important things to do. The first is to follow the first step in securing your PC: make sure that you always keep Windows and Internet Explorer up-to-date by using Windows Update. It is also important to keep alternative browsers up-to-date, but it is ten times more important with Internet Explorer.

The second is to understand what "ActiveX" is.


What is ActiveX?

"ActiveX" is the technology built into Internet Explorer which lets web sites ask to run small programs on your computer. This allows you to go to a website and have it request to automatically install a piece of software (like media plugins) so you don't have to go download it by hand.

The problem with ActiveX is that the programs that web sites can ask to run are the same kind of programs that you can download yourself. These programs (known as "ActiveX controls") can do anything a "real" program can. Every time you let Internet Explorer run an ActiveX control, you are handing control of your PC over to whoever wrote it.

Obviously, this feature is much abused by malware authors. In the past, there have been bugs in Internet Explorer which let websites install ActiveX controls without asking. In the future, there may be more, although Windows XP Service Pack 2 has made some major changes to make it harder for bugs like that to exist.

But even when ActiveX is working as designed, you should be careful. Saying "yes" to a single request to install the wrong ActiveX control can infect your PC. You should learn to recognize what the requests look like, and what they mean.

In versions of Internet Explorer before Windows XP Service Pack 2, ActiveX install requests looked like this:

[screenshot: the ActiveX install dialog shown by Internet Explorer before Windows XP Service Pack 2]

With Windows XP Service Pack 2, you see this notification bar at the top of Internet Explorer instead:

[screenshot: the Internet Explorer notification bar shown with Windows XP Service Pack 2]

If you click on the notification bar and tell it to download the control, you receive one more prompt:

[screenshot: the final install prompt for the Cult3D ActiveX control]

I chose Cult3D as an example because it sounds malicious, but is actually benign. You should treat all ActiveX controls as malicious, unless you know otherwise, because saying "yes" to one of these requests is exactly the same as downloading and installing a piece of software. Always research any ActiveX control you do not recognize, or simply refuse to install it. Be paranoid and be informed.
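Whether Internet Explorer prompts before downloading a control, as the screenshots above show, is governed by per-zone registry settings. The following added example (not from the original FAQ) audits the Internet zone for the ActiveX download and scripting actions and can reset them to a conservative baseline. It assumes the Internet Explorer zone registry layout (still present on Windows 10/11 and honored by Edge's IE mode), the action codes and values documented in Microsoft KB182569 (0 = Enabled, 1 = Prompt, 3 = Disabled), and that the settings are not overridden by Group Policy under the Policies hive.

```powershell
# Added example: audit and harden the Internet zone's ActiveX settings.
# Zone 3 = Internet. Values from KB182569 (assumption: not policy-managed).
$InternetZone = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Registry value name -> the setting it controls, and the safest value that
# still leaves the FAQ's "research it, or refuse it" prompt available.
$ActiveXActions = [ordered]@{
    '1001' = @{ Name = 'Download signed ActiveX controls';                      Baseline = 1 }
    '1004' = @{ Name = 'Download unsigned ActiveX controls';                    Baseline = 3 }
    '1201' = @{ Name = 'Initialize and script ActiveX controls not marked safe'; Baseline = 3 }
}
$StateName = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }

function Get-ActiveXZonePolicy {
    param([string]$ZonePath = $InternetZone)
    $zone = Get-ItemProperty -Path $ZonePath
    foreach ($code in $ActiveXActions.Keys) {
        $value = $zone.$code
        $state = if ($null -eq $value) { 'Not set (browser default)' }
                 elseif ($StateName.ContainsKey([int]$value)) { $StateName[[int]$value] }
                 else { "Unknown ($value)" }
        [pscustomobject]@{
            Code    = $code
            Setting = $ActiveXActions[$code].Name
            State   = $state
            # "Enabled" (0) means a site can deliver a control with no prompt at all,
            # which is exactly the silent install the FAQ warns about.
            Risky   = ($value -eq 0)
        }
    }
}

function Set-ActiveXZoneBaseline {
    # Writes the conservative values above; supports -WhatIf for a dry run.
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$ZonePath = $InternetZone)
    foreach ($code in $ActiveXActions.Keys) {
        $target = $ActiveXActions[$code].Baseline
        if ($PSCmdlet.ShouldProcess("$ZonePath\$code", "set to $($StateName[$target])")) {
            Set-ItemProperty -Path $ZonePath -Name $code -Value $target -Type DWord
        }
    }
}

Get-ActiveXZonePolicy | Format-Table -AutoSize
# To apply the baseline after reviewing the report:  Set-ActiveXZoneBaseline -WhatIf
```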


What happens if I do get infected?

It used to be that malware infections could almost always be cleaned up by various kinds of specialized anti-virus and anti-malware software. This is, sadly, no longer the case. Once upon a time, malware was written by amateurs and teenagers. But now, there are many very skilled programmers working on malware, because it is now a money-making business. Malware has become so insidious that it is often impossible to remove without expert or professional help.

This FAQ used to go into extensive details about malware removal using automated software. This is no longer useful content, since the automated tools are no longer as effective as they used to be. You should first attempt to remove an infection with automated tools, but you should also expect them to fail.

There are two classes of anti-malware software. The first is traditional anti-virus software, which is very good at handling viruses and worms, and not so great at handling newer styles of malware. The other kind of software is "anti-spyware" applications, which are good at the newer sort of malware but not so good at the old kind. When attempting to clean up an infected system, you should run at least one of each. If you were running anti-virus software when you became infected, then you should check and see if it was keeping itself up to date, or try running a different one.

Proven antivirus software companies include Symantec (aka Norton), McAfee, Panda Software, Trend Micro, F-Secure, Eset (makers of "NOD32"), and Kaspersky Labs. Many of these companies have free web-based scanners (ironically based on ActiveX) or downloadable try-out versions.

Anti-spyware software is a little more difficult. The various anti-virus companies have been in business a long time, while anti-spyware is a new kind of software that was born at the same time as the modern age of malware. Therefore, many of the "anti-spyware" software companies out there are either incompetent, or outright frauds. The canonical list of which anti-spyware applications are good and which are bad can be found at Eric Howes' Rogue/Suspect Anti-Spyware Products & Web Sites list, and I will not attempt to replicate his effort here.

Eric Howes, in his extensive testing of anti-malware applications, has discovered that malware is very quickly outgrowing the ability of automated software to clean it. The automated tools you try may not work, even if you try multiple ones. Therefore, you will probably end up having to get help.

Many local computer repair companies can clean up infected computers. You may know an expert who is willing to help you. Sometimes, the experts will tell you that the best or only way to take care of a really bad infection is to back up your personal data, clean out the computer completely, and start over from scratch. They are not lying. Attempting to clean up an infection by hand can be extremely time-consuming and is often unsuccessful, even for experts.

If you would like to try to get help online, the following forums may be helpful. Please read their rules before you post, in order to increase the chances of getting help.

Microsoft also offers a 24/7 phone support line for malware problems with Windows; call 1-866-PCSAFETY or 1-866-727-2338. Expect very long hold times, and expect to be called back by their higher-level support team if your problem cannot be solved by the first-tier support people.

Because removing a malware infection can be so difficult and so time-consuming, it is much more efficient to spend the time and effort to not get infected in the first place. When you do manage to get your system cleaned up, be sure to figure out what was wrong with your PC's security or your browsing habits and change them, so you don't have to go through the process again.


Where can I read more about malware?


Can I use this FAQ?

Creative Commons License
This work is licensed under a Creative Commons Attribution 2.5 License.