Removing Malware


As you now know, installing anti-spyware software and keeping it properly updated is the best way to keep your computer free of malware threats. However, there still may be times when you need to explore other tools to eliminate a specific malware threat, or you may just want to scan for malware with more than one tool, just to be on the safe side. In this section, you learn more about using third-party malware removal tools, and how to deal with more advanced malware threats like the CoolWebSearch browser hijacker.

Using Spyware Removal Tools

As a general rule, never install and run more than one anti-virus program on your computer at the same time, lest the programs interfere with one another and leave your computer at risk. The same is generally true with anti-spyware programs, but as long as you're not trying to run two or more programs that offer real-time protection simultaneously, there's nothing wrong with installing multiple tools. In fact, you may just find that one tool detects (or can remove) a threat that another program had trouble with.

If you've already invested in one anti-spyware tool, there's no need to run out and purchase a second. Instead, consider downloading one of the many free spyware detection and removal tools from the Internet. The same vendors that produce the popular commercial tools typically make free versions of their programs available for download on their web sites. So, you might opt to run Microsoft AntiSpyware as your primary anti-spyware tool, and then periodically run scans with a tool like Ad-Aware SE Personal for the sake of completeness.

If your computer is already infected by malware, you may have a tough time installing an anti-spyware tool in the first place. Many of the advanced threats are programmed to block popular anti-spyware tools from installing, so you may have to try two or three different programs before you find one that installs. To increase your chances of success on an infected system, attempt the installation from Windows Vista Safe Mode. (Safe Mode is a special Vista mode in which only a limited set of drivers and services are loaded, so malware that starts automatically is less likely to be running. You can boot into it by pressing F8 when your computer first starts and then choosing Safe Mode from the Advanced Boot Options menu.)

Caution 

A wide variety of different tools exist for the purpose of removing malware threats, but don't assume that every scanning program is as legitimate as it looks or claims to be. Many of the supposed scanning tools that exist are of dubious origin, and some even produce false positive results as a way to entice you into purchasing the full version of the program. Before you purchase any anti-spyware program, check the "Rogue/Suspect Anti-Spyware Products and Web Sites" list online at http://www.spywarewarrior.com/rogue_anti-spyware.htm.

Follow these steps to complete a malware scan with Ad-Aware SE Personal:

  1. Open Internet Explorer from the Start menu, or open your preferred web browser. Browse to http://www.lavasoftusa.com/software/adaware/ and click the Download Ad-Aware Here link. Choose a download link, and save the installation file to a suitable folder.

  2. Double-click the Ad-Aware SE installation file to begin the installation process.

  3. When the User Account Control dialog box appears, click Allow.

  4. On the Ad-Aware SE Personal Welcome screen, click Next.

  5. On the License Agreement screen, check I Accept The License Agreement and click Next.

  6. On the Destination Location screen, click Next.

  7. On the Install To All Users menu screen, click Next.

  8. On the Start Installation screen, click Next. When the process is complete, click Finish to update the program's definition files and begin a full system scan, as shown in Figure 10-8.

    Figure 10-8: Scanning for malware with Ad-Aware SE Personal.

  9. Once the scanning process is complete, click Next. On the Scanning Result screen, click the plus sign next to each target family detected to display the TAC (Threat Assessment Chart) rating for each group of objects, as shown in Figure 10-9. Objects with a higher TAC rating are considered more dangerous. TAC ratings range from 1 (low risk) to 10 (extremely dangerous).

    Figure 10-9: Viewing detailed scan results.

  10. Check the check boxes next to the items that you want Ad-Aware SE Personal to place into quarantine, and then click Next. When the confirmation window appears, click OK.

Note 

It's possible that you may run a scan with Ad-Aware SE Personal and then accidentally remove and quarantine legitimate items. You can always review quarantined items by clicking the Open Quarantine List link on the Status screen, and then selecting the option to restore items that you removed by accident. Additionally, you can opt to delete quarantined items so that they are unrecoverable.

Eliminating Browser Hijacks

Although most anti-spyware tools can detect and remove almost all malware threats, a number of programs still have difficulty with some of the more programmatically complex pests, such as the CoolWebSearch browser hijacker. If your computer is infected with CoolWebSearch, your best bet is to try removing it with whichever anti-spyware tool you have installed first. If your anti-spyware program doesn't get the job done, your next step should be to try a dedicated removal tool like Trend Micro's CWShredder.

CWShredder is a free tool designed to detect and remove only one specific threat, namely CoolWebSearch. However, a number of CoolWebSearch variants exist, and new ones are appearing all the time. CWShredder is updated regularly to deal with new variants as they're discovered, and truly represents your best chance of completely removing a CoolWebSearch infection once and for all.

Follow these steps to scan for and remove CoolWebSearch variants with CWShredder:

  1. Open Internet Explorer from the Start menu, or open your preferred web browser. Browse to http://www.trendmicro.com/cwshredder, and then click the Remove CoolWebSearch link. Save the cwshredder.exe file to an appropriate folder.

  2. Double-click cwshredder.exe. When the Security Warning screen appears, click Run.

  3. On the License Agreement screen, select I Agree.

  4. When the main program window appears, click Fix to complete a scan for CoolWebSearch variants, as shown in Figure 10-10. If you choose Scan Only instead, CWShredder does not remove CoolWebSearch if it is found, but alerts you about any variants that are installed on your system.

    Figure 10-10: CWShredder is the premier tool for removing the CoolWebSearch browser hijacker and its numerous variants.

  5. When the scanning process is complete, scroll through the result to determine whether any CoolWebSearch variants were found (as shown in Figure 10-11), and whether they were fixed.

    Figure 10-11: Results of a CWShredder scan.

CoolWebSearch may be the worst of a bad lot on the malware front, but it's certainly not the only malware threat that you may have trouble removing from your Windows Vista system. Malware is constantly evolving, and although most of the popular anti-spyware tools are up to the task of detecting and defeating all of the latest threats, newer variants may sometimes slip through the cracks and remain undetected.

All the Dirty Details

The world of malware is a shady place, and the Internet is loaded with hundreds of malware-related web sites. Some are shrill sites hawking useless products that purport to detect and remove malware when in fact they do nothing useful at all. Others are lined with incorrect or misleading information in an attempt to trick you into a purchase, or worse, an infection. Thankfully, a number of excellent resources exist for the purpose of researching malware threats and getting help in cases where you find your PC infected.

Some of the best spyware-related resources on the web include:

  • SpywareInfo (http://www.spywareinfo.com)

  • CastleCops (http://www.castlecops.com)

  • Microsoft AntiSpyware Home Page (http://www.microsoft.com/athome/security/spyware/software/default.mspx)

  • SpywareWarrior (http://www.spywarewarrior.com)

  • CA Spyware Encyclopedia (http://www.3.ca.com/securityadvisor/pest/search.aspx)

  • PC Magazine Antispyware Product Guides and Reviews (http://www.pcmag.com/category2/0,1738,1639157,00.asp)


If you believe that your system is infected even after completing scans with multiple anti-spyware tools, your best bet probably lies in a tool like HijackThis (available from http://www.spywareinfo.com/~merijn/downloads.html). This tool scans for and detects all sorts of browser hijackers and browser-related malware issues. Effectively, HijackThis scans your system and creates a log of all browser-related settings (including BHOs) installed on your computer. The log includes details like changed settings, suspect Registry entries, and the like. Ultimately, HijackThis is a tool for advanced users, but if you use it to scan your system, you can post the log file it generates to web sites like the support forums at SpywareInfo or CastleCops, and a forum user experienced with the tool should be able to help you determine whether a new malware threat or browser hijacker variant is present on your system.
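The kind of inventory a HijackThis log gives you can also be gathered by hand. The following PowerShell script is an added example, not code from the book and not part of HijackThis: it reads (and never changes) the registry locations where Browser Helper Objects, Internet Explorer start and search pages, and autostart entries are registered, plus the non-comment lines of the hosts file, and writes them to a text file you can review or post to a support forum. The log file name and the "BHO:", "IE:", "Run:" and "Hosts:" line prefixes are this script's own conventions, not the HijackThis log format.

```powershell
# Added example (not from the book, not HijackThis): read-only collection of
# browser-related settings into a text log for review.
# Assumption: the log is written to the current user's profile folder.
$LogPath = Join-Path $env:USERPROFILE 'browser-settings-log.txt'
$lines = @("Browser settings log - $(Get-Date -Format s) - $env:COMPUTERNAME")

# Read one registry value, returning $null instead of an error when the key
# or the value does not exist.
function Get-RegValue([string]$Path, [string]$Name) {
    $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name }
    return $null
}

# 1. Browser Helper Objects. Each subkey name is a CLSID; the DLL implementing
#    it is the default value of ...\Classes\CLSID\{clsid}\InprocServer32.
#    On 64-bit Windows, 32-bit BHOs are registered under Wow6432Node as well.
$lines += '--- Browser Helper Objects ---'
$bhoKeys = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
       Classes = 'HKLM:\SOFTWARE\Classes\CLSID' },
    @{ Key = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
       Classes = 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID' }
)
foreach ($entry in $bhoKeys) {
    if (-not (Test-Path $entry.Key)) { continue }
    foreach ($sub in Get-ChildItem -Path $entry.Key) {
        $clsid = $sub.PSChildName
        $name  = Get-RegValue "$($entry.Classes)\$clsid" '(default)'
        $dll   = Get-RegValue "$($entry.Classes)\$clsid\InprocServer32" '(default)'
        # A BHO registered without a DLL on disk is worth a closer look; the
        # script only notes it, it never deletes anything.
        $flag = ''
        if (-not $dll) {
            $flag = ' [NO InprocServer32 PATH]'
        } elseif (-not (Test-Path ([Environment]::ExpandEnvironmentVariables($dll)))) {
            $flag = ' [DLL NOT FOUND]'
        }
        $lines += "BHO: $name - $clsid - $dll$flag"
    }
}

# 2. Internet Explorer start/search pages, the values hijackers typically alter.
$lines += '--- Internet Explorer pages ---'
foreach ($hive in 'HKCU', 'HKLM') {
    $main = "${hive}:\Software\Microsoft\Internet Explorer\Main"
    foreach ($valueName in 'Start Page', 'Search Page', 'Default_Page_URL', 'Local Page') {
        $v = Get-RegValue $main $valueName
        if ($v) { $lines += "IE: $hive Main\$valueName = $v" }
    }
}

# 3. Autostart entries in the per-user and per-machine Run keys.
$lines += '--- Autostart (Run keys) ---'
$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
foreach ($hive in 'HKCU', 'HKLM') {
    $runKey = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
    $item = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($null -eq $item) { continue }
    foreach ($p in $item.PSObject.Properties) {
        if ($providerProps -notcontains $p.Name) {
            $lines += "Run: $hive $($p.Name) = $($p.Value)"
        }
    }
}

# 4. Active hosts-file lines. Entries that point well-known sites (for example
#    a security vendor's update server) at another address are a classic
#    hijacker symptom and should be reviewed.
$lines += '--- hosts file entries (non-comment) ---'
$hostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
if (Test-Path $hostsFile) {
    foreach ($line in Get-Content -Path $hostsFile) {
        if ($line -match '^\s*[0-9A-Fa-f:.]+\s+\S' -and $line -notmatch '^\s*#') {
            $lines += "Hosts: $line"
        }
    }
}

$lines | Set-Content -Path $LogPath -Encoding UTF8
Write-Host "Wrote $($lines.Count) lines to $LogPath"
```

Run the script from an elevated PowerShell prompt so that the HKLM keys are readable, then open the log in Notepad. Nothing in it is removed automatically: as with a HijackThis log, the value of the output is in comparing each BHO, start page and Run entry against what you recognise, and asking an experienced forum user about anything you don't.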



PC Magazine Windows Vista Security Solutions
ISBN: 0470046562
Year: 2004
Pages: 135
Authors: Dan DiNicolo
