Showing posts with label Removal.

Saturday, September 29, 2012

Which Anti-Virus software should you use?

    Many people run anti-virus software, but is it the best one? I usually don't recommend buying an anti-virus/firewall bundle, because one company tends to make the better firewall while another makes the better anti-virus. In this post I will tell you which anti-virus and firewall software I recommend, and which to avoid.

    Let's start with free options. There are quite a few free anti-virus options out there, but most only work for a limited time or have limited functionality. If you really don't want to spend money on this, I recommend Malwarebytes Anti-Malware. I have used it, and so have many of my friends and family, and it works well. Note that the free version is an on-demand scanner, not a firewall and not real-time protection, so it is best as a short-term solution while you figure out what software to purchase. The ones I recommend you avoid are Avast and AVG, both free and premium versions; in my experience they are not taken seriously by the people who write and spread malware. This is nothing personal, they are just not that great. A good free firewall is Comodo. Combining Malwarebytes with Comodo is a fairly decent free security setup. Now on to a great paid solution.


    My favorite and, I think, best anti-virus is ESET's NOD32. It is one of the most frequently updated anti-virus engines out there (NOD32 is an anti-virus, not a firewall). This is the anti-virus I use, and have for a while. I recommend that you stay away from Norton products: source code for some older Norton products has been leaked to the public, which may make it easier for malware authors to study the product and work around its detection. For a firewall I recommend Kaspersky. It is one of the more "feared" firewalls among hackers and malware authors. These two together should be enough to stop most attempted attacks. Always remember, though, that even the NSA gets hacked, so if you are not careful you can be another victim of a still-unknown zero day. Be sure to stay safe online.



Which Anti-Virus and/or Firewall software do you prefer and why?



Sunday, September 23, 2012

ZeroAccess: How to remove the latest version

   In my previous two posts I highlighted the changes in the newer version of ZeroAccess, how to tell if you are infected, and who is most at risk. This post covers how to get rid of the infection and which tools to use to protect against it.

    The easiest way is to download one of the many anti-virus programs or removal tools. I always recommend ESET, as it has always gotten the job done for me and my family. ESET has made a tool specifically to remove the ZeroAccess bot; it is easy to use and completely free.

  1. Download the tool here
  2. Start the tool by double-clicking it. Run it from an administrator account, since it needs to restore system services and repair system files.
  3. Press "Y" when it asks whether you want to restore system services.
  4. Once the tool has finished, restart your computer by pressing any key.
  5. You may be prompted with a security (User Account Control) window after restarting; click Yes or Allow.
  6. Click "Yes" in the repair window.
  7. Once the repair is finished, you will be prompted to restart again; do so.
  8. For best results, and to make sure nothing was left behind, run a full scan with an up-to-date anti-virus product; I recommend purchasing ESET Smart Security or ESET NOD32 for this.
    As you can see, it is fairly simple to remove this infection. If you have any trouble, comments, or questions, let me know in the comments section. (Don't be embarrassed; I have to approve comments, so if you think it is a stupid question, just ask that I not post the comment and I will contact you directly.)

    The main way this bot spreads is through exploits, most of which target vulnerabilities that are already patched in the latest versions of the software they go after, so make sure you apply updates regularly and don't visit shady sites. I know it may be hard to refrain from pirating things like games, so if you do download "cracks", only take ones with many downloads, read the comments, and skip anything reported as infected or not working correctly. Also remember that I do not condone piracy or any form of illegal download.


Saturday, September 22, 2012

ZeroAccess: 9 million infected, are you one of them?

    As I mentioned in my previous post, ZeroAccess is still around and is adapting. Over 9 million PCs are now infected with this bot, most of them in the USA or Western Europe. 33% of super nodes are located in Germany, with the US a close second at 32%. A super node is an infected machine that is not behind NAT or a firewall, so other bots (peers) can connect to it directly. This post is mainly about how to tell if you are infected and who is most at risk of infection.

    ZeroAccess uses multiple install locations, so you should check all of them. The main component is dropped in two places, one under your AppData folder and the other under Windows\Installer; if one copy is deleted, the other keeps working on its own. The two locations are shown in figure 1.1.
Figure 1.1: the two ZeroAccess install locations (image from SophosLabs, not reproduced here)
    Both folders contain a DLL named "n" (the main component), which is loaded at startup by hijacking a COM object registration in the registry. They also contain a file named "@", a list of predetermined peers the bot connects to for updates, commands, and so on, and two sub-directories named "U" and "L" that hold plugins and temporary files.


Also, on Windows Vista or later, ZeroAccess will try to patch services.exe. Fortunately it is easy to restore by running the following command from an elevated (Run as administrator) command prompt:
sfc.exe /scanfile=c:\windows\system32\services.exe
Check for these signs to see if you are infected. If you have been browsing the web without applying recent updates to Internet Explorer, Adobe Flash, or Java, scan and fix, then apply all updates.
My next post will explain in detail how to remove and protect from this virus.

Credits:
SophosLabs



Monday, September 10, 2012

PlugX or Korplug

     Some of you may have heard about a campaign using Poison Ivy to target users in Japan, China, and Taiwan. The same group is now developing a new RAT (Remote Access Trojan) called PlugX or Korplug. They seem to be distributing both side by side and are using some of the same servers to control both. This Trojan is detected as "Backdoor.Win32.Plugx". It is being delivered as attachments to spam mail (examples provided here), and some variants may be signed with stolen certificates.

    How to remove:
    Most anti-virus programs (such as Norton and NOD32) detect and remove this Trojan, so running a scan with one of them should get rid of the problem. It is also possible to remove it manually by following these steps (provided by 2-spyware). Back up the registry first and work from an administrator account; the files may be in use, so stop the service registered under the SxS key (or reboot into Safe Mode) before deleting them.


  1. Delete registry keys: 
    1. HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FAST
    2. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SXS
    3. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SxS
  2. Delete files: 
    1. %UserProfile%\SxS\bug.log 
    2. %UserProfile%\SxS\rc.exe 
    3. %UserProfile%\SxS\rc.hlp 
    4. %UserProfile%\SxS\rcdll.dll
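As an added example for both this post and the ZeroAccess post above (it is not the blog author's tool, and not ESET's or 2-spyware's): a small Python triage script that checks a machine for the artefacts both posts describe before you start deleting anything. It assumes the two ZeroAccess roots are %APPDATA% and %SystemRoot%\Installer and does not rely on the drop folder's name; the registry check uses the standard winreg module and reports None on systems without a registry or where the key cannot be opened. It only reports findings; removal is left to the steps above.

```python
"""Offline triage check for the ZeroAccess and PlugX artefacts described in
these posts. Added example for this page, not the blog author's tool and not
ESET's or 2-spyware's; the root locations and %SystemRoot% default are assumptions."""
import os
import sys
from pathlib import Path

# ZeroAccess drop folder (from the ZeroAccess post): a DLL "n", a peer list "@",
# and two sub-directories "U" and "L". The folder sits one level below
# %APPDATA% and %SystemRoot%\Installer; its own name is not relied on here.
ZEROACCESS_FILES = {"n", "@"}
ZEROACCESS_DIRS = {"U", "L"}

# PlugX artefacts (from the PlugX post): files under %UserProfile%\SxS and
# three HKLM registry keys.
PLUGX_FILES = ("bug.log", "rc.exe", "rc.hlp", "rcdll.dll")
PLUGX_REG_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FAST",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SXS",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SxS",
)


def zeroaccess_roots():
    """The two parent locations named in the post, taken from the environment."""
    roots = []
    if os.environ.get("APPDATA"):
        roots.append(Path(os.environ["APPDATA"]))
    # Assumption: %SystemRoot% is the Windows directory; default to C:\Windows.
    roots.append(Path(os.environ.get("SystemRoot", r"C:\Windows")) / "Installer")
    return roots


def find_zeroaccess_folders(roots):
    """Return sub-folders (one level below each root) whose contents match
    the full layout. Requiring the whole set avoids acting on a lone "n"."""
    hits = []
    for root in roots:
        root = Path(root)
        if not root.is_dir():
            continue
        for sub in root.iterdir():
            try:
                if not sub.is_dir():
                    continue
                entries = list(sub.iterdir())
                files = {p.name for p in entries if p.is_file()}
                dirs = {p.name for p in entries if p.is_dir()}
            except OSError:  # locked or permission-denied entries are skipped
                continue
            if ZEROACCESS_FILES <= files and ZEROACCESS_DIRS <= dirs:
                hits.append(sub)
    return sorted(hits)


def find_plugx_files(user_profile):
    """Return the PlugX files that exist under <user_profile>\\SxS."""
    sxs = Path(user_profile) / "SxS"
    return [sxs / name for name in PLUGX_FILES if (sxs / name).is_file()]


def registry_key_exists(key_path):
    """True/False if the HKLM key exists; None where there is no registry
    (non-Windows) or the key cannot be opened (e.g. access denied)."""
    try:
        import winreg
    except ImportError:
        return None
    hive, _, subkey = key_path.partition("\\")
    if hive != "HKEY_LOCAL_MACHINE":
        raise ValueError("only HKLM paths are supported: " + key_path)
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey):
            return True
    except FileNotFoundError:
        return False
    except OSError:
        return None


def triage(roots=None, user_profile=None):
    """Collect every finding in one dict so a caller can inspect it."""
    roots = zeroaccess_roots() if roots is None else roots
    profile = user_profile or os.environ.get("USERPROFILE") or str(Path.home())
    return {
        "zeroaccess_folders": find_zeroaccess_folders(roots),
        "plugx_files": find_plugx_files(profile),
        "plugx_registry": {k: registry_key_exists(k) for k in PLUGX_REG_KEYS},
    }


if __name__ == "__main__":
    result = triage()
    for name, value in result.items():
        print(name, value)
    sys.exit(1 if result["zeroaccess_folders"] or result["plugx_files"] else 0)
```

Run it as an administrator so the Installer folder and the HKLM keys are readable; a non-zero exit status means a ZeroAccess drop folder or PlugX file was found, and the registry result tells you which of the three keys from the list above are present before you open regedit.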

Sorry for this short post, more information on this threat will be posted later. Be sure to check the sources for more information and continued reading.


Remember to comment with a topic for my next post.



Sources:
TrendMicro
Symantec

Thursday, May 31, 2012

ZeroAccess Part 3: How to stop it.

If you have read Part 1 and Part 2, you should have a pretty good idea of what ZeroAccess is and how dangerous it is. In this post I will go through several removal methods I found while searching the web.

  1. Tools
    1. cleanpcguide.com has a removal tool that you can download here
    2. Use ESET's removal tool, downloaded here
    3. Use McAfee's RootkitRemover, available here
  2. Manual removal (as provided by http://www.cleanpcguide.com/remove-zeroaccess-removal-guide-how-to-remove-zeroaccess/ ). Note that ZeroAccess is a rootkit and can hide its process and files from Task Manager and Explorer, so these steps are best effort; if you see nothing suspicious, use one of the tools above rather than assuming you are clean.
    1. Stop the ZeroAccess process using Windows Task Manager. (It will most likely have a random name; if you see a process you do not recognise, right-click it and choose "Open File Location" to find its files, which you will need in step 4, then end it.)
    2. Uninstall the ZeroAccess program from Windows Control Panel Add/Remove Programs. (Control Panel --> Programs --> Uninstall a program, then look for anything that looks fishy or that you do not remember installing.)
    3. Open the Windows registry with regedit.exe, then find and remove all ZeroAccess registry entries. (They will usually be under the HKLM or HKCU Run keys, i.e. the startup entries.)
    4. Search for the ZeroAccess files on your computer and delete them. (The files found in step 1.)

If none of these work, the Malwarebytes community is very helpful. You can ask for help here.


Tell me what you thought of this three part series, and remember to comment what I should blog about next.