"So How Did I Get Infected In the First Place?"


(Updated from the original article by Tony Klein. See Note*)
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

You usually get infected because your security settings are too low.

Here are a number of recommendations that will help tighten them, and which will contribute to making you a less likely victim:

Safe Computing Practices

1. Keep your Windows updated!

It is important always to keep current with the latest security fixes from Microsoft. This can patch many of the security holes through which attackers can infect your computer. Either enable Automatic Updates or get into the habit of checking for Windows updates regularly.

Operating Systems

  • Windows XP: Go to Start > Windows Update
  • Windows Vista: Go to Start > Control Panel > Security > Windows Update
  • Windows 7: Go to Start > All Control Panel Items > Security > Windows Update
  • Windows 8: Open the Search charm, enter "Turn automatic updating on or off", and tap or click Settings to find it.
  • Windows RT: Automatic updating is always on.

Alternatively, navigate to http://windowsupdate.microsoft.com, and install ALL Critical security updates listed (you will need to use Internet Explorer to do this).

Service Packs

Service packs are the means by which product updates are distributed and may contain updates for system reliability, program compatibility, security, and more. Unless you suspect your computer is infected with malware, the latest service packs can be downloaded from Microsoft Support. Once you are sure you have a clean system, it is highly recommended to install the latest service pack to help prevent against future infections.

2. Update 3rd Party Software Programs

Third Party software programs have become targets for malware creators. To check if your system is missing security updates or has insecure applications installed, install the Secunia Personal Software Inspector (PSI) or visit the Secunia Online Software Inspector page (requires Oracle Java).

3. Use a Standard/Limited User Account

Although the Administrator account is needed when setting up the computer, day-to-day usage should be with a Standard User Account which has limited permissions. An Administrator account provides the highest level of access to your computer whereas using a Standard User Account makes it more difficult for the computer to be infected.

Using a Standard User Account for everyday activities applies even if you are the sole user of the computer. For additional information, see Using a Standard/Limited User Account.


4. Watch what you download!

  • Many "freeware" programs come with an enormous amount of bundled spyware that will slow down your system, spawn pop-up advertisements, or just plain crash your browser or even Windows itself. Watch for pre-checked options such as toolbars that are not essential to the operation of the installed software.
  • Peer-to-peer (P2P) programs like Kazaa, BearShare, Imesh, Warez P2P, and others are among the most notorious. P2P programs allow the creation of a network enabling people to connect with other users and upload or download material in a fast, efficient manner.
  • Note also that even if the P2P software you are using is "clean", a large percentage of the files served on the P2P network are likely to be infected. Do not open any files without being certain of what they are!

    Pre-scan downloaded files for viruses and malware at one of these multi-engine single file scan sites. Both use a dozen or more well-known anti-malware scanners in a quick, easy scan with a report of results from all.

    -- Virus Total (10mb limit): https://www.virustotal.com/en/
    -- Jotti's Malware Scan (15mb limit): Jotti's malware scan

5. Avoid questionable web sites!

  • Many disreputable sites will attempt to install malware on your system through "drive-by" exploits just by visiting the site in your browser. Lyrics sites, free software sites (especially ones that target young children), cracked software sites, and pornography sites are some of the worst offenders.
  • Most of these drive-by attempts will be thwarted if you keep your Windows updated and your internet browser secured (see below). Nevertheless, it is very important only to visit web sites that are trustworthy and reputable.
  • In addition, never give out personal information of any sort online or click "OK" to a pop-up unless it is signed by a reputable company and you know what it is!
  • For more general information see the first section, "Educate yourself and be smart about where you visit and what you click on", in this tutorial by Grinler of BleepingComputer.

Must-Have Software

*NOTE*: Please only run one anti-virus and one anti-spyware program (in resident mode) and one firewall on your system. Running more than one of these at a time can cause system crashes and/or conflicts with each other.

6. Antivirus

  • An Anti-Virus product is a necessity. There are many excellent programs that you can purchase. However, we choose to advocate the use of free programs whenever possible.

    The following antivirus software programs are free for personal use.
    -- avast! 5 Home Edition
    -- Avira AntiVir PersonalEdition Classic
    -- Microsoft Security Essentials (Windows Defender on Windows 8)
  • Please run only one antivirus resident at a time!
  • It is recommended to set your antivirus to receive automatic updates so you are always as fully protected as possible from the newest threats.

7. Internet Browser

Many malware infections install themselves by exploiting security holes in the Internet browser that you use.

Internet Explorer -- Windows 8.1 includes Internet Explorer 11. If your operating system is Windows 7, update to Internet Explorer 10. Windows Vista systems should be updated to Internet Explorer 9. For Windows XP, your system will be more secure if you update to Internet Explorer 8. (Note: If you do not want to change your search engine/start page, uncheck "I would also like Bing and MSN defaults".)

Mozilla Firefox -- In addition to updating to the most recent version, install NoScript and allow JavaScript, Java, Flash and other plugins to be executed only on trusted websites of your choice.

8. Firewall

  • It is critical that you use a firewall to protect your computer from hackers. The built-in Windows Vista, Windows 7 and Windows 8 firewall blocks both inbound and outbound traffic, but its settings are still written to the registry.

    Since most malware accesses the registry and can disable the Windows firewall, you may prefer to install a third party firewall. Following are a couple of the available firewall programs that are free for personal use.
    -- Online Armor Free
    -- Privatefirewall
  • Please only use one firewall at a time!

Other Cleaning / Protection Software

Of the programs listed below, passive protection like that provided by SpywareBlaster, WinPatrol and HOSTS file programs can be used effectively alongside active resident protection programs. For example, the free version of Malwarebytes' Anti-Malware is an on-demand scan-and-clean program that will not conflict with resident protection; Spybot is also on-demand but provides resident protection if the TeaTimer function is used.

Scan with only one program at a time, with a shutdown/restart between scans.

9. Consider installing SpywareBlaster by Javacool

  • This excellent program blocks installation of many known malicious ActiveX objects. Run the program, download the latest updates, "Enable All Protection" and you're done. Although it won't protect you from every form of spyware known to man, it is a very potent extra layer of protection.
  • Don't forget to check SpywareBlaster for updates every week or so.
  • See this helpful tutorial by Lawrence Abrams, Using SpywareBlaster to protect your computer from Spyware, Hijackers, and Malware.

10. HOSTS File Programs

  • MVPS HOSTS -- This little program packs a powerful punch as it blocks ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers. For information on how to download and install, please read this tutorial by WinHelp2002.
  • hpHosts -- hpHosts is a community managed and maintained hosts file that allows an additional layer of protection against access to ad, tracking and malicious websites. The inclusion policy can be found at hpHosts Online - Simple, Searchable & FREE!
  • See special instructions for Windows 8 by WinHelp2002 in Updating the HOSTS file in Windows 8.

11. Anti-Malware and Anti-Spyware Programs (Select one or two)


12. WinPatrol

  • The Host-based Intrusion Prevention System (HIPS) of WinPatrol takes a snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.
  • WinPatrol will allow you to lock your HOSTS file and will monitor changes.
  • WinPatrol is a powerful system monitor. Some of the features are described here (unofficial support site at WinPatrol Help & Information).

Happy safe computing!!

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

*Note: The original version of this article was written in 2005 by Tony Klein and has been reproduced or linked to in thousands of locations. Tony is well known in the security community for his many contributions, including the CLSID List and A Collection of Autostart Locations.

This document is an update of the original "So how did I get infected in the first place?" ©Tony Klein. With permission from Tony, I and others in the security community have continued updating this information to include current operating systems and software program information. It has come to my attention that updated copies of the article are no longer being maintained at many sites.

Revised: TonyKlein, Oct 30 2005, 05:00 AM
Reproduced and edited with permission of the author.

(Updated 15JUL2013)
(Updated 16JUL2013 to Add User Account Information)
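Section 3 above recommends working in a Standard User account; the replies further down note that under UAC an administrator account still runs with a filtered token most of the time. The following PowerShell script is an added example, not part of the original article or of any product it names: it reports whether the current account is a member of the local Administrators group (the well-known SID S-1-5-32-544 in the token), whether the current session is actually elevated, and who is in the Administrators group. It assumes Windows PowerShell 3.0 or later; Get-LocalGroupMember needs 5.1 (Windows 10), so the function falls back to the classic net.exe listing on older systems. The function names are this example's own.

```powershell
# Added example (not from the original article): is this session a standard
# user, an administrator, or an elevated administrator?

function Get-AccountPrivilegeReport {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)

    # IsInRole(Administrator) is true only when the Administrators SID is active
    # in the token, i.e. this process has been elevated through UAC.
    $isElevated = $principal.IsInRole(
        [System.Security.Principal.WindowsBuiltInRole]::Administrator)

    # A member of Administrators normally runs with a filtered token, so IsInRole
    # is false even though the account can elevate at any time. Look for the
    # well-known Administrators SID S-1-5-32-544 in the token's group list instead.
    $groupSids     = $identity.Groups | ForEach-Object { $_.Value }
    $isAdminMember = $groupSids -contains 'S-1-5-32-544'

    $advice = if ($isAdminMember) {
        'Account can elevate to full administrator; use a Standard User account for daily work.'
    } else {
        'Standard user: anything running in this session gets user-level rights only.'
    }

    [pscustomobject]@{
        User          = $identity.Name
        IsAdminMember = $isAdminMember
        IsElevated    = $isElevated
        Advice        = $advice
    }
}

function Get-LocalAdminMembers {
    # Get-LocalGroupMember ships with Windows PowerShell 5.1 (Windows 10); on
    # older systems fall back to parsing the net.exe listing.
    try {
        Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop |
            Select-Object -ExpandProperty Name
    } catch {
        net localgroup Administrators |
            Where-Object { $_ -and $_ -notmatch '^(Alias name|Comment|Members|-{5,}|The command completed)' }
    }
}

Get-AccountPrivilegeReport | Format-List
Write-Output 'Members of the local Administrators group:'
Get-LocalAdminMembers
```

If IsAdminMember is True for the account you use every day, that is the situation the article and the replies below warn about: any program you run can ask for, or trick you into granting, full administrator rights. Create a separate Standard User account for daily use and keep the administrator account for setup only.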
 
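Section 8 above notes that the built-in Windows Firewall is controlled through the registry, which is why malware that obtains administrator rights can switch it off. The script below is an added example, not part of the original article: it reads each firewall profile through Get-NetFirewallProfile (Windows 8 / Server 2012 and later; not available on Windows 7 or earlier), reads the matching EnableFirewall value under HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy, checks that the firewall service (MpsSvc) is running, and flags any profile that is off or where the two views disagree. The function name and the warning texts are this example's own; run it from an elevated prompt so the registry keys are readable.

```powershell
# Added example (not from the original article): is the Windows Firewall
# actually on, and does the registry agree with what the cmdlet reports?

function Get-FirewallStateReport {
    # MpsSvc is the Windows Firewall service; nothing is enforced if it is stopped.
    $service      = Get-Service -Name 'MpsSvc' -ErrorAction SilentlyContinue
    $serviceState = if ($service) { [string]$service.Status } else { 'NotInstalled' }

    # Registry key names differ from the profile names the cmdlet reports:
    # the "Private" profile is stored as StandardProfile.
    $regBase = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
    $regKey  = @{ Domain = 'DomainProfile'; Private = 'StandardProfile'; Public = 'PublicProfile' }

    foreach ($fwProfile in Get-NetFirewallProfile) {
        $name     = [string]$fwProfile.Name
        $enabled  = ([string]$fwProfile.Enabled -eq 'True')
        $regPath  = Join-Path $regBase $regKey[$name]
        $regValue = (Get-ItemProperty -Path $regPath -Name 'EnableFirewall' `
                        -ErrorAction SilentlyContinue).EnableFirewall
        $regEnabled = ($regValue -eq 1)

        $warning = if ($serviceState -ne 'Running') { 'Firewall service not running' }
                   elseif (-not $enabled)            { 'Profile disabled' }
                   elseif ($enabled -ne $regEnabled) { 'Cmdlet and registry disagree; investigate' }
                   else                              { '' }

        [pscustomobject]@{
            Profile         = $name
            Service         = $serviceState
            Enabled         = $enabled
            RegistryEnabled = $regEnabled
            InboundDefault  = [string]$fwProfile.DefaultInboundAction
            OutboundDefault = [string]$fwProfile.DefaultOutboundAction
            Warning         = $warning
        }
    }
}

Get-FirewallStateReport | Format-Table -AutoSize
```

An empty Warning column on all three profiles is what you want to see. A profile that reports Enabled but whose registry value is 0 (or the reverse) means something changed the setting outside the normal interface, and the machine deserves a closer look with the scanners listed later in the article.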
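Sections 10 and 12 above describe HOSTS file blocklists such as MVPS HOSTS and hpHosts, and WinPatrol's ability to lock the file and watch it for changes. The script below is an added example, not part of the original article or of any of those products: it parses the HOSTS file, separates blocklist entries (names mapped to 0.0.0.0, 127.0.0.1 or ::1) from entries that send a name to any other address, which is how a hijacker abuses the file, and records a SHA-256 hash you can store and pass back on a later run to see whether the file changed. The parameter names and the baseline workflow are this example's own.

```powershell
# Added example (not from the original article): audit the HOSTS file and
# keep a hash baseline so later edits are noticed.

function Get-HostsAudit {
    param(
        [string]$Path = "$env:SystemRoot\System32\drivers\etc\hosts",
        [string]$BaselineHash = ''
    )
    # Addresses that point a name at the local machine: the blocklist style
    # used by MVPS HOSTS and hpHosts.
    $blackhole = @('0.0.0.0', '127.0.0.1', '::1')

    $entries = foreach ($line in Get-Content -Path $Path -ErrorAction Stop) {
        $text = ($line -split '#', 2)[0].Trim()       # drop comments and whitespace
        if (-not $text) { continue }
        $fields = $text -split '\s+'
        if ($fields.Count -lt 2) { continue }            # address with no host name
        $address = $fields[0]
        $kind = if ($blackhole -contains $address) { 'Block' } else { 'Redirect' }
        foreach ($name in ($fields | Select-Object -Skip 1)) {
            [pscustomobject]@{ Address = $address; Name = $name; Kind = $kind }
        }
    }

    # Hash of the whole file; compare with a value you saved from an earlier run.
    $hash    = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    $changed = if ($BaselineHash) { $hash -ne $BaselineHash } else { $null }

    [pscustomobject]@{
        Path         = $Path
        Sha256       = $hash
        Changed      = $changed
        BlockEntries = @($entries | Where-Object { $_.Kind -eq 'Block' }).Count
        Redirects    = @($entries | Where-Object { $_.Kind -eq 'Redirect' })
    }
}

$audit = Get-HostsAudit
$audit | Select-Object Path, Sha256, BlockEntries | Format-List
if ($audit.Redirects.Count -gt 0) {
    Write-Output 'Entries that send a name somewhere other than the local machine:'
    $audit.Redirects | Format-Table -AutoSize
}
# On a later run, pass the stored hash to detect edits:
#   Get-HostsAudit -BaselineHash '<saved Sha256 value>'
```

A clean machine with one of the blocklists installed shows thousands of Block entries and no Redirect entries. Any Redirect entry, especially one for a bank, a search engine or an anti-virus vendor, is worth investigating, since that is exactly how the "hijackers" section 10 mentions operate. Store the Sha256 value somewhere outside the HOSTS file; if Changed comes back True on a later run and you did not update the blocklist yourself, treat the machine as suspect.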
Great writeup, Corrine.

A fantastic addon I refuse to browse today's internet without is NoScript for Firefox (and to tell the truth is the only thing keeping me using Firefox as opposed to other browsers) :grin1:
 
I've used the above as the basis for my layer technique for a long time now, some of my modifications/additions below.

I start outside the Windows box; wired connection from my firewalled modem/router set to OpenDNS. Link maintained to OpenDNS in Windows with Marc's Updater (I have a variable external IP address). No Windows sharing/SMB of any kind on the internal PCs - I sometimes work on infected machines, as my OpenDNS history would confirm - this hopefully minimises any worm-type risk.

WiFiGuard updates me on any new connections to the WiFi network.

I use an amalgam of MVPS HOSTS and hpHosts, maintained/updated by HostsMan

I find NoScript too distracting and high maintenance; in my default browser, Pale Moon (normally the x64 version) I use DuckDuckGo as default search engine, DoNotTrackMe and, currently, BluHell Firewall.
 
I like it enough to have been a beta-tester since about 3-4 months into first using it (it may have been 15-16 months though, can't remember ;) ).
 
A concern I'd have about using PaleMoon is that as upstream software, how quickly do Firefox security patches get added?
 
Security patches, even from 'higher' Firefox versions are added to Pale Moon within a few days of the Firefox source code being released (time is needed to build/test first) - if it's applicable to Pale Moon - it doesn't blindly follow Mozilla in the addition of new 'features', so not all Firefox vulnerabilities will be in the Pale Moon code.

EDIT: there's a host of details on the Pale Moon site and forum, the dev, MC, is quite happy to handle any queries you might have.

Also, it's independent of Firefox's profile (unlike all? the other forks/builds that I'm aware of) so it's 'safe' to test alongside FX and can make a useful comparison/troubleshooting tool if you suspect a FX bug/problem.
 
I'm a little concerned none of the mitigation steps recommend not logging in with an administrative account. There are knocks on the Windows Firewall because it can be overwritten in the registry, but.... only by admins! It's a good article, but it still reinforces a lot of the misconception that security is a product (or products) you can use, when it's really a methodology that uses products when necessary to increase the security posture of a system. #1 on any "how to be more secure" list should always be "don't log onto your machine and use it with an administrative account", or it has ultimately failed - an admin is an admin, and you can't stop something running with those privileges from screwing up the system if it's determined enough.
 
Good point. It is surprising that wasn't in the original, particularly since the advice to use a "Limited User Account" was strongly encouraged when the article was written. I'll add it to the Safe Computing Practices section.
 
Yes - UAC is not a security boundary, it's a security measure. If you're logged in as an admin, there's a known (and impossible to plug) "drive-by" possibility by hacking/replacing a binary allowed to silently bypass UAC, like regedit. Since in most "UAC drive-by" hacks, a hacked binary can only elevate to the user's highest-privs available on a system, if you're an admin, that's... full admin. However, if you're just a user, that's then running as a regular user (great hack! /sarcasm) and no real harm done. UAC is a mechanism, but not a boundary, and not impossible to jump over or impersonate - difficult, yes, but not impossible. Even with UAC enabled, running as admin is foolhardy at best. UAC provides protection, but since it's not a boundary if there *is* any sort of foul play, your system will be wide open and vulnerable. Also, UAC allows the ability to elevate processes to that admin account as necessary, making it possible (and fairly easy) to run without admin privs.
 
When you say "Admin" - are you referring to all user admin accounts (-10xx) or just hidden admin (-500)?
 
All - an admin is an admin, the only difference between one created and the original is that UAC doesn't apply to the inbox admin. Otherwise, they're the same.
 
So I just read the article, and if you don't mind updating it, here's what you could change (updated information).

  • Maybe list the highest SP available for each version of Windows, so it'll be easier for the user to see if he has it or not. Windows XP SP3, Windows Vista SP2, Windows 7 SP1, Windows 8 none, but update to Windows 8.1 with Update 1;
  • The Secunia Online Software Inspector has been discontinued, it can be removed from the guide;
  • Maybe add most popular P2P programs to the listing like uTorrent, qTorrent, Bittorrent, Deluge, etc;
  • VirusTotal's scan limit is now 128MB and Jotti's Malware Scan is now 25MB. In addition, quietman listed all of these online malware analysis websites on BleepingComputer in a single post, maybe they could be added there too? If you don't know where it is, I can post the link to the post here (malwr.com and Hybrid-Analysis.com are also in it);
  • One advice to add in the "Avoid questionable websites!" section could be the use of a "web rating" plugin, like Web of Trust. Even if it's a user-based review, it can help identify malicious websites from legitimate ones, or at least give a first impression;
  • Update avast! and Avira's product name (we aren't on avast! 5, nor Avira AntiVir PersonalEdition Classic anymore);
  • For the Internet Browsers, you can now install Internet Explorer 11 on Windows 7 (via Windows Updates or download from Microsoft website). You can also add Google Chrome as a browser, and maybe list uBlock Origin as an extension for it (uBlock for Mozilla Firefox) since we are talking about script blockers here;
  • Online Armor Free has been discontinued (RIP), so it can be removed from the list and replaced with another one I imagine;
  • It would be a good idea to add Emsisoft Anti-Malware somewhere in there, maybe under Antivirus or Antimalware, whichever you like more;

Let me know what you think of these updates.
 
Hi, Aura. I haven't forgotten about your suggestions. I had forgotten that I had posted this here. The "original" adaptation of TonyKlein's article on my blog has had a few updates so I'll need to get the two versions in sync and then dig deeper.

I appreciate your suggestions.
 
As long as you saw my post it's good haha :) And thank you, I'll monitor the thread to see the upcoming changes!
 
I would add a bit to what Aura says - Emsisoft Anti-Malware is best placed under AV since it is most commonly used standalone (although it can be used like MBAM). Most of the time EAM is reviewed and tested as an AV. If the purpose of use is for on-demand scanning then it's better to use Emsisoft Emergency Kit instead, as it does not require installation.

Someone might want to remove Spybot S&D, since it sucks (for this era anyway).

I would also suggest the use of a password manager like LastPass, since it both provides convenience and security (with the password already filled in for you, keyloggers won't get anything).

For a free antivirus I also like BitDefender Free Edition. The link to it is a bit confusing, so I can provide it if you guys need it.
 