General Feedback


Thom Paine

I just got ahold of this program, and have begun testing
it out on several systems.

So far I am impressed that it works fairly well out of
the box. I think my success is due to the fact that the
machines I put it on are clean before I start, and it is
greatly helpful in preventing infection when I purposely
try to go to malicious sites during testing.

I've installed it on a couple of already infected
machines in the hopes that it cleans them off, and while
it certainly does help, I find that an infected machine
needs to have several programs run in concert, and in a
particular way.

My best success on a very badly infected machine is this
procedure. I'm posting it in the hopes that other people
have better success. I browsed a few threads on here, and
some people get very upset that it isn't a magical fix
all with no interaction on the users part. I can
understand that's how the infection started, because
everyone is being conditioned to just click yes and carry
on with what you're doing, instead of reading what's
happening. I'm also sure if it said 'Would you like to
install and run Gator, a lame ass spyware program that
will totally hose your system in a couple of weeks and
aggravate you and your wife, oh, but there is a cute
screensaver too' people would still click yes.

Anyhoo, on to the procedure.

1. Turn off system restore. Leaving it on prevents a good
removal because spyware is installing itself in there now
and getting put back in after a reboot when you think the
coast is clear.

2. Run HijackThis first. My clean HijackThis scan only
has a dozen or so lines in it. You only need one home
page and one search page. I suggest setting the home page
to google because it loads fast, and you know it's safe.
Make sure all your explorer windows and IE windows are
closed first, especially if you need to remove a BHO.

3. Run the following 3 ad-ware removers. The order isn't
important, although I like to run them in this order.
3.1 Spybot Search and Destroy.
3.2 Lavasoft Ad-Aware
3.3 Microsoft AntiSpyware

4. Let them remove EVERYTHING they analyze. There isn't
anything they find that they can't remove safely. I
noticed on AntiSpyware that some of the items are marked
quarantine, or ignore. You will want to set them all to
REMOVE.

5. Open Windows Explorer. Go to TOOLS, FOLDER OPTIONS.
Check 'Show All hidden Files and Folders'.

6. If you have multiple users on an XP machine or a 2k
machine, this step is a pain in the ass, but necessary.
Go to DOCUMENTS AND SETTINGS, then go into each TEMP
folder of all users on the system. This is in the
username of the logon people, then LOCAL SETTINGS then
TEMP. Delete all the files in there. If there are
files 'That are in Use' you know that they may be used by
spyware.

7. Run msconfig and remove anything that is not
absolutely necessary. I usually just have my antivirus,
maybe a Creative Sound Card driver, the nvidia stuff, and
a few others.

Be sure to keep your spyware programs up to date. Run the
update at least once a week. Preferably run it before you
do a scan.

Hope this helps.

-=/>Thom
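Thom's steps 5 to 7 done from an elevated PowerShell prompt instead of by hand, as an added example that is not part of the original post. It empties every profile's Temp folder and reports the files that are still locked (the ones Thom says may be in use by spyware), turns on display of hidden, system and extension-less files for the current account, and lists the Run/RunOnce keys and Startup folders that msconfig's Startup tab reads. Path layouts (ProfileList, AppData\Local\Temp versus Local Settings\Temp) and the registry value names are assumptions about a standard Windows install; try it on a scratch machine first.

```powershell
# Added example, not from Thom's post: steps 5-7 of his procedure as a script.
# Run from an elevated prompt. Assumes the standard ProfileList key and the
# modern AppData\Local\Temp layout; the 2000/XP Local Settings\Temp path is
# tried as well. Step 1 (system restore) is a one-liner on client editions of
# Windows PowerShell: Disable-ComputerRestore -Drive "$env:SystemDrive\"

$ErrorActionPreference = 'Stop'

# Profile roots come from ProfileList rather than a hard-coded directory so
# relocated profiles and the "Documents and Settings" layout both work.
$profileList  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$profileRoots = Get-ChildItem -Path $profileList |
    ForEach-Object { (Get-ItemProperty -Path $_.PSPath).ProfileImagePath } |
    Where-Object { $_ -and (Test-Path -LiteralPath $_) }

# Step 6: empty each user's Temp folder. A file that refuses to go is open by a
# running process and lands on the suspect list instead of being skipped silently.
$locked = New-Object System.Collections.Generic.List[object]
foreach ($root in $profileRoots) {
    foreach ($rel in 'AppData\Local\Temp', 'Local Settings\Temp') {
        $temp = Join-Path -Path $root -ChildPath $rel
        if (-not (Test-Path -LiteralPath $temp)) { continue }
        $files = Get-ChildItem -LiteralPath $temp -Force -Recurse -File -ErrorAction SilentlyContinue
        foreach ($f in $files) {
            try {
                Remove-Item -LiteralPath $f.FullName -Force
            } catch {
                $locked.Add([pscustomobject]@{ Path = $f.FullName; Reason = $_.Exception.Message })
            }
        }
    }
}

# Step 5: Explorer's "Show hidden files and folders", plus the two settings a
# cleanup usually wants with it (protected OS files visible, extensions shown).
$advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
Set-ItemProperty -Path $advanced -Name Hidden          -Value 1 -Type DWord
Set-ItemProperty -Path $advanced -Name ShowSuperHidden -Value 1 -Type DWord
Set-ItemProperty -Path $advanced -Name HideFileExt     -Value 0 -Type DWord

# Step 7: the Run/RunOnce keys msconfig's Startup tab reads. Only loaded hives
# (logged-on users) appear under HKEY_USERS, which is why each account still
# has to be checked while logged on as that user.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)
$userHives = Get-ChildItem -Path Registry::HKEY_USERS |
    Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' }   # skips the *_Classes keys
foreach ($hive in $userHives) {
    foreach ($sub in 'Run', 'RunOnce') {
        $runKeys += "Registry::HKEY_USERS\$($hive.PSChildName)\Software\Microsoft\Windows\CurrentVersion\$sub"
    }
}

$autostarts = @(foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }     # PSPath etc. are provider metadata, not entries
        [pscustomobject]@{ Source = $key; Name = $p.Name; Command = $p.Value }
    }
})
# The Startup folders run their contents too.
$startupFolders = "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp",
                  "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\StartUp"
foreach ($folder in $startupFolders) {
    if (-not (Test-Path -LiteralPath $folder)) { continue }
    $autostarts += @(Get-ChildItem -LiteralPath $folder -Force | ForEach-Object {
        [pscustomobject]@{ Source = $folder; Name = $_.Name; Command = $_.FullName }
    })
}

"Locked temp files (possibly in use by spyware): {0}" -f $locked.Count
$locked | Format-Table -AutoSize -Wrap
"Autostart entries msconfig would show: {0}" -f $autostarts.Count
$autostarts | Sort-Object Source, Name | Format-Table -AutoSize -Wrap
```

The locked-file list is the interesting output: a temp file that cannot be deleted while nothing legitimate is running is exactly the "in use" case Thom describes, and its path tells you what to look for in the process list before the next pass. The autostart listing is read-only; decide what to remove from it yourself rather than letting a script do it.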
 
At first I have to say that I absolutely go with Thom. I
am removing spyware, adware, viruses, worms, trojans and
so on from systems of people that I know, and people they
know, as a kind of hobby, and always realize that the
biggest problem of all those threats is sitting in front
of the monitor. After scanning my own system for viruses
and adware (which I don't do really often) I only get 3
threats of minor spyware that I know of, but ignore them
because they come with software I can't use without
them. So the only thing you have to do to avoid getting
transparent to those people who produce spyware is to
take care where you go on the web and to read the alerts you
get, even if there is only the OK button you can click (if
you look further, you may realize that there is a red X in
the upper right).
So watch your steps, or others will do this for you.
 
I too made a successful installation. I disabled my
antivirus because I heard sometime that antivirus tends to
make an installation not execute properly, therefore no
successful installation.
 
1) For the other replies under the "General Feedback" post:
caution to the users is paramount... don't say some of
your glaring things without realizing no one knows what is
safe anymore..

you can't "watch out" for where you are browsing because
you *CAN* go to completely innocent web sites and STILL be
subjected to infections.

Microsoft themselves had a problem back when Nimda/Code
Red came out at one of their FrontPage servers (as in
http://www.microsoft.com/frontpage) so if big boy can
become infected.. it means ANY PLACE YOU GO could attempt
to infect you and you MUST pay attention to what is
happening on your screen at all times.

Graphic and OTHER links can be placed inside of ANY web
page to come from other servers on the internet.. what may
look perfectly innocent could have a hidden graphic the
size of a dot that is actually an infection from site
XYZ ...

Even now, some of the hacks and wares are coming via
embedded links inside of graphic files ... so no one is
safe.. PERIOD!

2) While a good start Thom..
a) users should IMMUNIZE their system using the immunize
option inside of Spybot. 99.9% of the people out there
won't mind it and won't know that it's protecting them if
it weren't for the fact that SOME webservers require hits
from Avenue-A and other ad backed cookies and ilk.

The Immunize feature is available for free in Spybot

** caution.. with immunization, the sites are placed into
Internet Explorer's "Restricted Sites Zone" .... i.e. so
that any link that REFERS to the site is run (IF RUN) with
*restricted rights* rather than the plain old "Internet"
rights..

Microsoft's AntiSpy will incorrectly detect some of these
as a threat and want to remove them. as in.. remove them
from the "restricted sites" zone ... which then leaves
that bad site available in the INTERNET zone which is LESS
secure.. this is an oversight by the program..

IF you look at Microsoft's report.. it will tell you it is
in the ZONE MAP for DOMAINS under Internet Explorer.

b) Thom, you mention startup items.. this too is available
FOR FREE inside spybot.. click MODE .. ADVANCED.. then on
the left side.. select TOOLS .. under the tools section
are several important features.. startup and LSP's are two
of the most important..

c) for EACH USER on a system, you must run spybot and
other adware programs because EACH USER can have apps
hidden in the registry that the current user may not be
able to get access to.

ADDITIONALLY, you can export some of the settings.. such
as the ZoneMaps (from previous... mentioning a system that
is immunized and MS's antispy sees the information
incorrectly)... you can export some of the settings and
then change every reference in the file from a specific
USER id.. to be .default... and then as an administrative
user merge that registry file back in .. and then every
NEW person that logs on for the first time.. will have
THOSE default settings applied so they are protected and
the rest of the machine too from new logins that go to bad
sites...

3) I recommend people ALSO get PSTOOLS from
www.sysinternals.com ... or at the very least get PSLIST
from the same.. it shows ALL programs running.. and that
includes those that are stealthing themselves from the
standard task list that Microsoft includes ... which
itself doesn't show *every* program..

It is most often the hidden running applications that
cause all of the attempts for spyware removal to be
unsuccessful.. and it would be PSKILL in the PSTOOLS group
that can be used to kill the offending application or
service.


Lastly.. it can not be stated enough... a BASIC
instruction for users of computers.. should include
information on "how stuff works" so that they understand..
they type www.microsoft.com .. but everything they see
could come from microsoft and other servers.. because of
commands and requests that are IN the HTML file....

the more your users are educated... the less trouble they
cause in the long run!!
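The zone-map points in 2a) and 2c) above, as an added example that is not part of the reply: a function that reads Internet Explorer's ZoneMap\Domains key back into host/scheme/zone rows so you can see what an immunizer put into Restricted sites, a before/after comparison for catching a scanner that strips those entries, and a function that exports the current user's Domains key and merges it into the hive that new accounts are created from. The reply says to merge into ".default"; this example instead loads Users\Default\NTUSER.DAT, because new profiles are copied from that file, while HKEY_USERS\.DEFAULT is the hive of the logon desktop and the LocalSystem account. The registry path, the zone numbering (4 = Restricted sites), the profile path and the hive name DefaultProfile are assumptions; the functions Get-ZoneMapEntries, Compare-ZoneMap and Copy-ZoneMapToDefaultProfile are names made up for this example.

```powershell
# Added example, not from the reply above: audit the immunized zone map and copy
# it into the Default user profile. Run from an elevated prompt. Assumes the
# standard ZoneMap\Domains location, that immunized hosts carry zone value 4
# (Restricted sites), and a modern Users\Default\NTUSER.DAT template path.

$ErrorActionPreference = 'Stop'
$domains   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$zoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }

function Get-ZoneMapEntries {
    param([string]$Root = $domains)
    # Each registered domain is a subkey, subdomains are nested subkeys, and the
    # values under a key (named '*', 'http', 'https', ...) hold the zone number.
    Get-ChildItem -Path $Root -Recurse | ForEach-Object {
        $key   = $_
        $parts = ($key.Name -replace '^.*\\Domains\\', '') -split '\\'
        [array]::Reverse($parts)                 # doubleclick.net\ad -> ad.doubleclick.net
        $props = Get-ItemProperty -Path $key.PSPath
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata, not a scheme
            [pscustomobject]@{
                Host     = $parts -join '.'
                Scheme   = $p.Name
                Zone     = [int]$p.Value
                ZoneName = $zoneNames[[int]$p.Value]
            }
        }
    }
}

function Compare-ZoneMap {
    # Hosts that were in Restricted sites in $Before but are not any more in
    # $After: the damage a scanner does when it "cleans" the immunization.
    param($Before, $After)
    $stillRestricted = @($After | Where-Object { $_.Zone -eq 4 } | ForEach-Object { $_.Host })
    $Before | Where-Object { $_.Zone -eq 4 -and $stillRestricted -notcontains $_.Host }
}

function Copy-ZoneMapToDefaultProfile {
    # Export the current user's Domains key, retarget the key names at the
    # Default profile hive, and merge it there so new accounts inherit it.
    $regFile     = Join-Path -Path $env:TEMP -ChildPath 'zonemap-domains.reg'
    $defaultHive = "$env:SystemDrive\Users\Default\NTUSER.DAT"
    reg.exe export 'HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains' $regFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg export failed ($LASTEXITCODE)" }
    reg.exe load 'HKU\DefaultProfile' $defaultHive | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg load failed ($LASTEXITCODE); is another process holding the hive?" }
    try {
        # The export names HKEY_CURRENT_USER on every key line; point them at the loaded hive.
        (Get-Content -Path $regFile) -replace '^\[HKEY_CURRENT_USER\\', '[HKEY_USERS\DefaultProfile\' |
            Set-Content -Path $regFile -Encoding Unicode
        reg.exe import $regFile | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "reg import failed ($LASTEXITCODE)" }
    } finally {
        [gc]::Collect()                          # drop any handle PowerShell still holds on the hive
        reg.exe unload 'HKU\DefaultProfile' | Out-Null
        Remove-Item -LiteralPath $regFile -Force -ErrorAction SilentlyContinue
    }
}

# Snapshot, run the anti-spyware scan in between, snapshot again, and list what
# fell out of Restricted sites. With nothing run in between the list is empty.
$before = Get-ZoneMapEntries
# ... run the scanner here ...
$after  = Get-ZoneMapEntries
"{0} host(s) immunized into Restricted sites" -f @($after | Where-Object { $_.Zone -eq 4 }).Count
Compare-ZoneMap -Before $before -After $after | Format-Table Host, Scheme, ZoneName -AutoSize
```

Use Compare-ZoneMap around each scanner you run, not just once: the reply's complaint is that one product undoes another's protection, and the only way to know is to diff the zone map after each of them. Copy-ZoneMapToDefaultProfile only affects accounts created after it runs; existing users still need the immunization applied (or the same merge done into their own loaded hive) while logged on, as point 2c) says.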
 