Hi Ned - In addition to my other post, you may find this useful:
If you want to take steps to defend your machine, there are a number of
things which need to be considered. I would suggest the following:
The minimum necessary to start with are a good hardware or software firewall
and an AV, and by bringing your OS up-to-date with ALL Critical updates.
You can find some useful comparative AV information here:
http://www.virusbulletin.com/vb100/about/index.xml You can minamally test
your firewall here:
https://www.grc.com/x/ne.dll?bh0bkyd2 and here:
http://www.auditmypc.com/freescan/scanoptions.asp
A good general "malware" overview/removal site FAQ's with pretty good
step-by-step instructions is available for review here:
http://www.spywarenation.com/modules.php?name=FAQ
Run the following programs regularly; I recommend at least once a week.
#########IMPORTANT#########
Before you try to remove spyware using any of the programs below, download
both a copy of LSPFIX here:
http://www.cexx.org/lspfix.htm
AND a copy of Winsockfix for W95, W98, and ME
http://www.tacktech.com/pub/winsockfix/WinsockFix.zip
Directions here:
http://www.tacktech.com/display.cfm?ttid=257
or here for Win2k/XP
http://files.webattack.com/localdl834/WinsockxpFix.exe
Info here:
http://www.spychecker.com/program/winsockxpfix.html
Directions here:
http://www.iup.edu/house/resnet/winfix.shtm
The process of removing certain malware may kill your internet connection.
If this should occur, these programs, LSPFIX and WINSOCKFIX, will enable you
to regain your connection.
NOTE: It is reported that in XP SP2, the Run command netsh winsock reset
will fix this problem without the need for these programs. (You can also
try this if you're on XP SP1. There has also been one, as yet unconfirmed,
report that this also works there.) Also, one MS technician suggested the
following sequence:
netsh int reset all
ipconfig /flushdns
See also:
http://windowsxp.mvps.org/winsock.htm for additional XPSP2
info/approaches using the netsh command.
#########IMPORTANT#########
#########IMPORTANT#########
Show hidden files and run all of the following removal tools from Safe mode
or a "Clean Boot" when possible. Reboot and test if the malware is fixed
after using each tool.
HOW TO Enable Hidden Files
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339
Clean Boot - General Win2k(if w/msconfig)/XP procedure, but see below for
links for other OS's:
1. Start|Run enter msconfig.
2. On the General tab, click Selective Startup, and then clear the Process
System.ini File, Process WIn.ini File, and Load Startup Items check boxes.
Leave the boot.ini boxes however they are currently set.
3. In the Services tab, check the "Hide All Microsoft Services" checkbox,
and then click the "Disable All" button.
4. Click OK and then reboot.
For additional information about how to clean boot your operating system,
click the following article numbers to view the articles in the Microsoft
Knowledge Base:
310353 How to Perform a Clean Boot in Windows XP
http://support.microsoft.com/kb/310353
281770 How to Perform Clean-Boot Troubleshooting for Windows 2000
http://support.microsoft.com/kb/281770/EN-US/
267288 How to Perform a Clean Boot in Windows Millennium Edition
http://support.microsoft.com/kb/267288/EN-US/
192926 How to Perform Clean-Boot Troubleshooting for Windows 98
http://support.microsoft.com/kb/192926/EN-US/
243039 How to Perform a Clean Boot in Windows 95
http://support.microsoft.com/kb/243039/EN-US/
#########IMPORTANT#########
Download and run Stinger.exe, here:
http://download.nai.com/products/mcafee-avert/stinger.exe or from the link
on this page:
http://vil.nai.com/vil/stinger/
Download sysclean.com , from Trend Micro, here:
http://www.trendmicro.com/download/dcs.asp along with the latest pattern
file, here:
http://www.trendmicro.com/download/pattern.asp Be sure to read
the "How-to" info here:
http://www.trendmicro.com/ftp/products/tsc/readme.txt (You might also want
to get Art's updater, SYS-UP.Zip, here for future updating of these:
http://home.epix.net/~artnpeg/). (If you download and use the updater from
the beginning, it will automatically handle downloading the other files.)
Place them in a dedicated folder after appropriate unzipping. Show hidden
and system files (HowTo here:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339)
Disable Restore if you're on XP or ME (directions here:
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm), then boot to
Safe mode (HowTo here:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406)
Read tscreadme.txt carefully, then do a complete scan of your system
in Safe mode or from a Clean Boot (see below) and clean or delete anything
it finds. Reboot to normal mode and re-run the scan again.
This scan may take a long time, as Sysclean is VERY extensive and thorough.
For example, one user reported that Sysclean found 69 hits that an
immediately prior Norton AV v. 11.0.2.4 run had missed.
Download and run the trial version of A2 Personal, here:
http://www.emsisoft.com/en/ Run from a Clean Boot or Safe Mode with Show
Hidden Files enabled as above.
Sometimes the tools below will find files which they are unable to delete
because they are in use. A program called Copylock, here,
http://noeld.com/programs.asp?cat=misc#CopyLock can aid in the process of
"replacing, moving, renaming or deleting one or many files which are
currently in use (e.g. system files like comctl32.dll, or virus/trojan
files.)" Another is Killbox, here:
http://www.downloads.subratam.org/KillBox.zip
A third which is a bit different but often useful is Delete Invalid File,
here:
http://www.purgeie.com/delinv.htm which handles invalid/UNC
file/folder name deleting, rather than the in use problem
Get Ad-Aware SE Personal Edition, here:
http://www.lavasoftusa.com/support/download/. Tutorial here:
http://www.bleepingcomputer.com/forums/index.php?showtutorial=48
UPDATE, set it up in accordance with this:
http://forum.aumha.org/viewtopic.php?t=5877 or the directions immediately
below and run this regularly to get rid of most "spyware/hijackware" on your
machine. If it has to fix things, be sure to re-boot and rerun AdAware
again and repeat this cycle until you get a clean scan. The reason is that
it may have to remove things which are currently "in use" before it can then
clean up others. Configure Ad-aware for a customized scan, and let it
remove any bad files found.....
<Begin Setup Directions>
Then, courtesy of NonSuch at Lockergnome, open Ad-aware then click the gear
wheel at the top and check these options to configure Ad-aware for a
customized scan:
General> activate these: "Automatically save log-file" and "Automatically
quarantine objects prior to removal"
Scanning > activate these: "Scan within archives", "Scan active processes",
"Scan registry", "Deep scan registry," "Scan my IE Favorites for banned
sites," and "Scan my Hosts file"
Tweaks > Scanning Engine> activate this: "Unload recognized processes during
scanning."
Tweaks > Cleaning Engine: activate these: "Automatically try to unregister
objects prior to deletion" and "Let Windows remove files in use after
reboot."
Click "Proceed" to save your settings, then click "Start." Make sure
"Activate in-depth scan" is ticked green, then scan your system. When the
scan is finished, the screen will tell you if anything has been found, click
"Next." The bad files will be listed. Right click the pane and click "Select
all objects" - This will put a check mark in the box at the side, click
"Next" again and click "OK" at the prompt "# objects will be removed.
Continue?"
<End Setup Directions>
Courtesy of
http://www.nondisputandum.com/html/anti_spyware.html: HINT: If
Ad Aware is automatically shut-down by a malicious software, first run
AWCloak.exe,
http://www.lavasoftnews.com/downloads/AAWCloak.exe, before
opening Ad Aware. When AAWCloak is open, click "Activate Cloak". Than open
Ad Aware and scan your system.
Another excellent program for this purpose is SpyBot Search and Destroy
available here:
http://security.kolla.de/ SpyBot Support Forum here:
http://www.net-integration.net/cgi-bin/forums/ikonboard.cgi. Tutorial
here:
http://www.safer-networking.org/en/index.html I recommend using both
normally. Be sure and use the Default (NOT Advanced or Beta) Mode in
Settings.
After UPDATING and fixing ONLY RED things with SpyBot S&D, be sure to
re-boot and rerun SpyBot again and repeat this cycle until you get a clean
"no red" scan. The reason is that SpyBot sometimes has to remove things
which are currently "in use" before it can then clean up others. Note that
sometimes you need to make a judgement call about what these programs report
as spyware. See here, for example:
http://www.imilly.com/alexa.htm
Both of these programs should normally be UPDATED and run after doing any
other fix such as CWShredder and, as a minimum, normally at least once a
week.
I would recommend reading: "How did I get infected in the first place",
here:
http://forums.techguy.org/t208517.html and "Are Your Children Safe
from Spyware?" here:
http://www.pcpitstop.com/spycheck/kids.asp
Next, courtesy of Mike Burgess:
"--Recommended Minimum Security Settings--
Close all instances of IE and OE
Control Panel | Internet Options
Click on the "Security" tab
Highlight the "Internet" icon, click "Custom Level"
1) "Download signed ActiveX scripts" = Prompt
2) "Download unsigned ActiveX scripts = Disable
3) "Initialize and script ActiveX not marked as safe" = Disable
4) "Installation of Desktop items" = Prompt
5) "Launching programs and files in a IFRAME" = Prompt (Added by JB - See
more below about this.)
Click on the "Content" tab
Click the "Publishers" button
Highlight and click "Remove" any unknowns, click Ok
Click on the "Advanced" tab
Uncheck: "Install on demand (other)", click Apply\Ok
Prevent your "HomePage" setting from being Hijacked
http://www.mvps.org/winhelp2002/ietips.htm
_____________________________
Mike Burgess
Information isn't free if you can't find it!
http://www.mvps.org/winhelp2002/"
Note the Publisher setting - this vector is often overlooked. See here:
http://mvps.org/winhelp2002/restricted.htm#Setting
Then, from me:
Disable BOTH "Install on Demand" options on the IE6 Advanced tab.
Disable BOTH "Launch Programs and Files in an IFRAME" and "Navigate
sub-frames across different domains" in IE6|Security|Internet|Custom Level
in the Misc section. (Be sure that you install hotfix 889293, also.)
Another set of not unreasonable (although much more severe) security setting
recommendations is available here:
http://www.infinisource.com/techfiles/surf-safe.html And here:
http://www.techbargains.com/hottips/hottip13/index.cfm Also, see here for a
comprehensive discussion of this (very highly recommended):
https://netfiles.uiuc.edu/ehowes/www/btw/ie/ie-opts.htm
There's a reasonable test of your Browser's secuity here: Jason Levine's
Browser Security Tests
http://www.jasons-toolbox.com/BrowserSecurity/ and
another extensive and Recommended one here:
http://bcheck.scanit.be/bcheck/
You might want to consider installing Eric Howes' IESpyAds, SpywareBlaster
and SpywareGuard here to help prevent this kind of thing from happening in
the future:
IESpyads -
https://netfiles.uiuc.edu/ehowes/www/resource.htm "IE-SPYAD adds
a long list of sites and domains associated with known advertisers,
marketers, and crapware pushers to the Restricted sites zone of Internet
Explorer. Once you merge this list of sites and domains into the Registry,
the web sites for these companies will not be able to use cookies, ActiveX
controls, Java applets, or scripting to compromise your privacy or your PC
while you surf the Net. Nor will they be able to use your browser to push
unwanted pop-ups, cookies, or auto-installing programs on your PC." Read
carefully. Tutorial here:
http://www.bleepingcomputer.com/forums/tutorial53.html
http://www.javacoolsoftware.com/spywareblaster.html (Prevents malware Active
X installs, blocks spyware/tracking cookies, and restricts the actions of
potentially dangerous sites) (BTW, SpyWareBlaster is not memory resident ...
no CPU or memory load - but keep it UPDATED) The latest version as of this
writing will prevent installation or prevent the malware from running if it
is already installed, and, additionally, it provides information about and
fixit-links for a variety of parasites. Tutorial here:
http://www.bleepingcomputer.com/forums/tutorial49.html
http://www.javacoolsoftware.com/spywareguard.html (Monitors for attempts to
install malware) Keep it UPDATED. Tutorial here:
http://www.bleepingcomputer.com/forums/tutorial50.html
All three Very Highly Recommended
SpywareBlaster is probably the best preventive tool currently available,
expecially if supplemented by using the Immunize function in SpyBot S&D and
a good HOSTS file (see next). IMPORTANT NOTE: A good additional source of
preventive blocking for ActiveX components is the Blocking List available
here:
http://www.spywareguide.com/blockfile.php While smaller than the
SpywareBlaster list, it contains some different malware CLSIDs and appears
to be updated with new threats more frequently. Recommended as a supplement
to SpywareBlaster. Read all of the instructions in the Expert package
download carefully. You might want to consider using:
http://www.changedetection.com/monitor.html to monitor and notify you of
changes/updates to this (or others, for that matter) list.
Next, install and keep updated a good HOSTS file. It can help you avoid
most adware/malware. See here:
http://www.mvps.org/winhelp2002/hosts.htm
(Be sure it's named/renamed HOSTS - all caps, no extension) Additional
tutorials here:
http://www.spywarewarrior.com/viewtopic.php?t=410
(overview)
and here:
http://www.bleepingcomputer.com/forums/tutorial51.html (detailed)
Lastly, with regards to cookies: An overview of the approach I recommend,
courtesy of Mel's Spyware Tools, here:
http://homepage.cooketech.net/~cybermel/Mel's Spyware Tools and Ad Blockers.html
XML-Menu for IE6 - (
https://netfiles.uiuc.edu/ehowes/www/main.htm, click on
IE6 Tools on website) "This package contains a full menu of custom Import
XML files that can be used to manipulate IE6's handling of cookies in the
Internet and Trusted zones (the Privacy tab controls only the Internet
zone). The files are divided into three sets: one "short list" of
recommended files, and two "advanced" lists containing a wide range of
possible Privacy configurations. The ReadMe covers the basics of using
custom XML Import files and details all the files that are available. A
..REG file that can be used to restore the default Privacy tab settings is
included."
This is the technique that I use and, while I do very infrequently have to
override on some sites that don't have a Privacy Policy in place, I've found
it almost infallible in stopping bad cookies (I use 1-e, BTW) FWIW, MVP
Eric Howes' site, above, is one of the very best on the net with regard to
anything having to do with security. Very Highly Recommended.
--
Please respond in the same thread.
Regards, Jim Byrd, MS-MVP
In
