Official Anti-Spyware info thread

Shadow2531 said:
For Ad-Aware, I think it sometimes falsely detects the presence of vx2 narrator spyware. Ad-Aware has a tool to detect and remove it. I've encountered a situation where the tool does not detect it and all other anti-spyware tools will clean it and then show no infections, but Ad-Aware itself shows that there's still an infection. Ad-Aware will report that a different, random dll is infected each time you restart the computer and trying to clean the file will cause explorer to restart. Ad-Aware very well may be right, but consider that it might be a false positive.

I have had the MS tool successfully remove vx2. YMMV.
 
Very nice guide, but I have a few suggestions.

First of all, if you have other people in the household, especially if you have kids who use the PC, it may be best to make limited accounts. Many people may not like this idea, but it should be mentioned as an option.

Also, there are more options than Sygate. I myself like Outpost.

A custom hosts file is also good. I use this more for blocking ads, but it does help with spyware. However, you should know the hosts file can easily be modified by spyware.

I also recommend the program called SpywareBlaster.

Also this may help for people wanting to look at their own hijackthis logs.
http://aumha.org/a/hjttutor.htm

Generally the tips in this guide are good.
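As an added example (not code from the thread), here is a Python check for the caveat in the post above that the hosts file can itself be modified by spyware: it parses a hosts file and reports any entry that blackholes or redirects an update or security-vendor domain, which is how a blocklist-style hosts file gets turned against you. The vendor list and the sample hosts content are constructed for the example.

```python
"""Audit a Windows hosts file for entries that hijack update or security sites.

Added example, not from the thread. The vendor list is an assumption for the
example; the sample hosts text is constructed, not taken from a real machine.
"""
import ipaddress

# Domains a blocklist-style hosts file should never map anywhere (assumption;
# extend with the vendors you actually rely on).
PROTECTED_SUFFIXES = (
    "windowsupdate.com",
    "microsoft.com",
    "lavasoftusa.com",
    "safer-networking.org",
    "grisoft.com",
    "mcafee.com",
    "symantec.com",
)

# Constructed sample: two harmless ad blocks followed by three hijack entries.
SAMPLE_HOSTS = """\
# constructed sample, not a real hosts file
127.0.0.1       localhost
127.0.0.1       ads.example-adserver.test       # legitimate ad block
0.0.0.0         tracker.example-counter.test
127.0.0.1       www.windowsupdate.com           # hijack: blocks patching
10.99.1.5       download.lavasoftusa.com        # hijack: redirected elsewhere
127.0.0.1 safer-networking.org  www.safer-networking.org
"""


def parse_hosts(text):
    """Yield (address, hostname, line_no) for every mapping in a hosts file."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and padding
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not an address-to-name mapping; ignore
        for host in fields[1:]:
            yield str(addr), host.lower().rstrip("."), line_no


def is_protected(host):
    """True if host is one of the protected domains or a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in PROTECTED_SUFFIXES)


def audit_hosts(text):
    """Return findings for protected domains that a hosts file remaps."""
    findings = []
    for addr, host, line_no in parse_hosts(text):
        if not is_protected(host):
            continue
        ip = ipaddress.ip_address(addr)
        if ip.is_loopback or ip.is_unspecified:
            reason = "blackholed (site unreachable, updates and signatures blocked)"
        else:
            reason = "redirected to %s (possible impostor host)" % addr
        findings.append({"line": line_no, "host": host, "address": addr, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print("line %(line)d: %(host)s -> %(address)s: %(reason)s" % f)
```

Run it against the real file by passing the contents of %SystemRoot%\System32\drivers\etc\hosts to audit_hosts; a clean blocklist produces no findings, while the sample above reports the three hijack lines.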
 
Another tip is to run spyware scans either in safe mode or at least disconnected from the internet to keep programs from redownloading and installing themselves.
 
OK, here's my "standard" approach to removing spyware. I have had pretty good luck recently with removing quite a bit of spyware from machines.

First, grant the user's profile admin rights. Some of this junk can't be removed w/o it, yet it can install just fine with user rights... :rolleyes: whatever. Logging in as admin, or another account with admin rights, won't do it either. There is junk that's loaded in that specific profile. If you have multiple user profiles with spyware, you will have to do this process for each profile.

Next, run Windows Update, but don't apply SP2 if you have not already done it. SP2 doesn't play well with "dirty" machines like ones with spyware. I'd recommend you clean the machine as much as possible before applying SP2. That's another can of worms. It's my belief that some spyware is using virus-like exploits to install itself, meaning you can get spyware from buffer overflow commands instead of a virus. So get the core security patches for your SP version (SP1 is pretty much required, SP2 will be soon, but not at the time of writing this).

Next, reboot into safe mode and run scans. Some spyware cannot be removed w/o loading into safe mode. Run HijackThis, MS Anti-Spy, and Ad-Aware SE doing *full scans*, not the "intelligent" scans. Export the HJT log to a text file, and analyze it *on another machine* at the http://htj.iamnotageek.com site, since you're in safe mode and don't have internet access on this machine. You may get away with just running the two scanners and skipping HJT. Remove all spyware and settings found with these programs. Run the browser hijack restore in MS Anti-Spy's advanced tools.

Note, when in safe mode, you are not loading drivers, like your chipset and video drivers. Scans will run slower in safe mode vs. normal mode.

Rinse and repeat rebooting into safe mode and scanning until no spyware is found. Good Luck.

 
My experience with istsvc.exe: I tried everything from Ad-Aware, HijackThis, shutting down the process manually and trying to delete it, plus 3 other programs that would "help"; spent time rebooting and booting into safe mode, deleting reg keys and deleting the program, but it kept coming back! Early on I thought I should visit the website of the maker of istsvc. But why should I... This stuff is similar to a trojan horse; why would they offer an uninstall? So a week later, and probably having shortened the life of my 2 $$$ drives, I decided to visit www.isearchtech.com and well, there was an uninstall :rolleyes: worked fine the very first time, took a couple of secs, no rebooting necessary, that was it. I felt like an idiot when I pressed ctrl+alt+del to find I could identify each and every process, and looked over all the different ways spyware attacks the registry and msconfig, and all reg values wiped clean. :D

Lesson learned :( Check the maker of the spyware's website first from now on :D
 
well, very useful infoz in your replies, now a little add from me:
1) F-Secure Internet Security 2005 and u don't need anything else (RAM needed. really;)


but if u have slower compz u may install some other antivirus and firewall and use this firewall nonstop, and sometimes do the full scan via antivir
good firewallz:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-=-=-=
¤ BlackIce (probably the best in the world )¤
¤outpost ¤
¤visnetic ¤
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
u may also try Panda's products

aha, there is a 2nd way to keep the pc in good condition:

there are some PCI cards that can restore the structure of your hard disk (even if u do format c: and so on ... i don't know the exact name of this but i think u have heard about it)
 
just a minor quirk. if adware uses trojan tactics and polymorphic code to invade computers, wouldn't it be logical to use polymorphic anti-spyware programs, programs that are stealthed and hidden from the detection systems used by adware?

as for blackice....it failed grc.com's test repeatedly so i don't recommend it. use a free and reliable one such as sygate as they also have online tests for firewall capabilities ^^

i use:

spybot s&d

adaware SE

spywareblaster

AVG antivirus free home edition(surprisingly, it can remove quite a number of trojans and it updates nearly daily)

sygate personal firewall free edition

i use these personally and my ram at bootup is near 400mb free (512 stick)

it's not wise to put all your eggs in one basket imho.
 
For the brave and foolhardy (and/or power user types :D ), learn the uses of the advanced tools in HijackThis and SpyBot S&D. HJT's "Remove Services" tool is worth its weight in gold, especially for killing ISTSVC infestations...

I'll recommend CastleCops, and point you to Subratam.org as well for good info and a lot of help.

My standard toolkit when beating this slime into oblivion:

HijackThis
CWShredder
DLLCompare ( tutorial )
KillBox
VX2Finder ( tutorial )
LSP-Fix

From McAfee, the Stinger mini-scanner

SpyBot: Search & Destroy (Accept NO substitutes!)
Ad-Aware SE Personal

To fix the inevitable damage to the TCP/IP stack: WinSockFix

And, to prevent the crap from getting a foothold in the first place:

Avast! Antivirus (free for home use)
Opera
FireFox or Mozilla
 
a rootkit will hide a virus or spyware from any scan

Chuck said:
[H]ardNews 2nd Edition Saturday April 16th

Rooting around Windows:
Rootkits in a Windows environment stealth more vicious code, like worms, viruses or spyware, and are becoming pretty common in the latter. If your scanner can't see it, it can't remove it. In all the excitement of patch day, many may have missed that Microsoft's Malicious Software Removal Tool has a new update for rootkits.

"It is the first time Redmond has added rootkit detection capabilities to the free Malicious Software Removal Tool, a move that underscores the increased prevalence of stealth rootkits on Windows machines.
In all, Toulouse said four child variants of the stealth rootkit will be detected. Hacker Defender (Win32/Hackdef) is a family of backdoor Trojans capable of creating, changing and hiding Windows system resources on a computer that it has infected."



Rooting the Finnish Way
F-Secure has a new beta rootkit detection tool that is free to use until May 1st, F-Secure BlackLight Beta.
As well as specific malware freeware removal tools, including the popular F-Secure Anti-Virus for DOS.

"The rootkit itself doesn't typically cause deliberate damage. Its purpose is to hide software. But rootkits are used to hide malicious code. A virus, worm, backdoor or spyware program could remain active and undetected in a system for a long time if it uses a rootkit. The malware may remain undetected even if the computer is protected with state-of-the-art antivirus. And the antivirus can't remove something that it can't see. The threat from modern malware combined with rootkits is very similar to full stealth viruses that caused a lot of headache during the MS-DOS era. All this makes rootkits a significant threat."


Pro Rooting
Sysinternals RootkitRevealer is another freeware rootkit tool that has a bit more advanced interface and compares the highest level of the Windows API and the lowest level of the raw contents of a file system volume or Registry hive and looks for discrepancies.

"Since persistent rootkits work by changing API results so that a system view using APIs differs from the actual view in storage, RootkitRevealer compares the results of a system scan at the highest level with that at the lowest level. The highest level is the Windows API and the lowest level is the raw contents of a file system volume or Registry hive (a hive file is the Registry's on-disk storage format). Thus, rootkits, whether user mode or kernel mode, that manipulate the Windows API or native API to remove their presence from a directory listing will be seen."
 
It's good to know that most people are educated enough to use Ad-Aware or Spybot or SpySweeper, but running these programs will not get rid of everything. In this post I will give an overview on how to get rid of ALL spyware, guaranteed!

Note: You will probably want to download the programs and updates listed here BEFORE going into safe mode. It is best to download them off another computer and burn them to a CD or put them on a USB drive. If your internet does not work in safe mode, and you need it, try "Safe Mode with Networking".

First, turn off System Restore. Right-click My Computer, click on the System Restore tab and turn it off there. You can turn this back on when you are finished with this.

You are going to want to perform all operations in "Safe Mode".
Reboot your computer, and hit "F8" right before Windows starts to load. Then choose "Safe Mode" on the list.

Once you're in safe mode, you are going to want to clean up all unnecessary garbage on your computer. To start, delete these folders:

C:\temp
C:\windows\temp
C:\documents and settings\"your user name"\local settings\temp
C:\documents and settings\"your user name"\temporary internet files

Note: some of these folders may not exist

Then, from My Computer, right-click the C: drive, and hit Properties. Click on "Disk Cleanup", and delete everything it finds.

Next, you are going to want to run some programs.

First, download and run "Microsoft AntiSpyware", found here:

Microsoft AntiSpyware

After it is done downloading, install and run the program. Wait for it to finish scanning, and let it repair and delete everything it finds.

Reboot your computer, again into safe mode. Now, download Spybot

SpyBot

and Adaware

AdAware

Install and run both these programs, and fix everything they find.

Then, reboot again into safe mode.


*This next part is more tricky and requires user discretion on what to fix*

First, click Start and Run, and type "msconfig". In this program, click the "Services" tab. Click the "Hide all Microsoft services" box first.

Uncheck the box of everything that looks bad, such as "WinTools" or "eBates". If you see something familiar, such as "Norton services" or "wan miniport driver" or anything you are unsure of, leave it checked.

Next, move to the last tab, "Startup". Uncheck the box of anything that looks malicious, such as "Webrabate01" or "zdrwerxdf.exe". Check where the program is stored, the file path, and make sure it isn't something that you want. Files stored directly in C:\, C:\windows or C:\windows\system32 are a bad sign, especially if their filenames look random.

After you are done, hit "Apply", "Ok" and then reboot, yet again, into safe mode.

Now you need to download HijackThis, a great program for deleting all kinds of hidden spyware. You can download it for free here:

HijackThis

Install it and run "System Scan". After it finishes searching, you will have a large list of items. Read each one and check the box if it looks bad. Most of the things listed will be bad, but some things such as printer utilities and antivirus services will be listed too. You can probably go ahead and delete all BHOs, and for anything that looks very weird, or that you don't recognize as something you use or installed, check the box. When you are done, hit "Fix selected items". It will make backups, just in case. When this is done, you are probably totally virus and spyware free, or very close to it.

If you cannot access the internet, it is probably because of LSPs; you can download the LSP fix utility here:

LSP Fix

Run the program, and click "I know what I am doing". Then click "Finish"; it will remove everything in the remove category. If there is nothing in this category, then your system is probably clean from LSP exploits.

*This last part requires more knowledge on what to delete and what to keep*

First, go into My Computer, then click Tools, and hit Folder Options. Go to the View tab and click the "Show hidden files" button. Additionally, uncheck "Hide file extensions for known types" and DO check the "Show contents of system folders" boxes.

To make things easier, click the Folders button at the top of the screen to make a tree view. Then go to View --> Details, and click Arrange Icons by Type. Then go back to Folder Options, View and hit "Apply to all folders".

Now, open up "My Computer" and browse to the Program Files directory. Delete any folders that you see to be obviously spyware. Make sure you look in C:\program files\common files too. Culprit folders will look like Mysearch, GAIN, Lycos, istbar, Save, Wildtangent (wt), and many others that look like possible adware.

If you are more proficient at checking your operating system, look in the C:\, C:\windows, and C:\windows\system32 folders for culprit .exe files, such as hidden .exe's and garbled names or obvious spyware files. Some common ones may be:

-msbb.exe
-anything with a spyware name as an installer
-rundll16.exe
-lasas.exe
-ie.exe
-etc...

After all this is done, reboot one last time to make sure everything is working, and then empty the recycle bin. Your system should now be fully cleaned, anything that gets past this will probably mean you will have to wipe your system out.

That's my old writeup, I need to add prevention techniques like Firefox ;).

Safe Mode is your friend, and don't forget KillBox, HijackThis, Processguard or LSP Fix!
 
I had to use BartPE to delete some files that weren't able to be removed while Windows was running. Of course you could use some old DOS command line bootup tool, but who the hell doesn't want an interface to work with? :)

BartPE

What is BartPE and PE Builder?


Bart's PE Builder helps you build a "BartPE" (Bart Preinstalled Environment) bootable Windows CD-Rom or DVD from the original Windows XP or Windows Server 2003 installation/setup CD, very suitable for PC maintenance tasks.

It will give you a complete Win32 environment with network support, a graphical user interface (800x600) and FAT/NTFS/CDFS filesystem support. Very handy for burn-in testing systems with no OS, rescuing files to a network share, virus scan and so on.
This will replace any DOS bootdisk in no time!
And yes, it can load Ad Aware and at least a few more spyware removal tools!
 
Here is one that has not been mentioned...


...create a separate USER account for your normal everyday account.

On my workstation at home, I use two accounts:

ADMIN ---> Password-protected administrator account used only for making system changes (registry, page-file, etc.) and installing authorized software packages.
USER ---> Locked-down (...and I mean LOCKED-DOWN!!) user account. Mostly ONLY read & execute access to the system & boot volume(s), and modify access on program directories that require it (i.e. certain games that have 'save' directories or config files stored in the game's main directory as opposed to the user's profile!).


Also, if I can't get a specific program to work under the USER account (...due to the program being improperly written or designed for NT's multi-user environment), I simply use the 'run as' option for that specific program. However, I try to avoid this when possible, because any foreign app/virus/program that exploits the app running under 'admin' privileges can potentially do anything it likes with the system.

I hope this helps. Using the above methodology virtually ELIMINATES the ability of viruses and spyware to infect the system. Malware that happens to get through is usually taken care of by my virus and spyware-detection apps (McAfee VirusScan Enterprise v8.0i, and Microsoft Anti-Spyware/Spybot respectively!).
 
Don't forget eTrust PestPatrol! when fixing spyware problems, it fixes what spybot/adaware/spysweeper can't find 100% of the time.
 
Anti-adware misses most malware
(about 6 months old at this point, scroll down)
Now that 80% of home PCs in the U.S. are infected with adware and spyware, according to one study (pdf), it turns out that nearly every anti-adware application on the market catches less than half of the bad stuff.

Product                      Adware Fixed   False Pos.
Giant AntiSpyware            63%            0
Webroot Spy Sweeper          48%            0
Ad-Aware SE Personal         47%            0
Pest Patrol                  41%            10
SpywareStormer               35%            0
Intermute SpySubtract Pro    34%            0
PC Tools Spyware Doctor      33%            0
Spybot Search & Destroy      33%            0
McAfee AntiSpyware           33%            9
Xblock X-Cleaner Deluxe      31%            1
XoftSpy                      27%            3
NoAdware                     24%            0
Aluria Spyware Eliminator    23%            3
OmniQuad AntiSpy             16%            1
Spyware COP                  15%            0
SpyHunter                    15%            1
SpyKiller 2005               15%            2

an ounce of prevention is worth a pound of cure :p

direct download of symantec's > noscript.exe
and processguard (freeware version)
more or less a firewall for the kernel

install it, reboot, rightclick on the taskbar icon (or desktop icon) > Main Tab uncheck learning mode > security tab remove all > protection tab remove all > close reboot and start approving processes your sure of

here are the W2K\XP Default Processes
add in your browser and research the rest as they are requested
(you make a rule for each process; if you don't check the box you're either allowing or denying that process only once, just like a rule-based firewall)
 
addendum

http://www.wilsonmar.com/1wsh.htm
Script Execution Security


One way to disable the execution of ALL such files is from within Windows Explorer. Right-click on a .vbs file (of Type “VBScript Script File”) and select Open With. Instead of being executed by the “Microsoft Windows Based Script Host” program, Choose Program... and select a program that cannot execute files, such as “Notepad” or “Wordpad”. This will cause the script file to be opened for editing.

This action changes the Open registry key under HKEY_CLASSES_ROOT\ VBSFile\ Shell to

%SystemRoot%\System32\Notepad.exe %1 rather than
%SystemRoot%\System32\CScript.exe "%1" %*

With this change, if you need to execute a VBScript, in MS Windows Explorer, right-click on the file and select Execute VBScript.

Repeat the above actions for two other extensions:

.js (in Reg. key HKCR\JSFile)
.wsh (in Reg. key HKCR\WSHFile)
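An added Python example (not from the thread or from the quoted wilsonmar.com page) for verifying the result of the change described above on each of the three file types. It assumes the keys were exported with reg.exe (for example `reg export HKCR\VBSFile vbs.reg`, which writes UTF-16 text; read it with encoding="utf-16"), parses both the quoted and the hex(2) forms a REG_EXPAND_SZ default value takes in an export, and reports whether each type is opened by a script host (WScript.exe or CScript.exe) or by an editor. The sample export is constructed with the block's own encoder rather than taken from a real machine.

```python
"""Check which program the VBSFile/JSFile/WSHFile "Open" verbs launch, from a
reg.exe export of those keys.

Added example, not from the thread or from the quoted wilsonmar.com page. It
assumes the keys were exported with reg.exe (e.g. "reg export HKCR\\VBSFile
vbs.reg", which writes UTF-16 text; read it with encoding="utf-16"). The
sample export is constructed here with the block's own encoder.
"""
import re

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
SAFE_VIEWERS = ("notepad.exe", "wordpad.exe", "write.exe")
KEY_RE = re.compile(
    r"^\[HKEY_CLASSES_ROOT\\(?P<ftype>[^\\\]]+)\\Shell\\Open\\Command\]$", re.IGNORECASE)


def reg_hex2(value, per_line=25):
    """Encode a string the way reg.exe exports REG_EXPAND_SZ values:
    'hex(2):' followed by comma-separated UTF-16LE bytes, wrapped with '\\'."""
    octets = ["%02x" % b for b in (value + "\0").encode("utf-16-le")]
    lines = [",".join(octets[i:i + per_line]) for i in range(0, len(octets), per_line)]
    return "hex(2):" + ",\\\n  ".join(lines)


def decode_reg_value(raw):
    """Turn the text after '@=' into the stored string (quoted or hex(2) form)."""
    if raw.startswith('"') and raw.endswith('"'):
        return re.sub(r"\\(.)", r"\1", raw[1:-1])  # unescape \" and \\
    if raw.lower().startswith("hex(2):"):
        data = bytes.fromhex(raw[7:].replace(",", "").replace(" ", ""))
        return data.decode("utf-16-le").rstrip("\0")
    raise ValueError("unsupported value form: %s" % raw[:16])


def parse_open_commands(text):
    """Map file type (VBSFile, JSFile, ...) to its Shell\\Open\\Command default value."""
    commands = {}
    ftype = None
    pending = None  # partially read hex(2) value continued with a trailing '\'
    for line in text.splitlines():
        line = line.strip()
        if pending is not None:
            pending += line.rstrip("\\")
            if not line.endswith("\\"):
                commands[ftype] = decode_reg_value(pending)
                pending = None
            continue
        m = KEY_RE.match(line)
        if m:
            ftype = m.group("ftype")
        elif line.startswith("@=") and ftype:
            raw = line[2:]
            if raw.endswith("\\"):
                pending = raw.rstrip("\\")
            else:
                commands[ftype] = decode_reg_value(raw)
    return commands


def audit_script_handlers(text):
    """Return {file type: (handler program, verdict)} for each exported key."""
    verdicts = {}
    for ftype, command in parse_open_commands(text).items():
        m = re.match(r'"([^"]+)"|(\S+)', command)
        program = (m.group(1) or m.group(2)).rsplit("\\", 1)[-1].lower()
        if program in SCRIPT_HOSTS:
            verdict = "double-click executes the script"
        elif program in SAFE_VIEWERS:
            verdict = "double-click opens the script for editing"
        else:
            verdict = "unrecognised handler, check it by hand"
        verdicts[ftype] = (program, verdict)
    return verdicts


# Constructed sample: VBSFile already switched to Notepad (stored as a plain
# quoted string), JSFile still on the default script host (stored as hex(2)).
SAMPLE_EXPORT = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    "[HKEY_CLASSES_ROOT\\VBSFile\\Shell\\Open\\Command]",
    '@="\\"%SystemRoot%\\\\System32\\\\Notepad.exe\\" \\"%1\\""',
    "",
    "[HKEY_CLASSES_ROOT\\JSFile\\Shell\\Open\\Command]",
    "@=" + reg_hex2('"%SystemRoot%\\System32\\WScript.exe" "%1" %*'),
    "",
])

if __name__ == "__main__":
    for ftype, (program, verdict) in audit_script_handlers(SAMPLE_EXPORT).items():
        print("%-8s %-12s %s" % (ftype, program, verdict))
```

Export all three keys into one file (or concatenate the exports) and feed the text to audit_script_handlers; any type still reported as "executes the script" has not had the Open With change applied.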
 
Here is a good list of apps that pretend to be anti-spyware but aren't

http://www.spywarewarrior.com/rogue_anti-spyware.htm

Also, I have noticed a lot of misinformation about using HijackThis. Like deleting all BHO's.
Or the assumption that most things are bad and can be fixed. These are both not good advice.

Neither is the advice "if you don't know what it is, fix it" good.

If you don't know what you're doing, ask for help in a forum like http://forums.tomcoyote.org
It's easy to make things worse or break things altogether. In addition some stuff (like About:Blank) needs to be removed in a specific way or it can mutate into a nightmare.

One further note.

Automated HJT log parsers are wrong a lot. Don't use one as your only resource in fixing an HJT log.

m


(edited spelling)
 
its best to keep track of your HijackThis logs
rerunning it after you install any software
so you know what is a legitimate entry and keeping that master list handy ;)
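To keep the master list of HijackThis entries suggested above, and to apply the earlier post's rule of thumb that startup items living directly in C:\, C:\windows or C:\windows\system32 with random-looking names deserve a second look, here is an added Python example (not code from the thread or from HijackThis). It parses two HJT logs, reports entries that are new since the baseline, and lists the warning signs each new entry shows. The two logs are constructed in HJT's line format with placeholder CLSIDs; the regexes, the suspicious-directory list and the random-name heuristic are this example's own assumptions.

```python
"""Diff HijackThis logs against a baseline and flag new entries with the
warning signs discussed in this thread.

Added example, not code from the thread or from HijackThis. The two logs are
constructed in HJT's line format with placeholder CLSIDs; the regexes, the
suspicious-directory list and the random-name heuristic are assumptions.
"""
import ntpath
import re

BASELINE_LOG = """\
Logfile of HijackThis (constructed sample, taken right after a clean install)
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Bar = http://www.google.com/ie
O2 - BHO: Example PDF Helper - {AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE} - C:\\Program Files\\Example\\PDF\\pdfhelper.dll
O4 - HKLM\\..\\Run: [ccApp] C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe
O4 - HKLM\\..\\Run: [SunJavaUpdateSched] C:\\Program Files\\Java\\jre1.5.0\\bin\\jusched.exe
"""

CURRENT_LOG = """\
Logfile of HijackThis (constructed sample, after some weeks of use)
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Bar = http://search.example-hijack.test/sb
O2 - BHO: Example PDF Helper - {AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE} - C:\\Program Files\\Example\\PDF\\pdfhelper.dll
O2 - BHO: (no name) - {12345678-1234-1234-1234-123456789ABC} - C:\\WINDOWS\\system32\\zdrwerxdf.dll
O4 - HKLM\\..\\Run: [ccApp] C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe
O4 - HKLM\\..\\Run: [SunJavaUpdateSched] C:\\Program Files\\Java\\jre1.5.0\\bin\\jusched.exe
O4 - HKLM\\..\\Run: [msbb] C:\\WINDOWS\\msbb.exe
O4 - HKCU\\..\\Run: [QuickTime Task] C:\\Program Files\\QuickTime\\qttask.exe -atboottime
"""

ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.+)$")
# First drive-rooted path ending in an executable extension, spaces allowed.
PATH_RE = re.compile(r"(?P<path>[A-Za-z]:\\.*?\.(?:exe|dll|com|scr))", re.IGNORECASE)
# Directories the thread singles out: a file sitting directly in one of these
# (rather than under Program Files) is a warning sign.
SUSPICIOUS_DIRS = {"c:", "c:\\windows", "c:\\windows\\system32"}


def parse_log(text):
    """Return the (kind, body) pairs of an HJT log, e.g. ("O4", "HKLM\\..\\Run: ...")."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return entries


def diff_logs(baseline, current):
    """Return (new, gone): entries added since the baseline and entries removed."""
    base = set(parse_log(baseline))
    cur = parse_log(current)
    new = [e for e in cur if e not in base]
    gone = sorted(base - set(cur))
    return new, gone


def entry_path(body):
    """Extract the executable or DLL path from an O2/O4 entry body, if any."""
    m = PATH_RE.search(body)
    return m.group("path") if m else None


def looks_random(stem):
    """Crude check for gibberish names such as zdrwerxdf: long and nearly vowel-free."""
    letters = [c for c in stem.lower() if c.isalpha()]
    if len(letters) < 7:
        return False
    vowels = sum(c in "aeiouy" for c in letters)
    return vowels / len(letters) < 0.25


def warning_signs(kind, body):
    """List the warning signs a new entry shows (empty list means nothing obvious)."""
    signs = []
    if kind in ("R0", "R1"):
        signs.append("IE start/search setting changed")
    if kind == "O2" and "(no name)" in body:
        signs.append("BHO without a name")
    path = entry_path(body) if kind in ("O2", "O4") else None
    if path:
        directory = ntpath.dirname(path).lower().rstrip("\\")
        if directory in SUSPICIOUS_DIRS:
            signs.append("file directly in %s" % directory)
        stem = ntpath.splitext(ntpath.basename(path))[0]
        if looks_random(stem):
            signs.append("random-looking filename %s" % stem)
    return signs


def review(baseline, current):
    """Return [(kind, body, signs)] for every entry that is new since the baseline."""
    new, _gone = diff_logs(baseline, current)
    return [(kind, body, warning_signs(kind, body)) for kind, body in new]


if __name__ == "__main__":
    for kind, body, signs in review(BASELINE_LOG, CURRENT_LOG):
        print("NEW %s - %s" % (kind, body))
        for s in signs:
            print("    ! " + s)
```

The signs are hints for a human reading the log, not a verdict: the QuickTime entry above is new but shows none, while the unnamed BHO in system32 with a gibberish name collects three. Save the log from a known-good state as the baseline and re-run review after each software install, as the post suggests.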
 
I'm still finding MS Anti-spyware + Ad-Aware + HijackThis + safe mode = clean system.
 
I hate those polymorphic randomly named exe files; there is some sort of master process that watches over all of them, yet it's not found in task manager, or even the sysinternals process explorer. I can see it; if you delete it, it spawns another process of a different filename. The only way I removed it was to write down the name, pull the plug, and use the UBCD to delete it. AVG with latest updates did not find it... :( If you do a restart or shutdown in windows, it will only rename itself again because the author of the spyware dropper knows that we'll do that :rolleyes: Clever fuckers indeed, such a waste of programming knowledge.
 
Spyware Danger Meets Rootkit Stealth

&

Hackers turn to root kits for web attacks

"In our top 10 of malicious software, traditional worm viruses only take two out of the top 10 spots," said Mario Juarez, product manager for Microsoft's Security Business and Technology unit.

"But root kits are a growing problem. What is particularly worrying is how hard they are to get rid of; 57 per cent of reported duplicate deletions (where the same machine has to be cleaned twice) come from root kit re-infection."
 
Yeah, I used the rootkit revealer, found a few things, but I don't know if it involves me now removing printers and whatever... these new stealth startup methods are a real pain in my balls.

Update: Ok... for this one system I had, I deleted the registry keys that were found by rootkit revealer, and it seemed to stop the trojan droppers from loading. Wow, quite a fucker it was today. But the keys were very random in nature, and they seemed like vital key entries used by windows. Very risky to delete, but it went through for me. And the printers seemed to be infected so I removed them... oh man this is gonna be fun in the future.
 
[v]@bans said:
A nice loophole but hacking all the same. I sometimes see those "download this" dialogs, but I still get stuff installed. I just installed a fresh copy of win2k & I had to deal with spyware being installed, and just because I'm using an old version of software I should not have to worry about having spyware installed into my system.

As we speak I just had a "messenger Service" message saying that I have spyware installed on my system, but I just installed win2k a little over 12 hours ago, and I'm using firefox for my web browser. And this is the same message I got before I installed a fresh copy of win2k and I reformatted everything to get rid of it.. Whenever I reboot I get a program not responding msg for a program called "Your not supposed to see me". How? I just got online just last night? This stuff is real concerning, and I don't feel comfortable with the government being the middle man.


I guess you missed out on something that most PC users (on this forum anyways) already know...: Installing Win98, Win2k, WinXP (pre SP2) on a live Internet connection is like pissing into the wind... Unpatched OS's like that are like fresh meat for the Internet scum... It's been researched and documented (I've seen several articles) that in most cases, a fresh install of Win2k on a broadband connection WILL (!!!) get infested in less than 1hr(!!!!!!). Talk about being pissed off...

Couple pointers from my personal experience:
-NEVER connect a "fresh install" PC directly to the Internet. Use an Internet router. That right there eliminates 70~80% of the chances of catching something. If a router is not available, use a different PC to download some kind of firewall software (ZoneAlarm, Sygate, etc) and install it on the fresh PC.

-after installing the firewall ALWAYS get the latest OS patches from MS. Don't go wandering around the Net on an unpatched PC. There is always time for pr0n later... Much safer pr0n...:)

-after you get patches for your PC, install some kind of AV software (this one IS the best out of all free programs out there: http://www.free-av.com/ )

-then install Ad-Aware or others and keep up with their updates as well. I ALWAYS scan with AdAware after a night of heavy browsing.

BTW, I charge $150 for my "Spyware, Adware cleaning services", and half that for just reimaging somebody's drive with WinXP SP2, and you know what, people pay me 150 just so they don't lose their favorite screen saver which was probably the reason they got spyware in the first place.... Go figure..... :rolleyes:
 
^ very true ;)

generally I download & burn service packs from the enterprise download and any odd hotfixes with a secured computer, but if you can't:
How to Download Service Packs w\ Knoppix



my checklist

---------------------------------------------------------------
install Service Pack and hotfixes
close the vulnerable NetBIOS ports and cleanup bindings
Configure IPSec
Restrict access to LSA info

disable unnecessary services

disable Guest account
setup my user account
rename Administrator account
create fake Administrator account (disabled)
enable network lockout of the true Administrator account

Limit the number of logon accounts

remove the "Everyone" group and replace with "Authenticated Users" shares
disable default hidden shares, administrative shares, IPC$


disable HTML in e-mail
disable ActiveX
disabling or limiting WSH\VB\Java\JavaScript (install Script Defender, noscript.exe)
rename shscrap.dll to shscrapold;
Unhide File extensions, protected files, all files and folders


Enable Encrypted File System
Encrypt the Temp Directory
setup to clear the paging file at shutdown
lockdown the registry

disable dumpfile creation
remove insecure subsystems (OS/2 and POSIX)

protect or remove: arp.exe \ at.exe \ cacls.exe \ cmd.exe \ Command.com \ cscript.exe \ debug.exe \ edit.com \ edlin.exe \ finger.exe \ ftp.exe \ pconfig.exe \ Issync.exe \ nbtstat.exe \ net.exe \ Net1.exe \ netstat.exe \ netsh.exe \ nslookup.exe \ ping.exe \ posix.exe \ qbasic.exe \ rcp.exe \ regedit.exe \ regedt32.exe \ regini.exe \ rexec.exe \ rsh.exe \ route.exe \ Runas.exe \ runonce.exe \ telnet.exe \ tftp.exe \ tracert.exe \ Tlntsvr.exe \ wscript.exe \ xcopy.exe
remove the .reg file association from the registry editor
these all make it much harder for someone that has already compromised your computer
if there is a brain behind the attack (a hack or trojan) then they would need to re-enable these if they can, which might tip their hand; the same goes for an automated attack like a worm, if it could manage it at all, and many more minor pieces of malware\spyware rely on some of these for infection, or more accurately reinfection, like runonce.exe, regedit, etc, or as the vector for infection in more serious malware like ftp or telnet

Install and schedule trojan scanner, anti virus and intrusion detection
Install and configure ProcessGuard

Install Firefox and Lockout access to Internet Explorer with NTFS Permissions to all accounts other than the Administrative Account

configure security policy control
enable auditing (logon, object, privilege, account management, policy, system)
set permissions on the security event log
set account lockout policy
assign user rights
set security options
configure firewall
baseline RootkitRevealer

>>>>>>>>> connect to the internet


Test
Run Baseline Security Analyzer (freeware)
Run NessusWX (freeware)
Do multiple remote Port Scans

Software Install
install other software and baseline HijackThis & RootkitRevealer after each
Disable Restore Points (if XP) and Ghost the install

It's extremely rare any one box would get all of those
but I consider all of them

--------------------------------------------------------------------------------------------------------------------------------

then ideally hook it up behind a hardware firewall and monitor traffic into and out of the box with an IDS tap like Snort
 
Ice Czar said:
^ very true ;)

generally I download & burn service packs from the enterprise download and any odd .......................................................................................


Wow! For all that I'd have to charge at least $300... :eek:

On the Knoppix, I've used it before and find it quite a nifty boot-CD to have...
On that note, for the ultimate security, I vote to browse the Net using nothing but the Knoppix boot CD. I mean think about it: it has Mozilla, Office applications, it mounts vid cards, NICs and sound cards w/o problems (95% of the time ;) ), you still have access to the floppy, it'll mount your USB flash drives, and CDRW (if I remember correctly).
That said, there is no reason for a Joe-Shmoe to have a fully configured Dell just to F@#%K it up in the first hour of getting it out of the box. Like Dude, your PC got spammed...... :eek:

Mike
 
nothing like sailing the netherworld on a RAM drive and CDROM ;)
I regularly surf w\ Knoppix
 
Only a few people have mentioned this...

Pest Patrol is extremely good at removing pests from systems. When used in conjunction with Adaware, SpyBot 1.3/1.4, and then finishing off with HiJack this and a clean up in Msconfig makes a system clean as... well, clean.

Also, diverging (slightly), the same people who make Pest Patrol also make VET anti-virus, the best anti-virus program on the market we've found. From practical experience (no, I don't work for CA or get paid commission to sell their product, </disclaimer>), VET will pick up viruses that other programs, like Norton, McAfee etc simply don't. It uses little system resources and has a very good background protection service.

I only mentioned anti-virus because quite often viruses and spyware can be related and sometimes are the same.
 
Removing temp files can be a big help in getting rid of some of the wimpier tracking cookies etc. and lowering scan times at the very least. I use Crap Cleaner . The only thing to be aware of with it is that it only removes temps for the user that is logged on when it is run under winxp.

Microsoft's antispyware has been very effective in my experience though I have had some false positives with it. Download here

Also, make sure you turn off system restore. Leaving it running is a sure way to get re-infected almost immediately. If you don't know how to turn it off, here are directions.... http://support.microsoft.com/default.aspx?scid=kb;en-us;310405
 
I have been working for the past 5 years with the "guys in blue" and now the "guys in lame outfits" if you catch my drift. I would guess that about 95% of our daily business is removal of spyware and viruses. They have even developed an all encompassing price for both removals. So, over the course of the last year I have developed a sort of checklist for our newer and less experienced employees that will help them get rid of most spyware/virus problems. Usually this is in .xls with pretty logos and everything but I'm sure you bunch will get it just fine.

Virus Check/Removal
McAfee [ scanpm /adl /all ( /clean /append ) /report c:\virus.txt]
Housecall TrendMicro [http://housecall.trendmicro.com]
Temp Files/Manual Removal Of Temp Files For All User Accounts

Add/Remove Programs(check for known and uninstallable malware)


Ad-Aware SE 1.05 (Custom & Within Archive and ADS)

Spybot S&D 1.3

CWS

HijackThis 1.98.2 (Do Not Remove All!)

BHO Demon/Kazaa Begone/Misc Tools if applicable

Spysweeper 4.0

PestPatrol

Registry Cleanup( run reg scrubxp then ccleaner and lastly search for pestpatrol, webroot, pepimk, soeperman, spybot, hijackthis in registry)

Restore All Browser Settings To Default Settings For All User Accounts

Double Check
Microsoft Antispyware and Housecall Online
 
"They have even developed an all encompassing price for both removals"

Just out of curiosity, how much is that?

m
 
well I charge a flat $80 to disinfect a box, includes basic securing
(extensive securing pushes that to $130)
sometimes that is good money, other times it sux

the procedure above isn't a guarantee of disinfection either,
ignoring the potential for rootkits other than the tools for detecting them bundled in with Microsoft's AntiSpyware

and they are becoming depressingly common; in fact without comparative baselines and/or traffic monitoring it's getting harder and harder to definitively say it's 100% disinfected. All the dumb malware has been caught but there can still be an underlying issue.

The worst cases I've had were undocumented variants of the CWS trojan that on 2 occasions defeated me, being unable to invest more time in rooting out how it was reinstalling itself, but at least it was tipping its hand; combine that with a rootkit that goes undetected and everything looks OK yet is still rotten at the core.

In those 2 cases it was easier to save out data and do a fresh reinstall and config, then scan the data and put it back
 
I have been using Ad-Aware Personal SE, and AntiSpyware. My pc was still not up to speed. Now I just installed Spyware Doctor 3.2 for 29 bucks. Best money ever spent. I scanned first with Ad-Aware and it said I had 0 spyware. I scanned then with Spyware Doctor. It said I had 717! I cleaned it up and now my system is faster than ever.
 
Michigan PC said:
I have been using Ad-Aware Personal SE, and AntiSpyware. My pc was still not up to speed. Now I just installed Spyware Doctor 3.2 for 29 bucks. Best money ever spent. I scanned first with Ad-Aware and it said I had 0 spyware. I scanned then with Spyware Doctor. It said I had 717! I cleaned it up and now my system is faster than ever.
These programs (across the board) are ineffective in general. One program will detect spyware A, B, and C, but not X, Y, and Z. Another program will detect A, C, X and Y, but not B and Z.

Anyways, currently it's best to scan with multiple softwares, I use 3.
 
Of course, best practice is safe computing. I have all of those programs except the beta, but the scans always come up clean.

Always.
 
Of course safe computing is the best anti-spyware technique, but I'm willing to bet that anyone else who does repair work understands the futility of trying to get an "average" user to stop re-infecting themselves.

It's the porn. 1/3 of all the computers that enter my office do so loaded with porn and the drive-by installs from the porn sites....
 