Topic: Stupid Spyware  (Read 5246 times)


Offline Pestalence_XC

Re: Stupid Spyware
« Reply #20 on: July 04, 2004, 12:06:13 pm »
OK.. my site is down at the moment.. so I moved the HTML file to SFCx for the time being...

Please remember that the links to the software will not work (they will work to the sites listed, but not the actual software listed) as the software I have is hosted on nightsoft. The instructions are listed on the page below.

http://www.sfcx.org/downloads/mirrors/Pestalence/IE.html

Hope that this helps.
"You still don't get it, do you?......That's what he does. That's all he does! You can't stop him! It can't be bargained with. It can't be reasoned with. It doesn't feel pity, or remorse, or fear. And it absolutely will not stop, ever, until you are dead!"

Member :
Xenocorp / Dynaverse.net Moderator & Beta Test Team
SFC 4 Project QA Coordinator
Taldren Beta Test Team
14 Degrees East Beta Test Team
Activision Visioneers SFC 3 Beta Test Team

Offline AdmWaterTiger-11thFleet-

Re: Stupid Spyware
« Reply #21 on: July 04, 2004, 01:43:06 pm »
Good site for SpyWare fixes.

http://www.tomcoyote.com
http://www.spartanvanguard.com/
http://www.stcd.sgnonline.com/users/trimodyards/



KoraH: "Remember my advice to you Wade, that you should drop SFC ...  you will find that all you have to put up with to do so is going to sour the sweetness of your hard work."

Offline Clark Kent

Re: Stupid Spyware
« Reply #22 on: July 04, 2004, 02:09:11 pm »
And it continues to get worse.  I can't manage to get anything I want DLed because whatever this crap is it's using up just about everything in my connection to DL new spyware, meaning more ads that screw everything up even more.  The computer itself is running at a snail's pace right now, so I think I'll use what's left of my processing power for a backup then wipe the entire damn thing.  This seriously irritates me, since I haven't been going out and DLing questionable materials, just email, AOL and this board- and school work.  Right now I'm on my iMac, which thus far has proven impervious to things like this.  I'm running a virus scan right now, but the pace it's going it will take a few hours.  Once it's finished, if I don't come up with a virus I'll be commencing the wipe.
Stupid Windows.
Oh yes- I'm starting to get multiple messages to insert a windows install CD to provide system files that have apparently been deleted.  I think this thing is FUBAR.

EDIT:  System resources are now below 40% with no programs opened.
« Last Edit: July 04, 2004, 02:17:33 pm by Clark Kent »
CK

But tell me, can you heal what father's done?
Or fix this hole in a mother's son?
Can you heal the broken worlds within?
Can you strip away so we may start again?
Tell me, can you heal what father's done?
Or cut this rope and let us run?
Just when all seems fine, and I'm pain free, you jab another pin,
Jab another pin in me
-Metallica

Offline Mackie

Re: Stupid Spyware
« Reply #23 on: July 04, 2004, 02:49:27 pm »
actually there's only one program you need to get rid of spyware
AdAware
http://www.stupidfusion.com
________________
"Integrity is doing what is right even when the outcome is already known."

Offline Green

Re: Stupid Spyware
« Reply #24 on: July 04, 2004, 05:48:31 pm »
Thanks Pesty.  That looks like a pretty extensive prevention effort.  I've saved your guidance and will set aside a Saturday afternoon to get it done ... will be worth it.  Definitely looks good.  ::thumbsup::

Offline AdmWaterTiger-11thFleet-

Re: Stupid Spyware
« Reply #25 on: July 04, 2004, 08:05:44 pm »
> actually theres only one program you need to get rid of spyware
> AdAware


Ad-Aware doesn't catch half of it. TomCoyote.com has 7,000+ forum members for a reason. He supports Ad-Aware, but there is more than that it takes to clean up the junk.

Tell Tom hello and watch the staff go to work on the issues.

<S>


Offline Grim

Re: Stupid Spyware
« Reply #26 on: July 04, 2004, 08:11:02 pm »
Currently most of the programs out there can't remove a specific malware threat atm; when I was attacked by the CoolWebSearch hijacker, I tried various programs such as:

-Adaware
-Hijack this.
-Spybot
-Spyhunter
-CWShredder
-and various registry editing programs

I could remove it but then 2 days later I got reinfected; I ended up restoring my PC to factory settings and luckily it's fixed.

Great work by Pestalence and his tips, advice and knowledge concerning IE, but personally I would not use IE; Microsoft and various agencies advise that you don't til it's fixed.

Offline RogueJedi_XC

Re: Stupid Spyware
« Reply #27 on: July 04, 2004, 08:20:21 pm »
Great article, Pestalence. Two, maybe three, things I would change, though.

First, when you are discussing the security settings in IE, you leave the Microsoft VM Java Permissions level set to low. This is a monumentally bad idea. All of the hijackers put out this year get on your system using a hack into the MS Java VM. Always set the Java VM Permissions to Highest Safety.

Second, in the Advanced setting in Internet Options "Enable 3rd Party Browser Extensions" should be disabled at all times. Almost all hijackers install a BHO (Browser Helper Object), disabling this option kills half the hijacker.  Only turn this on if you use a known good toolbar, like Google's or MSN's (yeah, MSN's toolbar is actually pretty good). If you keep this enabled, keep track of what BHO's are running on your system.

Third, if you are using Sun's Java VM (and why aren't you?), then the MS Java VM settings on the Advanced tab (and perhaps the security tab, too) should be set to disabled. I don't think there's any conflict, but leaving the MS JVM running is like leaving your car unlocked but using the club to lock the steering wheel...

Also, CWShredder is your best friend. Use it before turning to Hijack This. CWShredder is aimed specifically at removing almost 2 dozen variants of hijackers. It's a damned good tool. I wish the guy who created it would open-source it so it could continue to be updated now that he's given up the race with the scum who write these things.

Ok, let's make it five things.  ;)
You mention disabling the messenger and alerter services to help block popups. First, this only applies to Windows 2000 and XP; second, if you got all the updates as mentioned earlier in the article, this is not necessary. Microsoft released a patch for the Messenger overflow almost a year ago. Most users can disable these two services, though, to free up a couple of megabytes of memory. They were originally intended for network admins and the like to send urgent messages (such as "We're shutting down the servers for patching in 5 minutes, close your pr0n sites now..." :D), but even they rarely ever use them. Starting with XP Service Pack 2 these services will be disabled by default.

Please take this constructive criticism as it's intended -- as constructive criticism. It is a very good article and is spot-on in all but the above 5 things. I do all of what you list, already... in addition to using Firefox instead of IE. But, that may be a political thing more than anything. :)
RogueJedi_XC
Xenocorp.net
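
The advice in the reply above to keep track of which BHOs are installed can be done by diffing the registry against a known-good list. This is an added example, not part of the thread or of any tool it mentions: it parses a `.reg` export of the Browser Helper Objects key plus the matching CLSID entries, and the sample export, CLSIDs and DLL paths in it are constructed.

```python
import re

BHO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
           r"\Explorer\Browser Helper Objects")
CLSID_KEY = r"HKEY_CLASSES_ROOT\CLSID"
CLSID_RE = re.compile(r"^\{[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$")

# Constructed sample export: the CLSIDs and DLL paths are made up.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-111111111111}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{22222222-2222-2222-2222-222222222222}]

[HKEY_CLASSES_ROOT\CLSID\{11111111-1111-1111-1111-111111111111}\InprocServer32]
@="C:\\Program Files\\ExampleToolbar\\toolbar.dll"

[HKEY_CLASSES_ROOT\CLSID\{22222222-2222-2222-2222-222222222222}\InprocServer32]
@="C:\\WINDOWS\\System32\\xqzt.dll"
'''

# Constructed baseline: the one toolbar this user knowingly installed.
BASELINE = {"{11111111-1111-1111-1111-111111111111}"}

def parse_reg(text):
    """Return {key_path: {value_name: data}} from .reg export text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            if data.startswith('"') and data.endswith('"'):
                # .reg string values escape backslash and quote with a backslash
                data = re.sub(r"\\(.)", r"\1", data[1:-1])
            current[name.strip('"')] = data
    return keys

def list_bhos(keys):
    """Map each registered BHO CLSID (upper-cased) to its DLL path, or None."""
    prefix = BHO_KEY.upper() + "\\"
    upper = {k.upper(): v for k, v in keys.items()}  # registry paths ignore case
    bhos = {}
    for path in upper:
        clsid = path[len(prefix):]
        if path.startswith(prefix) and CLSID_RE.match(clsid):
            server = upper.get(f"{CLSID_KEY}\\{clsid}\\INPROCSERVER32", {})
            bhos[clsid] = server.get("@")  # "@" is the key's default value
    return bhos

def unknown_bhos(keys, baseline):
    """Return the BHOs that are not in the known-good baseline."""
    known = {c.upper() for c in baseline}
    return {c: dll for c, dll in list_bhos(keys).items() if c not in known}

if __name__ == "__main__":
    for clsid, dll in unknown_bhos(parse_reg(SAMPLE_EXPORT), BASELINE).items():
        print(f"unrecognised BHO {clsid} -> {dll or 'no DLL registered'}")
```

Real version 5.00 exports are UTF-16, so read them with `encoding="utf-16"`; a BHO whose CLSID has no `InprocServer32` entry is reported with a DLL path of `None`.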

Offline Grim

Re: Stupid Spyware
« Reply #28 on: July 04, 2004, 08:25:27 pm »

Concerning CWshredder it is best to run the pc in safe mode then use CWshredder, then use hijack this then adaware, that should remove most of the easy to get rid of spyware.

Offline RogueJedi_XC

Re: Stupid Spyware
« Reply #29 on: July 04, 2004, 08:33:37 pm »

Absolutely correct. Also, you should run a full system scan with your antivirus program in safe mode at least once a month (once a week or more in normal mode, depending how paranoid you are).
RogueJedi_XC
Xenocorp.net

Offline Mackie

Re: Stupid Spyware
« Reply #30 on: July 04, 2004, 11:32:54 pm »
> > actually theres only one program you need to get rid of spyware
> > AdAware
>
> Ad-Aware doesn't catch half of it. TomCoyote.com has 7,000+ forum members for a reason. He supports Ad-Aware, but there is more than that it takes to clean up the junk.
>
> Tell Tom hello and watch the staff go to work on the issues.
>
> <S>

hrm guess I'm wrong then ; for me adaware has always done the job needed ;p

Offline Grim

Re: Stupid Spyware
« Reply #31 on: July 05, 2004, 07:55:17 am »

Just found this on Zdnet articles section:

Explorer hole finally filled
Robert Lemos
CNET News.com
July 05, 2004, 08:35 BST
   
A flaw that has left Windows users open to attack for the past nine months has been patched by Microsoft

Microsoft released on Friday a work-around for an Internet Explorer vulnerability that has left Windows users open to attacks for almost nine months.

The flaw, in an ActiveX scripting component, gained notoriety last month when it became the mechanism used by a network of compromised Web sites to install a malicious program on victims' computers. Microsoft has decided to plug the hole by turning off the ability for the ActiveX component to write to the operating system. The software giant published the work-around on its Web site and directed customers to use its Windows update service to download the patch.

Though Microsoft intends the change to become a standard configuration for Windows, the software giant is working on a more comprehensive solution, said Stephen Toulouse, security programme manager for Microsoft's security response centre.

"It is a permanent change, but it is an interim step -- we are still in the middle of our investigation," he said. "We have taken a look at the functionality in the product and seen that that functionality is really being used by attackers."

The change fixes a problem that allowed several compromised Web sites to infect visitors' PCs with a Trojan horse program, known as Download.Ject or JS.Scob.Trojan. The program would record the keystrokes and send them to an overseas email address. That Internet Explorer security issue and several others led some security experts to suggest that users should consider alternative browsers.

Microsoft's configuration change blocks the ability of the ADODB.screen ActiveX component to write to the PC's hard drive. ActiveX, which adds interactivity to Web sites viewed with Internet Explorer, has long been thought to have security issues.

This particular vulnerability has been known about for more than nine months, said David Endler, director of incident response for security company Tipping Point.

"Though written configuration hardening instructions have been available online for a while, it's nice to finally see this particular security tweak in Internet Explorer distributed to the masses, even if it's long overdue," he said.

Microsoft continues to study this issue and expects to release a more comprehensive patch. Moreover, the company is readying a major security update for Windows XP, known as Service Pack 2, that should be out later this summer.

If you use IE for browsing and you use XP I recommend you check updates.

Offline Gambler

Re: Stupid Spyware
« Reply #32 on: July 05, 2004, 09:42:38 am »



> The flaw, in an ActiveX scripting component, gained notoriety last month when it became the mechanism used by a network of compromised Web sites to install a malicious program on victims' computers. Microsoft has decided to plug the hole by turning off the ability for the ActiveX component to write to the operating system. The software giant published the work-around on its Web site and directed customers to use its Windows update service to download the patch.
>
> Though Microsoft intends the change to become a standard configuration for Windows, the software giant is working on a more comprehensive solution, said Stephen Toulouse, security programme manager for Microsoft's security response centre.



I wonder exactly wtf MS is doing allowing ActiveX to write directly to the OS in the first place?  Actually I bet it was part of Bill's goal of having the ability for people to run everything remotely.  Rent MS Office and then just use it from the Internet whenever you actually need it.  Need an additional component to your OS?  Just pay us for it and we'll activate it on your PC.
I'm a Man
But I can change
If I have to
I guess


WWJKD - What Would Jim Kirk Do

I thank God I grew up in an age when a kid could still play with things that could put his eye out.


Offline Green

Re: Stupid Spyware
« Reply #33 on: July 05, 2004, 03:59:30 pm »

> Absolutely correct. Also, you should run a full system scan with your antivirus program in safe mode at least once a month (once a week or more in normal mode, depending how paranoid you are).

RJ, what is the difference between running a scan in safe vs normal?  Am interested.

Thanks in advance.

Offline Clark Kent

Re: Stupid Spyware
« Reply #34 on: July 05, 2004, 04:09:17 pm »
Well, my restore is underway.  When I finally finished my backup I wasn't able to squeeze more than a percent or two out of the system, and most programs wouldn't even open- not to mention the fact that I wasn't able to gather enough power over my dialup to download anything, and the computer couldn't access any sites I wanted it to- it just ended up going to some spamware site.  The spamware protectors were not doing anything of consequence; for every program I disabled 3 more took its place, plus the one that I simply could not get rid of at all.  I'll be going back to base Windows ME, then I'll look into finally upgrading to Windows XP later today.
I hate doing this.
CK


Offline Clark Kent

Re: Stupid Spyware
« Reply #35 on: July 05, 2004, 05:56:06 pm »
Well, looks like no XP for me.  The copy I have was bought by my dad off of eBay as a 451 MB download.  Everything seemed legit, and still does, to the best of my knowledge, but his laptop does not come with any specific burning software, such as Adaptec Easy CD Creator like my computer has.   Also, his XP system will not accept my CD of CD Creator, and every time I've tried to copy this stupid file it has left me with an error message and an unusable CD, so there is no way for me to transfer this file to my computer and use it.  No XP for me.
I HATE windows.
CK


Offline RogueJedi_XC

Re: Stupid Spyware
« Reply #36 on: July 05, 2004, 07:18:43 pm »

> > Absolutely correct. Also, you should run a full system scan with your antivirus program in safe mode at least once a month (once a week or more in normal mode, depending how paranoid you are).
>
> RJ, what is the difference between running a scan in safe vs normal?  Am interested.
>
> Thanks in advance.

Safe Mode only loads a subset of the services, drivers, and programs that normal mode does. Most spyware, trojans, worms, and virii do not run in Safe Mode, so they are not able to stop the antivirus scanner from running (which has been all the fad with the script kiddies for at least the last year.). In general, you will find more stuff in safe mode than you would in normal mode, and you'll be able to delete more of that stuff (because the virii processes are not running in Safe Mode).
RogueJedi_XC
Xenocorp.net

Offline AdmWaterTiger-11thFleet-

Re: Stupid Spyware
« Reply #37 on: July 06, 2004, 10:05:57 am »

> Concerning CWshredder it is best to run the pc in safe mode then use CWshredder, then use hijack this then adaware, that should remove most of the easy to get rid of spyware.

Got it; easy, small safe.

Good stuff for browser hijackers.

<S>

WaterTiger

Offline Iceman

Re: Stupid Spyware
« Reply #38 on: July 07, 2004, 12:15:53 am »
Clark,

If you're good with your hands and technology, you could hook up the HDD with Win XP on it to the computer with the problems.

Just a thought, don't think you had thought of it.

Otherwise, I'd say god help you.  In all seriousness, I've never seen a spyware case this bad.  I got one a while back that would take over my IM program (AIM, Trillian, etc), put up an away message with a link to itself and send me to its homepage. It was like friends.scr or something. A friend of mine figured out how to get rid of it, but I'm on XP Pro, so I can't help ya.
I believe this belongs to you. -Commander Sheehan to Imperial Captain Smithy
"Wedge, it's amazing how deceptive you can be without actually lying." -Tycho Celchu

Offline Clark Kent

Re: Stupid Spyware
« Reply #39 on: July 07, 2004, 01:21:50 am »
Actually, that's a good idea, but I don't think I have the parts necessary to connect a laptop HD up to a desktop computer, but who knows, maybe I could find a way.  Dang, now I want to see if I can pull that off.
The computer is up and running again, reformatted and reinstalled, so all is well, for the moment anyways.
CK
