Re: How secure is your Windows Computer?

From: Mimic (null_at_void.net)
Date: 05/04/04


Date: Tue, 4 May 2004 00:23:09 +0100


"E." <bellyup@thebar.now> wrote in message
news:4096b178@news.velocitynet.com.au...
> Mimic wrote:
>
> > "mailbox" <mailbox62001@yahoo.com> wrote in message
> > news:47730f14.0405022323.1038b307@posting.google.com...
> >
> >>Let's all go to our C:\Windows directory after we have made all of our
> >>files in this directory visible. Tell the group the names of the
> >>folders and files which show as a light color and let's discuss this.
> >>Dangerous code is always discovered in this directory, but you
> >>need to enable the Windows features to (view or show) all hidden
> >>files.
> >>
> >>Let's see how secure your computer actually really is!
> >>
> >>Tracker
> >
> >
> > OK debbs, how about you tell me, I don't have any "light color" folders
> > [hidden to normal people]. I do have:
> >
> > Docs && settings
> > inetpub
> > nvidia
> > program files
> > windows
> > wutemp
> > mycnf.cnf
> >
> > So, what can you tell me about my machine, there's actually a lot you
> > can glean from that dir listing, if you aren't too thick and know a bit.
> >
> > --
> > Mimic
>
> Sadly, what she said about hidden files is almost true, though more by
> chance than by any knowledge on her part.
> Checking hidden files (actually system files using dir /od /as) in the
> %windir% and \system + system32 directories has become a must-do when
> removing CWSearch variants and some of the newer + nastier spyware.
> Many programs *say* they can remove CWSearch, but none, by themselves, can.
>
> A quick how-to on removing CWSearch variants (and possibly even on topic
> for these groups! Precedent!)
>
> The following cocktail is the *only* way to remove CoolWebSearch
> variants properly. Spybot, Ad-Aware and Spysweeper do NOT remove
> CoolWebSearch. Running these programs, and setting them to 'block', hides
> the symptoms but does NOT remove the infection.
>
> Download, install and update Spybot.
> Download, install and update spysweeper.
> Download, install and update Hijackthis and CWshredder from:
> http://209.133.47.200/~merijn/files/HijackThis.exe
> http://209.133.47.200/~merijn/files/CWShredder.exe
> Download, install and update SpywareBlaster from:
> http://www.javacoolsoftware.com/downloads.html
>
> 1. You will need to kill off whatever is loading spyware-wise from the
> registry. You could use msconfig, but that doesn't give a full listing.
>
> 2. Do a search for hidden files in the windows directory and
> windows\system32 directory for obvious crud once you have a vague idea
> on when the stuff was installed: dir /as /od *.exe, dir /as /od *.dll and
> just dir /od (order by date).
> Check the file properties/do a google on anything you don't recognise or
> that has been installed recently. Note down what the files are, the date etc.
> Some of the stuff here is good, results of windowsupdate etc. Use your
> head and make a judgement.
>
> 3. attrib -r -h -s <name.spyware.extension>, then delete (if not in
> memory)
>
> 4. Run HijackThis, kill off the obvious spyware, note filenames and
> locations of files to be removed
>
> 5. Reboot into safe mode
>
> 6. Run HijackThis again and kill greeblies.
>
> 7. Run CWShredder until nothing is found. If settings keep returning
> (such as hosts entries + home page settings) even in safe mode, you will
> have to do more digging to identify files and can them in DOS mode.
>
> 8. Run Spybot and Spysweeper to remove junk. They complement each other
> nicely.
>
> 9. Run SpywareBlaster and remove junk + restore proper registry settings.
>
> 10. Reset home page to its proper location.
>
> 11. *Delete any files identified in steps 1, 2 and 4
>
> 12. Check the hosts file
>
> 13. Check usual spyware/ActiveX locations
>
> 14. Reboot, run Windows Update.
>
> Bear in mind if one of the svchost.exe, nkvd.us or Vrape variants is on
> the box you will probably have to download on another machine and copy
> to the infected machine.
>
> *Some variants require you to delete the files in pure DOS mode rather
> than safe mode.
>
> I have had the unfortunate experience lately of having to remove this
> POS from many machines, and there are always installed files which are
> spyware but are not detected by ANY of the cleaning tools available.
>
> You might have to install all the tools, get rid of as much stuff as
> possible (the major websearch plugins) before you can update the tools
> at all. Get a coffee and get comfortable ;->
> E.
>
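Step 12 of E.'s list ("check the hosts file") is the one part of the procedure that is easy to make mechanical. The following is an added example, not code from the post or from any of the tools it names: it parses a hosts file and reports every mapping that is not the stock localhost entry, split into hostnames pinned to loopback (which silently blocks them, e.g. an update site) and hostnames sent to some other address (a redirect). The sample hosts content is constructed for the example; the split into "blocks" and "redirects" is this example's own choice of what to look at first.

```python
import ipaddress

# Constructed sample hosts file (not taken from the original post). The first
# mappings are the normal defaults; the later lines imitate the kind of
# entries a hijacked box carries.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# the lines below are NOT default entries
127.0.0.1       www.update-site.example      # loopback: silently blocks the site
192.0.2.10      www.search-engine.example    # non-loopback: redirects the site
192.0.2.10      www.bank.example www.mail.example
not-an-ip       www.broken.example
"""

def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping in a hosts file."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        for host in parts[1:]:                # one IP may carry several names
            yield parts[0], host.lower(), line_no

def is_loopback(ip):
    """True for 127.0.0.0/8 and ::1; False for anything else or non-IPs."""
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False

def audit_hosts(text):
    """Classify every mapping that a stock Windows hosts file does not need.
    Returns a dict of (line_no, hostname, ip) tuples under 'blocks',
    'redirects' and 'malformed'."""
    findings = {"blocks": [], "redirects": [], "malformed": []}
    for ip, host, line_no in parse_hosts(text):
        if host == "localhost" and is_loopback(ip):
            continue                          # the only mapping Windows needs
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            findings["malformed"].append((line_no, host, ip))
            continue
        key = "blocks" if is_loopback(ip) else "redirects"
        findings[key].append((line_no, host, ip))
    return findings

if __name__ == "__main__":
    for kind, entries in audit_hosts(SAMPLE_HOSTS).items():
        for line_no, host, ip in entries:
            print(f"{kind:9} line {line_no}: {host} -> {ip}")
```

On a real machine the text would come from %windir%\system32\drivers\etc\hosts; every line this reports should then be judged the way step 2 says, by date and by what you recognise, before it is removed.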