Re: How secure is your Windows Computer?
From: E. (bellyup_at_thebar.now)
Date: 05/03/04
- Next message: rif: "Sonic Firewall"
- Previous message: E.: "Re: How secure is your Windows Computer?"
- In reply to: Mimic: "Re: How secure is your Windows Computer?"
- Next in thread: Mimic: "Re: How secure is your Windows Computer?"
- Reply: Mimic: "Re: How secure is your Windows Computer?"
- Reply: Mimic: "Re: How secure is your Windows Computer?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 03 May 2004 20:54:29 GMT
Mimic wrote:
> "mailbox" <mailbox62001@yahoo.com> wrote in message
> news:47730f14.0405022323.1038b307@posting.google.com...
>
>>Let's all go to our C:Windows Directory after we have made all of our
>>files in this directory visible. Tell the group the names of the
>>Folders and Files which show as a light color and let's discuss this.
>>Dangerous code is always discovered in this directory, but you
>>need to enable the Windows Features to (view or show) all Hidden
>>Files.
>>
>>Let's see how secure your computer actually really is!
>>
>>Tracker
>
>
> OK debbs, how about you tell me, I don't have any "light color" folders
> [hidden to normal people]. I do have:
>
> Docs && settings
> inetpub
> nvidia
> program files
> windows
> wutemp
> mycnf.cnf
>
> So, what can you tell me about my machine, there's actually a lot you can glean
> from that dir listing, if you aren't too thick and know a bit.
>
> --
> Mimic
Sadly, what she said about hidden files is almost true, though more by
chance than by any knowledge on her part.
Checking hidden files (actually system files using dir /od /as) in the
%windir% and \system + system32 directories has become a must-do when
removing CWSearch variants and some of the newer + nastier spyware.
Many programs *say* they can remove CWSearch, but none, by themselves, can.
A quick how-to on removing CWSearch variants (and possibly even on topic
for these groups! Precedent!)
The following cocktail is the *only* way to remove CoolWebSearch
variants properly. Spybot, Ad-Aware and SpySweeper do NOT remove
CoolWebSearch. Running these programs, and setting them to 'block', hides
the symptoms but does NOT remove the infection.
Download, install and update Spybot.
Download, install and update spysweeper.
Download, install and update Hijackthis and CWshredder from:
http://209.133.47.200/~merijn/files/HijackThis.exe
http://209.133.47.200/~merijn/files/CWShredder.exe
Download, install and update SpywareBlaster from:
http://www.javacoolsoftware.com/downloads.html
1. You will need to kill off whatever is loading spyware-wise from the
registry. You could use msconfig, but that doesn't give a full listing.
2. Do a search for hidden files in the windows directory and
windows\system32 directory for obvious crud once you have a vague idea
of when the stuff was installed: dir /as /od *.exe, dir /as /od *.dll and
just dir /od (order by date).
Check the file properties/do a google on anything you don't recognise or
that has been installed recently. Note down what the files are, the date etc.
Some of the stuff here is good, results of windowsupdate etc. Use your
head and make a judgement.
3. attrib -r -h -s <name.spyware.extension>, then delete (if not in
memory).
4. Run HijackThis, kill off the obvious spyware, note filenames and
locations of files to be removed.
5. Reboot into safe mode.
6. Run HijackThis again and kill greeblies.
7. Run CWShredder until nothing is found. If settings keep returning
(such as hosts entries + home page settings) even in safe mode, you will
have to do more digging to identify files and can them in DOS mode.
8. Run Spybot and SpySweeper to remove junk. They complement each other
nicely.
9. Run SpywareBlaster and remove junk + restore proper registry settings.
10. Reset home page to its proper location.
11. *Delete any files identified in steps 1, 2 and 4.
12. Check the hosts file.
13. Check usual spyware/ActiveX locations.
14. Reboot, run Windows Update.
Bear in mind if one of the svchost.exe nkvd.us or Vrape variants is on
the box you will probably have to download on another machine and copy
to the infected machine.
*Some variants require you to delete the files in pure DOS mode rather
than safe mode.
I have had the unfortunate experience lately of having to remove this
POS from many machines, and there are always installed files which are
spyware but are not detected by ANY of the cleaning tools available.
You might have to install all the tools, get rid of as much stuff as
possible (the major websearch plugins) before you can update the tools
at all. Get a coffee and get comfortable ;->
E.
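A read-only triage script for steps 1, 2 and 12 of the procedure above, added here as an illustration; it is not part of E.'s post and is not code from any of the tools he names. It assumes PowerShell 3.0 or later running from an elevated prompt, and uses a constructed 30-day window in place of the "vague idea of when the stuff was installed". It only lists candidates; it does not touch attributes or delete anything.

```powershell
# Added example (not from the original post): read-only triage for steps 1, 2 and 12.
# Assumes PowerShell 3.0+ and an elevated prompt. Nothing here deletes or modifies anything.

# Assumption: the infection date is roughly known; 30 days is a constructed placeholder.
$Cutoff = (Get-Date).AddDays(-30)

# --- Step 1: what loads from the usual Run/RunOnce keys (a fuller view than msconfig) ---
function Get-RunKeyEntries {
    $keys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        $props = Get-ItemProperty -Path $k
        # Skip the PS* bookkeeping properties that Get-ItemProperty adds to the object
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }
            [PSCustomObject]@{ Key = $k; Name = $p.Name; Command = $p.Value }
        }
    }
}

# --- Step 2: hidden/system .exe and .dll under %windir%, \system and \system32, newest first ---
function Get-RecentHiddenBinaries {
    $dirs = @($env:windir,
              (Join-Path $env:windir 'system'),
              (Join-Path $env:windir 'system32'))
    foreach ($d in $dirs) {
        if (-not (Test-Path $d)) { continue }
        # -Force is what makes hidden and system files show up, like "dir /as"
        Get-ChildItem -Path $d -Force -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Extension -in '.exe', '.dll' } |
            Where-Object { ($_.Attributes -band [IO.FileAttributes]::Hidden) -or
                           ($_.Attributes -band [IO.FileAttributes]::System) } |
            Where-Object { $_.LastWriteTime -ge $Cutoff } |
            Sort-Object LastWriteTime -Descending |
            Select-Object FullName, LastWriteTime, Attributes,
                @{ n = 'Signature'; e = { (Get-AuthenticodeSignature $_.FullName).Status } }
    }
}

# --- Step 12: active hosts-file entries other than the default localhost line ---
function Get-NonDefaultHostsEntries {
    $hosts = Join-Path $env:windir 'System32\drivers\etc\hosts'
    Get-Content -Path $hosts -ErrorAction SilentlyContinue |
        Where-Object { $_ -match '^\s*[0-9a-fA-F:.]+\s+\S' } |
        Where-Object { $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\s*$' }
}

'== Run/RunOnce entries =='
Get-RunKeyEntries | Format-Table -AutoSize
'== Recently written hidden/system binaries =='
Get-RecentHiddenBinaries | Format-Table -AutoSize
'== Non-default hosts entries =='
Get-NonDefaultHostsEntries
```

Everything the script prints is a candidate for the "check the properties / look it up" step, not a verdict: Windows Update drops legitimate hidden and system files too, so the Signature column (Valid versus NotSigned) is the first thing to read before reaching for attrib and delete. A valid signature is not proof of innocence, but an unsigned, recently written, system-attributed DLL in system32 is exactly the file the post says deserves a closer look.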