Re: spyware popping up faster than i can remove

From: Jim Byrd (jrbyrd_at_spamlessadelphia.net)
Date: 09/25/04 

Date: Sat, 25 Sep 2004 07:30:01 -0700

Hi Diana - If you want to take steps to defend your machine, there are a
number of things which need to be considered. I would suggest the
following:

The minimum necessary to start with are a good hardware or software firewall
and an AV, and by bringing your OS up-to-date with ALL Critical updates.

Run the following programs regularly; I recommend at least once a week.

Download and run Stinger.exe, here:
http://download.nai.com/products/mcafee-avert/stinger.exe or from the link
on this page: http://vil.nai.com/vil/stinger/

Download sysclean.com , from Trend Micro, here:
http://www.trendmicro.com/download/dcs.asp along with the latest pattern
file, here: http://www.trendmicro.com/download/pattern.asp Be sure to read
the "How-to" info here:
http://www.trendmicro.com/ftp/products/tsc/readme.txt (You might also want
to get Art's updater, SYS-UP.Zip, here for future updating of these:
http://home.epix.net/~artnpeg/). (If you download and use the updater from
the beginning, it will automatically handle downloading the other files.)
Place them in a dedicated folder after appropriate unzipping. Disable
Restore if your on XP or ME (directions here:
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm), then boot to
Safe mode (HowTo here:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406)
Do a complete scan of your system in Safe mode and clean or delete anything
it finds. Reboot to normal mode and re-run the scan again.

This scan may take a long time, as Sysclean is VERY extensive and thorough.

Sometimes the tools below will find files which they are unable to delete
because they are in use. A program called Copylock, here,
http://noeld.com/programs.asp?cat=misc#CopyLock can aid in the process of
"replacing, moving, renaming or deleting one or many files which are
currently in use (e.g. system files like comctl32.dll, or virus/trojan
files.)" Another is Killbox, here:
http://download.broadbandmedic.com/Killbox.exe

Get Ad-Aware SE Personal Edition, here:
http://www.lavasoftusa.com/support/download/. UPDATE, set it up in
accordance with this: http://forum.aumha.org/viewtopic.php?t=5877 or the
directions immediately below and run this regularly to get rid of most
"spyware/hijackware" on your machine. If it has to fix things, be sure to
re-boot and rerun AdAware again and repeat this cycle until you get a clean
scan. The reason is that it may have to remove things which are currently
"in use" before it can then clean up others. Configure Ad-aware for a
customized scan, and let it remove any bad files found.....

<Begin Setup Directions>
Then, courtesy of NonSuch at Lockergnome, open Ad-aware then click the gear
wheel at the top and check these options to configure Ad-aware for a
customized scan:

General> activate these: "Automatically save log-file" and "Automatically
quarantine objects prior to removal"

Scanning > activate these: "Scan within archives", "Scan active processes",
"Scan registry", "Deep scan registry," "Scan my IE Favorites for banned
sites," and "Scan my Hosts file"

Tweaks > Scanning Engine> activate this: "Unload recognized processes during
scanning."

Tweaks > Cleaning Engine: activate these: "Automatically try to unregister
objects prior to deletion" and "Let Windows remove files in use after
reboot."

Click "Proceed" to save your settings, then click "Start." Make sure
"Activate in-depth scan" is ticked green, then scan your system. When the
scan is finished, the screen will tell you if anything has been found, click
"Next." The bad files will be listed. Right click the pane and click "Select
all objects" - This will put a check mark in the box at the side, click
"Next" again and click "OK" at the prompt "# objects will be removed.
Continue?"
<End Setup Directions>

Courtesy of http://www.nondisputandum.com/html/anti_spyware.html: HINT: If
Ad Aware is automatically shut-down by a malicious software, first run
AWCloak.exe, http://www.lavasoftnews.com/downloads/AAWCloak.exe, before
opening Ad Aware. When AAWCloak is open, click "Activate Cloak". Than open
Ad Aware and scan your system.

Another excellent program for this purpose is SpyBot Search and Destroy
available here: http://security.kolla.de/ SpyBot Support Forum here:
http://www.net-integration.net/cgi-bin/forums/ikonboard.cgi. I recommend
using both normally. After UPDATING and fixing ONLY RED things with SpyBot
S&D, be sure to re-boot and rerun SpyBot again and repeat this cycle until
you get a clean "no red" scan. The reason is that SpyBot sometimes has to
remove things which are currently "in use" before it can then clean up
others.

Note that sometimes you need to make a judgement call about what these
programs report as spyware. See here, for example:
http://www.imilly.com/alexa.htm

Both of these programs should normally be UPDATED and run after doing any
other fix such as CWShredder and, as a minimum, normally at least once a
week.

Next, courtesy of Mike Burgess:

"--Recommended Minimum Security Settings--

Close all instances of IE and OE
Control Panel | Internet Options

Click on the "Security" tab
Highlight the "Internet" icon, click "Custom Level"

1) "Download signed ActiveX scripts" = Prompt
2) "Download unsigned ActiveX scripts = Disable
3) "Initialize and script ActiveX not marked as safe" = Disable
4) "Installation of Desktop items" = Prompt
5) "Launching programs and files in a IFRAME" = Prompt

Click on the "Content" tab
Click the "Publishers" button

Highlight and click "Remove" any unknowns, click Ok

Click on the "Advanced" tab
Uncheck: "Install on demand (other)", click Apply\Ok

Prevent your "HomePage" setting from being Hijacked
http://www.mvps.org/winhelp2002/ietips.htm
_____________________________
Mike Burgess
Information isn't free if you can't find it!
http://www.mvps.org/winhelp2002/"

Note the Publisher setting - this vector is often overlooked. See here:
http://mvps.org/winhelp2002/restricted.htm#Setting

Then, from me:

Disable BOTH "Install on Demand" options on the IE6 Advanced tab.

Another set of not unreasonable (although much more severe) security setting
recommendations is available here:
http://www.infinisource.com/techfiles/surf-safe.html

You might want to consider installing Eric Howes' IESpyAds, SpywareBlaster
and SpywareGuard here to help prevent this kind of thing from happening in
the future:

IESpyads - https://netfiles.uiuc.edu/ehowes/www/resource.htm "IE-SPYAD adds
a long list of sites and domains associated with known advertisers,
marketers, and crapware pushers to the Restricted sites zone of Internet
Explorer. Once you merge this list of sites and domains into the Registry,
the web sites for these companies will not be able to use cookies, ActiveX
controls, Java applets, or scripting to compromise your privacy or your PC
while you surf the Net. Nor will they be able to use your browser to push
unwanted pop-ups, cookies, or auto-installing programs on your PC." Read
carefully.

http://www.javacoolsoftware.com/spywareblaster.html (Prevents malware Active
X installs) (BTW, SpyWareBlaster is not memory resident ... no CPU or memory
load - but keep it UPDATED) The latest version as of this writing will
prevent installation or prevent the malware from running if it is already
installed, and it provides information and fixit-links for a variety of
parasites.

http://www.javacoolsoftware.com/spywareguard.html (Monitors for attempts to
install malware) Keep it UPDATED. All three Very Highly Recommended

SpywareBlaster is probably the best preventive tool currently available,
expecially if supplemented by using the Immunize function is SpyBot S&D and
a good HOSTS file (see next).

Next, install and keep updated a good HOSTS file. It can help you avoid
most adware/malware. See here: http://www.mvps.org/winhelp2002/hosts.htm
(Be sure it's named/renamed HOSTS - all caps, no extension) Additional
tutorials here:
http://www.bleepingcomputer.com/forums/index.php?s=14f3f9225081133297a8acdd11137c5b&showtutorial=51 (detailed) and here:
http://www.spywarewarrior.com/viewtopic.php?t=410 (overview)

Lastly, with regards to cookies: Courtesy of Mel's Spyware Tools, here:
http://homepage.cooketech.net/~cybermel/Mel's%20Spyware%20Tools%20and%20Ad%20Blockers.html

XML-Menu for IE6 - (https://netfiles.uiuc.edu/ehowes/www/main.htm, click on
IE6 Tools on website) "This package contains a full menu of custom Import
XML files that can be used to manipulate IE6's handling of cookies in the
Internet and Trusted zones (the Privacy tab controls only the Internet
zone). The files are divided into three sets: one "short list" of
recommended files, and two "advanced" lists containing a wide range of
possible Privacy configurations. The ReadMe covers the basics of using
custom XML Import files and details all the files that are available. A
.REG file that can be used to restore the default Privacy tab settings is
included."

This is the technique that I use and, while I do very infrequently have to
override on some sites that don't have a Privacy Policy in place, I've found
it almost infallible in stopping bad cookies (I use 1-e, BTW) FWIW, Eric
Howes site, above, is one of the very best on the net with regard to
anything having to do with security. Very Highly Recommended. 

-- 
Please respond in the same thread.
Regards, Jim Byrd, MS-MVP
In news:2a0601c4a2e6$d4d197e0$a401280a@phx.gbl,
diana <anonymous@discussions.microsoft.com> typed:
> If I reinstall xp will that take care of the growing
> spyware problem I have on my computer. I have used Ad_
> Aware and it works for a minute, but then they come right
> back if i go online. There is:
> Win32.Adverts.TrojanDownloader, Virtumundo, Favoriteman,
> Clear search,ImIServer IEPlugin, SahAgent, Broadcast PC,
> NetPal, BookedSpace,SideFind,VX2,180 Solutions.
> ,Someone PLEASE help me.