Re: spyware removal in win 2000

From: Chek (chek_16_at_hootmail.com)
Date: 10/02/04


Date: Sat, 2 Oct 2004 17:32:12 +0100

That was a very welcome and comprehensive guide you posted
Jim.
Including some new software tools I'll have to check out.
Thanks for that.

Chek

-- 
Change 'boos' to 'bos' in address to email directly
"Jim Byrd" <jrbyrd@spamlessadelphia.net> wrote in message
news:OxgRGUIqEHA.1308@TK2MSFTNGP14.phx.gbl...
> Hi Mojo - Sounds like this might be a variant of some malware called CoolWebSearch (if CWShredder doesn't fix it, then see AdAware, SpyBot, and HijackThis, below, in that order). Read all of this carefully first, then do the following in order:
>
>
> #########IMPORTANT#########
> Before you try to remove spyware using any of the programs below, download both a copy of LSPFIX here:
>
> http://www.cexx.org/lspfix.htm
>
> AND a copy of Winsockfix
> http://www.tacktech.com/pub/winsockfix/WinsockFix.zip
> Directions here: http://www.tacktech.com/display.cfm?ttid=257
>
> The process of removing certain malware may kill your internet connection. If this should occur, these programs, LSPFIX and WINSOCKFIX, will enable you to regain your connection.
>
> NOTE:  It is reported that in XP SP2, the command    netsh winsock reset    will fix this problem without the need for these programs. You can also try this if you're on XP SP1. There has also been one, as yet unconfirmed, report that this also works there.
> #########IMPORTANT#########
>
>
>
> #########IMPORTANT#########
> All of the following removal tools should be run from Safe mode when possible. Reboot and test if the malware is fixed after using each tool.
> #########IMPORTANT#########
>
>
> Sometimes the tools below will find files which they are unable to delete because they are in use. A program called Copylock, here, http://noeld.com/programs.asp?cat=misc#CopyLock can aid in the process of "replacing, moving, renaming or deleting one or many files which are currently in use (e.g. system files like comctl32.dll, or virus/trojan files.)"  Another is Killbox, here:
> http://download.broadbandmedic.com/Killbox.exe
>
>
>
> Download and run Stinger.exe, here:
> http://download.nai.com/products/mcafee-avert/stinger.exe or from the link on this page: http://vil.nai.com/vil/stinger/
>
>
> Download    sysclean.com    , from Trend Micro, here: http://www.trendmicro.com/download/dcs.asp along with the latest pattern file, here: http://www.trendmicro.com/download/pattern.asp  Be sure to read the "How-to" info here: http://www.trendmicro.com/ftp/products/tsc/readme.txt (You might also want to get Art's updater, SYS-UP.Zip, here for future updating of these: http://home.epix.net/~artnpeg/).  (If you download and use the updater from the beginning, it will automatically handle downloading the other files.)  Place them in a dedicated folder after appropriate unzipping.  Disable Restore if you're on XP or ME (directions here: http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm), then boot to Safe mode (HowTo here: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406) Do a complete scan of your system in Safe mode and clean or delete anything it finds.  Reboot to normal mode and re-run the scan again.
>
> This scan may take a long time, as Sysclean is VERY extensive and thorough.
>
>
> Download, UPDATE before running, and run:
> http://209.133.47.200/~merijn/files/CWShredder.exe or here:
> http://hem.bredband.net/b157129/f/cwshredder.zip or here:
> http://www.softpedia.com/public/scripts/downloadhero/10-17-150/ or here:
> http://www.zerosrealm.com/downloads/CWShredder.zip
> to remove the parasite.  Be sure to close all instances of IE and OE.
>
>
> There's a good tutorial about CWS and using CWShredder here:
> http://www.bleepingcomputer.com/forums/index.php?showtutorial=47#domain
>
> BE SURE that you get v.1.59.0.1 or later!
>
> You will need to show Hidden files first and then at the end clear the malware garbage from your System Restore backups after you've cleaned up. It's best to perform CWShredder (and most other malware fixers too) from Safe mode and then reboot. AFTER cleaning things up, then you can disable and then re-enable System Restore.  See ******** below.
>
> The following links give instructions on how to do these various functions:
>
>
> HOW TO Restart in Safe Mode
> http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
>
> HOW TO Enable Hidden Files
> http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339
>
> HOW TO Disable/Flush System Restore  (do this at the end AFTER cleaning or use the suggested procedure for XP at the ******'s)
> http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039 (WinXP)
> http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001012513122239 (WinME)
> or http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm (Both)
>
>
>
> Then download and run:
> http://www.kellys-korner-xp.com/regs_edits/iegentabs.reg to restore your tabs and remove any restrictions that the parasite has put in place.
>
> Now download and run:
> http://www.kellys-korner-xp.com/regs_edits/RestoreSearch2.REG to restore your search functions if they've been affected (as they probably will have been).
>
>
> Be sure that you also download and install hotfix Q816093, here:
>
> http://support.microsoft.com/?kbid=816093
>
> which blocks the exploit upon which this parasite family depends.
>
>
> Another program which performs a similar function to CWShredder (which is no longer being updated unfortunately) is xcleaner_free (there's a more extensive paid version also) available here which should also be freshly downloaded and run after you run CWShredder:
> http://www.xblock.com/download-freeware.shtml
>
>
> However, this also indicates that you may have acquired some other malware along the way. If you go to this page at Jim Eshelman's site, here: http://aumha.org/a/noads.htm and wait a little bit (be patient), an analysis of a number of possible parasites on your machine will be made to help you identify and remove them. NOTE: You will need to disable Ad Blocking in Zone Alarm 3.x or later, if present or any other Ad Blocking software which interferes with Java Scripting for this scan to work. You should get a message between the two lines of **** giving the results of the scan.
>
> Get Ad-Aware SE Personal Edition, here: http://www.lavasoftusa.com/support/download/.  UPDATE, set it up in accordance with this: http://forum.aumha.org/viewtopic.php?t=5877 or the directions immediately below and run this regularly to get rid of most "spyware/hijackware" on your machine.   If it has to fix things, be sure to re-boot and rerun AdAware again and repeat this cycle until you get a clean scan.  The reason is that it may have to remove things which are currently "in use" before it can then clean up others.  Configure Ad-aware for a customized scan, and let it remove any bad files found.....
>
> <Begin Setup Directions>
> Then, courtesy of NonSuch at Lockergnome, open Ad-aware then click the gear wheel at the top and check these options to configure Ad-aware for a customized scan:
>
> General> activate these: "Automatically save log-file" and "Automatically quarantine objects prior to removal"
>
> Scanning > activate these: "Scan within archives", "Scan active processes", "Scan registry", "Deep scan registry," "Scan my IE Favorites for banned sites," and "Scan my Hosts file"
>
> Tweaks > Scanning Engine> activate this: "Unload recognized processes during scanning."
>
> Tweaks > Cleaning Engine: activate these: "Automatically try to unregister objects prior to deletion" and "Let Windows remove files in use after reboot."
>
> Click "Proceed" to save your settings, then click "Start." Make sure "Activate in-depth scan" is ticked green, then scan your system. When the scan is finished, the screen will tell you if anything has been found, click "Next." The bad files will be listed. Right click the pane and click "Select all objects" - This will put a check mark in the box at the side, click "Next" again and click "OK" at the prompt "# objects will be removed. Continue?"
> <End Setup Directions>
>
> Courtesy of http://www.nondisputandum.com/html/anti_spyware.html:  HINT: If Ad Aware is automatically shut-down by a malicious software, first run AAWCloak.exe, http://www.lavasoftnews.com/downloads/AAWCloak.exe, before opening Ad Aware. When AAWCloak is open, click "Activate Cloak". Then open Ad Aware and scan your system.
>
>
> Another excellent program for this purpose is SpyBot Search and Destroy available here:  http://security.kolla.de/  SpyBot Support Forum here: http://www.net-integration.net/cgi-bin/forums/ikonboard.cgi.  I recommend using both normally.  After UPDATING and fixing ONLY RED things with SpyBot S&D, be sure to re-boot and rerun SpyBot again and repeat this cycle until you get a clean "no red" scan.  The reason is that SpyBot sometimes has to remove things which are currently "in use" before it can then clean up others.
>
> Note that sometimes you need to make a judgement call about what these programs report as spyware. See here, for example:
> http://www.imilly.com/alexa.htm
>
> Both of these programs should normally be UPDATED and run after doing any other fix such as CWShredder and, as a minimum, normally at least once a week.
>
>
>
> If they don't fix it then start here:
>
> Download HijackThis, free, here:
> http://209.133.47.200/~merijn/files/HijackThis.exe (Always download a new fresh copy of HijackThis [and CWShredder also] - It's UPDATED frequently.) You may also get it here if that link is blocked:
> http://www.majorgeeks.com/downloadget.php?id=3155&file=3&evp=3304750663b552982a8baee6434cfc13
> or here: http://www.bleepingcomputer.com/files/spyware/hijackthis.zip
>
> There's a good "How-to-Use" tutorial here:
> http://computercops.biz/HijackThis.html
>
> In Windows Explorer, click on Tools|Folder Options|View and check "Show hidden files and folders" and uncheck "Hide protected operating system files".  (You may want to restore these when you're all finished with HijackThis.)
>
> Place HijackThis.exe or unzip HijackThis.zip into its own dedicated folder at the root level such as C:\HijackThis (NOT in a Temp folder or on your Desktop), reboot to Safe mode, start HT (have ONLY HT running - IE MUST be closed) then press Scan. Click on SaveLog when it's finished which will create hijackthis.log. Now click the Config button, then Misc Tools and click on Generate StartupList.log which will create Startuplist.txt
>
> Then go to one of the following forums:
>
> Spyware and Hijackware Removal Support, here:
> http://forums.spywareinfo.com/
>
> or Net-Integration here:
> http://www.net-integration.net/cgi-bin/forum/ikonboard.cgi?s=d3c2c886d536d57b5f65b6e40c55365e;act=ST;f=27;t=6949
>
> or Tom Coyote here: http://forums.tomcoyote.org/index.php?act=idx
> or Jim Eshelman's site here:  http://forum.aumha.org/
> or Bleepingcomputer here: http://www.bleepingcomputer.com/
> or Computer Cops here: http://www.computercops.biz/forums.html
>
>
>
> Register if necessary, then sign in and READ THE DIRECTIONS at the beginning of the particular site's HiJackThis forum, then copy and paste both files into a message asking for assistance. Someone will answer with detailed instructions for the removal of your parasite(s).  Be sure you include at the beginning of your post a description of "What specific problem(s)/symptoms you're trying to solve" and "What steps you've already taken."
>
>
> *******
> ONLY IF you've successfully eliminated the malware, you can now make a new, clean Restore Point and delete any previously saved (possibly infected) ones. The following suggested approach is courtesy of Gary Woodruff:  For XP you can run a Disk Cleanup cycle and then look in the More Options tab.  The System Restore option removes all but the latest Restore Point. If there hasn't been one made since the system was cleaned you should manually create one before dumping the old possibly infected ones.
> *******
>
>
> Once you get this cleaned up, you might want to consider installing Eric Howes' IESpyAds, SpywareBlaster and SpywareGuard here to help prevent this kind of thing from happening in the future:
>
> IESpyads - https://netfiles.uiuc.edu/ehowes/www/resource.htm  "IE-SPYAD adds a long list of sites and domains associated with known advertisers, marketers, and crapware pushers to the Restricted sites zone of Internet Explorer. Once you merge this list of sites and domains into the Registry, the web sites for these companies will not be able to use cookies, ActiveX controls, Java applets, or scripting to compromise your privacy or your PC while you surf the Net. Nor will they be able to use your browser to push unwanted pop-ups, cookies, or auto-installing programs on your PC."  Read carefully.
>
> http://www.javacoolsoftware.com/spywareblaster.html (Prevents malware Active X installs) (BTW, SpyWareBlaster is not memory resident ... no CPU or memory load - but keep it UPDATED) The latest version as of this writing will prevent installation or prevent the malware from running if it is already installed, and it provides information and fixit-links for a variety of parasites.
>
> http://www.javacoolsoftware.com/spywareguard.html (Monitors for attempts to install malware) Keep it UPDATED.  All three Very Highly Recommended
>
> Next, install and keep updated a good HOSTS file.  It can help you avoid most adware/malware.  See here: http://www.mvps.org/winhelp2002/hosts.htm (Be sure it's named/renamed HOSTS - all caps, no extension)  Additional tutorials here:
> http://www.bleepingcomputer.com/forums/index.php?s=14f3f9225081133297a8acdd11137c5b&showtutorial=51 (detailed) and here: http://www.spywarewarrior.com/viewtopic.php?t=410 (overview)
>
>
> Finally, be sure that you have a good hardware or software firewall and an AntiVirus installed, and bring your OS up-to-date with ALL Critical updates from Windows Update.
>
> -- 
> Please respond in the same thread.
> Regards, Jim Byrd, MS-MVP
>
>
>
> In news:ef3e5d3c.0410020337.2ad78304@posting.google.com,
> mojo <mojo7676@hotmail.com> typed:
> > Apologies for x posting.
> >
> > Any advice on the following situation greatly appreciated.
> >
> > running win 2000.
> >
> > Somehow got some nasty spyware/pop up crap (from zestyfind (?) and some other crap made by some outfit called nictech). Adaware can see the files and deletes them on a reboot. However, the files replicate themselves (with another name) upon startup. file names change but they're all .dlls - eg. agfiveds.dll, aactres.dll, awlui.dll, afledit.dll. they all live in c:\winnt\system32. The root problem still persists. I've tried getting rid manually (through cmd/dos emulation) by changing the file attributes to read, not hidden and not system but still won't let me delete because 'some other process is using the file' (or words to that effect). tried to close down everything in the task manager and was left with critical processes only but still couldn't delete the damned file. tried the same in safe mode but again, can't delete. did try to find some way of booting into the hard drive with a win98 startup disk but nothing happening there either. i think it doesn't see/recognise the ntfs or whatever the file system is on the win2k hard drive.
> >
> > Any ideas greatly appreciated.
> >
> > tia
> >
> > mojo
>
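Jim's guide ends with advice to install and maintain a good HOSTS file, and Ad-Aware's "Scan my Hosts file" option exists because hijackers edit that file too, typically pointing vendor and update sites at loopback or at a server of their own so removal tools cannot update. The script below is an added example, not part of this thread and not code from any tool the post names: it parses HOSTS text and sorts each mapping into blocklist-style sink entries, entries that touch a watched vendor or update domain, local custom overrides that merit a look, and malformed lines. The sample HOSTS text, the watch list of domains (taken from the vendor sites linked in the post plus Windows Update), and the function names are all constructed for the example.

```python
"""Audit a Windows HOSTS file: separate blocklist-style entries from hijacks.

Added example for the thread above; it is not code from the post or from any
tool the post names. The sample HOSTS text and the watch list are constructed.
"""
import ipaddress
import re

# Addresses a blocklist legitimately uses to sink unwanted names.
SINK_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1", "::"}

# Domains whose reachability matters during cleanup (vendor sites linked in
# the post, plus Windows Update). Constructed watch list: any HOSTS entry for
# one of these, sink address or not, either blocks updates or redirects the
# user, so it is reported as a hijack.
WATCHED_SUFFIXES = (
    "windowsupdate.com",
    "microsoft.com",
    "lavasoftusa.com",
    "kolla.de",
    "trendmicro.com",
    "nai.com",
    "symantec.com",
)

# One record: an address, whitespace, then one or more hostnames.
ENTRY = re.compile(r"^\s*(\S+)\s+(\S.*?)\s*$")

# Constructed sample file; the 203.0.113.0/24 block is reserved for examples.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.   (header style, constructed sample)
127.0.0.1       localhost
::1             localhost
# Blocklist-style entries, as a maintained HOSTS blocklist would add them
0.0.0.0         ads.example-adserver.test
0.0.0.0         tracker.example-adserver.test   # trailing comment
127.0.0.1       popups.example-adserver.test www.popups.example-adserver.test
# Entries of the kind a hijacker adds: cut security tools off from their updates
127.0.0.1       www.lavasoftusa.com
203.0.113.10    windowsupdate.com
203.0.113.10    www.symantec.com
# A local override that is probably fine but should be reviewed
192.168.1.20    intranet.local
not-an-address  some.name.test
"""


def _is_watched(name):
    name = name.lower()
    return any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)


def classify(address, name):
    """Return the category of one address -> name mapping."""
    if name.lower() == "localhost":
        return "standard" if address in ("127.0.0.1", "::1") else "hijacked"
    if _is_watched(name):
        return "hijacked"
    if address in SINK_ADDRESSES:
        return "sinkholed"
    return "custom"


def audit_hosts(text):
    """Parse HOSTS text and bucket every mapping by category.

    Returns {category: [(line_no, address, name), ...]}. Comments (# to end
    of line) and blank lines are skipped; a non-blank line that is not a valid
    "address name [name ...]" record is reported as malformed, since garbage
    in this file is itself worth a look.
    """
    buckets = {k: [] for k in ("standard", "sinkholed", "hijacked", "custom", "malformed")}
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0]
        if not line.strip():
            continue
        m = ENTRY.match(line)
        if m is None:
            buckets["malformed"].append((line_no, line.strip(), ""))
            continue
        address, names = m.groups()
        try:
            ipaddress.ip_address(address)
        except ValueError:
            buckets["malformed"].append((line_no, address, names))
            continue
        for name in names.split():
            buckets[classify(address, name)].append((line_no, address, name))
    return buckets


def summarize(buckets):
    """Count of entries per category, for a one-line report."""
    return {k: len(v) for k, v in buckets.items()}


if __name__ == "__main__":
    result = audit_hosts(SAMPLE_HOSTS)
    for category in ("hijacked", "malformed", "custom"):
        for line_no, address, name in result[category]:
            print(f"{category:9} line {line_no}: {address} {name}")
    print("summary:", summarize(result))
```

To check a real machine, read the file at %SystemRoot%\system32\drivers\etc\hosts (C:\WINNT\system32\drivers\etc\hosts on Windows 2000) and pass its text to audit_hosts. A long sinkholed list with nothing in hijacked is what an intact blocklist-style file looks like; anything in hijacked or malformed, or a custom entry nobody remembers adding, is the kind of thing to clean up before re-running the update-dependent tools in the guide.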