Using AdAware 6 and SpyBot S&D to kill SNRG
Straight_Man
Geeky, in my own way. Naples, FL. Icrontian
Folks have been posting about SNRG and it being PITA to kill.
The defs for May 2, 2004 for AdAware 6.0 give it the ability to kill parts of SNRG, and Spybot S&D can kill the associated DSO.Exploit also.
But, when you run it and it says it cannot kill it, look carefully at what it then says:
It says, essentially, "do you want me to run on restart???" Why the heck would it do this??? Well, SNRG and other junk is running, so AdAware or SpyBot S&D have to shut it down and then kill it. The easiest way to shut it down, since the operating system is protecting it, is to edit its registry key so next time the system starts up, SNRG does NOT start up. And if you tell AdAware with the latest updated defs to run on restart when it asks that, it does exactly that, and so can SpyBot S&D.
What happens next is you restart the computer, let AdAware kill its part, then do one more AdAware scan to doublecheck. Now, restart Windows again. Run Spybot S&D. If it asks you if you will let it run on restart, tell it yes, and restart Windows. SpyBot will do a full scan with a slightly different dialog; this is OK. When it is done, run SpyBot S&D like normal one more time, to make sure the thing it had to run on restart to kill is gone.
I discovered this little aspect of both while up at my brother's house and killed about 844 pieces of junk on his computer-- not to mention further unmangling the computer's registry, file system, etc. His computer runs 98 SE so it has no issues with user privileges; with 2000 and XP both programs should be run as administrator.
IF you run both these programs first and run them so they can finish killing on restart and let them complete a run after restart, and THEN run HJT you will get faster pinpoint fixes as there is less left to fix that way.
HTH some of you folks.
Comments
That's why I usually recommend running scans in SAFE MODE. In safe mode, most of the processes are not running. If people just get into the habit of dedicating 30 minutes every week or two towards PC security, and update all their defs, then reboot in safe mode, and run all their scans, they will be much happier and safer computer users.
Dexter...
Precisely-- but some things are hooked in with ROOT keys in 2000 and XP. Run AdAware while logged in as Admin ID and if the thing is hooked in as a root entry or got loaded because the user happened to be running the box as admin while on the web at infect time, even in Safe mode the process that needs removal might be running and Ad Aware will then have to run at restart to have the running key disabled, applied in a system registry update from DYN-DATA committing by the O\S. The nice thing is that half the failures of Adaware to kill things could be eliminated by allowing adaware to run after restart, simply because the process outline goes like this:
Run Adaware.
AdAware detects system protection of object it is told to kill.
AdAware asks if it can run on restart.
User says YES.
AdAware, if run as admin, is priv'd to then trigger a registry mod to disable run of object and will if told it can run on restart, and will NOT if not told ok to do so (I tested this also on my brother's box).
User then restarts computer after saying ok.
Because the DYN-Data disabling entry got committed on restart (Windows did do a settings update based on a scanregw autorun), Ad Aware can now kill what is NOT running after restart and a DYN-Data commit. It does.
Substitute SpyBot S&D, and the same basic process works for it also. And since this works based on user priv and not on run mode at AdAware or SpyBot S&D run time, lots of things can be killed simply by telling the user to let them run after restart when they ask and to not do many things before restarting the box. One MAJOR user thing to remember-- let them have the option to run on restart, and restart the box after saying ok to that if the box does not in fact then reboot\restart itself.
With 98 SE, this is even more elegant, with SpyBot S&D (and I have never tried this particular thing on XP as I never had a box with SNRG that was running XP)-- SpyBot S&D not only asked if it could kill on restart, but when allowed to do so it ran as a root run (full autoscan for everything it knew) prior to even a user login box coming up (network not even activated when this happened, which is one reason for safe mode working) and killed the DSO.Exploit and several other things deader than anything and then let Windows load up its user AUTH as networking came up, then Windows loaded to normal after user auth succeeded.
Users do not even have to know why in this detail; this is for you folks interested in this and those who are more advanced enthusiasts and for the pros that hang out here also. All they gotta now remember is that the best way to use these things for a first try kill is to let them run on restart, then once the box comes up into Windows fully and the run has completed, to rerun the scan once to doublecheck that the kill succeeded.
ADDED--> Quick Term def:
DSO.Exploit is a semigeneric-- it refers to anything that gets distributed in such a way that a security hole in something allows the thing being distributed to be distributed as a System Object with system protection registry entries (IE, hole is EXPLOITED) put in at infect time. O\S not only accepts the thing, but it gets registered as an O\S protected system object. ALCHEM.CAB AND TWAINTEC.CAB, which were referred to here also in a more recent thread, were system protected as .CAB and as DSO's after infection. ONLY WORKAROUND for this DSO.Exploit kind of thing without scanning regularly is never (NEVER!) to run your box on the web as admin AND to have an admin ID available to kill with OR (with earlier Windows of 9x or ME kinds) to have the killing scan run before networking is even activated.
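As an added example (not code from the thread or from AdAware or SpyBot S&D), the following PowerShell script snapshots the Run and RunOnce autorun entries on Windows 2000/XP or later, so the "let it run on restart, then doublecheck" procedure described above can be verified: take one snapshot before the reboot and one after, and compare them to confirm the scanner's one-shot entry was consumed and the unwanted start-up entry is gone. The registry paths are the standard Windows autorun keys; the file names under $env:TEMP are assumptions of this example.

```powershell
# Standard Windows autorun locations (HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER).
# RunOnce is the key a cleanup tool uses to schedule itself for the next start-up.
$autorunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-AutorunEntry {
    foreach ($key in $autorunKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Get-ItemProperty attaches PSPath/PSParentPath/... metadata; skip those.
            if ($p.Name -like 'PS*') { continue }
            $cmd = [string]$p.Value
            # Pull the executable out of a quoted or unquoted command line.
            $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split ' ')[0] }
            [pscustomobject]@{
                Key       = $key
                Name      = $p.Name
                Command   = $cmd
                ExeExists = (Test-Path -LiteralPath $exe)   # dangling entry = already removed file
            }
        }
    }
}

# Compare two snapshots: entries only in "before" were removed (or consumed RunOnce),
# entries only in "after" were added by the reboot-time run.
function Compare-AutorunSnapshot {
    param([string]$BeforeCsv, [string]$AfterCsv)
    $before = Import-Csv -Path $BeforeCsv
    $after  = Import-Csv -Path $AfterCsv
    Compare-Object -ReferenceObject $before -DifferenceObject $after -Property Key, Name, Command |
        Select-Object @{n='Change'; e={ if ($_.SideIndicator -eq '<=') { 'Removed' } else { 'Added' } }},
                      Key, Name, Command
}

# Usage: run once before rebooting, then again afterwards with the other file name.
$snapshot = Join-Path $env:TEMP 'autorun-before.csv'   # assumed file name
Get-AutorunEntry | Tee-Object -Variable entries | Export-Csv -Path $snapshot -NoTypeInformation
$entries | Format-Table -AutoSize
# After the reboot-time scan:
# Get-AutorunEntry | Export-Csv "$env:TEMP\autorun-after.csv" -NoTypeInformation
# Compare-AutorunSnapshot "$env:TEMP\autorun-before.csv" "$env:TEMP\autorun-after.csv"
```

An entry whose ExeExists column is False is a start-up value pointing at a file that is already gone, which is the state a successful kill leaves behind until the registry value itself is cleaned up.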