If you follow this guide, and practice the eightfold path laid out before you, you should become a safe citizen of the internet and prevent any insidious software from ever plaguing you again.
If you can't solve your problems with hijackthis, CWShredder, Spybot S&D, and AdAware, then I hate to say it, but SpywareBlaster isn't gonna change anything.
I see you're not familiar with SpywareBlaster. Its purpose is not to remove spyware, but to prevent further "infestations". It's used after all spyware is removed.
From their site:
SpywareBlaster doesn't scan and clean for spyware - it prevents it from ever being installed.
By setting a "kill bit" for spyware ActiveX controls, SpywareBlaster can prevent the installation of any spyware ActiveX controls from a webpage. It does this while not interfering with "friendly" ActiveX controls - so your browser can work correctly and you can have peace of mind!
You won't get any more annoying "Yes/No" boxes popped up, asking you to install a spyware ActiveX control (which can increasingly be found in pop-up ads!). In fact, Internet Explorer will never even download or run the spyware ActiveX control!
In addition, SpywareBlaster can prevent many of these spyware ActiveX controls from running, even if they are already installed on your system.*
The newest SpywareBlaster version can even block spyware/tracking cookies!
And SpywareBlaster does not need to be running in the background to provide this protection!
That's a great article prime(suspect). It was very concise and well written. It's obvious you took your time and you produced an excellent article. You should do it more often, I'm certain you'd get published.
Spybot S&D has an "immunize" feature that will add an extra measure of protection for combating future possible downloads of spyware. On my version it even recommends SpywareBlaster. I've never run it, but I would take an educated guess that it would run a memory resident program. The downside of this is the additional resources needed to run yet another background program. A good firewall, either hardware or software, can't be spoken for enough to help block some of the filth in the first place. ZoneAlarm and Norton Internet Security often come to mind as solid software firewalls. Most spyware, though, gets in through the unintentional installing of the spyware by the end user. One method that GiantInternetCorp uses to get its messages across is the Windows Messenger Service, which is not to be confused with Windows Internet Messenger. This allows spyware companies to broadcast messages to people even when their computer is not even connected to the internet. This is the same process that network administrators would use to broadcast a message to users across the local network. Usually these messages consist of "Shut down your computer while the server is restarted" or something similar. Although not used today as much as in the past, it still resides on your computer. If you desire to turn off the process, in WinXP, go to START -> RUN -> type "services.msc" and hit ENTER. You will have a window pop up listing the services available. Double click on the line that says "Messenger". Set it to "Disabled". Needless to say, you will most likely need admin access to change this. Almost all the current anti-spyware apps will catch the spyware that uses this method, but it's an added layer of protection if one felt the need to take that step.
Again, excellent article primesuspect. Be sure to wear your sunglasses around here now.
Spybot S&D has an "immunize" feature that will add an extra measure of protection for combating future possible downloads of spyware. On my version it even recommends SpywareBlaster. I've never run it, but I would take an educated guess that it would run a memory resident program.
Similar to SpywareBlaster, the immunize feature in Spybot is not memory resident. It also works by setting a kill bit in the registry that prevents the component from being installed.
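Both SpywareBlaster and Spybot's immunize feature work by writing the ActiveX "kill bit" that the reply above describes. The following is an added example, not code from the thread or from either tool: it audits which controls on a Windows machine currently carry the kill bit, so you can see exactly what an immunizer has written before deciding whether to keep or undo it. It relies on the documented Internet Explorer mechanism (a `Compatibility Flags` DWORD with bit 0x400 set under the `ActiveX Compatibility` key); the CLSID in the usage line at the end is a placeholder, not a real control.

```powershell
# Added example, not part of the original thread or of SpywareBlaster/Spybot.
# Internet Explorer refuses to load any ActiveX control whose CLSID has the
# 0x400 bit set in "Compatibility Flags" under this key (the "kill bit").
$KillBitBase = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$KILL_BIT    = 0x400

function Test-KillBit {
    # Returns $true when the given CLSID (with braces) has the kill bit set.
    param([Parameter(Mandatory)][string]$Clsid)
    $path = Join-Path $KillBitBase $Clsid
    $item = Get-ItemProperty -LiteralPath $path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    return (($item.'Compatibility Flags' -band $KILL_BIT) -ne 0)
}

function Get-KillBitList {
    # Lists every CLSID that an immunizer (or an administrator) has kill-bitted.
    Get-ChildItem -LiteralPath $KillBitBase -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid = $_.PSChildName
        if (Test-KillBit -Clsid $clsid) {
            [pscustomobject]@{ CLSID = $clsid; KillBit = $true }
        }
    }
}

function Set-KillBit {
    # Defensive helper: set the kill bit for one CLSID (requires an elevated shell).
    # The change is reversible by deleting the key or clearing the 0x400 bit.
    param([Parameter(Mandatory)][string]$Clsid)
    $path = Join-Path $KillBitBase $Clsid
    if (-not (Test-Path -LiteralPath $path)) { New-Item -Path $path -Force | Out-Null }
    $current = 0
    $existing = Get-ItemProperty -LiteralPath $path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -ne $existing) { $current = $existing.'Compatibility Flags' }
    Set-ItemProperty -LiteralPath $path -Name 'Compatibility Flags' -Value ($current -bor $KILL_BIT) -Type DWord
}

# Usage: show everything currently kill-bitted, then check one placeholder CLSID.
Get-KillBitList | Format-Table -AutoSize
Test-KillBit -Clsid '{00000000-0000-0000-0000-000000000000}'   # placeholder CLSID, assumption
```

Running `Get-KillBitList` before and after an immunizer run gives you the same thing the poster below asks for: a list of exactly what was changed, so a single entry can be undone without reverting the whole batch.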
One thing-- I have seen things that prevent Active-X from loading or downloading break things, even when the Active-X offered is actually benign. So, be aware of what your system is doing, have a trojan and worm aware app that reacts fast to trojan and worm intrusion (some AVs are weak in this regard; one that is very active in this regard is N-Prot in the paid version-- they provide program updates for automatic update when needed and defs for macro viruses, trojans, worms, hybrids, known bad Active-X, and even some Word viruses which have reappeared recently, and have done same day updates for many majors, and my paid version grabs any available defs and program updates daily from one of three servers it knows of in the US or tells me there are none if none), and since any one app can be imperfect or fixes delayed if there is no money coming in, most folks end up donating to the dev of their favorite app, or if none do then it withers and dies in the long run, or updates are slow in coming when the devs have to take time out to make money to earn a living. If I like an app I support it regularly, and to my mind I am paying to keep it alive. With a paid app, you are hiring them to do the dev; the same principle applies to regular donations-- then they can and do spend more time at it and hopefully you get faster updated apps and more debugging work.
This might seem to be a thread sidetrack, but what lots of the Active-X folks do to get Active-X that is not good installed is to use trojans. Kill the trojan, no download of Active-X occurs-- the download of the DOWNLOADER never happened.
I will always use an immunizer that tells me what it wants to do and lets me revoke its ideas beforehand-- here's why, just from today's run: SpyBot S&D wanted to kill parts of N-Prot (including what runs the def pickup) and something I want and use occasionally, which is the launch bar icon for WinZip's wizard. It also found that Opera had an Alexa module to search using Alexa installed, that I let it kill, and had pulled the access itself to that feature at Opera install time. Use apps also that let you undo and then choose at worst to rekill all but what you undid-- some apps force you to undo what you killed in a batch; the best let you recover just one change.
System knowledge and knowing how things get on your computer are key, and the ways (plural) that they can mean that you need a complete security solution suite and knowledge of how it can happen and what you should NOT kill also for best results. Spyware killers that let you undo what you want left before the fact are best, together with the other tools that let you prevent junk from getting on the box and detecting it is there.
Prime's article is excellent (GOOD WORK, Brian), but keep the whole system security idea active in your mind. Learn who to trust more (but not any one source exclusively; each security pro knows some things and has his or her own preferences as to how to prevent and detect and then kill things right-- none of them know everything) and who is making claims that are exaggerated. But use software that lets you undo what misuse can do. And address the areas including AV for your box-- none of them can be exclusively done by one program. Use all the tools you can trust including those suggested here (spyware and adware killers, PLUS AV that includes robust trojan and worm (internet and other) and macro viral/malware killing capacities, firewalls, and system intrusion detection software (a good firewall can provide warning of intrusion that HAS occurred and when it happened if you learn how to read the logs the best of those keep)), and your box is likely to be up and effective without major repairs much longer so long as hardware does not fail.
I believe what Ageek is saying is: Be aware. Think before you click. I suggest everyone read up on ACTIVEX so we aren't misinformed about what ACTIVEX is and what it does. There's no need for us to start running around yelling "The activex sky is falling."
First line of defence is to use a good virus protection program and keep it updated. Second is to use a good spyware search and destroy program, keep it updated and run it from time to time. Third...be cautious when poking your cursor in places you normally wouldn't go.
Straight_Man (Geeky, in my own way; Naples, FL; Icrontian), edited February 2004
That and:
Since no one dev team can be all knowledgeable, it is usually best to use more than one program and use what you can undo. Know the program, know how to use it, but use other good programs also that do not break each other. Here is an example-- Ad-Aware can trigger on SpyBot S&D's backup it gens when it immunizes. Blast the backup, and if you were not careful your undo for SpyBotS&D just got vaporized by Ad-Aware. If you do not know and only suspect, keep the undo option open. Know how not to vaporize your undo.
Prime and I have done a lot of junk removal, you could ask us if in doubt before committing to a change that might do things you do not want done, or ask and find out where to ask, the program authors and those who use the program how to use it.
I've been doing junk removal with as little damage as possible for a long time (over a decade); one of my major interests has been keeping junk off boxes. I make 90% of my money consulting, and lots of what I charge very minor amounts for or give free is how to safely take junk off boxes without destroying major apps and core OS parts or parts of programs you want. I am not perfect either; get security info from more than one source. But, I will say do not do that yet and later say do it when I know that this one thing can be done if I am honestly not sure. I tend to say don't until you understand the major consequences, and do not trust global promises in security (Gibson Research has lots of good fine tools, but I do not agree with all his opinions). Each software dev team has specialties they learned, and out of specialty they are not so good as they are within their specialty, and that goes for all coders.
There is no one specific IT security Bible (or any one Security Oracle that is not constantly learning) that lasts; what is being done is in flux. You need software that can flux as needed also, so look for software that has been around a long time, or test the new stuff and make it prove itself while also using what you know works and is being actively updated. If new fights old and old is still proven good, use old for now until new is mature.
The best fix is to kill on entry, but that is not always possible, so you need some scanning tools also-- actively working if running all at once does not slow your box too much. Prevention is good, but coding rules morph so if you use something that runs mostly on rules or heuristics to pick out what is bad, it might kill future software that is good if you put some of that on the box.
The obverse is true also-- let's say you have a favorite program that was written way back when and you cannot find anything that does exactly that in a way that is intuitive for what you know. Let's say when it was written, the rule that what is considered wrong because folks are taking advantage of holes did not exist, and it used things that did the things that would be considered wrong in ways that would not harm your box, and you knew that. ACTIVE-X itself has morphed over the years. Impose new rules on old code, and you are likely sooner or later to break the old code accidentally. There is a balance here between getting rid of what you know is bad and what LOOKS LIKE IT MIGHT BE BAD or that ONE person has told you is bad.
John D-- who recommends trusting those who have proven skill and knowledge and make a career of security MORE than those who do not, but give no one person exclusive and total trust for the unique box that is yours, and that includes what the security software does. I run AV software through ICSA and EICAR tests, at random, for instance.
Great article prime. I've been using mostly Spybot but downloaded the other progs too. And I urge everyone to visit www.grc.com. There's a lot of useful stuff there. Letting the Shields Up utility try to penetrate your firewall is a, if not the only, good way to know it's working. Also try LeakTest. It tries to connect to the grc.com server and obviously a working firewall will prevent this. The program will tell you if it got through or if it failed. If it says that it got through and your firewall didn't say anything about it, then you're in trouble.
BTW has anyone ever heard of the makecall virus. According to startup mechanic (www.startupmechanic.com) i've got it but i don't know how to remove it and norton hasn't said a word. I'll try the apps in the article and see what happens.
...BTW has anyone ever heard of the makecall virus. According to startup mechanic (www.startupmechanic.com) i've got it but i don't know how to remove it and norton hasn't said a word. I'll try the apps in the article and see what happens.
I think Startup Mechanic may have a problem with false alarms. It tells me that GrabClipSave is added as part of the CUYDOC virus. I emailed the guy who wrote GCS and he is trying to sort it out with the author(s) of Startup Mechanic. My email even made his front page news section! (I am "Steve")
Like you, I run NAV with latest defs and it hasn't made a peep. Since CUYDOC has been in Norton's defs since last October I'm sure it's just a glitch.
Yea, but something has been trying to start the dialer in Windows. Check out this thread for more info. After I used Startup Mechanic the popup disappeared, but the c:/programs window opens every time instead. Here's a screenshot of what I disabled. Is that a valid app or something else?
"What is spyware and how to remove it, 8 February 2004
We're not exactly fond of spyware. It is often a sneaky way to put all sorts of junk on our computer, and we really don't get anything good out of it. But what actually is spyware, and more importantly: how do we get rid of it and prevent it? Brian Ambrozy wrote an extensive item on the subject.
More info at Short-Media"
Okay, I know it's in dutch, but wtf does this say!?!
1. Please warn people that if their View File Name Extensions are not enabled they will see something like babes.jpg instead of babes.jpg.exe - this applies to email attachments in particular.
2. Tell people that if they want porn DO NOT patronize web sites - learn how to use USENET. alt.binaries is a good place to start. Free Agent by www.forte.com is the most popular. If you do not know about the newsgroups you are missing out on the best secret on the Internet. There are many wonderful things out on the newsgroups besides naked women. You will be amazed if you haven't been there yet. If you are on AOL enable newsgroups in your preferences and then go to keyword Newsgroups. feester at aol
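The first point above (a file shown as `babes.jpg` that is really `babes.jpg.exe`) is a plain configuration risk that can be checked rather than just warned about. The script below is an added example written for this thread, not code from the poster or from any tool named here: it reads the Explorer setting that hides known extensions and then flags any file in a folder whose visible name ends in a harmless-looking extension while the real final extension is executable. The registry value used (`HideFileExt` under the Explorer `Advanced` key) is the documented one; the Downloads folder and the list of executable extensions are assumptions you can adjust.

```powershell
# Added example, not part of the original thread. Checks the "Hide extensions
# for known file types" setting and looks for double-extension files that
# would be displayed without their real (executable) extension.
$AdvancedKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

function Test-ExtensionsHidden {
    # $true means Explorer shows "babes.jpg" for a file named "babes.jpg.exe".
    $item = Get-ItemProperty -LiteralPath $AdvancedKey -Name HideFileExt -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $true }   # Windows default is to hide them
    return ($item.HideFileExt -eq 1)
}

function Show-FileExtensions {
    # Defensive fix: make Explorer show every extension (effective after Explorer restarts).
    Set-ItemProperty -LiteralPath $AdvancedKey -Name HideFileExt -Value 0 -Type DWord
}

function Find-DoubleExtensionFiles {
    # Lists files like "photo.jpg.exe" or "invoice.pdf.scr": a decoy extension
    # followed by one that Windows will actually execute. Extension list is an assumption.
    param([string]$Folder = (Join-Path $env:USERPROFILE 'Downloads'))   # assumed location
    $execExt = '(exe|scr|pif|com|bat|cmd|vbs|vbe|js|jse|wsf|hta)'
    $pattern = "^.+\.[A-Za-z0-9]{2,4}\.$execExt$"
    Get-ChildItem -LiteralPath $Folder -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match $pattern } |
        Select-Object FullName, Length, LastWriteTime
}

# Usage: report the setting, then list suspicious files in the assumed folder.
if (Test-ExtensionsHidden) {
    Write-Warning 'Explorer is hiding known extensions; a file called babes.jpg.exe will show as babes.jpg.'
    # Uncomment to correct it:  Show-FileExtensions
}
Find-DoubleExtensionFiles | Format-Table -AutoSize
```

Note that the double-extension pattern only catches one common trick; a file named simply `babes.exe` with a picture icon is not caught by it, which is why showing extensions (the setting the poster asks people to turn on) matters more than the scan.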
Preface: I know very little about PCs... I do medical transcription for a national company who provides my PC and I have almost no problems with security, spyware, viruses, etc. (in trying to protect patient privacy, I am assuming there is hypervigilance on the part of my company).
Anyway, I just sit here and transcribe from voice files all day long, oblivious to current problems like spyware and identity theft. Then I get on my husband's home PC, and boy, it's like working on a piece of crap. He uses a few online gambling sites and I suspect that's where the problem is. He finally started running Ad Aware, but just last night, his default home page was reset to some bogus search page covered with ads.
Anyhow, I started searching on my work computer for a solution and found this great article. Unfortunately, I don't feel I have the expertise to start in on this. I couldn't even access the Task Manager so I could see the processes running from the run menu or by ctl-alt-del. I can do this on my work computer, no problem. My husband's computer is running Windows ME and I couldn't find anything resembling the task manager.
Any ideas would be welcome. Poke fun at me, if you must, but at this point it seems like his PC has the equivalent of Ebola, and I would like to do something about it.
Comments
I can think of quite a few people who should give this a read themselves.
P.S.
I think it's about time I gave Firebird a shot...
Your Spyware article is top dog @ Overclockers.com too!
Selling yourself out all over the net Huh, you cheap www floozy! :bigggrin:
Great article, nice job! :Rocker:
You did it, man! Nice work! :bigggrin:
It's a shame spyware even exists though :\
We have a celebrity in da house, the worldfamous primesuspect.
I fixed the download links in the article, so they should all work now
KingFish
Gibson Research Corporation has some excellent small utilities.
UnPnP, DCOMbobulator, Shoot The Messenger, XPdite.
There's also a couple of firewall tests, Shields Up! and Leaktest.
Here's the link:
http://www.grc.com/default.htm
I always go there after a reinstall, to secure my installation.
KingFish
John D.
And now, back to our regularly scheduled program: the primesuspect hour
I googled my name tonight, and i found this: