
Date Posted: 00:14:33 02/11/05 Fri
Author: LB
Subject: anti-parasites guide (v.long post)
In reply to: coyotyl 's message, "apparently not ..." on 22:40:00 02/10/05 Thu

- I wrote this for work, but it is cobbled together mainly from the aumha website -

Fighting Parasites
Information for virus-checking a PC with a possible infection

Anti-Parasite Quick-Fix Protocol

Follow this quick step-by-step guide, which will clean a machine of all but the most malicious and harmful parasites.

1. Clean out the ‘Temporary Internet Files’ and ‘Temp’ folders.

These folders represent the accumulated trash that Windows has failed to clean. If left unchecked they will slow down Windows and may contain infected files. There are many temporary folders in Windows, and there are also many Windows cleaning tool kits that will exhaustively search and remove files, though 99% of most problems are solved by cleaning the TIF and Temp folders.

Close all programs and reboot the computer. Purge the TIF folder. This can be done in two ways: either through Tools/Internet Options in I.E., or from Windows Explorer. You can safely delete all your cookies, as the ones you want will be rebuilt the next time you visit a site. In ‘My Computer’, go to the Temp folder, press Ctrl + A to select everything, and delete it. If any file in the Temp folder is in use you will not be able to delete it. If a file is infected and will not let you delete it, it can still be neutralised until a more powerful anti-parasite tool can be run to pick it up and destroy it: open the file in Notepad, select all the text, delete it, and save the file. Then right-click on the file, select Properties, and allow it only ‘Read’ permissions.

Always empty the recycle Bin after purging these folders.

You should also clear the browser history at regular intervals from I.E, using Tools/Internet Options, or set the number of days that History can be retained for as low as possible (1 day).

Reduce the size of the TIF folder; in I.E from Tools/Internet Options, click settings, and reduce the amount of space allocated to 1 MB.

Use Tweak UI. This is part of a set of Windows productivity tools called PowerToys, which enables you to adjust the Windows User Interface. It is very powerful, and essential in improving the performance of a PC. Directions for use can be found at:
http://www.microsoft.com/ntworkstation/downloads/powertoys/networking/nttweakui.asp
http://aumha.org/a/powertoy.htm
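The Temp-folder part of step 1 can be scripted. The following PowerShell is an added example for this post, not something from the original guide or from aumha; it purges a temp folder and, for any file that refuses deletion, applies the post's fallback of blanking the file and marking it read-only so a later scan can pick it up. The function name and parameters are this example's own, the default folder is the current user's %TEMP%, and the Temporary Internet Files location it mentions is the one used by modern Windows (an assumption; under Windows XP the folder lived elsewhere).

```powershell
# Added example (not from the original post): purge a temp folder the way
# step 1 describes, and neutralise files that cannot be deleted.
# Run from an elevated PowerShell session after closing all programs.

function Clear-TempFolder {
    param(
        # Folder to purge; defaults to the current user's Temp folder.
        [string]$Path = $env:TEMP
    )

    $deleted     = 0
    $neutralised = @()
    $stubborn    = @()

    Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            try {
                Remove-Item -LiteralPath $_.FullName -Force -ErrorAction Stop
                $deleted++
            }
            catch {
                # Deletion failed (typically the file is in use). Fall back to the
                # post's manual recipe: empty the file, then make it read-only.
                try {
                    Clear-Content -LiteralPath $_.FullName -Force -ErrorAction Stop
                    Set-ItemProperty -LiteralPath $_.FullName -Name IsReadOnly -Value $true -ErrorAction Stop
                    $neutralised += $_.FullName
                }
                catch {
                    # Locked for writing as well: report it so the next scan can target it.
                    $stubborn += $_.FullName
                }
            }
        }

    # Second pass: remove directories that are now empty, deepest first.
    Get-ChildItem -LiteralPath $Path -Directory -Recurse -Force -ErrorAction SilentlyContinue |
        Sort-Object { $_.FullName.Length } -Descending |
        Where-Object { -not (Get-ChildItem -LiteralPath $_.FullName -Force -ErrorAction SilentlyContinue) } |
        Remove-Item -Force -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Deleted     = $deleted
        Neutralised = $neutralised
        Stubborn    = $stubborn
    }
}

# %TEMP% first, then the browser cache (modern Windows path; assumption).
$folders = @($env:TEMP, (Join-Path $env:LOCALAPPDATA 'Microsoft\Windows\INetCache'))
foreach ($folder in $folders) {
    if (-not (Test-Path -LiteralPath $folder)) { continue }
    $result = Clear-TempFolder -Path $folder
    "{0}: deleted {1} file(s)." -f $folder, $result.Deleted
    if ($result.Neutralised) { "  Blanked and set read-only:"; $result.Neutralised | ForEach-Object { "    $_" } }
    if ($result.Stubborn)    { "  Still locked (rescan after reboot):"; $result.Stubborn | ForEach-Object { "    $_" } }
}

# The post says to always empty the Recycle Bin afterwards.
Clear-RecycleBin -Force -ErrorAction SilentlyContinue
```

The files listed under "Still locked" are the ones worth noting down for the scanners in the later steps: a temp file that can be neither deleted nor truncated is being held open by a running process, which is exactly the situation the post says a stronger tool is needed for.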


2. Run an Online Virus-Check

Run an initial threat assessment from the following URL:
http://aumha.org/a/noads.htm
Write down every parasite family it says you have. At this stage do not follow any removal instructions. Note: this tool is not at all comprehensive, it is just designed to give an overview and will catch some items, such as MySearch.

3. Download the following tools:

1. CWShredder http://aumha.org/downloads/cwshredder.zip
2. Ad-Aware SE http://www.lavasoftusa.com/support/download/
3. Spybot S&D http://www.safer-networking.org/index.php?page=download
4. Hijack This http://aumha.org/downloads/hijackthis.zip

4. Run CWShredder

Unzip the file, click ‘Fix’ to run it, and let it remove everything. This is the only tool that will reliably remove the CoolWebSearch (CWS) spyware/hijacker. There are many CWS variants, and CWS has become so common that CWShredder should be run whenever a parasite infection is suspected. Additionally, some current variations of CWS block Ad-aware and Spybot from catching everything. For more information on CWS see
http://www.spywareinfo.com/~merijn/cwschronicles.html

One variation of the CWS parasite is responsible for the IEDLL.EXE and PSAPI.DLL problems Windows users have experienced. If a user has the variation of CWS that removes the General tab of Internet properties, remove the parasite. To restore the General tab go to
http://www.kellys-korner-p.com/regs_edits/iegentabs.reg

Another variant can disable CWShredder and other leading anti-parasite programs. If CWShredder freezes or hangs, first clear the Temp and Temporary Internet Files caches, and try again. If the problem persists use the CWS.Smartkiller utility at http://aumha.org/a/parasite.php#tools


5. Run Ad-Aware SE

Install Ad-aware SE and update it, before running it. Let it remove everything it finds.

Ad-aware is a very reliable anti-virus product. All anti-parasite software has the potential to cause serious problems, but Ad-aware has only ever reported minor issues such as loss of network or Internet connectivity. In the unlikely event that such problems occur, open the quarantine list and selectively restore quarantined items. You need to have administrator privileges to run it on Windows 2000 or XP.

For parasites that are currently running, Ad-aware may not be able to remove them on the first pass. It may only be able to disable the auto-launch, which activates them at computer start-up. Usually it will ask you if you want to try it again after a reboot. Say yes, then reboot. Even if it doesn’t ask you, rebooting and then running again is a good idea.

6. Run Spybot Search and Destroy

Install and run. In most cases you can safely remove all red coloured items it identifies, but discretion is needed with respect to its recommendations.

Generally Spybot S&D is more aggressive than Ad-aware. It digs harder and is more intrusive. However Spybot’s more aggressive approach introduces a few more risks, so it needs to be treated with a bit more caution.

Spybot recommends stripping your system of less critical things that you might not want removed. For example, Spybot attempts to remove Most Recently Used (MRU) lists. This gives no significant protection, but does remove conveniences on which most users rely.

It is recommended to use none of Spybot’s ‘Immunize’ or real time protection features, and only use its scanning and cleaning features.

7. Download and run Hijack This

This step is only needed if you still believe there is a parasite infection. Most users should use this only to scan, not to fix. Unzip to a new folder on the desktop. Disable any anti-parasite protection programs that may be running, especially Spybot’s ‘Immunize’ features, before generating the log, as these will appear in the log in a way similar to how some parasites might appear. Run the program. Save the log and then post it as a new thread on the Aumha Hijack This Logs Forum
http://forum.aumha.org/viewforum.php?f=30

Hijack This pulls data from Windows registry areas that can be used by legitimate and illegitimate programs alike. Do not remove everything it finds; doing this WILL trash the system! However, the comprehensive list it generates does find things that none of the other detection tools will find. Hijack This is also pretty useful for seeing what else a PC is running without your knowledge. For detailed explanations of each line in a Hijack This log, see
http://aumha.org/a/hjtutor.htm

8. Avoid Betrayware

Betrayware is a type of parasite program that advertises itself as anti-parasite, but deploys adware or spyware. Sometimes the software is free; other Betrayware programs actually charge for the download. Programs in this class lead you to believe they are making you safer, while actually invading your computer as insidiously as any other such software. For an up-to-date list of Betrayware see
http://www.spywarewarrior.com/rogue_anti-spyware.htm


Other recommended freeware to use

1. IE-SpyAd http://aumha.org/freeware/freeware.php#ie-spyad

IE-SpyAd is a simple registry patch that adds a long list of known advertisers, marketers, and spyware pushers to the Restricted Sites zone of IE. Whatever security settings you prefer in IE in general, the browser will automatically switch to maximum security mode when it wanders onto pages that are known to be ‘high risk’ web environments.

The patch is updated a few times a month, and can be edited to add or remove specific items.
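IE-SpyAd works by writing zone-map entries into the registry. The PowerShell below is an added example for this post, not IE-SpyAd's own code or list: it adds a domain to the Restricted Sites zone for the current user in the same way such a patch does, and lists what is currently restricted so the patch's effect can be checked or audited. It assumes the standard Internet Explorer zone-map layout (a subkey per domain under `ZoneMap\Domains`, with a value named `*` or a scheme name holding the zone number, 4 being Restricted sites). The function names and the sample domain are this example's own.

```powershell
# Added example (not from the original post or from IE-SpyAd): manage the
# Restricted Sites zone that IE-SpyAd populates. Current-user scope only.

$ZoneMapDomains = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$RestrictedZone = 4   # 1 = Intranet, 2 = Trusted, 3 = Internet, 4 = Restricted sites

function Add-RestrictedSite {
    param(
        [Parameter(Mandatory)][string]$Domain,   # e.g. 'example.com'
        [string]$Scheme = '*'                    # '*' = every scheme, or 'http' / 'https'
    )
    # A subdomain is stored as a nested key: Domains\example.com\www
    $parts = $Domain -split '\.'
    if ($parts.Count -gt 2) {
        $base = ($parts[-2..-1]) -join '.'
        $sub  = ($parts[0..($parts.Count - 3)]) -join '.'
        $key  = Join-Path (Join-Path $ZoneMapDomains $base) $sub
    } else {
        $key = Join-Path $ZoneMapDomains $Domain
    }
    if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -LiteralPath $key -Name $Scheme -PropertyType DWord -Value $RestrictedZone -Force | Out-Null
}

function Get-RestrictedSites {
    if (-not (Test-Path -LiteralPath $ZoneMapDomains)) { return }
    $rootName = (Get-Item -LiteralPath $ZoneMapDomains).Name
    foreach ($key in Get-ChildItem -LiteralPath $ZoneMapDomains -Recurse) {
        # Rebuild the host name from the key path: Domains\example.com\www -> www.example.com
        $rel   = $key.Name.Substring($rootName.Length).TrimStart('\')
        $parts = $rel -split '\\'
        [array]::Reverse($parts)
        $domain = $parts -join '.'

        $props = Get-ItemProperty -LiteralPath $key.PSPath
        foreach ($scheme in @('*', 'http', 'https')) {
            $p = $props.PSObject.Properties[$scheme]
            if ($p -and $p.Value -eq $RestrictedZone) {
                [pscustomobject]@{ Domain = $domain; Scheme = $scheme }
            }
        }
    }
}

# Constructed sample: restrict one hypothetical ad host, then list the zone.
Add-RestrictedSite -Domain 'ads.example.com'
Get-RestrictedSites | Sort-Object Domain | Format-Table -AutoSize
```

Listing the zone is the useful half for a clean-up: a parasite that wants a clean bill of health can also edit the zone map, so comparing `Get-RestrictedSites` output against the patch you installed shows whether anything has been removed or, worse, whether trusted-zone entries (value 2) have appeared that you never added.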

2. Advanced Process Manipulation http://www.diamondcs.com.au/downloads/apm.exe

An extremely sophisticated freeware tool for viewing and manipulating processes running in Windows NT, 2000, or XP, including tracking all modules running secondary to a given process. This is useful for unloading stubborn and hidden files in some especially difficult anti-parasite and anti-virus recovery situations.

3. BHOList http://www.spywareinfo.com/~merijn/files/bholist.zip

A Browser Helper Object (BHO) is a small program that runs automatically every time you start your Internet browser. Usually a BHO is installed on a system by another software program. BHOs in general have something to do with ‘helping’ a user browse the Internet. Many BHOs are what is now called adware or spyware. For instance, they monitor the websites that are visited and report this data back to their creators. They can also routinely conflict with other running programs, causing a variety of page faults and run-time errors, and generally impede browser performance.

BHODemon http://www.spywareinfo.com/downloads/bhod/ is very useful for viewing and disabling the BHOs that may be installed on a machine.

A complete list of BHOs can be viewed at http://sysinfo.org/bhoinfo.html. Listed BHOs are tagged ‘X’ for certified spyware or other malware, ‘L’ for legitimate items, ‘O’ for open to debate, and ‘?’ for BHOs of unknown status.

See also the Microsoft article ‘Browser Helper Objects: The Browser The Way You Want It’ http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnwebgen/html/bho.asp.
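Step 7 says Hijack This reads registry areas that both legitimate and illegitimate programs use, and the BHO entry above explains what one of those areas holds. The PowerShell below is an added example for this post, not Hijack This, BHODemon or any other listed tool: it produces a read-only inventory of two such areas, the Run/RunOnce autostart keys and the registered Browser Helper Objects, resolving each BHO's CLSID to the DLL that implements it and checking whether that DLL carries a valid Authenticode signature. Nothing is removed, in keeping with the post's advice to scan rather than fix. Function names are this example's own; the WOW6432Node paths are an assumption for 64-bit Windows and are skipped where absent.

```powershell
# Added example (not from the original post or Hijack This): inventory the
# autostart Run keys and the Browser Helper Objects registered on this machine.

function Get-RunKeyEntries {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            [pscustomobject]@{
                Key     = $key
                Name    = $name
                Command = $item.GetValue($name)
            }
        }
    }
}

function Get-BrowserHelperObjects {
    $bhoKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    )
    foreach ($bhoKey in $bhoKeys) {
        if (-not (Test-Path -LiteralPath $bhoKey)) { continue }
        foreach ($sub in Get-ChildItem -LiteralPath $bhoKey) {
            $clsid = $sub.PSChildName

            # Resolve the CLSID to its friendly name and in-process server DLL.
            $clsidKey  = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
            $serverKey = "$clsidKey\InprocServer32"
            $friendly  = if (Test-Path -LiteralPath $clsidKey)  { (Get-ItemProperty -LiteralPath $clsidKey).'(default)' }  else { $null }
            $dll       = if (Test-Path -LiteralPath $serverKey) { (Get-ItemProperty -LiteralPath $serverKey).'(default)' } else { $null }

            # Signature status of the DLL: Valid, NotSigned, HashMismatch, ... or 'missing'.
            $status = 'missing'
            if ($dll) {
                $dllPath = [Environment]::ExpandEnvironmentVariables($dll.Trim('"'))
                if (Test-Path -LiteralPath $dllPath) {
                    $status = (Get-AuthenticodeSignature -LiteralPath $dllPath).Status
                }
            }

            [pscustomobject]@{
                CLSID     = $clsid
                Name      = $friendly
                Dll       = $dll
                Signature = $status
            }
        }
    }
}

"== Run / RunOnce entries =="
Get-RunKeyEntries | Format-Table -AutoSize

"== Browser Helper Objects =="
Get-BrowserHelperObjects | Format-Table -AutoSize
```

The two things worth a second look in the output are the same ones the post warns about: a Run entry whose command points into a Temp folder or a user profile rather than Program Files, and a BHO whose DLL is unsigned, has no friendly name, or no longer exists on disk. Save the output before and after a clean-up, as the post suggests for Hijack This logs, and the difference is the list of what the tools actually removed.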

4. CWS SmartKiller http://www.safer-networking.org/files/delcwssk.zip

This is a speciality tool to remove the CoolWebSearch.SmartSearch variant, which can disable CWShredder and other leading anti-parasite programs.

5. FINDnFix http://freeatlast.100free.com or http://downloads.subratam.org/FINDnFix.exe

For W2K and XP only. This is an ingenious but cumbersome utility that helps to track and remove some of the most sophisticated stealth parasites. Originally created for cracking the likes of Look2Me, its primary component (!LOG!.bat) generates a catalogue of usually unavailable launch information that may uncover deeply-hidden malware files.

6. HackDefenderDisabler http://aumha.org/downloads/unhackdef.zip

A batch file that executes a simple method to break the HackDefender virus, which hides many parasite components from Hijack This and other tools, and can even disable the anti-virus and anti-parasite tools themselves. Execute the batch file and compare Hijack This logs from before and after.

7. Hosts File reader http://www.members.accessbee.com/mitch.HostsFileReader.exe

This makes it easy to find, read, and fix the Windows HOSTS file. Increasing numbers of exploits are hijacking the HOSTS file, which is essentially a custom DNS table local to the user’s computer. Check this if, when trying to access a website, the browser is redirected to another website instead. This utility is particularly helpful with some parasite versions that try to keep a user from accessing anti-parasite websites. They will be using HOSTS file manipulation to do this, so it is a good idea to keep a copy of this program around, even if it is not immediately needed.

Note: the location of the default HOSTS file is stored in the Windows Registry at HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters in the value ‘DataBasePath’. The value should be %SystemRoot%\System32\drivers\etc in W2K and XP and %SystemRoot% in Windows 95, 98, and ME.
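The check the Hosts File reader performs can be done by hand from PowerShell. The script below is an added example for this post, not the Hosts File reader's own code: it locates the HOSTS file through the `DataBasePath` registry value described in the note above, parses every active line, and sorts the mappings into the normal localhost entries, names sinkholed to a local address (the trick the post describes for keeping a user away from anti-parasite sites, although block lists use it legitimately too), and names redirected to a remote address. Function names and the set of "normal" host names are this example's own choices.

```powershell
# Added example (not from the original post): audit the Windows HOSTS file.

function Get-HostsFilePath {
    $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    # DataBasePath is REG_EXPAND_SZ; Get-ItemProperty expands %SystemRoot% for us.
    $dir = (Get-ItemProperty -LiteralPath $params -Name DataBasePath).DataBasePath
    Join-Path ([Environment]::ExpandEnvironmentVariables($dir)) 'hosts'
}

function Get-HostsEntries {
    param([string]$Path = (Get-HostsFilePath))

    # Names that legitimately point at the machine itself (example's own list).
    $localNames = @('localhost', 'localhost.localdomain', 'broadcasthost', 'ip6-localhost', 'ip6-loopback')

    $lineNo = 0
    foreach ($raw in Get-Content -LiteralPath $Path) {
        $lineNo++
        # Drop comments and blank lines.
        $line = ($raw -split '#', 2)[0].Trim()
        if (-not $line) { continue }

        $fields = $line -split '\s+'
        if ($fields.Count -lt 2) { continue }
        $address = $fields[0]
        $isLocal = ($address -like '127.*') -or ($address -eq '::1') -or ($address -eq '0.0.0.0')

        foreach ($hostname in $fields[1..($fields.Count - 1)]) {
            if (-not $isLocal) {
                $class = 'redirect'      # name sent to a real address: review immediately
            } elseif ($hostname -in $localNames) {
                $class = 'normal'
            } else {
                $class = 'blocked'       # name sinkholed locally: block list, or a parasite hiding help sites
            }
            [pscustomobject]@{
                Line     = $lineNo
                Address  = $address
                HostName = $hostname
                Class    = $class
            }
        }
    }
}

$hostsPath = Get-HostsFilePath
"HOSTS file: $hostsPath"
$entries = @(Get-HostsEntries -Path $hostsPath)
"{0} active mapping(s); {1} redirect(s), {2} blocked name(s)." -f $entries.Count,
    @($entries | Where-Object Class -eq 'redirect').Count,
    @($entries | Where-Object Class -eq 'blocked').Count

# Show everything that is not a plain localhost entry.
$entries | Where-Object Class -ne 'normal' | Format-Table -AutoSize
```

A clean machine normally reports zero redirects, and any `blocked` entries should be ones you (or a block list you installed) put there. A `redirect` line for a bank, search engine or update site, or a `blocked` line for a security vendor's domain, is the symptom the post describes; restoring the file means removing those lines, and the registry value should still point at the default directory, since a changed `DataBasePath` is another way to swap in a rogue HOSTS file.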

8. KazaaBegone http://www.spywareinfo.com/~merijn/files/kazaabegone.zip

This cleans a computer of the Kazaa virus. However, the program will break a user’s Internet connection. Therefore, before running it, it is important to download the tool ‘LSPFix’ http://www.cexx.org/lspfix.htm so it can repair the damage that removing Kazaa does to the connection.

9. Kill2Me http://www.spywareinfo.com/~merijn/files/kill2me.zip

Use this to remove the Look2Me parasite. Look2Me is an advertising and information network that uses a shell extension to attach itself to Windows and display pop-up advertising for its clients. It monitors visited web sites, and submits the information to a server.

Also see http://www.pchell.com/support/look2me.shtml for further removal instructions if problems persist, including editing registry settings and deleting registry keys.

10. RestrictApp http://www.mvps.org/sramesh2k/utils/RestrictApp.exe

This blocks a program from loading at startup if it is launched from a Run or RunOnce Registry key. For example, to remove TV Media, block TVM.exe, then reboot and delete the TV Media folder in Program Files.

11. Silent Runners http://www.silentrunners.org/

Generates a list of what is loading at startup. However this is not as exhaustive as FINDnFix.

12. ToolbarCop http://www.mvps.org/sramesh2k/utils/ToolbarCop.exe

A useful tool that finds many of the same items (such as toolbars and BHOs) as Hijack This, but makes it easier to identify what they are – making it easier to decide what to remove.

13. RegCleaner http://www.worldstart.com/weekly-download/programs/regcleaner.exe

Removes old and obsolete registry items.

14. VX2Finder http://tools.zerosrealm.com/VX2Finder.exe

This is the currently recommended tool for removing VX2.BetterInternet. If it finds this virus, disconnect from the Internet (and stay off until the PC has been cleaned). Have VX2Finder search for VX2.BetterInternet, then click ‘Delete these files’. Reboot when asked to do so. Once Windows is reloaded, launch VX2Finder and click the ‘User Agent’, ‘Guardian reg’, and ‘Restore Policy’ buttons, saying OK each time. When finished, reboot again. Run VX2Finder again, and have it check for the virus a final time to confirm the PC is clean.

15. Zone Labs Security Scanner http://download.zonelabs.com/bin/free/em/index4.html

An online scanning service that determines whether a computer has tracking cookies running on it.

16. Spyware’s weekly newsletter http://www.spywareinfo.com/about.php#newsletter

A very useful newsletter for keeping up-to-date on the most important new findings.

17. Introduction to Browser Hijacking http://www.geekgirls.com/net_hijacked.htm

An article by Rose Vine, which provides an introduction to browser hijacking, and some useful precautions to take.

18. Threat Assessment Chart (TAC) http://www.lavasoftnews.com/ms/tac_main.html

This is another name for Lavasoft’s database of viruses and other threats. You can search the database to see how points are awarded. TAC numbers of 3 and above get added to the database. The system is based on a total of 10 points, 1 being the least threatening, and 10 being the most threatening and/or problematic. Behaviour and intent are scored more heavily than technical threat.
