
Thread: Spyware and Virii removal, the tools and the works

  1. #1

    Spyware and Virii removal, the tools and the works

    I wrote this for an overclocking forum awhile ago, but it's still up-to-date, I hope.



    First off, what is adware and spyware? According to Google, spyware is:

    A general term for a program that surreptitiously monitors your actions. While they are sometimes sinister, like a remote control program used by a hacker, software companies have been known to use spyware to gather data about customers.
    And adware:

    ... adware is considered to go beyond the reasonable advertising that one might expect from freeware or shareware. Typically a separate program that is installed at the same time as a shareware or similar program, adware will usually continue to generate advertising even when the user is not running the originally desired program.

    Now that we know something about them, let's get into removing them. Different tools are made for different kinds of spyware/adware. Some of the best tools are:

    Ad-Aware 6.0

    Spybot - S&D

    Spysweeper


    The above three applications are tools made for removal of all types of known spyware/adware. But sometimes, programmers get a bit more devious and write things that aren't as easily detected. Merijn.org has freeware tools for removal of these annoying things. Some of the best known ones:

    Hijack This. Browses services, registry, etc. for possible spyware/adware. USE AT YOUR OWN RISK!

    CWShredder. Tool for the removal of CoolWebSearch (homepage hijacker) variants (more info on CWS can be found here).

    Kill2Me. Tool for removal of the Look2me parasite.



    Now, you know a bit more about spyware/adware. So, let's get to work on removing it. I highly recommend Spybot - S&D and Ad-Aware 6.0 for this, and Hijack This if you can read and will follow the instructions given here.

    Scan using Ad-Aware 6.0, and remove all the files you can. Do the same with Spybot - S&D after you get done with Ad-Aware, so you'll be able to find files that Ad-Aware possibly didn't. And scan with Spysweeper as well, as members here have good feedback on it finding things that Spybot and Ad-Aware don't. I also recommend scanning with Hijack This and then posting your log here if you don't want to read the tutorial I gave you, or don't trust yourself. Remember to make backups, reboot afterwards, and then delete the backups if nothing is wrong, as I doubt it'll be long before companies start writing programs to restore Hijack This backups.



    Now, let's say that you've run Spybot, Ad-Aware, and special tools (such as CWS), but your computer is still acting up. This is where a virus scan might come in handy. The most popular freeware scanner is AVG Anti-Virus. It's very effective, and free. You can also use McAfee AVERT Stinger for a quick and dirty emergency scan. Let's just let the description do the talking here:

    Stinger is a stand-alone utility used to detect and remove specific viruses. It is not a substitute for full anti-virus protection, but rather a tool to assist administrators and users when dealing with an infected system. Stinger utilizes next generation scan engine technology, including process scanning, digitally signed DAT files, and scan performance optimizations.

    This version of Stinger includes detection for all known variants, as of August 9th, 2004:

    Note: Windows ME and XP utilize a restore utility that backs up selected files automatically to the C:\_Restore folder. This means that an infected file could be stored there as a backup file, and VirusScan will be unable to delete these files. You must disable the System Restore Utility to remove the infected files from the C:\_Restore folder.

    Another great little utility that a friend of mine once used, which found several new trojans that he had never heard of before (and removed them) that were causing him problems, is Avast Home Edition (http://downloads-zdnet.com.com/Avast-Home-Edition/3000-2239-10285256.html?tag=lst-0-2). Also, Avast Virus Cleaner Tool is a great addition to any collection of anti-virus programs. I also recommend getting McAfee Security Center as well. It's free, and has several excellent features along with its virus scan, including a firewall, spam blocker, etc. You can find up-to-date virus information here, and can check up on virus myths (like the jdbg hoax) at Vmyths.com.




    Messenger Service (AKA the What's-with-all-these-freaking-dialog-windows!? service):

    The Windows Messenger service was made to be used by administrators to send messages to network users, etc. But better methods (such as IM and e-mail) were utilized by admins, so it pretty much went dead. But then, companies and spammers found out how to use it to send spam in biblical proportions. You can pay $20 for a program to stop it, or you could disable the service. But, the best way is to use the Messenger-Control Ad-Aware plugin. It stops the messenger service from coming through. If you have to purchase Ad-Aware Plus to install it, then it'll be well spent money. Also, you can use the LSP-Explorer plugin to disable the Messenger Service.

    To disable the Messenger service (quote from TweakXP.com):

    Firstly
    Start > Run > Type: services.msc
    When the Services window pops up, scroll down to "Messenger". The description is "Transmits net send and Alerter service messages between clients and servers. This service is not related to Windows Messenger. If this service is stopped, Alerter messages will not be transmitted."
    Right-click, go to Properties, and in Startup type select "DISABLE".

    If your computer is infested with spyware/adware/virii to an unbelievable extent (I hope it's not...), then you'll probably have to boot into safe mode (hold F8 during POST) and then run the programs. This way, very few processes will be active, and the ones that are active will be mandatory Windows ones. Or, you could just switch to a *nix distro.

    I hope this helps people out with Spyware and other forms of malware, and virii. I shall be around.
    Tell me if you think I'm spamming or doing something stupid, please.
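The two manual checks from the post above, scripted as an added example (this is not the thread author's code): confirm whether the machine booted into safe mode before running cleaners, then disable and stop the net send "Messenger" service the way the TweakXP steps describe. It assumes an elevated PowerShell prompt on an XP/2003-era host; on later Windows versions the service no longer exists and the script reports that instead.

```powershell
# Added example, not from the original post. Uses WMI (Get-WmiObject) so it
# also runs on the PowerShell 2.0 that Windows XP / Server 2003 can install.

# 1. Was this a safe-mode boot? Cleaners work best with minimal drivers loaded.
#    SAFEBOOT_OPTION is set by Windows only in safe mode ("Minimal" or "Network");
#    Win32_ComputerSystem.BootupState reports "Normal boot" or "Fail-safe boot".
$bootState = (Get-WmiObject -Class Win32_ComputerSystem).BootupState
if ($env:SAFEBOOT_OPTION) {
    Write-Host "Safe mode ($($env:SAFEBOOT_OPTION)); boot state: $bootState"
} else {
    Write-Host "Normal boot ($bootState). Reboot and hold F8 to clean from safe mode."
}

# 2. Disable the Messenger service (the services.msc steps, scripted).
#    This is the net send / Alerter "Messenger" service, not the Windows Messenger IM client.
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='Messenger'"
if ($null -eq $svc) {
    Write-Host "No 'Messenger' service on this host (it was removed after XP / Server 2003)."
} else {
    Write-Host "Messenger service found: state=$($svc.State), start mode=$($svc.StartMode)"
    if ($svc.State -ne 'Stopped') { Stop-Service -Name Messenger -Force }
    Set-Service -Name Messenger -StartupType Disabled

    # Re-read the service and confirm the change took effect.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='Messenger'"
    Write-Host "After change: state=$($svc.State), start mode=$($svc.StartMode)"
}
```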

  2. #2
    Senior Member
    Join Date
    Jun 2004
    Posts
    281
    Pretty good list of information however you mentioned nothing about booting to safe-mode and running the programs.

    Maybe add some information on safe-mode and its place in the fight against adware and virus'.


    - MilitantEidolon
    Yeah that's right........I said it!

    Ultimately everyone will have their own opinion--this is mine.

  3. #3
    I think this should be more of a sticky in the Spyware forum than a security tutorial!

    Good info!

  4. #4
    OK, I stuck a safe-mode booting guide in at the end of it. Hope that it helps.
    Tell me if you think I'm spamming or doing something stupid, please.

  5. #5
    Junior Member
    Join Date
    Aug 2004
    Posts
    5
    Thank you - that was pretty helpful.

    I've seen tons of sites & people suggesting that Ad-Aware, Spybot, etc. all be run in safe mode - but can anyone explain why it's better to run in safe mode? What's wrong with running them in the background while you're surfing (AntiOnline, of course) or running them in normal operating mode?

  6. #6
    Senior Member
    Join Date
    Aug 2003
    Posts
    119
    The reason folks suggest you boot into safe mode is simply because it loads minimal drivers, plus the ones that might be running in your background.

    If you boot in normal mode, Ad-Aware and such cannot remove it if it's active (in most cases; not saying it's not possible).

    It maximizes your chances of success.
