YW Weeble - Well, if I understood your response, getting the Norton stuff
out of there probably did it for you (perhaps if only by allowing a proper
SP2 install
). At any rate, it sounds like you're running OK now.
Here are some additional thoughts about defending your machine that you may
want to consider, some of which were in my original post:
If you want to take steps to defend your machine, there are a number of
things which need to be considered. I would suggest the following:
The minimum necessary to start with are a good hardware or software firewall
and an AV, and by bringing your OS up-to-date with ALL Critical updates.
Run the following programs regularly; I recommend at least once a week.
Download and run Stinger.exe, here:
http://download.nai.com/products/mcafee-avert/stinger.exe or from the link
on this page:
http://vil.nai.com/vil/stinger/
Download sysclean.com , from Trend Micro, here:
http://www.trendmicro.com/download/dcs.asp along with the latest pattern
file, here:
http://www.trendmicro.com/download/pattern.asp Be sure to read
the "How-to" info here:
http://www.trendmicro.com/ftp/products/tsc/readme.txt (You might also want
to get Art's updater, SYS-UP.Zip, here for future updating of these:
http://home.epix.net/~artnpeg/). (If you download and use the updater from
the beginning, it will automatically handle downloading the other files.)
Place them in a dedicated folder after appropriate unzipping. Show hidden
and system files (HowTo here:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339)
Disable Restore if you're on XP or ME (directions here:
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm), then boot to
Safe mode (HowTo here:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406)
Read tscreadme.txt carefully, then do a complete scan of your system
in Safe mode or from a Clean Boot (see below) and clean or delete anything
it finds. Reboot to normal mode and re-run the scan again.
This scan may take a long time, as Sysclean is VERY extensive and thorough.
For example, one user reported that Sysclean found 69 hits that an
immediately prior Norton AV v. 11.0.2.4 run had missed.
#########IMPORTANT#########
Show hidden files and run all of the following removal tools from Safe mode
or a "Clean Boot" when possible. Reboot and test if the malware is fixed
after using each tool.
HOW TO Enable Hidden Files
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339
Clean Boot:
1. Start|Run enter msconfig.
2. In the Startup tab, click the "Disable All" button.
3. In the Services tab, check the "Hide All Microsoft Services" checkbox,
and then click the "Disable All" button.
4. Click OK and then reboot.
#########IMPORTANT#########
Sometimes the tools below will find files which they are unable to delete
because they are in use. A program called Copylock, here,
http://noeld.com/programs.asp?cat=misc#CopyLock can aid in the process of
"replacing, moving, renaming or deleting one or many files which are
currently in use (e.g. system files like comctl32.dll, or virus/trojan
files.)" Another is Killbox, here:
http://www.downloads.subratam.org/KillBox.zip
A third which is a bit different but often useful is Delete Invalid File,
here:
http://www.purgeie.com/delinv.htm which handles invalid/UNC
file/folder name deleting, rather than the in use problem
Get Ad-Aware SE Personal Edition, here:
http://www.lavasoftusa.com/support/download/. Tutorial here:
http://www.bleepingcomputer.com/forums/index.php?showtutorial=48
UPDATE, set it up in accordance with this:
http://forum.aumha.org/viewtopic.php?t=5877 or the directions immediately
below and run this regularly to get rid of most "spyware/hijackware" on your
machine. If it has to fix things, be sure to re-boot and rerun AdAware
again and repeat this cycle until you get a clean scan. The reason is that
it may have to remove things which are currently "in use" before it can then
clean up others. Configure Ad-aware for a customized scan, and let it
remove any bad files found.....
<Begin Setup Directions>
Then, courtesy of NonSuch at Lockergnome, open Ad-aware then click the gear
wheel at the top and check these options to configure Ad-aware for a
customized scan:
General> activate these: "Automatically save log-file" and "Automatically
quarantine objects prior to removal"
Scanning > activate these: "Scan within archives", "Scan active processes",
"Scan registry", "Deep scan registry," "Scan my IE Favorites for banned
sites," and "Scan my Hosts file"
Tweaks > Scanning Engine> activate this: "Unload recognized processes during
scanning."
Tweaks > Cleaning Engine: activate these: "Automatically try to unregister
objects prior to deletion" and "Let Windows remove files in use after
reboot."
Click "Proceed" to save your settings, then click "Start." Make sure
"Activate in-depth scan" is ticked green, then scan your system. When the
scan is finished, the screen will tell you if anything has been found, click
"Next." The bad files will be listed. Right click the pane and click "Select
all objects" - This will put a check mark in the box at the side, click
"Next" again and click "OK" at the prompt "# objects will be removed.
Continue?"
<End Setup Directions>
Courtesy of
http://www.nondisputandum.com/html/anti_spyware.html: HINT: If
Ad Aware is automatically shut-down by a malicious software, first run
AWCloak.exe,
http://www.lavasoftnews.com/downloads/AAWCloak.exe, before
opening Ad Aware. When AAWCloak is open, click “Activate Cloakâ€. Than open
Ad Aware and scan your system.
Another excellent program for this purpose is SpyBot Search and Destroy
available here:
http://security.kolla.de/ SpyBot Support Forum here:
http://www.net-integration.net/cgi-bin/forums/ikonboard.cgi. Totorial
here:
http://www.safer-networking.org/en/index.html I recommend using both
normally.
After UPDATING and fixing ONLY RED things with SpyBot S&D, be sure to
re-boot and rerun SpyBot again and repeat this cycle until you get a clean
"no red" scan. The reason is that SpyBot sometimes has to remove things
which are currently "in use" before it can then clean up others.
Note that sometimes you need to make a judgement call about what these
programs report as spyware. See here, for example:
http://www.imilly.com/alexa.htm
Both of these programs should normally be UPDATED and run after doing any
other fix such as CWShredder and, as a minimum, normally at least once a
week.
I would recommend reading: "How did I get infected in the first place",
here:
http://forums.techguy.org/t208517.html
Next, courtesy of Mike Burgess:
"--Recommended Minimum Security Settings--
Close all instances of IE and OE
Control Panel | Internet Options
Click on the "Security" tab
Highlight the "Internet" icon, click "Custom Level"
1) "Download signed ActiveX scripts" = Prompt
2) "Download unsigned ActiveX scripts = Disable
3) "Initialize and script ActiveX not marked as safe" = Disable
4) "Installation of Desktop items" = Prompt
5) "Launching programs and files in a IFRAME" = Prompt
Click on the "Content" tab
Click the "Publishers" button
Highlight and click "Remove" any unknowns, click Ok
Click on the "Advanced" tab
Uncheck: "Install on demand (other)", click Apply\Ok
Prevent your "HomePage" setting from being Hijacked
http://www.mvps.org/winhelp2002/ietips.htm
_____________________________
Mike Burgess
Information isn't free if you can't find it!
http://www.mvps.org/winhelp2002/"
Note the Publisher setting - this vector is often overlooked. See here:
http://mvps.org/winhelp2002/restricted.htm#Setting
Then, from me:
Disable BOTH "Install on Demand" options on the IE6 Advanced tab.
Another set of not unreasonable (although much more severe) security setting
recommendations is available here:
http://www.infinisource.com/techfiles/surf-safe.html Also, see here for a
comprehensive discussion of this (highly recommended):
https://netfiles.uiuc.edu/ehowes/www/btw/ie/ie-opts.htm
There's a reasonable test of your Browser's secuity here: Jason Levine's
Browser Security Tests
http://www.jasons-toolbox.com/BrowserSecurity/
You might want to consider installing Eric Howes' IESpyAds, SpywareBlaster
and SpywareGuard here to help prevent this kind of thing from happening in
the future:
IESpyads -
https://netfiles.uiuc.edu/ehowes/www/resource.htm "IE-SPYAD adds
a long list of sites and domains associated with known advertisers,
marketers, and crapware pushers to the Restricted sites zone of Internet
Explorer. Once you merge this list of sites and domains into the Registry,
the web sites for these companies will not be able to use cookies, ActiveX
controls, Java applets, or scripting to compromise your privacy or your PC
while you surf the Net. Nor will they be able to use your browser to push
unwanted pop-ups, cookies, or auto-installing programs on your PC." Read
carefully. Tutorial here:
http://www.bleepingcomputer.com/forums/tutorial53.html
http://www.javacoolsoftware.com/spywareblaster.html (Prevents malware Active
X installs, blocks spyware/tracking cookies, and restricts the actions of
potentially dangerous sites) (BTW, SpyWareBlaster is not memory resident ...
no CPU or memory load - but keep it UPDATED) The latest version as of this
writing will prevent installation or prevent the malware from running if it
is already installed, and, additionally, it provides information about and
fixit-links for a variety of parasites. Tutorial here:
http://www.bleepingcomputer.com/forums/tutorial49.html
http://www.javacoolsoftware.com/spywareguard.html (Monitors for attempts to
install malware) Keep it UPDATED. Tutorial here:
http://www.bleepingcomputer.com/forums/tutorial50.html
All three Very Highly Recommended
SpywareBlaster is probably the best preventive tool currently available,
expecially if supplemented by using the Immunize function in SpyBot S&D and
a good HOSTS file (see next). IMPORTANT NOTE: A good additional source of
preventive blocking for ActiveX components is the Blocking List available
here:
http://www.spywareguide.com/blockfile.php While smaller than the
SpywareBlaster list, it contains some different malware CLSIDs and appears
to be updated with new threats more frequently. Recommended as a supplement
to SpywareBlaster. Read all of the instructions in the Expert package
download carefully. You might want to consider using:
http://www.changedetection.com/monitor.html to monitor and notify you of
changes/updates to this (or others, for that matter) list.
Next, install and keep updated a good HOSTS file. It can help you avoid
most adware/malware. See here:
http://www.mvps.org/winhelp2002/hosts.htm
(Be sure it's named/renamed HOSTS - all caps, no extension) Additional
tutorials here:
http://www.spywarewarrior.com/viewtopic.php?t=410
(overview)
and here:
http://www.bleepingcomputer.com/forums/tutorial51.html (detailed)
Lastly, with regards to cookies: An overview of the approach I recommend,
courtesy of Mel's Spyware Tools, here:
http://homepage.cooketech.net/~cybermel/Mel's Spyware Tools and Ad Blockers.html
XML-Menu for IE6 - (
https://netfiles.uiuc.edu/ehowes/www/main.htm, click on
IE6 Tools on website) "This package contains a full menu of custom Import
XML files that can be used to manipulate IE6's handling of cookies in the
Internet and Trusted zones (the Privacy tab controls only the Internet
zone). The files are divided into three sets: one "short list" of
recommended files, and two "advanced" lists containing a wide range of
possible Privacy configurations. The ReadMe covers the basics of using
custom XML Import files and details all the files that are available. A
..REG file that can be used to restore the default Privacy tab settings is
included."
This is the technique that I use and, while I do very infrequently have to
override on some sites that don't have a Privacy Policy in place, I've found
it almost infallible in stopping bad cookies (I use 1-e, BTW) FWIW, MVP
Eric Howes' site, above, is one of the very best on the net with regard to
anything having to do with security. Very Highly Recommended.
--
Please respond in the same thread.
Regards, Jim Byrd, MS-MVP
In
