S
Slyda
Hi there
A pop-up has placed a link on my right-click menu. How
do I get rid of it?
Thanks,
A pop-up has placed a link on my right-click menu. How
do I get rid of it?
Thanks,
J
Jim Byrd
Hi Slyda - Well, you maybe need to see what else it's done also.
HijackThis, below, will handle your specific problem, but read carefully
first, and do the other steps here as well.
If you go to this page at Jim Eshelman's site, here:
http://aumha.org/a/noads.htm and wait a little bit (be patient), an analysis
of a number of possible parasites on your machine will be made to help you
identify and remove them. NOTE: You will need to disable Ad Blocking in
Zone Alarm 3.x, if present or any other Ad Blocking software which
interferes with Java Scripting for this scan to work. You should get a
message between the two lines of **** giving the results of the scan.
For the general hijack case, the best way to start is to get Ad-Aware 6.0,
Build 162 or later, here: http://www.lavasoftusa.com/support/download/.
Update and run this regularly to get rid of most "spyware/hijackware" on
your machine.
Another excellent program for this purpose is SpyBot Search and Destroy
available here: http://security.kolla.de/ SpyBot Support Forum here:
http://www.net-integration.net/cgi-bin/forums/ikonboard.cgi. I recommend
using both normally. After fixing any "Red" things with SpyBot S&D, be sure
to re-boot and rerun SpyBot again and repeat this cycle until you get a
clean "no red" scan.
Note that sometimes you need to make a judgement call about what these
programs report as spyware. See here, for example:
http://www.imilly.com/alexa.htm
Lastly, a very useful utility for examining your system and correcting
problems is Hijack This, which you can download here:
http://www.spywareinfo.com/~merijn/files/hijackthis.zip See also,
HijackThis Quick Start Help, http://www.tomcoyote.org/hjt/ (Recommended)
This site has a number of useful references and information also:
http://www.spywareinfo.com/articles/hijacked/ and here
http://www.spywareinfo.com/downloads.php
Another program giving a good inventory of all of the possible start vectors
is AutostartExplorer, here: http://www.misec.net/aexp.jsp While it doesn't
allow control of startups, it's extremely comprehensive in examining all of
the possible sources. Highly Recommended
Next, go here: http://www.mlin.net/StartupCPL.shtml and get Mike Lin's
Startup Control Panel applet. A somewhat more difficult to use but more
extensive program to do the same thing is StartupList from here:
http://www.lurkhere.com/~nicefiles/index.html, or even better, Autoruns from
here: http://www.sysinternals.com/ntw2k/source/misc.shtml#autoruns. Be
very careful about doing any Registry modifications directly unless you're
comfortable with this, and be sure that you BACKUP your Registry before
making any changes, so that you can recover if something goes wrong.
Changes made with StartUpCPL are less likely to cause problems, and are
usually a matter of just re-enabling the particular program. Another
program of this type that I can recommend is StartMan, free, here:
http://www.spywareinfo.com/downloads/startman/. If you have problems with
suspected hijackers, you can look up and investigate suspect programs in
your StartUp lists here:
http://www.pacs-portal.co.uk/startup_pages/startup_full.htm (Recommended)
http://www.3feetunder.com/krick/startup/list.html (Recommended)
http://www.answersthatwork.com/Tasklist_pages/tasklist.htm (Recommended)
Some hijackers install themselves as Browser Helper Objects. Get BHOCop
here: BHO Cop http://www.pcmag.com/article2/0,4149,270,00.asp
(Unfortunately, no longer free from that link but you can read about it
there, and here is a direct download link for it:
http://websec.arcady.fr/bhocop.zip) and take a look at what BHO's are
currently installed. Some things like AdShield and Acrobat are normal, but
if you see something that doesn't make any sense, try disabling it and see
if that helps. Another excellent program for this same purpose is BHODemon,
(still free) here: http://www.definitivesolutions.com/ or here:
http://www.spywareinfo.com/downloads/bhod/ I would recommend both. You can
also check/control BHO's using the Tools function of SpyBot S&D.
There's good information about hijacking and fixes available here:
Andrew Clover's parasite page: http://www.doxdesk.com/parasite/ (Highly
recommended)
Robert Allen's parasite page: http://allentech.net/parasite/index.phtml
(Highly recommended)
http://www.spywareinfo.com/hijacked.html
http://gmpservicesinc.com/Articles/hijack.asp (links here for .reg files to
lock and unlock your homepage, BTW. You can also use this program to toggle
locking/unlocking of your homepage:
http://www.dougknox.com/security/scripts/nosethomepage.vbs Recommended)
http://www.mvps.org/inetexplorer/answers.htm#home_page
Also, there's a new class of hijacker using Window's Messenger Service (not
Instant Messaging, BTW). See: Messenger Service Window That Contains an
Internet Advertisement Appears http://support.microsoft.com/?id=330904
which identifies reasons to keep this service and steps to take if you do.
You can test your system and follow the 'Prevention' link to get additional
information here: http://www.mynetwatchman.com/winpopuptester.asp.
These are due to open NetBios ports 135, 137-139 and
445. You really need to block these with a firewall as a general
protection measure. You can stop the popups by turning off Messenger
Service; however, this still leaves you vulnerable.
Messenger Service is not per se Spyware or something that MS did wrong - It
provides a messaging capability which is useful for local intranets and is
also sometimes (albeit nowdays infrequently) used by some applications to
provide popup messaages to users. However, it can also be (and now
frequently is) used to introduce spam via this open NetBios channel.
For a single user home computer, it normally isn't needed and can be
turned off which will eliminate the spam popups. This DOESN'T, however,
remove the vulnerability of having these ports open, when in fact they
aren't needed, since they can be perverted in other ways as well, some
of which can be much more damaging than just a spam popup.
Unless you have very good reasons to keep this active, it should be turned
off in Win2k and XP. Go here and do what it says:
http://www.itc.virginia.edu/desktop/docs/messagepopup/ or, even better, get
MessageSubtract, free, here, which will give you flexible control of the
service and viewing of these messages:
http://www.intermute.com/messagesubtract/help.html Recommended.
(FWIW, ZoneAlarm's default Internet Zone firewall configuration blocks
the necessary ports to prevent this use of Messenger Service. I don't
know the situation with regard to other firewalls.)
Once you get this cleaned up, you might want to consider installing the
SpywareBlaster and SpywareGuard here to help prevent this kind of thing from
happening in the future:
http://www.wilderssecurity.com/spywareblaster.html (Prevents malware Active
X installs) (BTW, SpyWare Blaster is not memory resident ... no CPU or
memory load - but keep it updated) The latest version as of this writing
will prevent installation or prevent the malware from running if it is
already installed, and it provides information and fixit-links for a variety
of parasites.
http://www.wilderssecurity.net/spywareguard.html (Monitors for attempts to
install malware) Both Very Highly Recommended.
See if any of this helps and post back with your results.
--
Please respond in the same thread.
Regards, Jim Byrd, MS-MVP
In
HijackThis, below, will handle your specific problem, but read carefully
first, and do the other steps here as well.
If you go to this page at Jim Eshelman's site, here:
http://aumha.org/a/noads.htm and wait a little bit (be patient), an analysis
of a number of possible parasites on your machine will be made to help you
identify and remove them. NOTE: You will need to disable Ad Blocking in
Zone Alarm 3.x, if present or any other Ad Blocking software which
interferes with Java Scripting for this scan to work. You should get a
message between the two lines of **** giving the results of the scan.
For the general hijack case, the best way to start is to get Ad-Aware 6.0,
Build 162 or later, here: http://www.lavasoftusa.com/support/download/.
Update and run this regularly to get rid of most "spyware/hijackware" on
your machine.
Another excellent program for this purpose is SpyBot Search and Destroy
available here: http://security.kolla.de/ SpyBot Support Forum here:
http://www.net-integration.net/cgi-bin/forums/ikonboard.cgi. I recommend
using both normally. After fixing any "Red" things with SpyBot S&D, be sure
to re-boot and rerun SpyBot again and repeat this cycle until you get a
clean "no red" scan.
Note that sometimes you need to make a judgement call about what these
programs report as spyware. See here, for example:
http://www.imilly.com/alexa.htm
Lastly, a very useful utility for examining your system and correcting
problems is Hijack This, which you can download here:
http://www.spywareinfo.com/~merijn/files/hijackthis.zip See also,
HijackThis Quick Start Help, http://www.tomcoyote.org/hjt/ (Recommended)
This site has a number of useful references and information also:
http://www.spywareinfo.com/articles/hijacked/ and here
http://www.spywareinfo.com/downloads.php
Another program giving a good inventory of all of the possible start vectors
is AutostartExplorer, here: http://www.misec.net/aexp.jsp While it doesn't
allow control of startups, it's extremely comprehensive in examining all of
the possible sources. Highly Recommended
Next, go here: http://www.mlin.net/StartupCPL.shtml and get Mike Lin's
Startup Control Panel applet. A somewhat more difficult to use but more
extensive program to do the same thing is StartupList from here:
http://www.lurkhere.com/~nicefiles/index.html, or even better, Autoruns from
here: http://www.sysinternals.com/ntw2k/source/misc.shtml#autoruns. Be
very careful about doing any Registry modifications directly unless you're
comfortable with this, and be sure that you BACKUP your Registry before
making any changes, so that you can recover if something goes wrong.
Changes made with StartUpCPL are less likely to cause problems, and are
usually a matter of just re-enabling the particular program. Another
program of this type that I can recommend is StartMan, free, here:
http://www.spywareinfo.com/downloads/startman/. If you have problems with
suspected hijackers, you can look up and investigate suspect programs in
your StartUp lists here:
http://www.pacs-portal.co.uk/startup_pages/startup_full.htm (Recommended)
http://www.3feetunder.com/krick/startup/list.html (Recommended)
http://www.answersthatwork.com/Tasklist_pages/tasklist.htm (Recommended)
Some hijackers install themselves as Browser Helper Objects. Get BHOCop
here: BHO Cop http://www.pcmag.com/article2/0,4149,270,00.asp
(Unfortunately, no longer free from that link but you can read about it
there, and here is a direct download link for it:
http://websec.arcady.fr/bhocop.zip) and take a look at what BHO's are
currently installed. Some things like AdShield and Acrobat are normal, but
if you see something that doesn't make any sense, try disabling it and see
if that helps. Another excellent program for this same purpose is BHODemon,
(still free) here: http://www.definitivesolutions.com/ or here:
http://www.spywareinfo.com/downloads/bhod/ I would recommend both. You can
also check/control BHO's using the Tools function of SpyBot S&D.
There's good information about hijacking and fixes available here:
Andrew Clover's parasite page: http://www.doxdesk.com/parasite/ (Highly
recommended)
Robert Allen's parasite page: http://allentech.net/parasite/index.phtml
(Highly recommended)
http://www.spywareinfo.com/hijacked.html
http://gmpservicesinc.com/Articles/hijack.asp (links here for .reg files to
lock and unlock your homepage, BTW. You can also use this program to toggle
locking/unlocking of your homepage:
http://www.dougknox.com/security/scripts/nosethomepage.vbs Recommended)
http://www.mvps.org/inetexplorer/answers.htm#home_page
Also, there's a new class of hijacker using Window's Messenger Service (not
Instant Messaging, BTW). See: Messenger Service Window That Contains an
Internet Advertisement Appears http://support.microsoft.com/?id=330904
which identifies reasons to keep this service and steps to take if you do.
You can test your system and follow the 'Prevention' link to get additional
information here: http://www.mynetwatchman.com/winpopuptester.asp.
These are due to open NetBios ports 135, 137-139 and
445. You really need to block these with a firewall as a general
protection measure. You can stop the popups by turning off Messenger
Service; however, this still leaves you vulnerable.
Messenger Service is not per se Spyware or something that MS did wrong - It
provides a messaging capability which is useful for local intranets and is
also sometimes (albeit nowdays infrequently) used by some applications to
provide popup messaages to users. However, it can also be (and now
frequently is) used to introduce spam via this open NetBios channel.
For a single user home computer, it normally isn't needed and can be
turned off which will eliminate the spam popups. This DOESN'T, however,
remove the vulnerability of having these ports open, when in fact they
aren't needed, since they can be perverted in other ways as well, some
of which can be much more damaging than just a spam popup.
Unless you have very good reasons to keep this active, it should be turned
off in Win2k and XP. Go here and do what it says:
http://www.itc.virginia.edu/desktop/docs/messagepopup/ or, even better, get
MessageSubtract, free, here, which will give you flexible control of the
service and viewing of these messages:
http://www.intermute.com/messagesubtract/help.html Recommended.
(FWIW, ZoneAlarm's default Internet Zone firewall configuration blocks
the necessary ports to prevent this use of Messenger Service. I don't
know the situation with regard to other firewalls.)
Once you get this cleaned up, you might want to consider installing the
SpywareBlaster and SpywareGuard here to help prevent this kind of thing from
happening in the future:
http://www.wilderssecurity.com/spywareblaster.html (Prevents malware Active
X installs) (BTW, SpyWare Blaster is not memory resident ... no CPU or
memory load - but keep it updated) The latest version as of this writing
will prevent installation or prevent the malware from running if it is
already installed, and it provides information and fixit-links for a variety
of parasites.
http://www.wilderssecurity.net/spywareguard.html (Monitors for attempts to
install malware) Both Very Highly Recommended.
See if any of this helps and post back with your results.
--
Please respond in the same thread.
Regards, Jim Byrd, MS-MVP
In
S
siljaline
Slyda said:
Spyware Removal Tools, Lavasoft's "Ad-aware",
Direct download -
http://ftp.pcworld.com/pub/new/privacy___security/aaw6181.exe
Lavasoft/Ad-aware home: http://www.lavasoftusa.com
Mirror site: http://www.lavasoft.de/
*Also* install and run SpyBot Search & Destroy,
Direct download -
http://spybot.eon.net.au/files/spybotsd_mainapp.exe
SpyBot home: http://security.kolla.de/
SpyBot How-To: http://www.tomcoyote.org/SPYBOT/
More detailed help: http://tomcoyote.org/~mosaic1/spybot/
Support Forum, http://net-integration.net/cgi-bin/forum/ikonboard.cgi
Navigate to the SpyBot S&D section.
Install, reboot, read FAQ and overview, use online update feature to obtain the
latest reference files, scan for Spyware much like you would with your
pre-installed anti-virus scanner.
Rid your machine of unwanted Spyware pests.
HTH
--
siljaline
"Arguing with anonymous strangers on the Internet is a sucker's game
because they almost always turn out to be -- or to be indistinguishable from
-- self-righteous sixteen-year-olds possessing infinite amounts of free time."
- Neil Stephenson, _Cryptonomicon_
S
Slyda
Hi there Jim,
Thanks for the help. I already had Spybot installed, and
was using it to check my system. I have since installed
and run the AdAware 6.0 latest build and the BHODemon
neither of which has solved my problem.
I have a feeling that I have somehow gotten rid of the
software, and have been left with some kind of entry into
the setup of the IE menu.
The link appeared a while ago after I hit a few sites
looking for some software to download - it was an advert
for Hardcore Movies. The next time I checked my
Favourites, there was a folder there and a link. I
deleted all of that, and cleared my Temp Files and
cookies to try and make sure I had cleaned my machine,
but now I have this link on my right-click menu.
I was wondering if there was some way to get IE to go
back to its default right-click menu settings. By the
way, I have CNET's Kontiki download manager installed,
and the link is sitting in the same section of the menu
as the Kontiki "Get this with Kontiki" option.
I am guessing that what I need to somehow do is to get
that menu bar back to its default, or to find the
registry that makes that entry appear.
Any thoughts would be appreciated.
Thanks
Thanks for the help. I already had Spybot installed, and
was using it to check my system. I have since installed
and run the AdAware 6.0 latest build and the BHODemon
neither of which has solved my problem.
I have a feeling that I have somehow gotten rid of the
software, and have been left with some kind of entry into
the setup of the IE menu.
The link appeared a while ago after I hit a few sites
looking for some software to download - it was an advert
for Hardcore Movies. The next time I checked my
Favourites, there was a folder there and a link. I
deleted all of that, and cleared my Temp Files and
cookies to try and make sure I had cleaned my machine,
but now I have this link on my right-click menu.
I was wondering if there was some way to get IE to go
back to its default right-click menu settings. By the
way, I have CNET's Kontiki download manager installed,
and the link is sitting in the same section of the menu
as the Kontiki "Get this with Kontiki" option.
I am guessing that what I need to somehow do is to get
that menu bar back to its default, or to find the
registry that makes that entry appear.
Any thoughts would be appreciated.
Thanks
S
Slyda
Stop the presses! 
HiJackThis sorted it out. It managed to find the entry
that was adding the extra link into the IE menu bar and
now it is all sorted out.
Thanks for your help in this!!!
Very much appreciated....
Regards,
Slyda
HiJackThis sorted it out. It managed to find the entry
that was adding the extra link into the IE menu bar and
now it is all sorted out.
Thanks for your help in this!!!
Very much appreciated....
Regards,
Slyda
J
Jim Byrd
YW, Slyda - Glad you got it straightened out.
--
Please respond in the same thread.
Regards, Jim Byrd, MS-MVP
In
--
Please respond in the same thread.
Regards, Jim Byrd, MS-MVP
In