Thread ID: 39997 2003-11-25 02:48:00 FAQ #8b Spyware Susan B (19) Press F1
Post ID Timestamp Content User
194396 2003-11-25 02:48:00 FAQ #8b Spyware

01 - Checking for and removing spyware

02 - Hijacked homepage

03 - New.Net Spyware

04 - Preventing future attacks

05 - So what is spyware?

06 - Links to useful information
Susan B (19)
194397 2003-11-25 02:49:00 01 - Checking for and removing spyware

For those who have been sent to this FAQ to check for or remove spyware use the following free tools:

Firstly scan your computer with an anti-virus program with the latest updated virus definitions installed then follow the steps below.


Download Ad-aware

Download Ad-aware from here (www.lavasoft.de).

Install the program and launch it.

It is strongly recommended that you fully read the included Ad-aware help file to familiarise yourself with the program before removing any files.

Before running the scan look at the top of the main window and you will see a Gear Icon. This is where you configure the settings. Click on that and then in the next window that pops up click on the Scanning tab on the left side. Under Drives and Folders put a tick alongside Scan within archives. If you have more than one partition click on Select drives and folders and put ticks alongside the drives you want scanned. Further down under Memory and Registry put a tick by all the options there.

Now click on the Tweak tab and under Scanning engine ensure that a tick is by Unload recognised processes during scanning. Under Cleaning engine ensure that a tick is by Let windows remove files in use at next reboot then click Proceed.

Next in the Main window click on Check for updates now at the bottom right corner in order to get the latest reference files.

Once Ad-aware has downloaded and installed the latest reference files you are ready to scan.

Click Start and in the next window make sure Active in-depth scan is ticked then click Next and the scan will begin.

When it is finished put a tick by and let it fix everything it finds.

Restart your computer.


Download Spybot

Next download Spybot Search and Destroy from here (http://www.safer-networking.org/).

Install the program and launch it.

Before scanning click on the Online tab then Search for Updates.

Put a tick next to all updates then click on Download updates and wait for them to install.

Click on the Spybot-S&D tab then Check for Problems and when the scan is finished let Spybot fix/remove all it finds marked in RED.

Restart your computer.

Be sure to take advantage of the "Immunize" feature in Spybot (see below).


If Ad-aware and Spybot cannot solve the problem

If you still have problems you may have contracted a particularly difficult to remove piece of spyware, hijacker or trojan.

Other tools to try are the following:

CWShredder (www.spywareinfo.com) utility (by the author of Ad-Aware anti-spyware program and the HijackThis scanning utility).
After installing this small utility, the welcome screen gives you a choice to Scan Only which should be done for safety as well as the educational value, to see where any trojan is hiding. After scanning you may choose Next to proceed with removal.

HijackThis (mjc1.com) is used to examine certain key areas of the Registry and Hard Drive and list their contents. It is advisable to seek help before deleting any entries listed in the HijackThis contents list otherwise you may remove items needed to run legitimate programs and add-ins. Assistance can be found at the links listed on the program's homepage.

IMPORTANT: After using HijackThis and/or CWShredder you must update to the very newest versions of these programs before using either of them again so uninstall these utilities once your system is clean. This is because new variants on trojans can cause older versions of these programs to inflict severe damage on an infected computer.
Susan B (19)
194398 2003-11-25 02:49:00 02 - Hijacked homepage

If your Homepage in Internet Explorer has been hijacked with an unwanted webpage that loads every time you start IE and go online and you have followed the instructions in FAQ #8a How do I reset my homepage in IE? you will now need to follow the instructions for 01 - Checking for and removing spyware.

CWS (CoolWebSearch) is a trojan that hijacks Internet Explorer's start and search settings to one of several different web sites. Most of these web sites appear to have an affiliate relationship with coolwebsearch.com in which CoolWebSearch pays them for every visitor they refer. There could be other domains involved in the future. To remove CWS you need CWShredder as listed above.
Susan B (19)
194399 2003-11-25 02:51:00 03 - New.Net Spyware

If you have installed Imesh you will have also installed the associated spyware including NEW.NET which upon removal may cause Internet Explorer to no longer work but bring up the error message "DNS Error" when trying to load web pages. Your computer may also become very slow.

The following advice was contributed by Jim B for removal of NEW.NET.

This little piece of spyware (NEW.NET) alters the Winsock keys in the Registry to suit its own needs.

Go to Add/Remove programs in the Control Panel.
If you find new.net listed there, remove it.
Reboot when finished and try browsing the internet.

If you are still having the problem of being able to connect to the internet but not being able to go anywhere then do the following:

If using Win XP you won't have the following in Add/Remove, just delete the Winsock2 file.

1) Go to Control Panel>>Add/Remove Programs>>Windows Setup.
Uncheck Communications.
Click Apply>>OK.

It will ask you to reboot. DO NOT REBOOT.

2) Open up the Registry Editor by going to Start>>Run>>regedit.
Browse to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services.
At the bottom of that thread you will see a folder called Winsock2.
Right click on it and delete the file.
Close the registry editor.

3) Go back to Add/Remove Programs>>Windows Components.
Double click on Communications (the word, not the checkmark box).
Put a check in Dial up Networking.
Click OK.

You will be prompted to reboot. This time... REBOOT.

Upon reboot... connect to your ISP and attempt to browse.
Susan B (19)
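An added example (editor's own, not from the post or from Jim B) that lists what is actually registered in the Winsock2 catalog before the key is deleted, so a hijacker's provider DLL, or a dangling entry left behind by a sloppy uninstall, can be seen first. It assumes Windows 2000 or later, where the catalog lives under WinSock2\Parameters, and an elevated PowerShell prompt.

```powershell
# Added example, not part of the original post: enumerate the provider DLLs in
# the Winsock2 catalog and flag entries that are outside the Windows directory
# or that no longer exist on disk. Assumes Windows 2000+ and an elevated prompt.
function Get-WinsockProviders {
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters'
    $results = @()

    # Transport/layered providers: the DLL path is the leading ANSI string
    # (MAX_PATH = 260 bytes) of the REG_BINARY value PackagedCatalogItem.
    $proto = Join-Path $base 'Protocol_Catalog9\Catalog_Entries'
    if (Test-Path $proto) {
        foreach ($key in Get-ChildItem -Path $proto) {
            $bytes = (Get-ItemProperty -Path $key.PSPath).PackagedCatalogItem
            if (-not $bytes) { continue }
            $len = [Math]::Min(260, $bytes.Length)
            $dll = ([System.Text.Encoding]::ASCII.GetString($bytes, 0, $len) -split "`0")[0]
            $results += [pscustomobject]@{ Catalog = 'Protocol'; Entry = $key.PSChildName; Dll = $dll }
        }
    }

    # Name-space providers (DNS resolution etc.): the path is the REG_SZ LibraryPath.
    $ns = Join-Path $base 'NameSpace_Catalog5\Catalog_Entries'
    if (Test-Path $ns) {
        foreach ($key in Get-ChildItem -Path $ns) {
            $dll = (Get-ItemProperty -Path $key.PSPath).LibraryPath
            if (-not $dll) { continue }
            $results += [pscustomobject]@{ Catalog = 'NameSpace'; Entry = $key.PSChildName; Dll = $dll }
        }
    }

    # A provider DLL outside the Windows directory deserves a look; one that is
    # missing from disk breaks the chain, which is the usual cause of the
    # "DNS Error" symptom described above after a removal.
    $winDir = [Environment]::GetFolderPath('Windows')
    foreach ($r in $results) {
        $expanded = [Environment]::ExpandEnvironmentVariables($r.Dll)
        $exists = Test-Path -LiteralPath $expanded
        $inWin = $expanded.StartsWith($winDir, [StringComparison]::OrdinalIgnoreCase)
        $r | Add-Member -NotePropertyName Exists -NotePropertyValue $exists
        $r | Add-Member -NotePropertyName Suspicious -NotePropertyValue (-not $exists -or -not $inWin)
    }
    return $results
}

Get-WinsockProviders | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

On Windows XP SP2 and later, `netsh winsock show catalog` prints the same catalog and `netsh winsock reset` rebuilds it, which is a gentler alternative to deleting the whole Winsock2 key.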
194400 2003-11-25 02:52:00 04 - Preventing future attacks

With contributions from tweak'e


Once you have removed all the spyware from your system the Immunize feature in Spybot used in conjunction with SpywareBlaster (link on Spybot's Immunize page), SpywareGuard and weekly scans with Spybot and Ad-aware will go a long way toward keeping your PC free of these pests and prevent further homepage hijackings. Read the Help file in Spybot relating to Immunity to learn what this feature does and how to use it.

Important!: ALWAYS check for updated detections and reference files before scanning with Spybot and Ad-aware. Also be sure to check for updates to SpywareBlaster and SpywareGuard on a weekly basis and after using HijackThis and/or CWShredder you must update to the very newest versions of these programs before using either of them again.

For those who use the Immunize feature of a product (eg Spybot) be aware that it can prevent Windows Updates from working and you will need to temporarily un-immunize your PC to let it work. Remember to re-immunize your PC after running Windows Update.

Make sure Windows Critical Updates have been applied. Some of the more evil spyware/malware uses flaws in Internet Explorer to auto download and install their software.

A computer does not have to go to a site to get infected - if a computer on the same LAN goes to a dodgy site the site can infect the PC that is sharing the internet to the rest on the LAN. If you are running a Windows router/firewall PC make sure it is kept up-to-date.

Using a software firewall can help in alerting you that you have been infected. However a firewall is of little use if the operator lets the spyware in through the firewall.

Using an alternative browser to Internet Explorer such as Mozilla, Mozilla Firebird, Opera, etc will go a long way towards affording good protection against many of the nasties because they do not utilise the ActiveX controls that are used to cause a lot of the damage.

If you do use Internet Explorer ensure that Download signed ActiveX Controls, Run ActiveX controls and plug-ins and Script ActiveX controls marked safe for scripting are set to Prompt in Tools>Internet Options>Security>Custom Level. When you are prompted for these items only accept those that are necessary and you know should be safe.

Download unsigned ActiveX controls should be set to Disable as should Initialize and script ActiveX controls not marked as safe.

For information on how to configure Internet Explorer to allow safe browsing see this page (hacker-eliminator.com).

The most important way to prevent being infected is the USER reading and understanding what they are installing or clicking on. A common way to infect a PC is to fool the user into downloading/installing software. Some are easy to spot eg "FREE XXXXX software" or "XXXX dialer", others need more caution.
Susan B (19)
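An added example (editor's own, not from the post) that audits the five ActiveX settings named above for the current user's Internet zone and reports any that are looser than the post recommends. It assumes the documented Internet Explorer URL action codes for those settings (1001, 1004, 1200, 1201, 1405) and the value meanings 0 = Enable, 1 = Prompt, 3 = Disable.

```powershell
# Added example, not part of the original post: compare the Internet zone
# (zone 3) ActiveX settings of the current user with the values recommended
# above. Assumes the standard IE URL action codes and 0/1/3 = Enable/Prompt/Disable.
function Test-InternetZoneActiveX {
    $zone = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
    # Wanted values per the FAQ: Prompt for the three "use" actions, Disable
    # for unsigned downloads and for unsafe initialise/script.
    $policy = [ordered]@{
        '1001' = @{ Name = 'Download signed ActiveX controls';                          Want = 1 }
        '1004' = @{ Name = 'Download unsigned ActiveX controls';                        Want = 3 }
        '1200' = @{ Name = 'Run ActiveX controls and plug-ins';                         Want = 1 }
        '1201' = @{ Name = 'Initialize and script ActiveX controls not marked as safe'; Want = 3 }
        '1405' = @{ Name = 'Script ActiveX controls marked safe for scripting';         Want = 1 }
    }
    $label = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

    # Caveat: if the machine-wide Security_HKLM_only policy is set, IE reads the
    # HKLM Zones key instead and this per-user audit does not reflect the effective setting.
    if (-not (Test-Path $zone)) { throw "Zone key not found: $zone" }
    $props = Get-ItemProperty -Path $zone

    foreach ($code in $policy.Keys) {
        $want    = $policy[$code].Want
        $current = $props.$code
        if ($null -eq $current) {
            # Value absent: IE uses the zone template default, so check it in the UI.
            $currentLabel = 'NotSet'
            $ok = $false
        } else {
            $current = [int]$current
            $currentLabel = if ($label.ContainsKey($current)) { $label[$current] } else { "$current" }
            # Disable is stricter than Prompt, so accept 3 where 1 is wanted.
            $ok = ($current -eq $want) -or ($current -eq 3 -and $want -eq 1)
        }
        [pscustomobject]@{
            Code    = $code
            Setting = $policy[$code].Name
            Current = $currentLabel
            Wanted  = $label[$want]
            Ok      = $ok
        }
    }
}

Test-InternetZoneActiveX | Format-Table -AutoSize
```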
194401 2003-11-25 02:53:00 05 - So what is spyware?

Spyware can make your computer and/or internet browsing run much slower than it used to and can change your Homepage to something other than one you have chosen yourself, often to porn sites. Other nasties that can install themselves onto your computer are diallers which use your internet connection to dial out to overseas phone numbers and rack up expensive toll calls.

For an explanation of what spyware is and what it does have a look at this page (www.simplythebest.net).


A word about Adware

Adware is generally different to spyware. Many programs come with adware to support the creation and development of the free program that you would otherwise have to pay for. A scan with Ad-aware lists the adware files and allows you to choose which you wish to delete. You can then check out whether the program's adware is invasive or not by looking it up in Google.

If you use an application that contains adware, you know about it and it acts reasonably (ie not covertly but fully explains its functions) then you could consider tolerating it as a small price to pay for a free program.
Susan B (19)
194402 2003-11-25 02:55:00 06 - Links to useful information

Net-Integration (www.net-integration.net): Information on how to tighten your security settings and how to help prevent future attacks. Includes links to Javacool's SpywareBlaster and SpywareGuard. Get them both and check for updates frequently.

Net-Integration (www.net-integration.net): So how did I get infected in the first place?

Net-Integration (www.net-integration.net ct=ST;f=38;t=2710): List of all known Browser Helper Objects (BHOs).

Spy Checker (http://www.spychecker.com/): Spyware tools.

DarnIt (www.mvps.org): List of spyware and other parasites.

SpywareInfo (www.spywareinfo.com): Spyware information and tools.
Susan B (19)