August 8th 04, 11:53 PM
Walter Clayton
Ask Windows XP Expert Walter Clayton About Spyware

Yep, t'ain't nothing can be done about the person at the keyboard. BTDTBTTS
:-)

Depending on how competent you are you can do what I do when I'm on site. Go
to http://www.nu2.nu and grab Bart's PE. You'll need either a standard
retail/oem CD (not a restore set) or an I386 directory on disk. Follow
the instructions and you can create a stand alone XP environment that has
AdAware, command line AV scanners, and other tools you feel you need. It's a
lot easier to nail some of the trickier variants that load themselves in safe
mode. And since it has full networking support you can push data across a
network to another machine if things get really nasty.

I've tussled with some of the more wily varieties myself and never had to
disable SR. I have hand massaged the registry and clipped nasties off the
drive either in safe mode when AdAware and Spybot were prohibited from
correcting the registry (and that gets tricky with an active nasty :-) or
via Bart's.

TrendMicro has stepped up to the plate and offers a free tool
(http://www.trendmicro.com/download/dcs.asp) that I've started to use. Also
there's a tool at http://www.silentrunners.org/ that identifies stuff
launching with the system that isn't part of a default virgin install. Use
extreme care when interpreting the results. Some people have
unintentionally shot themselves in the foot extremely badly (flatlined the
system) when hacking the wrong thing out of the registry. Couple that with
http://www.sysinternals.com/ntw2k/fr...autoruns.shtml and, if you're
really competent, at ftp://ftp.kaspersky.ru/utils/ you'll find a Trojan
Finder tool that will let you determine what is preventing you from
terminating a task. It will also let you kill tasks. There's some other
handy stuff there as well.

--
Walter Clayton - MS MVP(WinXP)
Associate Expert
http://www.microsoft.com/windowsxp/expertzone
Any technology distinguishable from magic is insufficiently advanced.
http://www.dts-l.org
http://support.microsoft.com/servicedesks/fileversion/default.asp


"zippy" wrote in message
ink.net...
Well I hear what you are saying. But I wouldn't want to have to restore to
a point where I had the scumware and have to start back at ground zero
trying to get rid of it. I'd lose all my hair. Guess I've just got lucky
with the way I have been doing it for a while. I have found that this
Coolweb thingy has many variants and some variants are easier to get rid of
with just adaware, spybot, CWShredder, and HijackThis. While on other
computers I've worked on they weren't quite so easy. The version I had even
got past my firewall. Mistyped an address and got directed to a malicious
website and before I knew it I had programs like NotePad and Windows Media
player asking for permission to access the net through ZoneAlarm. Right
then and there I knew something was wrong as these shouldn't have been
asking for permission. I tried running Spybot, Adaware, and HijackThis,
even from safe mode. But I was unable to get rid of it totally till I
disabled system restore and then scanned in safe mode. It was still asking
for permission. I usually use AVG free for virus scans, but this program is
unable to scan in safe mode normally and was not detecting any viruses so I
ran Norton from CD, in case the variant I had disabled installed scanners.
This also found Trojan Downloader that was created on the same day as
Coolweb. I'm thinking these two went hand in hand. I was still getting
pop-ups, programs still asking for permission. Once I disabled restore and
then ran all these programs again it was able to quarantine most items. I was
no longer getting all the pop-ups. Programs were no longer asking for
permission. But I still had to manually remove Content.IE5. These infected
items were found in the index.dat file that Norton was unable to remove.
Had to fix Notepad. So, I've found that even with virus scanners, spyware
removal tools and a firewall doesn't mean you are protected 100%. To date,
they still don't have software for Operator Error :-)) That's why now I've
been very diligent backing up to CD any information that I really really
need, and if something does go wrong, it's just as easy for me now to just do a
clean install of XP rather than restore. Although this is a last resort.

"Walter Clayton" wrote in message
...
;-)

Trust me or not. Disabling SR during the weed out is dangerous. Once the
machine is clean *then* purge SR and snap a base line.
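An added example, not from this thread, of the baseline check Walter describes: a snapshot of startup items compared against one taken from a clean machine, which is what Silent Runners and Autoruns let you do by hand. The snapshot format, registry keys, paths and hash values below are constructed for illustration; the hashes are placeholders, not real file digests.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Entry:
    location: str  # registry key or startup folder the item launches from
    name: str      # value name or shortcut name
    image: str     # path of the image the entry runs
    sha256: str    # hash of that image on disk (placeholder values below)

def parse_snapshot(text: str) -> Dict[Tuple[str, str], Entry]:
    """Parse 'location<TAB>name<TAB>image<TAB>sha256' lines (constructed format)."""
    table: Dict[Tuple[str, str], Entry] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        loc, name, image, digest = line.split("\t")
        table[(loc.lower(), name.lower())] = Entry(loc, name, image, digest)
    return table

def diff_autostarts(baseline: Dict[Tuple[str, str], Entry],
                    current: Dict[Tuple[str, str], Entry]) -> dict:
    """Entries that are new, gone, or now point at a different or modified image."""
    added = [e for k, e in current.items() if k not in baseline]
    removed = [e for k, e in baseline.items() if k not in current]
    changed = [(baseline[k], e) for k, e in current.items() if k in baseline
               and (baseline[k].image.lower() != e.image.lower()
                    or baseline[k].sha256 != e.sha256)]
    return {"added": added, "removed": removed, "changed": changed}

def rows_to_text(rows: List[Tuple[str, str, str, str]]) -> str:
    """Build snapshot text from tuples so the constructed sample stays readable."""
    return "\n".join("\t".join(r) for r in rows)

RUN_HKLM = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_HKCU = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
# Constructed snapshots: a clean baseline and a later capture of the same box.
BASELINE = rows_to_text([
    (RUN_HKLM, "AVG", r"C:\Program Files\Grisoft\AVG Free\avgcc.exe", "bbbb2222"),
    (RUN_HKCU, "ctfmon", r"C:\WINDOWS\system32\ctfmon.exe", "cccc3333"),
])
CURRENT = rows_to_text([
    (RUN_HKLM, "AVG", r"C:\Program Files\Grisoft\AVG Free\avgcc.exe", "bbbb2222"),
    # same name and path as the baseline, but the file on disk no longer matches
    (RUN_HKCU, "ctfmon", r"C:\WINDOWS\system32\ctfmon.exe", "dddd4444"),
    # a new entry launching from the browser cache: not part of any default install
    (RUN_HKCU, "Update", r"C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\XYZ\update.exe", "eeee5555"),
])
```

Run `diff_autostarts(parse_snapshot(BASELINE), parse_snapshot(CURRENT))` to get the new entry and the modified ctfmon image; the same comparison against a snapshot taken right after the clean install is the base line Walter suggests keeping.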