A Windows XP help forum. PCbanter


Ask Windows XP Expert Walter Clayton About Spyware



 
 
#61
August 18th 04, 08:19 PM
Outsource Victim #21199374
Ask Windows XP Expert Walter Clayton About Spyware

Walter,

I recently found some information regarding how some spyware/adware may use
the AppInit_DLLs registry value to load their DLLs. I checked several
non-infected machines and noticed that this particular registry value was
null on all that I checked:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs = {blank}

Obviously, Microsoft placed this registry value there for a reason. What
might typically be a legitimate use of this value? I'm just trying to make
sure that I do not take out something that belongs. Just to be safe, I
typically just rename a copy of the registry key with its original value.
But my curiosity compels me about this one.

"Walter Clayton" wrote:

Generally all I use is AdAware first followed by SpyBot. There's a lot of
overlap in the two tools, but they also concentrate on non-overlapping
areas. It's also wise to follow up with installing SpywareBlaster. None of
these require run time presences although SpyBot will offer to install such.
No harm in doing so and in some instances, especially with multi-user
machines, a necessity. The biggest issue is remembering to run them
periodically after checking for updates. The latter is one of the reasons,
other than not changing usage habits, that people get reinfected. It's
easier to avoid being click happy than it is to clean up the mess
afterwards.

There are instances where AdAware/SpyBot may be neutralized or unable to
clean something. I handle those on a case by case basis since you're looking
at going with some highly specialized tools that if misused will leave the
machine unbootable (note that there is a nasty that the current version of
AdAware had been cleaning incorrectly that would make it impossible to log
on to the machine without taking corrective action).

Depending on your level of expertise there are some tools that circumvent
issues with removing nasties that are resident in memory even in safe mode.
If an XP machine is being disinfected I use a bootable CD created using
Bart's tools with fully updated AdAware, Trendmicro, McAfee and Kaspersky
tools (all free versions) incorporated. This also allows me to correct any
registry issues on the host machine without any major hassles other than
knowing what parts of the registry need be hacked. The reason I include and
run AV scanners is generally if someone has a load of spyware it's not
unusual they'll have nastier stuff as well.

--
Walter Clayton - MS MVP(WinXP)
Associate Expert
http://www.microsoft.com/windowsxp/expertzone
Any technology distinguishable from magic is insufficiently advanced.
http://www.dts-l.org
http://support.microsoft.com/servicedesks/fileversion/default.asp|


"Andrew" wrote in message
...


I already know what spyware can do to your computer, but what are the best
spyware and adware remover programs out there? I'm using Spybot 1.3 and
Ad-aware 6.0 from Lavasoft, and I heard that having two good spyware and
adware remover programs will remove about 90% of spyware and adware from
your computer and keep it out.



#62
August 19th 04, 01:25 AM
Ronnie Vernon MVP
Ask Windows XP Expert Walter Clayton About Spyware


Found this on the MSDN website.

quote
Application Global Classes
An application global class is a window class registered by an executable or
dynamic-link library (DLL) that is available to all other modules in the
process. For example, your .dll can call the RegisterClassEx function to
register a window class that defines a custom control as an application
global class so that a process that loads the .dll can create instances of
the custom control.

Windows NT/Windows 2000/Windows XP: To create a class that can be used in
every process, create the window class in a .dll and load the .dll in every
process. To load the .dll in every process, add its name to the AppInit_DLLs
value in following registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows

Whenever a process starts, the system loads the specified .dll in the
context of the newly started process before calling its entry-point
function. The .dll must register the class during its initialization
procedure and must specify the CS_GLOBALCLASS style. For more information,
see Class Styles.

To remove an application global class and free the storage associated with
it, use the UnregisterClass function.
/quote

About Window Classes (Windows User Interface):
http://msdn.microsoft.com/library/en...asp?frame=true

Or

http://tinyurl.com/69na8
--
Regards,

Ronnie Vernon
Microsoft MVP
Windows Shell/User

Please reply to the newsgroup so all may benefit.
http://www.dts-l.org
http://www.mvps.org
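The MSDN text above explains the mechanism; the check a responder actually wants on a suspect box is whether the value is populated, what each name resolves to on disk, whether the file is signed, and which running processes have already pulled it in. The PowerShell below is an added example, not part of Ronnie's post and not code from any tool the thread mentions. It assumes an elevated Windows PowerShell 5.1 (or newer) session on a modern Windows host; the Wow6432Node path and the LoadAppInit_DLLs / RequireSignedAppInit_DLLs values do not exist on XP, and the script reports them as absent there.

```powershell
# Added example, not from the thread. Audit AppInit_DLLs on a live host:
# what is listed, whether the loader will honour it, where each DLL lives,
# whether it is signed, and which running processes have it loaded.
# Assumes an elevated Windows PowerShell 5.1+ session. The Wow6432Node key
# is the 32-bit view and exists only on 64-bit Windows.

$AppInitKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)

function Get-AppInitEntries {
    param([string[]]$Keys = $AppInitKeys)
    foreach ($key in $Keys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        # AppInit_DLLs is a REG_SZ; the loader accepts space- or comma-separated names.
        $raw = [string]$props.AppInit_DLLs
        # LoadAppInit_DLLs (Vista+) must be 1 for the list to be used at all, and
        # RequireSignedAppInit_DLLs (Win7+) limits it to signed DLLs. Neither exists
        # on XP, where a non-empty AppInit_DLLs is always loaded.
        $load   = $props.PSObject.Properties['LoadAppInit_DLLs']
        $signed = $props.PSObject.Properties['RequireSignedAppInit_DLLs']
        $loadState = if ($load)   { [int]$load.Value }   else { 'n/a (always loaded)' }
        $signState = if ($signed) { [int]$signed.Value } else { 'n/a' }
        [pscustomobject]@{
            Key           = $key
            AppInit_DLLs  = $raw
            LoadEnabled   = $loadState
            RequireSigned = $signState
            Entries       = @($raw -split '[,\s]+' | Where-Object { $_ })
        }
    }
}

function Resolve-AppInitDll {
    param([string]$Name)
    # A bare file name goes through the normal DLL search order, so look in
    # the system directories the way the loader would.
    if ([System.IO.Path]::IsPathRooted($Name)) {
        $item = Get-Item -LiteralPath $Name -ErrorAction SilentlyContinue
        if ($item) { return $item.FullName } else { return $null }
    }
    foreach ($dir in @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64", $env:SystemRoot)) {
        $candidate = Join-Path $dir $Name
        if (Test-Path -LiteralPath $candidate) { return $candidate }
    }
    return $null
}

function Get-ProcessesWithModule {
    param([string]$Path)
    $leaf = [System.IO.Path]::GetFileName($Path)
    foreach ($proc in Get-Process) {
        try {
            $match = $proc.Modules | Where-Object { $_.FileName -ieq $Path -or $_.ModuleName -ieq $leaf }
            if ($match) { "$($proc.ProcessName) ($($proc.Id))" }
        } catch {
            # Access denied on protected or other-bitness processes is expected; skip them.
        }
    }
}

foreach ($hit in Get-AppInitEntries) {
    "== $($hit.Key)"
    "   LoadAppInit_DLLs=$($hit.LoadEnabled)  RequireSignedAppInit_DLLs=$($hit.RequireSigned)"
    if ($hit.Entries.Count -eq 0) {
        "   AppInit_DLLs is empty (the normal state on a clean machine)"
        continue
    }
    foreach ($entry in $hit.Entries) {
        $path = Resolve-AppInitDll -Name $entry
        if (-not $path) { "   !! '$entry' is listed but not found on disk"; continue }
        $sig      = Get-AuthenticodeSignature -FilePath $path
        $loadedIn = @(Get-ProcessesWithModule -Path $path)
        "   $entry -> $path"
        "      signature: $($sig.Status)  signer: $($sig.SignerCertificate.Subject)"
        "      loaded in $($loadedIn.Count) process(es): $($loadedIn -join ', ')"
    }
}
```

AppInit DLLs are loaded by user32.dll, so they land in every process that maps user32.dll rather than literally every process; a console tool that never touches user32 will not show the DLL. An entry that is listed but missing on disk is itself a finding: something was installed and only partly cleaned. Get-AuthenticodeSignature says whether the file is signed, not whether it is benign; an unsigned DLL in System32 that nearly every process has loaded is what the spyware discussed in this thread looks like.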


#63
August 19th 04, 04:39 AM
Walter Clayton
Ask Windows XP Expert Walter Clayton About Spyware

What Ronnie said. :-)

The script "silent runners.vbs" from http://www.siltenrunners.org identifies
anything unusual in this registry key. Since the core OS isn't dependent on
anything being launched there, doing a rename is safe. At most the
functionality of a legitimate app may be impacted, but doing renames instead
of deletes makes it relatively easy to back out.

--
Walter Clayton - MS MVP(WinXP)
Associate Expert
http://www.microsoft.com/windowsxp/expertzone
Any technology distinguishable from magic is insufficiently advanced.
http://www.dts-l.org
http://support.microsoft.com/servicedesks/fileversion/default.asp|
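Walter's rename-instead-of-delete advice, worked through in PowerShell as an added example (this is not Walter's own procedure or code): export the key first, move the value aside under a backup name, set the live value to the empty string that a clean machine shows, and keep a one-call way back. It assumes an elevated session and reg.exe's /y switch; the backup value name AppInit_DLLs_backup and the backup folder are names chosen for the example.

```powershell
# Added example, not from the thread. Neutralise AppInit_DLLs without losing
# the original value, in the rename-not-delete spirit of the post above.
# Assumes an elevated session; the backup folder and the backup value name
# are arbitrary choices for this example.

$AppInitKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$BackupName = 'AppInit_DLLs_backup'   # hypothetical name for the moved-aside copy

function Backup-AppInitKey {
    param([string]$BackupDir = "$env:SystemRoot\Temp\appinit-backup")
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $file  = Join-Path $BackupDir "Windows-key-$stamp.reg"
    # A .reg export can be re-imported from boot media if the live system
    # later refuses to start, which is the failure mode the thread warns about.
    & reg.exe export 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows' $file /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg.exe export failed with exit code $LASTEXITCODE" }
    return $file
}

function Disable-AppInitDlls {
    # Rename rather than delete: the old list survives under $BackupName and
    # the live value becomes an empty string, the state seen on clean machines.
    $current = (Get-ItemProperty -LiteralPath $AppInitKey).AppInit_DLLs
    if ([string]::IsNullOrWhiteSpace($current)) { return 'AppInit_DLLs is already empty' }
    Rename-ItemProperty -LiteralPath $AppInitKey -Name 'AppInit_DLLs' -NewName $BackupName
    New-ItemProperty -LiteralPath $AppInitKey -Name 'AppInit_DLLs' -PropertyType String -Value '' | Out-Null
    return "moved '$current' to $BackupName"
}

function Restore-AppInitDlls {
    # Back-out path: drop the empty live value and rename the backup into place.
    $props = Get-ItemProperty -LiteralPath $AppInitKey
    if (-not $props.PSObject.Properties[$BackupName]) { return 'no backup value present' }
    Remove-ItemProperty -LiteralPath $AppInitKey -Name 'AppInit_DLLs' -ErrorAction SilentlyContinue
    Rename-ItemProperty -LiteralPath $AppInitKey -Name $BackupName -NewName 'AppInit_DLLs'
    return "restored '$((Get-ItemProperty -LiteralPath $AppInitKey).AppInit_DLLs)'"
}

$regFile = Backup-AppInitKey
"exported key to $regFile"
Disable-AppInitDlls
# Reboot and re-check. If a legitimate application stopped working:
#   Restore-AppInitDlls
```

Processes that already loaded the DLL keep it until they restart, so reboot before judging the result. If the value is populated again after the reboot, something still running is re-writing it, and the cleanup has to happen offline from boot media as Walter describes rather than on the live system.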



#64
August 19th 04, 05:23 PM
sapper
Ask Windows XP Expert Walter Clayton About Spyware



"Chris Norred [MSFT]" wrote:

Hello and welcome to our first Ask-the-Experts discussion, moderated by the Windows XP Expert Zone Community. This is a new trial effort and our goal is to make it easy for you to ask questions and find answers on a specific topic from a recognized expert in the online community. We’ll continue this discussion in the newsgroups for one week and our volunteer expert will select one or two questions each day and respond. Other experts and users online may also chime in with advice. At the end of the week, we hope to have a single thread filled with good information that can be preserved for the benefit of other users in the future.

This week, our expert host is volunteer MVP Walter Clayton who will be discussing the topic of spyware and adware and his experience helping users in the newsgroups deal with spyware issues. Walter is an IT professional from Frankfort, Kentucky. He is a self-trained computing pro with 20 years of experience, and he has been helping people in the online community for many years. Walter is a recipient of the Microsoft Most Valuable Professional (MVP) award for his volunteer efforts helping Windows users over the past five years.
A quote from Mr. Clayton:
“I enjoy working the newsgroups because it forces me to think and learn. Everyday I get a slightly different perspective on something or see a new situation or problem. There is also the challenge of keeping communication skills sharp. Determining the answer to a problem, and communicating it in the newsgroups can present its own set of challenges, especially at times when the wrong answer can leave the user in a no-boot situation.”

Our Ask the Experts discussion is different from the live chats hosted on the Windows XP Expert Zone Community site (http://communities2.microsoft.com/ho...iteid=34000077).

In these discussions, you may not get an immediate answer. The hosts will check-in at a time convenient for them and answer questions. You can post a question any time. Then you may want to add the discussion to your Favorites list in Internet Explorer (Click Favorites, and then click Add to Favorites). You should check back later in the day, or the next day, to see if your question has been answered. Click the Refresh button to see if any new posts were added while you have been reading. If you’re more comfortable using Outlook Express or another newsreader, please do.

To post a question or reply in this discussion, using the Web-based newsgroup reader:
1. Click Reply.
2. If prompted, sign in with your .NET Passport.
3. Edit the subject line if you like.
4. In the Reply form, type your message or question in the Message box.
5. Review the text you typed in the Body box to make sure it says what you want; you cannot revise your message after you click Post.
6. To receive e-mail notification when someone posts to this thread, select the Notify me of replies check box.
7. Click Send.

This is a new trial effort and your feedback and assistance are appreciated. We’ll keep links to these discussions in the Windows XP Expert Zone Community Columns Archive
(http://www.microsoft.com/windowsxp/e...s/archive.mspx).
Truly
Chris Norred
Editor
Windows XP Expert Zone Community




#65
August 20th 04, 06:31 AM
Zyklon -B
Ask Windows XP Expert Walter Clayton About Spyware

Recently I have been hounded by this search assistant hijacker, and a
related one called Shopping wizard. It has disabled MS explorer, amongst
other things. Also seems to be able to manipulate Spybot. They both show up
in the "add/remove" control panel and lead to a URL with no .isu file, so they
cannot be uninstalled. Oh, and here's where it gets really nasty: I
reinstalled XP, and there it was again, in the Windows directory, just a
collection of .dll's and an .lex file. The file folder cannot be deleted, or
if you are successful, wait 5 seconds and it respawns. Is this some MS
programmer's "Easter Egg"? By the way, Norton does not catch it in a virus
sweep. I tied the file to these .exe's using FileAlyzer:
wuauclt.exe, lsass.exe, smss.exe, alg.exe, and I suspect it also has claws in a
few others. Can you help?
#66
August 20th 04, 03:37 PM
dagi
Ask Windows XP Expert Walter Clayton About Spyware


#67
August 20th 04, 03:43 PM
dagi
Ask Windows XP Expert Walter Clayton About Spyware

Hi!
I have the following problem:

The Network Address Translator (NAT) was unable to issue a request to the
kernel-mode translation module. There may be an incorrect configuration,
insufficient resources, or an internal error. The data contains the error
code.

Error number is: 32003

Can you help me??
Thanks
dagi

#68
August 20th 04, 05:59 PM
Ronnie Vernon MVP
Ask Windows XP Expert Walter Clayton About Spyware


As you have seen, this parasite is a particularly nasty one. I would not
recommend trying to get rid of it without some expert one-on-one help.

Go to the following URL and download the Hijackthis.zip file. Expand the zip
file and run setup to install the program.

http://aumha.org/downloads/hijackthis.zip

Next, go to this website and click on the Register link at the top of the
page (Free). Read the
"Announcement: INSTRUCTIONS FOR POSTING HJT LOGS HERE" at the top of the
topics list
and follow the instructions.

AumHa Forums:
http://forum.aumha.org/viewforum.php?f=30

Run a scan with Hijackthis and copy the log results. Paste the log to the
Hijackthis forum, in a new thread, including the details of the problem.

--
Ronnie Vernon
Microsoft MVP
Windows Shell/User


#69
August 20th 04, 06:37 PM
Me
I need help!

My disc drive doesn't show up at all. What should I do?

P.S.
Only 11, need help fast!
#70
August 20th 04, 06:37 PM
Me
Ask Windows XP Expert Walter Clayton About Spyware


#71
August 20th 04, 07:57 PM
Outsource Victim #21199374
Ask Windows XP Expert Walter Clayton About Spyware

Thanks Walter.
Does anyone know what happened to silentrunners.org web site? It seems to be
having a problem all day today. If I could get to that site, I'd like to add
their tools to my arsenal of spyware/adware/malware/crapware/foistware
utilities. I'll try again later.

#72
August 20th 04, 08:07 PM
Walter Clayton
Ask Windows XP Expert Walter Clayton About Spyware

A bit vague on the details, but, welcome to the world of serious crapware.
Cleaning these is a PITA at best.

You can go the route that Ronnie suggested or if you want to take a serious
stab at the problem yourself the easiest way is by creating a safe
environment that you can then use to rip the nasty out by the roots. That
requires some hefty technical expertise though.

First shot is to give TrendMicro a shot. Not knowing the exact variety of
the nasty you have I can't say one way or the other if Trend's package
addresses this specific nasty. Get the scanner here
http://www.trendmicro.com/download/dcs.asp and the signature file here
http://www.trendmicro.com/download/pattern-cpr.asp

Also, go here http://www.silentrunners.org/ and grab "silent runners.vbs".
When you run it, NAV will scream bloody murder. Tell NAV to let it run. This
will tell you what's hooked the system that's not part of a clean OS
install. Use *extreme* caution if you decide to address anything that this
tool points out. There are legitimate apps that hook the system in unusual
ways and people have flatlined systems past the point of recovery by doing
the wrong thing. If you need help analyzing the results, just copy and paste
the output file back here.

--
Walter Clayton - MS MVP(WinXP)
Associate Expert
http://www.microsoft.com/windowsxp/expertzone
Any technology distinguishable from magic is insufficiently advanced.
http://www.dts-l.org
http://support.microsoft.com/servicedesks/fileversion/default.asp|


#73
August 20th 04, 08:11 PM
Walter Clayton
Ask Windows XP Expert Walter Clayton About Spyware

I just went there about 10 minutes ago without any problems.

You may also want to add Autoruns from http://www.sysinternals.com (as well
as other nice tools they have) to your kit. Be careful about using it to
disable startup items though. The way they do it doesn't quite work.

--
Walter Clayton - MS MVP(WinXP)
Associate Expert
http://www.microsoft.com/windowsxp/expertzone
Any technology distinguishable from magic is insufficiently advanced.
http://www.dts-l.org
http://support.microsoft.com/servicedesks/fileversion/default.asp|
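Silent Runners (post #72) and Autoruns (post #73) answer "what hooks this system that a clean install does not have" by knowing the autostart locations. The cheap version of that is to snapshot those locations on a known-clean machine and diff a suspect one against it. The PowerShell below is an added example, not code from Silent Runners, Autoruns or anyone in the thread, and it covers only a handful of the locations those tools enumerate. It assumes an elevated session on PowerShell 3.0 or newer (for Get-CimInstance); the file paths in the usage comments are placeholders.

```powershell
# Added example, not from the thread and not code from Silent Runners or
# Autoruns. Snapshot a few common autostart locations to a text file on a
# known-clean machine, then diff a suspect machine against it.
# Assumes an elevated session on PowerShell 3.0+ (Get-CimInstance).

$AutostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',          # AppInit_DLLs
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',         # Shell, Userinit
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

function Get-AutostartSnapshot {
    # One "key|name=value" line per registry value, one "key|subkey=CLSID" line
    # per subkey (BHOs and shell hooks register that way), and one line per
    # service and driver image path. Sorted so two snapshots diff cleanly.
    $lines = @(foreach ($key in $AutostartKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            "$key|$name=$($item.GetValue($name))"
        }
        foreach ($sub in $item.GetSubKeyNames()) { "$key|subkey=$sub" }
    })
    $lines += @(Get-CimInstance Win32_Service      | ForEach-Object { "service|$($_.Name)=$($_.PathName)" })
    $lines += @(Get-CimInstance Win32_SystemDriver | ForEach-Object { "driver|$($_.Name)=$($_.PathName)" })
    $lines | Sort-Object -Unique
}

function Save-AutostartBaseline {
    param([string]$Path)
    Get-AutostartSnapshot | Set-Content -LiteralPath $Path -Encoding UTF8
}

function Compare-AutostartToBaseline {
    param([string]$BaselinePath)
    $baseline = @(Get-Content -LiteralPath $BaselinePath)
    $current  = @(Get-AutostartSnapshot)
    # '=>' means present now but not in the baseline: the hooks that are
    # "not part of a clean OS install". '<=' means something the baseline had
    # is gone, which is also worth a look (a disabled AV service, say).
    Compare-Object -ReferenceObject $baseline -DifferenceObject $current | ForEach-Object {
        $tag = if ($_.SideIndicator -eq '=>') { 'ADDED  ' } else { 'REMOVED' }
        "$tag $($_.InputObject)"
    }
}

# On the clean reference machine (path is a placeholder):
#   Save-AutostartBaseline -Path 'C:\baseline\autostart-clean.txt'
# On the suspect machine, with that file copied across:
#   Compare-AutostartToBaseline -BaselinePath 'C:\baseline\autostart-clean.txt'
```

An ADDED line means investigate, not delete: legitimate installs also add Run entries, services and BHOs, which is exactly the caution Walter gives about flatlining systems. Run it as the affected user, since the HKCU entries are per-user. The snapshot also only sees what the live registry API returns; a rootkit that hides its values from the running system will produce a clean diff, which is one reason Walter scans from a Bart PE CD rather than from the infected OS.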


"Outsource Victim #21199374"
wrote in message
...
Thanks Walter.
Does anyone know what happened to silentrunners.org web site? It seems to be
having a problem all day today. If I could get to that site, I'd like to add
their tools to my arsenal of spyware/adware/malware/crapware/foistware
utilities. I'll try again later.

"Walter Clayton" wrote:

What Ronnie said. :-)

The script "silent runners.vbs" from http://www.siltenrunners.org identifies
anything unusual in this registry key. Since the core OS isn't dependent on
anything being launched there, doing a rename is safe. At most the
functionality of a legitimate app may be impacted, but doing renames instead
of deletes makes it relatively easy to back out.

--
Walter Clayton - MS MVP(WinXP)
Associate Expert
http://www.microsoft.com/windowsxp/expertzone
Any technology distinguishable from magic is insufficiently advanced.
http://www.dts-l.org
http://support.microsoft.com/servicedesks/fileversion/default.asp|


"Outsource Victim #21199374" Outsource Victim
wrote in message
...
Walter,

I recently found some information regarding how some spyware/adware may use
the AppInit_DLLs registry value to load their DLLs. I checked several
non-infected machines and noticed that this particular registry value was
null on all that I checked:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs = {blank}

Obviously, Microsoft placed this registry value there for a reason. What
might typically be a legitimate use of this value? I'm just trying to make
sure that I do not take out something that belongs. Just to be safe, I
typically just rename a copy of the registry key with its original value.
But my curiosity compels me about this one.

"Walter Clayton" wrote:

Generally all I use is AdAware first followed by SpyBot. There's a lot of
overlap in the two tools, but they also concentrate on non-overlapping
areas. It's also wise to follow up with installing SpywareBlaster. None of
these require run time presences although SpyBot will offer to install such.
No harm in doing so and in some instances, especially with multi-user
machines, a necessity. The biggest issue is remembering to run them
periodically after checking for updates. The latter is one of the reasons,
other than not changing usage habits, that people get reinfected. It's
easier to avoid being click happy than it is to clean up the mess
afterwards.

There are instances where AdAware/SpyBot may be neutralized or unable to
clean something. I handle those on a case-by-case basis since you're looking
at going with some highly specialized tools that if misused will leave the
machine unbootable (note that there is a nasty that the current version of
AdAware had been cleaning incorrectly that would make it impossible to log
on to the machine without taking corrective action).

Depending on your level of expertise there are some tools that circumvent
issues with removing nasties that are resident in memory even in safe mode.
If an XP machine is being disinfected I use a bootable CD created using
Bart's tools with fully updated AdAware, Trendmicro, McAfee and Kaspersky
tools (all free versions) incorporated. This also allows me to correct any
registry issues on the host machine without any major hassles other than
knowing what parts of the registry need be hacked. The reason I include and
run AV scanners is generally if someone has a load of spyware it's not
unusual they'll have nastier stuff as well.

--
Walter Clayton - MS MVP(WinXP)
Associate Expert
http://www.microsoft.com/windowsxp/expertzone
Any technology distinguishable from magic is insufficiently advanced.
http://www.dts-l.org
http://support.microsoft.com/servicedesks/fileversion/default.asp|


"Andrew" wrote in message
...


I already know what Spyware can do and all to your computers, but what is
the best Spyware and Ad-aware remover programs out there? I'm using Spybot
1.3 and Ad-aware 6.0 from Lavasoft, and I heard having two good Spyware
and Ad-aware remover programs that it will remove about 90% of Spyware
and Ad-aware off your computer and keep it out.
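Walter's reply quoted above recommends checking what is listed under AppInit_DLLs and renaming rather than deleting so the change can be backed out. The script below is an added example illustrating that workflow; it is not from the thread, nor from Silent Runners or Autoruns. It assumes an elevated PowerShell on the machine being inspected; the backup directory `C:\Temp\appinit-backup` and the value name `AppInit_DLLs_disabled` are constructed placeholders, and resolving a bare DLL name against the system directory is a simplification of the loader's search order.

```powershell
# Added example (not from the thread): audit the AppInit_DLLs autostart value and
# keep a copy of it before touching anything, in the spirit of "rename, don't delete".
# Assumptions: elevated PowerShell on the inspected machine; $BackupDir is a placeholder.
$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$RegExport = 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$BackupDir = 'C:\Temp\appinit-backup'   # placeholder, pick your own location

function Get-AppInitDlls {
    # Returns the entries listed in AppInit_DLLs, or an empty array when the value is blank.
    $props = Get-ItemProperty -Path $KeyPath -ErrorAction Stop
    $raw = [string]$props.AppInit_DLLs
    if ([string]::IsNullOrWhiteSpace($raw)) { return @() }
    # Entries are separated by spaces or commas; surrounding quotes are tolerated.
    return @($raw -split '[ ,]+' | ForEach-Object { $_.Trim('"') } | Where-Object { $_ })
}

function Resolve-AppInitDll {
    param([string]$Entry)
    # Simplification: a bare file name is looked up in the system directory only;
    # the real loader walks its full DLL search path.
    if ([System.IO.Path]::IsPathRooted($Entry)) { return $Entry }
    $candidate = Join-Path ([Environment]::SystemDirectory) $Entry
    if (Test-Path $candidate) { return $candidate }
    return $Entry
}

function Test-AppInitDlls {
    # One report row per entry: does the file exist, and does it carry a valid Authenticode signature?
    foreach ($entry in Get-AppInitDlls) {
        $path   = Resolve-AppInitDll $entry
        $exists = Test-Path $path
        $status = 'missing'
        if ($exists) { $status = (Get-AuthenticodeSignature -FilePath $path).Status }
        [pscustomobject]@{ Entry = $entry; Path = $path; Exists = $exists; Signature = $status }
    }
}

function Backup-AppInitDlls {
    # Exports the whole key with reg.exe so the original state can be restored with "reg import".
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $file  = Join-Path $BackupDir "Windows-key-$stamp.reg"
    & reg.exe export $RegExport $file /y | Out-Null
    return $file
}

function Disable-AppInitDlls {
    # Copies the current contents into a renamed value (placeholder name AppInit_DLLs_disabled)
    # and blanks the live one, so the change is reversible. Returns the .reg backup written first.
    $backup  = Backup-AppInitDlls
    $current = [string](Get-ItemProperty -Path $KeyPath).AppInit_DLLs
    Set-ItemProperty -Path $KeyPath -Name 'AppInit_DLLs_disabled' -Value $current
    Set-ItemProperty -Path $KeyPath -Name 'AppInit_DLLs' -Value ''
    return $backup
}

# Usage: review the report first; only call Disable-AppInitDlls after deciding the entries do not belong.
Test-AppInitDlls | Format-Table -AutoSize
```

On 64-bit Windows the same value also exists under `HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows` for 32-bit processes, so repeat the report against that path as well. A missing file or an unsigned DLL in this value is worth investigating, but the report is evidence, not a verdict; the rename step keeps the original string so a legitimate entry can be put back.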





  #74  
Old August 20th 04, 08:13 PM
Walter Clayton
external usenet poster
 
Posts: n/a
Default Ask Windows XP Expert Walter Clayton About Spyware

Oops. I see the mistake. It's http://www.silentrunners.org !!

--
Walter Clayton - MS MVP(WinXP)
Associate Expert
http://www.microsoft.com/windowsxp/expertzone
Any technology distinguishable from magic is insufficiently advanced.
http://www.dts-l.org
http://support.microsoft.com/servicedesks/fileversion/default.asp|


"Outsource Victim #21199374"
wrote in message
...
Thanks Walter.
Does anyone know what happened to silentrunners.org web site? It seems to be
having a problem all day today. If I could get to that site, I'd like to add
their tools to my arsenal of spyware/adware/malware/crapware/foistware
utilities. I'll try again later.

  #75  
Old August 20th 04, 10:03 PM
Davidd
external usenet poster
 
Posts: n/a
Default I need help!

Could you provide more details? Assuming this is not a new configuration
then I would check to see if you have a defective drive cable or maybe a
defective drive.

Thanks,

Davidd
"Me" wrote in message
...
My disc drive doesn't show up, at all, what should I do?

P.S.
Only 11, need help fast!


