
Editors: lilhurricane, CalamityJane, TheJoker. Last modified on 2009-10-18 20:09:30
Contents: 1.0 Forum Rules | 1.1 Posting Guidelines & Etiquette | 1.2 SCU Helpers | 2.0 Help - I'm Infected! | 2.1 Malware Removal | 2.2 White List Fixes | 3.0 Security Software Tutorials | 4.0 Prevention | 5.0 Additional Resources
1.0 Forum Rules·What are the Rules of this Forum? ·So...What is this Forum all about?
•All "HijackThis" threads will be locked or deleted unless you follow these steps first.
•Direct links or executable files are NOT permitted. No exceptions.
•There is a forum "Approved WhiteList" you can point to in a post.
•Posts that provide step by step instructions to various exploits are not allowed.
•We reserve the right to edit, move or remove any post or thread without explanation.
•Please do not start a new topic if you are currently receiving assistance in one.
•Make sure your topic has not been covered before. A forum search for the subject you are looking for may give you the answer faster than posting about it. Duplicate posts may be locked.
•Please post responsibly!
•These rules are subject to change without notice.
by lilhurricane  last modified: 2007-11-11 14:53:47

This forum is dedicated to helping folks get help. It is different from the Security forum. When you follow the Posting Rules for starting a new topic, you allow others to assist you in cleaning your computer. By getting the "pre-clean" requirements out of the way first, the helpers are able to tackle the root of your problem.
This may seem like work, and it is, both for yourself and for those who help you. But the satisfaction of knowing you've brought yourself to a level where the assistance addresses the direct problem is paramount to the "cure". You can do it!
by lilhurricane  last modified: 2007-11-11 14:52:56
1.1 Posting Guidelines & Etiquette·What we'd like to see ·Site Posting Rules & ToS ·How to post for assistance
•Use Forum search. Your question or comment may have already been discussed, answered, or resolved.
•Stay on topic; add to existing threads only when it is applicable. It is better to create a new thread for an unrelated post.
•Please do not "cross-post". If you've posted to this forum, there's no need to post in another, or vice versa.
•Note: As a matter of etiquette, you should stick with one forum. If you are getting help in another forum then you should inform the other; this way there is never "duplication" of members' time & efforts.
•Please do not use offensive language, nor launch personal attacks on another user.
•Be welcoming to new posters; we were all new at one time, trying to learn.
•Please utilize the "Hey Mods" link on the bottom of any post for anything requiring Mod attention.
by lilhurricane  last modified: 2006-08-24 06:52:17

The site rules on posting can be found here along with our ToS.
Another good read: How to Get Noticed
by lilhurricane  last modified: 2006-04-19 17:50:40

A good example of the proper way to post to the Security Clean-Up Forum:
•Will have descriptions of current symptoms.
•Will tell us what programs from the FAQ were utilized (should be all), and state what was found.
...and will look something like this (screenshot; click, then enlarge):
You can link to a thread elsewhere onsite for reference, but please create a new thread with all requested info for our SCU Forum.
by lilhurricane  last modified: 2008-01-04 14:57:03

1.2 SCU Helpers
• CalamityJane BBR MVM & VIP; Microsoft MVP Windows Security 2003-2009; ASAP Member
• TheJoker BBR MVM & VIP; Microsoft MVP Windows Security 2009; ASAP Member
• LoPhatPhuud BBR MVM & VIP; Microsoft MVP Consumer Security 2005-2010
• CajunTek BBR MVM, Malware Remover
• bcastner BBR MVM & VIP; Microsoft MVP Windows Networking 2004-2009; ASAP Member; SWI Ambassador
• Atribune Microsoft MVP Windows Security 2006-2009; Malware Analyst
• ahulett Microsoft Malware Protection
Subject to changes.
by lilhurricane  last modified: 2009-10-05 22:07:07
2.0 Help - I'm Infected!·Mandatory Steps Before Requesting Assistance ·Screenshots of Desktop Hijack
You must follow all these steps before posting to the forum! No shortcuts! Scroll down and view all.
We want to help, really!
These instructions tell you what we need you to run to pre-clean your computer, and which logs you must attach to your post.
This forum is for cleanup of symptomatic infections. It is not to diagnose operating system applications, debate security issues or analyze for the sake of analyzing.
Please follow the instructions below so we may better assist you.
DO NOT RUN COMBOFIX UNLESS ASKED
Those not following this carefully before posting, will find their topic closed, moved or removed.
Some malware will try to block programs. If you are unable to get some to run, rename the executable file to a random file name (such as somefile.exe, somefile.scr, etc) and double-click the file to see if it will run.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
First make a copy of (or print out) these instructions so you have them handy, as some of the infection cleaning steps will need to be done offline and in Safe Mode.
1. Download, install, and update all of these free antispyware programs.
This will remove the most commonly known types of spyware, hijackers and other common malware and will make our job easier.
After installing and updating each one, do the scan to clean in SAFE MODE, offline, with IE closed.
How to start the computer in Safe mode
Windows 98: »support.microsoft.com/kb/180902 Windows XP: »support.microsoft.com/kb/315222 Windows Vista: »windowshelp.microsoft.com/Window···033.mspx
Copy the instructions in the links above for easy use in Safe Mode, since you will not be able to access online information. (Note: Safe Mode with Networking is not recommended.) Copy any other instructions you need to operate the programs you are using so you have them handy.
Download, Install, Scan instructions
Malwarebytes' Anti-Malware (free/donationware): »www.malwarebytes.org/mbam-download.php
- Double-click mbam-setup.exe to install the application.
- Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select "Perform Quick Scan", then click Scan.
-- If the program won't start, go to MBAM's program folder (normally C:\Program Files\Malwarebytes' Anti-Malware), rename mbam.exe to a random file name (keep the .exe extension) and double-click on it to start the program.
- The scan may take some time to finish, so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Make sure that everything is checked, and click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note 1)
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Copy & paste the entire report in your topic along with a current HijackThis log after running the utilities.
Note 1: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
Note 2: Some malware will try to block Malwarebytes' Anti-Malware. If you are unable to get Malwarebytes' Anti-Malware to run, rename the executable file (normally C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe) to a random file name (such as somefile.exe, somefile.scr, etc) and double-click the file to see if it will run.
Spybot Search & Destroy 1.6.2 (free/donationware): If you already have Spybot, make sure it is the latest version, 1.6.2.
Download it here: »www.safer-networking.org/en/down···dex.html
(a) Download and install Spybot S&D.
(b) Click on "Update" in the left column.
(c) Click on "Search for Updates".
(d) Select a download location (usually one close to you).
(e) Click "Download Updates" and wait for the updating process to finish.
(f) Close all programs and reboot into Safe Mode. Do not open IE.
(g) Click "Search and Destroy" in the left column.
(h) Click "Check for Problems".
(i) Have Spybot remove/fix all the problems it identifies in RED. The items not listed in red should not be touched at this time.
(j) Reboot to normal mode and scan again. Repeat until no more bad (red highlighted) items are found.
Ad-Aware AE Free (freeware version for personal use): »www.lavasoft.com/products/ad_aware_free.php Note: Windows 2000, XP, and Vista only!
(a) Download and install Ad-Aware AE Free. If you had an older Ad-Aware installed, grant the installer permission to uninstall it when it asks.
(b) As the installation ends, it will check for any program and definition updates needed. Please allow ALL to download and install. Then restart your computer.
(c) Reboot to SAFE MODE. Scan again with Ad-Aware (full system scan).
(d) Wait for the scanning process to complete.
(e) When finished it will present a list of infected items found, if any, and a recommended action. Use the *Perform Action Now* button to remove any infected items with a TAI above 3.
(f) Reboot your computer back into normal mode.
If you are running Win2000, WinXP, or Vista download and run these additional freeware scanners to clean for trojans and spyware (Note: These additional tools will not run on Win98/ME).
Windows Defender (Microsoft) (freeware) (XP and Vista Only) »www.microsoft.com/windows/produc···ult.mspx
(a) Download and install Microsoft Windows Defender (use the recommended settings on installation).
(b) Reboot to SAFE MODE.
(c) Choose *Run Quick Scan Now*. Let it scan your system and choose to fix the infections found at the end.
(d) Reboot to normal mode and scan again. Repeat until no further bad items are found.
Complete instructions on using Windows Defender can be found here: Using Windows Defender »www.microsoft.com/athome/securit···ult.mspx
Q. Does the version of Windows Defender that is included in Windows Vista provide additional protection?
A. Yes. Windows Defender in Windows Vista offers additional performance and security enhancements, including the ability to scan only files that have changed, to run under a security-enhanced account, and to scan files when you run them. Windows Defender will also allow you to scan files as you download them if you use Internet Explorer 7.
Malicious Software Removal Tool »https://www.microsoft.com/security/malwa···ult.mspx (Just download and run it - it will remove any malicious malware found)
ONLINE AV SCANS
2. Get a free online Antivirus scan at one or more of the following. This is an important step to do even if you ran your resident AV program, as some malware can disable the program currently installed on your PC. The online AV scanners can sometimes reveal infections your present AV can not. Use both scanners. Do a full system scan, delete any infected files found, and choose to save the log at the end (we may need to see a copy)
Go here: »www.eset.com/onlinescan to run an online scanner from ESET. Note: If IE doesn't work, try an alternate browser. Firefox & Opera are now supported with a downloadable tool, found here:
 esetsmartins···.exe.zip 587,671 bytes
-Tick the box next to YES, I accept the Terms of Use.
-Click Start.
-When asked, allow the ActiveX control to install.
-Click Start.
-Make sure that the option Remove found threats is ticked, and the option Scan unwanted applications is checked.
-Click Scan.
-Wait for the scan to finish.
-Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
-Copy and paste that log as a reply to this topic, along with a new HijackThis log & a description of any remaining problems.
(Includes 64-bit Platform Support)
Trend Micro Housecall - Free on-line Scan »housecall.trendmicro.com/
3. If the above steps have solved the problem, please skip the following step. You can refer to this FAQ for additional cleaning, fine-tuning recommendations: »Security »I think my computer is infected or hijacked. What should I do?
If you are still having a problem: Create a Diagnostic log using HijackThis
(a) Instructions for HijackThis:
* Download Trend Micro HijackThis™ »download.bleepingcomputer.com/hi···tall.exe
* Double-click HJTInstall.exe to start it. By default it will install HijackThis in the Program Files\Trendmicro folder and create a desktop shortcut.
* HijackThis will open after install. Press the Scan button. This will start the scan and open a log. Copy and paste the contents of the log in your next reply.
Most of what it lists will be harmless or even essential, don't fix anything yet. Someone will be along to tell you what steps to take after you post the contents of the scan results.
4. Do this only if you are still having a problem and need your HijackThis log analyzed. Post a new topic in the Security Cleanup Forum. Go to this link: »Security Cleanup. Start your own thread by pressing the *New Topic* button. Do not interrupt other similar threads with your problem.
(a) Start the title of your post with "HJT Log" followed by a short remark regarding your problem.
(b) The first paragraph of your post should explain exactly what the problem is. For example, is it a system slow down? Is it Pop ups or ads? Is your computer trying to call out or send emails? etc...
(c) The second paragraph should tell us in detail, which one of the above steps you followed and what the results were. Which steps you had to skip and why, etc... Please note the phrase "in detail". "I've followed all the steps.", may not be enough information for those who are here to help.
(d) The third paragraph should contain the HijackThis log you copied in step 3.
Also copy and paste in the logs from the online AV scan and Malwarebytes' Anti-Malware
5. Special Problems? If you can connect to the internet but are having a problem accessing certain security sites, such as those listed in this topic for downloading software and help, you may have a hijacker that has manipulated your HOSTS file.
To correct this situation, download this free tool called HostsXpert: »www.funkytoad.com/index.php?opti···temid=31
Unzip the HostsXpert file and double-click on HostsXpert.exe
(1) Press 'Restore Original Hosts' and press 'OK'.
(2) Exit the program.
Note: if you were using a custom HOSTS file you will need to replace any of those entries yourself. If you do not know what a HOSTS file is, you are most likely not using a custom one. If you are on a company computer, check with your system administrator first. For more information on HOSTS file hijacking, see here:
»Security »How do I recover from Hosts file hijacking?
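The HOSTS check described in step 5, worked through as an added example (this is not HostsXpert or any tool the FAQ links to, and it is not part of the original FAQ). A stock Windows HOSTS file maps only "localhost" to the loopback address, so every other line is either a custom entry or something a hijacker added; the script parses the file, flags any line that redirects one of the security sites this FAQ tells you to visit, and lists everything else for review. The SECURITY_SITES list, the sample file and the hostnames in it are constructed for the example.

```python
"""Check a Windows HOSTS file for entries that redirect security sites.

Added example for this FAQ; not HostsXpert and not part of the original page.
A stock HOSTS file maps only "localhost" to the loopback address, so every
other line is either a custom entry the user made or something a hijacker
added. SECURITY_SITES is an assumed list drawn from the sites this FAQ links
to; extend it as needed.
"""

# Domains of the tools this FAQ tells you to download (assumed list).
SECURITY_SITES = (
    "malwarebytes.org", "safer-networking.org", "lavasoft.com",
    "microsoft.com", "eset.com", "trendmicro.com", "bleepingcomputer.com",
)

# Constructed sample, not a capture from a real machine.
SAMPLE_HOSTS = """\
# Hosts file sample (constructed)
127.0.0.1       localhost
127.0.0.1       www.malwarebytes.org
127.0.0.1       www.safer-networking.org    # silently breaks the download page
0.0.0.0         housecall.trendmicro.com
10.0.0.5        intranet.example            # a legitimate custom entry
"""


def parse_hosts(text):
    """Return (line_number, ip, hostname) for every mapping in a HOSTS file.

    Comments (# ...) and blank lines are skipped; one line may list several
    hostnames for the same address, and each is returned separately.
    """
    mappings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed line; ignore rather than guess
        ip, names = fields[0], fields[1:]
        for name in names:
            mappings.append((lineno, ip, name.lower()))
    return mappings


def is_loopback(ip):
    """127.x.x.x, ::1 and 0.0.0.0 all make a name unreachable."""
    return ip.startswith("127.") or ip in ("::1", "0.0.0.0")


def find_hijacks(text, sites=SECURITY_SITES):
    """Split HOSTS mappings into (hijacked, review) lists.

    hijacked: a security site (or a subdomain of one) is pointed anywhere,
              which the stock file never does.
    review:   any other mapping besides the plain localhost line; legitimate
              custom entries land here, so inspect rather than delete.
    """
    hijacked, review = [], []
    for lineno, ip, name in parse_hosts(text):
        if name == "localhost" and is_loopback(ip):
            continue
        if any(name == site or name.endswith("." + site) for site in sites):
            hijacked.append((lineno, ip, name))
        else:
            review.append((lineno, ip, name))
    return hijacked, review


def default_hosts():
    """Content of a stock HOSTS file: the single localhost mapping.

    Writing this over %SystemRoot%\\System32\\drivers\\etc\\hosts is what
    'Restore Original Hosts' amounts to; it needs an administrator account
    and discards any custom entries, exactly as the note above warns.
    """
    return "127.0.0.1\tlocalhost\n"


if __name__ == "__main__":
    bad, other = find_hijacks(SAMPLE_HOSTS)
    for lineno, ip, name in bad:
        print(f"line {lineno}: {name} -> {ip}  (security site redirected)")
    for lineno, ip, name in other:
        print(f"line {lineno}: {name} -> {ip}  (custom entry, review)")
```

Run against the real file (read it as text and pass it to find_hijacks) before restoring: anything in the review list is what you will have to put back by hand after 'Restore Original Hosts'.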
Edit: 13 Sept 2009 by lilhurricane: Support added for Firefox & Opera / downloadable tool found above
Edit: 05 Jul 2009 by TheJoker: Added instruction to rename mbam.exe if program won't start.
Edit: 16 May 2009 by CalamityJane: Fixed Eset online scan link, added Windows Defender is now XP and Vista compatible only.
Edit: 13 Apr 2009 by TheJoker: MBAM instructions updated
Edit: 31 Mar 2009 by CalamityJane: Adjust Ad-Aware instructions, latest v. Ad-Aware AE; Spybot S&D latest v. 1.6.2
Edit: 21 Dec 2008 by CalamityJane: Fixed Windows Defender download link
Edit: 19 Nov 2008 by CalamityJane: Updated Microsoft Malicious Software Removal Tool link
Edit: 18 Nov 2008 by lilhurricane: Funky Toad link to HostsXpert updated
Edit: 07 Aug 2008 by CalamityJane: (Removed) Ewido - no longer available / winsockfix (outdated) - no longer recommended for operating systems XP SP2 and up
Edit: 27 May 2008 by lilhurricane: Updated links to Safe Mode booting
Edit: 24 April 2008 by CalamityJane: 1. Removed AVG antispyware, no longer available as a standalone spyware scanner. 2. Added Microsoft Malicious Software Removal Tool. 3. Added Vista where it was missing in some places.
Edit: 03 Apr 2008 by CalamityJane: Updated for Ad-Aware 2007 and HijackThis (installer version)
Edit: 19 Nov 2007 by lilhurricane: References to MS Anti-Spyware removed (Defender)
Edit: 16 Sep 2007 by CalamityJane: Updated Spybot v.1.5; and HostsXpert (formerly "Hoster"); Added Ad-Aware 2007 Free for Vista
Edit: 01 Sep 2007 by CalamityJane: Updated HijackThis instructions for Trend-Micro version.
Edit: 20 July 2008 by lilhurricane: Windows Defender info now includes Vista as a supported operating system
Edit: 08 April 2007 by lilhurricane: Changed link for Safe Mode instruction to point to MS article. Using msconfig in WinXP is not recommended due to the fact that today's new malware sometimes deletes the safeboot key.
Edit: 24 Oct 2006 by CalamityJane: Added eTrust online scanner; removed CWShredder and AboutBuster; Windows Defender is for XP only
Edit: 07 Apr 2006 by CalamityJane: Microsoft Antispyware is now Windows Defender.
by CalamityJane edited by lilhurricane  last modified: 2009-10-18 20:09:30

The following is a collection of screen shots of desktop hijackings, scams, fake alerts, and web based scare messages. These are indicative of a Vundo or Smitfraud infection. Please see these FAQs for removal:
•Trojan Vundo/Virtumonde/Winfixer Removal
•SpywareQuake/SpyFalcon/Smitfraud Removal
If you still are having problems, refer to the instructions here
*Click on thumbnails to enlarge:
Credit to originating site: Webhelper's CWS Diaries. Newer variants added Nov 17 2006.
April 25, 2007 - New screenshots of Antivirus Golden (Video AX Object variant)
Edit April 25, 2007 by CalamityJane: New screenshots added of Zlob/smitfraud variant Antivirus Golden (Video AX Object variant)
Edit Nov 17, 2006 by CalamityJane: New screenshots added
by Cudni edited by lilhurricane  last modified: 2007-12-28 17:32:13
2.1 Malware Removal·AproposRootkit Removal ·Aurora / Nail Removal ·E2Give Malware Removal ·EliteBar / PokaPoka Removal ·SpyAxe/Spyware Strike Removal ·Zlob/Smitfraud Removal ·Trojan Vundo/Virtumonde/Winfixer Removal
Symptoms
Unexplained popups even after all steps in the following FAQ come up "clean": »Security Cleanup FAQ »Mandatory Steps Before Requesting Assistance
No apparent signs in a HijackThis log.
No entries visible under "Device Manager" or "Network Places".
This pest is adware that is hidden by a rootkit. It produces various popups from a number of advertisers, all originating from adchannel.contextplus.net.
The best way to tell if you've got it is to run this diagnostic tool: Download RootkitRevealer (free tool) »technet.microsoft.com/en-us/sysi···445.aspx
Unzip it to your desktop. Open the rootkitrevealer folder and double-click rootkitrevealer.exe. Click the Scan button (bottom right). It may take a while to scan (don't do anything while it's running). When it's done, go up to File > Save and choose to save it to your desktop. We may need to request a copy of it later.
If you see 200-300 or so entries similar to the following, you can try running the AproposFix posted further down.
Sample entries from a RootkitRevealer log showing an Apropos infection are below. Note the random-named folder in Program Files; the ace.dll file is frequently seen as well.
quote:
C:\Program Files\Holt_old 13/11/2005 17:37 0 bytes Hidden from Windows API.   (Note: random-named folder in Program Files)
C:\Program Files\Holt_old\ace.dll 26/10/2005 15:46 568.00 KB Hidden from Windows API.
C:\Program Files\Holt_old\AI_07-11-2005.log 07/11/2005 00:00 3 bytes Hidden from Windows API.
C:\Program Files\Holt_old\AI_08-11-2005.log 08/11/2005 00:00 3 bytes Hidden from Windows API.
C:\Program Files\Holt_old\AI_09-11-2005.log 09/11/2005 00:00 3 bytes Hidden from Windows API.
C:\Program Files\Holt_old\AI_10-11-2005.log 10/11/2005 00:00 3 bytes Hidden from Windows API.
C:\Program Files\Holt_old\AI_11-11-2005.log 11/11/2005 00:05 3 bytes Hidden from Windows API.
C:\Program Files\Holt_old\AI_12-11-2005.log 12/11/2005 00:00 3 bytes Hidden from Windows API.
C:\Program Files\Holt_old\AI_13-11-2005.log 13/11/2005 00:00 3 bytes Hidden from Windows API.
C:\Program Files\Holt_old\Cache 13/11/2005 17:58 0 bytes Hidden from Windows API.
C:\Program Files\Holt_old\Cache\0000001c_436ee411_0000b71b 07/11/2005 00:20 3.81 KB Hidden from Windows API.
C:\Program Files\Holt_old\Cache\0000001c_436fd078_000ec82e 07/11/2005 17:08 5.38 KB Hidden from Windows API.
C:\Program Files\Holt_old\Cache\00000029_435febb3_0007270e 26/10/2005 15:48 2 bytes Hidden from Windows API.
C:\Program Files\Holt_old\Cache\00000029_435fed33_0002dc6c 13/11/2005 19:07 3.54 KB Hidden from Windows API.
etc. (The log itself will be very long, with lots of entries similar to the above.)
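A RootkitRevealer log with a few hundred entries is tedious to eyeball, so here is an added example (not part of the FAQ and not a RootkitRevealer or AproposFix feature) that parses a saved log and counts "Hidden from Windows API." entries per folder, so a random-named folder under Program Files with hundreds of hidden files stands out at once. It assumes the saved log is one entry per line in the order path, timestamp, size, discrepancy (tab-separated, with runs of spaces also accepted); the sample log is constructed from the Holt_old entries quoted above plus two made-up lines in the shape of the tool's other discrepancy messages.

```python
"""Summarise a RootkitRevealer log by folder.

Added example for this FAQ; not part of RootkitRevealer or of AproposFix.
Assumed log layout: one entry per line as <path> <dd/mm/yyyy hh:mm> <size>
<discrepancy>, tab-separated (runs of spaces are accepted too). Apropos
shows up as a random-named folder under Program Files with a few hundred
hidden entries, so counting hidden entries per folder makes it obvious.
"""
import re
from collections import Counter

HIDDEN = "Hidden from Windows API."

LINE_RE = re.compile(
    r"^(?P<path>.+?)[\t ]+(?P<stamp>\d{2}/\d{2}/\d{4} \d{2}:\d{2})[\t ]+"
    r"(?P<size>[\d.,]+ (?:bytes|KB|MB|GB))[\t ]+(?P<discrepancy>.+?)\s*$"
)

# Constructed sample modelled on the quoted Apropos log; the last two lines
# are made-up noise in the shape of the tool's other discrepancy messages.
SAMPLE_LOG = (
    "C:\\Program Files\\Holt_old\t13/11/2005 17:37\t0 bytes\tHidden from Windows API.\n"
    "C:\\Program Files\\Holt_old\\ace.dll\t26/10/2005 15:46\t568.00 KB\tHidden from Windows API.\n"
    "C:\\Program Files\\Holt_old\\AI_07-11-2005.log\t07/11/2005 00:00\t3 bytes\tHidden from Windows API.\n"
    "C:\\Program Files\\Holt_old\\Cache\t13/11/2005 17:58\t0 bytes\tHidden from Windows API.\n"
    "C:\\Program Files\\Holt_old\\Cache\\0000001c_436ee411_0000b71b\t07/11/2005 00:20\t3.81 KB\tHidden from Windows API.\n"
    "C:\\Program Files\\Holt_old\\Cache\\00000029_435febb3_0007270e\t26/10/2005 15:48\t2 bytes\tHidden from Windows API.\n"
    "HKLM\\SOFTWARE\\ExampleVendor\\Settings\t13/11/2005 17:30\t0 bytes\tKey name contains embedded nulls (*)\n"
    "C:\\WINDOWS\\system32\\drivers\\etc\\hosts\t01/11/2005 10:00\t734 bytes\tVisible in Windows API, but not in MFT or directory index.\n"
)


def parse_rr_log(text):
    """Return one dict per parseable entry; header and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def hidden_by_folder(entries, depth=3):
    """Count hidden entries per path prefix of `depth` components.

    depth=3 groups by drive, 'Program Files' and the folder under it, so
    every file inside C:\\Program Files\\Holt_old lands in one bucket.
    """
    counts = Counter()
    for entry in entries:
        if entry["discrepancy"] != HIDDEN:
            continue
        parts = entry["path"].split("\\")
        counts["\\".join(parts[:depth])] += 1
    return counts


def suspicious_folders(entries, threshold=200, marker_files=("ace.dll",)):
    """Folders under Program Files worth running AproposFix for.

    A folder is flagged when it holds at least `threshold` hidden entries
    (the FAQ quotes 200-300 for Apropos) or when it hides one of the
    `marker_files` (ace.dll is named above) regardless of the count.
    """
    flagged = set()
    for folder, count in hidden_by_folder(entries).items():
        parts = folder.split("\\")
        if len(parts) == 3 and parts[1].lower() == "program files" and count >= threshold:
            flagged.add(folder)
    for entry in entries:
        parts = entry["path"].split("\\")
        if (entry["discrepancy"] == HIDDEN and len(parts) >= 3
                and parts[1].lower() == "program files"
                and parts[-1].lower() in marker_files):
            flagged.add("\\".join(parts[:3]))
    return sorted(flagged)


if __name__ == "__main__":
    found = parse_rr_log(SAMPLE_LOG)
    for folder, count in hidden_by_folder(found).most_common():
        print(f"{count:4d} hidden  {folder}")
    print("run AproposFix for:", suspicious_folders(found, threshold=5) or "nothing")
```

The threshold is deliberately high for real logs; a handful of hidden entries is not by itself evidence of this infection, which is why the marker file name is a separate trigger.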
The Fix
Please download AproposFix from here:
»Security Cleanup FAQ »Security Clean-Up Approved White List
Save it to your desktop but do NOT run it yet.
Then please reboot your computer in Safe Mode by doing the following:
1) Restart your computer.
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear.
4) Select the first option, to run Windows in Safe Mode.
Once in Safe Mode, please double-click aproposfix.exe and unzip it to the desktop. Open the aproposfix folder on your desktop and run RunThis.bat. Follow the prompts.
When the tool is finished, please reboot back into normal mode, and post the entire contents of the log.txt file in the aproposfix folder into a New Topic.
Thanks to Swandog46 for developing this fix tool :)
1/6/07 --- fixed broken link to RootkitRevealer ~lil~
by CalamityJane edited by lilhurricane  last modified: 2008-01-06 11:18:38

Aurora/Nail fix by racooper with SwanDog46 & miekiemoes
PLEASE READ AND FOLLOW THESE INSTRUCTIONS CAREFULLY; YOU MAY WANT TO PRINT OR SAVE THESE INSTRUCTIONS LOCALLY BEFORE STARTING.
1. Please download, install, and update the free version of Ewido AntiMalware:
•From the main Ewido screen, click on Update in the left menu, then click the Start update button.
•After the update finishes, the status bar at the bottom will display "Update successful".
•Exit Ewido. DO NOT scan yet.
Download CCleaner and install, but do not run it yet.
2. Please download this revised installer for the Nailfix utility. DO NOT run it yet. Alternate download links here: http://www.spywareedge.net/nf/nailfix.exe http://www.spywareaid.com/index.php?file=s...22&softtype=exe
3. Reboot to Safe Mode. How to start the computer in Safe Mode: http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam
4. Once in Safe Mode, please double-click on nailfix.exe. Click "Next" in the setup, then make sure "Run Nailfix" is checked and click "Finish". Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.
5. Next, run Ewido again.
•Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.
•If Ewido finds anything, it will pop up a notification. You can select "Remove" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
•When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.
6. Then run HijackThis, click Scan, and place a checkmark by the following items (if found):
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [random] c:\windows\system32\random.exe r
Close all open windows except for HijackThis and click Fix Checked. Note that the O4 entry may have changed names if you have rebooted since posting the log; look for an entry with a similar format, which will always end in a single letter r.
Locate and delete the following file: c:\windows\system32\random.exe (or whatever the name may have changed to, as noted above).
7. Now, run CCleaner.
•Uncheck "Cookies" under "Internet Explorer".
•If running Firefox: click on the "Applications" tab and uncheck "Cookies" under "Firefox".
•Click on Run Cleaner in the lower right-hand corner. This can take quite a while to run.
Finally, restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.
8. Please start a new topic if you need help. Do not post your logs in someone else's threads. Please NOTE: If you have not done so already, follow the Mandatory Steps first before posting a HijackThis log. The rules are here: »Security Cleanup FAQ »Mandatory Steps Before Requesting Assistance
Edited for new version of Nailfix 22Jul2005
by CalamityJane edited by lilhurricane  last modified: 2006-01-02 23:49:29

E2TakeOut version 1.00 by RubbeR DuckY
This program removes the E2Give and PTech malware. Simply download, unzip, and run the E2TakeOut.exe file. Follow the onscreen directions and be sure to restart your computer when prompted.
Main indicators in a HijackThis log:
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O20 - AppInit_DLLs: iniwin32.dll
O20 - AppInit_DLLs: inicfg32.dll
How to use: Please download E2TakeOut by Rubber Ducky from here:
»www.malwarebytes.org/E2TakeOut.zip
* Extract the file to your Desktop
* Double-click E2TakeOut.exe
* Click the Begin Removal button
* Wait until the program is finished scanning
* Once done, it will produce a popup stating that the infection has been found and that you need to reboot your computer to complete the removal
* Reboot your computer
* Once your computer has rebooted, E2TakeOut will open and produce a report
* Please copy/paste that report into your next reply
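The Aurora/Nail section above asks you to pick two specific entries out of a HijackThis log, and the E2Give section lists three more. As an added example (not HijackThis, Nailfix or E2TakeOut code, and not part of the original FAQ), this script encodes exactly those indicators and runs them over a log: a system.ini Shell value with anything appended to Explorer.exe, an O4 Run entry whose command ends in a lone "r", the E2G BHO with the CLSID quoted above, and the two E2Give AppInit_DLLs names; any other AppInit_DLLs value is reported for review, since a clean XP machine normally has none. The sample log is constructed: the indicator lines are the ones quoted in this FAQ (with "random" kept as the placeholder name), and the ctfmon.exe Run entry and the all-zero-GUID BHO are benign filler.

```python
"""Flag the HijackThis entries the Aurora/Nail and E2Give sections describe.

Added example for this FAQ; it is not HijackThis, Nailfix or E2TakeOut.
HijackThis writes one entry per line as "<code> - <detail>"; the checks
below encode only the indicators quoted in the FAQ above.
"""
import re

ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<detail>.+)$")

E2G_CLSID = "{3643ABC2-21BF-46B9-B230-F247DB0C6FD6}"
E2G_APPINIT = ("iniwin32.dll", "inicfg32.dll")

# Constructed sample log: the indicator lines are the ones quoted in this
# FAQ; the ctfmon.exe Run entry and the all-zero-GUID BHO are benign filler.
SAMPLE_HJT_LOG = """\
Logfile of Trend Micro HijackThis v2.0.2
F2 - REG:system.ini: Shell=Explorer.exe C:\\WINDOWS\\Nail.exe
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\\Program Files\\E2G\\IeBHOs.dll
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000000} - C:\\Program Files\\Example\\helper.dll
O4 - HKLM\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O4 - HKLM\\..\\Run: [random] c:\\windows\\system32\\random.exe r
O20 - AppInit_DLLs: iniwin32.dll
"""


def classify(line):
    """Return (finding, line) for an indicator line, or None for anything else."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    code, detail = m.group("code"), m.group("detail")

    if code == "F2" and "Shell=" in detail:
        shell = detail.split("Shell=", 1)[1].strip()
        # The only legitimate value is explorer.exe by itself; Nail appends
        # its own executable so it is started with every logon.
        if shell.lower() != "explorer.exe":
            return ("shell-hijack", line)

    elif code == "O4" and "]" in detail:
        command = detail.split("]", 1)[1].strip()
        # Aurora's loader: <random>.exe followed by a single "r" argument.
        if re.search(r"\.exe r$", command, re.IGNORECASE):
            return ("aurora-nail-run-entry", line)

    elif code == "O2":
        if E2G_CLSID.lower() in detail.lower() or "\\e2g\\" in detail.lower():
            return ("e2give-bho", line)

    elif code == "O20" and detail.startswith("AppInit_DLLs:"):
        dll = detail.split(":", 1)[1].strip().lower()
        if dll in E2G_APPINIT:
            return ("e2give-appinit", line)
        return ("appinit-dll-review", line)

    return None


def scan_hjt_log(text):
    """Run classify() over a whole log and keep the hits, in log order."""
    return [hit for hit in map(classify, text.splitlines()) if hit]


if __name__ == "__main__":
    for finding, line in scan_hjt_log(SAMPLE_HJT_LOG):
        print(f"{finding:24s} {line}")
```

This only recognises the handful of entries named in these two sections; everything else in a HijackThis log still needs a helper's eye, which is why the FAQ says not to fix anything until someone has looked at the log.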
by CalamityJane

LQfix by miekiemoes (free tool) is used for the latest variants of EliteBar, including the PokaPoka strains. You can download it here:
»users.pandora.be/bluepatchy/miek···Qfix.exe
Download it to your desktop
Double-click LQfix.exe and click install.
Leave the default settings. If you change them, the fix will fail.
Make sure 'Launch LQfix' is checked. After clicking finish in the install, the fix will start.
Follow the prompts on the screen. Your system will reboot afterwards.
Your system may take longer than usual to start up this one time; please be patient.
The free version of Ewido Security Suite can also remove most of the variants of PokaPoka and EliteBar safely, including the Qoologic Trojan that often accompanies EliteBar: »www.ewido.net/en/download/
by CalamityJane edited by lilhurricane  last modified: 2006-01-09 00:18:18

Please see: »Security Cleanup FAQ »Zlob/Smitfraud Removal
Edit: 16 April 2006 New tool now fixes all Smitfraud variants. FAQ combined into one: »Security Cleanup FAQ »Zlob/Smitfraud Removal
by CalamityJane  last modified: 2006-04-16 21:36:02

These removal tools only work for the following operating systems:
1. SmitfraudFix: Windows 2k, 2003 and XP ONLY
2. RogueRemover: Vista
Windows 98/ME users will need to follow the complete pre-cleaning FAQ here: »Security Cleanup FAQ »Mandatory Steps Before Requesting Assistance
SpywareQuake and SpyFalcon are just two of many examples of the Zlob/Smitfraud family of desktop hijackers. They pop up over the desktop or give an alert from the taskbar near the clock, display a warning message that your computer is infected with spyware, and tell you to buy/download/install their program. These warnings are fake and try to trick you into buying the commercial version of the software. The many versions of this pest vary in the warning message shown. A list of example screenshots can be seen here: »Security Cleanup FAQ »Screenshots of Desktop Hijack
Other Zlob/Smitfraud variants include: AlphaCleaner AdwarePunisher AntiVirusGold AntispywareSoldier PSGuard RazeSpyware Search Maid Security IGuard SpyAxe SpyFalcon SpySheriff SpywareStrike Virtual Maid VirusBurst WinHound (This list of names has become too long to list all of the possibilities.)
Zlob/Smitfraud Removal Note: Not for Vista users. If you are running Windows Vista, please use the RogueRemover tool described in the next section.
The following steps may not clean all of it, but should be a good start and will restore the desktop to default at least so you can proceed with complete removal using various tools.
1. Print out or save to Notepad these instructions, as we will need to do most steps offline and in SAFE MODE (so you won't have this window open to see the instructions from).
2. (WinXP, 2k only!) Download SmitfraudFix (by S!Ri) to your Desktop: http://siri.urz.free.fr/Fix/SmitfraudFix.zip Extract all the files to your Desktop. How to extract (decompress) zipped or compressed files: »www.lvsonline.com/tut-compresstu···ex.shtml
A folder named SmitfraudFix will be created on your Desktop.
Note : process.exe is part of the SmitFraudFix tool and is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky, Panda) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. http://www.beyondlogic.org/consulting/proc...processutil.htm
3. Reboot into Safe Mode How to start the computer in Safe mode:
You can usually do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit enter.
4. Once in Safe Mode, open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press Enter to delete infected files.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter
5. A reboot may be needed to finish the cleaning process; if your computer does not restart automatically, please do it yourself manually.
6. Now please scan with HijackThis to produce a log. Post that log in a new topic along with the log from SmitFraudFix, called rapport.txt, which is in the root of your drive (e.g. Local Disk C:, or the partition where your operating system is installed). Logs needed in your post are:
rapport.txt from the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed
Fresh HijackThis log
...........................................
VISTA users, please use this tool instead
Please download Rogue Remover from here: »www.malwarebytes.org/rogueremover.php and save it to your desktop.
•Double-click on rr-free-setup.exe to install in C:\Program Files\RogueRemover.
•Navigate to the folder and double-click on the file named RogueRemover.exe, or use the icon that was created on your desktop.
•Once the program runs, select Check for Updates.
•When prompted, select Check for Updates.
•If prompted again, click Download to receive the latest updates.
•When completed, close the update window.
•Finally, select Scan and the program will walk you through the remaining steps.
................................................................................................. Additional Instructions
a. How to Post a new Topic in the Security Cleanup Forum: go to this link, »Security Cleanup, and start your own thread by pressing the *New Topic* button. Do not interrupt other similar threads with your problem.
b. Instructions for HijackThis: Please make a new folder to put your HijackThis.exe into. Anywhere on your hard drive is fine other than your Desktop or the Temp folder. We suggest you use something like "C:\Program Files\HijackThis" but feel free to use any name. See here for specific instructions and screen shots to help: »russelltexas.com/malware/createhjtfolder.htm This is to ensure it makes the necessary backups for recovery if needed.
Download HijackThis »www.trendsecure.com/portal/en-US···this.php
Unzip/decompress the file and save the contents (HijackThis.exe) to the new folder you made and doubleclick on HijackThis.exe to open the program. On the Main Menu page, Choose *Do a system scan and save a log*
When the scan finishes, you will get a popup to save the logfile. Please make note of the location you will be saving it to and click *save*. This should save the file and open the log in Notepad. Copy the contents and post the results here. Most of what it lists will be harmless or even essential, don't fix anything yet. Someone will be along to tell you what steps to take after you post the contents of the scan results.
Edit 01 Sep 2007 by CalamityJane: Added additional instructions for Vista
Edit: 08 Aug 2007 by CalamityJane: Adjusted HJT instruction for new ver. 2.02 by Trend-Micro
16 Oct 2006 by CalamityJane. Removed Ewido and Panda scan instructions as SmitfraudFix can do the whole job.
Edit 16 Jul 2006 by CalamityJane: Adjusted instructions for Ewido new ver 4.0
Edit 16 April 2006 by CalamityJane: Added SmitfraudFix tool to replace SmitRem and roguescanfix tools.
by CalamityJane  last modified: 2007-09-01 22:12:04

Vundo/VirtuMonde is an adware program that downloads and displays popup advertisements, often seen as Winfixer. It may also hijack the browser to unwanted advertising related sites. Please see the important note at the bottom regarding a vulnerability in Sun Java that may have been the source of this infection. If you know that you have the Vundo/VirtuMonde trojan and other programs have not been able to remove it, please take the following steps using the free tools below.
VundoFix by Atribune
Please download VundoFix.exe from here: »www.atribune.org/ccount/click.php?id=4
and save it to your desktop
•Double-click VundoFix.exe to run it.
•Click the Scan for Vundo button.
•Once it's done scanning, click the Remove Vundo button.
•You will receive a prompt asking if you want to remove the files; click YES.
•Once you click yes, your desktop will go blank as it starts removing Vundo.
•When completed, it will prompt that it will reboot your computer; click OK.
•Please post the contents of C:\vundofix.txt into a New Topic in the Security Cleanup Forum. Go to this link: »Security Cleanup and start your own thread by pressing the *New Topic* button. Do not interrupt other similar threads with your problem. Include the vundofix.txt contents and a fresh HijackThis log (instructions below). Please put in the Title of your topic: Vundo Removal.
We will also need to see a diagnostic log from the free tool HijackThis
Create a Diagnostic log using HijackThis
• Please make a new folder to put your HijackThis.exe into. Anywhere on your hard drive is fine other than your Desktop or the Temp folder. We suggest you use something like "C:\Program Files\HijackThis" but feel free to use any name. This is to ensure it makes the necessary backups for recovery if needed. See here for specific instructions and screen shots to help: »russelltexas.com/malware/createhjtfolder.htm
•Download HijackThis here »www.trendsecure.com/portal/en-US···this.php
• Unzip the file to the new folder you made and doubleclick on HijackThis.exe to open the program. On the newusers quickstart page, Choose *Do a system scan and save a log*
• When the scan finishes, you will get a popup to Save the logfile. Please make note of the location you will be saving it to and click *save*. This should save the file and open the log in Notepad. Copy the contents and post the results into your New Topic when you are ready to post for help.
Most of what it lists will be harmless or even essential, don't fix anything yet. Someone will be along to tell you what steps to take after you post the contents of the scan results.
Important Note: A possible vulnerability in older Sun Java versions may be responsible for Vundo/Winfixer infections. Check your installed Sun Java versions: we have noticed that a large number of Winfixer/Vundo/VirtuMonde victims have an older version of Sun Java installed in Add/Remove Programs in the Control Panel, often alongside other older or newer versions. Please see this topic: »Potential Vulnerability with Sun Java auto update
Important Note: Autoupdate of Sun Java does not uninstall previous (vulnerable) versions of the program. Therefore all users are encouraged to please check in your Control Panel, under Add/Remove programs and uninstall any older versions of Sun Java.
To check your version to see if it is the latest version, Please go to this link to verify your version to get the updates needed: »www.java.com/en/download/windows···atic.jsp
You'll need to use IE and allow ActiveX for this update. Follow the instructions on that page to verify Your Java software
Or you can get the manual download here: »www.java.com/en/download/manual.jsp
And in the future, remember to remove older versions of Java when you automatically update to a newer version to avoid exploitation of older versions left on your system.
Update: From the SANS Handler's Diary at the Internet Storm Center, posted January 13th 2006, "CERTs warn about java bug being exploited": »isc.sans.org/diary.php?storyid=1039
quote: According to the bulletins you need at least:
* Version 1.3.1_16 or later
* Version 1.4.2_09 or later
* Version (1.)5 update 4 or later [My Note: We are now on update 6 in this version]
to be safe.
AND you still need to manually uninstall old versions of Sun Java after updating! quote: Vince said that it's also necessary to remove the old java environments, not just get the new ones, as an attacker can target the old environments when they are still present.
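The version check described above can be scripted. The following Python script is an added example written for this FAQ page; it is not from the forum, from SANS or from Sun. It parses the display names that Add/Remove Programs shows for Sun Java (both the "v1.4.2_09" and the "5.0 Update 6" naming styles), compares each against the SANS minimums quoted above, and reports which single install to keep and which older installs to uninstall, since autoupdate does not remove them. The display names in SAMPLE_ENTRIES are constructed for this example; the keep-only-the-newest rule in audit() is our reading of the advice above, not a rule taken from the bulletins.

```python
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int, int]  # (major, minor, patch, update): 1.4.2_09 -> (1, 4, 2, 9)

# Minimum safe levels per branch, taken from the SANS ISC diary quoted above.
MINIMUM_SAFE: Dict[Tuple[int, int], Version] = {
    (1, 3): (1, 3, 1, 16),
    (1, 4): (1, 4, 2, 9),
    (1, 5): (1, 5, 0, 4),
}

JAVA_NAME_RE = re.compile(r"java|j2se|jre", re.IGNORECASE)
DOTTED_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:_(\d+))?")  # "v1.4.2_09"
UPDATE_RE = re.compile(r"\b(\d+)(?:\.0)? Update (\d+)")       # "5.0 Update 6" is 1.5.0_06

# Constructed Add/Remove Programs display names for this example (not a real machine).
SAMPLE_ENTRIES = [
    "Java 2 Runtime Environment, SE v1.4.2_06",
    "J2SE Runtime Environment 5.0 Update 6",
    "Java 2 Runtime Environment Standard Edition v1.3.1_02",
    "Mozilla Firefox (1.5.0.7)",  # not Java; must be ignored
]


def parse_java_version(display_name: str) -> Optional[Version]:
    """Extract a comparable version tuple from a Sun Java Add/Remove entry, else None."""
    if not JAVA_NAME_RE.search(display_name):
        return None
    m = DOTTED_RE.search(display_name)
    if m:
        major, minor, patch, update = m.groups()
        return (int(major), int(minor), int(patch), int(update or 0))
    m = UPDATE_RE.search(display_name)
    if m:
        # Sun's marketing name "5.0 Update 6" corresponds to 1.5.0_06.
        return (1, int(m.group(1)), 0, int(m.group(2)))
    return None


def classify(version: Version) -> str:
    """'ok', 'vulnerable', or 'not-listed' for branches the bulletins above do not cover."""
    minimum = MINIMUM_SAFE.get(version[:2])
    if minimum is None:
        return "not-listed"
    return "ok" if version >= minimum else "vulnerable"


def audit(entries: List[str]) -> Dict[str, object]:
    """Keep the single newest Java install if it meets its branch minimum; flag all others.

    Autoupdate leaves old versions installed, so anything that is not the newest
    goes on the uninstall list even if it is above the minimum for its own branch.
    """
    found: List[Tuple[str, Version]] = []
    for name in entries:
        version = parse_java_version(name)
        if version is not None:
            found.append((name, version))
    if not found:
        return {"keep": [], "uninstall": [], "update_needed": False}
    newest_name, newest_version = max(found, key=lambda item: item[1])
    newest_vulnerable = classify(newest_version) == "vulnerable"
    keep = [] if newest_vulnerable else [newest_name]
    uninstall = [name for name, _ in found if name not in keep]
    return {"keep": keep, "uninstall": uninstall, "update_needed": newest_vulnerable}


if __name__ == "__main__":
    report = audit(SAMPLE_ENTRIES)
    print("keep:", report["keep"])
    print("uninstall:", report["uninstall"])
    print("newest install is below its minimum, update first:", report["update_needed"])
```

On a real machine you would feed audit() the display names copied from Add/Remove Programs; if update_needed is True, install the current version first and then remove everything on the uninstall list.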
Edit 16 Sep 2006 by CalamityJane: Updated HijackThis version, removed obsolete Symantec removal tool
Edit 15 Aug 2006 by CalamityJane: VundoFix is now 6.0
Edit 15 July 2006 by CalamityJane: VundoFix is now v.5
Edit 20 Jan 2006 by CalamityJane: Added warning about Sun Java Vulnerability
Edit 18 Jan 2006 by CalamityJane: Updated for new v. 4 VundoFix by Atribune
by CalamityJane edited by lilhurricane  last modified: 2009-04-10 23:20:46

[Under Construction]
by Wildcatboy edited by lilhurricane  last modified: 2008-11-19 20:33:25

I. HijackThis is not a stand-alone clean tool. It does not scan the entire system; only certain areas are scanned to help diagnose the presence of undetected malware in some of the telltale places it hides. It is extremely important that you give the infected user a full system scan tool like Adaware or Spybot (or both) for spyware issues and an online AV scan for virus, worm or trojan infections. Preferably the fix should START with those steps and finish the cleanup of strays or undetected items with HJT. It is not unusual for Adaware or Spybot to find hundreds of infected files and registry items that HJT does not target. Additional infected files need to be removed by online AV scans as well. Just because you "fixed" it in HJT doesn't mean it's clean.
Note: A. Use the Mandatory Steps prerequisite before posting a HijackThis log: »Security Cleanup FAQ »Mandatory Steps Before Requesting Assistance
B. If a user has scanned with Adaware, SpyBot and/or Windows Antispyware and returns with many infections it means either:
1. They are using an outdated version of the program (you need to have them check this).
2. They did not get the updates (have them check for latest update)
3. They did not reboot the PC and scan again. Many infections require removal on reboot and a subsequent followup scan to completely remove the pest. I have seen it take as many as 7 repeated scans with Adaware to remove particularly hard variants.
II. Do NOT start your fix by disabling System Restore. This rule applies to any manual fixes and is especially true for spyware removal. That is because disabling System Restore wipes out all restore points. Should a problem arise during the fix you would have NO good working configuration to go back to get the computer up and running. Even if you have to start over removing infections, this is preferable to a dead PC thanks to having System Restore turned off. Clean the restore folder and set a new point AFTER the PC is clean and all programs are working properly.
How to Turn On and Turn Off System Restore in Windows XP http://support.microsoft.com/default.aspx?...kb;en-us;310405
How to Enable and Disable System Restore in Windows ME http://support.microsoft.com/default.aspx?...kb;en-us;264887

III. Please don't delete all the O16 items as a rule. I see this being done and it is very sloppy HJT work, as the harmless, even helpful, ones should remain on the user's PC. You can check O16 items in SpywareBlaster's Database by rightclicking on the Database list in the program and choosing *find* (you can find by name or by CLSID). Then, if found, you can click on *more information* to see what that item is and whether there are any special instructions needed (Javacool provides information links to many of those items). For the ones that remain, if you are not sure you can check the website if you are using Eric Howe's IE-SPYAD. If the site shows up in the Restricted zone, it is best to remove it. But I see too many helpers removing perfectly harmless O16 items.

IV. About (file missing) and what it means. It doesn't always mean the file is really missing!
You will see (file missing) in some of the lines in different sections. You can only rely on it being true in the sections for BHOs and Toolbars (the O2 and O3 entries).
When you see (file missing) in other sections, the file may really NOT be missing. You will see it in the O9 and O23 entries especially. The only time you should fix a (file missing) entry in those sections is IF AND ONLY IF you see a *bad* file there. Be aware that "fixing" doesn't remove the malware either: it is important to have the user manually delete the file as well (plus any other recommended removal methods).
Except for the O2 and O3 sections, good items listed with (file missing) should be left alone. Most often they ARE there but HJT doesn't see the file.
Links for looking up O23 and O9 items: http://castlecops.com/O9.html http://castlecops.com/O23.html

V. Don't begin fixes until you have an updated HJT version and it is located in the proper folder!
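The rules in sections III and IV above can be applied mechanically before a helper starts reading a log by hand. The following Python script is an added example written for this FAQ page, not a tool from the forum or from the HijackThis authors. It parses HJT-style log lines, trusts the (file missing) marker only on O2 and O3 entries, refuses to trust it on O9 and O23 entries unless the file name is on a list the helper has already researched, and marks every O16 item for lookup rather than deletion. The sample log lines, their CLSIDs and file names (including nasty_svc.exe, standing in for a file the helper has identified as malicious) are constructed placeholders for this example, not real identifiers.

```python
import re
from typing import Dict, List, Optional

# Constructed sample HijackThis log lines (made up for this example; the CLSIDs
# and file names are placeholders) covering the sections discussed above.
SAMPLE_LOG = r"""
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000002} - C:\WINDOWS\system32\gone_bho.dll (file missing)
O3 - Toolbar: (no name) - {00000000-0000-0000-0000-000000000003} - (no file)
O9 - Extra button: Example Button - {00000000-0000-0000-0000-000000000004} - C:\Program Files\Example\button.exe (file missing)
O16 - DPF: {00000000-0000-0000-0000-000000000005} (Example Control) - http://example.invalid/control.cab
O23 - Service: Example Service (ExampleSvc) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Nasty Service (NastySvc) - Unknown owner - C:\WINDOWS\nasty_svc.exe (file missing)
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
MISSING_MARKERS = ("(file missing)", "(no file)")


def parse_entry(line: str) -> Optional[Dict[str, object]]:
    """Split one HJT line into section code, CLSID (if any), target path/URL and missing flag."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    # The last " - "-separated field is the file path (or the URL for O16),
    # possibly followed by HJT's "(file missing)" / "(no file)" marker.
    target = body.rsplit(" - ", 1)[-1]
    missing = False
    for marker in MISSING_MARKERS:
        if target.endswith(marker):
            missing = True
            target = target[: -len(marker)].strip()
    clsid = CLSID_RE.search(body)
    return {
        "section": section,
        "clsid": clsid.group(0) if clsid else None,
        "target": target,
        "missing": missing,
    }


def triage(entry: Dict[str, object], known_bad_files=frozenset()) -> str:
    """Apply the rules from sections III and IV above.

    'fix'                 O2/O3 registration pointing at a file that is gone (marker is reliable)
    'leave'               (file missing) on O9/O23 is not trustworthy; leave unless known-bad
    'fix-and-delete-file' O9/O23 entry whose file name the helper has already confirmed bad
    'lookup'              research first (every O16 item, and anything else)
    """
    section = entry["section"]
    file_name = str(entry["target"]).rsplit("\\", 1)[-1].lower()
    if section in ("O2", "O3"):
        return "fix" if entry["missing"] else "lookup"
    if section in ("O9", "O23"):
        if file_name and file_name in known_bad_files:
            return "fix-and-delete-file"
        return "leave" if entry["missing"] else "lookup"
    return "lookup"  # O16 and everything else: never delete on sight


def triage_log(text: str, known_bad_files=frozenset()) -> List[Dict[str, object]]:
    """Triage every recognised line of a log; lines that are not HJT entries are skipped."""
    results: List[Dict[str, object]] = []
    for line in text.strip().splitlines():
        entry = parse_entry(line)
        if entry is not None:
            entry["verdict"] = triage(entry, known_bad_files)
            results.append(entry)
    return results


if __name__ == "__main__":
    for row in triage_log(SAMPLE_LOG, known_bad_files={"nasty_svc.exe"}):
        print(f'{row["section"]:4} {row["verdict"]:20} {row["clsid"] or row["target"]}')
```

The known_bad_files set is deliberately empty by default: the script never decides on its own that an O9 or O23 file is malicious, it only applies a verdict the helper reached by looking the file up first, which is the point of section IV.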
quote: Please make a new folder to put your HijackThis.exe into. Anywhere on your hard drive is fine other than your Desktop or the Temp folder. We suggest you use something like "C:\Program Files\HijackThis" but feel free to use any name. See here for specific instructions and screen shots to help: http://russelltexas.com/malware/createhjtfolder.htm This is to ensure it makes the necessary backups for recovery if needed.
VI. Back up the Registry. Don't even think about giving instructions to edit the Registry unless you have them back up the Registry first.
How to backup and restore the entire registry: http://service1.symantec.com/SUPPORT/tsgen...c_nam#_Section2

VII. Don't wrap up a thread until you have given your user some prevention advice and tools. »Security Cleanup FAQ »How do I prevent Browser Hijacks and Spyware?
Give a man a fish and he will eat for a day. Teach a man to fish and he will eat for a lifetime
Remember that part of our mission is educating our visitors! Each one should not leave here without some good free antispyware tools and instructions to be able to clean their PC and prevent future infections.

VIII. Remember to check for Windows Critical Security Updates. Remind your victims to check Windows Update and get all the latest updates recommended for their OS and IE. The first defense against infection is a properly patched system and browser.
http://v5.windowsupdate.microsoft.com/en/default.asp
Encourage them to set their PC for automatic updates so that they won't miss any.

IX. DO look up what type of malware you are dealing with where possible. Many times the user might have a nasty that requires extra instruction due to registry changes, lowered security settings, or other considerations, especially in the case of a dangerous nasty like a trojan, keylogger, password stealer or RAT. Most of the databases used to look up HJT items have reference links for the file names, which is very useful in these cases :)
In other words, just finding out a file is bad is NOT ENOUGH. You must find out why it is bad and how to clear out the entire infection, plus any cautions your user may need to know about changing passwords, accounts, etc.

X. DO identify unknown files where possible and submit undetected nasties to the AT/AV/AS vendors where possible. You can scan single files at one of these:
Jotti Malware Scan http://virusscan.jotti.org/
or here:
Virus Total http://www.virustotal.com/
Those sites will submit your file to any of the vendors they use that do NOT detect a particular nasty (unless none of them detect it; then you need to submit manually to the vendors). Here: Submit Malware
Edited 21 Aug 2008: To remove reference to Malware Archive Forum ~lil~
Edited 10 Apr 2005: To add Section IV - About missing files.
Edited 15 Nov 2005: Added Sections IX and X
by CalamityJane edited by lilhurricane  last modified: 2008-08-21 10:05:16
4.0 Prevention·How do I prevent Browser Hijacks and Spyware? ·Beware Fake Codecs - it could be a trojan
Get the free tool Microsoft Baseline Security Analyzer (MBSA) to analyze your PC security for prevention purposes. MBSA version 2.0 will scan for common system misconfigurations on Windows 2000, Windows XP and Windows Server 2003 systems. It identifies security weaknesses in your browser and operating system and provides easy instructions to correct them, including any missing critical Windows security updates, system vulnerabilities, unnecessary services to disable, and your IE browser security settings, among other things.
Get the download here: Microsoft Baseline Security Analyzer.
For Windows 98 & ME users, there is a free tool that does some of the same things called Belarc Advisor. Get the download here: Belarc Advisor.
Scan and follow the directions to make the necessary corrections.
The following topic was written by AntiSpyware Expert Tony Klein and has been posted in numerous Security Forums.
Hopefully, these tips and tools will help you understand how to stay safe and prevent any future infections. I have added some additional information at the end.
said by TonyKlein :
SO, HOW DID I GET INFECTED IN THE FIRST PLACE?
You usually get infected because your security settings are too low.
Here are a number of recommendations that will help tighten them, and which will contribute to making you a less likely victim:
1) Watch what you download! Many freeware programs, and P2P programs like Grokster, Imesh, Kazaa and others are amongst the most notorious, come with an enormous amount of bundled spyware that will eat system resources, slow down your system, clash with other installed software, or just plain crash your browser or even Windows itself.
Pre-Scan downloaded files for viruses and malware at one of these multi-engine single file scan sites for free! Each one uses a dozen or more well-known AntiMalware scanners in one quick easy scan with a report of results from all.
Virus Total (10mb limit) »www.virustotal.com/xhtml/index_en.html
Jotti's Malware Scan (15mb limit) »virusscan.jotti.org/
2) Go to IE > Tools > Windows Update > Product Updates, and install ALL Security Updates listed. It's important to always keep current with the latest security fixes from Microsoft. Install those patches for Internet Explorer, and make sure your installation of Java VM is up-to-date. There are some well known security bugs with Microsoft Java VM which are exploited regularly by browser hijackers.
Windows Update: http://v4.windowsupdate.microsoft.com/en/default.asp
3) Adjust your security settings for ActiveX
Go to Internet Options/Security/Internet, press 'default level', then OK.
Now press "Custom Level."
In the ActiveX section, set the first two options ("Download signed ActiveX controls" and "Download unsigned ActiveX controls") to 'prompt', and "Initialize and script ActiveX controls not marked as safe" to 'disable'.
Now you will be asked whether you want ActiveX objects to be executed and whether you want software to be installed. Sites that you know for sure are above suspicion can be moved to the Trusted Zone in Internet Option/security.
So why is activex so dangerous that you have to increase the security for it? When your browser runs an activex control, it is running an executable program. It's no different from doubleclicking an exe file on your hard drive. Would you run just any random file downloaded off a web site without knowing what it is and what it does?
And some more advice:
4) Install Javacool's SpywareBlaster.
SpywareBlaster http://www.wilderssecurity.net/spywareblaster.html
SpywareBlaster will protect you from all spy/foistware in its database by blocking installation of their ActiveX objects. Download and install, download the latest updates, and you'll see a list of all spyware programs covered by the program (NOTE: this is NOT spyware found on your computer). Press "select all", then "kill all checked", and you're done. The spyware that you told SpywareBlaster to set the "kill bit" for won't be a hazard to you any longer. Although it won't protect you from every form of spyware known to man, it is a very potent extra layer of protection. Don't forget to check for updates every week or so. Let's also not forget that SpyBot Search and Destroy has the Immunize feature which works roughly the same way. It can't hurt to use both.
Download Spybot Search and Destroy http://www.safer-networking.org/

5) Another brilliant program by Javacool we recommend is SpywareGuard. It provides a degree of real-time protection against spyware that is a great addition to SpywareBlaster's protection method.
SpywareGuard http://www.wilderssecurity.net/spywareguard.html
An anti-virus program scans files before you open them and prevents execution if a virus is detected - SpywareGuard does the same thing, but for spyware! And you can easily have an anti-virus program running alongside SpywareGuard. It now also features Download Protection and Browser Hijacking Protection!
6) You can use a customized HOSTS file to block known bad sites. This is accomplished by blocking these sites through the hosts file. For more information and recommended sources see here: »Security »What is a Hosts file and where can I get it?
Finally, after following up on all these recommendations, why not run Jason Levine's Browser Security Tests. http://www.jasons-toolbox.com/BrowserSecurity/
They will provide you with an insight on how vulnerable you might still be to a number of common exploits.
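The "kill bit" that SpywareBlaster sets, mentioned in item 4 of Tony's list above, is a flag in the registry: Internet Explorer reads the DWORD value Compatibility Flags under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}, and bit 0x400 tells it never to instantiate that control. The following Python script is an added example for this FAQ page; it is not part of Tony Klein's text and is not SpywareBlaster's code. It writes a .reg file that sets the bit for a list of CLSIDs, and parses such a file back to list which controls are blocked, so an exported copy of that key can be audited. The CLSIDs used in the usage section are constructed placeholders, not real controls.

```python
import re
from typing import Iterable, Set

# Where IE looks for per-control compatibility flags. Bit 0x400 of the
# "Compatibility Flags" DWORD is the kill bit: IE will not instantiate the control.
KILLBIT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
KILL_BIT = 0x00000400

CLSID_RE = re.compile(r"^\{?([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}?$")
KEY_LINE_RE = re.compile(r"^\[(.+)\]$")
FLAGS_LINE_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9A-Fa-f]{8})$', re.IGNORECASE)


def normalize_clsid(clsid: str) -> str:
    """Validate a CLSID and return it in the canonical {UPPERCASE-...} form."""
    m = CLSID_RE.match(clsid.strip())
    if not m:
        raise ValueError(f"not a CLSID: {clsid!r}")
    return "{" + m.group(1).upper() + "}"


def killbit_reg(clsids: Iterable[str]) -> str:
    """Build a regedit 5.00 format .reg file that sets the kill bit for every CLSID given."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for clsid in clsids:
        lines.append(f"[{KILLBIT_KEY}\\{normalize_clsid(clsid)}]")
        lines.append(f'"Compatibility Flags"=dword:{KILL_BIT:08x}')
        lines.append("")
    return "\r\n".join(lines)


def killbitted_clsids(reg_text: str) -> Set[str]:
    """Parse a .reg export of the ActiveX Compatibility key; return CLSIDs whose kill bit is set.

    The value is a bitmask and other bits may be set too, so the kill bit is
    tested with & rather than by comparing the whole DWORD to 0x400.
    """
    prefix = (KILLBIT_KEY + "\\").lower()
    current = None
    blocked: Set[str] = set()
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = KEY_LINE_RE.match(line)
        if key:
            path = key.group(1)
            current = path[len(prefix):] if path.lower().startswith(prefix) else None
            continue
        flags = FLAGS_LINE_RE.match(line)
        if flags and current:
            try:
                clsid = normalize_clsid(current)
            except ValueError:
                continue  # a subkey that is not a CLSID; not a control entry
            if int(flags.group(1), 16) & KILL_BIT:
                blocked.add(clsid)
    return blocked


if __name__ == "__main__":
    # Constructed placeholder CLSIDs, not real controls.
    reg = killbit_reg(["{00000000-0000-0000-0000-00000000000A}",
                       "00000000-0000-0000-0000-00000000000b"])
    print(reg)
    print(sorted(killbitted_clsids(reg)))
```

Setting the kill bit only stops IE from loading the control; it does not remove the control's files, which is why the cleanup steps elsewhere in this FAQ still apply.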
said by CalamityJane : To add to Tony's excellent advice above, you may find the additional programs and Security Sites below helpful in malware prevention and removal:
7. Three free programs available to remove spyware from your system:
Download, Update and Scan with Adaware 2008 (get the free edition). Download and install Adaware 2008 »www.download.com/Ad-Aware-2008/3···10844457
Reboot your PC after scanning and cleaning with Adaware
Download, Update and Scan with Spybot Search and Destroy. (Be sure to Update the program first)
Download and install Spybot Search & Destroy (free) http://www.safer-networking.org/
A comprehensive Tutorial by the Author of Spybot Search & Destroy: http://www.safer-networking.org/index.php?...p?page=tutorial
Windows Server 2003, WinXP users (English versions only): Download, Update and Scan with Windows Defender (free)
Download here: »www.microsoft.com/athome/securit···ult.mspx
Complete instructions on using Windows Defender can be found here: Using Windows Defender »www.microsoft.com/athome/securit···ult.mspx *Validation of genuine Microsoft Windows Required*
8. Scan for Viruses and common trojans online and free
»Security »What are some web based virus scanners and encyclopedias?
9. If you still have problems and think you are infected after following the various scans and help above, get HijackThis (another free program and diagnostic tool). NOTE: See »Security Cleanup FAQ »Mandatory Steps Before Requesting Assistance before posting a HijackThis log; logs may only be posted in our »Security Cleanup forum for assistance:
Instructions for HijackThis: * Download Trend Micro Hijack This™ »download.bleepingcomputer.com/hi···tall.exe Doubleclick the HJTInstall.exe to start it. By default it will install HijackThis in the Program Files\Trendmicro folder and create a desktop shortcut. HijackThis will open after install. Press the Scan button below. This will start the scan and open a log. Copy and paste the contents of the log in your next new topic. NOTE: Most of what it lists will be harmless or even essential, don't fix anything yet. Someone will be along to tell you what steps to take after you post the contents of the scan results.
10. Some Security Sites worth reading and bookmarking for reference and to help you get started in your PC Security.
Security At Home: protect your computer (Spyware)
Home Computer Security http://www.cert.org/homeusers/HomeComputerSecurity/
Protecting Your Home Network http://www.microsoft.com/windowsxp/pro/usi...tecthomenet.asp
Home Network Security http://www.cert.org/tech_tips/home_networks.html
Malicious Code Propagation and Antivirus Software Updates http://www.cert.org/incident_notes/IN-2003-01.html
National Institute of Standards and Technology Computer Security Resource Center http://csrc.nist.gov/
Stay Safe Online http://www.staysafeonline.info/
Protecting Your Privacy & Security on a Home PC »www.spywarewarrior.com/uiuc/
IE-SPYAD: Restricted Sites List for Internet Explorer »www.spywarewarrior.com/uiuc/reso···#IESPYAD
»Microsoft Application Tips and Tweaks »Concerning Internet Options Security, what do some of the settings mean
Internet Explorer 7 for Windows XP is available now »www.microsoft.com/windows/ie/default.mspx Internet Explorer works with Windows Defender to help prevent spyware from sneaking onto your computer in common ways, such as part of a larger software download.
Edit 19 Nov 2008 by CalamityJane: Removed IESPYAD and AGNIS (from #6 recommendation to block bad sites). Added link to HOSTS file FAQ to use instead.
Edit 07 Aug 2008 by CalamityJane: Removed CWShredder (obsolete) Updated HijackThis instructions, Ad-Aware and Spybot versions and download links.
Edit 15 Oct 2007 by CalamityJane: Updated Windows Defender download link. Updated HijackThis download instructions (now available from Trend-Micro). Added IE7 and download link.
Edit 12 Aug 2006 by CalamityJane: Name change for Microsoft Antispyware to Windows Defender
Edit 30 Jan 2006 by CalamityJane: Added Microsoft Antispyware, updated MBSA to v. 2.0; adjusted step 9 to include Security Cleanup Forum rules.
Edit 24 Jan 2006 by CalamityJane: New URL for IESPYAD
by CalamityJane  last modified: 2008-11-19 19:19:05

»www.lavasoft.de/company/newslett···cks.html
quote: Beware - Desktop Hijacks on the Rise Again
Security Forums have been deluged with daily cries of help from victims of the "Smitfraud" desktop hijackers that are using fake codecs to infect their prey.
Watch out for the Zlob Trojan that poses as a codec needed to view a video, then installs a fake virus and urges its victims to download a rogue anti-spyware program to remove it. Lavasoft has also confirmed that this malware takes advantage of unpatched systems using exploits on web pages. Visit Microsoft Update to ensure that ALL of your critical Windows security patches are up to date.
Other victims have been infected by a fake e-card greeting, or even a spoofed e-mail that claims to be Windows Update (Microsoft never sends updates via e-mail). Still more unassuming victims received an e-mail asking them to open a link to see the message (these can be fake e-mails, intended only to infect), or even a link from your 'buddy' in instant messages - but don't trust it if you aren't expecting it. Even your buddy could be infected without his/her knowledge and the virus on their computer is sending you the link with one purpose, and one purpose only - to infect you!
A few of the fake codecs out there include:
•braincodec (added 28 Nov 2006)
•EliteCodec (added 08 Nov 2006)
•Emcodec
•eMedia Codec
•Gold Codec (added 23 Nov 2006)
•HQ Codec
•iCodecPack
•iMediaCodec
•iVideoCodec
•IntCodec
•KeyCodec
•Media-Codec
•MediaCodec
•MMediaCodec
•MPCODEC
•PCODEC
•PerfectCodec (added 15 Nov 2006)
•PowerCodec
•PornPass Manager
•PornMag Pass
•QualityCodec (added 08 Nov 2006)
•SilverCodec (added 23 Nov 2006)
•SoftCodec
•strCodec
•Supercodec (added 15 Nov 2006)
•TrueCodec
•vaxsetup
•Vccodec
•VideoCompressionCodec
•VideoKeyCodec
•VideosCodec
•WinMediaCodec
•X Password Generator
•X Password Manager
•ZipCodec
We urge you to be aware and watch out for fake codecs. This is one of the favorite methods used by the authors of malware to lure you into downloading a file that infects your computer. If you receive a link for a video that says you need a certain codec in order to view it, be careful! Today, it could be a fake codec that is actually a Trojan just waiting to infect your system.
New variants are being released daily, even faster than Security Products companies receive new samples for detection. And because it does take time for due diligence on detection for the newer variants, it is important to remember that prevention is the key!
A screen shot of what one of the fake codecs looks like: [image not reproduced]
Discussion thread is here: »Beware Fake Codecs - it could be a trojan
Edited for new variants: 23 Nov 2006 by CalamityJane
Edited for new variants: 15 Nov 2006 by CalamityJane
Edit 08 Nov 2006 by CalamityJane: List of codecs updated for new variants
by CalamityJane  last modified: 2006-12-05 14:41:10
5.0 Additional Resources·Single File Detection Sites ·Where can I find additional resources? ·When should I reformat? How should I reinstall?
Where can I upload one file for malware detection?
•Jotti.org
•VirusTotal
•Kaspersky File Scanner
•VirSCAN.org
•Upload Malware
UploadMalware.com is an easy way for you to submit files for analysis by anti-malware and security professionals.
This site is completely free to use, and requires no registration of any kind.
Please ensure you complete all of the fields on the upload form. This is to allow us to help you in the best way possible.
Please do not upload log files of any type. Log files will be automatically deleted and no one will review them.
Please do not zip files prior to uploading unless asked to. Zipping files before uploading interferes with the automatic analysis of files.
by lilhurricane  last modified: 2009-08-19 10:19:15

•Microsoft Malicious Software Removal Tool
•Dr.Web CureIt! Curing Utility
•Sysclean Package TrendMicro
* Edit: 19 Nov 2008 by CalamityJane: Updated Dr.Web CureIt link, Added Microsoft MSRT
Submission by John2G
by lilhurricane edited by CalamityJane  last modified: 2008-11-19 20:23:30

See here: »Security »When should I re-format? How should I reinstall?
by lilhurricane