How to fix popups, spyware, malware and nuisance programs

  1. #1
    Driver Terrier NooNoo's Avatar
    Join Date
    Dec 2000
    Location
    UK
    Posts
    31,824

    How to fix popups, spyware, malware and nuisance programs

    Tools for killing spyware are:

    start with an online virus check. Yes, you may have the latest and greatest but often these are blocked so that they appear to work but are not. Online checks cannot be blocked. If you can't get to the online page you have either got a java problem or big worries.

    a-squared trojan, dialer and worm scanner Free version (requires a free activation code).

    spybot Must be updated as soon as it's installed.

    adaware Must be updated as soon as it's installed.

    spyware blaster Run this as a further check

    bhodaemon Use this to see what "helper objects" are not very helpful.

    Hijack this Gives you a list and lets you decide what to kill.

    this will help you to understand what hijackthis is telling you

    more in depth tutorial for reading a hijack this log

    cwshredder gets cool web search and its variants

    About:Blank killer

    Now the tricky bit is to work out what you don't want.

    Where possible run these in safe mode (press f8 just before windows starts loading)
    First, disconnect from the internet and if you have a network, unplug the network cable. This will prevent cross-infecting from other machines or the internet feeding you more problems.

    Run spybot to kill most things automatically
    Run adaware to see if spybot missed anything
    Run bhodaemon and look up whether you want those bhos
    Run hijack this, make a note of any .exe or .dll or .cab files, check the ones you want fixed and click the fix button. Now go on a search and destroy mission of your own. Make sure you can see hidden and system files (my computer, folder options, view for xp or my computer, view, folder options, view for 9x). Find each file and delete it - either to the recycle bin and then empty it or press and hold shift and hit the delete key.

    If files will not let you delete them, you may have to turn off a service in xp/2k and end a process tree, or in 9x/me press ctrl, alt,del and end task.

    Now use the immunise function in spybot to stop those damn things installing again.

    Only reboot to normal mode when you feel sure you got it all. If you didn't you may get it straight back again.

    There are a few more of these utils - I am sure people will add to the list.

    http://www.pestpatrol.com/pestinfo/#index
    pestpatrol has a library of spyware with explanations. The product is commercial, but the info is free.

    You will also need some sort of winsock /lsp fix if certain spyware is removed the wrong way. When this happens you will know, because you won't get on the internet and nothing you do will make a difference.

    winsockfix

    winsock2 fix for windows 95/98/ME

    winsock2 fix for 2k/XP

    lsp fix

    Here is how SteveCohen fixed the Ndrv problem:

    I stopped the NDrv.exe process.
    I then deleted both NDrv.exe and NDrv.dll
    I also deleted the following Reg Keys:

    HKey_Current_User/Software/Clickspring
    HKEY_CLASSES_ROOT/CLSID/{1B7D753B-1981-4bd2-91F3-6D055EE113A0}
    HKEY_CLASSES_ROOT\Context1.Curl
    HKEY_CLASSES_ROOT\Context1.Curl.1
    HKEY_CLASSES_ROOT\TypeLib\{EE6F3F6A-AD8E-48DA-9B1D-D5204B2D227D}
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]"NDrv"="C:\\WINNT\\system32\\NDrv.exe"
    You should attempt this in safe mode, logged in as administrator in 2k or XP. In 9x/ME there is no login, but you should still use safe mode.

    You must turn off system restore in xp or me for this to work.
    The Ndrv.exe and dll files should be found in c:\windows\system32 or c:\winnt\system32 if you are running windows 2000.

    To delete the registry keys, start, run, type in regedit. First thing you should do is File, Export and export the current registry to a file that can be easily found - such as c:\mybackup.reg. Find the keys above one at a time, by navigating or by using edit, find. Right click on the key and select delete. If you are sure you have the right key, click yes to delete it. If the key will not delete you have not ended the process in task manager or you do not have administrative rights to delete the key.

    if you have winlogin.exe running as a process, you probably have Wintools. good how to remove it here
    Last edited by NooNoo; September 30th, 2004 at 01:29 PM.
    Never, ever approach a computer saying or even thinking "I will just do this quickly."

  2. #2
    Registered User craigmodius's Avatar
    Join Date
    Sep 2001
    Location
    Hellmira, NY, USA
    Posts
    1,572
    thanks noonoo for making this a sticky topic, you are one smart cookie.

    the one tool I would add to the list is Spyware Blaster, which does a good job of immunizing you against this junk getting installed again. And, like the others, you should download updated definitions as soon as it is installed.
    "And just when I thought today couldn't get anymore poo-like." -Outcoded

  3. #3
    Registered User cabal's Avatar
    Join Date
    Feb 2001
    Location
    Lake Placid,NY
    Posts
    336
    Excellent advice, NooNoo. all great programs.
    I have a question about hijackthis. Do you have a good site on the net for confirming what reg entries are malware and which are benign? I haven't had much luck using google. Some are obvious but some are real head scratchers.
    "You've been livin' on the razor's edge, since you began to shave...
    Make sure you live, you're a long time dead, cradle to the grave"-Motorhead

  4. #4
    Registered User El Clammino's Avatar
    Join Date
    Jul 2002
    Location
    Boston, MA
    Posts
    260
    Quote Originally Posted by cabal
    Excellent advice, NooNoo. all great programs.
    I have a question about hijackthis. Do you have a good site on the net for confirming what reg entries are malware and which are benign? I haven't had much luck using google. Some are obvious but some are real head scratchers.

    With HiJack This! we usually check the unknowns on Google, if that doesn't return anything then we try to leave it alone. If the problem continues (Read: sometimes fixed but the user does it again...) the machine gets reimaged.

    Beware of System Soap, it's a nasty one.

    EC
    GO PATS!!!!

  5. #5
    Registered User meatwad's Avatar
    Join Date
    Oct 2002
    Location
    Numba 1 in tha hood G
    Posts
    3,835
    Quote Originally Posted by Wayward Clam
    Did I miss it? Was there a generic popup blocker amongst these utilities?
    Google Toolbar.

  6. #6
    Driver Terrier NooNoo's Avatar
    Join Date
    Dec 2000
    Location
    UK
    Posts
    31,824
    Neither spybot nor adaware picked up on this one - Netpal games.


    It was in the favourites, had a registry key.. didn't pay much attention to it since she has realgames etc.

    Anywhoooo, I removed it because she was having issues, and on the 3rd reboot the machine "restored" the registry. Guess what came back? Netpal...
    So I did it again, again on the 3rd reboot it restored the registry. Once more to check, yup same pattern.

    Look for installerupdater.exe in the c:\ and check the java applets in the internet cache - remove them all, empty the recycle bin. Run hijack this, fix the no name bho and the netpal entry.

    Reboot 3 times. If you got it all, it will not restore the registry in 3 reboots time.
    Never, ever approach a computer saying or even thinking "I will just do this quickly."

  7. #7
    Registered User
    Join Date
    Mar 2004
    Location
    Toronto, ON
    Posts
    132
    Good things are said about the Google Toolbar - but bear in mind too that it is a BHO (Browser Helper Object) and, as such, is something of a spyware product in itself.

    More info on BHO here -

    http://www.spywareinfo.com/articles/bho/

    I have used in the past the free version of Panicware's Pop-Up Stopper -

    http://www.panicware.com/product_psfree_download.html

    and liked it very much as a stand-alone piece of software, but I have since moved to the myIE2 Lite browser -

    http://www.myie2.com/html_en/home.htm

    which continues to use the IE engine, settings and Favorites, but includes tabbing, pop up and banner ad blocking and seems to use the IE engine more efficiently than IE itself. The Lite version is very full-featured and is also a small download and install.

  8. #8
    Registered User TechZ's Avatar
    Join Date
    Apr 2003
    Location
    Bahrain, Middle East
    Posts
    7,525
    used myie love the tabbed windows not having to open new windows all the time, but i've never had spyware or anything of the sort, i only use nav/avg and zap and no problems.

  9. #9
    Geezer confus-ed's Avatar
    Join Date
    Jul 1999
    Location
    In front of my PC....
    Posts
    13,087
    Quote Originally Posted by craigmodius
    thanks noonoo for making this a sticky topic, you are one smart cookie.

    the one tool I would add to the list is Spyware Blaster, which does a good job of immunizing you against this junk getting installed again. And, like the others, you should download updated definitions as soon as it is installed.
    ... so that makes me an extra smart cookie then ? .. as it was I who suggested it to her, after that big rash of HijackThis logs broke out all over the forums - 'commitments' kept me from doing a 'one size fits most' thread on the topic, but I'm very glad she did/has

    & yeah spywareblaster does indeed beat the sh!t out of the Google Toolbar as that's bloody SPYWARE !!!!!
    (for it not to be you have to 'tweak it' muchly ... a simple install will in fact be worse than many bits of malware - be aware !)

    The other thing nobody has said yet - get yourself some software firewall to do application whitelisting ! Invaluable on controlling any nasties that get under the wire

  10. #10
    Geezer confus-ed's Avatar
    Join Date
    Jul 1999
    Location
    In front of my PC....
    Posts
    13,087
    Quote Originally Posted by cgaudio
    Noonoo, 2 problems please:
    When trying to download winsockfix, I get that I must "reconfigure" my browser and get proxy permission. Is there another place to download these fixes?

    And, more importantly, I misplaced a message to you as a reply to your reply to kerzatz1. Could you look it over and comment?

    Thanks a lot!
    -Chuck
    Noo has many seemingly 'magic' powers but getting back misplaced replies isn't one of them .. if you can't see what you wrote then neither can she, it's lost for good in the ether ! (unless it was via pm which I can't see at all)..

    Winsockfix gets a whole load of hits on google if you care to try (I can't second guess your proxy permissions from here & neither will our glorious leader ) - which brings me to the point that Noo's link is for 9x - In fact there are different versions for 95, 98 & 98se, me, & finally w2k & xp .. ! So search on Microsoft's site for the appropriate one for your o/s - I'll go google all the various alternatives later & check which applies to what .. there's also the fact that the DUN upgrades available for each o/s can mess up if not done in the right order - also something for me/whoever to check ..

    Btw please don't be like everybody else does here, it drives me nutz, don't use the 'reply with quote button' on the right (sadly it just says reply ! ) unless you are doing what I just did & referring to that reply & that reply only ... use the 'post reply' button on the left - if you have a specific point for an individual put that in bold with their name & 'veterans' of the site will understand it, as for that person only ..
    Last edited by confus-ed; April 27th, 2004 at 09:12 AM.

  11. #11
    Geezer confus-ed's Avatar
    Join Date
    Jul 1999
    Location
    In front of my PC....
    Posts
    13,087
    We need some 'startup list thingees' too !! to identify 'bad' from 'good' & 'what the bloody hell is that for?' type entries ..

    Some I like .. Answers that work.com (& the bloomin' answers do work mostly from there - that's the 'startup task list' - check off your hijackthis logs against it & most especially against any open programs, processes or tasks in windows task manager)

    Greatis Startup Application Database

    Come on guys crack open your 'favourites' & share !

    For Noo : Can you edit up your top post to include the 'good' stuff, I think that was the original plan ?

  12. #12
    Driver Terrier NooNoo's Avatar
    Join Date
    Dec 2000
    Location
    UK
    Posts
    31,824
    Get me a list of the good stuff, and lists of ok start up stuff would go for miles... not sure that it's a good idea...
    Never, ever approach a computer saying or even thinking "I will just do this quickly."

  13. #13
    Geezer confus-ed's Avatar
    Join Date
    Jul 1999
    Location
    In front of my PC....
    Posts
    13,087
    Quote Originally Posted by NooNoo
    Get me a list of the good stuff, and lists of ok start up stuff would go for miles... not sure that its a good idea...
    I just meant add some links like I suggested (you'll have some similar ones, I presume you use for checking on stuff ? Or do you google every one !?!)

    Yeah sure I'd like the top post as clear as possible, but the point of this one was to help folks help themselves (isn't it !?!) - well two hours(or whatever) of me googling for stuff for folks - I didn't think was inside that remit !

    Both these lists have helped me many times know what the entries in my hijackthis logs were for .. so I was thinking other folks can use those just as easily ..

    I just wrote a reply for instance on a thread (the one you just moved into this forum) where if he'd used either of those lists he could have eliminated 80% of his keys & only posted the other few he wasn't sure of .. or that's how I see it

  14. #14
    Driver Terrier NooNoo's Avatar
    Join Date
    Dec 2000
    Location
    UK
    Posts
    31,824
    I google the ones I don't recognise... I am getting pretty good at knowing them immediately though....

    Updated the first thread some...
    Never, ever approach a computer saying or even thinking "I will just do this quickly."

  15. #15
    Geezer confus-ed's Avatar
    Join Date
    Jul 1999
    Location
    In front of my PC....
    Posts
    13,087
    Now the tricky bit is to work out what you don't want.
    YES !

    However there's no definitive 'it's bad list' - it just grows & grows & grows ... at the risk of labouring the point yet more, without a list of 'known startup applications & processes' you are gonna have your work cut out !

    We need to know what shouldn't be there, well that's what we can't identify as 'good/required' ..

    You seem to be back to front on this particular aspect .. you probably like me immediately 'know' which ones to be looking at (you say so) but what about them that don't ? With a list like this you can tick off lots of 'strange stuff' knowing what it's for & concentrate on the 'unfound' stuff ..

    I'll shut up now !
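
The approach argued for in posts #11 to #15, ticking HijackThis entries off against a known startup list so that only the unfound ones need attention, sketched in Python as an added example (not code from the thread or from HijackThis). The allowlist, the ExampleAV entries and the all-zero CLSID are constructed, the O2/O4 line layout is assumed, and only the NDrv Run entry comes from the first post.

```python
import ntpath
import re

# Constructed allowlist standing in for a startup database:
# lowercase file name -> the folder it is expected to run from.
KNOWN_GOOD = {"exampleav.exe": r"c:\program files\exampleav"}

# Constructed HijackThis-style excerpt; only the NDrv entry is from the thread.
SAMPLE_LOG = r"""
Logfile of HijackThis
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINNT\system32\example.dll
O4 - HKLM\..\Run: [ExampleAV] "C:\Program Files\ExampleAV\ExampleAV.exe" /min
O4 - HKCU\..\Run: [NDrv] C:\WINNT\system32\NDrv.exe
O4 - HKCU\..\Run: [ExampleAV Update] C:\WINNT\Temp\ExampleAV.exe
"""

O4 = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<cmd>.+)$")

def image_path(cmd):
    """Pull the .exe/.dll path out of a command line, quoted or unquoted."""
    m = re.match(r'"([^"]+)"|(.+?\.(?:exe|dll))', cmd, re.I)
    return (m.group(1) or m.group(2)) if m else cmd

def triage(log):
    """Return (section, name, path, reason) for entries not ticked off."""
    unknown = []
    for line in log.splitlines():
        line = line.strip()
        m = O4.match(line) or O2.match(line)
        if not m:
            continue  # other sections (R0, O1, ...) are out of scope here
        path = image_path(m.group("cmd"))
        folder, exe = ntpath.split(path.lower())
        expected = KNOWN_GOOD.get(exe)
        if expected is None:
            reason = "not in list"
        elif folder != expected:
            # A familiar file name in the wrong folder is not ticked off.
            reason = "known name, unexpected folder"
        else:
            continue
        unknown.append((line[:2], m.group("name"), path, reason))
    return unknown

if __name__ == "__main__":
    for entry in triage(SAMPLE_LOG):
        print(" | ".join(entry))
```

Matching on folder as well as file name keeps a look-alike copy of a listed program from being ticked off by name alone.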
