WinDrivers Computer Tech Support Forums  

April 7th, 2004, 05:28 AM   #1
NooNoo
Driver Terrier
How to fix popups, spyware, malware and nuisance programs

Tools for killing spyware are:

Start with an online virus check. Yes, you may have the latest and greatest, but often these are blocked so that they appear to work but are not. Online checks cannot be blocked. If you can't get to the online page you have either got a Java problem or big worries.

a-squared trojan, dialer and worm scanner: free version (requires a free activation code).

Spybot: must be updated as soon as it's installed.

Ad-Aware: must be updated as soon as it's installed.

SpywareBlaster: run this as a further check.

BHODemon: use this to see which "helper objects" are not very helpful.

HijackThis: gives you a list and lets you decide what to kill.

This will help you to understand what HijackThis is telling you.

More in-depth tutorial for reading a HijackThis log.

CWShredder: gets CoolWebSearch and its variants.

about:blank killer.

Now the tricky bit is to work out what you don't want.

Where possible run these in safe mode (press F8 just before Windows starts loading).
First, disconnect from the internet and, if you have a network, unplug the network cable. This will prevent cross-infecting from other machines or the internet feeding you more problems.

Run Spybot to kill most things automatically.
Run Ad-Aware to see if Spybot missed anything.
Run BHODemon and look up whether you want those BHOs.
Run HijackThis, make a note of any .exe, .dll or .cab files, check the ones you want fixed and click the Fix button. Now go on a search and destroy mission of your own. Make sure you can see hidden and system files (My Computer, Folder Options, View for XP, or My Computer, View, Folder Options, View for 9x). Find each file and delete it, either to the Recycle Bin and then empty it, or press and hold Shift and hit the Delete key.

If files will not let you delete them, you may have to turn off a service in XP/2K and end a process tree, or in 9x/ME press Ctrl, Alt, Del and end task.

Now use the Immunize function in Spybot to stop those damn things installing again.

Only reboot to normal mode when you feel sure you got it all. If you didn't, you may get it straight back again.

There are a few more of these utils - I am sure people will add to the list.

PestPatrol has a library of spyware with explanations: http://www.pestpatrol.com/pestinfo/#index. The product is commercial, but the info is free.

You will also need some sort of Winsock/LSP fix if certain spyware is removed the wrong way. When this happens you will know, because you won't get on the internet and nothing you do will make a difference.

WinsockFix

Winsock2 fix for Windows 95/98/ME

Winsock2 fix for 2K/XP

LSPFix

Here is how SteveCohen fixed the NDrv problem:

Quote:
I stopped the NDrv.exe process.
I then deleted both NDrv.exe and NDrv.dll.
I also deleted the following Reg Keys:

HKey_Current_User/Software/Clickspring
HKEY_CLASSES_ROOT/CLSID/{1B7D753B-1981-4bd2-91F3-6D055EE113A0}
HKEY_CLASSES_ROOT\Context1.Curl
HKEY_CLASSES_ROOT\Context1.Curl.1
HKEY_CLASSES_ROOT\TypeLib\{EE6F3F6A-AD8E-48DA-9B1D-D5204B2D227D}
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]"NDrv"="C:\\WINNT\\system32\\NDrv.exe"
You should attempt this in safe mode, logged in as Administrator in 2K or XP. In 9x/ME there is no login, but you should still use safe mode.

You must turn off System Restore in XP or ME for this to work.
The NDrv.exe and .dll files should be found in c:\windows\system32, or c:\winnt\system32 if you are running Windows 2000.

To delete the registry keys: Start, Run, type in regedit. The first thing you should do is File, Export, and export the current registry to a file that can be easily found, such as c:\mybackup.reg. Find the keys above one at a time, by navigating or by using Edit, Find. Right-click on the key and select Delete. If you are sure you have the right key, click Yes to delete it. If the key will not delete, you have not ended the process in Task Manager or you do not have administrative rights to delete the key.

If you have winlogin.exe running as a process, you probably have WinTools. Good how-to for removing it here.
Last edited by NooNoo; September 30th, 2004 at 02:29 PM.
April 7th, 2004, 06:27 AM   #2
craigmodius
Registered User
Thanks NooNoo for making this a sticky topic, you are one smart cookie.

The one tool I would add to the list is SpywareBlaster, which does a good job of immunizing you against this junk getting installed again. And, like the others, you should download updated definitions as soon as it is installed.
April 15th, 2004, 11:05 PM   #3
cabal
Registered User
Excellent advice, NooNoo. All great programs.
I have a question about HijackThis. Do you have a good site on the net for confirming which reg entries are malware and which are benign? I haven't had much luck using Google. Some are obvious but some are real head-scratchers.
April 16th, 2004, 10:33 AM   #4
El Clammino
Registered User
Quote:
Originally Posted by cabal
Excellent advice, NooNoo. All great programs.
I have a question about HijackThis. Do you have a good site on the net for confirming which reg entries are malware and which are benign? I haven't had much luck using Google. Some are obvious but some are real head-scratchers.

With HijackThis we usually check the unknowns on Google; if that doesn't return anything then we try to leave it alone. If the problem continues (read: sometimes fixed but the user does it again...) the machine gets reimaged.

Beware of System Soap, it's a nasty one.

EC
April 16th, 2004, 12:06 PM   #5
meatwad
Registered User
Quote:
Originally Posted by Wayward Clam
Did I miss it? Was there a generic popup blocker amongst these utilities?
Google Toolbar.
April 18th, 2004, 12:52 PM   #6
NooNoo
Driver Terrier
Neither Spybot nor Ad-Aware picked up on this one - NetPal games.

It was in the Favourites, had a registry key... didn't pay much attention to it since she has RealGames etc.

Anywhoooo, I removed it because she was having issues, and on the 3rd reboot the machine "restored" the registry. Guess what came back? NetPal...
So I did it again, and again on the 3rd reboot it restored the registry. Once more to check, yup, same pattern.

Look for installerupdater.exe in C:\ and check the Java applets in the internet cache - remove them all, empty the Recycle Bin. Run HijackThis, fix the no-name BHO and the NetPal entry.

Reboot 3 times. If you got it all, it will not restore the registry within 3 reboots.
April 18th, 2004, 07:17 PM   #7
bazcook
Registered User
Good things are said about the Google Toolbar - but bear in mind too that it is a BHO (Browser Helper Object) and, as such, is something of a spyware product in itself.

More info on BHOs here -

http://www.spywareinfo.com/articles/bho/

I have used in the past the free version of Panicware's Pop-Up Stopper -

http://www.panicware.com/product_psfree_download.html

and liked it very much as a stand-alone piece of software, but I have since moved to the myIE2 Lite browser -

http://www.myie2.com/html_en/home.htm

which continues to use the IE engine, settings and Favorites, but includes tabbing, pop up and banner ad blocking and seems to use the IE engine more efficiently than IE itself. The Lite version is very full-featured and is also a small download and install.
April 27th, 2004, 02:25 AM   #8
TechZ
Tech News Mod
Used MyIE, love the tabbed windows, not having to open new windows all the time, but I've never had spyware or anything of the sort; I only use NAV/AVG and ZAP and no problems.
April 27th, 2004, 07:38 AM   #9
confus-ed
Geezer
Quote:
Originally Posted by craigmodius
Thanks NooNoo for making this a sticky topic, you are one smart cookie.

The one tool I would add to the list is SpywareBlaster, which does a good job of immunizing you against this junk getting installed again. And, like the others, you should download updated definitions as soon as it is installed.
... so that makes me an extra smart cookie then? .. as it was I who suggested it to her, after that big rash of HijackThis logs broke out all over the forums - 'commitments' kept me from doing a 'one size fits most' thread on the topic, but I'm very glad she did/has.

& yeah, SpywareBlaster does indeed beat the sh!t out of the Google Toolbar as that's bloody SPYWARE !!!!!
(for it not to be you have to 'tweak it' muchly ... a simple install will in fact be worse than many bits of malware - be aware!)

The other thing nobody has said yet - get yourself some software firewall to do application whitelisting! Invaluable for controlling any nasties that get under the wire.
April 27th, 2004, 10:09 AM   #10
confus-ed
Geezer
Quote:
Originally Posted by cgaudio
NooNoo, 2 problems please:
When trying to download WinsockFix, I get that I must "reconfigure" my browser and get proxy permission. Is there another place to download these fixes?

And, more importantly, I misplaced a message to you as a reply to your reply to kerzatz1. Could you look it over and comment?

Thanks a lot!
-Chuck
Noo has many seemingly 'magic' powers but getting back misplaced replies isn't one of them .. if you can't see what you wrote then neither can she, it's lost for good in the ether! (unless it was via PM, which I can't see at all)..

WinsockFix gets a whole load of hits on Google if you care to try (I can't second-guess your proxy permissions from here & neither will our glorious leader) - which brings me to the point that Noo's link is for 9x - in fact there are different versions for 95, 98 & 98SE, ME, & finally W2K & XP ..! So search on Microsoft's site for the appropriate one for your O/S - I'll go Google all the various alternatives later & check which applies to what .. there's also the fact that the DUN upgrades available for each O/S can mess up if not done in the right order - also something for me/whoever to check ..

Btw, please don't be like everybody else here, it drives me nutz: don't use the 'Reply With Quote' button on the right (sadly it just says Reply!) unless you are doing what I just did & referring to that reply & that reply only ... use the 'Post Reply' button on the left - if you have a specific point for an individual, put that in bold with their name & 'veterans' of the site will understand it as for that person only ..

Last edited by confus-ed; April 27th, 2004 at 10:12 AM.
May 1st, 2004, 07:20 AM   #11
confus-ed
Geezer
We need some 'startup list thingees' too!! To identify 'bad' from 'good' & 'what the bloody hell is that for?' type entries ..

Some I like .. AnswersThatWork.com (& the bloomin' answers do work mostly from there - that's the 'startup task list' - check off your HijackThis logs against it & most especially against any open programs, processes or tasks in Windows Task Manager)

Greatis Startup Application Database

Come on guys, crack open your 'favourites' & share!

For Noo: Can you edit up your top post to include the 'good' stuff? I think that was the original plan?
May 1st, 2004, 07:33 AM   #12
NooNoo
Driver Terrier
Get me a list of the good stuff, and lists of OK startup stuff would go for miles... not sure that it's a good idea...
May 1st, 2004, 07:44 AM   #13
confus-ed
Geezer
Quote:
Originally Posted by NooNoo
Get me a list of the good stuff, and lists of OK startup stuff would go for miles... not sure that it's a good idea...
I just meant add some links like I suggested (you'll have some similar ones, I presume, that you use for checking on stuff? Or do you Google every one!?!)

Yeah, sure I'd like the top post as clear as possible, but the point of this one was to help folks help themselves (isn't it!?!) - well, two hours (or whatever) of me googling for stuff for folks - I didn't think was inside that remit!

Both these lists have helped me many times know what the entries in my HijackThis logs were for .. so I was thinking other folks can use those just as easily ..

I just wrote a reply for instance on a thread (the one you just moved into this forum) where if he'd used either of those lists he could have eliminated 80% of his keys & only posted the other few he wasn't sure of .. or that's how I see it.
May 1st, 2004, 08:10 AM   #14
NooNoo
Driver Terrier
I google the ones I don't recognise... I am getting pretty good at knowing them immediately though....

Updated the first thread some...
May 1st, 2004, 08:48 AM   #15
confus-ed
Geezer
Quote:
Now the tricky bit is to work out what you don't want.
YES!

However, there's no definitive 'it's bad' list - it just grows & grows & grows ... at the risk of labouring the point yet more, without a list of 'known startup applications & processes' you are gonna have your work cut out!

We need to know what shouldn't be there, well, that's what we can't identify as 'good/required' ..

You seem to be back to front on this particular aspect .. you probably, like me, immediately 'know' which ones to be looking at (you say so) but what about them that don't? With a list like this you can tick off lots of 'strange stuff' knowing what it's for & concentrate on the 'unfound' stuff ..

I'll shut up now!
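As an added example (not code from this thread or from any of the tools it names), here is a small Python triage of a HijackThis-style log that does what NooNoo's HijackThis step in the first post and confus-ed's 'known startup list' suggestion describe: parse the O2 (BHO) and O4 (Run) lines, tick off entries found on a known-good list, flag no-name or no-file BHOs like the NetPal one, and leave only the rest to look up. The sample log lines, the CLSIDs and the tiny allowlist are constructed stand-ins, not real data.

```python
import re
from typing import List, NamedTuple

# Constructed sample in HijackThis log format (not a real log). The [NDrv] Run entry
# mirrors the key quoted in the first post; the CLSIDs are made-up placeholders.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {AAAAAAAA-0000-4000-8000-000000000001} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {AAAAAAAA-0000-4000-8000-000000000002} - C:\WINNT\system32\NDrv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NDrv] C:\WINNT\system32\NDrv.exe
"""

# O2 lines are Browser Helper Objects: name - {CLSID} - DLL path.
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
# O4 lines are autostart entries: hive\..\Run: [value name] command line.
RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")

# Stand-in for the "known startup applications" lists the thread asks for
# (assumption: a tiny constructed allowlist, not any real database).
KNOWN_GOOD = {("Run", "ctfmon.exe"), ("Run", "NvCplDaemon"), ("BHO", "AcroIEHlprObj Class")}

class Entry(NamedTuple):
    kind: str     # "BHO" or "Run"
    name: str
    target: str   # DLL path for a BHO, command line for a Run entry
    verdict: str  # "known-good", "review" or "suspicious"

def classify(kind: str, name: str, target: str) -> str:
    # A BHO with no name, or pointing at no file, is the pattern the NetPal post says to fix.
    if name == "(no name)" or target == "(no file)":
        return "suspicious"
    if (kind, name) in KNOWN_GOOD:
        return "known-good"
    return "review"  # unknown: look it up before deciding, as the thread advises

def parse_log(text: str) -> List[Entry]:
    entries = []
    for line in text.splitlines():
        if m := BHO_RE.match(line.strip()):
            entries.append(Entry("BHO", m["name"], m["path"], classify("BHO", m["name"], m["path"])))
        elif m := RUN_RE.match(line.strip()):
            entries.append(Entry("Run", m["name"], m["cmd"], classify("Run", m["name"], m["cmd"])))
    return entries

def triage(text: str) -> List[Entry]:
    """Entries not on the allowlist, suspicious first: the ones worth asking about."""
    rank = {"suspicious": 0, "review": 1}
    return sorted((e for e in parse_log(text) if e.verdict != "known-good"), key=lambda e: rank[e.verdict])
```

Calling `triage(SAMPLE_LOG)` on the sample leaves just the no-name BHO and the unknown NDrv Run entry, which is the short list a poster would then check against a startup database or ask about.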