1-stop Answers here: Spyware, Secret Installs, Popups & related

Discussion in 'Tech Talk' started by MB-G26, Oct 12, 2003.


  1. MB-G26

    MB-G26 Bk2MiscResource
    Lifetime Member

    One-stop info reply for all the typical and most frequently posted problems :)

    If you use IE for your browser:
    1. IE -> Tools -> Internet Options -> Advanced tab.

    A. UNtick the boxes for "Enable Install On Demand"
    B. DISable ActiveX(ploit) for ALL "zones", or if you MUST allow it for certain sites, put those sites in the "Trusted" zone and set all ActiveX entries to "Prompt".
    C. DISable all Java & JavaScript entries for ALL zones except "Trusted", or at least set them to "Prompt" for zones other than the "Internet" zone.
    D. DISable "all installation of desktop items" for ALL zones

    2. Go to http://www.lurkhere.com/ and read the paragraphs about the "Hijack This!"**** program. Then go to the "Nice Files" page there and download and install the program. This will keep your homepage in IE from being hijacked.

    An alternative that performs same/similar function is StartPage Guard (http://www.pjwalczak.com/spguard/index.php)

    A similar and effective program is SpywareGuard:
    http://www.wilderssecurity.net/spywareguard.html Also free, although donations are appreciated.

    http://www.wilderssecurity.net/bhblaster.html
    3. While on the "Nice Files" page at LH, download and install Spybot Search & Destroy. Run it every few days to detect and discombobulate any spyware/crapware that you may have picked up and not realized it.

    4. Go to http://www.javacoolsoftware.com/spywareblaster.html and download and install SpywareBlaster. "SpywareBlaster doesn't scan and clean for spyware - it prevents it from ever being installed." The program is free, and you can help support it (dev'ing and hosting it does cost money) with a donation, if you choose.

    5. Go to www.wilders.org and then to their "free tools" subsection, which is at http://www.wilders.org/free_tools.htm
    Download and install these:
    A. HTAstop (in the prevention section, about 1/2 down the page)
    B. WSH Anti-Polymorphism Patch
    C. DSOStop v2
    D. Windows Media Player Scripting Fix v1.0

    And from the "monitoring" section there, get and install:
    E. ScriptSentry or AnalogX Script Defender (depending upon whether you have MS VBS installed)
    F. DHCP Fix
    G. StartUp Monitor

    and from the "misc" section there, download and install:
    H. BHO Captor or BHOCop

    "Messenger" Problems; Popup Problems & Programs

    For "Messenger" popup problems, go here:
    http://forums.spywareinfo.com/index.php?showtopic=1920 as this section of the forum gives information about programs that will tame the darn thing, as well as gives specific instructions to manually tame it with a step-by-step procedure for each OS.

    Review and comparison of current, popular Popup killer programs is located at http://www.popup-killer-review.com/test.htm and is a pretty comprehensive site regarding the 'science' of popups, how they function and how killer programs are defeated, and of popup killers themselves.

    Oh, the *sigh* at the beginning isn't directed at you - it's directed at the scumburgers that create and foist this crap over and over again onto unsuspecting computer users.
    m

    PS. IE-SPYADS HAS A NEW URL. See updating post in this thread dated 8/7/04. There is an easy way to keep probably 90% of the crap sites from even being able to touch your machine to begin with: install "IE-SPYAD" - what it does is put a huge list of bad and universally-undesirable sites into the "Restricted" zone of IE. Go here: http://www.staff.uiuc.edu/~ehowes/resource.htm to read what it is and how it works. This is a good alternative to learning to use the HOSTS file to do the same thing, and some Windows OSs (Xp and 2000, I think) reportedly slow to a crawl if the HOSTS file is large.

    Hazeleger.net is severely curtailing what, if any, forums will remain available after 2/14-2/15/04. This post has therefore been edited to remove the reference to the various sections/forums. http://www.hazeleger.net/yabbframe.htm


    (originally posted here: http://www.glocktalk.com/showthread.php?s=&threadid=190268&perpage=10&pagenumber=2)

    ***UPDATE: mando updates to HiJackTHIS! & CWShredder, due to new (as of 11/16/03) variant of the CWS Trojan.
    See the Spywareinfo URL above for download links to the updated versions.

    Spywareinfo.com is having hosting problems at the moment. Here's an alternative DL location:

    CWSHREDDER LINK http://www.majorgeeks.com/download4086.html
    CWShredder 1.59.1
    Author: Merijn.org
    Date: 2004-06-28
    Size: 137 Kb
    License: Freeware
    Requires: Win All

    Added 3/13/04- A growing spyware problem, incredibly, is self-proclaimed "anti-spyware" applications that actually CONTAIN spyware and often this is NOT appropriately disclosed. While not a previously-unknown problem, it IS becoming a rather prolific one. For examples, this article is worth reviewing:
    http://news.com.com/2100-1032_3-5153485.html?tag=st_rn
    See also http://www.netrn.net/spywareblog/
    "Spyware Warrior
    Waging the war against spyware"
    There are several areas which list phoney "anti-spyware" apps which are actually spyware themselves.
     



  3. ArestiaFL

    ArestiaFL Makin' waffles

    Another very effective spyware tool is Ad-Aware, downloadable from www.lavasoftusa.com. I also HIGHLY recommend you install a virus scanner. In the event you don't want to pay outlandish prices for programs that slow your computer to a crawl, go download AVG Anti-Virus for FREE (www.grisoft.com). AVG is implemented on my corporate network and has kept out Gaobot, Melissa, Swen and The BLASTER virus. I highly recommend them, they're good people, and the program sits quietly on your system eating up a mere 2 MB of virtual memory (compared to Norton at 36 and McAfee at 21).

    Finally, if you have a high speed connection and aren't behind a router or a firewall, PLEASE download the latest Microsoft patches from http://windowsupdate.microsoft.com! You also may want to invest in a router or firewall software. It will save you many many headaches! Good luck!
     

  4. Texas T

    Texas T TX expatriate
    CLM

    Geez... only six people have voted. At least I got the correct answer. :)


    T
     
  5. NetNinja

    NetNinja Always Faithful

    Nice Post MB-G26.

    As always a wealth of Knowledge.
     
  6. MB-G26

    MB-G26 Bk2MiscResource
    Lifetime Member

    So definitely add your 'one-stop' fix/prevention tricks and such.
    m
     
  7. DWavs

    DWavs Moderator
    Moderator

    Stickied.

    David
     
  8. David_G17

    David_G17 /\/\/\/\/\/\/\/

    if none of the above work.

    run linux
     
  9. HerrGlock

    HerrGlock Scouts Out
    CLM

    As I've often said:

    Step One: Remove all Microsoft products from your computer...

    THEN we can talk about locking it down.

    DanH
     
  10. I agree with David. SuSe 9 is looking good.

    I downloaded and installed all the things in the original post and now I have no room left on my harddrive to do any work.
     
  11. In addition to MB-G26's suggestions, you may want to consider (strongly consider!) using something other than Internet Explorer for browsing, and Outlook (or Outlook express) for email.

    You might want to consider Mozilla ( http://mozilla.org/ ) or Opera ( http://www.opera.com/ ) .
     
  12. Anti-virus software is a must. I have used and really liked f-prot on Linux. They also have versions for nearly every operating system. Windows, Linux, FreeBSD, Unix... etc.

    It is very reasonably priced and at least with the Linux version there were new definitions available every 12 to 24 hours.

    They can be found at www.f-prot.com
     
  13. Shoeless

    Shoeless Gun Totin' Girl

    Mel, you are unbelievable. Almost every post you write seems like it has hours of tedious research behind it. Girl, you are one valuable resource!

    xoxo
    Shoeless
     
  14. streeter69

    streeter69 This is Kewl

    One BIG DITTO
     
  15. Blast

    Blast 'nuff said

    Your posts are highly appreciated, MB-G26. You have provided me with tools that saved my rickety old computer.
    Keep up the good work.
     
  16. MB-G26

    MB-G26 Bk2MiscResource
    Lifetime Member

    The recent attempted hack of GT's servers got me thinking, as did several inquiry threads. So.... here's an expanded and rearranged update - takes more than 1 post:

    SUGGESTIONS:
    The following is focused on users of Windows 9.x and up, and of Internet Explorer. IE 6.x users - achieve the same things but you will have to look for where 6.x puts these options w/in IE Internet Tools.

    1. DISable virtually everything in ALL "Zones" in IE -> Tools -> Internet Options -> Security except for the "Trusted Zones", including specifically:
    A. All ActiveX entries (1st 5 entries in IE5.5)
    B. Cookies (both entries)
    C. File and Font download (one entry each)
    D. MS VM - Java Permissions (DISable java)
    E. Misc: (Access Data Source.... etc., (9 entries, including Installation of Desktop Items...)
    (set to HIGH Software Channel Permissions)
    F. DISable all scripting entries (3 Java/JavaScript entries: Active, Paste & Scripting Java Applets)
    G. Set User Authentication to "Anonymous logon"

    H. A bit outdated, but for background info re the "Zones": http://www.nwnetworks.com/iezones.htm "Internet Explorer Security Zones, by Scott Schnoll"

    I. See "Accidental Trojan Horses - Security Problems in Windows 98 PCs" http://www.computerbytesman.com/acctroj/ regarding ActiveX issues.

    J. Advisable to change the default settings in "My Computer" zone - which can't be done straight manually since it isn't displayed like the other zones. See http://www.edensoft.com/ieak.html "Changing settings in the My Computer security zone"

    K. Put "*.glocktalk.com" (w/o quote marks) in your Trusted Zone so it will work properly. Ditto for any other sites you need the otherwise disabled functionalities for.

    L. ENSURE each & every single option is DISabled or set to "HIGH" (if that is the most disabling option offered) in the Restricted Zone.

    2. DISable/UNtick the following in IE -> Tools -> Internet Options -> Advanced tab.
    A. UNtick the boxes for "Enable Install On Demand"

    3. Protection from browser hijackers and others, including silent-download invaders:
    A. SpywareGuard: http://www.wilderssecurity.net/spywareguard.html Also free, although donations are appreciated.

    B. Browser Hijack Blaster: http://www.wilderssecurity.net/bhblaster.html

    C. Go to http://www.lurkhere.com/ & look at info re: "Hijack This!" program. Download is mirrored @"Nice Files" page there. Installation will keep your homepage in IE from being hijacked. It "includes a copy of StartupList, that can be run from the HijackThis interface. Updated August 15th, 2004"

    4. Protect against Start Page hijacks: StartPage Guard (http://www.pjwalczak.com/spguard/index.php)

    5. Protect against infections of spyware: locate, download & install & keep updated the following:
    A. Spybot Search & Destroy: also at lurkhere.com and a variety of other mirror sites. Home page: http://www.safer-networking.org/ Official support forums: http://forums.net-integration.net/index.php?c=7

    B. SpywareBlaster: http://www.javacoolsoftware.com/spywareblaster.html
    From http://www.wilders.org/free_tools.htm

    C. HTAstop (in the prevention section, about 1/2 down the page) also on http://www.simtel.net/pub/pd/53731.shtml

    D. Robin Keir Script Trap http://keir.net/software.html

    E. WSH Anti-Polymorphism Patch (Wilders)
    F. DSOStop v2 (Wilders)
    G. Windows Media Player Scripting Fix v1.0 (Wilders)

    From the "monitoring" section there at Wilders, get and install:
    H. ScriptSentry or AnalogX Script Defender (depending upon whether you have MS VBS installed)
    I. DHCP Fix
    J. StartUp Monitor

    from the "misc" section @ Wilders, download and install:
    K. BHO Captor or BHOCop

    L. Obtain/install Ad-Aware, and use it as a backup to Spybot Search & Destroy. Start w/their main page http://www.lavasoft.de/ (AA products require frequent updates, have pay & free versions, & are often the subject of problem complaints immediately after updates/upgrades are issued.)

    M. Consider installing EBURGER Windows Security Utility, "a menu-driven batch file utility that allows you to disable, re-enable, or otherwise configure the following aspects of Windows", and his "Windows Script (Host) Uninstaller".
    This is the same Eric Howes that writes IE-SPYAD (see below- URLs have changed as of 6/04)
    N. Consider UNinstalling Windows's "VBS Script" from Add/Remove Programs/Windows Components.

    O. Consider changing the "association" of "dangerous file types" to something harmless, like Notepad. (WSH, HTA, SHS-scrap files, MSHTA, etc.) See http://www.nsclean.com/psc-exe2.html (Privacy Software Corporation Security Advisory, Friday, April 13, 2001, "EXE2HTML HTA Exploit Generator" - authored by the coders of commercial AT programs BOClean, IECLean, and the freeware HTASTOP.) See also: "Scrap Files Can Tear You Up", http://www.pc-help.org/security/scrap.htm

    6. Ensure your "bindings" are properly configured. http://grc.com/su-bondage.htm
    (to rearrange your bindings, follow Gibson's step-by-step)

    7. DISable Windows Messenger (not the same as the other Messenger)
    A. Read and follow: (link out of date - currently culling new ones)

    8. Obtain/install a pop-up blocker:
    A. Review & comparison of current, popular Popup killer programs is located at http://www.popup-killer-review.com/test.htm

    9. Prevent 'bad' websites from effectuating things on your computer:
    A. Put a huge list of bad and universally-undesirable sites into the "Restricted" zone of IE. See Eric Howes' pages which provide IE-SPYAD, a self-installing add-in to the IE Restricted Zone which adds a choice of undesirable websites to that zone.
    10. Obtain and install CW Shredder (CoolWebSearch trojan killer program) http://www.spywareinfo.com/~merijn/cwschronicles.html

    11. Ensure no phoney, 'pretending' "anti-spyware" programs are installed. See details here: http://www.netrn.net/spywareblog/

    12. Ensure machine is running a good, updated ANTI-VIRUS PROGRAM "resident". Obtain an additional AV, such as the freeware AVG6, www.grisoft.com, and while keeping the 2nd one updated DO NOT RUN IT RESIDENT - RUN IT WEEKLY ON MANUAL LOAD DEMAND.
    12(A) Good, reliable, and frequently updated free Anti-Trojan programs are almost impossible to find anymore, but SERIOUSLY CONSIDER spending the $40 for a good AT program. An AV program is NOT any guarantee in the least against a trojan - too much difference between the beasts. I recommend BOClean AT - about $40, & have used it for several years. Tho not affiliated in any way with PSC company or its coders, this is the only AT I have ever recommended. http://www.nsclean.com/boclean.html
    12(B) If you won't run an AT, next best idea is implementing various fixes and work-arounds to combat trojan infections. Example: http://www.hackfix.org/subseven/ SubSeven Trojan info & fix page. Wilders.org also has a TON of 'trojan' and exploit fix tools indexed - free & downloadable, altho dated.

    12(C). Anti-Virus programs (not a complete list):

    (i) AVG (Anti-Virus Grisoft) www.grisoft.com
    (ii) Trend Micro (including Online virus scan)
    http://housecall.trendmicro.com/

    13. Ensure the appropriate patches installed from http://windowsupdate.microsoft.com ; http://www.microsoft.com/windows98/downloads/corporate.asp ; https://v4.windowsupdate.microsoft.com/en/default.asp . There are alternative source sites for MS's patches if for some reason you have trouble w/the MS update pages. (You will have to RE-ENABLE all the ActiveX, Java, Script, Cookies, Download, etc., settings for whatever zone the MS page you use is in.)
    A. http://members.tripod.com/erpman1/
    B. http://www.mdgx.com/web.htm
    C. http://www.softwarepatch.com/
    D. http://www.rwclements.com/upgrades/mswin98.html (back up the URL or use links on page for updates for non win98 updates)
    E. http://www.techspot.com/tweaks/updates/

    14. Ensure the FIREWALL is updated, if applicable, properly configured, and learn to utilize "Advanced" or "Special" Rules.
    A. Consider using a different FW if you believe the one you have is being successfully penetrated.
    (A)(1) Sygate Personal Firewall STD and PRO Versions. See the Sygate site for most updated version info. You may be able to download from here http://smb.sygate.com/buy/download_buy.htm
    If you use Zone Alarm do some research into ZA's various downsides - including false alerts and issues regarding alert sensitivity settings. If you have ZA and choose to go w/a different FW, thoroughly research the UNinstall steps before UNinstalling ZA.

    (B). If concerned with FW "alerts" and log entries, learn to understand WHAT your FW logs are actually indicating.
    (1) http://www.robertgraham.com/pubs/firewall-seen.html
    "Firewall Forensics, What Am I Seeing?"

    (2) http://www.interhack.net/pubs/fwfaq/
    "Internet Firewalls: Frequently Asked Questions"

    (3) Sygate products - FireWall, forums: http://forums.sygate.com/vb/

    (4) Intrusion Detection Services http://www.ssimail.com/Sesintrude.htm

    (5) Doshelp.com (firewall) Intrusion & Attack Reporting Center (helpful tips, explanations, FW help, Trojan Ports list, AV Tools, Security Patches, Security News, etc.) http://www.doshelp.com/sectips.htm

    (6) Dshield.org FAQ http://www.dshield.org/primer.php
    (7) http://unixgeeks.org/security/newbie//security/firewall.html "Firewall Basics"
    (8) Firewall Exploits: http://www.iss.net/security_center/advice/Exploits/default.htm
    (9) Beyond-Security's SecuriTeam.com http://www.securiteam.com/

    (10) Intrusion Detection Tools: http://www.foundstone.com/resources/intrusion_detection.htm

    go to part 2
    m
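    An added example for items 1, 2 and 9 above (my script, not code from the post or from any of the tools it names): it writes the same per-user registry values that IE's Security tab edits, so the "disable everything except in Trusted" policy can be applied in one go and then audited against what the registry actually holds. Assumptions to verify on your own IE build: zone subkeys 1 = Local intranet, 2 = Trusted sites, 3 = Internet, 4 = Restricted sites; action data 0 = Enable, 1 = Prompt, 3 = Disable; the urlaction value names in $Actions; and NoJITSetup/NoWebJITSetup as the two "Enable Install On Demand" switches. The Restricted-zone domain names are placeholders; glocktalk.com is the one site the post itself puts in Trusted.

```powershell
# Added example: apply and audit the IE zone lockdown described in the thread.
# Runs as the user (HKCU); the Security tab reads these same values back.
#Requires -Version 3.0
Set-StrictMode -Version Latest

$ZonesKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$DomainKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$MainKey   = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$Enable = 0; $Prompt = 1; $Disable = 3

# Security-tab entries named in the post, keyed by urlaction value name (assumed names; verify).
$Actions = [ordered]@{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1200' = 'Run ActiveX controls and plug-ins'
    '1201' = 'Initialize and script ActiveX controls not marked as safe'
    '1405' = 'Script ActiveX controls marked safe for scripting'
    '1400' = 'Active scripting'
    '1402' = 'Scripting of Java applets'
    '1407' = 'Allow paste operations via script'
    '1604' = 'Font download'
    '1800' = 'Installation of desktop items'
    '1803' = 'File download'
    '1804' = 'Launching programs and files in an IFRAME'
    '1A00' = 'User Authentication: Logon'
}
$ActiveX = '1001', '1004', '1200', '1201', '1405'

# Policy: zones 1, 3 and 4 get Disable plus anonymous logon; Trusted (2) gets
# Prompt for the ActiveX entries and Enable for the rest, as the post suggests.
$Policy = @{}
foreach ($zone in 1, 3, 4) {
    $Policy[$zone] = @{}
    foreach ($a in $Actions.Keys) { $Policy[$zone][$a] = $Disable }
    $Policy[$zone]['1A00'] = 0x30000          # Anonymous logon
}
$Policy[2] = @{}
foreach ($a in $Actions.Keys) {
    if ($a -eq '1A00')       { $Policy[2][$a] = 0x10000 }   # Prompt for user name and password
    elseif ($a -in $ActiveX) { $Policy[2][$a] = $Prompt }
    else                     { $Policy[2][$a] = $Enable }
}

function Set-RegDword {
    param([string]$Key, [string]$Name, [int]$Value)
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    Set-ItemProperty -Path $Key -Name $Name -Value $Value -Type DWord
}

function Add-ZoneDomain {
    # ZoneMap\Domains\<domain> with a '*' value covers every scheme and every host under the domain.
    param([string]$Domain, [int]$Zone)
    Set-RegDword -Key (Join-Path $DomainKey $Domain) -Name '*' -Value $Zone
}

function Get-ZoneDeviations {
    # Re-read the registry and list every action whose stored value differs from policy.
    # A missing value means IE is using its built-in default, which is not necessarily
    # Disable, so it is reported as well (Actual = empty).
    param([hashtable]$Policy)
    foreach ($zone in ($Policy.Keys | Sort-Object)) {
        $props = Get-ItemProperty -Path (Join-Path $ZonesKey $zone) -ErrorAction SilentlyContinue
        foreach ($action in $Policy[$zone].Keys) {
            $actual = if ($props -and $props.PSObject.Properties[$action]) { $props.$action } else { $null }
            if ($actual -ne $Policy[$zone][$action]) {
                [pscustomobject]@{ Zone = $zone; Action = $action; Setting = $Actions[$action]
                                   Expected = $Policy[$zone][$action]; Actual = $actual }
            }
        }
    }
}

# Apply the Security tab policy, then the two "Enable Install On Demand" boxes on the Advanced tab.
foreach ($zone in $Policy.Keys) {
    foreach ($action in $Policy[$zone].Keys) {
        Set-RegDword -Key (Join-Path $ZonesKey $zone) -Name $action -Value $Policy[$zone][$action]
    }
}
Set-RegDword -Key $MainKey -Name 'NoJITSetup'    -Value 1   # Enable Install On Demand (Internet Explorer)
Set-RegDword -Key $MainKey -Name 'NoWebJITSetup' -Value 1   # Enable Install On Demand (Other)

# Zone assignments: sites that need ActiveX/scripting go to Trusted (2);
# an IE-SPYAD-style block list goes to Restricted (4). Placeholder domains below.
foreach ($d in 'glocktalk.com')                   { Add-ZoneDomain -Domain $d -Zone 2 }
foreach ($d in 'adserver.example', 'spy.example') { Add-ZoneDomain -Domain $d -Zone 4 }

# Audit: an empty table means the registry now matches the policy.
Get-ZoneDeviations -Policy $Policy | Format-Table -AutoSize
```

    The audit step is the part worth keeping around: the Security tab only shows one zone at a time, and a tool or installer that quietly re-enables an action in the Internet zone shows up here as a one-line deviation. Restart IE after running it, since open windows cache the zone settings.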
     
  17. MB-G26

    MB-G26 Bk2MiscResource
    Lifetime Member

    15. Utilize a reporting organization for serious intrusion attempts.
    (A) http://www.dshield.org/
    This is an excellent site to become familiar with. It is part of the Internet Storm Center/SANS ("SysAdmin, Audit, Network, Security" Institute, established 1989) and has an IP number registration lookup interface - useful for IP numbers reflected in the FW log as attempted intrusions, as well as a recent port usage/exploit lookup. (http://www.dshield.org/reports.php) Both the ISC and SANS sites are WELL worth perusing. For example, see not only the graphic on the main Dshield page which depicts current threat traffic, but also the "Trends" page on Sans: http://isc.sans.org/trends.php.

    If implementation of 'special' Rules is desired, consider utilizing Dshield's recommended "block list" of offending IP blocks: http://www.dshield.org/block_list_info.php
    http://www.dshield.org/fightback.php
    (A)(1) Download and install CVT, a freeware reporting client which processes and sends appropriate log entries to Dshield.
    http://www.dshield.org/howto.php
    (A)(2) http://www.mynetwatchman.com/
    B. See "Tool leaky - Why Your Firewall Sucks" http://tooleaky.zensoft.com/

    16. There are a variety of sites which offer free infection scanning. A word search in TechTalk will result in several threads listing these.
    A. http://www.pcflank.com/scanner1.htm; http://www.pcflank.com/test.htm
    B. Security Space Security Audits http://www.securityspace.com/smysecure/index.html
    C. GRC's "Shield's Up!" Security Analysis https://grc.com/x/ne.dll?bh0bkyd2

    D. Security Analysis Service http://www.vulnerabilities.org/

    E. Firewall Test, Port Scan.... http://www.auditmypc.com/
    F. http://www.cert.org/
    Vulnerabilities, Incidents & Fixes

    G. Port Scan Security Check http://www.sdesign.com/securitytest/index.html

    H. Sygate Security Probe page http://scan.sygate.com/probe.html

    REMEMBER TO DISABLE ANY FIREWALL REPORTING SERVICE/PROGRAM YOU HAVE IMPLEMENTED BEFORE DOING AN INTENTIONAL SECURITY AUDIT - YOU DO *NOT* WANT TO REPORT A FRIENDLY IP AS AN INTRUDER.

    17. Various utilities would be helpful to have on board, including process viewers (which will show you EVERYTHING that is running - far beyond what the TaskManager - Cntrl-Alt-Del - box shows.) There is at least one freely available at Wilders.org

    A. This is another free one - PrcView. http://www.xmlsp.com/pview/prcview.htm There are many payware programs, also.
    18. Get to know Regedit and your Registry and the Windows Regedit program. Always, ALWAYS keep full, current, manual backups of your full registry stored on removable media.
    (A) A Registry info site: http://www.winguides.com/registry/

    19. Learning to put the HOSTS file to good use is also helpful, but this is limited to certain MS OS's as a nice, fat HOSTS file does NOT play well with some OS's above 9.x
    A. http://www.accs-net.com/hosts/
    Gorilla Design Studio Presents: Using the Hosts File
    (This site is very comprehensive and also links to basically the best HOSTS file sites I know of, so I didn't post them all individually.)

    m
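    An added example for item 14(B) in the previous post and item 15 above (my script, not code from the post, from Sygate or from DShield): it reads firewall DROP entries, groups them per source address, checks each source against a block list and against the addresses you deliberately asked to probe you, and gives a verdict before anything gets reported. Assumptions: the W3C-style text format Windows Firewall writes to pfirewall.log (field order taken from the #Fields header); a plain CIDR list standing in for DShield's recommended block list; every address and log line below is constructed for the example, using documentation ranges rather than real attackers.

```powershell
# Added example: triage firewall DROP entries before reporting them.
#Requires -Version 3.0
Set-StrictMode -Version Latest

# Constructed sample in pfirewall.log layout. The four-port burst from the first
# host is a classic Windows-share probe; the UDP packet to 1026 is the
# Messenger-service pop-up spam pattern this thread's "Messenger" section covers.
$SampleLog = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2004-08-15 22:01:03 DROP TCP 203.0.113.7 192.168.1.10 4412 135 48 S 1234567 0 65535 - - - RECEIVE
2004-08-15 22:01:03 DROP TCP 203.0.113.7 192.168.1.10 4413 139 48 S 1234568 0 65535 - - - RECEIVE
2004-08-15 22:01:04 DROP TCP 203.0.113.7 192.168.1.10 4414 445 48 S 1234569 0 65535 - - - RECEIVE
2004-08-15 22:01:04 DROP TCP 203.0.113.7 192.168.1.10 4415 1025 48 S 1234570 0 65535 - - - RECEIVE
2004-08-15 22:02:11 DROP UDP 198.51.100.23 192.168.1.10 1026 1026 400 - - - - - - - RECEIVE
2004-08-15 22:03:40 DROP TCP 192.0.2.200 192.168.1.10 40001 21 48 S 1234571 0 65535 - - - RECEIVE
2004-08-15 22:03:41 DROP TCP 192.0.2.200 192.168.1.10 40002 22 48 S 1234572 0 65535 - - - RECEIVE
2004-08-15 22:03:41 DROP TCP 192.0.2.200 192.168.1.10 40003 23 48 S 1234573 0 65535 - - - RECEIVE
2004-08-15 22:03:42 DROP TCP 192.0.2.200 192.168.1.10 40004 80 48 S 1234574 0 65535 - - - RECEIVE
2004-08-15 22:05:00 OPEN TCP 192.168.1.10 198.51.100.9 3344 80 - - - - - - - - -
'@

# Constructed stand-ins: a DShield-style block list, and the audit service you
# asked to scan you (the post's warning: never report a friendly IP).
$BlockList = @('203.0.113.0/24', '198.51.100.0/24')
$Friendly  = @('192.0.2.200')

function Test-InCidr {
    # True when $Ip lies inside $Cidr ("a.b.c.d/bits"), compared octet by octet.
    param([string]$Ip, [string]$Cidr)
    $net, $prefix = $Cidr -split '/'
    $ipBytes  = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    $netBytes = [System.Net.IPAddress]::Parse($net).GetAddressBytes()
    for ($i = 0; $i -lt 4; $i++) {
        $take = [Math]::Max(0, [Math]::Min(8, [int]$prefix - 8 * $i))   # prefix bits in this octet
        if ($take -eq 0) { break }
        $mask = (0xFF -shl (8 - $take)) -band 0xFF
        if (($ipBytes[$i] -band $mask) -ne ($netBytes[$i] -band $mask)) { return $false }
    }
    return $true
}

function ConvertFrom-FirewallLog {
    # Turn W3C-style log lines into objects named by the #Fields header; comments are skipped.
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') { $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'; continue }
        if (-not $fields -or -not $line.Trim() -or $line.StartsWith('#')) { continue }
        $values = $line.Trim() -split '\s+'
        $row = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) {
            $row[$fields[$i]] = if ($i -lt $values.Count) { $values[$i] } else { $null }
        }
        [pscustomobject]$row
    }
}

function Get-DropTriage {
    # One row per source that had inbound packets dropped, with a verdict: friendly
    # (your own audit scanner), listed (already in a blocked range), scan (hit at
    # least $ScanThreshold distinct ports), or noise.
    param([string[]]$Lines, [string[]]$BlockList, [string[]]$Friendly, [int]$ScanThreshold = 3)
    $drops = ConvertFrom-FirewallLog $Lines | Where-Object { $_.action -eq 'DROP' -and $_.path -eq 'RECEIVE' }
    foreach ($group in ($drops | Group-Object -Property 'src-ip')) {
        $src    = $group.Name
        $ports  = @($group.Group | Select-Object -ExpandProperty 'dst-port' -Unique)
        $listed = @($BlockList | Where-Object { Test-InCidr -Ip $src -Cidr $_ })
        if     ($Friendly -contains $src)        { $verdict = 'friendly: do not report' }
        elseif ($listed.Count -gt 0)             { $verdict = 'listed: known bad range' }
        elseif ($ports.Count -ge $ScanThreshold) { $verdict = 'scan: candidate for a report' }
        else                                     { $verdict = 'noise' }
        [pscustomobject]@{ Source = $src; Hits = $group.Count; Ports = ($ports -join ',')
                           MatchedRange = ($listed -join ','); Verdict = $verdict }
    }
}

# For a live log, replace the sample with:
#   Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"
Get-DropTriage -Lines ($SampleLog -split "`r?`n") -BlockList $BlockList -Friendly $Friendly |
    Format-Table -AutoSize
```

    The friendly list is the piece that implements the warning in capitals under item 16: put the scanner addresses of whatever audit site you use in there before you run a test, and the script will never classify that burst of probes as something to send to DShield. Sources that are already inside a blocked range are flagged separately, since reporting them again adds nothing and a block rule is the better response.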
     
  18. rhikdavis

    rhikdavis U.S. Veteran

    How much to fly you out to my place and just set my computer up.
     
  19. MB-G26

    MB-G26 Bk2MiscResource
    Lifetime Member

    hehehe..... in fact, I'm temporarily at my sister's in Kali, where all things computer sometimes kinda sort work and Winblows is a rare commodity, lol!
    m
     
  20. MB-G26

    MB-G26 Bk2MiscResource
    Lifetime Member

    Just came across this and thought I'd add it to the 'helpful info' list:
    http://www.lurkhere.com/forum600.html
    Conferences Windows 98 Family ( http://www.lurkhere.com/cgi-bin/forums/dcboard.cgi?az=list&forum=DCForumID14&archive= )
    Topic #983
    "Uninstalling AOL" Jul-28-04, 09:09 AM (EDT)

    m
     
  21. MB-G26

    MB-G26 Bk2MiscResource
    Lifetime Member

    Jun-21-04, 05:09 AM (EDT)
    Note from the much admired Mr.Eric L Howes:
     
