That was an excellent article and has helped me sort my problems out. There are still a couple of trojans lurking which I cannot remove. Any suggestions much appreciated.
Neil
Unbelievably helpful thread. I printed it and have it in a folder on my desk!
One question left hanging: I have my new computer hooked up to a router with a built-in firewall; I installed the free on-line Adaware and SpybotS&D; I have Norton Systemworks as my anti-viral protection. Do you still recommend Zone Alarm?
In one word, yes, and I could go on in detail to explain why, but seeing that someone else has already done an excellent job, I thought I would copy and paste Juditte's excellent earlier response to an almost identical question. Here it is.
Best case scenario:
1. Buy router with firewall (hardware - actually NAT - the router shows its face to the world and assigns your PC's internal addresses). Plug DSL/cable modem into incoming port. Plug any and all Computer network cards into the router's ports with Cat 5 cable. Now your computer(s) are hidden behind the router and less vulnerable to random attacks by anything.
2. Keep your Norton Systemworks which should fulfill the Anti-virus and trojan blocker functions and be on all the time. May also deal with some spyware. It is NOT a software firewall. Its other functions are utilities for other computer cleanups, go-back etc. Make sure you keep the virus checker constantly updated.
3. Keep Adaware and run it frequently. Always check for updates before using it and it should root out most ad and spyware that slips thru. If you go anywhere on the net - you will get some hitchhikers. They aren't necessarily evil but they act like a bunch of teenagers on your phone lines. They hog resources and phone their friends continually.
4. Now Best case - also add a Software Firewall to your system. Norton makes one and some like it but I don't particularly. Zone Labs makes a very reliable basic and free one which you can download. It usually plays well with Norton AV.
5. Now you can feel pretty safe. You will still have to use best practices:
Don't open anything you are sent by email without first scanning it with the Norton AV.
Don't respond to emails by unknown persons asking you for personal information even if it looks very legitimate unless you requested it.
Just use your delete key frequently and delete any junk mail you get. It really is pretty fast and easy. Also use one of the free webmails for the address you use when shopping, on forums etc. They have fairly good sorters and the junk goes to their servers not to your pc.
Do clean up your computer frequently. Your Norton Systemworks is good for that.
Go forth and enjoy. There are other things you could also use - many are free or inexpensive shareware but the above should keep you pretty secure.
Posted by: juditte Posted on: 04/03/2005 8:06 PM
The CW Shredder is the only program that fully detects and removes the Cool Web Search keylogger/adware. This is the worst one on the net. Around 30% to 50% of internet active pcs have or had this on their pcs and only CW Shredder fully finds it and removes it. And it is free.
http://www.intermute.com/spysubtract/cwshredder_download.html
Remember all you need is the free middle download.
Just read an article I thought all of you would be interested in. I hope this isn't repetitive. Seems there are software vendors who have a unique marketing tool. They send you malicious spyware and then the advertisement to buy their software to get rid of it.
Per the article, the Feds are going after these predators and hitting hard. So, if anyone has experienced this problem - call/write/email the FCC.
i am pretty sure i have malware in my pc. i get weird spam every single time i open my mailbox. i tried cleaning it out using NAV 2005 and spy sweeper. no dice. now the problem is getting worse because i can't send email from MS outlook anymore. i'm running on windows xp, but i disabled the sp2 firewall because we have a hardware firewall here at home. plus the norton security suite has a firewall, too, so i thought i was safe. I THOUGHT. argh!!! help, please!!!
oh, also, i disabled the preview pane in outlook just now. found out through one forum discussion that spammers can work through previewed mail. argh.
i'm too frustrated to read through all the comments, so if anyone has a quick fix, please let me know! how do i get rid of malware that my computer does not detect???
And tell more about the weird spam (normally comes from outside the computer) and why you can't send email anymore (what happens if you do; does Outlook Express still work?).
Kees
the weird spam stopped coming in after i disabled the preview pane in outlook. it definitely came from outside the computer. started about three months ago, 'til it got really irritating now a week back. anyway, i still can't send email. outlook displays this error message:
the message could not be sent because one of the recipients was rejected by the server. server response: 550 5.1.7 unable to relay for someone@domain.com (account:'account name', smtp server: smtp.server.com, error number: 0x800ccc79).
which totally does not make sense to me. it doesn't matter to whom i send email. the same error message shows up. i can still receive messages, but all my outgoing mail gets blocked.
will repost question at computer help, thanks
look for Miguel's winning answer and print it out and follow his instructions. Keep the print out - you never know when you'll need it. First take care of your firewall situation.
You can only have one firewall - you had 3 and turned off Microsoft's (presumably from service pack 2). You may not have turned it off completely. Go into your C drive and open it up. It's either under window security or service pack 2. There, a dialog box with a couple of tabs will appear. Be sure to uncheck firewall everywhere it's checked on the first two tabs. That's the only way to completely shut it off.
Then go and shut off one of the other firewalls you have. You want a firewall that has incoming and outgoing protection (Windows service pack 2 doesn't have both).
My understanding is this regarding firewalls: When you have more than one they compete with each other and it's like having nothing.
Good luck with this. I have just recovered from a similar mess. You too will survive.
Barbara
Answer:
Hi Tom,
Spyware is an ever-increasing problem nowadays for all computer users, and it is good to see that you are trying to combat these nasty little beasts. However, although Spybot, (full name: Spybot Search and Destroy), is a very good utility to combat spyware, Spy Doctor may not be. In fact, a reputable Web site called Spyware Warrior suggests that Spy Doctor is not to be trusted. I should add that Spy Doctor is not to be confused with another antispyware utility called Spyware Doctor, which as far as I know is a trusted antispyware utility.
This confusion with names is an important point. You notice that I gave Spybot its full name of Spybot - Search and Destroy. There are too many supposed clones of good programs around, and so I try to stay with full names wherever possible.
For your information, the article on Spy Doctor can be found at this link;
http://netrn.net/spywareblog/archives/2004/08/01/spy-doctor-and-spyware-doctor/
Spyware is not the only problem we computer users face, and it seems from your question that your daughter's computer is also infected with another form of nasties, called adware. As you have described, adware can infect the computer with pop-up advertisements, even though your daughter is not using her internet browser to surf the internet. You state that you already use Ad-Aware, but perhaps with the other steps I suggest, we can get Ad-Aware to remove all of these for you.
There is plenty you and your daughter can do to stop these advertising pop-ups, and whilst we are at it, there is also more you both can do to protect her computer against other threats. Besides spyware and adware, we are also under attack from viruses and hackers.
You haven't said in your question what other protective software you use, so I am going to assume you do not use any others. In that case, my list of utilities you need are;
1] A Firewall: If you have nothing else, you need a firewall. This is a program that effectively sits between the computer and the internet connection, and scans every piece of data that comes in or tries to go out. It is a necessary block against hackers attempting to invade your daughter's computer, and, if she already has spyware on it, it will stop all attempts of the spyware to "phone home" without her permission. I suggest you go to http://www.zonelabs.com and download and install their free ZoneAlarm firewall.
2] Anti-virus: You need to immediately scan your daughter's computer for viruses. Try an online scan for malware at http://housecall.trendmicro.com and set it to "fix all problems", then run the scan.
Whilst online anti-virus scans are good, you cannot beat an anti-virus program residing on the computer in the background, checking every program that may be downloaded and/or installed. I suggest you download AVG7, a free program from http://www.grisoft.com.
Once it is installed, you need to run the program, and immediately select the option to search for updates. This is not just updates to the program itself, but more importantly it is updates to the ever increasing list of virus definitions.
Do not use AVG7 to scan the computer just yet, I will suggest later on that you scan the computer whilst it is in Safe Mode.
3] Anti-Adware: Whilst you already have Ad-Aware from Lavasoft.com, is it the latest version available? And have you updated its adware definitions lately? The latest version of Ad-Aware is Ad-Aware SE Personal, Build 1.05. You can easily check the version of your daughter's Ad-Aware by starting the program and checking the Status screen, bottom right hand corner. If her version is not this one, then I recommend you download and install Ad-Aware SE Personal from http://www.lavasoftusa.com .
As with AVG7, it is important, once the program has been installed, to open it and then check for updates immediately. I will suggest scanning in Safe Mode later.
4] Anti-Spyware: You already have Spybot - Search & Destroy, but are its spyware definitions up to date? You need to open Spybot S&D and check for updates, and make sure that you click the Immunise button for any new updates you receive. Again, I suggest you scan the computer with this program in Safe Mode.
Many people nowadays have more than one anti-spyware program, and although you do, I believe that you should uninstall Spy Doctor now and go for a different "second" anti-spyware program. The one I use is SpywareBlaster from http://www.javacoolsoftware.com/spywareblaster.html .
This program complements Spybot S&D and together they are very effective in combating spyware. As with the others, you need to install the program, and then open it to check for updates. As soon as they are received, you need to Immunise under the Protection tab. However, this program does not scan the computer, it protects against spyware in a different way.
I am also trying out Microsoft's new, (or newly acquired), AntiSpyware software in addition to all the above. It seems ok so far. If you are interested, (and you can never have too many anti-spyware programs), take a trip over to Microsoft's Anti-Spyware page at: http://www.microsoft.com/athome/security/spyware/software/howto/scanauto.mspx
Scanning Recommendations:
I recommend that, once all of the above programs are installed, you scan your daughter's computer in Safe Mode. The advantages of this are that Network Support is not enabled, meaning that any malware currently on the computer cannot phone home, and also many of these nasties do not get the chance to start in Safe Mode, making them easier to remove.
There are two ways to start the computer in Safe Mode. Either reboot the computer and tap the F8 key once a second until the Safe Mode options appear, or the easiest way is to use the System Configuration Utility. Close down all running programs, then go to Start > Run and type in "msconfig", (without the "" quotes). Click OK, and the System Configuration Utility window will appear. Click the "BOOT.INI" tab, and under Boot Options select "/SAFEBOOT" with the "Minimal" options selected. Click OK. You will then see a prompt to restart the computer, and when you click "Restart" the computer restarts, (reboots), into Safe Mode. Starting in Safe Mode may take a few minutes, so don't worry if there is a delay. Also, the desktop screen will return to its default state which may not be very pleasant to look at, or navigate, but when the computer is rebooted again, it will return to its normal state.
In Safe Mode, go to Start > All Programs and find the AVG folder for AVG7 and start AVG. Select a full scan. Any viruses it finds should, for the time being, be quarantined rather than deleted. You can always open up AVG7 at a later date to delete the viruses.
When that is done, go to Start > All Programs again and find the Spybot folder and start Spybot - Search & Destroy, and use the Check for Problems option to scan for spyware. Any red entries it displays after the scan can be removed. Spybot S&D places these in an area similar to AVG's quarantine area in case any need to be recovered later.
Next, find Lavasoft's Ad-Aware in All Programs, and carry out a full system scan. Again, any red entries displayed at the end should be selected and removed. Ad-Aware will quarantine these for later removal.
Once those three scans are done, I suggest that you scan the hard disk for errors, and then defragment the disk. Beware, these two procedures may take some time. To perform the scan disk for errors, (called Error Checking), double click on the "My Computer" icon on the desktop, and then right click the C drive. Select "Properties", then under the "Tools" tab, select the "check now" option for error checking. You will see further options, so make sure that "Automatically fix file system errors" and "Scan for and attempt recovery of bad sectors" are both selected. Then click start.
As I say, this may take some time, but is well worth it whilst you have removed all malware from the system and you are in Safe Mode.
When done, return to the Tools tab of the C drive's Properties, and select "Defragment now". A Disk Defragmenter window will open. Click the "Analyze" button. If you get a message saying that the disk does not need de-fragmenting, you can Close out of the procedure. Otherwise click the Defragment button.
Again, this could be a lengthy process. But it is very useful in tidying up the files on the computer so they are closer together and easier to access.
When all this is done, you need to reboot the computer. But before you do so, return to Start > Run and type in "msconfig", then click the BOOT.INI tab to remove the tick from the /SAFEBOOT option. When the computer re-starts, it will do so in full mode. If the desktop remains in the default mode, right click any empty part of the desktop and select Properties. In the Settings tab, use the slider under "Screen Resolution" to return the screen display to what it was before. If you are unsure what it was, move it to the right one notch at a time, then click Apply until the right resolution appears. Also, check the Color quality which should be Highest (32 bit) if the monitor supports that.
It is important to keep the Windows Operating System up to date, so my 5th suggestion in needs is;
5] Windows Update: Make sure your daughter's Windows Operating System, (OS), is up to date. To do this, go to Start, and click the “Windows Update” link. Beware, if you have not been to Windows Update before, there may be a lot of critical and other updates your OS needs to download.
6] Internet Browser: Sadly, nowadays, Microsoft's Internet Explorer is the main target for malware and is not considered the safest browser to be used. There are other good browsers around, and the favorite at present is Firefox. Also, Microsoft's Outlook Express email client is considered less secure than others, and Firefox has a companion email client called Thunderbird.
If you are interested in moving to these, they can be found at http://www.mozilla.org . I use Firefox myself, and find it a very good browser.
7] Windows Messenger Service: Not to be confused with MSN's Instant Messenger, the Windows Messenger service is a utility to communicate between computers that are networked. But this service has been hijacked by spammers and other malware. The service can be disabled. To do this, go to this site: http://grc.com/stm/shootthemessenger.htm and follow the instructions to download and install the "Shoot the Messenger" utility.
All of the anti-malware programs, AVG7, Spybot S&D, Lavasoft's Ad-Aware, and SpywareBlaster need to have their virus/adware/spyware definitions updated regularly, and in particular AVG, once every 2 or 3 days, and then each one used to scan your computer often, except SpywareBlaster which does not scan in the same way.
And Finally:
There is a lot of information here, and perhaps a lot of work to do. Once they have been done, hopefully your daughter will have much less malware problems with her computer. But there are some more things your daughter can do to avoid these in the future.
A. Never open emails from sources she doesn't know.
B. Never open any email attachments before saving them to disk, (The desktop is a good temporary place to save them), then right clicking the attachment and selecting "Scan with AVG".
C. Never accept attachments from Instant Messengers unless from trusted sources, and unless they have been scanned first.
D. Be careful which sites she visits. Common sense is the best defence we have in the war against viruses, spyware and other malware.
My apologies for such a long reply.
Good luck
Mark
Submitted by: Mark F. of Littleover Derby, United Kingdom
I read your antispyware etc advice with great interest. I have yet to implement it and need to go through it thoroughly but I wonder if you could answer two questions?
1. I installed zonelabs and found I couldn't use email anymore! I'm using the XP firewall and that "works" ok. Any suggestions about what might be happening with zonelabs?
2. I use mozilla but I use Outlook Express. I have Outlook but am used to Express and as they say "if it ain't broke don't fix it". If I change to Outlook would it be better than Express or if I go to Thunderbird (or Navigator) will I be able to seamlessly continue to access all the old emails?
Thanks in hope
Robin
I've used Outlook, Outlook Express, and Thunderbird with Zone Alarm. There should be no reason to switch the programs other than personal preference.
You don't say how you cannot use email anymore. Can you see your old emails? Can you not receive new emails? Both? If the issue is the new emails, then my guess is that Zone Alarm is blocking your connections to your email server. Open Zone Alarm and go to Program Control on their left menu. Go to the Programs tab. Scroll down the list of programs until you see "Outlook Express" (not, "Microsoft Outlook"). Make certain that there is a green check mark in the Access column for "Trusted" and "Internet" as well as the "Send Mail" column. If not, then Left Click on the "x" in each of those areas, a menu will pop up, choose "Allow".
If this doesn't work, then I highly recommend posting your query on the Zone Labs User forums where I've received some good information: http://forum.zonelabs.org/zonelabs
with what dv8 says about Outlook Express and Zonealarm. His suggestions should get your email working again.
As to Outlook versus Outlook Express, I wouldn't change to Outlook. It is mainly a corporate email client for Microsoft Exchange email servers, and as far as I know, it is not easy to configure for normal everyday usage.
If you are happy using Outlook Express and have no problems, then why not stick with it? With the protection suggestions given here, it would be much more secure than having no protection. But if you do want to change to Thunderbird, or some other email software, then you shouldn't have any problems.
Good luck,
Mark
I wasted a day on this when my outlook express and messenger would not work after I installed the new version of Zone Alarm.
Finally realised that although I had STOPPED and QUIT my old virus checker and email checker that their settings were still interfering with ZA.
Uninstalled all previous stuff.
Everything worked fine with ZA after I restarted.
Walter Adamson
Also, some spyware will still be on the computer after all of this, and the best thing for those is to use either 'Hijack This!' or do a google search for a recipe for removal. Some spyware have files that reinstall it after you reboot or when you go on the internet. Make sure your webpage is set to something you specify before going on the internet.