This article is more of a preventive measure than a fix and will harden Internet Explorer's security while retaining the functionality that IE has.
First, in Tools -> Internet Options -> Advanced, uncheck "Enable Install On Demand (Internet Explorer)", "Enable Install On Demand (Other)" and "Enable Third-Party Browser Extensions (Requires Restart)", then choose Apply and OK. Also ensure your Internet security setting is at least Medium (unless you know what you are doing and have made it custom).
Go to http://www.windowsupdate.com and make sure you have all the latest updates.
Then download Sun's Java JRE from http://java.com/en/index.jsp (the link you want to hit is the "Get It Now" in the top right). Running Sun's Java protects you because it has fewer exploited vulnerabilities than Microsoft's Java. Lots of spyware uses holes in Microsoft's Java to install itself, so switching to Sun's closes a lot of holes.
>> Download: Sun Java
Then download Spybot Search & Destroy from http://www.safer-networking.org/, run it and make sure to let it download the newest updates. Now go to Spybot's Immunize function and under "Permanent Internet Explorer immunity" choose Immunize, then under "Permanently running bad download blocker for Internet Explorer" select "Ask for blocking confirmation" and choose Install.
>> Download: Spybot S&D
Next, download SpywareBlaster from http://www.javacoolsoftware.com/spywareblaster.html, run it and ensure it's fully updated. Now choose "Select All" and then hit "Protect Against Checked Items". Just for reference, all the items in red are items that Spybot's Immunize doesn't protect you against; that's why you should use both programs.
>> Download: Spyware Blaster
Both Spybot Search & Destroy's Immunize function and SpywareBlaster are one-time settings: these programs no longer have to be running to keep you from getting infected with the stuff they block. What they do is disallow any ActiveX program that was known to them at the time you immunized from even running. With both Spybot and SpywareBlaster it is important that you check for updates every two weeks or so and re-immunize when new updates are released to stay current. Spybot's other immunize function ("Permanently running bad download blocker for Internet Explorer") installs a BHO that will ask you for permission to block other known bad BHOs from installing. BHOs are really not needed and fairly rare; most people only have the Adobe Acrobat BHO. You could have set this option to always block, but I chose "Ask for blocking confirmation" for those people who use something that I do not that uses a BHO.
Now download both DSOstop2 and HTAstop2003 from http://www.nsclean.com/freebies.html and run both of those.
>> Download: DSOstop2, HTAstop2003
In addition, there's another great free utility you can run, but unlike everything above it has to always be open, just like an antivirus: SpywareGuard from JavaCool. You can download and run it as well to further increase your security against spyware if you choose. It's available here: http://www.wilderssecurity.net/spywareguard.html
>> Download: Spyware Guard
That should beef things up considerably. Having a good antivirus is also helpful because many of them are starting to add spyware to their definitions; for instance, my McAfee 8 caught that spyware trying to install.
I hope this helps you guys, because these settings are pretty solid but at the same time loose enough that you can still have Active Scripting and ActiveX enabled. Granted, you could disable those as well, but at that point you might as well go download an old version of the Mosaic browser, because it isn't worth using IE with everything disabled.
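The three Advanced-tab checkboxes above are backed by registry values, which makes the hardening state checkable and repeatable across machines. The script below is an added example, not part of the original post: it reads the current state, writes the "unchecked" state, and reads it back. It assumes Windows PowerShell 3 or later on the box; the value names (NoJITSetup, NoWebJITSetup, "Enable Browser Extensions") and the zone-level numbers are from my own notes rather than from the post, so confirm them against your build before relying on them.

```powershell
# Added example, not from the original post: the three Advanced-tab checkboxes the post
# says to uncheck live under HKCU\Software\Microsoft\Internet Explorer\Main, and the Internet
# zone's slider under Zones\3. Reads the current state, applies the unchecked state, reads
# it back. Assumes Windows PowerShell 3+; value names and zone-level numbers are assumptions.
$main  = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$zone3 = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'  # Internet zone

# Assumed CurrentLevel encoding: 0x10000 Low, 0x10500 Medium-Low, 0x11000 Medium,
# 0x11500 Medium-High, 0x12000 High.
$mediumLevel = 0x11000

function Get-IeHardeningState {
    $m = Get-ItemProperty -Path $main  -ErrorAction SilentlyContinue
    $z = Get-ItemProperty -Path $zone3 -ErrorAction SilentlyContinue
    [pscustomobject]@{
        InstallOnDemandIE    = ($m.NoJITSetup -ne 1)                      # "Enable Install On Demand (Internet Explorer)"
        InstallOnDemandOther = ($m.NoWebJITSetup -ne 1)                   # "Enable Install On Demand (Other)"
        ThirdPartyExtensions = ($m.'Enable Browser Extensions' -ne 'no')  # "Enable Third-Party Browser Extensions"
        InternetZoneLevel    = $z.CurrentLevel
        ZoneAtLeastMedium    = ([int]$z.CurrentLevel -ge $mediumLevel)
    }
}

function Set-IeHardening {
    # Writes the "unchecked" state for the three options. The zone slider is left alone on
    # purpose: changing it silently is exactly what a hijacker does, so do that one by hand.
    if (-not (Test-Path $main)) { New-Item -Path $main -Force | Out-Null }
    New-ItemProperty -Path $main -Name 'NoJITSetup'                -Value 1    -PropertyType DWord  -Force | Out-Null
    New-ItemProperty -Path $main -Name 'NoWebJITSetup'             -Value 1    -PropertyType DWord  -Force | Out-Null
    New-ItemProperty -Path $main -Name 'Enable Browser Extensions' -Value 'no' -PropertyType String -Force | Out-Null
}

$before = Get-IeHardeningState
Set-IeHardening
$after = Get-IeHardeningState
'Before:'; $before | Format-List
'After (restart IE for the extensions setting to take effect):'; $after | Format-List
if (-not $after.ZoneAtLeastMedium) {
    Write-Warning ("Internet zone is below Medium (CurrentLevel 0x{0:X}); raise it in Tools -> Internet Options -> Security." -f $after.InternetZoneLevel)
}
```

Run it in the affected user's session, since all three values are per-user (HKCU). If you roll this out to several machines, run Get-IeHardeningState alone first; any box where InstallOnDemand or ThirdPartyExtensions flips back to true after you set it has something re-enabling them, which is itself worth investigating.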
Ad-Aware Personal: freeware adware removal tool
Trojan Defense Suite >> discontinued
Pest Patrol
Free Online Spyware Scanner and Cleaner
Bazooka Adware and Spyware Scanner
HijackThis
A general homepage hijacker detector and remover. Initially based on the article Hijacked!, but expanded with almost a dozen other checks against hijacker tricks. It is continually updated to detect and remove new hijacks. It does not target specific programs/URLs, just the methods used by hijackers to force you onto their sites. As a result, false positives are likely, and unless you are sure what you're doing, you should always consult with knowledgeable folks (e.g. the forums) before deleting anything.
Download: Hijackthis
View: Homepage
View: Tutorial
CWShredder
A small utility for removing CoolWebSearch (aka CoolWwwSearch, YouFindAll, White-Pages.ws and a dozen other names). Spybot S&D and Ad-aware tend to forget essential parts of the hijack, so until they update, you can use this to completely remove the hijack. This program is updated to remove the new variants once they come out.
Download: http://www.trendmicro.com/ftp/products/onl.../cwshredder.exe
Browser Hijacking
Browser hijacking is a common problem for Internet Explorer users.
The browser had certain bugs that allowed people to modify the registry so that it would redirect to some other page.
Browser hijacking is a serious matter. But I learned a few tricks on how to fight hijacking in no time at all.
Note: In 99% of cases, browser hijacking happens to IE users.
How do you fall prey to a browser hijacking? There are numerous ways. Here are some common ones:
1. By installing software which changes your browser settings. This may happen with commercial software, but is much more common with freeware or adware.
2. By visiting a site which exploits a browser bug to change settings without your permission.
3. By visiting a site which persuades you to allow your settings to be changed, usually by offering freebies. When you accept the offer, your browser settings are changed or software is installed. While such sites may tell you of their intentions, usually it's in the fine print or couched in deceptive terms.
And the worst thing is that spyware removal tools such as Spybot S&D won't help much in repairing your hijacked browser.
Reclaiming a hijacked browser
These instructions involve editing the registry and other advanced techniques. Do not attempt these procedures without making proper backups (read Backing Up and Restoring the Windows Registry to learn how) and don’t attempt them at all if you’re not familiar with registry editing.
1. If you’ve been hijacked, you can reclaim your browser with a bit of work.
If your Control Panel’s Internet Options have been disabled, get them back by locating the file control.ini (use Start -> Find/Search to locate it). Open control.ini in Notepad and look for the lines:
[don’t load]
inetcpl.cpl=yes
Delete the second of these two lines, close and save the file and reboot your computer.
(IMG:http://www.geekgirls.com/images/Hijacked%20-%20Step%201.jpg)
2. Close any open Internet Explorer windows.
a. Click Start -> Run, type regedit and click OK to open the Registry Editor.
b. Navigate to:
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer
If you find sub-folders called restricted or control panel, delete them.
Check for the same sub-folders in HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer and delete them, too, if they exist. Then close Regedit.
3. If your search pages have been redirected, re-establish the defaults:
a. Open the Registry Editor and navigate to:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Change the Search Page value to:
http://home.microsoft.com/access/allinone.asp
and, if it exists, change the Search Bar value to:
http://search.msn.com/spbasic.htm
b. Navigate to:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURL and change the default value to:
http://home.microsoft.com/access/autosearch.asp?p=%s
c. Navigate to:
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search
Change the SearchAssistant value to:
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
and change the CustomizeSearch value to:
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
4. Reset your home page to your chosen page:
a. In Internet Explorer, choose Internet Options from the Tools Menu and, on the General tab, type in your preferred home page.
b. Do a search for any files with the extension HTA. If you find any such files, open each in turn in Notepad and see whether they contain a reference to the site which has hijacked your browser. Delete any HTA files which contain such a reference.
c. Locate the file HOSTS (it has no file extension) and open it in Notepad. Once again, look for any reference to the hijacking site. If you find any references, delete the lines containing those references.
5.
a. Click Start -> Run -> msconfig and check the programs under the Startup tab. If you find an entry which contains regedit.exe /s disable it, and disable other programs you know to be suspicious.
b. Still in msconfig, click the System.Ini tab and click the + beside [boot] to expand the section. Look for a line reading shell=explorer.exe. The line should read exactly that; delete any following commands, but make sure you leave shell=explorer.exe intact.
Note: If you’re using Windows NT, 2000 or XP, this information is contained in the registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
which should contain the value explorer.exe.
c. Click OK to exit from msconfig and reboot your system.
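Before editing anything, it helps to know which of steps 2 to 5 actually apply to the machine in front of you. The script below is an added example and is not part of the post above: a read-only audit of the same indicators the procedure walks through (policy keys under Policies\Microsoft\Internet Explorer, search URLs that differ from the defaults the post lists, HOSTS lines pointing a name away from the local machine, a Winlogon Shell with extra commands, and Run entries that import a .reg file silently). It changes nothing. It assumes Windows PowerShell on the affected box; the policy sub-key name "Restrictions" is my own assumption, so the spelling given in the post is checked as well.

```powershell
# Added example, not part of the post above: read-only audit for the hijack indicators the
# reclaim procedure tells you to look for. Changes nothing. Assumes Windows PowerShell.
# The "expected" search URLs are the ones the post lists.
$expected = @{
    'HKCU:\Software\Microsoft\Internet Explorer\Main|Search Page'       = 'http://home.microsoft.com/access/allinone.asp'
    'HKCU:\Software\Microsoft\Internet Explorer\Main|Search Bar'        = 'http://search.msn.com/spbasic.htm'
    'HKCU:\Software\Microsoft\Internet Explorer\SearchURL|(default)'    = 'http://home.microsoft.com/access/autosearch.asp?p=%s'
    'HKLM:\Software\Microsoft\Internet Explorer\Search|SearchAssistant' = 'http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm'
    'HKLM:\Software\Microsoft\Internet Explorer\Search|CustomizeSearch' = 'http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm'
}

function Get-RegValue([string]$Path, [string]$Name) {
    if (-not (Test-Path $Path)) { return $null }
    $p = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($null -eq $p) { return $null }
    return $p.$Name      # the default value is exposed under the literal name '(default)'
}

function Find-IeHijackIndicators {
    $findings = New-Object System.Collections.Generic.List[string]

    # Step 2: policy keys that lock Internet Options or restrict the browser.
    # Assumption: the key name I know is "Restrictions"; the post's spelling is checked too.
    foreach ($hive in 'HKCU', 'HKLM') {
        foreach ($sub in 'Restrictions', 'restricted', 'Control Panel') {
            $k = "${hive}:\Software\Policies\Microsoft\Internet Explorer\$sub"
            if (Test-Path $k) { $findings.Add("policy key present: $k") }
        }
    }

    # Step 3: search pages pointed away from the defaults.
    foreach ($entry in $expected.GetEnumerator()) {
        $path, $name = $entry.Key -split '\|', 2
        $actual = Get-RegValue $path $name
        if ($null -ne $actual -and $actual -ne $entry.Value) {
            $findings.Add("$path [$name] = $actual (expected $($entry.Value))")
        }
    }

    # Step 4c: HOSTS lines that send a name anywhere other than the local machine.
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    if (Test-Path $hosts) {
        foreach ($line in Get-Content $hosts) {
            if ($line -match '^\s*(\d{1,3}(\.\d{1,3}){3})\s+(\S+)' -and $Matches[1] -ne '127.0.0.1') {
                $findings.Add("HOSTS maps $($Matches[3]) to $($Matches[1])")
            }
        }
    }

    # Step 5: extra commands after the Winlogon shell, and Run entries that import a .reg silently.
    $shell = Get-RegValue 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' 'Shell'
    if ($shell -and $shell -ne 'explorer.exe') { $findings.Add("Winlogon Shell = $shell") }
    foreach ($run in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                     'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run') {
        if (-not (Test-Path $run)) { continue }
        foreach ($prop in (Get-ItemProperty $run).PSObject.Properties) {
            if ("$($prop.Value)" -match 'regedit(\.exe)?\s+/s') {
                $findings.Add("silent .reg import at startup: $run [$($prop.Name)] = $($prop.Value)")
            }
        }
    }
    return $findings
}

$found = @(Find-IeHijackIndicators)
if ($found.Count) { $found | ForEach-Object { "[!] $_" } } else { 'No hijack indicators found.' }
```

Every line it prints maps to one numbered step above, so you can go straight to that step; the HOSTS check is deliberately broad (any non-127.0.0.1 mapping is reported) because a hijack that points windowsupdate.com or your antivirus vendor's update host at the attacker's server looks exactly like a legitimate intranet entry until you read it.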
OK guys... There are a lot of pop-ups when you access certain sites, which say:
Your Computer is not safe from Adware or Spyware! Click here to download
Warning - if your computer has been running slower than usual, it may be infected with adware or spyware.
Don't believe these links; they are most probably adware or spyware themselves. Just ignore these pop-ups and close them.
One example is the attached picture.
This post has been edited by benlye: Oct 4 2004, 09:26 AM
When all else fails you can install a trial of
Process Guard
It will then intercept each and every process that tries to start
(generally it's installed on a known clean box and you just approve all these processes)
You can then allow, allow once, disallow or disallow once each process
This is enough to interrupt the most serious infection, not only spyware but truly serious malware infections
Of course you need a clean or at least functional box to research which process is which
and then manually root them out (from the GUI, Safe Mode and sometimes the command line of the Recovery Console)
A list of potential startup processes > http://www.aros.net/~zaphod/startups.htm#A
Pest Patrol Research Library > http://www.pestpatrol.com/pestinfo/
Googling individual processes is generally preferable, however
Default Processes in W2K
How to manually unregister dlls (from Pest Patrol)
UnRegister DLLs
You can use the Regsvr32 tool (Regsvr32.exe) to register and unregister object linking and embedding (OLE) controls such as dynamic-link library (DLL) or ActiveX Controls (OCX) files that are self-registerable.
RegSvr32.exe has the following command-line options:
Regsvr32 [/u] [/n] [/i[:cmdline]] dllname
/u - Unregister server
/i - Call DllInstall passing it an optional [cmdline]; when used with /u calls dll uninstall
/n - do not call DllRegisterServer; this option must be used with /i
When you use Regsvr32.exe, it attempts to load the component and call its DLLSelfRegister function. If this attempt is successful, Regsvr32.exe displays a dialog indicating success. If the attempt is unsuccessful, Regsvr32.exe returns an error message, which may include a Win32 error code.
Example: To unregister Winshow's winshow.dll:
1. Click the Start button, and select Run
2. Enter this command line:
regsvr32 /u [systemroot]\winshow.dll
For example, in a Windows XP machine in which your systemroot was at c:\winnt, you would enter:
regsvr32 /u c:\winnt\winshow.dll
----------------------------------------------------------------------------------------------
From the command line you can also generally use %systemroot%
Good luck; if a reinstall is the alternative,
be not afraid, and ruthlessly cull registry entries :P
The worst you can do is bork the registry,
but it's ideal for you to have multiple backups of your registry
from a known good state: dig out the current infection and then replace
%systemroot%\WINNT\system32\config with your backup
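The regsvr32 /u step above presumes you already know which DLL to unregister. Most of the IE-side spyware this thread deals with is registered as a Browser Helper Object, and the registry records exactly which DLL each one is, so the research step can be scripted. The example below is added here and is not from the post or from Pest Patrol: it enumerates the registered BHOs, resolves each CLSID to its DLL through the standard COM InprocServer32 key, checks whether the file exists and carries a valid Authenticode signature, and prints the matching regsvr32 /u line without running it. It assumes Windows PowerShell 3 or later; the registry locations are the standard BHO/COM keys rather than anything stated in the post. Close every IE window before you actually unregister anything.

```powershell
# Added example, not from the post: enumerate registered Browser Helper Objects, resolve
# each CLSID to its DLL, and print (not run) the regsvr32 /u line. Assumes Windows PowerShell 3+.
$bhoKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'

function Get-BrowserHelperObjects {
    if (-not (Test-Path $bhoKey)) { return }
    foreach ($k in Get-ChildItem $bhoKey) {
        $clsid  = $k.PSChildName
        $clsKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
        $name = $null; $dll = $null
        if (Test-Path $clsKey) {
            $name = (Get-ItemProperty $clsKey -ErrorAction SilentlyContinue).'(default)'
            if (Test-Path "$clsKey\InprocServer32") {
                # InprocServer32's default value is the DLL path, sometimes with %SystemRoot% in it.
                $dll = (Get-ItemProperty "$clsKey\InprocServer32").'(default)'
                if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll) }
            }
        }
        $exists = [bool]($dll -and (Test-Path -LiteralPath $dll))
        $signed = $false
        if ($exists) { $signed = (Get-AuthenticodeSignature -LiteralPath $dll).Status -eq 'Valid' }
        # A BHO with no server entry cannot be unregistered with regsvr32; the key itself goes.
        if ($dll) { $unreg = "regsvr32 /u `"$dll`"" }
        else      { $unreg = "(no InprocServer32: delete $bhoKey\$clsid by hand)" }
        [pscustomobject]@{
            CLSID      = $clsid
            Name       = $name
            Dll        = $dll
            DllExists  = $exists
            Signed     = $signed
            Unregister = $unreg
        }
    }
}

# Unsigned entries sort first: those are the ones to look up before trusting.
Get-BrowserHelperObjects | Sort-Object Signed, Name | Format-List
```

An unsigned DLL in a temp or system folder with a random-looking name is the usual spyware profile, but research it first as the post says: the Acrobat helper and several legitimate toolbars show up in the same list, and an unsigned status by itself only means the vendor did not sign it. Remember that regsvr32 /u only calls the DLL's own unregister routine; a hostile DLL can ignore it, which is why the Run-key and Winlogon checks elsewhere in this thread still matter afterwards.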