today I:
- had to remove adware from the boss's computer. lol, what were you doing before it happened... I was searching the internet. CoolWebSearch is getting to be a big problem though.
This one had inserted about 20 links in the favourites menu, put a flashing icon on the taskbar, put link icons all over the start menu and the desktop, changed the desktop background to a fake fatal exception image and DISABLED access to several tabs in display properties.
Well, I got Ad-Aware out and scanned, finding an extensive array of items which were checked through and deleted. Then I deleted the temporary internet files, ran HijackThis and checked through CAREFULLY (HijackThis is really not something to mess with; you have to read each and every item and understand it before deleting the bad ones). It is also important to have all Internet Explorer windows and Windows Explorer windows closed when working with Ad-Aware and HijackThis, otherwise it is not gonna work. Then I knew we had some file deleting to do, otherwise it was gonna come back. I had already identified one of the adware files from my Ad-Aware and HijackThis searches, so I checked the time on the properties of that file and then searched the whole hdd for files created that day, and when I found suspicious ones with around the same time stamp, I added the extension .shit to all these files (.shit is something I reserve exclusively for malware). There was an obscene amount of .exe and other files to rename.
It is also important to figure out if any file that the OS needs has been renamed or altered. That is something that only comes with experience, so you rename the extensions of files and do not delete them, in order that when you reboot you will have the option to rename the file back again and figure out what to do without hosing the OS completely.
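The two steps above (pivot from one known-bad file's timestamp to every file written in the same window, then rename rather than delete so the change is reversible) are a small script in their own right. The example below is added here and is not the author's code; it uses the file modification time as a portable stand-in for the NTFS creation time the post pivots on, builds a constructed directory tree to run against, and uses the extension `.quarantined` as a placeholder for the author's own marker extension.

```python
import os
import tempfile
import time
from pathlib import Path

QUARANTINE_EXT = ".quarantined"   # stand-in for the author's own marker extension


def files_modified_near(root, reference_file, window_hours=12):
    """Return every file under `root` whose modification time lies within
    `window_hours` of the reference file's (the reference itself included).
    mtime is used here as a portable proxy for the NTFS creation time."""
    ref = os.path.getmtime(reference_file)
    window = window_hours * 3600
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if abs(os.path.getmtime(path) - ref) <= window:
                hits.append(path)
    return sorted(hits)


def quarantine(paths):
    """Rename instead of deleting: a mistaken match can be undone after reboot."""
    renamed = []
    for path in paths:
        quarantined = path + QUARANTINE_EXT
        os.rename(path, quarantined)
        renamed.append((path, quarantined))
    return renamed


def restore(renamed):
    """Undo quarantine() for the given (original, quarantined) pairs."""
    originals = []
    for original, quarantined in renamed:
        os.rename(quarantined, original)
        originals.append(original)
    return originals


def exists_all(paths):
    return all(os.path.exists(p) for p in paths)


def demo():
    """Build a constructed tree with forged timestamps and run the pivot."""
    root = tempfile.mkdtemp(prefix="adware-demo-")
    now = time.time()
    two_days_ago = now - 48 * 3600
    layout = {                                    # constructed sample files
        "winnt/system32/kernel32.dll": two_days_ago,  # old, legitimate
        "docs/report.doc": two_days_ago,              # old, legitimate
        "winnt/system32/msmmsgr.exe": now - 600,      # the file identified as adware
        "winnt/system32/ldr.dll": now - 900,          # dropped in the same session
        "bootsc.exe": now - 300,                      # dropped in the drive root
    }
    for rel, mtime in layout.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"x")
        os.utime(p, (mtime, mtime))
    reference = os.path.join(root, "winnt", "system32", "msmmsgr.exe")
    hits = files_modified_near(root, reference)
    relative = [os.path.relpath(h, root).replace(os.sep, "/") for h in hits]
    renamed = quarantine(hits)
    return {"root": root, "hits": relative, "renamed": renamed}


if __name__ == "__main__":
    result = demo()
    for original, quarantined in result["renamed"]:
        print(f"{original} -> {quarantined}")
```

The window is deliberately wide (half a day by default) because droppers write their files over minutes, not seconds; anything the window catches still has to be judged by hand before it stays renamed, which is the point of keeping the rename reversible.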
It was interesting to see that some files were also placed in C:\ and not C:\WINNT\system32 like the rest of the files. That is when I got worried, and I enabled viewing of hidden and system files and checked that all the boot files were in place. I also looked at the autoexec.bat and config.sys files to see if anything was up, but it was not.
At that point I was not finished, cos we need to look at the registry and figure out if malware is being loaded that way, so I ran regedit and checked
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
which is loading programs at startup, like tray programs and stuff. So I read the entries, and again it is important to figure out what each one does, otherwise you might disable an important program when you delete an entry that you thought was malware. I saw an entry for MSN Messenger and thought nothing of it, but when I checked again I saw it was loading the file msm***.exe (forgot the full name) and not msn***.exe, so I searched for the .shit files and saw the exe file was created today, and deleted the registry entry cos it was obviously malware, cos no installs were done that day.
It is important to check the \CurrentVersion\RunOnce as well, and also to determine that the malware has not shifted all your previous entries to \CurrentVersion\Run2 or something else, so that now your \CurrentVersion\Run is empty except for the malware run entry, and therefore all your cool anti-malware software is now in the inactive \CurrentVersion\Run2 and will NOT be loaded at startup. I have seen this happen.
I started to investigate the changed background image, and cos I could not change it, cos of the missing tabs in display properties, I went to a background image site and right-clicked on an image and set the background to that image, which worked. The missing display properties tabs were not restored though.
At that point I decided to reboot, cos I opened Internet Explorer again and the homepage was not changed to a malware search engine or something. This is curiously different to previous adware that I have seen; I guess the deleting of files and the tag team of Ad-Aware and HijackThis was effective.
Perhaps it is a bit cavalier to reboot at that point. If the IE homepage was getting changed again like usual after all the efforts, I would have looked into what programs were being loaded presently. I might have used KillBox or rebooted into safe mode to rename a program file that was presently being used and could not be deleted.
When I rebooted the missing display properties tabs were not restored, although everything else was ok. I opened IE to see if the homepage was changed again, but it was not. But regarding the display properties I was stumped. Then I figured that some kind of policy was being enforced that prevented the tabs from displaying, like the way that sysadmins prevent users from altering the setup of the computers. So I ran gpedit.msc and checked
User Configuration\Administrative Templates\Control Panel\Display
and I DISABLED the "Hide Desktop tab", "Hide Appearance and Themes tab" (forget the rest, but you get the picture).
Then when I was finished everything seemed ok.
I got permission to purchase and make installs of Ad-Aware Professional, which has the active Ad-Watch facility to prevent adware (always nice when it happens to the boss's pc, guaranteed funding to make sure it doesn't happen again). The thing about Ad-Watch is that it needs some enabling to make it run at startup and to make it actively prevent adware, not something that is obvious to the regular user.
Then we see what happens. I think that adware is a major threat at the moment. I am doing more removals of adware at the moment than viruses on clients' pcs. I suppose it is the interest of free porn.
Our ZyXEL ADSL security router is doing a good job of keeping out trojans. BlackICE firewall, which is installed on each pc, is not reporting events other than email spoofs and stuff. Previously we were getting insane amounts of zombie pcs trying to install trojans on open ports. I still like to keep BlackICE on all pcs in case one becomes compromised and starts to infect the network.
Norton AntiVirus Corporate is still doing a below satisfactory job, and I think we have to look at another vendor, because it really should catch adware as well. The mailserver has Corporate also, but I am again unsatisfied. Our ISP, which is different to my home ISP, is doing a below satisfactory job in stopping email viruses, while my home ISP is doing well.
So really, anyone that tells you that you don't need an antivirus program / firewall AND an anti-adware program is recommending that your PC remain open to one of the threats.
Hope you enjoyed the adware removal tips. Adware is messy and you really need to understand what you are doing and clean it all up completely, otherwise it will come back immediately.