Virus Info

Virus Info Section

     Without your knowledge or explicit permission, the Windows networking technology, which connects your computer to the Internet, may be offering some or all of your computer's data to the entire world at this very moment!

     A means of testing your security is available from a very fine individual by the name of Steve Gibson at Gibson Research Corporation. Access to his site is listed as Shields Up! in the menu on the left. Steve is one of the good guys. He is trying to help make the Internet more secure and user friendly. Follow his advice, use his software (free and/or purchased) and you will also help to bring security back to the Internet.

     Another company offering free and purchasable software is Lavasoft. They offer some excellent programs to dump and stop spyware. The main one, 'AdAware', is a privacy tool that scans your memory, registry, hard, removable and optical drives for known data-mining, aggressive advertising, and tracking components. It then lists the results and offers to remove or quarantine the components.

    Now then, I want to say this about that. I am providing information here that is from both experience and other people. However, things change, and in the PC industry changes are fast. Therefore, use any info from here at your own risk. Neither I nor any of the individuals or companies that I mention will take any responsibility for your choices, actions or screw-ups. There shouldn't be a need for any of these kinds of software programs, but we still have many unscrupulous individuals amongst us.

  • Spyware:
    Individual programs that embed themselves within your computer and monitor your Internet browsing activities. They can "spy" on your confidential information (i.e. passwords, credit card info, etc.).
  • Spybot Worm:
    The spybot worm is a virus that attacks your computer system through Instant Messenger or Kazaa. If you are infected by spybot then your anti-virus software may become disabled.
  • Adware:
    Programs that relay your personal information and Internet browsing patterns from your PC to another PC for advertising purposes. Adware is software that displays advertising banners and pop-ups. If you get inundated with pop-ups, chances are you have been infected by adware.
  • Malware:
    The short term for malicious software. Malware is more commonly referred to as viruses, trojans, and worms. Malware self-propagates and hides itself within another program. Malware is designed to annoy, but it has been known to wipe out an entire hard drive. The most common way of being infected by malware is through opening an e-mail attachment.
  • Trojan:
    Software that breaks through computer security by disguising itself as something benign, such as a game or directory lister. Trojans do not replicate themselves and are usually installed by "freeware and shareware" programs. They are detected as backdoors.


    How to tell if a PC has a Virus

Specific Info

    Microsoft Messenger: - Beginning with Windows NT, Microsoft included the Windows Messenger Service, and it has been built into each subsequent version and release of Windows over the past several years. It is no longer being used for its original purpose but is being used for malicious intent. It is highly recommended that you disable it.

Shutting off Windows Messenger Service will have no effect on any of the popular "instant messaging" systems you might be using; they don't rely on Windows Messenger Service (irrespective of its name) to function. You can do it yourself or, assuming you have installed AD-aware, load the Lavasoft plugin, Messenger-Control, that gives you control over this service.
Also See: Disable MS Messenger and Shoot The Messenger

    Hex Dump: - With many files (cookies for example) there's no easy way to view any information about them. The HexDump extension for Ad-aware lets you view a hexadecimal version of a file turned up in a scan, along with an "English" translation of the hex code.

This is an aid I would recommend that you install. Even though computers talk in a funny language, there are some aids that will help make what they say more human readable.

    Layered Service Providers (LSP): - Small pieces of software that can be added or inserted into the Windows TCP/IP handler by other software. Data outward bound from your computer to a legitimate destination on the Internet can be intercepted by an LSP and sent somewhere other than where you intend it to go.

This is another plugin, LSP Explorer, for Ad-aware that I would highly recommend you use.

The Internet Threats

Threat                        Risk
Hacking attempt               Unauthorized access to your computer (total control of your system and all your files).
Viruses and remote attacks    Loss of your data (files and documents), system crashes, unstable computer operation.
Trojan horses                 Unauthorized access to your computer (total control of your system and all your files).
Malicious web page content    Loss of your privacy.
SpyWare                       Loss of your privacy.

Firewalls

    There are two kinds of firewalls, hardware and software. These can be, and are, used together or separately. I personally have the hardware version, as a result of my local network. When you share a cable connection with the other members of your family, you need a router. This changes the IP addresses of your local machines to the private ranges, which are:

  • 10.0.0.0 with the subnet mask 255.0.0.0
  • 172.16.0.0 with the subnet mask 255.240.0.0
  • 192.168.0.0 with the subnet mask 255.255.0.0
The above addresses cannot be used on, or accessed from, the Internet. So how do you communicate? Through the router. It will have the original IP address that your ISP assigned to you. The router will translate and "route" the messages to and from the correct machine.
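As an added illustration of the private ranges listed above (this code is not from the page; the sample addresses are constructed, with 203.0.113.5 taken from the documentation-only block rather than a real host), the following Python turns each address/mask pair into a network, converts the masks to prefix lengths, and classifies addresses the way the router in the text sees them. It also shows the defender's use of the same table: a packet arriving on the Internet side of the router with a private source address cannot be genuine, so a firewall can drop it without further inspection. The function names (`prefix_length`, `classify`, `inbound_looks_spoofed`) are my own.

```python
import ipaddress

# RFC 1918 private ranges, written exactly as the page lists them
# (network address with its subnet mask).
PRIVATE_RANGES = [
    ("10.0.0.0", "255.0.0.0"),
    ("172.16.0.0", "255.240.0.0"),
    ("192.168.0.0", "255.255.0.0"),
]

# ipaddress accepts "address/netmask" notation, so each pair becomes a network object.
PRIVATE_NETWORKS = [
    ipaddress.ip_network(f"{addr}/{mask}") for addr, mask in PRIVATE_RANGES
]


def prefix_length(mask: str) -> int:
    """Count the leading 1 bits of a dotted-decimal mask (255.240.0.0 -> 12)."""
    bits = "".join(f"{int(octet):08b}" for octet in mask.split("."))
    ones = len(bits.rstrip("0"))
    # A valid mask is a run of 1s followed by a run of 0s; reject anything else.
    if bits != "1" * ones + "0" * (32 - ones):
        raise ValueError(f"non-contiguous mask: {mask}")
    return ones


def private_network_for(address: str):
    """Return the CIDR string of the private range containing `address`, or None."""
    ip = ipaddress.ip_address(address)
    for net in PRIVATE_NETWORKS:
        if ip in net:
            return str(net)
    return None


def classify(address: str) -> str:
    """Label an IPv4 address the way the router in the text would see it."""
    net = private_network_for(address)
    if net is not None:
        return f"private ({net}): behind the router, not reachable from the Internet"
    return "public: routable on the Internet"


def inbound_looks_spoofed(source_address: str) -> bool:
    """True when a packet arriving on the Internet side claims a private source.

    No Internet host can legitimately carry such an address, so a firewall on the
    outside interface can drop the packet without looking any further.
    """
    return private_network_for(source_address) is not None


# Constructed sample addresses (not from the page) that exercise the range edges:
# 172.31.255.1 is the last host inside 172.16.0.0/12, 172.32.0.1 is just outside it.
SAMPLE_ADDRESSES = ["192.168.1.20", "172.31.255.1", "172.32.0.1", "10.200.3.4", "203.0.113.5"]

if __name__ == "__main__":
    for _, mask in PRIVATE_RANGES:
        print(f"{mask:15} -> /{prefix_length(mask)}")
    for addr in SAMPLE_ADDRESSES:
        print(f"{addr:15} {classify(addr)}")
        if inbound_looks_spoofed(addr):
            print(f"{'':15} would be dropped if seen as a source on the Internet side")
```

The edge addresses matter: 172.32.0.1 looks "private-ish" to the eye but falls outside the /12, which is exactly the kind of mistake a hand-written firewall rule makes when it uses 255.255.0.0 for the 172 range instead of 255.240.0.0.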

ZoneAlarm is a very good software firewall. They have three different versions. The lowest version is free but provides adequate security for most casual users. It blocks dangerous Internet threats, guarding your PC from many of the tactics used by hackers and data thieves. It does not, however, guard you from e-mail viruses. To get that requires one of the higher levels which cost money.

AVG - AVG Free Edition is now available for all single home users worldwide! Download, install and use AVG Free Edition and get:
  • AVG Resident Protection
  • AVG e-mail Scanner
  • AVG On-Demand Scanner
  • Basic Scheduled Tests
  • Free Virus Database Updates
  • Automatic Update feature
  • Easy-To-Use Interface
  • Automatic Healing of infected files
  • AVG Virus Vault for safe handling of infected files
    Or another excellent choice:

Avast!4 - Free Home Version
This antivirus software is based on ALWIL Software's virus, worm and Trojan horse scanning technology, in development since 1988. The avast! antivirus portfolio includes a number of products, providing effective protection at all levels - from PDAs to large networks.

AIM security

    Online Safety/Security FAQ - The biggest problem with AIM is the same as with e-mail: attachments. Good anti-virus software will help, but... Read the truth about e-mail viruses.


    The table below is set up in the same format as the tables on the Answers that work pages. All I have done, and/or am doing, is add what I run into that isn't in their list.

Task List Name: gwremind
Program & Manufacturer: Microsoft Greetings Workshop
What it is and what you can do: Reminders that you need??? Probably not.

Task List Name: Wnsapisv or WINSERVS or sear1
Program & Manufacturer: Clickspring / PuritySCAN
What it is and what you can do: An adware program. It will drop a copy of itself in the Windows StartUp folder as wnsapisv.exe or WINSERVS.EXE. This copy will load at start-up and spawn massive quantities of large popup ads when the user is online. Edit your startup folder manually or with one of the available programs on the Internet. A good one is StarterSetup from CodeStuff.

Task List Name: Wupdater
Program & Manufacturer: Kazaa, Prefetch, Perfectnav, and Incredifind
What it is and what you can do: A spyware program. Another program that gets loaded into your Startup. Edit your startup folder and remove it. In general, these programs generate popup ads and may hijack web searches. Wupdater.exe seems to be a background update task. We'd recommend removing this file. You'll probably find it in C:\Program Files\Common files\updater\wupdater.exe.

Some Startup Folder Fiascos

avacyptj.exe and mcfg32c.exe

    These two jewels are placed by totempole. They can be found in the startup folder, and the actual programs are found in the \Windows\system directory. This information is thanks to Jack on Annoyances.org. In order to remove them you will have to reboot and start up in Safe Mode.

bxxs5 or BookedSpace

     BookedSpace is an adware browser helper object. It is installed silently. The controlling server is www.bookedspace.com and 66.225.192.199. Again, this can be found in your startup folder.


Win32:Trojan-gen - removal

I swiped this info from a Bullguard forum. The gentleman, Emilio from Slovakia, seemed to be very knowledgeable. I am including his info and the above reference for your convenience. I had a client with this Win32:Trojan-gen problem and it was a nightmare. It slowed down her PC considerably. The only other alternative would be to wipe out the system and re-load Windows. I for one am getting tired of that particular scenario.

Download CCleaner
www.ccleaner.com/

Download Advanced process termination
www.diamondcs.com.au/index.php?page=apt
(you don't have to install it... it's only an executable utility)
Advanced Process Termination is a simple but powerful utility that provides nine (9) different process termination techniques - all at the click of a button. Process Guard also has powerful anti-hook capabilities to prevent other programs from hooking critical functions (something often done by trojans to prevent their processes from being seen or terminated). In addition to process termination, APT also allows you to Suspend and Resume processes, and also serves as a useful process list utility.
Windows 2000, Windows XP, and Windows 2003 are supported.


Procedure:
1.DISABLE SYSTEM RESTORE
   Windows ME and XP utilize a restore utility that backs up selected files automatically to
   the C:\_Restore folder. This means that an infected file could be stored there as a
   backup file, and VirusScan will be unable to delete these files. You must disable the
   System Restore Utility to remove the infected files from the C:\_Restore folder.
2.REBOOT TO THE SAFE MODE
   Safe mode is the Windows diagnostics mode. When you start the computer in Safe mode,
   only the specific components that are needed to run the operating system are loaded.
   Safe mode does not allow some functions, such as a connection to the Internet. Safe
   mode also loads a standard video driver at a low resolution. Due to the low resolution,
   your programs and the Windows desktop may look different than usual and the desktop
   icons may have moved to different locations on the desktop.

The F8 key is used to enter Safe mode. It can be, and many times is, tricky to get it to work.

3.SHOW HIDDEN FILES
   The system files are normally hidden. Since some of the infected files are pretending to be
   system files, we need to make hidden files visible so that we can see them.
4.RUN HIJACKTHIS:
Check:
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [jUSnC] C:\WINDOWS\dpexao.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\Takrst.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\System32\Prlvgv.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
FIX CHECKED........

5.RUN ADVANCED PROCESS TERMINATION
Kill these processes (select them, then press the "ALL" button in PROCESS CONTROL OPTIONS)
C:\WINDOWS\dpexao.exe
C:\WINDOWS\System32\Takrst.exe
C:\WINDOWS\System32\Prlvgv.exe

6.FIND AND DELETE THESE FILES: (some files may not exist)
C:\WINDOWS\dpexao.exe
C:\WINDOWS\System32\Takrst.exe
C:\WINDOWS\System32\Prlvgv.exe

7.SCANS:
Do some scans with the applications mentioned in other posts, which you can download: Ad-Aware SE, SpyBot, SysClean and so on.
run scan with Ad-AwareSE (full system scan, scan volume for ADS)
run scan with SpyBot
run scan with ScanSpyware (do complete scan)
run scan with Stinger
run scan with Mwav (all scan options)
run scan with SysClean
run scan with TDS-3 (choose all choices to scan in SCAN CONTROL)


Ad-Aware SE.......Install, click Check for Updates now and get any updates, then exit.
Ad-Aware VX2 Cleaner Plug-In.....Install only
avast! antivirus software..........Install
CCleaner.............Install only, then exit
Spybot................Install, do the search for updates now and get any updates, then exit.
SpywareBlaster...Install, click Download Latest Protection Updates, Check for Updates, and then Enable All Protection, then exit. It does a great job of blocking known vulnerabilities as well as known malicious websites.
McAfee AVERT Stinger.....No installation required! Ready to run as is.
CWShredder......No installation required! Just unzip it to a folder.
Kill2me..............No installation required! Just unzip it to a folder.
about:Buster......No installation required! Just unzip it to a folder. Click Update and download any before scanning.
HSRemove........No installation required! Ready to run as is. (Only for WinNT, 2K, XP)

8.CLEANING
run CCleaner (analyze---run cleaner)

9.ENABLE SYSTEM RESTORE

10.REBOOT
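Steps 4 through 6 above copy the same three paths by hand from the HijackThis output into the kill list and the delete list. As an added example (not part of the original page, the forum post, or HijackThis itself), the following Python reads the R3, O4 and O23 lines quoted in step 4, embedded here as sample input, and derives those lists mechanically, also reporting services whose binary HijackThis marked as missing. The class `Item`, the functions `kill_list`, `missing_services` and `url_search_hook_missing`, and the regular expressions are my own, written against the line formats visible in the log above.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# The HijackThis items from step 4 above, copied from the page as sample input.
SAMPLE_LOG = r"""R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [jUSnC] C:\WINDOWS\dpexao.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\Takrst.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\System32\Prlvgv.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
"""

# Every item is "<section code> - <body>", e.g. "O4 - ...".
ITEM_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
# O4 body: <hive>\..\<key>: [<value name>] <command line>
O4_RE = re.compile(r"^(?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O23 body: Service: <display name> - <owner> - <command line>
O23_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<cmd>.*)$")
# First drive-letter path ending in .exe; skips a leading quote and ignores switches.
EXE_RE = re.compile(r'"?(?P<path>[A-Za-z]:\\.+?\.exe)', re.IGNORECASE)


@dataclass
class Item:
    code: str                   # HijackThis section code: "R3", "O4", "O23", ...
    body: str                   # everything after "<code> - "
    hive: str = ""              # HKLM / HKCU (O4 only)
    key: str = ""               # Run, RunOnce, ... (O4 only)
    name: str = ""              # registry value name or service display name
    path: str = ""              # executable path pulled out of the command line
    file_missing: bool = False  # HijackThis appended "(file missing)"


def exe_path(cmd: str) -> str:
    """Pull the .exe path out of a command line, dropping quotes, switches and notes."""
    m = EXE_RE.search(cmd)
    return m.group("path") if m else ""


def parse_item(line: str) -> Item | None:
    m = ITEM_RE.match(line.strip())
    if not m:
        return None
    item = Item(code=m.group("code"), body=m.group("body"))
    if item.code == "O4" and (o4 := O4_RE.match(item.body)):
        item.hive, item.key, item.name = o4.group("hive"), o4.group("key"), o4.group("name")
        item.path = exe_path(o4.group("cmd"))
    elif item.code == "O23" and (o23 := O23_RE.match(item.body)):
        item.name = o23.group("name")
        item.path = exe_path(o23.group("cmd"))
    item.file_missing = item.body.endswith("(file missing)")
    return item


def parse_log(text: str) -> list[Item]:
    return [it for it in (parse_item(line) for line in text.splitlines()) if it]


def kill_list(items: list[Item]) -> list[str]:
    """Paths of the autostart (O4) programs: the list steps 5 and 6 kill and delete."""
    return [it.path for it in items if it.code == "O4" and it.path]


def missing_services(items: list[Item]) -> list[str]:
    """Services whose binary is gone (O23 ... (file missing)): dangling entries to fix."""
    return [it.name for it in items if it.code == "O23" and it.file_missing]


def url_search_hook_missing(items: list[Item]) -> bool:
    return any(it.code == "R3" and "URLSearchHook is missing" in it.body for it in items)


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    print("processes to kill / files to delete:", *kill_list(parsed), sep="\n  ")
    print("services with missing binaries:", *missing_services(parsed), sep="\n  ")
    print("Default URLSearchHook missing:", url_search_hook_missing(parsed))
```

Deriving the lists from the log rather than retyping them avoids the classic slip of this procedure: a path mistyped in step 6 leaves the file on disk, and the Run entry fixed in step 4 is simply recreated at the next reboot.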



AntiVirusGold

AntivirusGold is an adware application. Antivirus Gold is installed by some trojans without asking for user permission. The desktop wallpaper is modified and an advertisement is displayed urging the user to buy Antivirus Gold. Upon clicking on the message, a web browser is opened pointing to www.AntiVirus-Gold.com. The purpose of this trojan is to install itself and pretend that only AntiVirus Gold can remove it. Home Page:   SpywareDB

DyFuca.InternetOptimizer

DyFuca.InternetOptimizer is a variant of the DyFuca page hijacker. Unknown-server errors, page-missing errors, server errors and even password-required errors are redirected to Internet Optimizer's controlling server at www.internet-optimizer.com. The 'DyFuCA Active Alert' component can open pop-up 'alerts' when directed by its controlling server. It can also download and execute arbitrary unsigned code from its controlling server, as an update feature. Home Page:   Spython

ABetterInternet

ABetterInternet runs at your system's start-up and may track your Internet activity. If A Better Internet gathers personal information about yourself and your web browsing habits, it may target pop-up advertisements at you, redirect certain URLs, and automatically update itself and install third-party software, files and desktop icons. Home Page:   Spywareremove

2ndThought

2nd Thought may download and display advertisements, and may reset your home page and report your web activity to its parent company. Home Page:   Spywareremove

Twain-Tech

Twain-Tech Removal - This bug is adware. It comes as both a BHO and a toolbar. If you'd like to send them some love, visit their site. Also read below and send the software company who installed it on you some love as well. Free programs that are sponsored by ads are not truly free. If you want to profit from making software, please go the 15 day trial route, because ads will only make people hate you. Home Page:   I am not a Geek

Addclicker

Runs in the background and periodically pops up a warning that there is a problem with your computer. Can display a warning message from the system tray that your computer has spyware. Clicking the warning message will take you to a website to download antispyware software that does not do what it claims. Home Page:   Spyware Guide



Copyright © 2004-2004 All rights reserved.