WARNING Long Reply - Re: Spyware/Adware/Registry Help
From: Jen (anonymous_at_discussions.microsoft.com)
Date: 05/11/04
Date: Tue, 11 May 2004 15:09:10 -0700
Thanks for the novel!! These suggestions will be most
helpful. If I have more difficulties, I'll do another
post, so keep an eye out.
Jen
>-----Original Message-----
>Hi Jen - There are currently two classes of things going on that are
>causing people popup difficulties. If you get popups even when your
>browser is not connected to the Internet with a title bar reading
>"Messenger Service", then these are most likely due to open NetBios TCP
>ports 135, 139 and 445 and UDP ports 135, 137-138 and a UDP port in the
>range of 1026-1029. You really need to block these with a firewall as a
>general protection measure. You can stop the popups by turning off
>Messenger Service; however, this still leaves you vulnerable. If you
>have an NT-based OS such as XP or Win2k, you should probably also
>specifically block TCP 593, 4444 and UDP 69, 139, 445, and install the
>very important 824146 patch from MS03-039, here:
>http://support.microsoft.com/default.aspx?kbid=824146 to block the
>Blaster worm as well as several other parasites.
>
>
>See: Messenger Service Window That Contains an Internet Advertisement
>Appears http://support.microsoft.com/?id=330904 which identifies
>reasons to keep this service and steps to take if you do.
>
>You can test your system and follow the 'Prevention' link to get
>additional information here:
>http://www.mynetwatchman.com/winpopuptester.asp Unless you have very
>good reasons to keep this active, it should be turned off in Win2k and
>XP. Go here and do what it says:
>http://www.itc.virginia.edu/desktop/docs/messagepopup/ or, even better,
>get MessageSubtract, free, here, which will give you flexible control of
>the service and viewing of these messages:
>http://www.intermute.com/messagesubtract/help.html Recommended.
>
>(FWIW, ZoneAlarm's default Internet Zone firewall configuration blocks
>the necessary ports to prevent this use of Messenger Service. I don't
>know the situation with regard to other firewalls.)
>
>Messenger Service is not per se Spyware or something that MS did wrong -
>It provides a messaging capability which is useful for local intranets
>and is also sometimes (albeit nowadays infrequently) used by some
>applications to provide popup messages to users. However, it can also
>be (and now frequently is) used to introduce spam via this open NetBios
>channel. For a single user home computer, it normally isn't needed and
>can be turned off which will eliminate the spam popups. This DOESN'T,
>however, remove the vulnerability of having these ports open, when in
>fact they aren't needed, since they can be perverted in other ways as
>well, some of which can be much more damaging than just a spam popup.
>
>
>
>If you're getting a lot of popups while surfing, then the following may
>be useful:
>
>Popups - The best way to start is to get Ad-Aware 6.0, Build 181 or
>later, here: http://www.lavasoftusa.com/support/download/. Update and
>run this regularly to get rid of most "spyware/hijackware" on your
>machine. If it has to fix things, be sure to re-boot and rerun AdAware
>again and repeat this cycle until you get a clean scan. The reason is
>that it may have to remove things which are currently "in use" before it
>can then clean up others.
>
>Another excellent program for this purpose is SpyBot Search and Destroy
>available here: http://security.kolla.de/ SpyBot Support Forum here:
>http://www.net-integration.net/cgi-bin/forums/ikonboard.cgi. I
>recommend using both normally. Update before starting, then after
>fixing things with SpyBot S&D, be sure to re-boot and rerun SpyBot again
>and repeat this cycle until you get a clean "no red" scan. The reason
>is that SpyBot sometimes has to remove things which are currently "in
>use" before it can then clean up others.
>
>Then, there are a variety of third party "Popup Killers" available. I
>normally use AdShield, which, if you maintain its Block List every now
>and then, almost totally stops this. In addition, it stops a variety of
>ads/banners/etc. (particularly spyware like doubleclick) on pages I
>access. This is probably all you'll need; however, I've also
>investigated a program called webwasher which appears to be very good,
>but decided that AdShield was sufficient. At the bottom of this post,
>you'll find a list provided courtesy of bc_acadia of a number of free
>popup blockers with links.
>
>****** NOTE: As of 28 Apr 03 AdShield appears to have partnered with a
>new reseller, and AdShield is no longer free. There is a trial version
>of AdShield3; however, IMO it is seriously crippled in not being able to
>import or export block lists and I think for reasonable utility one
>would have to go to the full version. While I don't normally recommend
>non-free software, I personally will continue to use AdShield3, since I
>think it is the best currently available combined Popup/Ad/Malware
>blocker, but you should be aware of the fact that it now costs,
>($29.95), whereas the earlier versions upon which I based my original
>recommendation were free, although not nearly as capable as the
>AdShield3 release. I've included below links to both the older free
>version and the new paid version. You'll have to investigate and make
>your own choice in the matter. *******
>
>Here are a number of AdShield-related links:
>
>http://www.fsd1.org/technology/Files/AdShield.exe - AdShield1.2 (free)
>http://www.internettechs.net/utilities/AdShield.exe - AdShield1.2 (free)
>http://ftp.ural.ru/home/index/windows/networking/utils/AdShield - AdShield1.2 (free)
>http://www.megalog.ru/info/utilz/AdShield.zip - AdShield1.2 (free)
>http://www.allstarss.com/store/adshield.html - AdShield3
>http://www.mvps.org/winhelp2002/block.txt - (Mike Burgess' .txt Block List for AdShield)
>http://www.mvps.org/winhelp2002/block.zip - (Mike Burgess' Zipped Block List for AdShield - Recommended)
>http://adshield.briankass.com/blocklists.html (lists a number of blocklists)
>http://adshield.briankass.com/blocklist.abl (brian's blocklist in .abl format)
>http://adshield.briankass.com/blocklist.txt (brian's blocklist in .txt format)
>http://www.songwave.com/software/adshield_blocklist.txt (40,000 pornsites blocked - *VERY* large list - use at your own risk)
>http://www.chrismyden.com/temp/block.abl (chrismyden's blocklist in .abl format)
>http://www.staff.uiuc.edu/~ehowes/resource.htm#AdShield (Eric Howes AGNIS
>for AdShield block list - Recommended) (BTW, Eric's site contains a
>wealth of very valuable information about all aspects of net security -
>Very Highly Recommended)
>
>There's also a new AdShield forum here:
>http://users.boardnation.com/~adshield/index.php
>
>Here's a good AdShield test site, courtesy of siljaline: "Make
>***SURE*** you have your block scripted popups enabled
>http://www.mediaboy.net/1010100-1100001-1111010/gahk/>>>>
>[Warning this URL opens a multitude of Browser windows almost instantly]"
>
>http://www.webwasher.com - Webwasher
>
>
>Additionally, some people have recommended Popup Stopper and
>PopupBuster, but they have also been reported or experienced to cause
>perceived problems for some people with "normal" links in IE6 such as
>Google search results and links from OE. Some proponents of PopupBuster
>assert, however, that this is normal operation for this program under
>certain circumstances which can be overridden if necessary. YMMV.
>Another "Proxy" type blocker similar to Webwasher and Proxomitron but
>supposedly a bit easier to configure is Privoxy here:
>http://www.privoxy.org/ Also, the free Google Tool Bar has a builtin
>popup blocker which is fairly effective.
>
>Also, if you're comfortable allowing changes to the registry, there is
>an approach, IE-SPYAD, using the restricted sites list which can be used
>for scripted popups. I use this and it works very well. See here:
>http://www.staff.uiuc.edu/~ehowes/resource.htm
>
>There is additional information about setting up and using AdShield, and
>about using the Restricted Zone (and an additional list) here:
>http://www.mvps.org/winhelp2002/hosts.htm and some of the Frequently
>Asked Questions (FAQ's) about AdShield here:
>http://adshield.briankass.com
>
>Lastly, ZoneAlarmPro3/4 has added provisions for stopping ads/popups,
>handling cookies, web bugs, and scripting/ActiveX components in addition
>to its firewall functionality. Not free, but I have used it with my
>other AdBlocking stuff (AdShield, etc.) turned off as a test, and it
>appears to be very good indeed. So far I've experienced no problems at
>all with it set in its High Security modes for Ads although others have
>reported the need to temporarily turn it off to reach some sites. Also,
>Agnitum's Outpost Firewall supports a plug-in for this: "Pre-configured
>to block most banner advertisement. Can be configured manually or by
>simply dragging and dropping unwanted banners into the Ad Trashcan." I
>have no experience as to how effective it is, but I have received a
>favorable report.
>
>There's good information about hijacking in general and fixes available
>for specific hijackers here:
>http://www.spywareinfo.com/hijacked.html
>http://gmpservicesinc.com/Articles/hijack.asp
>http://www.mvps.org/inetexplorer/Darnit.htm#pop_up
>http://www.doxdesk.com/parasite/
>
>bc_acadia's list:
>
>"Some popup blockers. All of these are 100% pure freeware, no trial
>periods. Some of these do more than just handle popups.
>
>Pow!: http://www.analogx.com/contents/download/network/pow.htm
>NoAds: http://www.southbaypc.com/NoAds/
>PopupEraser: http://www.webknacks.com/popuperaser.htm
>Stop-the-Pop: http://www.bysoft.se/sureshot/stopthepop/index.html
>Internet Organizer: http://www.sf.yucom.be/wdprojects/
>PopKi: http://ranfo.com/popki.html
>PopUpPopper: http://www.bayden.com/Popper/default.asp
>PopUpKiller: http://sourceforge.net/projects/puk/
>AdCruncher Proxy: http://home.sprintmail.com/~dtrout/AdCruncher/ReadMe.html
>KillAd: http://www.wplus.net/pp/fsc/
>ClickOff: http://www.johanneshuebner.com/en/download.html
>PopupBuster: http://www.popupbuster.com/PopUpBuster/
>Free Surfer: http://www.kolumbus.fi/eero.muhonen/FS/
>Window Shades: http://www.g-m-m.com/Software/WindowShades/index.php
>AdShield (my personal favorite): http://www.adshield.org/
>PopupStopper: http://www.panicware.com/popupstopper.html
>Proxomitron (has learning curve): http://www.proxomitron.org/
>For those who don't want third party stuff, your own pc's built-in
>host file:
>http://www.mvps.org/winhelp2002/hosts.htm and
>http://www.smartin-designs.com/ and http://www.accs-net.com/hosts/
>
>
>Here is a review of 61 popup killers, not all of them are free:
>http://www.popup-killer-review.com/index.htm"
>
>NOTE that this site also contains a good, comprehensive series of popup
>killer tests. Some good additional tests are also available here:
>http://www.webknacks.com/aptest.htm
>
>There's another popup test page here:
>http://www.kephyr.com/popupkillertest/index.html
>
>
>Another good test page and lists of both free and cost popup blockers is
>here: http://www.popuptest.com/ Recommended
>
>
>Finally, there's a new class of hijacker using Windows Messenger Service
>(not Instant Messaging, BTW) that I discussed at first.
>
>
>You might want to consider installing the SpywareBlaster and
>SpywareGuard here to help prevent this kind of thing and other malware
>from happening in the future:
>http://www.javacoolsoftware.com/spywareblaster.html (Prevents malware
>Active X installs) (BTW, SpyWare Blaster is not memory resident ... no
>CPU or memory load - but keep it updated) The latest version as of this
>writing will prevent installation or prevent the malware from running if
>it is already installed, and it provides information and fixit-links for
>a variety of parasites.
>http://www.wilderssecurity.net/spywareguard.html (Monitors for attempts
>to install malware) Both Very Highly Recommended.
>
>Perhaps these will help.
>
>
>--
>Please respond in the same thread.
>Regards, Jim Byrd, MS-MVP
>
>
>
> In news:b5c501c43766$38712eb0$a101280a@phx.gbl,
>Jen <anonymous@discussions.microsoft.com> typed:
>> I am trying to resolve an issue on spyware/adware on a
>> user's computer. I have updated and run Spybot, Ad-Aware,
>> and CWShredder, and I still get the popups (I have the
>> Google toolbar installed, I didn't like the Yahoo
>> Toolbar). I am out of options. When I run Ad-Aware it
>> stops responding at the registry
>> CLSID /{934A9523-A3CA-4DC5-ADA0DGD95D979421}. This is
>> located in the HKCR\CLSID. This string represents the
>> DirectPlay8Address, and I don't want to delete that as I'm
>> unfamiliar with editing the registry. PLEASE HELP. The
>> user machine is now popping up ads WITHOUT launching the
>> browser. I've never seen this before, and can't find
>> another solution. Thanks!
>>
>> Jen
>
>.
>