Re: ad-w-a-r-e.com

From: Jim Byrd (jrbyrd_at_spamlessadelphia.net)
Date: 10/12/04

    Date: Mon, 11 Oct 2004 22:34:50 -0700
    
    

    Hi Temple and Anon - This was just identified a couple of posts above by
    jgmick as a VX2 variant which can be removed by downloading and updating
    AdAware and then downloading and installing the VX2 plugin for AdAware and
    following the procedures in the read.me for that plugin. Do the following:

    #########IMPORTANT#########
    Before you try to remove spyware using any of the programs below, download
    both a copy of LSPFIX here:

    http://www.cexx.org/lspfix.htm

    AND a copy of Winsockfix
    http://www.tacktech.com/pub/winsockfix/WinsockFix.zip
    Directions here: http://www.tacktech.com/display.cfm?ttid=257

    The process of removing certain malware may kill your internet connection.
    If this should occur, these programs, LSPFIX and WINSOCKFIX, will enable you
    to regain your connection.

    NOTE: It is reported that in XP SP2, the command netsh winsock reset
    will fix this problem without the need for these programs. You can also try
    this if you're on XP SP1. There has also been one, as yet unconfirmed,
    report that this also works there.
    #########IMPORTANT#########

    #########IMPORTANT#########
    Show hidden files and run all of the following removal tools from Safe mode
    when possible. Reboot and test if the malware is fixed after using each
    tool. HOW TO Enable Hidden Files
    http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339
    #########IMPORTANT#########

    Sometimes the tools below will find files which they are unable to delete
    because they are in use. A program called Copylock, here,
    http://noeld.com/programs.asp?cat=misc#CopyLock can aid in the process of
    "replacing, moving, renaming or deleting one or many files which are
    currently in use (e.g. system files like comctl32.dll, or virus/trojan
    files.)" Another is Killbox, here:
    http://download.broadbandmedic.com/Killbox.exe

    Download and run Stinger.exe, here:
    http://download.nai.com/products/mcafee-avert/stinger.exe or from the link
    on this page: http://vil.nai.com/vil/stinger/

    Download sysclean.com , from Trend Micro, here:
    http://www.trendmicro.com/download/dcs.asp along with the latest pattern
    file, here: http://www.trendmicro.com/download/pattern.asp Be sure to read
    the "How-to" info here:
    http://www.trendmicro.com/ftp/products/tsc/readme.txt (You might also want
    to get Art's updater, SYS-UP.Zip, here for future updating of these:
    http://home.epix.net/~artnpeg/). (If you download and use the updater from
    the beginning, it will automatically handle downloading the other files.)
    Place them in a dedicated folder after appropriate unzipping. Show hidden
    and system files (HowTo here:
    http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339)
    Disable Restore if you're on XP or ME (directions here:
    http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm), then boot to
    Safe mode (HowTo here:
    http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406)
    Do a complete scan of your system in Safe mode and clean or delete anything
    it finds. Reboot to normal mode and re-run the scan again.

    This scan may take a long time, as Sysclean is VERY extensive and thorough.
    For example, one user reported that Sysclean found 69 hits that an
    immediately prior Norton AV v. 11.0.2.4 run had missed.

    Get Ad-Aware SE Personal Edition, here:
    http://www.lavasoftusa.com/support/download/. UPDATE, set it up in
    accordance with this: http://forum.aumha.org/viewtopic.php?t=5877 or the
    directions immediately below and run this regularly to get rid of most
    "spyware/hijackware" on your machine. If it has to fix things, be sure to
    re-boot and rerun AdAware again and repeat this cycle until you get a clean
    scan. The reason is that it may have to remove things which are currently
    "in use" before it can then clean up others. Configure Ad-aware for a
    customized scan, and let it remove any bad files found.....

    <Begin Setup Directions>
    Then, courtesy of NonSuch at Lockergnome, open Ad-aware then click the gear
    wheel at the top and check these options to configure Ad-aware for a
    customized scan:

    General> activate these: "Automatically save log-file" and "Automatically
    quarantine objects prior to removal"

    Scanning > activate these: "Scan within archives", "Scan active processes",
    "Scan registry", "Deep scan registry," "Scan my IE Favorites for banned
    sites," and "Scan my Hosts file"

    Tweaks > Scanning Engine> activate this: "Unload recognized processes during
    scanning."

    Tweaks > Cleaning Engine: activate these: "Automatically try to unregister
    objects prior to deletion" and "Let Windows remove files in use after
    reboot."

    Click "Proceed" to save your settings, then click "Start." Make sure
    "Activate in-depth scan" is ticked green, then scan your system. When the
    scan is finished, the screen will tell you if anything has been found, click
    "Next." The bad files will be listed. Right click the pane and click "Select
    all objects" - This will put a check mark in the box at the side, click
    "Next" again and click "OK" at the prompt "# objects will be removed.
    Continue?"
    <End Setup Directions>

    Courtesy of http://www.nondisputandum.com/html/anti_spyware.html: HINT: If
    Ad Aware is automatically shut down by malicious software, first run
    AAWCloak.exe, http://www.lavasoftnews.com/downloads/AAWCloak.exe, before
    opening Ad Aware. When AAWCloak is open, click "Activate Cloak". Then open
    Ad Aware and scan your system.

    Now go here, read carefully and download and run the VX2 plugin for AdAware
    according to the directions:
    http://www.lavasoftusa.com/software/addons/vx2cleaner.shtml

    However, this also indicates that you may have acquired some other malware
    along the way. If you go to this page at Jim Eshelman's site, here:
    http://aumha.org/a/noads.htm and wait a little bit (be patient), an analysis
    of a number of possible parasites on your machine will be made to help you
    identify and remove them. NOTE: You will need to disable Ad Blocking in Zone
    Alarm 3.x or later, if present or any other Ad Blocking software which
    interferes with Java Scripting for this scan to work. You should get a
    message between the two lines of **** giving the results of the scan.

    Once you get this cleaned up, you might want to consider installing Eric
    Howes' IE-SpyAds, SpywareBlaster and SpywareGuard here to help prevent this
    kind of thing from happening in the future:

    IESpyads - https://netfiles.uiuc.edu/ehowes/www/resource.htm "IE-SPYAD adds
    a long list of sites and domains associated with known advertisers,
    marketers, and crapware pushers to the Restricted sites zone of Internet
    Explorer. Once you merge this list of sites and domains into the Registry,
    the web sites for these companies will not be able to use cookies, ActiveX
    controls, Java applets, or scripting to compromise your privacy or your PC
    while you surf the Net. Nor will they be able to use your browser to push
    unwanted pop-ups, cookies, or auto-installing programs on your PC." Read
    carefully.

    http://www.javacoolsoftware.com/spywareblaster.html (Prevents malware Active
    X installs) (BTW, SpyWareBlaster is not memory resident ... no CPU or memory
    load - but keep it UPDATED) The latest version as of this writing will
    prevent installation or prevent the malware from running if it is already
    installed, and it provides information and fixit-links for a variety of
    parasites.

    http://www.javacoolsoftware.com/spywareguard.html (Monitors for attempts to
    install malware) Keep it UPDATED. All three Very Highly Recommended.

    Next, install and keep updated a good HOSTS file. It can help you avoid
    most adware/malware. See here: http://www.mvps.org/winhelp2002/hosts.htm
    (Be sure it's named/renamed HOSTS - all caps, no extension) Additional
    tutorials here:
    http://www.bleepingcomputer.com/forums/index.php?s=14f3f9225081133297a8acdd11137c5b&showtutorial=51
    (detailed) and here: http://www.spywarewarrior.com/viewtopic.php?t=410
    (overview)

    Finally, be sure that you have a good hardware or software firewall and an
    AntiVirus installed, and bring your OS up-to-date with ALL Critical updates
    from Windows Update.

    -- 
    Please respond in the same thread.
    Regards, Jim Byrd, MS-MVP
    In news:021401c4b009$44a00af0$a601280a@phx.gbl,
    anonymous@discussions.microsoft.com <anonymous@discussions.microsoft.com>
    typed:
    > Help I'm suffering too, I'd like to callback RON and tell
    > him where to go....
    >> -----Original Message-----
    >> I have this same problem, does anyone have a cure?
    >> Subject:  ad-w-a-r-e pest
    >> From:  "temple" <templemathews@yahoo.com> Sent:
    >> 10/6/2004 5:01:17 PM
    >>
    >>
    >>
    >>
    >> I am currently infected with something. Here's the URL.
    >> Anyone know how to get rid of it?
    >>
    >> http://www.ad-w-a-r-e.com/callback_ron.php?GUID={7E888C61-
    >> 1779-11D9-9269-0050BA4C7067}&country=US&type=
    >> ..
    >>
    >>
    >> .
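
Added example, not part of the original post or of any tool it links to: a small Python audit of HOSTS file content, following the advice above to keep a good HOSTS file and to have Ad-Aware scan it. It checks that chosen domains are mapped to a local sink address and lists any name mapped elsewhere; the sample file content, the `example.test` names and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample HOSTS content (not taken from any real machine).
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1   localhost
127.0.0.1   www.ad-w-a-r-e.com   ad-w-a-r-e.com  # blocked
0.0.0.0     ads.example.test
203.0.113.7 update.example.test   # mapped to a non-local address
not-an-ip   broken.example.test
"""

def parse_hosts(text):
    """Return {hostname: ip_address} for every well-formed line."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                          # address with no hostname
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                          # malformed address: skip line
        for name in fields[1:]:
            # Keep the first mapping seen for a name.
            mapping.setdefault(name.lower(), addr)
    return mapping

def is_sink(addr):
    """True for addresses a blocking HOSTS file uses (127.x.x.x, 0.0.0.0, ::1, ::)."""
    return addr.is_loopback or addr.is_unspecified

def audit_hosts(text, must_block):
    """Report which required domains are blocked or missing, and list
    every entry that points at a non-local address for manual review."""
    mapping = parse_hosts(text)
    report = {"blocked": [], "missing": [], "redirected": []}
    for name in must_block:
        addr = mapping.get(name.lower())
        if addr is None:
            report["missing"].append(name)
        elif is_sink(addr):
            report["blocked"].append(name)
    for name, addr in mapping.items():
        if not is_sink(addr):
            report["redirected"].append((name, str(addr)))
    return report
```

On a real machine, pass the text of the HOSTS file in place of `SAMPLE_HOSTS`; entries under `redirected` are not necessarily malicious, but each one should be a mapping you recognize.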
    
