Two days of hell ... trojan horse probs

[Cameraken]

Glad to see you are up and running again Craig.

I installed Hoster and the Host files recommended by Gary (Thanks Gary) But when I run Spybot I get ‘Windows Redirected Hosts’ Showing like it is a problem?

Why does Spybot want to ‘repair’ these? Surely Spybot should see these as safe?

This only happens on one of my PC’s (Running ME)

Just wondered if anyone else gets this?

I use ERUNT to backup my registry. It’s great, and much better that using XP’s.


Ken.

[Gary Richardson]

When you install Spybot, it creates a copy of your registry which it uses as a benchmark. Any alterations to this "template" have to be "allowed" by you.

So it sees the addition of a hosts file as a large alteration to your registry that hasn't been "allowed".

Uninstall Spybot, then re-install it. As you already have your hosts file in place, Spybot should "accept" it.

Note: Each time you update your Hosts file, Spybot should prompt you to allow the alterations, you must allow them, or forever and a day you will be told they are malicious, note you only get one shot at allowing them.

If you don't want to go through uninstalling and re-installing, try the following.

Open a new Notepad file (must be Notepad NOT wordpad). Make sure Format > Wordwrap is not checked.

Copy and paste the text in the box into it.

Quote:

@echo off

VER|find "Windows 2000">NUL
IF NOT ERRORLEVEL 1 GOTO NT

VER|find "Windows XP">NUL
IF NOT ERRORLEVEL 1 GOTO NT

VER|find "Windows 95">NUL
IF NOT ERRORLEVEL 1 GOTO win

VER|find "Windows 98">NUL
IF NOT ERRORLEVEL 1 GOTO win

VER|find "Windows Millennium">NUL
IF NOT ERRORLEVEL 1 GOTO winme

VER|find "Windows 2003">NUL
IF NOT ERRORLEVEL 1 GOTO NT

echo Unsupported Version
goto last

:NT
del /q %SYSTEMDRIVE%\docume~1\alluse~1\applic~1\spybot~1\Snapshots\*.*
del /q %SYSTEMDRIVE%\docume~1\alluse~1\applic~1\spybot~1\excludes\RegKeyWhite.sbe
del /q %SYSTEMDRIVE%\docume~1\alluse~1\applic~1\spybot~1\excludes\RegKeyblack.sbe
del /q %SYSTEMDRIVE%\docume~1\alluse~1\applic~1\spybot~1\excludes\ProcWhite.sbe
del /q %SYSTEMDRIVE%\docume~1\alluse~1\applic~1\spybot~1\excludes\ProcBlack.sbe
del /q %SYSTEMDRIVE%\docume~1\alluse~1\applic~1\spybot~1\logs\resident.log
del /q %SYSTEMDRIVE%\docume~1\alluse~1\applic~1\spybot~1\excludes\UpdateDL.sbe
exit

:win
deltree /y %WINDIR%\applic~1\spybot~1\snapshots\*.*
del %WINDIR%\applic~1\spybot~1\logs\resident.log
del %WINDIR%\applic~1\spybot~1\excludes\ProcBlack.sbe
del %WINDIR%\applic~1\spybot~1\excludes\ProcWhite.sbe
del %WINDIR%\applic~1\spybot~1\excludes\RegKeyWhite.sbe
del %WINDIR%\applic~1\spybot~1\excludes\RegKeyBlack.sbe
del %WINDIR%\applic~1\spybot~1\excludes\UpdateDL.sbe
exit

:winme
del /y %WINDIR%\alluse~1\applic~1\spybot~1\snapshots\*.*
del %WINDIR%\alluse~1\applic~1\spybot~1\excludes\UpdateDL.sbe
del %WINDIR%\alluse~1\applic~1\spybot~1\excludes\RegKeyWhite.sbe
del %WINDIR%\alluse~1\applic~1\spybot~1\excludes\RegKeyblack.sbe
del %WINDIR%\alluse~1\applic~1\spybot~1\excludes\ProcWhite.sbe
del %WINDIR%\alluse~1\applic~1\spybot~1\excludes\ProcBlack.sbe
del %WINDIR%\alluse~1\applic~1\spybot~1\logs\resident.log
exit

:last
echo Press any key to terminate,..
pause
exit

Save as ResetTeaTimer.bat save as file type "All Files" NOT txt. Somewhere where you can find it.

Double click on ResetTeaTimer.bat to run the programme and reset Spybot's Tea Timer. Should cure the problem. If not Uninstall and re-install as previously stated.

[Bob Mc]

Thanks Gary, Craig, C.J., Nancy, Ikroll and others for the great information that you shared. I’m in awe at your technical knowledge and the help that you have provided.

Until I spent some time on this thread, I would have told you that I practiced very safe computing – but now I’m not so sure.

I’ve virtually spent all day today reading and rereading the posts, looking at various security sites and sites that provided tools to minimize the threat. Now, I’m really confused!

What I’d like to ask of you folks – who have great knowledge of the types of tools necessary to minimize the surfing risk – is to help the rest of us (probably the majority of us) to understand…
a- the types of tools available for each of the different risks and,
b- some suggestions for the tools (brands) that are most effective

(Yes I know that there will be many opinions about individual products – but when you are experienced in dealing with this stuff, opinions/impressions are very important)

I read somewhere that there are over 150 different brands of antivirus software available – and probably a like number of spyware detection tools as well – and it’s clear from the experiences in this thread none of them were the end-all and be-all.

In my instance I use the following:

Firewall – ZoneAlarm Pro - (to alert me to programs/processes trying to get into my computer or trying to send something out from my computer)

Virus Protection – Norton SystemWorks

General System Checkup – Norton One Button Checkup (finds and repairs Registry inconsistencies, bad shortcuts, identifies cleanup items, etc

Registry Analysis - Norton One Button Checkup and Registry Mechanic (I’m very paranoid about the Registry and the garbage that can accumulate there – and the risk of destructive programs that can be placed there without my knowing)

Spyware & Adware – Microsoft Antispyware, Ad-Adware, Spybot Search & Destroy (one program simply doesn’t identify all of this kind of Krap)

StartUp programs – Startup Control Panel (by Mike Lin) (Every program in the world wants to startup when the pc is turned on. This program identifies the request {to change the Registry} and allows me to decide. However, this program is a couple of years old and I wonder if it catches all the newer sophisticated start up situations) I also use msconfig

Cookie Control – Cookie Pal v 1.7 – allows me to easily see and delete cookies I know I don’t want (like ad oriented stuff) – Handles IE6, Netscape and Opera. Hasn’t been upgraded for a few years, but seems to give me the visibility I want.

? My basic question here is whether I’m covering all my bases with the robustness needed as these malicious intrusions get more sophisticated?

? Am I using the “best” tool to see all proposed Registry changes before they are allowed?

? Does “Startuplist” from Merijn.org identify more startup processes/programs than an older program?

? Will WinPatrol Plus provide additional protection for startup programs and/or unwanted Registry entries?

I know that multiple spyware removers seem to add to my protection – but does the “overlapping” functionality of stuff like Norton, Registry Mechanic, Winpatrol Plus, etc. cause more problems than they solve?

I do know that my browser – internet explorer – doesn’t have the tightest security options (yet) and I will have to bite that bullet to use the “Trusted zone” more – or change to another browser.

=================

For those that are interested, the following link give a lot of information about making IE less vulnerable.

http://www.spywarewarrior.com/uiuc/b...-opts.htm#summ


Lots of questions here and probably even more that I’m not smart enough to even ask about – but I hope you can help me improve some – and maybe my list of protections can provide others a starting point.

Thanks and Regards

Bob Mc

[Cameraken]

Thank You Gary.

I will try that when I go back to work after Easter.
I added the Host file to two PC’s last November (After your suggestions)
I added Spybot to both PC’s this week (I normally just use Adaware)

It’s just one PC running WinME that complained about these six entries out of over 1800.

Ken.

[Gary Richardson]

Hi Bob Mc,

If you read my earlier post to Craig, that should give you a list of things to do and install which will give you a pretty secure level of protection.

As an addition, I'll say this.

There are a great many "bogus" malware scanners available, some are even malicious in intent, so be careful what you install to your machine.

For a list of "Rogue" programmes, see http://www.spywarewarrior.com/rogue_...e.htm#products