
How to remove BackDoor.SdBot.MYX (oo.exe, newdotnet)

You may want to print out or make a copy of these instructions before starting, because you will not be able to connect to the internet during most of this fix.

Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found: NewDotNet

Then, using Windows Explorer, delete the following folders:
C:\Program Files\NewDotNet
C:\Program Files\MsMovies

Download LSPFix from here and run the program.
Disconnect from the Internet and close all Internet Explorer windows.
Check the “I know what I’m doing” box, move all instances of newdotnet7_14.dll from the left panel to the right panel, then click ‘Finish’. NewDotNet installs itself as a Winsock Layered Service Provider; if its DLL is deleted while it is still registered in the LSP chain, Winsock breaks and nothing on the machine can connect, so the chain has to be repaired here even though the folder above may already be gone.

Download HijackThis and save the file to your desktop.
Double-click the file to extract it to its own folder on the desktop.

Download Alcan.zip and unzip it to your desktop.
# Reboot into Safe Mode
1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the first option, to run Windows in Safe Mode.
# Enter the AlcanFix folder and double-click AlcanFix.bat to run the tool.

Now you need to run HijackThis and click “Do a system scan only.” Place a check next to the following entries (if they are still there):

O2 – BHO: – {2BAF9250-30AF-4235-80FA-22FB05997124} – C:\WINDOWS\lbbho.dll
O2 – BHO: RXResultTracker Class – {59879FA4-4790-461c-A1CC-4EC4DE4CA483} – C:\PROGRA~1\RXTOOL~1\sfcont.dll (file missing)
O2 – BHO: URLLink – {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} – C:\Program Files\NewDotNet\newdotnet7_14.dll
O4 – HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 – HKLM\..\Run: [MsMovies] C:\Program Files\MsMovies\MsMovies.exe /auto
O4 – HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 – HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,ClientStartup -s
O4 – HKCU\..\Run: [Microsoft Works Update Detection] ???\WkDetect.exe
O18 – Filter: text/html – {2AB289AE-4B90-4281-B2AE-1F4BB034B647} – C:\PROGRA~1\RXTOOL~1\sfcont.dll

Now close all browser and other windows except for HijackThis, and click “Fix Checked” to have HijackThis fix the entries you checked.

Finally, restart your computer normally and run a full scan with your antivirus.

Also download and run ATF Cleaner.
Under Main choose: Select All. Click the Empty Selected button.

January 31, 2006 on 11:58 pm | In Tutorials - HowTo | No Comments |


How to remove AdwarePunisher – rogue anti spyware

AdwarePunisher – rogue antispyware (1, 2)
uses a flawed, inadequate detection scheme; it is the same application as AdwareBazooka, HitSpy, RemedyAntiSpy, SystemStable and The SpyGuard.

You may want to print out or make a copy of these instructions before starting, because you will not be able to connect to the internet during most of this fix.

Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found: AdwarePunisher

Then using Windows Explorer, delete the following folder: C:\Program Files\AdwarePunisher

Download HijackThis and save the file to your desktop.
Double-click the file to extract it to its own folder on the desktop.

Download Killbox and unzip to your desktop.

Next, Download, install, and update the free version of Ewido trojan scanner:

1. When installing, under “Additional Options” uncheck “Install background guard” and “Install scan via context menu”.
2. Run Ewido — When you run it for the first time, you may get a warning “Database could not be found!”. Click OK. We will fix this in a moment.
3. From the main ewido screen, click on update in the left menu, then click the Start update button.
4. Wait for the update to finish (the status bar at the bottom will display “Update successful”).
5. Exit Ewido. DO NOT scan yet.

If you cannot download the Ewido trojan scanner (a hijacked hosts file is a common reason security sites fail to load), download and run HOSTER.ZIP:

Unpack hoster.zip and run the program.
Press ‘Restore Original Hosts’ and press ‘OK’.
Exit the program.

If you do not already have Ad-Aware SE installed, follow these download and setup instructions. Also check for updates.

Again, do NOT run a scan yet.

Next, please reboot your computer in Safe Mode by doing the following:

1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the first option, to run Windows in Safe Mode.

Now you need to run HijackThis and click “Do a system scan only.” Place a check next to the following entries (if they are still there):


R0 – HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 – HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 – HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
F2 – REG:system.ini: Shell=explorer.exe “c:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe”
O2 – BHO: winapi32.MyBHO – {B439D5EB-0A61-4ED9-8C8F-EC4148BB23F7} – C:\WINDOWS\System32\winapi32.dll
O4 – HKLM\..\Run: [winsysupd] C:\windows\winsysupd4.exe
O4 – HKLM\..\Run: [winsysban] C:\windows\winsysban4.exe
O4 – HKLM\..\Run: [myupdates] c:\windows\myupdates.exe
O4 – HKLM\..\RunServices: [Microsoft System Checkup] wnetlogin.exe
O4 – HKLM\..\Run: [Win32.Exploit.A] C:\WINDOWS\system32\exa32.exe

Delete these files (if a file cannot be deleted, try KillBox). Substitute your real Windows directory if it is not C:\WINDOWS:

c:\WINDOWS\loadadv728.exe
c:\WINDOWS\loader138.exe
c:\WINDOWS\SYSTEM32\iasada.dll
c:\WINDOWS\temp.000.exe
c:\WINDOWS\SYSTEM32\intxt.exe
c:\WINDOWS\SYSTEM32\mswinb32.dll
c:\WINDOWS\SYSTEM32\mswinb32.exe
c:\WINDOWS\SYSTEM32\shell386.exe
C:\WINDOWS\System32\winapi32.dll
c:\WINDOWS\is-6QGD9.exe
C:\windows\winsysupd4.exe
C:\windows\winsysban4.exe
c:\windows\myupdates.exe
c:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe

Now close all browser and other windows except for HijackThis, and click “Fix Checked” to have HijackThis fix the entries you checked.
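Both removal posts above (BackDoor.SdBot.MYX and AdwarePunisher) come down to reading a HijackThis scan for a handful of entry types and picking out the bad ones. The following Python script is an added example, not part of either post and not a HijackThis tool: it parses lines in the log format HijackThis prints (R0/R1/F2/O2/O4/O18), pulls out CLSIDs and executable names, matches them against the indicators listed in the two posts, and applies three generic checks that need no indicator list at all (a system.ini Shell= naming anything besides explorer.exe, a proxy auto-config URL pointing at localhost, and a RunServices autostart). The sample log is constructed from lines quoted in the posts. The dumprep entries (UserFaultCheck/KernelFaultCheck) are Windows XP's own crash-dump reporting, harmless either way, so the script does not flag them.

```python
import re
from collections import namedtuple

# HijackThis writes " - " between fields; this page's copy renders it as " – " (en dash).
SEP = re.compile(r"\s+[-\u2013]\s+")
CLSID_RE = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.I)
BINARY_RE = re.compile(r"[\w~$.-]+\.(?:dll|exe)", re.I)

# Indicators copied from the two removal posts above: file names and CLSIDs of the entries
# they tell you to fix.  WkDetect.exe is included only because the post lists it.
LISTED_FILES = {
    "lbbho.dll", "sfcont.dll", "newdotnet7_14.dll", "newdot~1.dll", "msmovies.exe",
    "wkdetect.exe", "ibm00001.exe", "winapi32.dll", "winsysupd4.exe", "winsysban4.exe",
    "myupdates.exe", "wnetlogin.exe", "exa32.exe",
}
LISTED_CLSIDS = {
    "{2BAF9250-30AF-4235-80FA-22FB05997124}", "{59879FA4-4790-461C-A1CC-4EC4DE4CA483}",
    "{4A2AACF3-ADF6-11D5-98A9-00E018981B9E}", "{2AB289AE-4B90-4281-B2AE-1F4BB034B647}",
    "{B439D5EB-0A61-4ED9-8C8F-EC4148BB23F7}",
}

Entry = namedtuple("Entry", "kind text clsids binaries reasons")

def parse_entry(line):
    """Split one HijackThis line into its type (R0, O2, O4 ...) and the indicators it contains."""
    line = line.strip()
    parts = SEP.split(line, maxsplit=1)
    kind, body = parts[0], (parts[1] if len(parts) > 1 else "")
    clsids = [c.upper() for c in CLSID_RE.findall(body)]
    binaries = [b.lower() for b in BINARY_RE.findall(body)]
    low = body.lower()
    reasons = ["listed CLSID " + c for c in clsids if c in LISTED_CLSIDS]
    reasons += ["listed file " + b for b in binaries if b in LISTED_FILES]
    # Generic checks that do not depend on the indicator lists.
    if kind == "F2" and "shell=" in low:
        # system.ini Shell= should name explorer.exe and nothing else; any extra program
        # starts together with the desktop, before any on-demand scanner is run.
        extra = [b for b in binaries if b != "explorer.exe"]
        if extra:
            reasons.append("extra shell executable " + ", ".join(extra))
    if kind == "R1" and "autoconfigurl" in low and "localhost" in low:
        # A proxy auto-config script served from the machine itself routes every
        # browser request through whatever is listening on that port.
        reasons.append("proxy auto-config script served from localhost")
    if kind == "O4" and "runservices" in low:
        reasons.append("RunServices autostart key")
    return Entry(kind, line, clsids, binaries, reasons)

def suspicious_entries(log_text):
    """Return the entries worth checking in HijackThis before clicking Fix Checked."""
    entries = (parse_entry(l) for l in log_text.splitlines() if l.strip())
    return [e for e in entries if e.reasons]

# Constructed sample: lines taken from the two posts above, with " - " as HijackThis writes it.
SAMPLE_LOG = r"""
O2 - BHO: - {2BAF9250-30AF-4235-80FA-22FB05997124} - C:\WINDOWS\lbbho.dll
O2 - BHO: RXResultTracker Class - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} - C:\PROGRA~1\RXTOOL~1\sfcont.dll (file missing)
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,ClientStartup -s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
F2 - REG:system.ini: Shell=explorer.exe "c:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKLM\..\RunServices: [Microsoft System Checkup] wnetlogin.exe
O4 - HKLM\..\Run: [Win32.Exploit.A] C:\WINDOWS\system32\exa32.exe
"""

if __name__ == "__main__":
    for e in suspicious_entries(SAMPLE_LOG):
        print(e.kind, "|", "; ".join(e.reasons), "|", e.text[:70])
```

Paste a saved HijackThis log in place of SAMPLE_LOG to get the same triage on a real machine; the generic checks are the ones worth keeping once the specific file names in these posts have gone stale.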

Next, run Ad-aware and perform a full scan. Remove everything found.

Run Ewido

1. Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.
2. If Ewido finds anything, it will pop up a notification. Please select “clean” and check the boxes “Perform action with all infections” and “Create encrypted backup” before clicking on OK.
3. When the scan finishes, click on “Save Report”. This will create a text file. Make sure you know where to find this file again.

Finally, restart your computer normally.

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser

Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

January 31, 2006 on 11:24 pm | In Malware removal, Tutorials - HowTo | 5 Comments |


Winamp 5.13 released

Nullsoft have released Winamp 5.13 in response to the critical playlist vulnerability (see “Winamp Remote Code Execution” below), for which a public exploit exists.

Update Winamp as soon as possible.

Download it from here.

January 31, 2006 on 10:27 pm | In Critical patch | No Comments |


Malware Domain List – Updated

Bleeding Snort released an updated list of known malware-related domains yesterday, up to 9,400 entries now! For those of you employing DNS black holes, proxy-based filtering, or doing other general research of malware based on domains, you should check out this exhaustive (and exhausting!) new list. I frequently rely on this list to match against when doing research of spyware and related nasties.
Thanks to the Bleeding Snort guys for their hard work.
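For readers who want to turn a domain list like this one into a DNS black hole, here is an added Python example (not from Bleeding Snort or this blog) that loads a one-domain-per-line list, validates each name so a typo cannot poison the resolver, answers the “is this host covered?” question including parent-domain matches, and renders the list both as a hosts file and as dnsmasq address= lines. The sample list is constructed; the domain names in it are placeholders.

```python
import re

LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

def normalize(domain):
    """Lower-case a host name and strip a trailing dot; return None if it is not a valid host name."""
    d = domain.strip().lower().rstrip(".")
    if not d or len(d) > 253:
        return None
    labels = d.split(".")
    if len(labels) < 2 or not all(LABEL_RE.match(label) for label in labels):
        return None
    return d

def load_list(text):
    """Parse one domain per line.  '#' comments, blank lines and a leading 'IP domain'
    hosts-file column are tolerated; invalid names are dropped rather than sent to the resolver."""
    blocked = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            d = normalize(line.split()[-1])
            if d:
                blocked.add(d)
    return blocked

def is_blocked(host, blocked):
    """True if host or any parent domain is listed: cdn.evil.example is caught by evil.example.
    The bare TLD is never consulted, and a one-label entry is rejected by normalize()."""
    h = normalize(host)
    if h is None:
        return False
    labels = h.split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels) - 1))

def to_hosts_file(blocked, sink="0.0.0.0"):
    """Render a hosts-file black hole.  Hosts entries are exact matches only, so this
    catches the listed names but not their subdomains."""
    return "".join(f"{sink} {d}\n" for d in sorted(blocked))

def to_dnsmasq(blocked, sink="0.0.0.0"):
    """Render the same list for dnsmasq; address=/domain/ip also answers for every subdomain."""
    return "".join(f"address=/{d}/{sink}\n" for d in sorted(blocked))

# Constructed sample list (placeholder names), in the mixed styles such lists arrive in.
SAMPLE_LIST = """evil.example
bad.test   # seen in spam runs
127.0.0.1 hosts-style.example
# comment only
not a domain

"""

if __name__ == "__main__":
    blocked = load_list(SAMPLE_LIST)
    print(to_hosts_file(blocked))
    print(to_dnsmasq(blocked))
    print("cdn.evil.example blocked:", is_blocked("cdn.evil.example", blocked))
```

Feed the real list to load_list() instead of SAMPLE_LIST; the hosts-file output is the quick fix for a single PC, the dnsmasq output is the one to use on a gateway, since it also covers the subdomains a hosts file misses.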

January 31, 2006 on 10:14 pm | In Malware removal, Updates | No Comments |


First reports of Nyxem damage

The destructive deadline of the Nyxem.E worm is based on the clock of the infected machine. So if you’re infected and your clock is not set right, things could start to happen at any time, even though the official activation time is the 3rd of the month. F-Secure has already received the first reports from users who’ve had files on their system overwritten by the worm.

When Nyxem activates, it will overwrite all of your DOC/XLS/PPT/ZIP/RAR/PDF/MDB files. This is nasty, as this is done on all mounted drives, ie. any drive that has a drive letter. So it might affect your USB thumb drives, external hard drives and network drives! Also, if you’re taking daily automatic backups you might end up backing up the corrupted files over good files.
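A file the worm has overwritten keeps its extension but no longer starts with the bytes its format requires, and that is checkable before a scheduled backup runs. The following Python is an added example, not from F-Secure or this post: it walks a drive or share, compares the first bytes of each DOC/XLS/PPT/MDB/ZIP/RAR/PDF file against the well-known signatures for those formats, and refuses to let a backup proceed if more than a small fraction of them are damaged. The 2% threshold is an assumption to tune; the signature table is the standard one for those formats, and a .doc that is really RTF is accepted too.

```python
import os

# The file types the post says Nyxem.E overwrites, with the bytes a genuine file of that type
# starts with.  .doc/.xls/.ppt (Office 97-2003) are OLE2 compound documents; .doc may also be
# RTF saved under that extension.  A file of one of these types that no longer starts with
# one of these headers has been replaced, whether by the worm or by something else.
MAGIC = {
    ".doc": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", b"{\\rtf"),
    ".xls": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",),
    ".ppt": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",),
    ".mdb": (b"\x00\x01\x00\x00Standard Jet DB",),
    ".zip": (b"PK\x03\x04", b"PK\x05\x06"),               # local file header, or an empty archive
    ".rar": (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00"),  # RAR 1.5-4.x, RAR 5
    ".pdf": (b"%PDF-",),
}

def check_file(path):
    """'ok', 'empty' or 'header-mismatch' for a tracked extension; 'untracked' otherwise."""
    ext = os.path.splitext(path)[1].lower()
    if ext not in MAGIC:
        return "untracked"
    with open(path, "rb") as f:
        head = f.read(32)
    if not head:
        return "empty"
    return "ok" if any(head.startswith(sig) for sig in MAGIC[ext]) else "header-mismatch"

def scan_tree(root):
    """Walk root and return (number of tracked files, {path: verdict} for the damaged ones)."""
    tracked, bad = 0, {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            verdict = check_file(path)
            if verdict == "untracked":
                continue
            tracked += 1
            if verdict != "ok":
                bad[path] = verdict
    return tracked, bad

def backup_preflight(root, max_bad_fraction=0.02):
    """Gate a backup job on the scan: refuse to run if more than max_bad_fraction of the
    tracked documents under root are damaged, so a rotating backup does not replace the
    last good copies with overwritten ones (the failure mode the post warns about).
    The 2% default is an assumption; tune it to the share being backed up."""
    tracked, bad = scan_tree(root)
    if tracked == 0:
        return True
    return len(bad) / tracked <= max_bad_fraction

if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    tracked, bad = scan_tree(root)
    for path, verdict in sorted(bad.items()):
        print(verdict, path)
    print(f"{len(bad)} of {tracked} tracked files damaged; backup allowed: {backup_preflight(root)}")
```

Run it against every drive letter and mapped share before the backup job, and against the backup set afterwards; a header check is cheap enough to run daily, and it catches the case the post describes, where the damage is already in yesterday's backup.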

The number of machines that have been hit by this worm is over 300,000. Many of those have been disinfected already, though. But thousands of computers will get their files overwritten on February 3rd – most of them in India, Turkey and Peru.

This worm family has been around since March 2004. The worm is named “Nyxem” because the original Nyxem.A variant launched a DDoS attack against the New York Mercantile Exchange website (www.nymex.com). We don’t know why.

See the removal how-to, or download the free removal tool from F-Secure.

January 31, 2006 on 10:10 pm | In Virus | No Comments |


ActiveX Blocklist Release 2006-01-30

This version of the SpywareGuide.com ActiveX blockfile contains 3762 items and inoculates Internet Explorer against 375 different spyware and malware products.
Tired of spyware and adware being installed through ActiveX but don't want to lose the functionality? Spyware-Guide.com has created a system that blocks all known “bad” ActiveX controls from running inside Internet Explorer by setting the “kill bit”: a flag (0x400) in the Compatibility Flags value under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}, which tells Internet Explorer never to instantiate that control. The best part is that this needs no program running on your PC, not even an installer for the block list itself.

All you need to do is download the small registry file below (right-click, choose “Save As…”) and then double-click it to merge it into the registry and activate the protection.

- Download Basic Registry File
- Download Experts Package
- View Additional Information
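For readers who want to build or audit such a block list themselves, here is an added Python example, not SpywareGuide's own code: it renders a .reg file that sets the kill bit (0x400 in Compatibility Flags) for a set of CLSIDs, OR-ing it into any flags a control already has, and parses such a file back so a downloaded list can be checked before it is merged. The CLSIDs in the usage are the ones from the HijackThis entries earlier on this page. Regedit expects version 5.00 files as UTF-16 with a byte-order mark, so write the returned text with encoding="utf-16".

```python
import re

KILL_BIT = 0x400   # COMPAT_EVIL_DONT_LOAD: Internet Explorer will not instantiate the control
COMPAT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
CLSID_RE = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$")

def normalize_clsid(clsid):
    """Upper-case and brace a CLSID; reject anything that is not one, because regedit would
    silently create a useless key for a malformed name instead of blocking anything."""
    c = clsid.strip().upper()
    if not c.startswith("{"):
        c = "{" + c + "}"
    if not CLSID_RE.match(c):
        raise ValueError("not a CLSID: " + clsid)
    return c

def killbit_reg(clsids, existing_flags=None):
    """Render a .reg file that kill-bits every CLSID.  existing_flags maps normalized CLSID ->
    current Compatibility Flags value, so bits already set on a control are kept (OR, not overwrite)."""
    existing_flags = existing_flags or {}
    lines = ["Windows Registry Editor Version 5.00", ""]
    for c in sorted({normalize_clsid(x) for x in clsids}):
        flags = existing_flags.get(c, 0) | KILL_BIT
        lines += [f"[{COMPAT_KEY}\\{c}]", f'"Compatibility Flags"=dword:{flags:08x}', ""]
    return "\r\n".join(lines)

def is_killbitted(flags):
    """True if the kill bit is set in a Compatibility Flags value."""
    return bool(flags & KILL_BIT)

_KEY_RE = re.compile(r"^\[" + re.escape(COMPAT_KEY) + r"\\(\{[^}]+\})\]$", re.I)
_VAL_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9a-f]{8})$', re.I)

def parse_reg(text):
    """Read {CLSID: flags} back out of a .reg file in this format, e.g. to audit a downloaded
    block list before importing it."""
    out, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1).upper()
            continue
        m = _VAL_RE.match(line)
        if m and current:
            out[current] = int(m.group(1), 16)
    return out

if __name__ == "__main__":
    # CLSIDs of the BHO and MIME-filter entries listed in the removal posts on this page.
    reg_text = killbit_reg([
        "{2BAF9250-30AF-4235-80FA-22FB05997124}",
        "{59879FA4-4790-461c-A1CC-4EC4DE4CA483}",
        "{4A2AACF3-ADF6-11D5-98A9-00E018981B9E}",
        "{2AB289AE-4B90-4281-B2AE-1F4BB034B647}",
        "{B439D5EB-0A61-4ED9-8C8F-EC4148BB23F7}",
    ])
    print(reg_text)
    for clsid, flags in parse_reg(reg_text).items():
        print(clsid, hex(flags), "kill bit set" if is_killbitted(flags) else "NOT set")
```

The OR step matters when a control already has other compatibility flags set: importing a plain dword:00000400 over it would clear them. Read the current value from the registry (or from an exported .reg via parse_reg) and pass it as existing_flags.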

January 31, 2006 on 6:29 am | In Updates | No Comments |


Winamp Remote Code Execution

The vulnerability is caused by a boundary error in the handling of filenames that include a computer name. It can be exploited to cause a buffer overflow via a specially crafted playlist containing a filename that starts with an overly long computer name (about 1040 bytes).

Successful exploitation allows execution of arbitrary code on a user’s system when e.g. a malicious website is visited.

The vulnerability has been confirmed in version 5.12. Other versions may also be affected.

NOTE: An exploit is publicly available.

Until Nullsoft ships a fix, stop using Winamp or switch to another player.
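A playlist entry whose computer name runs to a thousand bytes is not a path any player could open, and that is easy to check on the way in, whatever player is installed. The following Python is an added example, not an exploit and not Nullsoft's code: it reads M3U and PLS playlists and flags entries whose UNC host name is longer than any legal host name (253 characters for DNS; NetBIOS names are only 15) or whose total length exceeds MAX_PATH. The sample playlist is constructed; the 1040-byte host name mirrors the size quoted in the advisory.

```python
import re

UNC_HOST_RE = re.compile(r"^\\\\([^\\/]+)")   # \\computername\share\track.mp3
MAX_HOSTNAME = 253   # longest possible DNS name; NetBIOS names are only 15 characters
MAX_PATH = 260       # Windows MAX_PATH; longer entries are not paths a player can open
PLS_KEY_RE = re.compile(r"^(File|Title|Length)\d+=|^(NumberOfEntries|Version)=", re.I)

def playlist_entries(text):
    """Yield the file references in an M3U ('#' lines are comments) or PLS ('FileN=' keys) playlist."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("["):
            continue
        m = PLS_KEY_RE.match(line)
        if m:
            if m.group(1) and m.group(1).lower() == "file":
                yield line.partition("=")[2].strip()
            continue            # Title=, Length=, NumberOfEntries=, Version= carry no path
        yield line

def suspicious_entries(text):
    """Entries whose host name or total length could not be a real file reference."""
    findings = []
    for entry in playlist_entries(text):
        m = UNC_HOST_RE.match(entry)
        host_len = len(m.group(1)) if m else 0
        if host_len > MAX_HOSTNAME:
            findings.append({"entry": entry[:48] + "...", "reason": "oversized computer name",
                             "host_len": host_len})
        elif len(entry) > MAX_PATH:
            findings.append({"entry": entry[:48] + "...", "reason": "longer than MAX_PATH",
                             "host_len": host_len})
    return findings

# Constructed sample: two ordinary entries and one whose UNC host name is 1040 bytes long.
SAMPLE_M3U = ("#EXTM3U\n#EXTINF:201,Track One\nC:\\Music\\track1.mp3\n"
              "\\\\fileserver\\music\\track2.mp3\n"
              "\\\\" + "A" * 1040 + "\\track3.mp3\n")

if __name__ == "__main__":
    for finding in suspicious_entries(SAMPLE_M3U):
        print(finding["reason"], finding["host_len"], finding["entry"])
```

Wire it into whatever downloads or receives playlists (a mail gateway, a download folder watcher) and quarantine anything it flags; unlike a signature for one exploit, the length checks hold for any player that trusts a playlist's paths.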

January 30, 2006 on 10:23 am | In Exploits & Vulnerabilities | No Comments |


Free Program – BHODemon

Internet Explorer has a nasty habit of allowing so-called Browser Helper Objects (or BHOs) to install themselves into IE. Some BHOs are helpful, like the Google Toolbar, but others (especially those planted by viruses or spyware) can be malicious and harmful.
BHODemon gives you a quick look at the BHOs installed on your PC, tells you whether a specific BHO is known to be safe or harmful, and gives you the ability to enable or disable individual BHOs with a single mouse click.

Download BHODemon

January 29, 2006 on 10:43 am | In Free Software | No Comments |


Pushing Spyware through Search

Much of the computer security industry acts like spyware is immaculately conceived. Somehow it just appears on computers, we are led to believe, and supposedly all we can do is clean up the mess after it happens, rather than prevent it in the first place. I disagree.

Now, we all love Google. I use Google’s search site all day every day, and I enjoy their downloadable applications too. So I have the greatest respect for Google’s core service. But there’s another side to their business. Indirectly, Google and other search engines make big money from spyware, through paid search advertising that infects users who don’t know any better or don’t understand what they’re getting into.

Consider a Google search for “screensavers”:
[Screenshot: Google search results for “screensavers” with SiteAdvisor ratings]

The colored icons next to search results were inserted not by Google, but by the SiteAdvisor client application, based on the results of SiteAdvisor’s automated tests for each listed site. Six of Google’s ten sponsored links get “red” or “yellow” ratings — generally indicating unwanted advertising through spyware or, in some instances, high-volume commercial email. But without SiteAdvisor (or some similar protection), users would have no idea which sites were safe; they’d be at great risk of clicking through to an unsafe site, ultimately risking installation of unwanted software.

Read more here

January 29, 2006 on 9:35 am | In Tips | No Comments |


kbhook.dll – keylogger ?

Key loggers are a particularly nasty type of malware, because they are created to monitor and record keyboard activities. They are often designed to capture the victim’s interactions with a login form of some kind, frequently targeting logon credentials for banking websites. NetSpy, identified by this spyware scan, is known to be able to log the victim’s key strokes, take screen shots, and transmit captured data to the attacker. No wonder a spyware scanner typically categorizes it as a severe threat.

Although many malware-scanning tools identify the kbhook.dll file itself as spyware, its presence alone is not sufficient evidence of infection.

A web search revealed several discussions of false positives associated with files named kbhook.dll. One such discussion stated that Genius Wireless Keyboard drivers used this file without malicious intent. Another discussion of an unknown-to-me keyboard reached a similar conclusion.

Lenny Zeltser examined kbhook.dll and found two exported functions, EnableHook() and DisableHook(); this is how an external program makes use of the DLL’s keyboard-hooking functionality.

If you encounter a kbhook.dll file on your system, please remain vigilant. This file is often associated with dangerous key loggers, presence of which may require a full system reinstall. However, keep in mind that malware scanning tools sometimes mis-identify this file. Specifically, the file named kbhook.dll is sometimes used by keyboard driver authors without malicious intent.

January 29, 2006 on 9:10 am | In Tips | No Comments |




My Anti Spyware - Free antispyware programs and Spyware Removal Instructions.