How to uninstall combofix
ComboFix by sUBs is a very good free anti-spyware program.
But after using it, you may want to uninstall it from your PC.
Go to Start > Run
Type in the box:
combofix /u
Note the space between the X and the /u.
Press Enter.
This command will:
- Delete the following:
  ComboFix and its associated files and folders.
  VundoFix backups, if present
  The C:\Deckard folder, if present
  The C:\_OtMoveIt folder, if present
- Reset the clock settings.
- Hide file extensions, if required.
- Hide System/Hidden files, if required.
- Reset System Restore.
How to make Internet Explorer more secure
Follow these simple instructions:
- From within Internet Explorer, click on the Tools menu and then click on Internet Options.
- Click once on the Security tab.
- Click once on the Internet icon so it becomes highlighted.
- Click once on the Custom Level button.
- Next press the Apply button and then OK to exit the Internet Properties page.
Change the following settings in the Custom Level list:
Change Download signed ActiveX controls to Prompt
Change Download unsigned ActiveX controls to Disable
Change Initialise and script ActiveX controls not marked as safe to Disable
Change Installation of desktop items to Prompt
Change Launching programs and files in an IFRAME to Prompt
Change Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Read more:
How to use “Internet Zone Settings”
How to disable Active Scripting support
How to drop rights for safe surf
Cannot View Hidden Files And Folders. How to fix
If you need to show hidden files, follow the tutorial How to show hidden files in Windows.
If the tutorial doesn't work for you, or you don't have Folder Options in the Tools menu, then
open Notepad and copy/paste the text in the quote box below into it:
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions"=-

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Restrictions]
"NoBrowserOptions"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000001
Save this as fix.reg to your Desktop (remember to select Save as file type: All files in Notepad.).
Double-click on the fix.reg. When it asks if you would like to merge the information, press the Yes button and then the OK button when it is done.
Reboot your PC.
After that, try the tutorial How to show hidden files in Windows.
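Before merging any .reg file copied from a web page it is worth reading exactly what it will do, and checking that the quotes are straight ASCII quotes (blog software often swaps them for typographic ones, which regedit rejects). The following is an added example, not part of the original post: a small Python parser that translates the fix above into the registry actions it performs and refuses a file with smart quotes. The action tuples and the error messages are this example's own conventions.

```python
import re

# The hidden-files fix from the post above, reproduced with straight quotes.
FIX_REG = r"""REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions"=-

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Restrictions]
"NoBrowserOptions"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000001
"""

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
SECTION_RE = re.compile(r"^\[(-?)([^\]]+)\]$")
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')
SMART_QUOTES = "\u201c\u201d\u2033"   # the curly and double-prime quotes web pages substitute


def find_smart_quotes(text):
    """1-based line numbers that contain typographic quotes regedit rejects."""
    return [n for n, line in enumerate(text.splitlines(), 1)
            if any(ch in line for ch in SMART_QUOTES)]


def parse_reg(text):
    """Translate a .reg file into the actions regedit would perform:
    ('delete_key', key), ('delete_value', key, name) or
    ('set', key, name, type, data).  Raises ValueError on anything it
    cannot account for, so nothing slips through unread."""
    lines = text.splitlines()
    if not lines or lines[0].strip() not in HEADERS:
        raise ValueError("missing REGEDIT4 / Version 5.00 header")
    bad = find_smart_quotes(text)
    if bad:
        raise ValueError(f"typographic quotes on line(s) {bad}; use straight quotes")
    actions, key = [], None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = SECTION_RE.match(line)
        if m:
            key = m.group(2)
            if m.group(1) == "-":             # [-HKEY...] deletes the whole key
                actions.append(("delete_key", key))
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            raise ValueError(f"unparsed line: {raw!r}")
        name = "@" if m.group(1) is None else m.group(1)
        data = m.group(2)
        if data == "-":                        # "name"=- deletes the value
            actions.append(("delete_value", key, name))
        elif data.startswith("dword:"):
            actions.append(("set", key, name, "REG_DWORD", int(data[6:], 16)))
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            actions.append(("set", key, name, "REG_SZ", data[1:-1]))
        else:
            actions.append(("set", key, name, "OTHER", data))
    return actions


if __name__ == "__main__":
    for action in parse_reg(FIX_REG):
        print(action)
```

Run it against the file you saved and you should see exactly three value deletions and one DWORD set to 1; anything else means the paste was altered.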
November 26, 2007 on 9:49 pm | In Tips
Hijacker will not let me download anti spyware program - how to fix
If you can't download anti-spyware software or open antivirus vendors' sites, then try Hosts Xpert, a free hosts file manager, to restore the Windows HOSTS file.
- Download Hosts Xpert
- Extract to your Desktop.
- Run Hosts Xpert
- Click “Restore MS Hosts File”
- Reboot your PC
After these simple steps you should get access to all blocked sites. If you still have a problem, create a free forum account and start a new topic with more information about your problem.
November 26, 2007 on 10:28 am | In Tips
ComboFix has expired! What you can do…
If after running ComboFix you get the message:
This copy Combofix has expired!
Please download an updated copy
You can:
1. Download an updated copy from here
2. Change your PC system time to some days ago (7 days, for example). Warning: do this only if the first option doesn't work.
Top malware sorted by category
1. Greediest Trojan Targeting Banks - this month, it’s Trojan-Spy.Win32.Banker.zd, which targets the clients of 33 banks. And just as we keep saying, the number of Trojans which target more than one bank is growing all the time.
2. Greediest Trojan Targeting E-payment Systems - The winner in this category is Trojan-Spy.Win32.Banker.z. This Trojan targets three plastic card systems, but also steals finance-related data from the customers of many banks. Apparently, its author prefers a comprehensive approach to making money.
3. Greediest Trojan Targeting Plastic Cards - The top malicious program in this category is Backdoor.Win32.Neodurk.13, which searches for access data for three plastic card systems, in addition to providing cybercriminals with remote control of victim computers, which is its main function.
4. Stealthiest Program - This category’s winner is a modification of Backdoor.Win32.Rbot.gen, which is packed by eight different compression utilities in the hope that this will prevent antivirus programs from detecting the malicious code.
5. Smallest Malicious Program - This category of malware was won by Trojan.BAT.DeltreeY.af, which is just 19 bytes in size. This is a primitive Trojan, which (as its name suggests) deletes folders on infected computers. Its targets include the Windows system directory; of course, if this gets deleted, you may end up with some serious problems.
6. Biggest Malicious Program - February’s “giant” is Trojan-Spy.Win32.Bancos.rv. It is 13 MB in size, and is a bit of an oddity - you might expect extensive functionality, which this Trojan doesn’t actually have.
7. Most Malicious Program - The winner from this category uses numerous methods to effectively combat antivirus protection installed on computers. February’s leader is Backdoor.Win32.Aebot.e, which uses a variety of methods to disable protection, including terminating processes in memory, stopping services and blocking updates. The malicious program terminates protection utilities by the dozen, including all kinds of firewalls, system monitoring utilities, antivirus products, etc.
8. Most Common Malicious Program in Email Traffic - In February 2007, the winner was Email-Worm.Win32.NetSky.t. Although this is a relatively old email worm, it still accounts for about 15% of all email traffic.
9. Most Common Trojan Family - We talk a lot about how the number of Trojans is on the increase. And Backdoor.Win32.Hupigon is a great example - in a single month we detected 368 modifications of this family.
10. Most common virus worm family - In February, the Warezov family was the most widespread among all virus and worm families. Samples of 118 different modifications were found in February alone.
Thanks to viruslist.com
March 26, 2007 on 3:35 am | In Malware, Tips
First security flaw hits Vista
The security firm eEye has discovered one of the first security flaws to directly affect Windows Vista, a bug that it claims allows local users to escalate their privileges.
The flaw involves Windows’ system for managing user security levels, User Account Control (UAC), which was introduced with Vista. UAC is designed to limit the damage that can be caused by mass attacks such as worms by giving standard users limited privileges, a practice common with other operating systems.
Combined with a remote vulnerability, the newly discovered bug could essentially render UAC useless, escalating standard user privileges to system-level access, according to eEye.
eEye said: “A flaw exists within Windows Vista that allows local privilege escalation to System”
Read more: User-privilege flaw hits Vista
March 1, 2007 on 10:34 am | In Exploits & Vulnerabilities, Tips
How to block VML exploit
A few days ago a new zero-day exploit was found. The exploit uses a bug in VML in Internet Explorer to overflow a buffer and inject shellcode. It is currently on and off again at a number of sites.
The vulnerability is caused due to a boundary error in the Microsoft Vector Graphics Rendering(VML) library (vgx.dll) when processing certain content in Vector Markup Language (VML) documents. This can be exploited to cause a stack-based buffer overflow by e.g. tricking a user into viewing a malicious VML document containing an overly long “fill” method inside a “rect” tag with the Internet Explorer browser.
Successful exploitation allows execution of arbitrary code with the privileges of the application using the vulnerable functionality in the library.
To block the VML exploit, try the following:
1. Click Start, click Run, type "regsvr32 -u "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"" (without the outer quotation marks), and then click OK.
2. A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.
Impact of Workaround: Applications that render VML will no longer do so once Vgx.dll has been unregistered. To undo this change, re-register Vgx.dll by following the above steps, replacing the text in Step 1 with "regsvr32 "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"" (without the outer quotation marks).
September 20, 2006 on 5:16 pm | In Exploits & Vulnerabilities, Tips, Tutorials - "How to"
Worm uses MS04-007, MS05-017, MS05-039, MS06-040 bugs
For the past several days, ISC has received all kinds of emails about the recent increase in scanning on port 139. One of our loyal readers out there on the ‘Information SuperHighway’, Alex Pettinger, wrote and gave us some netstat and fport outputs from one of his machines that seemed to be affected by the worm (as well as a nice copy of it). It appears, in typical antivirus fashion, to be named several things: McAfee is calling it “W32/SDbot.worm!MS06-040”, Sophos is calling it “W32/Vanebot-A”, and Symantec is calling it “W32.Randex.GEL”. (Yes, it’s been out for a couple of days.)
Let’s take a look at this bad boy shall we? How does it spread.. well, it uses: MS04-007, MS05-017, MS05-039, and of course, our favorite bug of the moment, MS06-040.
This one should be relatively easy to catch, look for machines pounding away over port 139 (from reader submissions it’s about 150 machines in just a few seconds, so it should be noisy), look for connections via IRC to “forum.ednet.es” over port 4915. (Until the next variant changes it, and we know it will). It has the ability to do a bunch of things including spreading to network shares..
To protect your PC, block 139 and 445 at the router/firewall. NetBIOS traffic shouldn’t be allowed to exit or enter your network at egress points anyway.
Update your antivirus, at least daily. Patch Windows.
August 31, 2006 on 9:05 pm | In Tips, Worms
Don’t be a victim or how to make better choices
There are some current tools out there which may help users make better choices (or block their bad choices). I’m just going to talk about browser toolbars. For the user class of not completely hopeless up to expert I really recommend McAfee’s SiteAdvisor. This toolbar works with Firefox and IE and will provide more prominent and granular indicators that a site is dubious (or downright malicious). Users will need to keep an eye on their browser corner (which may require education) or optionally glance at the pretty red, yellow, green icons next to their google search results (RED means BAD)
Also for those looking at getting involved in the community sign up to be a reviewer. Help SiteAdvisor catch and correctly flag all those bad sites that try oh so hard to look legit.
So back to phishing. Netcraft has a really nice toolbar which can provide visual clues (YMMV) as well as speed bumps to doing something unsafe. It can actually block access to a site pending user verification (ok so we all know most users click OK on anything that pops up to get it out of the way)
Extra protection for your Firefox: NoScript allows JavaScript, Java and other executable content only for trusted domains of your choice, e.g. your home-banking web site.
This whitelist based preemptive blocking approach prevents exploitation of security vulnerabilities (known and even unknown!) with no loss of functionality…
Experts do agree: Firefox is really safer with NoScript ;-)
Works with: Firefox 1.0 - 3.0a1, Mozilla 1.7 - 1.8
A spoofed website is typically made to look like a well known, branded site (like ebay.com or citibank.com) with a slightly different or confusing URL. The attacker then tries to trick people into going to the spoofed site by sending out fake email messages or posting links in public places - hoping that some percentage of users won’t notice the incorrect URL and give away important information. This practice is sometimes known as “phishing”. SpoofStick makes it easier to spot a spoofed website by prominently displaying only the most relevant domain information.
You may want to run your Web browser inside the sandbox most of the time. This way any incoming, unsolicited software (spyware, malware and the like) that you download, is trapped in the sandbox. Changes made to your list of Favorites or Bookmarks, hijacking of your preferred start page, new and unwanted icons on your desktop — all these, and more, are trapped in and bound to the sandbox. You could also try a new toolbar add-on, browser extension or just about any kind of software. If you don’t like it, you throw away the sandbox, and start again with a fresh sandbox. On the other hand, if you do like the new piece of software, you can re-install it outside the sandbox so it becomes a permanent part of your system.
Sandboxie intercepts changes to both your files and registry settings, making it virtually impossible for any software to reach outside the sandbox.
Sandboxie traps cached browser items into the sandbox as a by-product of normal operation, so when you throw away the sandbox, all the history records and other side-effects of your browsing disappear as well.
Expect this warning and popup trend to continue. Google is taking steps to prevent accidental wrong exits (see http://www.stopbadware.org/ for details on this initiative)
The next versions of IE and Firefox should have some of these protections built in. None of these will remove the need for user education (good luck explaining hostnames and mouse-overs to grandma). The criminals will figure out ways to circumvent these technologies and users will continue to ignore all the annoying popup warning windows and glaring red warning symbols. It’s just human nature. If only it were as simple as just telling people to “only surf trusted sites”. Right. uh huh.
August 28, 2006 on 11:48 pm | In Best Programs, Free Software, Internet Browsers and Mail and News readers, Spyware protection and removal, Tips
How to protect from the PowerPoint 0-day vulnerability?
A few days ago a 0-day vulnerability was found in Microsoft PowerPoint.
Unspecified vulnerability in mso.dll, as used by Microsoft PowerPoint 2000 through 2003, allows remote user-complicit attackers to execute arbitrary commands via a crafted PPT file, which causes a “memory corruption error,” and exploited by Trojan.PPDropper.B
To protect your PC, follow these instructions:
- Don't use an account with administrator rights to browse the internet and check mail, or use DropRights (How to drop rights for safe surf) to achieve the same effect.
- Don't open or save unknown attachments; cancel them.
- Don`t visit unknown sites.
- Use PowerPoint Viewer 2003 to open and view files. PowerPoint Viewer 2003 does not contain the vulnerable code and is not susceptible to this attack. You can download PowerPoint Viewer 2003 for free.
- If you can, apply strict filtering of PPT files (maybe at least quarantine them, so they can be scanned and reviewed later). Users should be extra careful when opening PowerPoint files until Microsoft releases a patch (or some workaround is available)
- It's a good idea to turn on memory-based security mechanisms (Data Execution Prevention).
Want free anti-spyware? Get adware.
Adware comes in all forms, and this time, it’s under the false pretense of being Webroot’s Spysweeper 5. To be specific, there is a torrent for SpySweeper 5 that comes with a “keygen” to bypass registration, but when executed it is actually adware —a 180solutions installer. It immediately connects to the net and then installs the Aquarium screensaver.
The link is here: www(dot)torrentspy(dot)com/torrent/793200/Spy_Sweeper_5_Final
As a result, check twice before downloading anything from torrents, eDonkey …
Thanks to the Sunbelt blog.
July 18, 2006 on 8:10 am | In Tips
Automatically remove Titan Shield
Good news: a few days ago Titan Shield signatures were added to SmitfraudFix. It now removes the following:
[HKEY_CURRENT_USER\Software\ADV] (Soon removed with SpywareSheriff)
%USERPROFILE%\Application Data\Microsoft\Internet Explorer\Quick Launch\TitanShield Antispyware.lnk
%USERPROFILE%\Local Settings\Application Data\TitanShield\*.*
%STARTMENU%\Programs\TitanShield Antispyware\*.*
%STARTMENU%\Programmes\StartUp\titanshield.lnk
%DESKTOP%\TitanShield Antispyware.lnk
%PROGRAMFILES%\TitanShield Antispyware\*.*
If you have problems with TitanShield, download and try smitfraudfix.
June 13, 2006 on 3:31 am | In Spyware protection and removal, Tips
Analyze it
ISC reader Robert detected one of his systems trying to connect to port 25 on various servers around the world. As this immediately screams: spam bot, Robert decided to analyze the box further.
He captured some packets and found an interesting binary that he submitted to ISC for analysis.
After analyzing this binary, they discovered a malware pyramid. So, this is what’s happening:
extdrvr.exe is the spam bot that Robert detected. This malware is particularly nasty as, at the moment, just one of the 26 anti-virus programs on VirusTotal finds it suspicious.
When executed, the spam bot connects to spm.freecj.com and asks for the list of e-mail addresses to send spam to, together with the e-mail body. Immediately after this is downloaded, it will try sending the spam.
But that’s not all. The malware also downloads other Trojan downloaders which, in turn, download other stuff.
First downloader that the main spam bot downloads is http://69.31.46.144/[REMOVED]/d1.html. This downloader will in turn download a pretty nasty dialer (so, making money *is* behind all this), from a well known malware network (that some of you probably already filtered): http://85.255.114.166/[REMOVED].exe.
The dialer will make itself persistent across reboots and will make services RasMan and TapiSrv automatically start at boot.
The dialer will also get the number it should call from http://216.80.7.64/[REMOVED]/getnumtemp.asp?nip=0.
If this wasn’t enough, prepare for more. The dialer will now download another downloader (are we getting lost in all this?), http://207.226.177.110/[REMOVED].
Back to the spam bot. What’s interesting is that it will download and replace the machine’s hosts file. Big deal, we’ve seen that a million times. Among all the standard AV vendors’ web sites, and Microsoft Windows Update, the newly downloaded hosts file prevents user from visiting about 50 .biz sites, well known for spreading malware (for example, www.iframebiz.biz, www.toolbarbiz.biz, etc.).
As always, learning lessons is the most important part of handling incidents. Anti-virus obviously doesn’t do much for you when the malware is not detected. Monitoring your outgoing traffic, even in the absence of an IDS, could do the trick. Looking for spikes in outgoing email is a good way to detect unexpected spam bots such as these. Use the Windows internal firewall or another free (or paid) one (see my Free Programs category). Also use Hosts Secure to block and manage the HOSTS file.
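Both this post (a spam bot fanning out to port 25) and the port-139 worm post above come down to the same detection idea: one internal host opening connections to an unusual number of distinct destinations on one port in a short window. The following is an added example, not ISC's or this blog's own tooling: a Python fan-out detector run over constructed flow-log lines. The log format, the addresses (TEST-NET ranges) and the per-port thresholds are assumptions for illustration; tune the thresholds to your own network's normal mail and file-sharing traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: "<ISO timestamp> <src ip> -> <dst ip>:<dst port>"
LOG_RE = re.compile(r"^(\S+) (\d+\.\d+\.\d+\.\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)$")

# dport -> (window in seconds, distinct destinations that trigger an alert).
# Assumed thresholds: a mail client talks to a handful of MX hosts a minute,
# a spam bot to dozens; a worm hits dozens of hosts on 139/445 in seconds.
RULES = {
    25: (60, 20),
    139: (10, 50),
    445: (10, 50),
}


def parse_flows(text):
    """Return (timestamp, src, dst, dport) tuples, skipping unparsable lines."""
    flows = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            flows.append((datetime.fromisoformat(m.group(1)),
                          m.group(2), m.group(3), int(m.group(4))))
    return flows


def fan_out_alerts(flows, rules=RULES):
    """For every (src, dport) covered by a rule, find the largest number of
    distinct destinations seen inside any window and alert when it reaches
    the threshold.  Returns sorted (src, dport, peak) tuples."""
    by_key = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport in rules:
            by_key[(src, dport)].append((ts, dst))
    alerts = []
    for (src, dport), events in by_key.items():
        window, threshold = rules[dport]
        events.sort()
        peak = 0
        for i, (start, _) in enumerate(events):
            limit = start + timedelta(seconds=window)
            seen = {dst for ts, dst in events[i:] if ts <= limit}
            peak = max(peak, len(seen))
        if peak >= threshold:
            alerts.append((src, dport, peak))
    return sorted(alerts)


def sample_log():
    """Constructed traffic: one worm-like host, one spam bot, one mail client."""
    base = datetime(2006, 8, 31, 21, 5, 0)
    lines = []
    for i in range(60):                       # 60 hosts on 139 within 5 seconds
        t = base + timedelta(milliseconds=80 * i)
        lines.append(f"{t.isoformat()} 10.0.0.17 -> 192.0.2.{i + 1}:139")
    for i in range(30):                       # 30 mail servers within 30 seconds
        t = base + timedelta(seconds=i)
        lines.append(f"{t.isoformat()} 10.0.0.42 -> 198.51.100.{i + 1}:25")
    for i in range(3):                        # normal client: 3 servers a minute
        t = base + timedelta(seconds=20 * i)
        lines.append(f"{t.isoformat()} 10.0.0.5 -> 203.0.113.{i + 1}:25")
    return "\n".join(lines)


if __name__ == "__main__":
    for src, dport, peak in fan_out_alerts(parse_flows(sample_log())):
        print(f"ALERT {src} -> {peak} distinct hosts on port {dport}")
```

The sliding window is quadratic per host, which is fine for a perimeter firewall's log but not for a large NetFlow collector; the point is the shape of the rule, distinct destinations per source per port, rather than raw connection counts, which a busy but legitimate server would also trip.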
June 8, 2006 on 7:34 am | In Spyware protection and removal, Tips
Want to download free movies? STOP!!! ADWARE!!!
Are you interested in downloadable movie clips? Many people answer “YES”.
But with free movies you can also get adware and spyware for free!
SpywareGuide did some small research:
I tried googling for some popular video albums, I came across a forum that holds many articles and download links based on the users' interests. More than ten thousand members are sharing their articles and download links in this forum. Many of these are what you might call spicy material. I suddenly paused when I found a fellow who was posting many adult video clips. Most of the download links are from Rapidshare …
He received two download links, which hold the same video clips and selected via the rapidshare link. The clip has been downloaded and played using Windows Media Player. It suddenly began acquiring a license rather than opening the media. Netpeeker showed the Windows Media Player making contact with ysbwebcom
to install IST Adware products - makers of http://www.slotch.com/, http://www.xxxtoolbar.com/, AzeSearch, DLSearchBar, ISTbar, PowerScan, Sidefind, Slotchbar, xxxtoolbar, YourSiteBar.
They did not allow to view the video without installing the IST adware.
The EULA was last updated on May 4, 2006 , which is a very recent move by Integrated Search Technologies to distribute their Advertisements. People can also check out EULA Analyzer to help analyze agreements.
Users will need to agree to a license that enables the installment of several applications. These include ISTbar , SlotchBar , YourSitebar and Xxxtoolbar. This is just to view one movie!
They may also install their third parties adware products like Internet Optimizer and SurfAccuracy.
The lesson here is that free often carries a steeper price tag than what you might think - the trade-offs are often hidden. Think before you click and ask yourself: is downloading several applications that will throw pop-up ads, make trade-offs in your privacy, and slow down your computer worth the video you are about to download? Also consider that you will have to endure this software long after the video is gone.
A popular way to push exploits to your PC
Hidden IFrame elements continue to be a popular way for targeting website visitors. After breaking into a server, the attacker modifies its HTML code, using a hidden IFrame tag to retrieve exploit code from another system. Maintainers of the compromised website typically don’t know that they are infecting their visitors for quite some time.
ISC reader Glenn Jarvis reported about a website that installs a malicious executable in the temporary folder of the victim’s system. A look at the source code of the website’s top page revealed a tiny IFrame tag that retrieved another page from a remote server. The size of the in-line frame is 1 pixel by 1 pixel, so it is not visible to the visitor of the site unless the person looks at the source code.
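A 1x1 frame is invisible in the browser but trivial to spot in the markup, which is how a site maintainer can check their own pages. The following is an added example, not ISC's or this blog's own code: a Python scan over constructed HTML that reports iframes a visitor could not see, whether by 1x1 (or 0x0) dimensions or by CSS hiding. The hostnames use the reserved .example TLD and stand for nothing real.

```python
import re
from html.parser import HTMLParser

# Constructed page standing in for a compromised site's top document.
SAMPLE_PAGE = """\
<html><body>
<h1>Welcome</h1>
<iframe src="http://video.example/player" width="640" height="360"></iframe>
<iframe src="http://bad.example/index.html" width="1" height="1"
        frameborder="0"></iframe>
<iframe src="http://bad.example/x.html" style="display:none"></iframe>
<iframe src="http://bad.example/y.html" style="width:0px; height:0px; visibility:hidden"></iframe>
</body></html>
"""


def _tiny(value):
    """True when a width/height attribute is 1 pixel or less."""
    if value is None:
        return False
    m = re.match(r"\s*(\d+)", value)
    return bool(m) and int(m.group(1)) <= 1


class HiddenIframeFinder(HTMLParser):
    """Collects (src, reasons) for every iframe the visitor would not see."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        style = a.get("style", "").lower().replace(" ", "")
        reasons = []
        if _tiny(a.get("width")) and _tiny(a.get("height")):
            reasons.append("1x1 or smaller")
        for prop in ("display:none", "visibility:hidden"):
            if prop in style:
                reasons.append(f"css {prop}")
        css_w = re.search(r"width:(\d+)px", style)
        css_h = re.search(r"height:(\d+)px", style)
        if css_w and css_h and int(css_w.group(1)) <= 1 and int(css_h.group(1)) <= 1:
            reasons.append("css size 1x1 or smaller")
        if reasons:
            self.findings.append((a.get("src", ""), reasons))


def find_hidden_iframes(html):
    """Parse html and return the hidden iframes found, in document order."""
    finder = HiddenIframeFinder()
    finder.feed(html)
    return finder.findings


if __name__ == "__main__":
    for src, reasons in find_hidden_iframes(SAMPLE_PAGE):
        print(f"hidden iframe -> {src}: {', '.join(reasons)}")
```

A normal 640x360 embed is left alone; the three hidden frames are reported with the reason. Anything with a src on a host you do not own deserves a look at the page's modification history and the web server's logs.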
The remote server’s index.html file contained JavaScript code that attempted to exploit a recent Internet Explorer vulnerability to download, install, and run a malicious executable on the website visitor’s computer. The executable was recognized by about half of anti-virus tools as a spyware trojan, and was assigned names such as Downloader-ASQ, TR/Spy.Small.EE.2, Win32/SillyDL.2fy, Trojan.Spy.Win32.Small, and Downloader.
The exploit itself targeted a vulnerability that was patched in the update to Internet Explorer that Microsoft released on April 11, 2006. Microsoft Security Bulletin MS06-014 briefly describes the problem:
Vulnerability in the Microsoft Data Access Components (MDAC) Function Could Allow Code Execution (911562)A remote code execution vulnerability exists in the RDS.Dataspace ActiveX control that is provided as part of the ActiveX Data Objects (ADO) and that is distributed in MDAC. An attacker who successfully exploited this vulnerability could take complete control of an affected system.
Cumulative Security Update for Internet Explorer (912812), which was also released on April 11th, according to Microsoft Security Bulletin MS06-013, strengthens security settings for the Internet zone on Internet Explorer. These settings render the exploit ineffective even if the potential victim did not apply the 911562 patch referenced above. The cumulative update sets the following settings to Disable:
- Initialize and script ActiveX controls not marked as safe for scripting
- Access data sources across domains
The exploit we observed operates by instantiating a series of objects, including Microsoft.XMLHTTP, Adodb.Stream, and WScript.Shell. When looking for correlating activities related to this exploit, we came across web forum discussions that suggest that this exploited existed as early as April 26th, two weeks after the release of Microsoft’s patch.
To protect your PC:
If you can't install the Cumulative Security Update for Internet Explorer (912812), do the following: run Internet Explorer, click Tools, choose Internet Options…, click the Security tab, click the Custom Level button, set Initialize and script ActiveX controls not marked as safe for scripting to Disable, set Access data sources across domains to Disable, click OK, click OK.
For more protection, read the howto: How to drop rights for safe surf
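The Custom Level settings asked for here and in the "How to make Internet Explorer more secure" post above are stored per zone in the registry, so they can be audited on a fleet instead of clicked through one machine at a time. The following is an added example, not this blog's or Microsoft's code: a Python check that compares the Internet zone (zone 3) values against what the two posts ask for. The action identifiers come from Microsoft KB 182569 (0 = Enable, 1 = Prompt, 3 = Disable); the registry read is Windows-only and kept in its own function so the comparison logic runs anywhere.

```python
ENABLE, PROMPT, DISABLE = 0, 1, 3   # DWORD data for a zone action

# Per-user zone settings live here; zone 3 is the Internet zone.
ZONE3_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"

# Action id -> (description, value the posts ask for).  Ids from KB 182569.
EXPECTED = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
    "1406": ("Access data sources across domains", DISABLE),
    "1607": ("Navigate sub-frames across different domains", PROMPT),
    "1800": ("Installation of desktop items", PROMPT),
    "1804": ("Launching programs and files in an IFRAME", PROMPT),
}

LABEL = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable", None: "missing"}


def audit_zone(values):
    """values maps action id -> current DWORD.  Returns (id, name, current,
    wanted) for each setting less restrictive than asked for.  Enable(0) <
    Prompt(1) < Disable(3), so a numeric compare is enough.  A missing
    value is reported with current=None: the zone template then decides,
    and that should be verified by hand rather than assumed safe."""
    findings = []
    for action, (name, wanted) in EXPECTED.items():
        current = values.get(action)
        if current is None or current < wanted:
            findings.append((action, name, current, wanted))
    return findings


def read_zone3():
    """Read the current user's Internet-zone values.  Windows only."""
    import winreg   # imported here so the audit itself runs on any platform
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, ZONE3_KEY) as key:
        for action in EXPECTED:
            try:
                data, _kind = winreg.QueryValueEx(key, action)
                values[action] = data
            except FileNotFoundError:
                pass
    return values


if __name__ == "__main__":
    # Constructed sample: everything correct except signed ActiveX downloads.
    sample = {a: w for a, (_, w) in EXPECTED.items()}
    sample["1001"] = ENABLE
    for action, name, current, wanted in audit_zone(sample):
        print(f"{action} {name}: is {LABEL[current]}, want {LABEL[wanted]}")
```

On a Windows box replace the constructed sample with `read_zone3()`; machine-wide policy can also set these values under HKLM, so an empty finding list for the user hive is necessary but not sufficient.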
June 5, 2006 on 7:40 am | In Spyware protection and removal, Tips
Good tool to manage your HOSTS file
HOSTS Secure is a utility that you can use to automatically download, unzip, and install the MVPS HOSTS file.
The Hosts file contains the mappings of IP addresses to host names. This file is loaded into memory (cache) at startup, then Windows checks the Hosts file before it queries any DNS servers, which enables it to override addresses in the DNS. This prevents access to the listed sites by redirecting any connection attempts back to the local machine. Another feature of the HOSTS file is its ability to block other applications from connecting to the Internet, providing the entry exists.
You can use a HOSTS file to block ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and even most hijackers. This is accomplished by blocking the Server that supplies these little gems.
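The same mechanism that makes a HOSTS blocklist work is what the spam bot in the "Analyze it" post above abuses: an entry for a security vendor or Windows Update pointed at the local machine or at an attacker's host cuts the victim off from help. The following is an added example, not part of HOSTS Secure, Hosts Xpert or this blog: a Python audit over a constructed HOSTS file that leaves blocklist entries alone but reports any override of a protected domain. The protected-suffix list is an assumption to extend with your own vendors.

```python
import ipaddress

# Constructed sample (not a real capture).  The first entries are the
# blocklist style an MVPS-type file uses; the rest are the kind of hijack
# a spam bot drops to block AV vendors and Windows Update.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0         ad.doubleclick.net          # blocklist entry, expected
0.0.0.0         www.iframebiz.biz           # blocklist entry, expected
127.0.0.1       www.toolbarbiz.biz
127.0.0.1       windowsupdate.microsoft.com
127.0.0.1       www.symantec.com  securityresponse.symantec.com
10.1.2.3        www.mcafee.com              # redirected, not black-holed
"""

# Domain suffixes that should never be overridden in HOSTS on a healthy box.
# Assumed list; add the vendors your fleet relies on.
PROTECTED_SUFFIXES = (
    "microsoft.com", "windowsupdate.com", "symantec.com", "mcafee.com",
    "sophos.com", "kaspersky.com", "trendmicro.com", "sunbelt-software.com",
)


def parse_hosts(text):
    """Yield (ip, hostname) pairs, one per hostname on a line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                              # malformed line, skip it
        for name in parts[1:]:
            yield str(ip), name.lower()


def is_protected(hostname):
    """True if hostname is, or is under, one of the protected suffixes."""
    return any(hostname == s or hostname.endswith("." + s)
               for s in PROTECTED_SUFFIXES)


def audit_hosts(text):
    """Return (hostname, ip, reason) for every entry that overrides a
    security vendor or update host.  Blocklist entries for ad and malware
    servers map other domains and are therefore not reported."""
    findings = []
    for ip, name in parse_hosts(text):
        if name == "localhost" or not is_protected(name):
            continue
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback or addr.is_unspecified:
            findings.append((name, ip, "black-holed to the local machine"))
        else:
            findings.append((name, ip, "redirected to another host"))
    return findings


if __name__ == "__main__":
    for name, ip, why in audit_hosts(SAMPLE_HOSTS):
        print(f"{name:32} {ip:15} {why}")
```

On Windows the file to feed in is %SystemRoot%\System32\drivers\etc\hosts; a clean machine yields no findings, and the "redirected to another host" case is the more serious one because it can serve a fake update or vendor page instead of just failing.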
Features include a scheduler to keep the file up to date.
Note: requires ".Net Framework 1.1"
Read more: how to use the hosts file to block ads.
May 23, 2006 on 9:08 am | In Free Software, Tips
YapBrowser and Yapsearch(dot)com
Sunbelt reported on YapBrowser, a potentially dangerous application that pre-installs 180Solutions Zango and does nothing but apparently redirect you to a porn site. For example, the URL “microsoft.com” is redirected to a porn page.
YapBrowser will also be used for some very nasty spyware installs.
Don't install YapBrowser!
April 17, 2006 on 10:18 am | In Tips
SpywareQuake Automatic removal
Good news for us!
Now you can remove Spyware Quake from your system using CounterSpy.
If you have problems with SpywareQuake, you can use the manual removal instructions (How to remove SpywareQuake) or try the free trial version of CounterSpy.
March 28, 2006 on 8:13 am | In Spyware protection and removal, Tips
Nyxem/Kama Sutra/Blackworm return again
Today is the third day of the month, and “this destructive virus will delete files from a number of popular programs on February 3rd, and on the 3rd day of the month thereafter”.
More info about Nyxem/Kama Sutra/Blackworm
How to remove Nyxem/Kama Sutra/Blackworm
How to recover lost files (due to the W32.Blackmal.E@mm - BlackWorm virus or other reasons)