Here is something we use on the agent machines to help block some common
spyware sites; we bought 150 licenses and set up WGET to update it
automatically nightly.

http://www.spywareguide.com/blockfile.php

We also use SpywareBlaster, Spybot, MS Anti-Spy and have written some
custom reg blocks that prevent some things from running, like AOL IM, so that
someone doesn't install WildTangent.  This is what we use, on XP only:

Windows Registry Editor Version 5.00

; Per-user Explorer policy: DisallowRun=1 enables the list, and each numbered
; value under the DisallowRun subkey names one executable Explorer refuses to start.
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"DisallowRun"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun]
"1"="aim.exe"
"2"="stcloader.exe"
"3"="sahagent.exe"
"4"="wsup.exe"
"5"="wintoolsA.exe"
"6"="wintoolsS.exe"
"7"="datemanager.exe"
"8"="precisiontime.exe"
"9"="gmt.exe"
"10"="ymsgr_tray.exe"
"11"="ypager.exe"
"12"="waol.exe"
"13"="aol.exe"
"14"="YServer.exe"
"15"="Ymsgr_tray.exe"
"16"="yupdater.exe"


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Tuesday, July 26, 2005 3:38 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] OT: Online file check?

Oooh, the thread injection by the dll would make it hard to kill; you'd
have to use a tool like Process Spy that shows you dll files as well as
the executables.

That tool you downloaded probably didn't do the full job, though.  It's
the Kill2Me tool by Merijn, author of HijackThis, and it's more than a
year out of date.

For most spyware (as opposed to malware) you're better off running their
Add/Remove Control Panel applet or going to their website for a removal
tool.  And *then* get out the medieval tools to strip the surviving
stuff out.  

Here's the Look2Me removal tool:

http://www.look2me.com/cgi-bin/UnInstaller
http://www.ad-w-a-r-e.com/cgi-bin/UnInstaller

If you're going to do ad and spyware blocking via DNS, you'll definitely
want to check out this project from the Snort guys at:

http://www.bleedingsnort.com/blackhole-dns/

which references the MVPS site as one source for a hosts file, and also
references the excellent Peter Lowe site at http://pgl.yoyo.org

Also check out http://www.bluetack.co.uk/ which has excellent converter
utilities and yet another hosts file compilation.  If you're running a
web proxy server for your users, you might consider installing their
ProtoWall software instead, or the similar software Peer Guardian 2 from
http://methlabs.org/

Take care with adblocking though, as some of these lists get carried
away.  For example, I've seen that using a hosts file entry like:

127.0.0.1       media.fastclick.net

causes a login popup box when IE tries to display one of those pages.

Good luck, and let us know what you decide to do in your Enterprise!

Andrew 8)



> -----Original Message-----
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of William 
> Stillwell
> Sent: Tuesday, July 26, 2005 6:03 AM
> To: Declude.Virus@declude.com
> Subject: Re: [Declude.Virus] OT: Online file check?
> 
> hehe.. killbox = no good, nothing would drop the running dll, 
> I couldn't copy it, delete it, rename it, or kill the registry entry.
> 
> here is a nice add in for people:
> 
> http://mvps.org/winhelp2002/hosts.htm
> 
> I am thinking of parsing the file and putting it into our DNS 
> servers to prevent all the corporate computers from accessing 
> any of those sites.
> 
> here is the tool i downloaded to remove the thing..
> http://www.atribune.org/downloads/l2mfix.exe
> 
> here is the VirusTotal response from this morning (it's up 
> from yesterday's 3)
> 
> It's pretty much being detected as "W32/Look2Me.ag.6" or 
> "VeryLince"; the VeryLince Google search pointed me to a 
> geekstogo forum where someone else had it running.
> 
> here is the URL to the geekstogo thread
> http://www.geekstogo.com/forum/VeryLince_Help_-t44719.html
> 
> you can look at the l2mfix find log and see what it actually 
> hooked itself into.
> 
> ----  This was officially the WORST malware/spyware I have 
> seen, it totally took over the machine and downloaded just 
> about everything on the net and installed it on the user's machine.
> 
> I would technically call this "Computer" Trespassing.. Maybe 
> I need to put a "No Trespassing" Sign on this computer :=]
> 
> 
> 
> 
> ----- Original Message -----
> From: "Greg Little" <[EMAIL PROTECTED]>
> To: <Declude.Virus@declude.com>
> Sent: Monday, July 25, 2005 5:07 PM
> Subject: Re: [Declude.Virus] OT: Online file check?
> 
> 
> > Keep it off the network as much as possible.
> > Also a software firewall (like Zone Alarm) will help control the "phone
> > home for updates".
> >
> > Another tool I used for those "really hard to remove stains" is KillBox.
> > You can give it a list of files to be deleted at the start of the next
> > boot.
> >
> > I've had one that was still locked in memory (and recreating itself to new
> > file names and restoring reg keys) in safe mode with explorer exited.
> > (You have to start a DOS window before killing the Explorer process. Then
> > "explorer" to start it again.)
> > It hooked into login, but KillBox got it on bootup before it could install
> > its memory resident program.
> >
> > SysInternals has some great tools for watching processes, controlling
> > startups, etc.
> > http://www.sysinternals.com/SystemInformationUtilities.html
> >
> > Greg Little
> >
> > PS Does this pest have a name?
> >
> > ---
> > [This E-mail scanned for viruses by Findlay Internet]
> >
> > ---
> > This E-mail came from the Declude.Virus mailing list.  To
> > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> > type "unsubscribe Declude.Virus".    The archives can be found
> > at http://www.mail-archive.com.
> > ---
> > This email has been scanned for possible viruses by Declude 
> Antivirus.
> > For more information on Declude Antivirus, Visit www.declude.com
> >
> > 
> 
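The hosts-file-to-DNS idea William raises above (parse the MVPS hosts list and load it into the corporate DNS servers), together with Andrew's caveat that some list entries break legitimate pages, worked through as an added example that is not part of any message in this thread. It parses a constructed MVPS-style sample and emits a BIND Response Policy Zone (RPZ); RPZ is assumed here as the blackhole mechanism, and the sample entries, the `rpz.localhost.` names and the allow list are all constructed, not taken from the real MVPS file.

```python
"""Turn a hosts-style block list into a BIND Response Policy Zone (RPZ).

Added example: parses the '<address> <name> [<name>...]' layout that the MVPS
hosts file uses and renders RPZ records that answer NXDOMAIN for each name.
"""
import ipaddress
import re

# Constructed sample in the MVPS layout (NOT the real list): comments,
# localhost plumbing, mixed case, aliases on one line, a duplicate, a bad line.
SAMPLE_HOSTS = """\
# Constructed sample hosts file (MVPS-style layout)
127.0.0.1       localhost
::1             localhost
127.0.0.1       localhost.localdomain
0.0.0.0         ad.tracker-one.test        # banner ads
0.0.0.0         media.fastclick.test
127.0.0.1       WWW.Spyware-Host.test  cdn.spyware-host.test
0.0.0.0         ad.tracker-one.test        # duplicate entry
0.0.0.0         bad host!.test
"""

# Names that appear in every hosts file but are not block entries.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "local", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}
# Only dotted names of plausible labels are accepted as zone owner names.
HOSTNAME_RE = re.compile(r"^(?!-)(?:[a-z0-9_-]{1,63}\.)+[a-z0-9-]{2,63}$")


def parse_hosts(text):
    """Return the set of lower-cased FQDNs that the hosts-style list sinks.

    An entry counts as a block entry only when it maps the name to a loopback
    or unspecified address (0.0.0.0, 127.0.0.1, ::1); real host mappings,
    localhost plumbing and malformed names are skipped rather than loaded.
    """
    blocked = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop inline/full-line comments
        if not line:
            continue
        fields = line.split()
        addr, names = fields[0], fields[1:]
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue                           # not '<address> <name>' at all
        if not (ip.is_loopback or ip.is_unspecified):
            continue                           # a genuine mapping, not a sink
        for name in names:
            name = name.lower().rstrip(".")
            if name in LOCAL_NAMES or not HOSTNAME_RE.match(name):
                continue
            blocked.add(name)
    return blocked


def render_rpz(blocked, allow=frozenset(), serial=1, block_subdomains=True):
    """Render an RPZ zone file that returns NXDOMAIN for every blocked name.

    'CNAME .' is the RPZ action for NXDOMAIN; the wildcard record extends the
    block to subdomains. Names in 'allow' are left out, which is where a list
    entry that breaks a legitimate page (Andrew's fastclick case) belongs.
    The SOA/NS names are placeholders for a locally served policy zone.
    """
    lines = [
        "$TTL 300",
        f"@ IN SOA rpz.localhost. hostmaster.localhost. ({serial} 3600 600 86400 300)",
        "@ IN NS rpz.localhost.",
    ]
    for name in sorted(blocked - set(allow)):
        lines.append(f"{name} CNAME .")
        if block_subdomains:
            lines.append(f"*.{name} CNAME .")
    return "\n".join(lines) + "\n"


def is_blocked(qname, blocked, allow=frozenset()):
    """Emulate the RPZ lookup: a query is blocked if the name or any parent is
    listed, unless the name or a parent is on the allow list first."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in allow:
            return False
        if candidate in blocked:
            return True
    return False


if __name__ == "__main__":
    names = parse_hosts(SAMPLE_HOSTS)
    print(render_rpz(names, allow={"media.fastclick.test"}, serial=2005072601))
```

The generated file is loaded as a `response-policy` zone on the resolver; the serial should bump on every nightly regeneration so secondaries pick up the change, and the allow list is the place to record each exception you had to make and why.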