  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 235

To Delete or to Not Delete?

Another question about adware.  I recently ran "NoAdware" on my old computer.  It came up with hundreds of problems.  I deleted them all as recommended but then I lost Windows COMPLETELY!  I had to use my recovery disk that left me without files and email or email addresses.  Is there a rule of thumb for files that CANNOT be deleted?  Thanks!
0
Asked by: Laydeeo
2 Solutions
 
blue_zee Commented:

NoAdware is a dubious software:

http://www.spywarewarrior.com/rogue_anti-spyware.htm

I have used these for years and NEVER faced the problem you mention (standard text follows):

First of all, download NOW this Winsock fix (FREE):
http://downloads.subratam.org/WinsockFix.zip
If you lose internet access after the cleanup, run this tool.

After that, download the fully functional trial version of Spy Sweeper:
http://www.webroot.com/downloads/?WRSID=595f27d74dd2795a56af83b763c321e1
Install, UPDATE and run.
You may need to reboot and run again to clean all the nasties that cannot be deleted at once ('in use').

Download Ad-Aware (FREE) from here:
http://lavasoft.element5.com/support/download/
Install, UPDATE and run.
You may need to reboot and run again to clean all the nasties that cannot be deleted at once ('in use').

Also excellent is SpyBot Search & Destroy (FREE) available here:
http://www.spychecker.com/download/download_spybot.html
Install, UPDATE and run.
You may need to reboot and run again to clean all the nasties that cannot be deleted at once ('in use').
You should also apply the 'immunize' function, since it blocks roughly 1900 known 'bad' runs/apis/apps.

Even if Ad-Aware and SpyBot S&D are similar, they do clean different things. You should have both of them and use REGULARLY.

You can also install 'preventive' software that will help you control these nasties:

SpywareBlaster (FREE):
http://www.javacoolsoftware.com/spywareblaster.html
Prevents the installation of Active-X based spyware, malware, dialers, etc
Currently protects you against 3500+ nasties.
Advantage: no system resources used!!!
Just download, install and UPDATE.

All of them extremely useful but you must keep them UPDATED.

Suggestion: Make sure you can see all files and folders and run Ad-aware and Spybot S&D in Safe Mode.

Zee

0
 
gonzal13 Retired Commented:
Generally when a program such as you used and some registry cleaners that I have used come up with 100s of errors, take the program and erase it. One is Registry Mechanic that came up with about three hundred errors. Being foolish that time and inexperienced, I just let the program erase the list of items. Well I could not use Win 98 again! Not knowing that I can use a backup scanreg software, I reinstalled the windows.

Use the proven ones that Zee mentioned. I also use them without a problem. Normally if you use them once a month you should stay out of trouble. They normally come out with a maximum of 10 items.

See if that program you used has a restore feature.

Another suggestion:
Back up your data to cd roms.
Back up your e-mail addresses to a floppy by going to Outlook Express
Go to tools, address book, files and export *.wab to a floppy.

gonzal13(joe)


0
 
BillDL Commented:
There are some very good tutorials for some of these utilities, and it also pays to configure them BEFORE running them.

Be aware that some Adware Removal utilities may miss some items where others will catch them, so no single program will find everything.  My preference is Adaware from Lavasoft, and I have used the "SE Personal Edition" successfully for quite some time without adverse effects by configuring it to do what I want, keeping it updated online, and watching very carefully what it reports.  I never let any utility automatically remove anything, but I generally have a very good idea what something is when it is found.

Adaware Tutorial:
----------------------

Read the adaware Help File also before running it.

http://www.bleepingcomputer.com/forums/index.php?showtutorial=48

One setting they missed out is the one that checks all listed items after the scan is complete.  My advice is to uncheck this option, because the temptation is to click Next.

Take a look at the last screenshot, and you will see the "Quarantine" area of the program.  This would form the basis of a last-ditch restore of deleted items if something went wrong.

Now, you are partially correct in thinking that deciphering what really is an unwanted and unnecessary finding requires some familiarity with the Windows Registry and system processes.  The rule of thumb is that if you are in any doubt, leave the item and seek advice first before removing it.  You can always run the scan again, and you have the logfile to consult when finding out about the puzzling ones.

Cookies are safe to delete, but some might be required to allow you to automatically be recognised and logged into some web sites.

MRU's are "Most Recently Used" listings held in the registry.  For instance, the last-used folder or accessed file from certain programs, the listing of last accessed files under the "File" menu of most programs.  You don't need any of these so delete them.

Those above 2 types are negligible risks, and are most often not a risk at all but just unwanted clutter.  What you are really interested in are the "Critical" items, amongst which there will be registry entries and items found in your Temporary Internet Files folder (referred to in the Adaware list as "IECache" and items show as "Cookie:whatever") - see the 3rd last screenshot on that tutorial page.

Where Adaware finds FILES, then this is where care must be taken to ascertain exactly what the file was installed by, what it does, and whether it is currently listed as a running module having been launched at startup, or by some other process.

This is where the Adaware Helpfile is particularly useful.  Look particularly at the "The Adaware Interface > Scanning Results" section and sub-sections for explanations.

I also suggest that you download and install (just double-click file and follow prompts) the following Adaware add-on that can be run on its own by clicking the "Add-Ons" button, and then from the "Tools" tab.  It gets rid of "VX2" and variants thereof.

http://download.lavasoft.de.edgesuite.net/public/plvx2cleaner.exe

If you wish to fine-tune the configuration of Adaware, then download and install the following file (which is explained here: http://www.lavasoftusa.com/software/addons/tweakse.shtml)

http://download.lavasoft.de.edgesuite.net/public/pltweakse.exe

If you don't like the standard skin, then try this nice yellow one:

http://download.lavasoft.de.edgesuite.net/public/SKIN_testskin.zip

Unzip the file with WinZip, and copy the file "testskin.ask" to the "skins" folder in the Ad-Aware program folder (Usually C:\Program\Lavasoft\Ad-Aware SE Professional\Skins).
Open Ad-Aware and click the "Settings" button.  Click "Interface" and select a skin in the drop down menu under "Select Skin".  Click "Proceed" to apply the new skin, and close "Settings".

Bear in mind that Adaware has the facility to add found items to an "Ignore List" so that they are not listed again.  After it finishes a scan and provides the list with checkboxes, you can Right-Click on an item and "Add to Ignore List", or check the items you wish to add, then right-click and choose "Add checked items to ignore list".  You can view this list at any time, and remove items using the link in the "Status" dialog that Adaware opens at.

The type of things I am talking about here are:

Browser Helper Objects (BHO's) like Adobe Acrobat Reader which allows .pdf files to open in Internet Explorer.  This may appear as:

(no name) - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

Similarly, your AntiVirus program is most likely also configured as a BHO, and you wouldn't want to remove that setting or delete the files.  eg. Norton AntiVirus may appear as:

NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

You may see other listings which relate to Shockwave Flash, and are normal settings you should keep:

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\SHOCKWAVE 10\DOWNLOAD.DLL
CODEBASE = http://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab

Windows Update needs the following, which may be listed and can also be added to your "Ignore List" with those above:

[Update Class]
InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38424.8930787037

The HOSTS File:
-------------------

C:\Windows\HOSTS is a file with no file type, and stores text-based settings related to web sites.  It can be used to block unwanted advertising banners, etc, by adding the ad-server's web address, but it is also commonly used by home-page hijacking spyware.

My advice is to right-click on this file, select "Properties", make it "Read-only", and click "Apply".  Optionally, just delete the file as it is not required by Windows or Internet Explorer.

HiJack This!
---------------

A great utility for getting rid of common pests, but again you should not take everything reported as a threat.  In fact, it might be better to run this program BEFORE running Adaware, because it allows you to copy the generated logfile and paste it into a website where it will be automatically analysed, and the items flagged to tell you if they are normal and required, or if they are unwanted.

Download the standalone file HiJackThis.exe and create a folder for it eg.
C:\HiJackThis
C:\Program Files\HiJackThis
Keep it to its own folder and create a shortcut to it, because it will generate backup .REG files that allow you to restore removed settings.

Download (Version 1.99.01):
http://tomcoyote.org/hjt/hjt199//HijackThis.exe
http://www.merijn.org/files/hijackthis.zip

Tutorials here:

http://www.tomcoyote.org/hjt/#Top

http://hometown.aol.co.uk/jrmc137/hjttutorial/tutorial.htm
Uses older version screenshots, but does provide good info about the categories of things the program is likely to list, eg.
R0, R1, R2, R3 - Internet Explorer Start/Search pages URLs
F0, F1 - Autoloading programs
O1 - Hosts file redirection
O2 - Browser Helper Objects
O3 - Internet Explorer toolbars
O4 - Autoloading programs from Registry
etc, etc.

You can see a brief list of these by clicking the "Info" button in the main HiJack This dialog as it opens.

Hint: If you want to keep your custom home and search pages, Click the "Config" button and enter them into the relevant fields under the "Main" section.  These will be restored if one of those pesky Searchbar parasites redirects your browser and you fix it with HiJack This.

HiJack This allows you to "Add selected items to ignore list", and you should do this for known and wanted items and settings on the first pass, then scan again and copy the log file for pasting into the web page listed below.

Paste logfile created into the text box here:
http://www.hijackthis.de/en

General:
-----------

Some useful info here:
http://forums.spywareinfo.com/

There are literally hundreds of AntiSpyware utilities, but those are the main two that I use regularly.

Hope this info helps you.
 
0
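The review-before-removal approach described in the comment above (sort log entries by category code, set aside known and wanted items via an ignore list, inspect the rest by hand), as an added example that is not part of the original thread or of HijackThis itself. The sample log is constructed, its line layout is an assumption about HijackThis output, and `triage` is a hypothetical helper.

```python
import re

# Category codes as summarised in the comment above.
CATEGORIES = {
    "R0": "IE Start/Search page", "R1": "IE Start/Search page",
    "R2": "IE Start/Search page", "R3": "IE Start/Search page",
    "F0": "Autoloading program", "F1": "Autoloading program",
    "O1": "Hosts file redirection", "O2": "Browser Helper Object",
    "O3": "Internet Explorer toolbar", "O4": "Autoload from Registry",
}
# CLSIDs of the two wanted BHOs quoted in the comment (Acrobat Reader, NAV Helper).
IGNORE_CLSIDS = {"{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}",
                 "{BDF3E430-B101-42AD-A544-FADC6B084872}"}
ENTRY_RE = re.compile(r"^([RFO]\d{1,2}) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Constructed sample log; the line layout is an assumption about HijackThis output.
SAMPLE_LOG = r"""Logfile of HijackThis (constructed sample)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.example.invalid/
O1 - Hosts: 203.0.113.7 auto.search.msn.com
O1 - Hosts: 127.0.0.1 ads.example.invalid
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {11111111-2222-3333-4444-555555555555} - C:\WINDOWS\SYSTEM\example.dll
O4 - HKLM\..\Run: [example] C:\WINDOWS\example.exe
"""

def triage(log_text, ignore=IGNORE_CLSIDS):
    """Return {'known': [...], 'review': [...]} of (code, label, detail, note)."""
    out = {"known": [], "review": []}
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # header or other non-entry line
        code, detail = m.groups()
        label = CATEGORIES.get(code, "uncategorised")
        clsids = {c.upper() for c in CLSID_RE.findall(detail)}
        if clsids and clsids <= ignore:
            out["known"].append((code, label, detail, "on ignore list"))
            continue
        note = ""
        if code == "O1":
            fields = detail.split(":", 1)[-1].split()
            # A loopback target only blocks the name; anything else redirects it.
            if len(fields) >= 2 and not fields[0].startswith(("127.", "0.0.0.0")):
                note = f"redirects {fields[1]} to {fields[0]}"
            else:
                note = "loopback entry (blocking only)"
        out["review"].append((code, label, detail, note))
    return out
```

Nothing is removed by this helper; `triage(SAMPLE_LOG)["review"]` is the list to look up before deciding what to fix.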
 
_ Commented:
You might try running a Recovery/Undelete program and see if you can get the files you need back.

Free and Not Free programs listed here:
http://crazyone.tekmasters.com/datarecovery.html
0
 
BillDL Commented:
Thank you, LeeTutor and DarthMod
0
