Sunday, February 25, 2007

Fighting Malware with Standard Windows Tools


While you are looking around for a solution to your computer's malware problem it is important to remember that Windows and Internet Explorer have their own standard management tools that can help you get your situation under control. They may even be able to help you remove your computer's infection.

Windows comes with a System Configuration Utility installed. This utility can be used to disable malware items from starting up. Generally, if malware does not launch at start up it does not run at all. While disabling the infection removes none of it, your job will be easier without the malware being in control of your computer while your effort at removal is underway. To use the System Configuration Utility to this end:

  • Go to your start page

  • Click Start. Your Start Up Menu will deploy.

  • Click Run. A pop-up window will appear.

  • Type "msconfig" in pop-up window.

  • Click OK. The System Configuration Utility window will appear.

  • Click Start Up tab.

  • Scroll to find offending program.

  • Click on program name to remove check-mark from box.

  • Click Apply.

  • When you exit the System Configuration Utility you will be prompted to restart your system.

  • Click Restart.

  • Your system will be in "Selective Restart mode" so long as a start up item is disabled.

It is true that much malware is designed to hide from, or to disable, the System Configuration Utility, but it is certainly worth checking whether your computer's infection is listed. If the System Configuration Utility will not open at all, it is a good bet that the infection has disabled it to prevent its own removal.



If your infection has registered on your machine as a Browser Helper Object (BHO), and you have a recent version of the Internet Explorer Browser, it should appear as an entry in Explorer's Manage Add Ons utility. Your Explorer toolbar may be hidden in the most recent versions. If so, press the Alt button on your keyboard and it will appear. When the toolbar is displayed, in order to Manage Add Ons:


  • Click Tools.

  • Roll your mouse-pointer down to the "Manage Add Ons" entry.

  • Click Enable or Disable Add Ons

  • Click on name of add on to be disabled. The item will be highlighted, as a result.

  • Click Disable

  • Click OK.

By no means are all malware infections registered as BHOs, nor is it clear how many may be programmed to interfere with the operation of the Manage Add Ons utility. Again, it is certainly worth checking whether your computer's infection is listed. While disabling the infection removes none of it, your job will be easier without the malware being in control of your computer while your effort at removal is underway.


What may be able to remove at least most of your infection is Windows' Add or Remove Programs utility. To remove a program using Add or Remove Programs:


  • Click Start

  • Click Control Panel

  • Click Add or Remove Programs. Wait for the list of programs to load.

  • Click name of program to be removed.

  • Click Change/Remove (you may be offered the opportunity to click Support Information, if available, to learn more about the program you are removing).

Most malware will not appear in the Add or Remove Programs utility, but some adware companies do include an uninstall feature for their software there. It is important to remember that the uninstall may still leave tracking and other passive files on your computer. After removal you should check your start up listing with the System Configuration Utility. If it is not listed there, check your start up listing using HijackThis and/or scan your system with your preferred anti-virus scanner(s).
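The three places the post walks through by hand (the start up list shown by the System Configuration Utility, the BHO list shown by Manage Add Ons, and the Add or Remove Programs list) can also be read directly from the registry. The following PowerShell script is an added example, not part of the original post; it assumes the standard registry locations (the Run/RunOnce keys, the Browser Helper Objects key with the CLSID lookup under HKEY_CLASSES_ROOT, and the Uninstall key) and is meant to be run from an elevated PowerShell prompt.

```powershell
# Added audit script, not from the original post: lists in one place the three areas
# the post walks through by hand (startup Run entries, Browser Helper Objects and
# Add or Remove Programs entries) and flags targets that point at a missing file.
# Assumes the standard registry locations; run from an elevated PowerShell prompt.

function Get-RunEntries {
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        $item = Get-Item $k
        foreach ($name in $item.GetValueNames()) {
            [pscustomobject]@{ Area='Startup'; Name=$name; Target=$item.GetValue($name) }
        }
    }
}

function Get-BhoEntries {
    # BHOs are registered by CLSID; the DLL path is the default value of InprocServer32
    $bho = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (-not (Test-Path $bho)) { return }
    foreach ($clsid in (Get-ChildItem $bho).PSChildName) {
        $cls = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
        $dll = if (Test-Path "$cls\InprocServer32") { (Get-ItemProperty "$cls\InprocServer32").'(default)' } else { '' }
        [pscustomobject]@{ Area='BHO'; Name=$clsid; Target=$dll }
    }
}

function Get-UninstallEntries {
    $k = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
    foreach ($sub in Get-ChildItem $k) {
        $p = Get-ItemProperty $sub.PSPath
        if ($p.DisplayName) {
            [pscustomobject]@{ Area='Uninstall'; Name=$p.DisplayName; Target=$p.UninstallString }
        }
    }
}

# Strip quotes and arguments so the file referenced by each entry can be checked on disk.
function Test-TargetExists($target) {
    if (-not $target) { return $false }
    $exe = if ($target -match '^"([^"]+)"') { $Matches[1] } else { ($target -split ' ')[0] }
    return Test-Path $exe
}
$report = @(Get-RunEntries) + @(Get-BhoEntries) + @(Get-UninstallEntries)
$report | Select-Object Area, Name, Target, @{n='FileExists'; e={ Test-TargetExists $_.Target }} |
    Format-Table -AutoSize
```

A FileExists value of False for a bare program name such as MsiExec.exe only means it was not found in the current directory, so treat the column as a prompt to look closer rather than a verdict. An entry whose target sits in a temporary or profile folder, or whose BHO has no InprocServer32 path, deserves the same second look before you disable it with the utilities described above.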

Tuesday, February 20, 2007

SpyWall Information Page

The information in Virtual Grub Street's computer postings is the result of thousands of web searches. It cannot, however, possibly be complete. The subject is vast and constantly changing. Moreover, vendor uninstall tools and other freeware removal tools do not necessarily remove all of an infection from your computer. Vendor uninstall tools, for instance, may silently leave cookies or other tracking software installed. It is advisable to follow up a removal with one or more adware scans and/or to do an inspection using a HijackThis log. The information on the page is not guaranteed correct and any use you may choose to make of it is entirely at your own risk.

*

Intro. According to its creator, Trlokom:

SpyWall is the first true browser firewall and most powerful anti-spyware solution in the market. It sandboxes Internet Explorer to block spyware/rootkits/keyloggers from infecting and damaging your computer.

SpyWall can:

  • Scan and clean spyware and rootkits;
  • Monitor employee Web usage;
  • Block Web based attacks;
  • Block spyware sites;
  • Block download of executable content without user permission; and,
  • Prevent modification of key registry items.


Remote management features are included for administrators of area networks. Trlokom's SpyWall is available free on a 15-day trial basis.


According to a September 2005 review at IT Observer:

More sophisticated features are DLL usage monitor that examines which DLLs are loaded by the web browser, and a file system access monitor that can limit access to file systems that the web browser is allowed.

Versions: 1.4.1.3

Latest Version Covered: 1.4.1.3

File Size: 3.86 MB.

File Name: spywall_installer.exe.

Most recent update: approx. 02/16/07


Compatible Operating Systems: -- SpyWall is an Internet Explorer add-on.

Compatible Browsers: -- SpyWall is an Internet Explorer add-on.


Notes:

  • "Trlokom, Inc.'s SpyWall took top honors in the Enterprise Security category of Datamation's Product of the Year 2006 awards."
  • Advanced features may require a higher level of knowledge than the average user possesses.
  • To remove Aurora or Cool Web Search: "Run the regular scan and enable the "System Freeze" option after the scan. Delete all malicious entries found by SpyWall. Audit the BHOs and "Startup" area. Delete the entries you find suspicious. Click on the "Reboot now" button."
  • The following is SpyWall's key file and its location: C:\Program Files\SpyWall\TrlIETool.dll.
  • Example Spywall logs are available at Trlokom's SpyWall forum. The logs clearly require a level of familiarity with the files resident in the user's system.
  • This software should not be confused with ContraVirus's Spywall software.



Latest Version. SpyWall can be downloaded from the following locations:

Version 4.5.2:



Previous Versions. Previous versions of SpyWall can be downloaded from the following locations:

  • Pending.




Other VGS Freeware/Trialware Information Pages:

Friday, February 16, 2007

Mirar Toolbar's New Uninstall Pages

I have not been to the Mirar Toolbar Uninstall Pages for quite some time and cannot say when exactly its purveyor, NetNucleus, changed its uninstallation format. If the pages are not a direct reply to Sunbelt Software's letter of January 31, 2007, they certainly address most of the uninstall issues cited in the letter.

As of February 16, 2007, there are two uninstall pages for Mirar Toolbar (a.k.a. Related Page). The traditional uninstall page (http://remove.getmirar.com/uninstall.html) provides a step-by-step removal that one apparently can no longer follow without the site detecting that Mirar Toolbar is installed in one's computer. For this reason, I cannot presently describe the uninstall further from direct experience. A check-off box is provided for the user to declare: "I know Mirar Toolbar doesn't launch popups or any other advertising, or modify search settings, but I would still like to uninstall it."



There is also now a "Mirar Support" page (http://www.mirarsearch.com/support/uninstall.html) that describes uninstalling the toolbar from the Windows "Add or Remove Programs" utility. The "remove" command does not actually remove the software but instead it establishes a link with the Mirar Uninstall page(s). Removal must therefore be accomplished while connected to the Internet.

The uninstall procedure by all appearances still includes a series of advertisements as described in the Sunbelt letter:
...even when the Mirar uninstall entry does successfully open the Mirar web site to download the uninstaller, users are not immediately given the uninstaller. Rather, users are confronted with a long web page imploring them to click through still more advertising for "online offers" (see Figure 4 above). At the bottom of the page is a prominent graphic button to "Submit" the form containing the offers, which users might mistake for a button to continue with the uninstallation. Only users who notice the comparatively small "No Thanks" link at the very bottom of the page will be able to continue the uninstall.
This would seem to be the "survey" described in the text for Step 6 of the support page's step-by-step instructions:
The uninstaller will ask you to complete a survey, if you wish to skip this step you may do so by clicking "no thanks" at the bottom of the page.
The support page now clearly brings the user's attention to the "No Thanks" link but does not describe the nature of the "survey" (a series of product offerings).

What is not clear is whether the uninstall still does not remove all of the toolbar-related files. According to Sunbelt:
...the uninstaller provided to users does not even perform a complete uninstallation, as it fails to remove the NetNucleus domain additions to the Internet Explorer Trusted sites zone.
NetNucleus has clearly tried to upgrade the public face of its Mirar Toolbar uninstallation process while retaining the advertising advantages it has built into the process. The extent of legitimate improvement remains to be seen. The complete removal of all Mirar-related files would seem to be a key indicator.

It has also added an actual online survey/complaint page at http://mirarsearch.com/support/contact.html. The survey is cognizant of the complaints that have been made against Mirar Toolbar and invites user feedback.


Also See:
  • Sunbelt Tangles with NetNucleus. (February 7, 2007) NetNucleus, purveyor of the Mirar Toolbar, threatens to sue Sunbelt Software for labeling its product "Adware". Sunbelt replies with a devastating overview of Mirar's stealth installation methods (and more).
  • Is Google Associated with a SearchMiracle Knock-Off? (April 27, 2005). "A question begs the asking: How does NetNucleus generate revenue from its Mirar Toolbar search directory if it enters search terms in the Google Search Engine?"
  • How to Remove Mirar Toolbar. Don't want to uninstall? Then remove it yourself!