
Thread: Good instructions for getting rid of spyware and malware and

  1. #1
    Join Date
    Sep 2001
    Location
    Out on the prairie -- USA
    Posts
    730

    Good instructions for getting rid of spyware and malware and

    I hope this can be useful for any of you who might run into problems in the future. It is a lot of steps, but worth it. (Oh, it will also get rid of things like the yahoo and google search bars, so watch that when going through the steps if you like those things.)

    Don

    Browser Hijacked/Infected?....Let's Start To Fix It!

    Seems more and more people are getting hijacked or getting riddled with spyware and can't get rid of the pests.
    I put together a little article to help you start fighting back and regaining control of your computer.

    ** Later on, you'll be asked to stay off the net and close all Windows Applications, including your browser (i.e. Internet Explorer), so you may want to PRINT this out.
    =======

    01. Update and run any anti-virus (AV), anti-trojan (AT), and anti-spyware (AS) products you already have installed on your computer. Do full scans of your computer.

    Record exactly the malware names, and file names and locations, of any malware the scans turn up. Quarantine then cure (repair, rename or delete) any malware found.

    If the scanners say you have Sasser, you need to take some extra steps before you carry on to see what else you have: Sasser (http://www.microsoft.com/security/incident/sasser.asp)

    If you can't access security web sites, Check your "Hosts" file (http://www.dslreports.com/faq/10131)

    If you are having trouble with loss of internet access, then download, install and run LSP-Fix (http://www.cexx.org/lspfix.htm).

    If your homepage is hijacked to res://random.dll/index.html#random, then download and run about:Buster. The download and tutorial can be found here (http://www.besttechie.net/forums/index.php?showtopic=1488).

    02. Run two or three free web based AV scanners.
    http://housecall.trendmicro.com/
    http://www.ewido.net/en/onlinescan/
    http://www.bitdefender.com/scan8/
    http://www.kaspersky.com/virusscanner
    http://security.symantec.com/
    http://www.windowsecurity.com/trojanscan/

    Record exactly the malware names, and file names and locations, of any malware the scans turn up. Quarantine then cure (repair, rename or delete) any malware found.

    03. Download 5 tools...Download Trend Micro CWShredder (http://www.trendmicro.com/ftp/products/online-tools/cwshredder.exe), EliteToolbar Remover (http://www.simplytech.it/ETRemover/), McAfee AVERT Stinger (http://download.nai.com/products/mcafee-avert/s_t_i_n_g_e_r.exe), Ad-Aware SE (http://www.lavasoft.de/) and SpyBot S&D (http://www.safer-networking.org/index.php?page=download).
    An alternate download site for CWShredder and HijackThis is Subratam.org (http://subratam.org/main/index.php?option=com_content&task=view&id=19&Itemid=41)

    Save them to your Desktop or folder of your choice. (I prefer to make a folder called "Downloads" in which I place all downloaded files.)

    04. Run CWShredder. With it open and ALL other windows closed let CWshredder FIX all problems. Do this from Safe Mode (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406?OpenDocument&src=sec_doc_nam).
    * If CWShredder immediately shuts-down, try running it again.
    * If CWShredder still doesn't run:
    * Download PepiMK's CoolWWWSearch.Smartsearch killer. http://www.safer-networking.org/files/delcwssk.zip
    * Run CoolWWWSearch.Smartsearch.
    * Then return to CWShredder to clean up.
    * In CWShredder, click "check for update".
    * If an update is available, click "Download and open the update".
    * Click "Scan only".
    * If Coolwebsearch keeps returning, or if a scanner says you have cws.searchx, you need to take some extra steps before you carry on to see what else you have: http://www.spywareinfo.com/~merijn/cwschronicles.html
    * If you need to find the "hidden appinit value" used by certain versions of CoolWebSearch, then go here:
    http://forums.subratam.org/index.php?showtopic=583 for step-by-step instructions.

    05. Run EliteToolbar Remover.
    *Unzip (extract) into a newly created folder made by you.
    *Reboot your machine in Safe Mode (just click the F8 key as the PC is starting, just before the MS Windows flag screen appears) and run the EliteToolbar Remover.
    *Click the "Kill Elite Toolbar" button and wait until it finishes its work.
    *Occasionally a DOS box may appear asking your permission to delete some files in temporary Windows directories. You must accept the deletion of these to be sure of properly removing the malware!

    06. Run McAfee AVERT Stinger.
    *If necessary, click the Add or Browse button to add additional drives/directories to scan. By default the C: drive will be scanned.
    *Click the "Scan Now" button to begin scanning.
    *By default Stinger will repair all infected files found.

    07. Run Ad-Aware SE. Make sure all other windows, including your browser, are closed.

    * Click "Check for updates now" in the lower right.
    * Click "Connect" and then "OK".
    * When the updating process finishes, click "Finish".
    * Click on the gear icon in the upper right (Settings).
    * Click "Scanning".
    * Select:
    - "Scan within archives"
    - "Scan my IE Favorites for banned URLs"
    - "Scan my hosts file"
    * Click "Tweaks".
    * Click "Cleaning Engine".
    * Select "Automatically try to unregister objects prior to deletion".
    * Click "Proceed".
    * Click "Start".
    * Select "Use custom scanning options".
    * Click "Next" and wait for the scanning process to complete.
    * Select all the items found for removal. ("Removal" actually puts things in quarantine, so you can generally recover them if you need to.)
    * Reboot your computer.
    * Repeat the last 5 steps from "Start" until no more items are found.

    Ad-Aware SE Tutorial (http://www.bleepingcomputer.com/forums/index.php?showtutorial=48)

    08. Run SpyBot S&D. Make sure all other windows are Closed and your browser isn't running.

    * Click on "Update" in the left column.
    * Click on "Search for Updates".
    * Select a download location (usually one close to you). I usually choose the Rootboxen.net(USA)
    * Click "Download Updates" and wait for the updating process to finish.
    * Check that all Internet Explorer (web browser) windows are closed.
    * Click "Search and Destroy" in the left column.
    * Click "Check for Problems".
    * Have Spybot remove/fix all the problems it identifies in RED. The items not listed in red should not be touched at this time.

    Spybot S&D Tutorial (http://www.bleepingcomputer.com/forums/Using_Spybot_Search_&_Destroy_to_remove_Spyware_from_Your_Computer-tut43.html)

    09. Download, install, update and run an Anti-Trojan Application. Choose one of these:

    Ewido Security Suite (http://www.ewido.net/en/download/) (Free 14-day test version)
    First update it by clicking the UPDATE button on the left side panel, then pressing "Start Update".
    Then do a scan while in SAFE MODE (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406?OpenDocument&src=sec_doc_nam). Press the SCANNER button on the left side panel, then press "Complete System Scan".

    TrojanHunter (http://www.misec.net/trojanhunter/) (30-day free trial)
    Update it, then reboot into safe mode and run the program.

    10. If there is still a problem, download HijackThis (http://www.spywareinfo.com/~merijn/files/HijackThis.exe).
    Open up My Computer or Windows Explorer and on the toolbar go to File | New Folder. Create a new permanent folder called HijackThis. Copy and paste hijackthis.exe into that new folder, then double click it to run the program.
    * DO NOT RUN IT FROM YOUR DESKTOP OR TEMP FOLDER.
    Backups will be stored there for products removed, just in case.
    When you run HijackThis, close ALL other windows and click on SCAN at the bottom left.
    When it is finished scanning, click on SAVE LOG. Where it says "Save In" at the top of the save window, browse to your newly created HijackThis folder and name it HijackThis_TODAY'S DATE.log.

    Here is a tutorial (http://www.bleepingcomputer.com/forums/index.php?showtutorial=42) on how to use it.

    Copy and paste this log into a post started by you in PC Questions & Answers Forum (not in this thread) for us to see.

    11. Download Find_It_s.zip (http://forums.net-integration.net/index.php?act=Attach&type=post&id=142443) to your desktop.
    Make a new folder in C:\
    Unzip/extract the files inside Find_It_s.zip to the new folder you made. Open the folder and run Find_It_s.bat and wait for a text to open. It will take a while ...then post the resulting log. This will search for Aurora entries specifically, among other things.

    12. To prevent important system files being deleted accidentally, Windows XP and Windows Me have a feature called System Restore. It makes backups of these system files and restores the backups if the original file goes missing.

    To prevent malware being restored by the operating system, it is often necessary to clear the backup files from System Restore AFTER the malware is deleted. (This is called "clearing the System Restore points".) To do this, turn System Restore off, wait 30 seconds, and then turn System Restore back on.

    The reason for waiting until after your computer is clean of malware to clear the System Restore points is that, if there is a problem during cleaning, System Restore can be used to try to correct it.

    Instructions for turning System Restore on and off:
    Enabling/Disabling System Restore (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?OpenDocument&src=sec_doc_nam)
    Symantec - System Restore (http://service1.symantec.com/SUPPORT/nav.nsf/pfdocs/2000092513515106?Open)

    If you do a scan and get a virus detected in the _RESTORE or the System Volume Information folder (System Restore), but it cannot repair, quarantine, or delete the infected file....DO NOT WORRY ABOUT IT UNTIL THE REST OF YOUR SYSTEM IS CLEAN.

    13. Empty out these three(3) folders once your system is clean. (just the contents and not the folder itself):

    Go to Start | Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure these 3 are checked and then press "ok" to remove:

    Temporary Files
    Temporary Internet Files
    Recycle Bin
    ....or....
    * Temporary Internet Files. In the Control Panel, open Internet Options, and under the general tab, click on "Delete Files".
    In the next window, put a check to "Delete all offline content" too. OK out to save.
    * Temp folder contents. In XP, that's C:\Documents and Settings\User Name\ Local Settings\Temp. In Windows 98, it's found in C:\Windows\Temp.
    * Empty the Recycle Bin.

    If you don't own a firewall or use XP's Windows Firewall, I would really recommend downloading a free one off the internet and Disable Windows Firewall (http://support.microsoft.com/kb/283673)

    The best free firewalls are:
    Zone Alarm Free (http://www.zonelabs.com/store/content/company/products/znalm/freeDownload.jsp)
    Kerio Personal Firewall (http://www.kerio.com/kpf_home.html)
    Sygate Personal Firewall (http://smb.sygate.com/download_buy.htm)
    Outpost Firewall Free (http://www.agnitum.com/download/)

    Then, make sure you visit the Windows Update (http://v5.windowsupdate.microsoft.com/v5consumer/default.aspx?ln=en-us) site and get all "High Priority" updates.

    So How Did I get Infected In The First Place? (http://computercops.biz/postt7736.html&sid=3ec42cd50600739e06643c98774ed683)




    [This message has been edited by drolfson (edited 07 December 2005).]
    Don Rolfson
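
Added example (not part of Don's post or of any tool it names): step 01 says to check the "Hosts" file when security web sites cannot be reached, and this Python sketch audits hosts-file text for exactly that symptom. The host list is taken from the links in the post; the sample file, function names and finding labels are constructed for illustration.

```python
"""Audit hosts-file text for entries that block or redirect security sites."""
import ipaddress
import sys

# Scanner/vendor hosts linked in the post above. Assumption: a clean machine
# has no reason to pin any of these names in its hosts file.
SECURITY_HOSTS = {
    "housecall.trendmicro.com", "www.ewido.net", "www.bitdefender.com",
    "www.kaspersky.com", "security.symantec.com", "www.windowsecurity.com",
    "www.lavasoft.de", "www.safer-networking.org",
    "v5.windowsupdate.microsoft.com",
}

# Constructed sample, not taken from a real machine.
SAMPLE_HOSTS = """\
# sample hosts file
127.0.0.1   localhost
127.0.0.1   housecall.trendmicro.com WWW.Kaspersky.com  # no owner known
0.0.0.0     security.symantec.com
203.0.113.7 search.example.com
127.0.0.1   ads.example.net
not-an-ip   junk.example.org
"""

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every usable mapping in the text."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # strip comments, split columns
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # first column is not an address
        for name in fields[1:]:                 # one line may map several names
            yield line_no, ip, name.lower().rstrip(".")

def audit_hosts(text):
    """Return (line_no, hostname, ip, reason) for each entry worth a look."""
    findings = []
    for line_no, ip, name in parse_hosts(text):
        sinkhole = ip.is_loopback or ip.is_unspecified
        if name in SECURITY_HOSTS:
            reason = "security site blocked" if sinkhole else "security site redirected"
            findings.append((line_no, name, str(ip), reason))
        elif not sinkhole:
            # Any other name pinned to a non-loopback address deserves review.
            findings.append((line_no, name, str(ip), "pinned to non-loopback address"))
    return findings

if __name__ == "__main__":
    # Optional argument: path to the hosts file; without one, use the sample.
    text = SAMPLE_HOSTS
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            text = fh.read()
    for line_no, name, ip, reason in audit_hosts(text):
        print(f"line {line_no}: {name} -> {ip} ({reason})")
```

On Windows XP the file to pass in is %SystemRoot%\system32\drivers\etc\hosts; on Windows 98/Me it is C:\Windows\hosts.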

  2. #2
    Join Date
    Dec 2000
    Location
    Bonneau, SC USA
    Posts
    1,622

    Thanks John,

    I made a copy of your posting and put it
    in my computer folder. Hope I never need it
    again, but believe me, I sure could have
    used all that info a couple of weeks ago.
    Thanks! Warm regards, Jim

  3. #3
    Join Date
    Dec 2000
    Location
    Bonneau, SC USA
    Posts
    1,622

    Oops, Sorry Don,

    I don't know why I persist in calling
    you John. Don it is and thanks again for
    the help. Warm regards, Jim

  4. #4

    Don kindly gave us permission to hijack his post. It will be in the CyberAngler section on Monday...that way it will remain easily available to all. Thanks again Don.

    ------------------
    LadyFisher, Publisher of
    FAOL

  5. #5
    Join Date
    Apr 2005
    Location
    Mattydale NY
    Posts
    1,949

    With AOL I need not worry of such things as its free spyware protection wipes out ALL spyware...AOL is getting much better security wise...I'd not switch to any other again...no matter the price...I get very very little spam these days...
    Wish ya great fishing, Bill

  6. #6
    Join Date
    Dec 2000
    Location
    Bonneau, SC USA
    Posts
    1,622

    Hey Folks,

    Deanna, I'm pleased that you are going
    to include Don's info on FAOL. It's pretty
    much info we may all need without warning.
    Much appreciated.

    Bilknepp, My isp has virus protection
    too. And I just spent a lot of time getting
    my computer back on track. I'm not sure
    your isp can protect you from everything,
    but I may be wrong. Anyway, can't hurt to
    have the info handy, just in case.*G*
    Warm regards, Jim

  7. #7
    Join Date
    Aug 2004
    Location
    Kuujjuaq, Quebec
    Posts
    2,206

    Don,...

    Thanks for the resources.

    I guess folks just gotta be careful on the Web and with e-mail.

    I have good virus stuff and the firewalls at work and at home help lots too.

    Then again, ... I rarely open attachments, hundreds of e-mails per DAY get filtered out and I rarely let sites install "plugins".

    I also rarely use Microsoft's Internet Explorer.

    So far I've been pretty lucky I guess. If junior can't get the home computer infected, I guess the protection I set up at home is fairly good.

    ------------------
    Christopher Chin, Jonquiere Quebec
    Fishing the Ste-Marguerite (http://pages.videotron.com/fcch/)




    [This message has been edited by fcch (edited 08 December 2005).]
    Christopher Chin

  8. #8

    "Deanna, I'm pleased that you are going
    to include Don's info on FAOL. It's pretty
    much info we may all need without warning.
    Much appreciated."


    Jim, I agree but we should remember that stuff like that that we need in the crisis will be locked in cyber space which we will not have access to because the darn computer isn't working....been there...


    Never test the depth of the water with both feet.

  9. #9
    Join Date
    Sep 2001
    Location
    Out on the prairie -- USA
    Posts
    730

    Just a couple of notes on this.

    1st) Many times you DO install something 'innocent' that will allow malicious attacks. One of the best examples of this are the various 'Browser Search Bars'. (ie, google, yahoo) They do some tracking themselves and have some agreements to piggyback other spyware with them. These are sometimes even installed with another program. (My wife accidentally installed Yahoo's the other day with a kids game. Thanks Reading Rabbit! )

    2nd) Print the instructions, or better yet, save them to a folder on the HDD. Then go download the tools into the same folder and burn it all to a CD. Install the things like Ad-Aware and get the immunization running now! You will not be sorry.

    Oh, I also did not mention, but probably should, there is a wonderful FREE Anti Virus software at http://www.avast.com/eng/download-avast-home.html that will help to keep you from catching the bad bugs (even thru e-mail) to begin with.

    Don

    PS. For many of us, AOL is the original spyware/malware and is still one of the worst. The 'free' spam and virus they 'give' you is really to help them cut their costs, not to help you. Imagine all the e-mail they don't have to transfer by doing this.
    Don Rolfson

  10. #10
    Join Date
    Aug 2004
    Location
    Kuujjuaq, Quebec
    Posts
    2,206

    Don, ... (et.al) ...

    Add to the actions, ... for those who use a computer at work, ... MANY companies offer FREE antivirus software to employees who own a computer at home.

    Our company offers licenced software to employees for installation at home. Upgrades and DAT files updates are also free.

    Seems, ... the cost of these types of initiatives is less than unscrambling computers at the office when an employee accidentally brings an infected disk to the office from home.

    Ask your IT department if this is offered.



    ------------------
    Christopher Chin, Jonquiere Quebec
    Fishing the Ste-Marguerite (http://pages.videotron.com/fcch/)
    Christopher Chin
