Good instructions for getting rid of spyware and malware and

I hope this can be useful for any of you who might run into problems in the future. It is a lot of steps, but worth it. (Oh, it will also get rid of things like the yahoo and google search bars, so watch that when going through the steps if you like those things.)

Don

			[b]Browser Hijacked/Infected?....Let's Start To Fix It![/b]

	Seems more and more people are getting hijacked or getting riddled with spyware and can't get rid of the pests.

I put together a little article to help you start fighting back and regaining control of your computer.

** Later on, you’ll be asked to stay off the net and close all Windows Applications, including your browser (i.e. Internet Explorer), so you may want to PRINT this out.

  1. Update and run any anti-virus (AV), anti-trojan (AT), and anti-spyware (AS) products you already have installed on your computer. Do full scans of your computer.

Record exactly the malware names, and file names and locations, of any malware the scans turn up. Quarantine then cure (repair, rename or delete) any malware found.

If the scanners say you have Sasser, you need to take some extra steps before you carry on to see what else you have: [url=http://www.microsoft.com/security/incident/sasser.asp:5bd15]Sasser[/url:5bd15]

If you can’t access security web sites, [url=http://www.dslreports.com/faq/10131:5bd15]Check your “Hosts” file[/url:5bd15]

If you are having trouble with loss of internet access, then download, install and run [url=http://www.cexx.org/lspfix.htm:5bd15]LSP-Fix[/url:5bd15].

If your homepage is hijacked to res://random.dll/index.html#random, then download and run about:Buster. The download and tutorial can be found [url=http://www.besttechie.net/forums/index.php?showtopic=1488:5bd15]here[/url:5bd15].

  1. Run two or three free web based AV scanners.
    [url=http://housecall.trendmicro.com/:5bd15]http://housecall.trendmicro.com/[/url:5bd15]
    [url=http://www.ewido.net/en/onlinescan/:5bd15]http://www.ewido.net/en/onlinescan/[/url:5bd15]
    [url=http://www.bitdefender.com/scan8/:5bd15]http://www.bitdefender.com/scan8/[/url:5bd15]
    [url=http://www.kaspersky.com/virusscanner:5bd15]http://www.kaspersky.com/virusscanner[/url:5bd15]
    [url=http://security.symantec.com/:5bd15]http://security.symantec.com/[/url:5bd15]
    [url=http://www.windowsecurity.com/trojanscan/:5bd15]http://www.windowsecurity.com/trojanscan/[/url:5bd15]

Record exactly the malware names, and file names and locations, of any malware the scans turn up. Quarantine then cure (repair, rename or delete) any malware found.

  1. Download 5 tools…Download [url=http://www.trendmicro.com/ftp/products/online-tools/cwshredder.exe:5bd15]Trend Micro CWShredder[/url:5bd15], [url=http://www.simplytech.it/ETRemover/:5bd15]EliteToolbar Remover[/url:5bd15], [url=http://download.nai.com/products/mcafee-avert/s_t_i_n_g_e_r.exe:5bd15]McAfee AVERT Stinger[/url:5bd15], [url=http://www.lavasoft.de/:5bd15]Ad-Aware SE[/url:5bd15] and [url=http://www.safer-networking.org/index.php?page=download:5bd15]SpyBot S&D[/url:5bd15].
    An alternate download site for CWShredder and HijackThis is [url=http://subratam.org/main/index.php?option=com_content&task=view&id=19&Itemid=41:5bd15]Subratam.org[/url:5bd15]

Save them to your Desktop or folder of your choice. (I prefer to make a folder called “Downloads” in which I place all downloaded files into.

  1. Run CWShredder. With it open and ALL other windows closed let CWshredder FIX all problems. Do this from [url=http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406?OpenDocument&src=sec_doc_nam:5bd15]Safe Mode.[/url:5bd15]
  1. Run EliteToolbar Remover.
    *Unzip (extract) into a newly created folder made by you.
    *Reboot your machine in Safe Mode (just click the F8 key as the PC is starting, just before the MS Windows flag screen appears) and run the EliteToolbar Remover.
    *Click the “Kill Elite Toolbar” button and wait until it finishes its work.
    *Occasionally a DOS box may appear asking your permission to delete some files in temporary Windows directories. You must accept the deletion of these to be sure of properly removing the malware!

  2. Run McAfee AVERT Stinger.
    *If necessary, click the Add or Browse button to add additional drives/directories to scan. By default the C: drive will be scanned.
    *Click the “Scan Now” button to begin scanning.
    *By default Stinger will repair all infected files found.

  3. Run Ad-Aware SE. Make sure all other windows, including your browser, is closed.

  • Click “Check for updates now” in the lower right.
  • Click “Connect” and then “OK”.
  • When the updating process finishes, click “Finish”.
  • Click on the gear icon in the upper right (Settings).
  • Click “Scanning”.
  • Select:
  • “Scan within archives”
  • “Scan my IE Favorites for banned URLs”
  • “Scan my hosts file”
  • Click “Tweaks”.
  • Click “Cleaning Engine”.
  • Select “Automatically try to unregister objects prior to deletion”.
  • Click “Proceed”.
  • Click “Start”.
  • Select “Use custom scanning options”.
  • Click “Next” and wait for the scanning process to complete.
  • Select all the items found for removal. (“Removal” actually puts things in quarantine, so you can generally recover them if you need to.)
  • Reboot your computer.
  • Repeat the last 5 steps from “Start” until no more items are found.

[url=http://www.bleepingcomputer.com/forums/index.php?showtutorial=48:5bd15]Ad-Aware SE Tutorial[/url:5bd15]

  1. Run SpyBot S&D. Make sure all other windows are Closed and your browser isn’t running.
  • Click on “Update” in the left column.
  • Click on “Search for Updates”.
  • Select a download location (usually one close to you). I usually choose the Rootboxen.net(USA)
  • Click “Download Updates” and wait of the updating process to finish.
  • Check that all Internet Explorer (web browser) windows are closed.
  • Click “Search and Destroy” in the left column.
  • Click “Check for Problems”.
  • Have Spybot remove/fix all the problems it identifies in RED. The items not listed in red should not be touched at this time.

[url=http://www.bleepingcomputer.com/forums/Using_Spybot_Search_&_Destroy_to_remove_Spyware_from_Your_Computer-tut43.html:5bd15]Spybot S&D Tutorial[/url:5bd15]

  1. Download, install, update and run an Anti-Trojan Application. Choose one of these:

[url=http://www.ewido.net/en/download/:5bd15]Ewido Security Suite[/url:5bd15] (Free 14-day test version)
First update it by clicking the UPDATE button on the left side panel, then pressing “Start Update”.
Then do a scan while in [url=http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406?OpenDocument&src=sec_doc_nam:5bd15]SAFE MODE[/url:5bd15]. Press the SCANNER button on the left side panel, then press “Complete System Scan”.

[url=http://www.misec.net/trojanhunter/:5bd15]TrojanHunter[/url:5bd15] (30-day free trial)
Update it, then reboot into safe mode and run the program.

  1. If there is still a problem, download [url=http://www.spywareinfo.com/~merijn/files/HijackThis.exe:5bd15]HijackThis[/url:5bd15].
    Open up My Computer or Windows Explorer and on the toolbar go to File | New Folder. Create a new permanent folder called HijackThis. Copy and paste hijackthis.exe into that new folder, then double click it to run the program.
  • DO NOT RUN IT FROM YOUR DESKTOP OR TEMP FOLDER.
    Backups will be stored there for products removed, just in case.
    When you run HijackThis, close ALL other windows and click on SCAN at the bottom left.
    When it is finished scanning, click on SAVE LOG. Where it says “Save In” at the top of the save window, browse to your newly created HijackThis folder and name it HijackThis_TODAY’S DATE.log.

[url=http://www.bleepingcomputer.com/forums/index.php?showtutorial=42:5bd15]Here is a tutorial[/url:5bd15] on how to use it.

Copy and paste this log into a post started by you in PC Questions & Answers Forum (not in this thread) for us to see.

  1. Download [url=http://forums.net-integration.net/index.php?act=Attach&type=post&id=142443:5bd15]Find_It_s.zip[/url:5bd15] to your desktop.
    Make a new folder in C:
    Unzip/extract the files inside Find_It_s.zip to the new folder you made . Open the folder and run Find_It_s.bat and wait for a text to open. It will take a while …then post the resulting log. This will search for Aurora entries specifically, among other things.

  2. To prevent important system files being deleted accidentally, Windows XP and Windows Me has a feature called System Restore. It makes backups of of these system files and restores the backups if the original file goes missing.

To prevent malware being restored by the operating system, it is often necessary to clear the backup files from System Restore AFTER the malware is deleted. (This is called “clearing the System Restore points”. To do this, turn System Restore off, wait 30 seconds, and then turn System Restore back on.

Waiting until after your computer is clean of malware to clear the System Restore points is because if there is a problem during cleaning, System Restore can be used to try to correct it.

Instructions for turning System Restore on and off:
[url=http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?OpenDocument&src=sec_doc_nam:5bd15]Enabling/Disabling System Restore[/url:5bd15]
[url=http://service1.symantec.com/SUPPORT/nav.nsf/pfdocs/2000092513515106?Open:5bd15]Symantec - System Restore[/url:5bd15]

If you do a scan and get a virus detected in the _RESTORE or the System Volume Information folder (System Restore), but it cannot repair, quarantine, or delete the infected file…DO NOT WORRY ABOUT IT UNTIL THE REST OF YOUR SYSTEM IS CLEAN.

  1. Empty out these three(3) folders once your system is clean. (just the contents and not the folder itself):

Go to Start | Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure these 3 are checked and then press “ok” to remove:

Temporary Files
Temporary Internet Files
Recycle Bin
…or…

  • Temporary Internet Files. In the Control Panel, open Internet Options, and under the general tab, click on “Delete Files”.
    In the next window, put a check to “Delete all offline content” too. OK out to save.
  • Temp folder contents. In XP, that’s C:\Documents and Settings\User Name\ Local Settings\Temp. In Windows 98, it’s found in C:\Windows\Temp.
  • Empty the Recycle Bin.

If you don’t own a firewall or use Xp’s Windows Firewall, I would really recommend downloading a free one off the internet and [url=http://support.microsoft.com/kb/283673:5bd15]Disable Windows Firewall[/url:5bd15]

The best free firewalls are:
[url=http://www.zonelabs.com/store/content/company/products/znalm/freeDownload.jsp:5bd15]Zone Alarm Free[/url:5bd15]
[url=http://www.kerio.com/kpf_home.html:5bd15]Kerio Personal Firewall[/url:5bd15]
[url=http://smb.sygate.com/download_buy.htm:5bd15]Sygate Personal Firewall[/url:5bd15]
[url=http://www.agnitum.com/download/:5bd15]Outpost Firewall Free[/url:5bd15]

Then, make sure you visit the [url=http://v5.windowsupdate.microsoft.com/v5consumer/default.aspx?ln=en-us:5bd15]Windows Update[/url:5bd15] site and get all “High Priority” updates.

[url=http://computercops.biz/postt7736.html&sid=3ec42cd50600739e06643c98774ed683:5bd15]So How Did I get Infected In The First Place?[/url:5bd15]

[This message has been edited by drolfson (edited 07 December 2005).]

Thanks John,

I made a copy of your posting and put it
in my computer folder. Hope I never need it
again, but believe me, I sure could have
used all that info a couple of weeks ago.
Thanks! Warm regards, Jim

Oops, Sorry Don,

I don’t know why I persist in calling
you John. Don it is and thanks again for
the help. Warm regards, Jim

Don kindly gave us permission to highjack his post. It will be in the CyberAngler section on Monday…that way it will remain easily available to all. Thanks again Don.


LadyFisher, Publisher of
FAOL

With AOL I need not worry of such things as it’s free spyware protection wipes out ALL spyware…AOL is getting much better security wise…I’d not switch to any other again…no matter the price…I get very very little spam these days…

Hey Folks,

Deanna, I’m pleased that you are going
to include Don’s info on FAOL. It’s pretty
much info we may all need without warning.
Much appreciated.

Bilknepp, My isp has virus protection
too. And I just spent a lot of time getting
my computer back on track. I’m not sure
your isp can protect you from everything,
but I may be wrong. Anyway, can’t hurt to
have the info handy, just in case.G
Warm regards, Jim

Don,…

Thanks for the resources.

I guess folks just gotta be carefull on the Web and with e-mail.

I have good virus stuff and the firewalls at work and at home help lots too.

Then again, … I rarely open attachments, hundreds of e-mails per DAY get filtered out and I rarely let sites install “plugins”.

I also rarely use Microsoft’s Internet Explorer.

So far I’ve been pretty lucky I guess. If juniour can’t get the home computer infected, I guess the protection I set up at home is fairly good.


Christopher Chin, Jonquiere Quebec
[url=http://pages.videotron.com/fcch/:c7858]Fishing the Ste-Marguerite[/url:c7858]

[This message has been edited by fcch (edited 08 December 2005).]

“Deanna, I’m pleased that you are going
to include Don’s info on FAOL. It’s pretty
much info we may all need without warning.
Much appreciated.”

Jim, I agree but we should remember that stuff like that that we need in the crisis will be locked in cyber space which we will not have access to because the darn computer isn’t working…been there…

Never test the depth of the water with both
>feet.

Just a couple of notes on this.

1st) Many times you DO install something ‘innocent’ that will allow malicious attacks. One of the best examples of thisare the various ‘Browser Search Bars’. (ie, google, yahoo) They do some tracking themselves and have some agreements to piggyback other spyware with them. These are sometimes even installed with another program. (My wife accidentally installed Yahoo’s the other day with a kids game. Thanks Reading Rabbit! )

2nd) Print the instructions, or better yet, save them to a folder on the HDD. Then go download the tools into the same folder and burn it all to a CD. Install the things like Ad-Aware and get the immunization running now! You will not be sorry.

Oh, I also did not mention, but probably should, there is a wonderful FREE Anti Virus software at [url=http://www.avast.com/eng/download-avast-home.html:9cc8b]http://www.avast.com/eng/download-avast-home.html[/url:9cc8b] that will help to keep you from catching the bad bugs (even thru e-mail) to begin with.

Don

PS. For many of us, AOL is the original spyware/malware and is still one of the worst. The ‘free’ spam and virus they ‘give’ you is really to help them cut their costs, not to help you. Imagine all the e-mail they don’t have to transfer by doing this.

Don, … (et.al) …

Add to the actions, … for those who use a computer at work, … MANY companies offer FREE antivirus software to emplyees who own a computer at home.

Our company offers licenced software to employees for installation at home. Upgrades and DAT files updates are also free.

Seems, … the cost of these types of initiatives is less than unscrambling computers at the office when an emplyee accidentally brings an infected disk to the office from home.

Ask your IT departement if this is offered.


Christopher Chin, Jonquiere Quebec
[url=http://pages.videotron.com/fcch/:c82e4]Fishing the Ste-Marguerite[/url:c82e4]

Anti-virus software? anti-Spyware? anti-Adware? Gosh, I’ve never used them. I DO have a great firewall, tho, but it came free with the OS. I switched to Linux 5 years ago, and as IT director for our company, I decreed ALL company computers run Linux, no Windows allowed. If we were running windows, I’d never have time to fly fish.

Seriously, though, Linux is not for everyone. You may not be able to play all of the cutesy movie clips the people email to you (though, most work fine), and some specialized windows applications don’t have an equivilant and won’t run on a windoze emulator. But all basic and most advanced business applications work just fine on it.

The Linux community reminds me a lot of the ham radio community. If you can find an “Elmer” locally that can help you thru the few windows-specific things you find that won’t run, you’ll never turn back.

DANBOB