Spyware
Malware
Basic Removal
Use BOTH Spybot and Ad-Aware, as each catches things the other does not.
SpyBot also has a feature that locks the Hosts file against malicious changes. Set the
program to Advanced mode, then navigate to "IE Tweaks" and turn on "Lock
Hosts File." SpyBot can also create its own protected Hosts file, which
blocks browser access to known hacker Web sites.
1. First, run BOTH programs in Safe Mode. To get there, hold the Ctrl key (or press
F8, or F5 on some machines) while the PC boots.
If you receive a "stuck key" error message, you've probably pressed the Ctrl key
too early in the boot process. Try again with slightly more delay.
2. Next, check your startup for anything that is still starting at bootup.
Click Start, Run and type msconfig, then uncheck everything that isn't necessary.

Unchecking Startup items does not disable the programs; it just stops them from
starting at bootup.
Next go through them and trace each one back to its folder; you may find your malware culprit there.

The bare minimum to leave checked would be:
scanregistry
systemtray
LoadPowerProfile
task monitor (only if you use it - I don't)
Here is a page listing some startup items that may help you decide:
http://www2.whidbey.com/djdenham/Uncheck.htm
If you are cleaning up just for general purposes, then this should do it. IF you have a really
pesky problem, then there are further steps, which I can go over if you need help.
For Seriously Infected PC's
Malware removal
At each step, document the files you rename or remove, and any registry settings you change.
1. On another PC, download the following tools:
Spywareblaster, HijackThis, CWShredder, Spybot S&D, Spysweeper, LSPFix.
Update them if possible, or download the update files. Burn to CD, etc.
2. Copy the files to the infected PC, into a separate directory.
Be aware that some files (such as Spybot and HijackThis) may have to be renamed to allow this.
3. Reboot to the Recovery Console, check startup services and disable things that
don't belong; e.g. the hackerdefender rootkit sometimes masquerades as the
"Microsoft uninstaller service".
4. Boot into Safe Mode and do a full registry backup (export).
5. Edit the registry/msconfig startup items and remove bad items (use your
judgement).
Some items will keep reappearing (such as http prefixing) even in Safe Mode.
6. Run HijackThis and kill off startup items. (The reason these programs should be
copied into a separate directory is that they create backup items in the directory
they are run from.)
7. Run CWShredder to search for and remove CoolWebSearch variants. Re-run until clean.
8. Uninstall spyware-installing and known buggy apps, such as Gator/GAIN apps,
Google toolbar, web tools or search tools, Webshots, file-sharing apps, etc. etc.
ad infinitum.
9. Check the Winsock 2 (wsock2) stacks in the registry and use LSPFix to remove any extra
layers such as NewDotNet.
10. In the windows (or winnt) and system\system32 directories, at a DOS prompt, do a
dir /od (order by date).
Rename items that shouldn't be there; they are generally easy to spot.
Check the properties of files for more info: if there is no info, it's probably spyware.
The standard method I use is to rename the files to the extension .RENAMED,
for example: myupdate.dll becomes myupdatedll.RENAMED.
Later you can search for and delete all .RENAMED files. Also do dir /as and dir /ah
(system and hidden files) and reset attributes if needed.
11. Check the windows\downloaded program files directory and remove ActiveX
controls: right-click, choose Properties, and the URL will tell you where it's from.
12. Check and remove suspect items from program files\IE\plugins and program
files\common files\*. Use the .RENAMED scheme if you are unsure.
13. Install Spybot, run it, and clean items.
14. Check the HOSTS file (windows\system32\drivers\etc) and remove redirections;
also check for a dropped HOSTS file in windows/winnt.
At this point you should have disabled or removed enough malware to get a relatively clean
boot.
15. Boot normally, re-run Spybot and update it.
Install & update Spysweeper.
Install & run Spywareblaster (resets registry items etc.).
16. Re-run CWShredder & HijackThis to make sure no more redirections are taking place.
17. Ensure anti-virus software is up to date.
18. Run Windows Update (optional).
You will probably have to repeat some steps a number of times, and reboot into DOS mode to
rename a number of files.
Most of the steps require knowledge of what should and should not be in the registry and
system directories, so be careful.
When you have identified what was removed, search through the registry for references to it.
In the case of NT rootkits, identifying and stopping the services is the hard bit.
Googling the files found may help you identify what is there.
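Step 14 above (and step 8 of the Hijacked Browsers section) says to remove redirections from the HOSTS file. The following Python script is an added example, not part of the original page or of any tool it lists: it parses a HOSTS file and reports every entry that points a hostname anywhere other than the machine itself, which is how a hijack entry differs from the protective 127.0.0.1/0.0.0.0 entries an MVPS-style file contains. The sample file content is constructed.

```python
import ipaddress

# Constructed sample HOSTS file, not taken from any real machine. Lines 2-4 are
# what a clean or MVPS-protected file looks like; lines 5-6 are hijack-style
# redirections of the kind step 14 says to remove (198.51.100.0/24 is a
# documentation range standing in for an attacker-controlled address).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0         ad.example-adserver.test      # MVPS-style blocking entry
127.0.0.1       tracker.example.test          # MVPS-style blocking entry
198.51.100.23   www.google.com                # search page sent elsewhere
198.51.100.23   securityresponse.symantec.com # AV vendor site sent elsewhere
"""


def parse_hosts(text):
    """Return (line_no, ip, hostname) for every mapping in a HOSTS file."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                             # malformed line; leave it for manual review
        for name in parts[1:]:
            entries.append((n, ip, name.lower()))
    return entries


def find_redirections(text):
    """Return entries that send a hostname somewhere other than this machine.

    A clean or protective HOSTS file only maps names to 127.0.0.1 or 0.0.0.0
    (loopback / unspecified), so any other address is a redirection worth
    inspecting: it sends the browser to a host the malware chose.
    """
    return [
        (n, name, str(ip))
        for n, ip, name in parse_hosts(text)
        if not (ip.is_loopback or ip.is_unspecified)
    ]


if __name__ == "__main__":
    for line_no, name, ip in find_redirections(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {ip}")
```

A legitimate LAN entry (a file server, say) would also be listed, so treat the output as a review list rather than an automatic delete; on a real machine, pass in the contents of the file at the location given in step 14 instead of SAMPLE_HOSTS.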
Hijacked Browsers
1. Here is one place to read up on the about:blank hijacker if you have it:
http://www.securiteam.com/securityreviews/5RP0L0UD5U.html
2. If you use IE, you can use Internet Explorer's Internet Options dialog box to
reset your home and search pages back to what they were before.

3. Next go to Start, choose Run, type msconfig, and press Enter. Click the Startup tab.
In the resulting list, look for a command with either the word 'regedit' or '.reg' in it
(the command Zorko found was 'C:\Windows\regedit.exe /s C:\Windows\System\radB9819.tmp').
When you find it, uncheck it, then click OK.
It wouldn't hurt to delete the file mentioned in that line. Don't delete regedit.exe --
you need that -- but delete the other file referenced there. And it wouldn't hurt to edit
the Registry, searching for and removing all references to the offending site. BACK
UP A COPY OF YOUR REGISTRY FIRST!
4. If possible, run a full system scan with your antivirus software. You need to know what the threat is in order to remove it.
5. After you identify the threat, go to a Web site like Symantec's (or something
similar) to locate the needed removal tool. Download it and copy it to a floppy disk.
6. Now reboot the troubled PC into Safe Mode. Once there, insert the floppy disk with your downloaded removal tool into the floppy drive. (ME and XP users: be sure to disable System Restore first.)
7. Double-click the removal program icon and start the removal process. It will take a while for the program to complete. Once it has finished, it should give you a short report of what was removed, repaired, etc.
Things to keep in mind:
In some rare cases, system files may be damaged. In that case, running a
repair install of the OS will take care of the problem, versus trying to repair
each individual file.
XP users: after running your antivirus to double-check that the virus is in fact removed,
be sure to turn System Restore back on and then set a new restore point. This is
not mandatory, but it is a good idea in case of miscellaneous PC errors in
the future.
8. Once you have cleaned the item off, go here:
http://www.mvps.org/winhelp2002/hosts.htm
Scroll down to the section on Locking the HOSTS File. Get the "Hosts file"
and use it. I keep a shortcut to it on my desktop. This should prevent a
takeover next time.
SpyBot also has a feature that locks the Hosts file against malicious changes.
Click on Advanced mode, then navigate to "IE Tweaks" and turn on "Lock
Hosts File."

SpyBot can also create its own protected Hosts file, which blocks browser access to known hacker Web sites.
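Step 3 above relies on spotting a startup command that runs regedit or a .reg file. Here is an added Python example, not from the original page or from HijackThis/StartupList, that applies that heuristic to the registry export taken in step 4 of the Malware removal section instead of eyeballing msconfig: it parses the Run keys of a .reg file and flags commands that mention regedit, a .reg file or a .tmp file. The export text is constructed (the radB9819.tmp path is the one quoted in step 3; the "Settings" entry is made up).

```python
import re

# Constructed .reg export (not a real system's registry): the page's "bare minimum"
# startup items plus the regedit /s trick from the Hijacked Browsers section
# (radB9819.tmp is the path quoted there; "Settings" is a made-up second instance).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"Update"="C:\\Windows\\regedit.exe /s C:\\Windows\\System\\radB9819.tmp"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Settings"="regedit /s C:\\WINDOWS\\TEMP\\set.reg"
"""

RUN_KEY = re.compile(r"\\currentversion\\run(once|services|servicesonce)?$")
VALUE_LINE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def parse_reg_export(text):
    """Return (key, value_name, data) for every REG_SZ value in a .reg export."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]                      # new key header
        elif key and line.startswith('"'):
            m = VALUE_LINE.match(line)            # hex:/dword: values do not match
            if m:
                name, data = (s.replace("\\\\", "\\").replace('\\"', '"') for s in m.groups())
                entries.append((key, name, data))
    return entries

def suspect_startup_entries(text):
    """Flag Run-key commands that run regedit or import a .reg or .tmp file
    (the page's step-3 heuristic); everything outside the Run keys is ignored."""
    flagged = []
    for key, name, cmd in parse_reg_export(text):
        if not RUN_KEY.search(key.lower()):
            continue                              # only autostart keys matter here
        low = cmd.lower()
        reasons = [why for hit, why in (
            ("regedit" in low, "runs regedit at startup"),
            (".reg" in low, "imports a .reg file"),
            (re.search(r"\.tmp\b", low) is not None, "points at a .tmp file"),
        ) if hit]
        if reasons:
            flagged.append((key, name, cmd, reasons))
    return flagged
```

Exports written by regedit are UTF-16 encoded, so open a real one with encoding='utf-16' before passing its text in; REG_EXPAND_SZ values appear as hex(2): and are skipped by this parser.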
LINKS
Ad-Aware: Spyware removal tool.
ADS Spy: by Merijn.org. A small tool to list, view or delete Alternate Data Streams (ADS)
on Windows 2000/XP with NTFS file systems.
BugOff: by Merijn.org. This little app disables a few exploits that are commonly used by
browser hijackers (including CWS), thus protecting you from infection.
CWShredder: by Merijn.org. A small utility for removing CoolWebSearch
(aka CoolWwwSearch, YouFindAll, White-Pages.ws and a dozen other names). Spybot S&D
and Ad-Aware tend to miss essential parts of the hijack, so until they update, you can
use this to completely remove the hijack.
HijackThis: by Merijn.org. A general homepage hijacker detector and remover. Initially
based on the article Hijacked!, but expanded with almost a dozen other checks against
hijacker tricks.
LSPFix: Repairs Winsock 2 settings, damaged by buggy or improperly removed Internet
software, that result in loss of Internet access.
Spybot: Spyware removal tool.
Spysweeper: Anti-spyware. Detects and removes spyware and adware.
Spywareblaster: Prevents the installation of ActiveX-based spyware, adware, browser
hijackers, dialers, and other potentially unwanted pests. Blocks spyware/tracking cookies
in Internet Explorer and Mozilla/Firefox. Restricts the actions of potentially dangerous
sites in Internet Explorer.
StartupList: by Merijn.org. A simple tool that lists each and every auto-starting
program on your system; this is better than Msconfig. It checks the Autostart folders,
the Registry Run keys, Autoexec.bat, Stub Paths, ICQ Agent, program extensions, Win.ini,
System.ini, Wininit.ini, Wininit.bak, Winstart.bat and Dosstart.bat, and also checks for
duplicate instances of Explorer.exe and for superhidden extensions. Very simple program:
when launched it creates a list of all startup entries in the Registry and various Windows
files and displays them in a Notepad window.