
Spyware Malware
Basic Removal

Use the Spybot and Ad-Aware programs, as they catch things the other programs do not.

SpyBot also has a feature that locks the Hosts file against malicious changes. Set the program to Advanced mode, then navigate to "IE Tweaks" and turn on "Lock Hosts File." SpyBot can also create its own protected Hosts file, which blocks browser access to known hacker Web sites.


1.  First you should run BOTH programs in Safe Mode:

      Hold the Ctrl key, or press F8 (F5 on some systems), as Windows starts to reach the boot menu.

If you receive a "stuck key" error message, you've probably pressed the Ctrl key too early in the boot process. Try again with slightly more delay.

2. Next check your startup for programs that are still starting at bootup.

     Click Start, then Run, and type    msconfig.
     On the Startup tab, uncheck everything that isn't necessary.

[Screenshots: msconfig01.jpg, msconfig01a.jpg]


Unchecking Startup items does not disable the programs. It just doesn't start them at bootup.
Next go through them and trace each one back to its folder; you may find your malware culprit.

[Screenshot: msconfig02.jpg]

The bare minimum checked would be:

scanregistry
systemtray
LoadPowerProfile
task monitor (only if you use it - I don't)

Here is a page listing some of the items found in startup that might help you decide.

http://www2.whidbey.com/djdenham/Uncheck.htm


If you are running it just for general purposes, this should do it. If you have a really pesky problem, there are further steps below.

 

For Seriously Infected PCs

Malware removal


At each step, document the files you rename and remove, and the registry settings you change.

1.  On another PC, download the following tools:

      SpywareBlaster, HijackThis, CWShredder, Spybot S&D, Spysweeper, LSPFix.

      Update them if possible, or download the update files. Burn to CD, etc.

2.   Copy the files to the infected PC, into a separate directory.

      Be aware that some files (such as Spybot & HijackThis) may have to be renamed to allow this.

3.   Reboot to the recovery console, check the startup services and disable things that don't belong.

      e.g. the HackerDefender rootkit sometimes masquerades as the "Microsoft uninstaller service".

4.   Boot into safe mode and do a full registry backup (export).

5.   Edit the registry/msconfig startup items and remove bad items (use your judgement).

      Some items will keep re-appearing (such as http prefixing), even in safe mode.

6.   Run HijackThis and kill off startup items. (The reason these programs should be copied into a separate directory is that they create backup files in the directory they are run from.)

7.   Run CWShredder to search for and remove CoolWebSearch variants. Re-run until clean.

8.   Uninstall spyware-installing and known buggy applications, such as:

      Gator/GAIN apps,
      Google toolbar, and
      other web tools or search tools,
      Webshots,
      file-sharing apps, etc.

9.   Check the Winsock 2 stack in the registry and use LSPFix to remove any extra layers, such as NewDotNet.

10.  In the windows (or winnt) and system\system32 directories, at the DOS prompt, do a dir /od (order by date).

        Rename items that shouldn't be there. They are generally easy to spot.
        Check the properties of files for more info; if there is no info, it's probably spyware.


       The standard method I use is to rename the files to the extension .RENAMED.
       Example: myupdate.dll is changed to myupdatedll.RENAMED.

Later you can search for and delete all .RENAMED files. Also do dir /as and dir /ah (system and hidden files) and reset the attributes if needed.
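The quarantine scheme from step 10, as an added example that is not part of the original page: list a system directory by date the way dir /od does, flag DLL/EXE files that carry no version information (the "no info, it's probably spyware" check), rename a suspect with the .RENAMED convention while logging the change, and purge all .RENAMED files later. The version-information check is a heuristic: a Windows PE file that has a version resource contains the UTF-16 string VS_VERSION_INFO, so a file without it shows nothing on the Properties > Version tab. The directory and both files are constructed by build_sample_dir() so the script runs anywhere; the names goodlib.dll and xyz123.dll are made up for the example.

```python
"""The .RENAMED quarantine scheme plus the two checks that go with it:
list a system directory by date (dir /od) and look for version information.

Added example, not from the page.  build_sample_dir() creates two
constructed files in a temporary directory so the script runs anywhere.
"""
import os
import shutil
import tempfile

# Key string present in every PE version resource (UTF-16LE encoded).
VERSION_MARKER = "VS_VERSION_INFO".encode("utf-16-le")


def renamed_name(filename):
    """myupdate.dll -> myupdatedll.RENAMED (the page's convention)."""
    stem, ext = os.path.splitext(filename)
    return f"{stem}{ext.lstrip('.')}.RENAMED"


def has_version_info(path):
    """True if the file carries a version resource (Properties shows details)."""
    with open(path, "rb") as f:
        return VERSION_MARKER in f.read()


def list_by_date(directory):
    """Names in the directory, oldest first, like dir /od."""
    return sorted(os.listdir(directory),
                  key=lambda n: os.path.getmtime(os.path.join(directory, n)))


def suspects(directory):
    """DLL/EXE files with no version information, in date order."""
    return [n for n in list_by_date(directory)
            if n.lower().endswith((".dll", ".exe"))
            and not has_version_info(os.path.join(directory, n))]


def quarantine(directory, name, log):
    """Rename one file to the .RENAMED scheme and record the change in log
    (the page asks you to document every rename)."""
    src = os.path.join(directory, name)
    dst = os.path.join(directory, renamed_name(name))
    os.rename(src, dst)
    log.append((src, dst))
    return dst


def purge_renamed(directory):
    """Later step: delete every *.RENAMED file; returns how many were removed."""
    removed = 0
    for n in os.listdir(directory):
        if n.endswith(".RENAMED"):
            os.remove(os.path.join(directory, n))
            removed += 1
    return removed


def build_sample_dir():
    """Constructed stand-in for a system directory: one DLL with a version
    resource marker, one without, with distinct modification times."""
    d = tempfile.mkdtemp(prefix="sysdir_")
    good = os.path.join(d, "goodlib.dll")
    bad = os.path.join(d, "xyz123.dll")
    with open(good, "wb") as f:
        f.write(b"MZ" + b"\0" * 64 + VERSION_MARKER + b"\0" * 16)
    with open(bad, "wb") as f:
        f.write(b"MZ" + b"\0" * 80)
    os.utime(good, (1_000_000_000, 1_000_000_000))   # older
    os.utime(bad, (1_100_000_000, 1_100_000_000))    # newer: last in dir /od
    return d


def remove_sample_dir(directory):
    shutil.rmtree(directory)


if __name__ == "__main__":
    d = build_sample_dir()
    log = []
    for name in suspects(d):
        print("quarantining", name, "->", quarantine(d, name, log))
    print("directory now:", list_by_date(d))
    print("purged", purge_renamed(d), "file(s); log:", log)
    remove_sample_dir(d)
```

On a real machine, point the functions at the system directory and keep the log, since the .RENAMED name drops the original extension and cannot be reversed without it. Python's os.listdir returns hidden and system files too, but a rename can still fail on a file with the hidden or system attribute set; clear them first with attrib -h -s, which is what the dir /as and dir /ah step is about.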

11.  Check the windows\downloaded program files directory and remove ActiveX controls:

       right-click, choose Properties; the URL will tell you where it's from.

12.  Check and remove suspect items from program files\IE\plugins and program files\common files\*.

       Use the .RENAMED scheme if you are unsure.

13.   Install Spybot and run it; clean the items it finds.

14.   Check the HOSTS file and remove redirections (windows\system32\drivers\etc);

        also check for a dropped HOSTS file in windows/winnt.

At this point you should have disabled or removed enough malware to get a relatively clean boot.

15.   Boot normally, re-run Spybot and update it.
        Install & update Spysweeper.
        Install & run SpywareBlaster (resets registry items etc.)

16. Re-run CWShredder & HijackThis to make sure no more redirections are taking place.

17. Ensure anti-virus software is up to date.

18. Run Windows Update. (optional)

You will probably have to repeat some steps a number of times, and reboot into DOS mode to rename a number of files.


Most of the steps require knowledge of what should and should not be in the registry and system directories, so be careful.

When you have identified what was removed, search through the registry for references to it.

In the case of NT rootkits, identifying and stopping the services is the hard bit. Googling the files found may help you identify what is there.

Hijacked Browsers

1.  Here is one place to read up on the about:blank hijacker if you have it:

      http://www.securiteam.com/securityreviews/5RP0L0UD5U.html

2.  If you use IE, you can use Internet Explorer's Internet Options dialog box to reset your home and search pages back to what they were before.

[Screenshot: IEDefault.jpg]

3.  Next go to Start, choose Run, type msconfig, and press Enter. Click the Startup tab.

[Screenshot: msconfig03.jpg]

     In the resulting list, look for a command with either the word 'regedit' or '.reg' in it
     (the command Zorko found was 'C:\Windows\regedit.exe/s C\Windows\System\radB9819.tmp').
     When you find it, uncheck it, then click OK.



It wouldn't hurt to delete the file mentioned in that line. Don't delete regedit.exe (you need that), but delete the other file referenced there. It also wouldn't hurt to edit the Registry, searching for and removing all references to the offending site. BACK UP A COPY of your REGISTRY FIRST!
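The check in step 3, as an added example that is not part of the original page: given the (name, command) pairs shown on msconfig's Startup tab or in the Registry Run keys, flag any command mentioning regedit or a .reg file, and pull out the file that "regedit /s" imports silently, which is the file to remove rather than regedit.exe. The first three sample entries are typical Windows 98 startup items, the fourth is the command quoted on the page, and the fifth (Updater, homepage.reg) is constructed to show a variant with quoted paths.

```python
"""Scan startup entries for a silent Registry import, the trick a
homepage hijacker uses to restore its settings at every boot.

Added example, not from the page.  Entries are (name, command) pairs
as shown by msconfig's Startup tab or the Run keys in the Registry.
"""
import re

# "regedit /s <file>" imports <file> into the Registry with no prompt.
# Accepts the forms with or without ".exe", a closing quote, or a space before /s.
SILENT_IMPORT = re.compile(r'regedit(?:\.exe)?"?\s*/s\b', re.IGNORECASE)

# Constructed sample list; the fourth command is the one quoted on the page.
SAMPLE_STARTUP = [
    ("ScanRegistry", r"C:\WINDOWS\scanregw.exe /autorun"),
    ("SystemTray", r"SysTray.Exe"),
    ("LoadPowerProfile", r"Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"),
    ("radB9819", r"C:\Windows\regedit.exe/s C\Windows\System\radB9819.tmp"),
    ("Updater", r'"C:\WINDOWS\REGEDIT.EXE" /S "C:\WINDOWS\TEMP\homepage.reg"'),
]


def is_suspect(command):
    """The page's rule of thumb: any startup command mentioning regedit or a .reg file."""
    c = command.lower()
    return "regedit" in c or ".reg" in c


def imported_file(command):
    """Path of the file fed to 'regedit /s', or None if the command is not a
    silent import.  This is the file to delete, never regedit.exe itself."""
    m = SILENT_IMPORT.search(command)
    if not m:
        return None
    rest = command[m.end():].strip()
    if rest.startswith('"'):                 # quoted path, may contain spaces
        end = rest.find('"', 1)
        return rest[1:end] if end > 0 else rest[1:]
    return rest.split()[0] if rest else None


def audit_startup(entries):
    """Return [(name, command, imported_file)] for every suspect entry."""
    return [(name, cmd, imported_file(cmd)) for name, cmd in entries if is_suspect(cmd)]


if __name__ == "__main__":
    for name, cmd, path in audit_startup(SAMPLE_STARTUP):
        print(f"{name}: {cmd}")
        print(f"   uncheck in msconfig; file to remove: {path}")
```

The substring test is deliberately broad, matching the page's advice to look at anything with 'regedit' or '.reg' in it; a hit still needs a human to decide, and the .reg file itself is worth reading before deletion because it names the Registry keys the hijacker rewrites, which are the references to search for afterwards.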

4.  If possible, run a full system scan with your antivirus software. You need to know what the threat is in order to remove it.

5.  After you identify the threat, head over to a Web site like Symantec's (or similar) to locate the needed removal tool. Download it and copy it to a floppy disk.

6.  Now reboot the troubled PC into safe mode. Once there, insert the floppy disk with your downloaded removal tool into the floppy drive. (ME and XP users, be sure to disable System Restore first.)

7.  Double-click the removal program icon and start the removal process. It will take a while for the program to complete. Once it has finished, it should give you a short report of what was removed, repaired, etc.

 

Things to keep in mind:

In some rare cases, system files may be damaged. In this case, running a repair install of the OS will take care of the problem, rather than trying to repair each individual file.

XP users: after running your antivirus to double-check that the virus is in fact removed, be sure to turn your System Restore feature back on and set a new restore point. This is not mandatory, but it is a good idea in case of miscellaneous PC errors in the future.



8.  Once you have cleaned the item off, go here:     http://www.mvps.org/winhelp2002/hosts.htm

Scroll down to the section on Locking the HOSTS File. Get the "Hosts file" and use it. I keep a shortcut to it on my desktop. This should prevent a takeover next time.

SpyBot also has a feature that locks the Hosts file against malicious changes.
Click on Advanced mode, then navigate to "IE Tweaks" and turn on "Lock Hosts File."

[Screenshot: Spybot01.jpg]

SpyBot can also create its own protected Hosts file, which blocks browser access to known hacker Web sites.
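The HOSTS file check from step 14 above and step 8 here, as an added example that is not part of the original page. A blocklist HOSTS file such as the mvps.org one sends unwanted hostnames to 127.0.0.1 or 0.0.0.0, so the browser never reaches them; a hijacker does the reverse and sends legitimate hostnames to an address it controls. The script tells the two patterns apart, highlights hits on a small assumed list of commonly targeted domains, and writes a cleaned copy with the redirection lines commented out. The sample file content, the address 198.51.100.23 and the watched-domain list are all constructed for the example.

```python
"""Audit a Windows HOSTS file for hijack-style redirections.

Added example, not from the page.  Blocklist lines (host -> local machine)
are kept; lines that send a hostname to a routable address are reported
and commented out in the cleaned copy.
"""
import ipaddress

# Addresses that mean "go nowhere"; lines pointing here are blocklist entries.
BLACKHOLE = {"127.0.0.1", "0.0.0.0", "::1"}

# Hostnames a hijacker commonly redirects (assumed list, extend as needed).
WATCHED_DOMAINS = ("google.com", "symantec.com", "microsoft.com", "mvps.org")

# Constructed sample: a localhost line, two blocklist lines, three hijack lines.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# blocklist entries (harmless): unwanted hosts sent to the local machine
127.0.0.1       ad.doubleclick.net
0.0.0.0         www.coolwebsearch.com
# hijack entries: legitimate hosts sent to an outside address (constructed)
198.51.100.23   www.google.com
198.51.100.23   securityresponse.symantec.com
198.51.100.23   windowsupdate.microsoft.com
"""


def parse_hosts(text):
    """Yield (line_no, ip, [hostnames]) for each active mapping line."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue                             # malformed line, not a mapping
        yield n, parts[0], parts[1:]


def find_redirections(text):
    """Return (line_no, ip, host) for every mapping that sends a hostname
    to a routable address instead of the local machine."""
    return [(n, ip, h)
            for n, ip, hosts in parse_hosts(text)
            if ip not in BLACKHOLE
            for h in hosts]


def hijacked_watched(text):
    """Subset of find_redirections() that touches a watched domain."""
    return [hit for hit in find_redirections(text)
            if any(hit[2] == d or hit[2].endswith("." + d) for d in WATCHED_DOMAINS)]


def clean_hosts(text):
    """Return the file with every redirection line commented out, so the
    original content stays visible for the notes the page asks you to keep."""
    bad = {n for n, _, _ in find_redirections(text)}
    out = []
    for n, raw in enumerate(text.splitlines(), 1):
        out.append("# REMOVED: " + raw if n in bad else raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for n, ip, host in find_redirections(SAMPLE_HOSTS):
        print(f"line {n}: {host} -> {ip}")
    print(clean_hosts(SAMPLE_HOSTS))
```

Any mapping to a routable address is reported, not only the watched domains, because a legitimate intranet entry and a hijack look the same to the parser; review the full list before writing the cleaned file back to windows\system32\drivers\etc\hosts, and remember the page's note that a second copy may have been dropped in the windows or winnt directory.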

 

LINKS

Ad-Aware Spyware removal tool


ADS Spy: by Merijn.org    A small tool to list, view or delete Alternate Data Streams (ADS) on Windows 2000/XP with NTFS file systems.


BugOff: by Merijn.org       This little app disables a few exploits that are commonly used by browser hijackers (including CWS), thus protecting you from infection.


CWShredder: by Merijn.org       A small utility for removing CoolWebSearch (aka CoolWwwSearch, YouFindAll, White-Pages.ws and a dozen other names). Spybot S&D and Ad-Aware tend to miss essential parts of the hijack, so until they update, you can use this to completely remove the hijack.

HijackThis: by Merijn.org       A general homepage hijacker detector and remover. Initially based on the article Hijacked!, but expanded with almost a dozen other checks against hijacker tricks.


LSPFix:  Repairs Winsock 2 settings, damaged by buggy or improperly removed Internet software, that result in loss of Internet access.


Spybot:   Spyware removal tool


Spysweeper: Anti-spyware; detects and removes spyware and adware.


SpywareBlaster:   Prevents the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests. Blocks spyware/tracking cookies in Internet Explorer and Mozilla/Firefox. Restricts the actions of potentially dangerous sites in Internet Explorer.


StartupList: by Merijn.org     A simple tool that lists each and every auto-starting program on your system; better than msconfig. It checks the Autostart folders, the Registry Run keys, Autoexec.bat, Stub Paths, ICQ Agent, program extensions, Win.ini, System.ini, Wininit.ini, Wininit.bak, Winstart.bat and Dosstart.bat, and also checks for duplicate instances of Explorer.exe and for superhidden extensions. When launched, it creates a list of all startup entries in the Registry and the various Windows files and displays them in a Notepad window.

 

More on Hijacked Page Help