Use Spybot and Ad-Aware, as they catch things the other programs do not.
Spybot also has a feature that locks the Hosts file against malicious changes. Set the program to Advanced mode, then navigate to "IE Tweaks" and turn on "Lock Hosts File." Spybot can also create its own protected Hosts file, which blocks browser access to known hacker Web sites.
1. First, run BOTH programs in Safe Mode. To get there, hold the Ctrl key during boot (or press F8, or F5 on some systems) to reach the boot menu, then choose Safe Mode.
If you receive a "stuck key" error message, you have probably pressed the Ctrl key too early in the boot process. Try again with slightly more delay.
2. Next, check what is still starting at bootup.
Click Start, Run, type msconfig and press Enter, then open the Startup tab.
Uncheck everything that isn't necessary.
Unchecking Startup items does not disable or remove the programs; it only stops them from starting at bootup.
Then go through the remaining entries and trace each one back to its folder on disk; you may find your malware culprit there.
The bare minimum to leave checked would be:
task monitor (only if you use it; I don't)
Here is a page listing "some" startup items that might help you decide.
If you are running just for general purposes, then this should do it. If you have a really pesky problem, there are further steps which I can go over if you need help. Scroll down.
For Seriously Infected PCs
At each step, document the files you rename and remove, and the registry settings you change.
1. On another PC, download the following tools:
SpywareBlaster, HijackThis, CWShredder, Spybot S&D, Spy Sweeper, LSPFix,
plus their update files if possible. Burn them to CD or other removable media.
2. Copy the files to a separate directory on the infected PC.
Note that some files (such as Spybot and HijackThis) may have to be renamed to allow this, since some hijackers block or kill the known tool names.
3. Reboot to the Recovery Console (listsvc / disable), check the startup services and disable those that don't belong.
The HackerDefender rootkit sometimes masquerades as the "Microsoft uninstaller" service.
4. Boot into Safe Mode and do a full registry backup (export).
5. Edit the registry/msconfig startup items and remove bad items (use your judgement).
Some items will keep reappearing (such as http prefixing) even in Safe Mode.
6. Run HijackThis and kill off startup items. (The reason these programs should be copied into a separate directory is that they create backup items in the directory they are run from.)
7. Run CWShredder, search for and remove CoolWebSearch variants. Re-run until clean.
8. Uninstall spyware-installing and known buggy software, such as the Google toolbar, web tools or search tools, file-sharing apps, etc. etc. ad infinitum.
9. Check the Winsock 2 stacks in the registry (HKLM\System\CurrentControlSet\Services\WinSock2\Parameters) and use LSPFix to remove any extra layers such as NewDotNet.
10. In the windows (or winnt) and system\system32 directories, at a DOS prompt, do a dir /od (order by date).
Rename items that shouldn't be there; they are generally easy to spot.
Check the properties of files for more info; if there is no version information, it's probably spyware.
The standard method I use is to rename the files to the extension .RENAMED,
for example: myupdate.dll becomes myupdatedll.RENAMED.
Later you can search for and delete all .RENAMED files. Also do dir /as and dir /ah to list system and hidden files, and reset their attributes (attrib -s -h) if needed.
11. Check the windows\Downloaded Program Files directory and remove suspect ActiveX controls:
right-click, choose Properties, and the URL will tell you where it came from.
12. Check and remove suspect items from Program Files\Internet Explorer\Plugins and Program Files\Common Files\*.
Use the .RENAMED scheme if you are unsure.
13. Install Spybot and run it, clean items.
14. Check the HOSTS file (windows\system32\drivers\etc) and remove redirections;
also check for a dropped HOSTS file in windows/winnt.
At this point you should have disabled or removed enough malware to get a relatively clean boot.
15. Boot normally, re-run Spybot and update it.
Install and update Spy Sweeper.
Install and run SpywareBlaster (resets registry items etc.).
16. Re-run CWShredder and HijackThis to make sure no more redirections are taking place.
17. Ensure Anti Virus software is up to date.
18. Run Windows Update (optional).
You will probably have to repeat some steps a number of times, and reboot into DOS mode to rename a number of files.
Most of the steps require knowledge of what should and should not be in the registry and system directories, so be careful.
When you have identified what was removed, search through the registry for references to it.
In the case of NT rootkits, identifying and stopping the services is the hard bit. Googling the files you find may help you identify what is there.
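Steps 5 and 6 above come down to reading a list of startup entries and deciding which ones don't belong. The following Python script is an added example, not part of the original post and not code from HijackThis, StartupList or any other tool listed here. It triages a set of Run-key / msconfig Startup entries with a few heuristics of my own (a silent "regedit /s" import, a .reg or .tmp file, anything launched from a Temp directory) and pulls out the file a "regedit /s" line imports, which is the file the text says to delete while keeping regedit.exe itself. The entries are a constructed sample, not a capture from a real machine.

```python
import re

# Constructed sample of Run-key / msconfig Startup entries (name -> command).
# Not captured from a real machine; the regedit line is modelled on the
# "regedit /s <file>.tmp" pattern the text describes.
SAMPLE_STARTUP = {
    "ScanRegistry": r"C:\WINDOWS\scanregw.exe /autorun",
    "SystemTray": r"SysTray.Exe",
    "TaskMonitor": r"C:\WINDOWS\taskmon.exe",
    "LoadPowerProfile": r"Rundll32.exe powrprof.dll,LoadCurrentPwrScheme",
    "rad": r"C:\Windows\regedit.exe /s C:\Windows\System\radB9819.tmp",
    "Update": r"C:\Windows\Temp\msupdate.exe",
    "RegMerge": r"regedit.exe /s C:\Windows\System\startup.reg",
}

# Each rule is (compiled pattern, reason). Assumed heuristics, not a vendor list.
RULES = [
    (re.compile(r"\bregedit(\.exe)?\b.*[/-]s\b", re.I),
     "silent registry import (regedit /s) at every logon"),
    (re.compile(r"\.reg\b", re.I), "merges a .reg file at logon"),
    (re.compile(r"\.tmp\b", re.I), "runs or imports a .tmp file"),
    (re.compile(r"\\temp\\", re.I), "launched from a Temp directory"),
]


def triage_startup(entries):
    """Return {entry name: [reasons]} for every entry that trips a rule."""
    flagged = {}
    for name, command in entries.items():
        reasons = [why for pattern, why in RULES if pattern.search(command)]
        if reasons:
            flagged[name] = reasons
    return flagged


def imported_file(command):
    """Path passed to 'regedit /s' (the file to delete), or None.

    The pattern allows no space before /s, so the squashed form
    'regedit.exe/s file' is handled as well.
    """
    match = re.search(r"regedit(?:\.exe)?\s*[/-]s\s+(\S+)", command, re.I)
    return match.group(1) if match else None


if __name__ == "__main__":
    for name, reasons in triage_startup(SAMPLE_STARTUP).items():
        print(f"{name}: {SAMPLE_STARTUP[name]}")
        for why in reasons:
            print(f"    - {why}")
        target = imported_file(SAMPLE_STARTUP[name])
        if target:
            print(f"    file to remove (keep regedit.exe itself): {target}")
```

On a live machine you would feed the script the name/command pairs from HKCU and HKLM ...\Software\Microsoft\Windows\CurrentVersion\Run (or the StartupList output) instead of the constructed sample; the rules are deliberately narrow so that the ScanRegistry/SysTray-style entries the text keeps checked are not flagged.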
1. Here is one place to read up on the about:blank hijacker if you have it.
2. If you use IE, you can use Internet Explorer's Internet Options dialog box to reset your home and search pages back to what they were before.
3. Next go to Start, choose Run, type msconfig, and press Enter. Click the Startup tab.
In the resulting list, look for a command with either the word 'regedit' or '.reg' in it
(the command Zorko found was 'C:\Windows\regedit.exe/s C\Windows\System\radB9819.tmp').
When you find it, uncheck it, then click OK.
It wouldn't hurt to delete the file mentioned in that line. Don't delete regedit.exe (you need that), but delete the other file referenced there. It also wouldn't hurt to edit the registry, searching for and removing all references to the offending site. BACK UP A COPY OF YOUR REGISTRY FIRST!
4. If possible, run a full system scan with your antivirus software. You need to know what the threat is in order to remove it.
5. After you identify the threat, head over to a Web site like Symantec or something similar to locate the needed removal tool. From there, download it and copy it to a floppy disk.
6. Now reboot the troubled PC into Safe Mode. Once there, insert the floppy disk with your downloaded removal tool into the floppy drive. (ME and XP users: be sure to disable System Restore first, otherwise the infection can be restored from a saved restore point.)
7. Double-click the removal program icon and start the removal process. It will take a while for the program to complete. Once it has finished, it should give you a short report of what was removed, repaired, etc.
Things to keep in mind:
In some rare cases, system files may be damaged. In this case, running a repair install of the OS will help to take care of the problem versus trying to repair each individual file.
XP users: after running your antivirus to double-check that the virus is in fact removed, be sure to turn System Restore back on and set a new restore point. This is not mandatory, but it is a good idea in case of miscellaneous PC errors in the future.
8. Once you have cleaned the item off, go here: http://www.mvps.org/winhelp2002/hosts.htm
Scroll down to the section on locking the HOSTS file. Get the HOSTS file and use it. I keep a shortcut to it on my desktop. This should prevent a takeover next time.
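Step 14 of the heavy-cleaning procedure and step 8 here both say to check the HOSTS file for redirections and then lock it. As an added example (not part of the original post and not code from the MVPS project or Spybot), the following Python script audits a hosts file the way a practitioner would: any name mapped to a routable address is a redirection, while loopback/0.0.0.0 "sinkhole" entries, which are all a blocklist such as the MVPS file consists of, are only flagged when they cut off a security vendor or update site. The sample hosts file is constructed, the PROTECTED_SUFFIXES list is my own assumption, and is_read_only checks the attribute the "lock the HOSTS file" advice relies on.

```python
import ipaddress
import os
import stat

# Constructed sample modelled on a hijacked hosts file; not a real capture.
SAMPLE_HOSTS = """\
# Constructed sample, modelled on a hijacked hosts file (not a real capture)
127.0.0.1       localhost
0.0.0.0         ad.doubleclick.net
127.0.0.1       www.bad-site.example      # blocklist-style entry, harmless
203.0.113.45    www.symantec.com
203.0.113.45    securityresponse.symantec.com
203.0.113.45    www.google.com  www.yahoo.com
127.0.0.1       windowsupdate.microsoft.com
"""

# Vendors and update services a hijacker typically cuts off so the victim cannot
# fetch removal tools or patches. Assumed, illustrative list; extend as needed.
PROTECTED_SUFFIXES = (
    "microsoft.com", "windowsupdate.com", "symantec.com", "mcafee.com",
    "trendmicro.com", "safer-networking.org", "lavasoft.com", "merijn.org",
)


def _is_protected(host):
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in PROTECTED_SUFFIXES)


def audit_hosts_text(text):
    """Return (line_no, address, hostname, reason) for every suspect entry.

    Sinkhole entries (127.0.0.1 / 0.0.0.0 / ::1) are what a blocklist such as
    the MVPS hosts file consists of, so they are only flagged when they block a
    security vendor or update site. Any other address is a redirection.
    """
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            findings.append((line_no, fields[0], "", "malformed entry"))
            continue
        address, hosts = fields[0], fields[1:]
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            findings.append((line_no, address, " ".join(hosts), "unparseable address"))
            continue
        sinkhole = ip.is_loopback or ip.is_unspecified
        for host in hosts:
            if not sinkhole:
                findings.append((line_no, address, host, "redirected to a routable address"))
            elif _is_protected(host):
                findings.append((line_no, address, host, "security/update site blocked"))
    return findings


def audit_hosts_file(path):
    """Audit a hosts file on disk, e.g. C:\\Windows\\system32\\drivers\\etc\\hosts."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_hosts_text(fh.read())


def is_read_only(path):
    """True when the owner write bit is clear (the Windows read-only attribute)."""
    return not (os.stat(path).st_mode & stat.S_IWUSR)


if __name__ == "__main__":
    for line_no, address, host, reason in audit_hosts_text(SAMPLE_HOSTS):
        print(f"line {line_no}: {address:<15} {host:<32} {reason}")
```

Run audit_hosts_file against both windows\system32\drivers\etc\hosts and any dropped HOSTS file in windows or winnt; a clean MVPS-style file produces no findings, so anything the script reports is worth looking at. The read-only attribute that is_read_only checks only stops casual edits, which is why the text recommends Spybot's "Lock Hosts File" option on top of it.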
Ad-Aware: Spyware removal tool
ADS Spy: by Merijn.org. A small tool to list, view or delete Alternate Data Streams (ADS) on Windows 2000/XP with NTFS file systems.
BugOff: by Merijn.org. This little app disables a few exploits that are commonly used by browser hijackers (including CWS), thus protecting you from infection.
CWShredder: by Merijn.org. A small utility for removing CoolWebSearch (aka CoolWwwSearch, YouFindAll, White-Pages.ws and a dozen other names). Spybot S&D and Ad-Aware tend to miss essential parts of the hijack, so until they update, you can use this to completely remove it.
HijackThis: by Merijn.org. A general homepage hijacker detector and remover. Initially based on the article Hijacked!, but expanded with almost a dozen other checks against hijacker tricks.
LSPFix: Repairs Winsock 2 settings, damaged by buggy or improperly removed Internet software, that result in loss of Internet access.
Spybot: Spyware removal tool.
Spy Sweeper: Anti-spyware tool that detects and removes spyware and adware.
SpywareBlaster: Prevents the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests. Blocks spyware/tracking cookies in Internet Explorer and Mozilla/Firefox. Restricts the actions of potentially dangerous sites in Internet Explorer.
StartupList: by Merijn.org. A simple tool that lists each and every auto-starting program on your system; this is better than msconfig. It checks the Autostart folders, the Registry Run keys, Autoexec.bat, Stub Paths, ICQ Agent, program extensions, Win.ini, System.ini, Wininit.ini, Wininit.bak, Winstart.bat and Dosstart.bat, and also checks for duplicate instances of Explorer.exe and for superhidden extensions. When launched it creates a list of all startup entries in the Registry and the various Windows files and displays them in a Notepad window.
More on Hijacked Page Help