AumHa Forums

Supporting Users of Windows Desktop Systems

All times are UTC - 8 hours [ DST ]




 Post subject: Pre-Installation Recommendations
PostPosted: Fri 8/13/04 12:20 am 
Courtesy of Robear Dyer

Check for hijackware and Trojans, thoroughly, before installing SP2. If you know your system is malware-befouled already, don't install SP2 until you've either dispatched the malware or you've reinstalled Windows.

Then from me - The following is from my Blog, http://defendingyourmachine.blogspot.com/, and will provide some more up-to-date information and links:


SysClean - Boot to Safe mode with Network Support (HowTo here: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406) or do a Clean Boot as above.

Recommended Approach for SysClean - Ian Kenefick's site here: http://www.ik-cs.com/got-a-virus.htm contains information and links to a number of useful programs concerned with virus removal including some not listed in this Blog. One in particular of several there written by David H. Lipman, Multi AV, is a "malware removal utility incorporating multiple command line scanners including McAfee, Sophos, Kaspersky and Trend engines" which can be selectively downloaded. See Procedure #2, here: http://www.claymania.com/removal-trojan-adware.html Note that it must be extracted to C:\AV-CLS, and I strongly recommend that you read the Help before using it. Some of the downloads (Sophos, for example) may be quite slow depending on the server involved, so be patient. This approach has the virtue, of course, of giving you access to a number of excellent AV products from one interface in addition to SysClean with which we are concerned here.

Alternative Approach #1 - Download sysclean.com , from Trend Micro, here: http://www.trendmicro.com/download/dcs.asp along with the latest released pattern file, here: http://www.trendmicro.com/download/pattern.asp Be sure to read the "How-to" info here: http://www.trendmicro.com/ftp/products/tsc/readme.txt Place them in a dedicated folder after appropriate unzipping.

Alternative Approach #2 - You might also want to get SYSCLEAN_FE, also written by David H. Lipman , available here: http://www.ik-cs.com/programs/virtools/Sysclean_FE.exe. There's a brief description here: http://www.ik-cs.com/more_information.htm. (If you download and use the updater from the beginning, it will automatically handle downloading the other files. Note: If you use Sysclean_FE, then it MUST be in the C:\sysclean folder in order to work correctly.) SYSCLEAN_FE offers the option of restarting in order to run SysClean in Safe mode; however, I would recommend that you use a Clean Boot to actually run both the SYSCLEAN_FE and SysClean programs when using the updater. (Note BTW that SYSCLEAN_FE will make a copy of your HOSTS file [see the end of this Blog for more about the HOSTS file], if any, renaming it hosts.bak, and then delete the original HOSTS file. To restore it when you've finished cleaning your machine, just rename hosts.bak back to HOSTS.)

NOTE: For all of the approaches, you can get a somewhat more current interim pattern file, the Controlled Pattern Release, here and manually unzip it to your SysClean folder: http://www.trendmicro.com/download/patt ... laimer.asp Look for the lptxxx.zip file after you agree to the terms. (Sorry, but Multi AV or the SYSCLEAN_FE Updater won't go get this one for you. However, if you manually download the CPR first and then use the updater, SysClean will automatically use these CPR definitions when it starts. Just be sure you put it in the appropriate SysClean folder.)


Show hidden and system files (HowTo here: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339) then go to Safe mode or, preferably, do a Clean Boot.

If you're using WindowsME or WindowsXP, SysClean (and the other cleaning tools below) may find infections within Restore Points which it will be unable to clean. You may choose to disable Restore if you're on XP or ME (directions here: http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm) which will eliminate ALL previous Restore Points, or alternatively, you can wait until cleaning is completed and then use the procedure within the *********'s below to delete all older, possibly infected Restore Points and save a new, clean one. This approach is in the spirit of "keep what you've got" so that you can recover to an at least operating albeit infected system if you inadvertently delete something vital, and is the approach I recommend that you take. See here: http://aumha.net/viewtopic.php?t=15265 Here are MVP Jim Eshelman's specific recommendations from that document (with which I'm in agreement):

(1) Know the risk of reinfection if you SystemRestore before it is cleaned.
(2) Until it is cleaned, don't use it unless you absolutely have to.
(3) Leave SR cache in place during cleaning since a leaky boat in a storm is better than no boat in a storm, and returning to an infected computer state is better than losing everything.
(4) Clean the machine.
(5) After the machine is clean, make a new SR point and purge all the old ones.
(6) Rescan to make sure things remain clean.

I recommend that you run SysClean with "Automatically clean or delete detected files" UNchecked and look in the log after the scan is complete (View Log) to determine what was found in order to handle any false positives and/or any malware found in your email databases. Read tscreadme.txt carefully, then do a complete scan of your system and clean or delete anything it finds EXCEPT EMAIL DATABASES OR FILES. These need special handling. See here: http://ik-cs.com/v2/virus-emaildatabase.htm

If anything is found (non-false positive or non-email - see below for some links which can help you identify these), then rerun SysClean with "Automatically clean . . ." checked this time. Reboot and re-run SysClean and continue this procedure until you get a clean scan or nothing further can be cleaned/removed.

Now reset things in msconfig if necessary and reboot to normal mode and re-run the scan again.

These scans likely will take a long time, as Sysclean is VERY extensive and thorough. For example, one user reported that Sysclean found 69 hits that an immediately prior Norton AV v. 11.0.2.4 run had missed.


Note that sometimes you need to make a judgement call about what anti-malware programs report as spyware. See here, for example: http://www.imilly.com/alexa.htm They can also sometimes generate "false positives" so look carefully before you delete things. There's a good list of categorized "unknown, safe, optional, spyware/adware, virus" programs to check against here: http://www.pcpitstop.com/spycheck/SWList.asp Some additional very useful lists are available here: http://castlecops.com/StartupList.html (Recommended) and here: http://www.windowsstartup.com/wso/browse.php (Recommended), and here: http://www.computer-support.nl/Computerhulp/taken.htm and here: http://www.answersthatwork.com/Tasklist ... sklist.htm and here: http://www.3feetunder.com/krick/startup/list.html and here: http://startup.networktechs.com/ There are online tests of possible malware components available here: http://virusscan.jotti.org/ and here: http://www.kaspersky.com/virusscanner


Another useful downloadable virus checker is Stinger, here: http://download.nai.com/products/mcafee ... tinger.exe


Some standard "malware" cleaning tools:

AdAware SE Personal Edition: http://www.lavasoftusa.com/support/download/
Tutorial here: http://www.bleepingcomputer.com/forums/ ... utorial=48

SpyBot Search and Destroy: http://www.safer-networking.org
Tutorial here: http://www.safer-networking.org/en/index.html

I recommend using both normally. Be sure and use the Default (NOT Advanced or Beta) Mode in Settings. After UPDATING, running from Safe mode or a Clean Boot and fixing ONLY RED things with SpyBot S&D, be sure to re-boot and rerun SpyBot again and repeat this cycle until you get a clean "no red" scan. The reason is that SpyBot sometimes has to remove things which are currently "in use" before it can then clean up others.

Download, UPDATE before running, and run: http://cwshredder.net/bin/CWSInstall.exe from this page:
http://www.intermute.com/spysubtract/cw ... nload.html (The new v.2+ which will automatically install in C:\Program Files\InterMute\SpySubtract\CWShredder.exe and put a shortcut on the Desktop. UPDATE and run the program from this install location or the shortcut after installation. This recommendation for CWShredder is NOT automatically a recommendation for the other programs advertised by Intermute in conjunction with this install.) or from here:
http://www.aumha.org/downloads/cwshredder.exe (v.2+ standalone) or here:
http://www.softpedia.com/public/scripts ... 10-17-150/ (v.2+) to remove the parasite. Try to run from Safe mode or a Clean Boot and be sure to close ALL other programs to the extent possible, especially ALL instances of IE and OE.

There's a good tutorial about CWS and using CWShredder here: http://www.bleepingcomputer.com/forums/ ... =47#domain See also: http://cwshredder.net/cwshredder/cwschronicles.html

BE SURE that you get v.1.59.0.1 or later or the new v.2! Note that CWShredder may make deletions/changes to your HOSTS file (sometimes as false positives) if you use your HOSTS file as a DNS cache rather than just for ad blocking, and that after cleanup you may need to restore it with a fresh copy of any local DNS and/or blocking entries or disable it before running CWShredder.

You will need to show Hidden files first and then at the end clear the malware garbage from your System Restore backups after you've cleaned up. It's best to perform CWShredder (and most other malware fixers too) from Safe mode and then reboot. AFTER cleaning things up, then you can disable and then re-enable System Restore. See ******** below.

HiJackThis: http://aumha.org/downloads/hijackthis.exe or here: http://www.bleepingcomputer.com/files/s ... ckthis.zip


Before you try to remove spyware using any of the programs below, download both a copy of LSPFIX here:
http://www.cexx.org/lspfix.htm

AND a copy of Winsockfix for W95, W98, and ME
http://www.tacktech.com/pub/winsockfix/WinsockFix.zip
Directions here: http://www.tacktech.com/display.cfm?ttid=257

or here for Win2k/XP
http://files.webattack.com/localdl834/WinsockxpFix.exe
Info and download here: http://www.spychecker.com/program/winsockxpfix.html
Directions here: http://www.iup.edu/house/resnet/winfix.shtm

The process of removing certain malware may kill your internet connection. If this should occur, these programs, LSPFIX and WINSOCKFIX, will enable you to regain your connection.

NOTE: It is reported that in XP SP2, the Run command

netsh winsock reset

will fix this problem without the need for these programs. (You can also try this if you're on XP SP1. There has also been one, as yet unconfirmed, report that this also works there.) Also, one MS technician suggested the following sequence:

netsh int reset all
ipconfig /flushdns

See also: http://windowsxp.mvps.org/winsock.htm for additional XPSP2 info/approaches using the netsh command.

An alternative approach with necessary .reg files which will often work even when the above doesn't is defined here, courtesy of Bob Cerelli:
http://www.onecomputerguy.com/ie_tips.htm#winsock_fix Recommended.

Remember - you need to do this ahead of time.


Remember that all of these programs need to be UPDATED before use if possible for that program.

*******ONLY IF you've successfully eliminated the malware, you can now make a new, clean Restore Point and delete any previously saved (possibly infected) ones. The following suggested approach is courtesy of Gary Woodruff: For XP you can run a Disk Cleanup cycle and then look in the More Options tab. The System Restore option removes all but the latest Restore Point. If there hasn't been one made since the system was cleaned you should manually create one before dumping the old possibly infected ones.*******


Last edited by Jim Byrd [deceased] on Wed 1/3/07 09:51 pm, edited 2 times in total.

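The Winsock repair step in the post above (netsh winsock reset, then ipconfig /flushdns) as an added example, not from the thread or its authors: a batch file for XP SP2 that backs up the HOSTS file (which SYSCLEAN_FE and CWShredder may alter), snapshots the Winsock catalog before and after the reset so you can see which LSP entries were removed, and keeps everything in a folder you choose. The folder name winsock-repair is an assumption; the script must be run from an administrator account.

```batch
@echo off
rem Added example, not part of the original post. Assumes Windows XP SP2
rem (where "netsh winsock reset" and "netsh winsock show catalog" exist)
rem and an administrator account. Output folder name is an assumption.
setlocal
set LOGDIR=%SystemDrive%\winsock-repair
set HOSTS=%SystemRoot%\system32\drivers\etc\hosts
if not exist "%LOGDIR%" mkdir "%LOGDIR%"

rem 1. Keep a copy of HOSTS: cleaners such as SYSCLEAN_FE rename it and
rem    CWShredder may delete entries, so you need something to restore from.
if exist "%HOSTS%" copy /Y "%HOSTS%" "%LOGDIR%\hosts.bak" >nul

rem 2. Record the Winsock catalog before the reset. Third-party Layered
rem    Service Provider entries here are what LSPFIX / WinsockFix remove;
rem    keeping the list lets you check later what the reset dropped.
netsh winsock show catalog > "%LOGDIR%\catalog-before.txt"

rem 3. Reset the catalog to the clean default and drop the DNS cache,
rem    the same two commands the post recommends.
netsh winsock reset
ipconfig /flushdns

rem 4. Record the catalog after the reset and produce a comparison file.
netsh winsock show catalog > "%LOGDIR%\catalog-after.txt"
fc "%LOGDIR%\catalog-before.txt" "%LOGDIR%\catalog-after.txt" > "%LOGDIR%\catalog-diff.txt"

echo Winsock reset done. Reboot, then review the files in %LOGDIR%.
echo Restore HOSTS from %LOGDIR%\hosts.bak only after you have checked it.
endlocal
```

The reset takes effect after a reboot; compare catalog-before.txt with catalog-after.txt to confirm that only the unexpected LSP entries disappeared.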
 Post subject: Are You Ready for SP2?
PostPosted: Fri 8/13/04 02:01 pm 

Joined: Tue 3/11/03 09:02 pm
Posts: 20154
Location: NW ChesCo, Pennsylvania, USA
Are You Ready for WinXP SP2?
http://www.microsoft.com/windowsxp/sp2/ ... oknow.mspx (pages of MVP & 'Windows Update Maven' Jupiter Jones). Last Edit: 15 Jan-07

_________________
~Robear Dyer (PA Bear)
AumHa VSOP, Admin & Moderator
MS MVP-Internet Explorer, Mail, Consumer Security, Windows Desktop Experience - since 2002
Steely-eyed Missile Man, Sensei, & Mule Skinner
Errabundi Saepe, Semper Certi
:L) Your donations help keep this site going & are very much appreciated: http://aumha.org/donate.htm


Last edited by Robear Dyer on Mon 1/15/07 07:50 pm, edited 2 times in total.

 Post subject: Re: Pre-Installation Recommendations
PostPosted: Sat 8/14/04 08:47 am 
Another point:

If you have installed any software that modifies standard system components, e.g. to give a different boot screen, or even a custom theme, uninstall it before installing either service pack.

Also, SP2 includes all the items in SP1, and may further update some of them. It is not necessary to install SP1 before getting SP2; nor to uninstall it or any other Microsoft Windows Updates.


 Post subject: An additional "new" MS reference
PostPosted: Mon 8/16/04 11:15 am 
The Guide for Installing and Deploying Updates for Microsoft Windows XP
Service Pack 2
(Formerly Known As "Hotfix Deployment and Installation Guide")
http://www.microsoft.com/technet/prodte ... eploy.mspx


 Post subject: Re: An additional "new" MS reference
PostPosted: Wed 9/22/04 12:56 pm 
One more thing to do. If you install 'TV Media', which carries with it a lot of Adware, this is established as preventing installation of SP2, to the extent that Microsoft has now provided a tool for its removal.

See
http://support.microsoft.com/?scid=kb;en-us;886590



Added by JRB: "If you have installed the applications Memory Meter or Speed Blaster from Total Velocity, it is likely you have T.V. Media installed on your system."

