This artical came from this website
http://inetexplorer.mvps.org/Darnit.htm
Read the advice at my prevention link
(
http://inetexplorer.mvps.org/data/prevention.htm) to reduce the chances of
your computer being infected.
Before trying to remove spyware:
1. Back up all essential data.
2. Download the recommended software (points 1 to 6 below)
3. After all software has been downloaded, installed and updated disconnect
the computer from the internet and/or any network to which it may be attached.
The software you should download and have ready to use is:
1. CWShredder -
http://www.intermute.com/spysubtract/cwshredder_download.html
2. AdAware (note that Lavasoft have now released Ad-Aware SE Personal
Edition, available from
http://www.lavasoftusa.com/support/download/ AdAware
6 users should update to SE as soon as possible. All previous versions are NO
LONGER SUPPORTED)Lspfix and Winsockfix, available at
http://www.cexx.org/lspfix.htm and
http://www.spychecker.com/program/winsockxpfix.html
3. Spybot Search and Destroy -
http://spybot.eon.net.au
4. A BHO disabler such as BHO Cop, BHO Demon or BHOCaptor (non XP SP2 users
only)
5. Microsoft Antispyware Beta -
http://www.microsoft.com/athome/security/spyware/software/default.mspx
6. LSPFix and Winsockxpfix (XP only) Note: Windows 95 users must install
Winsock 2.
7. HijackThis -
http://aumha.org/downloads/hijackthis.exe. You can also find
the latest version at the author's home site, being
http://www.merijn.org/downloads.html
Get the latest information about updates to various anti-spyware
productions from Siljaline (aka Microsoft MVP Randy Knobloch) at Security
Tools Updates and
http://www.msmvps.com/
Malware removal (beginner's step-by-step guide)
Some of the following advice may seem pedantic, or unnecessary, but I
strongly advise you to do everything in the order given to maximise your
chances of a successful outcome. A lot of modern malware, if given the
chance, will try to reinstall itself automatically. The steps below are
designed to minimise the chance of this happening.
A. Getting ready to disinfect....
1. Go to Control Panel, Folder Options, View Tab. Turn on the option to show
hidden files. Turn off the option to hide protected system files.
***WARNING!! Files are hidden by Windows for a very good reason. It is not
wise to 'experiment' with these files. Unfortunately, to successfully remove
modern malware we must turn this protection off. There is a risk to doing
this. Please turn the protection back on when you have finished cleaning
your system.***
2. Go to Control Panel, add/remove programs. Check for malware entries, use
the uninstall programs.
3. Reboot into safe mode:
Start the computer in safe mode - Windows XP
Start the computer in safe mode - Windows 2000
Start the computer in safe mode - Windows 98 and Windows 95 - hold down the
Ctrl key while you restart the computer, then choose 'safe mode' from the
menu that will appear
Start the computer in safe mode - Windows 95
4. Check all 'startup' folders for unwanted malware entries. Windows 95 and
98 users can examine their startup folder via the Start Menu. Those of us
who are using a later operating system should check ..\Documents and
Settings\All Users\Start Menu\Programs\Startup and ..\Documents and
Settings\<username>\Start Menu\Startup. Move any that you find on to your
desktop.
5. Right click the shortcuts that you have moved out of the startup folders
and select 'Properties'. Write down the target path. Use Windows Explorer to
navigate to the file being targeted, and rename JUST that file. Do NOT
delete it. ***WARNING!! Some people have been known to delete an entire
folder, or all the contents of a folder, if just one file is malware. DO NOT
DO THIS!!
A target path has been highlighted with a red box in this screen shot
6. Empty your IE cache and your other temporary file folders, eg: c:\temp,
c:\windows\temp or C:\Documents and Settings\<name>\Local Settings\Temp (the
path to your temp folder will change depending on your name) - sometimes
programs can be hidden in there.
7. Go to IE Tools, Internet Options, Temporary Internet Files {Settings
Button}, View Objects, Downloaded Program Files. A Windows Explorer window
will open. Obvious malware can be removed by right clicking on the object,
and selecting 'remove'.
8. If you are running Windows XP SP2, go to Tools, Manage Add-Ons. Examine
the list of 'Add-ons that have been used by Internet Explorer' and disable
anything that you do not want Internet Explorer to use. If you wish, the
add-ons can be re-enabled at a later time. If you are not running XP SP2,
you can use one of the third party BHO disablers recommended above.
Make sure you download and install Update KB888240 to solve a known problem
for XP SP2 where add-ins will sometimes hide themselves from the Add-On
Manager. The hotfix is available from:
http://www.microsoft.com/downloads/...9e-b116-4d38-b00c-ff1d529106c8&displaylang=en
9. Go to IE Tools, Internet Options, Accessibility. Make sure there is no
style sheet chosen (under User Style Sheet - format documents using my style
sheet). If the option is turned on, turn it OFF.
10. Once finished, reboot into safe mode.
B. Cleaning your computer - first sweep
1. Start CWSHREDDER and fix anything it finds.
2. Once finished, reboot into safe mode.
C. Cleaning your computer - second sweep
1. Start AdAware. Remember you should have updated it as soon as it was
installed, and you should also update it every time it is run (unless you
have already checked for updates that day).
2. Make sure that 'search for negligible risk entries' is turned on. Select
'use custom scanning options' then select 'customise'. Make sure the
following options are enabled: 'scan within archives', 'scan active
processes', 'scan registry', 'deep scan registry', 'scan my IE favorites for
banned URLs', 'scan my Hosts file'.
3. Select the 'tweak' option. Under 'scanning engine', make sure 'unload
recognized processes and modules during scan' is enabled. Enable 'scan
registry for all users instead of current users'.
4. Under 'cleaning engine' turn on 'always try to unload modules..', 'during
removal unload explorer and IE if necessary', 'let windows remove files in
use at next reboot', 'delete quarantined items after restoring'.
5. Use the 'select drives and folders to scan' option to ensure that your
ENTIRE hard drive is scanned (if you have more than one hard drive, scan all
of them (of course, do not include floppy and CD/DVD).
6. Once finished, reboot into safe mode.
D Cleaning your computer - third sweep
1. Run Spybot S&D. "Fix" anything marked red.
2. Once finished, reboot into safe mode.
E Cleaning your computer - fourth sweep
1. Run a full system scan using Microsoft AntiSpyware.
2. Once finished reboot into safe mode.
3. Complete a second full system scan.
4. Reboot into normal mode.
If you are unable to get on to the internet after cleaning up your
computer, run LSPfix. If that doesn't work, run Winsockfix. If you are using
XP SP2 and are unable to access the internet after removing malware, the
following commandline may help - it will reset the winsock catalogue:
netsh winsock reset
Once the computer is clean, and if it applies to the operating system,
create a new restore point. The old ones may, of course, be infected with
the malware and cannot be used. Once the old restore points have been
flushed, create a new (clean) one.
Windows XP - Start, All Programs, Accessories, System Tools, Disk Cleanup.
Options Tab, Clean Up.
or
Windows XP - Control Panel, System. System Restore Tab. Enable 'turn off
system restore on all drives'. Apply. Uncheck box. Click ok.
Windows ME - right click My Computer, select Properties. Performance tab,
File System. Troubleshooting tab. Enable 'Disable System Restore'. Ok
twice, then click yes to reboot your computer. After rebooting, turn System
Restore back on.
If the malware problem comes back further specialised assistance is
available via various anti-spyware forums, my preferred forum being
http://aumha.net. Alternative forums include
www.lavasoftsupport.com and
www.spywareinfo.com.
You will need to post a HijackThis log at the anti-spyware forums for
analysis, but please make sure that you have attempted to clean your system
as per the advice above before generating the log file.
The following information is for advanced users and for professional
technical support - these steps are NOT recommended for the inexperienced. I
have not provided detailed instructions or advice and have assumed a higher
than average level of skill....
Remember, do as much as you can in safe mode.
Examine win.ini, autoexec.bat, system.ini, config.nt, autoexec.nt as
relevant. Pay specific attention to shell= and load= Fire up services.msc.
Search for unusual or unexpected *.bat files and unexpected autostart entries
in the Run, RunOnce, RunOnceEx, RunServices, Services, Winlogon and Scripts
registry keys. MSCONFIG, (Services Tab - hide all Microsoft Services) can be
helpful. Search the rest of the registry for any further references to
discovered malware files, in hopes you will find pointers to other files or
CLSIDs that can searched for to reveal other keys or pointers. Invariably if
you find a malware key in one of those keys, you'll find a further reference
to the component elsewhere.
Also watch out for entries at:
HKLM\SOFTWARE\Microsoft\Windows\NT\CurrentVersion\Windows\AppInit_DLLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
I strongly recommend that unless you have a lot of experience working in
this area that until such time as I am able to track down a comprehensive
list of legitimate services (or put one together myself), that you post
details of the services revealed by services.msc to aumha.net for
professional guidance. If you turn off the wrong service you could cause
serious problems, and at the very worst, leave the computer unbootable.
An experienced computer technician can use programme such as AutoStart
Viewer for in-depth diagnosis:
http://www.diamondcs.com.au/index.php?page=asviewer
Or Process Viewer for Windows:
http://www.teamcti.com/pview/
Or 'Silent Runners':
http://www.aaronoff.com/silent_runners/
Or APM (Advanced Process Manipulation):
http://www.diamondcs.com.au/index.php?page=apm
StartupTracker
www.dougknox.com
Fighting virus.win32.bube/troj/down.admincash? This utility may be of
assistance in replacing the infected explorer.exe
http://www3.telus.net/_/replacer/. More info about this nasty adware can be
found at
http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=41518,
http://securityresponse.symantec.com/avcenter/venc/data/downloader.admincash.html
The Microsoft Giant Antispyware beta saved my butt the other day, protecting
my system from attempted 180Solution reinstalls that were part of the
crapware Intelligent Explorer (aka IEPLUGIN).
