Before trying to remove spyware:
Back up all essential data.
Download the recommended software listed below.
After all software has been downloaded, installed and
updated disconnect the computer from the internet and/or
any network to which it may be attached.
The software you should download and have ready to use is:
Lspfix and Winsockfix, available at
http://www.cexx.org/lspfix.htm and
http://www.spychecker.com/program/winsockxpfix.html
A BHO disabler such as BHO Cop, BHO Demon or BHOCaptor
(non XP SP2 users only)
http://www.pcmag.com/article2/0,4149,270,00.asp
http://www.definitivesolutions.com/bhodemon.htm
http://www.webattack.com/get/bho.shtml
AdAware (note that Lavasoft have now released Ad-Aware SE
Personal Edition, available from
http://www.lavasoftusa.com/support/download/ AdAware 6
users should update to SE as soon as possible. All
previous versions are NO LONGER SUPPORTED)
Spybot Search and Destroy -
http://spybot.eon.net.au
HijackThis -
http://209.133.47.12/~merijn/files/HijackThis.exe
CWShredder -
http://www.intermute.com/spysubtract/cwshredder_download.ht
ml
HackerDefender Disabler -
http://www.aumha.org/downloads/unhackdef.zip
Extract the BAT file to your desktop.
After obtaining the required software above, make sure you
check for updates and run the programmes in safe mode.
Malware removal (beginner's guide):
Go to Control Panel, Folder Options, View Tab. Turn on the
option to show hidden files. Turn off the option to hide
protected system files.
***WARNING!! Files are hidden by Windows for a very good
reason. It is not wise to 'experiment' with these files.
Unfortunately, to successfully remove modern malware we
must turn this protection off. There is a risk to doing
this. Please turn the protection back on when you have
finished cleaning
your system.***
Run HackerDefender Disabler. A DOS window will flash onto
your screen and then disappear. This is normal.
If you are using Windows XP SP2 download and install
Update KB888240 to solve a known problem where add-ins
will sometimes hide themselves from the Add-On Manager.
The hotfix is available from:
http://www.microsoft.com/downloads/details.aspx?
familyid=d788c59e-b116-4d38-b00c-
ff1d529106c8&displaylang=en
Go to Control Panel, add/remove programs. Check for
malware entries and use the uninstall programs, then
reboot. Check all 'startup' folders at
...\Documents and Settings\All Users\Start
Menu\Programs\Startup or
...\Documents and Settings\<username>\Start Menu\Startup
Go to start/run and type MSCONFIG. Go to the startup tab.
Disable everything that you do not recognise as legitimate
(do not disable any power profile options).
Now go to the Services tab. Turn on the option to 'hide
all Microsoft Services'. Disable everything that remains.
If you don't have this option, don't worry about it.
Reboot your computer and hold down the F8 key until the
boot menu options appear. Choose Safe Mode as your startup
choice. You will find information about what safe mode is,
and what it does, at this link
[
http://inetexplorer.mvps.org/data/safe_mode.htm]
If you are using Windows XP, go to Tools, Manage Add-Ons
and disable anything you don't want or recognise. If you
are not running XP SP2 use one of the BHO disablers
mentioned earlier.
Empty your IE cache and your other temporary file folders,
eg: c:\temp, c:\windows\temp or C:\Documents and
Settings\<name>\Local Settings\Temp (the path to your temp
folder will change depending on your name) - sometimes
programmes can be hidden in there - watch out for
mysterious *.exe files or *.dll files in those folders.
Go to IE Tools, Internet Options, Temporary Internet Files
{Settings Button}, View Objects, Downloaded Program Files.
Check for unrecognised objects there.
Go to IE Tools, Internet Options, Accessibility. Make sure
there is no style sheet chosen (under User Style Sheet -
format documents using my style sheet). If the option is
turned on, turn it OFF.
Start CWSHREDDER and fix anything it finds. Reboot back
into safe mode.
Start AdAware.
Remember to update using the 'check for updates now'
button. Update, then select 'start' option.
Make sure that 'search for negligible risk entries' is
turned on. Select 'use custom scanning options' then
select 'customise'. Make sure the following options are
enabled: 'scan within archives', 'scan active
processes', 'scan registry', 'deep scan registry', 'scan
my IE favorites for banned URLs', 'scan my Hosts file'.
Select the 'tweak' option. Under 'scanning engine', make
sure 'unload recognized processes and modules during scan'
is enabled. Enable 'scan registry for all users instead of
current users'.
Under 'cleaning engine' turn on 'always try to unload
modules..', 'during removal unload explorer and IE if
necessary', 'let windows remove files in use at next
reboot', 'delete quarantined items after restoring'.
Use the 'select drives and folders to scan' option to
ensure that your ENTIRE hard drive is scanned (if you have
more than one hard drive, scan all of them (of course, do
not include floppy and CD/DVD).
Once finished, reboot again into safe mode. Run Spybot
S&D. "Fix" anything marked red.
If you are unable to get on to the internet after cleaning
up your computer, run LSPfix. If that doesn't work, run
Winsockfix.
If you are using XP SP2 and are unable to access the
internet after removing malware, the following commandline
may help - it will reset the winsock catalogue:
netsh winsock reset
If the malware problem comes back further specialised
assistance is available via the Hijackthis forum at
http://forum.aumha.org - make sure you read the top
announcements about pre-post steps you should take before
generating a hijackthis log.
-----Original Message-----
I really need help, Spyware is not allowing me to use
much of my computer it is blocking a lot of my computer
functions. Do I disconnect or what?????????The computer
doctor program informs me its the spyware. Please reply..
or is this excercise a waste of my lime, as you guys
never answer
.
