| Thread ID: 49946 | 2004-10-05 20:16:00 | FAQ #16 - Spyware, adware and viruses - how do I get rid of them? | -FAQ- (807) | Press F1 |
| Post ID | Timestamp | Content | User | ||
| 278483 | 2004-10-05 20:16:00 | FAQ #16 - Spyware, adware and viruses - how do I get rid of them?

Originally written by Susan B

SUMMARY: If your computer is infected with spyware, adware, viruses or trojans do the following:

• For Windows ME/XP, disable your System Restore. Remember to re-enable it after your computer is clean.
• Set your computer to show hidden files.
• Download, install and run CCleaner (www.majorgeeks.com/download4191.html) (to clear out your temporary internet files, temporary files, history, index.dat files, etc) and McAfee AVERT Stinger (majorgeeks.com/download4063.html).
• If you have an anti-virus program, ensure it is up-to-date and do a full scan.
• If you have no anti-virus program installed, download, install and run AVG (free.grisoft.com/freeweb.php/doc/2/) free anti-virus.
• Do an online virus scan at one (or more) of the following sites:
    TrendMicro (www.trendmicro.com/en/home/us/personal.htm)
    Panda (www.pandasoftware.com/activescan/com/activescan_principal.htm)
    McAfee (us.mcafee.com/root/mfs/default.asp)
    Bit Defender (www.bitdefender.com/scan/licence.php)
    RAV (www.ravantivirus.com/scan/)
    Kaspersky (www.kaspersky.com/scanforvirus.html)
    PC Pitstop (www.pcpitstop.com/antivirus/default.asp)
• Do an online trojan scan here (www.windowsecurity.com/trojanscan/).
• Download, install and run the following programs, preferably from safe mode:
    Ad-aware SE (http://www.lavasoftusa.com/) (see instructions further down if required)
    Ad-Aware VX2 Cleaner Plug-In (majorgeeks.com/download4283.html)
    SpyBot Search and Destroy (http://www.safer-networking.org/) (see instructions further down if required)
• If you still have problems carry on with the following:
    CWShredder (www.majorgeeks.com/download4086.html) (run the Scan and Fix)
    Kill2me (www.majorgeeks.com/download4166.html)
    about:Buster (majorgeeks.com/download4289.html)
    A2 (www.emsisoft.com/en/software/free/)
• If you still have problems you will need to use HijackThis (majorgeeks.com/download3155.html). Be very careful with this tool as incorrect use can cause your computer to not work at all. Ask for help on Press F1 if necessary.

For detailed assistance with some of the above tools see below.

Ad-aware

• Download Ad-aware from here (www.lavasoft.de/support/download/) or the link further up the page.
• Install the program and launch it.
• It is strongly recommended that you fully read the included Ad-aware help file to familiarise yourself with the program before removing any files.
• Before you scan with Ad-aware, check for updates of the reference file by using the "Webupdate".
• Once Ad-aware has downloaded and installed the latest reference files you are ready to scan.
• Click Start and in the next window make sure Full System Scan is ticked, then click Next and the scan will begin.
• When the scan has finished, right-click in the window and choose Select All from the drop-down menu to remove all entries. If you wish, you can safely ignore any MRU (Most Recently Used) entries and not delete them.
• Restart your computer.
Note: After your computer has been completely cleaned of adware, spyware, etc and you are sure you have no problems, you can use the faster Smart Scan as your most used scan and just use Full System Scan once monthly.

Spybot Search and Destroy

• Download Spybot Search and Destroy from here (www.majorgeeks.com/download2471.html), here (spybot.eon.net.au/en/mirrors/index.html) or from the link further up the page.
• Install the program and launch it.
• Before scanning, click on the Online tab then Search for Updates.
• Put a tick next to all updates then click on Download updates and wait for them to install.
• Click on the Spybot-S&D tab then Check for Problems and, when the scan is finished, let Spybot fix/remove all it finds marked in RED.
• Restart your computer.
• Be sure to take advantage of the "Immunize" feature in Spybot (see below).

CWShredder and HijackThis

• CWShredder (www.majorgeeks.com/download4086.html) utility (by the author of Ad-Aware anti-spyware program and the HijackThis scanning utility). After installing this small utility, the welcome screen gives you a choice to Scan Only, which should be done for safety as well as the educational value, to see where any trojan is hiding. After scanning you may choose Next to proceed with removal. Note: CWShredder is no longer being updated and therefore may need to be run only as a last resort. Seek advice prior to using.
• HijackThis (mjc1.com/mirror/hjt/) is used to examine certain key areas of the Registry and Hard Drive and list their contents. It is advisable to seek help before deleting any entries listed in the HijackThis contents list, otherwise you may remove items needed to run legitimate programs and add-ins. Assistance can be found at the links listed on the program's homepage.
You need to create a folder for HijackThis on the hard drive (eg in Program Files or My Documents) prior to running. A tutorial for using HijackThis is available here (forums.majorgeeks.com/showthread.php?t=38752).

IMPORTANT: After using HijackThis you must update to the very newest versions of these programs before using again, so uninstall this utility once your system is clean and everything has been running smoothly for a while. This is because new variants on trojans can cause older versions to inflict severe damage on an infected computer.

MORE INFORMATION

Hijacked homepage

• If your Homepage in Internet Explorer has been hijacked with an unwanted webpage that loads every time you start IE and go online, and you have followed the instructions in FAQ #17 - How do I reset my homepage in IE?, you will now need to follow the instructions in the Summary above.
• CWS (CoolWebSearch) is a trojan that hijacks Internet Explorer's start and search settings to one of several different web sites. Most of these web sites appear to have an affiliate relationship with coolwebsearch.com in which CoolWebSearch pays them for every visitor they refer. There could be other domains involved in the future. To remove CWS you need CWShredder as listed above or seek further advice.

New.Net Spyware

If you have installed Imesh you will have also installed the associated spyware including NEW.NET, which upon removal may cause Internet Explorer to no longer work but bring up the error message "DNS Error" when trying to load web pages. Your computer may also become very slow.

The following advice was contributed by Jim B for removal of NEW.NET.

This little piece of spyware (NEW.NET) alters the Winsock keys in the Registry to suit its own needs. Go to Add/Remove programs in the Control Panel. If you find new.net listed there, remove it. Reboot when finished and try browsing the internet.
If you are still having the problem of being able to connect to the internet but not being able to go anywhere then do the following:

If using Win XP you won't have the following in Add/Remove, just delete the Winsock2 file.

1) Go to Control Panel>>Add/Remove Programs>>Windows Setup. Uncheck Communications. Click Apply>>OK. It will ask you to reboot. DO NOT REBOOT.
2) Open up the Registry Editor by going to Start>>Run>>regedit. Browse to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services. At the bottom of that thread you will see a folder called Winsock2. Right click on it and delete the file. Close the registry editor.
3) Go back to Add/Remove Programs>>Windows Components. Double click on Communications (the word, not the checkmark box). Put a check in Dial up Networking. Click OK. You will be prompted to reboot. This time... REBOOT.

Upon reboot... connect to your ISP and attempt to browse.

Preventing future attacks

Once you have removed all the spyware from your system the following tips will go a long way toward keeping your PC free of these pests and prevent further homepage hijackings.

• Use the Immunize feature in Spybot. Read the Help file in Spybot relating to Immunity to learn what this feature does and how to use it. Be aware, however, that it can prevent Windows Updates from working and you will need to temporarily un-immunize your PC to let it work. Remember to re-immunize your PC after running Windows Update.
• Download and install SpywareBlaster (www.majorgeeks.com/download2859.html) (link also on Spybot's Immunize page) and SpywareGuard (www.majorgeeks.com/download3045.html).
• Perform weekly scans with Spybot and Ad-aware.
• Important!: ALWAYS check for updated detections and reference files before scanning with Spybot and Ad-aware. Also be sure to check for updates to SpywareBlaster and SpywareGuard on a weekly basis, and after using HijackThis and/or CWShredder you must update to the very newest versions of these programs before using either of them again.
• Make sure Windows Critical Updates have been applied. Some of the more evil spyware/malware uses flaws in Internet Explorer to auto download and install their software.
• A computer does not have to go to a site to get infected - if a computer on the same LAN goes to a dodgy site the site can infect the PC that is sharing the internet to the rest on the LAN. If you are running a Windows router/firewall PC make sure it is kept up-to-date.
• Using a software firewall can help in alerting you that you have been infected. However, a firewall is of little use if the operator lets the spyware in through the firewall.
• Using an alternative browser to Internet Explorer such as Mozilla, Mozilla Firebird, Opera, etc will go a long way towards affording good protection against many of the nasties because they do not utilise the ActiveX controls that are used to cause a lot of the damage.
• If you do use Internet Explorer, ensure that Download signed ActiveX Controls, Run ActiveX controls and plug-ins and Script ActiveX controls marked safe for scripting are set to Prompt in Tools>Internet Options>Security>Custom Level. When you are prompted for these items only accept those that are necessary and you know should be safe.
• Download unsigned ActiveX controls should be set to Disable, as should Initialize and script ActiveX controls not marked as safe.
• For information on how to configure Internet Explorer to allow safe browsing see this page (hacker-eliminator.com/safebrowsing.html).
• The most important way to prevent being infected is the USER reading and understanding what they are installing or clicking on. A common way to infect a PC is to fool the user into downloading/installing software.
Some are easy to spot eg "FREE XXXXX software" or "XXXX dialer", others need more caution.

Warning: Not all spyware/virus removal tools are safe to use. Check this page (www.spywarewarrior.com/rogue_anti-spyware.htm#products) to see which ones are recommended and which ones should be left alone.

So what is spyware?

Spyware can make your computer and/or internet browsing run much slower than it used to and can change your Homepage to something other than one you have chosen yourself, often to porn sites. Other nasties that can install themselves onto your computer are diallers which use your internet connection to dial out to overseas phone numbers and rack up expensive toll calls. For an explanation of what spyware is and what it does have a look at this page (www.simplythebest.net/info/spyware.html).

A word about Adware

Adware is generally different to spyware. Many programs come with adware to support the creation and development of the free program that you would otherwise have to pay for. A scan with Ad-aware lists the adware files and allows you to choose which you wish to delete. You can then check out whether the program's adware is invasive or not by looking it up in Google. If you use an application that contains adware, you know about it and it acts reasonably (ie not covertly but fully explains its functions) then you could consider tolerating it as a small price to pay for a free program.

Links to useful information

• Net-Integration (www.net-integration.net/tools/index.html): Information on how to tighten your security settings and how to help prevent future attacks. Includes links to Javacool's SpywareBlaster and SpywareGuard. Get them both and check for updates frequently.
• Net-Integration (www.net-integration.net/cgi-bin/forum/ikonboard.cgi?;act=ST;f=38;t=3051): So how did I get infected in the first place?
• Net-Integration (www.net-integration.net/cgi-bin/forum/ikonboard.cgi?s=8f635058c8038359b837557772c42788;act=ST;f=38;t=2710): List of all known Browser Helper Objects (BHOs).
• Spy Checker (http://www.spychecker.com/): Spyware tools.
• DarnIt (www.mvps.org/inetexplorer/Darnit.htm#ieplugin): List of spyware and other parasites.
• SpywareInfo (www.spywareinfo.com/~merijn/index.html): Spyware information and tools (Note: site is not always available).
• Rogue spyware tools (www.spywarewarrior.com/rogue_anti-spyware.htm)

Original FAQ available from here (pressf1.pcworld.co.nz/thread.jsp?forum=1&thread=41858&message=220430&q=faq+%238b#220430). |
-FAQ- (807) | ||
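Added example, not part of the original FAQ: a Python check of the five Internet Explorer ActiveX settings listed under "Preventing future attacks", run against the text of a registry export of the Internet zone. The URL action numbers, the value meanings (0 Enable, 1 Prompt, 3 Disable) and the Zones\3 key are Internet Explorer's registry layout rather than anything stated in the FAQ, and the sample export is constructed.

```python
import re

# Internet Explorer URL action IDs for the five settings named in the FAQ
# (assumption: IE's registry layout, not from the FAQ). 0=Enable 1=Prompt 3=Disable.
PROMPT, DISABLE = 1, 3
RECOMMENDED = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1200": ("Run ActiveX controls and plug-ins", PROMPT),
    "1405": ("Script ActiveX controls marked safe for scripting", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
}
NAMES = {0: "Enable", 1: "Prompt", 3: "Disable"}
ZONE_KEY = r"Internet Settings\Zones\3"  # zone 3 is the Internet zone

def parse_zone(reg_text, zone_key=ZONE_KEY):
    """Return {action_id: value} for the dword values stored under zone_key."""
    values, in_zone = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):  # a new key header starts or ends the zone section
            in_zone = line.rstrip("]").lower().endswith(zone_key.lower())
        elif in_zone and (m := re.match(r'"([0-9A-Fa-f]{4})"=dword:([0-9A-Fa-f]{8})$', line)):
            values[m.group(1).upper()] = int(m.group(2), 16)
    return values

def audit(reg_text):
    """Return (setting, current, recommended) for each setting that differs."""
    found = parse_zone(reg_text)
    problems = []
    for action, (label, wanted) in RECOMMENDED.items():
        have = found.get(action)
        if have != wanted:
            shown = "missing" if have is None else NAMES.get(have, hex(have))
            problems.append((label, shown, NAMES[wanted]))
    return problems

# Constructed sample export (not from a real machine): two settings left on Enable.
SAMPLE = r'''[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000001
"1004"=dword:00000000
"1200"=dword:00000000
"1201"=dword:00000003
"1405"=dword:00000001
'''

if __name__ == "__main__":
    for label, have, want in audit(SAMPLE):
        print(f"{label}: currently {have}, FAQ recommends {want}")
```

A file written by regedit or reg export is UTF-16, so open it with encoding="utf-16" before passing its text to audit().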