Go Back   Overclock3D Forums > [OC3D] Hardware & Software > Networks & Security
Reply
 
Thread Tools Display Modes
 
  #1  
Old 16-03-05, 06:25 AM
PV5150 PV5150 is offline
OC3D Elite
 
Join Date: Mar 2005
Posts: 9,934
How To Remove Browser Hijacks, Virus's, Spyware

Hi Guys

There seems to be an increase in the number of people falling victim to browser hijacks, popup ads and the like recently so I thought I might share a little knowledge and provide some steps for removing these nasties. This guide has been split in two, as I can't fit into the word count allocated-sorry LOL

There are a number of different type of programs that could be causing the mayhem on your system. I'll provide steps for removing each type in the order I would follow. At the end will be some steps you can take to prevent this from happening again.

Note: If you are using Spyware Eliminator or any other software from Aluria software stop using the software, you are not being protected. Read the warning at the end of this post.

Removal

1. Uninstall


Open the Add/Remove Programs control panel and read through the list of installed software for anything you don't recognise. If there's anything you don't recognise it's probably best to uninstall it. If you want to find out what it is try http://www.google.com and search for the name. While you're here you may as well uninstall anything you no longer need.

2. MSConfig

Click on Start and then Run. Type msconfig and press Enter. Click on the Startup tab. Here you have a list of all the programs that run when you start Windows. Untick anything you don't recognise. Be aware that some of these things may be required by some other software/hardware you have installed. For a very comprehensive, searchable list of possible startup items check out http://www.sysinfo.org/startuplist.php When you have made your changes click Ok and restart. When Windows loads a window will pop up reminding you that you have used MSConfig to make changes to your system. Tick the don't remind me box and click Ok. If something has stopped working run MSConfig again and enable it again.

3. System Restore

If you are running Windows ME or XP it's possible that some of the programs you'll be working hard to remove will be hiding in an old System Restore point. Probably the easiest way to remove your old restore points is to turn System Restore off. Open the System control panel and click on the System Restore tab. Tick the box "Turn off System Restore on all devices". Click Ok and reboot your computer. All previous restore points have now been removed. Leave System Restore off for the time being. We'll turn it back on later.

4. Viruses

One of the better options for virus removal is to take the infected drive and install it into another computer with up to date antivirus software. I'm not including details on how to do this as I consider it outside the scope of this how to. If you are not comfortable doing this skip down to the next paragraph. Provided you don't start opening files from the infected drive this will prevent the virus from activating. Some viruses may not be completely removed, or not be removed at all if they are active.

With or without the second computer it's best to scan for viruses with Windows booted into Safe Mode. To enter Safe Mode reboot your computer. After the BIOS has finished checking your RAM, drives and so forth it will hand over to your operating system. For Windows 98 this is the point where you need to hit F8, just before the Windows 98 splash screen is displayed. If you timed it right a menu will show up with a number of different startup options. Select Safe Mode. Windows 2000 and XP both have a prompt to say you can press F8 now to access the menu.

Under Safe Mode Windows will only load the bare minimum it needs to run. This can help prevent viruses from working and make them easier to remove. Because of this your resolution will be set to 640x480 and the number of colours dropped to 16. Do not worry, this is only temporary. It will return to normal when you reboot.

Note: Safe mode was suggested knowing that this is best for Norton Anti Virus but not all virus scanners work under safe mode. As at 21/7/2004 Trend Micro's PC-Cillin does not work if you have booted into safe mode and are running Windows 2000 or XP. Trend Micro appear to be aware of this problem. Their current fix is to visit http://www.trendmicro.com/download/dcs.asp and download the Damage Cleanup Engine. There is no mention of this problem on that page and searching for "safe mode" in their Knowledge Base turned up no more relevant info. There are instructions on how to use the Damage Cleanup Engine on that page.

Once in Safe Mode open up your favourite antivirus software. What! you don't have a virus scanner! There are some free scanners out there. One popular free scanner is AVG Anti Virus Free Edition. You can download it from AVG's site here http://www.grisoft.com/us/us_dwnl_free.php Updates for AVG Anti Virus Free Edition are available here http://www.grisoft.com/us/us_updt6.php?lng=fe

If, for whatever reason you don't have a virus scanner and don't want to install one some antivirus companies provide a free online scan. Trend Micro http://housecall.trendmicro.com/ and Symantec http://securityresponse.symantec.com/ are two such companies.

Before you even think about running a scan update your virus definitions. Depending on your setup you may have to do this before you boot into safe mode. There's no point trying to scan for the latest virus if your definitions are several months out of date.

Some antivirus software gives you the option to scan all files rather than just executable files, eg. .exe and .com files. Enable this option. While most viruses are hiding in executables there are some that infect non-executable files. Also, if you have the option, scan inside zip/archive files.

Ok, now you can run the virus scan. All clean? Great move on to the next step.

Found a virus? Better clean it up first. Depending on the virus your antivirus software may or may not be able to remove it. Follow any removal instructions given by your antivirus software. When you try to remove the virus there are three possible outcomes:

1. Your antivirus software removes the virus and all is good.

2. The virus won't go quietly and infected file may have to be deleted or replaced with a clean copy.

3. Your antivirus software can't remove the virus.

In the event of number 3 you may be able to remove it manually or with a removal tool designed to target that specific virus. Removal instructions and removal tools can be found at Symantec. http://www.symantec.com/avcenter/ Search for the virus and see what's available.

Once you have removed any viruses run a second scan to make sure nothing comes up again.

5. SmartKiller

SmartKiller is part of a variant of the CoolWebSearch browser hijacker. SmartKiller will try to close various tools that have been designed to remove spyware and adware. All the gory details are here http://www.spywareinfo.com/~merijn/c...ml#smartsearch We will need to check for and remove SmartKiller first. Download http://www.safer-networking.org/files/delcwssk.zip and unzip the removal tool. Run the tool and remove SmartKiller.

6. CoolWebSearch

The CoolWebSearch has many variants and isn't always completely removed by the other programs used in this how to. Before attempting to remove CoolWebSearch make sure you have followed the steps in the SmartKiller section above. "The CoolWebSearch Chronicles" has info on all the different variants and a link to CWShredder which will remove CoolWebSearch from your computer. The chronicles can be found here http://www.spywareinfo.com/~merijn/cwschronicles.html Download CWShredder, run it and click Fix to remove CoolWebSearch from your computer.

7. Home Search

Another little hijacker that may not be cleaned up properly is Home Search, AKA Home Search Assistant. Home Search uses a random filename which can make it harder to track down. There is a tool avaliable at http://www.hsremove.com/ which will remove Home Search.

8. Adware

To remove adware your best bet is Adaware, available here http://www.lavasoftusa.com/software/adaware/ Just like a virus checker this will need to be updated. Once updated click on Start. I prefer to use the "Select drives\folders to scan" mode. Click on select and tick all your drives. Click on Proceed to return to the previous window. Make sure in-depth scanning is enabled. Click on Next to start the scan. When the scan has finished click Next and Adaware will display a list of the items it found. Tick all the items you want to remove, right click will give you the option to select all objects. For info on a specific item right click on it and select Item details. If you want to backup the selected items before you remove them click on the Quarantine button. Click on the Finish button to remove the selected items.

Part 2 below

__________________
Quote:
Originally Posted by name='Jim'
"Jonathan 'Fatal1ty' Wendel may be 12-time world gaming champ, but how does he cope inside a 50c hot box sucking on a heavy load?":rocker::rocker:
Reply With Quote
  #2  
Old 16-03-05, 06:32 AM
PV5150 PV5150 is offline
OC3D Elite
 
Join Date: Mar 2005
Posts: 9,934
Part 2

9. Spyware

Grab your self a copy of Spybot Search and Destroy from http://www.safer-networking.org/index.php?page=download The latest version of Spybot runs a wizard the first time you open Spybot This wizard will ask you to create a backup of your registry and ask if you want to update as well as a few other options. These are good things. Get the wizard to do them. The wizard will also ask if you want to immunise your computer I'll talk about this later. At the end of the wizard you can read the help file and a tutorial if you want to. Now that you are in Spybot click on Check for problems. Once it's finished a list of all the items it found will be displayed. To get info on an item click on it and drag the arrows in from the right hand side of the window. An information window will open behind the arrows. Just like Adaware select what you want to remove and click Fix selected problems.

Spybot and Adaware both pick up some of the same things but neither picks up everything because they are targeted at different types of programs.

10. System Restore

Now it's time to turn System restore back on. Open the System control panel. Go back into the System Restore tab and untick the box "Turn off System Restore on all devices". A new restore point will be created.

11. HijackThis

#WARNING

While the other tools are pretty much foolproof HijackThis is not. Be careful when using it.


It does not target specific programs/URLs, just the methods used by hijackers to force you onto their sites. As a result, false positives are imminent and unless you are sure what you're doing, you should always consult with knowledgable folks before deleting anything.

HijackThis is available at http://www.spywareinfo.com/~merijn/downloads.html Run it and click Scan. It will display a list of items that have the potential to redirect your browser. Not everything there is bad. Read through each item one by one to find anything suspect or out of place. If you are unsure of anything click on Save log. Then point your browser at http://hijackthis.de and give the HijackThis Log Analyser a spin. You can copy the text from the log into the textbox or browse for a log saved on your computer. Click Analyze and the analyser will give you a line by line run down on everything in the log. If you are still worried by something in the HijackThis log open the log with Notepad or similar, copy everything in the log and paste it in a new thread (within the security section) asking for help. Please do not post a HijackThis log until you have tried the previous steps. Also include a description of the problem and any errors or windows that popup. This will make things easier for people reading through your log.

There is also a fairly detailed explanation of HijackThis here

Prevention

As they say prevention is better than cure. Here are a few tips to help prevent spyware, adware, viruses etc... from getting into your computer in the first place.

Change your browser

Ditch Internet Explorer and use something like Mozilla http://www.mozilla.org/products/mozilla1.x/ or Firefox http://www.mozilla.org/products/firefox/ They are more secure and come with built in popup blocking and ad blocking via a plugin called Adblock http://adblock.mozdev.org Older versions of FireFox were not recognised by some plugin installers, eg the Flash installer. If you experience problems installing plugins you may need to use Mozilla or another browser.

Change your E-mail client

Along with Internet Explorer give Outlook it's marching orders. There's a lot of viruses and the like that are written to use Outlook and/or the Windows Address Book. Try something like Thunderbird http://www.mozilla.org/products/thunderbird/ or Eudora http://www.eudora.com/

Be alert

Know what you are installing. Some programs come bundled with spyware, adware etc. eg. I'm not sure if this is still the case but the DivX codec used to come with GAIN/Gator adware. Also read any warnings that your browser displays. A program may be attempting to install it's self without your approval.

Stay up to date

http://www.windowsupdate.com Need I say more? Ok, maybe I do. If you want to save a whole chunk of downloads you can order the Security Update CD from Microsoft's website. It includes Service Pack 1 for XP as well as a number of updates released after SP1. There is also updates for Windows ME, 2000 Professional, 98SE and 98. Also on the CD is Direct X 9.0b and Windows Media Player 9. The Securtiy Update CD is free. To have a copy sent to you fill out this form on Microsoft's website http://www.microsoft.com/athome/secu.../cd/order.mspx The Security Update CD comes with a second CD as well. On the second disc is a trial version of eTrust EZ Armor, a firewall and anti virus program. Or if you are running XP you can order Service Pack 2 on CD. Fill out this form http://www.microsoft.com/windowsxp/d...s/default.mspx and Microsoft will send it out to you. Some people have had problems with SP2 but I recommend you install it. If possible install it on a fresh install or better yet create a new XP install CD with SP2 slipstreamed and install from that. A forum search will turn up a number of threads to help with slipstreaming. If you want to stay with Internet Explorer SP2 will also provide popup blocking and help prevent sites installing software without your consent

Block bad programs

Spybot has an option to immunize your computer. This will block spyware before it gets onto your computer. This is aimed at Internet Explorer but can still help. Open Spybot and click on Immunize. A window will come up telling you how many bad products are already blocked. Click on Ok. Use the Immunize button at the top of the window to block these products. You can also enable blocking of bad addresses in Internet Explorer. If enable this option you can choose to block pages silently, display a dialog box when the page is blocked or ask for confirmation before blocking.

Adaware has an "Ad-watch" program which can intercept bad programs before they make it onto your computer but you need a licensed version of Adaware.

SpywareBlaster is another product aimed at preventing spyware from installing it's self. I haven't used this program myself so I can't offer any more info. The website is here http://www.javacoolsoftware.com/spywareblaster.html

Another product that works similar to Adaware and Spybot is Pestpatrol. It can scan for and remove spyware, adware and other similar programs. You can download an evaluation copy from the website http://www.pestpatrol.com/Products/PestPatrolHE/ To obtain the full copy, including a years worth of updates, you must purchase it. I haven't used this program so I can't say if it's worth the $US39.95. Pestpatrol also offer an online scan for spyware, adware, etc called PestScan. Find it here http://www.pestscan.com/

Increase security with a firewall

A firewall of some description can be very useful. Especially if you have a permanent connection to the net. A properly configured firewall will prevent unauthorised access to your machine/network while allowing you to browse to your heart's content. There are a few different options available.

A hardware firewall.

You can find these inside routers, broadband modems and similar devices. They tend to be plug and play but can be configured if needed.

A firewall on a separate computer.

This is more for protecting a network. The computers on network would get their net access through a single server with a connection to the outside world. A connection sharer of some sort. There are a couple of different paths you could go down here. Some examples are a dedicated firewall/connection sharing computer. One popular setup for this is Smoothwall, http://www.smoothwall.org/ Smoothwall is based on Linux and can be configured across the network. A similar approach would be Windows 2000/XP with Internet Connection Sharing. Not everyone's kettle of fish but still a possibility. A firewall for the DIYers would be more along the lines of a Linux box with connections to both your network and the internet. The DIYer would write up a set of rules using something like iptables, http://www.linuxguruz.com/iptables/h...les-HOWTO.html , that would specify what data is allowed in and out. A different option for DIY firewalls is Network Address Translation or NAT. NAT covers connection sharing and firewalls in one. NAT can be easy to set up and just works. A good page for info on setting up NAT can be found at http://netfilter.org/

A firewall on your own computer.

Probably the easiest to keep an eye on this would consist of a program you have installed and have running in the background. A popular firewall for this sort of use is Zone Alarm. A free download is available at http://www.zonelabs.com/ There is also a Zone Alarm Pro which is more configurable and includes "Powerful Identity & Privacy Protections". A 15 day trial download is available, if you want to use it after that you'll need $US39.95. Windows XP has a built in firewall but it isn't very good to say the least. Currently it is best to use a seperate program. Part of Service Pack 2 is a greatly improved firewall.

Regular virus scans

If you do nothing else regular virus scans are a must. Your antivirus software should be able to schedule scans so you don't have to remember to run them.

Speaking of software Microsoft is working on an anti-spyware program called Windows Antispyware. It's based on Giant Software's Antispyware and at the moment is still in beta. Early reviews are coming out very favourably for Windows Antispyware and not just for the amount of spyware detected but also for it's look and ease of use. One drawback though is that it will require a subscription fee while other products like Spybot and Adaware are still completely free. If you want to download the beta and check it out it can be found at http://www.microsoft.com/athome/secu...e/default.mspx

Warning!

Do not use Spyware Eliminator from Aluria Software. Aluria has partnered with spyware company WhenU and removed WhenU's spyware from their spyware definitions. As a result Aluria's products, including Spyware Eliminator, regard WhenU's spyware as safe and will NOT remove it. More info can be found on Slashdot http://yro.slashdot.org/yro/04/11/02...id=172&tid=185

Cheers PV
__________________
Quote:
Originally Posted by name='Jim'
"Jonathan 'Fatal1ty' Wendel may be 12-time world gaming champ, but how does he cope inside a 50c hot box sucking on a heavy load?":rocker::rocker:
Reply With Quote
  #3  
Old 16-03-05, 08:26 AM
JN JN is offline
OC3D Elite
 
Join Date: Mar 2005
Posts: 13,678
Yet another great guide. Reps coming your way
Reply With Quote
  #4  
Old 16-03-05, 08:30 AM
PV5150 PV5150 is offline
OC3D Elite
 
Join Date: Mar 2005
Posts: 9,934
Thanks XMS, I had to cull it a little. But still plenty of info for peeps

PV
__________________
Quote:
Originally Posted by name='Jim'
"Jonathan 'Fatal1ty' Wendel may be 12-time world gaming champ, but how does he cope inside a 50c hot box sucking on a heavy load?":rocker::rocker:
Reply With Quote
  #5  
Old 16-03-05, 09:43 AM
enVias enVias is offline
OC3D Elite
 
Join Date: Mar 2005
Posts: 2,923
XMS, PV said you don't have to rep him.. So you could just give the reps to me?
Reply With Quote
  #6  
Old 16-03-05, 10:30 AM
JN JN is offline
OC3D Elite
 
Join Date: Mar 2005
Posts: 13,678
LOL...Do one of those guides and i'll give you some juicy reps

I enjoy embarrasing PV tho
Reply With Quote
  #7  
Old 16-03-05, 10:49 AM
PV5150 PV5150 is offline
OC3D Elite
 
Join Date: Mar 2005
Posts: 9,934
Thanks XMS lol

PV
__________________
Quote:
Originally Posted by name='Jim'
"Jonathan 'Fatal1ty' Wendel may be 12-time world gaming champ, but how does he cope inside a 50c hot box sucking on a heavy load?":rocker::rocker:
Reply With Quote
  #8  
Old 23-03-05, 06:02 AM
vice vice is offline
Advanced Member
 
Join Date: Mar 2005
Posts: 272
Nice guide, has a large amount of stuff tied up nicely. I wish I had this instead of 1 year hard experience, 5 reformats, near suicides, and lots of lost data.
Reply With Quote
  #9  
Old 23-03-05, 06:31 AM
JN JN is offline
OC3D Elite
 
Join Date: Mar 2005
Posts: 13,678
Quote:
Originally Posted by name='vice'
Nice guide, has a large amount of stuff tied up nicely. I wish I had this instead of 1 year hard experience, 5 reformats, near suicides, and lots of lost data.
Amen to that. I learned the hard way too.
Reply With Quote
  #10  
Old 23-03-05, 07:21 AM
Toxic_Flo Toxic_Flo is offline
Member
 
Join Date: Mar 2005
Posts: 229
Wicked info yet again PV. nice one.
__________________


Toxic_Flo


"Make it idiot proof and someone will make a better idiot."
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump






All times are GMT. The time now is 11:48 PM.
Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2014, vBulletin Solutions, Inc.