Hi Guys
There seems to be an increase in the number of people falling victim to browser hijacks, popup ads and the like recently so I thought I might share a little knowledge and provide some steps for removing these nasties. This guide has been split in two, as I can't fit into the word count allocated-sorry LOL
There are a number of different types of program that could be causing the mayhem on your system. I'll provide steps for removing each type in the order I would follow. At the end there will be some steps you can take to prevent this from happening again.
Note: If you are using Spyware Eliminator or any other software from Aluria Software, stop using it; you are not being protected. Read the warning at the end of this post.
Removal
1. Uninstall
Open the Add/Remove Programs control panel and read through the list of installed software for anything you don't recognise; if there is something you don't recognise, it's probably best to uninstall it. If you want to find out what it is, try http://www.google.com and search for the name. While you're here you may as well uninstall anything you no longer need.
2. MSConfig
Click on Start and then Run. Type msconfig and press Enter. Click on the Startup tab. Here you have a list of all the programs that run when you start Windows. Untick anything you don't recognise. Be aware that some of these things may be required by other software/hardware you have installed. For a very comprehensive, searchable list of possible startup items check out http://www.sysinfo.org/startuplist.php. Note that unticking an item only stops it from running at startup; the file itself stays on the disk until it is uninstalled or deleted. When you have made your changes click Ok and restart. When Windows loads, a window will pop up reminding you that you have used MSConfig to make changes to your system. Tick the don't remind me box and click Ok. If something has stopped working, run MSConfig again and enable it again.
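The MSConfig step is really an audit of autostart entries: list everything that runs at logon and triage what you don't recognise. As an added example (not part of the original post), the PowerShell script below enumerates the Run/RunOnce registry keys and the Startup folders, pulls the executable name out of each command line, and marks anything not on a known-good list for review. The $KnownGood list is a constructed placeholder; build your own from the startup list referenced above, and treat the "REVIEW" rows as things to look up, not things to delete blindly.

```powershell
# Added example, not from the original post: enumerate Windows autostart
# entries (the same population MSConfig's Startup tab shows) and flag
# anything not on a known-good allowlist for manual review.

# Constructed placeholder allowlist; replace with names you have verified.
$KnownGood = @('ctfmon.exe', 'explorer.exe')

# Metadata properties PowerShell attaches to registry objects; not real entries.
$RegistryMeta = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-AutostartEntries {
    # Registry Run/RunOnce values: each value name is an entry, its data the command line.
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($RegistryMeta -contains $p.Name) { continue }
            [pscustomobject]@{ Source = $key; Name = $p.Name; Command = [string]$p.Value }
        }
    }
    # Startup folders: anything placed here runs at logon too.
    $folders = @(
        [Environment]::GetFolderPath('Startup'),
        [Environment]::GetFolderPath('CommonStartup')
    )
    foreach ($f in $folders) {
        if ([string]::IsNullOrEmpty($f) -or -not (Test-Path $f)) { continue }
        Get-ChildItem -Path $f -File | ForEach-Object {
            [pscustomobject]@{ Source = $f; Name = $_.Name; Command = $_.FullName }
        }
    }
}

function Get-ExecutableName([string]$cmd) {
    # Pull the bare executable file name out of a command line such as
    #   "C:\Program Files\Foo\foo.exe" /silent   or   C:\Windows\foo.exe -x
    if ($cmd -match '^\s*"([^"]+)"') {
        $path = $Matches[1]
    } else {
        $path = ($cmd.Trim() -split '\s+')[0]
    }
    return [System.IO.Path]::GetFileName($path).ToLowerInvariant()
}

Get-AutostartEntries | ForEach-Object {
    $exe = Get-ExecutableName $_.Command
    $status = if ($KnownGood -contains $exe) { 'known' } else { 'REVIEW' }
    [pscustomobject]@{
        Status  = $status
        Exe     = $exe
        Name    = $_.Name
        Source  = $_.Source
        Command = $_.Command
    }
} | Sort-Object Status, Exe | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt so the HKLM keys are readable. Matching on the executable name alone is deliberately simple: the point is to get a complete, sortable list with the full command line next to each name, so that each unfamiliar entry can be looked up before anything is unticked or removed.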
3. System Restore
If you are running Windows ME or XP it's possible that some of the programs you'll be working hard to remove will be hiding in an old System Restore point. Probably the easiest way to remove your old restore points is to turn System Restore off. Open the System control panel and click on the System Restore tab. Tick the box "Turn off System Restore on all devices". Click Ok and reboot your computer. All previous restore points have now been removed. Leave System Restore off for the time being. We'll turn it back on later.
4. Viruses
One of the better options for virus removal is to take the infected drive and install it into another computer with up-to-date antivirus software. I'm not including details on how to do this as I consider it outside the scope of this how-to. If you are not comfortable doing this, skip down to the next paragraph. Provided you don't start opening files from the infected drive, this will prevent the virus from activating. Some viruses may not be completely removed, or may not be removed at all, if they are active.
With or without the second computer it's best to scan for viruses with Windows booted into Safe Mode. To enter Safe Mode, reboot your computer. After the BIOS has finished checking your RAM, drives and so forth it will hand over to your operating system. For Windows 98 this is the point where you need to hit F8, just before the Windows 98 splash screen is displayed. If you timed it right, a menu will show up with a number of different startup options. Select Safe Mode. Windows 2000 and XP both have a prompt to say you can press F8 now to access the menu.
Under Safe Mode Windows will only load the bare minimum it needs to run. This can help prevent viruses from working and make them easier to remove. Because of this your resolution will be set to 640x480 and the number of colours dropped to 16. Do not worry, this is only temporary. It will return to normal when you reboot.
Note: Safe Mode was suggested knowing that this is best for Norton AntiVirus, but not all virus scanners work under Safe Mode. As of 21/7/2004, Trend Micro's PC-cillin does not work if you have booted into Safe Mode and are running Windows 2000 or XP. Trend Micro appear to be aware of this problem. Their current fix is to visit http://www.trendmicro.com/download/dcs.asp and download the Damage Cleanup Engine. There is no mention of this problem on that page, and searching for "safe mode" in their Knowledge Base turned up no more relevant info. There are instructions on how to use the Damage Cleanup Engine on that page.
Once in Safe Mode, open up your favourite antivirus software. What? You don't have a virus scanner? There are some free scanners out there. One popular free scanner is AVG Anti Virus Free Edition. You can download it from AVG's site here: http://www.grisoft.com/us/us_dwnl_free.php. Updates for AVG Anti Virus Free Edition are available here: http://www.grisoft.com/us/us_updt6.php?lng=fe
If, for whatever reason, you don't have a virus scanner and don't want to install one, some antivirus companies provide a free online scan. Trend Micro (http://housecall.trendmicro.com/) and Symantec (http://securityresponse.symantec.com/) are two such companies.
Before you even think about running a scan update your virus definitions. Depending on your setup you may have to do this before you boot into safe mode. There's no point trying to scan for the latest virus if your definitions are several months out of date.
Some antivirus software gives you the option to scan all files rather than just executable files, e.g. .exe and .com files. Enable this option. While most viruses are hiding in executables, there are some that infect non-executable files. Also, if you have the option, scan inside zip/archive files.
Ok, now you can run the virus scan. All clean? Great, move on to the next step.
Found a virus? Better clean it up first. Depending on the virus, your antivirus software may or may not be able to remove it. Follow any removal instructions given by your antivirus software. When you try to remove the virus there are three possible outcomes:
1. Your antivirus software removes the virus and all is good.
2. The virus won't go quietly and the infected file may have to be deleted or replaced with a clean copy.
3. Your antivirus software can't remove the virus.
In the event of number 3 you may be able to remove it manually or with a removal tool designed to target that specific virus. Removal instructions and removal tools can be found at Symantec: http://www.symantec.com/avcenter/. Search for the virus and see what's available.
Once you have removed any viruses run a second scan to make sure nothing comes up again.
5. SmartKiller
SmartKiller is part of a variant of the CoolWebSearch browser hijacker. SmartKiller will try to close various tools that have been designed to remove spyware and adware. All the gory details are here: http://www.spywareinfo.com/~merijn/cwschronicles.html#smartsearch. We will need to check for and remove SmartKiller first. Download http://www.safer-networking.org/files/delcwssk.zip and unzip the removal tool. Run the tool and remove SmartKiller.
6. CoolWebSearch
CoolWebSearch has many variants and isn't always completely removed by the other programs used in this how-to. Before attempting to remove CoolWebSearch, make sure you have followed the steps in the SmartKiller section above. "The CoolWebSearch Chronicles" has info on all the different variants and a link to CWShredder, which will remove CoolWebSearch from your computer. The chronicles can be found here: http://www.spywareinfo.com/~merijn/cwschronicles.html. Download CWShredder, run it and click Fix to remove CoolWebSearch from your computer.
7. Home Search
Another little hijacker that may not be cleaned up properly is Home Search, AKA Home Search Assistant. Home Search uses a random filename, which can make it harder to track down. There is a tool available at http://www.hsremove.com/ which will remove Home Search.
8. Adware
To remove adware your best bet is Ad-Aware, available here: http://www.lavasoftusa.com/software/adaware/. Just like a virus checker, this will need to be updated. Once updated, click on Start. I prefer to use the "Select drives\folders to scan" mode. Click on Select and tick all your drives. Click on Proceed to return to the previous window. Make sure in-depth scanning is enabled. Click on Next to start the scan. When the scan has finished, click Next and Ad-Aware will display a list of the items it found. Tick all the items you want to remove; right-clicking will give you the option to select all objects. For info on a specific item, right-click on it and select Item details. If you want to back up the selected items before you remove them, click on the Quarantine button. Click on the Finish button to remove the selected items.
Part 2 below