  #1  
Old 07-28-2004, 12:05 AM
Crockett's Avatar
Crockett Crockett is offline
Giddy Up!
 
Join Date: Sep 2002
Location: On top of old Smokey
Posts: 24,582
Browser Hijacked/Infected?....Let's Start To Fix It!

Seems more and more people are getting hijacked or getting riddled with spyware and can't get rid of the pests.
I put together a little article to help you start fighting back and regaining control of your computer.

** Later on, you'll be asked to stay off the net and close all Windows Applications, including your browser (i.e. Internet Explorer), so you may want to PRINT this out.

=======

01. Update and run any anti-virus (AV), anti-trojan (AT), and anti-spyware (AS) products you already have installed on your computer. Do full scans of your computer.

Record exactly the malware names, and file names and locations, of any malware the scans turn up. Quarantine then repair, rename or delete any malware found.

If the scanners say you have Trojan-Spy.HTML.Smitfraud.c malware infection and/or any of its variants, Win32.puper, AVGold, Security iGuard, Spyware Vanisher, quicknavigate.com, updateSearches.com, startsearches.net, Virtual Maid, Search Maid, RazeSpyware, SpySheriff, PSGuard, SpyAxe, WinHound, SpyFalcon, AlfaCleaner, SpywareStrike... SpywareQuake, VirusBurst, Video ActiveX Object, SpyDawn, SpyLocked, then you should download a free tool called SmitRem. http://tinyurl.com/95tzv
Save the file to your desktop. Double click it to extract the contents to a folder of its own.
Restart your computer in safe mode, log on to the user account that is infected, open the smitRem folder and double click the RunThis.bat file to start the tool.
Also download Malwarebytes' Anti-Malware http://tinyurl.com/ynjtrs to your desktop.
Great removal instructions can be found here: http://tinyurl.com/2pdtb5
Panda ActiveScan online should be run following the use of this tool, since it can detect and often repair anything not found and removed with the tool.
http://tinyurl.com/455j

If you've been infected by Antispyware2008, Antivirus XP 2008, go to this link: http://tinyurl.com/4ooc5t

If the scanners say you have Winfixer / Virtumonde / Msevents / Trojan.vundo.b, then follow the instructions here for removal:
http://www.bleepingcomputer.com/forums/topic18610.html

If you can't access security web sites, check your "Hosts" file: http://www.dslreports.com/faq/10131

If you are having trouble with loss of internet access, then download, install and run LSP-Fix: http://www.cexx.org/lspfix.htm
If you cannot get the LSP-Fix download then an alternate method would be to open a command prompt. (Start > Run...type in cmd and press 'OK' or go to Start > All Programs > Accessories > Command Prompt)
At the flashing cursor (prompt) type in netsh winsock reset and press ENTER on your keyboard. When finished, Reboot.

If your homepage is hijacked to res://random.dll/index.html#random, then download and run About:Buster. The download and tutorial can be found here: http://tinyurl.com/a3stx

02. Run two or three free web based AV scanners.
http://housecall.trendmicro.com/
http://www.ewido.net/en/onlinescan/
http://www.eset.com/threat-center/cac.php
http://www.bitdefender.com/scan8/
http://www.kaspersky.com/virusscanner
http://www.pandasoftware.com/products/ActiveScan.htm
http://security.symantec.com/
http://www.windowsecurity.com/trojanscan/

Record the malware names, and file names and locations, of any malware the scans find. Repair, quarantine or delete any malware found.

03. Download 5 tools...Download:
Trend Micro CWShredder: http://tinyurl.com/auv67
EliteToolbar Remover: http://www.simplytech.it/ETRemover/
McAfee AVERT Stinger: http://vil.nai.com/vil/stinger/
SUPERAntiSpyware: http://tinyurl.com/klkcy
SpyBot S&D: http://tinyurl.com/ziar
An alternate download site for CWShredder and HijackThis is http://tinyurl.com/8pf9v

Save them to your Desktop or folder of your choice. (I prefer to make a folder called "Downloads" in which I place all downloaded files).

04. Run CWShredder. With it open and ALL other windows closed let CWshredder FIX all problems. Do this from Safe Mode. http://tinyurl.com/pfca
* If CWShredder doesn't run:
* Download PepiMK's CoolWWWSearch.Smartsearch killer. http://www.safer-networking.org/files/delcwssk.zip
* Run CoolWWWSearch.Smartsearch.
* Then return to CWShredder to clean up.
* In CWShredder, click "check for update".
* If an update is available, click "Download and open the update".
* Click "Scan only".
* If Coolwebsearch keeps returning, or if a scanner says you have cws.searchx, you need to take some extra steps before you carry on to see what else you have: http://www.spywareinfo.com/~merijn/cwschronicles.html
*If you need to find the "hidden appinit value" used by certain versions of CoolWebSearch, then go here:
http://forums.subratam.org/index.php?showtopic=583 for step-by-step instructions.

05. Run EliteToolbar Remover.
*Unzip (extract) into a newly created folder made by you.
*Reboot your machine in Safe Mode (just click the F8 key as the PC is starting, just before the MS Windows flag screen appears) and run the EliteToolbar Remover.
*Click the "Kill Elite Toolbar" button and wait until it finishes its work.
*Occasionally a DOS box may appear asking your permission to delete some files in temporary Windows directories. You must accept the deletion of these to be sure of properly removing the malware!

06. Run McAfee AVERT Stinger.
*If necessary, click the Add or Browse button to add additional drives/directories to scan. By default the C: drive will be scanned.
*Click the "Scan Now" button to begin scanning.
*By default Stinger will repair all infected files found.

07. Run SUPERAntiSpyware. Make sure all other windows, including your browser, are closed.

*Click the Check for Updates button.
*Once the update has finished, exit SUPERAntiSpyware. Please do NOT run a scan yet!
*Open SUPERAntiSpyware and click the Scan your Computer button.
*Check Perform Complete Scan and then click Next.
*Make sure that all items found have a check next to them, and then click Next.
*Click 'Finish' and you will be taken back to the main interface.
*It could be possible that it will ask you to reboot your computer in order to delete some files after reboot.
*To get the log which you should post, click Preferences and then click the Statistics/Logs tab. Click the dated log and press View Log and a text file will appear.

08. Run SpyBot S&D. Make sure all other windows are Closed and your browser isn't running.

* Click on "Update" in the left column.
* Click on "Search for Updates".
* Select a download location (usually one close to you).
* Click "Download Updates" and wait for the updating process to finish.
* Check that all Internet Explorer (web browser) windows are closed.
* Click "Search and Destroy" in the left column.
* Click "Check for Problems".
* Have Spybot remove/fix all the problems it identifies in RED. The items not listed in red should not be touched at this time.

Spybot S&D Tutorial: http://tinyurl.com/5wssa

09. Download, install, update and run an Anti-Trojan Application. Choose one of these:

Comodo BOClean: http://www.comodo.com/boclean/boclean.html (This only runs in the background)

TrojanHunter (30-day free trial): http://www.misec.net/trojanhunter/
Update it, then reboot into safe mode and run the program.

10. If there is still a problem, download HijackThis: http://tinyurl.com/3byxku
Run HJT and click on the "Open the misc tools section".
Click on "open uninstall manager".
Then Click "save list". This will create a log called uninstall_list.txt. Save it where you wish.
Once saved, it will open in Notepad.
Please Copy and paste or post the contents of "uninstall_list.txt" as well as the HJT log into any thread started by you.
To post a HJT log, open the program and click on "Do a System scan and save a logfile". There will be a pause in the scan during 015 Trusted Zone enumeration.....
When the scan is finished, the logfile will open up in Wordpad.
Copy and paste the contents of that into the thread.
Once done, go to File > SAVE AS, and name it today's date_hijackthis.log (2008-09-06_hijackthis.log) and save it in the HJT folder.

Here is a tutorial on how to use it: http://tinyurl.com/2uy4o

Copy and paste this log into a post started by you in PC Questions & Answers Forum (not in this thread) for us to see.

11. Download Find_It_s.zip to your desktop: http://tinyurl.com/6e7jks
Make a new folder in C:\
Unzip/extract the files inside Find_It_s.zip to the new folder you made. Open the folder and run Find_It_s.bat and wait for a text to open. It will take a while ...then post the resulting log. This will search for Aurora entries specifically, among other things.

12. To prevent important system files being deleted accidentally, Windows XP and Windows Me have a feature called System Restore. It makes backups of these system files and restores the backups if the original file goes missing.

To prevent malware being restored by the operating system, it is often necessary to clear the backup files from System Restore AFTER the malware is deleted. (This is called "clearing the System Restore points".) To do this, turn System Restore off, wait 30 seconds, and then turn System Restore back on.

Waiting until after your computer is clean of malware to clear the System Restore points is because if there is a problem during cleaning, System Restore can be used to try to correct it.

Instructions for turning System Restore on and off:
Enabling/Disabling System Restore: http://tinyurl.com/dm4u3
Symantec - System Restore: http://tinyurl.com/84kov

If you do a scan and get a virus detected in the _RESTORE or the System Volume Information folder (System Restore), but it cannot repair, quarantine, or delete the infected file....DO NOT WORRY ABOUT IT UNTIL THE REST OF YOUR SYSTEM IS CLEAN.

13. Empty out these three(3) folders once your system is clean. (just the contents and not the folder itself):

Go to Start | Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure these 3 are checked and then press "ok" to remove:

Temporary Files
Temporary Internet Files
Recycle Bin
....or....
* Temporary Internet Files. In the Control Panel, open Internet Options, and under the general tab, click on "Delete Files".
In the next window, put a check to "Delete all offline content" too. OK out to save.
* Temp folder contents. In XP, that's C:\Documents and Settings\User Name\ Local Settings\Temp. In Windows 98, it's found in C:\Windows\Temp.
* Empty the Recycle Bin.

If you don't own a firewall or use XP's Windows Firewall, I would really recommend downloading a free one off the internet and disabling Windows Firewall http://support.microsoft.com/kb/283673

The best free firewalls are:
Online Armor: http://www.tallemu.com/free-firewall...-software.html
Zone Alarm Free: http://tinyurl.com/dqs5h
Comodo Firewall: http://www.comodo.com/products/free_products.html
Kerio Personal Firewall: http://www.kerio.com/kpf_home.html
Sygate Personal Firewall: http://smb.sygate.com/download_buy.htm
Outpost Firewall Free: http://www.agnitum.com/download/

Then, make sure you visit the Microsoft Windows Update site: http://tinyurl.com/c36nx and get all "High Priority" updates.

Copyright 2004 Crockett
So How Did I get Infected In The First Place?
http://computercops.biz/postt7736.ht...643c98774ed683
__________________


Virus Infections/Hijacked?

Reply With Quote
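The Hosts file check mentioned in the first post ("If you can't access security web sites"), as an added example that is not part of the original thread: it parses hosts-file text and reports entries that pin a security site to loopback/null (blocked) or to another address (redirected). The watched domains are taken from links in the post; the function names and the sample file contents are assumptions constructed for illustration.

```python
"""Audit hosts-file text for entries that override security-site lookups."""
import ipaddress

# Domains taken from links in the thread; extend the set as needed.
WATCHED = {
    "trendmicro.com", "kaspersky.com", "symantec.com", "bitdefender.com",
    "eset.com", "pandasoftware.com", "bleepingcomputer.com",
    "safer-networking.org",
}

def parse_hosts(text):
    """Yield (line_no, ip, [hostnames]) for every well-formed entry."""
    for line_no, raw in enumerate(text.lstrip("\ufeff").splitlines(), 1):
        entry = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(entry) < 2:
            continue  # blank line, comment-only line, or address with no name
        try:
            ip = ipaddress.ip_address(entry[0])
        except ValueError:
            continue  # first field is not an address: skip the malformed line
        # Normalise case and a trailing dot so "WWW.X.COM." matches "x.com"
        yield line_no, ip, [h.lower().rstrip(".") for h in entry[1:]]

def is_watched(host, watched=WATCHED):
    """True if host is a watched domain or any subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in watched)

def audit_hosts(text, watched=WATCHED):
    """Return (line_no, host, ip, kind) for each watched name found."""
    findings = []
    for line_no, ip, hosts in parse_hosts(text):
        for host in hosts:
            if is_watched(host, watched):
                blocked = ip.is_loopback or ip.is_unspecified
                kind = "blocked" if blocked else "redirected"
                findings.append((line_no, host, str(ip), kind))
    return findings

# Constructed sample, not taken from a real machine.
SAMPLE = """\
# Copyright (c) Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.symantec.com  housecall.trendmicro.com   # added by malware
0.0.0.0         WWW.KASPERSKY.COM.
203.0.113.7     www.bleepingcomputer.com
10.0.0.5        fileserver
# 127.0.0.1     www.eset.com
not-an-ip       www.bitdefender.com
"""

if __name__ == "__main__":
    for line_no, host, ip, kind in audit_hosts(SAMPLE):
        print(f"line {line_no}: {host} -> {ip} ({kind})")
```

On Windows XP the file to read is `%SystemRoot%\system32\drivers\etc\hosts`; pass its contents to `audit_hosts` and review each reported line before deleting it.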
  #2  
Old 07-28-2004, 01:05 AM
hal9000's Avatar
hal9000 hal9000 is offline
Uber Member
 
Join Date: Sep 2002
Posts: 11,069
Excellent post. Very helpful. Thanks Crockett.
__________________
Did I hear that properly? Obama doesn't like how the US Constitution works, because it's getting in his way? -- Daniel Hannan
Reply With Quote
  #3  
Old 07-28-2004, 01:32 AM
ShadowThomas's Avatar
ShadowThomas ShadowThomas is offline
Rock & roll baby.
 
Join Date: May 2004
Location: Upstate New York.
Posts: 16,342
A great deal of information, thank you. I can only think of one other thing one could add and that would be SpywareBlaster. The reason I say this is because SpywareBlaster comes with system snapshot which might help in the event one should get hijacked. It is like system restore in XP only for your browser.
Reply With Quote
  #4  
Old 07-28-2004, 02:04 AM
MaryLou's Avatar
MaryLou MaryLou is offline
Senior Member
 
Join Date: Jul 2003
Location: Arizona
Posts: 1,672
Thanks for compiling that Crockett!

I don't have all those utilities but I'll save the info to check more out.

This may have already been posted somewhere here, but I found a site on another forum that you can use to test your browser vulnerability:

http://secunia.com/multiple_browsers...rability_test/
Reply With Quote
  #5  
Old 07-28-2004, 02:22 AM
three lions's Avatar
three lions three lions is offline
Epic Member
 
Join Date: Jan 2004
Location: England
Posts: 2,129
Excellent Advice Crockett and one to keep for sure. Thanks for taking the time to put it together

TL
__________________
Apple iMac 2.5GHz, Software OS X 10.8.2, Safari browser.
Reply With Quote
  #6  
Old 07-28-2004, 06:51 AM
Crockett's Avatar
Crockett Crockett is offline
Giddy Up!
 
Join Date: Sep 2002
Location: On top of old Smokey
Posts: 24,582
Quote:
Originally Posted by ShadowThomas
A great deal of information, thank you. I can only think of one other thing one could add and that would be SpywareBlaster. The reason I say this is because SpywareBlaster comes with system snapshot which might help in the event one should get hijacked. It is like system restore in XP only for your browser.
I was thinking of that Shadow, but if they don't already have it installed and they are already infected, then installing it after the fact is too late.
This application is more of a preventative measure than something that will get rid of spyware.
If they already have it installed, chances are they won't get hijacked and won't need this article.
I am making a thread on preventing Browser Hijacking that will include this.

You guys are welcome. Every little bit helps.
Reply With Quote
  #7  
Old 07-28-2004, 08:29 AM
sj1183's Avatar
sj1183 sj1183 is offline
N.C. transplant via Bklyn
 
Join Date: Aug 2002
Location: Spring Lake N.C.
Posts: 12,283
Nice bro.
Take care.
__________________
Sandy


HOME BUILT / Intel I7 940 2.93 GIG / ASUS P6T Deluxe/ Noctua NH-U12P /WD 300 GIG VelociRaptor /GSkill F3 10666CL7 6 GIG/ W-7 Ultimate & Ubuntu 11.04 64 Bit/Rosewill 650W P.S./ 2x XFX 8600GT (SLI) / Xion-101 Case /
Reply With Quote
  #8  
Old 07-28-2004, 10:51 AM
HARLEY's Avatar
HARLEY HARLEY is offline
 
Join Date: Aug 2002
Location: MONTREAL~
Posts: 30,187
Or use another browser.......................
Reply With Quote
  #9  
Old 07-28-2004, 07:11 PM
Jatmon1's Avatar
Jatmon1 Jatmon1 is offline
I'd rather be 'toonin
 
Join Date: Sep 2002
Location: Wish It Was On A Lake
Posts: 1,042
Thanks Crockett, I have it on paper now. Thanks again.
__________________
Windows 7
Homebuilt
2.0 gigs memory
Avast
Spywareblaster
Windows Firewall
Reply With Quote
  #10  
Old 08-03-2004, 09:32 PM
Crockett's Avatar
Crockett Crockett is offline
Giddy Up!
 
Join Date: Sep 2002
Location: On top of old Smokey
Posts: 24,582
Since we don't have stickies, just a BUMP!
Reply With Quote
  #11  
Old 08-04-2004, 10:35 AM
phicks's Avatar
phicks phicks is offline
Senior Member
 
Join Date: Apr 2004
Location: USA
Posts: 237
Very good post so I guess I'll bump it for you.
__________________
Patty
Reply With Quote
  #12  
Old 08-04-2004, 09:04 PM
MMFELL's Avatar
MMFELL MMFELL is offline
Retired Computer Techo
 
Join Date: Nov 2003
Location: Sydney. Australia
Posts: 16,655
What a great post, this will bump it back up.
__________________
2.67 GHz Intel Core2 Quad 2GB RAM, 150GB + 500GB + 2TB SATA + 1TB Ext, DVD-RW, WinXP Pro (SP3), IE7, Avira, Outpost Firewall, Nero 7, Office XP. Cable. Pics of my Radar & Parrish now retired therapy dogs below.
Google is your friend


Reply With Quote
  #13  
Old 08-17-2004, 02:26 PM
Owbist Owbist is offline
Senior Member
 
Join Date: Sep 2002
Location: Niagara, Canada
Posts: 371
Thank you Crockett.
Reply With Quote
  #14  
Old 08-17-2004, 02:48 PM
Crock Crock is offline
Member
 
Join Date: Sep 2003
Posts: 34
Just a quick question, What is CWShredder? Is it something needed?
Reply With Quote
  #15  
Old 08-17-2004, 10:02 PM
Crockett's Avatar
Crockett Crockett is offline
Giddy Up!
 
Join Date: Sep 2002
Location: On top of old Smokey
Posts: 24,582
Quote:
Originally Posted by Crock
Just a quick question, What is CWShredder? Is it something needed?
It's a small tool for removing CoolWebSearch hijacks as programs like SpyBot S&D or Ad-Aware do not remove all of the essential parts of a hijack.
Reply With Quote
  #16  
Old 09-08-2004, 03:30 PM
thedolphinlady thedolphinlady is offline
Junior Member
 
Join Date: Sep 2003
Posts: 6
Thank You

Made a copy of your great instructions............again thank you so much for all your help and especially your time...........much appreciated...........I volunteer at a Dolphin Center in the Keys, so appreciate your effort with great respect.
The Dolphin Lady
Reply With Quote
  #17  
Old 09-08-2004, 04:06 PM
Crockett's Avatar
Crockett Crockett is offline
Giddy Up!
 
Join Date: Sep 2002
Location: On top of old Smokey
Posts: 24,582
Quote:
Originally Posted by thedolphinlady
Made a copy of your great instructions............again thank you so much for all your help and especially your time...........much appreciated...........I volunteer at a Dolphin Center in the Keys, so appreciate your effort with great respect.
The Dolphin Lady
You're quite welcome.
Reply With Quote
  #18  
Old 09-14-2004, 02:45 PM
computerproblem12 computerproblem12 is offline
Senior Member
 
Join Date: Jan 2004
Posts: 131
This is very helpful. Thanks for your time putting it together.

I got to step 6, and it got rid of a lot of crap yet my home page is still hijacked and I have some kind of popup/virus thing still hanging around. Will finish the rest of the steps tonight and see if it gets rid of it
Reply With Quote
  #19  
Old 09-14-2004, 03:13 PM
Crockett's Avatar
Crockett Crockett is offline
Giddy Up!
 
Join Date: Sep 2002
Location: On top of old Smokey
Posts: 24,582
Quote:
Originally Posted by computerproblem12
This is very helpful. Thanks for your time putting it together.

I got to step 6, and it got rid of a lot of crap yet my home page is still hijacked and I have some kind of popup/virus thing still hanging around. Will finish the rest of the steps tonight and see if it gets rid of it
You're welcome......if a problem still persists, post your problem in a new thread in PC Questions & Answers.
Reply With Quote
  #20  
Old 10-30-2004, 10:05 PM
COOKIE COOKIE is offline
cookie
 
Join Date: Nov 2002
Location: florida
Posts: 201
anti ware

Hey Crockett

Very, very nice of you to take all that time to explain all this...been very helpful to me and I see, many others
God Bless you..

Cookie
__________________
Cookie
Reply With Quote
All times are GMT -5.
Copyright 2000-2011 WorldStart, Inc