Browser Hijacked/Infected?....Let's Start To Fix It!

[Crockett]

Seems more and more people are getting hijacked or getting riddled with spyware and can't get rid of the pests.
I put together a little article to help you start fighting back and regaining control of your computer.

** Later on, you'll be asked to stay off the net and close all Windows Applications, including your browser (i.e. Internet Explorer), so you may want to PRINT this out.

=======

01. Update and run any anti-virus (AV), anti-trojan (AT), and anti-spyware (AS) products you already have installed on your computer. Do full scans of your computer.

Record exactly the malware names, and file names and locations, of any malware the scans turn up. Quarantine then repair, rename or delete any malware found.

If the scanners say you have Trojan-Spy.HTML.Smitfraud.c malware infection and/or any of it’s variants, Win32.puper, AVGold, Security iGuard, Spyware Vanisher, quicknavigate.com, updateSearches.com, startsearches.net, Virtual Maid, Search Maid, RazeSpyware, SpySheriff, PSGuard, SpyAxe, WinHound, SpyFalcon, AlfaCleaner, SpywareStrike... SpywareQuake, VirusBurst, Video ActiveX Object, SpyDawn, SpyLocked, then you should download a free tool called SmitRem. http://tinyurl.com/95tzv
Save the file to your desktop. Double click it to extract the contents to a folder of it’s own.
Restart your computer in safe mode, logon to the user account that is infected, open the smitRem folder and double click the RunThis.bat file to start the tool.
Also download Malwarebytes' Anti_malware http://tinyurl.com/ynjtrs to your desktop.
Great removal instructions can be found here: http://tinyurl.com/2pdtb5
Panda ActiveScan online should be run following the use of this tool, since it can detect and often repair anything not found and removed with the tool.
http://tinyurl.com/455j

If you've been infected by Antispyware2008, Antivirus XP 2008, go to this link: http://tinyurl.com/4ooc5t

If the scanners say you have Winfixer / Virtumonde / Msevents / Trojan.vundo.b, then follow the instructions here for removal:
http://www.bleepingcomputer.com/forums/topic18610.html

If you can't access security web sites, check your "Hosts" file: http://www.dslreports.com/faq/10131

If you are having trouble with loss of internet access, then download, install and run LSP-Fix: http://www.cexx.org/lspfix.htm
If you cannot get the LSP-Fix download then an alternate method would be to open a command prompt. (Start > Run...type in cmd and press 'OK' or go to Start > All Programs > Accessories >Command Prompt)
At the flashing cursor (prompt) type in netsh winsock reset and press ENTER on your keyboard. When finished, Reboot.

If your homepage is hijacked to res://random.dll/index.html#random, then download and run About:Buster. The download and tutorial can be found here: http://tinyurl.com/a3stx

02. Run two or three free web based AV scanners.
http://housecall.trendmicro.com/
http://www.ewido.net/en/onlinescan/
http://www.eset.com/threat-center/cac.php
http://www.bitdefender.com/scan8/
http://www.kaspersky.com/virusscanner
http://www.pandasoftware.com/products/ActiveScan.htm
http://security.symantec.com/
http://www.windowsecurity.com/trojanscan/

Record the malware names, and file names and locations, of any malware the scans find. Repair, quarantine or delete any malware found.

03. Download 5 tools...Download:
Trend Micro CWShredder: http://tinyurl.com/auv67
EliteToolbar Remover: http://www.simplytech.it/ETRemover/
McAfee AVERT Stinger: http://vil.nai.com/vil/stinger/
SUPERAntiSpyware: http://tinyurl.com/klkcy
SpyBot S&D: http://tinyurl.com/ziar
An alternate download site for CWShredder and HijackThis is http://tinyurl.com/8pf9v

Save them to your Desktop or folder of your choice. (I prefer to make a folder called "Downloads" in which I place all downloaded files into).

04. Run CWShredder. With it open and ALL other windows closed let CWshredder FIX all problems. Do this from Safe Mode. http://tinyurl.com/pfca
* If CWShredder doesn't run:
* Download PepiMK's CoolWWWSearch.Smartsearch killer. http://www.safer-networking.org/files/delcwssk.zip
* Run CoolWWWSearch.Smartsearch.
* Then return to CWShredder to clean up.
* In CWShredder, click "check for update".
* If an update is available, click "Download and open the update".
* Click "Scan only".
* If Coolwebsearch keeps returning, or if a scanner says you have cws.searchx, you need to take some extra steps before you carry on to see what else you have: http://www.spywareinfo.com/~merijn/cwschronicles.html
*If you need to find the "hidden appinit value" used by certain versions of CoolWebSearch, then go here:
http://forums.subratam.org/index.php?showtopic=583 for step-by-step instructions.

05. Run EliteToolbar Remover.
*Unzip (extract) into a newly created folder made by you.
*Reboot your machine in Safe Mode (just click the F8 key as the PC is starting, just before the MS Windows flag screen appears) and run the EliteToolbar Remover.
*Click the "Kill Elite Toolbar" button and wait until it finishes its work.
*Occasionally a DOS box may appear asking your permission to delete some files in temporary Windows directories. You must accept the deletion of these to be sure of properly removing the malware!

06. Run McAfee AVERT Stinger.
*If necessary, click the Add or Browse button to add additional drives/directories to scan. By default the C: drive will be scanned.
*Click the "Scan Now" button to begin scanning.
*By default Stinger will repair all infected files found.

07. Run SUPERAntiSpyware. Make sure all other windows, including your browser, is closed.

*Click the Check for Updates button.
*Once the update has finished, exit SUPERAntiSpyware. Please do NOT run a scan yet!
*Open SUPERAntiSpyware and click the Scan your Computer button.
*Check Perform Complete Scan and then click Next.
*Make sure that all items found have a check next to them, and then click Next.
*Click 'Finish' and you will be taken back to the main interface.
*It could be possible that it will ask you to reboot your computer in order to delete some files after reboot.
*To get the log which you should post, click Preferences and then click the Statistics/Logs tab. Click the dated log and press View Log and a text file will appear.

08. Run SpyBot S&D. Make sure all other windows are Closed and your browser isn't running.

* Click on "Update" in the left column.
* Click on "Search for Updates".
* Select a download location (usually one close to you).
* Click "Download Updates" and wait of the updating process to finish.
* Check that all Internet Explorer (web browser) windows are closed.
* Click "Search and Destroy" in the left column.
* Click "Check for Problems".
* Have Spybot remove/fix all the problems it identifies in RED. The items not listed in red should not be touched at this time.

Spybot S&D Tutorial: http://tinyurl.com/5wssa

09. Download, install, update and run an Anti-Trojan Application. Choose one of these:

Comodo BOClean: http://www.comodo.com/boclean/boclean.html (This only runs in the background)

TrojanHunter (30-day free trial): http://www.misec.net/trojanhunter/
Update it, then reboot into safe mode and run the program.

10. If there is still a problem, download HijackThis: http://tinyurl.com/3byxku
Run HJT and click on the "Open the misc tools section".
Click on "open uninstall manager".
Then Click "save list". This will create a log called uninstall_list.txt. Save it where you wish.
Once saved, it will open in Notepad.
Please Copy and paste or post the contents of "uninstall_list.txt" as well as the HJT log into any thread started by you.
To post a HJT log, open the program and click on "Do a System scan and save a logfile". There will be a pause in the scan during 015 Trusted Zone enumeration.....
When the scan is finished, the logfile will open up in Wordpad.
Copy and paste the contents of that into the thread.
Once done, go to File > SAVE AS, and name it today's date_hijackthis.log (2008-09-06_hijackthis.log) and save it in the HJT folder.

Here is a tutorial on how to use it: http://tinyurl.com/2uy4o

Copy and paste this log into a post started by you in PC Questions & Answers Forum (not in this thread) for us to see.

11. Download Find_It_s.zip to your desktop: http://tinyurl.com/6e7jks
Make a new folder in C:\
Unzip/extract the files inside Find_It_s.zip to the new folder you made . Open the folder and run Find_It_s.bat and wait for a text to open. It will take a while ...then post the resulting log. This will search for Aurora entries specifically, among other things.

12. To prevent important system files being deleted accidentally, Windows XP and Windows Me has a feature called System Restore. It makes backups of of these system files and restores the backups if the original file goes missing.

To prevent malware being restored by the operating system, it is often necessary to clear the backup files from System Restore AFTER the malware is deleted. (This is called "clearing the System Restore points". To do this, turn System Restore off, wait 30 seconds, and then turn System Restore back on.

Waiting until after your computer is clean of malware to clear the System Restore points is because if there is a problem during cleaning, System Restore can be used to try to correct it.

Instructions for turning System Restore on and off:
Enabling/Disabling System Restore: http://tinyurl.com/dm4u3
Symantec - System Restore: http://tinyurl.com/84kov

If you do a scan and get a virus detected in the _RESTORE or the System Volume Information folder (System Restore), but it cannot repair, quarantine, or delete the infected file....DO NOT WORRY ABOUT IT UNTIL THE REST OF YOUR SYSTEM IS CLEAN.

13. Empty out these three(3) folders once your system is clean. (just the contents and not the folder itself):

Go to Start | Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure these 3 are checked and then press "ok" to remove:

Temporary Files
Temporary Internet Files
Recycle Bin
....or....
* Temporary Internet Files. In the Control Panel, open Internet Options, and under the general tab, click on "Delete Files".
In the next window, put a check to "Delete all offline content" too. OK out to save.
* Temp folder contents. In XP, that's C:\Documents and Settings\User Name\ Local Settings\Temp. In Windows 98, it's found in C:\Windows\Temp.
* Empty the Recycle Bin.

If you don't own a firewall or use Xp's Windows Firewall, I would really recommend downloading a free one off the internet and disable Windows Firewall http://support.microsoft.com/kb/283673

The best free firewalls are:
Online Armor: http://www.tallemu.com/free-firewall...-software.html
Zone Alarm Free: http://tinyurl.com/dqs5h
Comodo Firewall: http://www.comodo.com/products/free_products.html
Kerio Personal Firewall: http://www.kerio.com/kpf_home.html
Sygate Personal Firewall: http://smb.sygate.com/download_buy.htm
Outpost Firewall Free: http://www.agnitum.com/download/

Then, make sure you visit the Microsoft Windows Update site: http://tinyurl.com/c36nx and get all "High Priority" updates.

Copyright © 2004 Crockett

So How Did I get Infected In The First Place?
http://computercops.biz/postt7736.ht...643c98774ed683

[hal9000]

Excellent post. Very helpful. Thanks Crockett.

[ShadowThomas]

A great deal of information, thank you. I can only think of one other thing one could ad and that would be SpywareBlaster. The reason I say this is because in SpywareBlaster comes with system snapshot which might help in the event one should get hyjacked. It is like system restore in XP only for your browser.

[MaryLou]

Thanks for compiling that Crockett!

I don't have all those utilities but I'll save the info to check more out.

This may have already been posted somewhere here, but I found a site on another forum that you can use to test your browser vulnerability:

http://secunia.com/multiple_browsers...rability_test/

[three lions]

Excellent Advice Crockett and one to keep for sure. Thanks for taking the time to put it together

TL

[Crockett]

Quote:

Originally Posted by ShadowThomas

A great deal of information, thank you. I can only think of one other thing one could ad and that would be SpywareBlaster. The reason I say this is because in SpywareBlaster comes with system snapshot which might help in the event one should get hyjacked. It is like system restore in XP only for your browser.

I was thinking of that Shadow, but if they don't already have it installed and they are already infected, then installing it after the fact is too late.
This application is more of a preventative measure than something that will get rid of spyware.
If they already have it installed, chances are they won't get hijacked and won't need this article.
I am making a thread on preventing Browser Hijacking that will include this.

You guys are welcome. Every little bit helps.

[sj1183]

Nice bro.
Take care.

[HARLEY]

Or use another browser.......................

[dandeboo]

Thanks Crockett, I have it on paper now. Thanks again.

[Crockett]

Since we don't have stickys, just a BUMP!

[phicks]

Very good post so i'll guess i'll bump it for you.

[MMFELL]

What a great post, this will bump it back up.

[Owbist]

Thank you Crockett.

[Crock]

Just a quick question, What is CWShredder? Is it something needed?

[Crockett]

Quote:

Originally Posted by Crock

Just a quick question, What is CWShredder? Is it something needed?

It's a small tool for removing CoolWebSearch hijacks as programs like SpyBot S&D or Ad-Aware do not remove all of the essential parts of a hijack.

[thedolphinlady]

Made a copy of your great instructions............again thank you so much for all your help and especially your time...........much appreciated...........I volunteer at a Dolphin Center in the Keys, so appreciate your effort with great respect.
The Dolphin Lady

[Crockett]

Quote:

Originally Posted by thedolphinlady

Made a copy of your great instructions............again thank you so much for all your help and especially your time...........much appreciated...........I volunteer at a Dolphin Center in the Keys, so appreciate your effort with great respect.
The Dolphin Lady

You're quite welcome.

[computerproblem12]

This is very helpful. Thanks for your time putting it together.

I got to step 6, and it got rid of a lot of crap yet my home page is still hijacked and I have some kind of popup/virus thing still hanging around. Will finish the rest of the steps tonight and see if it gets rid of it

[Crockett]

Quote:

Originally Posted by computerproblem12

This is very helpful. Thanks for your time putting it together.

I got to step 6, and it got rid of a lot of crap yet my home page is still hijacked and I have some kind of popup/virus thing still hanging around. Will finish the rest of the steps tonight and see if it gets rid of it

You're welcome......if a problem still persistes, post your problem in a new thread in PC Questions & Answers.

[COOKIE]

Hey Crockett

Very, very nice of you to take all that time to explain all this...been very helpful to me and i see, many others
God Bless you..

Cookie