I've been in business fixing computers for eight years now, so just a little qualification of myself. I fix roughly 6 to 7 computers per day, and while a few don't have spyware, the rest do. I don't format computers to fix them from spyware (weaksauce techs do) and I don't lose people's data. That being said, feel free to share any other methods or tools in this thread and we can all grab the pitchforks and do battle.
First off, you need a few software tools. You can download them from the interweb. There are of course other tools that work, such as Process Explorer and Autoruns, but this is what I use. I've also included a link to Super Antispyware, which I don't use but my other techs like.
HijackThis (http://www.download.com/Trend-Micro-HijackThis/3000-8022_4-10227353.html)
Pocket Killbox (http://www.bleepingcomputer.com/files/killbox.php)
Hoster (http://www.majorgeeks.com/Hoster_d4626.html)
Crap Cleaner (http://www.ccleaner.com/)
Dial-A-Fix (http://wiki.djlizard.net/Dial-a-fix_beta#Mirrors.2Fdownload_locations.2C_and_articles)
NOD32 (http://www.eset.com/download/free_trial_download_eav.php)
Rootkit Revealer (http://technet.microsoft.com/en-us/sysinternals/bb897445.aspx)
Avenger (http://swandog46.geekstogo.com/avengernotes.htm)
Super Anti-Spyware (http://www.superantispyware.com/download.html)
Ideally you want to run this in Safe Mode. To easily get there in Windows XP, click Start – Run and type in MSCONFIG. Click on the BOOT.INI tab and check off Safe Boot. If you want an Internet connection, then put the radio button beside Network. In order to change it back you must remove the checkmark beside Safe Boot. Vista is very similar but doesn't use radio buttons.
First thing I do now is open up Hoster and mark your HOSTS file read-only. You may want to restore the original HOSTS file and then mark it read-only.
Let's move to Pocket Killbox, shall we? This program does some great stuff. I initially use it for cleaning out the temp files. You can do this too by clicking on Tools and then Delete Temp Files. After that's done, go to the next step with HijackThis. Don't close Killbox just yet; you might need it later.
Next thing to do is to run HijackThis. This tool is dangerous, but I'll guide you through it. It lists all programs running on your computer, good or bad. The latest version is 2.02, so make sure you have that one. The new HijackThis has a feature where you can upload the log and it'll give you an idea of what needs to be removed. I've tried this a couple of times on infected computers, and while it found some of them, it didn't remove them all, so I wouldn't recommend this. Better would be to post the log in here for a Shacker to give you a better idea.
Click Scan. You can safely remove all the 01s since those are just homepage redirects and hijacks. The 02s can all go also unless you recognize them. The only ones that I keep are the Google toolbar, MSN toolbar, or else Adobe Acrobat. The rest are usually bad. Again, your computer may vary from the hundreds that I fix, but I doubt it. The 03s are the various toolbars installed. The only one I would keep is the c:\windows\system\msdxm.ocx one. The rest can go.
Here comes the big one, the 04s. These are the programs that run when Windows starts up and the ones that are in the registry. I can't list the ones that you should remove, obviously, so you have to be careful in removing them. I will list below the standard XP services and programs running on a default installation. This will give you a ground floor to start from. Of course, installing other programs will change this list, and you will have to decide whether or not you want that software starting up every time Windows boots. You cannot destroy an XP install by removing all of the 04s. So whatever you remove you can replace by either restoring the HijackThis entries or reinstalling the program.
For Vista I don't have the standard default ones that only show up in the Task Manager. There are different ones than those listed below, such as sidebar.exe and the like, but they are pretty obvious. I would still keep a close eye out for ones that are misspelled or in the wrong location. Maybe someone else would like to post the list from Vista?
Explorer.exe
Spoolsv.exe
Svchost.exe (4 or 5 times!)
Taskmgr.exe (you’re using it)
Alg.exe
Lsass.exe
Services.exe
Winlogon.exe
Csrss.exe
Smss.exe
System
System Idle Process
Beware of spelling differences! They usually target svchost.exe and make them look like scvhost.exe or something similar. Also beware of location. Services.exe does not run from the Program Files folder or anything else critical.
If you are unsure of anything else running, you can always Google it and it will tell you. It doesn't?? Well then delete it, because 99.9234822% of the time if Google has not heard of it then you don't need it.
Now be careful of the RunOnce folder because, since you've been through the Add/Remove panel, there may be some uninstallers that want to run the next time Windows boots up. Hence the RunOnce part. Don't remove them or else your work will be for naught.
The next section is usually the 09s. These are just extra buttons in Explorer. You can leave them if you like or remove them. I've never seen hijackers hit these.
Next up to bat are the 10s and 11s; these are always LSP or Winsock hijacks. HijackThis does not remove them by itself since it would break your internet connection. You need either the Winsock Fix from my site (http://www.five-online.com/files/WinsockFix.exe) or else HijackThis suggests the LSP fix from cexx.org (http://cexx.org/lspfix.htm).
We're almost done with the list. The next ones are the 16s, and these are all the stuff that IE has downloaded for you in your internet travels. You will see baddies in here like XXX toolbar and the like. You can tell which ones are bad and good by looking at the website on the right-hand side. If it's something you like, then keep it.
If the above hasn't helped you, then you missed something in the 04 section of HijackThis; check it again. If you're absolutely positively sure, then you may have a .dll hijack, which are pretty retarded but solvable. You need to boot into Safe Mode and turn on your hidden system files.
Go to your C:\Windows\System32 folder and sort by Date Modified. You can move all .dlls created recently to a folder on your Desktop. Reboot normally and keep an eye on your computer. If it complains of any missing .dlls, then don't worry. It might be the spyware asking. Usually they are randomly named .dlls, so they are pretty identifiable.
The other tools listed above, like Rootkit Revealer and Avenger, should only be used if the above process failed.
Rootkit Revealer is pretty straightforward. It just lets you know if there's anything hidden from the Windows API. There are legit entries in this when you scan. Usually you're looking for recent stuff, either from a few days ago or a few weeks. It can't remove them for you, but it's a good tool to identify what path you need to take to remove them.
The other one is Avenger. This is a much more powerful tool than Killbox and can do quite a lot of things. I would suggest that if you need to use this tool you read and then re-read the webpage linked above. I use it for more complex file removal problems. It's fully scriptable, so use it carefully.
Once you've done this, there's only a reboot waiting. Once you reboot, NOD32 should be run through a full system scan.
Now this concludes our stay at the spyware hotel. But wait, how did I get infected, redfive? Well, most commonly it's the porn sites, but I've had people swear up and down that they didn't go there (lol, husband). The second most common one is updating your codec software with infected software. Just stick to VLC and everything will be fine. How can I prevent this from happening again? Seriously, install Firefox (http://www.mozilla.com/en-US/). I could go on with how to make IE bulletproof, but I'm not. Suck it and install Firefox (http://www.mozilla.com/en-US/). Did I mention to install Firefox yet (http://www.mozilla.com/en-US/)?
Updated February 23, 2008
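Added example (editor's code, not redfive's and not from any of the tools linked in the post): the two eyeball checks from the 04 section, stock XP names with a letter swapped (scvhost.exe for svchost.exe) and stock names running from the wrong folder, plus the System32 "sort by Date Modified" step from the .dll hijack section, written as a small Python triage script. It assumes the stock XP process list in the post and a default C:\WINDOWS install; the process snapshot, the timestamp and the System32 listing in the block are constructed for the demo, not captured from a real machine. On a live box you would feed it the name/path pairs from Process Explorer or tasklist and point listing_from_directory at the real System32.

```python
"""Triage helpers for the 04 checks in the post: stock XP process names
with a letter swapped (scvhost.exe), stock names running from the wrong
folder, and recently modified DLLs in System32.  Added example, not code
from the post or from any tool it links."""
import ntpath  # Windows path semantics even when run on another OS
import os

# Stock XP process list from the post, mapped to the folder each image
# legitimately lives in.  Assumes a default C:\WINDOWS install.
EXPECTED_DIR = {
    "explorer.exe": r"c:\windows",
    "spoolsv.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "taskmgr.exe": r"c:\windows\system32",
    "alg.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "smss.exe": r"c:\windows\system32",
}
# Kernel pseudo-processes with no image on disk.
NO_IMAGE = {"system", "system idle process"}
LOOKALIKE_MAX_DISTANCE = 2  # scvhost/svchost is two substitutions apart


def edit_distance(a, b):
    """Levenshtein distance; names are short, so no library is needed."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete
                           cur[j - 1] + 1,              # insert
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def classify_process(name, path):
    """Verdict for one (image name, full path) pair:
    'ok', 'wrong_location', 'lookalike_of:<stock name>' or 'unknown'."""
    n = name.lower()
    if n in NO_IMAGE:
        return "ok"
    if n in EXPECTED_DIR:
        folder = ntpath.dirname(path.lower()) if path else ""
        # An empty path (access denied) is not evidence either way.
        if folder and folder != EXPECTED_DIR[n]:
            return "wrong_location"
        return "ok"
    closest = min(EXPECTED_DIR, key=lambda stock: edit_distance(n, stock))
    if edit_distance(n, closest) <= LOOKALIKE_MAX_DISTANCE:
        return "lookalike_of:" + closest
    return "unknown"


def triage(processes):
    """Everything that is not 'ok', in input order, for a human to Google."""
    findings = []
    for name, path in processes:
        verdict = classify_process(name, path)
        if verdict != "ok":
            findings.append((name, path, verdict))
    return findings


def recent_dlls(listing, now, max_age_days=14):
    """Names of .dll files modified within max_age_days, newest first.
    listing is an iterable of (filename, mtime in epoch seconds)."""
    cutoff = now - max_age_days * 86400
    hits = [(mtime, fname) for fname, mtime in listing
            if fname.lower().endswith(".dll") and mtime >= cutoff]
    return [fname for mtime, fname in sorted(hits, reverse=True)]


def listing_from_directory(directory):
    """Build a listing from a real folder (for example the System32 folder)."""
    with os.scandir(directory) as entries:
        return [(e.name, e.stat().st_mtime) for e in entries if e.is_file()]


# Constructed snapshot in the shape of a Process Explorer / HijackThis
# listing; not captured from a real machine.
SAMPLE_PROCESSES = [
    ("System", ""),
    ("svchost.exe", r"C:\WINDOWS\system32\svchost.exe"),
    ("scvhost.exe", r"C:\WINDOWS\system32\scvhost.exe"),              # letter swap
    ("services.exe", r"C:\Program Files\Common Files\services.exe"),  # wrong folder
    ("explorer.exe", r"C:\WINDOWS\explorer.exe"),
    ("xkqwd.exe", r"C:\Documents and Settings\User\xkqwd.exe"),       # unknown: Google it
]
NOW = 1203724800  # constructed reference time (23 Feb 2008 UTC)
SAMPLE_SYSTEM32 = [  # constructed (filename, mtime) pairs
    ("kernel32.dll", NOW - 400 * 86400),
    ("qzlmrt.dll", NOW - 2 * 86400),
    ("tuvwx.dll", NOW - 5 * 86400),
    ("notepad.exe", NOW - 1 * 86400),
]

if __name__ == "__main__":
    for name, path, verdict in triage(SAMPLE_PROCESSES):
        print(f"{verdict:26} {name:14} {path}")
    print("recent DLLs:", recent_dlls(SAMPLE_SYSTEM32, NOW))
```

The verdicts are only a sorting aid, exactly as the post treats them: a lookalike or wrong-location hit is something to remove, an "unknown" is something to Google first, and a name the script calls "ok" can still be a trojanised copy of the real binary, which is why the post still sends you to NOD32 and Rootkit Revealer afterwards.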