I've been in business fixing computers for nine years now, so just a little qualification of myself. I fix roughly 6 to 7 computers per day, and while a few don't have spyware, the rest do. I don't format computers to fix them from spyware (weaksauce techs do) and I don't lose people's data. That being said, feel free to share any other methods or tools in this thread and we can all grab the pitchforks and do battle.
First off you need a few software tools. You can download them from the interweb. There are of course other tools that work such as Process Explorer and Autoruns that are very similar to HijackThis but this is what I use. I've also included a link to Malware Bytes which I don't use.
As an aside, the reason why I don't use it is that if you as a technician rely on automated scans then you are teaching yourself nothing. Not only that, but I do this onsite and over the phone. Onsite I charge by the hour and it never looks good when you are doing nothing but watching a scan run. Nothing says ripoff more than paying a tech $80 an hour to install a program and watch it move across the screen. Secondly, there's nothing stopping people from watching what you are doing and copying your methods for next time. They won't be able to copy my method below. The people who write the malware know about Malware Bytes and employ methods to get around it. Sure, MBAM will catch up, but it's always better to train yourself and your eye to watch the ways they hijack computers.
If this is your own computer then feel free to run MBAM as you probably won't need to again. This guide shows how to do it without MBAM.
HijackThis (http://www.download.com/Trend-Micro-HijackThis/3000-8022_4-10227353.html)
Pocket Killbox (http://www.bleepingcomputer.com/files/killbox.php)
Hoster (http://www.funkytoad.com/download/HostsXpert.zip)
Crap Cleaner (http://www.ccleaner.com)
Dial-A-Fix (http://wiki.lunarsoft.net/wiki/Dial-a-fix#Mirrors.2Fdownload_locations.2C_and_articles)
NOD32 (http://www.eset.com/download/free_trial_download_eav.php)
Avenger (http://swandog46.geekstogo.com/avengernotes.htm)
MalwareBytes Anti-Malware (http://www.malwarebytes.org)
Combofix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)
Ideally you want to run this in Safe Mode. To easily get there in Windows XP follow these directions:
1. Click Start and choose Run
2. Type in MSCONFIG. Click on the Boot.ini tab and check off Safe Boot. If you want an Internet connection then put the radio button beside Network.
3. Reboot when prompted.
4. In order to change it back you must remove the checkmark beside Safeboot. Vista is very similar but doesn't use radio buttons.
The first thing I do nowadays is run through the Add/Remove programs. There is a lot that gets installed in here that is garbage. I usually remove all toolbars such as Ask and Google and Yahoo!. Keep them if you would like, but it's just clutter in your browser. If you find things that you don't recognize, the best practice is to Google the name of the program. The first few hits on Google will dictate what the program does and if it's rotten or not. I'm not going to list the usual suspects since they change their names like I change my underwear. Once you've done that, reboot to clear the nonsense from future scans.
Open up Hoster and mark your Hosts file read-only. You may want to restore the original HOSTS files and then mark read-only.
Let's move to Pocket Killbox, shall we? This program does some great stuff. I initially use it for cleaning out the temp files. You can do this too by clicking on Tools and then Delete Temp Files. One issue you may run into is an Error 6 when trying to clean. This just means that it's unable to clean everything, which is a confirmation that you are infected.
Next thing to do is to run HijackThis. This tool is dangerous but I'll guide you through it. It lists all programs running in your computer good or bad. The latest version is 2.02 so make sure you have that one. The new HijackThis has a feature where you can upload the log and it'll give you an idea of what needs to be removed. I've tried this a couple of times on infected computers and while it found some of them it didn't remove them all so I wouldn't recommend this. Better would be to post the log in here for a Shacker to give you a better idea.
Click scan. You can safely remove all the 01s since those are just homepage redirects and hijacks. The 02s can all go also unless you recognize them. The only ones that I keep are the Google toolbar, MSN toolbar, or else Adobe Acrobat. The rest are usually bad. Again, your computer may vary from the hundreds that I fix, but I doubt it. The 03s are the various toolbars installed. The only one I would keep is the c:\windows\system\msdxm.ocx one. The rest can go.
Here comes the big one, the 04s. These are the programs that run when Windows starts up and the ones that are in the registry. Again, I can't list the ones that you should remove, obviously, so you have to be careful in removing them. I will list below the standard XP services and programs running on a default installation. This will give you a ground floor on where to start from. Of course installing other programs will change this list and you will have to decide whether or not you want that software starting up every time Windows boots. You cannot destroy an XP install by removing all of the 04s. So whatever you remove you can replace by either restoring the HijackThis entries or reinstalling the program.
Below are the standard default programs that show up in the Task Manager. I've separated the XP and Vista list for organizational purposes. There are some differences between the different flavours of Vista so be careful. For a complete list you can visit BlackViper's page which is excellent (http://www.blackviper.com/WinVista/servicecfg.htm)
Explorer.exe
Spoolsv.exe
Svchost.exe (4 or 5 times!)
Alg.exe
Lsass.exe
Services.exe
Winlogon.exe
Csrss.exe
Smss.exe
System
System Idle Process
Beware of spelling differences! They usually target the svchost.exe and make them look like scvhost.exe or something similar. Also beware of location. Services.exe does not run from the Program Files folder or anything else critical.
If you are unsure of anything else running you can always Google it and it will tell you. What, you say it doesn't? Well then delete it, because 99.9234856% of the time if Google has not heard of it then you don't need it. You can always restore it from a Backup of HijackThis if needed. You can't blow your computer up using just HijackThis anyways.
Next section is usually the 09s. These are just extra buttons in Explorer. You can leave them if you like or remove them. I've never seen hijackers hit these.
Next up to bat is the 10s and 11s, these are always LSP or Winsock hijacks. HijackThis does not remove them by itself since it would break your internet connection. You need either the Winsock Fix from my site (http://www.five-online.com/files/WinsockFix.exe) or else HijackThis suggests the LSP fix from cexx.org (http://cexx.org/lspfix.htm).
We're almost done with the list. The next ones are the 16s and these are all the stuff that IE has downloaded for you in your internet travels. You will see baddies in here like XXX toolbar and the like. You can tell which ones are bad and good by looking at the website on the right hand side. If it's something you like then keep it.
If the above hasn't helped you then you missed something in the 04 section of HijackThis, check it again. If you're absolutely positively sure then you may have a .dll hijack which are pretty retarded but solvable. You need to boot into Safe Mode and turn on your hidden system files.
Go to your C:\Windows\system32 folder and sort by Date Modified. You can move all .dll's created recently to a folder on your Desktop. Reboot normally and keep an eye on your computer. If it complains of any missing .dll's then don't worry. It might be the spyware asking. Usually they are randomly named .dll's so they are pretty identifiable.
Also check your Drivers folder under C:\Windows\system32\drivers and sort by Date Modified. You're not going to be used to seeing anything in here, so my advice would be to check the latest created drivers and see if there's anything that's created in the last three weeks or so. Google the ones that are there. You will need Avenger to get rid of those. Alternatively, on really infected machines they may hide themselves in the Device Manager. Go there and click View and Show Hidden Devices and check under Non-Plug and Play Devices. Again you will have to rely on visual inspection looking for randomly named devices. This can be time consuming but necessary on really infected machines.
There is a new character in town and the way it infects is via the AppData folder in XP or Vista. This is done to beat the MBAM scanners and to also beat Firefox users. Telltale signs are Windows Firewall lookalike popups that warn you that you are infected and to click on Clean Now. This will of course launch into the typical Antivirus 2009 installer and completely fuck your box. These do not show up in HijackThis since it's not geared to check those folders. They are usually located in a folder called Google or one called IsolatedStorage. These new types of infections are why you don't rely on any manual tool. This one in particular was messing with me for about an hour before I realized it was only affecting one user.
The other tools listed above like Avenger should only be used if the above process failed.
The other one is Avenger. This is a much more powerful tool than Killbox and can do quite a lot of things. I would suggest that if you need to use this tool you read and then re-read the webpage linked above. I use it for more complex file removal problems. It's fully scriptable so use it carefully. To start you open Avenger and in the text box you type the following without the leading and trailing hyphens.
-----
Files to Remove:
C:\Windows\system32\alwodkfslek.dll <replace with whatever>
Folders to Remove:
C:\Program Files\Antivirus 2009
-----
Put as many entries as you would like in those categories and you can leave out either entry (Folders or Files) based on what you need removed. Make sure you check the box off to automatically remove rootkits!
We're almost there. Next step is to clear out the System Restore points. That's done just by turning it off and then back on again. Simple.
Once you've done this then there's only a reboot waiting. Once you reboot NOD32 should be run through a full system scan.
Now this concludes our stay at the spyware hotel. But wait, how did I get infected, redfive? Well, most commonly it's the porn sites, but I've had people swear up and down that they didn't go there (lol, husband). The second most common one is a driveby download from any sort of website running third party banner rotations. How can I prevent this from happening again? Before I had a long tag line with three different links all going for Firefox, but that's just as susceptible now because the way they're getting in is through the Temp files. I still recommend Firefox but also recommend that you run the unmentionable add-on (make sure you unblock the Shack and click lots of ads) plus the NoScript addon. Final step is to make sure you are running the latest update for Java. This is one of the ways they get in and hardly anybody does this. Yeah, that little orange square in your System Tray? Click it!
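Added example, not part of redfive's post and not code from any of the tools it links: a small Python triage script that automates three of the eyeball checks the post describes, so they can be run over a captured process list and directory listing instead of scrolled through by hand. It flags (1) process names that are a near-miss of a core XP process (the scvhost.exe vs svchost.exe trick), (2) core processes whose image is not in its usual directory (services.exe under Program Files), and (3) recently modified files in system32 or drivers whose names look random. The process and file listings below are constructed sample data; the expected directories assume a default C:\WINDOWS install, the 21-day window comes from the post's "last three weeks", and the edit-distance threshold and the random-name heuristic are my own choices.

```python
import ntpath
import re
from datetime import datetime, timedelta

# Core Windows XP processes named in the post, with the directory each image
# normally lives in. ASSUMPTION: a default C:\WINDOWS install; adjust if
# %SystemRoot% differs. "System" and "System Idle Process" have no image on
# disk, so they are not listed here.
CORE_PROCESSES = {
    "explorer.exe": r"c:\windows",
    "spoolsv.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "alg.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "smss.exe": r"c:\windows\system32",
}


def edit_distance(a, b):
    """Plain Levenshtein distance; a process list is small enough for the O(n*m) DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(name, max_distance=2):
    """Return the core process that `name` imitates (scvhost.exe -> svchost.exe),
    or None when the name is an exact core name or not close to any of them.
    Distance 2 catches a single swapped pair of letters; it is a heuristic."""
    name = name.lower()
    if name in CORE_PROCESSES:
        return None
    for core in CORE_PROCESSES:
        if edit_distance(name, core) <= max_distance:
            return core
    return None


def wrong_location(name, image_path):
    """True when a core process image runs from somewhere other than its
    expected directory (the post's 'services.exe does not run from Program Files')."""
    expected = CORE_PROCESSES.get(name.lower())
    if expected is None:
        return False
    return ntpath.normcase(ntpath.dirname(image_path)) != ntpath.normcase(expected)


def looks_random(stem):
    """Heuristic for the 'randomly named' DLLs and drivers the post describes:
    very few vowels, or a run of four or more consonants. Microsoft's own
    abbreviations (msvcrt) trip it too, so hits are names to look up, not verdicts."""
    s = re.sub(r"[^a-z]", "", stem.lower())
    if len(s) < 6:
        return False
    vowels = sum(ch in "aeiouy" for ch in s)
    longest = max((len(run) for run in re.findall(r"[^aeiouy]+", s)), default=0)
    return vowels / len(s) < 0.2 or longest >= 4


def triage(processes, files, now, recent_days=21):
    """processes: iterable of (name, image_path); files: iterable of (path, mtime).
    Returns the three suspect lists the manual steps would have you scan for."""
    report = {"lookalikes": [], "wrong_path": [], "recent_random": []}
    for name, path in processes:
        target = lookalike_of(name)
        if target:
            report["lookalikes"].append((name, target))
        if wrong_location(name, path):
            report["wrong_path"].append(path)
    cutoff = now - timedelta(days=recent_days)
    for path, mtime in files:
        stem, _ = ntpath.splitext(ntpath.basename(path))
        if mtime >= cutoff and looks_random(stem):
            report["recent_random"].append(path)
    return report


# Constructed sample data standing in for tasklist / dir output on an infected box.
NOW = datetime(2009, 3, 1)
SAMPLE_PROCESSES = [
    ("svchost.exe", r"C:\WINDOWS\system32\svchost.exe"),
    ("scvhost.exe", r"C:\WINDOWS\system32\scvhost.exe"),              # typo-squatted name
    ("services.exe", r"C:\Program Files\Common Files\services.exe"),  # right name, wrong place
    ("explorer.exe", r"C:\WINDOWS\explorer.exe"),
    ("lsass.exe", r"C:\WINDOWS\system32\lsass.exe"),
    ("updater.exe", r"C:\Program Files\Hypothetical\updater.exe"),    # hypothetical third-party app
]
SAMPLE_FILES = [
    (r"C:\WINDOWS\system32\alwodkfslek.dll", NOW - timedelta(days=2)),        # recent, random name
    (r"C:\WINDOWS\system32\ieframe.dll", NOW - timedelta(days=5)),            # recent, normal name
    (r"C:\WINDOWS\system32\msvcrt.dll", NOW - timedelta(days=400)),           # odd name, but old
    (r"C:\WINDOWS\system32\drivers\qzxvtrpmw.sys", NOW - timedelta(days=1)),  # recent random driver
]

if __name__ == "__main__":
    for key, hits in triage(SAMPLE_PROCESSES, SAMPLE_FILES, NOW).items():
        print(key, hits)
```

Everything it flags still needs the post's "Google it" step; the point is to shrink the list you have to eyeball from hundreds of entries to a handful, and to make the lookalike and wrong-path checks mechanical instead of something you catch only on a good day.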