
Spyware/Malware & Security


Mr. Chambers

Member
Joined
Feb 25, 2001
Location
Iowa
Getting Rid of Spyware/Adware/Trojans

Moderator Note: This sticky is an amalgamation of several sticky worthy posts which fall under the category of "Spyware/Malware & Security". Below is a table of contents for this sticky, as well as links to the full original threads the posts appeared in. Please direct any comments and questions to the original thread -- any new posts appearing in this thread will be deleted.



Programs Needed:
Download AdAware SE
Download SpyBot Search & Destroy
Download X-Cleaner
Download SpySweeper
Download CWS Shredder
Download HiJackThis!
Download TDS-3
Download Spyware Doctor

Microsoft has released a beta of its new spyware tool, called AntiSpyware. Here is a link to an overview of the beta, and you can download it here: Microsoft AntiSpyware (Beta). Please be aware it is in BETA form - it may have bugs, use at your own risk for now!

Quick Instructions:
Disable System Restore first. Then download and run the programs, get the latest update files for each of them, then restart into Safe Mode. Do full scans with each of them, deleting any spyware/adware found. I find that X-Cleaner (which also cleans some temp files out), then Ad-Aware, with Spybot next, finishing with SpySweeper and Spyware Doctor, and TDS-3 for good measure, cleans 99% of infections.

Finish up with CWShredder for good measure, and finally HijackThis if necessary.

Please be aware, that if you are using shareware or other programs that are supported by ads/spyware, they may not function correctly, or possibly not at all, after removing spyware entries from your system with these programs.

Other Helpful PC Computing Tips:
If you're having trouble with long boot/load times/slow system response times, try some of the following:

Make sure that you don't have any unnecessary programs running in the background. Windows XP is a resource hog anyway; you definitely don't want/need more programs slowing you down, especially if you don't need them running all the time. Type "msconfig" in the Run box, and disable any programs you know you don't need in the "Startup" tab.

Do a virus check, with the latest definitions, if you haven't already done so. Trojans and virii run rampant on the 'net. Below are links to free, online virus scanners.

If you're running Windows 2000/XP, disable any unnecessary services. Check out www.blkviper.com for a great guide on which services you don't need, and how to keep them from running.

If you're running Windows XP, download and run the BootVis.exe tool from MS. You can find it by doing a search on their site, or on www.google.com. This program can improve your boot and restart times considerably.

Download RegCleaner from www.jv16.org and use it. It cleans up your registry and removes unnecessary file fragments.

Using HijackThis:
Here is a great guide for how to read HijackThis! log files (Thanks to Kendan for the link!):
http://hometown.aol.co.uk/jrmc137/hjttutorial/tutorial.htm

Online Virus Scanners:
Trend Micro Housecall
Symantec Security Response
Panda ActiveScan
BitDefender Online Scan
Computer Associates eTrust Online Scan

There are also stand-alone virus removal tools - if you know which infection you have, available here. (Thanks Cowboy X)

Other Useful Programs:
KazaaBegone
LSP-Fix
 

Mr. Chambers

Member
Joined
Feb 25, 2001
Location
Iowa
Deleting Temporary Files:
I highly suggest downloading and installing the freeware application Crap Cleaner to delete unnecessary temporary files from your system - allowing Windows to run faster and more efficiently, and giving you more hard disk space. The benefit here is that a lot of malware resides in these temp folders.

----------------------------------------------------
Cleaning Up Your System:
Go to Start -> Run, and type: "cleanmgr /sageset:1" (without the quotes); this lets you choose what is to be cleaned up. I recommend selecting everything except the last two. Then go to Start -> Run again, and type "cleanmgr /sagerun:1" (again, without the quotes), to run the Advanced Disk Cleanup.

----------------------------------------------------
Preventative Maintenance Against Spyware:
Download/Install/Update/Run the latest version of SpywareBlaster, a great little freeware program that prevents spyware/adware from ever installing! Be sure to keep it updated, and to "Enable All Protection".

You can also block adware/spyware by editing your HOSTS file, or by using a program which does all the work for you, such as NoAdHOSTS.exe - which is available for free. (Thanks to UnseenMenace for the link!)

----------------------------------------------------
Switching Browsers:
Let's face it, IE is full of security holes, and most hackers/malware writers code for IE, because such a majority of users still use it. I made the switch to Firefox three months ago, and haven't looked back. Great browser, very fast, and the best part - a LOT more secure than IE. Built-in popup/ad blockers, skinning, and plug-in support are a few other neat features. I suggest you take a look!

If you decide to switch to Firefox, be sure to check out the Firefox Tweaks Thread for helpful tips and speed tweaks!

---------------------------------------------------
Also, there is another well-written guide about spyware/adaware removal found here:

Malware Warfare
 

I.M.O.G.

Glorious Leader
Joined
Nov 12, 2002
Location
Rootstown, OH
Malware Warfare - A Step-By-Step Infantry Training Camp

Original Article

I wrote this for the frontpage, and I think many of you are already familiar with it, however since Newbie_Doo has recently made it clear that this is the official forum for malware trouble, I wanted to post it here...

Overclockers.com said:
Malware Warfare – A Step-By-Step Infantry Training Camp

***Disclaimer: Take note that the intended audience for this guide is the techno-geek. Those less geek than myself may find the following instructions somewhat obtuse, but I am assuming that expending my efforts on anyone less geek than myself is likely working towards a lost cause. Joe Sixpack doesn't know or care about the malware infecting his system, at least not until it doesn't turn on anymore – and at that point, he'll bring his system to the techno-geek with wallet in hand***

Does the computer you know and love have the malware blues? How about your “PC-savvy” friends or family – you know, the ones who figured out how to use ctrl-alt-delete and believe they know what's good for their computer?

When it comes time for a good old-fashioned passionate PC ***-whooping, you're best to not step onto the field of battle without the proper arsenal at your disposal. How best to beat the odds when you're outnumbered by these techno-nasties?

Call in the reinforcements – pay a visit to the OC Forums and let them make sure you are getting the following procedure correct – there's no reason to go in alone as the people there are a welcoming and extensively knowledgeable group.

Required Software – Go to MajorGeeks and Download, Install, and Update all of these:

Mcafee Stinger
CWShredder
Spybot Search and Destroy
Lavasoft Adaware
SpySweeper
HiJackThis!
SpywareBlaster
jv16 Powertools
___________________________________________________

Procedure:

Disable System Restore and reboot into Safemode.

  • Step 1: Clear all temp files.

    Clear internet and system temp files, along with cookies files.
  • Step 2: Run Mcafee Stinger.

    This step has the potential to detect and remove 40+ viral attacks and all of their known variants from your computer. It is a good standalone program that is quick to find common infections.
  • Step 3: Run the Online Virus Scan at Symantec Security Response.

    On the Security Response main page, you will find an image labeled Check for Security Risks. Click on that and choose to run the online Virus Scan. This is an extensive scan which will find all known virii hiding within your system. Removal instructions are available on site at Security Response if you search for the virus name – help is ready and waiting at OCF also.
  • Step 4: Run CWShredder

    This program is a sign from the heavens that we are not forsaken on this planet. The CoolWWWSearch/CoolWebSearch malware component is one of the hardiest, nastiest nasties around. This program automatically finds and fixes a CWS infection, seemingly effortlessly... Doing this manually would not only require some extensive education as to the nature of this beast, but a single mistake could bring down your system as CWS has its claws hooked into some vital system components. Be thankful for this tool, and be certain to run its latest version as CWS seems to constantly be released in new variants.

    I want to re-emphasize how important it is to download and run the latest version of this software... Any battle waged against Malware without this utility in hand is fated for defeat. CWS is tremendously common, and this is THE tool to remove it. (The semi-final release of this software is from 6-28-04)
  • Step 5: Run Spybot Search and Destroy, Lavasoft Adaware, and SpySweeper.

    Run these programs, one after the other, finding and removing everything they find. If you need help on specifics in doing this, visit OCF... These programs are fairly intuitive and self-explanatory however, so you should have no problem. It is known throughout the online community that each of these programs can potentially recognize malware which the other two programs may miss – so yes, you should run them all.
  • Step 6: Run HiJackThis.

    This software application creates a log file which outlines what is going on behind the scenes of the system and can remove problem entries. This is the trickiest part of this article as it may be hard to recognize problem entries – once again, visiting OCF for assistance here would be wise. Take a look through and remove only things you are certain should be removed – this tool is a powerful weapon in this battle and it has the potential to cause serious damage if wielded incorrectly.
  • Step 7: Run SpywareBlaster.

    This application has protection schemes for common vulnerabilities within IE and Firefox, and it also protects the computer from restricted sites which are known to cause problems. It will not protect you from the computing catastrophe which is Joe Sixpack, but it will ease the pain and make up for any accidental deviances you have from techno-geekdom.
  • Step 8: Run jv16 Powertools

    The registry cleaner in this package does the best job of any application I have come across and comes with other powerful features also. Running this can remove many errant or no longer valid entries from the Windows registry. A popular alternative to this is RegSupreme, but I prefer jv16.
  • Step 9: Run a HDD Defragmenter.

    I believe Diskeeper to be the best, however the Windows defragmentation utility will work fine on a client's system. Running this often gives them a performance difference they can feel after you've worked on their system, and setting up a defragmentation task can keep their disk in good working order in the future.
  • Step 10: Run Services.msc from the run prompt.

    Tweaking the system's service configuration can free up surprising amounts of RAM – 40 MB more of available RAM in a system with 512 MB RAM is not unheard of. This will also make the user's performance appear much better.

    A great site for referencing in this respect is www.blackviper.com as he has a feature called Windows Service Configurations which explains and outlines what is safe to disable and what is not. Here is a quick breakdown of services you can disable - Alerter, Error Reporting, Human Interface Device, Messenger, Remote Desktop Helper, Remote Registry, Telnet, WebClient, and Wireless Zero. Be sure to disable messenger as this service can be responsible for receiving pop-ups, and it is never used for its intended purpose (this service has nothing to do with MSN).
  • Step 11: Tweak Windows configurations

    After right-clicking on My Computer, go to the Advanced tab, then Performance Settings, set XP to best performance and then recheck “use visual styles” to preserve appearance.
    Set the pagefile to a custom static size by setting min and max to equal values and be sure to click on the “set” button to apply those settings.
    Schedule automatic windows updates while you are here and tell it not to ask, but just install.
    Change their browser homepage to something useful like google if it is at a default setting.
    Run devmgmt.msc from the run prompt and ensure system devices are using the latest drivers.
    Go to control panel>Add/Remove Programs and “slap anything that looks as shifty as a politician in a sorority house.”
    Consider setting up a schedule for antivirus, defragmentation, and spyware scans.
    Consider installing/discussing a better firewall application for the user, like BlackIce.
Reboot normally and re-enable system restore if you wish.
___________________________________________________

Conclusion:

Each one of these applications is essential to waging this war – if any one of them is overlooked or not included, a major component is being left out. Steps 6 through 9 may not directly involve malware solutions, but they will give the end user a tangible improvement which will help to get them cooperating with what you tell them they need to do.

After running them, Task Manager and msconfig should be checked to confirm they are free from any abnormalities. For systems running anything aside from Windows 2k or XP, walk to any top floor window and just toss them out – the user's computing experience, from this point in time forward, will be a far more positive one.

Another closing point of interest - running Mozilla Firefox is a good alternative to continually trying to fix IE vulnerabilities – it isn't susceptible to BHOs and ActiveX controls the way IE is, and it makes popups history.

Keep in mind that switching from IE to Firefox is a functional solution, but it's a lot like putting a band-aid on a bullet wound – it's not fixing the problem, it's just covering it up. It can be a great alternative to use when waiting for an application update to include a detection for a new variant of malware infection that isn't currently recognized, and I have used this for clients in the past.

Ultimately, there are many malware problems which require personal attention to resolve, much like a virus can... I would not install any program not on my list here as many anti-malware programs themselves come with infections, or adware – so just installing everything and running it is a VERY poor option. Which brings me to my next point - often times, in particularly difficult malware situations, it is necessary to consult a group of knowledgeable peers...

I can't fully impart to you just how important of a role OC Forums has played in my techno-geekness and solving issues for me in the past. Stop by and introduce yourself, and let us help you solve any problem you may have!
___________________________________________________

Acknowledgements to the OCForums members who have contributed to this information, especially Wedo and Kendan, amongst countless others.
 

anon1

Member
Joined
Jun 8, 2005
I would not use AdAware. At TV Studio at school, it screwed up our computer. I recommend using Spybot: Search and Destroy. It gets everything from the Registry errors to Internet cookies.
 

Mr. Chambers

Member
Joined
Feb 25, 2001
Location
Iowa
tspier2 said:
I would not use AdAware. At TV Studio at school, it screwed up our computer. I recommend using Spybot: Search and Destroy. It gets everything from the Registry errors to Internet cookies.

Believe me there is nothing wrong with AdAware, it is still one of the best scanners out there, way ahead of Spybot in terms of updates in the past few months as well.

Sorry to hear about your problems with AdAware, I've used it on hundreds of machines, and haven't had one problem. Do you care to elaborate what "screwed up our computer" entails exactly?

[edit]
Added link to Spyware Doctor in first post, seems to be a very good up-and-coming tool, has a free version and a pay version with more features - but the free version is not time-limited like Spy Sweeper.
 

theMonster

Disabled
Joined
Jul 22, 2004
Location
At the pub
While it's true I've never seen an issue with AdAware, it is really just a glorified cookie-finder. Spybot does a bit better. SpySweeper does really well and from what I've heard CounterSpy is the cream of the crop. I've really had the problem pretty much licked since switching to SP2 with firewall, pop-up blocker and Firefox.
 

Mr. Chambers

Member
Joined
Feb 25, 2001
Location
Iowa
theMonster said:
While it's true I've never seen an issue with AdAware, it is really just a glorified cookie-finder. Spybot does a bit better. SpySweeper does really well and from what I've heard CounterSpy is the cream of the crop. I've really had the problem pretty much licked since switching to SP2 with firewall, pop-up blocker and Firefox.

I'm not sure if you guys are using a different version or WHAT, but with each release Lavasoft continues to impress me. It is far more than a "glorified cookie finder" - in fact I have great results with it picking up spyware, adware, rootkits, dialers, trojans, and even some viruses.

I will admit a year or so ago, Spybot was neck and neck with AdAware in terms of what it picked up from a full scan, but lately AdAware will find and fix MANY more positives than Spybot. Do a full scan with Spybot after AdAware, and I hardly find anything. Do a scan with AdAware after doing one with Spybot, and I almost always find more positives... Obviously the moral here is that you *must* use more than one scanner.

Spy Sweeper finds more than either, however it isn't free, just a 30 day trial. I haven't heard much on CounterSpy, I will be looking into it.
 

kill me2

Member
Joined
Jul 12, 2004
Is it possible to make the programs listed below stand-alone, so people can put them on a small USB stick, and just drive to the friend's house to use them without re-downloading the program from the internet and hoping the virus doesn't change the code?
 

Kendan

Senior Punk
Joined
Aug 27, 2001
Location
Dark side of hell
kill me2 said:
Is it possible to make the programs listed below stand-alone, so people can put them on a small USB stick, and just drive to the friend's house to use them without re-downloading the program from the internet and hoping the virus doesn't change the code?

Just download the programs and copy them to a USB stick. You just have to keep an eye out to make sure you have the latest version on the thumb drive.
 

Mr. Chambers

Member
Joined
Feb 25, 2001
Location
Iowa
Kendan said:
Just download the programs and copy them to a USB stick. You just have to keep an eye out to make sure you have the latest version on the thumb drive.

That's exactly what I do. I download all those programs (and a few others actually), along with their definition files if you can download those separately - which you can for most of those programs - to my USB thumb drive.

I replace them with the newer versions as they are released, or about every 2-4 weeks. Also I have a CD-RW disc for those older computers which my thumb drive will not work with easily (installing drivers).
 

kill me2

Member
Joined
Jul 12, 2004
Cool! Are there also stand-alone virus scanners? It would be good to shove NOD32 or Kaspersky onto the stick.
 

pik4chu

Senior Yellow Forum Rat
Joined
Jan 17, 2003
Location
Centennial, Colorado
I'll throw this on here as well; this is my documentation on the cleanprivacy.info spyware mess and how to manually remove it (since as of last week there was still no documented way). Anyways, here it is.

Ok, recently got this NASTY spyware app on a client's computer and finally managed to get it all off. The reason I post this is so if others come across it they will know how to remove it, as searching for the associated files and links returns NOTHING on Google (or any anti-spyware apps). So here it is.

Identification: This one will be really obvious, it is another desktop Hijacker. The screen it gives you is bright red with black and white lettering. The first line says "You have been visiting illegal porn sites!" And it has a couple links on it to clean, and a button at the bottom about "click to run clean tracks cleaner" or something similar. There is even text that says "Your life is in danger!" ROFL! anyways.

Issues: this thing is very nasty. It messes with what you try to run, as in Control Panel, Explorer windows, IE, Control Panel applets, property pages may or may NOT even open. In order to get them to open you want to open Task Manager and end all the 6668e3d748.exe processes (there are usually 3 of them).

File locations and info

The active desktop is located in your Temp directory (be it under C:\documents and settings\%username%\Local Settings\Temp or just C:\Temp depending on OS). It is called d0d61686.html; just make note of it, as deleting it now won't help.
There is:
C:\WINNT\6668e3d748.exe
C:\WINNT\%System%\6668e3d748.exe (set to hidden attribute)
C:\WINNT\6668e3d748.ini
C:\WINNT\6668e3d748drv.sys

This also installs a windows service using the LocalSystem account
The service name is WindowsInstallService

Those are the only locations of the files. Now for the registry. For your amusement, this will put itself into any startup type, even Safe Mode; it also installs itself as a device driver. Ok:
HKEY_CurrentUser\Software\Microsoft\Windows\CurrentVersion\Run\ "C:\WINNT\6668e3d748.exe"

HKEY_CurrentUser\Software\Microsoft\Windows\CurrentVersion\Uninstall\{D41D8CD9-8F00-B204-E9800998ECF8427E} "C:\WINNT\6668e3d748.exe" -un

HKEY_LocalMachine\Software\Microsoft\Windows\CurrentVersion\Run\ "C:\WINNT\6668e3d748.exe"

Note: This will also be listed in any CurrentVersion\Run location throughout the registry, for every user.

HKEY_LocalMachine\CurrentControlSet001\Control\Safeboot\Minimal\6668e3d748SVR

HKEY_LocalMachine\CurrentControlSet001\Control\Safeboot\Network\6668e3d748SVR

HKEY_LocalMachine\CurrentControlSet001\Enum\Root\LEGACY_6668e3d748DRV.SVR

HKEY_LocalMachine\CurrentControlSet001\Services\6668e3d748DRV.SVR

HKEY_LocalMachine\CurrentControlSet002\Control\Safeboot\Minimal\6668e3d748SVR

HKEY_LocalMachine\CurrentControlSet002\Control\Safeboot\Network\6668e3d748SVR

HKEY_LocalMachine\CurrentControlSet002\Enum\Root\LEGACY_6668e3d748DRV.SVR

HKEY_LocalMachine\CurrentControlSet002\Services\6668e3d748DRV.SVR

HKEY_LocalMachine\CurrentControlSet\Control\Safeboot\Minimal\6668e3d748SVR

HKEY_LocalMachine\CurrentControlSet\Control\Safeboot\Network\6668e3d748SVR

HKEY_LocalMachine\CurrentControlSet\Enum\Root\LEGACY_6668e3d748DRV.SVR

HKEY_LocalMachine\CurrentControlSet\Services\6668e3d748DRV.SVR

Now for the good news! The keys above are for aftermath cleanup. Removing or changing them won't do any good initially. All you have to do to remove this is the following.

First go into the Services console and find the Windows service. DON'T disable/delete it or it will just come back; what you need to do is change the username it uses to run to something that is disabled, such as Guest. With that done, open an Explorer window and go to the Tools > Folder Options menu; in there choose "Restore Defaults". The item you are looking for is the first one that handles the active desktop view; setting it to defaults should set it to "Windows classic". Next go to Desktop Properties and go to the Web tab, deselect the d0d61686.html item and click Apply. Now once this is done, simply search the hard drive for all those files I listed above and delete them. It's best to delete in one fell swoop the 666*.* files and then the html file, so there is no chance of regrowth. Then you can go through and clean up the registry and all that.

Enjoy and I pray that no one gets stuck with this :)

*edit* ok wtf is up with that line break in the middle of the text? Copying it out of the page into Word, removing the spaces and copying it back over doesn't do anything; even tried CODE tags.
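A check for the indicators listed in this post, as an added example that is not part of pik4chu's write-up: it parses a Windows .reg export (as produced by regedit's Export or `reg export`) plus a plain file listing, and groups the hits by the persistence mechanism they show (files on disk, Run/Uninstall autostarts, SafeBoot keys, service and driver keys). The sample export and file list are constructed; real exports spell the hives as HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001 and CurrentControlSet, and the WindowsInstallService key and the Run value name are assumed, since the post does not give them.

```python
# Indicators taken from pik4chu's post: the file-name stem shared by the dropped
# .exe/.ini/.sys files, the active-desktop HTML page, and the service name.
FILE_STEM = "6668e3d748"
DESKTOP_PAGE = "d0d61686.html"
SERVICE_NAME = "WindowsInstallService"

def parse_reg_export(text):
    """Yield (key_path, {value_name: data}) for each key in a .reg export.
    Only the string form "name"="data" is handled; that is all we need here."""
    key, values = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            if key is not None:
                yield key, values
            key, values = line[1:-1], {}
        elif key is not None and "=" in line:
            name, _, data = line.partition("=")
            # .reg exports double the backslashes inside string data
            values[name.strip('"')] = data.strip().strip('"').replace("\\\\", "\\")
    if key is not None:
        yield key, values

def check(reg_text, file_listing):
    """Match the post's indicators against a registry export and a file list.
    Findings are grouped by the persistence mechanism they reveal."""
    found = {"files": [], "autostart": [], "safeboot": [], "services": [], "localsystem": []}
    stem = FILE_STEM.lower()
    for path in file_listing:
        if stem in path.lower() or path.lower().endswith(DESKTOP_PAGE):
            found["files"].append(path)
    for key, values in parse_reg_export(reg_text):
        klow = key.lower()
        hits = [f"{n}={d}" for n, d in values.items() if stem in d.lower()]
        if stem not in klow and SERVICE_NAME.lower() not in klow and not hits:
            continue
        if "\\safeboot\\" in klow:            # survives a Safe Mode boot
            found["safeboot"].append(key)
        elif "\\services\\" in klow or "\\enum\\root\\" in klow:
            found["services"].append(key)
            # ObjectName is the account a service starts under.  The post says this
            # one runs as LocalSystem and repoints it at a disabled account to stop it.
            if values.get("ObjectName", "").lower() == "localsystem":
                found["localsystem"].append(key)
        else:                                 # Run / Uninstall entries
            found["autostart"].extend(f"{key} : {h}" for h in hits)
    return found

def is_infected(findings):
    return any(findings[k] for k in ("files", "autostart", "safeboot", "services"))

# Constructed sample export (real exports use HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001
# etc., which the post abbreviates).  The WindowsInstallService key is assumed.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINNT\\system32\\ctfmon.exe"
"6668e3d748"="C:\\WINNT\\6668e3d748.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{D41D8CD9-8F00-B204-E9800998ECF8427E}]
"UninstallString"="C:\\WINNT\\6668e3d748.exe -un"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\6668e3d748SVR]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\6668e3d748SVR]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6668e3d748DRV.SVR]
"ImagePath"="\\??\\C:\\WINNT\\6668e3d748drv.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WindowsInstallService]
"ImagePath"="C:\\WINNT\\6668e3d748.exe"
"ObjectName"="LocalSystem"
"""

# Constructed file listing, e.g. from a recursive dir of the drive in Safe Mode.
SAMPLE_FILES = [
    r"C:\WINNT\explorer.exe",
    r"C:\WINNT\6668e3d748.exe",
    r"C:\WINNT\system32\6668e3d748.exe",
    r"C:\WINNT\6668e3d748.ini",
    r"C:\WINNT\6668e3d748drv.sys",
    r"C:\Documents and Settings\user\Local Settings\Temp\d0d61686.html",
]
```

Running `check(SAMPLE_REG, SAMPLE_FILES)` on a real export of a clean machine should return empty lists throughout; a non-empty "safeboot" list is the tell that removal in Safe Mode alone will not be enough.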
 

Mr. Chambers

Member
Joined
Feb 25, 2001
Location
Iowa
Thanks for posting that pik4chu, I personally haven't come across that particular malware, but it does sound like quite a chore to remove.
 

@[email protected]

Senior Member
Joined
Dec 18, 2000
Location
Chapecó-SC
tspier2 said:
I would not use AdAware. At TV Studio at school, it screwed up our computer. I recommend using Spybot: Search and Destroy. It gets everything from the Registry errors to Internet cookies.


It screwed my internet access 2 times, needing a reformat, and one time again in a hospital computer from the ICU where I was trying to "help" the infested computer's performance..... 3 reinstalls...!!!! :shrug:
 

Xtreme Barton

Member
Joined
Jan 17, 2004
I have to disagree with Ad-Aware being a bad tool.


I would also like to point out that there should be two separate lists.

One for free removal and the other for paid removal...



I used to just run Microsoft AntiSpyware and Spybot. Now I have added a couple more to ensure my protection.


And for those who had their system muffed up... did you not bother to look and see what it was going to remove? A simple look through the results list might have saved you a big headache.
 

ZhengHe

Member
Joined
Jul 2, 2004
Just one question. Do you think X-Cleaner is worth an install in its freeware version or only as a paid program, and how can/should/could CCleaner fit into this list, since I think it makes a good follow-up to X-Cleaner when used correctly?
 

Xtreme Barton

Member
Joined
Jan 17, 2004
X-Cleaner is worth it either way... and I have not used CCleaner yet. I've been testing a ton of the new apps out.