Talk:Tiers for Fears Cleaning Malware

From CastleCopsWiki



Page Maintenance

The section of the original article has been posted and is ready for updating.

--Stan_qaz 13:48, 20 May 2005 (EDT)

Resorted the order of discussion topics with the intent of reducing any potential confusion. ;)

--Ikeb 12:41, 23 May 2005 (EDT)

Resorted again to reflect the move of 1st tier to 6th tier

--Ikeb 18:54, 24 May 2005 (EDT)

Resorted yet again due to the added sections and added comments. Thought it best to bring comments in line with the major sections rather than overall chronological order. --Ikeb 22:37, 29 May 2005 (EDT)

Created a "Take 2" copy and write-protected this page so that for the time being it will remain as a reference. --Ikeb 13:27, 8 Jun 2005 (EDT)

Renamed this page from Tiers for Fears Cleaning Malwares --Ikester 13:34, 3 Sep 2005 (EDT)

Use of Username/timestamp

Folks, when adding your comments to a Talk: page, please add your username/timestamp so the rest of us know who's talking. It's simple too. Just click the second button from the right.

BTW, in case you're wondering, I was able to add the Negster22 and Yellowhammer usernames based on a look through the history files ... which takes time. Much better to have the sigs there to begin with.

--Ikeb 14:15, 22 May 2005 (EDT)
Is there a wiki page that describes that? Perhaps make a note of it for folks when they come over? --Paul 19:23, 22 May 2005 (EDT)

For those unable to locate the second button from the right, first click on the edit link and you will see all of them at the top. --quietman7 10:55, 23 May 2005 (EDT)

Also please add comments to the bottom of the appropriate section so as to form a chronological discussion for that section. Kindly only add your comments elsewhere if they apply in some other manner. Consider creating a new section if the current sections do not apply. --Ikeb 22:48, 29 May 2005 (EDT)

Changes

Howdy,

Added some links to the existing page (still several missing) and added 2 tiers. The other links still need to be added by someone having the time to look them up or copy from their CRs. Additional online scans should be added and maybe a tier with MSAS when we know what's up with the Beta status.

--Mrrockford 16:01, 21 May 2005 (EDT)

Moved 1st tier to 6th as it only needs to be mentioned before having to clean something up manually and HJT is the next step, if needed. My other thought is to put it in the HJT part right at the beginning of the tier. Also made some typo corrections.

--Mrrockford 01:24, 24 May 2005 (EDT)

Modified Tier contents listing to reflect the title of each, for easy reference.

--Mere-Mortal 16:24, 29 May 2005 (EDT)

Suggestions

Hi everyone,

Sorry, I know this is probably in the wrong place but I just wanted to mention this. I hope it is not too late! IMHO, we should supply directions for the Microsoft Windows AntiSpyware Beta as an alternative antispyware scanner.

Why would it be too late? We're just getting started!  :) --Ikeb 14:28, 22 May 2005 (EDT)

We should also supply directions for using Ewido as an alternative antitrojan program, since we oftentimes have posters run that program anyway in the HJT forum because of its effectiveness in the removal of some very stubborn newer infections such as nail.exe. In my own personal experience, I found Ewido to be more effective than TH, as it found seven trojans on my system which TH never found. (and I am a registered user of TH)

We could either have a separate category as I outlined below, in a separate tier or just merge these two solutions into their respective categories. For example, give the user another choice under the category of antispyware scanners and say run two of these three. To me the last method is preferable. Likewise for the anti-trojans programs: Under Anti-trojans say run one of these two.

Be bold! Instead of suggesting what should be done, please make the changes yourself. When making changes, just let everyone else know what you've done and why right here. If others don't like the changes, they can modify from there or if things get out of hand (which I don't expect, but could happen) a sysop (wiki admin) could revert to an agreed-to version.
If you're not sure yourself, just copy the current page, add a link to a new page, paste in the copy and modify from there. If that version now looks preferable, the old "master" can be replaced with your version.
--Ikeb 14:28, 22 May 2005 (EDT)

_________________________________________________________________

Additional resources for Windows 2000 and XP Operating Systems

The Microsoft Windows AntiSpyware Beta (developed for Windows 2000 and XP Operating Systems): Please understand that this is a Beta test version, but it has been proven to be very effective at spyware detection and removal. It also features real time system monitoring, scheduled scans, and auto updating. You can find information and download links for The Microsoft Windows AntiSpyware Beta at: http://www.microsoft.com/athome/security/spyware/software/default.mspx Here is a very in-depth tutorial provided by Grinler of Bleeping Computer: http://www.bleepingcomputer.com/forums/tutorial98.html

Please download and install the program. Install all real time protection agents. Then set it to 'run a full system scan', under scan options and scan everything. Remove any threats found.

______________________________________________

Ewido Security Suite (for Windows 2000 and XP Operating Systems): Please download a full free 14-day test version of Ewido Security Suite. Ewido is a multi-purpose Trojan and malware detection and removal program that also offers real-time threat protection. Download and install Ewido Security Suite (free): http://www.ewido.net/en/download/ Next, update the definitions by clicking Update. Reboot after installing defs.

For greater effectiveness, the scan may be run in safe mode: To boot into SAFE MODE do the following:

1) Restart your computer

2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.

3) Instead of Windows loading as normal, a menu should appear

4) Select the first option, to run Windows in Safe Mode.

Now launch Ewido by double-clicking the yellow 'e' in the system tray. Then run a scan. As each warning screen pops up, clean and quarantine each threat or select 'clean' and check the box to apply to all infections found.

I realize these solutions may be listed in #9 but I think they should be given higher visibility than being tucked away in a hidden tier at the very end because of their superior effectiveness.

Negster22 -- Sig added by Ikeb 14:15, 22 May 2005 (EDT)

_________

Ikeb wrote "Resorted the order of discussion topics with the intent of reducing any potential confusion. ;)" I think we should make the same changes in the discussion section rather than use: First Tier (now 6th), 2nd Tier (1st), etc. Leaving the labels like this is confusing as well. --quietman7 12:34, 24 May 2005 (EDT)

Done.
--Mrrockford 13:20, 24 May 2005 (EDT)
I've taken the liberty to leave a historical reference for anyone who visits and wonders what happened to the tier order.
--Ikeb 18:54, 24 May 2005 (EDT)

4:38 PM EST Negster22: The only thing still bothering me is the fact that it is best to remove certain programs via the control panel prior to using automatic scanners. Examples of such programs: Wild Tangent, Weatherbug, Viewpoint, MySearch, MyWay.

It is particularly important to remove the following two programs, or the winsock chain can be corrupted and internet access problems will result: WebHancer and New.net (there is an effective uninstaller for this on the new.net website): http://www.newdotnet.com/ --Negster22 16:39, 29 May 2005 (EDT)

_____________
Tier numbers:
I have no idea how this thing works, so I don't know how to edit it accordingly. I notice that with the numbers for each tier, the "Introduction" is number one on the list, meaning tier 1 is number two on the list, tier 2 is number three and so forth. I'm thinking that getting rid of the numbers altogether might suffice? --Mere-Mortal 00:54, 30 May 2005 (EDT)

MM, the section numbers are added by the wiki. We have no control over that. --Ikeb 01:20, 30 May 2005 (EDT)

Introduction to the Hijackthis Guidelines & Tiers

I have added the following introduction to our article:


Your computer has been hijacked or infected with malware such as Trojans, viruses and spyware. As such you have been recommended to download and use HijackThis [HJT] to post a log. What kind of log you ask? A log created by the HJT tool that lists most places on your computer that spyware and malware are known to target.


HIJACKTHIS IS AN ADVANCED TOOL AND REQUIRES ADVANCED KNOWLEDGE ABOUT THE WINDOWS OPERATING SYSTEM. MOST OF THE HJT LOG ENTRIES ARE REQUIRED TO RUN YOUR COMPUTER. REMOVING ESSENTIAL ENTRIES WITHOUT KNOWING WHAT THEY ARE CAN POTENTIALLY CAUSE SERIOUS DAMAGE TO YOUR COMPUTER SUCH AS YOUR INTERNET NO LONGER WORKING OR PROBLEMS WITH RUNNING WINDOWS ITSELF.


But HijackThis is not a stand-alone cleaning tool and it does not scan the entire system. HJT only scans certain areas of your system to help diagnose the presence of undetected malware in known hiding places. As such, it is extremely important to use full system scanning tools like Adaware SE and Spybot S&D first followed by online AV scans for virus, worm or trojan infections prior to fixing anything with HJT. It is not unusual to have Adaware or Spybot find hundreds of infected files and registry items HJT does not target. Just because you "fixed" something in HJT doesn't mean you have a clean system.


If you allow HijackThis to remove entries before another removal tool scans your computer, the files from the malware will still be left on your computer and future removal tools will not be able to find them. In addition, just having HJT fix the listed entries does not complete the cleaning process. There are specific files and folders which must be deleted afterwards. HJT does NOT delete them. If you do not have advanced knowledge about computers you should NOT fix entries using HijackThis without consulting an expert in a security forum as to what to fix.


With this "basic" understanding of what HJT can and cannot do, we have created the following "Hijackthis Guidelines" for performing the preparatory work in separate Tiers that needs to be done prior to posting a HJT log. Please follow the instructions listed in each Tier. When all the steps have been performed you can post a log for evaluation and receive expert assistance with using HJT and cleaning what malware remains on your system.


Now you are ready to proceed to the First Tier. --quietman7 07:44, 25 May 2005 (EDT)


Minor edit to change Adaware to Ad-Aware --Corrine 10:36, 29 May 2005 (EDT)

4:38 PM EST Negster22: Also corrected two items in intro. --Negster22 16:39, 29 May 2005 (EDT)

Corrected small errors in syntax, spelling and grammar. --Prince Serendip 12:44, 4 Jun 2005 (EDT)

1st Tier: Clean out the Clutter

(was originally 2nd Tier) --Ikeb 18:54, 24 May 2005 (EDT)

I added the following:

Instructions for using ccleaner:

1. Run CCleaner using its default settings.

2. A pop up box will appear advising this process will permanently delete files from your system.

3. Click OK and it will scan and clean your system.

4. Make sure you clean all three sections: Windows, Applications and Issues. --quietman7 11:21, 23 May 2005 (EDT)

I changed this section because I don't think we should be so aggressive with the cleaning.

--Yellowhammer 08:00, 29 May 2005 (EDT)

I changed using the default setting to unchecking the option to only delete temp files older than 48 hours. I disagree with any suggestion to not delete cookies. (BillB)

I reformatted this section. Please check that nothing got lost in the translation. ;) --Ikeb 22:52, 29 May 2005 (EDT)

2nd Tier: Online Scans

(was originally 3rd Tier) --Ikeb 18:54, 24 May 2005 (EDT)

I added these trojan scans to the 3rd Tier:

Sygate Trojan Scan: http://scan.sygatetech.com/pretrojanscan.html

Windowsecurity Trojan Scan: http://windowsecurity.com/trojanscan/

--quietman7 11:39, 23 May 2005 (EDT)

3rd Tier: Ad-Aware

Whoever wrote "For more information on how to use a Host file to protect yourself read, "What is the Hosts file?" in the 3rd tier (Ad-aware) - no link was provided for the user to read. There are several links that can be used here but the originator of this section might have had something specific in mind.--quietman7 08:38, 26 May 2005 (EDT)

29-May-2005 9:45 PM Negster22

Under Ad-Aware Tier- changed two items:

1.) "if you use a Hosts File" --> "if you use a blocking Hosts File"

I think this is what was intended to be said, correct me if I am wrong.

2.) Provided the reference link for this orphan:

Formerly: "What is the Hosts file?" with no link provided. Changed to: "What is the Hosts file?": http://www.accs-net.com/hosts/what_is_hosts.html --Negster22 16:39, 29 May 2005 (EDT)

I reformatted this section partly to bring it in line with formatting of other sections. Please check that nothing got lost in the translation. ;) --Ikeb 22:54, 29 May 2005 (EDT)
I tried out some HTML formatting. Much better. --Ikeb 00:21, 31 May 2005 (EDT)

4th Tier: Spybot Search & Destroy

(was originally 5th Tier) --Ikeb 18:54, 24 May 2005 (EDT)

I added this to the 4th Tier:

Detailed Instructions for Setup & Configuration are here: http://www.bleepingcomputer.com/forums/tutorial43.html

Tutorial & Help is here: http://tomcoyote.org/SPYBOT/index1.php

--quietman7 11:48, 23 May 2005 (EDT)

"Questions or problems with Spybot S&D can be posted here." There was no link provided so I added the one from our Spybot S&D forum. --quietman7 12:26, 24 May 2005 (EDT)

I reformatted this section. Please check that nothing got lost in the translation. ;) --Ikeb 22:56, 29 May 2005 (EDT)

5th Tier: Trojan Removal Programs

(was originally 6th Tier) --Ikeb 18:54, 24 May 2005 (EDT)

I added this to the 5th Tier:

Download and install the free Ewido Security Suite: http://www.ewido.net/en/download/

[Note: The download is a time limited full featured version. The background guard and resident protection install as a service but expire after a week so install it as a stand alone scanner that you can use as part of your regular maintenance.]

1. When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".

2. When running it the first time, you will get a warning "Database could not be found".

3. Click OK.

4. From the main screen, click on Update in the menu, then click the Start update button.

5. After the update finishes the status bar at the bottom will display "Update successful".

6. Click on the Scanner button in the left menu, then click on the Start button to begin the scan. [This scan can take some time to run so be patient.]

7. If Ewido finds anything, it will pop up a notification. Select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.

--quietman7 11:59, 23 May 2005 (EDT)

I reformatted this section. Please check that nothing got lost in the translation. ;) --Ikeb 22:56, 29 May 2005 (EDT)

--Prince Serendip June 2, 2005 at 09:50 am CDT

I made some minor edits to the Trojan Removal Tier and corrected URLS and grammar.

I am unable to find the timestamp button. I have no buttons on the right, only on left, top and bottom.

In edit window, row of buttons at top, second one in from right. --Ikeb 23:26, 2 Jun 2005 (EDT)
Found it. The Edit Window Toolbar, 2nd from right. Thanks. --Prince Serendip 12:21, 4 Jun 2005 (EDT)


I added the following: As an alternative for those using Windows 98, ME, NT4 there is a-squared Free [it also works with Windows 2000, 2000 Server, XP and 2003 Server].

a-squared Free contains only the basic scanner. Background Guard, Automatic Updates and other advanced features are only available with a-squared Personal. The free version can be downloaded here: http://www.emsisoft.com/en/software/download/ --quietman7 10:13, 6 Jun 2005 (EDT)

6th Tier: Hidden Files and Folders

(was originally 1st Tier) --Ikeb 18:54, 24 May 2005 (EDT)

I added a link to a printable text copy of these instructions. We are recommending that people print copies of these instructions. The embedded links will not print out properly. Do we need to post the full URL addresses as well as embedding them?

Yellowhammer -- Sig added by Ikeb 14:15, 22 May 2005 (EDT)
I'm not sure what you mean. The link is to http://castlecops.com/p520740-Guide_Make_your_own_System_Security_Suite_for_Free.html#520740 a post at CastleCops, not a text file.
BTW, why not link to Roll_your_own_Free_Security_Suite? That [currently] is a verbatim copy of the post you referenced. I placed it here a few weeks ago expecting that First Responders and/or Security Experts might want to "fine tune" that page. ;)
--Ikeb 14:47, 22 May 2005 (EDT)
Apologies. For some reason I thought this was in regards to Tier 9. My comments do not apply so I have stricken them.
--Ikeb 12:42, 23 May 2005 (EDT)
Or how about making a wiki page whose contents will be Yellowhammer's txt file? --Paul 19:22, 22 May 2005 (EDT)

Why are we including "It will help in cleaning out the malwares if you enable your system to show hidden files and folders". Isn't this a step we ask them to do when providing specific instructions to delete files after using HJT and then provide a reminder to hide them again when we are done to avoid accidental deletion? Why would this be necessary in prep guidelines when none of the tools we are giving them requires this?--quietman7 11:05, 23 May 2005 (EDT)

See Changes section, QM.
--Mrrockford 01:28, 24 May 2005 (EDT)

I made some minor changes in the 6th Tier and included the instructions for downloading and using the ToggleHiddenExplorerStuff.vbs tool.--quietman7 14:44, 1 Jun 2005 (EDT)
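Since this tier has the user reveal hidden and system files for the cleanup and then hide them again afterwards, here is an added PowerShell example (not the wiki's own instructions, and not the ToggleHiddenExplorerStuff.vbs tool, whose contents this page does not show) that reads and sets the per-user Explorer values behind the Folder Options checkboxes. The registry key and value names are the ones Explorer itself uses; the function names are this example's own.

```powershell
# Added example: view and toggle Explorer's hidden/system file display the way
# Folder Options does, by writing the per-user Explorer\Advanced registry values.
# Function names are this example's own; the key and value names are Explorer's.
$script:AdvancedKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

function Get-HiddenFileView {
    # Hidden: 1 = show hidden files and folders, 2 = do not show them.
    # ShowSuperHidden: 1 = also show protected operating system files.
    $p = Get-ItemProperty -Path $script:AdvancedKey
    [pscustomobject]@{
        ShowHidden      = ($p.Hidden -eq 1)
        ShowSuperHidden = ($p.ShowSuperHidden -eq 1)
    }
}

function Set-HiddenFileView {
    param([Parameter(Mandatory = $true)][bool]$Show)
    $hidden = if ($Show) { 1 } else { 2 }
    $super  = if ($Show) { 1 } else { 0 }
    Set-ItemProperty -Path $script:AdvancedKey -Name 'Hidden' -Value $hidden -Type DWord
    Set-ItemProperty -Path $script:AdvancedKey -Name 'ShowSuperHidden' -Value $super -Type DWord
    # Open a new Explorer window (or press F5 in an existing one) to see the change.
}

# Reveal before the manual cleanup, hide again when done, as the tier recommends.
Get-HiddenFileView               # current state
Set-HiddenFileView -Show $true   # show hidden and system files for the cleanup
Get-HiddenFileView
# Set-HiddenFileView -Show $false  # restore the default once the cleanup is finished
```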

7th Tier: HiJackThis

I have modified the section dealing with HJT instructions & How to post a log as follows:

If your problem persists then continue with HOW TO USE HIGHJACKTHIS & POST A LOG:

1. Download "Hijack This!" (http://www.computercops.org/downloads-file-328.html) and save it in a permanent folder such as C:\HJT\. [Note: If you already have HijackThis on your system and it is in a temporary folder, please move it to a permanent one following the same directions as above. If HJT is used from a temp folder it is in danger of being accidentally deleted by clean up tools.]

2. Double click the HijackThis.exe inside the folder to run the program.

3. Choose "Do a system scan and save a log file." HijackThis will analyze your system, create a log and save it in the HJT folder.

4. When the scan is finished, the "Scan" button will change into a "Save Log" button. Press that, save the log, Ctrl-A to Select All, and post your log in the Hijackthis - Spyware, Viruses, Worms, Trojans Oh My! (http://www.computercops.org/forum67.html) Forum.

PLEASE DO NOT ATTEMPT TO FIX ANYTHING WITH HIJACKTHIS UNTIL INSTRUCTED TO DO SO. MOST OF THE HJT LOG ENTRIES ARE REQUIRED TO RUN YOUR COMPUTER. REMOVING ESSENTIAL ENTRIES CAN POTENTIALLY CAUSE SERIOUS DAMAGE TO YOUR COMPUTER.

A forum security expert will analyze your log and reply with instructions advising you what to fix. Please be patient.

When you post in the HJT forum please choose an appropriate title for your topic post. Do not use a new topic title like "HJT log" or "Help." Be more specific and original. Please include the following with your HJT log post:

1. A statement that you have read and followed all the procedures listed in the HJT Guidelines.

2. A brief explanation of your problem.

3. List the above scans that you have completed so that the experts there will have the complete picture --quietman7 07:36, 25 May 2005 (EDT)


I added instructions for turning off (disabling) anti-spyware programs that are known to interfere with HJT fixing problem entries in a log if they are running at the same time the fix is attempted. --quietman7 11:40, 25 May 2005 (EDT)

Should the ewidoguard.exe also be disabled? --Corrine 11:20, 29 May 2005 (EDT)

I reformatted this section. Please check that nothing got lost in the translation. ;) Also note that I added a third-level of headers which added these items to the page header. I plan to look into placing the index at some other spot other than the top of page, ideally just after the HJT log instructions are given and these programs are introduced as needing some form of temporary disabling. --Ikeb 22:56, 29 May 2005 (EDT)

Prince Serendip did the following: Fixed typos in HJT 7th Tier. -HTJ- changed to -HJT-. Also same in -HJT Guidelines- in instructions how to post.

Changed -was- to -were- in plural contexts.

Added: -Ctrl-C to copy it, using Ctrl-V to paste it- to first instruction for HJT 7th tier

-at the CastleCops Security Professionals web site.- to last line in 1st instruction because people may come to this Wiki from outside CCSP. Note that some dashes used instead of quotemarks.

I have a suggestion, which I will also post at the forum. Screenshots of how to shut off or disable applications which interfere with HJT would be very useful to most newbies. --Prince Serendip 11:44, 8 Jun 2005 (EDT)

8th Tier - Update Windows

Do we really want to include this here? I think it is better for the user to have a clean system before doing the updates. MS recommends this especially before updating to SP2. I suggest this step be left until after the user has posted his HJT log and the fixes are completed for a clean system. At that point the helper can instruct them to obtain the updates as part of the prevention speech.

quietman7

I was wondering the same thing as I looked through the tiers. If I'm a user, wouldn't it be tempting to move on ahead before finishing up with an earlier tier? So I'm wondering if perhaps each Tier shouldn't have its own page?
BTW, QM, the timestamp is the second button from the right.  ;)
--Ikeb 18:01, 21 May 2005 (EDT)
I have no problem with doing this on different pages, the end product that is, but I think it should stay together until we get some more input to the different tiers. When they are done you could then split them off to separate pages.
--Mrrockford 19:49, 21 May 2005 (EDT)
... Good point. Though when done, you -- or anyone else contributing -- could split them. Doesn't need a sysop to do that. :) --Ikeb 14:36, 22 May 2005 (EDT)

If we split the tiers into separate pages we need to ensure it still remains an easy to use step by step process. If not, we may have people clicking links all over the place, going out of order or even skipping some of the tiers. Just something else to consider... --DickT 10:51, 23 May 2005 (EDT)

That's easily done by linking from one tier to the next only. --Ikeb 15:09, 23 May 2005 (EDT)

Just went back to fix my signature.--quietman7 10:56, 23 May 2005 (EDT)


Do we really want to give a prevention speech with tools to download at the bottom of this tier? Again, this project is to establish prep steps for the user prior to posting a HJT log. --quietman7 12:13, 23 May 2005 (EDT)

I agree. Perhaps though, we can leave these last two tiers here for now as a future "Followup" section. When this page is better developed and is split, we don't have to link to the last two (or more if anyone has further suggestions) tiers before posting the HJT logs. --Ikeb 15:09, 23 May 2005 (EDT)


I added the following advisory to the Windows Security Update & Patches section:

This step should NOT be performed until you have ensured your system is fully cleaned and all viruses and malware have been removed. This is the recommended procedure by Microsoft before installing SP2. Some computers lock up when SP2 is installed with certain spyware in residence, and spyware programs can interfere with the new security features that SP2 installs by default. See: http://www.microsoft.com/windowsxp/sp2/sp2_whattoknow.mspx --quietman7 13:00, 24 May 2005 (EDT)

9th Tier: Updating Your Security Programs

4:38 PM EST Negster22
Added a new tier - 9th Tier: Updating Your Security Programs because security programs are only effective if updated on a regular basis. From personal experience, I find that this is the aspect that most computer users most frequently ignore. Unless a security app auto-updates this is a must. --Negster22 16:39, 29 May 2005 (EDT)

10th Tier: Roll your own Free Security Suite

(was 9th tier) --Ikeb 22:27, 29 May 2005 (EDT)

Modified this to refer to the wiki copy of the SwatKat post.

--Ikeb 12:41, 23 May 2005 (EDT)