Tiers for Fears Cleaning Malware - Take 2

From CastleCopsWiki

This article is deprecated and is superseded by the Malware Removal and Prevention Procedure.

Tiers for Fears - Cleaning Malwares

Please Print or Save these Instructions: As this is a lot of information to work with at one time, we suggest you print these instructions so that you can make sure you have done everything. Save it in Notepad or Wordpad for easy reference later. Proposed: (separate pages for each of these levels)

Introduction:

You think your computer has been hijacked or infected with malware such as trojans, viruses and spyware. As such, you have opted to download and use HijackThis [HJT] to post a log. What kind of log you ask? A log created by the HJT tool that lists the many places on your computer that spyware and malware are known to target.

Before posting your HijackThis log, it is mandatory that you run several malware removal programs and a system cleanup utility. HJT is not a stand-alone cleaning tool and it will not scan your entire system. As such, it is extremely important to use the full system scanning tools we recommend before fixing anything with HJT. These automatic detection and removal programs address a broad spectrum of malware including adware, spyware, trojans, worms, viruses, and browser hijackers. We also require you to run a system cleaning utility intended to improve your computer's overall performance.

This new preliminary scanning procedure will provide a dual benefit: your computer will benefit from the thorough cleaning it provides, and we in return will benefit from being presented with a cleaner system profile containing only those infections which the automatic removal programs failed to eradicate.

It is possible that you may not even need to post a HijackThis log after completing the scans we suggest. If you are satisfied with your computer's performance, and feel your system is no longer infected, then you may decide to take that option. However, if you still feel that your system is infected or hijacked after completing the entire malware removal process, then we will be happy to have you post a log on the HijackThis forum.

Your compliance with this precleaning requirement will allow the HijackThis staff to clean your infected machine much more efficiently. The resultant time savings will enable us to attend to a greater number of logs in a shorter period of time, thereby benefiting everyone involved.

Please follow all directions carefully.

Now we move on to the Malware Removal Process Overview.

The Malware Removal Process Overview

With the "basic" understanding of what HJT can and cannot do, we have created the following "Malware Removal Procedure" consisting of the separate steps or Tiers that need to be done prior to posting a HJT log. Please follow the instructions listed below. When Tiers (1-6) have been completed, you may then post a log for evaluation in (Tier 7) and receive expert assistance in cleaning any malware which remains.

Please print out a copy of this overview and use it to check off each step as it is completed. Save this 'checklist' of removal programs you have run, because we will be asking you to provide us with that information when it comes time to post a HijackThis log.

Good Luck!

1st Tier: Before you do anything, Perform a reference (preliminary) HijackThis scan

2nd Tier: Temporarily Disable Real Time Monitoring Programs


Now please complete the following automatic malware detection and removal Tiers

3rd Tier: Clean the Clutter - Run one of the two listed

  1. Cleanup!
  2. Crap Cleaner

4th Tier: Antiviral Scans - Perform at least one

5th Tier: Antispyware Scanners - Run a minimum of two

  1. Ad-Aware
  2. SpyBot S&D
  3. Microsoft AntiSpyware Beta

6th Tier: AntiTrojan Scans - Perform at least one

  1. Ewido Security Suite Trial Download
  2. TrojanHunter Trial Download
  3. a2 Free
  4. Online Trojan Scans

You have completed the automated malware removal Tiers. We hope that your computer problems have been resolved to your satisfaction. Even if you think your computer is now 'clean', some additional steps are advisable to further ensure the security of your computer.

Please consult: How to Prevent Reinfection for further details.


Only if your computer problems persist, consider submitting a post to HijackThis Forum for review by CastleCops experts.

7th Tier: Getting Expert Help With Your HijackThis Log

1st Tier: Reference HijackThis Log

Obtaining a Reference HijackThis Log:

Before running any automatic cleaning programs or scanners, we request that you perform a reference HijackThis scan and save the results to hijackthis1.log for later posting. This reference HijackThis log will indicate what infections were present on your system and visible to HijackThis, prior to running any preliminary anti-malware tools. This log serves as an important baseline indicator to the person analyzing your HijackThis log, so be sure to save it properly. Make sure you are able to access hijackthis1.log in the HJT folder for later posting, before moving on to the next tier.


To download and properly install HijackThis:

  1. Download "Hijack This! v1.99.1".
  2. Save it in a permanent folder of your choice, such as C:\HJT\. To create this specific folder on your hard drive: double click the 'My Computer' icon on your desktop, then under the category Hard Disk Drives double click Local Disk, then select File --> New --> Folder and name it HJT. Alternatively, you may navigate to the directory of your choice, create a new folder in the same way, and save it there.
  3. Next right-click on the HijackThis! Zip file and 'extract all' to the new folder you just created.

Note: If you already have HijackThis v1.99.1 on your system and it is in a temporary folder, please move it to a permanent one following the same directions as above. If HijackThis is used from a temp folder, it is in danger of being accidentally deleted by clean up tools.


To obtain your Reference HijackThis Log:

  1. Double click the HijackThis.exe inside the folder to run the program.
  2. Choose the "Do a system scan and save a log file." option to perform your scan.
  3. HijackThis will analyze your system, and automatically open a notepad textfile containing the HijackThis log when the scan is finished.

To save the Reference HijackThis log:

  1. You must change the default log filename from Hijackthis.log to hijackthis1.log.
  2. The file hijackthis1.log will be saved in C:\HJT\ or whatever you have chosen as your HijackThis folder.

PLEASE DO NOT ATTEMPT TO FIX ANYTHING WITH HIJACKTHIS. MOST OF THE HJT LOG ENTRIES ARE CRITICAL TO THE PROPER FUNCTIONING OF YOUR COMPUTER. REMOVING ESSENTIAL ENTRIES CAN POTENTIALLY CAUSE SERIOUS DAMAGE TO YOUR COMPUTER


Now you may proceed to the 2nd Tier.

Back to Malware Removal Overview

2nd Tier: Temporarily Disable Real Time Monitoring Programs

The second step is to disable any real time monitoring programs for all successive Tiers.

The following anti-spyware programs are known to interfere with HJT fixing problem entries in a log if they are running at the same time the fix is attempted.

  • Spybot S&D (Teatimer)
  • Ad-Aware Ad-Watch
  • Spywareguard
  • MS AntiSpyware Beta
  • SpySweeper
  • WinPatrol
  • CounterSpy


Please turn off or disable any of these programs if you have them running on your system PRIOR to using HJT to fix anything. To do this, please follow the instructions provided in the respective sections:


Spybot S&D (Teatimer)

  1. Run Spybot-S&D in Advanced Mode.
  2. If it is not already in Advanced Mode, go to the Mode menu and select "Advanced Mode".
  3. On the left hand side, Click on Tools
  4. Then click on the Resident Icon in the List
  5. Uncheck "Resident TeaTimer" and OK any prompts.
  6. Restart your computer.


Ad-Aware Ad-Watch

  1. Right click on the Ad-Watch icon in the system tray.
  2. At the bottom of the screen there will be two checkable items called "Active" and "Automatic".
    Active: This will turn Ad-Watch On\Off without closing it
    Automatic: Suspicious activity will be blocked automatically
  3. Uncheck both of those boxes.

Spywareguard

Right click the running icon of Spywareguard in the system tray to open the program. Then go to Menu, File, and choose Exit. It will automatically restart at next boot.

MS AntiSpyware (MSAS) Beta

  1. Right-click on the Microsoft Anti-Spyware icon in the system tray [it's the one with the red and yellow bulls-eye].
  2. Click on "Security Agents Status".
  3. Click on "Disable real-time protection".


Next right-click on the Microsoft Anti-Spyware icon in the system tray again to open Microsoft Anti-Spyware.

  1. Click on the Options menu and choose Settings.
  2. In the left pane column click on "Real Time Protection".
  3. Under Startup Options, uncheck "Enable (MSAS) Security Agents on startup (recommended)"
  4. Under Real-time spyware threat protection, uncheck "Enable real-time spyware threat protection (recommended)".
  5. Click the Save button and close Microsoft AntiSpyware.

Finally, right-click on the MSAS icon in the system tray and select "Shutdown Microsoft Antispyware".


SpySweeper

  1. Open Spysweeper and click on Options > Program Options and uncheck "load at windows startup".
  2. On the left click "shields" and then uncheck everything there.
  3. Uncheck "home page shield".
  4. Uncheck "automatically restore default without notification".
  5. Exit the program.


WinPatrol

Right-click the running icon of Winpatrol in the system tray and choose exit. It will automatically restart at next boot.


CounterSpy

  1. Right-click the running icon of CounterSpy in the system tray.
  2. With your mouse, hover over Active Protection Status (This should be enabled).
  3. A menu will slide out and then you need to right click on "Disable Active Protection".


Once your Log has been given an all clear by our experts, continue with the next tier.

3rd Tier: Clean out the Clutter

Your next step is to "Clean out the Clutter". By this we mean removing all the temporary, temporary Internet and other junk files that are stored on your computer. You may accomplish this by running either Cleanup! or CCleaner. Both are freeware programs that clean out the garbage. In addition, CCleaner may be set to remove useless entries in your Registry. Make "Cleaning out the Clutter" a part of your regular maintenance routine.

Cleanup!

Download, install and run Cleanup! version 4.0

It will get rid of any malware which may be hiding in your temp folders (a common hiding place). You will also regain a massive amount of disk space.

Check the custom settings to your liking under Options, but be sure to delete temporary files for all user profiles. Also, clean out the Prefetch folder and the Recycle Bin. Then reboot to let it clean out any remaining files.

You may consult Grinler's Cleanup Tutorial for additional setup and running information.

OR

Crap Cleaner

Download Crap Cleaner

Instructions for using CCleaner:

  1. Before first use, check under Options, Advanced, and ensure "Only delete files in Windows Temp folder older than 48 hours" is unchecked.
  2. A pop up box will appear advising this process will permanently delete files from your system.
  3. Then select the items you wish to clean up.
    In the Windows Tab:
    Clean all entries in the "Internet Explorer" section. If you prefer to keep your cookies, uncheck the Cookies entry.
    Clean all the entries in the "Windows Explorer" section.
    Clean all entries in the "System" section.
    Clean all entries in the "Advanced" section.
    Clean any others that you choose.
    In the Applications Tab:
    Clean all except cookies in the Firefox/Mozilla section if you use it.
    Clean all in the Opera section if you use it.
    Clean Sun Java in the Internet Section.
    Clean any others that you choose.
  4. Then click the "Run Cleaner" button and it will scan and clean your system.
  5. Click exit.

4th Tier: Online Anti-Virus Scans

Before performing your Online Anti-Virus Scan, please disable your own resident antivirus program's real-time protection feature, to avoid any conflicts. Even if you have an up-to-date Anti-Virus program on your system, it is still important to run an online scan, since some parasites may prevent your own anti-virus program from functioning properly or even disable it. Additionally, it does no harm to "get a 2nd opinion" with antivirus scanners because they often find different types of malware. Most of these scanners require a browser which supports ActiveX downloads, such as Internet Explorer.

Note: Please do not re-enable your own AV's realtime protection, until all the scans suggested in the Malware Removal Process Overview have been completed.

Perform at least one of the following scans:

Panda ActiveScan

RAV

Pc-Cillin (Trend Micro Housecall)

Kaspersky Online Beta Scanner (takes a very long time but it's well worth it - if you want, run it overnight)

Bitdefender

McAfee FreeScan

Symantec Security Check

PcPitstop

Let the online AV scanner(s) auto clean whatever is detected and then reboot your system.

Note: Only if you are so severely infected that you cannot complete an online scan, even when run overnight, you may use McAfee Stinger as a temporary solution, until a full online viral scan can be performed.

5th Tier: Antispyware Scanners

Your fifth step is to use at least two of the following three spyware/adware removal programs:

Ad-Aware

Download Ad-Aware SE and install it. If you already have Ad-aware Second Edition (SE), please configure it per instructions below. (Note that Ad-Aware SE is free for non-commercial, non-governmental, and non-educational use.) If you have a previous version of Ad-Aware, please install Build 1.06 available here from Castle Cops.

Launch Ad-Aware and update the Definition Files by clicking on 'Check for Updates now' in the lower right hand corner. Then, to run:

  1. Click on "Scan now"
  2. Uncheck "Search for negligible risk entries"
  3. Check "Search for low risk entries"
  4. Check "Perform a full system scan"
  5. Click the "Next" button in the lower right hand corner to begin scanning.
  6. When the scan has completed, select Next.
  7. In the Scanning Results window, select the "Scan Summary" tab.
  8. Check the box next to each "target family" you wish to remove.
  9. Click next, Click OK.
  10. Shutdown/restart the computer.

For assistance with Ad-Aware, help is available from Castle Cops Ad-Aware SE Support Forum

Spybot Search & Destroy

Download Spybot S&D and install it.

  1. Run Spybot and allow it to create a backup of your registry when prompted.
  2. Click on "Search for Updates".
  3. If any updates are found, place a check mark next to each one.
  4. Click on "Download Updates".
  5. Click on "Immunize" [When it detects what has or has not been blocked, block all remaining items].
  6. Do this by clicking the green plus sign next to immunize at the top.
  7. Click on "Check for Problems" and if any problems are found, click on "Fix Selected Problems".
  8. Reboot your computer.


Bleeping Computer's Setup & Configuration Instructions

Tom Coyote's Tutorial & Help

Questions or problems with Spybot S&D can be posted at The CastleCops Spybot Search & Destroy Forum

Microsoft AntiSpyware Beta

Windows 2000 and XP users can find information and download links for The Microsoft Windows AntiSpyware Beta

Microsoft AntiSpyware Beta: Minimum System Requirements

  • Microsoft Internet Explorer 6.0 or higher
  • A 300 MHz or faster processor with at least 64 MB of RAM
  • Microsoft Windows 2000, Windows XP, or Windows Server™ 2003
  • At least 10 MB of available free space on your hard disk
  • Internet access with at least a 28.8 Kbps connection to use SpyNet™

Please download and install this program using all default installation options. You should update the definitions prior to running a scan, by clicking on the File menu and then selecting 'Check for Updates.' Once updating is complete you may set your scan options by clicking the Bulls Eye labeled Scan Options.

Set the program to 'Run a full system scan' and make sure all the following settings are checked:

  1. Scan memory locations and running processes
  2. Scan selected drives/folders
  3. Deep Scan folders (recommended but will increase scan time)

Then click on the Select link to the right of Scan selected drives/folders and a new screen will appear. Select all the hard drives in your machine that you would like to scan for infections. Next, Click the OK button and you will be back at the settings screen. Put a checkmark in the Save these options checkbox, to save these settings and then click on the Run Scan Now button.

When the scan is complete, you will be presented with your spyware scan results. Take the default action suggested by Microsoft AntiSpyware to deal with all threats found. By putting a checkmark in the checkbox labeled Create restore point, you will create a backup from which you may restore any items which have been selected for removal. Once you have selected an action for all threats found in the spyware scan results, reboot your computer.

For more detailed instructions consult The Bleeping Computer Microsoft AntiSpyware Tutorial

Please direct any questions you may have to The CastleCops Microsoft AntiSpyware Forum

6th Tier: Trojan Removal Programs

Run at least one:

Ewido Security Suite Trial

Download and install the free Ewido Security Suite

Ewido runs on Windows 2000 and XP only. The Ewido download is a time limited full featured version. The background guard and resident protection install as a service but expire after a week. Install it as a stand-alone scanner that you can use as part of your regular maintenance. Thereafter you will still be able to update it but you will not have the background guard nor the resident protection.

  1. When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  2. When running it the first time, you will get a warning "Database could not be found"
  3. Click OK.
  4. From the main screen, click on update in the menu, then click the Start update button.
  5. After the update finishes the status bar at the bottom will display "Update successful".
  6. Click on the Scanner button in the left menu, then click on the Start button to begin scan. [This scan can take some time to run so be patient]
  7. If ewido finds anything, it will pop up a notification. Select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.

TrojanHunter Trial

Download and Install the 30-day trial of TrojanHunter

TrojanHunter runs on Windows 95, 98, ME, NT, 2000 and XP. With the trial version you need to manually update the rule files before you can start scanning.

Click here for Manual Update Instructions

To do a full scan be sure the boxes are checked (green) beside your main hard drive folders, then click on Full Scan. The program is fully functional and free to first time users for only 30 days.

a2 Free

As an alternative for those using Windows 98, ME, NT4 there is a2 Free [it also works with Windows 2000, 2000 Server, XP and 2003 Server]

a-squared Free contains only the basic scanner. Background Guard, Automatic Updates and other advanced features are only available with a2 Personal.

On-line trojan scans

Sygate Trojan Scan
Windowsecurity Trojan Scan

7th Tier: Getting Expert Help With Your HijackThis Log

You have now completed the automated malware removal Tiers. We hope that your computer problems have been resolved to your satisfaction. Even if you think your computer is now 'clean', some additional steps are advisable to further ensure the security of your computer. Please consult: How to Prevent Reinfection for further details.

Only if your problems persist, consider submitting a post for review by CastleCops experts. Before posting, please obtain an updated HijackThis log:

To obtain the post-scan HijackThis log:

  1. Double-click the HijackThis.exe inside the HJT folder to run the program.
  2. Choose the "Do a system scan and save a log file." option to perform your scan.
  3. HijackThis will analyze your system, and automatically open a notepad text file containing the HijackThis log when the scan is finished.
  4. This time when you save the scan results, you must change the default log filename from hijackthis.log to hijackthis2.log
  5. The file hijackthis2.log will be saved in C:\HJT\ or whatever you have chosen as your HijackThis folder.

The file hijackthis2.log represents your post-scan HijackThis log.
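As an added illustration (not part of the original CastleCops procedure and not HijackThis code), the script below compares a reference log against a post-scan log laid out like HijackThis v1.99.1 output, reporting which entries the automated tiers removed, which they added (for example the resident guard installed in the 5th Tier) and which still remain for the expert to review. Both logs are constructed samples; every path, GUID and domain in them is a placeholder.

```python
"""Compare the reference log (hijackthis1.log) with the post-scan log
(hijackthis2.log) to see what the automated tiers actually changed.
Added example for this page, not CastleCops or HijackThis code. Both logs
below are constructed samples in the HijackThis v1.99.1 layout (header,
'Running processes:' block, then R/F/N/O entries); paths, GUID and domain
are placeholders."""
import re

# An entry starts with a section code (R0-R3, F0-F3, N1-N4, O1-O23) and " - ".
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.+)$")

# Constructed reference log, taken before any cleaning tool was run.
REFERENCE_LOG = r"""
Logfile of HijackThis v1.99.1
Scan saved at 9:00:00 PM, on 1/1/2006

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Example Adware\adbar.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.placeholder.invalid/
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - C:\WINDOWS\system32\placeholder-bho.dll
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [AdBar] C:\Program Files\Example Adware\adbar.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\system32\svchost.exe
"""

# Constructed post-scan log: the adware entries are gone, and Spybot's resident
# guard (installed in the 5th Tier) now shows up as a new startup entry.
POST_SCAN_LOG = r"""
Logfile of HijackThis v1.99.1
Scan saved at 11:30:00 PM, on 1/1/2006

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe

O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\system32\svchost.exe
"""

def parse_hjt_log(text):
    """Split a log into its running-process list and {code: set(entry bodies)}."""
    entries, processes, in_processes = {}, [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                      # a blank line ends the process block
            in_processes = False
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.setdefault(m.group("code"), set()).add(m.group("body"))
    return {"entries": entries, "processes": processes}

def _code_key(code):
    """Sort O4 before O23 (numerically), not lexically."""
    return (code[0], int(code[1:]))

def diff_logs(reference_text, post_scan_text):
    """Report entries removed, added and still present between the two logs."""
    ref, post = parse_hjt_log(reference_text), parse_hjt_log(post_scan_text)
    removed, added, remaining = [], [], []
    for code in sorted(set(ref["entries"]) | set(post["entries"]), key=_code_key):
        before = ref["entries"].get(code, set())
        after = post["entries"].get(code, set())
        removed += [f"{code} - {b}" for b in sorted(before - after)]
        added += [f"{code} - {b}" for b in sorted(after - before)]
        remaining += [f"{code} - {b}" for b in sorted(before & after)]
    return {
        "removed": removed, "added": added, "remaining": remaining,
        "processes_gone": sorted(set(ref["processes"]) - set(post["processes"])),
        "processes_new": sorted(set(post["processes"]) - set(ref["processes"])),
    }

if __name__ == "__main__":
    for label, items in diff_logs(REFERENCE_LOG, POST_SCAN_LOG).items():
        print(f"{label}: {items}")
```

Entries listed under "remaining" are the ones the expert will actually have to judge; a new entry under "added" is worth checking against the tools you installed in the tiers before assuming it is hostile.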


PLEASE DO NOT ATTEMPT TO FIX ANYTHING WITH HIJACKTHIS UNTIL YOU ARE INSTRUCTED TO DO SO. MOST OF THE HJT LOG ENTRIES ARE CRITICAL TO THE PROPER FUNCTIONING OF YOUR COMPUTER. REMOVING ESSENTIAL ENTRIES CAN POTENTIALLY CAUSE SERIOUS DAMAGE TO YOUR COMPUTER.


Asking for Expert Assistance:

Use Windows Explorer to locate your pre-scan (reference) and post-scan HJT logs. If you saved them to the suggested folder C:\HJT, your pre-scan and post-scan logs will be located in C:\HJT\hijackthis1.log and C:\HJT\hijackthis2.log respectively. If you did not use the suggested folder, then substitute whatever name you selected for your HijackThis folder for C:\HJT\. Double-click each of the logs when located, to open a notepad text file containing each one.

Next, start a new topic at the Hijackthis - Spyware, Viruses, Worms, Trojans Oh My! CastleCops Forum (The HJT Forum) and give your topic an appropriate descriptive title. Our experts are always busy, thus a full and complete submission will allow a speedier response. With that in mind, please INCLUDE ALL FIVE OF THE FOLLOWING ITEMS. Your log will not be analyzed until all items are submitted:

  1. A brief but informative description of your problem
  2. A summary of the anti-malware tools you have used to complete your preliminary scans
  3. A summary of any additional steps that you may have performed on your own that were not included in the Tiers
  4. Your pre-scan (reference) HijackThis log - hijackthis1.log (reflects the state of your system before any automatic removal tools were run)
  5. Your post-scan HijackThis log - hijackthis2.log (reflects the state of your system after completion of malware removal programs)

Notes:

  1. You must copy and paste the contents of your log files into your HJT post:
    1. Open the text files containing the logs with a text editor and click Edit ->Select All, followed by Edit->Copy.
    2. From within the browser window and with the message body text box selected, click Edit->Paste.
  2. POST ONLY AT THE HJT FORUM. Posting elsewhere leads to needless time wasted to move posts, etc. Only certified CastleCops staff are allowed to respond to your post at the HJT Forum, thus providing you with our assurance of the best possible advice.

How to Prevent Re-infection

Once your system is satisfactorily cleaned be sure to follow these guidelines to prevent a reinfection.

XP and ME System Restore Points

If you are using Windows XP or ME, you need to SET A NEW RESTORE POINT with System Restore. This will prevent the possibility of you becoming reinfected by restoring your system with corrupted files.

To set a new restore point:

  • Windows XP: Creating a System Restore Point
  • Windows ME

When to Create and Use Manual Restore Points

The new Restore Point will be stamped with the current date and time. Keep a log of this for your records so you can find it easily should you need to use System Restore.

Windows Updates

Be sure that your computer has the latest Windows Security Updates and Patches from Microsoft. These improve your system's integrity and security, according to our Security Experts.

This step should NOT be performed until you have ensured your system is fully cleaned and all viruses and malware have been removed. This is the recommended procedure by Microsoft before installing SP2. Some computers lock up when SP2 is installed with certain spyware in residence, and spyware programs can interfere with the new security features that SP2 installs by default. For a complete discussion on all necessary precautions see: What to Know Before You Download and Install Windows XP Service Pack 2

Updating Your Security Programs

Because new threats are continually introduced, a security application is only effective if it is updated regularly. Checking for updates can be simplified, by using the calendar provided at the Calendar of Updates website which is updated daily.

Blocking Unwanted Parasites with a Hosts File:

Read the discussion about installing a blocking hosts file and download the #1 rated MVPS hosts file

Another variation on the same theme - What is the Hosts file?

Tips for Safer Surfing

  1. ALWAYS surf with an active internet firewall. The Windows firewall does not provide outbound protection, but ZoneAlarm® FREE will block both inbound and outbound traffic.
  2. Use only reputable Antispyware and Security Programs: Consult the Rogue/Suspect Anti-Spyware Program List first, before you download. Do not click on any random solicitations to "Scan your system for spyware".
  3. Do not download any attachments from unsolicited email or even unexpected attachments from known contacts
  4. Never provide sensitive personal information (SSN, financial account numbers) in response to an email request.
  5. Do NOT click on popup ads or download any anonymous software - google it first and read reviews
  6. Download all software from the vendor/developer site whenever possible (3rd party sites may distribute bundled adware)
  7. Set Safe Configurations for Internet Explorer and acquaint yourself with the Internet Explorer Security Zones
  8. Read these suggested Safe Configurations for Firefox
  9. Read about Cookie Management in The Unofficial Cookie FAQ
  10. Wireless Network Security For The Home
  11. If you must use peer-to-peer file sharing software, use it wisely:
    1. Remove any adware/spyware programs which were bundled with your file-sharing program
    2. Do not set your file-sharing program to automatically run at Windows Startup
    3. Do not allow others on the P2P network open access to downloads from your computer
    4. Close your filesharing program when you are not actively using it

Roll your own Free Security Suite

The final, and most important step, is to secure your system against future malware attacks. And it doesn't have to be costly. You can actually Roll your own Free Security Suite!

Congratulations

A well deserved congratulations for malware-proofing your computer! Yes what you've done required a lot of work, especially if your computer was infected. But through that work, you've gained a lot of knowledge. That knowledge will help you deal with new malware threats as they appear. With that, you can be confident your malware troubles are behind you.

So ... have a great day! Please don't hesitate to return for further assistance ... or to contribute in some manner.
