Tiers for Fears Cleaning Malware
From CastleCopsWiki
Please Print or Save these Instructions: As this is a lot of information to work with at one time, we suggest you print these instructions so that you can make sure you have done everything. Save it in Notepad or Wordpad for easy reference later.
Introduction:
Your computer has been hijacked or infected with malware such as trojans, viruses and spyware. As such, you have been advised to download and use HijackThis [HJT] and post a log. What kind of log, you ask? A log created by the HJT tool that lists most places on your computer that spyware and malware are known to target.
HIJACKTHIS IS AN ADVANCED TOOL AND REQUIRES ADVANCED KNOWLEDGE ABOUT THE WINDOWS OPERATING SYSTEM. MOST OF THE HJT LOG ENTRIES ARE REQUIRED TO RUN YOUR COMPUTER. REMOVING ESSENTIAL ENTRIES WITHOUT KNOWING WHAT THEY ARE CAN POTENTIALLY CAUSE SERIOUS DAMAGE TO YOUR COMPUTER, SUCH AS YOUR INTERNET NO LONGER WORKING OR PROBLEMS WITH RUNNING WINDOWS ITSELF.
HJT is not a stand-alone cleaning tool and it does not scan the entire system. HJT only scans certain areas of your system to help diagnose the presence of undetected malware in known hiding places. As such, it is extremely important to use full system scanning tools like Ad-Aware SE and Spybot S&D first followed by online AV scans for virus, worm or trojan infections before fixing anything with HJT. It is not unusual to have Ad-Aware or Spybot find hundreds of infected files and registry items HJT does not target. Just because you "fixed" something in HJT doesn't mean you have a clean system yet.
If you allow HijackThis to remove entries before another removal tool scans your computer, the files from the malware will still be left on your computer and future removal tools may have difficulty detecting them. In addition, just having HJT fix the listed entries does not complete the cleaning process. There are specific files and folders which must be deleted afterwards. HJT does NOT delete them. If you do not have advanced knowledge about computers then you should NOT fix entries using HijackThis without consulting an expert in a security forum as to what to fix.
With this "basic" understanding of what HJT can and cannot do, we have created the following "HijackThis Guidelines" for performing the preparatory work in separate steps, or Tiers, that need to be done prior to posting a HJT log. Please follow the instructions listed in each Tier. When all the steps have been performed you can then post a log for evaluation and receive expert assistance with using HJT and cleaning whatever malware remains on your system.
Now you are ready to proceed with the First Tier.
1st Tier: Clean out the Clutter
Your first step is to "Clean out the Clutter". By this we mean removing all the temporary, temporary Internet and other junk files that are stored on your computer. To do this use CCleaner. It is a freeware program that cleans out the garbage as well as useless entries in your Registry. Make it a part of your regular maintenance routine.
Download CCleaner (Crap Cleaner)
Instructions for using CCleaner:
- Before first use, check under Options, Advanced, and ensure "Only delete files in Windows Temp folder older than 48 hours" is unchecked.
- A pop up box will appear advising this process will permanently delete files from your system.
- Then select the items you wish to clean up.
- In the Windows Tab:
- - Clean all entries in the "Internet Explorer" section except Cookies.
- - Clean all the entries in the "Windows Explorer" section.
- - Clean all entries in the "System" section.
- - Clean all entries in the "Advanced" section.
- - Clean any others that you choose.
- In the Applications Tab:
- - Clean all except cookies in the Firefox/Mozilla section if you use it.
- - Clean all in the Opera section if you use it.
- - Clean Sun Java in the Internet section.
- - Clean any others that you choose.
- Then click the "Run Cleaner" button and it will scan and clean your system.
- Click Exit.
Or, you can download Windows Cleanup 4.0. It does the same things as CCleaner (except that it does not clean clutter out of the Registry), and some think it's easier to use. Windows Cleanup is freeware.
These cleaning programs are not designed to remove malware, but they get rid of a lot of clutter, which makes the scanners' job easier and faster.
2nd Tier: Online Scans
Your second step is to perform scans with one or more free Anti-Virus and Trojan Online Scanners. Be sure to disable any resident antivirus realtime scanner that is already installed so it does not conflict with these scans. You can re-enable after the scans have been completed. It does no harm to "get a 2nd opinion" with antivirus scanners because they often find different types of malware.
Panda Active Scan: http://www.pandasoftware.com/activescan/
RAV Antivirus Online Scan: http://www.ravantivirus.com/scan
HouseCall Free Online Virus Scanner: http://housecall.trendmicro.com/
Sygate Trojan Scan: http://scan.sygatetech.com/pretrojanscan.html
Windowsecurity Trojan Scan: http://windowsecurity.com/trojanscan/
Let them auto clean whatever they find and reboot your system.
3rd Tier: Ad-Aware
Your third step is using Ad-Aware SE to remove malware from your computer.
If you suspect that you have spyware installed on your computer, Ad-Aware SE is an excellent tool that can help to remove it. In this Tier we will show you how to set up and configure Ad-Aware to obtain the best results when using it to scan and remove spyware.
Download Ad-aware Second Edition and install it. If you already have Ad-aware Second Edition (SE), please configure it per instructions below. (Note that Ad-Aware SE is free for non-commercial, non-governmental, and non-educational use.)
- Run the Webupdate feature. (Click on the Globe icon, Click connect, Click OK, Click Finish.)
- Set up the Configurations (Gear wheel at the top) as follows:
- General Button > Safety & Settings: Check (Green) all three.
- Advanced Button > Logfile Detail Level: All options under this should be checked (Green).
- Tweak Button
- Scanning Options: Check "Obtain command line of scanned processes"
- Log Files: Please check only:
- - "Include basic Ad-Aware settings in logfile"
- - "Include additional Ad-Aware settings in logfile"
- Click on "Scan Now."
- Please deselect "Search for negligible risk entries", as negligible risk entries (MRUs, most-recently-used lists) are not considered to be a threat. If they are included in your logfile they will be removed and we will not give advice on them. They are the user's choice.
- Run the scanner using the Full Scan (Perform full system scan) mode. A full scan is the in-depth scan mode that scans your whole computer for Spyware infections. When performing a full scan the following scan settings are used:
- - Full Memory Scan is performed
- - Registry Scan is performed
- - Deep Registry scan is performed
- - Cookie-Scan is performed
- - Favorites are scanned
- - Hosts file is scanned
- - Conditional scans are performed
- - Archive files are scanned
- - All fixed drives are scanned
- Click the "Next" button to get to the Scanning Results screens where more information about the objects detected during the scan is available.
- Click the Critical Objects Tab. In general, all of the items listed will be bad. Be careful with the Hosts file entries (if you use a blocking Hosts file). Malware may corrupt a Hosts file and use it to redirect your browser to suspect websites. However, you can install a blocking Hosts file to prevent you from visiting such malware related websites. If the object has 127.0.0.1 in it, it should most likely not be deleted, as it is there to provide protection. For more information on how to use a blocking Hosts file to protect yourself read What is the Hosts file?
- To fix all the bad critical objects, right-click on one of them to open up the selection screen. Click the "Select All" button to select all entries. In general all should be selected, with the exception of the good Hosts file entries.
- When all are selected click "Next" and then "OK" in the pop-up window to confirm the removal.
- Close Ad-Aware, reboot your system and go on to the next Tier.
Detailed Setup & Configuration instructions are here: http://www.bleepingcomputer.com/forums/index.php?showtutorial=48
For further assistance with Ad-Aware please post in the CastleCops Ad-Aware Forum: http://castlecops.com/f142-Lavasoft_Ad_Aware.html
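The Hosts file caveat above (keep 127.0.0.1 blocking entries, remove redirections) is worth checking mechanically before fixing anything. The following script is an added example, not from the CastleCops article or from Ad-Aware: it parses hosts-file text and sorts entries into ones that block a name (127.0.0.1, 0.0.0.0 or ::1), ones that block a scanner vendor's domain (the domains are taken from the scanner links on this page; such an entry blocks updates rather than protecting you) and ones that redirect a name to another address. The sample hosts text is constructed; on a real machine you would read C:\Windows\System32\drivers\etc\hosts instead.

```python
import ipaddress

# Constructed sample hosts file (not from the article): a comment, the
# default localhost line, two blocking entries, one entry that blocks a
# scanner vendor's site, and one that redirects a vendor's site elsewhere.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       ad.doubleclick.net     # typical blocking-hosts-file line
0.0.0.0         tracker.example.org
127.0.0.1       housecall.trendmicro.com
203.0.113.45    www.pandasoftware.com  # scanner site sent to another host
"""

# Loopback / unspecified addresses: an entry using one of these blocks a
# name rather than redirecting it, which is what a blocking hosts file does.
BLOCK_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}

# Domains of the scanners the article links to. Blocking these is not
# protection; it stops the scanners from reaching their update servers.
SECURITY_VENDOR_DOMAINS = (
    "pandasoftware.com", "ravantivirus.com", "trendmicro.com",
    "sygatetech.com", "windowsecurity.com", "misec.net", "ewido.net",
    "emsisoft.com", "microsoft.com",
)

def parse_hosts(text):
    """Return (address, hostname) pairs, ignoring comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        addr, *names = line.split()
        try:
            ipaddress.ip_address(addr)         # skip malformed lines
        except ValueError:
            continue
        entries.extend((addr, name.lower()) for name in names)
    return entries

def is_vendor_domain(name):
    return any(name == d or name.endswith("." + d) for d in SECURITY_VENDOR_DOMAINS)

def classify_hosts(text):
    """Sort hosts entries into 'keep', 'vendor_blocked' and 'redirect'."""
    report = {"keep": [], "vendor_blocked": [], "redirect": []}
    for addr, name in parse_hosts(text):
        if addr in BLOCK_ADDRESSES:
            key = "vendor_blocked" if is_vendor_domain(name) else "keep"
        else:
            key = "redirect"           # non-loopback mapping: review it
        report[key].append((addr, name))
    return report

if __name__ == "__main__":
    for bucket, items in classify_hosts(SAMPLE_HOSTS).items():
        for addr, name in items:
            print(f"{bucket:15} {addr:15} {name}")
```

Entries in the "keep" bucket match the article's 127.0.0.1 rule; the other two buckets are the ones to show to the forum expert rather than delete blindly.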
4th Tier: Spybot Search & Destroy
Your fourth step is using Spybot Search & Destroy to remove malware from your computer.
Spybot S&D is another excellent tool to help you remove spyware from your system. In this Tier we will show you how to set up and configure Spybot to obtain the best results when using it to scan and remove spyware.
Download Spybot S&D and install it.
- Run Spybot and allow it to create a backup of your registry when prompted.
- Click on "Search for Updates".
- If any updates are found, place a check mark next to each one.
- Click on "Download Updates".
- Click on "Immunize" [When it detects what has or has not been blocked, block all remaining items].
- Do this by clicking the green plus sign next to immunize at the top.
- Click on "Check for Problems" and if any problems are found, click on "Fix Selected Problems".
- Reboot your computer.
Detailed Instructions for Setup & Configuration are here: http://www.bleepingcomputer.com/forums/tutorial43.html
Tutorial & Help is here: http://tomcoyote.org/SPYBOT/index1.php
Questions or problems with Spybot S&D can be posted here: http://castlecops.com/f143-Spybot_S_D.html
5th Tier: Trojan Removal Programs
In the fifth step you will perform scans with Trojan Removal Programs.
Download and install the 30-day trial of TrojanHunter: http://castlecops.com/downloads-file-83.html
TrojanHunter runs on Windows 95, 98, ME, NT, 2000 and XP. With the trial version you need to manually update the rule files before you can start scanning.
Manual update instructions: http://www.misec.net/trojanhunter/updating/
To do a full scan be sure the boxes are checked (green) beside your main hard drive folders, then click on Full Scan. The program is fully functional and free to first-time users for 30 days.
Download and install the free Ewido Security Suite: http://www.ewido.net/en/download/
Ewido runs on Windows 2000 and XP only. The Ewido download is a time limited full featured version. The background guard and resident protection install as a service but expire after a week. Install it as a stand-alone scanner that you can use as part of your regular maintenance. Thereafter you will still be able to update it but you will not have the background guard nor the resident protection.
- When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
- When running it the first time, you will get a warning "Database could not be found"
- Click OK.
- From the main screen, click on update in the menu, then click the Start update button.
- After the update finishes the status bar at the bottom will display "Update successful".
- Click on the Scanner button in the left menu, then click on the Start button to begin scan. [This scan can take some time to run so be patient]
- If ewido finds anything, it will pop up a notification. Select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
As an alternative for those using Windows 98, ME or NT4 there is a-squared Free [it also works with Windows 2000, 2000 Server, XP and 2003 Server].
a-squared Free contains only the basic scanner. Background Guard, Automatic Updates and other advanced features are only available with a-squared Personal. The free version can be downloaded here: http://www.emsisoft.com/en/software/download/
6th Tier: Hidden Files and Folders
In this Tier we show you how to reconfigure Windows to show hidden files and folders.
It will help in cleaning out malware if you enable your system to show hidden files and folders. This lets Windows display the files, folders and file extensions that trojans and spyware commonly rely on being hidden.
To do this see: How to see hidden files in Windows.
If you prefer a copy of these instructions that you can print easily, you can download it here.
Or instead you can download and save ToggleHiddenExplorerStuff.vbs to your desktop: http://www.edbott.com/weblog/files/ToggleHiddenExplorerStuff.zip
1. Extract the zip file to a permanent folder on your hard drive named ToggleHiddenFiles
2. Open the folder and double-click the .vbs file to enable [show] hidden files and folders.
3. When done, double-click the .vbs file to hide them again. [This protects them from accidental deletion]
7th Tier: HijackThis
If malware problems still persist after performing all the steps in each Tier up to this point, then follow these instructions on HOW TO USE HIJACKTHIS & POST A LOG:
- Download HijackThis and save it in a permanent folder such as C:\HJT\. [Note: If you already have HijackThis on your system and it is in a temporary folder, please move it to a permanent one following the same directions as above. If HJT is used from a temp folder it is in danger of being accidentally deleted by clean up tools.]
- Double click the HijackThis.exe inside the folder to run the program.
- Choose "Do a system scan and save a log file." HijackThis will analyze your system, create a log and save it in the HJT folder.
- When the scan is finished, the "Scan" button will change into a "Save Log" button. Press that and save the log. Then press Ctrl-A to select all of it, Ctrl-C to copy it and Ctrl-V to paste it into your post in the HijackThis - Spyware, Viruses, Worms, Trojans Oh My! Forum at the CastleCops Security Professionals web site.
PLEASE DO NOT ATTEMPT TO FIX ANYTHING WITH HIJACKTHIS UNTIL INSTRUCTED TO DO SO. MOST OF THE HJT LOG ENTRIES ARE REQUIRED TO RUN YOUR COMPUTER. REMOVING ESSENTIAL ENTRIES CAN POTENTIALLY CAUSE SERIOUS DAMAGE TO YOUR COMPUTER.
A forum security expert will analyze your log and reply with instructions advising you what to fix. Please be patient.
When you post in the HJT forum please choose an appropriate title for your topic. Do not use a vague topic title like "HJT log" or "Help." Be more specific and original. Please include the following with your HJT log post:
- A statement that you have read and followed all the procedures listed in the HJT Guidelines and list the scans that you have completed so that the experts will have the complete picture.
- If you included any additional steps on your own that were not included in the Tiers, please advise what you did.
- A brief explanation of your problem.
Important Note: The following anti-spyware programs are known to interfere with HJT fixing problem entries in a log if they are running at the same time the fix is attempted.
- Spybot S&D (Teatimer)
- Ad-aware Adwatch
- Spywareguard
- MS AntiSpyware Beta
- SpySweeper
- Winpatrol
- Counterspy
Please turn off or disable any of these programs if you have them running on your system PRIOR to using HJT to fix anything. To do this, please follow the instructions provided below:
Spybot S&D (Teatimer)
- Run Spybot-S&D in Advanced Mode.
- If it is not already set to do this, go to the Mode menu and select "Advanced Mode".
- On the left hand side, Click on Tools
- Then click on the Resident Icon in the List
- Uncheck "Resident TeaTimer" and OK any prompts.
- Restart your computer.
[After your system is fully cleaned reenable Teatimer using the same steps but this time place a check next to "Resident TeaTimer".]
Ad-aware Adwatch
- Open Ad-Aware SE and click on the Ad-Watch User Interface.
- Go to Tools and Preferences.
- At the bottom of the screen there will be two checkable items called Active and Automatic.
- - Active: This will turn Ad-Watch On\Off without closing it
- - Automatic: Suspicious activity will be blocked automatically
- Uncheck both of those boxes.
[After your system is fully cleaned reenable Ad-Watch using the same steps but this time check both boxes again.]
Spywareguard
Right click the running icon of Spywareguard in the system tray to open the program. Then go to Menu, File, and choose Exit. It will automatically restart at next boot.
MS AntiSpyware (MSAS) Beta
- Right-click on the Microsoft Anti-Spyware icon in the system tray [it's the one with the red and yellow bulls-eye].
- Click on "Security Agents Status".
- Click on "Disable real-time protection".
Next right-click on the Microsoft Anti-Spyware icon in the system tray again to open Microsoft Anti-Spyware.
- Click on the Options menu and choose Settings.
- In the left pane column click on "Real Time Protection".
- Under Startup Options, uncheck "Enable (MSAS) Security Agents on startup (recommended)"
- Under Real-time spyware threat protection, uncheck "Enable real-time spyware threat protection (recommended)".
- Click the Save button and close Microsoft AntiSpyware.
- Finally, right-click on the MSAS icon in the system tray and select "Shutdown Microsoft Antispyware".
[After your system is fully cleaned reenable MSAS using the same steps but this time reverse them.]
SpySweeper
- Open Spysweeper and click on Options > Program Options and uncheck "load at windows startup".
- On the left click "shields" and then uncheck everything there.
- Uncheck "home page shield".
- Uncheck "automatically restore default without notification".
- Exit the program.
[After your system is fully cleaned reenable Spysweeper using the same steps but this time reverse them.]
WinPatrol
Right-click the running icon of WinPatrol in the system tray and choose Exit. It will automatically restart at next boot.
CounterSpy
- Right-click the running icon of CounterSpy in the system tray.
- With your mouse, hover over Active Protection Status (This should be enabled).
- A menu will slide out and then you need to right click on "Disable Active Protection".
[After your system is fully cleaned reenable Counterspy using the same steps but this time reverse them.]
For additional protection, we suggest you download and install these 3 free programs that you run once and then just occasionally have to check for updates.
SpywareBlaster will block bad ActiveX and malevolent cookies.
IE-SPYAD puts over 4000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
SpywareGuard is a real-time protection solution against spyware! And you can easily have an anti-virus program running alongside it!
Please also read this article. So how did I get infected in the first place?
Once your Log has been given an all clear by our experts, continue with the next tier.
8th Tier: Windows Updates
Be sure that your computer has the latest Windows Security Updates and Patches from Microsoft. These improve your system's integrity and security, according to our Security Experts.
This step should NOT be performed until you have ensured your system is fully cleaned and all viruses and malware have been removed. This is the procedure Microsoft recommends before installing SP2. Some computers lock up when SP2 is installed with certain spyware in residence, and spyware programs can interfere with the new security features that SP2 installs by default. See: http://www.microsoft.com/windowsxp/sp2/sp2_whattoknow.mspx
9th Tier: Updating Your Security Programs
Because new threats are continually introduced, a security application is only effective if it is updated regularly. Checking for updates can be simplified by using the calendar provided at the 'Calendar of Updates' website, which is updated daily: http://www.dozleng.com/updates/index.php?act=calendar
10th Tier: Roll your own Free Security Suite
The final, and most important step, is to secure your system against future malware attacks. And it doesn't have to be costly. You can actually Roll your own Free Security Suite!
