Technical Guide Part 2
Step 2: The automated tools
Preparation for cleanup
Before you run any automated malware removal tool, you should first uninstall any of the malware sources that you've identified. Software like DivX Pro, Kazaa, and the like won't work after you remove their "ad-supported" components anyway. You should uninstall them using Add/Remove Programs in the Control Panel.
You should also uninstall any of the malware that gives you the option to in Add/Remove Programs. In many cases, the uninstall will not be complete, but the automated tools will clean up the pieces, and you won't end up with phantom entries in your Add/Remove Programs list. Some of these items will have multiple uninstall steps (like MediaLoads), where a new item appears in Add/Remove after you uninstall the first one. Items to remove this way include but are not limited to:
Active Alert
B3D Projector
BackWeb
ClickTheButton
CometCursor
CommonName
DownloadWare
eAnthology/eAcceleration
eXact Search Bar
Ebates Moe Money Maker
GoHip
HotBar
HuntBar
IEDriver
IEPlugin
Internet Optimizer
Interstitial Ad Delivery by n-CASE
IPInsight
MediaLoads
MySearchBar
N-Case
NetworkEssentials
New.net
NewtonKnows
PAD Lookups by n-CASE
SaveNow
SubSearch
TopText
WeatherCast
WhenUSearch
Win32 BI Application
Xupiter
There are countless other pieces of malware that will show up in the Add/Remove Programs with seemingly innocent names. If you're not sure what it is, then it's usually safe to let the automated tools take care of it.
It is not recommended that you remove "BackWeb" from HP or Compaq machines that came pre-loaded with Windows, as it is part of HP/Compaq's automatic software update system. Similarly, "IPInsight" is used by SBC Yahoo's software.
The automated tools will also run much, much quicker if you empty the Internet Explorer cache and delete your cookies. From the Control Panel, go to the Internet Properties and click on Delete Cookies and Delete Files.
Running the tools
There are four automated malware removal tools that are recommended. The first two tools you should run are CWShredder and Kill2Me. These tools are designed solely to remove variants of the CoolWebSearch and Look2Me varieties of adware, but they do a very good job of it and they are very small downloads. CWS and L2M are also very common pieces of malware, and are often difficult for more general-purpose tools to remove completely, so they're a good thing to run first. Running CWShredder and Kill2Me is extremely straightforward and will not be covered in detail here; just make sure you're running the latest versions, since they are constantly updated, and make sure that all of your Explorer and Internet Explorer windows are closed when you run them, or else they may not be able to fix everything.
You can download CWShredder and Kill2Me from the creator's website; if you're being blocked by a piece of malware, here is a personal mirror of both programs maintained by the FAQ author. (Please only use this mirror if absolutely required.) They're both EXE files that require no installation, although they need some Visual Basic 6 libraries which should already be present on all modern Windows machines. (If by some chance you don't have them, you can download them here.)
The two other tools are SpyBot and AdAware. These are general-purpose tools designed to scan for and remove a wide variety of malicious software (including spyware, adware, dialers, and other garbage). SpyBot is generally more powerful and more aggressive, but AdAware is easier to use. Both are good products, and can co-exist on a computer without problems (although AdAware may occasionally find items in SpyBot's quarantine). Sometimes, when one tool fails to remove all the malware on a system, the other tool will finish the job.
SpyBot's homepage is
http://www.spybot.info
and the latest version as of this writing is v1.3 (which just came out). It is freeware.
AdAware's homepage is
http://www.lavasoftusa.com
and the latest version as of this writing is v6.181. The "Personal" version is free for use, and has full scanning and cleaning functionality; the paid-for versions have more features, such as "inoculation" (which we'll talk at later) and extra customizability.
When running either tool, it is essential that they be updated to include the latest patches and scanning databases. Like anti-virus software, these tools can only scan for malware that they know how to identify. Updating AdAware is easy: click on the "Check for Updates" link when you first start it and then the "Connect" button. To update SpyBot, click on the Update button in the left-hand column. Then click on "Search for Updates", check the updates you want (which should be all of them), select an appropriate mirror from the list (which defaults to
To scan with SpyBot, click on the "Search and Destroy" button in the left-hand column, and then the "Check for Problems" button on the bottom. To scan with AdAware, click the "Start" button and follow the instructions. Once either application is finished scanning, it will present a checklist of items that it has found.
Here's a list of stuff that it is always safe to let SpyBot or AdAware kill, in addition to anything you already tried to uninstall via Add/Remove Programs:
Aureate
CoolWebSearch
Cydoor
FreeScratchAndWin
Gator/GAIN
GonnaSearch
Investigator
Lop.com (aka C2.Lop)
PerfectNav
VX2 (and all variants)
There's one thing that you should watch out for that both SpyBot and AdAware will catch, and that's C_Dilla. C_Dilla (aka "CD Secure") is a copy-protection tool (created by Macrovision) used by a wide variety of software, including 3DSMax, that has an unfortunate tendency to "phone home". It would be great if one could get rid of it, but doing so will make the software that uses it stop working. Unless you're very sure that you don't need it anymore, don't let SpyBot or AdAware remove C_Dilla from your system, since it was probably installed by something legitimate.
You should also avoid removing Backweb or IPInsight under certain circumstances, as mentioned above.
Once you're comfortable with the checklist of items, you can tell SpyBot or AdAware to fix them. Make sure that all of your Explorer and Internet Explorer windows are closed when you do this, or else it may not be able to fix everything. If there is something that they cannot delete, they will ask to run again after you reboot. You can either choose to write down the items that it was unable to delete and delete them yourself after you reboot the system, or let the application do it for you (which will mean letting it re-scan the system again).
Both tools save a copy of everything fixed; AdAware calls this a "Quarantine", SpyBot calls it "Recovery". If problems show up after you reboot the system, you can undo the changes that were made and try again with a different list.
If the automated tools are all crashing as soon as they start, then you've got CoolWWWSearch.SmartKiller, a particularly ugly version of CWS which attempts to stop SpyBot, AdAware, and CWShredder from running. An updated version of CWShredder should be able to take care of it, if you run it more than once. Otherwise, grab delcwssk.zip from the SpyBot folks and use it.
The other available tools
The other anti-malware tools fall into two categories: merely not as good as SpyBot and AdAware, or actual frauds.
Spyware Blaster is not a scanner, but a "vaccine" tool.
Bazooka Adware and Spyware Scanner is legitimate software, and freeware. It has an extensive database of threats, and is extremely fast. However, it has no removal capabilities; it is purely a scanner.
SpyRemover, SpySweeper, and SpywareEliminator are legitimate but mediocre software packages that are also commercial. No reason to consider them.
SpyKiller, XoftSpy, SpyCatcher, SpyGuard, SpySweeper, Spyware Nuker, SpyHunter, Warnet, Virtual Bouncer, AdProtector, Spyware Remover (from BulletproofSoft), SpyFerret, SpyGone, Stop-Sign, SpyBan, and SpyAssault are all either of very dubious quality or known malware sources themselves. Stay the hell away.
Step 3: When the automated tools haven't gotten everything
Unfortunately, the automated tools can only detect and remove malware that they know exists. And since malware is a money-making business, there's new stuff appearing every day. So sometimes, the automated tools can't clean everything off a system. That's where HijackThis comes in.
HijackThis isn't an automated scanner like SpyBot or AdAware. It's a system editor, from the creator of CWShredder. It's kind of like MSConfig or RegEdit, only specifically for finding browser parasites and spyware-related garbage. It shows you everything browser-related on your system, good or bad, and it's up to you to decide what's harmful and what's benign. It also makes backups of everything it changes, and can create a text logfile for analysis by others.
In the hands of an expert, it's an amazing tool. In the hands of a novice, it's not just useless, it's dangerous. So unless you're very, very sure of yourself, never make any changes in HijackThis without consulting others first.
It will write its logfiles and backups to the same directory it's run from, so it's recommended that you put it in its own subdirectory.
It's recommended that instead of trying to fix things yourself with HijackThis, you post a logfile to either these forums or the Net-Integration forums (where the SpyBot authors are). The AdAware forums are another possibility, although they will insist that you use AdAware's reporting tools before you use HijackThis. Forum users experienced with the removal of malware can then recommend which items to fix using HijackThis, and what files and directories to delete from your system. They may also recommend mailing one or more files (along with the original HijackThis log) to the authors of one of the automated removal tools, so that they can update that tool's detection database.
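The "O2" lines in a HijackThis log are the Browser Helper Objects registered on the machine. The script below is an added example, not part of this FAQ and not HijackThis's own code; it lists those registrations from the registry and resolves each CLSID to the DLL that gets loaded into every Internet Explorer window, so you can see what one of those entries actually consists of before you post a log. It assumes PowerShell 3 or later on Windows; the key paths are the standard BHO and CLSID registration locations, and the Wow6432Node branch only exists on 64-bit installs.

```powershell
# Enumerate registered Browser Helper Objects (the HijackThis "O2" entries) and
# resolve each CLSID to its COM server DLL. Added example; not HijackThis code.

$bhoKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects', # 32-bit IE on x64
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

function Get-DefaultValue {
    # Returns the "(default)" value of a registry key, or $null if the key is absent.
    param([string]$Key)
    if (-not (Test-Path -LiteralPath $Key)) { return $null }
    (Get-ItemProperty -LiteralPath $Key -ErrorAction SilentlyContinue).'(default)'
}

function Get-BrowserHelperObject {
    foreach ($key in $bhoKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        foreach ($entry in Get-ChildItem -LiteralPath $key) {
            $clsid = $entry.PSChildName
            # HKCR merges HKLM\Software\Classes and HKCU\Software\Classes; the CLSID's
            # friendly name and InprocServer32 (the DLL path) are registered there.
            $base = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
            if ($key -like '*Wow6432Node*') { $base = "Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID\$clsid" }
            $dll = Get-DefaultValue "$base\InprocServer32"
            if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll) }
            $exists = if ($dll) { Test-Path -LiteralPath $dll -PathType Leaf } else { $false }
            [pscustomobject]@{
                Clsid     = $clsid
                Name      = Get-DefaultValue $base
                Dll       = $dll
                DllExists = $exists
                # A BHO DLL with no Authenticode signature is not proof of anything,
                # but it is the first thing to look at in a log.
                Signature = if ($exists) { (Get-AuthenticodeSignature -FilePath $dll).Status } else { 'n/a' }
            }
        }
    }
}

Get-BrowserHelperObject | Format-Table -AutoSize
```

Run it in an elevated PowerShell so the HKLM branches are readable. A BHO whose DLL no longer exists is exactly the kind of leftover that the forums will tell you to fix with HijackThis; an unfamiliar, unsigned DLL in a temp or system directory is what you should be asking about before touching anything.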
Step 4: Problems related to removing malware
Most of the time, malware can be cleaned off a system without side effects. But sometimes there are lingering issues, even after the malicious software has been removed.
Startup errors
If a program file is removed, but the startup entry for it is left in the registry, then an error will occur when the PC is restarted. An error involving "CMD32.EXE" is not uncommon after cleaning up a heavily-infested machine. These startup entries for nonexistent programs can be found and removed using HijackThis.
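Checking for that situation by hand means reading the Run and RunOnce keys and seeing whether each command still points at a file. The script below is an added example (not from this FAQ, and not HijackThis's own code) that does the same thing: it parses each autostart command line, resolves the executable the way Windows would, and reports the entries whose program is gone. It assumes PowerShell 3 or later; the key paths are the standard per-machine and per-user Run/RunOnce locations, and bare names like "cmd32.exe" are resolved through PATH as an approximation of the Windows search order.

```powershell
# Report Run/RunOnce autostart entries whose program file no longer exists, which is
# what produces the "cannot find CMD32.EXE"-style error after a cleanup.
# Added example; not HijackThis code. Assumes PowerShell 3+.

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Properties PowerShell adds to every Get-ItemProperty result; they are not registry values.
$psNoise = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-ExecutablePath {
    # Extract the program from a registry command line ("C:\x\y.exe" /arg, C:\x\y.exe /arg, y.exe).
    param([string]$CommandLine)
    $cmd = $CommandLine.Trim()
    if ($cmd.StartsWith('"')) {
        $close = $cmd.IndexOf('"', 1)
        if ($close -gt 1) { return $cmd.Substring(1, $close - 1) }
    }
    # Unquoted: stop at the first executable extension, so an unquoted
    # "C:\Program Files\Foo\bar.exe /tray" is not cut at the space.
    if ($cmd -match '^(?<exe>.+?\.(exe|com|scr|bat|cmd))(\s|$)') { return $Matches['exe'] }
    return ($cmd -split '\s+')[0]
}

function Resolve-StartupTarget {
    # Expand %vars% and resolve bare file names through PATH (approximates the Windows search order).
    param([string]$Exe)
    $expanded = [Environment]::ExpandEnvironmentVariables($Exe)
    if ([System.IO.Path]::IsPathRooted($expanded)) { return $expanded }
    $app = Get-Command -Name $expanded -CommandType Application -ErrorAction SilentlyContinue | Select-Object -First 1
    if ($app) { return $app.Path }
    return $expanded
}

function Get-StartupEntry {
    foreach ($key in $runKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        foreach ($p in $props.PSObject.Properties) {
            if ($psNoise -contains $p.Name) { continue }
            $command = [string]$p.Value
            $target  = Resolve-StartupTarget (Get-ExecutablePath $command)
            [pscustomobject]@{
                Key     = $key
                Name    = $p.Name
                Command = $command
                Target  = $target
                Exists  = Test-Path -LiteralPath $target -PathType Leaf
            }
        }
    }
}

# Orphaned entries are the ones to remove; entries that still exist need a closer look, not deletion.
Get-StartupEntry | Where-Object { -not $_.Exists } | Format-Table Key, Name, Command -AutoSize
```

Entries that launch a host process such as rundll32.exe with a DLL argument will show as existing even if the DLL is gone; the command column is there so you can check those by eye.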
Missing system files
Some particularly nasty pieces of malware will actually overwrite minor system files in order to keep themselves on your PC. The author of CWShredder has a list of files that versions of the CoolWebSearch malware software may damage, along with backup copies and instructions for replacing them. You can also replace these files with their original versions from the Windows installation CDs.
Damaged Winsock
The "Winsock" is the Windows networking system for TCP/IP, the Internet protocol. The design of the Winsock allows legitimate add-on software to plug itself into the system, in order to add or change network functionality. These "Winsock plugins" are called "LSPs" (Layered Service Providers). Unfortunately, this means that malicious software can plug itself into the Winsock as well, and if the malware's DLL is deleted while its catalog entry is left behind, the whole chain breaks and the machine loses its Internet connection.
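What a broken Winsock looks like from the registry's side is a provider catalog entry whose DLL is missing. The script below is an added example (not from this FAQ and not LSPFix's code) that walks the Winsock2 provider catalog and reports every provider whose library cannot be found. It assumes PowerShell 3 or later run as Administrator; the catalog key path is the standard one, the assumption that PackedCatalogItem starts with the provider's NUL-terminated ANSI library path in a 260-byte field follows the documented structure layout, and the second catalog name is an assumption about 64-bit installs.

```powershell
# Audit the Winsock2 provider catalog (base providers and LSPs) for entries whose DLL
# is missing: the state a half-removed LSP leaves the machine in.
# Added example; not LSPFix code. Assumes PowerShell 3+ run as Administrator.

$catalogRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9'
# 64-bit Windows keeps a second catalog next to the first (assumed name); absent keys are skipped.
$catalogs = 'Catalog_Entries', 'Catalog_Entries64'

function Get-WinsockProvider {
    foreach ($name in $catalogs) {
        $key = "$catalogRoot\$name"
        if (-not (Test-Path -LiteralPath $key)) { continue }
        foreach ($entry in Get-ChildItem -LiteralPath $key) {
            $item = Get-ItemProperty -LiteralPath $entry.PSPath -Name PackedCatalogItem -ErrorAction SilentlyContinue
            if (-not $item) { continue }
            [byte[]]$packed = $item.PackedCatalogItem
            # PackedCatalogItem begins with the provider library path as a NUL-terminated
            # ANSI string in a MAX_PATH (260-byte) field, followed by the WSAPROTOCOL_INFO
            # structure (layout assumed from the documented structure; only the path is used).
            $end = [Array]::IndexOf($packed, [byte]0)
            if ($end -lt 0 -or $end -gt 260) { $end = 260 }
            $raw = [System.Text.Encoding]::Default.GetString($packed, 0, $end)
            $dll = [Environment]::ExpandEnvironmentVariables($raw)
            [pscustomobject]@{
                Catalog = $name
                Entry   = $entry.PSChildName
                Dll     = $dll
                Exists  = Test-Path -LiteralPath $dll -PathType Leaf
            }
        }
    }
}

$providers = Get-WinsockProvider
$providers | Format-Table -AutoSize
$broken = $providers | Where-Object { -not $_.Exists }
if ($broken) { Write-Warning "Winsock catalog references $($broken.Count) missing provider DLL(s); the LSP chain is broken." }
```

Do not edit these entries by hand: the entries are numbered and chained, so deleting one breaks the sequence. On Windows XP SP2 and later the supported repair is `netsh winsock reset` followed by a reboot, which rebuilds the catalog from the base providers; on the older systems this FAQ targets, that is the job LSPFix does.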
Step 5: How can I not get this crap again?
Be careful what you download.
Here are some safe alternatives to malware-laden applications:
Instead of Kazaa and other commercial file-sharing applications, try
Instead of GoZilla or DownloadWare, try GetRight or wget.
You probably don't need any other toolbar for IE other than the Google Toolbar, with integrated Google search and popup blocking.
Instead of the dozens of malware-filled MP3 encoders on download.com, get CDex or Exact Audio Copy.
Instead of WeatherBug (which is adware), try WeatherWatcher.
Harden your browser
There's two ways to do this. The first way is the quickest and the most effective: switch to an alternative browser that doesn't support auto-installs of malicious software at all. Browsers in that category include Mozilla, Firefox, or Opera. The browsers MyIE2, Crazy Browser, and Avant Browser are just shells on top of Internet Explorer, and inherit the same malware problems that IE has.
If you don't want to switch browsers, then you can attempt to harden Internet Explorer. (These same tips apply to MyIE2 and Avant Browser.) This is more complicated, and is never going to be 100% reliable, since there are many security holes in Internet Explorer that have not yet been fixed by Microsoft.
First, make sure that you are running the latest version of IE.
Make sure you have everything from "Critical Updates and Service Packs" installed from Windows Update. When they say "critical", they are not kidding.
Turn off ActiveX downloading for the Internet zone.
This will stop a huge amount of malware dead in its tracks. The next step is to go to the Trusted Sites zone and reset it to "Medium" security (it defaults to "Low"). Then you add microsoft.com to the list of trusted sites to make Windows Update continue to work; you can then add sites like macromedia.com (for Flash updates), apple.com (for QuickTime updates), and yahoo.com (for games and chat) at your discretion.
Turning off ActiveX downloading for the Internet zone only prevents new software from being downloaded; it does not prevent existing plugins from working. For example, it won't prevent the Flash plugin from working on a site in the Internet zone, but it will prevent the Flash plugin from installing, unless macromedia.com has been added to the trusted sites list.
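The zone settings described in the three paragraphs above are stored per user in the registry, so you can verify them without clicking through the dialogs. The script below is an added example (not from this FAQ) that reports the Internet zone's ActiveX download settings, the Trusted sites zone's security level, and which domains are currently in the Trusted sites zone, against the values the steps above call for. It assumes PowerShell 3 or later and the standard Internet Settings registry layout: zone 3 is Internet, zone 2 is Trusted sites, policy values 1001 and 1004 are signed and unsigned ActiveX download, a value of 3 means Disable, and CurrentLevel 0x11000 is the Medium template.

```powershell
# Audit the Internet Explorer zone settings that the hardening steps change.
# Added example; not from the FAQ. Assumes PowerShell 3+ and the standard
# per-user Internet Settings registry layout.

$zonesKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$domainsKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

$zoneNames   = @{ 2 = 'Trusted sites'; 3 = 'Internet' }
# Per-action policy values: 0 = Enable, 1 = Prompt, 3 = Disable
$actionNames = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
# Security level templates stored in each zone's CurrentLevel value
$levelNames  = @{ 0x12000 = 'High'; 0x11500 = 'Medium-high'; 0x11000 = 'Medium'; 0x10500 = 'Medium-low'; 0x10000 = 'Low' }

# What the guide asks for: no ActiveX downloads in the Internet zone, Trusted sites at Medium.
$wanted = @(
    @{ Zone = 3; Value = '1001';         Want = 3;       Label = 'Download signed ActiveX controls' },
    @{ Zone = 3; Value = '1004';         Want = 3;       Label = 'Download unsigned ActiveX controls' },
    @{ Zone = 2; Value = 'CurrentLevel'; Want = 0x11000; Label = 'Security level' }
)

function Get-IeZoneAudit {
    foreach ($w in $wanted) {
        $props   = Get-ItemProperty -LiteralPath "$zonesKey\$($w.Zone)" -ErrorAction SilentlyContinue
        $current = if ($props) { $props.($w.Value) } else { $null }
        $names   = if ($w.Value -eq 'CurrentLevel') { $levelNames } else { $actionNames }
        $label   = if ($null -ne $current -and $names.ContainsKey([int]$current)) { $names[[int]$current] } else { $current }
        [pscustomobject]@{
            Zone    = $zoneNames[$w.Zone]
            Setting = $w.Label
            Current = $label
            Wanted  = $names[$w.Want]
            Ok      = ($current -eq $w.Want)
        }
    }
}

function Get-TrustedSite {
    # A domain (or subdomain key) whose scheme value is 2 has been mapped into the Trusted sites zone.
    Get-ChildItem -LiteralPath $domainsKey -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty -LiteralPath $_.PSPath
        foreach ($scheme in '*', 'http', 'https') {
            if ($p.$scheme -eq 2) { [pscustomobject]@{ Domain = ($_.PSPath -replace '^.*\\Domains\\', ''); Scheme = $scheme } }
        }
    }
}

Get-IeZoneAudit | Format-Table -AutoSize
Get-TrustedSite  | Format-Table -AutoSize
```

The Trusted sites list is worth reviewing on an infested machine for the same reason the Internet zone is: anything a piece of malware managed to add there gets the zone's weaker settings.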
Install the Sun Java Runtime, and have it be the default Java VM instead of the Microsoft one. Sun's Java implementation is much more secure than Microsoft's. Java exploits are rare, and some versions of Windows XP don't have the Microsoft JVM at all, but it never hurts to be safe.
Use an "inoculation" or "vaccination" tool, which acts much like a real-time virus scanner. SpyBot has one of these built into it, called "Immunize".
If you choose to keep using Internet Explorer, it is recommended that you run SpyBot, AdAware, or both scanners at least once a week, because no current solution is going to give perfect immunity to the malware problem. Always make sure that your scanners are up-to-date (as outlined earlier) before running them, as new malware databases are released on a weekly basis, and sometimes even more frequently.
Doxdesk parasites article and listing - highly recommended
The CWS Chronicles - Merijn's constant fight against the ever-evolving CoolWebSearch trojan, to keep CWShredder up-to-date
SimplyTheBest's spyware pages
CounterExploitation's spyware pages
Bazooka's adware database
SpyBot FAQ
Spybot Forums at Net-Integration
AdAware forums
http://www.spywareinfo.com/~merijn/downloads.html
StartupList : A simple tool that lists each and every auto-starting program on your system. You might be surprised what it finds; this is way better than Msconfig. Commonly used to troubleshoot malfunctioning systems, trojan/viral infections, new spyware/malware breeds and the like.
Currently at version: 1.52.1
-> Download from LurkHere
-> Download from ComputerCops
-> Download from Subratam
-> Download from OfficeFive
-> Download from UniteTheCows
-> Download from BleepingComputer
-> Download from DKnoppix
-> Download from SpywareInfo
-> Download from RichardtheLionHearted.com
HijackThis : A general homepage hijacker detector and remover. Initially based on the article Hijacked!, but expanded with almost a dozen other checks against hijacker tricks. It is continually updated to detect and remove new hijacks. It does not target specific programs/URLs, just the methods used by hijackers to force you onto their sites. As a result, false positives are likely, and unless you are sure what you're doing, you should always consult with knowledgeable folks (e.g. the forums) before deleting anything.
A rudimentary HijackThis log tutorial by me is available here.
The official HijackThis QuickStart for posting on the SpywareInfo forums is available here.
Currently at version: 1.99.1
-> Download from Merijn.org
-> Download from Subratam
-> Download from UniteTheCows
-> Download from BleepingComputer
-> Download from DKnoppix
-> Download from SpywareInfo
-> Download from ComputerCops
[Old version 1.98.2 available here or here or here.]
Itty Bitty Process Manager (IBProcMan): A standalone version of the little process manager included in HijackThis (Misc Tools section). Shows full paths to processes, optionally shows DLLs loaded by processes. Can save the process list (and dll list) to file, as well as copy it to the clipboard. Compatible with at least Windows 98, 98SE, ME, 2000, XP and newer.
Very useful for cleaning up systems infected with trojans or viruses that kill antivirus and antispyware programs.
-> Download from SpywareInfo
-> Download from ComputerCops
-> Download from UniteTheCows
-> Download from BleepingComputer
-> Download from DKnoppix
CWShredder: A small utility for removing CoolWebSearch (aka CoolWwwSearch, YouFindAll, White-Pages.ws and a dozen other names). Spybot S&D and Ad-aware tend to forget essential parts of the hijack, so until they update, you can use this to completely remove the hijack. This program is updated to remove the new variants once they come out.
Read my article with documentation on Coolwebsearch here.
CWShredder is owned and maintained by InterMute since October 19, 2004. It is available from them for free separately, or integrated into SpySubtract PRO.
The free version is available for download here:
http://www.intermute.com/spysubtract..._download.html
BugOff: This little app disables a few exploits that are commonly used by browser hijackers (including CWS), thus protecting you from infection. This does not remove an existing infection! Applicable to everyone that uses Internet Explorer.
Currently at version: 1.10
-> Download from ZerosRealm
-> Download from ComputerCops
-> Download from Subratam
-> Download from OfficeFive
-> Download from UniteTheCows
-> Download from BleepingComputer
-> Download from DKnoppix
-> Download from SpywareInfo
-> Download from RichardtheLionHearted
ADS Spy: A small tool to list, view or delete Alternate Data Streams (ADS) on Windows 2000/XP with NTFS file systems. ADS is a way of storing meta-information for files without actually storing the information in the file it belongs to, carried over from Windows NT4's early MacOS compatibility support. Recently browser hijackers began using this technique to store hidden information on the system, and even store trojan executable files in ADS streams of random files on the system. Use with caution.
Currently at version: 1.05
-> Download from ComputerCops
-> Download from Subratam
-> Download from UniteTheCows
-> Download from BleepingComputer
-> Download from DKnoppix
-> Download from RichardtheLionHearted
-> Download from OfficeFive
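The ADS Spy entry above describes executables hidden in alternate data streams of ordinary files. The script below is an added example (not ADS Spy's code, and not from this page) that does the listing part of that job with built-in cmdlets: it walks a directory, enumerates every named stream on every file, and flags the streams that begin with a PE ("MZ") header. It assumes PowerShell 3 or later (for `Get-Item -Stream`) on an NTFS volume; the Zone.Identifier stream is skipped by default because it is the ordinary "downloaded from the Internet" marker.

```powershell
# List alternate data streams below a directory and flag any that start with a PE ("MZ")
# header, i.e. an executable hidden in a stream. Added example; not ADS Spy's code.
# Assumes PowerShell 3+ (Get-Item -Stream) on an NTFS volume.

function Find-AlternateDataStream {
    param(
        [Parameter(Mandatory)][string]$Path,
        [switch]$IncludeZoneIdentifier   # Zone.Identifier is the benign "mark of the web" stream
    )
    Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
      ForEach-Object {
        $file = $_.FullName
        # -Stream * lists every stream, including the file's own unnamed ':$DATA' stream.
        Get-Item -LiteralPath $file -Stream * -ErrorAction SilentlyContinue |
          Where-Object { $_.Stream -ne ':$DATA' -and ($IncludeZoneIdentifier -or $_.Stream -ne 'Zone.Identifier') } |
          ForEach-Object {
            # Read only the first line of the stream to check for the PE signature.
            $head = Get-Content -LiteralPath $file -Stream $_.Stream -TotalCount 1 -ErrorAction SilentlyContinue
            [pscustomobject]@{
                File        = $file
                Stream      = $_.Stream
                Bytes       = $_.Length
                LooksLikePE = ([string]$head -cmatch '^MZ')
            }
          }
      }
}

# System32 is the usual hiding place the entry above refers to; scanning a whole drive takes a while.
Find-AlternateDataStream -Path "$env:SystemRoot\system32" |
    Sort-Object LooksLikePE -Descending |
    Format-Table -AutoSize
```

A stream that looks like a PE file deserves the same treatment as any other unknown executable: note the host file and stream name, ask on the forums, and only then delete the stream (`Remove-Item -LiteralPath <file> -Stream <name>`), which leaves the host file itself intact.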
BHOList: A frontend for TonyKlein's BHO Collection that downloads the list, and displays it in a sortable, searchable list. You can also export it to a file and load that file back instead of downloading it from Sysinfo.org.
Currently at version: 1.40
-> Download from ComputerCops
-> Download from Subratam
-> Download from OfficeFive
-> Download from BleepingComputer
-> Download from DKnoppix
-> Download from SpywareInfo
Kill2Me: A removal tool specifically for the Look2Me parasite. This tool removes versions 115, 116, 117, 118, 120, 121 and 122 (the most recent ones) on Windows versions 95, 98, 98SE and ME.
Currently at version: 1.11
-> Download from ComputerCops
-> Download from OfficeFive
-> Download from BleepingComputer
-> Download from DKnoppix
-> Download from SpywareInfo
Uptimer4: A bar that sits at the top of your screen and can display over 20 pieces of system information that might be useful to you. System time, system date, uptime, free RAM, free pagefile, free disk space, CPU usage, IP address(es), Winamp controls, battery status, running programs, netstat, etc.
This project is currently suspended until I have more time to update it. Keep sending in bug reports though.
(Some functions may not work properly with Windows 95 and Windows NT4 without SP6.)
Currently at version: 1.0 (beta)
-> Download from ComputerCops
-> Download from OfficeFive
-> Download from BleepingComputer
-> Download from DKnoppix
-> Download from SpywareInfo
MovieCollection: A database program that can keep a list of movies you have (intended for DVD Rips), publishing this in a format that is directly readable by all major browsers that support CSS. To see what it can do, take a look at my movies list.
Currently at version: 1.42
-> Download from ComputerCops
-> Download from OfficeFive
-> Download from BleepingComputer
-> Download from SpywareInfo
TransIcon: This does exactly the same as TransText, but is WAY smaller and more flexible. It uses a tweak to make the background color of the text below desktop icons transparent, and exits. The effect should last until the next boot, so a shortcut to this program in your Startup folder works perfectly. Needs command line parameters (add them to the 'Target' field in the shortcut) to specify the color you want the icon text itself to be in the form of hex values (e.g. FFFF00), RGB (e.g. 16711935) or words (e.g. white).
Note: this program is not useful on Windows XP, since that has support for this tweak natively.
Currently at version: 1.01
-> Download from ComputerCops
-> Download from OfficeFive
-> Download from BleepingComputer
-> Download from DKnoppix
-> Download from SpywareInfo
KazaaBegone: A Kazaa uninstaller which scans and removes all elements of all Kazaa versions, as well as all of the bundled software that comes with it.
Warning: This version has a bug that can cause your Internet connection to be broken when removing New.Net, WebHancer or CommonName. An update is being worked on. If you still want to use KazaaBegone, download LSPFix to fix your Internet connection (download it before you run KazaaBegone, of course).
Currently at version: 1.10
-> Download from ComputerCops
-> Download from Subratam
-> Download from OfficeFive
-> Download from BleepingComputer
-> Download from DKnoppix
-> Download from SpywareInfo
