Dealing With Malware (Adware / Spyware)

One of the fastest growing industries in technology today is the development and deployment of malware - software that runs on people's personal computers without their consent and / or knowledge. Some call this software adware, others spyware. It has many installation methods, many purposes, and many results.

It can range from the most innocuous add-on program designed to "enhance your Internet enjoyment", to programs which secretly transmit your most intimate financial details (like your credit card number and PIN) to thieves who will use the information to empty your bank account.

The one thing you can say for a certainty is that it's software that you do not want on your computer.

This is where you need a thorough adware / spyware scan, including CWShredder, AdAware, Spybot S&D, HijackFree, and HijackThis, with expert advice to interpret the HijackThis log.


Check the Hosts file.
Search your entire system drive, including hidden and system folders, for file "hosts". There is one legitimate copy, and it is used in many security strategies. Any others are possibly bogus, and part (but just part) of the problem. Make sure that the registry entry points to the legitimate location.

Now, you need to examine the contents of each Hosts file. Look for entries like

which would make your browser display "404 (Page Not Found)", or similar, when you try to access Symantec.

When examining each Hosts file found, check it very carefully.
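As an added example (not part of the original post), a small Python triage script for the Hosts-file check above: it parses a Hosts file, skips the one legitimate localhost entry, and flags any line that maps a security vendor's site anywhere (the Symantec case) or steers a name to some other address. The vendor watch-list and the sample Hosts text are constructed for the example; the registry helper reads the real Tcpip DataBasePath value and only works on Windows.

```python
import ipaddress

# Hypothetical watch-list: vendors of the tools this post relies on (extend as needed).
VENDOR_DOMAINS = ("symantec.com", "mcafee.com", "trendmicro.com",
                  "lavasoft.de", "safer-networking.org")

def parse_hosts(text):
    """Return (line_no, address, hostname) for every mapping; comments and blanks are skipped."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()      # drop trailing comment, then tokenize
        for host in fields[1:]:                      # one address may name several hosts
            entries.append((n, fields[0], host.lower()))
    return entries

def suspicious_entries(text):
    """Return (line_no, address, hostname, reason) for entries that deserve a close look."""
    hits = []
    for n, ip, host in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            hits.append((n, ip, host, "unparseable address"))
            continue
        if host in ("localhost", "localhost.localdomain") and addr.is_loopback:
            continue                                 # the one entry every legitimate file has
        if any(host == d or host.endswith("." + d) for d in VENDOR_DOMAINS):
            hits.append((n, ip, host, "security vendor blocked or redirected"))
        elif not (addr.is_loopback or addr.is_unspecified):
            hits.append((n, ip, host, "name points at another host (review)"))
    return hits

def hosts_path_from_registry():
    """Windows only: the folder Tcpip really reads 'hosts' from (DataBasePath); None elsewhere."""
    try:
        import winreg
    except ImportError:
        return None
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters")
    return winreg.ExpandEnvironmentStrings(winreg.QueryValueEx(key, "DataBasePath")[0])

# Constructed sample Hosts file, not taken from any real machine.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
127.0.0.1       www.symantec.com          # Symantec now answers 404 / not found
127.0.0.1       www.lavasoft.de           # AdAware updates silently fail
198.51.100.23   www.example-bank.test     # bank name steered to someone else's server
"""
```

Compare the folder returned by hosts_path_from_registry() with the location of each "hosts" copy your search turned up; a copy anywhere else is what the post calls a bogus one.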


Scan for viruses using online services
How current is your virus protection? Try one or more of the free online virus scan services, which should complement your current protection.


Download AntiMalware and Corrective Software.
Download free tools to detect and remove malware. Only download each individual product from each server as listed. When dealing with malware, the most current version of all software is essential, so don't use old versions - download new versions before starting.

NOTE: Some malware installs components into the LSP / Winsock layer of the network stack. Removing it may damage the LSP / Winsock and break network functionality in various ways - damage LSP / Winsock, and you may not be able to download anything. So download the corrective tools described in Problems With The LSP / Winsock Layer In Your Network before you start malware diagnosis and removal. They are all very easy to use and take up very little disk space.


Install Software.

  • Create a separate folder for HijackFree, such as C:\HijackFree, and copy the downloaded file there.
  • Create a separate folder for HijackThis, such as C:\HijackThis, and copy the downloaded file there.
  • Create a separate folder for Silent Runners, such as C:\SilentRunners, unzip the downloaded file, and copy "Silent Runners.vbs" there.
  • Create a separate folder for the two TrendMicro files, such as C:\TrendMicro, and copy the downloaded files there (unzipped if necessary).
  • AdAware, CWShredder, and Spybot S&D have install routines - run them.
  • The other downloaded programs can be copied into, and run from, any convenient folder.


Scan for Malware.

  • Close all Internet Explorer and Outlook windows.
  • Run Stinger. Have it remove all problems found.
  • Run CWShredder. Have it fix all problems found.
  • Empty your temporary files folders:

    • "C:\WINDOWS\Temp"
    • "C:\Documents and Settings\(Username)\Local Settings\Temporary Internet Files".

  • Disable System Restore.
  • Boot your computer into Safe Mode.
  • Run the TrendMicro tool from C:\TrendMicro\. Delete any infections found.
  • Reboot your computer, and re-enable System Restore.
  • Run AdAware. First update it, configure for full scan, then scan. When scanning finishes, remove all Critical Objects found.
  • Run Spybot S&D. First update it, then run a scan. Trust Spybot, and delete everything ("Fix Problems") that is displayed in Red.
  • Then, run HijackThis ("Scan"). Do NOT make any changes immediately. Save the HJT Log.
  • Run A2 HijackFree, using Windows Explorer. Simply find the folder where you copied "HijackFree.exe", and double-click on it. It will run, with no settings or selections needed. Save a log file. Next, hit the Analyze... button; it will open a browser window and analyse its findings against the current Sysinfo malware database.
  • Run Silent Runners, using Windows Explorer. Simply find the folder where you copied "Silent Runners.vbs", and double-click on it. It will run, with no settings or selections needed, and create a .txt file in that folder.
  • Interpret your HJT log.
  • Remove any malware found. Alternately, run whole computer heuristic analysis, starting with the HJT log, and including HijackFree.

If removal of any spyware affects network functionality, run the corrective software downloaded above. See Problems With The LSP / Winsock Layer In Your Network for specific advice.


Improve Your Chances For the Future.

Now that you've experienced the frustration and uncertainty involved in dealing with malware, do you want to go through this again? I hope not. So improve your future - layer your security!


Anonymous said...

Fantastic, Chuck! Scary, but Fantastic. I'll just need a coupla years to understand this stuff, but Fantastic!
Having no experience with computers, layering really does make sense. We even layer our own personal defences - in everyday life and 'P to P' communications! Now, I understand! Thanks, I think...