Troubleshooting: How to eliminate spyware or adware from your computer

If your computer is infected with spyware or adware, it may run slower or redirect you to other sites (for example, when you click a link you land on a site other than the one you were looking for). This kind of behaviour indicates that your computer is infected with spyware or adware.
This article explains how to resolve the problem, i.e. how to troubleshoot an infected computer.
Procedures: How to eliminate spyware or adware from your computer
Please follow the steps below in order to eliminate the infection and clean up your computer:
1. Download the “HijackThis” Installer from this link and install it. Then, create a log file of possible malware with HijackThis so you can analyze the results.
2. Download Pocket KillBox, Spybot - Search & Destroy (available free) and F-Secure BlackLight (a rootkit detector that finds objects hidden from users and security tools). You will need them later to delete malware-related files and folders.
You can download Spybot-S&D from its home page and BlackLight from the F-Secure link given in the help section at the end of this article.
Note: Unless you are an expert computer user, you may wish to create a log file of the possible malware HijackThis finds and then analyze the entries yourself (if you are able to do so) or report the information to a computer expert or a computer security support website for help.
How to create a HijackThis log:
To create a log file, open HijackThis and, from the QuickStart window, click "Do a system scan and save a logfile". This will create a log file of POSSIBLE malware and save it as hijackthis.log in your HijackThis directory. You can then analyze this log file yourself, or pass it on as needed, to get assistance on which items you can keep and which need to be removed.
Here are the steps, in brief, to create a HijackThis log:
- Download the HijackThis installer from http://www.trendsecure.com/portal/en-US/_download/HJTInstall.exe and install it.
- Click on the "Do a system scan and save a logfile" button. It will scan and then ask you to save the log.
- Click "Save log" to save the log file; the log will then open in Notepad.
- Click "Edit > Select All", then "Edit > Copy" to copy the entire contents of the log.
A HijackThis log looks like the one below:
```text
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:05:45 AM, on 5/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\CoIEPlg.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [Palm MulitUser Config] C:\Program Files\Palm\Configtool.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [Uniblue RegistryBooster2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://echo.bluehornet.com
O15 - Trusted Zone: http://*.insurancejournal.com
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1176551855953
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2B29ABBE-57DF-474C-B737-FF08262B4EC3}: NameServer = 85.255.113.204,85.255.112.99
O17 - HKLM\System\CCS\Services\Tcpip\..\{39F59BEA-326A-47E2-A8C2-629EF367CBB7}: NameServer = 85.255.113.204,85.255.112.99
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.204 85.255.112.99
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.204 85.255.112.99
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.204 85.255.112.99
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 9092 bytes
```
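When reading a log like this one, the O17 lines deserve particular attention: they are the DNS servers the machine has been told to use, and whoever controls those servers decides where your browser ends up, which is exactly the redirection symptom described in the introduction. The Wareout infection that FixWareout (used later in this article) removes is a DNS changer of this kind. As an added example, which is not part of the original post and not code from HijackThis, the Python script below parses lines in HijackThis format and flags the entries that most often need a second look: O17 NameServer addresses that are not in an allow-list you supply, O2 BHOs whose DLL no longer exists, O15 Trusted Zone additions, and O4 startup shortcuts whose target could not be resolved. The sample lines are constructed in the format of the log above (a few are copied from it, including its O17 entries), and the allow-list address 192.168.1.1 and all function names are assumptions for the example; the script cannot know which resolvers are legitimate on your network, so you must supply them.

```python
"""Triage helper for HijackThis-format log lines (added example, not HijackThis code)."""
import re

# Constructed sample: a handful of lines in the format of the article's log.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - Global Startup: Exif Launcher.lnk = ?
O15 - Trusted Zone: http://*.insurancejournal.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{2B29ABBE-57DF-474C-B737-FF08262B4EC3}: NameServer = 85.255.113.204,85.255.112.99
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.204 85.255.112.99
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
""".strip().splitlines()

# Every HijackThis entry starts with a section code (R0, O2, O17, ...) followed by " - ".
# Header lines and the "Running processes" list do not match and are skipped.
LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")


def parse_line(line):
    """Return (section, body) for an entry line, or None for non-entry lines."""
    m = LINE_RE.match(line.strip())
    return (m.group("section"), m.group("body")) if m else None


def nameservers(body):
    """Extract the DNS server list from an O17 entry; HijackThis prints the
    servers comma-separated for adapter keys and space-separated for Parameters."""
    _, _, value = body.partition("NameServer =")
    return [ip for ip in re.split(r"[,\s]+", value.strip()) if ip]


def triage(lines, trusted_dns):
    """Flag entries worth a second look.

    trusted_dns: set of DNS server addresses you expect to see (your router or
    your ISP's resolvers). Returns a list of (section, reason, line) tuples in
    log order; an empty list means nothing in these rules fired.
    """
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        section, body = parsed
        if section == "O17":
            unexpected = [ip for ip in nameservers(body) if ip not in trusted_dns]
            if unexpected:
                findings.append((section,
                                 "DNS server(s) not in your allow-list: " + ", ".join(unexpected),
                                 line))
        elif section == "O2" and body.endswith("(no file)"):
            findings.append((section, "BHO registered but its DLL is gone (orphan entry)", line))
        elif section == "O15":
            findings.append((section, "site in the IE Trusted Zone; confirm you added it yourself", line))
        elif section == "O4" and body.endswith("= ?"):
            findings.append((section, "startup shortcut whose target could not be resolved", line))
    return findings


def report(findings):
    """Human-readable summary, one finding per block, in log order."""
    return "\n".join(f"[{section}] {reason}\n    {line}" for section, reason, line in findings)


if __name__ == "__main__":
    # Hypothetical allow-list: a home router's address. Replace it with the
    # resolvers your ISP actually assigns before trusting the O17 verdicts.
    print(report(triage(SAMPLE_LOG, {"192.168.1.1"})))
```

Run against the sample, the script reports five findings: the orphan BHO, the unresolved Exif Launcher shortcut, the Trusted Zone entry and the two O17 lines. Whether the 85.255.x.x resolvers are legitimate is a question only you can answer (compare them with what your router or ISP hands out); if they are yours, add them to the allow-list and the O17 findings disappear.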
3. Use HijackThis to fix the suspect entries: tick the items you have identified as suspect, close all browsers and other windows except HijackThis, then click the Fix Checked button. Reboot after fixing.
4. Clean all your cookies, the Recycle Bin and the Temporary Internet Files.
5. Run the Panda online virus scan (available at http://www.pandasoftware.com/products/activescan.htm):
- Once you are on the Panda scan site, click the Scan your PC button.
- A new window will open; click the Check Now button.
- Enter your country, then your state/province.
- Enter your e-mail address and click Send.
- Select either Home User or Company.
- Click the big Scan Now button.
- If it wants to install an ActiveX component, allow it.
- It will start downloading the files it requires for the scan (this may take a couple of minutes).
- When the download is complete, click Local Disks to start the scan.
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report, and save the report to a convenient location.
Finally, restart your computer once more.
OR
Run the Ewido anti-spyware micro scanner (available at http://www.ewido.net/en/onlinescan/).
For Ewido:
- Before running the Ewido scan, make sure your browser settings allow ActiveX controls. If your browser has ActiveX controls disabled, enable them as follows:
I. Click Tools > Internet Options > Security tab > select Internet > click Custom Level.
II. Enable the following ActiveX-related components:
a) Run ActiveX controls and plug-ins.
b) Script ActiveX controls marked safe for scripting.
Restore your previous settings once the scan is finished: leaving ActiveX enabled for the whole Internet zone lets any site you visit run such controls.
6. Once in Safe Mode (see the steps for booting into Safe Mode at the end of this article), use Pocket KillBox to delete those stubborn files that will not let themselves be deleted, no matter what you do.
7. Now run Spybot; it will detect and remove the spyware/adware infection from your computer. Reboot your computer.
8. Then run BlackLight, which scans your computer for rootkits: it detects files, folders and processes that are hidden from the user and from other programs, and it can also neutralise hidden malware by renaming it.
A BlackLight log looks like the one below:
```text
05/19/08 15:21:49 [Info]: BlackLight Engine 1.0.70 initialized
05/19/08 15:21:49 [Info]: OS: 5.1 build 2600 (Service Pack 2)
05/19/08 15:21:49 [Note]: 7019 4
05/19/08 15:21:49 [Note]: 7005 0
05/19/08 15:21:56 [Note]: 7006 0
05/19/08 15:21:56 [Note]: 7011 1776
05/19/08 15:21:56 [Note]: 7035 0
05/19/08 15:21:56 [Note]: 7026 0
05/19/08 15:21:57 [Note]: 7026 0
05/19/08 15:22:02 [Note]: FSRAW library version 1.7.1024
05/19/08 15:33:45 [Note]: 2000 1012
```
HELP: Downloading, installing and using the tools
Blacklight:
To download BlackLight, go to ftp://ftp.f-secure.com/anti-virus/tools/fsbl.exe and install it. It is a tool that detects files, folders and processes that are hidden from the user and from other programs. BlackLight is also able to neutralise hidden malware by renaming it.
For BlackLight Help, please go to the following page:
http://www.f-secure.com/blacklight/blacklight_help.html
BlackLight creates a log file named "fsbl-.log". By default, the log file is written to the same directory as the executable.
Pocket KillBox:
a) Download Pocket KillBox from http://www.downloads.subratam.org/KillBox.zip and place it in a folder on your Desktop.
b) Extract Pocket KillBox from the zip file and double-click Killbox.exe to run it.
c) In the main screen of Pocket KillBox, go to Tools in the top menu bar and select Delete Temp Files.
d) When that is done, back at the main screen of KillBox, select the option Delete on Reboot.
e) Then, in the Full Path of File to Delete box, paste the path of a suspect file, if you have identified any. For example:
C:\WINDOWS\system32\csjrm.exe
- Press the button with a red circle and a white X (the Delete File button).
- Click YES at the Delete on Reboot confirmation prompt.
- Click NO at the request to reboot (if you have no further files to delete, click YES).
f) Do the same for each remaining file, selecting No at the request to reboot.
g) After the last file, close KillBox and Notepad, and reboot the computer.
h) Run HijackThis and post a new log; also run BlackLight again and analyze its log.
Once you have done that, if you find any sign of a WareOut infection, follow the instructions below to fix it.
You may want to print out these instructions for reference, since you will have to restart your computer during the fix.
FixWareout:
Please download FixWareout from one of these sites:
- http://downloads.subratam.org/Fixwareout.exe
- http://swandog46.geekstogo.com/Fixwareout.exe
Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.
When your system reboots, follow the prompts. Afterwards, HijackThis may launch; if it does, you have nothing to do there, just close the application.
Delete all your cookies (Tools > Internet Options > Delete Cookies).
* Restart your computer in Safe Mode: as it boots, start pressing the F8 key on your keyboard. On a computer that is configured to boot multiple operating systems, you can press F8 when you see the Boot Menu.
* When the Windows Advanced Options menu appears, select Safe Mode and then press ENTER.
* When the Boot Menu appears again, with the words "Safe Mode" in blue at the bottom, select the installation that you want to start and then press ENTER.
Then run Ewido again and check whether anything is left.
Reboot normally.
Enjoy virus-free Internet surfing.
Posted by Rakesh