Lozoot's Spyware Removal Guide. UPDATED August 7th

[lozootmaniac]

Courtesy of:Anniku989

Obviously people arent finding the HiJackThis Log analyzer.

LOG ANALYZER= HERE
If you still dont find anything then post your log in an existing thread or start a new one, do not post it in this thread.

INTRO

Most spyware/viruses start out small and end up growing. Yup that is right "growing" and it will spread to other computers, corrupt files and eventually some will crash your computer. That is why you will want to get rid of it as soon as possible.

Any thing you do should be done in safemode. The reason for this is Spyware and viruses dont run in safemode. Safemode is a way to startup using only basic services and programs. So it doesn't use your normal starup and doesnt start the spyware. I dug up a thread on how to get spyware (Only on EOCF) so read it and dont try any of it, these guys are looking for the worst of the worst http://forums.extremeoverclocking.co...d.php?t=201023. This is just to show you how you could get bad spyware that usually ends up crashing your pc.

HOW TO'S

How to boot in safe mode.

~ In the start menu go to RUN.
~ Type MSCONFIG
~ Follow the pics




LINKS

Well if ya ever have a spyware problem go to http://www.2-spyware.com/

2-spyware has some downloads and links to downloads that will help you find/kill spyware using programs like spybot sd and hijack this.

Also they have complete instructions on how to remove the software/ spyware/virus/adware/malware/worms/trojans manually. Just type what the spyware is called and it will give you some options like news and removal instructions.

If ya see any mysterious processes go to http://www.processlibrary.com/

Type the process in and they will give you a threat level and source of the process.

*HiJack This is a highly advanced FREE choice to spyware/virus removal and is only recomended by advanced users. You could mess up your computer using this! Hijackthis shows stuff in windows only areas of disk space like in the registry key (HKEY_LOCAL_MACHINE/SOFTWARE/MICROSOFT/WINDOWS_NT/ ). Also this will show several things related to critical windows components that when deleted could crash your system. It will notify you when there is a suspicious item running in memory. Also anyone with REGEDITS that tweak your OS they will show up as bad. Before even trying to use it i would read up a little on it and find the log analyser and how it works.

**Process library does not have every process on earth so it may come up empty. Such as ISP related or driver related processes.

***Spybot sd is also free but it is not updated as often as say norton av and the guy that is developing it gets money only from donators through paypal.

Anti Virus/Spyware Software List

Anti-Virus:

• a-squared - http://www.emsisoft.com/en/software/free/
• AntiVir - http://www.free-av.com/
• Avast - http://www.avast.com/i_idt_1018.html
• AVG - http://free.grisoft.com/
• BitDefender - http://www.bitdefender.com
• ClamWin - http://www.clamwin.com/

Anti Spyware:

• Ad-aware - http://www.lavasoft.de/software/adaware/
• Bazooka - http://www.kephyr.com/spywarescanner/index.html
• Hijackthis - http://www.spywareinfo.com/~merijn/downloads.html
• SpyBot Search & Destroy - http://spybot.safer-networking.de/
• SpywareBlaster - http://www.javacoolsoftware.com/spywareblaster.html
• SpywareGuard - http://www.wilderssecurity.net/spywareguard.html
• WinPatrol - http://www.winpatrol.com/

Proccess Assasin: Well I came accross the thread codeweasel made and I saw the Proccess Assasin. It is a good tool to use and kill multiple proccesses started by spyware/viruses. Also has a built in google for proccesses that you are unsure of. Also has a Hit list where you can kill proccesses from a list that you can save. You can create a notepad with all of the running proccesses to show to people for help if the google tool doesn't help. Since it is different spyware and viruses wont be able to block it or shut it down. Highly recommended. Thanks to CodeWeasel for this great software.

PM Me if anyone knows of some more

Almost every spyware removal software is resource consuming meaning you cant play c&c or age of empires while running the software. But spyware and viruses will be also just as resource consuming as the software used to get rid of it.

Also ISP related Anti anything usually sucks. The reason I put it in the poll was to see if anyone actually liked them.


DICTIONARY

Spybots are just like a trojan only with spyware and malware. It imbeds or downloads into a browser (mainly IE 6) and downloads or creates copies of itself into directories or merges with a file to stay in the shadows of your hard disk to keep itself on your computer.

Active X controls are a websites way of comunicating software to you over the internet. Such as an online virus scan or a company chat box. Active X spies are the worst thing ive ever come accross because they get worse while your on the internet. They emmbed into every browser window and download stuff all of the time. Which some of us are on the the internet all day. Then when you restart you relize something bad is happening cauze your pc took an hour to start up. Active X Spies are to be treated as spyware and most spyware killers will get rid of them.

Worms do destroy files and will eventually cause a unrepairable crash. Sometimes contaminating every file on an HDD. Every worm I myself have gotten has come from an email but i have heard of worms coming through downloads, attachments in a forum, file sharing, and active x controls as well. They are also very easily distibuted through any form of communication such as AIM bots and spam emails.

AdWare is basically the popups that youll get when spyware is about to download.

MalWare (also known as a hijacker) is the stuff that changes dial up connections and searchbars/toolbars. Bad this is the name for collwwwsearch which is a searchbar that is linked to porn. I have had my dial up number changed and a bill sent to my house because i hit agree and did not read the fine print. since have changed to broadband. Bad for dial up users.

Viruses live on the death and destruction of other computers. Usually will lead to some or all of the following: unrepairable crash, spyware, malware, worms, and Haywire Anti-spyware/virus program. Ussually the best thing to do in my case is hook my HDD to another computer and backup my uninfected files and xp my computer once again.

Keyloggers will steal passwords and track surfing habits. You wouldnt want someone stealing your EOC password and using your username to post spam would you. That is the kind of stuff it is used for.

Trojans are usually marked by spyware/adware but actually are something bigger usually a virus, worm, or malware. They leave tracks of spyware to hide there presence then unleash there package at a significant time either when your pc is very vulnerable or when switching drivers.

Some of the newer cpus will not allow some spyware, games, and viruses to run in certain areas of the ram and processor.

File sharing programs have to have ads if youre using there free version. LimeWire and BearShare are the least ad infested. KaZaa and FreeShare are the worst ad infested. Warez P2P is a virus. LimeWire PRO is $20.00 and is free of spyware. BearShare is the same after paying for it.

A Hijacker replaces search bars, home page (or in firefox & IE7 home pages tabs), or both. Usually sending you to places with more spyware/malware.

Spam is when a person registers on this site and starts a thread called crazy crazy crazy in the news section and posts purse sites to get you to buy them.

Cookies will save things like when you click on the Remember me checkbox when signing in at EOC to remember your password. Or if you dont check it it remembers it but expires after a short period of time. Adware will usually use these to know your surfing habits. Malware will us it to collect personal information.

How you can get Spyware/Viruses etc.

Spyware are usually installed with something like a freeware/shareware program or tempting/fake software so you don't know it is there. Usually doesn't spread to other computers such as a worm or virus.

Worms are mostly in email and diskettes. Very easily distibuted through any form of communication such as AOL bots and spam emails.

Some people get spyware when they get there computer because they go and get a burnt copy of windows and it is modified from the start with intergrated spyware.

Stay away from sites like cracks.ws and freeserials they will make you dowload an Active x control while just surfing their site.

Porn is also a great way to get spyware.

Trojans and Spybots are gotten the same way as Spyware by downloading stuff that looks tempting like a fake Anti-Spyware program or a free offer.

Adware is usually bundled with freeware/shareware software to advertise so the parent software's company makes money for their free/free trial software.

Viruses are usually budled with Trojans but can be gotten in crack sites with bundled spyware. I consider many Spyware working together a Virus in the sence that all of them are helping each other to not be erased/removed and are trying to destroy your pc and/or trying to collect personal information.

Hijacker is gotten through downloading cracks and software.

Browsers

Microsoft Internet Explorer: IE 6 is complete rubbish. Although it has all of the updates it is ever going to have, it still has many undiscovered loopholes where spyware can get in. IE 7 Beta 2 is okay though. While meeting the tabbed browsing of firefox it also works in sync with Windows Defender Beta 2 to mark phishing sites and block any spyware from installing. But there are still loopholes. With the most popular ActiveX Controls and VBS (Visual Basic scripting) being a key part in Microsoft IE, and spyware viruses etc. using these as windows of opportunity, IE is not a browser that i would call safe.

Mozzila FireFox: Well this is my personal favorite. Features an intergrated popup blocker and being a many plugin type browser, helps stop up any holes in the programing. While having a multiple range of plugins that can be a bad thing when dealing with viruses/spyware. Spyware will eventually if not already manifest as a plugin of some sort. The browser doesn't support ActiveX and VBS, which in turn make it safer than IE from the start. That is why you cant get security updates with it from the Microsoft Download Center.

Opera: While being the first to introduce many of the things we like in a browser, like tabbed browsing, it also does not use ActiveX or VBS, Therefore eliminating these types of problems. However, I have heard that opera is very restrictive on images and other media. Many mass-mailing worms exploit the ActiveX and VBScript vulnerabilities and infect the system through IE and Outlook Express. This will never occur in a Opera based browser. Making it extremely safe. Though Opera used to have Adware integrated to support funding, I doubt that this will be the case now.

The Windows Registry

Anybody using Windows XP or better should be able to edit the registry very easily. 2-Spyware.com when giving manual removal instructions will tell you what registry entries to modify or erase. Anti Spyware/virus software will erase these automatically. The spyware/virus/worm/malware will embed itself in your computer using the registry to avoid being deleted/removed.

(HKEY_LOCAL_MACHINE/SOFTWARE/MICROSOFT/WINDOWS_NT/ note that this is a hotspot for spyware and viruses)

The reason your Spyware/Virus is not being removed

When you delete/remove spyware/viruses sometimes they will reside in memory. Meaning that once the whole of the program you deleted is gone and you figure your computer is "clean" it will reinstall/redownload itself.

It has some Registry keys that you or your Anti Virus/Anti Spyware software has not picked up find them and delete them.

It is bundled with a program that you want and keep and the program you want to keep reinstalls/redownloads it. Such as Bearshare (want to keep) and Ad watch (want to get rid of)

Your certain infection is writing itself to your files on your hard drive. Corrupting them and making them unuseable. You need to do a good search of the hard disk, on another PC, and in safe mode perferably.

The virus/spyware is starting with your computer. And it is denying your from moving or deleting it. Shutdown and restart in safemode or put your HDD in another computer and do a search and destroy from there or try and find it yourself. I would try a search first.

You need to update your anti-virus/anti-spyware software. This is ussually done automatically but most people shut off the auto update. Also some av/as can be updated by windows using the sceduler(ex. Windows Defender, C&C Antivirus).

Under construction
I will check back for broken links/updating. Also if you have a good/bad experience with anything here post the pro/con for others to see. Or if you have a program not listed then feel free to add it. Remember you may save a fellow oc'ers computer.

Let me know if you have any requests or things you think need pictures.

~Thanks
~lozootmaniac

[Anniku989]

I vote sticky, we need one in here. I've always used process library and its worked great. For my spyware scanning needs I use zonealarm pro (it has a spyware blocker and scanner) and it's worked great for me.

Also, congrats on 100posts...

[sdat1333]

Any thing you do should be done in safemode

[lozootmaniac]

Quote:

Originally Posted by sdat1333

Any thing you do should be done in safemode

This is because 1) The malware will not be running in safemode
2)You wont be able to mess up your os too bad because some functions are disabled

Plus if you ever have a haywire Anti virus/spyware killer youll prolly have to delete it in safe mode. Sometimes malware will edit key registries and will cause it to do evil things.

[sdat1333]

Really the ideal way to get rid of spyware is from outside of windows completely. IE: Plug the HDD into another comp and scan from there

[Makatiel]

Stickied.. Looks like a very valid project and definitely will help out a lot of people.

The other sticky on this matter hasn't been updated in over a year so a lot of things have changed. When this one passes the other one in usefulness I will take the other one down.

[Jason]

You listed NortonAV, but forgot a LOT of other AV packages that also have anti-spyware/malware detection. I use Kaspersky Interenet Security 6 (Switched from Norton after it kept missing stuff), and it has done a great job. It's kind of like McAfee where it will detect Potentially unwanted stuff that isn't malware but you can be an issue like VNC or and IRC client.

Also Hijack This, while useful, doesn't really detect anything, it just spits out all the stuff in various locations in Windows. It's up to the end user to determine what is and is not wanted.

[lozootmaniac]

Hijackthis shows stuff in windows only areas of disk space like the registry HKEY_LOCAL_MACHINE/SOFTWARE/MICROSOFT/WINDOWS_NT/SPYFALCON

And yes I did miss some av/as i just listed ones ive used. I wouldnt want to mislead anyone by adding things i know nothing of. That is why i added that people that post should talk about some ones theyve used and thought were worthy of trying.

[Jason]

Yes, but my point is, it's not like any of the other programs you have listed which 'detect' known spy/malware and let you know what they are. Hijack this just spits out a list of everything in those locations and the user must make the determination of good / bad.

I'm not saying hijack this is not useful of a bad program, it's just "different" from the rest of the group and should get noted as such.

[lozootmaniac]

Quote:

Originally Posted by Me

*HiJack This is a highly advanced FREE spyware finder and killer and is only recomended by advanced users. Before even trying to use it i would read up a little on it and find the log analyser and how it works. There is also a program called SpyOnThis by the same co. but i havent tried it but if you do post on it.

I said it was a finder and killer. sorry for my wicked ways. but i did note it is for advanced users and to read up on it b4 trying it

I did edit it to say it is not an auto killer and that it could mess up your pc and that it doesnt detect spyware and such

[Impaqt]

LavaSoft AdAware

That and Spybot S&D Are the only 2 that I use. (And Hijackthis.. But as Jason said... Just Info there....)

[D_unruled]

might wanna add some formatting to the 1st post man
aswell as links to the sites, etc.

I still stand by hitman as being the closest to a most thorough solution.

[lozootmaniac]

Links added

lol
<--link

Also i dont use anything but xp right now im about to touch on linux and i used windows 98 when i was a wee lad but i dont use any other os. If anyone knows how the win nt or wnidows 2000/me registry works POST

[Jason]

Might want to consider moving your guide to the Wiki so anyone can contribute & help maintain it.

[flclisgreat]

whats a spybot

not the av program

[lozootmaniac]

Added a section on spybots in the dictionary.

EDIT: I added spybot to the how you get it section will update the wiki tommorow.

[flclisgreat]

thanks for the spybot stuff it helped. Plus i love that banner.

[Apocolipse]

Spybot + NAV never had problems

[lozootmaniac]

do you use them together or use one all of the time and use the other when you have a problem.

[Apocolipse]

Both are running in the system tray. The NAV is set to highest security with no exceptions for scanning with auto scan on (so when new files are added to your system they are auto-scanned) Then i run SnD every week to clear up stuff and i have teatimer enabled. Works amazing!