Security

Spyware Removal Turtorial

When the step indicates running an update, activate the update function of the program. Once the update is complete, stop and start the program before running your scan. This will ensure your scan is done using the latest program and malware database versions.

1. Update and run any anti-virus and anti-trojan products you already have installed on your computer. Do a full scan of your computer. Record exactly the names of any malware they turn up. Quarantine and cure (repair, rename or delete) any malware found.
2. Run two or three free web-based AV scanners. Record exactly the names of any malware they turn up. Then quarantine and cure (rename, move or delete) the malware. (This scanning is the most time consuming step in this checklist, but it is important.) Go to web based AV scanners

    

   	Symantec Security Check
   	Trendmicro Virus Scan
   	Rav Antivirus Scan Online
   	Panda ActiveScan
   	Mcafee Virus Scan

    

3. Download, install, update and run the following anti-hijacking and anti-spyware products. Then record exactly the names of any problems they turn up. (Tracking cookies are easily cleaned-up by deleting them, so don't bother recording them.) Then quarantine and cure the malware. (Note the links take you to tutorials for the listed software.. Download links are contained within each tutorial. The alternate link is a direct link to the program.

    

   	CWShredder (free): Direct Download: Syslock Security
   	Spybot S&D (donationware): Tutorial: safer-networking.org Download: download.com
   	Ad-aware (donationware): Download: download.com Download: lavasoft.com

    

4. If problem persists, download, install and update an anti-Trojan program. Record exactly the names of any problems it turns up. Then quarantine and cure the malware.

    

   	TrojanHunter (30 day free trial): Download: misec.net
   	A-squared: Trojan, Worm and Dialer remover (free): Download: emsisoft.com

    

5. If the problem persists, download and run HijackThis.

   HijackThis (free):   Download: download.com

   Remember that filenames suggest what a program file is, but files can be changed or renamed. It is file contents that determine what a file actually does. So it is important to run the scans in the earlier steps before creating the HJT log.

   Note: It is important to place Hijackthis in its own folder such as c:\hjt\hijackthis.exe

   Here are instructions on how:

   http://russelltexas.com/malware/createhjtfolder.htm

    

6. Run security analysis products to check your settings and installed software. These analysis products are definitely not 100% thorough in the checks they do. Also, the messages that are produced are usually cautions to check that something is as you want it to be, and are not definite instructions to change something.
   1. Install and run Belarc Advisor.

      Belarc Advisor (free): Download: belarc.com

   2. When you run Belarc Advisor, look for:
      1. Users you didn't add. Check whether your computer maker or re-seller added the users for support purposes before you bought the computer. Otherwise they indicate a hacker has accessed your system.
      2. Microsoft Hot fixes with red X's beside them, indicating they can be verified by the automated process, but failed verification. The earlier the version of Windows, the more likely the fix came off "innocently" when new software was added or upgraded. Click on "details". This will take you to a Microsoft webpage explaining the fix, and allowing you to re-apply it.
      3. Under software versions, software you didn't install. Many software packages include other third party software. So installing one product can make 3 or 4 products show up in Belarc and this is not a problem. On the other hand, hackers often install legitimate FTP server or email server software, and because the server software is legitimate it will not show up in a virus scan.
      4. Save a copy of the Belarc Advisor results. In a few weeks, compare your saved scan with a new scan, looking for unexpected changes.
   3. Review the results to see that they correspond with how you have set your computer up. Changes might indicate that someone has altered settings. Or the settings may have been altered when other software was added or updated. (Security updates with reason "306460" simply cannot be verified by the automated process. This is normal.)
      1. Save a copy of the results. Compare them with the results in a few weeks, looking for unexpected changes.
7. Different vendors have different names and version identifiers for the same virus, so first look up the virus in the encyclopedia of the scanner's vendor for specific disinfection instructions Use your products link to find the information for your situation

   In Windows XP and Me, to prevent a virus being restored by the operating system, it is often necessary to temporarily disable System Restore. The instructions are here: Microsoft.com

8. Depending on the instructions in the virus encyclopedia for your scanner, it may be necessary to use auxiliary virus removal tools.
   1. If an auxiliary tool is required, it is best to first try the tool of the scanner's vendor.
   2. Read the complete write-up of the virus in the encyclopedia of the tool's vendor to find the disinfection instructions. In addition to running the scanner or tool, there may be a few manual steps required.
   3. Generally each removal tool will only detect and effectively remove the virus variants it says it will.
9. If it was turned off earlier, turn System Restore back on, and confirm that your virus scanner is working.
10. Re-secure your computer and accounts. The ideas in the following step-by-step guide are useful for cleaning any version of Windows: www.cert.org
    1. In particular, if private information is kept on the computer, and if the malware found included a "backdoor" or allowed hackers to "run arbitrary code", and if it is likely that a hacker may have used the backdoor, consideration should be given to backing-up data to be retained, and then re-formatting and re-installing programs on the computer from trusted sources.

       This is because a backdoor allows a hacker to make other changes that may reduce your security settings, but that are not readily detectable with current tools.

    2. If a keystroke logger is detected then hackers may have access to what was typed into your computer, including passwords, credit card numbers, and account numbers.
       1. Immediately cancel any credit cards used on the computer, and ask for replacements with new account numbers.
       2. Using an uninfected computer, change any website or server passwords that were entered on the infected computer.
11. Check these other useful links for tips on disinfection and preventing a recurrence.

     

    	How to keep my computer secure: a layered approach by dslreports
    	A test for your AV see site you can download a dummy virus to test your AV
    	Security tips: Note: there are many more. An excellent resource can be found at www.dslreports.com Another good security resource is Eric Howes See his site: https://netfiles.uiuc.edu/ehowes/www/main.htm An especially good protective utility for IE users is IE-spyad Here are some places to help getting started dealing with problems of hijackings, infections etc. for the beginner: dslreports.com gladiator-antivirus.com www.spywareinfo.com Note that these are FAQ's that apply to different forms but the main idea applies to any form where spyware, hijackings, etc are going to be addressed. SpyBot Search & Destroy AD-AWARE Standard Edition CWShredder HijackThis Next, for the more advanced.. (I mean that.. don't delete something using HijackThis if you don't fully understand what you are doing!) These are full tutorials on how to interpret the logs from HijackThis.. http://hjt.wizardsofwebsites.com www.spywareinfo.com And here are some additional links to assist with using the HijackThis application: Tutorial: http://computercops.biz/HijackThis.html Forum: computercops.biz Forum

 

Copyright © 2007 iCon Services, Inc