To ensure your problem receives the best possible attention, please open a new topic here in the Computer Forum detailing your problem. Also, please follow the procedure outlined below before posting a HiJackThis log. Doing so may actually solve your problem altogether, and at the very least will make your problem much easier to analyze and solve.
DO NOT POST YOUR HELP REQUEST OR HIJACKTHIS LOG TO THIS THREAD, OR TO SOMEONE ELSE'S PRE-EXISTING THREAD; IF YOU DO IT LIKELY WILL BE IGNORED AND EVEN MAY BE DELETED WITHOUT NOTICE OR COMMENT
UPDATED YUCKWARE REMOVAL PRELIMINARY STEPS
PLEASE DO ALL OF THIS BEFORE POSTING A HIJACKTHIS LOG
Over the past year or so, the yuckware problem has continued to grow exponentially, almost beyond belief. Here at A2K, we've helped innumerable folks clean the crap off their systems and prevent re-infection. The purveyors of the crap have become increasingly sophisticated, and the yuckware has gotten trickier and trickier to detect, defeat, and destroy.
Prevention is always the best defense, but even that doesn't work all the time. If you are infested - your browser or search function has been hijacked, you're swarmed with popups/popunders and "Targeted Ads", or the like - carefully following the updated steps outlined below may well cure your problem, and at the very least will make it much, much easier for the gurus here to handle whatever might be left over.
Here are the essential, basic get-ready steps to take if you suspect a yuckware issue. This particular procedure is specific to Windows systems only, and slanted to Win 2K or later; if you are running any other Windows operating system, some of the following recommendations - the ones marked "(WIN 2K/XP ONLY)" - won't work for you. Skip them and do the rest. The tools recommended all are free or free trial versions, so this won't cost you anything but time and attention to detail. The method has been tested and found to be safe, reliable, and effective, if followed carefully, in order, and according to instructions. However, it must be understood that if you choose to follow the process, you do so at your own risk. Able2Know takes no responsibility for any problems or damages you might incur as a result of the advice contained herein.
Print out these instructions, and don't do anything without fully understanding how to step through this procedure.
If anything is unclear, please ask on this thread for clarification or further instructions, being as specific as possible what the problem might be. If any of the links don't work, please report that, also in this thread, as soon as you are able.
This thread's focus is on the process itself, not on individual yuckware problems. Posts not in accordance with that focus may be moved or deleted.
If your operating system is unable to extract .zip files, you will need a Zip Utility to extract and install several of the necessary tools. If you do not have one, the following may be downloaded and used for free:
IZArc (freeware)
7-Zip (freeware)
WinZip (free trial, purchase required for use beyond trial period)
There are others available as well, easily found through a websearch. Whichever you choose, be sure to read, understand, and follow its instructions for use.
When you're ready to go, and have completed the downloads, updates, configurations, and online scans, follow the steps in order.
If, while following the steps below, you should get an error message, try to report - on your own Help Request Thread, not this one - just what you and your machine were doing at the time of the error, what, if anything, you did about it, what the results were, and as close to the EXACT error message you received as you can manage, not something like "I was doing fine, then all of a sudden I got some sort of error message". Be as specific as possible.
First, update your own resident antivirus and run a full system scan. If you have an expired subscription to a paid antivirus, either renew your subscription, or uninstall the expired version and acquire an antivirus which can be updated to current engine and pattern files. Any of the major name brand applications will work fine. If for some reason you don't wish to pay for a subscription, the following are downloadable free antivirus applications from reputable vendors. The free versions offer adequate basic protection, but will lack certain configuration and convenience features common to paid antivirus apps. Your choice, but whatever, get, update, configure and maintain (per the app's instructions) a current antivirus before going any further, and have it run a full system scan.
AntiVir Free Personal Edition
Avast! 4 Free Home Edition
AVG Free Personal Edition
If you have Ad-Aware SE, HiJackThis, Microsoft AntiSpyware, Spybot S&D, or SpywareBlaster installed, I suggest you uninstall them via their own uninstall utilities, or through Add/Remove Programs, and redownload the latest versions. If you are sure you have the latest versions, you can just update them if you wish, and configure them as detailed in their respective sections below ... your call, but I do recommend starting fresh. As for the other tools linked here, if you have any version of them installed, it really is best to uninstall your copy and start fresh, to be sure of having the latest version.
Be certain you have the latest version of HiJackThis, and that it is installed to a folder of its own, either in your Program Files folder or directly on your root drive. If you have already installed HiJackThis, be certain it's in its own folder and not a temporary or desktop folder (to place HJT in its own folder, open Windows Explorer - Windows key + E - locate and select your root drive, the drive on which Windows is installed, open that folder, right-click anywhere in that folder's blank space, select "New" > "Folder", and name the new folder "HJT"; then download and extract HJT into that folder, or, if you already have the latest version somewhere else, move it there). Launch the application, then, from its splash screen, choose "Miscellaneous Tools", or from the main start page, select "Config", then select "Search for updates online", confirm, and be sure yours is the latest version. Don't run a scan or fix anything yet. When running HiJackThis to scan or fix things, run it from its own folder,
WITH NO OTHER BROWSERS, WINDOWS, FILESHARING, EMAIL, OR MESSAGING APPLICATIONS OPEN OR RUNNING
Go to Windows Update and check to make certain there are no outstanding Service Packs or high-priority updates for your operating system and/or Internet Explorer.
Run the Microsoft Windows Malicious Software Removal Tool (WIN 2K/XP ONLY).
Download, install, and update Microsoft AntiSpyware Beta (WIN 2K/XP ONLY). Just install it and update it (when the program has installed, select "File" at the top left-hand side of the page, and click "Search for updates ... "); don't run it yet. When the update has been completed, just close the application without running a scan yet.
Download LSP-Fix (WIN 2K/XP ONLY). Just download it to a convenient-to-find place on your machine; it may or may not be needed, but if it is needed, you'll want to find it easily. Sometimes removal of yuckware will result in your not being able to connect to the internet. If this happens, LSP-Fix should take care of the problem. Be sure to read and understand (good idea to print out) the application's DOCUMENTATION so you know what to do if it becomes necessary. Windows 9X/ME users should use WinSockFix. Its documentation is available in the downloaded file; be sure to read and understand it.
Download STINGER. Again, just download it right now; we'll use it later. See this TUTORIAL.
Download, install, and update Ad-Aware SE Personal. Just install and update it (when the program has installed, click the blue-green "Planet" icon, second from the right at the top of the screen, to run the auto-update function, and follow the prompts to update the application); don't run a scan yet.
When it has updated, click on the orange-ish "Gear Icon" (second-from the left at the top right-hand side of the window) to open the Ad-Aware configuration utility.
- Under the "General" tab, all radio buttons should be green; if not, click to activate them.
- Click the "Scanning" bar at the left of the page. Under "Drivers, Folders & Files", only the "Scan within archives" button should be green. Under "Memory & Registry", all buttons should be green.
- Click the "Advanced" bar. Under "Shell Integration", "Move deleted files to Recycle Bin" should be green, and it's your call whether you want to add "Scan with Ad-Aware to Explorer".
- Under "Logfile Detail Level", all 3 buttons should be green.
- Under "Alternate Data Streams", both buttons should be red.
- Skip the "Startup", "Default", and "Interface" bars for now.
- Click the "Tweak" bar. Click the plus-sign to open "Scanning Engine". "Unload recognized processes ... ", "Obtain command line ... ", and "Scan registry for all users ... " should be green; "Run scan as background ...", "Ignore spanned files ...", and "Use permanent ... " may be left red.
- Click to open "Cleaning Engine". The first 5 buttons ("Automatically check ...", "Always try ...", "During removal ... ", "Let Windows remove ... ", and "Delete quarantined ...") should be green; the remaining 3 ("Suppress warning ...", "Suppress progress ..." and "Disable manual ...") should be red.
- Skip the remaining bars, click "Proceed", then close Ad-Aware WITHOUT RUNNING A SCAN.
With Ad-Aware closed, download Ad-Aware's VX2 Cleaner Plugin, and install it per the instructions found on the download page. Read the instructions carefully so you'll know how to run the plugin when required. Do not run it, or Ad-Aware, yet; just exit back to your desktop.
Download, install, and update Spybot S&D. Just install and update it (when it installs, the program will give you the option to "Download all updates" - let it do so); don't run it yet.
- When the program has been installed and updated, select "Immunize", click the green "+" plus-sign symbol at the top of the page to install Spybot's immunization, and follow any prompts.
- On that same page, click to place a checkmark in the "Browser Helper to block bad downloads ... " button, then, from the dropdown below that, select "Block all bad pages silently".
- While you have Spybot open it would be a good time to read the tutorial available under the Help file at the top left-hand corner of the page. When done, don't run a scan yet, just close the application.
Download and install the trial version of EWIDO Security Suite (WIN 2K/XP ONLY). Again, just install and update it (when it installs, it will ask to be updated - let it. If for some reason you miss the opportunity, select "Update" from the program's start page and manually update it). Do not scan yet.
Additional setup/update instructions for Ewido Security Suite:
- Install ewido security suite
- When installing, under "Additional Options" uncheck:
- Install background guard
- Install scan via context menu
Launch ewido; there should be an icon on your desktop - double-click it.
The program will now go to the main screen
You will need to update ewido to the latest definition files.
- On the left hand side of the main screen click update
- Then click on Start Update
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido: Ewido manual updates.
When updating has been completed, do not run a scan, just close the application. Remember, we will not be scanning yet, but when called on to do so, use the following procedure:
- Click on Scanner
- Click on Complete System Scan and the scan will begin.
- NOTE: During some scans with ewido it is finding cases of false positives.**
- You will need to step through the process of cleaning files one-by-one.
- If ewido detects a file you KNOW to be legitimate, select none as the action.
- DO NOT select "Perform action on all infections"
- If you are unsure of any entry found select none for now.
- Once the scan has completed, there will be a button located on the bottom of the screen named Save report
- Click Save report.
- Save the report .txt file to your desktop.
Now close ewido security suite.
**(Ewido for example has been flagging parts of AVG Anti-Virus, pcAnywhere and the game "Risk")
Download CWShredder, and unzip it to your desktop, but don't run it yet.
Download NAILFIX. Just download it and unzip it to a folder on your desktop; don't do anything with it right now.
Download AboutBuster 5.1, unzip it to a folder on your desktop, and read the accompanying text file. Launch and update the application, but don't run it yet; when the update has completed simply close the application and exit to your desktop.
Download CCleaner (WIN 2K/XP ONLY). Just download it to a convenient-to-locate spot (your desktop is fine for now); don't do anything with it yet; we'll be using it a few times later in this process. If you are running Windows ME or earlier, use Cleanup! 4 - be sure to read the FAQ HERE.
Download DelDomains.inf. When it has downloaded (should take just a few seconds), click on the file to run it. If the link above displays text instead of downloading the file, then copy & paste the text into Notepad and save the file as DelDomains.inf. To use it, right-click and select "Install". Note: This will remove all entries in your "Trusted Zone" and "Ranges".
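Because DelDomains.inf wipes the zone map without showing you what was in it, it helps to record the current entries first, both so you know what you will have to re-add later and so you can report anything you never put there. The script below is an added example and is not part of timber's post or of DelDomains.inf itself; it assumes a Windows PowerShell session run as the user whose zones you want to inspect, and only reads the per-user ZoneMap keys that Internet Options writes to (the `ZoneMap`, `Domains`, `Ranges` and `:Range` names are the real registry names; the report file name is a constructed choice).

```powershell
# Added example, not part of timber's post: read-only audit of the Internet
# Explorer zone map that DelDomains.inf clears. Writes a report to the desktop
# and lists anything currently in 'Trusted Sites'.
# Assumes a Windows PowerShell session running as the user being inspected.
$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }
$ZoneMap   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'

function Get-ZoneMapEntries {
    $results = @()

    # Domains: one subkey per domain, optionally a subkey per host label, and a
    # value per protocol ('http', 'https', '*') whose DWORD data is the zone number.
    $domainRoot = Join-Path $ZoneMap 'Domains'
    if (Test-Path $domainRoot) {
        foreach ($key in Get-ChildItem -Path $domainRoot -Recurse) {
            # Key path "Domains\example.com\www" becomes the host name "www.example.com"
            $relative = $key.Name.Substring($key.Name.IndexOf('Domains\') + 8)
            $labels   = $relative -split '\\'
            [array]::Reverse($labels)
            $hostName = $labels -join '.'
            foreach ($protocol in ($key.GetValueNames() | Where-Object { $_ -ne '' })) {
                $zone = [int]$key.GetValue($protocol)
                $results += [pscustomobject]@{
                    Kind = 'Domain'; Target = $hostName; Protocol = $protocol
                    Zone = $zone; ZoneName = $ZoneNames[$zone]
                }
            }
        }
    }

    # Ranges: one subkey per IP range; ':Range' holds the address or CIDR block,
    # and the protocol values hold the zone number exactly as above.
    $rangeRoot = Join-Path $ZoneMap 'Ranges'
    if (Test-Path $rangeRoot) {
        foreach ($key in Get-ChildItem -Path $rangeRoot) {
            $range = $key.GetValue(':Range')
            foreach ($protocol in ($key.GetValueNames() | Where-Object { $_ -ne '' -and $_ -ne ':Range' })) {
                $zone = [int]$key.GetValue($protocol)
                $results += [pscustomobject]@{
                    Kind = 'Range'; Target = $range; Protocol = $protocol
                    Zone = $zone; ZoneName = $ZoneNames[$zone]
                }
            }
        }
    }
    return $results
}

$entries = Get-ZoneMapEntries
# Constructed file name; the desktop is used so the report is easy to find and attach.
$report  = Join-Path ([Environment]::GetFolderPath('Desktop')) 'zonemap-before-deldomains.txt'
$entries | Sort-Object Kind, Zone, Target | Format-Table -AutoSize | Out-String -Width 200 | Set-Content -Path $report
Write-Host "Recorded $($entries.Count) zone map entries to $report"

# Entries in 'Trusted Sites' that you did not add yourself are worth mentioning
# in your help request thread: a site placed there runs with relaxed security settings.
$entries | Where-Object { $_.Zone -eq 2 } | Format-Table Target, Protocol -AutoSize
```

Run it once before installing DelDomains.inf and keep the report with your other logs; it changes nothing, so it is safe to run again afterwards to confirm the zone map really is empty.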
Download, install, and update Javacool Software's SpyWareBlaster. When the update has completed, select "Enable all protection", and exit back to your desktop. SpywareBlaster does not need to be running for its protection to be active, but you should launch it at least weekly to check for updates. Read the FAQ HERE.
Next, configure Windows Explorer to Show All Files.
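The "Show All Files" setting is three per-user registry values under Explorer's Advanced key, which is also what the Folder Options dialog writes. The following is an added example, not part of timber's post; it assumes a Windows PowerShell session and sets those values for the current user only (the `Hidden`, `HideFileExt` and `ShowSuperHidden` value names are the real ones), then reads them back before restarting Explorer so the change is actually in effect.

```powershell
# Added example, not part of timber's post: make Windows Explorer show hidden
# files, protected operating system files and file extensions by writing the
# same per-user registry values the Folder Options dialog writes.
# Assumes a Windows PowerShell session; affects the current user only.
$Advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

function Set-ShowAllFiles {
    # Hidden: 1 = show hidden files and folders (2 = hide them)
    Set-ItemProperty -Path $Advanced -Name 'Hidden'          -Value 1 -Type DWord
    # HideFileExt: 0 = show extensions, so "photo.jpg.exe" cannot pose as "photo.jpg"
    Set-ItemProperty -Path $Advanced -Name 'HideFileExt'     -Value 0 -Type DWord
    # ShowSuperHidden: 1 = show protected operating system files, a favourite hiding place
    Set-ItemProperty -Path $Advanced -Name 'ShowSuperHidden' -Value 1 -Type DWord
}

function Test-ShowAllFiles {
    # Read the values back rather than trusting that the writes succeeded.
    $p = Get-ItemProperty -Path $Advanced
    return ($p.Hidden -eq 1) -and ($p.HideFileExt -eq 0) -and ($p.ShowSuperHidden -eq 1)
}

Set-ShowAllFiles
if (Test-ShowAllFiles) {
    # Explorer reads these values when it starts, so restart the shell.
    Stop-Process -Name explorer -Force -ErrorAction SilentlyContinue
    Start-Sleep -Seconds 2
    if (-not (Get-Process -Name explorer -ErrorAction SilentlyContinue)) { Start-Process explorer.exe }
    Write-Host 'Hidden files, protected system files and file extensions are now visible.'
} else {
    Write-Warning "Settings were not applied; check that $Advanced exists and is writable."
}
```

Showing extensions matters as much as showing hidden files: with extensions hidden, a file named "readme.txt.exe" displays as "readme.txt", which is exactly how a lot of yuckware gets double-clicked.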
Perform at least 2 of the following free online virus scans (with your own resident antivirus disabled):
Trend Micro Free Online Scan
Panda Free Online Scan
BitDefender Free Online Scan
Symantec Free Online Scan
Kaspersky Free Online Scan
StopSign Free Online Scan
RAV Free Online Scan
McAfee Free Online Scan
Additionally, and again with any resident security/privacy software disabled, once you have completed at least 2 of the online virus scans, run Trend Micro's Online Spyware Scan, per the instructions on its splash page.
IMPORTANT: DISABLE ANY OTHER ANTIVIRUS YOU MAY HAVE ON YOUR MACHINE BEFORE RUNNING ANY OF THE ONLINE SCANS. Also, if you have any popup blocking, adblocking, or actively running antispyware application, disable those as well; they can interfere with online virus scans. Should an online scan report it has detected something it cannot repair or remove, please copy the exact message received, being sure to note the entire path of any file mentioned, and save it to post to your help request thread at the appropriate time.
If you are running Win ME or Win XP, make sure your Windows and your programs other than your browser are operating properly, then disable System Restore. Again, be sure everything else works as it should before you do this, as you will remove your previous restore points.
Disable/re-enable System Restore, Win XP
Disable/re-enable System Restore, Win ME
Remember this procedure, so you can re-enable System Restore when your machine is finally clean, but do not re-enable System Restore until your system really is clean.
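For anyone who prefers to script this step, the following is an added example, not part of timber's post or of the linked Microsoft instructions. It assumes an elevated Windows PowerShell session (the `*-ComputerRestore` and `Checkpoint-Computer` cmdlets exist there but not in PowerShell Core), records the restore points you are about to lose, switches System Restore off for the Windows drive, and provides a matching function for switching it back on, and taking a fresh known-good point, once the machine really is clean. The report file name and the restore point description are constructed.

```powershell
# Added example, not part of timber's post: record existing restore points, then
# turn System Restore off for the Windows drive; Enable-RestoreAfterCleanup
# reverses it once the machine is clean. Assumes an elevated Windows PowerShell.
function Test-IsElevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-RestorePointSummary {
    # Existing restore points, oldest first; CreationTime is a WMI datetime string.
    Get-ComputerRestorePoint | ForEach-Object {
        [pscustomobject]@{
            Sequence    = $_.SequenceNumber
            Created     = [System.Management.ManagementDateTimeConverter]::ToDateTime($_.CreationTime)
            Description = $_.Description
        }
    } | Sort-Object Created
}

function Disable-RestoreForCleanup {
    param([string]$Drive = "$env:SystemDrive\")
    # Turning it off deletes every existing point, which is the whole idea:
    # restoring to an infected point would put the yuckware straight back.
    Disable-ComputerRestore -Drive $Drive
}

function Enable-RestoreAfterCleanup {
    param([string]$Drive = "$env:SystemDrive\")
    Enable-ComputerRestore -Drive $Drive
    # Take a known-good point so there is something clean to roll back to.
    Checkpoint-Computer -Description 'Clean after yuckware removal' -RestorePointType 'MODIFY_SETTINGS'
}

if (-not (Test-IsElevated)) { throw 'Run this from an elevated (Run as administrator) PowerShell.' }
# Constructed file name; saved to the desktop alongside the other logs.
$log = Join-Path ([Environment]::GetFolderPath('Desktop')) 'restore-points-before-cleanup.txt'
Get-RestorePointSummary | Format-Table -AutoSize | Out-String | Set-Content -Path $log
Write-Host "Existing restore points saved to $log"
Disable-RestoreForCleanup
Write-Host "System Restore is now off for $env:SystemDrive. Call Enable-RestoreAfterCleanup only when the machine is clean."
```

Running the script disables System Restore immediately; Enable-RestoreAfterCleanup is deliberately not called, so that it is only run by hand at the very end of the procedure, after the help thread has confirmed the machine is clean.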
Now,
- Boot into Safe Mode. The following steps are to be carried out in safe mode until the series is completed and you are advised to reboot normally. If at any time during the process you do reboot, boot back into safe mode before proceeding with the next step.
- Once booted into safe mode, locate Stinger and run it, selecting "Fix". The process may take a fair while to complete - be patient, let it run to the end. When it has completed, run it a second time. If it reports it has found nothing after the 2nd scan, move on; otherwise, run it a 3rd time. If it does not come up clean after the 3rd run, note the exact, verbatim message it gives you, being sure to include the full path to any file(s) it mentions. When this has been done, reboot, returning to safe mode.
- Locate "NAILFIX", and click on "Nailfix.cmd". Your desktop and icons will disappear and reappear, and a window should open and close very quickly. When it has completed, run it a second time. If prompted to reboot, do so, returning to safe mode, otherwise move on.
- When NAILFIX has run, locate and run AboutBuster 5.1; when it has completed, run it a second time. If prompted to reboot, do so, returning to safe mode, then go on to the next step, otherwise, don't reboot. Note and save AboutBuster's log following your second run of the app.
- When AboutBuster 5.1 has completed its 2nd run, and you have saved its log, locate and run CWShredder, selecting the "Fix" option. When it has completed, run it a second time. Don't reboot unless prompted to do so.
- Locate EWIDO (Win2k/XP Only), run a full system scan (which might take an hour or more), allow EWIDO to fix whatever it can, and save the log to post back here. When EWIDO has completed, reboot, returning to safe mode.
- Locate and run CCleaner (Windows ME or earlier, use CleanUp per its instructions; there will be no option to scan-for-and-repair "Issues"). When it opens, select "Analyze", let it scan through your system (should be just a couple minutes), then select "Run Cleaner", confirm you wish to delete files, and follow any onscreen prompts. When that cleanup is complete, click on the 3rd tab, "Issues", and select "Analyze". When the analysis has completed, select "Fix selected issues .... ", and confirm when prompted. The application will offer to write a registry backup - let it do so. It will offer to place the backup in your "My Documents" folder - select "New Folder", name the folder "CCleaner Backups", and click "Save". Reboot, returning to safe mode.
- Locate Microsoft AntiSpyware Beta, and launch it. At the top of the screen, select "Tools", then select "Advanced Tools" and select "Browser Hijack Settings Restore". At the bottom right of the list, click "Check All", then click "Restore". When the restore has completed, select "Spyware Scan" from the top right of the page, then select "Scan Options, and make sure "Full System Scan" and all 3 of its boxes are checked, then click "Run Scan Now". This shouldn't take very long, but 15 minutes to half an hour would be common. When the scan and repair have completed, run a second full scan-and-clean, then reboot, returning to safe mode.
- Locate Ad-Aware SE, and launch it. Click the "Add-ons" bar, locate, and run the VX2 Cleaner plugin. When that has been completed, close then relaunch Ad-Aware SE, select "Scan Now", select "Use custom scanning options", select "Next", and allow the scan to complete - which could take a good long while. When it has completed, have it fix all it has found, then close the application. If it requests permission to run again on reboot, permit it and reboot normally, allow it to perform its automated scan-on-boot, have it fix anything it finds, then reboot back into safe mode. Otherwise, do not reboot.
- Locate and launch Spybot S&D, click "Check for problems", and be patient while it scans. Allow it to fix anything it finds that it lists in red. If it requests permission to run again on reboot, permit it and reboot normally, allow it to perform its automated scan-on-boot, have it fix anything it finds marked in RED, then reboot back into safe mode. Otherwise, do not reboot.
- When Spybot S&D has finished, run CCleaner once more (Windows ME or earlier, use CleanUp). When CCleaner has finished, BOOT NORMALLY, not into safemode. Do not connect to the internet yet, and do not re-enable System Restore.
- Disable your resident antivirus if not still disabled, then run full system scans with EWIDO (if you are running Win2K or XP; save the new EWIDO logfile, naming it "2nd" or something like that), Microsoft AntiSpyware (if you're running Win XP), Ad-Aware, and Spybot S&D, allowing each to fix whatever, if anything, needs fixing.
- Run CCleaner or Cleanup, as applicable, once more, then reboot normally again. Do not connect to the internet.
- Close all running applications, and run HiJackThis WITH NO OTHER BROWSERS, WINDOWS, FILESHARING, EMAIL, OR MESSAGING APPLICATIONS OPEN OR RUNNING, fixing nothing, just saving the log. Now, re-enable your resident antivirus, run another full system scan, then reconnect to the internet (use LSP-Fix or WinsockFix, as appropriate, per its instructions if you cannot connect).
- Once connected to the internet, navigate to your A2K yuckware help thread, or open one if you have not already done so, give a brief description of your problem, and paste both EWIDO logs (if you are running Win 2K or XP) and the latest HiJackThis log to your own help request thread. Also include any error messages or "could not fix" reports you may have received. Do not re-enable System Restore yet; we may not be done.
DO NOT POST YOUR HELP REQUEST OR HIJACKTHIS LOG TO THIS THREAD, OR TO SOMEONE ELSE'S PRE-EXISTING THREAD; IF YOU DO IT LIKELY WILL BE IGNORED AND EVEN MAY BE DELETED WITHOUT NOTICE OR COMMENT
Edit to add: Please note this procedure may be updated from time to time as circumstances warrant. It is best always to refer to the current page to be sure you have the latest info; you shouldn't rely on an earlier saved or printed-out version you may have on hand. Thanks for understanding and cooperating - timber