Sandi
Sat Jun 26 23:29:32 CDT 2004
Thanks George. I'll think about that for a while.
--
_______________________________________
Sandi - Microsoft MVP since 1999 (IE/OE)
http://inetexplorer.mvps.org
"George Hester" <hesterloli@hotmail.com> wrote in message
news:#MU8uk7WEHA.1036@TK2MSFTNGP10.phx.gbl...
Sandi many of these hijackers are putting in Add/Remove that if you try to
Add\Remove the installed hijack they require you to hook to their websites
for removal. The client does NOT want to do that. Just thought you might
want to include that caveat in your increasingly excellent "Spyware
avoidance and removal instructions."
--
George Hester
__________________________________
"Sandi - Microsoft MVP" <sandi_hardmeier@mvps.org> wrote in message
news:#LVaEc5WEHA.3640@TK2MSFTNGP11.phx.gbl...
> There are many people who have helped this FAQ improve over time - MVPs and
> newsgroup users. I thank all of you who have made the newsgroups,
> anti-malware websites and dedicated mailing lists into such a wonderful
> resource.
>
> Read the advice at my prevention link
> (http://inetexplorer.mvps.org/data/prevention.htm) to reduce the chances of
> your computer being infected.
>
> IMPORTANT: Before trying to remove spyware, download a copy of LSPFIX from
> the URL below - some malware can kill your internet connection when it is
> removed, and this software should get things going for you again:
>
> http://www.cexx.org/lspfix.htm
>
> Also get a copy of WINSOCKFIX available at:
>
> http://www.spychecker.com/program/winsockxpfix.html
>
> The software you should download and have ready to use is:
>
> AdAware - www.lavasoft.de [..Warning: AdAware is now version 6.181. All
> previous versions are NO LONGER SUPPORTED and will not be updated...]
>
> Spybot Search and Destroy - http://spybot.eon.net.au
>
> HijackThis - http://209.133.47.12/~merijn/files/HijackThis.exe
>
> CWShredder - http://www.merijn.org/files/CWShredder.exe
>
> IMPORTANT: After obtaining the required software above, make sure you check
> for updates and run the programmes in safe mode.
>
> Malware removal (beginner's guide):
>
> First, go to Control Panel, add/remove programs. Check for malware entries
> and use the uninstall programs, then reboot.
>
> Go to start/run and type MSCONFIG. Go to the startup tab. Disable
> everything that you do not recognise as legitimate (do not disable any power
> profile options).
>
> Now go to the Services tab. Turn on the option to 'hide all Microsoft
> Services'. Disable everything that remains. If you don't have this option,
> don't worry about it.
>
> Reboot your computer and hold down the F8 key until the boot menu options
> appear. Choose Safe Mode as your startup choice. You will find
> information about what safe mode is, and what it does, at this link
> [http://inetexplorer.mvps.org/data/safe_mode.htm]
>
> Start CWSHREDDER. Update it, and fix anything it finds. Reboot back into
> safe mode.
>
> Start AdAware. Use the 'check for updates now' option. After you have
> updated, click 'start'.
>
> Note that when run using default settings, AdAware does not cope with new
> 'intelligent' malware. Make the following changes to the default
> settings.
>
> Use the option 'select drives/folders to scan'. Set AdAware to scan your
> entire hard drive.
>
> Make sure 'activate in depth scan' is enabled.
>
> Select 'use custom scanning options' and then click on the 'customize'
> button. Turn on the following scan options - scan within archives, scan
> active processes, scan registry, deep registry scan, scan [my] IE favorites
> for banned URLs, and scan [my] hosts file.
>
> Use the 'tweak' button. Turn on the following options:
>
> Cleaning engine: 'automatically try to unregister objects prior to
> deletion', 'let windows remove files in use at next reboot', 'delete
> quarantined objects after restoring'.
>
> Scanning engine: 'unload recognized processes during scan'.
>
> After you have finished with AdAware run Spybot to pick up any leftovers.
> Fix anything marked in red. Again, don't forget to check for updates.
>
> Also do the following:
>
> Empty your IE cache and your other temporary file folders, eg: c:\temp,
> c:\windows\temp or C:\Documents and Settings\<name>\Local Settings\Temp (the
> path to your temp folder will change depending on your name) - sometimes
> programmes can be hidden in there - watch out for mysterious *.exe files or
> *.dll files in those folders.
>
> Go to IE Tools, Internet Options, Temporary Internet Files {Settings
> Button}, View Objects, Downloaded Program Files. Check for unrecognised
> objects there.
>
> Go to IE Tools, Internet Options, Accessibility. Make sure there is no style
> sheet chosen (under User Style Sheet - format documents using my style
> sheet). If the option is turned on, turn it OFF.
>
> If the problem comes back, start all over again but with the following
> changes (this section requires advanced computer skills - inexperienced
> users will require assistance):
>
> Examine win.ini using MSCONFIG to see what is loading. You may find
> something there. Go to MSCONFIG and go to the General tab. Turn off
> process win.ini file, load system services and load startup items. Restart
> Windows and run AdAware etc once more.
>
> Use services.msc to see what is running. Some malware is now registering
> itself as a Service. The problem is working out what is legitimate and what
> is not.
>
> I strongly recommend that unless you have strong experience working in this
> area that until such time as I am able to track down a comprehensive list of
> legitimate services (or put one together myself), that you post details of
> the services revealed by services.msc to a microsoft.public newsgroup for
> professional guidance. If you turn off the wrong service you could cause
> serious problems, and at the very worst, leave the computer unbootable.
>
> An experienced computer technician can use a programme such as AutoStart
> Viewer for in-depth diagnosis:
>
> http://www.diamondcs.com.au/index.php?page=asviewer
>
> Another excellent programme for the experienced user is APM (Advanced
> Process Manipulation), available at:
>
> http://www.diamondcs.com.au/index.php?page=apm
>
> Once the computer is clean, and if it applies to the operating system,
> create a new restore point. The old ones may, of course, be infected with
> the malware and therefore cannot be used. Run disk cleanup to remove old
> restore points (if your operating system has this option you will find it on
> the 'more options' tab of the disk cleanup utility). If the option to remove
> old restore points is not available, stop and restart the restore service
> which will flush out old restore points and prevent accidental reloading of
> malware.
>
> MS have released a limited KB article regarding what they call 'deceptive
> software'.
>
> http://support.microsoft.com/default.aspx?scid=kb;EN-US;827315
>
> Here is advice specific to:
>
> home page hijackings
>
> http://inetexplorer.mvps.org/answers.htm#home_page
>
> pop-up ads
>
> http://inetexplorer.mvps.org/data/popup.htm
>
> search engine hijackings
>
> http://inetexplorer.mvps.org/answers4.htm#search_engine
>
>
> --
> Hyperlinks are used to ensure advice remains current
> _______________________________________
> Sandi - Microsoft MVP since 1999 (IE/OE)
>
> http://inetexplorer.mvps.org/
>
>
>
> paulus wrote:
> > I have a similar problem to niv of todays date.
> > Home page is hijacked to ahbnr.dll/index.html#35759.
> > Any suggestion would be appreciated.
>
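
A read-only PowerShell version of two manual checks from the FAQ quoted above (stray *.exe/*.dll files in the temp folders, and an IE start page that loads from a DLL, as in paulus's report), added here as an example and not part of the original posts. It assumes PowerShell 4.0 or later; the variable names are illustrative.

```powershell
# Added example: read-only audit. Nothing is deleted or changed.
# Assumes PowerShell 4.0+ (Get-FileHash); variable names are illustrative.

# Temp folders named in the FAQ; $env:TEMP resolves the per-user
# "Local Settings\Temp" path, which differs by account name.
$tempDirs = @('C:\temp', "$env:windir\Temp", $env:TEMP) |
    Where-Object { $_ -and (Test-Path -LiteralPath $_) } |
    Sort-Object -Unique

# List every *.exe / *.dll with signature status and hash for triage.
$binaries = foreach ($dir in $tempDirs) {
    Get-ChildItem -LiteralPath $dir -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.exe', '.dll' } |
        ForEach-Object {
            $sig  = Get-AuthenticodeSignature -LiteralPath $_.FullName
            $hash = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Path      = $_.FullName
                Modified  = $_.LastWriteTime
                Signature = $sig.Status                      # e.g. NotSigned, Valid
                Signer    = $sig.SignerCertificate.Subject   # empty when unsigned
                SHA256    = $hash.Hash                       # empty if the file is locked
            }
        }
}
$binaries | Sort-Object Modified -Descending | Format-List

# IE start page: flag values that load from a local file or a DLL resource.
$ieMain    = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$startPage = (Get-ItemProperty -Path $ieMain -ErrorAction SilentlyContinue).'Start Page'
if ($startPage -match '^(res|file):|\.dll([/?#]|$)') {
    Write-Warning "IE start page loads from a local file or DLL: $startPage"
} else {
    "IE start page: $startPage"
}
```

Unsigned binaries with recent modification times are the entries to look up first; a signed file in a temp folder is not proof that it is legitimate.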