
Before Posting a Hijack log file - Best Practices


by bcastner. Posted (Edited)

As you are likely aware, reading a Hijack log report is incredibly tedious work. To interpret it properly is an art as well as a skill, developed from long hours reading information in security forums.

The author of Hijack This! (and cwshredder) notes that there are now close to 10,000 variants of the Cool Web Search hijack exploit alone on the web. These malware infections of your system are often not viruses, at least as far as most antivirus programs are concerned.

Many excellent tools, including some excellent freeware tools, have been developed to supplement your antivirus program.

Before posting a Hijack log here, it would be a great help if the following steps were taken first:

Special Note for XP users:
right-click My Computer, choose Properties, open the System Restore tab and uncheck the box so that System Restore is turned off on all drives (otherwise infected files preserved in restore points can come back). Do this first. When you have finished the steps below, re-enable System Restore.

Special Note for all:
You want to run the antivirus, spyware, adware, and other utilities without IE active, and without any peer-to-peer application active, such as eDonkey, Kazaa or eMule. Your success with any of the tools below approaches 100% if no internet application is currently active. A tip of my hat to forum member SYAR2003 for reminding me of the importance of this step.

1. If you have an antivirus program installed (and you should), update the virus definition files and do a complete and thorough scan. Allow your antivirus program to do its job, quarantining and removing any malware it discovers.

2. In addition, run at least one online antivirus scan from smah's FAQ: FAQ760-3862

I would run two: Trend Micro and Panda, but there are other choices available in smah's FAQ.

For a single file you find suspicious, submit it to Virus.org to have several scanners take a look and report back to you: http://scanner.virus.org/

3. Scan with an anti-spyware, anti-trojan tool. Several excellent ones for free or free trial:
Microsoft Defender Antispyware (formerly GIANT): http://www.microsoft.com/athome/security/spyware/software/default.mspx
A2 scanner: http://www.emsisoft.com/en/software/free/
Ewido: http://www.ewido.net/en/?section=features

My personal favorite is Microsoft Defender Antispyware.

I have never seen a single antivirus program or malware scanner that caught everything.

4. Download these three troubleshooting tools, update each one from within the program, and run them in the order given:

. cwshredder
. SpyBot
. AdAware

It is important to run these programs in the above order. Each identifies different malware issues, and there is a method to this madness: it is an orderly way to remove malware.

Unfortunately, the main download sites are often hit with Denial of Service attacks, and may not resolve. Use the "mirror" links first:

Cwshredder, Hijack This: http://www.spywareinfo.com/~merijn/downloads.html
Cwshredder Version 2 - 10/2004:
http://www.intermute.com/spysubtract/cwshredder_download.html

AdaWare: http://www.lavasoftusa.com/support/download/

SpyBot:
http://www.safer-networking.org/en/download/index.html

Special Note #1: In some cases one or more of these programs may immediately exit. If this happens to you, download and run this program first, and then Cwshredder, Adaware and/or Hijack This will run successfully: http://www.safer-networking.org/files/delcwssk.zip

Special Note #2: If your problem is an unwanted Toolbar appearing in IE, a rather direct route to removing this malware is ToolBarCop: http://www.mvps.org/sramesh2k/toolbarcop.htm

5. Reboot. Test to see if your IE or other browser or mail client issues have been resolved. There have recently been some variants that require one more tool, Kill2Me: http://www.spywareinfo.com/~merijn/files/kill2me.zip

6. If still no joy (this will do no harm):

. Download and run the LSPfix utility: http://www.cexx.org/lspfix.htm

7. If still no joy (this will do no harm):

. Download and run the Winsock repair utility: FAQ779-4625

Reboot. If it is still problematic, post the Hijack log on the site.

Hijack This! can be downloaded from: http://www.spywareinfo.com/~merijn/downloads.html
Mirror sites: http://www.lurkhere.com/~nicefiles/

My own good guess is that if you take the steps above there will be no need to post a Hijack log here. But if you still have problems:

. State the problem first. Your homepage is hijacked to the wrong site; I cannot access the internet at all; I receive pop-ups I do not want; my Favorites list is now populated with porn sites; etc. Be as specific as possible in the first lines of your post.

. Hijack This has the option to update the program on-line. Do so; if an updated version is available, exit the original version and run the new one.

. Post the complete log here. Sometimes the problem lurks in a section that may not seem important to you.

. Now post the log generated with a click on the Scan button.

Usually someone will see your log file and give specific advice about what to remove with Hijack, or in combination with other instructions.

Remember that you can always run Hijack again and revert any changes suggested by a poster. Hijack lists a great deal of information, and it can happen that something removed is important to your system. If so, run Hijack again, revert the change, and reboot. The horrible fact of the matter is that bad guys often hide under the names of good guys. Removal of all the bad guys is an imperfect process, and it may take more than one scan to complete the job.


Best,
Bill Castner
(With a lot of help from Syar2003, carr, smah, manarth, Diogenes10 and many others)