CoolWebSearch hijack fix.

Thread starter: tomaras

tomaras

Microsoft: You need to put some resources towards ending
the CoolWebSearch hijack. I'm an experienced user and I
have been trying to remove it from a friend's computer for
days now and it appears the only solution is to do a clean
install of the entire OS. From the research on this hijack
that I have done, it seems it should be on the top of your
priority list.
 
Important Information:
This is pre-release (beta) software distributed for
feedback and testing purposes. Microsoft does not provide
technical support for beta releases. If Windows
AntiSpyware (Beta) is causing an issue with your system,
we recommend removing it by using Add or Remove Programs
and even using System Restore if the problem persists.

Hi Tomaras,
First, try the MWAS on a full scan from Safe Mode; empty the temp and TIF
Files. If that fails, check IE for BHOs in Internet Options--Manage add ons.

Should those steps fail, hit it with CWShredder.

Ron Chamberlin
MS-MVP
 
This article might help; I found it on my home browser,
comcast.net.

CajunTek: READ THIS FIRST IF YOU'VE BEEN HIJACKED, HAVE
SPYWARE OR YOUR PC'S INFECTED (Feb 28, 2004 9:52 AM)

Posts: 4,942 From: Arlington Texas
Registered: 10/7/03

Q: I think my computer is infected / has been infested by
spyware, or my home page has been hijacked. What should I
do?

Note: hijacked refers to having your home page changed
without your requesting it and usually not being able to
change it back..

Please follow these instructions in a step by step
fashion.. This is important.. NOTE: DO NOT POST FOR HELP
IN THIS THREAD.. YOU WILL NOT RECEIVE A RESPONSE HERE and
hopefully the mods would move it to a separate thread
anyway. updated 8/14/04

Some additional notes: We will generally have solved your
immediate problem when you have reached step 5.. It is
highly recommended that you continue the process through
step 11 (not the notes and addendums), as this may help
you prevent further infections. updated 8/14/04

When the step indicates running an update, activate the
update function of the program. Once the update is
complete, stop and start the program before running your
scan. This will ensure your scan is done using the latest
program and malware database versions.

1. Update and run any anti-virus and anti-trojan products
you already have installed on your computer. Do a full
scan of your computer. Record exactly the names of any
malware they turn up. Quarantine and cure (repair, rename
or delete) any malware found.


2. Run two or three free web based AV scanners. Record
exactly the names of any malware they turn up. Then
quarantine and cure (rename, move or delete) the malware.
(This scanning is the most time consuming step in this
checklist, but it is important.)
Go to web based AV scanners:
http://security.symantec.com/sscv6/default.asp?langid=ie&venid=sym
http://housecall.trendmicro.com/
http://www.ravantivirus.com/scan/
http://www.pandasoftware.com/activescan/
http://us.mcafee.com/root/mfs/default.asp


3. Download, install, update and run the following anti-
hijacking and anti-spyware products. Then record exactly
the names of any problems they turn up. (Tracking cookies
are easily cleaned-up by deleting them, so don't bother
recording them.) Then quarantine and cure the malware.
(Note: the links take you to tutorials for the listed
software.. Download links are contained within each
tutorial. The alternate link is a direct link to the
program.)

3.1 CWShredder (free):
http://forum.gladiator-antivirus.com/index.php?showtopic=9638
Alternate download site:
http://www.spywareinfo.com/downloads/tools/CWShredder.exe
3.2 Spybot S&D (donationware):
http://safer-networking.org/en/tutorial/index.html
Alternate download site: http://www.safer-networking.org
3.3 Ad-aware (donationware):
http://forum.gladiator-antivirus.com/index.php?showtopic=8050
Alternate download site: http://www.lavasoft.de

4. If problem persists, download, install and update an
anti-trojan program. Record exactly the names of any
problems it turns up. Then quarantine and cure the
malware.

TDS-3 and Port Explorer (30 day free trial):
http://www.diamondcs.com.au/index.php?page=home

TrojanHunter (30 day free trial):
http://www.misec.net/products/

BOClean: http://www.nsclean.com/

A2 http://www.emsisoft.com/en/software/free/ updated
8/14/04
Ewido http://www.ewido.net/en/? updated 8/14/04



5. If the problem persists, download and run HijackThis:
http://forum.gladiator-antivirus.com/index.php?showtopic=9469
Alternate download site: http://www.subratam.org/?page=removal


In a new topic that you create (Do not post hijackthis
logs in this thread) in the Comcast Security Forum:
- Post the HijackThis log, one topic per infected
computer.
- Include the results of the earlier AV, AT and AS scans,
since this will help in the analysis of the HijackThis
log.
- You can carry on with the steps 6, 7 and 8 while you
wait for feedback from HijackThis experts in the forum.

Remember that filenames suggest what a program file is,
but files can be changed or renamed. It is file contents
that determine what a file actually does. So it is
important to run the scans in the earlier steps before
creating the HJT log.

Note that it is important to place HijackThis in its own
folder, such as c:\hjt\hijackthis.exe. Here are
instructions on how:
http://russelltexas.com/malware/createhjtfolder.htm



6. Run security analysis products to check your settings
and installed software. These analysis products are
definitely not 100% thorough in the checks they do. Also,
the messages that are produced are usually cautions to
check that something is as you want it to be, and are not
definite instructions to change something.

6.1 Install and run Belarc Advisor (free):
http://www.belarc.com/

When you run Belarc Advisor, look for:

6.1.1 Users you didn't add. Check whether your computer
maker or re-seller added the users for support purposes
before you bought the computer. Otherwise they indicate a
hacker has accessed your system.

6.1.2 Microsoft Hotfixes with red Xs beside them,
indicating they can be verified by the automated process,
but failed verification. The earlier the version of
Windows, the more likely the fix came off "innocently"
when new software was added or upgraded. Click
on "details". This will take you to a Microsoft webpage
explaining the fix, and allowing you to re-apply it.

6.1.3 Under software versions, software you didn't
install. Many software packages include other third party
software. So installing one product can make 3 or 4
products show up in Belarc - and this is not a problem.
On the other hand, hackers often install legitimate FTP
server or email server software, and because the server
software is legitimate it will not show up in a virus
scan.

6.1.4 Save a copy of the Belarc Advisor results. In a few
weeks, compare your saved scan with a new scan, looking
for unexpected changes.

6.1.5 Ask in the Comcast Security forum before making any
changes.
6.2 Install and run Microsoft Baseline Security Analyzer
(free).

6.2.1 Review the results to see that they correspond with
how you have set your computer up. Changes might indicate
that someone has altered settings. Or the settings may
have been altered when other software was added or
updated. (Security updates with reason "306460" simply
cannot be verified by the automated process. This is
normal.)

6.2.2 Save a copy of the results. Compare them with the
results in a few weeks, looking for unexpected changes.

6.2.3 Ask in the Comcast Security forum before making any
changes other than reapplying hotfixes.


7. Different vendors have different names and version
identifiers for the same virus, so first look up the
virus in the encyclopedia of the scanner's vendor for
specific disinfection instructions. Use your product's
link to find the information for your situation.


In Windows XP and Me, to prevent a virus being restored
by the operating system, it is often necessary to
temporarily disable System Restore. The instructions are
here:
http://support.microsoft.com/default.aspx?scid=kb;en-us;831829&Product=winxp
or, if you are using Norton's products:
service1.symatec.com...


8. Depending on the instructions in the virus
encyclopedia for your scanner, it may be necessary to use
auxiliary virus removal tools.

8.1 First be sure to submit a copy of any malware that is
not consistently detected or that doesn't behave as
expected. Submit suspected malware.

8.2 If an auxiliary tool is required, it is best to first
try the tool of the scanner's vendor.

8.3 Read the complete write-up of the virus in the
encyclopedia of the tool's vendor to find the
disinfection instructions. In addition to running the
scanner or tool, there may be a few manual steps required.

8.4 Generally each removal tool will only detect and
effectively remove the virus variants it says it will.


9. If it was turned off earlier, turn System Restore back
on, and confirm that your virus scanner is working: How
can I test that my AV program is working?


10. Resecure your computer and accounts. The ideas in the
following step-by-step guide are useful for cleaning any
version of Windows:
http://www.cert.org/tech_tips/win-UNIX-system_compromise.html

10.1 In particular, if private information is kept on the
computer, and if the malware found included a "backdoor"
or allowed hackers to "run arbitrary code" , and if it is
likely that a hacker may have used the backdoor,
consideration should be given to backing-up data to be
retained, and then re-formatting and re-installing
programs on the computer from trusted sources.

This is because a backdoor allows a hacker to make other
changes that may reduce your security settings, but that
are not readily detectable with current tools.

10.2 If a keystroke logger is detected then hackers may
have access to what was typed into your computer,
including passwords, credit card numbers, and account
numbers.

10.2.1 Immediately cancel any credit cards used on the
computer, and ask for replacements with new account
numbers.

10.2.2 Using an uninfected computer, change any website
or server passwords that were entered on the infected
computer.



11. Check these other useful links for tips on
disinfection and preventing a recurrence.

How to keep my computer secure: a layered approach, by
dslreports
A test for your AV: see the site; you can download a dummy
virus to test your AV
Security tips
Note there are many more. An excellent resource can be
found at http://www.dslreports.com
Another good security resource is Eric Howes. See his site:
https://netfiles.uiuc.edu/ehowes/www/main.htm An
especially good protective utility for IE users is IE-
SPYAD.

Here are some places to help getting started dealing with
problems of hijackings.. infections etc..
for the beginner:

http://www.dslreports.com/faq/8428
http://forum.gladiator-antivirus.com/index.php?showtopic=9857
http://www.spywareinfo.com/forums/index.php?showtopic=5187
Note that these are faq's that apply to different fora
but the main idea applies to any fora where spyware,
hijackings, etc are going to be addressed..

Some other good tutorials by Calamity Jane.

SpyBot Search & Destroy
AD-AWARE Standard Edition
CWShredder
HijackThis

Next for the more advanced.. (I mean that.. don't delete
something using hijack this if you don't fully understand
what you are doing) These are full tutorials on how to
interpret the logs from hijackthis..
http://hjt.wizardsofwebsites.com/
http://www.spywareinfo.com/~merijn/htlogtutorial.html
And here are some additional links to assist with using
the hijack this application:
Tutorial: http://computercops.biz/HijackThis.html
Download: http://computercops.biz/modules.php?name=Downloads&d_op=getit&lid=328
Forum: http://computercops.biz/forum67.html



One other thing.. Before you begin posting requests for
help, it will help the other users who are trying to
assist you if you select a user name for the forum; it is
difficult to sort through all of the anonymi out there.
Do this by clicking on settings at the top of any forum
page and selecting the "your profile" tab.. Do not use
your email address (i.e. if you are (e-mail address removed)
do not use comcast for a forum name). We don't want to add
to your spam problem. Also there is an option to "hide"
your email address. Make sure that is selected..

Thank you
 
.... and grab yourself a copy of AdAware SE :
http://download.com/3000-2144-10045910.html?part=69274&subj=dlpage&tag=button

Show hidden files and folders
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

Run MSAS in Safe Mode, as Ron suggests, then CWShredder, then AdAware SE.
One of the latest CoolWebSearch variants is once again using hidden
AppInit_DLLs to reinfest the system. The method laid out here may
provide a way to identify and delete the hidden .dll file :
http://www.silentrunners.org/sr_cwsremoval.html

Steve Wechsler (akaMowGreen)

MS-MVP 2004-2005

............. In memory of our dear friend, MVP Alex Nichol .............
........................ 1935-2005 ...........................
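The persistence points this thread keeps coming back to (a hidden AppInit_DLLs entry, Browser Helper Objects, the hijacked IE start/search pages, and registry keys a cleaner finds but cannot delete because of Deny permissions, the problem George Aker's reply later fixes by hand in regedit) can be enumerated in one read-only pass. The script below is an added example, not code from the thread or from any of the tools named in it; it assumes a Windows host with PowerShell 3 or newer running elevated (the XP-era machines in the thread predate PowerShell), and it only reads and reports, never deletes.

```powershell
# Added triage script (not from the thread). Read-only: reports the CWS-style
# persistence points discussed above so a human can decide what to remove.
# Assumes PowerShell 3+ in an elevated session on a modern Windows host.
$findings = @()

# AppInit_DLLs: every DLL listed here is loaded into each process that maps
# user32.dll, which is how the variant above re-infects after every reboot.
$winKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$winVals = Get-ItemProperty -Path $winKey -ErrorAction SilentlyContinue
foreach ($dll in (($winVals.AppInit_DLLs -split '[ ,;]+') | Where-Object { $_ })) {
    $path = [Environment]::ExpandEnvironmentVariables($dll)
    if (-not [IO.Path]::IsPathRooted($path)) { $path = Join-Path $env:SystemRoot "System32\$path" }
    $file = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue   # -Force shows hidden files
    $findings += [pscustomobject]@{
        Source = 'AppInit_DLLs'; Item = $dll; Path = $path
        Exists = [bool]$file
        Hidden = [bool]($file -and ($file.Attributes -band [IO.FileAttributes]::Hidden))
    }
}

# Browser Helper Objects: each subkey is a CLSID; its InprocServer32 names the DLL IE loads.
$bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
foreach ($bho in (Get-ChildItem -Path $bhoKey -ErrorAction SilentlyContinue)) {
    $server = "HKLM:\SOFTWARE\Classes\CLSID\$($bho.PSChildName)\InprocServer32"
    $dll  = (Get-ItemProperty -Path $server -ErrorAction SilentlyContinue).'(default)'
    $file = if ($dll) { Get-Item -LiteralPath ([Environment]::ExpandEnvironmentVariables($dll)) -Force -ErrorAction SilentlyContinue }
    $findings += [pscustomobject]@{
        Source = 'BHO'; Item = $bho.PSChildName; Path = $dll
        Exists = [bool]$file
        Hidden = [bool]($file -and ($file.Attributes -band [IO.FileAttributes]::Hidden))
    }
}

# Home page / search page values: the visible symptom of the hijack.
$ieMain = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Internet Explorer\Main' -ErrorAction SilentlyContinue
foreach ($name in 'Start Page', 'Search Page', 'Default_Page_URL') {
    $findings += [pscustomobject]@{ Source = 'IE Main'; Item = $name; Path = $ieMain.$name; Exists = $null; Hidden = $null }
}

# Deny ACEs on these keys explain why a cleaner "finds" a key but cannot delete it;
# taking ownership / granting Full Control (as in regedit) is the manual fix.
foreach ($key in $winKey, $bhoKey, 'HKCU:\Software\Microsoft\Internet Explorer\Main') {
    $acl = Get-Acl -Path $key -ErrorAction SilentlyContinue
    foreach ($ace in ($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' })) {
        $findings += [pscustomobject]@{ Source = 'DenyACE'; Item = $key; Path = "$($ace.IdentityReference): $($ace.RegistryRights)"; Exists = $null; Hidden = $null }
    }
}
$findings | Format-Table -AutoSize
```

Any AppInit_DLLs or BHO row with Hidden = True, or any DenyACE row, is the kind of entry the thread's tools were missing; save the table so a second run after cleaning can be compared against it.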
 
I have invested a number of hours of time into trying ALL
of the solutions offered and the "f_cking" cool web search
crap lives on in the affected computer. I gotta ask why
doesn't this beta release address this malware? Is there
some other spyware/hijack exploit out there that is worse
than this? MS doesn't kill it, Spybot doesn't kill it,
Adaware doesn't kill it, CW Shredder doesn't kill it, etc.
etc.

If I were the lead for this group I'd be asking my boss for
whatever resources it takes to develop a removal tool for
CWWS that actually works. Then MS would have some damn
bragging rights over all the other non-solutions out there.
Anyway...bottom line is this is happening on a friend's
computer that is pretty much dedicated to video editing
with the Avid system and she has had it with Windows now
and is moving to a Mac. I'm really amazed that with
reasonably advanced computer skills I cannot remove this
crap and equally amazed that no software exists to address it.
 
If it's that much of a problem, I wouldn't bother taking it out with MSAS
specifically; it is still beta. The best recommendation, if any of the following
solutions are not able to remove it, is to format that system:
Ad-Aware - www.lavasoftusa.com
Spybot - http://www.safer-networking.org/
CWShredder - http://www.intermute.com/products/cwshredder.html
Spy Sweeper - www.webroot.com

--

Andre
http://spaces.msn.com/members/adacosta
FAQ for MS AntiSpy http://www.geocities.com/marfer_mvp/FAQ_MSantispy.htm

Hi,

Try this and see if you can get rid of it.
Run Spybot in the Safe Mode, it should find three or more Registry entries.
Take note of what and where they are. Minimize Spybot and open Regedit, look
for the Keys it found. On each one right click and select Permissions. Make
sure Allow and Full is selected. Right click the Key again and select
Delete. When finished reboot the machine and run Spybot again, it should be
clean.

All the best,
--
George Aker aka SG
Google is your friend www.google.com
Anything else is just a search engine
