February 7th, 2004 13:00

Unable to eliminate spyware causing computer to operate very slowly

After reading the various messages, I have installed and run Ad-Aware, Spybot as well as a third virus/spyware detection software product called SpyHunter and none of them have fixed my problem.  I purchased a new Dell system, Dimension 2400, at Christmas time and shortly thereafter subscribed to a wireless cable modem internet connection.  For about two weeks after being connected, my internet system and computer worked very well.  However after playing around on the web one afternoon maybe a month ago, I must have picked up something that severely disabled my system.  Now when I get on the internet, pulling up web pages takes minutes, whereas it used to take seconds.  Often times, I get a message that the system is not responding.  After that point, all processes on my computer operate extremely slowly, even word processing.  I have tried contacting Dell many times, but have had no success when contacting Dell via e-mail or phone.  On the phone, I have always talked to someone who is on a time delay and speaks with a foreign accent making communication very challenging and extremely frustrating to the point where you just decide the conversation isn't productive and you would be better off trying a different option.  E-mails are often returned with form e-mails that don't fix the problem.  I have even gone so far as to have my internet provider come to my residence to help fix the problem and that hasn't worked either.

I am so frustrated, I am ready to return my computer and cancel my internet service.   It all seems like a complete waste of money and energy.  Please let me know if you have any advice on how to correct this problem.  

Message Edited by Woodrow Wilson on 02-07-2004 06:02 PM

Message Edited by Woodrow Wilson on 02-08-2004 11:15 AM

2 Intern • 28K Posts

February 7th, 2004 14:00

Did you follow the advice posted in the thousands of messages on this forum to download and run HijackThis and post the log on one of the spyware forums?  Try reading the message from ChrisRLG at the top of this forum and follow through with the advice given after Spybot and Ad-Aware.

Steve

28 Posts

February 7th, 2004 17:00

Woodrow,

Fully half my client activity involves removing spyware/malware. Some systems were so bad they could not even boot to safe mode. In such cases, you can't even get to the point where the usual removal tools can be installed, without taking some manual steps first.

If you're really stuck, try the following immediately after rebooting (and do not launch Internet Explorer).

1. Do Start....Run and run msconfig. Go to the startup tab. Write down the name and path of everything listed there, but do not change anything at this point. Note that some of these entries will refer to executable (EXE) files, while others will refer to dynamic link libraries (DLLs) launched by RunDll.exe. Again, write down everything... do not make assumptions about what looks like "part of Windows".

2. Boot to safe mode (via F8 during restart) and start Windows Explorer (in Accessories). Be sure the following options are set in Tools...Folder Options (on the View tab):

  • "hide extensions for known file types" is UNCHECKED
  • "show hidden files and folders" is SELECTED

3. For each file that you wrote down in step 1, perform the following (assumes a single partition, drive C:):

  1. navigate to the file in Windows Explorer. Most of the files you noted will be in:
    • C:\Windows or one of its "System" subdirectories
    • a subdirectory within C:\Program Files
    • C:\Windows\Temp
    • C:\ (the root directory)
  2. right click on the file and choose Properties from the popup menu
  3. go to the Version tab (if it doesn't have a version tab, it's probably spyware, so treat as in step 4).
  4. If the owner is not "Microsoft Corporation", rename the file as follows:
    • if the extension is .EXE, change the extension to .$EXE
    • if the extension is .DLL, change the extension to .$DLL
  5. Optionally, note the timestamp of the file, or of its installation directory (within Program Files). Later, you can review History in Internet Explorer to try to determine which sites were responsible for the spyware. Avoid those sites in the future.

Yes, this is probably overkill. There may be some executables and DLLs you recognize, and you could skip those. However the machine will probably boot as long as anything from Microsoft is allowed to load. But nothing else will be able to start.

4. Navigate to your browser's Plugins directory (usually this will be C:\Program Files\Internet Explorer\Plugins). Create a subdirectory there called $Plugins. MOVE everything from Plugins to the $Plugins subdirectory.

5. Go to Start Menu...Control Panel...Internet Options and set the following:

  • For Home Page, click Use Blank
  • Click Delete Cookies
  • Click Delete Files, and include All Offline Content when prompted
  • Click OK to close Internet Options, then close Control Panel
  • Do NOT clear History at this time (see note above)


6. Reboot. You should now be able to get to a normal desktop.

7. Start Internet Explorer (it should be usable now). Go to www.google.com. For each file you noted in step 1, do the following:

  1. Enter the filename and click Search
  2. Look for references to the executable or DLL in some of the common anti-spyware sites and follow those links to read the discussions.
  3. If the file is part of known spyware or malware, note this in your list. BTW, you can ignore cases where the only reference to the file is in someone's HiJackThis log - those list everything, good and bad.
  4. Make a note of the common names, if any, for the packages (there may be more than one)
  5. If the discussion gives specific removal instructions, print the page for later reference. If these instructions describe steps that must be taken after navigating to the spyware vendor's website, set these aside in a separate group.


8. Close the browser and disconnect your computer from the network. This is because some of the spyware and malware have "Uninstall" options that take you to their sites to perform the uninstall. Don't trust 'em, unless you have found specific instructions above.

9. For any spyware for which specific instructions were found, follow those instructions (this may require reconnecting your computer to the network, but disconnect it again when done with that set of instructions). If any do not uninstall cleanly, make a note of this in your list.

10. Be sure your computer is disconnected from the network, then do Start menu...Control Panel...Add/Remove programs. Search the list for the common names you noted in step 7 (skip those that you've already removed). Uninstall each one you find. If it tries to connect to the internet, you'll get a "Page cannot be displayed" message. Note these in your list. If it doesn't uninstall cleanly, note that as well. (In some cases Uninstall will be unable to delete the installation directory because it will not have deleted any of the files you renamed in step 3. We'll take care of these manually.)

11. If you have flagged any items that did not uninstall cleanly, open Windows Explorer, and create a folder under Program Files called $Banned. Move the offending program's installation folders to this subdirectory.

12. Run msconfig again. If any of the items that you uninstalled still appear in the list, uncheck the entries. This includes any that did not uninstall cleanly and were moved to the $Banned directory. If you have a "Clean Up" button, click it.

13. Locate any of the non-Microsoft executables and DLLs that were renamed in step 3, and which were NOT removed in later steps. These will typically be things like Real Player, your anti-virus software, and so forth. Rename the extensions back to the original values. (To speed this up, use Search, or sort by clicking on the File Type heading.)

14. Reconnect to the network and reboot.

At this point you should be able to download and install tools like AdAware, Spybot and HiJackThis. Do so immediately - they may find other stuff we've missed here. Keep their respective "definitions" files up to date, and USE THEM REGULARLY.

In Internet Options, go to the Security tab and click Custom. For any content type that has a Prompt option, select it. This allows you to see where some of this stuff is coming from. Later, you can change some of the settings to "Disable" or "Enable", once you understand what's involved.

On the Privacy tab, click Advanced. Click the box to accept session cookies (or most sites won't function at all). Click Prompt for third party cookies; consider using Prompt for first party cookies, too, if you're in the habit of clicking links without first reviewing the destination URL in the status bar.

There will probably be some debris left in the registry, start menu and desktop. There are all kinds of tools (including free- and share-ware) that can clean this up. If you have Norton System Works, use "one-button checkup".

If any of the programs you use regularly don't work, or complain about missing files, look in the $Banned or $Plugins directories we created above, and move the files or folders back to their original locations. After a few weeks, you can probably safely remove the $Banned and $Plugins folders - whatever is left in there you didn't need anyway.

Finally,

  • if you EVER see what looks like a system dialog advising you that "your clock may be incorrect", or that "your connection speed is too slow", do not click any buttons. In fact, do not even click on what looks like the "title bar". Minimize your browser instead - if the "dialog" goes away, it was just an image in the page, probably with a link to install something nasty.
  • Be wary of any actual "system" dialogs that display while viewing a web page. If you're unsure about where they came from, kill Internet Explorer via Task Manager (Ctrl-Alt-Delete); if the dialog is still there, it really was from Windows.

Good luck!

...Jeff

Message Edited by djhill on 02-07-2004 01:51 PM
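
Steps 1 and 3 of the procedure above (list everything that starts with Windows, then check who published each file) can be done as a read-only inventory. The PowerShell below is an added example, not part of the post; it assumes a current Windows with PowerShell and that the entries of interest sit in the Run registry keys and Startup folders, and the helper name `Resolve-StartupTarget` and the verdict strings are made up for illustration.

```powershell
# Added example: read-only inventory of startup entries. Nothing is renamed or deleted.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'

# Hypothetical helper: pull the file path out of a startup command line.
function Resolve-StartupTarget([string]$Command) {
    $cmd = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    # For RunDll launches the file to inspect is the DLL, not rundll32 itself.
    if ($cmd -match '(?i)rundll(32)?(\.exe)?"?\s+"?([^",]+\.dll)') { return $Matches[3] }
    if ($cmd -match '^"([^"]+)"')      { return $Matches[1] }   # quoted path
    if ($cmd -match '(?i)^(.+?\.exe)') { return $Matches[1] }   # path followed by arguments
    return $cmd
}

# Step 1: collect every entry from the Run keys and the Startup folders.
$entries = @()
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $k = Get-Item -Path $key
    foreach ($name in $k.GetValueNames()) {
        $entries += [pscustomobject]@{ Source = $key; Name = $name; Command = [string]$k.GetValue($name) }
    }
}
$shell   = New-Object -ComObject WScript.Shell
$folders = [Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup')
foreach ($lnk in Get-ChildItem -Path $folders -Filter *.lnk -ErrorAction SilentlyContinue) {
    $target   = $shell.CreateShortcut($lnk.FullName).TargetPath
    $entries += [pscustomobject]@{ Source = $lnk.DirectoryName; Name = $lnk.Name; Command = $target }
}

# Step 3: read each target's version resource and signature, then label it for review.
$entries | ForEach-Object {
    $path    = Resolve-StartupTarget $_.Command
    $file    = if ($path) { Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue |
                            Where-Object { -not $_.PSIsContainer } }
    $company = if ($file) { $file.VersionInfo.CompanyName }
    $sig     = if ($file) { (Get-AuthenticodeSignature -LiteralPath $file.FullName).Status }
    $verdict = if (-not $file) {
        'not found: check the path by hand'
    } elseif (-not $company) {
        'no version info: review'
    } elseif ($company -ne 'Microsoft Corporation') {
        'non-Microsoft: review'
    } else {
        'Microsoft'
    }
    [pscustomobject]@{ Name = $_.Name; File = $path; Company = $company; Signature = $sig; Verdict = $verdict }
} | Format-Table -AutoSize -Wrap
```

The Company column comes from the file's own version resource, which is whatever the file's author put there, so the Signature column is the stronger signal when the two disagree.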
