Remove TOP 10 Shareware HiJackers

June 30, 2008 by shogan in The Pit Blog

Over the weekend a good friend asked me to take a look at his son's computer. He’s a great kid, and like all his peers, he loves music. He downloads songs, pirated of course, at an alarming rate. Because this was my third time cleaning his PC, I decided to take note of what I found.

In the past it had always been a single Hijacker, or a couple of spyware items. They were easily removed with Exterminate or Hijack This. This time the problem was much worse. By the time I was finished, the top 10 Malware items for 2008 were all there, with another 20 or 30 thrown in. They are listed here.

TOP 10 TROJANS, HIJACKERS AND SPYWARE OF 2008
1. Win32: Backdoor W32 Trojans steal passwords and send critical info (CC numbers, phone number, address, and banking info) to an awaiting server. The best cure is a clean install.
2. Smitfraud: Known for its fake "Blue Screen of Death", Smitfraud alters your registry and hides in your physical memory or boot sector.
3. My WebSearch: Part of FunWeb Products and My Way Speedbar, it is easily removed.
4. CoolWeb Search: Has its own spot in WIKIPEDIA. It will change your homepage.
5. Winfixer: Gives exaggerated security threat reports. Its latest release version is June 14th, 2008.
6. ContraVirus: Also known as ExpertAntiVirus. It is a fake spyware removal application that tricks you into buying and installing it.
7. Spy-Shredder: Here's the verbiage: "NOTICE: If your computer has been running slower than normal, it may be infected with Viruses, Adware, or Spyware. Spy-Shredder will perform a quick and completely FREE scan of your system for malicious programs. Download Spy-Shredder for FREE now!"
8. FakeAlert: Easily identified, this trojan displays false alerts in a balloon-type pop-up in the system tray.
9. Virtumonde: First discovered in 2003, the latest was spotted on June 14th, 2008. Is someone putting their kids through school with this money?
10. Virus Protect: This Zlob Trojan is found in codecs used to play video files. Especially associated with adult content sites.

For the fun of it, I spent 6 hours cleaning and removing one infamous intruder after another, hundreds of infected files. Eventually the list grew to 2 pages and included things I had never heard of. I removed them, but opted to reinstall because of the obvious destruction to the registry. I found out later that the reinstall was a good decision. Once a system is infected with the Win32 bot a reinstall is a must.

Taking action before things were completely out of hand would have made recovery much easier. Keeping the antivirus up to date and active would also have helped. Knowing the correct steps to remove this junk is paramount to the success of restoring your system. Knowing which tools detect and remove the problems is equally important. To reduce the amount of time needed to make these repairs, I’m listing the necessary steps and providing links to free removal tools. It’s my hope that it doesn’t take you 6 hours or an operating system installation to achieve a clean and clear PC.

REMOVAL INSTRUCTIONS

1. Run the following detection tools in the order given. No single product detects all known threats. It’s important to use a number of good solid detection tools to find all pests on your system. Take note of the problems found but do not use any of the removal options yet. First identify the threats.

  • OverDrive: Register for a free account or run anonymously. Most informative free software available, plus it lists the dangerous applications running on your system.
  • Ad-Aware 2008: This is one of many excellent detection and removal tools.
  • Spybot Search and Destroy: One of the best free tools.
  • Avast Antivirus: Although it seems that virus infections are diminishing, don't be fooled; check your system.

A word of caution is necessary here. You should not run more than one antivirus at a time. If you already have an antivirus installed, use that. If you are using an antivirus and are still infected, then I suggest using an online scan. Pitstop's own Jacee suggests Kaspersky, Dr.Web CureIt, TrendMicro's HouseCall, ESET Online Scanner, or Panda.

2. Next you will need to enable “show all system files and folders” in Windows Explorer. To do this in XP close all programs and click: Start/ Double click My Computer/ Tools/ Folder Options/ View/Check “Display the contents of system folders”/ Under Hidden Files and Folders select “Show hidden files and folders”/Uncheck Hide file extensions for known file types/ Uncheck Hide protected operating system files/ Apply/OK. The system files are hidden for a reason, be sure to hide them again when you are clean and finished.

To show all system files and folders in Vista you will need to close all programs and click: Start/ Control Panel/ Classic View/ Double click Folder Options/ View/ under Hidden files and folders click “Show hidden files and folders”/ uncheck “Hide extensions for known file types”/ uncheck “Hide protected operating system files”/ Apply/ OK.

3. When removing malware it is best done while in SafeMode. Many systems can access SafeMode by tapping the F8 key during the boot process. Once presented with the options screen be sure to choose SafeMode with Networking. If you are having trouble accessing safe mode, there is one sure fire way to get there. In XP go to: Start/ run/type “msconfig” without the quotes/ boot ini/ SafeBoot/ Network/ Apply/ OK. Now reboot your computer and it will take you directly to SafeMode.

WARNING: Do not change any other settings in the msconfig utility.

Systems using Vista are essentially the same. Go to: Start/ All Programs/ Accessories/ Run/ type “msconfig” without the quotes/ Boot/ Safe boot/ Network/ Apply/ OK.

Please note, if you have used the configuration utility to enter safemode, you will need to uncheck the Safeboot box in the configuration utility to boot into Windows normally.

4. Once you have identified the Virus, Hijacker, or Trojan, clean your system and flush System Restore. Many of today’s pests will hide there while you are removing them from other locations. They return to infect you again as soon as you reboot your PC. For systems using XP go to: Start/ Help and Support/ Undo changes with System Restore/ System Restore Settings/ Turn Off System Restore/ OK. As soon as you have completed this step, go back and create a new clean restore point.

For Vista users the process is just as simple, go to: Start/ Right Click Computer/ Properties/ System Protection/Uncheck the Drive or Drives listed/ Turn System Restore Off/ OK.

5. For minor spyware infections you may be successful using only the Adaware and/or Spybot programs. If you are getting repetitive warnings and your system is exhibiting Trojan and HiJack behavior, you will need to use some more serious removal programs.

Regardless of the type of malware, I suggest running the removal programs in the normal Windows mode, then SafeMode with Networking, and then a final time after a reboot into normal mode.

6. For more severe infections you can remove most of the TOP 10 by using one or more of the following removal tools.

7. Hijackers and some stubborn infections may require drastic measures to clear your system. "Hijack This" is a powerful tool that should not be used without help from trained advisors. PC Pitstop has advisors ready to help you use this program. Do not attempt using "Hijack This" without assistance.

8. When you are sure you are clean, be sure to check that you have created a new clean restore point and "re-hide" your System Files.

9. Do a final scan with OverDrive and Adaware. You should notice a significant improvement in your OverDrive results. Also note the difference in the virus and spyware processes shown under Software and Processes. They will be color coded in red and yellow.

10. Reinstall your antivirus or use the free Avast for future protection. Once installed, set it to automatically update its definitions. An antivirus or internet protection suite is only as good as its latest update.
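
The clean-up checks from steps 3, 4 and 8 (safe boot switched off again, a fresh restore point, system files hidden again) can be scripted. The following PowerShell is an added example, not part of the original article; it assumes Windows PowerShell on Vista or later, run from an elevated prompt under the account that changed the Folder Options, and the `-Fix` switch is this example's own.

```powershell
# Added example, not from the original article. Assumes Windows PowerShell on
# Vista or later, an elevated prompt, and the account that changed Folder Options.
param([switch]$Fix)   # -Fix is this example's own switch: repair instead of report

$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

# Values behind the Folder Options boxes from step 2:
#   Hidden          1 = show hidden files and folders, 2 = do not show them
#   ShowSuperHidden 1 = show protected operating system files, 0 = hide them
$rehide = @{ Hidden = 2; ShowSuperHidden = 0 }

$current = Get-ItemProperty -Path $key
foreach ($name in $rehide.Keys) {
    $have = $current.$name
    $want = $rehide[$name]
    if ($have -eq $want) {
        "OK       $name = $have"
    } elseif ($Fix) {
        Set-ItemProperty -Path $key -Name $name -Value $want -Type DWord
        "FIXED    $name set to $want (was $have)"
    } else {
        "EXPOSED  $name = $have (expected $want)"
    }
}

# HideFileExt: 0 = extensions shown, 1 = hidden. Reported only, never changed:
# visible extensions make a file such as "song.mp3.exe" easier to spot.
"INFO     HideFileExt = $($current.HideFileExt)"

# Step 3: a leftover safeboot entry sends every reboot back into Safe Mode.
$boot = bcdedit /enum '{current}' 2>&1
if ($LASTEXITCODE -ne 0) {
    'SKIPPED  bcdedit failed; run this from an elevated prompt'
} else {
    $safeboot = $boot | Where-Object { $_ -match '^safeboot\s+\S+' }
    if (-not $safeboot) {
        'OK       no safeboot entry; Windows will boot normally'
    } elseif ($Fix) {
        bcdedit /deletevalue '{current}' safeboot | Out-Null
        'FIXED    safeboot entry removed'
    } else {
        "PENDING  $safeboot"
    }
}

# Steps 4 and 8: confirm a restore point exists after System Restore was flushed.
$latest = Get-ComputerRestorePoint -ErrorAction SilentlyContinue |
    Sort-Object SequenceNumber | Select-Object -Last 1
if ($latest) {
    "OK       restore point #$($latest.SequenceNumber): $($latest.Description)"
} else {
    'MISSING  no restore point found; create a new clean one (step 4)'
}
```

Run it once without `-Fix` to see what is still exposed, then again with `-Fix`; Explorer windows that were already open may keep showing hidden files until they are refreshed or reopened.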

How do we avoid these problems? It's simple: visiting sites to pirate music and movies will guarantee you an infected system. It doesn't matter what internet protection suite you use; if you expose yourself to BearShare, PirateBay, and Limewire you will have problems. Once you click OK, it's too late! Keep your protection suite active and updated. Stay away from shareware, adult content, and pirating sites. Your system will stay a lot healthier.

If you are having trouble and feel a little overwhelmed by these pests, you can increase your chances of success to 100% by visiting our Free Help Forum. It is full of people who want nothing more than to rid your computer of these irritating pests.


__________________________________________________________________________

A special thanks to our own "Jacee" for helping me with the information on these nasty bugs. Jacee and the whole crew of Trusted Advisors are responsible for the success of our Virus, Spyware, and AdWare Forum. Thanks Jacee


28 Responses to “Remove TOP 10 Shareware HiJackers”

  1. Heather Freeman Says:

    Thanks for the information. Excellent advice.

  2. Lisa Smith Says:

    Great article. Thanks for doing all the research. Very useful information.

  3. Mina Says:

    I can't find OverDrive. Where is that? I'm surprised that the names of things were not underlined due to having a link so we wouldn't have to look everywhere for things.

    Kaspersky works well with Opera. The other online scanners require either IE or Firefox. No Opera support.

    I think you mean Dr. Web "Cure It", not Dr.WebCurit. I had to search for this, too, as you provided no link.

    Ad-Aware is a nice choice, but how good is 2008? The 2007 version was a disappointment, so many stayed with their older version that was from before 2007.

    Why wasn't A-squared Free mentioned? That's another good one. Finally, Returnil should be mentioned. It's the fastest and most trouble-free solution in this world of badware gone mad.

  4. Steve Hogan Says:

    Hello Mina. Thanks for the input. If you click on the word Overdrive it will now take you to the product. The links don't show an underline until your mouse is on them, only the reddish color.

    Dr Web CureIt is correct.

    There are many good products out there. I feel AdAware is still one of them. Feel free to mention any you like and even provide links.

  5. jenny Says:

    there's a link to OverDrive on the top left of the navigation panel.

  6. Mina Says:

    No problem. I highlighted Overdrive but nothing happened. I clicked it. Nothing happened. So I'm puzzled.

    The link for Returnil is:

    http://www.returnil.com

    The link for A-squared is:

    http://www.emsisoft.com/en/software/free/

    I hope this helps.

  7. Mina Says:

    D'oh. OverDrive is in the left top corner, folks. [embarrassed]

  8. Davd Says:

    Great article, it would be nice if at the bottom you also had the option of a "printer friendly" version that I could print so I cant be reading it as I work through the steps and my computer isn't show the steps any more. Thanks DAVE

  9. Lisa Says:

    Thanks for doing all the legwork. Our company always had trouble trying to clean up these nasty things.

  10. Thanks for the info in one place. Says:

    Thanks for this. i have tried to put the information down on a page before.
    but you have nailed it to the exact and my little brothers will be happy when i send them this page.
    love from eltonjd04

  11. John Innes Says:

    Someone appears to have hacked your "Remove hijackers, trojans and viruses" page. You show "Smitfraud" as a hijacker, but in item 6. it is shown as a removal tool.

  12. Scotti Says:

    Thanks for a great report. I can't tell you how many hours lost over the last 8 months due to hacktools and malware. I have been on a road of education. I run numerous spyware tools and really like AVG and yeah hackthis and malwarrior were helpful tools to the nutnworks guys. The real trip is I don't go places I shouldn't. A friend's email account got hijacked and when I opened up an email from her…well that was all she wrote! Anyway thanks for helping us common folk to stay on a healthy track!

  13. Boofer Says:

    John Innes:

    If you mouse over the "Smitfraud" in the removal tools, you'll see that it is "Smitfraudfix".

  14. Sony Vaio - XP Media Edition - P4 Says:

    You initially list Smitfraud as one of the Top 10 TROJANS, HIJACKERS AND SPYWARE OF 2008, then you later recommend it as a removal tool; i.e., "For more severe infections you can remove most of the TOP 10 by using one or more of the following removal tools". Was this a 'typo' or am I not reading this correctly? Please advise and thanks for your help.

  15. Argylle Says:

    Thanks this was most helpful. Cheers to all the wonderful and helpful people at PC Pitstop!

  16. dotty Says:

    Thanks guys..I love this site! I have been a fan for..well, let's just say a-while now : )

    Always great info and always on top of things..Thank you..you guys are really great!

  17. dark41 Says:

    I remove malware from computers for a living and never spend more than an hour doing so. The last system had 30 different malware products with 105 corrupted files and registry entries, including 3 of the above listed top 10 for 2008. Best of all, the tools for removal are free. Anyone can download them, use them and feel protected with them. I recommend AVG over Avast because it works better and doesn't fill your screen with silly popups for buying the paid version every day.

    Download and install these 2 products. It's up to you if you want SuperAntiSpyware to protect your home page or not but I recommend doing so.

    1) AVG 8.0 Free Anti Virus ( http://free.avg.com/ww.download-avg-anti-virus-free-edition )

    2) SuperAntiSpyware ( http://www.superantispyware.com/ )

    Update both products immediately after installation (installs latest definitions).

    Reboot, and update SuperAntiSpyware again (will install latest engine).

    Boot into safe mode and run both products (can be run at the same time). Follow instructions to remove any malware found. Reboot computer back to Windows. End of problems.

    Regularly run manual updates and scans to be sure the operations are happening. :-)

  18. Bill Simmons Says:

    Hi,
    In step 4 you say to clean out system restore, do you do that in safe mode?

  19. Cris Says:

    "You initially list Smitfraud as one of the Top 10 TROJANS, HIJACKERS AND SPYWARE OF 2008, then you later recommend it as a removal tool; i.e., "For more severe infections you can remove most of the TOP 10 by using one or more of the following removal tools". Was this a 'typo' or am I not reading this correctly? Please advise and thanks for your help."

    The "Smitfraud" mentioned as a removal tool is its fix. The "Smitfraud" labeled as a top malware product is.. well, the actual malware.

  20. Lu Says:

    Thanks for all of your info and the work you put in to it. Most of all, thanks because it did not cost a thing-one of the few things left that are free. (dark 41 had some nice info too.) But I am surprised at how critical some of the other people were on here and hope they do not stop you from sharing your knowledge with the rest of us. thanks!

  21. Susan Says:

    I am SOOOOOOOOOOO glad you are in my world. I am actually learning how to look after my own computer and not have to call on an 'expert' at £20 per visit. Thank you, thank you, thank you for all your hard work.

  22. Steve Says:

    I am a little bemused. In the table of TOP 10 TROJANS, HIJACKERS AND SPYWARE OF 2008 you mention at No3 My WebSearch, yet in another article on your website "Windows XP SP3 has problems" you have a link just to the right for screen savers, and guess who by ? - My Web Search!

    Wake up fellas.

  23. Steve Says:

    Follow-up to previous comment, you also have a screen saver link (by My Web Search) in your Customer Service page.
    Well Done!

  24. Steve Says:

    Follow-up to my earlier comments. Good to see your quick reaction and that those links to My Web Search screen savers have been removed.

  25. Steve Hogan Says:

    Steve,
    I think you need to check your computer as it sounds like you are infected with My Web Search.
    Good luck to you.

  26. Doug Says:

    Looking for help. While my son was browsing wrestling websites. He clicked on a link. It seems to have downloaded a program that has disabled my screen save and will not allow you to change the background picture. It says my computer is infected. You switch to a different user and its gone go back and it reappears. It looks like someone is trying to get you to buy some sort of virus protection which we have any ideas. I deleted the file in program files but it still won't take the warning off the screen.

  27. Zachary Rash Says:

    Wow! what an idea ! What a concept ! Beautiful .. Amazing

  28. digestinol Says:

    What is captcha code?, pls provide me captcha code codes or plugin, Thanks in advance.
