
    Sandi's Site


    The reality of the modern malware world is that there is no one product (or two products) that will catch all of the infections that are circulating on the net.  Sometimes you will need specialised tools.

    This article will start with clean up routines that get rid of the more basic infections.  If that isn't enough to clean your system then we have to pull out the heavy armoury.  If you find yourself facing a stubborn malware infection, please visit one of the recommended help sites.  Remember, you're not alone in this.


    There are many people who have helped this FAQ improve over time - MVPs and newsgroup users.  I thank all of you who have made the newsgroups, anti-malware websites and dedicated mailing lists into such a wonderful resource.

    Read the advice at my prevention link to reduce the chances of your computer being infected.


    Some people recommend that System Restore be turned off and all Restore Points deleted before attempting spyware removal. DO NOT DO THIS. If something goes wrong (anything is possible) you will have no way to reverse your actions. You'll want to delete your old Restore Points, but the time to do that is later, not now.  A discussion about System Restore, malware and best practice can be found on my blog:
    http://msmvps.com/spywaresucks/archive/2005/09/17/66724.aspx


    Before trying to remove spyware

    Back up all essential data.

    Record what you can about the current situation.  Take screenshots of the malware before you start cleaning and save them to a Word document or into a folder - it will help with identification if the preliminary steps don't work.


    Preliminary cleaning

    Download, install and update the following software:

    1. Windows Defender (Microsoft Windows 2000 Service Pack 4 or later, or Windows XP Service Pack 2 or later, or Windows Server 2003 Service Pack 1 or later)

    2. Pay-for products - Pest Patrol, Spy Sweeper or Spyware Doctor

    Download the following software:

    1. LSPFix (Up to Windows XP) or Winsockxpfix (XP pre-SP1 only)  Note: Windows 95 users must install Winsock 2

    2. If you are using XP SP2 write this down - it may get things going if you are unable to access the internet after removing malware:  netsh winsock reset

    3. HijackThis. You can also find the latest version at the author's home site, being http://www.merijn.org/downloads.html  Important note: Some malware is targeting HijackThis and preventing it from running.  Rename the executable to hjt.exe or scan.exe or bitemebadguys.exe to get around the problem.

    After all software has been downloaded, installed and updated disconnect the computer from the internet and any network to which it may be attached.

    Some malware *will* try to connect to the internet if it detects attempts to remove it.  Do not give it the chance to do so if at all possible.  You will  need to reconnect to the internet at times (for example, for online scans) but as much as is possible keep the computer isolated from the Internet and from other computers.


    Siljaline (aka Microsoft MVP Randy Knobloch) maintains information about the latest updates to various security products at Security Tools Updates and his blog:
    http://msmvps.com/blogs/siljaline/default.aspx


    Malware removal (beginner's step-by-step guide)

    Some of the following advice may seem pedantic, or unnecessary, but I strongly advise you to do everything in the order given to maximise your chances of a successful outcome.  A lot of modern malware, if given the chance, will try to reinstall itself automatically.  The steps below are designed to minimise the chance of this happening.

    A.    Getting ready to disinfect....

    • Go to Control Panel, Folder Options, View Tab. Turn on the option to show hidden files. Turn off the option to hide protected system files. Turn off the option to hide the extensions of known file types.  Apply this change to all folders.  ***WARNING!! Files are hidden by Windows for a very good reason.  It is not wise to 'experiment' with these files.  Unfortunately, to successfully remove some malware we must turn this protection off.  There is a risk to doing this.  Please turn the protection back on when you have finished cleaning your system.***

    • Check all 'startup' folders for unwanted malware entries.  Windows 95 and 98 users can examine their startup folder via the Start Menu.  Those of us who are using a later operating system should check ..\Documents and Settings\All Users\Start Menu\Programs\Startup and ..\Documents and Settings\<username>\Start Menu\Startup.  Move any that you find on to your desktop (note: log on as administrator to access all startup locations).

    • Check Add/Remove programs. Some adware utilises add/remove programs.  Remove what you can that way.

    • Right click the shortcuts that you have moved out of the startup folders and select 'Properties'.   You will use this list to cross reference what is found and removed by the anti-spyware applications and ensure nothing obvious has been missed.

      A target path is highlighted with a red box in the accompanying screenshot.

    B.    Cleaning your computer - first sweep

    Boot into safe mode and do the following:

    Start the computer in safe mode - Windows 95
    Start the computer in safe mode - Windows XP
    Start the computer in safe mode - Windows 2000

    • Empty your IE cache and your other temporary file folders:
      c:\temp
      c:\windows\temp
      c:\Documents and Settings\<username>\Local Settings\Temp

      The path to your temp folder will change depending on username and operating system.

      Empty:
      c:\windows\prefetch

      Do NOT try to delete the contents of the Windows folder, delete ONLY the contents of the prefetch folder (yes, believe it or not, some have tried to delete the Windows folder in its entirety)

    • Go to Control Panel.  Open Internet Options, Temporary Internet Files {Settings Button}, View Objects, Downloaded Program Files. A Windows Explorer window will open.  Unwanted plugins can be removed by right clicking on the object, and selecting 'remove'. 

      Go to the Programs Tab then click on Manage Add-Ons.  Examine the list of 'Add-ons that have been used by Internet Explorer' and disable anything that you do not want Internet Explorer to use.  If you wish, the add-ons can be re-enabled at a later time.

    • Click on the Accessibility button on the General tab. Make sure there is no style sheet chosen.  If the option is turned on, turn it OFF.

    • Once finished, reboot into safe mode.


    You may need to download and install Update KB888240 to solve a known problem for XP SP2 where add-ins will sometimes hide themselves from the Add-On Manager.  The hotfix is available here (this may already be installed, depending on how up to date your system is).


    Please take screenshots whenever something is detected on your computer. It will help you remember what was found and removed, and will help us assess the situation if you need more expert help.

    As much as is possible, the following steps should be completed in safe mode.  Sometimes this will not be possible.

    C.    Cleaning your computer - second sweep

    • Start Windows Defender.  Remember you should have updated it as soon as it was installed, and you should also update it every time it is run (unless you have already checked for updates that day).

    • Run a full scan and remove any malware that is detected.

    • Once finished, reboot.

    • Run Windows Defender again.  If the infection is back, note down its name.

    D.    Cleaning your computer - third sweep

    • Run a full system scan if you have purchased any pay-for product and remove any malware detected.  Clean any malware that is detected. Remember you should have updated it as soon as it was installed, and you should also update it every time it is run (unless you have already checked for updates that day).

    • Once finished reboot into safe mode.

    • Complete a second full system scan.  If the infection is back, note down its name.

    • Reboot.

    E.    Cleaning your computer - fourth sweep

    F.    Final steps

    If you are unable to get on to the internet after cleaning up your computer, run LSPfix if not using XP.  If using XP run Winsockxpfix. If you are using XP SP2 and are unable to access the internet after removing malware, the following command line may remove the need to run Winsockxpfix; it will reset the winsock catalogue:

    netsh winsock reset

    Once the computer is clean, and if it applies to the operating system, create a new restore point.  The old ones may, of course, be infected with the malware and cannot be used.  There are two ways to get rid of infected restore points once you have a new one available, depending on what version of XP you are using:

    Windows XP - Start, All Programs, Accessories, System Tools, Disk Cleanup.  Options Tab, Clean Up.  Delete all but the latest restore point.

    or

    Windows XP - Control Panel, System. System Restore Tab. Enable 'turn off system restore'. Click Apply.  Uncheck the box. Click apply, then click ok.

    Windows ME - right click My Computer, select Properties.  Performance tab, File System.  Troubleshooting tab. Enable 'Disable System Restore'.  Ok twice, then click yes to reboot your computer.  After rebooting, turn System Restore back on.

    G.    Still infected or the infection comes back?

    This is where the screenshots and notes you have taken up till now will be absolutely essential.

    You may be able to identify your particular infection, and download an automated removal tool for it, at this site:
    http://www.bleepingcomputer.com/forums/forum55.html

    If the malware problem comes back further specialised assistance is available via various anti-spyware forums, my preferred forums being aumha.net, castlecops and bleepingcomputer.

    You will need to post a HijackThis log at the anti-spyware forums for analysis, but please make sure that you have attempted to clean your system as per the advice above before generating the log file.


    The following information is for advanced users and for professional technical support - these steps are NOT recommended for the inexperienced.  I have not provided detailed instructions or advice and have assumed a higher than average level of skill....

    Removing malware can be an exacting process.  If you don't do things at the right time and in the right way, you may find yourself having to start all over again - the worst examples of malware will transmute as soon as any imperfect attempt at removal occurs.

    Killbox is an essential addition to your arsenal.

    1. Ensure that the option Delete on reboot is enabled.
    2. Paste the full file paths of all malware files detected using HijackThis into the Full Path of File to Delete field using Killbox's Paste from Clipboard option on the file menu or Ctrl+V.
    3. Click the 'delete file' button (white cross on red circle).  Unfortunately you will have to delete each file individually.
    4. Click 'yes' at the Delete on reboot prompt.
    5. Do not allow Killbox to reboot the system until after you have entered the last file name.
    6. If the file reappears after removal on reboot, use the option to replace the aberrant file with a dummy.

    Examine win.ini, autoexec.bat, system.ini, config.nt, autoexec.nt as relevant.

    Pay close attention to shell= and load= 

    Fire up services.msc.  Check out what's going on and investigate further any mysterious/unusual services.

    Search for unusual or unexpected *.bat files and unexpected entries in the Run, RunOnce, RunOnceEx, RunServices, Services, Winlogon and Scripts registry keys. 

    MSCONFIG, (Services Tab - hide all Microsoft Services) can be helpful. 

    Search the rest of the registry for any reference to discovered malware files.  You may see clues pointing you to files or CLSID that, in turn, can be examined to reveal even more keys or files.  Invariably if you find a malware reference in the registry it will point you to another component elsewhere.

    "Security Central" at Castlecops is a fantastic resource - you'll find several searchable databases including CLSID, BHO and ActiveX.

    Also watch out for entries at:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler

    [HKEY_CURRENT_USER\Software\Classes\CLSID\***\InProcServer32]

    which will in turn reveal malware file names.   Sometimes it can be hard to work out what is a legitimate SharedTaskScheduler entry and what is not, but if you're seeing those "you have been infected with spyware" fake alerts, you can bet there is a malware entry there.  Use the Castlecops CLSID list to check out the keys, and also look at the file names associated with the CLSID.  Obviously unusual or random file names should be looked at with suspicion.

    AppInit_DLLs is especially problematic.  If a malware file is referenced in that key, you will not be able to get rid of it until the reference is removed, which is no easy task.  First you will have to nuke whatever is monitoring that key and recreating the malware entry.  For example:

    File X will be mentioned in AppInit_DLLs
    File Y will be monitoring AppInit_DLLs

    You have to get rid of File Y before you can delete the AppInit_DLLs entry and afterwards delete File X.  Fun, yes?
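    The following is an added example, not code from this page or from any of the tools it names: a read-only PowerShell inventory of the autostart locations discussed above (the Run/RunOnce/RunOnceEx/RunServices keys, Winlogon, AppInit_DLLs, Browser Helper Objects and SharedTaskScheduler).  Each CLSID it finds is resolved through its InProcServer32 key to the DLL it loads and checked for presence on disk, so you are inspecting file names rather than bare GUIDs.  It assumes a system with PowerShell available, which the XP-era machines this article was written for will not have; it changes nothing in the registry.

```powershell
# Added example (not from Sandi's page): read-only inventory of the autostart
# locations the article lists, with CLSIDs resolved to their InProcServer32 DLL.
# Assumes PowerShell is available; nothing here writes to the registry.

$RunKeys = 'Run', 'RunOnce', 'RunOnceEx', 'RunServices' |
    ForEach-Object { "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\$_" }
$RunKeys += 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$AppInitKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$BhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$StsKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler'

# One record per registry value: where it lives, its name and its data.
# With no -Names given, every value under the key is listed.
function Get-ValueRecords([string]$Key, [string[]]$Names) {
    if (-not (Test-Path $Key)) { return }
    $item = Get-Item $Key
    if (-not $Names) { $Names = $item.GetValueNames() }
    foreach ($n in $Names) {
        [pscustomobject]@{ Location = $Key; Name = $n; Data = $item.GetValue($n) }
    }
}

# Resolve a CLSID to its InProcServer32 default value. HKCU is checked first,
# matching the article's note that per-user CLSID keys also reveal file names.
# OnDisk tells you whether the referenced DLL actually exists.
function Resolve-Clsid([string]$Clsid) {
    foreach ($root in 'HKCU:\Software\Classes\CLSID', 'HKLM:\SOFTWARE\Classes\CLSID') {
        $k = Join-Path $root "$Clsid\InProcServer32"
        if (Test-Path $k) {
            $dll  = [string](Get-Item $k).GetValue('')
            $path = [Environment]::ExpandEnvironmentVariables($dll.Trim('"'))
            $onDisk = ($path -ne '') -and (Test-Path $path)
            return [pscustomobject]@{ CLSID = $Clsid; Dll = $dll; OnDisk = $onDisk }
        }
    }
    [pscustomobject]@{ CLSID = $Clsid; Dll = '<no InProcServer32 key>'; OnDisk = $false }
}

"== Run keys, Winlogon Shell/Userinit and AppInit_DLLs =="
$RunKeys | ForEach-Object { Get-ValueRecords $_ } | Format-Table -AutoSize
Get-ValueRecords $WinlogonKey 'Shell', 'Userinit' | Format-Table -AutoSize
Get-ValueRecords $AppInitKey 'AppInit_DLLs' | Format-Table -AutoSize

"== Browser Helper Objects (subkey names) and SharedTaskScheduler (value names) =="
if (Test-Path $BhoKey) { Get-ChildItem $BhoKey | ForEach-Object { Resolve-Clsid $_.PSChildName } }
if (Test-Path $StsKey) { (Get-Item $StsKey).GetValueNames() | ForEach-Object { Resolve-Clsid $_ } }
```

    Entries whose DLL is missing from disk, sits in a temp folder, or carries a random-looking name are the ones to cross-check against the Castlecops CLSID list and your HijackThis log before touching anything.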

    Some malware dumps HTML files on the local machine for use as fake home pages or for other uses.

    I strongly recommend that unless you have a lot of experience working in this area that you post details of the services revealed by services.msc to aumha.net for professional guidance. If you turn off the wrong service you could cause serious problems, and at the very worst, leave the computer unbootable.

    An experienced computer technician can use programs such as AutoStart Viewer for in-depth diagnosis:
    http://www.diamondcs.com.au/index.php?page=asviewer

    Process Viewer for Windows:
    http://www.teamcti.com/pview/

    Silent Runners - use EXTREME caution, and be careful of whom you obtain advice from regarding results:
     
    APM (Advanced Process Manipulation):
    http://www.diamondcs.com.au/index.php?page=apm

    StartupTracker
    www.dougknox.com

    Rootkits are becoming more common - add RootkitRevealer and Blacklight to your arsenal.
