Re: Spyware & IE Problems.
Steps to remove a persistent / stubborn kind of spyware
(a personal anecdote of sorts - use at your own risk!)
The following How-To guide elaborates the steps that can be followed (at your own risk) to get rid of spyware/malware that cannot be permanently removed by spyware sweeper programs.
I tried the following spyware removal applications without any luck:
Spybot, Lavasoft Ad-Aware, Enigma Software SpyHunter.
All of the above successfully remove the “parasites” but a lot of the spyware replicates itself even after the infected files / registry keys / cookies are removed.
This procedure is especially useful for Home Search Assistent (HSA) (notice bad spelling!), Search Extender, Shopping Wizard and YourSiteBar. Even though you will see these entries in your Control Panel Add/Remove Programs, you will probably be unable to remove them directly.
So here’s what you should do (again, at your own risk):
1. Disable the System Restore option in Win XP (can be configured under the System option in the Control Panel).
2. Open the Windows Task Manager (Ctrl+Alt+Delete) and, from the Processes tab in Task Manager, arrange processes by User Name. For those processes that are running under your name, kill any that look suspicious. Most of the time, the process names themselves sound eerie (with 5 random letter names).
3. From the Start menu, use the Run prompt to invoke “services.msc” and disable the “Network Security Service” (use the Properties menu). This is the main culprit that helps spyware in replicating the files.
4. Use Windows Explorer to go to c:\windows and arrange files by “Date Created” (enable it through the View menu by selecting “Choose Details”). For the latest files in your list, delete all files with random 5 letter names that have an exe, dll or dat file extension. A good way to check if you’re deleting an authentic file is to move your mouse over the filename and see if it has a tooltip description from a vendor.
5. Repeat step 3 for the c:\windows\system32 folder.
Steps 4 and 5 are cumbersome, but make sure you’re thorough. There may also be some recently created bat files. You can open these up in notepad to see if they invoke a spyware routine. Delete these as well.
6. Delete all the temporary files from **C:\windows\temp** and also from your Windows profile, usually under the following folders:
C:\Documents and Settings{your username}
and
C:\Documents and Settings{your username}
If you have a folder called C:\windows\prefetch, completely remove it!
Run HijackThis and get rid of all the BHO (Bad Home Page) entries and any other references you can pinpoint as malicious.
Run regedit and search for some of the spyware names, e.g. 'assistent' for Home Search Assistent (HSA), and delete all the values/folders associated with them. Most importantly, delete those folders from HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall that are associated with the spyware names, e.g. HSA, SW, SE and YourSiteBar.
Empty your Recycle Bin, turn off your system and start in Safe Mode. Run any spyware removal and antivirus programs that you have.
Reboot in Normal mode and you should be ok! (hopefully).
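
An added example, not part of the original post: a read-only PowerShell audit that applies the heuristic from steps 4 and 5 (recently created files with 5-letter names and an exe, dll or dat extension, checked for a vendor string) and only lists candidates for review. It assumes PowerShell 4 or later; the parameter names and the 30-day window are assumptions.

```powershell
# Added example: lists files matching the post's heuristic. It never deletes anything.
# Assumptions: parameter names, the 30-day window, and using the file's version-info
# CompanyName as the scripted equivalent of the Explorer tooltip vendor check.
param(
    [string[]]$Folders = @("$env:windir", "$env:windir\System32"),
    [int]$Days = 30
)

$cutoff = (Get-Date).AddDays(-$Days)

$candidates = foreach ($folder in $Folders) {
    Get-ChildItem -LiteralPath $folder -File -Force -ErrorAction SilentlyContinue |
        Where-Object {
            # Exactly five letters plus .exe/.dll/.dat, created inside the window
            $_.Name -match '^[A-Za-z]{5}\.(exe|dll|dat)$' -and
            $_.CreationTime -ge $cutoff
        } |
        ForEach-Object {
            # Version resources are empty for files that carry no vendor metadata
            $info = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($_.FullName)
            # Locked files may not be hashable; leave the hash blank in that case
            $hash = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
            [pscustomobject]@{
                NoVendor    = [string]::IsNullOrWhiteSpace($info.CompanyName)
                Created     = $_.CreationTime
                Company     = $info.CompanyName
                Description = $info.FileDescription
                Path        = $_.FullName
                SHA256      = $hash.Hash
            }
        }
}

# Newest first; rows with NoVendor = True are the ones the tooltip check would flag
$candidates |
    Sort-Object Created -Descending |
    Format-List NoVendor, Created, Company, Description, Path, SHA256
```

A vendor string is only metadata that any file can carry, so treat the output as a review list and look up the hashes before removing anything.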