Monthly Archives: May 2004
First, gather the proper tools:
- McAfee Associates’ Stinger Anti-Virus scanner
- Lavasoft’s Ad-Aware
- PepiMK’s Spybot Search & Destroy
- Merijn’s (SpywareInfo.com) Hijack This and CWShredder (note that CWShredder was sold to InterMute, which has now been bought by Trend Micro.)
- Mike Lin’s Startup Control Panel (This really should have come with Windows!)
- Darren Schroeder’s MyTop utility
- If you don’t have a zip utility, I recommend PowerArchiver 6.x. This is the last free version of a very nicely done WinZip clone.
- UPDATE 05-16-2004 – RootKit Detector and aports.exe
- Added 07-03-2004 – SysInternals’ Process Explorer
(Each of these is discussed in more detail below.)
Now, you’re going to run the listed tools. Each one performs a different function (although several of them are similar).
If you run into any problems with this process, visit any of the forums listed at the Alliance of Security Analysis Professionals.
The first tool to run is McAfee’s Stinger utility. Stinger is a stand-alone antivirus scanner, regularly updated by McAfee, that will catch and clean the most current viruses and worms. Simply double-click the S-T-I-N-G-E-R.EXE file, then click the Scan Now icon. Let the scanner run to completion.
As a checkpoint, now run HijackThis. It’s also a stand-alone utility that will scan for certain anomalies and make a list that can be analyzed. Double-click the HijackThis.exe icon, then click the Scan button. When the scan finishes, click the same button (now labeled Save Log) and save the file somewhere you can find it. Then you can exit the HijackThis utility.
The third step is to install and run Lavasoft’s Ad-Aware. Double-click the aawpersonal.exe file and click Next four times, then Finish. The installation program will put an icon on your desktop.
Close all open windows, especially any Explorer and Internet Explorer windows. Double-click the icon, then click on the Check for updates now link. In the update window, click the Connect button, then click OK to update the signature file. (Keep in mind the dates in this program are in European format, DAY.MO.YEAR.) After the update is done, click Finish, then Start and Next. When the scan finishes, click Next twice and say OK when prompted. After that, you can close Ad-Aware.
Step four: Spybot Search & Destroy. Double-click the spybotsd14.exe icon, click Next, read and accept the license agreement, and click Next twice. On the “Select Components” screen, uncheck everything except the “Main Files” component, then click Next twice. On the “Select Additional Tasks” screen, uncheck “Create a Quick Launch icon”, then click Next and Finish.
Double-click the Spybot – Search & Destroy icon. Select the language (English is the white flag with the red cross). On the next two dialog boxes, read the warnings and click OK. Then, click the Search for updates button. Install any updates found; the program will restart on its own. After it restarts, click Check for problems.
When the scan finishes, click Fix selected problems and remove everything selected by default.
Last, run HijackThis again, and save the second log file under a new name (“hijack2.log”, for example). Then, if you have any questions or concerns about anything else installed on your computer, post the contents of the second log file to one of the ASAP member forums.
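The point of saving a HijackThis log before and after the cleanup is to compare them: what the scanners removed, what is still there, and anything that appeared in between. The following is an added example, not code from the original post or from HijackThis, that parses two logs written in the HijackThis line style (section code, dash, detail) and reports the differences. The log contents, file names, CLSIDs and the `.test` domain are constructed placeholders, not real indicators.

```python
import re
from collections import defaultdict

# Constructed sample logs in the HijackThis line style. Every name, path,
# CLSID and domain below is a placeholder invented for this example.
LOG_BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.example-hijacker.test/
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - C:\WINDOWS\System32\exhelper.dll
O2 - BHO: Acrobat Helper - {00000000-0000-0000-0000-000000000002} - C:\Program Files\Adobe\AcroIEHelper.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [exupdate] C:\WINDOWS\System32\exupdate.exe
"""
LOG_AFTER = r"""
O2 - BHO: Acrobat Helper - {00000000-0000-0000-0000-000000000002} - C:\Program Files\Adobe\AcroIEHelper.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKCU\..\Run: [newtool] C:\WINDOWS\System32\newtool.exe
"""

# An entry line starts with a section code (R0, R1, O2, O4, ...) followed by " - ".
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")


def parse_log(text):
    """Return {section_code: set(detail)} for every entry line; header lines are skipped."""
    entries = defaultdict(set)
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries[m.group(1)].add(m.group(2))
    return entries


def diff_logs(before, after):
    """Compare two logs; return (removed, added, remaining) as sorted 'CODE - detail' lists."""
    b, a = parse_log(before), parse_log(after)

    def flatten(d):
        return sorted(f"{code} - {detail}" for code, details in d.items() for detail in details)

    removed = {c: b[c] - a.get(c, set()) for c in b}       # gone after cleanup
    added = {c: a[c] - b.get(c, set()) for c in a}         # new since the checkpoint
    remaining = {c: a[c] & b.get(c, set()) for c in a}     # present in both logs
    return flatten(removed), flatten(added), flatten(remaining)


if __name__ == "__main__":
    for title, group in zip(("Removed", "Added", "Remaining"), diff_logs(LOG_BEFORE, LOG_AFTER)):
        print(f"{title}:")
        for entry in group:
            print("  " + entry)
```

Entries that remain after all the scanners have run are the ones worth posting to a forum for a second opinion; entries that appeared between the two logs deserve a look as well.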
Of the last four tools, CWShredder is designed to clean up a specific strain of spyware known as “Cool Web Search”. BHODemon, Startup Control Panel and MyTop are not specifically spyware or virus removal tools, but are useful for diagnostics.
- From the original author of HijackThis: CWShredder is “a small utility for removing CoolWebSearch (aka CoolWwwSearch, YouFindAll, White-Pages.ws and a dozen other names). … This program is updated to remove the new variants once they come out. Read my article with documentation on Coolwebsearch here.”
- From InterMute: “CWShredder finds and destroys traces of CoolWebSearch. CoolWebSearch is a name given to a wide range of different browser hijackers. Though the code is very different between variants, they are all used to redirect users to coolwebsearch.com and other sites affiliated with its operators.”
- BHODemon
- From the author: “BHODemon scans your Registry for BHOs (Browser Helper Objects), and presents any it finds in a list. By highlighting a BHO in this list, and clicking the “Details” button, you can see information about this BHO, and even disable it if you wish.”
- Startup Control Panel
- From the Author: “Startup Control Panel is a nifty control panel applet that allows you to easily configure which programs run when your computer starts. It’s simple to use and, like all my programs, is very small and won’t burden your system. A valuable tool for system administrators!”
- MyTop
- Handy utility, especially with Windows 95/98 (and possibly ME), which do not have a task manager. MyTop lists all currently running processes on your computer and gives you the ability to kill them, without having to give a CTRL-ALT-DEL. Windows NT, 2000 and XP all have a built-in utility that performs the same function, the Task Manager, which can be accessed by pressing CTRL-ALT-DEL and clicking “Task List”, right-clicking on the Taskbar and selecting “Task Manager”, or pressing SHIFT-CTRL-ESC.
- Process Explorer
- From the Author: “The unique capabilities of Process Explorer make it useful for tracking down DLL-version problems or handle leaks, and provide insight into the way Windows and applications work.”
- Root Kit Detector
- This set of tools is useful in removing a newer, nasty version of CoolWebSearch that uses a malicious hacker tool called Hacker Defender to prevent removal of its files and to hide its processes and other means of identifying the offender. Instructions can be found on this page at the University of Wales, Swansea.