Malware/Spyware Removal Guide


Comments

  • Mr_Linnet
    Mr_Linnet Posts: 105 Forumite
    edited 29 June 2010 at 11:48AM
    I have read the above post and understand the contents. I am hoping that, because I don't know whether the previous links work or not, this post is acceptable. I have a problem with my PC (it is slow, keeps freezing, keeps directing me to different sites to the ones I click etc.). I have tried AVG which highlighted a couple of Trojans and other warnings, all of which have been quarantined. I've since rebooted and rescanned using AVG several times but AVG doesn't find any Trojans, just tracking cookies which I quarantine. I've tried to download from the links listed but an error message box appears stating, "Your current security settings do not allow this file to be downloaded." Is there a way over this problem? BTW, I haven't altered any security settings! Many thanks for any help and advice.
  • aliEnRIK
    aliEnRIK Posts: 17,741 Forumite
    Part of the Furniture Combo Breaker
    Mr_Linnet wrote: »
    I have read the above post and understand the contents. I am hoping that, because I don't know whether the previous links work or not, this post is acceptable. I have a problem with my PC (it is slow, keeps freezing, keeps directing me to different sites to the ones I click etc.). I have tried AVG which highlighted a couple of Trojans and other warnings, all of which have been quarantined. I've since rebooted and rescanned using AVG several times but AVG doesn't find any Trojans, just tracking cookies which I quarantine. I've tried to download from the links listed but an error message box appears stating, "Your current security settings do not allow this file to be downloaded." Is there a way over this problem? BTW, I haven't altered any security settings! Many thanks for any help and advice.

    Reboot and keep pressing F8 to get into SAFE MODE WITH NETWORKING

    Assuming it works ~

    Download MALWAREBYTES (Make sure you click 'DOWNLOAD LATEST VERSION')
    http://www.filehippo.com/download_malwarebytes_anti_malware/
    Open Malwarebytes and go to UPDATE and click 'check for updates'. After it's updated go to SCANNER and click PERFORM QUICK SCAN then click SCAN
    Remove everything that's found (needs to be ticked)
    Post the COMPLETE log in a NEW thread AFTER you've deleted everything it finds
    If anything was found then do the exact same but run a FULL scan


    reboot

    Download HIJACK THIS (Make sure you click 'DOWNLOAD LATEST VERSION')
    http://www.filehippo.com/download_hijackthis/
    Click MAIN MENU then DO A SYSTEM SCAN AND SAVE A LOGFILE (takes seconds) then post the log in your NEW thread so we can see what's running
    (do NOT do anything else with HijackThis but scan and post the FULL log)
    If you get a message that you can't write to the hosts file then press the SHIFT key, and whilst holding it RIGHT CLICK and select RUN AS (admin)
  • malc_b
    malc_b Posts: 1,087 Forumite
    Part of the Furniture 500 Posts
    Mr_Linnet wrote: »
    I have tried AVG which highlighted a couple of Trojans and other warnings, all of which have been quarantined.

    AFAIK the free AVG does not cover rootkits. At least it didn't a while back, and my son caught one of these. I had to build a Windows Ultimate Boot CD in order to be able to boot the PC from something other than the hard disk.

    Once the HD OS was running nothing we did worked. Send the browser to an antivirus site to get a fix and it ended up not at that site (we could see from a clean PC that the sites were different). AVG, which was installed before the infection, was showing errors at this time. Googling the errors found sites offering an exe download to "fix" the problem. Yeah, right, and more infection more like. A fresh copy of AVG on CD downloaded from another PC would not install. Basically once the HD OS was booted the rootkit had control and the only fix I found was to break that cycle with UBCD http://www.ubcd4win.com/
  • Lots of good information here for Windows users, so I thought I would add the following for the benefit of Mac users (if you think you may have seen this before on the Apple Support Forums, you probably have as I wrote this user tip! I have had to remove informative links in this post as they are not allowed here):

    Do not be tricked by 'scareware' that tempts computer users to download fake anti-virus software that may itself be malware.

    Fake anti-virus software that infect PCs with malicious code are a growing threat, according to a study by Google. Its analysis of 240m web pages over 13 months showed that fake anti-virus programs accounted for 15% of all malicious software.

    Scammers trick people into downloading programs by convincing them that their PC is infected with a virus.
    Once installed, the software may steal data or force people to make a payment to register the fake product.
    Beware of PDF files from unknown sources. A security firm announced that by its counting, malicious Reader documents made up 80% of all exploits at the end of 2009:

    (url deleted)

    No viruses that can attack OS X have so far been detected 'in the wild', i.e. in anything other than laboratory conditions.

    It is possible, however, to pass on a Windows virus to another Windows user, for example through an email attachment. To prevent this all you need is the free anti-virus utility ClamXav, which you can download for Tiger and Leopard from (on no account install Norton Anti-Virus on a Mac running OS X):

    (url deleted)

    The new version for Snow Leopard is available here:

    (url deleted)

    (Note: ClamAV adds a new user group to your Mac. That makes it a little more difficult to remove than some apps. You’ll find an uninstaller link in ClamXav’s FAQ page online.)

    However, the appearance of Trojans and other malware that can possibly infect a Mac seems to be growing, but is a completely different issue to viruses.

    If you allow a Trojan to be installed, the user's DNS records can be modified, redirecting incoming internet traffic through the attacker's servers, where it can be hijacked and injected with malicious websites and pornographic advertisements. The trojan also installs a watchdog process that ensures the victim's (that's you!) DNS records stay modified on a minute-by-minute basis.

    You can read more about how, for example, the OSX/DNSChanger Trojan works here:

    (url deleted)

    SecureMac has introduced a free Trojan Detection Tool for Mac OS X. It's available here:

    (url deleted)

    The DNSChanger Removal Tool detects and removes spyware targeting Mac OS X and allows users to check to see if the trojan has been installed on their computer; if it has, the software helps to identify and remove the offending file. After a system reboot, the users' DNS records will be repaired.

    (Note that a 30 day trial version of MacScan can be downloaded free of charge from:

    (url deleted)

    and this can perform a complete scan of your entire hard disk. After 30 days free trial the cost is $29.99. The full version permits you to scan selected files and folders only, as well as the entire hard disk. It will detect (and delete if you ask it to) all 'tracker cookies' that switch you to web sites you did not want to go to.)

    A white paper was published on the subject of Trojans by SubRosaSoft, available here:

    (url deleted)

    Also, beware of MacSweeper:

    MacSweeper is malware that misleads users by exaggerating reports about spyware, adware or viruses on their computer. It is the first known "rogue" application for the Mac OS X operating system. The software was discovered by F-Secure, a Finland-based computer security software company, on January 17, 2008.

    (url deleted)

    This was published on July 25, 2008:

    Attack code that exploits flaws in the net's addressing system are starting to circulate online, say security experts.

    The code could be a boon to phishing gangs who redirect web users to fake bank sites and steal login details.

    In light of the news net firms are being urged to apply a fix for the loop-hole before attacks by hi-tech criminals become widespread.

    Net security groups say there is anecdotal evidence that small scale attacks are already happening.

    Further details here: (url deleted)

    A further development was the Koobface malware that can be picked up from Facebook (already a notorious site for malware, like many other 'social networking' sites like Twitter etc), as reported by the BBC here on December 9, 2008:

    (url deleted)

    You can keep up to date, particularly about malware present in some downloadable pirated software, at the Securemac site:

    (url deleted)

    There may be other ways of guarding against Trojans, viruses and general malware affecting the Mac, and alternatives will probably appear in the future. In the meantime the advice is: be careful where you go on the web and what you download!

    Although any content that you download has the possibility of containing malicious software, practising a bit of care will generally keep you free from the consequences of anything like the DNSChanger trojan.
    1. Avoid going to suspect and untrusted Web sites, especially pornography sites.

    2. Check out what you are downloading. Mac OS X asks you for your administrator password to install applications for a reason! Only download media and applications from well-known and trusted Web sites. If you think you may have downloaded suspicious files, read the installer packages and make sure they are legit. If you cannot determine if the program you downloaded is infected, do a quick Internet search and see if any other users reported issues after installing a particular program. A recent example is of malware distributed through innocent-looking free screensavers: (url deleted)

    3. Use an antivirus program like ClamXav. If you are in the habit of downloading a lot of media and other files, it may be well worth your while to run those files through an AV application.

    4. Use Mac OS X's built-in Firewalls and other security features.

    5. Stop using LimeWire. LimeWire (and other peer-to-peer sharing applications and download torrents) are hotbeds of potential software issues waiting to happen to your Mac. Everything from changing permissions to downloading trojans and other malicious software can be acquired from using these applications. Similar risks apply to using Facebook, Twitter, MySpace, YouTube and similar sites which are prone to malicious hacking.

    6. Resist the temptation to download pirated software. After the release of iWork '09 earlier this year, a Trojan was discovered circulating in pirated copies of Apple's productivity suite of applications (as well as pirated copies of Adobe's Photoshop CS4/5). Security professionals now believe that the botnet (from iServices) has become active. Although the potential damage range is projected to be minimal, an estimated 20,000 copies of the Trojan have been downloaded. SecureMac offer a simple and free tool for the removal of the iBotNet Trojan available here:

    (url deleted)

    Also, there is the potential for having your entire email contact list stolen for use for spamming:

    (url deleted)

    NOTE: Snow Leopard, OS 10.6.x, offers additional security to that of previous versions of OS X, but not to the extent that you should ignore the foregoing:

    Apple's 10.6.4 operating system upgrade silently updated the malware protection built into Mac OS X to protect against a backdoor Trojan horse that can allow hackers to gain remote control over your treasured iMac or MacBook.

    Finally, do not install Norton Anti-Virus on a Mac as it can seriously damage your operating system. Norton Anti-Virus is not compatible with Apple OS X.
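    The symptom that runs through this thread (aliEnRIK's hosts-file message, malc_b's browser "ending up not at the site", and the DNSChanger description above) is a machine whose name resolution has been tampered with. The following is an added example, not code from any poster or tool named here: a small Python check that parses a hosts file and a resolver list (both constructed for the example) and flags public hostnames pinned to routable addresses and DNS servers the owner did not configure. The expected-resolver set is an assumption standing in for whatever the owner's router or ISP actually uses.

```python
import ipaddress

# Constructed sample hosts file: the loopback and 0.0.0.0 lines are normal
# blocking entries; the two 203.0.113.7 lines are the kind of redirect a
# hijacker leaves behind (203.0.113.0/24 is a documentation range).
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost
# constructed rogue entries for this example
203.0.113.7     free.avg.com
203.0.113.7     www.malwarebytes.org
0.0.0.0         ads.example.net
"""

# Constructed resolver list, as you would get from `networksetup -getdnsservers`
# on a Mac or /etc/resolv.conf on Linux.
SAMPLE_RESOLVERS = ["192.168.1.1", "198.51.100.9"]

# Assumption: the owner configured only the home router as resolver.
EXPECTED_RESOLVERS = {"192.168.1.1"}


def parse_hosts(text):
    """Return (ip, hostname) pairs, ignoring comments and blank lines."""
    pairs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        pairs.extend((ip, name) for name in names)
    return pairs


def suspicious_hosts_entries(text):
    """Flag dotted hostnames pinned to a routable address.

    Loopback and unspecified targets (127.0.0.1, ::1, 0.0.0.0) are benign
    blocking; a public hostname pointing anywhere else is the 'browser ends
    up at a different site' symptom."""
    flagged = []
    for ip, name in parse_hosts(text):
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback or addr.is_unspecified or "." not in name:
            continue
        flagged.append((name, ip))
    return flagged


def unexpected_resolvers(resolvers, expected=EXPECTED_RESOLVERS):
    """Return configured DNS servers that are not on the owner's own list."""
    return [r for r in resolvers if r not in expected]
```

A hit from either function is not proof of infection, but on a machine that "keeps directing me to different sites" it is the first thing worth looking at before trusting any download that machine makes.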
  • Hi
    my mum is ringing me up as she has a virus. It's called AntiMalware Pro. It stops virus scanners like AVG running and is trying to get her to buy new virus software. As I can't get to her computer it is very difficult to know how to remove this. Has anyone experienced this, or is anyone able to tell me how to remove this please?

    Thanks
  • Browntoa
    Browntoa Posts: 49,591 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Photogenic
    see post 2 about renaming the Malwarebytes file, or get her to download SUPERAntiSpyware portable at the bottom of post 2

    you can both download the free version of www.crossloop.com and it will enable you to connect to and control her PC remotely
    Ex forum ambassador

    Long term forum member
  • Hello
    I found Trojan horse viruses on my laptop this morning. I ran AVG, which detected and removed the file before I checked on here. I now can't connect to the internet due to firewall problems; should I still follow the instructions in this thread?
  • Browntoa
    Browntoa Posts: 49,591 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Photogenic
    yes, start with just the Malwarebytes part

    then post that log file in a new thread when you have done it
    Ex forum ambassador

    Long term forum member
    Can you help me? My home computer will not let me open any of my desktop icons; it won't even let me do a system restore. I get an anti-virus saying "your system is under attack" etc. etc. What should I do?
  • Browntoa
    Browntoa Posts: 49,591 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Photogenic
    read the first four posts in this thread, follow the steps

    start a NEW thread about your problem with the log files you have got from your scans
    Ex forum ambassador

    Long term forum member