Just because you "fixed" it in HJT doesn't mean it's clean.
I. Use the Mandatory Steps prerequisite for running apps & posting logs first:
»Security Cleanup FAQ »Mandatory Steps Before Requesting Assistance
II. Do NOT start your fix by disabling System Restore. This rule applies to any manual fixes and is especially true for spyware removal. That is because disabling System Restore wipes out all restore points. Should a problem arise during the fix, you would have NO good working configuration to go back to in order to get the computer up and running again. Even if you have to start over removing infections, this is preferable to a dead PC thanks to having System Restore turned off. Clean the restore folder and set a new point AFTER the PC is clean and all programs are working properly.
How to Turn On and Turn Off System Restore in Windows XP
How to Enable and Disable System Restore in Windows ME
III. Please don't delete all the O16 items as a rule. I see this being done and it is very sloppy HJT work, as the harmless, even helpful, ones should remain on the user's PC. You can check O16 items in SpywareBlaster's Database by right-clicking on the Database list in the program and choosing *find* (you can find by name or by CLSID). Then, if found, you can click on *more information* and find by name to see what that item is and whether there are any special instructions needed (Javacool provides information links to many of those items). With the ones that remain, if you are not sure, you can check the website against Eric Howes' IE-SPYAD if you are using it. If the site shows up in the Restricted sites zone, it's best to remove the item. But I see too many helpers removing perfectly harmless O16 items.
IV. About (file missing) and what it means. It doesn't always mean the file is really missing!!
You will see (file missing) in some of the lines in different sections. You can only rely on that to be true in the sections for BHOs and Toolbars (O2s & O3s).
When you see (file missing) in other sections, it may really NOT be missing. You will see it in the O9s and the O23s especially. The only time you should fix a (file missing) entry in those sections is IF AND ONLY IF you see a *bad* file there. Be aware that "fixing" doesn't remove the malware either. It's important to have them manually delete the file as well (plus any other recommended removal methods).
Except for the O2 & O3 sections, good items listed in other sections with (file missing) should be left alone. Most often they ARE there but HJT doesn't see the file.
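As an added example (not part of the original FAQ), a small Python triage script that applies the rule above to HijackThis log lines: it trusts "(file missing)" only in the O2/O3 sections and, for every other section, checks whether the file actually exists on disk before suggesting anything. The log lines, GUIDs and the `exists` callback are constructed for illustration; the line layout follows typical HJT logs.

```python
import os
import re
from typing import Callable, Dict, Iterable, List, Optional

# Section prefix of an HJT log line, e.g. "O9 - Extra button: ..." (assumed typical HJT format).
SECTION_RE = re.compile(r"^(O\d{1,2}) - (.*)$")
# The path is the last " - " field; strip the trailing "(file missing)" tag.
PATH_RE = re.compile(r" - ([A-Za-z]:\\[^()]+?)\s*\(file missing\)\s*$")
# Sections where the tag can be relied on, per the guidance above (BHOs and Toolbars).
RELIABLE_MISSING = {"O2", "O3"}

# Constructed sample log lines (placeholder GUIDs and paths, not real indicators).
SAMPLE_LOG = """\
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\\Program Files\\Example\\helper.dll (file missing)
O9 - Extra button: Messenger - {00000000-0000-0000-0000-000000000001} - C:\\Program Files\\Messenger\\msmsgs.exe (file missing)
O23 - Service: Example Service - Unknown owner - C:\\WINDOWS\\System32\\example.exe (file missing)
O4 - HKLM\\..\\Run: [Example] C:\\WINDOWS\\example.exe
""".splitlines()


def triage_file_missing(lines: Iterable[str],
                        exists: Callable[[str], bool] = os.path.exists) -> List[Dict[str, Optional[str]]]:
    """Return one verdict per '(file missing)' line: missing, present, or verify-manually."""
    results = []
    for line in lines:
        if "(file missing)" not in line:
            continue
        m = SECTION_RE.match(line.strip())
        if not m:
            continue  # not an HJT section line; ignore
        section = m.group(1)
        pm = PATH_RE.search(line)
        path = pm.group(1).strip() if pm else None
        if section in RELIABLE_MISSING:
            verdict = "missing"           # O2/O3: the tag is trustworthy, safe to fix
        elif path and exists(path):
            verdict = "present"           # HJT just could not see it; leave the item alone
        else:
            verdict = "verify-manually"   # look at the file on disk and identify it before fixing
        results.append({"section": section, "path": path, "verdict": verdict})
    return results


if __name__ == "__main__":
    # Against a real log, drop the exists= argument to check the local filesystem.
    for r in triage_file_missing(SAMPLE_LOG, exists=lambda p: p.endswith("msmsgs.exe")):
        print(f"{r['section']:>4}  {r['verdict']:<16} {r['path']}")
```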
V. Don't begin fixes until you have an updated HJT version and it is located in the proper folder!!
VI. Back up the Registry. Don't even think about giving instructions to edit the Registry unless you have them back up the Registry first.
How to backup and restore the entire registry:
VII. Don't wrap up a thread until you have given your user some prevention advice and tools.
»Security Cleanup FAQ »How do I prevent Browser Hijacks and Spyware?
Give a man a fish and he will eat for a day. Teach a man to fish and he will eat for a lifetime.
Remember that part of our mission is educating our visitors! Each one should not leave here without some good free antispyware tools and instructions to be able to clean their PC and prevent future infections.
VIII. Remember to check for Windows Critical Security Updates. Remind your victims to check Windows Update and get all the latest updates recommended for their OS and IE. The first defense against infection is a properly patched system and browser.
Encourage them to set their PC for automatic updates so that they won't miss any.
IX. DO look up what type of malware you are dealing with where possible.
Many times, the user might have a nasty that requires extra instruction due to registry changes, lowered security settings, or other considerations. This is especially so in the case of a dangerous nasty like a trojan, keylogger, password stealer or RAT. Most of the databases used to look up HJT items have reference links for the file names - very useful in these cases :)
In other words, just finding out a file is bad is NOT ENOUGH. You must find out why it is bad and how to clear out the entire infection, plus any cautions your user may need to know about changing passwords, accounts, etc.
X. DO identify unknown files and submit undetected nasties to the AT/AV/AS vendors where possible. You can scan single files at one of these:
»Security Cleanup FAQ »Single File Detection Sites
Those sites will submit your file to any vendors they use at their site that do NOT detect a particular nasty (unless none of them detect it, in which case you need to submit it manually to the vendors).