Domain: merijn.org
Stories and comments across the archive that link to merijn.org.
Comments · 7
-
Re:Off the top of my head:
Another great program for when (not if) your machine's acting weird is hijackthis. It tells you everything that runs when your computer boots, even programs called from other programs, and allows you to delete any you don't want running. You can even run it from a CD, although it will complain that it can't write a log file (It only writes to its own folder.) so it's easy to use at on friend's box.
-
Re:Simply not true
Did you just recommend MSconfig for system analysis and troubleshooting? Pffft.
HijackThis is much more thorough, IMNSHO. -
Re:HijackThis + Google
-
Re: 40 mothers agree: Cleaning Windows is a PITA
More often than not these days, the real tough buggers have randomly generated process names. Here's how I clean a machine:
Tools required:
Process Explorer(procexp) from http://www.sysinternals.com/
autoruns.exe from the same, or hijackthis.exe from http://www.merijn.org/
Any good virus scanner(McAfee's Enterprise scanner is decent. Use a simple scanner if possible, not a scanner/firewall/spam filter/personal servant. It will be generally be faster and simpler.
Ad-Aware from http://www.lavasoft.de/
LSPFix from http://www.cexx.org/lspfix.htm/
Updated Stinger from McAfee http://vil.nai.com/vil/stinger/
Experience enough to know valid windows processes and files.
Have all of this on a USB drive or CD. Will probably fit on a 64mb drive, unless your virus package is bulky.
Boot to safe mode
Start Task Manager or Proc Explorer and kill anything that doesn't look good, or everything that you know isn't part of windows. You could go to Control Panels:Admin Tools:Services and stop all services first, this will narrow the field.
Run Stinger, just let it scan memory and running apps. Don't wait for it to do a full system scan.
Run Ad-Aware, do the same. Just trying to ditch bad things that are actually running.
If you've gotten this far in 15 minutes, the machine probably isn't in too bad of shape. Dump all temp files, c:\temp, c:\winnt(windows)\temp, c:\documents and settings\username\local settings\temp, c:\documents and settings\username\local settings\temporary internet items
Update virus definitions and do a full scan. Latest SuperDAT from McAfee or Definitions from Symantec or whoever you use, should also be put on the USB drive or CD.
So, virus scan didn't deal with it, or couldn't stop/remove it? This is where it gets tricky and completely manual. This is the point where most people give up, since you really need to know what should be where in Win2k/XP/2k3. I'm really not thinking of 95/98/Me, if those are hosed just wipe it clean and move to XP home for $99-199
Run HiJackthis and look for gremlins. This tool really requires an eye for what is supposed to be there, but pay special attention to startup objects and BHOs(Browser Helper Objects aka evil Internet Explorer plugins)
Add/Remove programs. Go through it with the client. Anything they don't recognize, or know they don't need, ditch. This can be risky, since people forget, but compared to a reinstall . . .
Now for the real manual part . . .
Run lspfix and check for foreign entries. There are normally 2-4 LSP's present. I usually only do this if there are persistent network failures.
Check Hosts file at c:\winnt(windows)\system32\drivers\etc\hosts There really should only be one entry in here, for 127.0.0.1 localhost. You may have already checked this with hijackthis
Browse to c:\winnt(windows). Sort by date. On a default install, the file modify dates are going to be a long time ago. If you see anything from within the last few months, get suspicious. Ignore log/text files, but don't ignore those without an extension. Do the same for c:\winnt(windows)\system32 This can be a bit trickier, there are way more files in system32 than winnt(windows), but the same rule generally applies. Anything from the last 3-6 months is suspicious.
Do the same for c:\program files Delete any empty folders that your previous uninstall didn't remove. You should have an idea what is supposed to be here, after doing Add/Remove programs, so hack and slash the folders that you don't think belong.
In one of these deleting sprees you are sure to find something bad that won't let itself be deleted, usually a .dll that is registered and can't be removed. Never fear! Write down the .d -
CWS claimed "affiliates" do it...
But they're basically commissioning it with their PPC search engine model.
Also, if you've not read up on CWS and what they do - and how they do it - read this:
http://merijn.org/cwschronicles.html
Merijn's the original developer of CWShredder, and while his recording of CWS stops at the original about:blank strain, that's enough to tell you what kind of scum pull this.
Disclaimer: I use CWShredder in my work on SpywareInfo's antispyware boards. -
Re:Link please
the maker of hijackthis has a website at http://www.merijn.org/
the AC gave a url for spybot... i usually use http://www.safer-networking.org/ -
Re:I Prefer hijackThis
There is a newer version (beta) availlable at http://www.merijn.org/files/beta/hijackthis199_be
t a.zipThis one also shows running processes and is able to kill them.