Spyware problem...

Due to a bit of stupidity on my part, I got myself a DCAds spyware dealie. I’ve run Spybot, Adaware and AVG, and manually deleted as many files as I can find, but I’m still getting the occasional pop-up. Would one more experienced than me suggest something to do next?

Try looking through your Hijack This! scan

Have you tried a System Restore to before you got the virus? That saved a friend of mine’s PC from a REAL killer virus that had almost locked every function on his PC. (He caught it from looking at that infamous “hostage decapitation site” of a few years ago… yeah, if he had asked me I would’ve told him to stay away from the damn place.)

If you have your stuff backed up, a format is always a clean solution.

System restore is the bomb if you have Vista. XP is too wide open and modern malware can easily sidestep it.

I suggest a thorough cleaning with these 4 scanners, as things are quite prevalent these days.

Smitfraudfix: (This takes care of the prevalent SmitFraud infection that installs rogue scanners)
http://tinyurl.com/yfxcaz

Combofix: (Takes care of rootkits that hide infections that install rogue scanners)
http://tinyurl.com/29gj2s

Vundofix: (Takes care of the Vundo infection that installs Rogue Scanners)
http://tinyurl.com/9uaag

Superantispyware: (You haven’t tried this scanner)
http://tinyurl.com/ysredh

For information on rogue scanners try:
http://www.spywarewarrior.com/rogue_anti-spyware.htm

Also, if you don’t actually PAY for antivirus/antispyware software, here are some free resources for what I think are the best free active protection programs.
(Active protection, it stops stuff as it comes in)

Antivirus:
AntiVir (Less popular than AVG Free, therefore it detects more as fewer virii try to avoid it. Kicks Norton/McAfee/Trend Micro’s butts!)
http://filehippo.com/download_antivir/

Antispyware:
Spyware Doctor Free google version (Less “guards” but it has the crucial file guard)
http://www.pctools.com/spyware-doctor/google_pack/

Spybot (Immunize the browsers with it, and use Tea Timer ONLY if you are an advanced user)
http://spybot.info

Sticky if you need to.

Source: I am an Advanced Software Computer technician. :spam:

Have you gone through the registry? A lot of the time, components will be hidden in the registry, and no matter how many times you delete the files, they will be recreated as a result of the registry components.

Usually there will be another program in memory that will do so, but that program will be well hidden due to the registry, as you have said.

For that, there are 3 tools.

Hijackthis:
http://tinyurl.com/2vhrjo

Autoruns:
http://tinyurl.com/rnl5p

Process explorer:
http://tinyurl.com/y6nw5d

You must run Combofix and Smitfraudfix BEFORE running these programs mind you.

There are some nasty malware variants that disable the copying and pasting of files on any profile and will nuke the profile you’re working in.

So, you use Autoruns to determine which processes (roughly) have files running in them. In Autoruns, once it finishes its first scan, click Options up on the top, then click “Verify Code Signatures” and “Hide signed Microsoft entries.” You can now browse by section to see what starts up when the PC runs (Logon = standard startups in msconfig, Winlogon = in winlogon, LSA = Lsass, etc.). You should also double-check with Hijackthis.

Don’t fix ANYTHING until you have used process explorer.

In Process Explorer, hit CTRL + F to bring up a find menu. Search for the suspicious files (example: ohnoes.dll <- Yes, that exists). Find out which processes they are running in (most likely explorer.exe, iexplore.exe, lsass.exe, winlogon.exe and svchost.exe). Programs and files that show up in Process Explorer in a deep purple are usually bad files (packed files). Just make sure they’re not one of your virus/spyware scanners.

Regardless, keep Hijackthis open while you perform these steps. In Process Explorer, right click on the program that is infected with the file. Left click on Properties. Finally, click on “Threads”. From there you should look for all signs of your suspicious file. Left click on them, then click on “Suspend” down below. That will keep it in stasis as long as too many of its friends aren’t running. Hunt down all malicious processes you can in this manner. If a ctrl-f search says a file is in a program but it’s not in the Threads view, that is not something to worry about.

Once everything is suspended. KILL THOSE MOTHER BUGGERS in Hijackthis.

If there are ones in Autoruns that are not in Hijackthis, right click on them and delete them there. Use a program like NotMyFault to cause a bluescreen, then shut your PC down. Load Windows back up and check for signs of infection to be sure. If there are none, reboot twice more to see if any symptoms come back. If not, you’re in the clear.
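Added example, not posted by anyone in this thread: a read-only PowerShell script that approximates the two checks the post above describes by hand, namely Autoruns with “Verify Code Signatures” and “Hide signed Microsoft entries” turned on, and a Process Explorer Ctrl+F over the host processes the post names. It walks a handful of well-known autostart registry keys (a subset of what Autoruns covers; the Wow6432Node copies on 64-bit Windows are left out) and lists every loaded DLL in those processes that does not carry a valid Microsoft Authenticode signature. The process names and the idea of hiding Microsoft-signed entries come from the post; the helper function names are my own. The script only reports; it does not suspend threads, delete files or touch the registry, so it is a safe first pass before anything is “fixed” in HijackThis or Autoruns.

```powershell
# Added example (not from the thread). Read-only triage of autostart entries
# and loaded DLLs. Run from an elevated PowerShell prompt on the affected box.

# Well-known autostart locations: a subset of what Autoruns enumerates.
$autostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)
# Property names Get-ItemProperty adds that are not registry values.
$psNoise = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-ImagePathFromCommand {
    # Extract the executable from a value such as
    #   "C:\Program Files\Foo\foo.exe" /silent   or   %SystemRoot%\bar.exe -x
    param([string]$Command)
    if ([string]::IsNullOrWhiteSpace($Command)) { return $null }
    $raw = if ($Command.StartsWith('"')) {
        $end = $Command.IndexOf('"', 1)
        if ($end -gt 1) { $Command.Substring(1, $end - 1) } else { $Command.Trim('"') }
    } else {
        ($Command -split '\s+')[0]
    }
    $path = [Environment]::ExpandEnvironmentVariables($raw)
    if (Test-Path -LiteralPath $path) { return $path }
    # Bare names (Winlogon's Shell = explorer.exe) live in the Windows directories.
    foreach ($dir in @($env:SystemRoot, "$env:SystemRoot\System32")) {
        $candidate = Join-Path $dir $path
        if (Test-Path -LiteralPath $candidate) { return $candidate }
    }
    return $path
}

function Test-Signature {
    # Authenticode status plus signer subject for one file.
    param([string]$Path)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Status = 'FileMissing'; Signer = '' }
    }
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    [pscustomobject]@{ Status = $sig.Status.ToString(); Signer = $signer }
}

function Test-MicrosoftSigned {
    param($SigInfo)
    $SigInfo.Status -eq 'Valid' -and $SigInfo.Signer -like '*Microsoft*'
}

function Get-SuspiciousAutostarts {
    # Everything Autoruns would still show after "Hide signed Microsoft entries".
    foreach ($key in $autostartKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($name in ($props.PSObject.Properties.Name | Where-Object { $_ -notin $psNoise })) {
            # Winlogon has many values; only Shell and Userinit launch programs.
            if ($key -like '*Winlogon' -and $name -notin @('Shell', 'Userinit')) { continue }
            foreach ($part in ([string]$props.$name -split ',')) {   # Userinit is a comma list
                if ([string]::IsNullOrWhiteSpace($part)) { continue }
                $image = Get-ImagePathFromCommand $part.Trim()
                $sig = Test-Signature $image
                if (Test-MicrosoftSigned $sig) { continue }
                [pscustomobject]@{ Location = $key; Name = $name; Image = $image
                                   Signature = $sig.Status; Signer = $sig.Signer }
            }
        }
    }
}

function Get-UnsignedLoadedModules {
    # Process Explorer's Ctrl+F over the host processes the post calls out:
    # every loaded DLL that is not validly signed by Microsoft.
    param([string[]]$ProcessNames = @('explorer', 'iexplore', 'lsass', 'winlogon', 'svchost'))
    foreach ($proc in Get-Process -Name $ProcessNames -ErrorAction SilentlyContinue) {
        # Module enumeration is denied for some protected/system processes.
        $modules = try { $proc.Modules } catch { @() }
        foreach ($m in $modules) {
            $sig = Test-Signature $m.FileName
            if (Test-MicrosoftSigned $sig) { continue }
            [pscustomobject]@{ Process = $proc.ProcessName; PID = $proc.Id; Module = $m.FileName
                               Signature = $sig.Status; Signer = $sig.Signer }
        }
    }
}

'== Autostart entries not signed by Microsoft =='
Get-SuspiciousAutostarts | Format-Table -AutoSize
'== Non-Microsoft DLLs loaded into common host processes =='
Get-UnsignedLoadedModules | Sort-Object Module -Unique | Format-Table -AutoSize
```

Anything listed is a lead, not a verdict: legitimate third-party software (your own AV and spyware scanners included, as the post warns) shows up unsigned or third-party-signed too, and a `FileMissing` entry whose command line points at a path that no longer exists is often leftover from a previous clean-up rather than live malware. Cross-check each hit against the Autoruns and HijackThis views before removing it.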

I recommend trying HijackThis, but be very careful, because HijackThis can mess you up badly if you delete the wrong thing.

Quite so. Same goes for Autoruns.