hijack repair

When you have determined that you are infected, you often need to do a certain amount of cleaning before you can clean the rest of the system. This procedure does just that.
  1. Remove all you can with a standard spyware removal program:

    • SpyBot Search & Destroy
    • Ad-Aware

  2. Unlock your anti-spyware to allow for changes in the registry and the hosts file.

  3. Use HijackThis to see the points where your computer/browser can be taken control of (hijacked).

    • Fix all the search pages, start pages, and hosts file entries you haven't put there yourself.

    • Fix all O5 lines

    • Fix all O6 lines

    • Fix all O7 lines

  4. Put "Internet Options" back on the control panel.

    • Windows 9x and ME
      To put Internet Options back into the control panel, do a file search for a file named "control.ini" and open it in Notepad. You may see something like this:

        [don't load]
        inetcpl.cpl=yes

      Delete the "inetcpl.cpl=yes" line under "[don't load]". You may need to reboot.

    • Windows NT, 2000, XP, 2003

      HKEY_CURRENT_USER\Control Panel\don't load\
      If inetcpl.cpl is listed, delete the entry for it and log off.

  5. Run a search on your hard drive for any files matching *.hta or *.js. If you find any, open them in Notepad or some other text editor and look for the URLs that you have been hijacked to. Delete any file that contains those URLs. Also delete all *.tmp files on your drive; some of them contain malicious code (e.g. for browser hijacks or malware (re)installations). Besides, deleting *.tmp files doesn't hurt, unlike DLLs, which are also sometimes used for this purpose. (Thanks to cexx.org for the additional info in this step.)

  6. HijackThis will list any BHO installed on your computer. Check the BHOs listed against the list of all known BHOs. If you find one listed as some sort of spyware/malware/hijackware, run HijackThis again and find that BHO in the list. Check its box and have HijackThis fix it. If you find a BHO that is not included in the list, please make a post in the Browser Hijackings section of our support forums with the HijackThis log pasted in, along with an explanation of your problem. Please wait for replies before deleting this BHO, as it may be a new one which I can have added to various spyware/malware cleaning programs. It may also be an innocent file that is not causing your problem, so please wait for advice before deleting it.

  7. Now you need to see if there is a startup entry for your hijacker file. If there is, the hijack might come right back the next time you reboot. The reason for this would be an entry in the Run section of the registry. Look in HijackThis for O4 startup items. Check the entries listed against Pacman's List. Put a checkmark next to any item listed as a virus, malware, spyware, or something else that is undesirable, and "fix" it.
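
To work through steps 3, 6 and 7 on a saved HijackThis log, the entries can be grouped by the action each step assigns to them. The following is an added example, not part of the original article or of HijackThis itself; the sample log lines are constructed, and the names triage, hijack_hosts and STEP are hypothetical.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample lines in the log's "<code> - <detail>" layout (not from a real machine).
SAMPLE_LOG = r"""Logfile of HijackThis
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.example.invalid/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.example.invalid/
O1 - Hosts: 203.0.113.7 auto.search.msn.com
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\example.dll
O4 - HKLM\..\Run: [updater] C:\WINDOWS\example.hta
O5 - control.ini: inetcpl.cpl=yes
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
"""

# Action the procedure above assigns to each section code.
STEP = {
    "R0": "review", "R1": "review", "O1": "review",  # step 3: fix what you did not set
    "O5": "fix", "O6": "fix", "O7": "fix",           # step 3: fix all
    "O2": "lookup-bho", "O4": "lookup-startup",      # steps 6 and 7: check against the lists
}
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")

def triage(log_text):
    """Group log entries by the action the procedure assigns to their section."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:  # header and blank lines do not match and are skipped
            code, detail = m.groups()
            groups[STEP.get(code, "other")].append((code, detail))
    return dict(groups)

def hijack_hosts(groups):
    """Hostnames from R0/R1 URLs: the strings to look for in *.hta and *.js files (step 5)."""
    hosts = set()
    for code, detail in groups.get("review", []):
        if code.startswith("R") and " = " in detail:
            host = urlparse(detail.split(" = ", 1)[1].strip()).hostname
            if host:
                hosts.add(host)
    return sorted(hosts)

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for action, entries in result.items():
        print(action, [code for code, _ in entries])
    print("search files for:", hijack_hosts(result))
```

Entries in the "review" group still need a human decision: only the ones you did not set yourself should be fixed.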

More information:
  • http://www.cexx.org/hphijack.htm - Homepage Hijackers

  • http://www.pcworld.com/news/article/0,aid,63345,00.asp - Stealth ad explosion

  • http://www.pcworld.com/news/article/0,aid,101916,00.asp - Web Ad Explosion

  • http://www.pcworld.com/news/article/0,aid,84464,tk,dn021402X,00.asp - Invasion of the browser snatchers

  • http://www.spywareinfo.com/newsletter/archives/september-2002/09212002.html#xupiter - Xupiter

Based on an article by Mike Healan at spywareinfo.com
