Elazul Yagami Posted June 5, 2006

After blood and tears and fighting, I've won a spyware war against a flocking leech. There aren't that many resources about it (I googled), so I developed my own solution... here it is in case anyone has a problem with it:

Well, I was infected with Ul windowseek... and well, I couldn't find any decent resources on how to fix it. Ul windowseek is an annoying biatch, and is usually coupled with coolwebsearch, dialers and other shit, and yes, it actually does affect Firefox. Well, here's how:

What you need:
1- HijackThis.
2- Open Regedit window.
3- Open Windows Task Manager window on the Processes tab.
4- PATIENCE... removing this thing is a biatch.
5- CWShredder.
6- A good antivirus.
7- A good anti-spyware/adware.
8- SpywareBlaster with full protection enabled.
9- Open Notepad window.
10- Ewido anti-malware (more useful than it seems if you're not using Symantec Corporate antivirus or something of the sort).
11- Explorer windows open on the following folders:
    C:\WINDOWS\Temp
    C:\WINDOWS\system32
    C:\Documents and Settings\"User name"\Local Settings\Application Data
    (Yes, it is important to have all these open.)

Optional:
1- Windows Defender: saves searching time but not integral.
2- CCleaner (crap cleaner); however, it's again not integral.
3- Unlocker program, used to help delete or move a file when it refuses to do so because it's being used by another file (be careful using it).

What to do:
1- First off, open an IE window and disconnect your phone line if you use DSL/ISDN, etc. (dialers will try to dial in and cost you a shitload of money; however, you need internet for a few mins).
2a- Use traditional scanners (adware, spyware, malware, etc.) and CWShredder; remove ANYTHING they find, even MRUs and such.
2b- Wait for the ulwindowseek window(s) to open (it should be blank now, since SpywareBlaster and the other programs should've blocked access to the ads).
2c- Close your internet connection; disable the LAN or modem (if you use dial-up) connection, so the infection doesn't recover from online.
3- Check the processes in the Windows Task Manager tab. You should start to see some odd-looking processes, full of numbers and such, and almost always with the extension ".exe". You'll note a particular process that, if you close it, the open ulwindowseek windows will close, and it'll most likely be a series of numbers.exe.
4- Type down the names in Notepad, note them for later, and (VERY IMPORTANT) kill/end the odd-named process (should kill both ul windowseek windows when you kill this process).
5- Open HijackThis, scan, and check to see if any of the names you wrote down are labelled there. Also search for a URL that starts with an IP address (http://ipaddress/oddfilename); note the name of the odd file name. Also note any entries that have "file missing". You should find the following:
    a- One entry of the odd file name in C:\WINDOWS\system32
    b- One entry of the same odd file name in C:\Documents and Settings\"User name"\Local Settings\Application Data
    In my instance the odd file name was something like 350237.exe.
    Alt method for steps 3 & part of 5: use Windows Defender. Even though it won't actually stop the infection, it will register the file, and you can search through your Defender history and find the odd file name a bit easier.
6- Now, make sure that all these names aren't legit programs (it's easy to find out: find the file, right-click, check Properties, and it'll say if Microsoft made it, etc.). Once you're sure, check the box and have HijackThis fix them. For reference, this is what you should be removing:
    a- One entry of the odd file name in C:\WINDOWS\system32
    b- One entry of the same odd file name in C:\Documents and Settings\"User name"\Local Settings\Application Data
    c- An entry (or more) that has no company information and leads to a http://"ipnumber"/"filename2"
    d- Anything else that seems too flocked up to be legit.
    Remove all of these... now it's time for the heavy stuff.
7- Switch to Regedit and start looking for entries for the odd file name... REMOVE THEM ALL. Doesn't matter where the entry is, REMOVE IT. There's a slight chance you might also find entries for "filename2"; if you do, remove those too.
8- Once done, CLEAN YOUR COMPUTER. This is where CCleaner comes in: either use it, or manually delete all temp files, all temp internet files, etc. (advice: use CCleaner, much simpler). Remember the windows we had open? Now's the time to use them. You should find files associated with the names we've collected in all three of those folders (sometimes you'll only find them in one or two); delete all these files, using Unlocker if you must (and want). Try to be a bit fast in this step, 'cause I think if given enough time, the infection will reinfect (e.g. file b will restore deleted file a before you delete b).

----------------------------------------
***** From this point on, I'm assuming that the pieceofshit didn't manage to reinstall itself. If it has, then you must repeat instances 5-7 again. *****
----------------------------------------

9- Once more run HijackThis and make sure the entries weren't re-added; research the registry one last time; double-check the folders to see if items have been added.

Checklist time:
---------------
By now you should've removed:
1- Registry entries for odd-name files
2- Actual odd-name files
3- Browser hijacks for odd-name files, an entry (or more) that has no company information and leads to a http://"ipnumber"/"filename2", and anything else that seems too flocked up to be legit.
4- All temp files, etc.

By now, this should've actually deleted the ulwindowseek itself; therefore the popups should not show up again, but we will make sure of that here. However, since it's usually bundled with trojans and such, we still need to remove those. Reboot your computer into safe mode.

10- Run HijackThis in safe mode and make sure there are no suspicious entries.

OPTIONAL STEP:
--------------
11- Run Ewido anti-malware; do a full system scan (or custom and specify drive C only). It should find the remaining trojans (as well as the .dll file) and delete them (after the scan is done and you reboot). Note the trojan name in the Notepad doc in case you need to remove it manually.
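An added read-only triage script, not part of the original post, that automates the manual checks of steps 3 through 7 above on a modern Windows host with PowerShell 3 or later: it lists running processes whose image name is only digits (the post's 350237.exe pattern), looks for files with those names in the three folders the post keeps open, and reports autorun entries that reference them or an http://ipaddress/file URL. The Run/RunOnce keys and the mapping of "Local Settings\Application Data" to $env:LOCALAPPDATA are my assumptions; it only reports and never deletes.

```powershell
# Added triage helper (not from the original post). Reports only; nothing is killed or deleted.
$folders = @(
    "$env:SystemRoot\Temp",
    "$env:SystemRoot\System32",
    "$env:LOCALAPPDATA"      # assumption: Vista+ equivalent of Local Settings\Application Data
)
# Assumption: the common per-machine and per-user autorun keys are where the entries live.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Step 3: processes whose name is nothing but digits, e.g. 350237.exe
$suspect = Get-Process | Where-Object { $_.ProcessName -match '^\d+$' }
foreach ($p in $suspect) {
    # Step 6: the post's "right-click, Properties" check, read from the version resource
    $company = try { $p.MainModule.FileVersionInfo.CompanyName } catch { '<unreadable>' }
    "PROCESS  pid=$($p.Id) name=$($p.ProcessName).exe path=$($p.Path) company='$company'"
}
$names = @($suspect | ForEach-Object { "$($_.ProcessName).exe" } | Sort-Object -Unique)

# Steps 5/8: copies of those files (or any all-digit .exe) in the folders the post keeps open
foreach ($dir in $folders) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue |
        Where-Object { $names -contains $_.Name -or $_.Name -match '^\d+\.exe$' } |
        ForEach-Object { "FILE     $($_.FullName) size=$($_.Length) modified=$($_.LastWriteTime)" }
}

# Steps 5/7: autorun values that mention a suspect name or an http://<ip>/<file> URL
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($v in $props.PSObject.Properties) {
        if ($v.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath/PSParentPath metadata
        $val = [string]$v.Value
        $hitName = $names | Where-Object { $val -match [regex]::Escape($_) }
        $hitUrl  = $val -match 'https?://\d{1,3}(\.\d{1,3}){3}/'
        if ($hitName -or $hitUrl) { "AUTORUN  $key\$($v.Name) = $val" }
    }
}
```

Run it before and after the manual removal so the second run confirms nothing listed under PROCESS, FILE or AUTORUN came back, which is the check step 9 does by hand.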