How to fix popups, spyware, malware and nuisance programs

  1. #1
    Driver Terrier NooNoo's Avatar
    Join Date
    Dec 2000
    Location
    UK
    Posts
    31,824

    How to fix popups, spyware, malware and nuisance programs

    Tools for killing spyware are:

    Start with an online virus check. Yes, you may have the latest and greatest, but often these are blocked so that they appear to work but are not. Online checks cannot be blocked. If you can't get to the online page, you have either got a Java problem or big worries.

    a-squared trojan, dialer and worm scanner Free version (requires a free activation code).

    spybot Must be updated as soon as it's installed.

    adaware Must be updated as soon as it's installed.

    spyware blaster Run this as a further check

    bhodaemon Use this to see what "helper objects" are not very helpful.

    Hijack this Gives you a list and lets you decide what to kill.

    this will help you to understand what hijackthis is telling you

    more in depth tutorial for reading a hijack this log

    cwshredder gets cool web search and its variants

    About:Blank killer

    Now the tricky bit is to work out what you don't want.

    Where possible run these in safe mode (press f8 just before windows starts loading)
    First, disconnect from the internet and if you have a network, unplug the network cable. This will prevent cross-infecting from other machines or the internet feeding you more problems.

    Run spybot to kill most things automatically
    Run adaware to see if spybot missed anything
    Run bhodaemon and look up whether you want those bhos
    Run hijack this, make a note of any .exe or .dll or .cab files, check the ones you want fixed and click the fix button. Now go on a search and destroy mission of your own. Make sure you can see hidden and system files (my computer, folder options, view for xp or my computer, view, folder options, view for 9x). Find each file and delete it - either to the recycle bin and then empty it or press and hold shift and hit the delete key.

    If files will not let you delete them, you may have to turn off a service in xp/2k and end a process tree, or in 9x/me press ctrl, alt,del and end task.

    Now use the immunise function in spybot to stop those damn things installing again.

    Only reboot to normal mode when you feel sure you got it all. If you didn't, you may get it straight back again.

    There are a few more of these utils - I am sure people will add to the list.

    pestpatrol has a library of spyware with explanations (http://www.pestpatrol.com/pestinfo/#index). The product is commercial, but the info is free.

    You will also need some sort of winsock/lsp fix if certain spyware is removed the wrong way. When this happens you will know, because you won't get on the internet and nothing you do will make a difference.

    winsockfix

    winsock2 fix for windows 95/98/ME

    winsock2 fix for 2k/XP

    lsp fix

    Here is how SteveCohen fixed the Ndrv problem:

    I stopped the NDrv.exe process.
    I then deleted both NDrv.exe and NDrv.dll
    I also deleted the following Reg Keys:

    HKEY_CURRENT_USER\Software\Clickspring
    HKEY_CLASSES_ROOT\CLSID\{1B7D753B-1981-4bd2-91F3-6D055EE113A0}
    HKEY_CLASSES_ROOT\Context1.Curl
    HKEY_CLASSES_ROOT\Context1.Curl.1
    HKEY_CLASSES_ROOT\TypeLib\{EE6F3F6A-AD8E-48DA-9B1D-D5204B2D227D}
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]"NDrv"="C:\\WINNT\\system32\\NDrv.exe"
    You should attempt this in safe mode, logged in as administrator in 2k or XP. In 9x/ME there is no login, but you should still use safe mode.

    You must turn off system restore in xp or me for this to work.
    The Ndrv.exe and dll files should be found in c:\windows\system32 or c:\winnt\system32 if you are running windows 2000.

    To delete the registry keys, start, run, type in regedit. First thing you should do is File, Export and export the current registry to a file that can be easily found - such as c:\mybackup.reg. Find the keys above one at a time, by navigating or by using edit, find. Right click on the key and select delete. If you are sure you have the right key, click yes to delete it. If the key will not delete you have not ended the process in task manager or you do not have administrative rights to delete the key.

    If you have winlogin.exe running as a process, you probably have Wintools. Good how to remove it here
    Last edited by NooNoo; September 30th, 2004 at 01:29 PM.
    Never, ever approach a computer saying or even thinking "I will just do this quickly."
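
An added example, not part of the original post: a checker that reads a regedit export such as the c:\mybackup.reg file described above and reports which of the NDrv keys listed in the post are still present, without touching the live registry. The function names and the sample export are constructed for illustration, and it assumes the export uses the same root key names as the post.

```python
import re

# Keys and Run value named in the post for the NDrv cleanup.
NDRV_KEYS = [
    r"HKEY_CURRENT_USER\Software\Clickspring",
    r"HKEY_CLASSES_ROOT\CLSID\{1B7D753B-1981-4bd2-91F3-6D055EE113A0}",
    r"HKEY_CLASSES_ROOT\Context1.Curl",
    r"HKEY_CLASSES_ROOT\Context1.Curl.1",
    r"HKEY_CLASSES_ROOT\TypeLib\{EE6F3F6A-AD8E-48DA-9B1D-D5204B2D227D}",
    r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}",
]
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "NDrv"

# Constructed sample export (not taken from a real machine).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Clickspring\Settings]
"Id"="constructed"
[HKEY_CLASSES_ROOT\Context1.Curl.1]
@="constructed"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"NDrv"="C:\\WINNT\\system32\\NDrv.exe"
'''

def parse_reg_export(text):
    """Return {key_path: {value_name: raw_data}} from regedit export text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None:
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
            if m:
                current[m.group(1)] = m.group(2)
    return keys

def find_leftovers(text):
    """List the post's keys (or their subkeys) and Run value still present."""
    # Registry key and value names are case-insensitive, so compare lowered.
    lowered = {k.lower(): v for k, v in parse_reg_export(text).items()}
    hits = [k for k in NDRV_KEYS
            if any(p == k.lower() or p.startswith(k.lower() + "\\") for p in lowered)]
    hits += [f"{RUN_KEY} -> {n}={d}" for n, d in lowered.get(RUN_KEY.lower(), {}).items()
             if n.lower() == RUN_VALUE.lower()]
    return hits
```

Exports headed "Windows Registry Editor Version 5.00" are saved as UTF-16, so read the file with `encoding="utf-16"` before passing its text to `find_leftovers`; an empty list means none of the listed entries remain.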
