Stubborn Spyware Removal Advice?
onedobb asks: "I'm sure all of us are familiar with Lavasoft's Ad-Adware and Spybot Search and Destroy, however there always seems to be that particular piece of spyware, or malware that seems to slip past both of those programs (even with the most recent definition updates, and virus definitions). What program combinations, or websites do you use to uproot that last bit of unwanted software intrusion?"
To rid yourself of ALL spyware: format c:
-Palal
Most of the time if you simply run HijackThis and then search google for any of the suspicious log entries, you'll quickly be directed to a page where someone had a similar log entry, and you'll find out if it's malicious or not.
If Spybot, Adaware, Yahoo Antispyware, Sysinternals tools, add/remove programs, etc.. don't work then back up your files and format/reinstall.
HijackThis
Vundo removal tool
Some Free removal tools and the Bitdefender Live CD
The party of stupid and the party of evil get together and do something both stupid and evil, then call it bipartisan.
I use a combination of both the previous programs mentioned and the AVG anti virus program and haven't had any problems in 2 years. Download link
As they say, prevention is the best cure. Repartition the HD (if you are paranoid about rootkits) and use Linux, or make sure you don't install random stuff if you choose Windows (and stay away from IE).
We use a product called CounterSpy with a trial available here - http://www.sunbelt-software.com/CounterSpy.cfm
We use this at a university on lab computers that are available to the public, as well as desktop machines, laptops, etc. So far, I'll say that we've not encountered anything we know about that it hasn't handled.
2 cents,
Queen B
HDGary secures my bank
Nuke it from high orbit (in other words, low level format). Repartition, reinstall. It's the only 100% solution.
And then, don't screw up your system.
Try Debian, Slackware, RedHat, etc.
OK, there are some serious issues with migrating, but if you get badly enough burned by spyware, you might want to consider it.
If you're looking for a spyware-free experience, use lynx and mutt. Otherwise, you've just got to keep up your guard.
Companies like make ad-hoc tools to remove particularly nasty spyware. When in doubt, googling the name of the spyware can almost always find you a remover utility from a reputable company.
Check out my women's designer clothing store.
Less porn Different OS (Linux, BSD etc).
Per Aspera Ad Astra.
If it's not caught by anything, how do you know it's on your computer?
In Soviet Russia, backwards is everything.
It takes about two hours and since I use a decent software firewall I know my information isn't being transmitted, and other than that I couldn't care less if anyone checks up on my habits. If they know I visit both /. and britneyspears.org, well, I can live with that. By reinstalling every few months, the build-up never happens and my computer is always running briskly.
When I use friends' machines that don't even have NAV yet have superior system specs to mine and the machine chugs along like it's on dial-up on a 486, it's an easy sell the first time you suggest gutting the OS to them. That first time is rough, but if it's part of your routine it can save you much more time and effort in prevention instead of always trying to track down that one elusive bit of shit-ware that exists solely to keep corporate IT departments in business. AudioEfex
Do all your web business with a live CD. You can physically REMOVE the hard drive to ensure that it won't get infected with anything (all you have to do is unplug the IDE cable). Stick anything you want to download/save on a USB drive - you can even format it in FAT/etc. to keep it in Windows' file system. Done with the web and need the hard drive? Disconnect the ethernet cable (or whatever you use), virus-scan the USB storage, reconnect the hard drive, boot back to Windows. If any malware knows its way around this method, I haven't met it yet!
Besides Spybot and Adaware, I use the following programs:
SpywareBlaster - Prevents Spyware from being installed
Microsoft AntiSpyware - Completely free, and has nice active protection. Have a 'special' version of Windows? Use an alternate download source.
With respect to Viruses, please read the following article: Mega Antivirus Test.
Summed up: AVG sucks, Anti-Vir finds the most viruses, Kaspersky 5 finds the most unique stuff, and Kaspersky's online scan owns everything.
Also I'd recommend using a NAT. All of this is prevention/reactive stuff, though I think the Hijack This + Google is the best for nasty stuff, as mentioned.
Create a PXE-based linux system (or live cd) that contains:
fuse
captive-ntfs (to give read-write access to ntfs partitions)
and the following virus scanners:
clamav
bitdefender
avg
f-prot
Mount the fs, and update the above four scanners. First run ClamAV, then BitDefender, then AVG, and F-Prot. The order isn't important.
Boot into Windows and install:
HijackThis! (be very careful, and google anything before removing)
Spybot Search & Destroy
Ad-Aware
Microsoft Antispyware
Bitdefender
AVG
Run all of them in Windows.
Boot into Safe Mode, run them all again.
Boot back into Windows. Re-run HijackThis, Spybot, Adaware, and Microsoft Antispyware. Check to make sure everything works normally.
Boot back into Linux. Re-run all of the scanners. If anything is still detected, google it and learn how to remove it manually.
The downside to the above is it takes time, but it's not difficult and very effective. For the Linux-side stuff it takes like a minute to write a shell script to do it automatically.
I clean systems like that all the time and can get rid of some really nasty stuff. I usually don't spend more than 15 minutes actually working on it.
"It ain't a war against drugs.it's a war against personal freedom" --Bill Hicks
OK now that we've got THAT out of our system...
Use Firefox, install the NoScript plugin, don't run stuff you download from every web site on the planet, and don't run Outlook. I'd suggest using a text-only email client if you can stand it. Oh yeah, and don't run as the administrator, and refuse to use any third party program that claims it needs administrator privs. Also keep your system up to date.
If you're sufficiently paranoid, you should be able to keep even a Windows system reasonably secure.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
Spyware is like a double edged sword for me. I hate the problems it causes in general, but a significant portion of my income results from removing it.
What's really bad is even after warning my customers to be careful about downloading free stuff, and attempting to get them to use Firefox, etc., I am still called back in a couple of weeks for the same problems by the same people.
42
Firefox with session only cookies.
I visit porn sites and various forums. I run as admin on win2k. When I run AdAware and Spybot nothing comes up. I check HiJackThis and don't see anything abnormal there either. I also use AVG and ZoneAlarm. I have occasionally run a rootkit detector with nothing found.
Since installing Firefox I have been clean, not pushing Firefox, but for me it works. Used Firefox since 0.8 and updated regularly.
you can't just "low level format" modern hard drives like you could the old MFM or RLL drives of old. A regular repartition and reformat and reinstall will be fine.
Adaware and Spybot Search and destroy are your best place to start, but I understand your frustration. Probably three out of the last four times I've dealt with a Spyware infested machine they didn't completely do the trick on their own.
Install and run Adaware and Spybot S&D, making sure you update the programs and select to perform deep scans (within archives, etc) in the custom scan options. This will probably catch most of the easiest and most common exploits. Reboot.
Go through your Add/Remove programs menu and try removing any programs you can identify as spyware. If the programs didn't come with an uninstaller, I would have to officially recommend you do not go through any of their steps to download one and run it. I have tried this in the past with mixed results. Some of these programs truly were just severely annoying adware that actually removed themselves at the end of this lengthy process, but some were truly malicious and simply installed MORE spyware after running the uninstaller. I recommend you don't risk this.
Open up the task manager and go through each and every process, researching if need be. I use groups.google.au to get the older version which seems to provide more relevant results. Kill any processes that you find are suspicious. Hell, kill any processes you can't identify as normal Windows OS or application processes. I dealt with an instance of spyware once that executed two randomly named processes that protected the spyware from removal. If you killed one process, the other would immediately respawn it.
Go through all of your startup locations:
C:\WINDOWS\Start Menu\Programs\StartUp
C:\WINDOWS\All Users\Start Menu\Programs\StartUp
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Start --> Run --> msconfig --> Startup tab
Once again, go through each and every item and delete or disable everything that you can identify as malicious. It's likely that when searching you will run across others who have dealt with the same spyware issues in the past and have had to figure out how to remove them.
Run your Adaware and Spybot S&D scans again. Reboot. Test your machine to see if the spyware is still there. Still have problems?
Download and run Hijack This. Pore through your log once more, or alternatively post it to one of the many forums where professionals are willing to lend you a helping hand. At this point, you may also want to consider downloading and running Rootkit Revealer.
Also, try rebooting into safe mode and running your scans. Even though you are in safe mode, you should still monitor and kill processes that are suspicious. Remember, Sony's Rootkit came complete with a safe mode driver.
If all of this hasn't worked, then I suggest you back up your data, scan it for viruses, and do a low level format with a utility such as Killdisk. Now that you have to reinstall your OS, perhaps now is the perfect time to make the Linux switch.
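The startup locations listed above are the same ones several posters in this thread say to walk by hand. As an added example (not code from the thread or from any of the tools named here), this Python script reads a .reg export of the Run keys, produced on the suspect machine with reg.exe, and flags the entries a defender would look at first: programs launching from temp or per-user directories, files that borrow the name of a core Windows binary but live outside system32, and random-looking names. The .reg text embedded in it is constructed for illustration; the heuristics are this example's own, and a flag means "google it before deleting", not "malicious".

```python
"""Audit Windows autostart (Run key) entries exported with reg.exe.

Constructed example: the .reg text below is made up for illustration. On a real
machine export the keys first (admin cmd prompt):
    reg export "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" hklm_run.reg
    reg export "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" hkcu_run.reg
then audit them with:  python audit_run_keys.py hklm_run.reg hkcu_run.reg
"""
import re
import sys

# Directories a legitimate startup program has no business launching from.
WRITABLE_DIR_MARKERS = (
    "\\temp\\", "\\locals~1\\", "\\local settings\\", "\\application data\\",
    "\\temporary internet files\\", "\\recycler\\", "\\system volume information\\",
    "\\documents and settings\\",
)
# Core Windows binaries that only belong in %SystemRoot%\system32; malware
# borrows these names so a casual look at Task Manager raises no eyebrows.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                   "services.exe", "userinit.exe"}

# One .reg value line:  "Name"=<data>   (the name itself may contain \" escapes)
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s):
    # Undo .reg escaping: a backslash escapes the next character (\\ -> \, \" -> ")
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Return (key, value_name, command) for every string value in a .reg export."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = _VALUE_RE.match(line)
        if key is None or not m:
            continue  # header, blank line, default value (@=) or something we don't parse
        data = m.group(2)
        if len(data) < 2 or not (data.startswith('"') and data.endswith('"')):
            continue  # dword:/hex(2): values are not plain command lines
        entries.append((key, _unescape(m.group(1)), _unescape(data[1:-1])))
    return entries


def executable_path(command):
    """Best-effort extraction of the program a Run value launches."""
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted paths may contain spaces, so take everything up to the first .exe
    m = re.match(r"(.+?\.exe)(?=\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else (cmd.split() or [cmd])[0]


def _looks_random(s):
    """Crude check: letters mixed with several digits and few vowels, like xk3jd9sa."""
    s = s.lower()
    if len(s) < 6 or not s.isalnum():
        return False
    digits = sum(c.isdigit() for c in s)
    vowels = sum(c in "aeiou" for c in s)
    return digits >= 2 and vowels <= len(s) // 4


def suspicion_reasons(name, command):
    """Red flags for one autostart entry; an empty list means nothing odd was seen."""
    reasons = []
    path = executable_path(command)
    low = path.lower()
    base = low.rsplit("\\", 1)[-1]
    stem = base.rsplit(".", 1)[0]
    if any(marker in low for marker in WRITABLE_DIR_MARKERS):
        reasons.append("runs from a user-writable/temporary directory")
    if base in SYSTEM_BINARIES and "\\system32\\" not in low:
        reasons.append("uses a Windows system binary name outside system32")
    if _looks_random(stem):
        reasons.append("random-looking file name")
    if _looks_random(name):
        reasons.append("random-looking value name")
    return reasons


def audit(reg_text):
    """Return {key, name, command, reasons} for every flagged entry."""
    findings = []
    for key, name, command in parse_reg_export(reg_text):
        reasons = suspicion_reasons(name, command)
        if reasons:
            findings.append({"key": key, "name": name, "command": command, "reasons": reasons})
    return findings


# Constructed sample export: two legitimate-looking entries per hive, two bad ones.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"SoundMan"="SOUNDMAN.EXE"
"xk3jd9sa"="C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\xk3jd9sa.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"svchost"="C:\\Documents and Settings\\Owner\\Application Data\\svchost.exe"
'''


def main(argv):
    if len(argv) > 1:
        # reg.exe writes UTF-16 with a BOM; the "utf-16" codec handles that.
        text = "".join(open(p, encoding="utf-16").read() for p in argv[1:])
    else:
        text = SAMPLE_REG
    findings = audit(text)
    for f in findings:
        print(f"[{f['key']}] {f['name']} = {f['command']}")
        for reason in f["reasons"]:
            print("    -", reason)
    print(f"{len(findings)} entries worth a closer look (google them before deleting anything)")


if __name__ == "__main__":
    main(sys.argv)
```

Run with no arguments it audits the embedded sample and reports the two planted entries; with one or more .reg files it audits those instead. It deliberately only reports: deleting a value is the operator's call, made after the search step the posters describe.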
I've seen live windows CDs, and I always have the feeling that I should be able to use those to clean off the really nasty stuff. I'm a linux guy, and only deal with this when I'm trying to help someone else out, so I just don't have the windows guruhood to deal with the problem.
I know it's pretty straightforward to boot with a live CD and run something like ad-aware or spybot from it, but then you're scanning the registry that came off of the livecd, and not the infected one. I think there are tricks to do this, but I've never hunkered down and learned them.
Reinstalling really sucks. It takes a long time, and with product keys, and online activation, and machines that don't ship with CDs any more, it's getting dicier all the time. It works, but it's a very blunt tool solution, and it's a big waste of time.
I really hope that vista cuts down on these problems -- I expect that it will, as I don't think people will be running as administrator any more. But I just don't have the time to wipe off someone else's machine every time it gets sick.
Build a Barts PE disc with the following:
Ad-aware
McAfee
Registry Editor PE
Winsockfix
LSPfix
Hijackthis
Begin by going through each users directory in Documents and Settings. Delete the cookies directory, then every directory in the Local Settings except Application Data. Then go to the Windows directory and delete the contents of the following directories: Downloaded Program Files, Prefetch, and Temp. Then finish by going to the root dir and deleting the contents of System Volume Information, and Recycler folders. This will clear out the majority of the places malware hides and code that reactivates any remaining nasties on boot. Also pay very close attention to any DLL and EXE files in the Windows directory. With a few important exceptions, only malware places libraries and executables in the Windows directory. Generally, if you right click the file and choose Properties and it shows detailed copyright info for a legitimate company, the file is safe; if not, change the extension to BAK and remember to change them back if your software has problems.
Then start Regedit PE and load the remote registry files including all user hives. It will launch regedit after they are loaded. Remove all spyware keys in the Software subkeys, and then remove the autorun strings from Run, RunOnce, and RunOnceExec locations. Do NOT close regedit when you're done or it will save the changes. While regedit is still running, run a complete system scan with adaware. When adaware is done, close it then close regedit. Next run McAfee to get trojans and viruses. Before shutting down, it's a good idea to run chkdsk just for good measure.
On reboot, start in safe mode (no network support). Run LSPfix and remove any bad LSP entries (such as newdotnet); most known bad things are automatically put in the right window. If you are unsure about something google it. Be careful or you could destroy your network layer. Then run winsockfix to repair winsock. Then run hijackthis to remove all other unnecessary stuff, but pay attention to path names as to NOT remove good things like antivirus/spyware/firewall entries. Log out (not switch user) and run hijackthis in each users account.
Reboot in safe mode with networking, install, update, and run spybot and adaware. Update any installed antivirus software, and run a final scan. Reboot again, but in normal mode, and run scans again to verify you don't have any persistent malware. If the scans come up clean, your work is done; if not, remove them, reboot, scan again, and if they still come back, cut your losses and restore the machine.
PS: I do this several times a day and have seen about every type of malware out there. Believe it or not, MS antispyware will pick up stuff that adaware, spybot, and webroot leave behind. Even if you don't want to use it, you can't do wrong by installing, updating, scanning, then uninstalling when done. MooSoft's The Cleaner and Bazooka can also help you remove persistent trojans.
Good luck.
I have put myself through quite a bit of college doing freelance computer work for people (and their kids) who have infected themselves with spyware and I can tell you that pr0n is probably the number 1 source of spyware out there. Men simply don't make good decisions about what links to click when they have gone into pr0n mode. Gaming sites are also pretty high on the list as well as file sharing apps. But truly, it comes down to the user. An intelligent user can completely evade spyware if they are cautious. I am living proof of that. God knows, I have surfed enough pr0n to nuke a thousand Windows boxes. However, I amazingly have never infected myself with a single instance of spyware.
At my college's help desk, we use a combination of Mcafee Enterprise, Spybot, Ad-Aware, Zero-spyware 2005, webroot spysweeper, and whatever other tools we have ...
Always a good time to try Linux or one of the other free Unix's.
At what price learning? At what cost wisdom? The price is a man's peace of mind, and the cost is his life.
Actually you should not try to disinfect a system after a virus or malware has successfully penetrated it. It's too much work, and more importantly it will always leave "traces". (This has been mentioned by many replies above).
However it's strange that nobody mentions Microsoft Anti Spyware. I've had much more success in preventing intrusion by using it, and it contains many tools making (HKEY_LOCAL_MACHINE) registry hunt irrelevant. (It contains over 30 checkpoints like IE toolbars, WinSock helpers etc. And also, it contains a complete list of each and every startup program possible).
I know it's from Microsoft and such, and it has its own limitations (like not being available to pirated Windows installations). But being free and efficient, I could recommend it to every Windows user.
Ewido Security Suite has helped me remove some pretty nasty stuff that the others didn't even recognize, but the more eyes scanning your system the better.
Even people that believe in pre-destiny look both ways before crossing the street.
Unfortunately, it does nothing to prevent the problem from reoccuring.
Obviously, putting a real operating system on is advisable.
If, for whatever reason, you can't follow that advice, you can still take less effective steps. If you don't require the newer versions of windows (and many don't) you can use 98lite to install windows 98 or ME (98 is better, obviously) without most of the infection vectors used today.
If you must use XP, you may be able to run as a non-privileged user (although a depressingly high number of applications will refuse to work if you do this, which limits the usefulness of the technique.)
Even if you can't remove IE from your system entirely, you can reduce the risk from it by using a real browser, Firefox or Opera being obvious choices.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Friends don't let friends enable ecmascript.
But then, I:
- do not surf with IE (except for internal Intranet apps for work)
- do not run under an Administrator account for normal usage
- never run P2P apps or unknown apps from my actual Windows install (I use VirtualPC for this)
- run ad-blocking software (Privoxy) and Firefox's ad-blocking extensions (seriously, not for the lack of ads, although that's a plus, but because unscrupulous advertisers will try and download something onto your machine)
- run Norton GoBack so that those rare times that these precautions fail, I just reboot and choose a time I know I wasn't infected and, voilà, no more nastiness
Nice online tool for n00bs to see what flavor of linux they might like.
http://www.zegeniestudios.net/ldc/
No one has mentioned this yet, and it's pulled me out of a few tight spots so I thought I'd share it.
TuneUp Utilities 2006. It isn't free, but it isn't expensive either (and you could probably find a serial or something for it if you looked...) It has some great utilities, like a registry cleaner, a process manager (which will let you see hidden processes), startup manager and secure delete (scrambles the file before deleting it. Claims to use a method developed by the US DoD). It has some other great tools, like system optimisations, but they aren't important here.
Basically, if I have anything that just won't go away, I use the process manager to find out where the file is, and then use the secure delete to remove it. Then I remove anything about it from the startup, and run through a registry clean. When something points to a file that isn't there, it gets scrubbed. So any traces of it, are hopefully gone.
AV software can be handy to help find any files in question, as can anti spyware apps. If AVG or Ad-Aware don't remove it, I go straight to TuneUp. Of course, a good firewall and any browser that isn't IE helps a great deal too.
Trendmicro has scans for virus and spyware and I think they now have the cool website removal tool too. I don't think it uses Active X anymore as a plus.
This Broadband/DSL Reports forum was recently opened for helping people with infected systems. Its FAQ is informative as well.
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
First, make sure you don't get spyware on your system.
That is: Run Firefox, run Linux when you can, and don't be stupid. Download things that you're reasonably sure are good.
Second, make sure you can wipe the drive. If you can't wipe and reinstall from scratch, you're not backing up properly. I actually have a theory about this:
Make an nLite'd Windows install disk, which automates the Windows install.
Avoid customizing things too much, so that you can deal with the rest via next-next-next if you have to. Document anything you do customize.
Make an image of your fully-installed system, all customized to your liking, only with none of your data (the stuff you backup regularly) created/restored.
Back up your data regularly, as in daily.
Every time you need to make a customization that it'd be annoying to do every month, and can't be backed up daily with your data, do a backup, then restore from image, then make the change (and get all updates/patches to your software), re-create the image, and restore your data.
Every month or two, do the above step even if you haven't made any changes.
Effectively, you'll be working off a fresh Windows installation that never gets older than a month or two. You'll have a separate backup of your data and of your programs. As far as I know, malware doesn't usually target data directly, but I'd run ClamAV on the data backup anyway. You can keep multiple versions of the data backup, because if you're like most Windows users, your data is really small compared to your programs.
Whenever anything bad happens to your system, be it a disk crash, a virus, spyware, or even mere obsolescence, you have a full backup, and unless you're actually replacing your computer, you have a lightning-fast restore -- as in, automatic, might take a few hours, but nobody has to be there. If you do upgrade hardware, it's not quite as fast, but your Windows install is fully automatic, and your programs are simple enough, and your customizations documented enough, that it shouldn't be too painful -- you could even hire someone else to do it for you.
On Linux, I have this feature somewhat built-in. Data is easily found -- I just back up /etc, /home, /usr/src/linux/.config, and /var/lib/portage/world. For a Gentoo system with a custom kernel, that's enough to reinstall with close to zero human interaction. And /home is enough to backup ALL my data even if I can't reinstall automatically, because Linux keeps data separate from programs. Windows CAN do this, it just usually doesn't do it well enough to just copy the Windows equivalent of a home directory, and most programs still use the fairly retarded Win9x concept of keeping global config files in the program's install directory, even if it is aware enough to give multiple users their own separate configs.
Don't thank God, thank a doctor!
After I switched to FireFox exclusively for my porn surfing, I haven't been infected via that vector.
"Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
through many years of experience and making a fair living out of other people's ignorance, i've gotten spyware and virus removal down to this process:
i start by hooking up the infested hard drive to a clean system and running initial scans from there: adaware and antivirus.
then i manually delete (from all the machine's user accounts) temp folders, temporary internet files, downloaded program files (the ie's activex cache), restore folders (in xp and me), and then go through program files folder and remove the (believe me, get good at it over time, especially if you do this often) obvious stuff.
a casual scan through windows and windows\system (or windows\system32, depending on windows version) can also yield many files that you can outright delete.
if i see anything suspicious but not ready to delete them, i'll google to see if i can find any further information on it.. and then if i'm still not ready to delete something, i'll zip it up and then delete it.
once those are done, i copy over my collection of antivirus and spyware utilities and definitions. (the usual ones.. but most times, all i need is adaware, spybot s&d, hijack this and reglite).
once the drive is back in the host system.. it's off to safe mode, where i run every scan from every configured user. and i show no mercy in anything detected -- it all goes. i'll also uninstall any questionable programs and clean up the add/remove programs entries (of things that were manually removed).
when those scans are done and realtime protection is enabled (usually through spybot's ie plugin and teatimer, and spywareblaster's been installed and enabled).. then i will boot up normally. 9 times out of 10, i'm done at this point. but i will browse a bit with ie and then run through the scans once more just to make sure. and again, i check all configured user accounts. somewhere along the line any applicable updates for windows and their installed antivirus will get installed.
i then install firefox :) with adblock plus and the filterset.g updater. and demonstrate to the user (via a virtual machine on my test system) the difference between ie and firefox when browsing to a page that's loaded with spyware installers, and another that's got tons of ads on it. that demo is more than enough to get the user to switch to firefox. :) and finally, i give them a list of programs and their web site addresses so they can look up more information on their own (or purchase, in the case of adaware or spywareblaster's update service, etc)
only rarely do i resort to a format and reinstallation of the operating system.. and i can usually tell right away if that's the easier and faster way to go.
besides google searches, http://www.spywarewarrior.com/ is my 1st source for info and links. of particular note is their listing of 'rogue' spyware applications.
http://www.sysinternals.com/Utilities/Autoruns.html and http://www.sysinternals.com/Utilities/ProcessExplorer.html are the greatest tools to fight adware/spyware/viruses/worms. Scans that may or may not find it cannot be trusted.
Process Explorer and Autoruns from Sysinternals.
PE: identify, investigate, and kill processes you don't know to be safe. Turn on the Image Path column, use the built-in google and strings searches. Worst outcome from over-aggression here is the system crashes. Restart and try again.
Mercilessly delete the directories that hosted the spyware, if you can, or just the apparently related files if you can't delete the directory.
Oops, some of those files were in use. Figure out what's using them (PE's dll/handle search), kill it, then try the deletion again. And again, and again. Why do those files keep coming back? ;-)
* EXPERT LEVEL TRICK: NTFS Permissions. Apply as appropriate and repeat above as needed.
* WEENIE LEVEL TRICK: WinZip anything you're unsure about deleting into an archive with full path info.
Got 'em all? Use Autoruns to clean up the startup triggers.
When I got back into day-to-day admin work a couple years ago, it would take me a couple of hours to work through this, starting with AdAware and Spybot S&D, doing full scans, rebooting when prompted, etc. Now, using just those two utils, I can get a system to be functionally spyware-free in about half an hour. I use AdAware and Spybot only to clean up the non-functional traces, after the utility approach has successfully stopped the live malware.
I use Opera and run ZoneAlarm Pro firewall, I do not run active virus protection (except if i download from p2p/bt, I scan the files) and I run sp1, and I've been getting by alright.
"Banking establishments are more dangerous than standing armies." -Thomas Jefferson
First, there is almost never a need to format your drive. Nor is there a need, despite what the zealots say, for you to move to a non-Windows OS. Here's how to avoid malware:
1. Keep your system up-to-date with the latest MS patches on a daily basis.
2. Either use XP's built-in firewall or something like ZoneAlarm if you're not using XP.
3. If you have the cash, buy a router and put it between your system and your net connection.
4. Don't log on using an account with Administrator access unless you absolutely have to.
5. Don't read your mail using MS Outlook.
6. Don't run suspicious executable files or open suspicious attachments. Don't install shady applications or porn dialers that come bundled with malware.
If you happen to get hit by something, here's what to do:
1. Install LavaSoft Ad-Aware, MS Anti-Spyware, Ewido and Hijack This!. Ewido isn't free, but comes with a free trial period last I checked. I didn't include Spybot Search and Destroy because it's mangled my system on multiple occasions.
2. Boot into safe mode.
3. Run a full scan with Ad-Aware, MS Anti-Spyware and Ewido. When that's done, fire up Hijack This! and look for anything fishy. Browser helper objects (BHOs) should be considered suspicious unless they're something easily recognizable (Acrobat Reader, Google Toolbar, etc.)
4. If those three (Ad-Aware, MS Anti-Spyware, Ewido) didn't catch what you have, consider taking a "more the merrier" approach and installing additional spyware removal tools. I've heard good things about Spyware Doctor, but it's not free.
When fighting the kind of malware that installs itself to dozens of executables and dlls, to revive itself later, you can usually isolate most of that crap by searching by creation date, first making sure that explorer shows hidden and system files, and that the search doesn't exclude them.
You may need to disable system restore to remove some malware, or else Windows will automatically reinfect itself when it sees the files are missing. Reenable it before installing any new/updated drivers, as that seems to be when I need it most often.
Just in case, before you delete a bunch of stuff and reboot, check HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit to ensure that it's not pointing to the malware, but to userinit.exe, wherever that is. Messing with userinit can render a system so that you can't log in, even in safe mode. XP SP2 might have fixed this, as I've seen some newer systems survive a broken userinit, or completely ignore it.
Also, empty out your host file (usually c:\windows\system32\drivers\etc\hosts on XP) to prevent browser hijacks.
If you suspect a rootkit, try a detector like rootkitrevealer. It won't remove it, but it might find it. Last resort: take your hard disk and slave it on another system, and remove the infected files.
Stinger is a good standalone virus scanner, and a small download
For future reference: Stop using IE and Outlook Express. Stop downloading free screensavers and other freebies, unless you get them directly from the author's website, and you trust them completely. I've seen places take my own shareware screensavers, bundle them with spyware, and redistribute them without permission or any regard for legality or morality.
http://asap.maddoktor2.com/
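The two sanity checks in the post above (the Winlogon Userinit value and the hosts file) are easy to get wrong by eye, so here is an added example that checks both; it is not code from the post or from any tool in this thread. On Windows it reads the real hosts file at the XP path the poster gives and the real Userinit value through winreg; anywhere else it runs against constructed sample data embedded below. The 203.0.113.x address and the redirected and blocked host names in the sample are made up. A hosts entry that sends a well-known site to a non-local address is reported as a redirect, an entry that pins any other name to loopback is reported as a block, and Userinit is expected to contain userinit.exe and nothing else.

```python
"""Check two classic hijack points after a cleanup: the hosts file and Winlogon\\Userinit.

Constructed example. Real data is read only on Windows; elsewhere the sample below is used.
"""
import ipaddress
import os
import sys

HOSTS_PATH = r"C:\WINDOWS\system32\drivers\etc\hosts"          # XP location (from the post)
WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
LOCAL_NAMES = {"localhost", "localhost.localdomain"}

# Constructed sample hosts file: valid loopback lines, two redirects, one vendor block.
SAMPLE_HOSTS = """# constructed sample, not a real capture
127.0.0.1       localhost
::1             localhost
# the next lines are the kind of thing a browser hijacker drops in
203.0.113.5     www.google.com
203.0.113.5     search.yahoo.com
127.0.0.1       www.lavasoft.com
"""
# Constructed sample Userinit value; the trailing comma is how XP stores it.
SAMPLE_USERINIT = r"C:\WINDOWS\system32\userinit.exe,"


def parse_hosts(text):
    """Return (line_number, address, [names]) for every non-comment hosts line."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        entries.append((lineno, parts[0], parts[1:]))
    return entries


def is_local(addr):
    """True for loopback (127.x, ::1) and the 0.0.0.0 blackhole address."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def check_hosts(text):
    """Return (line_number, kind, address, names) for every line that is not plain localhost.

    kind is "redirect" (name sent to a remote address), "block" (name pinned to a
    local address, e.g. to stop an anti-spyware vendor's site loading) or "malformed".
    """
    findings = []
    for lineno, addr, names in parse_hosts(text):
        if not names or not is_local(addr) and not _is_ip(addr):
            findings.append((lineno, "malformed", addr, names))
        elif is_local(addr) and all(n.lower() in LOCAL_NAMES for n in names):
            continue                                  # the only lines a clean XP box needs
        else:
            findings.append((lineno, "block" if is_local(addr) else "redirect", addr, names))
    return findings


def _is_ip(addr):
    try:
        ipaddress.ip_address(addr)
        return True
    except ValueError:
        return False


def check_userinit(value):
    """Problems with a Winlogon\\Userinit value; an empty list means it looks normal."""
    entries = [e.strip().strip('"') for e in value.split(",") if e.strip()]
    if not entries:
        return ["Userinit is empty; nobody could log on"]
    problems = [f"extra logon program: {e}" for e in entries
                if e.rsplit("\\", 1)[-1].lower() != "userinit.exe"]
    if len(problems) == len(entries):
        problems.append("userinit.exe itself is missing from the value")
    return problems


def read_userinit_from_registry():
    import winreg                                     # Windows only
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        return winreg.QueryValueEx(key, "Userinit")[0]


def main():
    if sys.platform == "win32" and os.path.exists(HOSTS_PATH):
        hosts_text = open(HOSTS_PATH, encoding="ascii", errors="replace").read()
        userinit = read_userinit_from_registry()
    else:
        hosts_text, userinit = SAMPLE_HOSTS, SAMPLE_USERINIT
    for lineno, kind, addr, names in check_hosts(hosts_text):
        print(f"hosts line {lineno}: {kind:9s} {addr} -> {' '.join(names)}")
    for problem in check_userinit(userinit) or ["Userinit looks normal"]:
        print("Userinit:", problem)


if __name__ == "__main__":
    main()
```

Fixing a bad Userinit is done by restoring the path to the real userinit.exe before rebooting, exactly as the post warns; the script only reports, since a wrong write to that value locks everyone out.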
Worth a mention:
* Ultimate Windows Boot CD which I also find very useful when someone comes to me with a computer they have completely messed up - you have to create your own but it's a very streamlined experience. http://www.ubcd4win.com/
* PrevxR which is a "permanent beta" version of their commercial offering. It can be configured the different settings range from Individual (suitable for Grandma) to Enterprise (very hardcore). http://free.prevx.com/
* KillBox - basically a utility you can configure to delete certain files on bootup. I use this in conjunction with HijackThis, which was already mentioned above. http://www.bleepingcomputer.com/
I got Back Web with my Logitech mouse software. Screw them!
Some say he is made with ascii, others that he is eyeballed daily by millions. All we know is, he is known as the Sig
I only know of one problem. You really have to learn by removing a bunch of this crap yourself - new junk hides itself in new ways.
My five-step process:
1) Reboot in safe mode
2) Delete anything in C:\WINDOWS and C:\WINDOWS\SYSTEM32 (or whatever directories of choice) that has a hidden attribute and appeared since "problems began" (usually a month or so).
3) Wipe all temp directories. (that's C:\Documents and settings\username\local settings\temp and \temporary internet files, and maybe others I've forgotten).
4) Use regedit to remove strange Run, RunOnce, etc. entries. If in doubt, google, then destroy. Your user can always reinstall.
5) Reboot into normal Windows, then run a good antivirus and a good adware remover. BEFORE reconnecting to the network. (This may require having virus defs on a USB key).
The anti-spyware tools seem to get ~80% of what's out there. This gets 95%. Upgrade to the GP's PE environment instead of safe mode and you're probably at 99%. Anything else, transfer files off and reformat, because it's probably a rootkit. With practice, I got the above procedure down to half an hour during "new computer" season.
A witty [sig] proves nothing. --Voltaire
Take off and nuke the entire site from orbit. It's the only way to be sure.
Written by Mark Russinovich, the guy who blew the lid on the Sony rootkit debacle (and author of other indispensable free Windows utils like Process Explorer, Filemon, Regmon and many, many others)
His site is http://www.sysinternals.com and autoruns can be downloaded from here.
Autoruns shows EVERYTHING that is started on your PC at boot & logon etc, including device drivers, services... everything. It can even filter out binaries signed by Microsoft, to make third party stuff stand out like dogs' balls.
Use Process Explorer to find and kill the spyware processes - you may have to google processes to identify them, but that function is built in. Here is a tip - look for anything that doesn't have a company name of "Microsoft".
Some really stubborn spyware has more than one process running, watching each other and restarting each other if you kill them. Use PSKill (command-line process killer) to kill multiple processes at once, so they can't restart.
Once you have cleaned out the running junk, use autoruns to identify where it started from and kill it.
It's never failed for me, and you learn a whole lot about the internals of Windows in the process.
Likewise, I use the same software as yourself, but you forgot to mention the weakest link in the chain, IE :)
AVG, S&D, Adaware (although less so now, S&D seems good enough) and Firefox!
Malware free for 2 years
... Linux.
A particularly stubborn piece of malware was the reason I finally took the plunge and switched to Linux (Mandriva) at home. Plus, as a bonus, suddenly my computer was interesting again.
Sean Ellis
Follow OfQuack's antics on Twitter.
You can use Process Explorer to kill multiple processes, just select each process you want to kill by holding down the control key and then 'kill process' as normal. Also, if the second process is a child of the first, select the first and use 'kill process tree'.
If that last bit of spyware is from those cheeky fellows at the NSA, buy a new computer, anonymously with cash, in another city, whilst in disguise, and never ever place any of your existing storage media in it.
Chaos - everything, everywhere, everywhen
First off you need to know that I have recognized that an attack from the United States Government onto one's PC will leave rootkits that no anti-spyware company will know about. Consequently, the higher the stakes, the higher the paranoia. XXClone Freeware has the cure for the paranoia by eliminating the fear of the unknown. It does this remarkably well by eliminating the unknown. The trick for me now, when building small 120-200Gb systems for friends, is to have a batch file swap two boot.ini files on partition 1, which is a 5Gb clean install called RestoreDoNotUse. The second and third partitions, called say, System1 and System2, are both set larger, around say 13GB. The XXClone Freeware Full Backup alternates to the other quickly formatted partition 2 or 3. After the backup, the system restarts onto the freshly backed up partition. XXClone does not image partitions but copies each file that it sees, leaving rootkits behind. Here's the full story behind my discovery. http://ingridx.dyndns.org/Privacy_Statement.html
Argumentum ad Probabilitum
Of course if you want to be 100% sure a format would work. DO NOT RUN A LOW LEVEL FORMAT! I've seen it recommended; it's just wrong... Low-level formatting creates the tracks and sectors on a blank hard drive. The drives you buy today are low-level formatted at the factory. Low-level formatting these hard drives yourself is not recommended.
;)
But not everyone can or wants to go through the trouble of formatting, so what can we do next?
My standard way to get spyware of a box:
Run CrapCleaner; this will remove a lot of useless files. Just make sure you only select the sections you want deleted. Don't use the reg clean unless you know what you're doing.
Next up would be running the standard anti-virus programs. I personally use HitmanPro; the site is Dutch but the program is English. It includes most trusted anti-spyware products, runs them all in a row, automatically removes anything and makes up an HTML page of what it did.
Still not gone?
- If you know the name of the spyware it might be worth googling; chances are you find a special removal tool.
- In my case I can spot bad programs and spyware as a process with the use of HijackThis and Sysinternals Process Explorer. But be sure to google all the processes you don't trust before deleting them. This way of deleting is not recommended for your average computer user (then again you post on Slashdot so you're probably fine..)
- Sometimes it's required to boot into safe mode to remove some files
OK, now that you're cleaned, you don't want this sort of thing to happen again. There are a few common practices:
- Don't be a YES man: don't just click YES and NEXT on every box that pops up; also instruct any family members to do the same.
- Run as a normal user instead of administrator
- Make sure Windows is up to date
- Some browsers such as Firefox make it easier to avoid spyware, though this requires some plugins. Recommended are Adblock + G-Blocklist
Useful links:
google: http://justfuckinggoogleit.com/
crapcleaner: http://ccleaner.com/
hitmanPro: http://hitmanpro.nl/
HijackThis: http://www.spywareinfo.com/~merijn/
Process explorer: http://www.sysinternals.com/Utilities/ProcessExpl
Firefox browser: http://www.mozilla.com/firefox/
adblock: https://addons.mozilla.org/extensions/moreinfo.ph
gblock list for adblock: https://addons.mozilla.org/extensions/moreinfo.ph
hope it helps...
A Dutch guy made an "all-in-one" solution http://www.hitmanpro.nl/ for spyware. It's basically a script downloading, installing and executing AdAware, SpySweeper and other stuff. It works well to protect computers of the uninitiated, the click-happy and the careless (names referring to parents and other relatives:))
We use Drive Image. If a tech is on a spyware call for over an hour this option moves towards the top of the list. Users are trained to keep their data on the server and aren't supposed to have any personal data on the computers. I know some break this rule and consider the computer 'theirs' as opposed to the company's, but that's not our problem. Fact is, most users that have machines hammered with spyware are always the ones who surf the 'net all day and aren't doing any real work. I don't have a lot of sympathy for them. Anyway, since we started to use Firefox as our standard browser, spyware calls have gone WAY down.
It's a good suggestion. The most common infection vector these days is via IE exploits and iffy websites. Blocking these in your hosts file means you won't inadvertently visit these sites in the first place, with the benefit of adblocking from these addresses too. It's another layer of protection.
...and can format from there.
...you can spend weeks trying to clean a spyware infection, while backing up data and reinstalling can be done in a few hours (most of which you are just waiting around and can do something else anyway.)
Whether this is a good call mostly depends on how much different software you use and how customised you have it. But arguably most people who use lots of highly-customised software are computer-savvy enough to avoid a spyware infection in the first place.
If you are looking at an office worker's computer that is just running, say, Office and a web browser, format and reinstall is often substantially easier than attempting a manual clean (if the automated cleans fail.)
Oh, and by the way - people who get spyware infections aren't stupid; computer sysadmin work just isn't their specific domain. They have better things to be doing (such as their actual work.) I know there are plenty of things I don't know about.
Even though it is not free, I would suggest trying Spy Sweeper from Webroot. I have had very good luck cleaning up friends' horribly infested Windows machines with this program and avoiding having to reinstall the OS. An added bonus is that apart from getting rid of uninvited guests it will monitor your registry and prevent subsequent infections. Just my 2c.
If you don't want to (or cannot) reinstall the OS and software, then what I usually do is
1. Use Ad-Aware, Spybot S&D and Antivirus first
2. Use Add-Remove programs
3. Check the task list of processes (obviously no help if your system has been rootkit-ed) and run the list of processes you don't know into google.
4. Reboot the system into safe-mode and rename / move all the offending processes' files.
5. Reboot and run Ad-aware, Spybot S&D and Antivirus again
6. Check the process list again
7. Providing nothing is broken, you can safely delete the offending files and associated registry entries.
If you suspect a rootkit, then a liveCD is your best option without reinstalling the OS.
If you can safely and easily format / re-install then that is your best option.
It is worth noting that some of the posters on /. are very security-centric, and as always there is a trade-off between Security, Functionality, and Available time to clean up / secure your system.
Obviously tracking cookies are very likely to turn up on a regular basis - you just need to try and keep them at bay if you want to use cookies.
I've managed to get all spyware out with spybot on any computer I've tried. The trick is to not only let it scan, but to use the advanced features (process list, startup list, etc.).
If you know what should be on a system and what not, you can use spybot to remove it.
I also install Firefox on every infected computer, so spyware that is triggered by starting up IE isn't activated when googling stuff.
Everyone else here seems to be saying "reformat the computer," and I'd have to second that nomination. (Third? Fourth? Fifth?) I remember that I had to do that once with our family's only Windows XP machine – the rest are all Linux boxes, with maybe one or two 98SE installs – not just because of the spyware and stuff loaded up, but also just because of that stupid junk Dell pre-installs. There's a good reason I'm a Linux guy!
;-)
Of course, now no one at my place worries much about spyware or viruses anyway, because that was over a year ago, and I've converted everyone to Linux by now!
Oh, by the way, CLICK HERE TO LEARN MORE ABOUT RE-FORMATTING A COMPUTER! COMES WITH FREE SCREENSAVER AND RINGTONE!
Creative misinterpretation is your friend.
First, if you're on Windows NT/XP etc the obvious solution is Microsoft AntiSpyware for removal; however, I have a better solution. If you like it, use IE for your normal browsing. BUT: if you see a link to a questionable site, open it in Firefox or Opera. If you follow those simple rules, and don't install anything stupid, you're good to go! I just reinstalled my formerly out of date AntiSpyware, and ran it. I hadn't run an Anti-malware program since August 14th. NO ANYTHING! Not a single reference could be found to ANYTHING on my computer! No iffy cookies, no nothing! I use IE6 and 'Fox 1.5, and am unashamed to admit that I do indeed visit porn websites. Microsoft is not an evil company doing everything they can to let spyware get to your computer, and if more Slashdotters would spend half the amount of time bitching about "Micro$oft" by teaching their mother-in-law how to use her computer properly, we wouldn't have these problems!
...and some spyware is simply a ridiculous pain to remove.
This method works for 95% of infections though:
1) Reboot into safe mode (WITHOUT Networking)
2) Run Sysinternals Process Explorer from a USB drive or a CD-ROM.
3) Terminate any memory resident processes that are not signed Microsoft entries.
3b) If any of these will not terminate, read below. This requires creativity.
4) Run Sysinternals Autoruns and disable startup entries for anything that's not necessary. In particular look at the Winlogon DLL entries; several very malicious spyware applications wedge themselves in there. Refresh at least twice after removing, as memory-resident malware can cause things to hang around.
5) Run HijackThis and remove any unnecessary BHO items, HOSTS file redirects, security zone exploits, or other malware hooks. Refresh at least twice after removing; memory-resident malware can stick around after removal.
6) Reboot into normal mode and run the "Add/Remove" wizards for all installed spyware. "You're crazy!" you say? Well, yeah. But SSK3 and several others actually will dutifully remove themselves on their own, without the need for a painful file hunt. Some, of course, may install new malware but steps 1-5 don't take long. Just get it off the list at least!
7) Run AdAware, SpyBot, and the trial version of SpySweeper to verify completion. The new version of SpySweeper has rootkit detection, which is normally disabled for scans! Enable it before scanning.
There ya go! Clean system. Works in 95% of the machines I clean, which can reach well into the 100's a week sometimes.
NOTE: If malware is still resident in safe mode... Research it online. Most auto-reinstallers like SpyAxe, CoolWebSearch, Aurora (nail.exe), and many others have simplified removal tools made by the community at large that are easy and quick to run. The latest version of SpySweeper (4.5) has many of these kinds of fixes incorporated though, but some malware attacks removal products directly as well.
Good luck with your fixes! Having a CD burnt with all relevant tools can be a huge lifesaver. A USB drive with Portable FireFox can be an even bigger life saver when you have to research something like an autoreinstaller, too.
Kalie Ma
0. Prevention. Don't get spyware in the first place. Do the first item on the following list that you can (in order of decreasing safety): Install Linux, Use Firefox, Use Anti-spyware inoculation/antiviruses, Use Safe Browsing Procedures.
1. Know your enemy. If you can identify what it is, then you can handle it.
2. Google for it. You aren't likely to be the first to have a problem.
3. Use a tool. Common spyware tend to have specialised uninstallers/removers available.
4. Use manual removal instructions, if all else fails. Reboot to safe mode for these.
5. If that doesn't work, format your hard drive, and go to step 0.
Here is a live CD that configures without user intervention and has a GUI install process that takes less than half an hour without a single reboot. It contains Macromedia Flash and other commercial stuff which might be considered spyware, but you will never have to do the eight-tool search and destroy topped off by the M$ upgrade train coup de grace. In their favor, they manage to configure these tools well so that you can turn them off. You also get cool stuff like OpenOffice 2.
Debian proper is not that much more difficult. When used in combination with auto configuring live CDs, even a novice can figure things out.
Red Hat, Fedora and all derivatives are similarly easy.
Friends don't help friends install M$ junk.
I'll probably get mauled here for saying this, but I've found Microsoft Anti-Spyware to be more effective than either Ad-Aware or Search and Destroy - and the UI is about a hundred times better as well.
Random rants about technology: http://technorants.blogspot.com
What program combinations, or websites do you use to uproot that last bit of unwanted software intrusion?"
http://www.ubuntu.org
'Nuff said.
Besides Ad-Aware and Spybot (which are a very good start), you should also use Rootkit Revealer by the guys at Sysinternals. This tool will compare Windows API results with actual disk contents to reveal programs hidden by rootkits.
I have had multiple machines recently that have been almost inoperable but were, according to Ad-Aware and Spybot, free of spyware/adware. After running Rootkit Revealer, however, I came to find a hidden directory and process that was running and keeping a log of browsing habits. After removing it from Safe Mode, the computer ran fine.
Hope this helps, Patrickpat o.
... should appear the day after I finally got my system cleaned from one. I had spent the last three days battling spyware, and popups and was ready to give in the towel.
I had run Adaware, Spy Sweeper, Spybot S&D, AVG Free, Kaspersky, Killbox, and HijackThis; still none fully cleaned it. It got rid of all the other junk, and I had blocked my computer's IP to keep it isolated on my network so newer adware wouldn't get installed.
I still had an odd entry in Add/Remove programs ( Network Monitor ). I had installed no network monitor, and upon removal it would complain about not finding the uninstall, C:\Netmon\uninstall_nmon.vbs. I decided to run a search on this and found it was a variant of L2M ( Look2Me or VX2 ), yet all the anti-spyware programs proclaimed my system clean, yet popups still came.
I ran across this thread, which helped me to clean it out. It led me to this post, which finally helped me clean it. I had this entry in my registry under HijackThis: O20 - Winlogon Notify: - C:\WINDOWS\system32\.dll
Seems it was hooking into Winlogon and upon shutdown it was setting itself up to restart on boot. The fix suggested in the second link I posted was the charm, fixed it no issues first time and 12 hours later no popups and normal processes running.
I am Bennett Haselton! I am Bennett Haselton!
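Several posts above (the five-step process, the Autoruns/Process Explorer advice, Kalie Ma's Winlogon DLL step, and the Winlogon Notify entry that hid Look2Me) all come down to the same check: what is registered to start at boot/logon, and is that binary Microsoft-signed? Here is that audit as an added PowerShell example, not code from any poster or from Sysinternals; it is read-only and reports rather than deletes, and the registry locations are the standard Run, RunOnce and Winlogon keys.

```powershell
# Added example: list Run/RunOnce and Winlogon autostart entries and flag
# anything whose image is missing, unsigned, or signed by someone other than
# Microsoft. Run from an elevated prompt on the suspect machine. Read-only.

$hives   = @('HKLM', 'HKCU')
$runKeys = @('SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
             'SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce')
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$psMeta   = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Resolve-ImagePath {
    # Pull the executable (or rundll32 DLL) out of a registry command line such as
    #   "C:\Program Files\foo\bar.exe" -silent   or   rundll32 C:\x.dll,Entry
    param([string]$CommandLine)
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $null }
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd -match '^"?rundll32(\.exe)?"?\s+"?([^",]+)') { $path = $Matches[2] }
    elseif ($cmd -match '^"([^"]+)"')                       { $path = $Matches[1] }
    else                                                     { $path = ($cmd -split '\s+')[0] }
    $path = $path.TrimEnd(',')
    # Bare names like "explorer.exe" or "userinit.exe" live under %SystemRoot%
    if (-not (Test-Path -LiteralPath $path)) {
        foreach ($dir in $env:SystemRoot, (Join-Path $env:SystemRoot 'System32')) {
            $candidate = Join-Path $dir $path
            if (Test-Path -LiteralPath $candidate) { $path = $candidate; break }
        }
    }
    return $path
}

function Get-SignerVerdict {
    # 'Microsoft' for a valid Microsoft Authenticode signature; otherwise why not.
    param([string]$Path)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return 'MISSING FILE' }
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.Status -ne 'Valid') { return "UNSIGNED/$($sig.Status)" }
    $subject = $sig.SignerCertificate.Subject
    if ($subject -match 'O=Microsoft Corporation') { return 'Microsoft' }
    return "Third-party: $subject"
}

function New-Finding {
    param($Location, $Name, $Image)
    [pscustomobject]@{ Location = $Location; Name = $Name; Image = $Image
                       Verdict  = Get-SignerVerdict $Image }
}

$findings = @()

# 1. Run / RunOnce for the machine and the current user
foreach ($hive in $hives) {
    foreach ($key in $runKeys) {
        $regPath = "${hive}:\$key"
        if (-not (Test-Path $regPath)) { continue }
        $props = Get-ItemProperty -Path $regPath
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -in $psMeta) { continue }          # provider metadata, not a value
            $findings += New-Finding $regPath $p.Name (Resolve-ImagePath $p.Value)
        }
    }
}

# 2. Winlogon Userinit / Shell: comma-separated lists, each item is launched at logon
foreach ($v in 'Userinit', 'Shell') {
    $val = (Get-ItemProperty -Path $winlogon -Name $v -ErrorAction SilentlyContinue).$v
    foreach ($part in ($val -split ',' | Where-Object { $_.Trim() })) {
        $findings += New-Finding "$winlogon\$v" $v (Resolve-ImagePath $part)
    }
}

# 3. Winlogon\Notify subkeys (XP-era): each names a DLL loaded into winlogon.exe,
#    which is where the O20 entry in the post above lived.
$notify = Join-Path $winlogon 'Notify'
if (Test-Path $notify) {
    foreach ($sub in Get-ChildItem $notify) {
        $dll = (Get-ItemProperty -LiteralPath $sub.PSPath).DLLName
        $findings += New-Finding ($sub.PSPath -replace '^.*::') $sub.PSChildName (Resolve-ImagePath $dll)
    }
}

# Report only what is not cleanly Microsoft-signed; everything else is noise.
$findings | Where-Object { $_.Verdict -ne 'Microsoft' } |
    Sort-Object Location, Name |
    Format-Table -AutoSize -Wrap Location, Name, Image, Verdict
```

A third-party row is not proof of malware (legitimate software signs with its own certificate), but an entry with a missing file, an unsigned image in a temp or system directory, or a DLL under Winlogon\Notify is exactly what the posts above say to research before removing.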
The products ARE real. It's the security that isn't.
Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
All the people babbling about using Windows correctly or switching to linux are completely off topic. The original poster has a perfectly reasonable question. If the linux advocates want to drive out to Bumblefuck, WI, and teach the ladies at a credit union (or any of our other 100+ diverse small business customers) how to use Debian, and then try to get their banking software to run on it, then they're way more patient than me. However, sticking with Windows does commit one to dealing with occasional nasty spyware infections. The debate between OSes is a contentious and interesting one, but the reality is that there's a lot of users out there who are stuck on Windows and professional nerds out there are, at times, called upon to fix them.
On the rare occasion that I do get something, CTRL-ALT-DEL seems to be the most useful tool for removal.
There have been a few exceptions though:
1) Did fresh install of Windows XP SP1. SP2 is a big download, so I got bored and started looking for porn. Got something so nasty I had to format again.
2) Downloaded what claimed to be a crack for a game onto my work computer. AntiVirus didn't catch it. Took about 2 hours to clean it up using HijackThis and some googling.
Why does McAfee categorize Virtumondo as a Potentially Unwanted Program? wtf? Who would want a difficult to remove program that degrades your system performance and annoys the crap out of you with popups, hijacks your browsing, and screws around with your registry?
There are different requirements for enterprise use than for personal use. I will try to help out a bit for those in the corporate world. For example, SpyBot and Ad-Aware are only free for personal use. Because of this, IT shops are not supposed to use this without buying a license. So what should an underfunded IT department use?
;)
Anti-Virus: Yeah, it's usually not great for catching spyware, but the latest versions of all vendors should at least slow down some of it. In our organization, we have several different versions of Norton Anti-Virus, from 7.x to 10.0. So if one PC has lots of problems with spyware, putting version 10.0 on there helps fight it automatically.
Microsoft Anti-Spyware: This is a pretty good tool for unmanaged environments. It is better than Ad-Aware or SpyBot, from my experience. I am not sure of the licensing, however, since we don't use it here.
Autoruns and Process Explorer: These are fantastic products that you can use at work for free, as long as you always download it from www.sysinternals.com when you put them on a PC. Autoruns will give way too much information about what starts up and what has hooks into the OS. To the average user, this can be overwhelming and even dangerous, so make sure you know what you're doing when you remove something. Process Explorer is a great tool for seeing what is running. It is miles better than Task Manager that ships with Windows. It shows you what hooks into what processes and will even allow you to pause a running application!
StartupList and HijackThis: These two programs will help you figure out what kind of nasty stuff you might have running. I am not aware of the licensing issues with these, as I usually use Autoruns instead.
APT, APM, and TaskMan+: These three tools are process explorer type utilities. However, with APT and APM, you can unload a certain DLL file. This is very useful if you have a dll that you can't delete and that keeps regenerating all of the other junk you just removed. Simply unload the DLL from anything it is hooked into and then you can delete everything. TaskMan+ lets you kill almost any process, including services. Best of all, these products are licensed without restriction.
I hope these help. Sorry I can't write more but I'm at work fighting off the bad stuff myself.
I'm a residential in home computer tech, so I deal with a lot of spyware. The one product I've found that solves and prevents more problems is Webroot Spy Sweeper. It beats adaware and spybot on almost every system I've had to clean. It costs $30 but the auto-update and auto-sweep (scan) features make it worth the investment. Solves that whole out of sight, out of mind problem that spybot has.
Luckily, I haven't had to fight too much malware, but I did have a couple-hour bout after letting the kid on the computer once. A few months ago, he did quite a number on the machine. Spybot and AdAware did most of the work but one little bugger was really stubborn. He would run with a different (i.e., un-google-able) name all the time, and if you killed the process, it'd respawn. Try to delete his reg key, and he would re-insert himself. You couldn't possibly work fast enough to kill the process and remove the reg key before he respawned. I finally remembered to press "F8" while booting Windows and come up in safe mode. Bam, no unneeded processes were launched, I was easily able to remove the key and the app, and after teaching the wife how to lock the computer, all was fine.
Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
...which stands for Buy A Mac
...or install Linux or xBSD on your PC.
--
If it doesn't work on Linux... then it isn't worth my time...
Nobody has mentioned SpywareBlaster. On my Windows machines, I run a combination of programs. I run AVG Anti-Virus for general viruses, I also run SpywareBlaster, Spybot S&D, and Ad-Aware for all of the spyware/adware etc. stuff. If there is still something going on, I'd dive into the Spybot S&D Windows startup options, and if that doesn't reveal anything, I'd head over and grab HijackThis.
YOU'RE WINNER !
Another lame blog
for that problem, then anti-virus/spyware companies would be out of business. Every time you fix it, there is another way to break it. So change your paradigm. Use a more secure OS.
Better yet - secure your base OS fully and then run your applications in a VM. All my download activities are in a Virtual PC session that does all that is mentioned around here. Nothing is ever loaded in the base OS.
1. Switch to a non-IE browser. Permanently. Install the IEView and IEtab extensions, Adblock Plus and the G.Filterset updater.
2. Use a service like meebo.com or aimexpress.com if you really feel you must IM someone. Uninstall local IM shit. I tell people to remove P2P software as well, because most people are idiots who can't tell the difference between "Britney Spears Naked.AVI" and "Britney Spears Naked.AVI.vbs", and why downloading either would be a bad idea.
3. Use the Windows XP SP2 firewall (many of my students have a hard time configuring anything else, which leads to more problems)
4. Install Mike's Ad Blocking Hosts file (blocks ads from some sites that install drive-by shit in IE)
5. Install and Update (monthly) SpywareBlaster.
6. Install and Update (weekly) Adaware and Spybot
7. Go in to Safe Mode to Run Scans (tap the F8 key to bring up the boot menu during startup, if you aren't a Windows person). I suggest running scans weekly until one is sure the problem is under control. Parents with kids might as well just stay in safe mode forever.
8. Back to normal mode. Spybot and Adaware will both probably require a second, startup scan to kill something that wormed its way into Windows.
9. Do a final check with a visit to Housecall.antivirus.com (which can remove spyware nowadays). I like to drop to Safe Mode with Networking for this, but it isn't possible for some people.
These steps will eliminate probably 90% of the spyware people run into.
If at this point, there's STILL something on the PC, the next step is Hijack This (run from Safe Mode, natch) - I explain to my students that there are some places where they can post their log files, but most of 'em just email it to me.
I'd say this gets rid of 97% of spyware.
Beyond that, you can run into shit that, for example, sets permissions on registry keys (something Hijack This can't deal with, and that I wouldn't want a non-tech to deal with anyway), loads a DLL attached to Windows explorer, loads as a device driver, or is seriously a rootkit. Sometimes a removal method exists for that stuff. Sometimes it doesn't.
-- I wanna decide who lives and who dies - Crow T. Robot, MST3K
If crap is still in memory it will re-instate itself. I have even had things come back after hijack-this removing them in safe mode. Here's what I do:
I have had some success with Deep Freeze. This application freezes the current state of the system and does not allow you to install anything, as once rebooted it returns the system to the original state that it was in when it was frozen.
have you guys got any bad stories about deep freeze ?
I first try removing junk via Add/Remove programs and then cleanup startup/autorun entries with Startup CPL
Security Task Manager (shareware) rates each process in how likely it is to be malicious and gives you the option of killing or quarantining (or uninstalling the corresponding program if appropriate). I've had good success with eliminating nasties that were sucking so much CPU that Ad-Aware and Spybot couldn't finish scanning.
BartPE is a great live CD, especially with the RunScanner plugin that lets you run Ad-Aware on the local machine's registry. RegeditPE was also mentioned by someone.
You know you shouldn't do that! The human brain runs 100% in root mode!
I really wanted to change my sig to something witty, but all I could come up with is this.
and our caller has decided to tune in and Ask Slashdot, "What program combinations, or websites do you use to uproot that last bit of unwanted software intrusion?"
You've already heard the usual drills: Change your browser/OS, hack, hack, hack and patch, patch, patch (followed by the obligatory reboot, reboot, reboot).
How about an entirely different approach?
Don't connect to the web, in fact, don't network at all.
Whoa! Novel concept, eh?
Combine it with this: Buy two new (or gently used) PC CPUs. They're cheap enough nowadays. Now, configure one with all the patches, hacks, tweaks, programs you need, etc., etc., etc..
When you're through, and satisfied with the result, clone the drive to the other PC (how you choose to go about that is up to you, but a good starting point can be found here).
Now you'll have a "reference box" that will serve as a backup to the one accessing the web. This will allow you to continue to be productive, despite the inevitability of you/your kids/your S.O. downloading and installing the crapware of the week which partnered with a data harvesting company, or clicking the wrong hyperlink in Internet Exploder thereby hosing your desktop with pr0n links.
In anticipation of your next question, "How can I move data when the PCs aren't networked?", please tune in tomorrow when Ask Slashdot answers the question "What's sneaker net?".
We now return you to your regularly scheduled programming.
Some days it's just not worth
chewing through my restraints.
What I mean by this is that one can spend hours trying to remove the stuff and still not have a machine that runs Windows decently. I have had a couple machines that have had problems recently, and rather than try to repair them, I have invested the relatively shorter time of reinstalling Windows fresh. For work this works fine since the number of applications has not been a problem. Also, having a ghost image of a fresh install can be a good possibility for handling this.
The only other alternative to this problem is the Linux solution. ( I am headed this direction slowly, but would be faster if not for the problems as mentioned above! )
I've used many tools before but I always seem to go back to using the good old DOS prompt, even on XP. Every day I remove malware from clients' systems and find a lot get past ad-aware/spy-bot/anti-virus, so I have to remove many by hand.
If you have something hiding in the windows\system32 folder the "dir /od /a-d" command shows the last added/changed files. Then if you're unsure about a small file I use "edit" to open the file and look for clues in it. If it has UPX or FSG in the header I delete the file; other clues are strings that refer to websites I don't like, or encryption that hides string tables.
:(
But if I can't delete the file I'll reboot using BartPE and then delete the files. In BartPE you can use regedit to mount a registry hive, then edit a registry file offline.
But remember some malware has deadman switches, so if you remove it your system won't boot. I.e. NewDotNet puts itself in the LSP (Winsock stack), so if you delete the files Winsock stops working.
The tools I would not leave home without are:
http://www.sysinternals.com/Utilities/Autoruns.ht
http://www.sysinternals.com/Utilities/ProcessExpl
http://www.nu2.nu/pebuilder (bartPE)
then
hijackthis,ad-aware(www.lavasoft.de),spybot,avg(g
and not to forget those builtin tools:
msconfig, cmd, regedit, "sfc /scannow", edit, "shutdown -a".
happy hunting [sVen]
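sVen's "dir /od /a-d, then look in the header for UPX" triage, as an added PowerShell example (not sVen's own script): it lists files in System32 changed in the last N days, skips anything with a valid Microsoft signature, parses the PE section table, and reports the rest with their hidden attribute and any UPX section names. The folder and day count are assumed defaults; FSG leaves no fixed section name, so only UPX is detected here.

```powershell
# Added example: recently changed, non-Microsoft-signed PE files in System32,
# with a check for UPX section names. Read-only triage, not a cleaner.
param(
    [string]$Folder = (Join-Path $env:SystemRoot 'System32'),   # assumed default
    [int]$Days = 30                                             # assumed default
)

function Get-PeSectionNames {
    # Read just enough of the PE header to return the section names (e.g. .text, UPX0).
    param([string]$Path)
    try { $fs = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite') }
    catch { return @() }                                  # locked or unreadable
    try {
        $buf = New-Object byte[] 4096
        $n = $fs.Read($buf, 0, $buf.Length)
        if ($n -lt 64 -or $buf[0] -ne 0x4D -or $buf[1] -ne 0x5A) { return @() }   # "MZ"
        $peOff = [BitConverter]::ToInt32($buf, 0x3C)                              # e_lfanew
        if ($peOff -le 0 -or $peOff + 24 -gt $n) { return @() }
        if ([BitConverter]::ToUInt32($buf, $peOff) -ne 0x00004550) { return @() }  # "PE\0\0"
        $numSections = [BitConverter]::ToUInt16($buf, $peOff + 6)
        $optSize     = [BitConverter]::ToUInt16($buf, $peOff + 20)
        $secTable    = $peOff + 24 + $optSize             # section headers follow the optional header
        $names = @()
        for ($i = 0; $i -lt $numSections; $i++) {
            $off = $secTable + 40 * $i                    # each section header is 40 bytes, name first
            if ($off + 8 -gt $n) { break }
            $names += ([Text.Encoding]::ASCII.GetString($buf, $off, 8)).TrimEnd([char]0)
        }
        return $names
    } finally { $fs.Dispose() }
}

$since = (Get-Date).AddDays(-$Days)
Get-ChildItem -LiteralPath $Folder -File -Force |
    Where-Object { $_.Extension -in '.exe', '.dll', '.sys' -and $_.LastWriteTime -gt $since } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
        $msSigned = $sig.Status -eq 'Valid' -and $sig.SignerCertificate.Subject -match 'O=Microsoft Corporation'
        if ($msSigned) { return }                        # the post's "trusted" case: skip
        $sections = Get-PeSectionNames $_.FullName
        [pscustomobject]@{
            Name      = $_.Name
            LastWrite = $_.LastWriteTime
            Hidden    = [bool]($_.Attributes -band [IO.FileAttributes]::Hidden)
            Signature = $sig.Status
            UpxPacked = [bool]($sections | Where-Object { $_ -like 'UPX*' })
            Sections  = ($sections -join ',')
        }
    } | Sort-Object LastWrite -Descending | Format-Table -AutoSize
```

A hidden, unsigned, UPX-packed file that appeared in System32 this week is worth researching by name before touching it, exactly as the posts above advise; packing alone is not proof of malice, since some legitimate installers ship UPX-compressed binaries.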
If it's going to take longer than 3 hours, backup, wipe and reinstall.
A quick note... LSP-Fix doesn't make any distinction of "good" or "bad" files...it does not target specific products. (If it did, I would be fending off lawyers from every 'product' it removed.) If something appears in the righthand (Remove) window, it's an invalid entry, e.g. a registry key pointing to a non-existent file.
:-)
(Yes, I wrote LSP-Fix
Caveat Emptor is not a business model.
If spyware developers really tried, they could probably develop spyware that could not be removed while running from the disk that contained the spyware. Removal tools would have to run from something like a bootable CD. Really aggressive spyware might limit the ability to boot from CD by patching the BIOS. I can see the day coming when you have to physically remove the hard drive and plug it into another machine to clean it up.
fencepost
just a little off
It was a real objection - and I mean it seriously that you lose credibility by stating (implicitly) that MSIE is not a real browser.
It may be riddled with security holes and may be updating more often than my lappy needs a recharge, but it is *still* the most used browser on the market - which unfortunately merits that they make their own standards that are often followed by major companies. For instance, I can't use my mobile telco's homepage from Opera because their crappy filter assumes that if you don't use IE you're a cell phone, and I am then tossed to their crappy WAP portal. Why? Because non-IE users are marginal.
I didn't say I disagree with your points, I merely stated that your chosen way of communicating your point worked against you.
0. the most sure way
[install strategy]
a. just install main OS and accumulate data
[when something goes wrong]
a. backup data (to somewhere)
b. format c:
c. reinstall
d. restore data
1. overhead in install procedure, but easy restores
[install strategy]
a. make 3 partitions
a1. main OS partition: w2k (ntfs), 16GB for me, though I did it for w9x, w2k (fat) also.
a2. data partition - (rest of free disk space - 5)GB: place for backup, iso, mp3, avis. fat32 filesystem recommended (accessible for most OS)
a3. rescue partition - 5GB, linux
b. install main OS and patch it to latest, install VNC (if you have to access this pc remotely), defrag it, overwrite zero on all free space
c. install linux (don't forget ssh, screen if you have to access remotely) and make it multi-bootable (boot default = main OS)
d. in linux, "dd if=/dev/hda1 bs=32M | gzip > mainOSimage.gz" - it took roughly 160MB in w9x and 800MB in w2k for me (my native language version - your mileage may vary)
e. store mainOSimage.gz in data partition or linux partition or other media.
f. accumulate your data on data partition
[when something goes wrong]
a. backup essential data in your main OS partition to data partition (bookmarks, certificates, etc..)
b. boot in linux, do "zcat mainOSimage.gz | dd of=/dev/hda1 bs=32M ; shutdown -r now"
c. restore essential data needed in main OS partition
d. patch main OS some more (some more patches from MS in between...) and you're good to go!
This setup works well for your granma's interweb peecee. (uhm.. just keep tapping ctrl-keys as soon as you power on your peecee, when screen turns red, select 'leenuks' using arrow key and hit return, read your internet address in boot screen using shift-pgup.. OK I'll do the rest!)
1a. Variation - dual boot is not l33t enough
Similar to method 1, replace linux partition with live linux CD or rescue floppy (tomsbtrt?) or bootable usb-keychain. This is for people who don't tend to forget needed media when something bad happens.
1b. Variation - I already have linux server somewhere in my network.
You have another computer acting as NFS boot server in your network. Just make your pc netbootable before you install your main OS - write & insert pxe or etherboot rom in your network card if you have PCI lan card, or buy motherboard that has integrated lan (and enable network boot rom) EXCEPT PCCHIPS motherboard! If you're unlucky enough to have bought PCCHIPS motherboard (which has NOVELL RPL rom instead of PXE rom), use BIOS dissecting tool (cbrom.. etc..) to discard RPL portion and insert etherboot rom instead (DANGER - I'm not taking responsibility for damaged motherboard. Do it at your own risk! Really!!) This setup works well for small office environment (up to 50 pc per maintenance personnel, I guess). You can store your main OS images in central NFS server.
1c. Variation - Why use linux?
Use other utilities like ghost.. etc..
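The image-and-restore cycle from method 1 above (step d to take the image, recovery step b to put it back), as an added example that is not part of the post: it runs the same dd | gzip and zcat | dd pipeline, but against a regular file standing in for /dev/hda1 so it can be executed safely anywhere, and it records a SHA-256 of the clean partition at image time so the restore can be verified rather than trusted. The fake-partition file, the hash_file helper and the demo function are my assumptions, not anything the poster described; on a real system you would boot the rescue linux and point DISK at the actual device.

```shell
#!/bin/sh
# Added example (not from the thread). Hypothetical setup: DISK is a 4 MiB
# file playing the role of /dev/hda1 so the dd pipeline is harmless to run.
set -eu

WORK=$(mktemp -d)
DISK="$WORK/fake_hda1"        # stands in for /dev/hda1 (assumption)
IMAGE="$WORK/mainOSimage.gz"  # same image name as in the post

# Portable SHA-256 of a file: GNU sha256sum, or shasum on BSD/macOS.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Constructed "clean" partition: zeros with a recognisable marker at offset 1024.
make_disk() {
    dd if=/dev/zero of="$DISK" bs=1M count=4 2>/dev/null
    printf 'KNOWN-GOOD-OS-FILES' | dd of="$DISK" bs=1 seek=1024 conv=notrunc 2>/dev/null
}

# Step d: image the partition exactly as the post does, and record its hash.
image_disk() {
    dd if="$DISK" bs=32M 2>/dev/null | gzip > "$IMAGE"
    hash_file "$DISK" > "$IMAGE.sha256"
}

# Simulated infection: overwrite part of the partition in place.
corrupt_disk() {
    printf 'MALWARE-PAYLOAD-HERE' | dd of="$DISK" bs=1 seek=1024 conv=notrunc 2>/dev/null
}

# Recovery step b (without the shutdown -r, since this is a file, not a disk).
restore_disk() {
    zcat "$IMAGE" | dd of="$DISK" bs=32M 2>/dev/null
}

# Returns 0 only if the partition now hashes to what was recorded at image time.
verify_disk() {
    [ "$(hash_file "$DISK")" = "$(cat "$IMAGE.sha256")" ]
}

# Full cycle: image, corrupt, confirm the corruption is detected, restore, verify.
demo() {
    make_disk
    image_disk
    corrupt_disk
    if verify_disk; then echo "corruption went undetected"; return 1; fi
    restore_disk
    verify_disk || { echo "restore did not reproduce the clean image"; return 1; }
    echo "restore verified against recorded hash"
}

cleanup() {
    rm -rf "$WORK"
}
```

Run it with `sh script.sh && demo` or call `demo` after sourcing; the point the post leaves implicit is the last step, since a restore from an image you cannot verify tells you only that the disk changed, not that it is back to a known-good state.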
I use Spybot S&D along with their Tea Timer. I also use Ad Aware, MS Antispyware, Hijack This, Spyware Blaster and an antivirus. Every once in a while, something shows up in a scan but isn't usually too hard.
My GF's machine gets all kinds of shit on it. The biggest difference is the user involved. I don't install anything unless I know exactly what it is. My GF's kids play all kinds of java games on the web and without fail the machine with the most crap on it is the one that they use.
Be careful and you can usually avoid the infestation in the first place.
LK
"Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
It's the first piece of software that I install when I have to use a new PC. It's truly indispensable...
My day job is developing .Net software, and process explorer's .Net performance counters are very useful for that too. I used them to prove the memory leak in our software was our code's fault, not .Net itself.
Architect: "Our code CAN'T have a memory leak - .Net has garbage collection."
Me: "Well, how come the large object heap size reported by process explorer keeps going up, tracking the overall process memory usage?"
Turns out each object in a very large collection was reading a 200k file into a byte array, and never releasing it.... garbage collection can't save you there.
Another thing that is handy is how it shows % time servicing DPCs and interrupts. I was copying some video from my camcorder to my pc via firewire the other day, and I was having problems with dropped frames. The CPU was maxed out, but I noticed that about 40% of the time was spent servicing interrupts....
Bit more checking and it turned out my HD had fallen back to pio mode.