Slashdot Mirror


Stubborn Spyware Removal Advice?

onedobb asks: "I'm sure all of us are familiar with Lavasoft's Ad-Adware and Spybot Search and Destroy, however there always seems to be that particular piece of spyware, or malware that seems to slip past both of those programs (even with the most recent definition updates, and virus definitions). What program combinations, or websites do you use to uproot that last bit of unwanted software intrusion?"

9 of 223 comments

  1. HijackThis + Google by tansey · · Score: 5, Informative

    Most of the time if you simply run HijackThis and then search google for any of the suspicious log entries, you'll quickly be directed to a page where someone had a similar log entry, and you'll find out if it's malicious or not.

    1. Re:HijackThis + Google by tansey · · Score: 5, Informative

      For those who don't know about it, you can read up on HijackThis here and the direct link to the zip dl can be found here.

    2. Re:HijackThis + Google by stefanlasiewski · · Score: 4, Informative

      AdAware, SpyBot and MS Antispyware will see many malware programs, but will be unable to remove certain programs. (Virtumondo is one such nasty, as it can bind itself to winlogon.exe or other critical processes, and the antispyware programs were unable to extract it.)

      HijackThis will at least let you view the details of your system, and let you remove the malware by hand.

      --
      "Can of worms? The can is open... the worms are everywhere."
  2. Well.... by _Sharp'r_ · · Score: 4, Informative
    --
    The party of stupid and the party of evil get together and do something both stupid and evil, then call it bipartisan.
  3. Prevention by mnemonic_ · · Score: 4, Informative
    1. Run Windows as a normal user, not as an administrator.
    2. Use Mike's ad-blocking hosts file.
  4. Some tools to add to your belt by DongleFondle · · Score: 4, Informative

    Adaware and Spybot Search and destroy are your best place to start, but I understand your frustration. Probably three out of the last four times I've dealt with a Spyware infested machine they didn't completely do the trick on their own.

    Install and run Adaware and Spybot S&D, making sure you update the programs and select to perform deep scans (within archives, etc.) in the custom scan options. This will probably remove most of the easiest and most common exploits. Reboot.

    Go through your Add/Remove programs menu and try removing any programs you can identify as spyware. If the programs didn't come with an uninstaller, I would have to officially recommend you do not go through any of their steps to download one and run it. I have tried this in the past with mixed results. Some of these programs truly were just severely annoying adware that actually removed themselves at the end of this lengthy process, but some were truly malicious and simply installed MORE spyware after running the uninstaller. I recommend you don't risk this.

    Open up the task manager and go through each and every process, researching if need be. I use groups.google.au to get the older version, which seems to provide more relevant results. Kill any processes that you find are suspicious. Hell, kill any processes you can't identify as normal Windows OS or application processes. I dealt with an instance of spyware once that executed two randomly named processes that protected the spyware from removal. If you killed one process, the other would immediately respawn it.

    Go through all of your startup locations:

    C:\WINDOWS\Start Menu\Programs\StartUp
    C:\WINDOWS\All Users\Start Menu\Programs\StartUp
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Start --> Run --> msconfig --> Startup tab

    Once again, go through each and every item and delete or disable everything that you can identify as malicious. It's likely that when searching you will run across others who have dealt with the same spyware issues in the past and have had to figure out how to remove them.

    Run your Adaware and Spybot S&D scans again. Reboot. Test your machine to see if the spyware is still there. Still have problems?

    Download and run HijackThis. Pore through your log once more, or alternatively post it to one of the many forums where professionals are willing to lend you a helping hand. At this point, you may also want to consider downloading and running Rootkit Revealer.

    Also, try rebooting into safe mode and running your scans. Even though you are in safe mode, you should still monitor and kill processes that are suspicious. Remember, Sony's Rootkit came complete with a safe mode driver.

    If all of this hasn't worked, then I suggest you back up your data, scan it for viruses, and do a low level format with a utility such as Killdisk. Now that you have to reinstall your OS, perhaps now is the perfect time to make the Linux switch.

  5. It's easy... by Izago909 · · Score: 5, Informative

    Build a Barts PE disc with the following:

    Ad-aware
    McAfee
    Registry Editor PE
    Winsockfix
    LSPfix
    Hijackthis

    Begin by going through each user's directory in Documents and Settings. Delete the cookies directory, then every directory in Local Settings except Application Data. Then go to the Windows directory and delete the contents of the following directories: Downloaded Program Files, Prefetch, and Temp. Then finish by going to the root dir and deleting the contents of the System Volume Information and Recycler folders. This will clear out the majority of the places malware hides and code that reactivates any remaining nasties on boot. Also pay very close attention to any DLL and EXE files in the Windows directory. With a few important exceptions, only malware places libraries and executables in the Windows directory. Generally, if you right click the file and choose Properties and it shows detailed copyright info for a legitimate company, the file is safe; if not, change the extension to BAK and remember to change them back if your software has problems.
    Then start Regedit PE and load the remote registry files including all user hives. It will launch regedit after they are loaded. Remove all spyware keys in the Software subkeys, and then remove the autorun strings from Run, RunOnce, and RunOnceExec locations. Do NOT close regedit when you're done or it will save the changes. While regedit is still running, run a complete system scan with adaware. When adaware is done, close it then close regedit. Next run McAfee to get trojans and viruses. Before shutting down, it's a good idea to run chkdsk just for good measure.
    On reboot, start in safe mode (no network support). Run LSPfix and remove any bad LSP entries (such as newdotnet); most known bad things are automatically put in the right window. If you are unsure about something, google it. Be careful or you could destroy your network layer. Then run winsockfix to repair winsock. Then run hijackthis to remove all other unnecessary stuff, but pay attention to path names so as NOT to remove good things like antivirus/spyware/firewall entries. Log out (not switch user) and run hijackthis in each user's account.
    Reboot in safe mode with networking, install, update, and run spybot and adaware. Update any installed antivirus software, and run a final scan. Reboot again, but in normal mode, and run scans again to verify you don't have any persistent malware. If the scans come up clean, your work is done; if not, remove them, reboot, scan again, and if they still come back, cut your losses and restore the machine.

    PS: I do this several times a day and have seen about every type of malware out there. Believe it or not, MS antispyware will pick up stuff that adaware, spybot, and webroot leave behind. Even if you don't want to use it, you can't do wrong by installing, updating, scanning, then uninstalling when done. MooSoft's The Cleaner and Bazooka can also help you remove persistent trojans.

    Good luck.

  6. Re:The only solution ... by melikamp · · Score: 4, Funny
    melikamp@woland:~$ format c:
    bash: format: command not found

    Hey, it worked perfectly!

  7. Autoruns and process explorer from Sysinternals by Johnno74 · · Score: 4, Informative

    Written by Mark Russinovich, the guy who blew the lid on the Sony rootkit debacle (and author of other indispensable free Windows utils like process explorer, filemon, regmon and many, many others).

    His site is http://www.sysinternals.com and autoruns can be downloaded from here.

    Autoruns shows EVERYTHING that is started on your PC at boot & logon etc., including device drivers, services... everything. It can even filter out binaries signed by Microsoft, to make third party stuff stand out like dog's balls.

    Use process explorer to find and kill the spyware processes - you may have to google processes to identify them, but that function is built in. Here is a tip - look for anything that doesn't have a company name of "Microsoft".

    Some really stubborn spyware has more than one process running, watching each other and restarting each other if you kill them. Use PSKill (command-line process killer) to kill multiple processes at once, so they can't restart.

    Once you have cleaned out the running junk, use autoruns to identify where it started from and kill it.

    It's never failed for me, and you learn a whole lot about the internals of Windows in the process.
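An added, read-only PowerShell example (not from any of the posters above) that walks the Run keys and Startup folders listed in comment 4, reads the publisher info comment 5 says to check in file Properties, and applies the "not signed by Microsoft" filter comment 7 describes for Autoruns. It assumes Windows PowerShell 5.1 or later on an elevated prompt; the path parsing in Get-ImagePath is a simplification I added and will miss unusual command lines.

```powershell
# Added example: list autorun entries with publisher and Authenticode status
# so unsigned or non-Microsoft entries stand out for manual review. Read-only.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),        # per-user Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # All Users Startup folder
)

# Extract the first quoted or unquoted executable path from a Run value (simplified).
function Get-ImagePath([string]$command) {
    if ($command -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($command -split '\s+')[0]
}

function Get-AutorunReport {
    $entries = @()
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip provider metadata properties
            $entries += [pscustomobject]@{ Source = $key; Name = $p.Name; Image = (Get-ImagePath $p.Value) }
        }
    }
    foreach ($dir in $startupDirs) {
        if (-not (Test-Path $dir)) { continue }
        Get-ChildItem -Path $dir -File | ForEach-Object {
            $entries += [pscustomobject]@{ Source = $dir; Name = $_.Name; Image = $_.FullName }
        }
    }
    foreach ($e in $entries) {
        $path = [Environment]::ExpandEnvironmentVariables($e.Image)
        $company = $null; $status = 'FileMissing'; $signer = $null
        if (Test-Path -LiteralPath $path) {
            $company = (Get-Item -LiteralPath $path).VersionInfo.CompanyName
            $sig = Get-AuthenticodeSignature -FilePath $path
            $status = $sig.Status.ToString()
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }
        # Review = $true for anything that is not validly signed by Microsoft.
        [pscustomobject]@{ Source = $e.Source; Name = $e.Name; Image = $path; Company = $company
                           Signature = $status; Review = -not ($status -eq 'Valid' -and $signer -like '*Microsoft*') }
    }
}

Get-AutorunReport | Sort-Object Review -Descending | Format-Table -AutoSize
```

A Review flag only marks an entry for a closer look; a legitimate third-party signer or an unsigned but known tool will also be flagged, so confirm each one before removing anything.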