Share your Spyware/Virus Removal Procedure!

Wrench00 (2[H]4U) | Joined: Sep 30, 2003 | Messages: 3,423
If you get some kind of a mass mailer or DDoS virus and it's flooding you off the interwebnet, this is the manual procedure I use to clean up an infested system. I hate waiting for the apps to do the scan (especially Norton).

The following applies mostly to Win2k and WinXP. You can use parts of this to fix WinME and Win98. ME is just a pain, though.

First of all, go disable your System Restore; viruses love to hide there (right-click on My Computer, go to Properties, then the System Restore tab).

Download the following software, install them, and update all of them as well.

Adaware
CCleaner @ www.ccleaner.com
Spybot Search and Destroy
Beta MS Antispyware tool @ www.microsoft.com

If you don't have anti-virus you can get one from www.grisoft.com (AVG 7 Free). It's really quite good.

Reboot into Safe Mode:
1. Make sure you unhide all system folders and files.
2. Go into (X = your drive) X:\Documents and Settings\%User%\Local Settings\Temp (delete all files).
3. Go into (X = your drive) X:\Documents and Settings\%User%\Local Settings\Temporary Internet Files\Content.ie5 (I forgot this one; The Brophyte reminded me). Note: you will not see this dir if you're logged on to your own profile; if you're cleaning another user's profile using your own account you will see it (delete all files).
Note: I suggest that you perform this on each user; viruses like to spread to all temp dirs on every user. If you can't see your own Temp or Temporary Internet Files folder, then type the folder name into the address bar or log on as another user, or create a temp account just to clean your system.
4. Go to X:\windows\prefetch (delete all files in here).
5. Go to X:\WINDOWS\system32\config\system profile\Local Settings\Temp (delete all files).
6. Go to X:\WINDOWS\system32\config\system profile\Local Settings\Temporary Internet Files\Content.ie5 (delete all files).
7. Go to Start -> Run -> msconfig (hit OK). Go to the Startup tab. See what progs are starting; the location will tell you where it is. DO NOT disable anything from here.
Common Startup = Startup folder on your Programs list (some viruses like to make themselves invisible, so use Explorer to go to that folder). Delete anything you don't need.
HKLM = HKEY Local Machine
HKLU = HKEY Local User
To access these go to Start -> Run -> regedit (hit OK).
Go to HKEY Local Machine\Software\Microsoft\Windows\Run (delete anything you don't need; if you don't know what it is you might need to Google it, or the path will tell you where it's located).
Also check RunOnce, RunService, and RunOnceService if they exist.
Do the same for HKEY Local User\Software\Microsoft\Windows\Run.

You can now close msconfig. Hit Cancel, not OK; otherwise it will recreate all your registry settings.

8. Check your hosts file at X:\WINDOWS\system32\drivers\etc. You can open your hosts file with Notepad; check if you've got entries like 127.0.0.1 www.google.com etc. (remove them if you've got any). Spybot will add a bunch of entries later to block certain websites, but before that you can straight-out delete this file (back it up first if you're unsure); Windows generates this file automatically.

9. Run Adaware.
10. Run Spybot.
11. Run CCleaner.
12. Run MS Antispyware (if you can in safe mode).
13. Reboot into normal mode, then run anti-virus.
14. Optional: turn on your system recovery again. (I don't ever use this because viruses always hide there, and anti-virus scanners and Adaware-type programs have no access to that dir; they're very hard to remove.)
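An added example, not part of the original post: a small Python script that does step 8's hosts-file check offline. It parses the Windows hosts format and flags every non-localhost entry, treating a loopback mapping of a search, update or security-vendor domain as a hijack (that domain list is an assumption, seeded with sites this thread mentions) and any non-loopback target as a redirect. The sample hosts file is constructed.

```python
import ipaddress

# Hostnames a stock Windows hosts file maps to loopback on purpose.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Domains no legitimate blocklist (Spybot's entries included) should ever
# point at loopback: search engines, Windows Update and the AV/antispyware
# vendors this thread mentions. Assumption: extend to suit your own toolset.
PROTECTED_SUFFIXES = (
    "google.com", "microsoft.com", "windowsupdate.com",
    "symantec.com", "grisoft.com", "lavasoft.com", "safer-networking.org",
)

def parse_hosts(text):
    """Return (line_number, ip_address, hostname) for every mapping in a hosts file."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:                        # not "IP name [name...]"; skip it
            continue
        for host in fields[1:]:                   # one line may list several names
            entries.append((lineno, addr, host.lower().rstrip(".")))
    return entries

def audit_hosts(text):
    """Return a list of findings; an untouched hosts file yields an empty list."""
    findings = []
    for lineno, addr, host in parse_hosts(text):
        if host in LOCAL_NAMES and addr.is_loopback:
            continue                              # the stock "127.0.0.1 localhost" line
        blocking = addr.is_loopback or addr.is_unspecified   # 127.x / ::1 / 0.0.0.0
        protected = any(host == s or host.endswith("." + s) for s in PROTECTED_SUFFIXES)
        if blocking and protected:
            severity, why = "HIGH", "blocks a search/update/security site (classic hijack)"
        elif blocking:
            severity, why = "INFO", "block entry; fine if you or Spybot added it"
        else:
            severity, why = "HIGH", "redirects the name to %s instead of blocking it" % addr
        findings.append({"line": lineno, "host": host, "address": str(addr),
                         "severity": severity, "reason": why})
    return findings

# Constructed sample: a stock header plus the kinds of lines the post describes.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       www.google.com
127.0.0.1       www.grisoft.com liveupdate.symantec.com
127.0.0.1       ads.example.net   # Spybot-style block of an ad server
203.0.113.9     www.microsoft.com # constructed redirect to a documentation-range IP
"""
```

On a real box, feed `audit_hosts()` the contents of `X:\WINDOWS\system32\drivers\etc\hosts` instead of the sample; a clean file returns an empty list.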
 
My method is a lot simpler...

1. Insert Linux CD
2. Reboot
3. Install Linux
4. Reboot
5. Update software
6. Enjoy Environment
7. Put away migraine pills

:p :D


---This was a poor attempt at humor, please don't get mad at me :)
 
After doing this too many times, here's my routine.

1. Download Spybot S&D and Ad-Aware, and update them.
2. Disconnect from the internet.
3. Go to Add/Remove Programs and manually delete every adware program that I can. Sometimes this involves getting back on the internet b/c they want to connect. So far, I haven't found any problems with doing this. I do this because I've found that sometimes if you remove malware with just AdAware or Spybot, it'll screw up a person's internet connection. So I try to do it "properly" first.
4. After removing as many as I can manually, I make sure I'm offline, then I run SpyBot and AdAware. This usually involves letting it restart several times to get the stuff it couldn't delete the first time.
5. After that, I manually delete all the registry keys and files that the two programs couldn't delete. Then I restart again.
6. Next I delete all the cookies and temporary internet files, and clear the temp directory. Then I check the browser helper objects, and if I don't recognize any, I go to Google and look them up. Delete all I need to.
7. Run antivirus just because. They tend to have a virus or two among all the other malware.


I probably should turn off System Restore, but I never think to. But that gets rid of 99% of the malware I've run into.
 
1. close everything
2. run spybot
3. run adaware
4. run ms antispyware
5. reboot
6. repeat 2-4
7. run antivirus program
8. reboot
9. update spybot, adaware, and ms antispyware
10. update spywareguard and spywareblaster
11. confirm I turned off ActiveX
12. sit and wait till I am paranoid again
13. be happy
 
I'm kinda liking the Linux idea (but with BSD). If you are doing it on your own PC and haven't loaded it to hell with spyware then yeah, running the programs is great. If it is someone who has loaded it to hell then do the Add/Remove first to kill what you can. If the internet connection gets screwed you can always try WinSockFix. I've had great luck with it dealing with people who have trashed their OS.
 
Use Firefox.

Have Spybot/Spy Sweeper protect me.

No spyware for 4 months... :D
 
Hmm, all I do is use Firefox and run Adaware every now and again, plus I have VirusScan on my machine, as per the University's recommendation. Is there anything else that I need to be doing to keep clean? Some of the solutions posted here seemed kind of dire... Is it all necessary?
 
FULL AVG Scan
Reboot
SpyBot
Reboot
Adaware
Reboot
MS Antispyware
Reboot
Go into MSCONFIG and see if there is some leftover unknown shit
Go into safe mode and scan with all the things listed above
Reboot
Hope that it's fixed

Never had to do this on my machine but others, yes.
 
You guys are forgetting the most basic step in the disinfection procedure: disable System Restore; this prevents worms from becoming undeletable by antivirus.

OldMX
 
D1sc1pl3 0f Mal1c3 said:
Hmm, all I do is use Firefox and run Adaware every now and again, plus I have VirusScan on my machine, as per the University's recommendation. Is there anything else that I need to be doing to keep clean? Some of the solutions posted here seemed kind of dire... Is it all necessary?

These solutions are for the computers whose owners DIDN'T run AdAware or an antivirus program. You're keeping your computer defended, which is good. Most people don't, and then call us.
 
1. Update definitions on Spyware software (Spybot, ad-aware, etc.)
2. Reboot into safe mode
3. Delete c:\temp; c:\windows\temp; c:\documents and settings\<username>\local settings\temp
4. Delete all temporary internet files
5. Scan for spyware
6. Check the registry HKLM\Software\Microsoft\Windows\CurrentVersion\Run (RunOnce, RunServices) and the same keys under HKCU.
7. Reboot into safe mode with networking support
8. Windows Update
9. Reboot normally and rescan with Spyware.
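An added example, not from the post above: a Python script that applies step 6's check to a text export of the Run keys (assumption: you produced it with `reg export` from an elevated prompt and decoded the UTF-16 file before handing it over). It flags any autorun whose executable lives in the Temp, Temporary Internet Files, Content.IE5, Prefetch or system-profile locations this thread names, or that borrows a core system process name from outside system32. The export below is constructed.

```python
import re

# One REG_SZ line of a .reg export: "name"="data", both halves .reg-escaped.
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"$')
# Lower-cased path fragments where this thread says infections hide (8.3 forms too).
HIDING_SPOTS = ("\\temp\\", "\\temporary internet files\\", "\\content.ie5\\",
                "\\prefetch\\", "\\locals~1\\", "\\tempor~1\\", "\\system profile\\")
# Core system binaries that only ever run from %SystemRoot%\system32.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}

def unescape(s):
    # .reg escaping: a backslash escapes the character after it (\\ and \").
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg_export(text):
    """Return (key, value_name, data) for every string value in the export."""
    entries, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]                      # a new [HKEY_...] section
        elif key and line.startswith('"'):
            m = VALUE_RE.match(line)
            if m:
                entries.append((key, unescape(m["name"]), unescape(m["data"])))
    return entries

def exe_path(command):
    """Pull the executable out of an autorun command, quoted or bare."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.*?\.exe)\b", command, re.IGNORECASE)
    return m.group(1) if m else command.split(" ")[0]

def audit_run_keys(text):
    """Return the autorun entries worth a closer look, each with its reasons."""
    findings = []
    for key, name, command in parse_reg_export(text):
        path = exe_path(command).lower()
        reasons = ["runs from %s" % s.strip("\\") for s in HIDING_SPOTS if s in path]
        base = path.rsplit("\\", 1)[-1]
        if base in SYSTEM_NAMES and not path.endswith("\\system32\\" + base):
            reasons.append("%s outside system32" % base)
        if reasons:
            findings.append({"key": key, "name": name, "path": path, "reasons": reasons})
    return findings

# Constructed export (real ones are UTF-16; decode first): two clean entries,
# two of the kind the thread describes.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"SoundMAX"="\"C:\\Program Files\\Analog Devices\\SoundMAX\\Smax4.exe\" /tray"
"svchost"="C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\svchost.exe"
"WinUpdate"="\"C:\\Documents and Settings\\Owner\\Local Settings\\Temporary Internet Files\\Content.IE5\\update.exe\" -s"
'''
```

Run `audit_run_keys()` over each exported key (the HKLM and HKCU Run, RunOnce and RunServices keys the post lists); the two constructed bad entries come back with their hiding-spot reasons, the two clean ones do not.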
 
Along with all those suggestions, I would like to add that it might be a good idea not to install all that free crap off the internet.
If prompted to install something while surfing the internet, say no.
 
Well, I use all my scanning tools (Spyware Doctor, Adaware, Norton Antivirus 2005, and Registry Mechanic) and copy down all of the locations of the infections. I remove all of the infections, then search their locations and manually delete if they are still there. Then I search in Windows, Program Files, the system32 folder, etc., for anything out of the ordinary, right-click and choose "scan with... X program", and if it's all good and dandy I leave it alone, but watch its progress within the next few days to see which files change or anything. But if it reads it as spyware, adware, or a virus (which is usually really easy to tell) then the bastard's gone! If it can't be manually deleted (unable to write to disk, access is denied) then I open the files with Word, or Notepad, or whatever, then I erase all of its data and save it as it was so that it can't function! It worked well this one time. I couldn't get this thing to go away, so I started manipulating its files and saving them; suddenly a process was halted in the Task Manager, and it was that same .exe that was part of the program that I was manually trying to delete! I then went to "End Task" (which I wasn't allowed to do before), and once it was ended, I was finally able to delete the main files, which were in system32!
 
You guys are missing some of the temp files. Under X:\Documents and Settings\%User%\Local Settings\Temporary Internet Files there is another directory named "content.ie5". You cannot view it even if you have hidden and system files set as visible, but you can enter it in the address bar. Delete everything in that folder; it's a common place for viruses to hide.
 
OldMX said:
You guys are forgetting the most basic step in the disinfection procedure: disable System Restore; this prevents worms from becoming undeletable by antivirus.

OldMX
I mentioned this in mine.
 
I have seen some good suggestions here, but my clients, who seem very skilled at collecting spyware and adware, mostly just want to be up and running fast again...

My normal procedure is as follows:

1. Go through Control Panel's Add/Remove Programs and manually remove as many programs as I know to be ad-infested pieces of crap... ones I don't recognize I Google. This part sometimes takes a few reboots, depends.

2. I then install Adaware SE first and run its update and let it do its full scan (I find it does a better job removing the bulk of things first than Spybot does).

3. I then install Spybot, run its updates, immunize everything and run a full scan. (I do not turn on the run-in-the-background features.)

4. I then sometimes also install spyware for an extra level of protection.

5. I then remove whatever crappy virus protection they may or may not have (anything that is not AVG), install AVG, update and run it.

6. Remove all unnecessary programs that run in the systray (20+ of them is common with my clients).

7. Install all Windows updates.

8. Defrag.

9. Depending on the client, instruct them on how to run Adaware and AVG and defrag at least once a month.

Sometimes I have to do lots of extra work removing programs from starting up using msconfig and changing IE settings, but that's the must-do procedure I do.

Now that you know my secrets I must kill you.

You know what's even more fun than doing that to a client's computer either at their home or taking the computer home with me... doing it remotely... yikes...
 
I have not had a virus or any spyware (depends on your definition of spyware, I don't consider cookies a form of spyware in most cases) since the Sasser worm. Maybe I am just very careful. I don't even have a proven method of removing them, so I will be sure to check out some of yours if I pick one up.
 
On the couple of occasions that buddies have used my PC and gotten it chock-full of spyware, only Webroot's Spysweeper program has ever worked for me. I've tried Ad-Aware, Spybot S&D, and MS Spyware Beta... all were completely useless.
 
I'm just copying one of my previous threads from another forum about my weekend story:

Over the weekend I was downloading 'things' using IE (and I should know better by now; I use Firefox 99.5% of the time). I came across a 'homemade' website that had some anime episodes I was looking for...

To make a long story short, I allowed an applet to be installed and next thing I know I'm infected and inundated with spyware/adware. This particular one was a virus/malware which put multiple replicating instances of ISTsvc.exe, sahagent, sais.exe, mxh****.exe, shoppingagent, websearch toolbar etc. etc. etc. Needless to say my AV went crazy and deleted all instances (so I thunk). I stopped everything I was doing, ran Adaware, which found all instances and removed them (which required a reboot) (so I thunk). After the reboot everything SEEMED fine, then CRAZY POPUPS appeared without me doing anything at all....

To continue to make a longer story shorter: you have to reboot into safe mode, run Adaware, and manually search for and delete those files I mentioned above. Most of them you can find in 'Add/Remove Programs' but that doesn't really remove them. These files/programs reside in C:\Windows; Program Files; \Local Settings\Temporary Internet Files and \Local Settings\Temp. You might want to check your registry (if you're comfortable with it, and always back it up first). Also run 'msconfig' at the command prompt and check for running instances there. (Win2000 users have to install msconfig separately.)
 
EmbraceThePenguin said:
My method is a lot simpler...

1. Insert Linux CD
2. Reboot
3. Install Linux
4. Reboot
5. Update software
6. Enjoy Environment
7. Put away migraine pills

:p :D


---This was a poor attempt at humor, please don't get mad at me :)
u_DR_K13

:D
 
FiZ said:
I have not had a virus or any spyware (depends on your definition of spyware, I don't consider cookies a form of spyware in most cases) since the Sasser worm. Maybe I am just very careful. I don't even have a proven method of removing them, so I will be sure to check out some of yours if I pick one up.
Cookies can link to sites that distribute spyware, adware, and any other wares that can mine data and/or corrupt system files. Always check just to be safe. Just some friendly info! :)
 
lesman said:
Cookies can link to sites that distribute spyware, adware, and any other wares that can mine data and/or corrupt system files. Always check just to be safe. Just some friendly info! :)
You bet. I check pretty frequently, and use Firefox.
 
Step 1: Boot into safe mode with networking
Step 2: Log on as Admin (not my main user account)
Step 3: Delete each user's Temp, Temporary Internet Files, Cookies
Step 4: Run Spybot S&D, most up to date, & clean what it finds
Step 5: Run Ad-Aware SE, most up to date, & clean what it finds
Step 6: Run trial Spysweeper 3.5, most up to date, & clean what it finds
Step 7: Run trial NOD32, most up to date, & clean what it finds
Step 8: Run HijackThis & check what shouldn't be there
Step 9: Reboot into normal mode & redo steps 3-8

PS: the MS Antispyware is just Giant, & I run it if I feel that Spysweeper isn't getting everything or there is a little thing that won't remove. Giant seems to be better at getting the little nagging stuff but can give a ton of false positives, so watch it.
 
Spyware (except for Portalsearching):
(1) run Ad-Aware SE
(2) run Spybot: Search & Destroy

Portalsearching Spyware:
(1) run Portalsearching Spyware Uninstaller

Viruses:
(1) run Norton Antivirus
(2) run Ad-Aware SE
(3) run Spybot: Search & Destroy

Consistent spam that won't go away:
(1) ignore/delete
(2) send them an email specifically requesting that they cease communications with me
(3) track their ip addy and investigate possible legal actions
(4) sue their @$$ off if possible
 
Worst thing you can do is reply to spam. It'll just ensure that you'll get even more. Another thing is most of them spoof their sender address, so it's difficult to find them.
Best practice is a spam blocker, and never reply to it.
 
I know the addresses are crappo, so I go to the website itself and use the addies written there.
 
It's easy... just delete any emails you get saying "free" anything, or anything "porn", unless, that is, you have an account with a porn site... then you're just basically paying for spyware, adware, etc.
 
Well, I've just received my first mass mailer virus. I don't even remember opening the original e-mail, but it took over Outlook like it was France or something. Symantec didn't even stop it, but the spam filter on our e-mail server kept the messages from going out in the first place, or they just got rejected by the recipient.

Using the ideas above to clean my sys. I knew I could count on the HardOCP community

Thanks y'all
 
Usually do most of the aforementioned things and then I use my neat little IDE-to-USB adapter to scan the "questionable" drive from the client's PC on my clean PC.
 
Symantec, 0 problems found :mad:
Ad-Aware, 0 problems found :eek:
Spybot S&D, 45 problems found & destroyed :D

Which one is getting some cash from me?

In safe mode now, my eyes are killing me
 
OldMX said:
You guys are forgetting the most basic step in the disinfection procedure: disable System Restore; this prevents worms from becoming undeletable by antivirus.

OldMX
Or just give the folder admin privs, instead of system privs. (Which the virus software should be capable of doing, but most don't)

As to the rest of this thread, if you take the purest view, you can never guarantee that the virus modified a file that the virus scanner doesn't know about, so if possible you should format, and start over, and assume the data is compromised. That is the safest view. (I personally play with viruses all day, and am pretty sure you don't have to take the sledgehammer approach, but it is the safest.)

This posting is provided "AS IS" with no warranties, and confers no rights.
 
What would I do if I installed a virus or caught a worm? Hit my head against the wall for installing it, and then flatten the box. From another machine, examine each network resource the affected machine could have touched, and wipe out appropriate data.

Why?
If a system is compromised, there is no way to prove that the hostile code has been removed from the system. The only way to be absolutely sure is to wipe everything the hostile code could have affected. Call it absolutist, call it paranoid, but call it secure and the right thing to do.


Why do I say “what would I do if”?
When was the last time I installed a virus? 1998. My understanding of computer security was still pretty limited at the time and I did some stupid things (running executables from the net in this case).
When was the last time a worm got onto my systems? Never, though I have dealt with afflicted machines, wiping them out and going from there.
 
EmbraceThePenguin said:
My method is a lot simpler...

1. Insert Linux CD
2. Reboot
3. Install Linux
4. Reboot
5. Update software
6. Enjoy Environment
7. Put away migraine pills

:p :D


---This was a poor attempt at humor, please don't get mad at me :)
Lol.
 
Boot with the latest BartPE CD. Run AdAware and Spybot, and McAfee.

Not something I've ever had to do since I specifically deny the execution of executables from any place on the workstation other than program files, the Windows system directories, and one directory to which only I have access (system is specifically denied access) of which one sub is my temp directory, using local machine policy.
 
I format that shit at the first sign of a threat. Everything is ALWAYS backed up, so if I do get infected I can just hit power and pop in the Win XP disc.
 
In safe mode:
--scan w/ Nod32
--scan w/ Ewido
--scan w/ Counterspy
In desktop mode:
--run online scanners from Trend-Micro & Bitdefender

If all of the above doesn't work, restore a backup image of a clean XP Pro install I have stored. Then reinstall any programs I want from backed-up installers.
 
- safe mode
- run ad-aware personal se
- run spyware doctor
- run norton antivirus
- clean temp files
- defrag

- reboot
- repeat 1-3

- be happy

By the way, Spyware Doctor kicks major arse.
 