Tech ARP Forums

13th Nov 2005, 05:22 AM   #1
TEB

The Emergency Spyware Removal Guide

Sections:
1. Introduction.
2. Tools you will need.
3. The Basics.
4. Disable startup items.
5. Using Spywareblaster, Crap Cleaner, And Ad-Aware.
6. Changing your web browser.
7. Hijack This.
8. Conclusion.
9. Tips for staying clean.

Introduction:

First off, let's get a basic definition: spyware/adware/malware is defined as any software that covertly gathers information about a user while he/she navigates the Internet and transmits the information to an individual or company that uses it for marketing or other purposes. There are many different variations. Some are hijackers, which basically means they take over your computer and redirect your web browser to a controlled website. Some are stealthy, meaning they secretly operate and slow down your computer while gathering information. However, the most popular are the ad banners; this is the kind of spyware/adware that's most annoying. It just displays completely random and useless ads even when your Internet browser isn't open.

A virus, on the other hand, is usually more complicated, being created for a more specific purpose or to cause the most damage possible before it can be disabled or removed.

Tools you will need before we begin:

Some of these tools are single executables; in that case, save each in its own folder, such as C:\Toolname, to avoid confusion and ensure that it operates properly. Most of them will also run on Vista, but ask just in case.

CWS Shredder
Hijack This
Crap Cleaner
Avira Antivirus Free(only if you do not have an existing antivirus)
Ad Aware(only if you do not have an existing antispyware/adware)
Spyware Blaster
Mozilla Firefox

The Basics:

Usually the first order of business when malicious software infects your computer is to corrupt/infect System Restore and prevent the user from accessing basic tools that could aid in removal.

Disable System Restore On Windows XP:

Control Panel > System > System Restore tab > check "Turn off System Restore on all drives".

Disable System Restore On Windows Vista:

Start > hover over Computer, right-click and click Properties > on the left side click Advanced > if asked, allow > click the System Protection tab > uncheck any boxes listed for your drives.

Run CWS Shredder

Click Fix on the right-hand side of the window and wait, usually about 15-20 seconds, for the scan to complete. Removal will be completed automatically. After the scan has finished, close CWS Shredder.



Disable all but necessary startup items:

On Windows XP:

Start > Run > type msconfig > Startup tab > uncheck everything but your antivirus/required drivers (if any).

On Windows Vista:

Click Start > type MSCONFIG in the search box and then either press Enter on your keyboard or double-click on the MSCONFIG program that appears > click the Startup tab.

The list is always organized as follows:

1. The name
2. The location on your computer
3. The location in the registry

Simply uncheck what doesn't belong or isn't needed on startup, click Apply, then OK. If you are not sure what an item is or if it is important, use one of these databases to check.

http://www.bleepingcomputer.com/startups/
Just type the name of the item in the list and BC will attempt to find it.

http://castlecops.com/StartupList.html
Again, type the name of the object and this will search for your object and verify it.

Using Spywareblaster, Crap Cleaner, And Ad-Aware

First run Spyware Blaster. You will be presented with a tutorial if it is the first time running the program. Click through it, or read it. It's very short and will teach you how to run the program. After the tutorial, you will be presented with a menu like this:

Click the Updates button in the bottom right, and click Check for Updates to begin checking for the latest definitions. The process will probably take about 10-30 seconds depending on your Internet connection.

After the update process has been completed, click Protection Status in the top left to be taken back to the main program menu. When you are back at the main menu, click Enable All Protection near the bottom.

Close Spyware Blaster after the process is complete.

Run Crap Cleaner.

Now run CCleaner. On the left-hand side, check everything that you want CCleaner to clean when it runs on your computer. I recommend checking everything. Then click the Applications tab right above that. Again, check everything you want to; I recommend it all. Now click Run Cleaner in the bottom right-hand corner once everything is checked. CCleaner will now clean up your system. It can take anywhere from 1 minute to 10 minutes depending on how many files CCleaner finds. Once it is finished cleaning, a list will be presented of all files marked for deletion. Go ahead, take a look. Amazing, isn't it?

Now click the Issues button on the left. Follow the same procedure and click Scan for Issues on the bottom left. Let it run, and click Fix All Issues in the bottom right. You will be prompted to back up your registry; only do so if you want to, but it is not necessary.

Close CCleaner.

Run Ad-Aware

Now start up Ad-Aware. When started you'll see the main program menu with a navigational menu to the left.

The first step you should do is update Ad-Aware SE so it is using the latest spyware/hijacker definitions. This will enable the software to recognize as many of these types of programs as it can. You should click on the Web Update button found in the middle of the user interface. Follow the prompts and allow Ad-Aware to update its definitions.

Once it has completed updating, we're going to perform a full system scan.

Make sure you select Perform Full System Scan, and make sure Search for Negligible Risk Entries and Search for Low Risk Threats are checked. Now click Next; this will lead you to the actual scan, which will begin scanning your system. It can take a while, so now's the time to take a break and check back occasionally.

Once completed, you'll be presented with a screen similar to this:

Click on the Next button in the right-hand corner. You will then be presented with a screen that shows all the objects found that are flagged as spyware or hijackers.

At this point you should either right-click on the screen and choose the Select All Objects option, or individually put a check mark in each object's check box that you would like quarantined. When all the objects that you would like quarantined are checked, you should click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. If you would like to do so, press the OK button. You will then be taken back to the original scan screen. Now we're going to clear the quarantined items, so click Open Quarantine List, then select the quarantines and delete them off your hard drive forever. You may close the program.

Close Ad-Aware

Changing your web browser

Mozilla Firefox is an open source web browser with far fewer vulnerabilities and potential security risks than Internet Explorer. It's also much more user friendly and can accomplish much more. The best part is, you can import all your settings and bookmarks from Internet Explorer if you wish, meaning you don't lose any data or work. Install it and run it. It will prompt you to set it as your default browser; click Yes and "Don't show this message again". Mozilla will start up, usually with Mozilla.org set as your homepage. If you'd like to change this, click Tools -> Options. It should be the first tab. After you change your homepage, go through the other configuration options as well and configure them to your liking. It takes a few minutes to orient yourself.

Close Firefox

Hijack This

HijackThis is a widely used tool for spyware removal because it provides almost complete control of every running piece of software on a system. It does require some training, however, because it does not automatically remove bad items. HijackThis outputs a logfile in text format that can be looked over by someone who knows how to read them. They can then instruct you on what to remove and what not to.

Run HijackThis; you'll be presented with this menu:

We're looking for "Do a system scan and save a logfile"; click it. HijackThis will now scan your system.

Once it is completed (takes a few seconds), a Notepad window will pop up with the details of the HijackThis scan. Copy the ENTIRE contents of the Notepad window to a post in this thread for analyzing. Since HijackThis is a very powerful tool, its log should only be analyzed by someone who can follow up with removal. Usually getting your log analyzed by a trained person will remove the greater part of the security threat, leaving only a few more steps for removal.

Analyzing your own log:

It isn't that hard to analyze your log on your own; it takes a little patience, a little knowledge about software and system files, and the ability to research your infection and symptoms. Of course, if you get stuck or need additional help, post your log in this thread to get it analyzed by a trained member. The tutorial below will help you when analyzing your own log.

http://www.bleepingcomputer.com/tutorials/tutorial42.html

Conclusion

Getting your log analyzed is usually the last step to spyware and virus removal, so if your system is now clean, congratulations! If your system is still riddled with malicious software and none of the above steps even helped, then you will probably need to format your hard drive and reinstall your operating system. It is a lot of work, but in the end it will be completely worth it.

Reinstalling XP:

Reinstalling Vista - Follow nearly the same steps as with XP; the OS installation is nearly the same.

Tips for staying clean:

- Always have an antivirus and antispyware program on your machine. Many of these programs provide active monitoring, so your system is constantly being monitored for viruses and spyware.

- Scan with your programs at least once a month. This helps keep the system running smoothly and pick off any infections which might have slipped by unnoticed.

- Be safe in general; programs help, but the ultimate prevention comes from common sense. Downloading programs/files at random and following promises of free stuff are not good ways to be safe.

That is all.

Thanks,
TEB

Last edited by TEB : 7th Jul 2008 at 11:05 PM. Reason: Updated!
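The startup-item step and the HijackThis step in the guide above both come down to one question: what is registered to run at logon or to load into the browser, where is it registered, and is the file on disk what its name suggests. The script below is an added example; it is not part of TEB's guide and not code from any of the tools the guide names. It assumes Windows PowerShell 5.1 or later. It inventories the Run/RunOnce keys and Startup folders (what HijackThis reports as O4 lines) and the Browser Helper Objects key (O2 lines), resolves each command to a file, and reports the file's Authenticode signature status so unsigned or missing files stand out for research in the startup databases linked above. Disable-RunEntry is a helper name chosen here for illustration, not a built-in cmdlet; it needs an elevated shell when pointed at an HKLM key.

```powershell
# Added example, not code from the original post or from HijackThis/msconfig.
# Assumes Windows PowerShell 5.1+. The inventory needs no elevation; the
# hypothetical Disable-RunEntry helper needs Administrator for HKLM keys.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-CommandPath {
    # Reduce a Run-value command line to the executable path so it can be checked on disk.
    param([string]$Command)
    $Command = $Command.Trim()
    if ($Command -match '^"([^"]+)"') { return $Matches[1] }
    # Unquoted command line: the executable is everything before the first space.
    return ($Command -split '\s+')[0]
}

function Get-SignatureStatus {
    # 'Valid', 'NotSigned', 'HashMismatch', ... from Get-AuthenticodeSignature,
    # or our own markers when there is no file to check.
    param([string]$Path)
    if ([string]::IsNullOrWhiteSpace($Path)) { return 'NoPath' }
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return 'FileMissing' }
    return (Get-AuthenticodeSignature -FilePath $Path).Status.ToString()
}

function New-Entry($Name, $Command, $Location) {
    # One row per autostart item: the three columns msconfig shows, plus signature status.
    [pscustomobject]@{
        Name      = $Name
        Command   = $Command
        Location  = $Location
        Signature = Get-SignatureStatus (Get-CommandPath $Command)
    }
}

function Get-AutostartInventory {
    $entries = New-Object System.Collections.Generic.List[object]

    # Run / RunOnce values (HijackThis O4 entries).
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }    # provider metadata, not a startup value
            $entries.Add((New-Entry $p.Name ([string]$p.Value) $key))
        }
    }

    # Per-user and all-users Startup folders (also O4 entries).
    foreach ($folder in 'Startup', 'CommonStartup') {
        $dir = [Environment]::GetFolderPath($folder)
        Get-ChildItem -LiteralPath $dir -File -ErrorAction SilentlyContinue | ForEach-Object {
            $entries.Add((New-Entry $_.Name ('"' + $_.FullName + '"') $dir))
        }
    }

    # Browser Helper Objects (HijackThis O2 entries): CLSID -> InprocServer32 DLL.
    $bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (Test-Path $bhoKey) {
        Get-ChildItem -Path $bhoKey | ForEach-Object {
            $clsid  = $_.PSChildName
            $server = Get-ItemProperty -Path "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue
            $dll    = if ($server) { [string]$server.'(default)' } else { '' }
            $entries.Add((New-Entry $clsid $dll $bhoKey))
        }
    }
    return $entries
}

function Disable-RunEntry {
    # Reversible alternative to deleting a value outright: copy it to a sibling
    # "-Disabled" key first, so a false positive can be restored by hand.
    param([string]$Key, [string]$Name)
    $backup = "${Key}-Disabled"
    if (-not (Test-Path $backup)) { New-Item -Path $backup -Force | Out-Null }
    $value = (Get-ItemProperty -Path $Key -Name $Name).$Name
    Set-ItemProperty -Path $backup -Name $Name -Value $value
    Remove-ItemProperty -Path $Key -Name $Name
}

$inventory = Get-AutostartInventory
$inventory | Sort-Object Signature, Location | Format-Table Name, Signature, Command, Location -AutoSize

# Anything not validly signed, or whose file is gone, is what to look up in the
# startup databases before unchecking it in msconfig.
$inventory | Where-Object { $_.Signature -ne 'Valid' } |
    ForEach-Object { Write-Warning ("Check {0} ({1}) from {2}" -f $_.Name, $_.Signature, $_.Location) }
```

A 'NotSigned' status is not proof of malware (plenty of legitimate older software is unsigned) and 'Valid' is not proof of innocence; the point is to order the list so the names worth looking up come first. The 'FileMissing' rows are still worth clearing, since a Run value pointing at a deleted file is a common leftover of an incomplete removal.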
13th Nov 2005, 06:09 AM   #2
PsYkHoTiK

Stickied this..

Nice writeup...
13th Nov 2005, 08:05 AM   #3
TEB

Whoa, wow, that was a fast sticky. Thanks.
13th Nov 2005, 08:10 AM   #4
zy

If msconfig closes automatically, I do recommend booting into safe mode.
13th Nov 2005, 08:14 AM   #5
TEB

I'll add a few more little things like that..... what happens if this...
13th Nov 2005, 09:04 AM   #6
PsYkHoTiK

Quote:
Originally Posted by TEB
Whoa, wow, that was a fast sticky. Thanks.
Np. Hey, it's a great article.
13th Nov 2005, 09:08 AM   #7
Jet

Good guide TEB!!!
It is very useful for me.
16th Nov 2005, 09:48 AM   #8
TEB

Hey guys, just updated and added a few online virus scanners.
9th Dec 2006, 09:45 AM   #9
CALLOFDUTY05

I prefer Spybot Search & Destroy .
28th Oct 2007, 03:17 PM   #10
TEB

It sure has been a long time since I have updated this article, but a newer revised version can be found at my personal tech support website, here:
The Anti-virus/Spyware Guide: Malware, Spyware And Virus Removal