The Emergency Spyware Removal Guide

Discussion in 'General Software' started by TEB, Nov 13, 2005.

  1. TEB

    TEB Newbie

    Sections:
    1. Introduction.
    2. Tools you will need.
    3. The Basics.
    4. Disable startup items.
    5. Using Spywareblaster, Crap Cleaner, And Ad-Aware.
    6. Changing your web browser.
    7. Hijack This.
    8. Conclusion.
    9. Tips for staying clean.

    Introduction:

    First off, let's get a basic definition. Spyware/adware/malware are defined as any software that covertly gathers information about a user while he/she navigates the Internet and transmits the information to an individual or company that uses it for marketing or other purposes. There are many different variations; some are hijackers, which basically means they take over your computer and redirect your web browser to a controlled website. Some are stealthy, meaning they secretly operate and slow down your computer while gathering information. However, the most popular are the ad banners; this is the kind of spyware/adware that's most annoying. It just displays completely random and useless ads even when your Internet browser isn't open.

    A virus, on the other hand, is usually more complicated, being created for a more specific purpose or to cause the most damage possible before it can be disabled or removed.

    Tools you will need before we begin:

    Some of these tools are single executables; in that case, save each one in its own folder, such as C:\Toolname, to avoid confusion and ensure that it operates properly. Most of them will also run on Vista, but ask just in case.

    CWS Shredder
    Hijack This
    Crap Cleaner
    Avira Antivirus Free(only if you do not have an existing antivirus)
    Ad Aware(only if you do not have an existing antispyware/adware)
    Spyware Blaster
    Mozilla Firefox

    The Basics:

    Usually the first order of business when malicious software infects your computer is to corrupt/infect System Restore and prevent the user from accessing basic tools that could aid in removal.

    Disable System Restore On Windows XP:


    Control panel > system > system restore tab > check turn off system restore on all drives.

    Disable System Restore On Windows Vista:

    Start > Hover over computer, right click and click properties > on the left side click advanced > if asked, allow > click system protection tab > Uncheck any boxes listed for your drives.


    Run CWS Shredder

    Click Fix on the right-hand side of the window and wait for the scan to complete, usually about 15-20 seconds. Removal will be completed automatically. After the scan has finished, close CWS Shredder.


    Disable all but necessary startup items:

    On Windows XP:

    Start > Run > Type msconfig > startup tab > Uncheck everything but your antivirus/required drivers (if any)

    On Windows Vista:

    Click start > Type MSCONFIG in the search box and then either press enter on your keyboard or double-click on the MSCONFIG program that appears > click the startup tab.

    The list is always organized as follows:

    1. The name
    2. The location on your computer
    3. The location in the registry


    Simply uncheck what doesn't belong or isn't needed on startup, click Apply, then OK. If you are not sure what an item is or whether it is important, use one of these databases to check.

    http://www.bleepingcomputer.com/startups/
    Just type the name of the item in the list and BC will attempt to find it.

    http://castlecops.com/StartupList.html
    Again type the name of the object and this will search for your object and verify it.

    Using Spywareblaster, Crap Cleaner, And Ad-Aware

    First run Spyware Blaster. You will be presented with a tutorial if it is the first time running the program. Click through it, or read it; it's very short and will teach you how to run the program. After the tutorial, you will be presented with a menu like this:


    Click the updates button in the bottom right, and click check for updates to begin checking for the latest definitions. The process will probably take about 10-30 seconds depending on your internet connection.

    After the update process has been completed, click protection status in the top left to be taken back to the main program menu. When you are back at the main menu, click enable all protection near the bottom.


    Close Spyware Blaster after the process is complete.

    Run Crap Cleaner.

    Now run CCleaner. On the left-hand side, check everything that you want CCleaner to clean when it runs on your computer. I recommend checking everything. Then click the Applications tab right above that. Again, check everything you want to; I recommend it all. Now, click Run Cleaner in the bottom right-hand corner once everything is checked. CCleaner will now clean up your system. It can take anywhere from 1 minute to 10 minutes depending on how many files CCleaner finds. Once it is finished cleaning, a list will be presented of all files marked for deletion. Go ahead, take a look. Amazing, isn't it?
    Now click the Issues button on the left. Follow the same procedure and click Scan for Issues at the bottom left. Let it run, then click Fix All Issues in the bottom right. You will be prompted to back up your registry; only do so if you want to, but it is not necessary.


    Close ccleaner.

    Run Ad-Aware

    Now, start up ad-aware. When started you'll see the main program menu with a navigational menu to the left.

    The first step is to update Ad-Aware SE so it is using the latest spyware/hijacker definitions. This will enable the software to recognize as many of these types of programs as it can. Click on the Web Update button found in the middle of the user interface. Follow the prompts and allow Ad-Aware to update its definitions.


    Once the update has completed, we're going to perform a full system scan.



    Make sure you select Perform a full system scan, and make sure Search for negligible risk entries and Search for low risk threats are checked. Now click Next; this will begin scanning your system. It can take a while, so now's the time to take a break and check back occasionally.

    Once completed, you'll be presented with a screen similar to this:


    Click on the Next button in the right-hand corner. You will then be presented with a screen that shows all the objects found that are flagged as spyware or hijackers.

    At this point you should either right click on the screen and choose the Select All Objects option, or individually put a check mark in the check box of each object that you would like quarantined. When all the objects that you would like quarantined are checked, click on the Next button. Ad-Aware SE will now present you with a confirmation box asking whether or not you would like to remove the objects you have just selected. If you would like to do so, press the OK button. You will then be taken back to the original scan screen. Now we're going to clear the quarantined items: click Open quarantine list, then select the quarantines and delete them off your hard drive forever. You may close the program.

    Close Ad-Aware

    Changing your web browser



    Mozilla Firefox is an open source web browser with far fewer vulnerabilities and potential security risks than Internet Explorer. It's also much more user friendly and can accomplish much more. The best part is, you can import all your settings and bookmarks from Internet Explorer if you wish, meaning you don't lose any data or work. Install it and run it. It will prompt you to set it as your default browser; click Yes and Don't show this message again. Mozilla will start up; usually it will be set to Mozilla.org as your homepage. If you'd like to change this, click Tools -> Options. It should be the first tab. After you change your homepage, go through the other configuration options as well and configure them to your liking. It takes a few minutes to orient yourself.


    Close Firefox

    Hijack This

    HijackThis is a widely used tool for spyware removal because it provides almost complete control of every running piece of software on a system. It does require some training, however, because it does not automatically remove bad items. HijackThis outputs a log file in text format that can be looked over by someone who knows how to read it. They can then instruct you on what to remove and what not to.

    Run Hijack this, you'll be presented with this menu:


    We're looking for Do a system scan and save a log file; click it. HijackThis will now scan your system.

    Once it is completed (it takes a few seconds), a Notepad window will pop up with the details of the HijackThis scan. Copy the ENTIRE contents of the Notepad window to a post in this thread for analysis. Since HijackThis is a very powerful tool, the log should only be analyzed by someone who can follow up with removal. Usually getting your log analyzed by a trained person will remove the greater part of the security threat, leaving only a few more steps for removal.

    Analyzing your own log:

    It isn't that hard to analyze your log on your own; it takes a little patience, a little knowledge about software and system files, and the ability to research your infection and symptoms. Of course, if you get stuck or need additional help, post your log in this thread to get it analyzed by a trained member. The tutorial below will help you when analyzing your own log.

    http://www.bleepingcomputer.com/tutorials/tutorial42.html

    Conclusion

    Getting your log analyzed is usually the last step in spyware and virus removal, so if your system is now clean, congratulations! If your system is still riddled with malicious software and none of the above steps even helped, then you will probably need to format your hard drive and reinstall your operating system. It is a lot of work, but in the end it will be completely worth it.

    Reinstalling XP:

    Reinstalling Vista - Follow nearly the same steps as for XP; the OS installation is nearly the same.

    Tips for staying clean:

    - Always have an antivirus and an antispyware program on your machine. Many of these programs provide active monitoring, so your system is constantly being watched for viruses and spyware.

    - Scan with your programs at least once a month. This helps keep the system running smoothly and picks off any infections that might have slipped by unnoticed.

    - Be safe in general, programs help but the ultimate prevention comes from common sense. Downloading programs/files at random and following promises of free stuff are not good ways to be safe.

    That is all.

    Thanks,
    TEB
     
    Last edited: Jul 7, 2008
    thickglass, peaz and PsYkHoTiK like this.
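As an added example for the "Disable startup items" and "Analyzing your own log" sections above (this is not code from the original post, and it is not HijackThis itself): a small Python script that reads a HijackThis-style log and flags the entries a human log reader looks at first. It assumes the one-entry-per-line layout HijackThis writes ("O4 - HKLM\..\Run: [name] command", "O1 - Hosts: ip name", "O2 - BHO: name - {CLSID} - path", "R0/R1 ... = url", "O17 ... NameServer = ..."); the sample log, its GUIDs, host names, paths and DNS addresses are constructed placeholders, not data from a real machine, and the lists of "default" browser hosts, user-writable directories and Windows process names are starting points you would extend for your own environment.

```python
r"""Triage helper for a HijackThis-style scan log.

Added example: not HijackThis code and not the forum poster's code.  It reads
the one-entry-per-line format HijackThis writes (e.g. "O4 - HKLM\..\Run: [name]
command", "O1 - Hosts: ip name") and applies a few rules a human log reader
applies first.  SAMPLE_LOG is constructed for illustration; its GUIDs, hosts,
paths and addresses are placeholders, not data from a real machine.
"""
import ntpath
import re
from urllib.parse import urlparse

# Constructed sample log (placeholders throughout; see module docstring).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example-hijack.test/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.com/
O1 - Hosts: 127.0.0.1 www.example-av-vendor.test
O2 - BHO: Example PDF Link Helper - {12345678-0000-0000-0000-000000000001} - C:\Program Files\Example\PdfHelper.dll
O2 - BHO: (no name) - {12345678-0000-0000-0000-000000000002} - C:\WINDOWS\system32\xyzhelper.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [svchost] C:\Documents and Settings\User\Local Settings\Temp\svchost.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{12345678-0000-0000-0000-000000000003}: NameServer = 192.0.2.53,192.0.2.54
"""

ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.+)$")
# First Windows path in an entry, quoted or not, up to its file extension.
PATH_RE = re.compile(
    r'"?(?P<path>[A-Za-z]:\\.+?\.(?:exe|dll|com|scr|bat|cmd|pif))(?:"|\s|$)', re.I)

# Locations an ordinary user can write to: a Run entry there deserves a look.
USER_WRITABLE = ("\\temp\\", "\\local settings\\", "\\application data\\",
                 "\\appdata\\", "\\documents and settings\\", "\\users\\",
                 "\\recycler\\")
# Names that belong to Windows itself; running from elsewhere means an impostor.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe",
                "winlogon.exe", "smss.exe", "explorer.exe"}
SYSTEM_DIRS = ("\\windows", "\\windows\\system32", "\\winnt", "\\winnt\\system32")
# Start/search page hosts treated as "default"; extend for your own ISP/company.
DEFAULT_PAGE_HOSTS = ("microsoft.com", "msn.com", "live.com")


def parse_log(text):
    """Return (code, body, line) for every HijackThis entry in the log text."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m["code"], m["body"], raw.strip()))
    return entries


def first_path(body):
    m = PATH_RE.search(body)
    return m["path"] if m else None


def is_default_host(host):
    return any(host == h or host.endswith("." + h) for h in DEFAULT_PAGE_HOSTS)


def check_entry(code, body):
    """Return the reasons this entry deserves a human's attention (empty if none)."""
    reasons = []
    if code == "O1":                      # hosts-file override
        parts = body.split(":", 1)[1].split()
        if len(parts) >= 2 and parts[1].lower() not in ("localhost", "localhost.localdomain"):
            reasons.append(f"hosts file pins {parts[1]} to {parts[0]}")
    elif code in ("R0", "R1"):            # IE start / search / default pages
        host = (urlparse(body.split(" = ", 1)[-1].strip()).hostname or "").lower()
        if host and not is_default_host(host):
            reasons.append(f"browser page setting points at {host}")
    elif code == "O2":                    # browser helper object
        name = body.split(" - ", 1)[0]
        name = name[len("BHO: "):] if name.startswith("BHO: ") else name
        if name.strip() in ("", "(no name)"):
            reasons.append("BHO with no name")
    elif code == "O17":                   # DNS servers written into TCP/IP settings
        reasons.append("DNS servers set here; confirm they belong to your ISP")
    path = first_path(body)               # applies to O4, O23 and anything with a path
    if path:
        low = path.lower()
        if any(d in low for d in USER_WRITABLE):
            reasons.append(f"runs from a user-writable location: {path}")
        base, parent = ntpath.basename(low), ntpath.dirname(low)
        if base in SYSTEM_NAMES and not parent.endswith(SYSTEM_DIRS):
            reasons.append(f"{base} outside the Windows directory: {path}")
    return reasons


def triage(text):
    """Return [(code, line, reasons)] for entries worth reviewing, in log order."""
    flagged = []
    for code, body, line in parse_log(text):
        reasons = check_entry(code, body)
        if reasons:
            flagged.append((code, line, reasons))
    return flagged


if __name__ == "__main__":
    for code, line, reasons in triage(SAMPLE_LOG):
        print(f"{code}: {line}")
        for reason in reasons:
            print(f"    -> {reason}")
```

Run it against a saved log with `triage(open("hijackthis.log").read())`. On the constructed sample it flags the hijacked start page, the hosts-file entry that pins a vendor's name to 127.0.0.1, the nameless BHO, the "svchost.exe" launched from a Temp folder (both because of the location and because a real svchost.exe lives under the Windows directory), and the O17 nameserver line for manual confirmation; the Avira Run entry and the MSN default page pass. The rules are deliberately conservative: they tell you where to look, not what to delete, which is the same reason the guide sends the log to a trained reader.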
  2. PsYkHoTiK

    PsYkHoTiK Admin nerd

    Stickied this.. :mrgreen:

    Nice writeup... :thumb: :beer:
     
    thickglass likes this.
  3. TEB

    TEB Newbie

    Whoa, wow, that was a fast sticky. Thanks.
     
  4. zy

    zy zynine.com Staff Member

    If msconfig closes automatically, I do recommend booting into safe mode. :p
     
  5. TEB

    TEB Newbie

    I'll add a few more little things like that... what happens if this...
     
  6. PsYkHoTiK

    PsYkHoTiK Admin nerd

    Np. :mrgreen: Hey its a great article. :thumb:
     
  7. Jet

    Jet Just Started

    Good guide TEB!!! :thumb:
    It is very useful for me. :D
     
  8. TEB

    TEB Newbie

    Hey guys, just updated and added a few online virus scanners.
     
  9. CALLOFDUTY05

    CALLOFDUTY05 Newbie

    I prefer Spybot Search & Destroy .
     
  10. TEB

    TEB Newbie

  11. eXPeri3nc3

    eXPeri3nc3 Newbie

    This is what I always use when a user's PC is clean.

    Everything looks great --- your HijackThis log / logs appears to be clean. :)

    ---------------------------------------------------------------------

    C:\System Volume Information\ is where System Restore's cache is stored. Whatever is in there can't harm you unless you choose to perform a manual restore. We will reset it now.

    ---------------------------------------------------------------------

    Go to Start >> Run - type control sysdm.cpl,,4 & press Enter
    • Tick on the checkbox - Turn off System Restore on all drives
    • Click Apply
    Turn it back 'On' by unticking the same checkbox & click OK

    ---------------------------------------------------------------------

    Please take some time reading this list; it is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
    • Windows Updates (a must!)
      It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. You can either click on the link above and bookmark the updates page, or open Internet Explorer, then go to the Tools menu -> Windows Update, and follow the online instructions from there.
    • Firewall (a must!)
      It is definitely a must have. Some good FREE versions are Comodo Personal Firewall, Outpost, PCTools Firewall, or Kerio Personal Firewall.
      Note: You must only use 1 (one) firewall at a time because if you have 2 or more firewalls running at the same time, they will conflict with each other and make your security less reliable. Please also remember to turn off Windows Firewall once you have installed a new firewall.
    • Also make sure to run your antivirus software regularly, and to keep it up-to-date.
      Note: You must only use 1 (one) AV at a time because if you have 2 or more AVs running at the same time, they will conflict with each other and make your security less reliable.
    • SpywareBlaster
      It helps to prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.
      Tutorial: How to use!
    • SpywareGuard
      It helps to prevent spyware from installing, and it catches and blocks spyware before it can execute. Install & update SpywareGuard with the latest definitions.
      Tutorial: How to use!
    • IE-SPYAD
      This FREE tool puts over 5000 sites in your IE Restricted Zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
      This is a self-extracting .EXE file, save it to your desktop. Once downloaded, follow the tutorial listed below on how to install it.
      Tutorial: How to use!
    • Spybot - Search & Destroy
      This is a very powerful FREE tool that can search for and annihilate nasties that make it onto your system. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features for realtime protection.
      Tutorial: How to use!
    • Ad-Aware SE
      This is another very powerful FREE tool that searches for and kills nasties that infect your system. Ad-Aware SE and Spybot Search & Destroy complement each other very well.
      Tutorial: How to use!
    • AVG Anti-Spyware
      This is an excellent FREE scanner to look for trojans and other nasties that might be residing in your system.
      User Manual: How to use!
    • SUPERAntiSpyware
      This is another excellent FREE scanner to look for nasties that might be lurking in your system. SUPERAntiSpyware and AVG Anti-Spyware complement each other very well.
      Quick Guide: How to use!
    • McAfee SiteAdvisor
      An excellent SiteAdvisor to guide you through the internet websites. It helps to warn you before you interact with a dangerous Web site. Works with both IE and Firefox.
      Quick Guide: How it works!
    Please also read Tony Klein's excellent article How I got Infected in the First Place and this CastleCops article Malware Prevention: Prevent Re-infection.
     
  12. TEB

    TEB Newbie

    Another update; it's been a while since I have been around. I'm looking forward to becoming a regular again.
     
  13. Mac Daddy

    Mac Daddy Pickin' Da Gitfiddle

    Thanks for the update and looking forward to seeing you around more :mrgreen:
     
  14. Adrian Wong

    Adrian Wong Da Boss Staff Member

    Welcome back, TEB! :thumb:
     
  15. Jocelyn

    Jocelyn Newbie

    This tip is truly useful:D
     
  16. keetech

    keetech Newbie

    super guide...thanks so much, I have to sort out my mother's computer and this is really helpful.
     
