
Stubborn Spyware Removal Advice?

Cliff posted more than 8 years ago | from the get-that-bad-out dept.


onedobb asks: "I'm sure all of us are familiar with Lavasoft's Ad-Aware and Spybot Search and Destroy, however there always seems to be that particular piece of spyware, or malware that seems to slip past both of those programs (even with the most recent definition updates, and virus definitions). What program combinations, or websites do you use to uproot that last bit of unwanted software intrusion?"



The only solution ... (3, Insightful)

Palal (836081) | more than 8 years ago | (#14576064)

To read yourself of ALL spyware: format c:

Re:The only solution ... (1)

Palal (836081) | more than 8 years ago | (#14576079)

I meant to say "rid".... spyware ate my English

Re:The only solution ... (1)

jibjibjib (889679) | more than 8 years ago | (#14576892)

In soviet russia, spyware removes you

I run Windows, and spend all my time on the Internet, but I have never got any spyware. Where do people get spyware from, and how much of it can be attributed to their own stupidity?

Re:The only solution ... (0)

Anonymous Coward | more than 8 years ago | (#14576148)

format c:
fdisk /mbr

That's a temporary solution (1)

Arker (91948) | more than 8 years ago | (#14576557)

Unfortunately, it does nothing to prevent the problem from recurring.

Obviously, putting a real operating system on is advisable.

If, for whatever reason, you can't follow that advice, you can still take less effective steps. If you don't require the newer versions of windows (and many don't) you can use 98lite to install windows 98 or ME (98 is better, obviously) without most of the infection vectors used today.

If you must use XP, you may be able to run as a non-privileged user (although a depressingly high number of applications will refuse to work if you do this, which limits the usefulness of the technique.)

Even if you can't remove IE from your system entirely, you can reduce the risk from it by using a real browser, Firefox or Opera being obvious choices.

Re:The only solution ... (2)

BoomerSooner (308737) | more than 8 years ago | (#14576150)

I'm confused, how the hell do so many people get spyware on their computers?

Is it lack of caring, just not keeping their computer up to date, not knowing what's okay to install or not?

I seldom have problems.

Re:The only solution ... (1)

davez0r (717539) | more than 8 years ago | (#14576471)

I've worked with two late 20s female coworkers (one a PhD, one a PhD candidate) in the last year

both of them downloaded free screensavers off the internet

Re:The only solution ... (1)

bscott (460706) | more than 8 years ago | (#14576616)

>how the hell do so many people get spyware on their computers?
> Is it lack of caring, just not keeping their computer up to date, not knowing

Yeah! And I don't understand how the hell people ever encounter dead batteries in their flashlights - I mean, do they just not care about flashlight maintenance?

Why on earth does anyone ever experience dropped calls on their cellphones - it's almost as though people haven't memorized the map of coverage areas, and inexplicably neglected to check the blueprints for the buildings they're planning to enter on a given day to ensure they won't block signals on the frequencies they intend to use.

(OK I could go on but I'll shut up... my point, if I have one, is that yeah, I recognize how easy it can be to avoid spyware - but the fact that one or two people in the world who have had more going on in their lives than Slashdot-reading haven't heard about NAT firewalls and Mozilla vs. Outlook is no excuse for a catty, arrogant comment like parent...)

Re:The only solution ... (1)

flamingweasel (191775) | more than 8 years ago | (#14576744)

Please. Give me a f'ing break. I work at a Uni helldesk, and 75% of the unusably infected XP machines that come in are in that state because the person "saw the little update balloon but just closed it," or "noticed these weird popups and the machine acting really slow but it wasn't that bad." This isn't rocket surgery, it's a bloody 3 minute download. It's not "neglecting to check the blueprints for the building," it's checking that the goddamn wheels are still on the goddamn car before driving it 15 miles to work.

They don't need to know about firewalls or slashdot. They just need to stop the "oh it's too hard so I'll just ignore it" BS, stop being afraid of the damned thing, and try to pay just a little attention to their environment.

Hrm. Didn't quite mean to bite your head off, there. But like I said before, this is reading 20 carefully written words and 3 minutes of downloading, not rocket surgery.

Re:The only solution ... (1)

eclectro (227083) | more than 8 years ago | (#14576660)

Or plain stupidity^H^H^ignorance. I know someone (I hesitate to say family member) that seems to be a magnet for crapware.

I think he falls for a "click here for the joke of the day" or "I saw you online and want to have a date with you. Please click here" not realizing that it's an exe trojan.

This weekend they're getting a linux box.

Re:The only solution ... (1)

indy_Muad'Dib (869913) | more than 8 years ago | (#14576162)

build your own version of knoppix with VMWare and a windows VM preinstalled on it.

windows fucks up? restart the VM.

knoppix fucks up? restart the computer itself.

either way, problem solved.

Re:The only solution ... (2)

rscrawford (311046) | more than 8 years ago | (#14576232)

Yeah, I think my grandma could do that for me.

Oh, wait. No she can't. In fact, I'm not sure I could, either.

Re:The only solution ... (1)

moosesocks (264553) | more than 8 years ago | (#14576499)

is there still any place in winxp where you can actually do that from a command line? I thought the best way would be to format from the XP installer's partition utility

(just curious. slow night, and your comment sparked my interest)

Re:The only solution ... (3, Insightful)

MillionthMonkey (240664) | more than 8 years ago | (#14576634)

To read yourself of ALL spyware: format c:

How do you know you're executing the real format executable and not a fake that simulates a formatted system just to fool you?

Re:The only solution ... (1)

hazem (472289) | more than 8 years ago | (#14576815)

That's why I boot into BBC-LNX (bootable business card linux), and do a:
dd if=/dev/zero of=/dev/hda bs=1M

Give it a few minutes and the drive is wiped enough for a clean install.

Re:The only solution ... (4, Funny)

melikamp (631205) | more than 8 years ago | (#14576947)

melikamp@woland:~$ format c:
bash: format: command not found

Hey, it worked perfectly!

HijackThis + Google (5, Informative)

tansey (238786) | more than 8 years ago | (#14576077)

Most of the time if you simply run HijackThis and then search google for any of the suspicious log entries, you'll quickly be directed to a page where someone had a similar log entry, and you'll find out if it's malicious or not.

Re:HijackThis + Google (2, Interesting)

ShyGuy91284 (701108) | more than 8 years ago | (#14576086)

I completely second what he said. HijackThis isn't a removal utility per se, but it allows you to see a lot of stuff AdAware and SpyBot don't see.

Re:HijackThis + Google (5, Informative)

tansey (238786) | more than 8 years ago | (#14576121)

For those who don't know about it, you can read up on HijackThis here [spywareinfo.com] and the direct link to the zip dl can be found here [merijn.org].

Re:HijackThis + Google (1)

gregeth (688579) | more than 8 years ago | (#14576566)

I would also add that to be sure to end offending processes, launch a command window and use the "at" command to launch either the task manager or even hijackthis, which has a built in process manager that usually lists all running processes.

This will make the program run with system privileges. Even being logged in as an admin isn't enough sometimes. Of course, you want to make sure you know what it is you are ending, etc, before you do so. Also, hijackthis is really only good at finding programs that launch at boot, and BHO's. [wikipedia.org] Although it is definitely what I start with.

And no these aren't problems with my own computers, just with the people I work with who barely know how to use a mouse.

Re:HijackThis + Google (4, Informative)

stefanlasiewski (63134) | more than 8 years ago | (#14576585)

AdAware, SpyBot and MS Antispyware will see many malware programs, but will be unable to remove certain programs. (Virtumondo [nai.com] is one such nasty, as it can bind itself to the winlogon.exe or other critical processes, and the antispyware programs were unable to extract it.)

Hijack this will at least let you view the details of your system, and let you remove the malware by hand.

Re:HijackThis + Google (3, Informative)

juventasone (517959) | more than 8 years ago | (#14576903)

I can tell the parent has had enough experience with spyware to know something most people do not: running any one product is good, and multiple ones is great, but in the spyware environment of yesterday and today, it is still not always good enough. Hence why the original submitter labeled it "stubborn", as in those not detected by current products.

Even though I rely heavily on HijackThis and Google, I also rely heavily on the fact that I've seen so many hundreds of systems, that I can go through the typically enormous lists HijackThis generates, and reliably filter it down to just a few unknown entries which I can google. One small problem with all this is spyware using legitimate file and process names (getting the thumbs up from anywhere on google) but storing them in a different, unsuspicious path. Finally, there are places spyware can run that aren't listed by HijackThis, but these are covered by StartupList, a utility from the same author. The StartupList lists are grossly enormous (such as the dll lists in each process). Yes, it's kind of grim.

Ok, so let's assume by using the above methods you do find each offending entry with complete accuracy. A product could even theoretically do this (one day). Then comes removal. The actual stubborn spyware will automatically regenerate entries deleted with HijackThis or any other method (including products). The files will be locked as well, even if you attempt to kill processes, and in the most stubborn of cases, even in safe mode. In these cases, you need to boot to an independent operating system (recovery console, BartPE, etc), and delete the files from there. In the most extreme of cases the files are located in NTFS's alternate data streams which makes them virtually untouchable (assuming they use a critical area). These are identified by colons in the pathname (ie: C:\windows\system32:fdsafdas.dll). This makes fdsafdas.dll inaccessible by windows explorer, the command prompt, the recovery console, or pretty much anything else. If you google around, there are some limited and complicated means to deal with these.
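The two traps juventasone describes above (a legitimate file name sitting in the wrong directory, and an entry that points into an NTFS alternate data stream) are both mechanical to check once the log is parsed. The following is an added example, not code from HijackThis or from the poster: it triages a few constructed HijackThis-style O4 autostart lines. The expected directories for the system binaries assume %SystemRoot% is C:\WINDOWS, and the "suspicious" directory list is an assumption you would extend for your own environment.

```python
import re

# Constructed HijackThis-style O4 (autostart) lines; this is not a real log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [svchost] C:\Documents and Settings\User\Local Settings\Temp\svchost.exe
O4 - HKCU\..\Run: [loader] rundll32.exe C:\WINDOWS\system32:fdsafdas.dll,Start
O4 - HKLM\..\Run: [qwxzkpv] C:\WINDOWS\qwxzkpv.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
"""

# Where the genuine copies of some Windows system binaries live (lower-case).
# Assumption: %SystemRoot% is C:\WINDOWS; a Windows 2000 box may use C:\WINNT.
KNOWN_SYSTEM_BINARIES = {
    "ctfmon.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
    "winlogon.exe": r"c:\windows\system32",
}

# Directories that legitimate autostart entries almost never run from (assumed list).
SUSPICIOUS_DIRS = ("\\temp\\", "\\local settings\\", "\\temporary internet files\\")

O4_LINE = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# First drive-rooted path in the command, up to its extension (non-greedy so
# "C:\Program Files\x.exe /flag" stops at x.exe).
WIN_PATH = re.compile(r"[a-z]:\\.*?\.(?:exe|dll|ocx|scr)", re.IGNORECASE)


def extract_path(cmd):
    """Return the first drive-rooted path in an autostart command, or None."""
    m = WIN_PATH.search(cmd.strip().strip('"'))
    return m.group(0) if m else None


def is_alternate_data_stream(path):
    # A colon anywhere after the drive letter's own colon is file:stream syntax.
    return ":" in path[2:]


def classify(path):
    if path is None:
        return "no-path"            # bare file name: locate it on disk before judging
    if is_alternate_data_stream(path):
        return "ads"                # lives in an NTFS alternate data stream
    directory, _, base = path.rpartition("\\")
    directory, base = directory.lower(), base.lower()
    expected = KNOWN_SYSTEM_BINARIES.get(base)
    if expected is not None:
        # Right name, wrong directory: the "legitimate name" trick.
        return "known" if directory == expected else "name-collision"
    if any(s in directory + "\\" for s in SUSPICIOUS_DIRS):
        return "suspicious-location"
    return "unknown"                # nothing known either way: this is what you google


def triage(log_text):
    """Parse O4 lines and attach a verdict to each one."""
    findings = []
    for line in log_text.splitlines():
        m = O4_LINE.match(line)
        if not m:
            continue
        path = extract_path(m.group("cmd"))
        findings.append({"key": m.group("key"), "name": m.group("name"),
                         "path": path, "verdict": classify(path)})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['verdict']:20} {f['key']} [{f['name']}] {f['path']}")
```

The order of the checks matters: the stream test and the known-name test run before the directory heuristic, so a file named svchost.exe in a Temp folder is reported as a name collision rather than merely as a file in an odd place, and a bare file name with no path is never silently treated as clean.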

If these don't work... (3, Insightful)

thenetbox (809459) | more than 8 years ago | (#14576087)

If Spybot, Adaware, Yahoo Antispyware, Sysinternals tools, add/remove programs, etc.. don't work then back up your files and format/reinstall.

Re:If these don't work... (1)

kinkos (789876) | more than 8 years ago | (#14576527)

I second the Sysinternals recommendation. Specifically, Sysinternals Process Explorer [sysinternals.com] is a wonderful tool. Generally I browse through all running processes with it, kill anything suspicious, then run Ad-Aware. It also lets you kill programs that have themselves re-executed seconds later as drivers and "vital windows services". Some adware loads itself into memory (and which windows will refuse to delete); kill with PE, then delete. Problem Solved.

Re:If these don't work... (1)

hazem (472289) | more than 8 years ago | (#14576822)

To keep things clean, once I build up my windows system, I then boot into linux and use partimage. I end up with a nice 2 or 3 GB image of everything just the way I like it. To make things easier, I set up "my documents" on another drive or partition.

If anything goes wrong, or every 6 months or so, I just re-dump that image onto my computer, and everything's fresh and brand new.

Prevention is the best cure (3, Informative)

iMaple (769378) | more than 8 years ago | (#14576100)

As they say, prevention is the best cure. Repartition the HD (if you are paranoid about rootkits) and use linux or make sure you don't install random stuff if you choose Windows (and stay away from IE)

Spyware (3, Informative)

queenb**ch (446380) | more than 8 years ago | (#14576104)

We use a product called CounterSpy with a trial available here - http://www.sunbelt-software.com/CounterSpy.cfm [sunbelt-software.com]

We use this at a university on lab computers that are available to the public, as well as desktop machines, laptops, etc. So far, I'll say that we've not encountered anything we know about that it hasn't handled.

2 cents,

Queen B

Re:Spyware (1)

Jett (135113) | more than 8 years ago | (#14576318)

I'm working on a project to deploy the enterprise version of this software. It is bad-ass! In my testing it is the most effective single piece of antispyware software, occasionally spybot is also needed for really bad infections but the vast majority of machines are fully cleaned by Counterspy. The enterprise version lets you deploy an agent to every machine and then remotely control them with as much detail as you want based on customizable policies. I'm still concerned that the active protection mode may cause some issues with other software we have deployed so that's where my testing is focused now, but the actual cleaning of infections is solid. Definitely worth the ~$10 per seat cost.

The Nuclear Option (1, Insightful)

bobdehnhardt (18286) | more than 8 years ago | (#14576108)

Nuke it from high orbit (in other words, low level format). Repartition, reinstall. It's the only 100% solution.

And then, don't screw up your system.

Re:The Nuclear Option (0)

Anonymous Coward | more than 8 years ago | (#14576139)

Yeah, because we all have the equipment to do a low level format sitting in our moms basement.

low level format? whatever (0)

Anonymous Coward | more than 8 years ago | (#14576325)

you can't just "low level format" modern hard drives like you could the old MFM or RLL drives of old. A regular repartition and reformat and reinstall will be fine.

Re:low level format? whatever (1)

DigiShaman (671371) | more than 8 years ago | (#14576642)

Technically, you are correct. When you hear the term "low level format", what really happens is you're performing a "mid level format".


Low-level format = write zeros across all platters.

Mid-level format = write zeros across all platters except for the servo data tracks.

High-level format = setting up logical parameters for a file system.

Re:low level format? whatever (1)

Darth_brooks (180756) | more than 8 years ago | (#14576793)

Ahhh, no.

A "Low-Level format" refers to the actual creation of sectors on a drive, literally creating order from the chaos of a bare metal platter. Many years ago, like in the years of "megabyte" sized drives, companies offered tools that would allow you to go through and "reformat" the drive, rewriting the sectors and tracks as had been done at the factory, usually in an effort to try and cure bad sectors. The formats seldom did much good, and since there was a good chance you'd fubar the drive, companies just quit offering the tools.

A zero-write pass writes 0's to all sectors on the drive, and is a nice way for the paranoid to make sure that there's very little chance of data surviving. For the ultra paranoid there's Autoclave [washington.edu] which has sadly been EOL'd by its creator. This and similar utilities allow you to do numerous passes writing all sorts of random and non-random data.

A normal, quick format just marks all sectors (normal sectors anyway) on the drive as being available for use.

I've never seen spyware or viruses survive even a quick format (or an fdisk /mbr in the case of boot sector viruses.) I guess in theory it's still there, but if nothing knows to look at that point for that data, why worry?

Re:low level format? whatever (1)

Devistater (593822) | more than 8 years ago | (#14576803)

If one could do a true low level format on an IDE drive (you can't btw), you'd be erasing the defect table and adding all those sectors to the drive as well. Nowadays if you do the "low level" format option in drive utils, it just zeroes it. If you are worried about security, you should use an eraser program that writes several patterns on a byte, not just zeros (although the only way to be 100% secure is to physically destroy the drive, if someone wanted to spend millions of bucks they could still recover data thats been overwritten many times). If you want to just erase stuff, just do a normal format. Low level formats were done with RLL/MFM drives, but not with IDE.

Prevention (4, Informative)

mnemonic_ (164550) | more than 8 years ago | (#14576129)

  1. Run Windows as a normal user, not as an administrator.
  2. Use Mike's ad-blocking hosts file [everythingisnt.com].

Re:Prevention (1, Informative)

Bios_Hakr (68586) | more than 8 years ago | (#14576578)

An Ad-Blocking Hosts file is a dumb suggestion. If you can modify the Hosts file, what makes you think that a program you launch can't modify the same file?

And before you suggest running as a non-admin user, don't forget that a lot of programs will not run properly unless you have admin rights.

Now, I guess you could put the hosts file on a floppy and write-protect that. Then you can create a symlink to the file on the floppy.

Re:Prevention (1)

gad_zuki! (70830) | more than 8 years ago | (#14576770)

>what makes you think that a program you launch can't modify the same file?

That's true of ANYTHING when running as admin on Windows. Install an antivirus but you get a trojan that hasn't been caught yet? Or your definitions are way out of date. Same deal. At least with ad blocking you're not able to get 90% of the ads and spyware packages out there because you're cutting off the vector to download.

I wouldn't at all call it a dumb suggestion. Well, it's mine, so I kinda like it, but you get some added benefits:

1. Less flash ads/blinken crap.
2. Faster page loads.
3. Blocking of not only ads, but known spyware servers and web-bugs.

Its as about as "dumb" as installing adblock and flashblock. A malicious program could remove those too.
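Both sides of the exchange above have a point: a hosts file blocks known ad and spyware servers, and anything running as admin can rewrite it. The practical answer is to audit the file rather than trust it. The following is an added example, not code from either poster or from the hosts-file project linked above: it parses a constructed hosts file, separates the intended sinkhole entries from entries that remap hosts you care about (update servers, banks) or point ordinary hosts at an outside address, and keeps a SHA-256 baseline so later runs can tell whether the file changed. The PROTECTED list and the sample entries are assumptions for illustration.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed sample hosts file (not a real one): two ad-block sinkhole lines
# plus the kind of entries a spyware installer adds.
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1       localhost
0.0.0.0         ads.example-adserver.net banner.example-adserver.net
127.0.0.1       spyware-updates.example.org    # sinkholed on purpose
203.0.113.5     www.bank.example               # real site sent to an outside address
127.0.0.1       windowsupdate.microsoft.com    # update server sinkholed
203.0.113.9     search.example                 # ordinary host pointed elsewhere
"""

# Hosts the owner never wants rewritten, however they are mapped.
# Assumed list: tailor it to the update servers, AV vendors and banks you use.
PROTECTED = ["windowsupdate.microsoft.com", "bank.example"]

SINKHOLE_IPS = {"0.0.0.0", "127.0.0.1", "::1"}
LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}


@dataclass
class HostsAudit:
    blocked: list = field(default_factory=list)     # (host, ip): the ad-block payload
    hijacked: list = field(default_factory=list)    # protected hosts mapped at all
    redirected: list = field(default_factory=list)  # other hosts sent to a routable address
    digest: str = ""                                # SHA-256 of the file text, the baseline


def parse_hosts(text):
    """Yield (ip, hostname) pairs, ignoring comments, blank lines and extra aliases."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield ip, name.lower()


def is_protected(name, protected):
    # Exact match or any subdomain of a protected name.
    return any(name == p or name.endswith("." + p) for p in protected)


def audit_hosts(text, protected=PROTECTED):
    protected = [p.lower() for p in protected]
    audit = HostsAudit(digest=hashlib.sha256(text.encode()).hexdigest())
    for ip, name in parse_hosts(text):
        if name in LOOPBACK_NAMES:
            continue                       # the one mapping every hosts file has
        if is_protected(name, protected):
            audit.hijacked.append((name, ip))   # even a sinkhole here is hostile
        elif ip in SINKHOLE_IPS:
            audit.blocked.append((name, ip))
        else:
            audit.redirected.append((name, ip))
    return audit


def unchanged_since_baseline(text, baseline_digest):
    """True if the file text still hashes to the digest recorded earlier."""
    return hashlib.sha256(text.encode()).hexdigest() == baseline_digest


if __name__ == "__main__":
    report = audit_hosts(SAMPLE_HOSTS)
    print("blocked:   ", report.blocked)
    print("hijacked:  ", report.hijacked)
    print("redirected:", report.redirected)
    print("baseline:  ", report.digest)
```

On a real machine you would read C:\WINDOWS\system32\drivers\etc\hosts (or /etc/hosts) into text, record the digest right after installing the block list, and treat any later digest change, any hijacked entry, or any redirected entry as something to explain before trusting the box again. The check is only as good as where the baseline digest is stored: keep it off the machine being audited.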

Re:Prevention (1)

Bios_Hakr (68586) | more than 8 years ago | (#14576889)

AdBlock and FlashBlock are designed to block ads and flash. Modifying your hosts file to block spyware is a false sense of security. Dangerously false.

If you use Windows, AutoUpdate at least weekly. Nightly may be overkill, but isn't really hurting anything.

Turn on the Firewall and do not allow exceptions unless you know what they are for.

Install and use Opera or Firefox.

Install and update AVG and/or Avast. Norton is overkill for most home users. Why pay $50 for something only marginally better than the free editions?

Install and run SpyBot, MS Ad Scanner, and AdAware.

If you get any Spy/Adware, your only real recourse is to treat it like a virus; nothing can be trusted. You should back up your data and reformat/reinstall. Then scan your backups for malicious programs before you restore them.

Re:Prevention (1)

scdeimos (632778) | more than 8 years ago | (#14576957)

And before you suggest running as a non-admin user, don't forget that a lot of programs will not run properly unless you have admin rights.

Yes, but only because of stoopid developers who only run as an Administrators (group) user themselves. Most things don't need any kind of Admin access to run.

Personally, I have had good success with a number of freeware/shareware developers by telling them exactly what breaks about their programs when not running under an Administrators user (sometimes by giving them API call dumps). One guy fixed his Registry problems (trying to open HKLM keys with Read/Write access when he only needed Read-only access) and had a new version available for download that night.

If you can't get your program's developer to fix the problem then I suggest changing to different software.

Ha Ha, only serious (0)

Anonymous Coward | more than 8 years ago | (#14576134)

Try Debian, Slackware, RedHat, etc.

OK, there are some serious issues with migrating, but if you get badly enough burned by spyware, you might want to consider it.

Re:Ha Ha, only serious (1)

Izago909 (637084) | more than 8 years ago | (#14576417)

Believe it or not, *nx is not immune. Shortly after upgrading to the latest Ubuntu, my roommate was getting popups all over the place. Apparently he got some sort of java exploit through Azureus. Yet my windows box has never had a bug. I guess the OS matters less than the user.

Re:Ha Ha, only serious (1)

Nutria (679911) | more than 8 years ago | (#14576504)

Shortly after upgrading to the latest Ubuntu, my roommate was getting popups all over the place. Apparently he got some sort of java exploit through Azureus.

This Java exploit?
http://developers.slashdot.org/article.pl?sid=04/11/24/1323228&tid=172&tid=108&tid=218 [slashdot.org]

Was he running as root? If so, stupid him.

If not, the exploit would last only as long as his login session and should be easily findable the next time you log in.

Realistically Impossible (1)

zaliph (939896) | more than 8 years ago | (#14576146)

The spyware industry has become so devious that there is almost no way to keep your computer completely safe. For example, I'm relatively free of any malware most of the time, but tracking cookies always seem to make it on the machine. Even when you block the offending server altogether, it will just come from another.

If you're looking for a spyware-free experience, use lynx and mutt. Otherwise, you've just got to keep up your guard.

Re:Realistically Impossible (1, Informative)

syrinx (106469) | more than 8 years ago | (#14576201)

Try the CookieCuller extension: http://cookieculler.mozdev.org/ [mozdev.org]

You can have it delete all cookies you don't want upon exiting the browser. Load it up, find the cookies you do want to keep (Slashdot login, for example), protect them, and then switch on the extension's "delete cookies on exit". It will delete all non-protected cookies. So you can keep cookies on for those sites that require them, even save cookies you want to save, but permanent or long-term tracking cookies can't do much.

Re:Realistically Impossible (1)

Frogbert (589961) | more than 8 years ago | (#14576234)

What the hell are you talking about? Lynx still uses cookies, and the only real way to get around them is to turn them off, it's not that hard. Other than that try not to use Internet Explorer and 99.8% of your problems will go away.

Solution.... (1)

In Fraudem Legis (937585) | more than 8 years ago | (#14576178)

Less porn.
Different OS (Linux, BSD etc).

Mod it up . . . it hurts, but it's true (2, Insightful)

DongleFondle (655040) | more than 8 years ago | (#14576412)

I have put myself through quite a bit of college doing freelance computer work for people (and their kids) who have infected themselves with spyware and I can tell you that pr0n is probably the number 1 source of spyware out there. Men simply don't make good decisions about what links to click when they have gone into pr0n mode. Gaming sites are also pretty high on the list as well as file sharing apps. But truly, it comes down to the user. An intelligent user can completely evade spyware if they are cautious. I am living proof of that. God knows, I have surfed enough pr0n to nuke a thousand Windows boxes. However, I amazingly have never infected myself with a single instance of spyware.

Firefox? (3, Funny)

Saeed al-Sahaf (665390) | more than 8 years ago | (#14576675)

After I switched to FireFox exclusively for my porn surfing, I haven't been infected via that vector.

Re:Firefox? (0)

Anonymous Coward | more than 8 years ago | (#14576766)

Porn may be a source, but with spyware, it's the conduit that matters. Don't use IE, and the problem is just about solved.

I don't...because you can't (1)

AudioEfex (637163) | more than 8 years ago | (#14576242)

Trying to keep a system totally secure from these threats is useless the moment you connect your machine to a high speed connection. That's why I just reinstall the OS every three months or so. I keep the original installation files to all important software on a spare stand-alone hard drive and backups on DVD.

It takes about two hours and since I use a decent software firewall I know my information isn't being transmitted, and other than that I could care less if anyone checks up on my habits. If they know I visit both /. and britneyspears.org, well, I can live with that. By reinstalling every few months, the build-up never happens and my computer is always running briskly.

When I use friends' machines that don't even have NAV yet have superior system specs to mine and the machine chugs along like it's on dial-up on a 486, it's an easy sell the first time you suggest gutting the OS to them. That first time is rough, but if it's part of your routine it can save you much more time and effort in prevention instead of always trying to track down that one elusive bit of shit-ware that exists solely to keep corporate IT departments in business. AudioEfex

Re:I don't...because you can't (2, Interesting)

networkBoy (774728) | more than 8 years ago | (#14576326)

Ever hear of ghost?
Make your OS install along with your "always on" programs. Patch it all up and make an image of the drive. Burn the image to DVD and next time you need to re-install just boot from the DVD and you're back up in under half an hour. (that's what I do)

Re:I don't...because you can't (1)

wernercd (837757) | more than 8 years ago | (#14576624)

I've found Acronis.com's disk imaging software to be superior...

install, patch, set up to your liking, then make an image (and set up a backup schedule, partial or full)

backup your fully setup and patched computer image to dvd and you're set with the ability to flawlessly revert your computer to a newly installed state

much better than system restore or ghost in my experience... YMMV

The Ultimate anti-virus for Windows: (1)

Hosiah (849792) | more than 8 years ago | (#14576260)

The Solution Nobody Wants You To Know [distrowatch.com]

Do all your web business with a live CD. You can physically REMOVE the hard drive to ensure that it won't get infected with anything (all you have to do is unplug the IDE cable). Stick anything you want to download/save on a USB drive - you can even format it in FAT/etc. to keep it in Windows' file system. Done with the web and need the hard drive, disconnect the ethernet cable (or whatever you use), virus-scan the USB storage, reconnect the hard drive, boot back to Windows. If any malware knows its way around this method, I haven't met it yet!

Combination of Protection (1)

JorgeDeLaCancha (913036) | more than 8 years ago | (#14576271)

Besides Spybot and Adaware, I use the following programs:
SpywareBlaster [javacoolsoftware.com] - Prevents Spyware from being installed
Microsoft AntiSpyware [microsoft.com] - Completely free, and has nice active protection. Have a 'special' version of Windows? Use an alternate [softpedia.com] download source.

With respect to Viruses, please read the following article: Mega Antivirus Test [overclockers.com].
Summed up: AVG sucks, Anti-Vir [free-av.com] finds the most viruses, Kaspersky 5 [kaspersky.com] finds the most unique stuff, and Kaspersky's online scan owns everything.

Also I'd recommend using a NAT. All of this is prevention/reactive stuff, though I think the Hijack This + Google is the best for nasty stuff, as mentioned.

My Method (1)

Shawn is an Asshole (845769) | more than 8 years ago | (#14576293)

Create a PXE-based linux system (or live cd) that contains:

captive-ntfs (to give read-write access to ntfs partitions)

and the following virus scanners:

ClamAV
BitDefender
AVG
F-Prot

Mount the fs, and update the above four scanners. First run ClamAV, then BitDefender, then AVG, and F-Prot. The order isn't important.

Boot into Windows and install:

HijackThis! (be very careful, and google anything before removing)
Spybot Search & Destroy
Microsoft Antispyware

Run all of them in Windows.

Boot into Safe Mode, run them all again.

Boot back into Windows. Re-run HijackThis, Spybot, Adaware, and Microsoft Antispyware. Check to make sure everything works normally.

Boot back into Linux. Re-run all of the scanners. If anything is still detected, google it and learn how to remove it manually.

The downside to the above is it takes time, but it's not difficult and very effective. For the Linux-side stuff it takes like a minute to write a shell script to do it automatically.

I clean systems like that all the time and can get rid of some really nasty stuff. I usually don't spend more than 15 minutes actually working on it.

You're Asking this on Slashdot? (3, Insightful)

Greyfox (87712) | more than 8 years ago | (#14576296)

Install Linux.

OK now that we've got THAT out of our system...

Use Firefox, install the NoScript plugin, don't run stuff you download from every web site on the planet, and don't run Outlook. I'd suggest using a text-only email client if you can stand it. Oh yeah and don't run as the administrator and refuse to use any third party program that claims it needs administrator privs. Also keep your system up to date

If you're sufficiently paranoid, you should be able to keep even a Windows system reasonably secure.

Well... (1)

N4DMX (614024) | more than 8 years ago | (#14576300)

Spyware is like a double-edged sword for me. I hate the problems it causes in general, but a significant portion of my income results from removing it.

What's really bad is even after warning my customers to be careful about downloading free stuff, and attempting to get them to use Firefox, etc., I am still called back in a couple of weeks for the same problems by the same people.

Firefox??? (0)

Anonymous Coward | more than 8 years ago | (#14576322)

Firefox with session only cookies.

I visit porn sites and various forums. I run as admin on win2k. When I run AdAware and Spybot nothing comes up. I check HiJackThis and don't see anything abnormal there either. I also use AVG and ZoneAlarm. I have occasionally run a rootkit detector with nothing found.

Since installing Firefox I have been clean, not pushing Firefox, but for me it works. Used Firefox since 0.8 and updated regularly.

Some tools to add to your belt (4, Informative)

DongleFondle (655040) | more than 8 years ago | (#14576349)

Adaware and Spybot Search and destroy are your best place to start, but I understand your frustration. Probably three out of the last four times I've dealt with a Spyware infested machine they didn't completely do the trick on their own.

Install and run Adaware and Spybot S&D, making sure you update the programs and select to perform deep scans (within archives, etc) in the custom scan options. This will probably most of the easiest and most common exploits. Reboot.

Go through your Add/Remove programs menu and try removing any programs you can identify as spware. If the programs didn't come with an uninstaller, I would have to officially recommend you do not go through any of their steps to download one and run it. I have tried this in the past with mixed results. Some of these programs truly were just severely annoying adware that actually removed themselves at the end of this lengthy process, but some were truly malicious that simply installed MORE spyware after running the uninstaller. I recommend you don't risk this.

Open up the task manager and go through each and every process, researching if need be [google.au]. I use groups.google.au to get the older version which seems to provide more relevant results. Kill any processes that you find are suspicious. Hell, kill any processes you can't identify as normal Windows OS or application processes. I dealt with an instance of spyware once that executed two randomly named processes that protected the spyware from removal. If you killed one process, the other would immediately respawn it.

Go through all of your startup locations:
C:\WINDOWS\Start Menu\Programs\StartUp
C:\WINDOWS\All Users\Start Menu\Programs\StartUp
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Start --> Run --> msconfig --> Startup tab

Once again, go through each and every item and delete or disable everything that you can identify as malicious. It's likely that when searching you will run across others who have dealt with the same spyware issues in the past and have had to figure out how to remove them.

Run your Adaware and Spybot S&D scans again. Reboot. Test your machine to see if the spyware is still there. Still have problems?

Download and run Hijack This [spywareinfo.com]. Pore through your log once more, or alternatively post it to one of the many forums [google.com.au] where professionals are willing to lend you a helping hand. At this point, you may also want to consider downloading and running Rootkit Revealer [sysinternals.com].

Also, try rebooting into safe mode and running your scans. Even though you are in safe mode, you should still monitor and kill processes that are suspicious. Remember, Sony's Rootkit came complete with a safe mode driver.

If all of this hasn't worked, then I suggest you back up your data, scan it for viruses, and do a low level format with a utility such as Killdisk [killdisk.com]. Now that you have to reinstall your OS, perhaps now is the perfect time to make the Linux switch [linuxiso.org].

live CD? (1)

astrashe (7452) | more than 8 years ago | (#14576354)

I've seen live windows CDs, and I always have the feeling that I should be able to use those to clean off the really nasty stuff. I'm a linux guy, and only deal with this when I'm trying to help someone else out, so I just don't have the windows guruhood to deal with the problem.

I know it's pretty straightforward to boot with a live CD and run something like ad-aware or spybot from it, but then you're scanning the registry that came off of the livecd, and not the infected one. I think there are tricks to do this, but I've never hunkered down and learned them.

Reinstalling really sucks. It takes a long time, and with product keys, and online activation, and machines that don't ship with CDs any more, it's getting dicier all the time. It works, but it's a very blunt tool solution, and it's a big waste of time.

I really hope that vista cuts down on these problems -- I expect that it will, as I don't think people will be running as administrator any more. But I just don't have the time to wipe off someone else's machine every time it gets sick.

It's easy... (5, Informative)

Izago909 (637084) | more than 8 years ago | (#14576396)

Build a Barts PE disc with the following:

Registry Editor PE

Begin by going through each user's directory in Documents and Settings. Delete the cookies directory, then every directory in the Local Settings except Application Data. Then go to the Windows directory and delete the contents of the following directories: Downloaded Program Files, Prefetch, and Temp. Then finish by going to the root dir and deleting the contents of System Volume Information, and Recycler folders. This will clear out the majority of the places malware hides and code that reactivates any remaining nasties on boot. Also pay very close attention to any DLL and EXE files in the Windows directory. With a few important exceptions, only malware places libraries and executables in the Windows directory. Generally, if you right click the file and choose Properties and it shows detailed copyright info for a legitimate company, the file is safe; if not, change the extension to BAK and remember to change them back if your software has problems.
Then start Regedit PE and load the remote registry files including all user hives. It will launch regedit after they are loaded. Remove all spyware keys in the Software subkeys, and then remove the autorun strings from Run, RunOnce, and RunOnceExec locations. Do NOT close regedit when you're done or it will save the changes. While regedit is still running, run a complete system scan with adaware. When adaware is done, close it then close regedit. Next run McAfee to get trojans and viruses. Before shutting down, it's a good idea to run chkdsk just for good measure.
On reboot, start in safe mode (no network support). Run LSPfix and remove any bad LSP entries (such as newdotnet); most known bad things are automatically put in the right window. If you are unsure about something google it. Be careful or you could destroy your network layer. Then run winsockfix to repair winsock. Then run hijackthis to remove all other unnecessary stuff, but pay attention to path names so as NOT to remove good things like antivirus/spyware/firewall entries. Log out (not switch user) and run hijackthis in each user's account.
Reboot in safe mode with networking, install, update, and run spybot and adaware. Update any installed antivirus software, and run a final scan. Reboot again, but in normal mode, and run scans again to verify you don't have any persistent malware. If the scans come up clean, your work is done; if not, remove them, reboot, scan again, and if they still come back, cut your losses and restore the machine.

PS: I do this several times a day and have seen about every type of malware out there. Believe it or not, MS antispyware will pick up stuff that adaware, spybot, and webroot leave behind. Even if you don't want to use it, you can't do wrong by installing, updating, scanning, then uninstalling when done. MooSoft's The Cleaner and Bazooka can also help you remove persistent trojans.

Good luck.

Re:It's easy... (1)

pjl5602 (150416) | more than 8 years ago | (#14576479)

Call me crazy, but I don't consider your exhaustive steps "easy". Can't tell if you were being sarcastic or not.

Anyway, thanks for the HOWTO. It will help if I ever have to disinfect somebody's computer ever again...

Re:It's easy... (1)

daddyrief (910385) | more than 8 years ago | (#14576701)

Jesus man. Either you are obsessive compulsive, or you look at a lot of porn. Jokes aside, is it really necessary to delete a bunch of system folders...? I think not. I can see how this is applicable in a worst-case scenario, but I can't even see this happening 'several times a day,' at least not on the same machine.

A four-step process. (2, Insightful)

kscguru (551278) | more than 8 years ago | (#14576962)

This is necessary - I did this about once a month for the past year. Ah, the joys of being in-dorm tech support for a hundred college students...

I only know of one problem. You really have to learn by removing a bunch of this crap yourself - new junk hides itself in new ways.

My five-step process:
1) Reboot in safe mode
2) Delete anything in C:\WINDOWS and C:\WINDOWS\SYSTEM32 (or whatever directories of choice) that has a hidden attribute and appeared since "problems began" (usually a month or so).
3) Wipe all temp directories. (that's C:\Documents and settings\username\local settings\temp and \temporary internet files, and maybe others I've forgotten).
4) Use regedit to remove strange Run, RunOnce, etc. entries. If in doubt, google, then destroy. Your user can always reinstall.
5) Reboot into normal Windows, then run a good antivirus and a good adware remover. BEFORE reconnecting to the network. (This may require having virus defs on a USB key).

The anti-spyware tools seem to get ~80% of what's out there. This gets 95%. Upgrade to the GP's PE environment instead of safe mode, and you're probably at 99%. Anything else, transfer files off and reformat, because it's probably a rootkit. With practice, I got the above procedure down to half an hour during "new computer" season.
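The file triage Izago909 describes (Properties showing company/copyright info) and kscguru's criteria (hidden attribute, appeared since "problems began") as one script. This is an added example, not code from any poster; the function names, the $Root/$Since parameters and the Authenticode check are my additions, and $Root can point at a slaved drive instead of the live system.

```powershell
# Added example (not from any poster). Lists .exe/.dll/.sys files directly under a
# Windows directory that fail the thread's sanity checks: no company/copyright info,
# Hidden attribute set, or created after the date the trouble began.
function Get-SuspiciousBinaries {
    param(
        [string]$Root = $env:SystemRoot,            # e.g. 'E:\Windows' for a slaved drive
        [datetime]$Since = (Get-Date).AddDays(-30), # kscguru's "usually a month or so"
        [switch]$IncludeSystem32
    )
    $dirs = @($Root)
    if ($IncludeSystem32) { $dirs += (Join-Path $Root 'System32') }

    foreach ($dir in $dirs) {
        # -Force shows hidden/system files; no -Recurse, the posts look at the directory itself.
        Get-ChildItem -Path $dir -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Extension -in '.exe', '.dll', '.sys' } |
            ForEach-Object {
                $reasons = @()
                $vi = $_.VersionInfo
                # Izago909's check: legitimate vendors stamp company/copyright strings.
                # Malware can forge these, so treat a pass as weak evidence only.
                if ([string]::IsNullOrWhiteSpace($vi.CompanyName) -and
                    [string]::IsNullOrWhiteSpace($vi.LegalCopyright)) {
                    $reasons += 'no company/copyright info'
                }
                if ($_.Attributes -band [IO.FileAttributes]::Hidden) {
                    $reasons += 'hidden attribute'
                }
                if ($_.CreationTime -gt $Since) {
                    $reasons += "created $($_.CreationTime.ToString('yyyy-MM-dd'))"
                }
                # Authenticode is stronger than free-text strings. Many Microsoft binaries are
                # catalog-signed rather than embedded-signed, so 'NotSigned' on an OS file means
                # "look closer", not "malware"; a valid signature from a known publisher is a pass.
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName -ErrorAction SilentlyContinue
                if ($sig -and $sig.Status -ne 'Valid') { $reasons += "signature: $($sig.Status)" }

                if ($reasons.Count -gt 0) {
                    [pscustomobject]@{
                        Path    = $_.FullName
                        Company = $vi.CompanyName
                        Created = $_.CreationTime
                        Reasons = ($reasons -join '; ')
                    }
                }
            }
    }
}

# Izago909's reversible alternative to deleting: rename to .bak so a wrong guess
# can be undone if some program breaks.
function Disable-Binary {
    param([Parameter(Mandatory)][string]$Path)
    Rename-Item -Path $Path -NewName ([IO.Path]::GetFileName($Path) + '.bak') -Force
}

# Usage: review the table before disabling anything.
Get-SuspiciousBinaries -IncludeSystem32 -Since '2006-01-01' | Format-Table -AutoSize
```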

Re:It's easy... (1)

Bugpowda (671725) | more than 8 years ago | (#14576760)

This is exactly correct. I use a similar technique at $50/hr. But you seem to have it more systemized. BartPE is a must.

Re:It's easy... (1)

juventasone (517959) | more than 8 years ago | (#14576914)

Despite these exhaustive measures, I can guarantee you there is spyware that will not be removed by this. If the parent doesn't believe me, I can send him some examples that he can execute on a system and see for himself.

Booya (1)

The NPS (899303) | more than 8 years ago | (#14576421)

At my college's help desk, we use a combination of Mcafee Enterprise, Spybot, Ad-Aware, Zero-spyware 2005, webroot spysweeper, and whatever other tools we have ...

Just for the sake of mentioning it (1)

stikves (127823) | more than 8 years ago | (#14576466)

Actually you should not try to disinfect a system after a virus or malware has successfully penetrated it. It's too much work, and more importantly it will always leave "traces". (This has been mentioned by many replies above).

However it's strange that nobody mentions Microsoft Anti Spyware. I've had much more success in preventing intrusion by using it, and it contains many tools making the (HKEY_LOCAL_MACHINE) registry hunt irrelevant. (It contains over 30 checkpoints like IE toolbars, WinSock helpers etc. And also, it contains a complete list of each and every startup program possible).

I know it's from Microsoft and such, and it has its own limitations (like not being available to pirated Windows installations). But being free and efficient, I could recommend it to every Windows user.

Re:Just for the sake of mentioning it (1)

notanatheist (581086) | more than 8 years ago | (#14576586)

Err.. well you see, all you need to do is download the executable from a known good machine or disable the Authenticity Check. It installs fine on *any* XP machine. Even pre-SP1.

Ewido Security Suite (2, Informative)

Anti_Climax (447121) | more than 8 years ago | (#14576481)

Ewido Security Suite [ewido.net] has helped me remove some pretty nasty stuff that the others didn't even recognize, but the more eyes scanning your system the better.

Re:Ewido Security Suite (2, Informative)

greg1104 (461138) | more than 8 years ago | (#14576575)

Finally, someone actually answering the question. It's been months since I had a spyware infection that either Ad-Aware or Spybot were really helpful for; those programs are now obsolete in my opinion. HijackThis and such are great tools, but with the multi-level spyware infections nowadays (BHO + windows service + constantly reloaded DLL) it's a bear to try and nail everything at once even with it.

I second the recommendation for Ewido for cleaning out nasty infections. The best part is that if your IE still works, you can use their beta free online scanner [ewido.net] to try and clean things up.

I've also had success with the somewhat cryptic but powerful Adware Away [adwareaway.com], which was the only thing I ever found that killed the nastier "about:blank" infections. There used to be a free version of that, but apparently they realized most people ran the program once and never bothered with registering it afterwards. Well worth the $30 if you have one of the infections listed on their site that they kill.

Finally, it's worth mentioning Microsoft's Anti-Spyware package. While it isn't particularly good at killing nasty infections, the proactive tools they include do help at stopping re-infection. For example, when fighting the multi-layer spyware programs, it can stop the service/startup/DLL/BHO sections from re-installing themselves so that you can knock them out one at a time.

Can't say I've had this issue (1)

paulsomm (92946) | more than 8 years ago | (#14576561)

But then, I:

- do not surf with IE (except for internal Intranet apps for work)
- do not run under an Administrator account for normal usage
- never run P2P apps or unknown apps from my actual Windows install (I use VirtualPC for this)
- run ad-blocking software (Privoxy) and Firefox's ad-blocking extensions (seriously, not for the lack of ads, although that's a plus, but because unscrupulous advertisers will try and download something onto your machine)
- run Norton GoBack so that those rare times that these precautions fail, I just reboot and choose a time I know I wasn't infected and, voila, no more nastiness

TuneUp Utilities (0)

Anonymous Coward | more than 8 years ago | (#14576610)

No one has mentioned this yet, and it's pulled me out of a few tight spots so I thought I'd share it.

TuneUp Utilities 2006. It isn't free, but it isn't expensive either (and you could probably find a serial or something for it if you looked...) It has some great utilities, like a registry cleaner, a process manager (which will let you see hidden processes), startup manager and secure delete (scrambles the file before deleting it. Claims to use a method developed by the US DoD). It has some other great tools, like system optimisations, but they aren't important here.

Basically, if I have anything that just won't go away, I use the process manager to find out where the file is, and then use the secure delete to remove it. Then I remove anything about it from the startup, and run through a registry clean. When something points to a file that isn't there, it gets scrubbed. So any traces of it, are hopefully gone.

AV software can be handy to help find any files in question, as can anti spyware apps. If AVG or Ad-Aware don't remove it, I go straight to TuneUp. Of course, a good firewall and any browser that isn't IE helps a great deal too.

another good one is trendmicro (0)

Anonymous Coward | more than 8 years ago | (#14576621)

Trendmicro has scans for virus and spyware and I think they now have the cool website removal tool too. I don't think it uses Active X anymore as a plus.

Streamlined reinstall (1)

SanityInAnarchy (655584) | more than 8 years ago | (#14576665)

First, make sure you don't get spyware on your system.

That is: Run Firefox, run Linux when you can, and don't be stupid. Download things that you're reasonably sure are good.

Second, make sure you can wipe the drive. If you can't wipe and reinstall from scratch, you're not backing up properly. I actually have a theory about this:
Make an nLite'd Windows install disk, which automates the Windows install.
Avoid customizing things too much, so that you can deal with the rest via next-next-next if you have to. Document anything you do customize.
Make an image of your fully-installed system, all customized to your liking, only with none of your data (the stuff you backup regularly) created/restored.
Back up your data regularly, as in daily.
Every time you need to make a customization that it'd be annoying to do every month, and can't be backed up daily with your data, do a backup, then restore from image, then make the change (and get all updates/patches to your software), re-create the image, and restore your data.
Every month or two, do the above step even if you haven't made any changes.

Effectively, you'll be working off a fresh Windows installation that never gets older than a month or two. You'll have a separate backup of your data and of your programs. As far as I know, malware doesn't usually target data directly, but I'd run ClamAV on the data backup anyway. You can keep multiple versions of the data backup, because if you're like most Windows users, your data is really small compared to your programs.

Whenever anything bad happens to your system, be it a disk crash, a virus, spyware, or even mere obsolescence, you have a full backup, and unless you're actually replacing your computer, you have a lightning-fast restore -- as in, automatic, might take a few hours, but nobody has to be there. If you do upgrade hardware, it's not quite as fast, but your Windows install is fully automatic, and your programs are simple enough, and your customizations documented enough, that it shouldn't be too painful -- you could even hire someone else to do it for you.

On Linux, I have this feature somewhat built-in. Data is easily found -- I just back up /etc, /home, /usr/src/linux/.config, and /var/lib/portage/world. For a Gentoo system with a custom kernel, that's enough to reinstall with close to zero human interaction. And /home is enough to backup ALL my data even if I can't reinstall automatically, because Linux keeps data separate from programs. Windows CAN do this, it just usually doesn't do it well enough to just copy the Windows equivalent of a home directory, and most programs still use the fairly retarded Win9x concept of keeping global config files in the program's install directory, even if it is aware enough to give multiple users their own separate configs.

first step is doing initial scans from a clean pc (1)

sdnoob (917382) | more than 8 years ago | (#14576699)

through many years of experience and making a fair living out of other people's ignorance, i've gotten spyware and virus removal down to this process:

i start by hooking up the infested hard drive to a clean system and running initial scans from there: adaware and antivirus.

then i manually delete (from all the machine's user accounts) temp folders, temporary internet files, downloaded program files (the ie's activex cache), restore folders (in xp and me), and then go through program files folder and remove the (believe me, get good at it over time, especially if you do this often) obvious stuff.

a casual scan through windows and windows\system (or windows\system32, depending on windows version) can also yield many files that you can outright delete.

if i see anything suspicious but not ready to delete them, i'll google to see if i can find any further information on it.. and then if i'm still not ready to delete something, i'll zip it up and then delete it.

once those are done, i copy over my collection of antivirus and spyware utilities and definitions. (the usual ones.. but most times, all i need is adaware, spybot s&d, hijack this and reglite).

once the drive is back in the host system.. it's off to safe mode, where i run every scan from every configured user. and i show no mercy in anything detected -- it all goes. i'll also uninstall any questionable programs and clean up the add/remove programs entries (of things that were manually removed).

when those scans are done and realtime protection is enabled (usually through spybot's ie plugin and teatimer, and spywareblaster's been installed and enabled).. then i will boot up normally. 9 times out of 10, i'm done at this point. but i will browse a bit with ie and then run through the scans once more just to make sure. and again, i check all configured user accounts. somewhere along the line any applicable updates for windows and their installed antivirus will get installed.

i then install firefox :) with adblock plus and the filterset.g updater. and demonstrate to the user (via a virtual machine on my test system) the difference between ie and firefox when browsing to a page that's loaded with spyware installers, and another that's got tons of ads on it. that demo is more than enough to get the user to switch to firefox. :) and finally, i give them a list of programs and their web site addresses so they can look up more information on their own (or purchase, in the case of adaware or spywareblaster's update service, etc)

only rarely do i resort to a format and reinstallation of the operating system.. and i can usually tell right away if that's the easier and faster way to go.

besides google searches, http://www.spywarewarrior.com/ [spywarewarrior.com] is my 1st source for info and links. of particular note is their listing of 'rogue' spyware applications.

Quick and easy... (1)

darsal (18194) | more than 8 years ago | (#14576718)

Okay, not really.

Process Explorer and Autoruns from Sysinternals [sysinternals.com].

PE: identify, investigate, and kill processes you don't know to be safe. Turn on the Image Path column, use the built-in google and strings searches. Worst outcome from over-aggression here is the system crashes. Restart and try again.

Mercilessly delete the directories that hosted the spyware, if you can, or just the apparently related files if you can't delete the directory.

Oops, some of those files were in use. Figure out what's using them (PE's dll/handle search), kill it, then try the deletion again. And again, and again. Why do those files keep coming back? ;-)

* EXPERT LEVEL TRICK: NTFS Permissions. Apply as appropriate and repeat above as needed.

* WEENIE LEVEL TRICK: WinZip anything you're unsure about deleting into an archive with full path info.

Got 'em all? Use Autoruns to clean up the startup triggers.

When I got back into day-to-day admin work a couple years ago, it would take me a couple of hours to work through this, starting with AdAware and Spybot S&D, doing full scans, rebooting when prompted, etc. Now, using just those two utils, I can get a system to be functionally spyware-free in about half an hour. I use AdAware and Spybot only to clean up the non-functional traces, after the utility approach has successfully stopped the live malware.

Works for me... (1)

daddyrief (910385) | more than 8 years ago | (#14576729)

I use Opera and run ZoneAlarm Pro firewall, I do not run active virus protection (except if I download from p2p/bt, I scan the files) and I run sp1, and I've been getting by alright.

My humble advice.... (1)

buddyglass (925859) | more than 8 years ago | (#14576755)

First, there is almost never a need to format your drive. Nor is there a need, despite what the zealots say, for you to move to a non-Windows OS. Here's how to avoid malware:

1. Keep your system up-to-date with the latest MS patches on a daily basis.
2. Either use XP's built-in firewall or something like ZoneAlarm if you're not using XP.
3. If you have the cash, buy a router and put it between your system and your net connection.
4. Don't log on using an account with Administrator access unless you absolutely have to.
5. Don't read your mail using MS Outlook.
6. Don't run suspicious executable files or open suspicious attachments. Don't install shady applications or porn dialers that come bundled with malware.

If you happen to get hit by something, here's what to do:

1. Install LavaSoft Ad-Aware, MS Anti-Spyware, Ewido and Hijack This!. Ewido isn't free, but comes with a free trial period last I checked. I didn't include Spybot Search and Destroy because it's mangled my system on multiple occasions.
2. Boot into safe mode.
3. Run a full scan with Ad-Aware, MS Anti-Spyware and Ewido. When that's done, fire up Hijack This! and look for anything fishy. Browser helper objects (BHOs) should be considered suspicious unless they're something easily recognizable (Acrobat Reader, Google Toolbar, etc.)
4. If those three (Ad-Aware, MS Anti-Spyware, Ewido) didn't catch what you have, consider taking a "more the merrier" approach and installing additional spyware removal tools. I've heard good things about Spyware Doctor, but it's not free.

Safe mode, search by date (3, Informative)

dtfinch (661405) | more than 8 years ago | (#14576791)

When fighting the kind of malware that installs itself to dozens of executables and dlls, to revive itself later, you can usually isolate most of that crap by searching by creation date, first making sure that explorer shows hidden and system files, and that the search doesn't exclude them.

You may need to disable system restore to remove some malware, or else Windows will automatically reinfect itself when it sees the files are missing. Reenable it before installing any new/updated drivers, as that seems to be when I need it most often.

Just in case, before you delete a bunch of stuff and reboot, check HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit to ensure that it's not pointing to the malware, but to userinit.exe, wherever that is. Messing with userinit can render a system so that you can't log in, even in safe mode. XP SP2 might have fixed this, as I've seen some newer systems survive a broken userinit, or completely ignore it.

Also, empty out your host file (usually c:\windows\system32\drivers\etc\hosts on XP) to prevent browser hijacks.

If you suspect a rootkit, try a detector like rootkitrevealer. It won't remove it, but it might find it. Last resort: take your hard disk and slave it on another system, and remove the infected files.

Stinger is a good standalone virus scanner, and a small download

For future reference: Stop using IE and Outlook Express. Stop downloading free screensavers and other freebies, unless you get them directly from the author's website, and you trust them completely. I've seen places take my own shareware screensavers, bundle them with spyware, and redistribute them without permission or any regard for legality or morality.
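The autostart sweep DongleFondle lists (Run/RunServices keys, Startup folders) together with dtfinch's Winlogon Userinit and hosts-file checks, as one script. This is an added example, not code from any poster; the function names are mine, the Startup-folder paths are resolved for modern Windows rather than the XP-era paths quoted above, and on a live system HKCU covers only the logged-on user, so run it under each account (or load the other hives as Izago909 describes).

```powershell
# Added example (not from any poster). Enumerates the autostart locations named in the
# thread so each entry can be researched before anything is deleted.
function Get-AutostartEntries {
    $keys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',  # Win9x-era; usually absent
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        $item = Get-Item $k
        foreach ($name in $item.GetValueNames()) {
            [pscustomobject]@{ Source = $k; Name = $name; Command = $item.GetValue($name) }
        }
    }
    # Per-user and all-users Startup folders, resolved for the current Windows layout.
    $folders = @(
        [Environment]::GetFolderPath('Startup'),
        [Environment]::GetFolderPath('CommonStartup')
    )
    foreach ($f in $folders) {
        Get-ChildItem -Path $f -Force -File -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{ Source = $f; Name = $_.Name; Command = $_.FullName }
        }
    }
}

# dtfinch's check: Userinit must point at the real userinit.exe (normally in System32,
# written with a trailing comma). A wrong value can lock every account out, even in safe mode.
function Test-Userinit {
    $wl = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $val = (Get-ItemProperty -Path $wl -Name Userinit).Userinit
    $expected = Join-Path $env:SystemRoot 'System32\userinit.exe'
    [pscustomobject]@{
        Userinit = $val
        Expected = "$expected,"
        Ok       = ($val.Trim().TrimEnd(',') -eq $expected)   # -eq is case-insensitive in PowerShell
    }
}

# dtfinch's hosts-file tip: list every active mapping. A stock file has at most
# 'localhost' entries; anything redirecting search engines or AV vendors is a hijack.
function Get-HostsOverrides {
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    Get-Content -Path $hosts -ErrorAction SilentlyContinue |
        Where-Object { $_ -match '^\s*[0-9a-fA-F:.]+\s+\S' } |   # skips blank and '#' comment lines
        ForEach-Object {
            $parts = -split $_.Trim()
            [pscustomobject]@{ Address = $parts[0]; Host = $parts[1] }
        }
}

# Usage (elevated prompt): research each entry before disabling it.
Get-AutostartEntries | Format-Table -AutoSize
Test-Userinit
Get-HostsOverrides
```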

Tools I use that haven't been mentioned (1)

Hockers (871149) | more than 8 years ago | (#14576811)

Worth a mention:

* Ultimate Windows Boot CD which I also find very useful when someone comes to me with a computer they have completely messed up - you have to create your own but it's a very streamlined experience. http://www.ubcd4win.com/ [ubcd4win.com]

* PrevxR which is a "permanent beta" version of their commercial offering. It can be configured; the different settings range from Individual (suitable for Grandma) to Enterprise (very hardcore). http://free.prevx.com/ [prevx.com]

* KillBox - basically a utility you can configure to delete certain files on bootup, I use this in conjunction with HijackThis, which was already mentioned above. http://www.bleepingcomputer.com/ [bleepingcomputer.com]
