How to get rid of ALL spyware!

DarkElite (joined Jan 7, 2004)
It's good to know that most people are educated enough to use Adaware or Spybot or SpySweeper, but running these programs will not get rid of everything. In this post I will give an overview on how to get rid of ALL spyware, guaranteed!

Note: You will probably want to download the programs and updates listed here BEFORE going into safe mode. It is best to download them off another computer and burn them to a CD or put them on a USB drive. If your internet does not work in safe mode, and you need it, try "Safe Mode with Networking".

First, turn off System Restore. Right-click My Computer, click on the System Restore tab and turn it off there. You can turn this back on when you are finished with this.

You are going to want to perform all operations in "Safe Mode".
Reboot your computer, and hit "F8" right before Windows starts to load. Then choose "Safe Mode" on the list.

Once you're in safe mode, you are going to want to clean up all unnecessary garbage on your computer. To start, delete these folders:

C:\temp
C:\windows\temp
C:\documents and settings\"your user name"\local settings\temp
C:\documents and settings\"your user name"\temporary internet files

Note: some of these folders may not exist

Then, from My Computer, right-click the C: drive, and hit Properties. Click on "Disk Cleanup", and delete everything it finds.

Next, you are going to want to run some programs.

First, download and run "Microsoft AntiSpyware", found here:

Microsoft AntiSpyware

After it is done downloading, install and run the program. Wait for it to finish scanning, and let it repair and delete everything it finds.

Reboot your computer, again into safe mode. Now, download Spybot

SpyBot

and Adaware

AdAware

Install and run both these programs, and fix everything they find.

Then, reboot again into safe mode.


*This next part is more tricky and requires user discretion on what to fix*

First, click Start and Run, and type "msconfig". In this program, click the "Services" tab. Click the "Hide all Microsoft services" box first.

Uncheck the box of everything that looks bad, such as "WinTools" or "eBates". If you see something familiar, such as "Norton services" or "wan miniport driver" or anything you are unsure of, leave it checked.

Next, move to the last tab, "Startup". Uncheck the box of anything that looks malicious, such as "Webrabate01" or "zdrwerxdf.exe". Check where the program is stored (the file path) and make sure it isn't something that you want. Files stored directly in C:\, C:\windows or C:\windows\system32 are a bad sign, especially if their filenames look random.

After you are done, hit "Apply", "Ok" and then reboot, yet again, into safe mode.

Now you need to download HijackThis, a great program for deleting all kinds of hidden spyware. You can download it for free here:

HijackThis

Install it and run "System Scan". After it finishes searching, you will have a large list of items. Read each one and check the box if it looks bad. Most of the things listed will be bad, but some things such as printer utilities and antivirus services will be listed too. You can probably go ahead and delete all BHO's, and for anything that looks very weird, or that you don't recognize as something you use or installed, check the box. When you are done, hit "Fix selected items". It will make backups, just in case. When this is done, you are probably totally virus and spyware free, or very close to it.

If you cannot access the internet, it is probably because of LSPs; you can download the LSP fix utility here:

LSP Fix

Run the program, and click "I know what I am doing". Then click "Finish"; it will remove everything in the Remove category. If there is nothing in this category, then your system is probably clean from LSP exploits.

*This last part requires more knowledge on what to delete and what to keep*

First, go into My Computer, then click Tools, and hit Folder Options. Go to the View tab and click the "Show hidden files" button. Additionally, uncheck "Hide file extensions for known types" and DO check the "Show contents of system folders" box.

To make things easier, click the Folders button at the top of the screen to make a tree view. Then go to View --> Details, and click Arrange Icons By Type. Then go back to Folder Options, View, and hit "Apply to all folders".

Now, open up "My Computer" and browse to the Program Files directory. Delete any folders that you see to be obviously spyware. Make sure you look in C:\program files\common files too. Culprit folders will look like Mysearch, GAIN, Lycos, istbar, Save, Wildtangent (wt), and many others that look like possible adware.

If you are more proficient at checking your operating system, look in the C:\, C:\windows, and C:\windows\system32 folders for culprit .exe files, such as hidden .exe's and garbled names or obvious spyware files. Some common ones may be:

-msbb.exe
-anything with a spyware name as an installer
-rundll16.exe
-lasas.exe
-ie.exe
-etc...

After all this is done, reboot one last time to make sure everything is working, and then empty the recycle bin. Your system should now be fully cleaned; if anything gets past this, you will probably have to wipe your system out.
 
One thing I think that needs to be addressed is the Hunt Bar....you know, that little search bar that has been appearing in the lower right of the screen. So far, the only way I have been able to get rid of it was by running eTrust Pest Patrol in safe mode.
 
No love for Spyware Doctor?

It has joined my list of ad/spyware removal tools lately.
 
LoStMaTt said:
One thing I think that needs to be addressed is the Hunt Bar....you know, that little search bar that has been appearing in the lower right of the screen. So far, the only way I have been able to get rid of it was by running eTrust Pest Patrol in safe mode.

hmm, never had a problem with that at work... :confused:
 
Good guide.

There are rootkits and other various fun things that can reside in system hidden folders that by default have only the System account full control permissions applied. Namely, c:\system volume information. You'll need to add permissions to that directory after unticking the "Show contents of system folders" box.

I'd also like to note that the msconfig page is going to be foreign to 95% of the people that need this kind of guide, so saying "delete anything that doesn't look familiar" is too much of a blanket statement.
 
Josh_B said:
*inserts Fedora CD*

Spyware has been removed!

FDISK does it as well! Works every time! ;)

Seriously though, good post DarkElite. Hopefully it will help some newbs with spyware problems.
 
ThomasE66 said:
FDISK does it as well! Works every time! ;)

Seriously though, good post DarkElite. Hopefully it will help some newbs with spyware problems.

Thanks, yea at work sometimes we just say fuck it and FDISK.

Feigned: Yea, sysvol needs to have permissions added, but disk cleanup takes care of it (compressed old files). BUT, some viruses/spyware take permissions off in their program folders :eek: , THAT'S annoying! :mad:

Before I knew how to gain permissions I was stumped; luckily I figured it out quick. I used to take the HDD out and boot it off another computer to clean those.
 
Standard practice at work is that anything that takes more than 30min to fix gets wiped & reinstalled. Anything that's even potentially been compromised gets wiped & reinstalled & all affected users are forced to change their password.
 
PestPatrol fucking rocks. It gets rid of spyware and viruses like none other. My new favorite <3
 
Best way to prevent spyware: stop going to porn sites, warez sites, stupid "dealz" site listed on Pricewatch, and the Register.

I still use IE, and not a single spyware problem has bothered me. Just cookies that get regularly removed.

An ounce of prevention (responsible surfing) is worth a pound of cure.
 
Most of this looks redundant to the info in the spyware sticky, but I'd re-post this in that thread. Good stuff here. :)

 
Great post.

Tip: Typing "cleanmgr" under run is quicker for removing the temp files and such.
 
Komataguri said:
easiest way to get rid of virii and spyware?

deltree /y c:\


:D :D :D
Windows translation:
1. Insert DOS boot floppy.
2. Type "format C: /s" to format as a FAT32 system disk or "format C: /s /-32" for FAT16 :p
3. Wait for your drive to finish formatting...
 
Komataguri said:
You can't run deltree from the cmd prompt?

if not, you still have DOS boot floppies :p
Nope. XP/NT (I think, it might just be XP/2K) don't support deltree... there is a different command for it, but I can't remember what it is right now.
 
Below Ambient said:
or just run Firefox... I check every week... I don't get any spyware
Same here. It's been so darn long since I had any spyware, I can't remember the last time.
 
You guys have all missed something important so far. In Temporary Internet Files, there is a subfolder called Content.IE5. It cannot be seen, even as a hidden folder, so just add that to the end of the address bar and make sure you clean out that folder too. The Windows Disk Cleanup won't even touch that folder.
 
Too much work, I would rather just use System Restore from a week ago. Heck, I work in IT and we connect to the PC and don't have the safe mode option much. It would take me an hour to image a computer and I could do other work during that, or waste half a day at this. Anyway, decent guide, but if your spyware is that bad it is time to format.
 
huxley said:
Too much work, I would rather just use System Restore from a week ago. Heck, I work in IT and we connect to the PC and don't have the safe mode option much. It would take me an hour to image a computer and I could do other work during that, or waste half a day at this. Anyway, decent guide, but if your spyware is that bad it is time to format.
Not everyone has images setup to get back up in an hour. I haven't reloaded in over 3 years, why would I create a ghost image for that PC? It would have been wasted time. Heck even at work I have some machines I would exactly want to reload as they have SQL servers setup on them for some treasury app, PIA to setup. Anyways, don't always assume reloading is easy, in those cases it's worth just fixing the install, and you gotta know how.

BTW I'm finding safe-mode w/networking (network cable disconnected) logged on as the user who installed the spyware is a MUST to remove some spyware.

Safe mode prevents 99% of the services and .exes from running. Several are using services to monitor the .exes and replace the file and re-run them when they are stopped and/or deleted. The services have the same function as the .exes you are familiar with; they are just hiding them under random service names, hoping you just check your running processes from Task Manager and miss them.

Logging on as the user (not admin) is necessary, and means you need networking support for domain users; at home, you can just use the regular safe mode. If you enable networking support, disconnect the network cable so the programs can't phone home during the removal process.

It will take *several* scan/reboot cycles to come up clean. What I'm doing is running Ad-Aware, MS AntiSpyware, and HijackThis until the system comes up clean. Then I reboot and scan with each until they find nothing. I repeat this process until I find nothing on the first scan with each; then the machine is clean.

It takes quite a while to complete, but it works for the most part.

 
I work at a computer repair shop, and thought I'd add the way we found to be the most effective in removing things from msconfig. Here we go!!

Firstly, back up your registry!!!

1) Start/Run, regedit
2) Go to the paths
HKEY CURRENT USER/SOFTWARE/MICROSOFT/WINDOWS/RUN
HKEY CURRENT USER/SOFTWARE/MICROSOFT/WINDOWS/RUNONCE
HKEY CURRENT USER/SOFTWARE/MICROSOFT/WINDOWS/RUNONCESERVICES
3) Delete all undesirable boot-up items (webrebates0/1, ebates, sidefind, etc...)

4) Go to the paths
HKEY LOCAL MACHINE/SOFTWARE/MICROSOFT/WINDOWS/RUN
HKEY LOCAL MACHINE/SOFTWARE/MICROSOFT/WINDOWS/RUNONCE
HKEY LOCAL MACHINE/SOFTWARE/MICROSOFT/WINDOWS/RUNONCESERVICES
5) Again, clean as necessary.

And now check your msconfig; you will see the items are now permanently gone from the Startup tab, as they should be. If you unclick items from the Startup tab, then go to the registry to remove them, they will no longer show (backwards). This way you can get those pests out of your system for good!

Hope this contributed to the conversation

:)
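As an added example (not code from this thread or from any of the tools it names), here is a small Python script that ties the post above to the msconfig advice in the original post. It parses a regedit export of the Run/RunOnce keys (the export text is constructed for the example, using the `...\CurrentVersion\Run` paths in the form regedit writes them) and applies the thread's own rules of thumb to each startup value: a name matching one of the adware families named in the thread, a binary sitting directly in C:\, C:\Windows or C:\Windows\System32, and a random-looking file name. The family list and the random-name check are the example's own assumptions, not a definitive detection.

```python
"""Triage of Windows autostart entries exported from the registry.

Added example, not code from the forum thread. It reads a regedit .reg export
of the Run/RunOnce keys and applies three rules of thumb the thread gives:
  * a value or file name matching an adware family named in the thread
    (WebRebates, eBates, SideFind, WinTools, MySearch, ISTbar, GAIN,
    WildTangent, msbb);
  * a binary stored directly in C:\\, C:\\Windows or C:\\Windows\\System32;
  * a file name that looks random (long, with almost no vowels).
The export below is constructed for the example, not taken from a real machine.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed .reg export in the format regedit writes: a header line,
# [key] sections, and "Name"="data" lines with backslashes and quotes escaped.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"zdrwerxdf"="C:\\WINDOWS\\zdrwerxdf.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"msbb"="C:\\msbb.exe"
"WebRebates0"="\"C:\\Program Files\\Web_Rebates\\WebRebates0.exe\""
"Example Updater"="\"C:\\Program Files\\Example Vendor\\updater.exe\" /background"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
'''

# Family names taken from the thread's examples of startup items to remove
# (substring match, so it is deliberately crude).
ADWARE_FAMILIES = ("webrebates", "ebates", "sidefind", "wintools", "mysearch",
                   "istbar", "gain", "wildtangent", "msbb")
# Directories the thread calls "a bad sign" for a startup binary.
SUSPECT_DIRS = {"c:\\", "c:\\windows\\", "c:\\windows\\system32\\"}

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


@dataclass
class Finding:
    key: str
    name: str
    executable: str
    verdict: str = "ok"
    reasons: List[str] = field(default_factory=list)


def unescape(text: str) -> str:
    # .reg string data escapes backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", text)


def executable_path(command: str) -> str:
    """Pull the program path out of a Run-key command line."""
    command = command.strip()
    if command.startswith('"'):                 # quoted path, arguments after it
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.*?\.exe)(?=\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else command.split()[0]


def looks_random(file_name: str) -> bool:
    """Crude check: a stem of 7+ characters whose letters are almost all consonants."""
    stem = file_name.rsplit(".", 1)[0].lower()
    letters = [c for c in stem if c.isalpha()]
    if len(stem) < 7 or not letters:
        return False
    return sum(c in "aeiouy" for c in letters) / len(letters) < 0.2


def parse_reg(text: str) -> List[Finding]:
    """Walk a .reg export and return one Finding per string value."""
    findings, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        if (m := SECTION_RE.match(line)):
            key = m.group(1)
            continue
        if key and (m := VALUE_RE.match(line)):
            name, data = unescape(m.group(1)), unescape(m.group(2))
            findings.append(Finding(key, name, executable_path(data)))
    return findings


def triage(finding: Finding) -> Finding:
    """Apply the thread's rules of thumb; sets verdict and reasons in place."""
    path = finding.executable.lower()
    directory, _, file_name = path.rpartition("\\")
    directory += "\\" if directory else ""
    family = [f for f in ADWARE_FAMILIES if f in f"{finding.name.lower()} {file_name}"]
    if family:
        finding.reasons.append(f"matches adware family name: {family[0]}")
    if directory in SUSPECT_DIRS:
        finding.reasons.append(f"binary sits directly in {directory}")
    if looks_random(file_name):
        finding.reasons.append("file name looks random")
    if family or len(finding.reasons) >= 2:
        finding.verdict = "likely"      # name match, or bad location plus random name
    elif finding.reasons:
        finding.verdict = "review"      # one weak signal: look it up before removing
    return finding


def verdicts(text: str = SAMPLE_REG) -> Dict[str, str]:
    """Map each value name to its verdict; convenient for reports and tests."""
    return {f.name: triage(f).verdict for f in parse_reg(text)}


if __name__ == "__main__":
    for f in (triage(f) for f in parse_reg(SAMPLE_REG)):
        hive = f.key.split("\\")[0]
        print(f"{f.verdict:6} {hive}  {f.name}: {f.executable}")
        for reason in f.reasons:
            print(f"       - {reason}")
```

Note what the "review" verdict means in practice: ctfmon.exe lands there only because it lives in system32, which is exactly where genuine Windows components live, so a single location signal is a prompt to look the entry up, not to delete it. This is the same caution the thread raises about msconfig being a blanket "delete what you don't recognize" for most users.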
 
There are some bugs that just don't seem to want to come out. The only thing I might add is to go over to Sysinternals and grab Process Explorer and TCPView. With Process Explorer you can find some things that have hijacked WinXP services. You can also see what TCP connections are "ESTABLISHED" with TCPView.

With the original post, + the Registry 'runonce' 'run' etc, and the above utilities you can clean almost any machine. If you still think you are hijacked or have a virus after all that, it is probably time to start from scratch.
 
Phoenix86 said:
Not everyone has images setup to get back up in an hour. I haven't reloaded in over 3 years, why would I create a ghost image for that PC? It would have been wasted time. Heck even at work I have some machines I would exactly want to reload as they have SQL servers setup on them for some treasury app, PIA to setup. Anyways, don't always assume reloading is easy, in those cases it's worth just fixing the install, and you gotta know how.

BTW I'm finding safe-mode w/networking (network cable disconnected) logged on as the user who installed the spyware is a MUST to remove some spyware.

Safe mode prevents 99% of the services and .exes from running. Several are using services to monitor the .exes and replace the file and re-run them when they are stopped and/or deleted. The services have the same function as the .exes you are familiar with; they are just hiding them under random service names, hoping you just check your running processes from Task Manager and miss them.

Logging on as the user (not admin) is necessary, and means you need networking support for domain users; at home, you can just use the regular safe mode. If you enable networking support, disconnect the network cable so the programs can't phone home during the removal process.

It will take *several* scan/reboot cycles to come up clean. What I'm doing is running Ad-Aware, MS AntiSpyware, and HijackThis until the system comes up clean. Then I reboot and scan with each until they find nothing. I repeat this process until I find nothing on the first scan with each; then the machine is clean.

It takes quite a while to complete, but it works for the most part.

You show me a workplace that doesn't have a RIS or ghost image, or a workplace that has their sequel server filled with spyware, and I don't know what I'll show you... your examples are just kinda out there.

If you work at a place where it is not easy to RIS almost all your machines without losing data you need to rethink your environment.
 
huxley said:
You show me a workplace that doesn't have a RIS or ghost image, or a workplace that has their sequel server filled with spyware, and I don't know what I'll show you... your examples are just kinda out there.

If you work at a place where it is not easy to RIS almost all your machines without losing data you need to rethink your environment.
We *do* have a ghost image; it contains all the unlicensed software. We don't have .MSIs or scripted installs for all our licensed software. Some of our folks are running lots of licensed software. I can ghost them and have the OS up in minutes, but that's not *done* to the user.

The SQL box is not a "server" it's a user's machine with SQL server installed because of the app they are using.

Heck the time it would take to create scripted installs would almost not be worth it for our size (less than 1000 machines). We might use the scripted install once or twice before the next version was in place and we'd have to update it. Anyways, like I said, it's not all in my hands. I can't control everything in my environment. ;)

 
Phoenix86 said:
Not everyone has images setup to get back up in an hour. I haven't reloaded in over 3 years, why would I create a ghost image for that PC? It would have been wasted time. Heck even at work I have some machines I would exactly want to reload as they have SQL servers setup on them for some treasury app, PIA to setup. Anyways, don't always assume reloading is easy, in those cases it's worth just fixing the install, and you gotta know how.

BTW I'm finding safe-mode w/networking (network cable disconnected) logged on as the user who installed the spyware is a MUST to remove some spyware.

Safe mode prevents 99% of the services and .exes from running. Several are using services to monitor the .exes and replace the file and re-run them when they are stopped and/or deleted. The services have the same function as the .exes you are familiar with; they are just hiding them under random service names, hoping you just check your running processes from Task Manager and miss them.

Logging on as the user (not admin) is necessary, and means you need networking support for domain users; at home, you can just use the regular safe mode. If you enable networking support, disconnect the network cable so the programs can't phone home during the removal process.

It will take *several* scan/reboot cycles to come up clean. What I'm doing is running Ad-Aware, MS AntiSpyware, and HijackThis until the system comes up clean. Then I reboot and scan with each until they find nothing. I repeat this process until I find nothing on the first scan with each; then the machine is clean.

It takes quite a while to complete, but it works for the most part.


There's no way you should have servers that you can't recover from bare metal within an hour or less.
 
Josh_B said:
There's no way you should have servers that you can't recover from bare metal within an hour or less.
They are not servers, they are workstations with SQL server loaded on them. See my last post.

Servers don't get spyware, and if they do the admin should be fired for surfing on a server.. ;)

All that being said, I don't think our network admins could have the main SQL server back up in an hour, it would probably take them longer. :(

 
Phoenix86 said:
We *do* have a ghost image; it contains all the unlicensed software. We don't have .MSIs or scripted installs for all our licensed software. Some of our folks are running lots of licensed software. I can ghost them and have the OS up in minutes, but that's not *done* to the user.

The SQL box is not a "server" it's a user's machine with SQL server installed because of the app they are using.

Heck the time it would take to create scripted installs would almost not be worth it for our size (less than 1000 machines). We might use the scripted install once or twice before the next version was in place and we'd have to update it. Anyways, like I said, it's not all in my hands. I can't control everything in my environment. ;)

If you don't have a good image and .zap files or .msi's that you can install during the image, then you are running an inefficient operation IMO.

Nah, I worked for a company at about 1000 users (heck, the company I work for now created scripted installs with updates and software when they were at 30 people!) and we had automated software installations. We used Microsoft RIS though. No point in paying for Ghost when you can get RIS for free... a bit slower though. I am just saying your argument is not valid in the sense that you should waste half a day removing spyware when you can easily image the machine and lose nothing if you are running in a good environment.
 
huxley said:
If you don't have a good image and .zap files or .msi's that you can install during the image, then you are running an inefficient operation IMO.

Nah, I worked for a company at about 1000 users (heck, the company I work for now created scripted installs with updates and software when they were at 30 people!) and we had automated software installations. We used Microsoft RIS though. No point in paying for Ghost when you can get RIS for free... a bit slower though. I am just saying your argument is not valid in the sense that you should waste half a day removing spyware when you can easily image the machine and lose nothing if you are running in a good environment.
But such an environment isn't setup here, so it is faster to TS the spyware. It's not that bad either way. I probably spend ~1.5 hours of tech time (time to the PC is longer, probably closer to 1/2 a day) to fix a badly infested machine.

Spyware isn't impossible to remove, and there's much you can learn by TSing it vs. dump and reload.

I have never been a fan of ghosting in lieu of good TSing, but I know when to cut my losses. I see too many people say "fuck it, I'm reloading", IMO. It's one thing to get a critical system up and running at the drop of a hat, it's another to get frustrated and give in.

 
Phoenix86 said:
But such an environment isn't setup here, so it is faster to TS the spyware. It's not that bad either way. I probably spend ~1.5 hours of tech time (time to the PC is longer, probably closer to 1/2 a day) to fix a badly infested machine.

Spyware isn't impossible to remove, and there's much you can learn by TSing it vs. dump and reload.

I have never been a fan of ghosting in lieu of good TSing, but I know when to cut my losses. I see too many people say "fuck it, I'm reloading", IMO. It's one thing to get a critical system up and running at the drop of a hat, it's another to get frustrated and give in.

The crappy thing is that you can't TS in safe mode (and safe mode with networking starts way too many darn services to even be called a safe mode).

I am just saying that the environment you describe is not the most efficient or best way to be set up. When we image, users lose nothing except for maybe one application that needs to be installed because it is separate from their company build. That's it. Their docs and drives are all mapped and roaming profiles take care of it all. So if one sweep of the ol' MS beta spyware doesn't take care of this I may try HijackThis, but will most likely just say image the PC.
 
huxley said:
The crappy thing is that you can't TS in safe mode (and safe mode with networking starts way too many darn services to even be called a safe mode).
Network support is required to login as the user's profile, some spyware doesn't seem to remove logged in as administrator or an account with admin rights (VX2 comes to mind, probably a flaw in the scanning software).

What do you mean you can't TS in safe mode, that's what it's there for???

What do you do with your images for licensed software? Do you have licensed software in your image (licensed software that not every uses, not a licensed software that everyone has like office)? Or do you have scripted installs for licensed/non-company wide software and install the user's software from the scripts?

 
Phoenix86 said:
Network support is required to login as the user's profile, some spyware doesn't seem to remove logged in as administrator or an account with admin rights (VX2 comes to mind, probably a flaw in the scanning software).

What do you mean you can't TS in safe mode, that's what it's there for???

What do you do with your images for licensed software? Do you have licensed software in your image (licensed software that not every uses, not a licensed software that everyone has like office)? Or do you have scripted installs for licensed/non-company wide software and install the user's software from the scripts?

whaaaa? You can TS safe mode with networking, but I have never been able to TS in safe mode. I cannot really disclose how we run things around here due to the whole NDA deal, but I can say that it is very automated across the board.
 
Trouble Shoot, not Terminal Serve. :)

Spyware is best removed locally w/o actually being on the network. If you can remote connect to the box, the spyware can likely phone home to get new .exes if needed.

 
Phoenix86 said:
Trouble Shoot, not Terminal Serve. :)

Spyware is best removed locally w/o actually being on the network. If you can remote connect to the box, the spyware can likely phone home to get new .exes if needed.

Of course but when you have field techs that visit a site once a week there are certain options available. My point still stands clear. A good infrastructure gives you the ability to reimage and have them back to perfect order in less time than it would take to try to remove a difficult piece of spyware.
 
Hi, I'm following this guide and I have gotten to the part where I am supposed to run Microsoft AntiSpyware in safe mode. When I am in safe mode I cannot change my resolution from 640x480. I can run and scan my computer with MS AntiSpyware, but when it's done my resolution is too low to be able to click the button that says something like "continue with removal" after I have scanned. Any help?
 