Security

Five tips for removing viruses and spyware from client machines

IT consultants must regularly remove stubborn, regenerative, and corrupting spyware and viruses from client machines. These pointers will help you return systems to stable operation.

It's inevitable that clients will infect workstations, PCs, and laptops with spyware and viruses. Regardless of preventive steps, from gateway protection to automated scans to written Internet use policies, malware threats sneak through even layered defenses. What makes the situation worse is that many clients aren't willing to invest in standalone anti-spyware software, even though they understand the need for minimal antivirus protection.

Some IT professionals advocate simply wiping systems and reinstalling Windows, while others suggest that's akin to giving up and letting the bad guys win. The truth lies somewhere in between. After making an image copy of the drive (it's always best to have a fallback option when battling malicious infections), here are the measures I find most effective.

Note: These tips are based on an entry in our IT Consultant blog; they're also available as a PDF download.

1: Isolate the drive

Many rootkit and Trojan threats are masters of disguise that hide from the operating system as soon as, or even before, Windows starts. I find that even the best antivirus and antispyware tools -- including AVG Anti-Virus Professional, Malwarebytes Anti-Malware, and SuperAntiSpyware -- sometimes struggle to remove such entrenched infections.

You need systems dedicated to removal. Pull the hard disk from the offending system, slave it to the dedicated test machine, and run multiple virus and spyware scans against the entire slaved drive.

2: Remove temporary files

While the drive is still slaved, browse to every user's temporary files. On Windows XP these are typically found in C:\Documents and Settings\Username\Local Settings\Temp; on Windows Vista they are in C:\Users\Username\AppData\Local\Temp.

Delete everything within the temporary folders. Many threats hide there seeking to regenerate upon system startup. With the drive still slaved, it's much easier to eliminate these offending files.

3: Return the drive and repeat those scans

Once you have run a complete antivirus scan and two full antispyware scans using two different, currently up-to-date anti-spyware applications (removing every infection found), return the hard disk to its own system. Then run the same scans again.

Despite the earlier scans and cleanup, you may be surprised by the number of active infections the anti-malware applications still find and remove. Only by performing these additional scans, with the drive back in its own system, can you be sure you've done what you can to locate and remove known threats.

4: Test the system

When you finish the previous three steps, it's tempting to think the system is good to go. Don't make that mistake. Boot it up, open the Web browser, and immediately delete all offline files and cookies. Next, check the Internet Explorer connection settings (Tools | Internet Options, then the Connections tab) to confirm that a malicious program didn't change the system's default proxy or LAN connection settings. Correct any issues you find and make sure the settings match those required on your network or the client's network.

Then visit 12 to 15 random sites. Look for any anomalies, including the obvious popup windows, redirected Web searches, hijacked home pages, and similar frustrations. Don't consider the machine clean until you can open Google, Yahoo, and other search engines and complete searches for a half-dozen different terms. Be sure to test the system's ability to reach popular anti-malware Web sites, such as those of AVG, Symantec, and Malwarebytes.

5: Dig deeper on remaining infections

If any infection remnants persist, such as redirected searches or blocked access to specific Web sites, try to determine the filename of the active process causing the trouble. Trend Micro's HijackThis, Microsoft's Process Explorer, and Windows' native System Configuration Utility (Start | Run and type msconfig) are excellent utilities for locating offending processes. If necessary, search the registry for the offending executable and remove every instance. Then reboot the system and try again.

If a system still proves corrupt or unusable, it's time to begin thinking about a reinstall. If an infection persists after all these steps, you're likely in a losing battle.
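As an added example (not part of the original article), the following PowerShell script re-checks, on the cleaned machine itself, the settings that steps 2, 4 and 5 tell you to inspect by hand: the Internet Explorer proxy and LAN settings, the hosts file, and the Run/RunOnce autostart keys, flagging any autostart entry that launches from a Temp folder. The registry paths are the standard Windows locations; the Temp-folder pattern is my own assumption about what legitimate software does not do at logon.

```powershell
# Added example (not from the article): after steps 1-5, re-check the settings malware most
# often tampers with -- the WinINET proxy/LAN settings from step 4, the hosts file (a common way
# sites end up "blocked"), and the Run/RunOnce autostart keys from step 5 -- and flag autostart
# entries that launch from the temp folders cleaned in step 2. Run on the cleaned machine itself.

$inetKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$inet = Get-ItemProperty -Path $inetKey

Write-Host '== Proxy / LAN settings (Tools | Internet Options | Connections) =='
Write-Host ('ProxyEnable   : {0}' -f $inet.ProxyEnable)
Write-Host ('ProxyServer   : {0}' -f $inet.ProxyServer)
Write-Host ('AutoConfigURL : {0}' -f $inet.AutoConfigURL)
if ($inet.ProxyEnable -eq 1 -or $inet.AutoConfigURL) {
    Write-Warning 'A proxy or PAC script is set; confirm it matches the network the client actually uses.'
}

# hosts file: anything beyond the default localhost lines can silently redirect or block sites.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Write-Host "`n== Active hosts-file entries =="
Get-Content $hostsPath |
    Where-Object { $_ -notmatch '^\s*#' -and $_.Trim() -ne '' } |
    ForEach-Object { Write-Host "  $_" }

# Autostart locations: per-user and per-machine Run/RunOnce keys (what msconfig lists under Startup).
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Properties PowerShell adds to every registry object; these are not real autostart values.
$metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
# Assumption: legitimate software does not launch at logon from a Temp folder
# (matches both ...\Local Settings\Temp\ and ...\AppData\Local\Temp\).
$tempPattern = '(?i)\\Temp\\'

Write-Host "`n== Autostart entries =="
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($metaProps -contains $p.Name) { continue }
        $cmd  = [string]$p.Value
        $flag = ''
        if ($cmd -match $tempPattern) { $flag = '   <-- launches from a Temp folder; investigate' }
        Write-Host ('  {0}\{1} = {2}{3}' -f $key, $p.Name, $cmd, $flag)
    }
}
```

Run it once before and once after the final reboot in step 5; any entry that reappears between the two runs points at the process you still need to find.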

Other strategies

Some IT consultants swear by fancier tricks than those I've outlined above. I've investigated KNOPPIX as one alternative. And on a few occasions in the field I've slaved infected Windows drives to my Macintosh laptop to delete particularly obstinate files when no boot disk was available. Other technicians recommend tools such as Reimage, although I've had difficulty getting that utility even to recognize common NICs, without which its automated repair can't work.

What methods do you recommend for removing viruses and spyware from clients' machines? Post your suggestions in the discussion below.


About

Erik Eckel owns and operates two technology companies. As a managing partner with Louisville Geek, he works daily as an IT consultant to assist small businesses in overcoming technology challenges and maximizing IT investments. He is also president o...

88 comments
jeffybridge

I have had a computer virus and I know virus removal is a tricky process. You definitely need to know what you are doing. It is really important to try and locate the virus on the drive. That way you can get rid of it without losing too much other important data.

http://www.mcmurraycomputer.ca/software.html 

tommydigital

I've used lots of antivirus and anti-malware tools. We've used Symantec Antivirus CE and Endpoint Protection on all of our desktops for years. When I'm really in a jam I use Ultimate Boot Disk for Windows. It has a bunch of useful tools to remove viruses and malware. It has tools to repair the MBR, reset passwords, etc. I suggest you give it a try. I'd like to know what you think.

MuhammadUmar

First of all, I try to show all super-hidden files by using tools such as USB Disk Security / RRT (www.sergiwa.com) or by using the ACDSee program, where I can see hidden files to remove viruses etc. After these steps, the "HijackThis" tool is used to remove / delete viruses. A registry cleaner program like "TuneUp Utilities" cleans the registry as well as temporary files. Lastly, I create a new user and delete the previous one if necessary.

Gis Bun

Here are a few things to at least curb any problems:
1) verify the hosts file
2) reset IE's settings [full reset preferred]
3) empty all temp folders [note that malware may make itself hidden; use DOS' attrib]
4) use Microsoft/Sysinternals' Autoruns to see what is getting loaded
Malware will attack on any browser. The weakest "point" is the individual. If they are novices or not notified of the malware out there, they will believe in anything - just like the people who keep on forwarding hoaxes that are 7+ years old. Most AV products won't even detect the fake AV "software" at all. I've seen this with Avast Pro.

blackmaleya41

All sounds good except taking the hard drive out.

DKeith45

Agree, Erik. I always pull the drive, slave it, save out what files I can (docs, pics, email files, address book, etc.), then try to fix the infection... if that doesn't work, then it's total reinstall time...

jmarkovic32

You can't dismount and scan an encrypted drive! So I'm forced to install Malwarebytes and SuperAntiSpyware in Safe Mode and scan that way.

johnpall

2 quick, easy steps to be rid of viruses and spyware: 1. Throw the PC AWAY. 2. Get a Mac to replace it. Problem solved.

slconsultingsvc

For you folks that are working for a company with spare drives or on a corporate helpdesk, formatting is an option and often the smart thing to do. But when you are an independent consultant and the customer calls you and says that they absolutely have to have this computer back up and running in its pre-virus state, it's not that easy. I had one customer that got one of the advanced rogue antivirus deals on his PC. This PC is the center of his universe and it literally would have taken me over 20 hours to rebuild and install all of his 20+ programs back to their custom configurations. Before everyone jumps on it: he now has a comprehensive backup solution running on the machine after this incident. Bottom line, however, is that you can't charge a customer 20+ hours at nearly $70 an hour to rebuild his PC. You need to be able to fix the problem without rebuilding the machine. Any high school kid can do that. If there is little configuration or few special programs on the PC then the reformat is the answer, but not in the case of a business owner who has 20+ business apps installed and configured on the machine. Especially when the malware is stopping you from being able to see what all these custom configurations are.

demiwebman

Normally what works for me is a Live CD boot from, first, AVG Rescue, then second, F-Secure. Then I use Ultimate Boot CD to run EzPcFix, looking closely at registry entries. Any randomly named files in the Docs directory are obvious malware infections. Plus EzPcFix allows me to look at the hosts file. Be sure to remove both the hiberfil and pagefile files from the C: root too. Finally, booting to Windows, I install HitmanPro 3.5 then Malwarebytes. If that doesn't do it, it's time to back up and reformat.

Mr. Fix

Haven't we all heard it: "But I have an antivirus program. How could my computer get infected?" How do you explain that they got the virus because they were CARELESS - visited that porn site, clicked on that pop-up, downloaded that neat free app, opened that attachment from someone they don't know from Adam... How do you convince someone that having an anti-virus application will NOT PROTECT them from their own stupidity, when vendors tout invincibility?

davebrik99

I like to check out the Windows\System32 folder for any recently added DLLs or any that have gibberish file names. Safe Mode helps a lot!

Jon Bush

Can somebody tell me if Windows is a virus, or was I infected from outside? My two computers, a laptop with XP Pro and a desktop with W 7: the laptop has developed a habit of making whatever external drive, USB Flash Drive, SD card, whatever, as Read Only, therefore making it very difficult to move a file from the laptop C: drive to my other computer. The Win 7 computer does not do this, I have the permissions set correctly on it. Why do I need the permission of my operating system in the first place? This is very annoying...

wilbrian

So just look at all the suggestions for scanning/cleaning different areas and the different experiences with what not to overlook in the process. When you add up all the hours it takes to cover all of those bases, you've already spent the equivalent time of a full reformat. And with the full reformat you get a fresh, updated install and the latest drivers, as well as the latest versions of commonly used utilities like Adobe Reader, Java and Flash.

Coss71

At our company, we have a very simple solution. We have a number of spare drives for our systems (we're an all Dell house at all 21 locations). We'll spend about an hour cleaning, and if it begins to look like it will take longer, we pull My Docs, Favorites, and the PST files, pull the infected drive out, stick one of the stock units in, config for the network, push the off loaded files back to the new drive, done. Usually takes about 45 min to an hour. Infected drive is taken back to office, formatted and reloaded, then set on the shelf for future use. Simple, quick, and 100% good to go. In some cases, we won't even save the personal files, and just go with a clean setup. Sorry about your luck losing all of your email and pictures.

juliette.fister

We don't have enough resources to spend that much time on a drive. Grabbing any .pst files and reimaging from your secure source is the most efficient method.

SteelTrepid

What a waste of time. If you techies out there don't already know this or have better methods, then you have problems. The "shameless" plug right at the beginning puts the icing on the cake. I figure this article probably helped about 1/2 of the members here.....which is a sad statistic. There are so many better methods out there it is sick and I'm not going to do Tech Republic's work and list them. Good luck!

leo8888

With tools like BartPE bootable CDs available, I have not found anything I could not accomplish using various plugins for virus and spyware removal, drive partitioning, drive imaging, file backups, etc. that would require me to remove the infected drive. Boot from the CD, back up or image the infected system to an external disk, and then make repairs to the infected drive. That method has worked very well in my experience.

alwova

You can remove the viruses and spyware if you know their names or suspect them by running a Linux live CD (Mint, NimbleX, Austrumi, even Ubuntu), mounting and accessing the drives, and then deleting the virus.

tmargulis

I am constantly running into virus problems because most of my clients are retired older folk who just don't understand what harm a virus can do to their machine and open up every attachment they receive without due consideration. The first thing I try is to use a program such as Advanced SystemCare, which will usually tell me what type of virus I am facing. If that doesn't remove the virus, I then try to do a restore to a much earlier date. And if that doesn't work, then I'll start using the various programs you have already suggested. Only once recently have I had to resort to a new install. Ted Margulis

Frostyone

I have found Trinity Rescue Kit to be one of the easiest to use to scan a machine. It uses Clam and you don't have to do anything to the box; just load the CD and connect the network cord (so the database can update), then let it run.

JohnMcGrew

Long ago, I came to the conclusion that relying upon loading anti-virus or removal software on a computer that has already been compromised is akin to a surgeon attempting to do open-heart surgery on himself. You just can't have confidence in the effectiveness of the surgeon, or the results. I keep a dedicated XPC-form computer on standby for these situations loaded with all the usual tools. It's portable and I can easily interface all types of drives (SATA, IDE, SCSI) and can clone drives before surgery. (just in case) But most importantly, I can be confident that my malware tools are operating in an unhindered and uncompromised state. After the subject drive has been cleaned and removed, I sanitize my rig by re-imaging it to a pre-test "clean" state just to make sure that nothing could have possibly jumped aboard during the cleaning process. The $600 or so I spent on this setup years ago has paid for itself dozens of times over.

devshop

Just worked on "one of those" yesterday, so this is fresh in my mind... I didn't isolate the drive by slaving it into another system, but booting up in Safe Mode (this was an XP system), does the trick, too. After that I was able to clean everything using MalWareBytes, AntiSpyware and once back in normal mode, the system's own anti-Spyware from CA. All three utilities found some "leftovers", so the bottom line is you have to work it over and over until every utility comes up clean.

chris.wright1

It's a good idea to clean the registry after removing all malware etc. CCleaner or Registry Mechanic will do the job, or whichever tool you prefer.

perulous

The best way to remove a virus is as mentioned above: make the infected HDD a slave and scan it.

ComputerJimDotCom

Please note that some malware can and will block Windows tools like regedit, msconfig and Task Manager. Plus I have had all Microsoft sites blocked. Jim Steinis

unhappyuser

Delete restore points. I've seen where multiple scans, by various packages, don't find the malware and it keeps coming back. EMD

dpgolds

Please forgive the shameless plug, but these types of computer issues can be extremely time consuming if you do not have the necessary tools and processes in place. In our experience these types of issues can be corrected remotely 95% of the time. We have found that our Partners would rather focus on larger issues and bigger-ticket assets which bring in more money for their effort. GMS Live Expert is a 24/7 phone, chat, email and screen share Help Desk and PC Management solution provider. We enable our Partners to sell proactive PC monitoring, maintenance and management solutions along with one-time repair services as described in this article... Our Partners work under their own SLAs and own the customer relationship.
