
Five step process for removing viruses and spyware from client machines

IT consultants must regularly remove stubborn, often regenerative and corrupting spyware and viruses from client machines. Erik Eckel shares his preferred strategy for quickly returning systems to stable operation.

It's inevitable that clients will infect workstations, PCs, and laptops with spyware and viruses. Regardless of preventive steps, from gateway protection to automated scans to written Internet use policies, malware threats sneak through even layered defenses.

What makes the situation worse is that many clients aren't willing to invest in standalone antispyware software, even though they understand the need for minimal antivirus protection. This is a perfect example of what I call Reactive Rationality. Clients who won't invest in preventive measures find it easier to justify paying three or even four times the cost of prevention to remediate infections once a debilitating disruption strikes their systems or network.

Some IT professionals advocate simply wiping systems and reinstalling Windows, while others suggest that's akin to giving up and letting the bad guys win. The truth lies somewhere in between.

Following tried-and-true methods frequently repairs even heavily damaged systems. I've returned systems to college students that ran as well as they did out of the box, even though some 1,200 lively Trojans, viruses, and worms were active on the machine when it hit my workbench. In other cases, systems with a single sinister and nefarious infection required me to reinstall the operating system. The trick is to discover which method is called for as quickly as possible when encountering an infected client PC.

Here are the virus and spyware removal steps I find most effective. After making an image copy of the drive (it's always best to have a fallback option when battling malicious infections; keep that image off the network and never boot or casually mount it on a production machine, because it is a record of the infection and a fallback, not a clean restore point), these are the steps I follow:

1. Isolate the drive

Many rootkit and Trojan threats are masters of disguise that hide from the operating system as soon as or before Windows starts. I find that even the best antivirus and antispyware tools -- including AVG Anti-Virus Professional, Malwarebytes Anti-Malware, and SuperAntiSpyware -- sometimes struggle to remove such entrenched infections.

You need a system dedicated to removal. Pull the hard disk from the offending system, slave it to the dedicated test machine, and run multiple virus and spyware scans against the entire slaved drive. Nothing on the slaved volume should ever execute on the test machine: disable AutoRun/AutoPlay on the test box, keep it off the client's network, and never open files from the infected volume directly. The scanners read the drive as data, and that is the whole point of the exercise.

2. Remove temporary files

While the drive is still slaved, browse to all users' temporary files. These are typically found within C:\Documents and Settings\Username\Local Settings\Temp on Windows XP or C:\Users\Username\AppData\Local\Temp on Windows Vista (and later versions, which keep the \Users layout). Check every profile on the drive, not just the user who reported the problem, and remember that the slaved volume will carry a different drive letter on the test machine.

Delete everything within the temporary folders; many threats hide there seeking to regenerate upon system startup. With the drive still slaved, it's much easier to eliminate these offending files.

3. Return drive and repeat scans

Once you have run a complete antivirus scan and two full antispyware scans using two current, recently updated, and different antispyware applications (removing every infection found), return the hard disk to the system. Then run the same scans again.

Despite the scans and previous sanitization, you may be surprised at the number of remaining active infections the antimalware applications subsequently find and remove. A scan of a slaved drive only sees files; a native scan also inspects memory, running processes, loaded drivers, and the registry's autostart entries, which is where the remnants turn up. Only by performing these additional native scans can you be sure you've done what you can to locate and remove known threats.

4. Test the system

Once you finish the previous three steps, it's tempting to think a system is good to go but don't make that mistake. Boot it up, open the Web browser, and immediately delete all offline files and cookies.

Next, go to the Internet Explorer Connection settings (Tools | Internet Options and select the Connections tab within Internet Explorer) to confirm that a malicious program didn't change a system's default proxy or LAN connection settings. Correct any issues you find and ensure settings match those required on your network or the client's network.

Then, visit 12-15 random sites. Look for any anomalies, including the obvious pop-up windows, redirected Web searches, hijacked home pages, and similar frustrations. Don't consider the machine cleaned until you can open Google, Yahoo, and other search engines and complete searches on a string of a half-dozen terms. Be sure to test the system's ability to reach popular antimalware Web sites such as AVG, Symantec, and Malwarebytes.

5. Dig deeper on remaining infections

If any infection remnants remain, such as redirected searches or blocked access to specific Web sites, try determining the filename for the active process causing the trouble. Trend Micro's HijackThis, Microsoft's Process Explorer, and Windows' native Microsoft System Configuration Utility (Start | Run and type msconfig) are excellent utilities for helping locate offending processes.

If necessary, search the registry for entries that reference the offending executable and remove every instance. Export the affected keys first (File | Export in the Registry Editor) so that a mistaken deletion can be undone. Then reboot the system and try again.

If a system still proves corrupt or unusable, it's time to begin thinking about a reinstall. If an infection proves persistent after all these steps, you're likely in a losing battle.
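The slaved-drive phase of the process above (steps 1 through 3) and the site-reachability check in step 4 can be scripted rather than clicked through. The following Python is an added example from the editor, not Erik's tooling: pointed at the mount point of the slaved volume, it inventories and purges every profile's temp folder for both the XP and Vista layouts named in step 2, and parses the volume's hosts file for entries that pin the search and antimalware sites step 4 uses as a test. The hosts file location (\Windows\System32\drivers\etc\hosts), the watch list of domains, and the tree the test builds are assumptions; extend the list for your own clients. Run it with dry_run=True first so you get the inventory (relative path, size, SHA-256) before anything is deleted; those hashes are the indicators you search for when you go digging in the registry in step 5.

```python
"""Offline triage of a slaved Windows volume.

Added example (editor's code, not Erik Eckel's tooling). ROOT is wherever the
slaved volume is mounted on the test machine, e.g. "E:\\" or "/mnt/infected".
"""
import hashlib
import ipaddress
from pathlib import Path

# Per-user temp folder layouts relative to the volume root, as named in the article.
TEMP_LAYOUTS = (
    ("Documents and Settings", Path("Local Settings") / "Temp"),  # Windows XP
    ("Users", Path("AppData") / "Local" / "Temp"),               # Windows Vista and later
)

# Sites the article uses to test a cleaned machine. Any hosts-file entry for
# one of these names is a red flag. Assumed list; extend it for your clients.
WATCH_DOMAINS = ("google.com", "yahoo.com", "avg.com", "symantec.com", "malwarebytes.org")

# Default hosts file location; assumes the system root on the volume is \Windows.
HOSTS_REL = Path("Windows") / "System32" / "drivers" / "etc" / "hosts"


def user_temp_dirs(root):
    """Yield every user's temp folder that exists under the slaved volume root."""
    root = Path(root)
    for profiles_dir, temp_rel in TEMP_LAYOUTS:
        base = root / profiles_dir
        if not base.is_dir():
            continue
        for profile in base.iterdir():
            temp = profile / temp_rel
            if temp.is_dir():
                yield temp


def purge_temp(root, dry_run=True):
    """Inventory (relative path, size, sha256) of every file in the temp folders.

    With dry_run=False the files and any now-empty subfolders are deleted; the
    Temp folder itself is kept so Windows and the user's programs still find it.
    Keep the returned inventory: the hashes are indicators for later checks.
    """
    root = Path(root)
    inventory = []
    for temp in user_temp_dirs(root):
        files = [p for p in temp.rglob("*") if p.is_file()]
        for path in sorted(files):
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            inventory.append((str(path.relative_to(root)), path.stat().st_size, digest))
            if not dry_run:
                path.unlink()
        if not dry_run:
            # Children sort after their parents, so reversed order empties deepest first.
            for sub in sorted((p for p in temp.rglob("*") if p.is_dir()), reverse=True):
                sub.rmdir()
    return inventory


def hijacked_hosts_entries(root):
    """Return (address, hostname) pairs in the hosts file that pin a watched domain.

    A loopback address blocks the site; anything else redirects it. Either way
    the entry was not put there by the user and belongs in the findings.
    """
    hosts = Path(root) / HOSTS_REL
    if not hosts.is_file():
        return []
    flagged = []
    for raw in hosts.read_text(errors="replace").splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        try:
            ipaddress.ip_address(fields[0])       # first field must be an address
        except ValueError:
            continue
        for name in fields[1:]:
            low = name.lower()
            if any(low == d or low.endswith("." + d) for d in WATCH_DOMAINS):
                flagged.append((fields[0], name))
    return flagged


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for rel, size, digest in purge_temp(root, dry_run=True):
        print(f"{digest}  {size:>10}  {rel}")
    for addr, name in hijacked_hosts_entries(root):
        print(f"hosts: {name} -> {addr}")
```

Run it as `python triage.py E:\` (or the mount path on a Linux or Mac test box) to get the dry-run inventory, then flip dry_run to False once you have saved the listing. Files that Windows has marked read-only or hidden still delete, because the owning operating system is not running; that is exactly why the article does this step while the drive is slaved.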

What's your method?

Some IT consultants prefer a different strategy from what I outline above; however, I haven't found another process that works better at quickly returning systems to stable operation.

Some IT consultants swear by fancier tricks. I've investigated KNOPPIX as one alternative. And I've had a few occasions where, in the field, I've slaved infected Windows drives to my Macintosh laptop in order to delete particularly obstinate files in the absence of a boot disk.

Other technicians recommend leveraging such tools as Reimage, although I've experienced difficulty getting the utility to even recognize common NICs, without which the automated repair tool cannot work.

What methods do you recommend for removing viruses and spyware from clients' machines? Join the discussion by posting a comment.


About

Erik Eckel owns and operates two technology companies. As a managing partner with Louisville Geek, he works daily as an IT consultant to assist small businesses in overcoming technology challenges and maximizing IT investments. He is also president o...

39 comments
Bilou54

Image and restore from a known good is my last step. The earlier steps are the same as you use, but a full reinstall is prohibitively expensive now that some clients run over 200 apps and want a complete restore. The best anti-viruses are Kaspersky and Rising. Both have a lot less false positives than the competition. Many clients have sophisticated employees who download and use pirated software. The main apps they need (Office, 2003 is the current favourite, I agree), are paid for. Marginal apps are pirated. It's not nice, but I have to live with it. So I train them to use their anti-virus first before any install. Remove Internet Explorer, it is a deadly and huge target. I train the unsophisticated users on Opera, and the wannabees, God bless em, on Firefox. Get it working well off the net. Every client machine has to be imaged, or I won't take the contract. If they refuse, then I refuse to help. Reimage every machine once a month. Hiren's is illegal, but it works. I have licences for the progs anyway, but it is a wonderful all-in-one to put in my briefcase. Yes, once in a while I get a humongous infection that nothing can fix. The last one on my own flagship machines was three years ago. Images were out-of-date due to overwork. So I had no choice but to reinstall from scratch and that cost me 1 month's work. Aargh! Bonus was that I wiped out 200 or so of the 700 programs she was carrying, updated the vid to a new card, and added RAID. She appreciated the attention, and has not let me down since. I call her Esmerelda!

BarryRobbins76

Everything you describe in your article sounds like it will take a lot of time. Several antivirus and antispyware scans? I've had antivirus scans by themselves take hours. I recommend creating an image of the base install of a machine (this works better if systems are the same throughout your organization). Assign each user's documents folder to be on a server. Let the users know that data recovery cannot be guaranteed unless it's in their documents folder. Back up the users' files from the server every night. If a computer or multiple computers get infected and you can't fix them in 5 minutes, take your base image and reimage the machines. Restore any My Documents files that may have been infected and can't be easily fixed. You may have to reinstall a few programs but this is going to be much faster than pulling the hard drive out, performing multiple scans, putting it back in the original machine, testing web sites, etc. etc. I also recommend having users' pst files on a server as well as backing up users' favorites.

g3po2

I think that Erik has a number of good ideas. Sadly, "isolating" a suspected hard drive to another system as a slave drive may only infect the "test" system's primary hard drive. I've seen it happen more than once, and would not suggest that as a primary solution. Over the years as a computer tech, I've found that NO single solution is going to get you the desired results. There are numerous shareware programs that will perform many of the tasks that Erik is suggesting in this very well-written article. I use a series of nineteen different programs before even considering making the offending drive a slave on a test computer. In many cases, to make some of these programs function to full capacity, it is necessary to either boot up in Safe Mode, and/or turn off the Microsoft built-in safety controls, which in many cases will actually restore an active virus although it has been technically deleted from the disk drive in question. Why? Keep in mind that when most versions of Windows restart, they will restore many of the deleted .exe, .com, or .dll files (not to mention a host of other file types) that were the original culprits. This is especially true in the case where you make the infected drive into a slave on a test machine, and subsequently reinstall it as a master on the original system. Programs such as C Cleaner, D Cleaner, DC Cleaner and the built-in Windows hard drive cleaner will remove a lot of crud, resulting in a faster scan by any anti-virus/malware software. Also, various registry cleaners will often detect various problems. I keep eight different ones in my "stable," using them when it seems appropriate. Another group of programs that I suggest include registry defrag and hard drive defrag programs. The obvious programs to run first would be Spyware Blaster, Spybot Search & Destroy, Windows Defender, Microsoft's Malicious software remover, AVG or Avast, and Lavasoft's AdAware.
Finally, there are a number of very good on-line anti-virus/malware detection programs, such as Trend Micro, Panda, Kaspersky, to name but a few... Aloha from Hawaii, Glenn

Jackmagurn

Hi Erik, I don't understand why you need to run spyware apps twice again after you put it back in the PC; if the hard drive is the only data center, how is it a different scan scenario? And has this 5-step procedure proved to be successful on many virus/spyware cleanups, like 95 percent or so? Thanks, Certifiedtek

daryl

We use the ultimate boot CD for windows. Each month we make a new CD so it has up to date virus and antispyware definitions. Saves having to remove the HDD from the system and ensures that none of the viruses or spyware applications are running when windows starts because it is booted from the CD. We run the virus scan using Avira, use Adaware or other spyware removal tools, delete temp files (none will be in use) and also do a defrag and disk scan.

Data Ninja

Depending on the method you're using, be sure to check the 'winlogon' entry under the "HKLM/software/microsoft/windows nt/current version/winlogon" entry for items that refuse to go away. You might also check the HKCU hive, but I rarely find anything there. If you find one, go get killbox.exe (the beta version is best), to remove the file at boot time, then you can delete the registry entry without it replacing itself. Same goes for any 'run' entries that re-appear in HKLM and HKCU.
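The startup-location search in step 5 of the article, and the Run and Winlogon keys Data Ninja points at above, can be triaged from plain `reg query` text rather than by eye. The Python below is an added example from the editor, not Erik's or Data Ninja's code. Dump the keys on the live machine (or from a slaved drive's SOFTWARE hive after a `reg load`) with commands such as `reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"` and `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"`, and hand the text to `parse_reg_query`; `suspicious_entries` then flags binaries that run from temp or recycle-bin folders, Winlogon Shell or Userinit values that differ from their defaults, and binaries that no longer exist on disk. The Winlogon defaults, the suspect-directory list and the sample output are constructed assumptions for an XP/Vista-era system with C:\WINDOWS as the system root; the optional `exists` callback lets you point the missing-file check at the slaved volume instead of the live C: drive.

```python
"""Triage Windows autostart entries from `reg query` text output.

Added example (editor's code). The sample output below is constructed, and
the Winlogon defaults are assumed values for an XP/Vista-era C:\\WINDOWS install.
"""
import re

# Winlogon values that should hold exactly their defaults (lowercased for comparison).
WINLOGON_DEFAULTS = {
    "shell": "explorer.exe",
    "userinit": "c:\\windows\\system32\\userinit.exe,",
}

# Path fragments a legitimate autostart binary almost never runs from (assumed list).
SUSPECT_DIRS = ("\\temp\\", "\\tmp\\", "\\recycler\\", "\\$recycle.bin\\",
                "\\system volume information\\")

# One value line: indent, name, 2+ spaces, REG_ type, optional 2+ spaces and data.
VALUE_RE = re.compile(r"^\s+(?P<name>.+?)\s{2,}(?P<type>REG_[A-Z_]+)(?:\s{2,}(?P<data>.*))?$")


def parse_reg_query(text):
    """Return (key, value_name, data) triples from `reg query` output.

    Key paths start at column 0; values are indented and separated from their
    type and data by runs of spaces.
    """
    entries, key = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            key = line.strip()
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            entries.append((key, m.group("name"), (m.group("data") or "").strip()))
    return entries


def image_path(data):
    """Extract the executable path from a command line (quoted or not, with arguments)."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    idx = data.lower().find(".exe")
    if idx >= 0:
        return data[: idx + 4]
    return data.split()[0] if data else ""


def suspicious_entries(entries, exists=None):
    """Return (key, name, data, reason) for entries worth a closer look.

    `exists(path) -> bool` is optional; pass one that maps C:\\ onto the slaved
    volume to check for missing binaries offline.
    """
    findings = []
    for key, name, data in entries:
        if key.lower().endswith("\\winlogon"):
            default = WINLOGON_DEFAULTS.get(name.lower())
            if default is not None and data.lower() != default:
                findings.append((key, name, data, "Winlogon value differs from default"))
            continue
        path = image_path(data)
        low = path.lower()
        if any(frag in low for frag in SUSPECT_DIRS):
            findings.append((key, name, data, "runs from a temp or recycle-bin folder"))
        elif exists is not None and path and not exists(path):
            findings.append((key, name, data, "binary not found (dead entry or hidden file)"))
    return findings


# Constructed sample in the format `reg query` prints. The second Run value and
# the Shell value are the kind of entries step 5 is hunting for.
SAMPLE_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SoundMAX    REG_SZ    "C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe"
    svchost    REG_SZ    C:\Documents and Settings\Admin\Local Settings\Temp\svchost.exe -s

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    explorer.exe C:\WINDOWS\system32\sysmon32.exe
    Userinit    REG_SZ    C:\WINDOWS\system32\userinit.exe,
    DefaultUserName    REG_SZ    Admin
"""


def triage_sample():
    """Run the sample through the parser; only the SoundMAX binary 'exists'."""
    known = {"c:\\program files\\analog devices\\soundmax\\smax4pnp.exe"}
    return suspicious_entries(parse_reg_query(SAMPLE_OUTPUT), exists=lambda p: p.lower() in known)


if __name__ == "__main__":
    for key, name, data, reason in triage_sample():
        print(f"{reason}: {key} :: {name} = {data}")
```

Pipe real output in with `reg query ... > run.txt` and read the file into `parse_reg_query`. Anything flagged is a candidate for the HijackThis or Process Explorer look the article describes, and for the registry export-then-delete in step 5; a Shell value of anything but `explorer.exe` is the classic sign of the Winlogon persistence Data Ninja mentions.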

jhinkle

The best method I've found for recovering from Virii problems (and I've seen plenty of them) is to:
1) Install ccleaner, clean all the temp files.
2) Install hijack this, remove all unnecessary bho's and extra startup entries.
3) Shut off system restore. I do this because most virii hide entries in there.
4) Download the mvps hosts file popup blocker. Run the batch file and load the list into your HOSTS file. This will help a lot with adware/spyware that run popups.
5) Install avast av, run updates then a boot time virus scan.
6) When the boot scan is done load safe mode (don't go into normal windows) and run scans and/or clean up any specific registry entries from here. Make sure to do this on all of the profiles in the system. When you run scans you can use Spybot S&D, Adaware and possibly AVG av. I say possibly AVG because they took over Ewido, which was an amazing scanner for being free, but you probably won't need it.
7) Boot back into normal windows and install any system updates.
When I use this method very rarely do I have to do anything else to the drive.

rwbyshe

All good info from the various members. They are all good tips and thoughts for those of us in the support end of things. BUT... Once again we are "treating the symptoms and not the (proverbial) disease". Here's a thought that I think would help us all in a way that truly isn't measurable. Let's get our clients educated a little and suggest things that they can do to prevent getting the "malware" in the first place. Face it, that's where the major portion of the problem is based... the "users" and what they do on the web. I recommend a "10 things" list from TR that addresses things the users can do to avoid these issues. Everything we see is geared towards the IT professionals and very little is written for us to pass on to the "end user". So here's a suggestion for some user based "preventative medicine". Hopefully it will start the ball rolling on things users can do. DO NOT: Click on any popup or link that offers something for nothing, i.e. Free Antivirus Scans; Free Fixes for viruses detected on your PC; etc. These are especially dangerous when they are presented to you on pages that you have been redirected to. Submit your suggestions and hopefully TR will come out with a current listing of "10 Things" to really assist and educate the end user.

nzimmerman67

You need to disable System Restore (XP and Vista) prior to any virus removal attempts. Otherwise, the infections could return, as the corrupted file(s) could be hidden in a restore point.

lastchip

there's nothing wrong with what you're suggesting, but it's very time consuming, particularly, if at the end of your efforts, you have to reinstall anyway. Generally speaking, I only go down that road, if a client has specifically told me to do so and understands the likely financial cost of recovery. My own preferred method is to boot with a Linux live CD, recover any required data (if possible) and reinstall. I've found over the years, it is almost always more cost effective to do it that way and there is no doubt about the integrity of the machine at the end of it.

PurpleSkys

oh here goes my opinion...start with a program called ccleaner...I love it...removes all your cookies, temp files etc...next, download, install, update and run in SAFE MODE (as a lot of malware/spyware will still be running in the background in normal mode) malwarebytes and superantispyware...and I'll be honest, I'm a huge Avast fan, download, install, update, and run (keep in mind it will prompt you to do a boot scan on first reboot after install, please do so; if it finds anything just select either delete or delete all. You should ensure that you are running only one antivirus program as more than one may conflict with each other). Now...at some point you may have to ask yourself "how much is my time worth", I've seen my husband and I spend days cleaning up badly infected systems; there comes a point when it's easier to just back up, wipe and reload (as Balthor suggests)...find a good back up program like norton ghost or acronis (sometimes you can find free trials for some pretty good back up programs). So there's my two cents worth for the moment. Oh...and one of the best things to do is surf safe ;)

reddyworld

Thanks for those steps. Depending on the complexity of the machine, i.e. software, configs, etc., I recommend a call must be made to reinstall the machine within 30-45 mins of the initial troubleshooting process. Having said that, making std images of machines in your environment is a good idea.

BALTHOR

Get yourself a good backup and restore program and at the end of the day erase the drive and restore. It's the only way and it's easy too. You'll have to set up the computer with all of your software first then do a backup. You'll lose any factory partitions but you'll have a brand new computer every day. (Good luck on finding a good backup restore program.)

IC-IT

Nice article. I would also recommend turning off System Restore as one of the first steps. Autoruns is a nice little tool to check all the subtle startup programs and services. As StealthWiFi mentioned BartsPE is an alternative as is UBCD4Win. You can use a CD to build a bootable Windows environment with up to date AV and Anti-Malware definitions. It can also burn an image to a DVD for even more tools at your fingertips.

StealthWiFi

Rather than remove and slave out the drive, I just boot from a live disk (BartsPE built) and go on scanning and fixing from there. Provides the same access slaving would yet a bit more convenient, and less risk of spreading infection to your testing box. Cheers,

PurpleSkys

with some of your opinions, but that's just my opinion.

Sterling chip Camden

There's not a system here I can't wipe and load if I need to -- even the server, because the shared files are on separate drives.

Erik Eckel

Barry, Many of my clients, with critical systems downed by viruses or spyware, never called me before. Worse, they're maybe a five or six PC shop. Such companies, which constitute the bulk of small businesses, have never invested in imaging software, no less the time required to pay someone to create base images. That's simply not an option for many small businesses, including those living reactively (instead of proactively). Hence the time-consuming process to recover infected systems.

Erik Eckel

I've been "slaving" infected hard drives to my specifically designed test machine a couple times a week for three and a half years. My test machine has never been infected.

Erik Eckel

I routinely see antivirus/antispyware scans run natively (versus within a slaved environment) find and remove additional infections on the same hard disk. This is true even when using the same antivirus/antispyware applications with the same updates. That's just been my experience working as a consultant.

akil.hashim

I tend to agree with lastchip. For those of us who do this on a daily basis, saving the data is the most important aspect of this area. But you won't know what you may have until a full scan is done. That takes time. And still then you may still find nothing. But the computer may be showing signs of things like (the firewall being turned off, anti-virus being disabled). Save the data by whatever means you have in your tool kit. Mac or Linux. Then reload to a "clean" system when all else fails.

andywilson2004

I like the common sense of PurpleSkys. I am not into backup programs, more into external drives (BUT NEVER back up limewire or others), where the corrupt drive is slaved to a clean machine. I also use the Linux based cds, but when it becomes uneconomical to repair? After re-installing the drive and taking off the drivers, I will use the CD to disk wipe the drive, overwriting it with random data, then wipe the drive clean after that, before installing Windows with the quick format, as the Windows format does NOT always remove everything that wants to hide. Andy

Erik Eckel

I agree that, in larger organizations, maintaining disk images for various departments and configurations makes sense. Many of my small business clients, though, simply aren't prepared to spend the money necessary to secure the proper required licenses and hardware. And, many times I'm called in to repair corrupted machines after the fact (whereas image strategies require proactive planning, i.e. imaging a corrupted drive doesn't work).

bbarnes

We redirect the users' My Documents folders to individual hidden shares on one of our servers so if we have to restore, no docs are lost. Those shares are backed up nightly to tape too. We recently started using OpenDNS and drive-by infections have stopped and so fewer restores are needed.

jeremial-21966916363912016372987921703527

Believe it or not, I employ something close to this. I use Sun's VirtualBox for when my niece and nephew are over, as they always seem to blow something up. I set up an XP image for them, configured it with the software I would like, and then took a snapshot. When they login to the machine, the virtual machine automatically runs, giving them no access to the physical box. When they shut down the virtual machine, it reverts to snapshot and then logs them out of the account. Thus far, it has worked wonders. Even when I have confirmed an infection on the virtual machine, the problem has not escaped the Sandbox to bother the physical box.

Erik Eckel

Yes, great point bwilmot. Turning off System Restore is very important. Just be sure to enable System Restore once the sanitization is complete!

g3po2

As the prices lower, and more computers allow, within their CMOS/BIOS settings, the capability of booting from a USB device, it is possible to make a bootable USB memory stick. Another advantage to this method is that you can "wipe" the memory stick after using it, and reload the software from a "test" computer known to be free of malware. Just a thought... Aloha from Hawaii, Glenn

j_m_donelson

BartPE and driveimageXML is my friend :)

PurpleSkys

I never back up p2p programs...then again, I don't use p2p programs, too "iffy"...and when I format, I do a full format and fdisk (one of my husband's tricks, it gets rid of pretty much everything).

bbarnes

Using Ghost 2003 I create a locally-stored image in a special FAT32 partition. I create that partition with Norton's GDisk and I hide that partition (also with GDisk) once the image has been made. That way, the image is invisible to DOS and Windows and it should be safe to use to restore an infected machine. When I restore, I delete and re-create the primary partitions (GDisk again) so the restore should be clean.

santeewelding

That way, you see new friends and new places everyday. Your mind is refreshed and you see right through it all.

Data Ninja

I have had a few instances where the malware had made the System Restore tab and .exe where it wasn't accessible. The fix led me to slaving the drive, taking ownership (via the security tab of properties) of the System folder containing the restore points and files, then deleting all of it. Of course, you first have to disable SR on that drive from your currently running OS to accomplish this task.

Sterling chip Camden

Too big an overhead, and if things get wonked I just wipe and load. Of course, you have to maintain a readiness to wipe and load, since Windows gets wonked all the time.

braithwaiteinbritain

Ever come across a drive which has a PCI / BIOS Rootkit? Try removing them. If you attempt to write to the MBR, you can often be given errors, or simply the inability to overwrite or low-level format the drive - even if booted from a linux-live distro, like Knoppix. This is the BIOS / PCI Rootkit at work. To remove it, you will need to perform a low-level format of the drive, but on a second machine. Whilst the drive is out of the first machine, you will need to re-flash the BIOS of this first machine a few times - preferably with different versions of the BIOS (hopefully will be different sizes, which will overwrite different portions of the CMOS storage). At this point, try booting with WinPE, connect up your USB flash drive with the updated firmware of the optical media (DVD/CD drive), and flash this with an updated version of the drive's firmware. If available, flash the NIC's firmware with a new release. Finally, with the original drive on your second PC, and with a low-level format already done, now update the firmware on this drive with a new one (or even multiple versions of the older one) from the manufacturer. That all done, put the hard drive back in the original machine, and rebuild to your chosen OS. BIOS / PCI level rootkits are becoming more common. Refer to: http://theinvisiblethings.blogspot.com/2009/01/why-do-i-miss-microsoft-bitlocker.html http://theinvisiblethings.blogspot.com/2007_03_01_archive.html And here's something of the same kin as the main post: http://blog.nitefall.co.uk/?p=33

Sterling chip Camden

XP wasn't bad -- I only had to wipe and load that about three times in eight years. The versions before that (even NT/2000) it was a once-every-six-months activity. I'm still on the initial installs for Vista, but one of them is getting pretty bad.

OnTheRopes

I've been all over the Internet and have installed a lot of programs for trial and I'm still working on a Windows installation that dates back several years. Everything works as well as if I had a fresh installation. < knocking on wood >
