It's inevitable that clients will infect workstations, PCs, and laptops with spyware and viruses. Regardless of preventive steps, from gateway protection to automated scans to written Internet use policies, malware threats sneak through even layered defenses.
What makes the situation worse is that many clients aren't willing to invest in standalone antispyware software, even though they understand the need for minimal antivirus protection. This is a perfect example of what I call Reactive Rationality. Clients who won't invest in preventive measures find it easier to justify paying three or even four times the cost of prevention to remediate infections once a debilitating disruption strikes their systems or network.
Some IT professionals advocate simply wiping systems and reinstalling Windows, while others suggest that's akin to giving up and letting the bad guys win. The truth lies somewhere in between.
Following tried-and-true methods frequently repairs even heavily damaged systems. I've returned systems to college students that ran as well as they did out of the box, even though some 1,200 lively Trojans, viruses, and worms were active on the machine when it hit my workbench. In other cases, systems with a single sinister and nefarious infection required me to reinstall the operating system. The trick is to discover which method is called for as quickly a possible when encountering an infected client PC.
Here are the virus and spyware steps I find most effective. After making an image copy of the drive (it's always best to have a fallback option when battling malicious infections), these are the steps I follow:
1. Isolate the drive
Many rootkit and Trojan threats are masters of disguise that hide from the operating system as soon as or before Windows starts. I find that even the best antivirus and antispyware tools — including AVG Anti-Virus Professional, Malwarebytes Anti-Malware, and SuperAntiSpyware — sometimes struggle to remove such entrenched infections.
You need systems dedicated to removal. Pull the hard disk from the offending system, slave it to the dedicated test machine, and run multiple virus and spyware scans against the entire slaved drive.
2. Remove temporary files
While the drive is still slaved, browse to all users' temporary files. These are typically found within the C:\Documents and Settings\Username\Local Settings\Temp directory within Windows XP or the C:\Users\Username\App Data\Local\Temp folder within Windows Vista.
Delete everything within the temporary folders; many threats hide there seeking to regenerate upon system startup. With the drive still slaved, it's much easier to eliminate these offending files.
3. Return drive and repeat scans
Once you run a complete antivirus scan and execute two full antispyware scans using two current, recently updated and different antispyware applications (removing all found infections), return the hard disk to the system. Then, run the same scans again.
Despite the scans and previous sanitization, you may be surprised at the number of remaining active infections the antimalware applications subsequently find and remove. Only by performing these additional native scans can you be sure you've done what you can to locate and remove known threats.
4. Test the system
Once you finish the previous three steps, it's tempting to think a system is good to go but don't make that mistake. Boot it up, open the Web browser, and immediately delete all offline files and cookies.
Next, go to the Internet Explorer Connection settings (Tools | Internet Options and select the Connections tab within Internet Explorer) to confirm that a malicious program didn't change a system's default proxy or LAN connection settings. Correct any issues you find and ensure settings match those required on your network or the client's network.
Then, visit 12-15 random sites. Look for any anomalies, including the obvious pop-up windows, redirected Web searches, hijacked home pages, and similar frustrations. Don't consider the machine cleaned until you can open Google, Yahoo, and other search engines and complete searches on a string of a half-dozen terms. Be sure to test the system's ability to reach popular antimalware Web sites such as AVG, Symantec, and Malwarebytes.
5. Dig deeper on remaining infections
If any infection remnants remain, such as redirected searches or blocked access to specific Web sites, try determining the filename for the active process causing the trouble. Trend Micro's HijackThis, Microsoft's Process Explorer, and Windows' native Microsoft System Configuration Utility (Start | Run and type msconfig) are excellent utilities for helping locate offending processes.
If necessary, search the registry for entries for an offending executable and remove all incidents. Then reboot the system and try again.
If a system still proves corrupt or unusable, it's time to begin thinking about a reinstall. If an infection proves persistent after all these steps, you're likely in a losing battle.
What's your method?
Some IT consultants prefer a different strategy from what I outline above; however, I haven't found another process that works better at quickly returning systems to stable operation.
Some IT consultants swear by fancier tricks. I've investigated KNOPPIX as one alternative. And I've had a few occasions where, in the field, I've slaved infected Windows drives to my Macintosh laptop in order to delete particularly obstinate files in the absence of a boot disk.
Other technicians recommend leveraging such tools as Reimage, although I've experienced difficulty getting the utility to even recognize common NICs, without which the automated repair tool cannot work.
What methods do you recommend for removing viruses and spyware from clients' machines? Join the discussion by posting a comment.
Related TechRepublic resources
- 10 ways to avoid viruses and spyware
- 10 ways to avoid IT security breaches
- 10 Faces of Computer Malware
- Product Spotlight: ESET NOD32 Antivirus 4
- Which spyware removal tool do you use? Take the poll.
- E-mail links and attachments: Help stop malware from spreading
- Be prepared for your next Spyware battle with a removal checklist
Erik Eckel owns and operates two technology companies. As a managing partner with Louisville Geek, he works daily as an IT consultant to assist small businesses in overcoming technology challenges and maximizing IT investments. He is also president of Eckel Media Corp., a communications company specializing in public relations and technical authoring projects.