
Locked

Spyware and Virus Cleaning Tutorial. Any ideas what to add?

By cbcats
If you think of some software/step that is needed for this Tutorial that I'm working on, please post it. Thank you. The Tutorial is in a *very rough draft*. Be ready for bad grammar. Please note that the details on how to use the software and the reason for it have been removed for a simple draft version.

How to remove Spyware and Virus:

XP Only

Because spyware and viruses embed themselves into Windows system components like networking and so on, removing them could cause the internet or computer to stop working!!! By following these steps for removing spyware/viruses it is possible, if not likely, that the spyware/virus could break your computer. Happy Hunting!

Before cleaning your computer you should back up your data. Also, download (doing this on a clean computer is very helpful) the following programs: WinSock XP Fix, Belarc Advisor, Ad-Aware Personal, Spybot - Search & Destroy, Windows Defender (Beta 2).


*Note* Unless I say differently, all the steps should be done in safe mode, reached by hitting F8 during the computer reboot.

Back up all data you want to save!!

Install and Run Belarc Advisor

The software creates a local dynamic webpage that has information about hardware, CD-Keys for Microsoft software and so on. If you are having problems displaying the webpage or if Internet Explorer (IE) is broken for some reason, install Firefox from Firefox.com.

Find the software keys Belarc Advisor doesn't pick up!

For some programs you can get the CD-key by going to Help => About. It is very important to get the CD-Key in case the OS/etc dies during spyware/virus removal. After getting the software CD-Keys, check to see if you have all the software CDs needed to reinstall the OS and other software.

Delete Temp, Temporary Internet Files, and Cookies

Why?

Viruses/spyware are downloaded and installed from websites using drive-by installs.

(Must remove all files)

C:\Documents and Settings\(All the user on the PC)\Local Settings\Temp

C:\Documents and Settings\(All the user on the PC)\Local Settings\Temporary Internet Files

C:\Documents and Settings\(All the user on the PC)\Cookies
(*Note* Removing cookies will cause your browser to lose all Saved Username/Password).

C:\WINDOWS\Downloaded Program Files
(checking on)

C:\WINDOWS\Temp
(checking on)

C:\WINDOWS\Offline Web Pages
(May be pointless to have this one)

Remove files/Program Icons from the Startup Menu

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
C:\Documents and Settings\<for each user>\Start Menu\Programs\Startup

Disable System Restore

Why?

This will cause any possible system restore points to be lost; however, spyware/viruses love hanging around in System Restore.

To open System Properties, click Start, click Control Panel, and then double-click System. In the System Properties dialog box, click the System Restore tab and select the Turn off System Restore check box. Click Yes when you receive the prompt to turn off System Restore.

Remove Programs using Add/Remove Programs

Why?

Some software that comes with adware will remove the adware once you remove the software.

Write down the location where the programs you removed are located.

To open Add or Remove Programs, click Start, click Control Panel, and then double-click Add or Remove Programs. Also, try going to the program's Uninstall entry in Start, All Programs, and then in the program's folder. If you don't know if the program is good or bad, try googling the name of the program. Some spyware/virus programs only do a half or fake removal.

After using Add or Remove Programs, go to the Program folder and remove any folders/files that remain.

Run msconfig

Why?

Stops the software from starting up on reboot and possibly reinfecting.

Start -> run -> type msconfig

Do not reboot unless I say!

Click the Startup tab; uncheck all startup items you wish to stop. If you don't know if a startup item is good or bad, try google.com. For example, Vptray is for Norton, but could sometimes be a virus.

Click the Services tab and check Hide All Microsoft Services. Click Disable All. This will disable all non-Microsoft services, as some viruses/spyware could set themselves up as a service.

Click OK. When the small box comes up, click Exit Without Restart.

HijackThis

If you don't know what this does/etc, it is best if you skip this step. HijackThis is a very powerful registry editor and also edits various other files. HijackThis could damage the OS, so best leave it alone unless you know how to use it.


Reboot back into safe mode with networking
(In safe mode there is a minimum of Windows software running; the reason for the above steps is to lessen the BS later on)

Ad-Aware Personal

Install Ad-Aware Personal (www.lavasoftusa.com), update it, and then run it.
Ad-Aware Personal can only remove spyware it knows about!! Update it!!

Update Ad-Aware Personal by using the software updater or the Ad-Aware SE Personal Definition File from www.download.com.

Spybot - Search & Destroy

Install Spybot - Search & Destroy (www.safer-networking.org/en/download/), update it, and then run it (best if run in safe mode).

Update Spybot - Search & Destroy by using the software updater or get the Spybot - Search & Destroy Definition File from download.com.

Windows Defender (Beta 2)

Download Windows Defender (Beta 2). Install it in safe mode if you can. If you can't install Windows Defender in safe mode, reboot the computer in normal mode (unplug the network cable) and install Windows Defender. After installing, reboot back into safe mode with networking. Update Windows Defender by using the ??? (Help icon) -> Check for updates. Read the Windows Defender (Beta 2) tutorial from microsoft.com if need be.

Check the host table

Why?

Some spyware/viruses write to the host table to force the browser/internet connection to go to an incorrect website/IP. The computer checks the host table first to find the IP address of the website; if it's not there, it then goes to DNS to get the IP address of the website. An example of the problem is when you try to visit norton.com, but the host table has the IP address of a hacker website. The browser will go to the hacker website and could infect your computer again. Or they could stop you from updating your antivirus and antispyware.

(In case anti-spyware didn't clean most of it out)

C:\WINDOWS\system32\drivers\etc

Open the file named "hosts" with WordPad.
Enter the following at the bottom:

It should look like this:

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost

Scan for viruses/more spyware by using an online anti-virus scanner!!


Trend Micro HouseCall Online Anti-virus scanner will help remove what it finds.

Norton Online Scanner: Norton will not remove the files for you. You need to find the location and delete the files by hand. Click the Symantec Security Check
http://security.symantec.com/sscv6/default...id=ie&venid=sym

If spyware/viruses are found, rerun the scan until you find none.

Run a rootkit scanner

RootkitRevealer: http://www.microsoft.com/technet/sysinternals/Security/RootkitRevealer.mspx

Why?

A rootkit is software that attempts to hide its presence from scanners and system management utilities. Rootkits can execute in user mode or kernel mode.

Playing hook with the network connection


If you lose your network connection during any of these steps, try running WinSock XP Fix. This should replace the stack for the network, hopefully fixing it. The spyware/virus may have edited the software for the network connection, and removing the spyware/virus destroyed the software.

You may need to reinstall your OS or drivers

You may need to reinstall the OS on top of itself, or you may need to wipe everything and reinstall a clean copy of the OS. You need the Windows CD-key for both options. For the drivers, you need to test them in order to find out if they are working or not; have fun in this step.

Reinstall anti-virus and scan your computer

Please note that the spyware/virus may have disabled or killed your anti-virus!! You may need to remove the anti-virus and reinstall it, then update and rescan for viruses/spyware. Go to the antivirus website to find the tool to fully remove the antivirus.


Scan the Hard Drive for Errors (scandisk)

Scan Disk will take some time; best go do something else for a few hours after the scan has started. It could take longer if it's a larger hard drive.

Update Windows

Updates, Updates, Updates, and more updates.

Defrag the hard drive
(Run Scandisk first!! This step will take some time)

Before starting Defrag you should be in safe mode, or if you're in normal mode, stop all unnecessary programs that are running. Disk Defragmenter needs a minimum of 15% free space on the hard drive in order to defrag.

Misc


Enable System Restore
Enable Services in msconfig
Enable Startup items in msconfig
Clean dust from the computer

<<<<adding more later>>>>>

Please say if it needs added steps and what/where they need to be.
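As an added example (not part of cbcats' post), here is a small Python check for the "Check the host table" step above: it parses a hosts file, flags every mapping other than the default localhost line, and rebuilds the file the way the post shows it. The sample hosts content, hostnames and the 203.0.113.45 address are constructed for the demonstration.

```python
import ipaddress
# Constructed sample (not from the post): default localhost line plus hijacked
# entries of the kind the tutorial warns about.
SAMPLE_HOSTS = """\
# 102.54.94.97     rhino.acme.com          # source server
127.0.0.1       localhost
203.0.113.45    www.norton.com
203.0.113.45    liveupdate.symantec.com   # sent to an attacker-controlled box
127.0.0.1       windowsupdate.microsoft.com
"""

LOOPBACK = {"127.0.0.1", "::1"}

def parse_hosts(text):
    """Return (line_no, ip, [names]) for each active mapping; comments dropped."""
    entries = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # strip trailing '#' comments
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue                           # malformed line, not a mapping
        entries.append((no, ip, names))
    return entries


def find_suspicious(text):
    """Flag every mapping except 'localhost' -> loopback."""
    # A real hostname at loopback silently blocks that site (typically an AV or
    # update server); one at a routable address goes to whoever owns it. Caveat:
    # hosts-based ad blockers add deliberate loopback entries, so review the
    # list rather than deleting blindly.
    findings = []
    for no, ip, names in parse_hosts(text):
        for name in names:
            if name.lower() == "localhost" and ip in LOOPBACK:
                continue
            reason = "blocked via loopback" if ip in LOOPBACK else "redirected to " + ip
            findings.append((no, name, reason))
    return findings


def clean_hosts(text):
    """Rebuild the file as the tutorial shows it: comment header plus localhost only."""
    header = [l for l in text.splitlines() if l.lstrip().startswith("#")]
    return "\n".join(header + ["", "127.0.0.1 localhost"]) + "\n"
```

On a real XP box the text would come from C:\WINDOWS\system32\drivers\etc\hosts, and clean_hosts output should only be written back after the flagged entries have been reviewed.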


7 total posts (Page 1 of 1)  

Replacement for msconfig

by eikelein In reply to Spyware and Virus Cleanin ...

Hi cbcats;
I hope you get lots of help with streamlining this VERY good approach! I do this sort of thing semi-professionally every day of the week; you have it pat down straight!

The only technical suggestion I have:

Do not suggest to possibly inexperienced people to use MsConfig. What a clumsy tool; IMHO needs way too much know-how on the users side. Why not (for this purpose only!) use Ccleaner? You find the latest version always here:
http://www.filehippo.com/download_ccleaner/

This little thing has helped me a lot! They even have their own web site with all the info about it (and then some): http://www.ccleaner.com

Keep up the good work.
Oh, BTW, if you want help in smoothing grammar and language, I am volunteering.

Regards
eikelein


Get Rid of Windows

by mogrady111 In reply to Spyware and Virus Cleanin ...

By the time you get rid of all the viruses, malware, spyware, rootkits, and whatever, and then reinstall, you could have installed whatever version of Linux you like. Freespire seems to work on most Windows machines, and you're done, safe, and secure.

Goodbye Bill!


Linux

by normhaga In reply to Get Rid of Windows

Have you read Phrack #63? Linux can be installed with malware without administrative privileges.


Details on Phrack #63

by mogrady111 In reply to Linux

Would appreciate details or a link to whatever Phrack #63 is.


Way to go!

by holmescd In reply to Spyware and Virus Cleanin ...

Nice in-depth coverage of this topic, cbcats! I do this for a living and "you've hit the nail on the head".

I, for one, would like to see your final version. I see you've already gotten a volunteer to assist with compiling your final version; I also would like to lend any assistance needed.

I agree with eikelein that Ccleaner is great, and Sysinternals' AutoRuns can't be beat for killing running processes and identifying garbage.

I also install SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.htm ) to help keep the garbage off the machines I maintain.

In addition, ERUNT (http://www.majorgeeks.com/download1267.html) is one of my favorite "toys"; it performs a daily backup of WinXP and Win2K registries, and it's very easy to restore the current registry from within the Recovery Console. This has saved my bacon on more than one occasion.

Best of luck to you- holmescd


I'll be adding that to another Tutorial

by cbcats In reply to Way to go!

Sorry for the very late reply. I will be adding SpywareBlaster and ERUNT to another Tutorial for keeping the computer safe before getting spyware/etc.


A few notes

by Dumphrey In reply to Spyware and Virus Cleanin ...

HijackThis has a logfile analyzer on the main site that is based on a fairly large user database, and an active community. As for virus scanning, Knoppix 5.1 and ClamAV are where I start. Though recently I have been testing a BartPE disk on a CD-RW that I can update virus definitions on manually with any net-connected box and a CD burner. Very comprehensive guide. I would have missed several steps you mention simply because I assume everyone already has serials and keys documented (I know, I know, but I can dream). Though, whenever I reinstall my OS, I write zeros to the drive with either the disk utilities or Ghost 2003. And I always create a bootable DVD with my OS as a clean install on it for each new computer I get. I install and set up drivers and basic common programs, then burn the DVD. Later, I can spend extra time zeroing the drive since I have condensed 3 hours of installs, reboots and configs to a 25 min re-ghost.
