How to get rid of spyware/viruses

Discussion in 'Networking and Security' started by paulxx, Sep 5, 2008.

  1. paulxx

    A few threads have mentioned the current plague of 'antivirus popups' and also loss of desktop settings tab and other problems.

    A customer had one of those this afternoon and I've had a half dozen or more in the last two or three weeks.

    I do it manually, which also speeds the whole system up, but before summarizing how to do that, I'll suggest one-click solutions for immediate relief for completely non-tech people, which may or may not work - but at least it's easy....

    First download this: www.malwarebytes.org and save to your desktop.

    Also download this: http://siri.geekstogo.com/SmitfraudFix.php
    also to your desktop. Even if the 'Smitfraud' type malware is not your problem it runs a fixup procedure that will restore your desktop settings tab and other settings without you twiddling with the system registry (as long as the spyware is not active, i.e. run this after the other one). I use it quite often.

    You can run them normally, or better, you can go into 'Safe Mode' by restarting your computer and either (people tell me) by continually hitting F8, hoping it doesn't conflict with a BIOS function; or the surefire way of pressing and holding the power button for 4 seconds (to force a rough shutdown) while the moving LED Windows startup is in progress, followed by powering up again and moving the up/down arrows to the 'Safe Mode' option when presented. Normally this is not good for your disk, but right now we don't care and can run a disk check afterwards.

    After running the two programs, restart and reset your theme to standard by right clicking the desktop>Properties. Sometimes a lingering 'antivirus' image is just your desktop background picture.

    This might solve at least some of the current crop of 'antivirus' popup problems, but if you want or need the full job I charge for every day, here is the basic procedure:

    In addition to the above: download 'HiJackThis!' http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download

    Also download CCleaner: http://www.ccleaner.com/

    You may also need 'winsockxpfix': http://www.snapfiles.com/download/dlwinsockxpfix.html

    Before beginning, you would be better off uninstalling Norton/Macafee (and unfortunately now AVG) or any other complex 'security' suite. They almost always slow things down massively and/or become part of the problem. Search my other posts for links to special removal tools if you have any problem uninstalling. Restart.

    Then, go into Safe Mode as described above. Then go Start>Run (in Vista use the Windows Search box above the start button) and enter 'msconfig' (without the quotes). This gets the easy superficial stuff: go to the Startup tab and untick everything (if you have not removed Norton/Mac etc. you are on your own sifting through which ones to untick or not).

    Then go to the 'Services' tab and make sure the tickbox (above the OK button) 'Hide All Microsoft Services' is ticked. All of the remaining entries should be unticked except: 'Office Source Engine' (if present) and maybe a printer related entry (especially 'Lexbce') and maybe 'synaptics' touchpad stuff. Anything mentioning 'HD Audio' can also be left. You can always retick later if something stops working. Click OK. Ignore/refuse any restart prompts.

    Now run HiJackThis! and click 'Do a System Scan'. You will then see pages of junk entries, all you need are a handful - tick everything else (to remove) leaving only any possible printer related entries, anything mentioning ..windowsupdate..., any licensing services for specialist software (eg adobe) and Synaptics touchpad entries. You can always reinstall a printer (though never tick/remove 'Lexbce server'). Vista users can leave more entries - my cleaned up HP vista laptop has a few innocent ....Internet Explorer/Main..Start.. Page entries. Also an entry containing .... 'Hosts' and another containing ...'Gopher'.

    Click on 'Fix checked' and respond with OK if prompted about BHO entries.

    Run HiJackThis! again and check for any stubborn entries, particularly random looking names with a .dll or .exe suffix, often but not always located in the C:\Windows\System32 folder. These are viruses and if they can't be removed using HiJackThis! there is a more difficult operation necessary. Sometimes a complete reinstall is necessary if these have damaged the system and things aren't right even after a cleanup.

    You can now run CCleaner. With the 'Cleaner' button selected the left pane entry under Advanced, 'Old Prefetch data' can be ticked. Also (assuming you removed 'security' suites earlier and restarted after that) select the Options button on the left Tab>Advanced> untick 'Only delete....48 hours'. Now go back to the 'Cleaner' side tab/button and click 'Run Cleaner'. Probably you will then remove a few hundred MBs of junk files.

    I have also found that the current crop of popups create a folder in C:\Program Files, but be careful not to delete an essential program. Inside the folder is an installer for the malware. Delete nothing if in doubt.

    Restart the computer and for 90% of you all will be well. Reset your Theme to standard and reset Internet Explorer (Tools>Internet Options>Advanced). You could also run winsockxpfix if there is still any Internet trouble.

    Open CCleaner and choose the 'Registry' side tab and then 'Scan for Issues' followed by 'Fix Selected Issues' (ignore backup prompts) and choose Fix all. Repeat a couple of times.

    Also, go to Control Panel>Internet connections. Right click>Properties on any Local Area or Wireless connection. Highlight and uninstall any entry except these four: 'Client for Microsoft..', 'File and Printer Sharing', 'QOS Packet...' and 'Internet Protocol (TCP/IP)'. On a wireless connection go through the tabs and make sure a 'Use Windows to configure wireless' option is ticked.

    You can repeat this whole procedure again if necessary and restart.

    If you still have stubborn entries in HiJackThis, then removal is not easy. You could just install Antivir (see below) and manually scan, but things can get complicated once viruses are already active and embedded. There are brute force removal programs but I don't use them.

    The way I do it is to make a note of the virus names and location from HijackThis, then boot the system using 'Ultimate Boot CD' for Windows (http://www.ubcd4win.com). This allows the system to run, albeit slowly, from a CD and allows access to the hard disk in order to delete the noted files manually. You could use a Linux CD also. Another way I use is to remove the laptop or desktop hard drive and put it in a USB external enclosure. This can be plugged into a good computer and the files manually deleted. It is often good to look at C:\Windows and C:\Windows\system32 and sort by date. Usually the newest files, especially if using random looking names, are viruses, but some judgement and risk is involved; to be on the safe side just delete the noted files. There are also USB to IDE and/or SATA cables you can buy which just plug into the bare hard drive without placing it in an enclosure.

    Once your system is functional, don't go back to bloatware security suites, use the free Avira Antivir, http://www.free-av.com along with Spybot (1.4 recommended for now - http://www.tucows.com/preview/310138 - only version 1.6 is at spybot.com). Don't use 'SDHelper'/'immunize', just scan weekly. Spybot 1.4 is still the best basic spyware remover as far as I'm aware. Also go to Control Panel>Windows Firewall to make sure it is turned on (do allow exceptions). If you have a router, that acts as a double hardware firewall and no other firewall is necessary anyway. Once the antivirus is up and updated, do a one-off manual scan of your whole system, thereafter it will protect you in the background and update itself. Also do a one-off error check on the C:\ drive: Go to My Computer, right click the C drive>Properties>Tools>Error Check. Tick the top of the 2 tick boxes only, restart. It is then safe to defragment.

    If you have decided a reinstall is the way forward and you have the disc or preinstalled Recovery feature (often F10 on startup), make sure you do a destructive reinstall that formats the disk and loses your data (which should be backed up). The other non-destructive way just overwrites Windows and leaves viruses in place. If you haven't got the disk, you could download a torrent from piratebay, mininova or demonoid, search for 'XP SP3' and choose one with a high number of sharers. Read sharer comments first.
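One way to automate the triage part of the procedure above (review the autostart entries, then sort System32 by date looking for random-looking names), as an added PowerShell example that is not from the thread or from any of the tools it names. It assumes PowerShell 5 or later, is saved as a .ps1 and run from an elevated prompt, and only reads and reports; the decision to delete anything stays with you.

```powershell
# Added triage script (not from the thread or any tool it names): list the
# Run/RunOnce autostart entries and flag what the post says to look for:
# random-looking executable names and recently modified files in System32.
# Assumes PowerShell 5+ and only reads and reports; it deletes nothing.
param([int]$RecentDays = 14)

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Heuristic for "random looking names": a vowel-free run of letters and
# digits, or three or more digits. Flagged names are candidates, not verdicts.
function Test-RandomName([string]$Name) {
    $base = [IO.Path]::GetFileNameWithoutExtension($Name)
    return ($base -match '^[a-z0-9]{6,}$' -and $base -notmatch '[aeiou]') -or
           ($base -match '\d{3,}')
}

# Pull the executable path out of a command line such as  "C:\x\y.exe" /arg
function Get-ExePath([string]$Command) {
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($Command -split '\s+')[0]
}

$findings = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # provider metadata, not an entry
        $exe  = Get-ExePath ([string]$p.Value)
        $file = if ($exe) { Get-Item -LiteralPath $exe -ErrorAction SilentlyContinue }
        [pscustomobject]@{
            Key        = $key
            Entry      = $p.Name
            Path       = $exe
            Exists     = [bool]$file
            RandomName = Test-RandomName ([IO.Path]::GetFileName($exe))
            Recent     = [bool]($file -and $file.LastWriteTime -gt (Get-Date).AddDays(-$RecentDays))
            InSystem32 = $exe -like "$env:SystemRoot\System32\*"
        }
    }
}
$findings | Sort-Object RandomName, Recent -Descending | Format-Table -AutoSize

# The post's "sort C:\Windows\System32 by date" check, newest first
Get-ChildItem "$env:SystemRoot\System32\*" -Include *.exe,*.dll -File |
    Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-$RecentDays) } |
    Sort-Object LastWriteTime -Descending | Select-Object Name, LastWriteTime
```

Entries that show RandomName or Recent as True and Exists as False (a Run entry pointing at a file that is already gone) are the ones worth checking against the HiJackThis! scan before removing anything.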
     
  2. spywareblaster.com does an excellent job of PREVENTING things from ever getting into your system.
     
  3. Hijackthis is absolutely not for amateurs...

    In some instances I have been helping people where "nothing seemed to work". In the end I booted from the Windows installation CD and removed the last incessant spyware from the system.


    If you are serious about system stability and security - run something other than Windows. I suggest Debian Linux as the most secure, hassle free and stable system. Running Java programs is just as easy on Linux as on Windows.
     
  4. paulxx

    Even if you untick everything using HiJackThis you don't need to be concerned: it won't spoil any essential services; you might have to reinstall a printer or something.

    I spent weeks going through loads of Linux distributions; the best one for ordinary users I found was 'DreamLinux'. My wife used it for many months, but I finally dumped it for XP. There is just more technical work involved to keep it working and updated.

    On free market/private property grounds, I agree with the theory of freedom software and oppose the monster copyright monopoly corps like MS. But in practice Linux operates in a reverse legal framework lacking even a little market discipline and supremacy of users - except in the server area. There are some great guys developing Linux but also a lot who won't listen to obvious improvements because they think they are doing the user a favour and they know better.

    In practice, Linux is useless to any trader, or anyone with specialist software requirements as the applications are all designed for Windows. Even Java apps cannot be guaranteed to work (and stay working) on Linux as they do with Windows.

    The real elephant in the living room is that it is not free Linux vs. pay Windows but free Linux vs. 'bootleg' free fully activated Windows. Emotionally involved Linux people may not like this and can end up supporting the copyright laws they claim to oppose. But civil disobedience by millions of file sharers also contributes to freedom.

    For those interested in the subject here is a good short podcast: http://www.lewrockwell.com/podcast/?p=episode&name=2008-09-23_032_ip.mp3
     
  5. Do all that - or just get a Mac!

     
  6. Don't look at/watch porn on your trading machine(s) ;)
     
  7. Paulxx, is it worthwhile to get the paid version of Avira? It includes anti-spyware.
     
  8. Moving to *NIX OS (Mac, Linux, whatever) is the best way to really get rid of spyware/viruses...
     
  9. IWB

    Saturnine: "Don't look at/watch porn on your trading machine(s) ;)"
    Spot on! Or casual browsing for that matter; machines are cheap enough to keep one machine strictly for trash browsing.
    I do not recommend Hijack-this for the untrained. If you must try Hijack-this then do this: On a new install or on a machine that has never exhibited signs of malware troubles run Hijack-this and check all findings to the ignore list. From then on if you install any new software or peripheral support software run Hijack-this immediately afterwards and add any new entries to the ignore list.
    You may have to do the same with Java updates or the occasional MS freebie that comes via MS updates.
    Then when you become aware of a threat to your machine, running Hijack-this MAY (I stress may) flag the threat's handle.
    There are a good many free tools written for a single specific threat; coolwebshredder to spywarequake and the smitfraud families of malware to name but three.
    For free: Spywareblaster, Spybot S&D and Ad-Aware. For pay I have no recommendations, this is not a spam site is it?
    You may run a selection of the free anti-malware applications on your machine and keep them up to date; it's important. If you are unfortunate enough to suffer a malware infection you may find that what Norton misses Spybot picks up and vice-versa.
    Some threats are specifically written to target and disable certain AV suites or scan applications.
    Above all do not panic and start deleting everything that you don't like the look of; your machine will become a basket case within an hour if you do.
     
  10. CFerret, did you mean UNIX OS? If so, I agree, but the only glitch is that it is not as user-friendly as Windows. :(

    "Spybot" is another software that is considered helpful and effective (read in ET forums too), what is your opinion on this?
     
    #10     Nov 12, 2008