Bug Security Software Worms

Stubborn Spyware Removal Advice? 223

onedobb asks: "I'm sure all of us are familiar with Lavasoft's Ad-Aware and Spybot Search and Destroy; however, there always seems to be that particular piece of spyware or malware that slips past both of those programs (even with the most recent definition updates and virus definitions). What program combinations or websites do you use to uproot that last bit of unwanted software intrusion?"
  • HijackThis + Google (Score:5, Informative)

    by tansey ( 238786 ) on Friday January 27, 2006 @12:41AM (#14576077) Journal
    Most of the time if you simply run HijackThis and then search google for any of the suspicious log entries, you'll quickly be directed to a page where someone had a similar log entry, and you'll find out if it's malicious or not.
  • Well.... (Score:5, Informative)

    by _Sharp'r_ ( 649297 ) <sharper@@@booksunderreview...com> on Friday January 27, 2006 @12:44AM (#14576094) Homepage Journal
    HijackThis [majorgeeks.com]

    Vundo removal tool [symantec.com]

    Some Free removal tools and the Bitdefender Live CD [bitdefender.com]
  • AVG anyone? (Score:3, Informative)

    by TheMotedOne ( 753275 ) on Friday January 27, 2006 @12:45AM (#14576099) Homepage
    I use a combination of both the previous programs mentioned and the AVG anti virus program and haven't had any problems in 2 years. Download link [grisoft.com]
  • by iMaple ( 769378 ) on Friday January 27, 2006 @12:45AM (#14576100)
    As they say, prevention is the best cure. Repartition the HD (if you are paranoid about rootkits) and use Linux, or make sure you don't install random stuff if you choose Windows (and stay away from IE).
  • Spyware (Score:4, Informative)

    by queenb**ch ( 446380 ) on Friday January 27, 2006 @12:46AM (#14576104) Homepage Journal
    We use a product called CounterSpy with a trial available here - http://www.sunbelt-software.com/CounterSpy.cfm [sunbelt-software.com]

    We use this at a university on lab computers that are available to the public, as well as desktop machines, laptops, etc. So far, I'll say that we've not encountered anything we know about that it hasn't handled.

    2 cents,

    Queen B
  • by tansey ( 238786 ) on Friday January 27, 2006 @12:48AM (#14576121) Journal
    For those who don't know about it, you can read up on HijackThis here [spywareinfo.com] and the direct link to the zip dl can be found here [merijn.org].
  • Prevention (Score:4, Informative)

    by mnemonic_ ( 164550 ) <jamec@umich. e d u> on Friday January 27, 2006 @12:49AM (#14576129) Homepage Journal
    1. Run Windows as a normal user, not as an administrator.
    2. Use Mike's ad-blocking hosts file [everythingisnt.com].
  • Comment removed (Score:2, Informative)

    by account_deleted ( 4530225 ) on Friday January 27, 2006 @01:03AM (#14576201)
    Comment removed based on user account deletion
  • by DongleFondle ( 655040 ) on Friday January 27, 2006 @01:30AM (#14576349)
    Ad-Aware and Spybot Search and Destroy are your best place to start, but I understand your frustration. Probably three out of the last four times I've dealt with a spyware-infested machine they didn't completely do the trick on their own.

    Install and run Ad-Aware and Spybot S&D, making sure you update the programs and select to perform deep scans (within archives, etc.) in the custom scan options. This will probably remove most of the easiest and most common exploits. Reboot.

    Go through your Add/Remove Programs menu and try removing any programs you can identify as spyware. If the programs didn't come with an uninstaller, I would have to officially recommend you do not go through any of their steps to download one and run it. I have tried this in the past with mixed results. Some of these programs truly were just severely annoying adware that actually removed themselves at the end of this lengthy process, but some were truly malicious and simply installed MORE spyware after running the uninstaller. I recommend you don't risk this.

    Open up the Task Manager and go through each and every process, researching if need be [google.au]. I use groups.google.au to get the older version, which seems to provide more relevant results. Kill any processes that you find are suspicious. Hell, kill any processes you can't identify as normal Windows OS or application processes. I dealt with an instance of spyware once that executed two randomly named processes that protected the spyware from removal. If you killed one process, the other would immediately respawn it.

    Go through all of your startup locations:

    C:\WINDOWS\Start Menu\Programs\StartUp
    C:\WINDOWS\All Users\Start Menu\Programs\StartUp
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Start --> Run --> msconfig --> Startup tab

    Once again, go through each and every item and delete or disable everything that you can identify as malicious. It's likely that when searching you will run across others who have dealt with the same spyware issues in the past and have had to figure out how to remove them.

    Run your Adaware and Spybot S&D scans again. Reboot. Test your machine to see if the spyware is still there. Still have problems?

    Download and run HijackThis [spywareinfo.com]. Pore through your log once more, or alternatively post it to one of the many forums [google.com.au] where professionals are willing to lend you a helping hand. At this point, you may also want to consider downloading and running RootkitRevealer [sysinternals.com].

    Also, try rebooting into safe mode and running your scans. Even though you are in safe mode, you should still monitor and kill processes that are suspicious. Remember, Sony's Rootkit came complete with a safe mode driver.

    If all of this hasn't worked, then I suggest you back up your data, scan it for viruses, and do a low level format with a utility such as Killdisk [killdisk.com]. Now that you have to reinstall your OS, perhaps now is the perfect time to make the Linux switch [linuxiso.org].
  • It's easy... (Score:5, Informative)

    by Izago909 ( 637084 ) <.moc.liamg. .ta. .dogsiuat.> on Friday January 27, 2006 @01:40AM (#14576396)
    Build a Barts PE disc with the following:

    Ad-aware
    McAfee
    Registry Editor PE
    Winsockfix
    LSPfix
    Hijackthis

    Begin by going through each user's directory in Documents and Settings. Delete the Cookies directory, then every directory in Local Settings except Application Data. Then go to the Windows directory and delete the contents of the following directories: Downloaded Program Files, Prefetch, and Temp. Then finish by going to the root dir and deleting the contents of the System Volume Information and Recycler folders. This will clear out the majority of the places malware hides and the code that reactivates any remaining nasties on boot. Also pay very close attention to any DLL and EXE files in the Windows directory. With a few important exceptions, only malware places libraries and executables in the Windows directory. Generally, if you right-click the file, choose Properties and it shows detailed copyright info for a legitimate company, the file is safe; if not, change the extension to BAK and remember to change them back if your software has problems.
    Then start Regedit PE and load the remote registry files including all user hives. It will launch regedit after they are loaded. Remove all spyware keys in the Software subkeys, and then remove the autorun strings from Run, RunOnce, and RunOnceExec locations. Do NOT close regedit when you're done or it will save the changes. While regedit is still running, run a complete system scan with adaware. When adaware is done, close it then close regedit. Next run McAfee to get trojans and viruses. Before shutting down, it's a good idea to run chkdsk just for good measure.
    On reboot, start in safe mode (no network support). Run LSPfix and remove any bad LSP entries (such as newdotnet); most known bad things are automatically put in the right window. If you are unsure about something, google it. Be careful or you could destroy your network layer. Then run Winsockfix to repair winsock. Then run HijackThis to remove all other unnecessary stuff, but pay attention to path names so as NOT to remove good things like antivirus/antispyware/firewall entries. Log out (not switch user) and run HijackThis in each user's account.
    Reboot in safe mode with networking, install, update, and run spybot and adaware. Update any installed antivirus software, and run a final scan. Reboot again, but in normal mode, and run scans again to verify you don't have any persistent malware. If the scans come up clean, your work is done; if not, remove them, reboot, scan again, and if they still come back, cut your losses and restore the machine.

    PS: I do this several times a day and have seen about every type of malware out there. Believe it or not, MS antispyware will pick up stuff that adaware, spybot, and webroot leave behind. Even if you don't want to use it, you can't do wrong by installing, updating, scanning, then uninstalling when done. MooSoft's The Cleaner and Bazooka can also help you remove persistent trojans.

    Good luck.
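    Both of the long posts above walk the same autorun locations (the Run/RunServices keys for the machine and the user, plus the Startup folders), one on the live box and one from a Bart's PE disc with the registry hives loaded offline. The script below is an added example, not code from either poster: it enumerates those locations on the running system or on SOFTWARE/NTUSER.DAT hives mounted from a rescue environment, resolves each command line to its executable and reports who Authenticode-signed it, so the unsigned entries stand out. It assumes an elevated PowerShell 3.0 or later prompt; the hive paths, the drive letter D: and the temporary key names OfflineSW/OfflineUser are placeholders.

```powershell
# Added example; not code from the thread. Walks the autorun locations named in
# the two posts above (Run/RunOnce/RunServices keys, Startup folders) either on
# the running system or on SOFTWARE/NTUSER.DAT hives loaded from a rescue
# environment, and reports who Authenticode-signed each referenced executable.
# Run from an elevated PowerShell (3.0+) prompt. All hive paths are placeholders.
param(
    [string]$OfflineSoftwareHive = '',   # e.g. 'D:\Windows\System32\config\SOFTWARE'
    [string]$OfflineUserHive     = '',   # e.g. 'D:\Documents and Settings\bob\NTUSER.DAT'
    [string]$OfflineDrive        = ''    # e.g. 'D:' when the offline C: is mounted as D:
)

$runSubkeys = 'Run', 'RunOnce', 'RunOnceEx', 'RunServices', 'RunServicesOnce'

function Resolve-CommandImage {
    # Extract the executable from a Run-key command line. Quoted paths are taken
    # verbatim; for unquoted ones the longest prefix that exists on disk wins,
    # so 'C:\Program Files\x\y.exe /flag' resolves correctly.
    param([string]$Command)
    if ([string]::IsNullOrWhiteSpace($Command)) { return $null }
    $c = $Command.Trim()
    if ($c.StartsWith('"')) {
        $end = $c.IndexOf('"', 1)
        if ($end -lt 1) { return $null }
        $c = $c.Substring(1, $end - 1)
    }
    $c = [Environment]::ExpandEnvironmentVariables($c)   # expands against the LIVE environment
    if ($OfflineDrive) { $c = $c -replace '^[A-Za-z]:', $OfflineDrive }
    $candidate = $c
    while ($candidate.Length -gt 0) {
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
        $i = $candidate.LastIndexOf(' ')
        if ($i -lt 0) { break }
        $candidate = $candidate.Substring(0, $i)
    }
    return $null
}

function Get-SignerInfo {
    param([string]$Path)
    if (-not $Path) { return '(image not found)' }
    try {
        $sig = Get-AuthenticodeSignature -FilePath $Path -ErrorAction Stop
        if ($sig.Status -eq 'Valid') { return $sig.SignerCertificate.Subject }
        return "($($sig.Status))"      # NotSigned, HashMismatch, UnknownError...
    } catch { return "(error: $($_.Exception.Message))" }
}

function Get-RunKeyEntries {
    # $SoftwareRoot plays the role of HKLM\Software or HKCU\Software.
    param([string]$SoftwareRoot)
    foreach ($sub in $runSubkeys) {
        $key = "$SoftwareRoot\Microsoft\Windows\CurrentVersion\$sub"
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -in 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider') { continue }
            $img = Resolve-CommandImage ([string]$p.Value)
            [pscustomobject]@{ Location = $key; Name = $p.Name; Command = [string]$p.Value
                               Image = $img; Signer = Get-SignerInfo $img }
        }
    }
}

function Get-StartupFolderEntries {
    param([string[]]$Folders)
    $shell = New-Object -ComObject WScript.Shell
    foreach ($f in $Folders) {
        if (-not (Test-Path -LiteralPath $f)) { continue }
        foreach ($item in Get-ChildItem -LiteralPath $f -File -Force) {
            # Startup items are usually .lnk files; check the target, not the shortcut.
            $img = if ($item.Extension -ieq '.lnk') { $shell.CreateShortcut($item.FullName).TargetPath } else { $item.FullName }
            [pscustomobject]@{ Location = $f; Name = $item.Name; Command = $img
                               Image = $img; Signer = Get-SignerInfo $img }
        }
    }
}

$results = @()
if ($OfflineSoftwareHive) {
    # Mount the offline hives under temporary keys. 'reg unload' fails while the
    # registry provider still holds handles, hence the GC call first.
    reg.exe load HKLM\OfflineSW "$OfflineSoftwareHive" | Out-Null
    $results += @(Get-RunKeyEntries 'HKLM:\OfflineSW')
    if ($OfflineUserHive) {
        reg.exe load HKU\OfflineUser "$OfflineUserHive" | Out-Null
        $results += @(Get-RunKeyEntries 'Registry::HKEY_USERS\OfflineUser\Software')
    }
    [gc]::Collect()
    if ($OfflineUserHive) { reg.exe unload HKU\OfflineUser | Out-Null }
    reg.exe unload HKLM\OfflineSW | Out-Null
} else {
    $results += @(Get-RunKeyEntries 'HKLM:\Software')
    $results += @(Get-RunKeyEntries 'HKCU:\Software')
    $results += @(Get-StartupFolderEntries @([Environment]::GetFolderPath('Startup'),
                                             [Environment]::GetFolderPath('CommonStartup')))
}

# Unsigned or unresolvable images are the ones worth a search engine query.
$results | Sort-Object Signer | Format-Table Location, Name, Image, Signer -AutoSize -Wrap
```

    Two caveats when running it against offline hives: environment variables in the command lines (%SystemRoot%, %ProgramFiles%) expand against the rescue environment, not the infected install, and many Windows components are catalog-signed rather than embedded-signed, so on older PowerShell versions they show up as NotSigned. Treat NotSigned in a system directory as "verify in Autoruns or Process Explorer", not as proof of malware. The script only lists; removing a value is `Remove-ItemProperty` on the key once you are sure.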
  • Ewido Security Suite (Score:3, Informative)

    by Anti_Climax ( 447121 ) on Friday January 27, 2006 @01:57AM (#14576481)
    Ewido Security Suite [ewido.net] has helped me remove some pretty nasty stuff that the others didn't even recognize, but the more eyes scanning your system the better.
  • by greg1104 ( 461138 ) <gsmith@gregsmith.com> on Friday January 27, 2006 @02:20AM (#14576575) Homepage
    Finally, someone actually answering the question. It's been months since I had a spyware infection that either Ad-Aware or Spybot were really helpful for; those programs are now obsolete in my opinion. HijackThis and such are great tools, but with the multi-level spyware infections nowadays (BHO + Windows service + constantly reloaded DLL) it's a bear to try and nail everything at once even with it.

    I second the recommendation for Ewido for cleaning out nasty infections. The best part is that if your IE still works, you can use their beta free online scanner [ewido.net] to try and clean things up.

    I've also had success with the somewhat cryptic but powerful Adware Away [adwareaway.com], which was the only thing I ever found that killed the nastier "about:blank" infections. There used to be a free version of that, but apparently they realized most people ran the program once and never bothered with registering it afterwards. Well worth the $30 if you have one of the infections listed on their site that they kill.

    Finally, it's worth mentioning Microsoft's Anti-Spyware package. While it isn't particularly good at killing nasty infections, the proactive tools they include do help at stopping re-infection. For example, when fighting the multi-layer spyware programs, it can stop the service/startup/DLL/BHO sections from re-installing themselves so that you can knock them out one at a time.
  • Re:Prevention (Score:2, Informative)

    by Bios_Hakr ( 68586 ) <xptical@g3.14mail.com minus pi> on Friday January 27, 2006 @02:21AM (#14576578)
    An Ad-Blocking Hosts file is a dumb suggestion. If you can modify the Hosts file, what makes you think that a program you launch can't modify the same file?

    And before you suggest running as a non-admin user, don't forget that a lot of programs will not run properly unless you have admin rights.

    Now, I guess you could put the hosts file on a floppy and write-protect that. Then you can create a symlink to the file on the floppy.
  • by stefanlasiewski ( 63134 ) * <(moc.ocnafets) (ta) (todhsals)> on Friday January 27, 2006 @02:23AM (#14576585) Homepage Journal
    Ad-Aware, Spybot and MS AntiSpyware will see many malware programs, but will be unable to remove certain programs. (Virtumondo [nai.com] is one such nasty, as it can bind itself to winlogon.exe or other critical processes, and the antispyware programs were unable to extract it.)

    Hijack this will at least let you view the details of your system, and let you remove the malware by hand.

  • by dtfinch ( 661405 ) * on Friday January 27, 2006 @03:25AM (#14576791) Journal
    When fighting the kind of malware that installs itself to dozens of executables and dlls, to revive itself later, you can usually isolate most of that crap by searching by creation date, first making sure that explorer shows hidden and system files, and that the search doesn't exclude them.

    You may need to disable system restore to remove some malware, or else Windows will automatically reinfect itself when it sees the files are missing. Reenable it before installing any new/updated drivers, as that seems to be when I need it most often.

    Just in case, before you delete a bunch of stuff and reboot, check HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit to ensure that it's not pointing to the malware, but to userinit.exe, wherever that is. Messing with userinit can render a system so that you can't log in, even in safe mode. XP SP2 might have fixed this, as I've seen some newer systems survive a broken userinit, or completely ignore it.

    Also, empty out your host file (usually c:\windows\system32\drivers\etc\hosts on XP) to prevent browser hijacks.

    If you suspect a rootkit, try a detector like rootkitrevealer. It won't remove it, but it might find it. Last resort: take your hard disk and slave it on another system, and remove the infected files.

    Stinger is a good standalone virus scanner, and a small download.

    For future reference: Stop using IE and Outlook Express. Stop downloading free screensavers and other freebies, unless you get them directly from the author's website, and you trust them completely. I've seen places take my own shareware screensavers, bundle them with spyware, and redistribute them without permission or any regard for legality or morality.
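    Three of the checks in the post above are easy to script, so here is an added example (my code, not dtfinch's): it verifies that the Winlogon Userinit value still points only at the real userinit.exe, lists executables and DLLs created under the Windows tree within a time window with hidden and system files included, and prints every hosts-file mapping that is not the plain localhost line. It assumes an elevated PowerShell 3.0+ session; the 72-hour window is an arbitrary default. It reports and deletes nothing.

```powershell
# Added example; not code from the thread. Scripts three of the checks in the
# post above: confirm Winlogon's Userinit still points at the real userinit.exe,
# list executables and DLLs created under the Windows tree within a time window
# (hidden and system files included), and show every hosts-file mapping that is
# not the plain localhost line. It reports only; it deletes nothing. Run elevated.
param(
    [int]$HoursBack = 72,                 # assumed window for the creation-date search
    [string]$Root   = $env:SystemRoot
)

function Test-Userinit {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $value = [string](Get-ItemProperty -LiteralPath $key -Name Userinit).Userinit
    $expected = Join-Path $env:SystemRoot 'system32\userinit.exe'
    # Stock value is '<SystemRoot>\system32\userinit.exe,' (note the trailing
    # comma). Malware appends itself after the comma or replaces the path, so
    # split on commas and accept only a single entry equal to the real binary.
    $entries = @($value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    $ok = ($entries.Count -eq 1) -and ($entries[0] -ieq $expected)
    [pscustomobject]@{ Check = 'Userinit'; Value = $value; Expected = "$expected,"; OK = $ok }
}

function Get-RecentBinaries {
    param([string]$Path, [datetime]$Since)
    $exts = '.exe', '.dll', '.sys', '.ocx', '.scr', '.cpl'
    # -Force includes hidden and system files, which Explorer's search skips by default.
    Get-ChildItem -LiteralPath $Path -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $exts -contains $_.Extension.ToLower() -and $_.CreationTime -ge $Since } |
        Sort-Object CreationTime |
        Select-Object CreationTime, Length, Attributes, FullName
}

function Get-HostsMappings {
    $hosts = Join-Path $env:SystemRoot 'system32\drivers\etc\hosts'
    # Anything beyond '127.0.0.1 localhost' / '::1 localhost' deserves a look:
    # hijackers map AV vendor and update sites to 127.0.0.1 or to their own hosts.
    Get-Content -LiteralPath $hosts -Force -ErrorAction SilentlyContinue |
        Where-Object { $_ -match '^\s*[0-9A-Fa-f:.]+\s+\S' } |
        Where-Object { $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\s*(#.*)?$' }
}

Test-Userinit | Format-List
Write-Host "Binaries created in the last $HoursBack h under $Root :"
Get-RecentBinaries -Path $Root -Since (Get-Date).AddHours(-$HoursBack) | Format-Table -AutoSize
Write-Host 'Non-localhost hosts entries:'
Get-HostsMappings
# To reset the hosts file as the post suggests (run once you have reviewed it):
#   Set-Content -LiteralPath "$env:SystemRoot\system32\drivers\etc\hosts" -Value '127.0.0.1 localhost' -Force
```

    Creation timestamps are only a lead, not proof: malware that bothers to copy timestamps from a neighbouring system file will not show up in the date search, which is why the signature and autorun checks are still needed. The Userinit check is deliberately strict (one entry, exact path) because the post's warning is the right one: a wrong value here locks everyone out, so fix the value back to the stock one before deleting whatever it pointed at.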
  • by juventasone ( 517959 ) on Friday January 27, 2006 @04:04AM (#14576903)
    I can tell the parent has had enough experience with spyware to know something most people do not: running any one product is good, and multiple ones is great, but in the spyware environment of yesterday and today, it is still not always good enough. Hence why the original submitter labeled it "stubborn", as in those not detected by current products.

    Even though I rely heavily on HijackThis and Google, I also rely heavily on the fact that I've seen so many hundreds of systems that I can go through the typically enormous lists HijackThis generates and reliably filter them down to just a few unknown entries which I can google. One small problem with all this is spyware using legitimate file and process names (getting the thumbs up from anywhere on Google) but storing them in a different, unsuspicious path. Finally, there are places spyware can run that aren't listed by HijackThis, but these are covered by StartupList, a utility from the same author. The StartupList lists are grossly enormous (such as the DLL lists in each process). Yes, it's kind of grim.

    OK, so let's assume by using the above methods you do find each offending entry with complete accuracy. A product could even theoretically do this (one day). Then comes removal. The actual stubborn spyware will automatically regenerate entries deleted with HijackThis or any other method (including products). The files will be locked as well, even if you attempt to kill processes, and in the most stubborn of cases, even in safe mode. In these cases, you need to boot to an independent operating system (Recovery Console, BartPE, etc.) and delete the files from there. In the most extreme of cases the files are located in NTFS alternate data streams, which makes them virtually untouchable (assuming they use a critical area). These are identified by colons in the pathname (i.e. C:\windows\system32:fdsafdas.dll). This makes fdsafdas.dll inaccessible by Windows Explorer, the command prompt, the Recovery Console, or pretty much anything else. If you google around, there are some limited and complicated means to deal with these.
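    The alternate-data-stream case at the end of the post above is less untouchable today than it was in 2006: the FileSystem provider in PowerShell 3.0 and later exposes streams through the -Stream parameter of Get-Item, Get-Content and Remove-Item. The script below is an added example (mine, not juventasone's) that walks a directory, lists every named stream on files and on the directories themselves (the post's example hangs off system32 itself, not off a file), flags streams whose first bytes look like a PE image, and shows how a stream is removed without touching its host. It assumes PowerShell 3.0+ and an elevated session; the stream name fdsafdas.dll in the removal comment is the post's own placeholder.

```powershell
# Added example; not code from the thread. Enumerates NTFS alternate data
# streams below a directory, the hiding place the post above describes
# (C:\windows\system32:fdsafdas.dll), using the -Stream parameter of
# Get-Item/Remove-Item (PowerShell 3.0+). Directories are included because the
# post's example hangs the stream off system32 itself, not off a file.
param(
    [string]$Path = "$env:SystemRoot\system32",
    [switch]$IncludeZoneIdentifier     # Zone.Identifier is the benign 'downloaded from the web' marker
)

function Get-AlternateStreams {
    param([string]$Path, [switch]$IncludeZoneIdentifier)
    $items = @(Get-Item -LiteralPath $Path -Force) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        $streams = Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue
        foreach ($s in $streams) {
            if ($s.Stream -eq ':$DATA') { continue }       # the ordinary unnamed stream
            if (-not $IncludeZoneIdentifier -and $s.Stream -eq 'Zone.Identifier') { continue }
            [pscustomobject]@{ Host = $item.FullName; Stream = $s.Stream; Length = $s.Length }
        }
    }
}

function Test-StreamIsPE {
    # A stream that starts with 'MZ' is an executable image, whatever its name.
    param([string]$HostPath, [string]$Stream)
    $head = Get-Content -LiteralPath $HostPath -Stream $Stream -TotalCount 1 -ErrorAction SilentlyContinue
    return ([string]$head).StartsWith('MZ')
}

function Remove-AlternateStream {
    # Deletes one named stream and leaves the host file/directory untouched.
    # This fails while the stream is mapped by a running process; in that case
    # do it from a boot CD or with the disk slaved to another machine.
    param([string]$HostPath, [string]$Stream)
    Remove-Item -LiteralPath $HostPath -Stream $Stream -Force
}

$found = @(Get-AlternateStreams -Path $Path -IncludeZoneIdentifier:$IncludeZoneIdentifier)
foreach ($f in $found) {
    $f | Add-Member -NotePropertyName LooksLikePE -NotePropertyValue (Test-StreamIsPE $f.Host $f.Stream)
}
$found | Sort-Object -Property LooksLikePE -Descending |
    Format-Table Host, Stream, Length, LooksLikePE -AutoSize -Wrap
# Removal, once you are sure (stream name from the post, used as a placeholder):
#   Remove-AlternateStream -HostPath "$env:SystemRoot\system32" -Stream 'fdsafdas.dll'
```

    Before PowerShell grew -Stream, the usual tools for the same job were Sysinternals' streams.exe and, from Vista on, `dir /r` in cmd.exe; both list the same `name:stream:$DATA` entries this script does. The listing is wide on a normal system because Zone.Identifier is everywhere, hence the default filter; a stream with LooksLikePE set on a directory is the pattern the post is describing.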

  • by Johnno74 ( 252399 ) on Friday January 27, 2006 @05:38AM (#14577174)
    Written by Mark Russinovich, the guy who blew the lid on the Sony rootkit debacle (and author of other indispensable free Windows utils like Process Explorer, Filemon, Regmon and many, many others).

    His site is http://www.sysinternals.com [sysinternals.com] and autoruns can be downloaded from here [sysinternals.com].

    Autoruns shows EVERYTHING that is started on your pc at boot & logon etc, including device drivers, services... everything. It can even filter out binaries not signed by microsoft, to make third party stuff stand out like dogs balls.

    Use process explorer to find and kill the spyware processes - you may have to google processes to identify them, but that function is built in. Here is a tip - look for anything that doesn't have a company name of "microsoft"

    Some really stubborn spyware has more than one process running, watching each other and restarting each other if you kill them. Use PSKill (command-line process killer) to kill multiple processes at once, so they can't restart.

    Once you have cleaned out the running junk, use autoruns to identify where it started from and kill it.

    It's never failed for me, and you learn a whole lot about the internals of Windows in the process.
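    The two Process Explorer / PSKill steps in the post above, and the mutually-restarting process pair DongleFondle ran into further up, can be done from a script. This is an added example (my code, not Johnno74's or Sysinternals'): it lists every running process whose image is not validly signed by Microsoft, showing the version-resource Company string next to the real signer so you can see when they disagree, and it terminates a set of PIDs back to back and then reports whether anything with the same image path came back. It assumes an elevated PowerShell 3.0+ session; the PIDs in the trailing comment are placeholders.

```powershell
# Added example; not code from the thread. Scripts the two Process Explorer /
# PSKill steps from the post above: list running processes whose image is not
# validly signed by Microsoft, and terminate a set of processes that restart
# each other in a single pass, then report anything that came back. Run elevated.

function Get-NonMicrosoftProcesses {
    foreach ($p in Get-Process) {
        if (-not $p.Path) {
            # No path means we could not open the process (System, protected
            # processes, or insufficient rights); list it rather than hide it.
            [pscustomobject]@{ Id = $p.Id; Name = $p.ProcessName; Path = ''; Company = ''
                               Status = 'NoPath'; Signer = '' }
            continue
        }
        $sig = Get-AuthenticodeSignature -FilePath $p.Path -ErrorAction SilentlyContinue
        $subject = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        # The version-resource 'Company' string the post mentions is trivial to
        # forge; a valid signature chaining to Microsoft is the check that holds.
        $msSigned = ($sig.Status -eq 'Valid') -and ($subject -match 'O=Microsoft Corporation')
        if (-not $msSigned) {
            [pscustomobject]@{ Id = $p.Id; Name = $p.ProcessName; Path = $p.Path; Company = $p.Company
                               Status = [string]$sig.Status; Signer = $subject }
        }
    }
}

function Stop-WatchdogSet {
    # Kills every listed PID back to back (the PSKill trick) and then checks
    # whether any process with the same image path is running again. If one is,
    # the watchdog won the race: suspend both in Process Explorer before
    # killing, or remove the files from a boot environment instead.
    param([int[]]$Ids)
    $targets = @(Get-Process -Id $Ids -ErrorAction SilentlyContinue)
    $paths = @($targets | ForEach-Object { $_.Path } | Where-Object { $_ } | Select-Object -Unique)
    $targets | Stop-Process -Force -ErrorAction SilentlyContinue
    Start-Sleep -Milliseconds 500
    @(Get-Process | Where-Object { $_.Path -and ($paths -contains $_.Path) })
}

Get-NonMicrosoftProcesses | Sort-Object Status, Name |
    Format-Table Id, Name, Status, Company, Path -AutoSize -Wrap
# Once you have identified a watchdog pair, e.g. PIDs 1234 and 5678 (placeholders):
#   $respawned = Stop-WatchdogSet -Ids 1234, 5678
#   if ($respawned) { $respawned | Format-Table Id, Name, Path }
```

    As with Autoruns' signature filter, expect some legitimate Windows binaries to show as NotSigned on older systems where they are catalog-signed rather than embedded-signed; the point of the list is to shrink what you have to look up, not to replace the lookup. A process that respawns inside the half-second window is also a strong hint that a third component (a service or a Winlogon notification DLL) is doing the restarting, which is where the Autoruns pass the post describes comes in.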
  • just my way... (Score:2, Informative)

    by Sait-kun ( 922599 ) on Friday January 27, 2006 @06:48AM (#14577346)
    Of course, if you want to be 100% sure, a format would work. DO NOT RUN A LOW LEVEL FORMAT! I've seen it recommended; it's just wrong. Low-level formatting creates the tracks and sectors on a blank hard drive. The drives you buy today are low-level formatted at the factory. Low-level formatting these hard drives yourself is not recommended.

    But not everyone can or wants to go through the trouble of formatting, so what can we do next?

    My standard way to get spyware off a box:

    Run CrapCleaner; this will remove a lot of useless files. Just make sure you only select the sections you want deleted. Don't use the registry cleaner unless you know what you're doing.

    Next up would be running the standard anti-virus programs. I personally use HitmanPro; the site is Dutch but the program is English. It includes most trusted anti-spyware products, runs them all in a row, automatically removes anything it finds and produces an HTML page of what it did.

    Still not gone?

    - If you know the name of the spyware it might be worth googling; chances are you'll find a special removal tool.

    - In my case I can spot bad programs and spyware as a process with the use of HijackThis and Sysinternals Process Explorer. But be sure to google all the processes you don't trust before deleting them. This way of deleting is not recommended for your average computer user (then again, you post on Slashdot so you're probably fine...).

    - Sometimes it's required to boot into safe mode to remove some files.

    OK, now that you're cleaned you don't want this sort of thing to happen again. There are a few common practices:

    - Don't be a YES man: don't just click YES and NEXT on every box that pops up, and instruct any family members to do the same.

    - Run as a normal user instead of administrator

    - Make sure windows is up to date

    - Some browsers such as Firefox make it easier to avoid spyware, though this requires some plugins. Recommended are Adblock + G Blocklist.

    Useful links:

    google: http://justfuckinggoogleit.com/ [justfuckinggoogleit.com]
    ;)
    crapcleaner: http://ccleaner.com/ [ccleaner.com]

    hitmanPro: http://hitmanpro.nl/ [hitmanpro.nl]

    HijackThis: http://www.spywareinfo.com/~merijn/ [spywareinfo.com]

    Process Explorer: http://www.sysinternals.com/Utilities/ProcessExplorer.html [sysinternals.com]

    Firefox browser: http://www.mozilla.com/firefox/ [mozilla.com]

    Adblock: https://addons.mozilla.org/extensions/moreinfo.php?id=10&application=firefox [mozilla.org]

    G Blocklist for Adblock: https://addons.mozilla.org/extensions/moreinfo.php?id=1136&application=firefox [mozilla.org]

    hope it helps...
