Steps to remove spyware/malware


cis4smack
08-13-2007, 12:31 AM
I'm curious to know what steps you guys take to remove spyware/malware from a client's computer, and what tools you use to determine what actions need to be done in order to disinfect the machine.

:cool:

youngwun0
08-13-2007, 01:10 AM
I'm wondering the same thing. Personally, I am just starting out as a tech; I am in school to get my A+. I do not get viruses on my PCs! I am always careful and only allow limited use for guests and family. I have a friend for whom I reinstalled Windows XP, and after only a week she caught a nasty virus. I tried multiple virus removers and nothing worked. I told her I'd get back to her but never did, as I've been busy with school and all, but I wish I knew exactly what I'm looking to do, as I think virus detectors aren't working so well for this bugger.

She gets multiple pop-ups when opening Internet Explorer and just a few when opening Firefox. The homepage isn't hijacked, but by the way these pop-ups appear it seems like it. Sometimes when the cable modem's internet is on she will get the pop-ups anyway. I'm pretty sure it's spyware, but then again I have only been through 2-3 viruses in my 7 years of owning multiple machines so far, so I'm not so sure.

Bryce W
08-13-2007, 03:12 AM
You might find these 3 articles useful. They are examples of what I have done on real onsite jobs.

Case Study: Removing a virus/adware (AntiSpyLab) (http://www.technibble.com/forums/../case-study-removing-a-virusadware-not-detected-by-scanners/)

Case Study: New Malware Hiding in Task Scheduler (http://www.technibble.com/forums/../case-study-new-malware-hiding-in-task-scheduler/)

Case Study: Attack of the Legitimate Programs (http://www.technibble.com/forums/../case-study-attack-of-the-legitimate-programs/)

Blues
08-13-2007, 01:52 PM
I run a couple of the free tools you will find repeated a fair bit in the section on viruses/trojans/malware. I tend to give Spybot S&D the first go at spyware and such. Trend Micro HouseCall is usually my first AV tool, and it also knocks out some spyware. I will usually leave them with AVG installed at the end for a good free AV, along with a few suggestions of paid options they may consider. HijackThis is usually the last line for spyware since it requires looking over the log. I forgot the name of the tool, as I don't use it much, but it is mentioned here somewhere; it shows running processes, and that's a good tool for manual AV options.

Simmy
08-13-2007, 02:49 PM
I'm sure the above links more than cover what I'm about to say, but I need to get my post count up. So here goes :D

I use the following applications when removing viruses/spyware:
Kaspersky
NOD32
Spyware Doctor (brilliant program)
Spybot
HijackThis!
and then I install ClamWin for them.

I also find it's best to plug the infected hard drive into another computer, or use a BartPE CD. This way, the files on the infected hard drive won't be locked/in use by the OS when it comes to removing them.

However, in my experience, I find it's usually a better option to simply back up and reinstall the operating system, simply because scanning for viruses doesn't guarantee getting rid of them all, whereas formatting and reinstalling Windows does. Seeing as I supply a 30-day labour guarantee with my work, I may as well cover myself by guaranteeing to get rid of any malware.

Reinstalling takes roughly the same amount of time (especially once you make your own custom Windows DVD (http://www.technibble.com/forums/showthread.php?t=1096)) as scanning the hard drive and will sort out any other problems the computer may have had.

I make sure to create an image using Acronis though, just in case I need to restore it to exactly the way it was before (malware and all!). I then copy across any of the customer's data to the new install and keep the Acronis image for 30 days, so they can figure out if anything is missing.

cis4smack
08-14-2007, 07:18 AM
Is there a portable version of Spybot Search & Destroy? I don't want to install it on the client's computer when I'm just doing scans. Also the same thing for Ad-Aware? I was trying to search on Google, but I couldn't find it... I may have just overlooked it.

Have you guys tried to put BartPE on a usb instead of a CD?

cis4smack
08-14-2007, 07:22 AM
Is CLAMWIN a good antivirus? What is your experience with it?

Bryce W
08-14-2007, 09:11 AM
Is CLAMWIN a good antivirus? What is your experience with it?
I have tried ClamWin Portable and found out it was a good antivirus. I detected a nasty on my computer that AVG never found.

Check out the story here:
http://www.technibble.com/repair-tool-of-the-week-clamwin-portable/

Simmy
08-14-2007, 09:20 AM
From what I've read, it's up there with the likes of Kaspersky and NOD32. I've only recently started using it though, whereas before I would give the customer AVG or Avira.

gunslinger
08-15-2007, 04:15 AM
I have a portable tool kit I carry on a 2 GB USB drive. On this I have many different virus/adware/spyware/malware scanners, portable CCleaner, and a few registry cleaners. Some of these are Spybot S&D, Ad-Aware SE, ClamWin Portable, and many others. I have found that most times, if this kit will not kill the offending item, more drastic measures are in order.

swany971
08-17-2007, 09:32 PM
For $30 I bought a universal hard drive adapter, so that I can take any hard drive (IDE, laptop, SATA), connect it to another PC via USB, then run Kaspersky & Webroot SS. Works nicely if you're at your bench. If I was on the road I suppose I would go with a good PE boot disk or portables.

Mac
08-18-2007, 01:28 AM
The thing with malware is that all it takes to make it undetectable to AVs is to modify the source code or pack 'n' crypt it. Once the byte signatures have changed, the AVs will go right past the file(s) and not even notice them. Kids get the source of some evil prog, modify it and bam. Just think: for every bit of malware that is detected there could be another 100, 1000? versions of the same thing that are undetectable.

So unless you are using something to monitor system changes, like RegRun, you can have all the AVs in the world and still not know if you're infected.

People know this but are in denial. So they think a firewall will save them. Nope, this won't save you either. All the malware created in the last few years uses FWB technology. The process of the evil software is hooked into a trusted process like explorer and then makes a reverse connection (you connect to them), and it will go straight through your firewall and you won't even know it.

The truth of the matter is ANY TIME you run an executable file you could be infected.

Any of the kids with evil software that have half a clue will use a rootkit in conjunction with their file. The process, reg entries etc. will all be hidden from view. The rootkit binary will be bound with the malware binary and they will be run at the same time. Processes, handles, modules, files & folders, registry keys & values, services, TCP/UDP sockets and systray icons can all be hidden.

The ONLY true way to make sure your customer's comp is no longer infected is to format and reinstall the OS.

Short of that, you could try some software to unhook rootkits to check for infection: VICE, Rootkit Hook Analyzer, Rootkit Unhooker (a very good prog made by some Russians).

Find the startup entry of the infection and remove it. Bam, no longer infected. ALL malware has to have a startup entry somewhere to run once the comp is restarted. Find it and remove it and you're no longer infected (once you restart, that is).

It's all a bit more complex than that, but that's basically it. I like to do things manually rather than rely on AVs, but that's just me.

You will find it’s much quicker just to format and reinstall. ;)
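An added example, not code from the thread: a read-only PowerShell script that lists the autostart locations Mac's post and Bryce's Task Scheduler case study refer to (Run/RunOnce keys, service binaries, scheduled task actions), so a tech can review the entries by hand before deciding what to remove. It assumes Windows PowerShell 5.1 or later (Get-ScheduledTask needs Windows 8 / Server 2012 or later) and an elevated prompt.

```powershell
# Added example, not code from the thread: list common Windows autostart locations so a
# tech can review them for entries that do not belong. Read-only: nothing is removed.
# Assumes Windows PowerShell 5.1+; Get-ScheduledTask needs Windows 8 / Server 2012 or later,
# and an elevated prompt is needed to read every HKLM key and service definition.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-RunKeyEntries {
    # One object per value under each Run/RunOnce key.
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -in 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider') { continue }
            [pscustomobject]@{ Source = $key; Name = $p.Name; Command = $p.Value }
        }
    }
}

function Get-ServicesOutsideSystemPaths {
    # A service binary outside the Windows or Program Files trees is worth a second look.
    Get-CimInstance -ClassName Win32_Service | Where-Object {
        $_.PathName -and
        $_.PathName -notmatch '^"?([A-Za-z]:\\(Windows|Program Files)|%SystemRoot%|%windir%)'
    } | Select-Object Name, State, StartMode, PathName
}

function Get-TaskActions {
    # Task Scheduler is an autostart location too; show what each enabled task actually runs.
    Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            [pscustomobject]@{
                Task      = $task.TaskPath + $task.TaskName
                Execute   = $a.Execute
                Arguments = $a.Arguments
            }
        }
    }
}

Get-RunKeyEntries              | Format-Table -AutoSize
Get-ServicesOutsideSystemPaths | Format-Table -AutoSize
Get-TaskActions                | Format-Table -AutoSize
```

Entries pointing into user profile or temp directories, or into paths that no longer exist, are the ones to check first; a rootkit can still hide from this view, which is why the post above recommends unhooking tools or a reinstall.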

Mac
08-18-2007, 03:04 AM
Reinstalling takes roughly the same amount of time (especially once you make your own custom Windows DVD (http://www.technibble.com/forums/showthread.php?t=1096)) as scanning the hard drive and will sort out any other problems the computer may have had.

Yep :D

I had a customer a while back. This guy was going nuts. He had taken his comp to 3 computer repair shops and had one tech out to his house before me. Spent over $1000 and still had no result.

The computer was running slow, the hard drive free space was shrinking and his download quota was being used up in the first week of the month. The poor guy was on a plan that wasn't shaped. He was paying extra when he went over his quota.

To make a really long story short….

His 17-year-old daughter had been on MSN Messenger and received a JPEG file. This JPEG file contained an exploit. Jpegadmin will make an administrator account on the machine. After the admin account was made, the hacker connected and installed an FTP server. The computer was being used to serve files: pirate movies & porn, 700 MB+ each. The computer was set up to scan the net for other vulnerable machines and use various other exploits to infect them.

The moral of the story is it doesn’t even need to be an executable file. Be careful what you run.

Btw, I told the nice man that the best solution was to format and reinstall the OS. But he had been told by all the other wonderful computer guys that it was a big expensive job and not necessary. No matter what I told him, his experience was that most computer techs didn't really know what they were doing. So I did all the work and showed him exactly what had happened.

I gave him his huge bill for my time and he happily paid, knowing that the problem had been fixed. Never heard from him again. :confused:

Bryce W
08-19-2007, 11:25 AM
For $30 I bought a universal hard drive adapter, so that I can take any hard drive (IDE, laptop, SATA), connect it to another PC via USB, then run Kaspersky & Webroot SS. Works nicely if you're at your bench. If I was on the road I suppose I would go with a good PE boot disk or portables.
Got a name or model number for it? Google Link?

Simmy
08-19-2007, 12:51 PM
Got a name or model number for it? Google Link?

This (http://cgi.ebay.com.au/USB-2-0-to-IDE-SATA-S-ATA-2-5-3-5-HDD-Adapter-Cable_W0QQitemZ300142617333QQihZ020QQcategoryZ41993QQssPageNameZWDVWQQrdZ1QQcmdZViewItem) is exactly the same one I use. Really useful for onsite work, if you've got a laptop you can use for scanning.

youngwun0
08-19-2007, 02:43 PM
Can I ask a stupid question, kind of unrelated here, guys? lol. What exactly is "bench"? I hear this and that relating to bench work or w/e and have no idea what it means :confused:

cis4smack
08-20-2007, 06:34 PM
It's a place, home/office, where you have all your tools, spare parts and so forth, and of course a bench (a table, I suppose) to work at.