What's your spyware/virus removal procedure?


vr6rafal
11-27-2007, 03:01 AM
What's your spyware/virus removal procedure? I'm trying to find the best and most time-efficient way to clean computers of spyware and viruses. What programs have you found to be most efficient, and which antivirus scanner is the fastest but still thorough? Any tips and tricks?

gunslinger
11-27-2007, 03:37 AM
I like to run Ad-Aware SE, Spybot S&D and McAfee Stinger right off of my flash drive. If Stinger won't get rid of a virus, ClamWin is also good.

XT18
11-27-2007, 03:43 AM
I like to run Ad-Aware SE, Spybot S&D and McAfee Stinger right off of my flash drive. If Stinger won't get rid of a virus, ClamWin is also good.

Ad-Aware and Spybot are good, but ClamWin is the slowest scanner I have ever used. I'd rather use Dr.Web CureIt; it seems a lot faster and does the job just as well. I usually boot into UBCD4Win and scan with AVG and AntiVir or whatever.

gunslinger
11-27-2007, 05:47 AM
Dr.Web CureIt? Is it portable? Can I run it off of my USB drive?

XT18
11-27-2007, 08:27 AM
Yeah, it's portable: http://pendriveapps.com/2007/04/18/drweb-cureit-stand-alone-antivirus-utility/

greggh
11-27-2007, 04:01 PM
I boot into their environment (if it isn't already booted). Give it a quick look to see how bad it is. Then I reboot into my bootable Windows environment (I made my own and keep it highly customized and up to date, but you can use UBCD4Win just fine). First thing I do is run EZ-PC-Fix and clean up the temp files; this speeds up the spyware/virus scans a lot. Then I run Spybot. Next a good antivirus scan; right now I use Kaspersky because I think it's one of the best.

After all the scanning is done with Spybot and Kaspersky I load up EZ-PC-Fix again and clear out all the bad startup items. Reboot into their Windows and run Spybot one more time to make sure it catches anything that it couldn't see from outside.

Easily 90% of the time I am done with anything acting up at this point. Now I do the final removal. Uninstall anything obvious; I use Revo Uninstaller for this. Then I go remove any directories that need to be deleted from Program Files. Next up I go into the Windows\system32 directory and clear out anything that needs to be deleted there (a lot of times this is just experience telling me what I can and can't delete). One of the easiest ways to tell if something is fishy in system32 is to add the Company column to the list of things it's showing in detail view. Sort by company, and anything (excluding .nls files) that doesn't have a company, and specifically Microsoft, needs to be looked at.

After that I reboot and everything should be done on the cleanup side. I make sure to update the system to the latest possible patches and am done.
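The "Company column" triage greggh describes can be scripted, which also lets you add the check a defender would want alongside it: the CompanyName string in a file's version resource is free text and is trivially forged, so the Authenticode signature should be read together with it. The script below is an added example, not code from this thread or from any of the tools named in it. It assumes PowerShell 3 or later on Windows 7 or newer, run from an elevated prompt; the folder path, the extension list and the 30-day "recently modified" cut-off are this example's own choices.

```powershell
# Added example, not code from the thread. Scripts greggh's "Company column" triage
# of System32 and adds an Authenticode check, because CompanyName is free text in
# the version resource and is trivially forged. Assumed: PowerShell 3+ on
# Windows 7 or later, run from an elevated prompt; $Path, the extension list and
# $NewerThanDays are this example's own choices.

function Get-System32Triage {
    param(
        [string]$Path = (Join-Path $env:SystemRoot 'System32'),
        [int]$NewerThanDays = 30
    )
    # Only executable image types; .nls files are skipped as greggh does.
    $peExtensions = '.exe', '.dll', '.sys', '.ocx', '.scr', '.cpl'
    $cutoff = (Get-Date).AddDays(-$NewerThanDays)

    Get-ChildItem -LiteralPath $Path -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -ne '.nls' -and $peExtensions -contains $_.Extension.ToLower() } |
        ForEach-Object {
            $company = $_.VersionInfo.CompanyName
            if ($company) { $company = $company.Trim() } else { $company = '<none>' }
            $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

            # Reasons this file deserves a look, in the order greggh applies them,
            # plus the signature and modification-time checks this example adds.
            $reasons = @()
            if ($company -eq '<none>')               { $reasons += 'no company' }
            elseif ($company -notmatch '^Microsoft') { $reasons += "company '$company'" }
            if ($sig.Status -ne 'Valid')             { $reasons += "signature $($sig.Status)" }
            elseif ($signer -notmatch 'Microsoft')   { $reasons += 'non-Microsoft signer' }
            if ($_.LastWriteTime -gt $cutoff)        { $reasons += 'recently modified' }

            [pscustomobject]@{
                Name      = $_.Name
                Company   = $company
                Signature = $sig.Status
                Modified  = $_.LastWriteTime
                Reasons   = ($reasons -join '; ')
            }
        } |
        Where-Object { $_.Reasons } |
        Sort-Object Company, Name
}

# Usage: show the table and keep a CSV copy for the job notes.
$triage = Get-System32Triage
$triage | Format-Table -AutoSize
$triage | Export-Csv -NoTypeInformation -Path (Join-Path $env:TEMP 'system32-triage.csv')
```

A row in this output is a "look at it", not a verdict: legitimate third-party drivers and runtimes do live in System32 with their own company names, and on older systems many genuine Microsoft files are catalog-signed rather than embedded-signed, so they can show a status other than Valid. Read the company, the signer and the modification date together, the way greggh reads the sorted detail view, before deleting anything.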

vr6rafal
11-27-2007, 04:42 PM
How long does this take you? It sounds like way over an hour.

greggh
11-27-2007, 04:50 PM
Usually an hour and a half to two hours. But it is actually clean. If you don't do those steps some things can come back, especially some of the Zlob and Smitfraud variants that after initial cleanup wait a few days before re-activating (they are the main reason I go through the system32 directory by hand afterward).

JohnR
11-27-2007, 06:57 PM
For severe infections (as in, more than one infection) I tend to boot into Linux off a liveCD, copy any critical data off the machine and scan/repair it there, and then wipe the entire disk down to bare metal and reinstall.

This is reliable, simple, and takes about an hour and a half.

This is, in fact, the computer equivalent of "take off and nuke the place from orbit. It's the only way to be sure".

Since I work in corporate environments, this tends to be a much more acceptable solution for my clients than it would likely be for most home users.

greggh
11-27-2007, 10:14 PM
For severe infections (as in, more than one infection) I tend to boot into Linux off a liveCD, copy any critical data off the machine and scan/repair it there, and then wipe the entire disk down to bare metal and reinstall.

This is reliable, simple, and takes about an hour and a half.

This is, in fact, the computer equivalent of "take off and nuke the place from orbit. It's the only way to be sure".

Since I work in corporate environments, this tends to be a much more acceptable solution for my clients than it would likely be for most home users.

In corporate environments that is absolutely right. A lot of home situations that just doesn't work for. In most of the corporate environments I work in (including my office), we have some kind of deployment option in place, be it system images that will restore to any PC and work (sysprep), or an automated deployment solution that also includes all the application installs and basic configuration for the network.

But in a lot of home setups it just doesn't work that way. They have tons of software and/or games installed. Gigs of files that would need to be backed up (easily an hour of copying). There are many reasons cleanup is the right option. One of the most common ones is software they NEED NOW and don't have the discs for anymore. That's just some of the reasons why I do more cleanups than reinstalls for home computers.

SandTech
11-28-2007, 03:26 AM
Can you explain the bootable Windows environment?

NWPhotog
11-28-2007, 04:04 AM
He is talking about a Windows PE boot disk like UBCD4Windows.

Stu
12-01-2007, 06:42 AM
I simply remove the client's hard drive, attach it as a slave to a dedicated test PC and then set NOD32 to scan and clean the entire drive. I've been pretty successful with this so far, I don't think I've yet had to use any additional products to NOD32.

dipper
12-02-2007, 08:52 AM
I simply remove the client's hard drive, attach it as a slave to a dedicated test PC

I have a few PCs with removable drive bays which I do the same thing with.

I've been pretty successful with this so far, I don't think I've yet had to use any additional products to NOD32.

How do you know the system is clean if you haven't run any other antivirus programs? I run at least 3 through all systems when cleaning a system. I've found out that what one antivirus picks up another misses and vice versa.

Stu
12-02-2007, 10:27 AM
How do you know the system is clean if you haven't run any other antivirus programs? I run at least 3 through all systems when cleaning a system. I've found out that what one antivirus picks up another misses and vice versa.

Good point. Up until now I've always taken a 'visual' approach, i.e., if after running NOD32 the problem appears to have gone and I'm not getting any pop-ups when browsing the 'Net, I consider my work done. Of course, if the problem was still there I would reach for other alternatives, but I've been fortunate not to have to do this since switching to NOD32.

But yeah, that definitely sounds like a good plan, time permitting: scanning with at least three different products. Just out of interest, what are you using? Do you have to disable the antivirus auto-protect features to stop the applications conflicting with each other?

greggh
12-02-2007, 01:44 PM
To catch everything you need to use antivirus and anti-spyware scanners. After running multiple scanners you then need to go in by hand and remove the rest of the leftover junk. Scanning with one tool will leave some behind. Since a lot of the newer ones will hibernate now (they wait a few days before re-activating), you can't just use one tool anymore. In a few days your customers will be infected again.

Stu
12-02-2007, 01:55 PM
To catch everything you need to use antivirus and anti-spyware scanners. After running multiple scanners you then need to go in by hand and remove the rest of the leftover junk. Scanning with one tool will leave some behind. Since a lot of the newer ones will hibernate now (they wait a few days before re-activating), you can't just use one tool anymore. In a few days your customers will be infected again.

Thanks greg, I will bear this helpful info in mind. Since you are using multiple tools, do you have any particular favorites?

Simmy
12-02-2007, 03:01 PM
My usual routine is Spyware Doctor followed by Kaspersky. I've run NOD32 on several hard drives and I was surprised at just how many infected files slipped by. I also like to throw in a Spybot scan + immunize for good measure.

jamesbhp
12-02-2007, 03:41 PM
I agree with most of the methods posted. The variant strands I run into as of late, and the tougher cases, are the Vundo and Smitfraud variants. My procedure where I work is usually to scan the HDD on a test-bed system with an AV (the one at work happens to be SAV) and then scan with Spyware Doctor and AVG Anti-Spyware. This usually removes the tier 1, lower-level spyware and viruses. Putting the system back in the original box, I then start working with HijackThis and safe-mode scanning with SUPERAntiSpyware. This usually removes up to tier 2-3 level malware, leaving only 1-2 strands of malware that need manual removing, such as Vundo or Smitfraud, for which there are VundoFix and Smitfraud applications you can use.

RKDus
12-02-2007, 06:06 PM
My procedure is:
Delete temp files with CCleaner
Disable system restore
If Zlob/Smitfraud is present I boot into safe mode and use SDFix/SmitRem
McAfee Virus
AVG Antivirus
Spyware Doctor
Spysweeper
Spybot
Ad-aware
AVG Antispyware
Spycatcher express

If I'm still finding infections :
Pest patrol
Xoftspy

I run so many because I want to avoid formatting as much as I can.
It takes about a day altogether to finish a computer, so obviously I don't do all this on the customer's premises ;)

RKDus
12-02-2007, 06:10 PM
I am experimenting with Auto-It to reduce my involvement in the process, it looks like it's going to save me a lot of time in the future.

Simmy
12-02-2007, 07:32 PM
I run so many because I want to avoid formatting as much as I can.
It takes about a day altogether to finish a computer, so obviously I don't do all this on the customer's premises ;)

Why do you want to avoid formatting? It only takes a couple of hours including backing up and restoring the customer's personal data.

Stu
12-02-2007, 08:54 PM
Does anyone have much experience of Prevx? This seemed really promising a while back...

greggh
12-03-2007, 01:58 PM
Thanks greg, I will bear this helpful info in mind. Since you are using multiple tools, do you have any particular favorites?

Absolutely I do. I listed it all off near the beginning of this posting.

greggh
12-03-2007, 01:59 PM
I am experimenting with Auto-It to reduce my involvement in the process, it looks like it's going to save me a lot of time in the future.

Have you looked at http://www.hitmanpro.nl/hitmanpro/ ? Hitman Pro does exactly what you are asking, and does it well. It uses a modified AutoIt engine and works really well.

Stu
12-03-2007, 10:17 PM
Absolutely I do. I listed it all off near the beginning of this posting.

Sorry greg, I should've looked harder.

Reading this thread has got me thinking. Is there any benefit in running the scans while booted in Windows? I know this will pick up the running processes, but will the files responsible for these not get picked up when scanned as slave in another machine?

RKDus
12-03-2007, 11:44 PM
Have you looked at http://www.hitmanpro.nl/hitmanpro/ ? Hitman Pro does exactly what you are asking, and does it well. It uses a modified AutoIt engine and works really well.

Yeah I have recently heard of this. I will start using it since you recommend it, thanks. :)

RKDus
12-03-2007, 11:49 PM
Why do you want to avoid formatting? It only takes a couple of hours including backing up and restoring the customer's personal data.

Mainly because of the risk of losing customer's data. Not that I would be careless enough to miss something they had asked me to back up, but because they might fail to mention something that they actually wanted.
To a lesser extent also because they have to go through all the hassle of setting it up the way it was before, profiles, programs etc.

greggh
12-04-2007, 03:22 AM
Sorry greg, I should've looked harder.

Reading this thread has got me thinking. Is there any benefit in running the scans while booted in Windows? I know this will pick up the running processes, but will the files responsible for these not get picked up when scanned as slave in another machine?

Really depends on the virus/malware/spyware. A lot of them can be found just as easily in either environment, especially using a tool like Spybot 1.5 that can scan the registry of the local hard drive natively from the PE environment (without the RunScanner hack). But you will have just the same number of evil ones that really need to be caught running. A lot of the time you can't clean them there. At that point write down everything you can from the scan results and go deleting files and registry entries from the PE environment.

Tech01
12-13-2007, 02:28 AM
I think the only way to go is with multiple products and scans.
If you want to automate this process as much as possible I would recommend using any scanner that supports command-line options. You can daisy-chain the scans using a script (AutoIt3). This will allow you to use a KVM switch to work on multiple machines at a time; thus you can double or triple your hourly earnings.

I work for a mom-and-pop store part time and I am just beginning to automate the process. :)
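The daisy-chaining Tech01 describes needs little more than a loop that starts each scanner, waits for it, records how it ended and carries on to the next one even when a scanner hangs. The script below is an added example, not code from this thread or from any scanner vendor; it uses PowerShell rather than AutoIt3, and it assumes PowerShell 3 or later. Every scanner path, argument list and "detection" exit code in it is a placeholder: each product documents its own command-line switches and exit codes, and those are what you would substitute.

```powershell
# Added example, not code from the thread. Runs a list of command-line scanners one
# after another, unattended, logging each scanner's exit code and duration so the
# tech reads one summary instead of watching every run. Assumed: PowerShell 3+;
# every scanner path, argument list and DetectionExitCodes value below is a
# placeholder to replace with the real product's documented syntax.

function Invoke-ScanChain {
    param(
        [Parameter(Mandatory)] [array]$Scanners,
        [string]$LogPath = (Join-Path $env:TEMP 'scan-chain.csv'),
        [int]$TimeoutMinutes = 120
    )
    $results = foreach ($s in $Scanners) {
        if (-not (Test-Path -LiteralPath $s.Path)) {
            Write-Warning "Skipping $($s.Name): $($s.Path) not found"
            continue
        }
        $started = Get-Date
        $proc = Start-Process -FilePath $s.Path -ArgumentList $s.Args -PassThru -NoNewWindow
        # Touch the handle now, otherwise ExitCode can read as $null after the
        # process exits (a known quirk of Start-Process -PassThru).
        $null = $proc.Handle
        $finished = $proc.WaitForExit($TimeoutMinutes * 60 * 1000)
        if (-not $finished) {
            # A hung scanner must not stall the whole chain: kill it and move on.
            $proc.Kill()
            $status = 'timeout'
        } elseif ($s.DetectionExitCodes -contains $proc.ExitCode) {
            $status = 'detections'
        } elseif ($proc.ExitCode -eq 0) {
            $status = 'clean'
        } else {
            $status = 'error'
        }
        [pscustomobject]@{
            Scanner  = $s.Name
            ExitCode = $(if ($finished) { $proc.ExitCode } else { $null })
            Status   = $status
            Minutes  = [math]::Round(((Get-Date) - $started).TotalMinutes, 1)
        }
    }
    $results | Export-Csv -NoTypeInformation -Path $LogPath
    $results
}

# Placeholder scanner definitions (hypothetical paths, switches and exit codes).
$chain = @(
    @{ Name = 'ScannerA'; Path = 'D:\tools\scannerA\scan.exe'; Args = @('/all', '/clean'); DetectionExitCodes = @(1) },
    @{ Name = 'ScannerB'; Path = 'D:\tools\scannerB\cli.exe'; Args = @('--scan', 'C:\', '--quiet'); DetectionExitCodes = @(2, 3) }
)
Invoke-ScanChain -Scanners $chain | Format-Table -AutoSize
```

Two points worth keeping when adapting this: the timeout is what makes it safe to walk away from a machine on the KVM, and the per-scanner exit-code mapping is what turns a pile of console output into the "which tool found something" summary that decides whether the manual clean-up greggh describes is still needed.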

GraemeP
12-13-2007, 03:05 AM
What virus and spyware software do you use?

greggh
12-13-2007, 03:11 PM
I think the only way to go is with multiple products and scans.
If you want to automate this process as much as possible I would recommend using any scanner that supports command-line options. You can daisy-chain the scans using a script (AutoIt3). This will allow you to use a KVM switch to work on multiple machines at a time; thus you can double or triple your hourly earnings.

I work for a mom-and-pop store part time and I am just beginning to automate the process. :)

That's where I throw Hitman Pro on. It does exactly what you said, and has a few of its own things built in.

nonchalant
12-15-2007, 12:12 PM
If a system is really bad (and most of them seem to be these days) I just format. The problem is with an infested system, the chances are you can run a gazillion programs and not find everything. And even if you do the chances are the OS is still damaged.

A cleanup can take a day. I can have a system formatted and everything reinstalled in 1.5 hours. And this all comes down to time and money.

gunslinger
12-15-2007, 03:57 PM
While it is true that a format will zap all the problems and is faster than cleaning the system, there are times when backing up all the customer's stuff to get ready for a format would take even longer. I don't mean just pics and mp3 collections either. There are email contacts, game settings, and other things to consider. It's easy to just throw in an XP disk and walk away, but it's not always the best option.

Nathan H
01-15-2008, 09:02 PM
Hi greggh,
Don't suppose you're willing to supply a copy of the bootable Windows environment CD that you made to a very grateful would-be tech in the UK, namely me... lol

iladelf
01-16-2008, 11:30 AM
OK, Gregg, this Hitman Pro software. Is it possible to install it on infected machines and then use it, or do you have to put it on a PE disk?

And, once installed, is it better for scans to be done in Safe Mode or normal mode?

It appears to be a "Swiss Army knife" tool to use. I'm against these as Internet security progs, but in this case, it sounds like it would make life easier. What does it do, run scans from ALL its software simultaneously, or do you have to do them one at a time?

Simmy
01-16-2008, 12:02 PM
You can install it on an infected machine. I have run it in both safe mode and normal mode, but it does suggest you don't run it in safe mode.

You make your selection from a list of available programs, and then Hitman Pro installs, updates and scans one program at a time until they have all been run. It's all automated once you set it running.

gunslinger
01-16-2008, 12:10 PM
The only problem I have with Hitman Pro is that it installs programs on the infected machine. I like to use portable apps and/or boot disks so that I don't have to install anything. It's almost always better to do scans in safe mode if you can. Another problem is that Hitman Pro needs the Internet to be in working order so that it can download these programs and update them. If the system is badly infected it may not be able to connect to the Internet at all.