
Extricating Spyware

Article updated: July 2010

In 2004, spyware/adware became the #1 threat to personal computers. For a definition of spyware, visit Webopedia.

Getting rid of spyware has reached the point where it takes an expert, or a lot of persistence, to remove it completely. Following is the list of steps we frequently take to completely restore a compromised computer. Depending on the severity of the problems, we may omit some steps, but this list covers everything we do.

NOTE: These are not steps we recommend for every computer that has a little spyware on it. Also, some of these steps, if not performed properly, can further harm your computer. Proceed at your own risk.

ANOTHER NOTE: For a great list of fake antispyware programs, visit SpywareWarrior’s rogue or suspect anti-spyware comparison.

A THIRD NOTE: We perform most of these operations in Safe Mode (repeatedly press the F8 key on your keyboard at startup to reach Safe Mode), and if the computer uses Windows XP or newer, we disable System Restore (RIGHT-click “My Computer”, click the System Restore tab, uncheck the box that says “Use System Restore”, click OK). And lastly, your computer SHOULD NOT BE CONNECTED TO THE INTERNET WHEN PERFORMING MOST OF THESE STEPS. If your system is in really bad shape, you will need to run the recommended tools without updates in Safe Mode, then update them after you have performed all the steps and reconnected to the Internet.

A LAST NOTE: Always back up your important data before proceeding: address books, email, documents, pictures, etc.

  1. After downloading all the tools (you may need to do so on a friend’s or neighbor’s computer and copy them to a CD or flash drive) below, disconnect from the Internet. All these tools offer fully functional FREE versions…if you are asked for money, you took a misstep somewhere.
  2. Restart computer in Safe Mode
  3. Delete all temporary files (even the hidden ones). You can do this quickly by downloading and running Cleanup or CCleaner.
  4. Install and run MalwareBytes, SuperAntiSpyware and ComboFix
  5. Search Add/Remove Programs for installed spyware programs and remove them.
  6. Install, update and run Spybot
  7. In some cases, the spyware will keep coming back due to Trojan viruses that Norton or McAfee do not detect. If this is the case, we uninstall Norton or McAfee and install AVG or Avast anti-virus programs.
  8. Install Firefox or Google Chrome and instruct the user to use Internet Explorer only when Firefox is not able to pull up a particular site.
  9. It is important to disable the System Restore prior to starting this process, but remember to enable it when finished.
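Steps 2, 3 and 5 above are the ones that can be scripted on a Windows Vista/7-era machine. The following PowerShell script is an added example, not a tool from the article, and it assumes Windows PowerShell 2.0 or later run from an elevated prompt; on Windows XP the GUI steps above still apply. It refuses to run unless the machine is in Safe Mode, deletes temporary files (including hidden ones) from the user and system temp folders, and then lists what Add/Remove Programs would show, read straight from the registry, so rogue "anti-spyware" entries can be reviewed before anything is uninstalled.

```powershell
# Added example (not from the original article): PowerShell helper for steps 2, 3 and 5.
# Assumes Windows PowerShell 2.0+ on Vista/7, run from an elevated prompt.
param(
    [switch]$DryRun   # when set, only report what would be deleted
)

# Step 2 check: refuse to do anything destructive unless booted into Safe Mode.
# BootupState is 'Normal boot', 'Fail-safe boot' or 'Fail-safe with network boot'.
$bootState = (Get-WmiObject -Class Win32_ComputerSystem).BootupState
if ($bootState -notlike 'Fail-safe*') {
    Write-Warning "Not in Safe Mode (BootupState = '$bootState'). Reboot with F8 first."
    return
}

# Step 3: delete temporary files, including hidden ones (-Force), in the user and
# system temp directories. Files in use are skipped rather than aborting the run.
$tempDirs = @($env:TEMP, (Join-Path $env:windir 'Temp'))
foreach ($dir in $tempDirs) {
    if (-not (Test-Path $dir)) { continue }
    $items = Get-ChildItem -Path $dir -Recurse -Force -ErrorAction SilentlyContinue
    Write-Host ("{0}: {1} item(s)" -f $dir, @($items).Count)
    if (-not $DryRun) {
        $items | Remove-Item -Force -Recurse -ErrorAction SilentlyContinue
    }
}

# Step 5: enumerate what Add/Remove Programs would show, straight from the registry.
# The Wow6432Node path holds 32-bit programs on 64-bit Windows.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$programs = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Select-Object DisplayName, Publisher, InstallDate, UninstallString

# Most recent installs first (InstallDate is a yyyyMMdd string, so a plain sort works);
# entries with no Publisher value deserve a closer look.
$programs |
    Sort-Object InstallDate -Descending |
    Format-Table -AutoSize DisplayName, Publisher, InstallDate

$noPublisher = $programs | Where-Object { -not $_.Publisher }
Write-Host ("`n{0} entries have no Publisher value; review them manually." -f @($noPublisher).Count)
```

Run it once with `-DryRun` to see the temp-file counts before deleting anything. The script deliberately does not uninstall: the UninstallString values it collects are what the operator runs by hand after deciding which entries are rogue. On Vista/7 the GUI System Restore steps from the third note have PowerShell equivalents, `Disable-ComputerRestore -Drive "C:\"` before starting and `Enable-ComputerRestore -Drive "C:\"` afterwards (step 9).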

In some extreme cases, this process can take up to three hours. At times, it makes more sense to simply back up important data, then reformat the system and install Windows and your programs again.

Do not take spyware lightly, but making it illegal is not the answer. Secure computers and savvy users will be the only thing that stops this nasty digital intrusion. And we know that listeners and followers of our program maintain secure computers because they are smart and informed computer users!

If all of this seems overwhelming to you, by all means don’t wade into these dangerous waters…call a professional (like me)!


16 Responses to “Extricating Spyware”

  1. Nice detailed list Rick!!

    I’d like to add that I also use rkill by Bleeping Computer right before I run malware bytes.

    You can read one of their forums and download from here:

    http://www.bleepingcomputer.com/forums/topic308364.html

    Basically it just stops some of the active virus/spyware processes from running, and allows MalwareBytes (and other anti-virus/anti-spyware) to run and do their job.

    There’s even different extensions of rkill so that processes that are monitoring for certain extensions won’t stop it from running.

    I’ve not used CCleaner or CleanUp, so maybe this does the same thing, but if not, I’d add rkill to the list.

    • Rick says:

      Good add Matt…thanks. The CCleaner and Cleanup only delete temp files/logs/etc….nice to do first to help speed up other scans.

  2. Bruce says:

    Rick,
    I use Rkill as well. It only takes a few seconds to run and does a good job of shutting down active malware.
    In step 4 do you recommend running them in the order listed? I usually run Combofix first because it seems to get rid of the nasty items and then Malwarebytes and the rest can do their job.
    I know you are recommending free software here, but I can’t help but put in a plug for the paid version of Malwarebytes. I am not at all affiliated with them, but I can tell you that the customers who call me regularly to clean up malware stop calling after they buy Malwarebytes. It’s only $25 for lifetime updates. And when you buy it, it automatically updates itself and monitors system start up processes.
    Bruce

  3. Joyce Rodriguez says:

    Delta, CO is having lots of bad stuff on computers and most of them are connected to Bresnan cable…Can they possibly come through a cable company? Both daughters went down, and I got them back using your suggested tools….Yeah! Thanks, Rick! J

  4. Bruce says:

    Joyce,
    I have many customers in the Grand Valley. I have not seen any greater prevalence of viruses on customers who use Bresnan versus other internet service providers.
    Bruce

  5. Cody says:

    ComboFix should NOT be recommended as a catch-all, run-as-you-will program. It should only be deployed by those trained in its use, and only after an initial analysis of symptoms and logs. The disclaimer of ComboFix clearly states it is for private use only.

    • Bruce says:

      I am with Cody. I have managed to kill a few (barely) bootable computers with Combofix. If Combofix tries to repair Windows OS critical files it may completely prevent the PC from booting. Someone who does not know how to salvage a corrupt Windows OS or how to re-load Windows should leave Combofix for the experts.

      • Rick says:

        Again, be careful to be sure. And also keep in mind that sometimes the shortest and only route to completely fixing an infected system is reformatting and starting over.

  6. Jeannie says:

    I have cleaned up over 10,000 (ten thous.) machines from nasties with ComboFix in regular mode AFTER turning off System Restore.
    Works every single time. No need to run it in Safe Mode.

  7. Steve says:

    Is it true that you don’t get Spyware problems in Ubuntu?

  8. Familiarity with the Windows Task Manager is one of the things I stress repeatedly to my clients. I tell them to a) Remove the Windows Task Manager, b) Replace it with Process Explorer (from SysInternals.com), and c) Look at it from time to time. Know how many processes should be running on your machine. What kind of system resources are being consumed in normal usage? Task Manager or Process Explorer can be the best indicator(s) that something isn’t right with your Windows PC.

    Karl A. Krogmann
    Aging Uber Nerd
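The habit described in the comment above, knowing how many processes normally run and noticing when that changes, can be turned into a simple check. The PowerShell script below is an added example, not the commenter's tool or Process Explorer: it records a baseline of running process names and executable paths from a known-good state, and on later runs reports what is new or missing. The baseline file path is an assumption; change it as needed.

```powershell
# Added example (not from the original page): baseline-and-diff of running processes.
# Assumes Windows PowerShell 2.0+. Baseline path is an assumed default.
param(
    [string]$BaselinePath = "$env:USERPROFILE\process-baseline.csv",
    [switch]$Update   # rewrite the baseline instead of comparing against it
)

# Win32_Process exposes ExecutablePath, which Get-Process leaves blank for processes
# the caller cannot open. Name plus path is what we compare on.
function Get-ProcessSnapshot {
    Get-WmiObject -Class Win32_Process |
        Select-Object @{Name = 'Name'; Expression = { $_.Name }},
                      @{Name = 'Path'; Expression = { if ($_.ExecutablePath) { $_.ExecutablePath } else { '' } }} |
        Sort-Object Name, Path -Unique
}

$current = Get-ProcessSnapshot

# First run (or -Update): save the known-good state and stop.
if ($Update -or -not (Test-Path $BaselinePath)) {
    $current | Export-Csv -Path $BaselinePath -NoTypeInformation
    Write-Host ("Baseline written: {0} distinct process images in {1}" -f @($current).Count, $BaselinePath)
    return
}

$baseline = Import-Csv -Path $BaselinePath

# '=>' rows exist now but not in the baseline; '<=' rows were in the baseline but are gone.
$diff = Compare-Object -ReferenceObject $baseline -DifferenceObject $current -Property Name, Path

if (-not $diff) {
    Write-Host ("No change from baseline ({0} process images)." -f @($baseline).Count)
    return
}

$diff |
    Sort-Object SideIndicator, Name |
    ForEach-Object {
        $tag = if ($_.SideIndicator -eq '=>') { 'NEW ' } else { 'GONE' }
        "{0}  {1,-30} {2}" -f $tag, $_.Name, $_.Path
    }
```

Take the baseline right after a clean boot to an idle desktop, and compare in the same state, otherwise every program the user happens to have open shows up as NEW. The rows worth attention are NEW entries with an empty path, or with a path under a temp or user-profile folder rather than under Windows or Program Files; those are the ones to look up in Process Explorer before deciding anything.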

  9. tom bell says:

    Rick,
    I noticed you don’t have AVG on your links anymore. Why??? Is the new version too much of a pain or what?
