Article updated: July 2010
In 2004, spyware/adware became the #1 threat to personal computers. For a definition of spyware, visit Webopedia.
Getting rid of spyware has reached the point where it takes an expert, or a lot of persistence, to remove it completely. Following is the list of steps we frequently take to fully restore a compromised computer. Depending on the severity of the problems, we may omit some steps, but this list covers everything we do.
NOTE: These are not steps we recommend for every computer that has a little spyware on it. Also, some of these steps, if not performed properly, can further harm your computer. Proceed at your own risk.
ANOTHER NOTE: For a great list of fake antispyware programs, visit SpywareWarrior’s rogue or suspect anti-spyware comparison.
A THIRD NOTE: We perform most of these operations in Safe Mode (repeatedly press the F8 key at startup to reach Safe Mode). If the computer runs Windows XP or newer, we also disable System Restore first (RIGHT-click "My Computer", click the System Restore tab, uncheck the box that says "Use System Restore", click OK); otherwise a restore point can reintroduce the infection after cleanup. Lastly, your computer SHOULD NOT BE CONNECTED TO THE INTERNET WHEN PERFORMING MOST OF THESE STEPS. If your system is in really bad shape, run the recommended tools without updates in Safe Mode, then update and re-run them once all steps are done and the computer is connected to the Internet again.
A LAST NOTE: Always back up your important data before proceeding: address books, email, documents, pictures, etc.
In some extreme cases, this process can take up to three hours. At times, it makes more sense to simply back up the important data, reformat the system, and reinstall Windows and your programs.
Do not take spyware lightly, but making it illegal is not the answer. Secure computers and savvy users will be the only thing that stops this nasty digital intrusion. And we know that listeners and followers of our program maintain secure computers because they are smart and informed computer users!
If all of this seems overwhelming to you, by all means don't wade into these dangerous waters: call a professional (like me)!
Nice detailed list Rick!!
I'd like to add that I also use rkill by Bleeping Computer right before I run Malwarebytes.
You can read one of their forum threads and download it from here:
http://www.bleepingcomputer.com/forums/topic308364.html
Basically it just stops some of the active virus/spyware processes from running, and allows MalwareBytes (and other anti-virus/anti-spyware) to run and do their job.
There’s even different extensions of rkill so that processes that are monitoring for certain extensions won’t stop it from running.
I've not used CCleaner or CleanUp, so maybe this does the same thing, but if not, I'd add rkill to the list.
Good add Matt, thanks. CCleaner and CleanUp only delete temp files/logs/etc. Nice to do first to help speed up the other scans.
Rick,
I use Rkill as well. It only takes a few seconds to run and does a good job of shutting down active malware.
In step 4 do you recommend running them in the order listed? I usually run Combofix first because it seems to get rid of the nasty items and then Malwarebytes and the rest can do their job.
I know you are recommending free software here, but I can’t help but put in a plug for the paid version of Malwarebytes. I am not at all affiliated with them, but I can tell you that the customers who call me regularly to clean up malware stop calling after they buy Malwarebytes. It’s only $25 for lifetime updates. And when you buy it, it automatically updates itself and monitors system start up processes.
Bruce
Delta, CO is having lots of bad stuff on computers, and most of them are connected to Bresnan cable. Can they possibly come through a cable company? Both daughters went down, and I got them back using your suggested tools. Yeah! Thanks, Rick!
Joyce,
I have many customers in the Grand Valley. I have not seen any greater prevalence of viruses on customers who use Bresnan versus other internet service providers.
Bruce
ComboFix should NOT be recommended as a catch-all, run-as-you-will program. It should only be deployed by those trained in its use, and only after an initial analysis of symptoms and logs. The disclaimer of ComboFix clearly states it is for private use only.
I am with Cody. I have managed to kill a few (barely) bootable computers with Combofix. If Combofix tries to repair Windows OS critical files it may completely prevent the PC from booting. Someone who does not know how to salvage a corrupt Windows OS or how to re-load Windows should leave Combofix for the experts.
Again, be careful to be sure. And also keep in mind that sometimes the shortest and only route to completely fixing an infected system is reformatting and starting over.
I have cleaned up over 10,000 (ten thousand) machines from nasties with ComboFix in regular mode, AFTER turning off System Restore.
Works every single time. No need to run it in Safe Mode.
Is it true that you don’t get Spyware problems in Ubuntu?
Steve –
Linux systems (of which Ubuntu is one flavor) aren't susceptible to viruses, spyware, etc. like Windows machines are.
Linux is still vulnerable to other things, but it is much more resilient against spyware, and its security model is much more coherent and intuitive than Windows'.
Here’s a nice article that talks a little bit about Ubuntu security that might help you as well.
http://www.itsecurity.com/features/ubuntu-secure-install-resource/
Great link, thanks Matt!
Yes, it is true.
Familiarity with the Windows Task Manager is one of the things I stress repeatedly to my clients. I tell them to a) remove the Windows Task Manager, b) replace it with Process Explorer (from SysInternals.com), and c) look at it from time to time. Know how many processes should be running on your machine. What kind of system resources are being consumed in normal usage? Task Manager or Process Explorer can be the best indicator(s) that something isn't right with your Windows PC.
Karl A. Krogmann
Aging Uber Nerd
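The "know what should be running" advice above can be turned into a repeatable check. The following PowerShell script is an added example, not code from the article or any commenter: run it once in baseline mode on a machine you trust, then later in compare mode to list processes that were not in the baseline and running images whose Authenticode signature is not valid. The baseline file path and the parameter names are assumptions for the example; run it from an elevated prompt so image paths are readable.

```powershell
# Added example: snapshot running processes and diff a later snapshot against a clean baseline.
# Assumes an elevated PowerShell 5.1+ session; $BaselinePath is a hypothetical location.
param(
    [ValidateSet('baseline', 'compare')]
    [string]$Mode = 'compare',
    [string]$BaselinePath = "$env:USERPROFILE\process-baseline.csv"
)

function Get-ProcessSnapshot {
    # One row per distinct (name, image path): signature status comes from Get-AuthenticodeSignature.
    Get-Process | ForEach-Object {
        $path = $null
        try { $path = $_.Path } catch { }      # protected/system processes expose no path
        $sig = 'Unknown'
        if ($path -and (Test-Path -LiteralPath $path)) {
            $sig = (Get-AuthenticodeSignature -FilePath $path).Status.ToString()
        }
        [pscustomobject]@{ Name = $_.ProcessName; Path = $path; Signature = $sig }
    } | Sort-Object Name, Path -Unique
}

if ($Mode -eq 'baseline') {
    Get-ProcessSnapshot | Export-Csv -NoTypeInformation -Path $BaselinePath
    "Baseline of running processes written to $BaselinePath"
    return
}

if (-not (Test-Path -LiteralPath $BaselinePath)) {
    throw "No baseline at $BaselinePath; run with -Mode baseline on a known-clean machine first."
}
$baseline = Import-Csv -Path $BaselinePath
$current  = Get-ProcessSnapshot

# Processes present now but absent from the clean baseline ('=>' side of the comparison).
$new = Compare-Object -ReferenceObject $baseline -DifferenceObject $current -Property Name, Path |
       Where-Object { $_.SideIndicator -eq '=>' }

"Processes not present in the baseline:"
$new | Select-Object Name, Path | Format-Table -AutoSize

# Independent second check: images whose signature is missing, broken, or untrusted.
"Running images whose Authenticode signature is not 'Valid':"
$current | Where-Object { $_.Path -and $_.Signature -ne 'Valid' } |
    Format-Table Name, Path, Signature -AutoSize
```

A process that is new since the baseline and also unsigned is the kind of entry Process Explorer would make you look twice at; an unfamiliar but validly signed image is usually just an update or a newly installed program.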
How much luck are you having with your clients actually using/following this advice?
Rick,
I noticed you don't have AVG on your links anymore. Why??? Is the new version too much of a pain, or what?