This post is very old and likely contains information that is no longer accurate and links which no longer work. Proceed with caution.
So you’ve found yourself fighting a machine loaded to the gills with crap. Lucky you. Hopefully this helps make the job a little easier. I deal with spyware on pretty much a daily basis. I hate it. The only ones who like it are the ones making money off of it, and I don’t mean the poor techs stuck cleaning up the mess.
This article is geared more toward Windows XP/2k, though it can apply to earlier releases. Some of this may be useful to the home user, but it may be more helpful to those who have to work on many machines (for work, for family, for the neighborhood). I’m open to comments, I’d love it if someone would suggest better methods to accomplish any of the tasks I describe. I’d also appreciate hearing about other utilities that are used.
Please remember that these are not rigid instructions that should be followed to the letter. This is not a how-to that anyone can pick up and follow. Do not blame me if anything you do messes up the PC you are working on. This article’s main purpose is to provide tips to those who may not have heard of some of these tools or who want a better way of dealing with spyware. This is also a work in progress. I’ll clean it up a bit as I smooth out the details.
Section 1: Learn to love BartPE
I say we dust off; nuke the site from orbit - it’s the only way to be sure.
If you know a drive is infected, why trust anything on it, including the OS? A handy BartPE image with an installation of ClamWin (plugin) and up-to-date definitions helps a lot. You can boot off the CD, scan the HDD and be reasonably confident that the worst of the files are gone, since nothing from the infected disk is running while you do it. The downside is that the system needs a decent amount of RAM and a working CD-ROM that your BIOS can boot from; neither is a problem for any reasonably modern PC. Before something like BartPE came along, I'd yank the whole drive out, hook it up to another PC and scan it there.
Building the BartPE image and adding ClamWin are left as exercises for the reader. BartPE has plenty of documentation, and it’s not as hard as it may seem at first. You can forget about BartPE unless you have access to Windows XP installation media.
Remember to unpack the ClamWin definitions before running the program. If you have a broadband connection, you can even use the online update to get the latest defs right from within BartPE.
Unless you change the clamwin.conf for the plugin before burning the image, you will need to manually set it to move/delete the files. I have it move them into a quarantine directory. I use something like c:\qtn - just in case it's a critical file that gets moved, and also to keep the files around if they are needed for further analysis.
While ClamWin scans, go watch a movie or do something much less stressful than cleaning up a PC. It will take a while anyhow.
When the scan is over, make sure to save a copy of the log to the HDD, and note which viruses were found. It's a good idea to look each name up and check what, if any, other changes (registry entries, services, hosts file) may be needed to remove it entirely; a file scanner only deletes the files it recognizes.
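Working through a long ClamWin log by hand is tedious, so here is an added example (my own, not part of the original post or of ClamWin) that pulls the detections out of a log and groups them by signature name, which is the list you then go and look up. It assumes the clamscan text format that ClamWin writes: one "path: SIGNATURE FOUND" line per hit and a SCAN SUMMARY block at the end. The log below is constructed sample data with made-up signature names and paths.

```python
"""Summarise a ClamWin/ClamAV scan log: which signatures fired, and on which files."""
import re
from collections import defaultdict

# One detection per line: "<path>: <signature> FOUND". Windows paths never contain
# ": " so the lazy match stops at the separator, not inside the path.
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")
INFECTED_RE = re.compile(r"^Infected files: (\d+)$")

# Constructed sample log (not a real scan); names are placeholders.
SAMPLE_LOG = """\
Scan Started Sun Jan 01 14:02:11 2006

C:\\WINDOWS\\system32\\zz_loader.dll: Sample.Trojan-1 FOUND
C:\\WINDOWS\\system32\\drivers\\etc\\hosts: OK
C:\\Program Files\\Common Files\\Helper\\helper.exe: Sample.Adware-2 FOUND
C:\\Documents and Settings\\fluffy\\Local Settings\\Temp\\tmp1.exe: Sample.Trojan-1 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 46321
Scanned files: 58213
Infected files: 3
"""


def parse_scan_log(text):
    """Return {signature: [paths]} for every FOUND line; OK lines and the summary are ignored."""
    hits = defaultdict(list)
    for raw in text.splitlines():
        m = FOUND_RE.match(raw.rstrip())
        if m:
            hits[m.group("sig")].append(m.group("path"))
    return dict(hits)


def infected_files_reported(text):
    """The count the scanner itself wrote in the summary, or None if there is no summary."""
    for raw in text.splitlines():
        m = INFECTED_RE.match(raw.strip())
        if m:
            return int(m.group(1))
    return None


def summarise(hits):
    """[(signature, count)] sorted by count descending, then name: the lookup list."""
    return sorted(((sig, len(paths)) for sig, paths in hits.items()),
                  key=lambda t: (-t[1], t[0]))


def log_is_consistent(text):
    """True when the FOUND lines add up to the summary's count. A mismatch usually
    means the log was truncated or edited, so don't treat it as a complete record."""
    reported = infected_files_reported(text)
    counted = sum(len(p) for p in parse_scan_log(text).values())
    return reported is not None and reported == counted


if __name__ == "__main__":
    hits = parse_scan_log(SAMPLE_LOG)
    for sig, n in summarise(hits):
        print(f"{n:3d}  {sig}")
        for path in hits[sig]:
            print("      ", path)
    print("log consistent with summary:", log_is_consistent(SAMPLE_LOG))
```

Run it against the saved log instead of SAMPLE_LOG to get the per-signature list; the consistency check is there because a log that stops short of the summary (scanner crashed, CD ejected) is easy to mistake for a clean finish.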
After a good scan with ClamWin, you can also use a file manager to browse around looking for suspicious files. Looking at the Windows and System32 directories sorted by date can make some malicious files show up easily. Knowing what’s good and what’s bad still takes a trained eye, but it will give you a list of files that you can look up, inspect closer, or move out of the way temporarily (perhaps to the quarantine directory made for ClamWin). You may also want to take a look around the Program Files directory, and the Common Files directory under there. A less common place for them to hide is in the Application Data folder under individual users, but it’s worth checking out.
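The sort-by-date pass and the quarantine directory from earlier go together naturally, so here is an added example (mine, not a tool from the post) that lists files modified in the last N days under whatever directories you point it at, and moves a suspect into a quarantine tree that keeps the original path and a manifest so the move can be undone if the file turns out to be legitimate. It uses only the standard library; the quarantine root (c:\qtn in the post) and the directories to walk are parameters, and demo() builds a constructed tree in a temporary directory rather than touching a real system.

```python
"""Date-based triage of system directories plus a reversible quarantine."""
import os
import shutil
import tempfile
import time

MANIFEST = "manifest.txt"


def recent_files(roots, days):
    """[(mtime, path)] for files under `roots` modified within `days`, newest first."""
    cutoff = time.time() - days * 86400
    found = []
    for root in roots:
        for dirpath, _subdirs, names in os.walk(root):
            for name in names:
                path = os.path.join(dirpath, name)
                try:
                    st = os.stat(path)
                except OSError:  # unreadable or vanished: skip it, don't abort the sweep
                    continue
                if st.st_mtime >= cutoff:
                    found.append((st.st_mtime, path))
    found.sort(reverse=True)
    return found


def quarantine(path, qdir):
    """Move `path` to qdir/<original path minus drive letter> and record it in the manifest.
    Keeping the path shows at a glance where the file lived and lets restore() undo the move."""
    src = os.path.abspath(path)
    _drive, tail = os.path.splitdrive(src)
    dest = os.path.join(qdir, tail.lstrip("\\/"))
    os.makedirs(os.path.dirname(dest), exist_ok=True)
    shutil.move(src, dest)
    with open(os.path.join(qdir, MANIFEST), "a", encoding="utf-8") as f:
        f.write(f"{dest}\t{src}\n")
    return dest


def restore(qdir, original):
    """Put a quarantined file back, looking it up by original path in the manifest."""
    wanted = os.path.abspath(original)
    with open(os.path.join(qdir, MANIFEST), encoding="utf-8") as f:
        for line in f:
            dest, src = line.rstrip("\n").split("\t")
            if src == wanted and os.path.exists(dest):
                os.makedirs(os.path.dirname(src), exist_ok=True)
                shutil.move(dest, src)
                return src
    raise FileNotFoundError(f"{original} is not in quarantine")


def demo():
    """Constructed tree: a month-old file and a fresh one under a fake system32."""
    base = tempfile.mkdtemp(prefix="triage_")
    sys32 = os.path.join(base, "WINDOWS", "system32")
    os.makedirs(sys32)
    old = os.path.join(sys32, "kernel32.dll")      # placeholder name, not a real binary
    fresh = os.path.join(sys32, "zz_loader.dll")   # placeholder name, not a real binary
    for p in (old, fresh):
        with open(p, "w") as f:
            f.write("placeholder")
    month_ago = time.time() - 30 * 86400
    os.utime(old, (month_ago, month_ago))

    recent = [os.path.basename(p) for _, p in recent_files([sys32], days=7)]
    qdir = os.path.join(base, "qtn")
    dest = quarantine(fresh, qdir)
    quarantined = not os.path.exists(fresh) and os.path.isfile(dest)
    restored = restore(qdir, fresh) == os.path.abspath(fresh) and os.path.isfile(fresh)
    shutil.rmtree(base)
    return {"recent": recent, "quarantined": quarantined, "restored": restored}


if __name__ == "__main__":
    print(demo())
```

On a real run you would call recent_files with the Windows, System32, Program Files\Common Files and per-profile Application Data directories and a window of a week or two, then quarantine by hand after looking each name up. Moving rather than deleting is the whole point: a wrong guess on a system DLL costs a restore() instead of a reinstall.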
If you’re a fan of McAfee Stinger, you can also run that from BartPE. I haven’t had as much success with it as I have with others. I prefer ClamAV/ClamWin and Trend Micro Damage Cleanup. I have had issues running TMDC under BartPE, so I run that in safe mode.
If you've found any other interesting BartPE plugins or if you have anything else you want to do while booted from BartPE, do it now. As you may have noticed, the ACLs on the hard drive don't get in your way while booted from BartPE (everything runs as SYSTEM in a separate OS instance), so you can see everything. Because of that, now is a good time to clean out the temporary files. You can try this little tempcleaner program I scripted up quickly in Python, but it may not work for everyone. If you run it from BartPE it's a good idea to run it again in Safe Mode. The script I wrote will clean out the temp directories for each user as well as the system-wide temp directories. It also clears the Temporary Internet Files folders. Another side effect of being booted off the CD is that it will actually remove the index.dat files, which you can't delete while logged into the installed OS because they are held open.
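The author's tempcleaner script isn't reproduced here, so the following is an added example of my own that does the same job: it walks the default XP/2000 profile layout under "Documents and Settings", empties each user's Temp and Temporary Internet Files folders plus the system-wide Windows\Temp, and counts what it could not delete (index.dat on a live system lands in that count, which is why the BartPE pass matters). It assumes the default directory names; pass the mounted volume root (for example "C:\" from BartPE), and demo() builds a constructed volume in a temporary directory instead.

```python
"""Empty per-user and system-wide temp directories on an XP/2000 volume."""
import os
import shutil
import stat
import tempfile

# Default locations (assumed), relative to a profile directory or the volume root.
USER_TEMP_SUBDIRS = (
    os.path.join("Local Settings", "Temp"),
    os.path.join("Local Settings", "Temporary Internet Files"),
)
SYSTEM_TEMP_SUBDIRS = (
    os.path.join("WINDOWS", "Temp"),  # XP
    os.path.join("WINNT", "Temp"),    # 2000
)


def profile_dirs(volume):
    """Every profile directory under Documents and Settings (empty list if absent)."""
    ds = os.path.join(volume, "Documents and Settings")
    if not os.path.isdir(ds):
        return []
    return [os.path.join(ds, n) for n in sorted(os.listdir(ds))
            if os.path.isdir(os.path.join(ds, n))]


def temp_dirs(volume):
    """Temp directories that actually exist: system-wide ones plus a pair per profile."""
    candidates = [os.path.join(volume, s) for s in SYSTEM_TEMP_SUBDIRS]
    for prof in profile_dirs(volume):
        candidates += [os.path.join(prof, s) for s in USER_TEMP_SUBDIRS]
    return [d for d in candidates if os.path.isdir(d)]


def empty_dir(d):
    """Delete everything below d but keep d itself. Returns (removed, failed);
    locked or otherwise undeletable files (index.dat on a live system) count as failed."""
    removed = failed = 0
    for dirpath, subdirs, names in os.walk(d, topdown=False):  # children before parents
        for name in names:
            p = os.path.join(dirpath, name)
            try:
                os.chmod(p, stat.S_IWRITE | stat.S_IREAD)  # clear read-only, common on cache files
                os.remove(p)
                removed += 1
            except OSError:
                failed += 1
        for sub in subdirs:
            try:
                os.rmdir(os.path.join(dirpath, sub))
            except OSError:
                failed += 1
    return removed, failed


def clean_temp(volume):
    """{temp_dir: (removed, failed)} after emptying every temp directory on the volume."""
    return {d: empty_dir(d) for d in temp_dirs(volume)}


def demo():
    """Constructed volume: system temp, one user temp, one IE cache with the usual subtree."""
    base = tempfile.mkdtemp(prefix="vol_")
    layout = {
        os.path.join("WINDOWS", "Temp"): ["setup.log", "~df1234.tmp"],
        os.path.join("Documents and Settings", "Administrator",
                     "Local Settings", "Temp"): ["a.tmp"],
        os.path.join("Documents and Settings", "fluffy", "Local Settings",
                     "Temporary Internet Files", "Content.IE5", "ABCD1234"):
            ["banner[1].gif", "index.dat"],
    }
    for rel, files in layout.items():
        d = os.path.join(base, rel)
        os.makedirs(d)
        for name in files:
            with open(os.path.join(d, name), "w") as fh:
                fh.write("x")
    results = clean_temp(base)
    leftovers = sum(len(names) for d in temp_dirs(base) for _, _, names in os.walk(d))
    summary = {
        "dirs": len(results),
        "removed": sum(r for r, _ in results.values()),
        "failed": sum(f for _, f in results.values()),
        "leftovers": leftovers,
    }
    shutil.rmtree(base)
    return summary


if __name__ == "__main__":
    print(demo())
```

Check the failed count after each pass: a non-zero figure from inside the installed OS is expected (index.dat and whatever is currently open), but a non-zero figure from BartPE means something is genuinely wrong with the volume or its permissions.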
Section 2: Safe Mode is your friend
After you've shut down BartPE, ejected the CD, and started rebooting the PC, smack F8 repeatedly until you get to the boot menu. Choose Safe Mode (I wouldn't choose the Safe Mode With Networking option, as the networking may be broken anyhow). Log in as Administrator, not as a regular user. The built-in Administrator account is offered at the Safe Mode login on both XP Home and Pro, even though XP Home hides it in normal mode.
Once logged in, now is a good time to copy your anti-virus/anti-spyware utilities over to the hard drive, unless they’re already there.
It's probably best to start out by running another virus scan, with something that will also make corrections to the registry if needed. I like using Trend Micro Damage Cleanup (pattern file) for this. Think of it as an all-encompassing removal tool. Norton puts out 50,000 individual scanners, Trend Micro puts out one that gets them all. Be patient with TMDC. It does three passes. The first pass is the quickest and checks for the worst infections. The other two passes scan every file looking for viruses.
After the second pass of TMDC has started, go watch another movie, read part of a book, do a puzzle, or sit in a comfy chair and sip a beverage of your choice.
Just like with the ClamWin scan, when it has finished make sure to save a copy of the log and note what viruses were found.
Whew. After those two full virus scans, you’ve probably gotten the worst of the files that may be lurking around (there are never any absolutes…)
Now it’s time to install Ad-Aware. Before you run it, install an updated defs.ref file into the Ad-Aware directory. You’ll have to download this before you start (it’s on your regularly-updated-and-burned-to-a-cd-rw utilities CD, right?). Run Ad-Aware and let it scan all the way through. Remove whatever it finds, and you may want to make a note of the names of the malware it found.
Similarly, install and run Spybot Search & Destroy. They also have updated definitions that you can download separately.
After the automated tools are done, you can run HijackThis. Several malware packages target this gem specifically, so it's a good idea to rename the executable before you run it. I like to rename it to
It's a good idea to only remove things here that you know are bad. If you have any doubt, post a log of the scan to one of the many boards dedicated to removing spyware, or look up as much as you can. The good news is that HJT does keep backups, but you can still mess up a PC if you use it improperly.
This is another good time to clean out the temporary files. You can do it by hand from a command prompt (cd /d %temp% & rd /s /q . - note that cmd.exe chains commands with &, not ;) or with a
Now for the bad news. Remember all those cool profiles set up on that PC for everyone who would ever touch it? Did your cat really need its own profile? Well, you need to re-run Ad-Aware, Spybot S&D, HijackThis, etc. in each and every profile to be sure that all of the registry settings have been removed: per-user settings live in each profile's own hive (the NTUSER.DAT file, mounted as HKEY_CURRENT_USER), which is only loaded when that user logs in, so a scan from the Administrator account never sees them. You may not be able to log into every profile in Safe Mode, so get as many as you can.
It might be a good idea to have another look at the directories. Check for anything that looks out of place.
At the end you can run special purpose utilities like LSPFix to remove malicious LSP entries, SPHJFix to get rid of the se.dll hijacker, About Buster if SPHJFix didn't help, ADS Spy to look for bad Alternate Data Streams, and whatever else you can find to throw at the problem.
Section 3: Tidying Up
It should be safe to boot into normal mode now. If you couldn't log into a profile in Safe Mode, log in now and run the scans. It isn't ideal, since anything still hooked into that profile's startup will run and could reinfect the whole PC, but it's better to find out now that a problem remains than to leave it to spring up a few days later when Fluffy signs on to check out catnip dealers.
It may be a good time to remove the profiles that aren’t really necessary.
Other things to consider:
Start > Run: sfc /scannow - checks that the protected core Windows files are intact and replaces any that aren't. It may ask for the Windows installation CD if the cached copies in dllcache were also tampered with or removed.
Make sure you have SP2 applied, and run Windows Updates. Ideally get SP2 on from your utilities CD before the machine goes back on the network, since SP2 is what turns the Windows Firewall on by default.