My New Spyware/Virus Removal Procedure

Thread starter: Steve Winograd [MVP]

Steve Winograd [MVP]

Hi, Everyone.

I've recently changed the spyware/virus removal procedure that I use
to clean up clients' 2000/XP computers, and I'd like to know how your
experience compares with mine and if you have suggestions for other
tools.

I carry the latest versions (programs and definition files) of several
removal tools on a USB thumb drive for use on clients' computers.

My former procedure was:

1. Run Ad-Aware SE Personal.
2. Run Spybot Search & Destroy.
3. If the client has a working antivirus program, update and run it.
4. If the client doesn't have a working antivirus program, run Trend
Micro Sysclean.

However, in the last few weeks, that doesn't seem to do the job.
Recently, I've had situations where:

A. Microsoft AntiSpyware Beta removed items left by Ad-Aware and
Spybot.

B. F-Secure BlackLight rootkit eliminator removed items left by MAS.

C. Free Avast! 4 Home Edition removed items left by Sysclean.

So, my new procedure is:

1. Run F-Secure BlackLight rootkit eliminator.
2. Run Microsoft AntiSpyware Beta.
3. If the client has a working antivirus program, update and run it.
4. If the client doesn't have a working antivirus program, install and
run Avast! 4 Home Edition or AVG 7.0 Antivirus.

For Win9x computers, I use Ad-Aware and Spybot and do initial virus
removal using F-Prot for DOS.
--
Thanks,
Steve Winograd, MS-MVP (Windows Networking)

Microsoft Most Valuable Professional Program
http://mvp.support.microsoft.com
 

Steve Winograd [MVP]

"Steve said:
[snipped]

I forgot to mention some tools that I use to check the results of the
other spyware removers: HijackThis, CoolWebShredder (original and
Intermute versions), BHODemon, Msconfig Startup tab.
--
Best Wishes,
Steve Winograd, MS-MVP (Windows Networking)

Microsoft Most Valuable Professional Program
http://mvp.support.microsoft.com
 

plun

Steve said:
So, my new procedure is:

1. Run F-Secure BlackLight rootkit eliminator.
2. Run Microsoft AntiSpyware Beta.
3. If the client has a working antivirus program, update and run it.
4. If the client doesn't have a working antivirus program, install and
run Avast! 4 Home Edition or AVG 7.0 Antivirus.

Hi

Why don't you, as step 1, "house clean" all temporary files?

It saves a lot of scanning time, eliminates hidden spyware,
and makes a PC much faster.
 

Andre Da Costa

I agree a lot with that one Plun, and do a lot of scanning in safe mode and
remember to disable System restore for doing so.
 

plun

Andre said:
I agree a lot with that one Plun, and do a lot of scanning in safe mode and
remember to disable System restore for doing so.

I do not agree about disabling system restore, this is a
last resort.
 

Andre Da Costa

This is when you are going into safe mode to do the scan, and then re-enable
it after doing the scan. I didn't recommend it as an all-the-while thing.
 

Jim Byrd

Hi Andre - For a somewhat different view, extracted from my Blog, Defending
Your Machine, here: http://defendingyourmachine.blogspot.com/


If you're using WindowsME or WindowsXP, SysClean (and the other cleaning
tools below) may find infections within Restore Points which it will be
unable to clean. You may choose to disable Restore if you're on XP or ME
(directions here:
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm) which will
eliminate ALL previous Restore Points, or alternatively, you can wait until
cleaning is completed and then use the procedure within the *********'s
below to delete all older, possibly infected Restore Points and save a new,
clean one. This approach is in the spirit of "keep what you've got" so that
you can recover to an at least operating albeit infected system if you
inadvertently delete something vital, and is the approach I recommend that
you take.


and


*******ONLY IF you've successfully eliminated the malware, you can now make
a new, clean Restore Point and delete any previously saved (possibly
infected) ones. The following suggested approach is courtesy of Gary
Woodruff: For XP you can run a Disk Cleanup cycle and then look in the More
Options tab. The System Restore option removes all but the latest Restore
Point. If there hasn't been one made since the system was cleaned you should
manually create one before dumping the old possibly infected ones.*******
 

JoeM

I take the hard drive out of the user's computer and scan it with Norton 2005.
Then I put the hard drive back into the computer and scan it with Adaware & MSAS.
I do not like any other antivirus programs; Norton does a very good job.
 

plun

Jim said:
Hi Andre - For a somewhat different view, extracted from my Blog, Defending
Your Machine, here: http://defendingyourmachine.blogspot.com/
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm)

I have a problem understanding any logic in disabling System
Restore.

Almost all antivirus programs can identify in which specific
restore point an infected file hides.

If we then follow this KB from MS, it is possible to remove
that specific RP.

http://support.microsoft.com/default.aspx?scid=kb;en-us;309531

This is strange, and I really hope that MSAS also can
identify specific RPs containing hidden spyware.
 

Steve Wechsler [MVP]

The KB article does not recommend removing individual RP's, plun, it's
just showing a way to view the Sys Vol folder.
I would _not_ recommend mucking about with the restore hierarchy.
Perhaps in Longhorn one may be able to remove RP's ...

Steve Wechsler (akaMowGreen)
MS-MVP 2004-2005

==============
*-343-* FDNY
Never Forgotten
===============
 

Steve Wechsler [MVP]

Hi Steve ... fancy meeting you here !
So, my new procedure is:

1. Run F-Secure BlackLight rootkit eliminator.
2. Run Microsoft AntiSpyware Beta.
3. If the client has a working antivirus program, update and run it.
4. If the client doesn't have a working antivirus program, install and
run Avast! 4 Home Edition or AVG 7.0 Antivirus.

Agree with 1, but I do the virus scanning second, followed by MSAS.
For 3 I like to run another AV tool, e.g. Sysclean, Clrav, etc., in Safe
Mode prior to firing up the installed AV.
Then run the installed AV in Safe, also.

One can empty the TIF and Temp prior to scanning to save time, but,
knowing what's been seeded into these folders is quite helpful in
identifying the infestation/infection in cases where the malware is
relatively new.

Steve Wechsler (akaMowGreen)
MS-MVP 2004-2005

===============
*-343-* FDNY
Never Forgotten
===============
 

plun

Steve said:
The KB article does not recommend removing individual RP's, plun, it's
just showing a way to view the Sys Vol folder.
I would_not_recommend mucking about with the restore hierarchy.
Perhaps in Longhorn one may be able to remove RP's ...

Well, if you look at this Sys Vol folder it is just standard
folders, RPXXX.

I have removed specific RPs with no problem, and I can't
understand why antivirus/spyware software cannot do the same.

No need for Longhorn..... ;)
 

plun

Steve said:
One can empty the TIF and Temp prior to scanning to save time, but,
knowing what's been seeded into these folders is quite helpful in
identifying the infestation/infection in cases where the malware is
relatively new.

Hi

Well, within TIF we maybe can see symptoms, and for some
spyware also the root of it, but for all of them we have the
running processes, and I think that's enough.

Must be a lot of hidden secrets about this temporary junk,
and all MVPs also protecting this junk........hmmmm ? ;)
 

Steve Winograd [MVP]

Hi Steve ... fancy meeting you here !


Agree with 1, but I do the virus scanning second, followed by MSAS.
For 3 I like to run another AV tool, i.e. Sysclean, Clrav,etc., in Safe
Mode prior to firing up the installed AV.
Then run the installed AV in Safe, also.

One can empty the TIF and Temp prior to scanning to save time, but,
knowing what's been seeded into these folders is quite helpful in
identifying the infestation/infection in cases where the malware is
relatively new.

Hi, Mow. Here are a few more notes on my usual procedure. Please
comment:

I start by running HijackThis and saving the log file to get a picture
of the computer's initial condition.

Then, I either disable System Restore or use Disk Cleanup to remove
all but the latest restore point. I don't want to waste time by
scanning old restore points on an infected system. If the system is
in reasonably good shape, I might make a new restore point in case
something goes wrong during cleanup. So far, I've never had anything
go wrong during cleanup that would require a restore.

Then, I empty TIF, C:\Windows\Temp, and C:\Documents and
Settings\{User name}\Local Settings\Temp to save time in scans.

I'm down on Sysclean right now, since it runs slowly and it missed so
many infections in a recent job. I wasn't aware of Clrav -- thanks
for pointing it out. I don't generally use limited removal tools like
Clrav or McAfee Stinger, but if Clrav runs fast, I might.

I use F-Prot for Windows as the antivirus program on my main computers
and on my wife's computer. A commercial license is so inexpensive
($50/year for 10 computers) that I sometimes copy it to a client's
computer and run it there. You don't need to install the product --
you can run it from a command prompt, just like F-Prot for DOS, using
the "fpcmd.exe" file. And, unlike the DOS version, it understands
NTFS and long file names.

I sometimes do an on-line scan (McAfee, Trend, Symantec) after running
the installed AV and getting Internet access working.

I follow up all the tools by looking at Msconfig | Startup and
manually removing any suspicious objects and the registry keys or
files that they reference.
--
Best Wishes,
Steve Winograd, MS-MVP (Windows Networking)

Please post any reply as a follow-up message in the news group
for everyone to see. I'm sorry, but I don't answer questions
addressed directly to me in E-mail or news groups.

Microsoft Most Valuable Professional Program
http://mvp.support.microsoft.com
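The baseline-then-clean part of the procedure above (record the initial condition, trim the temp folders, review the startup entries) as a PowerShell script. This is an added example, not code from the thread or from any of the tools it names (HijackThis, BHODemon, Msconfig). It assumes PowerShell 2.0 or later (available for XP SP3) running in an administrative console; the log file name and the function names are my own choices. It writes the Run/RunOnce keys, both Startup folders and the installed Browser Helper Objects to a log, lists what is in the temp folders before emptying them, and then empties them.

```powershell
# Added example (not from the thread): snapshot the autostart locations the
# posters check by hand, record the temp-folder contents, then empty them.
# Assumes PowerShell 2.0+ and an elevated console. Log path is an assumption.
$Log = Join-Path $env:USERPROFILE 'cleanup-baseline.txt'

function Write-Section([string]$Title) {
    Add-Content -Path $Log -Value ("`n=== {0} ===" -f $Title)
}

function Export-AutostartInventory {
    Write-Section 'Registry Run / RunOnce entries'
    $runKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Get-ItemProperty adds PSPath/PSChildName etc.; skip those.
            if ($p.Name -like 'PS*') { continue }
            Add-Content -Path $Log -Value ("{0}  {1} = {2}" -f $key, $p.Name, $p.Value)
        }
    }

    Write-Section 'Startup folders'
    # Shell Folders values resolve correctly on 2000/XP as well as later versions.
    $startupDirs = @(
        (Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders').'Startup',
        (Get-ItemProperty 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders').'Common Startup'
    )
    foreach ($dir in $startupDirs) {
        Get-ChildItem -Path $dir -Force -ErrorAction SilentlyContinue |
            ForEach-Object { Add-Content -Path $Log -Value ("{0}  {1}" -f $dir, $_.Name) }
    }

    Write-Section 'Browser Helper Objects'
    $bhoKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    Get-ChildItem -Path $bhoKey -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid = $_.PSChildName
        # Resolve each CLSID to the DLL that implements it (what BHODemon shows).
        $server = Get-ItemProperty -Path ("Registry::HKEY_CLASSES_ROOT\CLSID\{0}\InprocServer32" -f $clsid) -ErrorAction SilentlyContinue
        $dll = if ($server) { $server.'(default)' } else { '<no InprocServer32>' }
        Add-Content -Path $Log -Value ("{0}  {1}" -f $clsid, $dll)
    }
}

function Clear-TempFolders {
    $tempDirs = @(
        $env:TEMP,
        (Join-Path $env:windir 'Temp'),
        [Environment]::GetFolderPath('InternetCache')   # Temporary Internet Files
    )
    foreach ($dir in $tempDirs) {
        if (-not (Test-Path $dir)) { continue }
        Write-Section ("Contents of {0} before emptying" -f $dir)
        # Keep names, sizes and timestamps: what was seeded here can help
        # identify a new variant even after the files themselves are gone.
        Get-ChildItem -Path $dir -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer } |
            ForEach-Object { Add-Content -Path $Log -Value ("{0,12}  {1}  {2}" -f $_.Length, $_.LastWriteTime, $_.FullName) }
        # Files in use (e.g. the IE cache index) are skipped silently.
        Get-ChildItem -Path $dir -Force -ErrorAction SilentlyContinue |
            Remove-Item -Recurse -Force -ErrorAction SilentlyContinue
    }
}

Export-AutostartInventory
Clear-TempFolders
Write-Host ("Baseline written to {0}" -f $Log)
```

Run it once before the scanning passes. The temp listing is the compromise between the two views in the thread: the folders are emptied to save scan time, but a record of what was in them is kept for identifying the infection later.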
 

Steve Wechsler [MVP]

Steve,

Methodologies may vary but the point is to get the malware removed and
determine, as best as one can, that the system is not compromised.
That's for a Home user. For a business environment, flattening, and
restoring an Image is much preferred.

Comments inline:
Hi, Mow. Here are a few more notes on my usual procedure. Please
comment:

I start by running HijackThis and saving the log file to get a picture
of the computer's initial condition.

Then, I either disable System Restore or use Disk Cleanup to remove
all but the latest restore point. I don't want to waste time by
scanning old restore points on an infected system. If the system is
in reasonably good shape, I might make a new restore point in case
something goes wrong during cleanup. So far, I've never had anything
go wrong during cleanup that would require a restore.

Depends on the size of the Restore directory. In most cases it's set to
the Default level and is a waste of time to scan it all. Have never had
anything go wrong here either and have never had to utilize Restore.
Still, I like the "safety net" feature. Would rather have to remove
malware than reinstall the OS.
Then, I empty TIF, C:\Windows\Temp, and C:\Documents and
Settings\{User name}\Local Settings\Temp to save time in scans.

It does save time. BTW, I like to use Task Manager to kill the malware
processes right after identifying them via HijackThis. Then use
MSConfig to prevent them from reloading on startup right after doing so.
I'm down on Sysclean right now, since it runs slowly and it missed so
many infections in a recent job. I wasn't aware of Clrav -- thanks
for pointing it out. I don't generally use limited removal tools like
Clrav or McAfee Stinger, but if Clrav runs fast, I might.

<AOL> Me, too ! </AOL> Sysclean *used* to identify what Trend terms
grayware before other AV vendors did. Am not finding this the case
lately. KAV will find these and have taken to installing a trial version
of it to make the first pass IF it appears to be a newer variant.
I use F-Prot for Windows as the antivirus program on my main computers
and on my wife's computer. A commercial license is so inexpensive
($50/year for 10 computers) that I sometimes copy it to a client's
computer and run it there. You don't need to install the product --
you can run it from a command prompt, just like F-Prot for DOS, using
the "fpcmd.exe" file. And, unlike the DOS version, it understands
NTFS and long file names.

Thanks for the info on F-Prot.
I sometimes do an on-line scan (McAfee, Trend, Symantec) after running
the installed AV and getting Internet access working.

Don't tell Chris Q. about that ;)
It never hurts to seek a second opinion and that's what online AV
scanners are.
I follow up all the tools by looking at Msconfig | Startup and
manually removing any suspicious objects and the registry keys or
files that they reference.

See above.

Steve Wechsler (akaMowGreen)
MS-MVP 2004-2005

===============
*-343-* FDNY
Never Forgotten
===============
 

Steve Winograd [MVP]

[snip]

It does save time. BTW, I like to use Task Manager to kill the malware
processes right after identifying them via HijackThis. Then use
MSConfig to prevent them from reloading on startup right after doing so.

Some malware seems to have multiple processes that look out for each
other. If you kill one, the others bring it back. How do you deal
with that using Task Manager? I use WinPatrol, which can kill
multiple processes simultaneously.
<AOL> Me, too ! </AOL> Sysclean *used* to identify what Trend terms
grayware before other AV vendors did. Am not finding this the case
lately. KAV will find these and have taken to installing a trial version
of it to make the first pass IF it appears to be a newer variant.


Thanks for the info on F-Prot.


Don't tell Chris Q. about that ;)

I'm not even going to ask why.
It never hurts to seek a second opinion and that's what online AV
scanners are.

I've had a case where the Symantec on-line scanner found items missed
by multiple AV programs.

BTW, the Microsoft Malicious Software Removal Tool now claims to
remove the Hacker Defender user-mode rootkit. I'm adding it to my
toolbox:

http://www.microsoft.com/security/malwareremove/default.mspx
--
Best Wishes,
Steve Winograd, MS-MVP (Windows Networking)

Please post any reply as a follow-up message in the news group
for everyone to see. I'm sorry, but I don't answer questions
addressed directly to me in E-mail or news groups.

Microsoft Most Valuable Professional Program
http://mvp.support.microsoft.com
 

Steve Wechsler [MVP]

Some malware seems to have multiple processes that look out for each
other. If you kill one, the others bring it back. How do you deal
with that using Task Manager? I use WinPatrol, which can kill
multiple processes simultaneously.

Kill the right one. Easier said than done. I just rely on instinct to
finger the culprit. Will check out WinPatrol as those instincts are
approaching senior status ;)

Steve Wechsler (akaMowGreen)
MS-MVP 2004-2005

===============
*-343-* FDNY
Never Forgotten
===============
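For the "processes that look out for each other" problem discussed above, the following PowerShell function (an added example, not part of the thread and not WinPatrol's code) stops a named set of processes in a single Stop-Process call instead of one at a time from Task Manager, then watches whether any of the same names come back under a new PID. A respawn is the signal that a watchdog component is still running and has to be found before the cleanup can hold. It assumes PowerShell 2.0 or later and an elevated console; the function name and the process names in the usage line are constructed placeholders.

```powershell
# Added example (not from the thread): kill a set of suspected processes
# together and report any that respawn. Process names are placeholders.
function Stop-ProcessSet {
    param(
        [Parameter(Mandatory = $true)][string[]]$Names,
        [int]$WatchSeconds = 10
    )

    $targets = @(Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $Names -contains $_.ProcessName })
    if ($targets.Count -eq 0) {
        Write-Host 'None of the named processes is running.'
        return
    }

    # Record PID and image path before killing anything, for the report.
    foreach ($p in $targets) {
        $path = '<access denied>'
        try { $path = $p.MainModule.FileName } catch { }
        Write-Host ("PID {0,6}  {1,-24} {2}" -f $p.Id, $p.ProcessName, $path)
    }
    $oldIds = @($targets | ForEach-Object { $_.Id })

    # One Stop-Process call for the whole set, so a watchdog process gets as
    # little time as possible to restart its partner.
    Stop-Process -InputObject $targets -Force -ErrorAction SilentlyContinue

    # Poll for respawns: same name, but a PID that was not in the original set.
    $deadline = (Get-Date).AddSeconds($WatchSeconds)
    while ((Get-Date) -lt $deadline) {
        Start-Sleep -Milliseconds 500
        $back = @(Get-Process -ErrorAction SilentlyContinue |
            Where-Object { $Names -contains $_.ProcessName -and $oldIds -notcontains $_.Id })
        if ($back.Count -gt 0) {
            foreach ($p in $back) {
                Write-Warning ("{0} respawned as PID {1}; a second component restarted it" -f $p.ProcessName, $p.Id)
            }
            return $back
        }
    }
    Write-Host 'No respawn observed within the watch window.'
}

# Usage (placeholder names; replace with what HijackThis or Task Manager showed):
Stop-ProcessSet -Names @('example-dropper', 'example-watchdog') -WatchSeconds 10
```

If a name respawns, the returned process objects carry the new PIDs; their parent or the autostart entry that relaunched them is the next thing to look at, which is where the Msconfig | Startup review in the thread comes in.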
 
