Spyware Removal Guide

PsycoGeek


Postby PsycoGeek » Wed Sep 22, 2004 10:07 am

Thought I would share this with you all:

Spyware Removal:

This guide is meant for people running a WIN32 platform (Windows 2000 and Windows XP). You will have to do your best to adapt this to your PC if you still have Win 9x (Windows 95/98/ME). Sorry...

Disclaimer: This is a guide. If you do not feel comfortable doing anything contained here, don't do it. I provide the information AS IS, no warranties... Removing the wrong things from the registry can make the PC inoperable. USE CAUTION WHEN DELETING ITEMS FROM THE REGISTRY! There is NO undelete if you remove the wrong thing. Now here's the kicker: some of the spyware out there today can't be completely removed without editing the registry. Please make sure you read it completely before attempting removal of any spyware, and print it out as well.

I will say this, though, to help put your mind at ease about the information provided here. I am an IT professional of 8 years. I did it for a hobby for an additional 4.5 years, and still continue to do so. I developed these procedures and adapted them to home use after weeks of removing spyware where I work. I have it down to all but a science, and no one I have visited in the last 3 weeks has called back with more spyware problems.

Phase One: Download the necessary programs
1. Find and download SpywareBlaster, SpyBot Search and Destroy, and AdAware.

2. Update IE to the latest version if you don't have it, then install all of the patches for it through Windows Update.

Phase Two: Install protection
1. Run spywareblastersetup.exe. After installing, run the program, update its database, and enable all protection.

2. Run the SpyBot exe.
a. During the install use all the defaults and make sure you check the box to run TeaTimer.
b. Once the install is completed, run the program and follow the Quick Start Guide through until you get to "Start using the program". Make sure you do the updates and immunize the system.
c. Do not check for problems yet.

3. Run the AdAware exe.
a. After the install, run the program.
b. Check for updates and download them.
c. Exit the program.

4. Download and run the two .REG files linked below the instructions. They will move the SpyBot TeaTimer from HKEY_CURRENT_USER to HKEY_LOCAL_MACHINE. This is VERY IMPORTANT! If anyone else uses your PC, TeaTimer will be enabled for ALL users. Without doing this it is only enabled for you.

The PC is now ready for the removal process. It is hopefully immune from further attack during the removal.

Phase Three: Starting Removal
1. Reboot the computer in Safe Mode. (Hit F8 just after you see the Windows loading screen and choose Safe Mode.)

2. Go to Start\Run, type in regedit, and hit Enter.

3. Expand regedit to full screen and collapse all folder views in the left-hand pane.

4. Browse to:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

5. Remove any entries in the right-hand pane that do not belong there. Below is a picture of what a typical registry should look like.

[picture of a typical Run key not included in this copy of the post]

6. Check the RunOnce key that is directly below the Run key. Remove any entries there that do not belong.

NOTE: How do I know what belongs there and what doesn't? Easy... use the search feature in Windows and find all of the files listed in the right-hand side. Typically, if there is no version information in the file's properties, it isn't something you want running on your PC. Also, any .EXE files running out of the WINNT or Windows folders, WINNT\System32, or Windows\System32 are highly unusual in Safe Mode. Definitely check the properties on these files. If they are a Windows file, the version information will have Microsoft written all over it.

7. Collapse the HKEY_LOCAL_MACHINE hive and browse to the following:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

8. Remove any entries there that do not belong.

9. Check the RunOnce key that is directly below the Run key in step 6. Remove any entries there that do not belong.

10. Right-click on the Task Bar and run Task Manager. Select the Processes tab. End Task on all unknown processes.

11. Open up Internet Explorer and go to http://www.spywareinfo.com. On the left-hand side there is a link to an online spyware scanner (it is below the picture of the t-shirt). Follow the link and run the scanner, and remove everything it finds. *Note: you will be prompted by SpyBot's registry protection to add a key for the scanner's ActiveX component; allow the change. Also, pay attention to the prompts for adding keys (you can just allow all removals), as it may be a program (spyware) attempting to reinstall itself. Do not allow these changes.

12. Reboot the PC when the scan is completed. Once again, boot into Safe Mode with Networking Support.

Phase Three: Continuing the Removal Process
1. Run SpyBot and Check for Problems. Fix anything it finds.

2. If SpyBot asks if you want it to run on reboot to remove problems it found but could not remove, say YES.

3. If you have been prompted for a reboot, reboot the PC and again start in Safe Mode w/Network Support. SpyBot should run before you get to the desktop and prompt you to remove problems. If it asks for ANOTHER reboot, do not.

4. Run AdAware with a Custom scan.

5. Check off the following: Scan within archives, Scan my IE Favorites for banned URLs, Scan my Hosts file. Click on Proceed.

6. Click Next and perform a system scan. AdAware may prompt you to allow it to run on a reboot to fix problems it could not. Select YES and reboot the system, bringing it back up in Safe Mode w/Network Support.

7. Run all three scans in the above steps again, removing anything else they find. Do not reboot the PC if prompted.

Phase Four: Final Check
1. Reboot the PC normally.

2. Open up Internet Explorer and go to http://www.pandasoftware.com/activescan. Follow the prompts to run the program. You can use bob@bob.org (a bogus account that will avoid allowing them to send you periodic e-mails on their products). SpyBot will prompt you for a registry key for the ActiveX control for the program; allow the change.

3. Run SpyBot and check the system again. You can also run AdAware as a double check. If the system is clean (with the exception of a DSO exploit and/or an Alexa entry in the registry) you are done.

REG Files:
http://home.comcast.net/~psycogeek/spyware_guide/SpyBot_TeaTimer_UNREG.reg
http://home.comcast.net/~psycogeek/spyware_guide/SpyBot_TeaTimer_REG.reg
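An added example that is not part of PsycoGeek's post: a PowerShell script that walks the four Run/RunOnce keys from Phase Three (steps 4 through 9) and applies the checks from the NOTE (missing version information, executable living in the Windows directory) so you can review the list before touching anything in regedit. It only reports; it deletes nothing. It assumes a Windows version that ships PowerShell (Windows 2000 and XP, the page's targets, did not, so this is for a modern machine following the same procedure), and the function names Resolve-AutorunPath and Get-AutorunReport are my own.

```powershell
# Added example, not from the original post. Assumes Windows PowerShell 5.1
# or later; Resolve-AutorunPath and Get-AutorunReport are names I chose.

function Resolve-AutorunPath {
    param([string]$Command)
    # Expand %SystemRoot%-style variables, then separate the program from its arguments.
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 0) { return $cmd.Substring(1, $end - 1) }
    }
    # Unquoted command line: take everything up to the first executable extension.
    $m = [regex]::Match($cmd, '^(.*?\.(exe|com|scr|bat|cmd|pif))(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($cmd -split '\s+')[0]
}

function Get-AutorunReport {
    # The same four keys the guide has you inspect by hand in regedit.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    $windowsDir = [regex]::Escape($env:SystemRoot)
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $regKey = Get-Item -Path $key
        foreach ($name in $regKey.GetValueNames()) {
            if ($name -eq '') { continue }          # skip the (Default) value
            $command = [string]$regKey.GetValue($name)
            $path    = Resolve-AutorunPath $command
            $exists  = Test-Path -LiteralPath $path -PathType Leaf
            $company = $null; $description = $null
            if ($exists) {
                # This is the "version information" the NOTE tells you to check.
                $vi          = (Get-Item -LiteralPath $path).VersionInfo
                $company     = $vi.CompanyName
                $description = $vi.FileDescription
            }
            $flags = @()
            if (-not $exists) {
                $flags += 'FILE-MISSING'
            } elseif ([string]::IsNullOrWhiteSpace($company)) {
                $flags += 'NO-VERSION-INFO'
            }
            if ($path -match "^$windowsDir") { $flags += 'RUNS-FROM-WINDOWS-DIR' }
            [pscustomobject]@{
                Key         = $key
                Name        = $name
                Path        = $path
                Company     = $company
                Description = $description
                Flags       = ($flags -join ',')
            }
        }
    }
}

# Flagged rows are the ones to look up by hand; a legitimate Windows component
# will normally show Microsoft as the company even when it runs from System32.
Get-AutorunReport | Sort-Object Key, Name | Format-Table -AutoSize -Wrap
```

Run it from an elevated prompt so both hives are readable. A RUNS-FROM-WINDOWS-DIR flag on its own is not proof of anything; combined with NO-VERSION-INFO or FILE-MISSING it is the pattern the guide says to check the properties of before deciding whether the entry belongs.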

PsycoGeek

Postby PsycoGeek » Wed Sep 22, 2004 10:08 am

Spywareinfo.com has been down a lot lately. Good luck in removing the spyware!
