Guide to Spyware/Virus Removal
As we all know, spyware is all too common these days, and as a network analyst my users have taken it upon themselves to increase my job security by visiting the most ad-ridden websites and opening every joke e-mail attachment they can find. Users are frantically calling about antivirus notifications from fake scanners such as:
Antivirus 2009, Antivirus 2011, Total Security, Rapid-antivir-2009, Spyfighter etc…
Spyware, like everything else in technology, has evolved over the past few years. Removing it is no longer as simple as taking the offending .exe out of the startup list and deleting it. Spyware, or "malware" as we call it now, has evolved into ad-based viruses which, if not removed properly, can re-infect the workstation and other workstations on the same network. It isn't uncommon now to see adware that is distributed by means of a Trojan or rootkit.
With all this in mind, I have assembled a list of the tools I have been using to disinfect workstations. I have listed them in the order in which I typically use them, because in many cases you will need multiple tools to remove the spyware at hand. Tricks of the trade, if you will.
Rkill – Lawrence Abrams
Lawrence Abrams (I'm trying to give credit to the authors who developed these tools; if my facts are wrong, please let me know) has created a small tool that attempts to terminate known malware processes and fixes registry values for corrupted file extensions. A lot of malware these days will not let you simply stop the process; in fact most malware will keep you from running things like Task Manager. It typically does this by changing the registry value for the .exe extension so that Windows runs the unwanted process instead.
Please note that rkill does not delete any files, so it is important to scan your workstation before rebooting to help eliminate the infection. You can download rkill from http://download.bleepingcomputer.com/grinler/rkill.com
Unhide – Lawrence Abrams
If you have ever booted your computer to find that all your desktop items and Start menu programs have disappeared, fear not: it is fairly common now for spyware/malware to "hide" these files. This handy little utility scans your drive and resets the file attributes that hide them, returning your workstation to normal working order. Of course, sometimes you may not be able to run unhide, which is why you should use it in conjunction with rkill and a spyware scanner of your choice (I recommend Malwarebytes). You can download unhide from http://download.bleepingcomputer.com/grinler/unhide.exe
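As an added example (not part of the original post, and not code from Rkill or Unhide), this read-only PowerShell audit checks a workstation for the two symptoms described under Rkill and Unhide: a hijacked .exe launch command and user files flipped to Hidden. It assumes the stock Windows value for the .exe command is `"%1" %*`, and it also checks the per-user Classes key alongside HKCR, since a per-user entry overrides the machine-wide one.

```powershell
# Added audit script; report-only, changes nothing on the machine.
# Assumption: the stock .exe launch command on Windows is  "%1" %*
$expectedExeCommand = '"%1" %*'

# Per-user classes override HKCR, so both locations are worth a look.
$exeCommandKeys = @(
    'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command',
    'Registry::HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command'
)

function Test-ExeAssociation {
    foreach ($key in $exeCommandKeys) {
        # The HKCU copy normally does not exist; its presence alone is notable.
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $cmd = (Get-ItemProperty -LiteralPath $key).'(default)'
        [pscustomobject]@{
            Key     = $key
            Command = $cmd
            Status  = if ($cmd -eq $expectedExeCommand) { 'ok' } else { 'SUSPECT' }
        }
    }
}

function Get-HiddenUserItems {
    # Desktop and Start Menu folders for this user and for all users.
    $roots = 'Desktop', 'CommonDesktopDirectory', 'Programs', 'CommonPrograms' |
        ForEach-Object { [Environment]::GetFolderPath($_) } |
        Where-Object { $_ -and (Test-Path -LiteralPath $_) }
    foreach ($root in $roots) {
        Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object {
                # Hidden but not System: desktop.ini and similar are legitimately
                # hidden+system, whereas user shortcuts and folders should not be.
                $_.Attributes.HasFlag([IO.FileAttributes]::Hidden) -and
                -not $_.Attributes.HasFlag([IO.FileAttributes]::System)
            } |
            Select-Object FullName, Attributes
    }
}

'--- .exe file association ---'
Test-ExeAssociation | Format-Table -AutoSize
$hidden = @(Get-HiddenUserItems)
"--- Hidden (non-system) items under Desktop/Start Menu: $($hidden.Count) ---"
$hidden | Format-Table -AutoSize
```

A hijacked command typically points at a file under the user's profile or temp folder rather than the bare `"%1" %*`; run the audit before rkill to record what was changed and again after rkill and a scan to confirm the value is back to normal.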
Malwarebytes
Malwarebytes is, in my opinion, the best spyware scanner available. There is a free version, but I would recommend paying for the real-time scanning ability because it is worth the money. I am currently contemplating whether to use it in a production environment because it works so well. Other notable spyware scanners are SUPERAntiSpyware and Spybot. Malwarebytes is available at www.malwarebytes.org
Microsoft Standalone System Sweeper Tool (MSSST)
As far as I know this utility is still in beta, but if you're stuck in a jam and need to boot into a PE (pre-installation environment) to scan and remove your spyware, this is the tool for you. When run, it prompts you for a blank CD, DVD or USB drive with at least 250 MB free. It then downloads the latest virus/malware definitions and builds a bootable disc/stick so you can boot your workstation and scan/remove the infection without booting into the already infected OS. Other notable bootable scanners are available from AVG and Avast as well. You can download the Microsoft Standalone System Sweeper tool from http://connect.microsoft.com/systemsweeper
Let's recap. For most spyware/malware removal there are 2 main steps:
1. Identify and stop the infected running process. This is where rkill.exe, unhide.exe and ComboFix come in.
2. Thoroughly scan the workstation for any other infections. This is where Malwarebytes, ComboFix and MSSST come in.
Hope this helps. If you have any other tips or tricks for removing spyware, please share them below in the comments section. By request I can also write guides for removing specific spyware/malware infections.