Lately I've had 3 users contract the mother of all adware viruses (not to mention several others that have been infected to a lesser degree with all of the usual offenders i.e. coolbar, sidesearch, hotbar, etc...), and as a result I've become pretty good at removing them "Columbo style" by hand, and would like to share my findings.
This latest, especially nasty piece of spyware/adware manifests itself when IE is opened, doing all of the usual stuff (search hooks, pop-ups, reinstalling itself, installing other spyware, trying to download trojans, adding all kinds of "helpful" search bars, the whole nine yards...). The idea here is not so much to fixate on which piece of malware you have, but rather learning how the game is played- and just being better at it.
I've also received a comment about whether or not to turn system restore off while going through this removal process. As far as I can tell (but I may be wrong), when you are dealing with common adware/spyware this does not seem to be necessary; when a virus is at the core of the matter, however, it's probably a good idea.
ADDENDUM[1]:
Many spyware/adware programs name their files with a randomly generated string (wpoxrtt.exe, for example). This is to confuse scanners and the almighty Google. You can't search on something that has a different name every time! The beauty of this is that while it may confuse scanners, random filename spellings stick out like a sore thumb to someone familiar with common Windows file conventions.
END ADDENDUM[1]
ADDENDUM[2]:
Spybot Search & Destroy (look for it on www.downloads.com or just Google it, it's free...free I say!) does a great job at removing much spyware when updated and run properly, but I've nailed down something that helps it do its thing even better.
After you run Spybot S&D and fix the items that are bad, reboot your machine at once (DO NOT open Internet Explorer or even Windows Explorer at all until after the reboot). Here is my reasoning as to why this helps:
Spybot S&D may fix your registry, but until you reboot the machine, many of the rogue processes set in motion by those bad registry settings are still alive in the machine's memory. If these processes are designed to run a check and download more evil components when you open IE (or Windows Explorer and the like, which use the IE rendering engine component to display directory contents), then they will reinstall those bad settings immediately. By rebooting the machine immediately after running the program, they never make it into memory in the first place.
Try it, it helps!
END ADDENDUM[2]
The iShrubble way of spyware removal (USE AT YOUR OWN RISK!):
Works very well with Windows 98/2000/XP, although the search dialog in Windows 98 is not as full-featured as the NT based releases, so it's just a little more of a pain.
NOTE: If you don't have a copy of HijackThis, get it. It's your mom, your girlfriend/boyfriend, your best friend, and your dog all rolled into one. Also (important)- when I say "delete" or "fix" something, I mean delete or fix it after you've researched that thing and know it to be malicious. Use some common sense here; put the stuff in the recycle bin, and when in doubt, Google. Don't do anything unless you understand why you're doing it!
1) Reboot in safe mode. This keeps the processes that run most of these programs from starting when you boot up. If you try this after a regular boot, many of the .exe and .dll files associated with these programs simply will not delete because they are in use.
Check your running processes (in safe mode) to be sure that they are all legitimate; if you see a process called something like "adshopper.exe" (for instance) running while you're in safe mode, it's a safe bet to kill the process, which will allow you to delete the offending executable later.
2) Update your definitions and run a virus scan in safe mode. Many spyware/adware apps are let in "through the back door" by trojans. If you remove all of the spyware/adware and leave the trojan, it'll just set you up for round two of the same thing.
3) Do a Windows search, via the search dialog, for *.exe (all executables) on the machine, then sort the results by date. It's also not a bad idea to do the same for all files created on that date (especially .dll's), just to see what's there. Evil .dll's are often the reason why, after deleting a bunch of bad stuff, it "magically" reappears.
4) Delete all strange executables (and .dll's) installed on or after the date the spyware first manifested itself (see note above!). Make sure you delete them to the recycle bin, so if you make a bad call, it's easy to restore them to where they belong. Also- doing all of this right through the search dialog ensures that you will find the files no matter where they are hiding.
ADDED NOTE: Many spyware programs appear (to me, at least) to be written in Visual Basic or with MFC in Visual C++. Why is this important? I'm sure many of the programmers in this forum know what the default VB and VC++ MFC icons look like. Most (but not all) spyware/adware writers seldom take the time to give their apps a pretty icon, so seeing a stock VB or MFC icon should set off a red flag. That being said, many valid "under-the-hood" utilities also retain that same stock icon (HP is a serious offender, A LOT of their stuff has the MFC icon)... again, check it before you delete it.
5) Run HijackThis- fix all suspicious entries, especially ones that bear the names of the executables that you just deleted. There are many excellent posts on this site to help you decipher your HijackThis results. Be especially wary of .exe files that start up when the machine boots. If you're not sure about the validity of something, ask your pal Google, he usually knows. KEEP YOUR BACKUPS! Again, see note concerning deletion above.
ALSO- because there are usually multiple instances of svchost.exe processes running at any given time on your machine (this is normal), spyware/adware .exe files are often named this (or something similar) to avoid detection. If you see that svchost.exe was installed on your machine at the same time as the rest of your spyware/adware executables, it's pretty safe to say that that one (and ONLY THAT ONE!) is a hoax.
6) Peruse, with Windows Explorer, all of the directories located in C:/program files/. Often you will find directories with names that are obviously adware (it's almost comical!). I would list some, but believe me, it's obvious. Check the creation date of these directories, and delete the ones created on or after the date of the infection. Again- see above note concerning deletion. You will often see files in these directories with either strange extensions, or no extension at all. Opening these files in notepad will often reveal exactly what kind of information the spyware/adware is storing, or the IP address of the servers providing the content for the popups. You may want to adjust your firewall accordingly.
7) Reboot in normal mode and see what happens! It's worth saying that if you miss just one of the many bad HijackThis registry entries, malicious .exe's, or evil .dll's associated with the particular piece of spyware/adware that you have, there's a good chance that one missed piece contains enough functionality to reinstall everything you just removed, and then some. If that happens, don't lose hope; consider it a learning experience, and repeat the whole process again until you find the "Holy Grail" that puts an end to the whole mess!
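Steps 3 through 5 boil down to a triage pass over the file list: anything executable created on or after the infection date, with the two tells called out above (randomly generated names, and a svchost.exe living somewhere other than the real system directory) highlighted for closer research. The script below is an added example, not part of the original post; it runs over a constructed list of file paths and creation dates standing in for the search dialog's results, and every path, date and file name in it is made up.

```python
"""Triage helper for the by-hand hunt above (added example, constructed data).

Mirrors steps 3-5: report executables/DLLs created on or after the infection
date, and annotate two tells from the post: randomly generated file names and
copies of svchost.exe outside the real system directory.
"""
import datetime as dt
import ntpath
import re
from collections import namedtuple

FileInfo = namedtuple("FileInfo", "path created")

# Where the genuine svchost.exe lives; the post notes impostors reuse the name elsewhere.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\winnt\system32"}
IMPERSONATED = {"svchost.exe"}          # well-known names checked by location, not spelling
SUSPECT_EXT = {".exe", ".dll"}
CONSONANT_RUN = re.compile(r"[bcdfghjklmnpqrstvwxz]{4,}")

def looks_random(filename):
    """Addendum heuristic: no vowels at all, or a long consonant run (e.g. wpoxrtt.exe)."""
    stem = ntpath.splitext(filename)[0].lower()
    if len(stem) < 6:
        return False
    return not (set(stem) & set("aeiouy")) or CONSONANT_RUN.search(stem) is not None

def triage(files, infection_date):
    """Return {path: [reasons]} for files worth researching before deletion."""
    findings = {}
    for f in files:
        directory, name = ntpath.split(f.path.lower())
        if ntpath.splitext(name)[1] not in SUSPECT_EXT:
            continue
        reasons = []
        if f.created >= infection_date:
            reasons.append("created on/after infection date")
            if name not in IMPERSONATED and looks_random(name):
                reasons.append("random-looking file name")
        if name in IMPERSONATED and directory not in SYSTEM_DIRS:
            reasons.append("system file name outside the system directory")
        if reasons:
            findings[f.path] = reasons
    return findings

# Constructed sample standing in for the search dialog's output; nothing here is real.
INFECTION_DATE = dt.date(2004, 11, 3)
SAMPLE = [
    FileInfo(r"c:\windows\system32\svchost.exe", dt.date(2002, 8, 29)),   # genuine, old
    FileInfo(r"c:\windows\system32\wpoxrtt.exe", dt.date(2004, 11, 3)),   # new, random name
    FileInfo(r"c:\windows\svchost.exe", dt.date(2004, 11, 3)),            # new impostor
    FileInfo(r"c:\program files\adshopper\adshopper.exe", dt.date(2004, 11, 4)),
    FileInfo(r"c:\program files\hp\hpqtra08.exe", dt.date(2003, 5, 12)),  # old, stock icon
    FileInfo(r"c:\windows\system32\qkzvbn.dll", dt.date(2004, 11, 3)),    # new, no vowels
]

if __name__ == "__main__":
    for path, reasons in sorted(triage(SAMPLE, INFECTION_DATE).items()):
        print(path, "->", "; ".join(reasons))
```

The output is a research list, not a delete list: as the post says, Google each name before it goes to the recycle bin.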
Hope this helps! Removing this crap by hand gives you a sense of satisfaction similar to building your own machine, or catching a trout on a fly you tied yourself. It's actually kinda fun...
Above all, remember this:
THE LOSER PROGRAMMERS THAT WRITE THESE PROGRAMS ARE NO MORE SKILLED, CLEVER, OR INTELLIGENT THAN YOU. IF THEY WERE, THEY WOULD HAVE REAL JOBS, SERVING AN ACTUAL PURPOSE... INSTEAD OF FORCING THEIR GARBAGE INTO YOUR LIFE. YOU CAN BEAT THEM.