Lately I've had 2 users contract the mother of all adware viruses, and I've become pretty good at removing them "Columbo style" by hand, and would like to share my findings. This especially nasty piece of spyware/adware manifested itself when IE was opened, doing all of the usual stuff (search hooks, pop-ups, reinstalling itself, installing other spyware, trying to download trojans, adding all kinds of "helpful" search bars, the whole nine yards...).
The iShrubble way of spyware removal (USE AT YOUR OWN RISK!):
NOTE: If you don't have a copy of HijackThis, get it. It's your mom, your girlfriend, your best friend, and your dog all rolled into one. Also- when I say "delete" or "fix" something, I mean delete or fix it after you've researched that thing and know it to be malicious. Use some common sense here; put the stuff in the recycle bin, and when in doubt, Google.
1) Reboot in safe mode. This keeps the processes that run most of these programs from starting when you boot up. If you try this after a regular boot, most of the .exe and .dll files associated with these programs will simply not delete, because they are in use.
2) Do a Windows search for *.exe (all executables) on the machine, then sort them by date. It's also not a bad idea to do the same for all files created on that date, just to see what's there.
3) Delete all strange executables installed on or after the date the spyware first manifested itself (see note above!). Make sure you delete them to the recycle bin; if you make a bad call, it's easy to put them back where they belong. Also- doing all of this right through the search dialog ensures that you will find the files no matter where they are hiding.
4) Run HijackThis- fix all suspicious entries, especially ones that bear the names of the executables that you just deleted. Also- because there are usually multiple instances of svchost.exe processes running at any given time on your machine (this is normal), spyware/adware .exe files are often named this (or something similar) to avoid detection. Be especially wary of .exe files that start up when the machine boots. If you're not sure about the validity of something, ask your pal Google, he usually knows. KEEP YOUR BACKUPS! Again, see note above.
5) Peruse, with Windows Explorer, all of the directories located in C:\Program Files\. Often you will find directories with names that are obviously adware (it's almost comical!). I would list some, but believe me, it's obvious. Check the creation date of these directories, and delete the ones created on or after the date of the infection. Again- see above note concerning deletion.
6) Reboot in normal mode and see what happens!
Hope this helps!
deletion mistake
no I can't recover that
you didn't save it
-Shrubble
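Steps 2 through 5 above are a date-based triage, and they script well. The following is an added example (not Shrubble's own tool, and not part of the original post): it sweeps a tree for executables created on or after the infection date, lists the Program Files sub-directories created since then, and flags executables whose name equals or nearly equals a core Windows binary (svchost.exe and friends) but which sit outside the real System32 directory. It only reports candidates; the research-then-recycle-bin rule from the note still applies to every hit. The sample disk layout it runs against is constructed inside the script, and the list of system names it compares against is an illustrative assumption, not a complete one.

```python
"""Triage helpers mirroring the by-hand cleanup in the post (added example,
not the poster's own tool).  They only list candidates; deleting anything is
still the human's decision, after research, into the recycle bin."""
import difflib
import os
import sys
import tempfile
import time
from datetime import datetime
from pathlib import Path

EXEC_SUFFIXES = {".exe", ".dll", ".scr", ".com"}
# Core Windows process names adware likes to imitate (illustrative list, an assumption).
SYSTEM_NAMES = ["svchost.exe", "explorer.exe", "lsass.exe", "winlogon.exe", "csrss.exe"]


def created_at(path: Path) -> datetime:
    """Creation time on Windows (birthtime, or st_ctime on older Pythons).
    On other platforms st_ctime is the inode change time, so use the
    modification time there (the constructed sample tree sets it)."""
    st = path.stat()
    if sys.platform.startswith("win"):
        ts = getattr(st, "st_birthtime", None) or st.st_ctime
    else:
        ts = st.st_mtime
    return datetime.fromtimestamp(ts)


def recent_executables(root, since):
    """Steps 2-3: every executable under root created on/after `since`, newest first."""
    hits = []
    for p in Path(root).rglob("*"):
        try:
            if p.is_file() and p.suffix.lower() in EXEC_SUFFIXES:
                t = created_at(p)
                if t >= since:
                    hits.append((t, p))
        except OSError:  # unreadable entry: skip it, don't abort the sweep
            continue
    hits.sort(key=lambda tp: tp[0], reverse=True)
    return [p for _, p in hits]


def all_executables(root):
    """Same sweep with no date filter (for the name check, which is date-independent)."""
    return recent_executables(root, datetime.min)


def recent_directories(root, since):
    """Step 5: sub-directories of root (e.g. Program Files) created on/after `since`."""
    return sorted(p for p in Path(root).iterdir() if p.is_dir() and created_at(p) >= since)


def lookalike_system_names(paths, system_dir, cutoff=0.8):
    """Step 4: executables whose name equals or nearly equals a core Windows
    binary but which live outside the real system directory.
    Returns (path, imitated name) pairs; 'svch0st.exe' scores ~0.91 against 'svchost.exe'."""
    system_dir = Path(system_dir).resolve()
    flagged = []
    for p in paths:
        if p.resolve().parent == system_dir:
            continue  # the genuine copy lives here; leave it alone
        match = difflib.get_close_matches(p.name.lower(), SYSTEM_NAMES, n=1, cutoff=cutoff)
        if match:
            flagged.append((p, match[0]))
    return flagged


def build_sample_tree():
    """Constructed sample disk (not real data): an old, clean install plus a
    fresh 'adware' directory.  Returns (root, infection_date)."""
    root = Path(tempfile.mkdtemp(prefix="triage-"))
    now = time.time()
    old = now - 30 * 86400
    layout = {
        "Windows/System32/svchost.exe": old,          # the genuine one
        "Program Files/GoodApp/good.exe": old,        # installed long ago
        "Program Files/Shrubware/svch0st.exe": now,   # lookalike name, brand new
        "Program Files/Shrubware/readme.txt": now,    # new, but not executable
    }
    for rel, ts in layout.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"MZ")  # stub header only; contents are irrelevant here
        os.utime(p, (ts, ts))
    # Directory timestamps are set last, because adding entries bumps them.
    os.utime(root / "Program Files/GoodApp", (old, old))
    os.utime(root / "Program Files/Shrubware", (now, now))
    os.utime(root / "Windows/System32", (old, old))
    return root, datetime.fromtimestamp(now - 2 * 86400)


if __name__ == "__main__":
    root, since = build_sample_tree()
    print("new executables:", [str(p) for p in recent_executables(root, since)])
    print("new Program Files dirs:", [p.name for p in recent_directories(root / "Program Files", since)])
    print("lookalikes:", [(p.name, n) for p, n in
                         lookalike_system_names(all_executables(root), root / "Windows/System32")])
```

On a real machine you would point `recent_executables` at `C:\`, `recent_directories` at `C:\Program Files`, and `lookalike_system_names` at `C:\Windows\System32`, and then do exactly what the post says with the output: look each hit up before touching it.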