Flying Penguin's DIY Spyware Removal

Discussions of applications and operating systems and any problems, tips or suggestions. Win XP, 9x/2k, Linux, NT, photo editing, Virus/Spyware help
FlyingPenguin
Flightless Bird
Posts: 33161
Joined: Wed Nov 22, 2000 11:13 am
Location: Central Florida

Flying Penguin's DIY Spyware Removal

Post by FlyingPenguin »

Since Evil asked about this recently, I decided to update my Spyware Removal Procedure web page since it hasn't been updated since Sept. 2006:

http://www.soldcentralfl.com/flyingpeng ... oval.shtml
---
“The Government of Spain will not applaud those who set the world on fire just because they show up with a bucket.” - Prime Minister of Spain, Pedro Sánchez
swinada
Golden Member
Posts: 642
Joined: Mon Jan 13, 2003 7:40 pm
Location: BC

Post by swinada »

FP, the link to Trojan Remover on Majorgeeks downloads an update file, not the actual application, so when one tries to install it, it's looking for the original software and can't find it, of course, because it's not there.

Would you know of any spyware/trojan remover software that could be run off a flash drive?
As in: plug the flash drive into a client's computer and run the removal tool without having to install anything on the client's computer?
All the best from the west!



Executioner
Life Member
Posts: 10351
Joined: Wed Nov 22, 2000 11:34 am
Location: Woodland, CA USA

Post by Executioner »

I think Trojan Hunter can. They do give you a free version, but the database can be 2-3 months old. It has a decent scanner.
Another one that detects trojans is SuperAntiSpyWare. It can be updated any time manually with the latest definitions.
FlyingPenguin
Flightless Bird
Posts: 33161
Joined: Wed Nov 22, 2000 11:13 am
Location: Central Florida

Post by FlyingPenguin »

Thanks Swinada, I fixed the link.

I'm not aware of any way to use either of them from a flash drive without installing.

Honestly, I don't think it's necessary. Most of the time I find they work just fine if you install them and run them from Safe Mode.

If the system is so compromised that you can't do that, you shouldn't bother trying to clean it - it's time for a clean OS install.

You can also try scanning the drive with your AV app and these tools from a clean PC by installing the infected drive as a spare. That will remove the infected files but NOT any altered registry entries, so you have to run them again from the previously infected OS to fix the registry.

The Ultimate Boot CD for Windows also has several AV and malware cleaners that you can run on the drive remotely, but again you have to run the cleaners in the previously infected OS when you're done to fix the registry.
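
The scanners won't touch the registry of a slaved drive, but you can at least look at its autorun entries from the clean PC before booting the infected OS again. The script below is an added example (not from the post above, and not part of any of the tools it names). It assumes the infected disk is slaved into a clean PC with its Windows volume showing up as D:, uses a placeholder mount name, and must be run from an elevated PowerShell prompt on the clean PC.

```powershell
# Added example (not from the original post). Assumes the infected disk is slaved
# into a clean PC and its Windows volume is D:; $OfflineRoot and $MountName are
# placeholders. Run from an elevated PowerShell prompt on the clean PC.
param(
    [string]$OfflineRoot = 'D:',
    [string]$MountName   = 'OfflineHive'   # temporary key created under HKLM
)

# Hives to inspect and the autorun keys inside each. HKLM\SOFTWARE lives in
# System32\config\SOFTWARE; each user's HKCU is that profile's NTUSER.DAT.
$hives = @(
    @{ Name = 'SOFTWARE'
       Path = Join-Path $OfflineRoot 'Windows\System32\config\SOFTWARE'
       Keys = @('Microsoft\Windows\CurrentVersion\Run',
                'Microsoft\Windows\CurrentVersion\RunOnce') }
)
foreach ($profileDir in @('Documents and Settings', 'Users')) {   # XP vs. Vista+ layout
    $base = Join-Path $OfflineRoot $profileDir
    if (-not (Test-Path $base)) { continue }
    foreach ($p in Get-ChildItem -Path $base -Directory -Force -ErrorAction SilentlyContinue) {
        $nt = Join-Path $p.FullName 'NTUSER.DAT'
        if (Test-Path $nt) {
            $hives += @{ Name = "NTUSER($($p.Name))"; Path = $nt
                         Keys = @('Software\Microsoft\Windows\CurrentVersion\Run',
                                  'Software\Microsoft\Windows\CurrentVersion\RunOnce') }
        }
    }
}

$results = foreach ($h in $hives) {
    $mount = "HKLM\$MountName"
    # reg.exe load only attaches a hive file that no running OS has open, which is
    # exactly why this must be done from the clean PC and not the infected one.
    & reg.exe load $mount $h.Path 2>&1 | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "Could not load $($h.Path)"; continue }
    try {
        foreach ($sub in $h.Keys) {
            $key = "HKLM:\$MountName\$sub"
            if (-not (Test-Path $key)) { continue }
            $props = Get-ItemProperty -Path $key
            foreach ($prop in $props.PSObject.Properties) {
                if ($prop.Name -like 'PS*') { continue }   # provider metadata, not registry values
                # Crude path extraction: the quoted path, or everything up to the first space.
                $cmd = [string]$prop.Value
                $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split ' ')[0] }
                # Translate C:\... to the slaved volume so we can check the file really exists.
                $offlineExe = $exe -replace '^[A-Za-z]:', $OfflineRoot
                [pscustomobject]@{
                    Hive       = $h.Name
                    Key        = $sub
                    Name       = $prop.Name
                    Command    = $cmd
                    FileExists = if ($exe) { Test-Path -LiteralPath $offlineExe -PathType Leaf } else { $false }
                }
            }
        }
    } finally {
        # Release PowerShell's handle on the key, otherwise unload fails with "access denied".
        [GC]::Collect(); [GC]::WaitForPendingFinalizers()
        & reg.exe unload $mount 2>&1 | Out-Null
    }
}
$results | Format-Table -AutoSize
```

Entries whose file no longer exists on the slaved drive are usually what a scanner deleted on the file side without fixing the registry side; entries that do exist but live in a temp or profile folder are the ones to look at next. Values using %SystemRoot%-style variables will show FileExists as False here because the example does not expand them.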
swinada
Golden Member
Posts: 642
Joined: Mon Jan 13, 2003 7:40 pm
Location: BC

Post by swinada »

FlyingPenguin wrote:
I'm not aware of any way to use either of them from a flash drive without installing.

Honestly, I don't think it's necessary. Most of the time I find they work just fine if you install them and run them from Safe Mode.
It is more for convenience for myself. I see many computers a day for any kind of reason, and I have a few tools on a flash drive that I use to quickly scan and clean a client's computer without having to install anything on their machine. So I'm looking to add a spyware/adware scanner to those tools.

So far I have on it: Windows Clean Up http://www.stevengould.org/index.php?Itemid=69&id=15&option=com_content&task=view
Cleans out all your tempfolders, cached files, cookies etc.

RegCleaner http://www.majorgeeks.com/download460.html

Spacemonger to find big files that take up too much room. http://www.sixty-five.cc/sm/

JkDefrag for a quick and good defrag. http://www.kessels.com/Jkdefrag/

Hijackthis - everybody knows this one :)

Sysinternals Process Explorer. You see all running processes and can stop them, suspend them, kill them, start them, etc. Very handy little tool.
http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx


So that is why I'm looking for a scanner on flash.
Hope I didn't hijack your thread too much; otherwise just move it to somewhere more appropriate.
thanks, :)
All the best from the west!



FlyingPenguin
Flightless Bird
Posts: 33161
Joined: Wed Nov 22, 2000 11:13 am
Location: Central Florida

Post by FlyingPenguin »

Not at all. Discussion is good.

I love it when someone makes a portable version of something. For instance I use the portable version of CCleaner so I can run it from my flash drive. I also don't install HijackThis, I use the standalone EXE - but I DO copy the folder with the executable off my flash drive to the root of the infected drive so that any registry backups HijackThis makes are stored on the infected drive. I also always allow CCleaner to save the registry backup to the root of the C drive.

I carry all my tools on a flash drive and I have this down to a routine that takes about 1 hour for a normal spyware/virus cleaning assuming it's not something serious and it's a reasonably fast PC. SuperAntiSpyware takes the longest, even on quick scan. Can't see that being able to run them all from the Flash drive would save all that much time. The install is quick for all the tools I use and you still have to run the update no matter what. I also always uninstall Trojan Remover because it leaves a background app running. The others can stay. I usually show the client how to do a scan in SAS and recommend they do it once a month. When a PC won't boot due to a corrupt registry it's almost always just the SYSTEM registry.

What WOULD be nice is if there was some reliable way to boot a BartPE type OS environment (or better yet a small light-weight Linux OS) from a USB stick or external HDD. That way you could do all the primary scans outside the infected OS without lugging around another PC. It can be done, but it's very unreliable because booting from a USB drive has not been standardized across all BIOSes.

I've played around with bootable USB drives a lot and reliability and performance wildly varies. Some systems won't boot a USB drive unless it's formatted a certain way, but then other systems can't boot that format and want it another way. Additionally most PCs boot SLOWER from a USB drive than they do from a CD - even if you use a fast USB hard drive.

We ARE starting to see some new mobos that have a built-in small Linux OS on ROM though, which would be neat if it was standardized. The idea is if you need to boot your laptop to just watch a DVD or browse, why boot all the way into Windows? You boot instantly into the ROM Linux and then do your thing. It would be nice to have a CD of tools that would run in that.

As for the tools I carry, there's a lot of them in my nearly full 1Gb stick but here's the common ones (in addition to the ones mentioned in my blog):

CCLEANER: This is by far the most reliable and least tedious way to remove temp files and other unnecessary files. However it is a bit slow, so if you KNOW you have a huge TEMP folder (over 500Mb) it's better to nuke it manually first and then run CCleaner to get everything else. I also use CCleaner's often neglected built-in registry cleaner. That's the only reg cleaner I use.

SPACEMONGER: Yeah I use this too. Way handy to find wasted space on your HDD

SYSINTERNALS PROCESS EXPLORER: Yeah I use this too. One feature a lot of people don't realize is that you can set up the columns in Process Explorer to show "Virtual Size", "Private Bytes" and "WS Private Bytes". This is that "hidden" RAM that doesn't show up as being used in Task Manager. Anything hogging a lot of this type of memory should be viewed suspiciously. Often it's legit, but a malicious process may also hide the RAM it's using.

SYSINTERNALS TCPVIEW: Shows you what apps might have left a port open and phoning home.

HOSTSXPERT: Easy way to check the HOSTS file and make it read only

UNHOOKEXEC: Symantec tool that resets the shell\open\command keys in the registry which are often altered by a virus

REGSEEKER: Much more powerful registry search and editing than REGEDIT

ERUNT: Excellent registry backup utility. I back up a PC's registry with this before and after working on it. The nice thing about it is that even if the PC is unbootable, you can easily restore a backed-up registry. Each backup is in a separate folder and has an executable. Run that executable from the Windows Recovery Console or BartPE or UBCD4W and it instantly restores that registry backup. NOTE: You need to run ERUNT with Administrator permission in Vista or it fails to access the registry, since it's not signed and Vista blocks attempts to even read the registry from an unsigned app without admin privileges.

Can't tell you how often I've saved the day with ERUNT by walking into an office with a mission-critical PC that won't boot due to a corrupt registry, and it also won't boot to Safe Mode or "Last Known Good..". So instead of tediously doing a manual registry restore from system restore from the recovery console, I just restore the most recent ERUNT backup I made the last time I was there. You can selectively only restore the SYSTEM registry leaving the USER registry alone.
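
For the manual checks behind UnhookExec, HostsXpert, the Process Explorer memory columns and the ERUNT-style hive backup, here is an added example in PowerShell (not from the post above and not the code of any of those tools). It assumes an elevated PowerShell on the machine being cleaned (Vista/7 or later; XP has no PowerShell out of the box). The expected shell\open\command values are an assumption based on stock Windows defaults and should be compared against a known-good PC of the same version; the backup folder name is a placeholder.

```powershell
# Added example (not from the original post, ERUNT, UnhookExec or HostsXpert).
# Run in an elevated PowerShell on the machine being cleaned. Expected
# shell\open\command values are ASSUMED stock defaults; verify on a known-good PC.

function Test-ShellOpenCommand {
    # UnhookExec's job: these are the keys a virus alters so it is launched
    # every time any program of that type is started.
    $expected = @{
        exefile = '"%1" %*'
        comfile = '"%1" %*'
        batfile = '"%1" %*'
        cmdfile = '"%1" %*'
        scrfile = '"%1" /S'
    }
    foreach ($type in $expected.Keys) {
        # HKCU\Software\Classes overrides HKLM. A stock system has no entries there
        # for these types, so any that exist deserve a close look.
        foreach ($root in 'HKLM:\SOFTWARE\Classes', 'HKCU:\Software\Classes') {
            $key = "$root\$type\shell\open\command"
            if (-not (Test-Path $key)) { continue }
            $actual = (Get-ItemProperty -Path $key).'(default)'
            [pscustomobject]@{
                Key      = $key
                Actual   = $actual
                Expected = $expected[$type]
                Status   = if ($root -like 'HKCU*') { 'per-user override present' }
                           elseif ($actual -eq $expected[$type]) { 'OK' } else { 'ALTERED' }
            }
        }
    }
}

function Test-HostsFile {
    # HostsXpert's two checks: is the file read-only, and what does it redirect?
    $path = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    $item = Get-Item -LiteralPath $path -Force
    $entries = Get-Content -LiteralPath $path |
        Where-Object { $_ -match '^\s*[0-9A-Fa-f:.]+\s+\S' } |                      # skips comments/blanks
        Where-Object { $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\s*$' }     # skips the normal entry
    [pscustomobject]@{
        Path     = $path
        ReadOnly = $item.IsReadOnly
        # Anything left is a redirect; malware commonly points AV and update
        # sites at 127.0.0.1 or at a rogue server.
        Entries  = @($entries)
    }
}

function Get-TopPrivateBytes {
    param([int]$Top = 10)
    # PrivateMemorySize64 is Process Explorer's "Private Bytes"; WorkingSet64 is
    # roughly what Task Manager shows. Large gaps between them are the "hidden" RAM.
    Get-Process | Sort-Object PrivateMemorySize64 -Descending |
        Select-Object -Property Name, Id,
            @{ n = 'PrivateMB';    e = { [math]::Round($_.PrivateMemorySize64 / 1MB, 1) } },
            @{ n = 'VirtualMB';    e = { [math]::Round($_.VirtualMemorySize64 / 1MB, 1) } },
            @{ n = 'WorkingSetMB'; e = { [math]::Round($_.WorkingSet64 / 1MB, 1) } },
            Path -First $Top
}

function Backup-RegistryHives {
    # ERUNT-style snapshot with the built-in reg.exe: whole hives, saved to the root
    # of the drive so they are reachable from a recovery environment if the PC stops booting.
    param([string]$Dest = (Join-Path 'C:\' ('RegBackup_' + (Get-Date -Format 'yyyyMMdd_HHmmss'))))
    New-Item -ItemType Directory -Path $Dest -Force | Out-Null
    foreach ($hive in 'HKLM\SYSTEM', 'HKLM\SOFTWARE', 'HKCU') {
        $file = Join-Path $Dest ($hive -replace '\\', '_')
        & reg.exe save $hive $file /y 2>&1 | Out-Null
        [pscustomobject]@{ Hive = $hive; File = $file; Saved = ($LASTEXITCODE -eq 0) }
    }
}

Backup-RegistryHives  | Format-Table -AutoSize   # snapshot first, then poke at things
Test-ShellOpenCommand | Format-Table -AutoSize
Test-HostsFile        | Format-List
Get-TopPrivateBytes   | Format-Table -AutoSize
```

Take the backup before changing anything, as the post does with ERUNT. A file written by reg.exe save is an ordinary hive file, so on a PC that no longer boots it can be copied over System32\config\SYSTEM (or SOFTWARE) from a recovery environment; that copy step is what ERUNT's per-backup executable automates, and it is the only way to put the SYSTEM hive back, since reg.exe restore cannot replace a hive the running OS has open.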
swinada
Golden Member
Posts: 642
Joined: Mon Jan 13, 2003 7:40 pm
Location: BC

Post by swinada »

thanks for sharing FP. I'm sure I'll find some good use with those too.
All the best from the west!



FlyingPenguin
Flightless Bird
Posts: 33161
Joined: Wed Nov 22, 2000 11:13 am
Location: Central Florida

Post by FlyingPenguin »

Updated on 11/29/08: http://penguinblog.com/spyware-removal.shtml

Replaced SuperAntiSpyware (which is still an excellent spyware scanner) with Malwarebytes Anti-Malware because the latter fully supports 64-bit operating systems.
EvilHorace
Life Member
Posts: 6611
Joined: Wed Nov 22, 2000 7:14 am
Location: Greenfield, WI

Post by EvilHorace »

Is the free version of SuperAntiSpyware adequate? That's all I'm using now on various PCs.


Btw, your link above isn't working. I added a "www" and it then goes here: http://soldcentralfl.com/flyingpenguin/ ... oval.shtml
DaMaN
Posts: 4726
Joined: Wed Nov 22, 2000 5:49 pm
Location: New Jersey

Post by DaMaN »

Great write up!
FlyingPenguin
Flightless Bird
Posts: 33161
Joined: Wed Nov 22, 2000 11:13 am
Location: Central Florida

Post by FlyingPenguin »

EVIL: I use SuperAntiSpyware as a secondary cleanup tool nowadays. Malwarebytes is a better free scanner/cleaner, although SAS gets a few things that MBAM misses.
FlyingPenguin
Flightless Bird
Posts: 33161
Joined: Wed Nov 22, 2000 11:13 am
Location: Central Florida

Post by FlyingPenguin »

Just upgraded my DIY Spyware Removal page again with some slightly different procedures:

http://www.soldcentralfl.com/flyingpeng ... oval.shtml
normalicy
Posts: 9514
Joined: Sat Nov 25, 2000 4:04 am
Location: St. Louis, MO USA

Post by normalicy »

Combofix huh? Odd, haven't heard of them yet. I'll try it on the next rash of spyware infected PCs I get (they come in phases).
FlyingPenguin
Flightless Bird
Posts: 33161
Joined: Wed Nov 22, 2000 11:13 am
Location: Central Florida

Post by FlyingPenguin »

ComboFix is almost overkill but yeah, I added it because most people who go to that page have something pretty nasty that the normal scanners won't touch. I've been using it for a year now. For a while it was the only thing that would touch some of the worst rogueware out there.

It takes a LONG time to run, and it tells you next to nothing while it's doing it, except for a cryptic report that tells you nothing, but it has removed some serious rootkits that nothing else even sees.

I actually rarely use ComboFix except as a last resort because it takes so long. Not something I generally want to do on location either since it could take anywhere from 30 minutes to 3 hours.

I may actually update the page again later and list ComboFix last and recommend only using it if necessary.
normalicy
Posts: 9514
Joined: Sat Nov 25, 2000 4:04 am
Location: St. Louis, MO USA

Post by normalicy »

Yeah, it does appear to be a rude, crude sort of fixer, but sometimes those are the best because the virus/malware writers don't prepare for them. I'll try to remember it for the next nasty one I run into.