Manually removing spyware
Sometimes it comes in handy to be able to remove spyware manually. Too often, techs and hobbyists hit a brick wall with these rogues, so they format the hard drive and reload Windows, often discarding data, installed apps and assorted other settings along the way. Manually removing the infected files offers a more surgical approach.
The best way to remove spyware and viruses, of course, is the SOB (standard operating bullscheiss): run apps like Ad-Aware, Spybot, CCleaner, SpySweeper, Ewido, or whatever you prefer. Update your AV app and run it. Run online scans. Do the SOB first. But it often fails to remove newer, persistent forms of spyware.
While the SOB runs there's no sense in watching the paint dry, so start hunting. Search the system for any recently added DLLs or EXEs, and for any null files (xxx.~) or .tmp files. The timestamp is what matters. One of the first things to find out is how long the user has been having problems; that date narrows your search for recently added files. Search-by-date usually goes by the modified time, and a dropper can backdate it, so treat an old timestamp as a reason to look closer rather than as proof that a file is clean.
Do your homework here. Google every DLL or EXE your search-by-date turns up; there's no sense deleting legitimate app files. You'll sometimes find DLLs and EXEs in odd places: temp folders, even the Windows Fonts folder. Use common sense, and if you're not sure, back the file up to a USB drive before it goes on the list. Null files and .tmp files are safe to add to the list. CCleaner will usually clear the temp folders, but not always. Don't take anything for granted.
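Here is the search-by-date step written as a small shell function you can run from a Linux live CD against the mounted Windows partition. This is an added example, not code from the original post; the root directory and the number of days are the only inputs, the file-name patterns and the two categories (DLL/EXE to look up, temp and null files to list outright) follow the text above, and the sample tree in the usage is constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: the search-by-date step done
# with find. Walks ROOT (a mounted Windows partition) for DLL, EXE, TMP and
# "null" (.~) files modified in the last DAYS days and prints
# "kind<TAB>relative path", one per line, sorted so two runs can be diffed.
# Usage: hunt_recent_files /mnt/hda1 7 > candidates.txt

hunt_recent_files() {
    root=${1%/}       # strip a trailing slash so relative paths come out clean
    days=${2:-7}      # how long the user says the trouble has been going on
    # -mtime -N matches files whose modified time is less than N*24h ago.
    # A dropper can backdate that time, so a miss here proves nothing.
    find "$root" -type f \
        \( -iname '*.dll' -o -iname '*.exe' -o -iname '*.tmp' -o -iname '*.~' \) \
        -mtime "-$days" -print |
    while IFS= read -r path; do
        rel=${path#"$root"/}
        case $path in
            *.[dD][lL][lL]|*.[eE][xX][eE]) kind=homework ;;  # look it up before it goes on the list
            *)                             kind=temp ;;      # .tmp and .~ go straight on
        esac
        printf '%s\t%s\n' "$kind" "$rel"
    done | sort
}
```

Run it once with a generous window (the user's "four days" becomes 7), save the output, and do your Googling from the "homework" lines; the "temp" lines can go straight onto the removal list.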
Recently I ran across the dreaded "Spy Falcon". The user said he had been having problems for four days or so. While running the SOB, a search for week-old DLLs yielded ginuerep.dll, the only one to turn up in my search-by-date. Googling "ginuerep.dll" gave me the info I needed: confirmation that ginuerep.dll was spyware, plus Spy Falcon removal instructions. By the time I found out Spybot wasn't going to remove it, I was ready to do it manually. No sense in wasting time.
Online AV scans such as Panda's and Trend Micro's will often reveal infected files other apps won't find, such as Java downloaders (rogue .jar files), but they won't remove them. RootkitRevealer, the same (beware false positives with this one). These infected files sometimes won't be visible from Windows, but they ARE there. You can verify that if need be by booting a live CD (Insert is good for this) or running old DOS utilities (co.com or dr.com).
Up to this point we've been compiling a list of files from a number of sources; we haven't removed anything yet. It's really important to keep accurate notes: the full path, the timestamp, what flagged the file and why it's on the list. Manual removal is a two-step job: find the files in one step, remove them in another.
Once we have our list, see what can be deleted from Windows Explorer, or whatever file manager you use, before rebooting. Again, don't assume that if you can't see it, it isn't there. Delete from a command prompt if you can (better know some DOS stuff!).
Removing our little friends is a process of booting and rebooting until they're gone. You need a live Linux CD: first, so we can see what's actually on the Windows partition, and second, so we have another way to remove the rogues (they can get tricky). A rootkit that hooks the Windows API can hide a file from Explorer, but it can't hide from Midnight Commander reading the disk from a live CD.
There's really no set order for booting between Safe Mode and the live CD; you're flying by the seat of your pants at this point. Safe Mode is best done as "Safe Mode with Command Prompt", one of the options you get after hitting F8. I prefer using the "del" command; it works better than a file manager like Explorer. In my experience, the "del" command will still delete files that aren't visible through the API.
Booting the Linux CD, mount the Windows partition (usually /dev/hda1, but not always); mounting it read-only is enough for a first look at what's there. If it's a FAT file system you're dealing with, fine. If you've mounted an NTFS partition, you'll need to run a Linux app called "captive" before you can write to it (or delete, in this case). Insert has good instructions for this. I believe it's on all the Knoppix distros; don't know about the others. A caveat here: captive doesn't work every time. It gets buggy on some volumes, don't know why.
So you'll have two basic options for deleting files: the Linux CD and Safe Mode. Stick to your list. If you're worried that something on the list is a system file of some kind, use the Linux CD and a USB drive to make a copy before you delete it. Midnight Commander (mc) is a handy file manager for this. Make sure you've got good notes in case you need to put anything back.
And keep using those online scans until you get an all clear (yes, you'll need the loathsome Internet Explorer for those, ActiveX and all, so don't have the screws down too tight on IE; loosen its settings only for the scan sites and tighten them again afterwards). Boot. Reboot. Repeat as necessary.
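The live-CD half of the two-step job (list first, remove second, with a backup and notes so anything can go back) can be scripted so you never delete something you haven't copied. The function below is an added example and not the original post's procedure; it assumes the Windows partition is already mounted read-write (after captive, on NTFS) at a mount point you pass in, that the USB drive is mounted too, and that the list holds one path per line relative to the root of the Windows partition. Mount points, file names and list contents in the usage are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: the removal step done from the
# Linux live CD against a list you compiled earlier. Assumptions: the Windows
# partition is mounted read-write at WINMNT (e.g. /mnt/hda1), the USB drive
# at USBMNT (e.g. /mnt/sda1), and LIST holds one path per line relative to
# the root of the Windows partition, e.g. "WINDOWS/system32/evil.dll".
# Every file is copied to USBMNT/backup (same relative path) and verified
# before it is deleted, and each action is appended to NOTES.
# Usage: remove_listed_files candidates.txt /mnt/hda1 /mnt/sda1 /mnt/sda1/notes.txt

remove_listed_files() {
    list=$1 winmnt=${2%/} usbmnt=${3%/} notes=$4
    removed=0
    while IFS= read -r rel || [ -n "$rel" ]; do
        case $rel in ''|'#'*) continue ;; esac        # blank lines and comments
        stamp=$(date +%Y-%m-%dT%H:%M:%S)
        case $rel in
            /*|../*|*/../*|*/..)                      # refuse to wander off the partition
                printf '%s\tSKIPPED (not a relative path)\t%s\n' "$stamp" "$rel" >> "$notes"
                continue ;;
        esac
        src="$winmnt/$rel"
        if [ ! -e "$src" ]; then
            # Not on the disk at all: already gone, or the path in the notes is wrong.
            printf '%s\tNOT FOUND\t%s\n' "$stamp" "$rel" >> "$notes"
            continue
        fi
        dst="$usbmnt/backup/$rel"
        mkdir -p "$(dirname "$dst")"
        # Back up first and compare; never delete something that did not copy cleanly.
        if cp -p "$src" "$dst" && cmp -s "$src" "$dst"; then
            rm -f "$src"
            printf '%s\tREMOVED\t%s\tbackup=%s\n' "$stamp" "$rel" "$dst" >> "$notes"
            removed=$((removed + 1))
        else
            printf '%s\tBACKUP FAILED, LEFT IN PLACE\t%s\n' "$stamp" "$rel" >> "$notes"
        fi
    done < "$list"
    echo "$removed"       # how many files actually came off the disk
}
```

A NOT FOUND line for something you saw from Windows is worth a second look at your notes before the next reboot: either the path was copied down wrong, or Windows already let you delete it. Putting a file back is just the reverse copy from the backup path recorded on its REMOVED line.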
Happy Hunting!