Spyware Removal and Maintenance


Like it says – Brad Shepard

I work for a small computer company, doing mostly repair, cleaning spyware and removing viruses. When I clean a PC, here is the list of things I do:

1. Scan the PC for viruses from a DOS boot disk using F-Prot Antivirus for DOS (we use F-Prot because Norton would cause an error when used with NTFSDOS). F-Prot not only scans for viruses but also removes some of the major spyware programs: it labels them as security risks or suspicious files and deletes them.

2. Use msconfig and clean out the startup programs: anything that isn't a default system process or the antivirus, I stop from being loaded. For Windows 95, use msconfig from 98; for 2000, use msconfig from XP or edit the registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Run. Always make a backup before editing the registry.

3. Go into the Control Panel, open Add/Remove Programs and remove programs that are known spyware, such as Kazaa, n-CASE, and any toolbars or web search programs.

4. Install, update, and run SpyBot Search & Destroy, one of the few things that will completely remove Bonzi Buddy. With version 1.3 of SpyBot, switch to advanced mode and, under Tools, enable the Hosts file, BHOs and ActiveX tools. The hosts file can be cleaned and locked read-only; additionally, SpyBot's list can be added to the hosts file. This sends several known bad sites to the loopback address 127.0.0.1, which stops the user from even reaching the site.

In the BHO and ActiveX tools, remove anything that has a yellow check beside it, meaning it is known spyware or malware. Use the Immunize function of SpyBot to block more known spyware from being installed by ActiveX drive-bys. After all the above, scan for spyware and remove everything that is found. A word of caution: if Kazaa is not removed from Add/Remove Programs first, SpyBot will remove the spyware from it, but the program will no longer work and the uninstaller will not work either.

5. Install, update, and run SpywareBlaster. SpywareBlaster does the same thing as the Immunize function of SpyBot but blocks more.

6. Install, update, and run Ad-Aware. Optimize it by setting the options to unload and unregister processes prior to deletion. After it completes the scan, remove everything it has found.

7. If either Ad-Aware or SpyBot finds VX2 Better Internet, use a program called VX2 Finder. It searches the registry and system folders for this specific piece of malware and can sometimes delete the registry entries and the files associated with it.

After all the above, the systems are generally clean, but not always. Sometimes a file or directory cannot be deleted (the BDE directory in the Windows directory, installed by Kazaa, comes to mind); boot from a boot disk and manually remove them.
On my boot disk I also have Regview, which allows the registry to be viewed and edited from DOS. If I have a registry key I cannot delete in Windows, I write it down, boot to DOS and remove it there.

8. After the system is clean, install all the Windows updates; this will help prevent things like the Blaster and Sasser worms from taking down so many PCs. After all this is done, open msconfig again, go back through the startup programs and enable only what is necessary.

9. Install antivirus. We use Norton exclusively because we feel it is the most user-friendly when it comes to updating and scanning. Norton 2004 will also scan for spyware but will usually not delete all the files; just click on the file, get the location, and delete it manually if needed.

10. Configure IE. Open a browser, go to Tools at the top of the page, then Internet Options. In the General tab, click Delete Cookies. When that is done, click Delete Files; when the box pops up, select "Delete all offline content" and click OK. Wait for it to complete. Click the Settings button, set the disk space to use to 10 or 20 MB, select the "Every visit to the page" radio button and click OK.

Click on the Privacy tab, then the Advanced button. Check "Override automatic cookie handling" so the rest of the options are no longer grayed out. Accept first-party cookies, always allow session cookies, and block third-party cookies. Click OK.

This allows the user to use cookie-enabled sites, but helps to prevent cookies that the user wouldn't normally know about, which may or may not be tracking what the user is doing.

SpyBot, Ad-Aware and SpywareBlaster should be updated and run at least once a month.
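Two of the steps above are mechanical enough to script: the startup audit in step 2 (anything in the Run key that is not a known system process or the antivirus gets disabled) and the hosts-file blocklist in step 4 (send known bad sites to 127.0.0.1 and lock the file read-only). The following Python script is an added example and is not from the original article or from any of the tools it names. The allow-list of startup executables, the sample Run entries and the sample hosts file are constructed for the demo and are assumptions; edit the allow-list for the machine you are cleaning. The registry read uses the standard `winreg` module and is skipped on non-Windows hosts so the rest of the script still runs there.

```python
"""Added example: audit the Run key and merge a blocklist into the hosts file.

Not from the original article. Allow-list, sample data and file paths below
are assumptions for the demonstration.
"""
import os
import re
import stat
import sys
import tempfile

# Step 2 rule: anything not a default system process or the antivirus gets
# disabled. This allow-list is an assumption; ctfmon.exe is an XP input
# component and ccapp.exe is assumed here to be the Norton tray process.
ALLOWED_RUN_ENTRIES = {"ctfmon.exe", "ccapp.exe"}

# Constructed sample of a Run key on an infected box (not real registry data).
SAMPLE_RUN_ENTRIES = {
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    "ccApp": r'"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"',
    "KAZAA": r"C:\PROGRA~1\KAZAA\KAZAA.EXE /SYSTRAY",
    "Updater": r'"C:\Program Files\Bundled Toolbar\updater.exe" /background',
}

# Constructed sample hosts file and blocklist (hostnames are placeholders).
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       ads.example.net    # already blocked earlier
"""
BLOCKLIST = ["ads.example.net", "Tracker.example.org", "popups.example.com"]

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"


def executable_name(command):
    """Return the lower-cased executable file name from a Run value.

    Handles both quoted paths with arguments and bare short-name paths.
    """
    command = command.strip()
    if command.startswith('"'):
        path = command[1:].split('"', 1)[0]
    else:
        path = command.split(None, 1)[0]
    return re.split(r"[\\/]", path)[-1].lower()


def audit_run_entries(entries, allowed=ALLOWED_RUN_ENTRIES):
    """Split Run entries into (keep, disable) lists of (name, command) pairs."""
    keep, disable = [], []
    for name, command in entries.items():
        target = keep if executable_name(command) in allowed else disable
        target.append((name, command))
    return keep, disable


def read_run_key():
    """Read HKLM\\...\\Run on Windows; return {} elsewhere so the demo still runs."""
    if sys.platform != "win32":
        return {}
    import winreg  # only available on Windows
    entries = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, index)
            except OSError:  # no more values
                break
            entries[name] = value
            index += 1
    return entries


def merge_hosts(existing_text, blocked_hosts, sink="127.0.0.1"):
    """Append a sink entry for each blocked host not already in the file.

    Existing lines (including comments) are preserved. Returns the new file
    text and the list of hosts that were actually added.
    """
    present = set()
    for line in existing_text.splitlines():
        fields = line.split("#", 1)[0].split()  # strip comments, then tokens
        if len(fields) >= 2:
            present.update(h.lower() for h in fields[1:])
    lines = existing_text.splitlines() if existing_text.strip() else []
    added = []
    for host in blocked_hosts:
        host = host.strip().lower()
        if host and host not in present:
            lines.append(f"{sink}\t{host}")
            present.add(host)
            added.append(host)
    return "\n".join(lines) + "\n", added


def write_locked(path, text):
    """Write the file, then clear the write bit (the read-only 'lock' in step 4)."""
    if os.path.exists(path):
        os.chmod(path, stat.S_IREAD | stat.S_IWRITE)  # unlock for rewrite
    with open(path, "w") as handle:
        handle.write(text)
    os.chmod(path, stat.S_IREAD)


if __name__ == "__main__":
    entries = read_run_key() or SAMPLE_RUN_ENTRIES
    keep, disable = audit_run_entries(entries)
    print("keep:", [n for n, _ in keep])
    print("disable (review, then remove from msconfig):", [n for n, _ in disable])
    new_text, added = merge_hosts(SAMPLE_HOSTS, BLOCKLIST)
    demo_path = os.path.join(tempfile.gettempdir(), "hosts.demo")
    write_locked(demo_path, new_text)  # real path: %SystemRoot%\System32\drivers\etc\hosts
    print("added to hosts:", added, "written read-only to", demo_path)
```

The audit only reports; disabling is still done by hand in msconfig after reviewing the list, since the allow-list is the weak point and will differ from machine to machine. The hosts merge is idempotent, so it can be re-run monthly with an updated blocklist without duplicating lines.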

My personal view on pop-up blockers and toolbars:

Pop-up Blockers: I dislike these because they only mask the true problem. If a user has enough pop-ups that they need a blocker, they either need to have their PC cleaned by one or all of the mentioned programs, or they are going to sites that they probably shouldn't be at anyway.

Toolbars: Generally these are not good things. Most of the time they are installed without the user even knowing it, and those are the ones that are spyware. The only toolbar I will tolerate is the Google toolbar; any other toolbar on the system I completely remove.

The easiest way to prevent spyware is to educate users. Just as most people are educated about viruses and the way they spread, the same approach needs to be taken with spyware; once people understand that they should not click Yes or OK on every window that pops up without reading it, spyware will not be as big a problem.

All the programs I use except NTFSDOS are free for personal use. The personal (i.e. free) version of Ad-Aware cannot legally be installed on any business PC, according to the license agreement. NTFSDOS can be purchased from Winternals; they have a trial version, but it is read-only.

Programs mentioned above can be downloaded from the following web sites:

F-Prot Antivirus for DOS

SpyBot Search & Destroy (home page does not always work)

SpywareBlaster

Ad-Aware

Regview (site is in Russian, download links are in English; I am using the older version)

VX2 Finder

More information about NTFSDOS is available in the Winternals Administrator's Pak.

Shep
