Despite top-of-the-line antivirus and antispyware protections in place, spyware creators are still able to create items that get through the filters and cause infections. (But that’s not what this article is about.) The most common methods of infection are still infected attachments to emails and “drive-by” hits from websites while browsing the Internet. (But that’s not what this article is about either.) Having watched the evolution of some of these infections over the past couple of years, I’ve found a couple of tricks that work on many of these infections. That’s what this article is about: revealing a plan of attack that can eliminate most of these spyware infections.
First, the tools you will need:
- Combofix – This free application combines several different cleaners and is updated frequently. Make sure you grab the latest copy. It can be downloaded from bleepingcomputer.com.
I usually do an Internet search on “download combofix” and it pulls up as the 1st or 2nd hit.
- Malwarebytes Antimalware – also known as MBAM. Another free download available from many sources, including www.download.com.
- The operating system’s system recovery CD. This may be the Installation CD for some OS’s (like Windows XP). It doesn’t have to be specific to this computer, as long as it is from the same OS.
That’s all you need. Go ahead and collect them. I’ll be here when you get back.
I didn’t mention that you also need an infected computer to clean, but I took a guess that you knew that already. Depending on the severity of the infection, you have several steps. I’m going to start with the simplest solution, and then get more difficult. Before you get started, keep in mind that spyware evolves all the time and what works now may not work in 6 months, but the basic strategy outlined below should be effective for the foreseeable future. Finally, although I offer these steps as a possible method for cleaning the spyware, keep in mind that it is still your computer. I take no responsibility for any damage caused by the spyware infection or your attempts to clean it up.
Scenario 1 – Computer still works, even though infected.
If you can get to a desktop and run programs, you can often clean the computer before it gets more severely infected.
- Copy Combofix to the computer and run it. Combofix will check for Windows System Recovery and install it if it is missing. You want to allow it to do that, and it will need Internet access to do so. When it is done, it may also want to reboot to finish cleaning up. You want to do that too.
- Install MBAM and update it (the pattern files update every couple of days, so this is critical). Then run a full scan. It takes longer, but it doesn’t skip other user profiles, where some infected files might be residing.
- Continue to run MBAM until it comes back with zero infected files. If you repeat the scans and see the same files over and over, you should have enough control of your computer at this point to research those infections and take specific action against those files.
- Finally, you can repair any specific damage caused by the infections.
Scenario 2 – Normal boot doesn’t work, the Internet is blocked, or you can’t run programs
Quite often these days, the infection will block your access to your desktop, or prevent programs from running, or reconfigure your Internet settings so that you can’t successfully run the spyware removal tools. Booting to safe mode quite often prevents the spyware from blocking you.
- Reboot the computer
- Press the F8 key about twice a second until you get the Safe Mode menu. Then select “Safe Mode with Networking”.
- Once the computer boots up, you will have access to your Start Menu and can proceed with the steps from Scenario 1.
Scenario 3 – Safe Mode isn’t working
The trickiest solution is when the infection has blocked your access to the desktop in safe mode. In this case we have to reset a couple of registry settings to re-enable access to the desktop for safe mode to work. WARNING! This routine involves modifying the registry.
- Insert the System Recovery CD in the computer’s CD drive.
- Boot the computer from the System Recovery disk.
- Use the menu to open a command prompt.
- Run the registry editor from the command prompt by typing regedit.exe.
- Highlight HKEY_LOCAL_MACHINE, click on the File menu, then Load Hive.
- Browse to the Windows\System32\Config folder on your system drive (It probably will not be labelled the C drive in Safe Mode) and open the Software file.
- Back in the registry, browse to Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Shell under the loaded hive.
- Remove everything listed there, then add back in Explorer.exe (Anything else you see here was added by the infection)
- Close the file and power off the computer, then proceed with the steps in Scenario 2.
Because Windows always checks that registry key when it boots, it will now use the built-in Explorer you are used to using, allowing you to proceed with the rest of your cleanup without too much difficulty.
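The same Scenario 3 edit can be made from the recovery command prompt with reg.exe instead of the regedit menus, with a backup of the hive taken first. This is an added example, not part of the original article; the script name fixshell.cmd, the OfflineSoftware mount name and the backup file name are assumptions, and you supply the drive letter that holds the Windows folder.

```batch
@echo off
rem Added example, not from the original article.
rem Run from the recovery command prompt:  fixshell.cmd D:
rem where D: is the drive that holds \Windows (often not C: here).
setlocal
set "SYSDRIVE=%~1"
if "%SYSDRIVE%"=="" (
    echo Usage: %~nx0 ^<drive-letter:^>
    exit /b 1
)
set "HIVE=%SYSDRIVE%\Windows\System32\Config\SOFTWARE"
rem OfflineSoftware is an arbitrary name chosen for the loaded hive.
set "MOUNT=HKLM\OfflineSoftware"
rem The loaded file is the Software tree itself, so the path under the
rem mount point starts at Microsoft.
set "KEY=%MOUNT%\Microsoft\Windows NT\CurrentVersion\Winlogon"

if not exist "%HIVE%" (
    echo No SOFTWARE hive at %HIVE% - wrong drive letter?
    exit /b 1
)

rem Keep a copy of the untouched hive so the edit can be rolled back.
copy /y "%HIVE%" "%HIVE%.before-shell-fix" >nul || exit /b 1

rem Equivalent of File, Load Hive in regedit.
reg load "%MOUNT%" "%HIVE%" || exit /b 1

rem Show what the infection left in Shell; note it down for later research.
echo Current Shell value:
reg query "%KEY%" /v Shell

rem Reset Shell to Explorer.exe only, as in the manual steps.
reg add "%KEY%" /v Shell /t REG_SZ /d explorer.exe /f

echo New Shell value:
reg query "%KEY%" /v Shell

rem Unload the hive so the change is written back to the file.
reg unload "%MOUNT%"
endlocal
```

The value printed before the reset names whatever the infection registered as the shell, which helps when researching leftover files during the Scenario 1 scans.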
If none of these techniques work, you can always check back with us to see if new techniques have been developed.