Archive for September, 2004

Never let it be said that your anal-retentive attention to detail never yielded positive results.

I wound up posting this on a message board a few days ago, figured that I’d share it with a few others as it’s relatively handy to have around. Might even clean it up, add a few image caps and possibly submit it as an article to TR or something. *shrug* Gotta do something until I can find a job again.

The following are some of the most comprehensive but not necessarily definitive procedures on performing a Windows spyware/virus exorcism. These are instructions for 2K/XP; folder locations change for older systems. YMMV. Just remember that I’m posting this out of the kindness of my heart for free and have no control over any potential variables that could crop up and hose your system. That means if you inadvertently screw the pooch while using this guide, you’ve been warned about the risks and you assume full responsibility for the possible consequences before you start. Anyway, on with the guide!

1) In “Folder Options”, turn on “show hidden files and folders” as well as turning off “hide protected operating system files”.

2) Proceed to every instance of “\Documents and Settings\(user name)\Local Settings\Temporary Internet Files\Content.IE5” in every profile on your system, including the “Default User” profile. Make sure IE is closed, and purge EVERYTHING, both inside and outside the random-string folders (for example: QBIXIVA7). To get at these folders in the profile you’re logged in under, you’ll have to do it from another profile with Admin privileges.

3) Go into “Internet Options”, then “Temporary Internet Files Settings”, and click “View Objects” in the new window that pops up. DELETE EVERYTHING THERE.

4) Run “msconfig” and perform the following: under the “services” tab, select “hide all Microsoft services” and proceed to deselect anything running that isn’t directly related to your antivirus or firewall software (or if you’re running an old copy of iTunes, leave gearsec if you want to continue burning CDs). Then go to your “start up” tab and deselect anything that you don’t need except anything related to antivirus or firewall software. (Hint: you can safely deselect EVERYTHING under the start up tab; they’re non-critical. You may lose functionality like with multimedia keyboards, but come on, who actually uses those things.)

5) Find all your temp directories and delete everything in them. If you’re unsure where your temp directories are, just do a folder search for “temp”.

6) Empty your Recycle Bin.

7) Reboot.

8) Install and update the following programs (if allowed) (links at the end): AdAware, Spybot S&D, SpySweeper, Eset NOD32 AntiVirus, HijackThis!, SpywareBlaster.

9) Reboot system and press F8 before the bootstrap logo (Windows splash screen) to enter into safe mode.

10) RUN THE FOLLOWING PROGRAMS IN THIS ORDER:
Eset NOD32 AntiVirus (go into settings and enable deep scan and search everything before starting)
HijackThis! (if you don’t know what you’re doing, get help and advice on what’s safe to delete)
Spybot S&D (immunize system before running, remove everything it finds)
AdAware (remove everything it finds)
SpySweeper (remove everything it finds)
SpywareBlaster (enable protection)
Eset NOD32 AntiVirus (yes, again… there are some things that try to replicate when removed with spyware removal apps)

11) Reboot into regular mode.

12) If you’re on DSL and can’t connect back to the internet, your DSL client probably had BackWeb in it. Either reinstall the client, or leave BackWeb off your system and buy a DSL router with a firewall; you’ll be safer with the latter choice. If you’re on any other type of internet connection and can’t reconnect to the internet, you’ll need to run either WinSock XP Fix or LSP-Fix to get internet connectivity back.

13) Proceed to have your computer scanned for a second opinion on viruses at housecall.trendmicro.com using your IE browser and remove anything else it finds.

14) Update Windows, dammit!

15) Install the Google Toolbar if you haven’t already.

16) If you don’t have a good antivirus program already, purchase NOD32. If you do, update it. Same with a software firewall. Might I suggest ZoneAlarm.

17) Uninstall NOD32 if you already have an antivirus program and you weren’t impressed enough with NOD32’s performance to uninstall your old software and purchase a license for it.

18) Download and install Mozilla Firefox and Thunderbird.

19) Defragment the hard drive.

20) Set the Recycle Bin size as close to 200MB as you can.

21) Under IE’s Internet Options, go into “temporary internet files settings” on the first tab, and set the cache size to 20MB.

22) Install AnalogX’s Script Defender and block all listed scripts.

23) Download and run RegSupreme to clean up your registry.

Pat yourself on the back. This process is 100% effective 95% of the time. If you still have problems, rerun the entire process, but add in running KazaaBegone and CWShredder and make sure you’ve emptied out all the temp directories and removed any suspicious BHOs in HijackThis! and got rid of the ActiveX handlers in the internet objects folder from step 3.

If it fails after all that, find a local geek to do it for you.
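As an added example that is not part of the original guide, the following PowerShell script gathers the manual inspections from steps 2 through 5 (per-profile IE cache and Temp folders, the “View Objects” ActiveX folder, the msconfig Startup entries) plus the BHO check from the wrap-up paragraph into one read-only triage pass, so you can see what is there before deleting anything. It assumes the default “Documents and Settings” profile layout of 2K/XP and a hypothetical -Purge switch (my naming) that actually empties the cache and temp folders.

```powershell
# Added example, not from the original post: triage the locations the guide has you check by hand.
# Assumes the default C:\Documents and Settings layout; run from an Administrator account.
param([switch]$Purge)   # hypothetical switch: when set, empties the cache/temp folders listed

$profileRoot = Join-Path $env:SystemDrive 'Documents and Settings'
$cachePaths = @()
$profiles = Get-ChildItem -Path $profileRoot -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.PSIsContainer }   # PSIsContainer works on PowerShell 2.0 (XP era)
foreach ($prof in $profiles) {
    # Steps 2 and 5: the Content.IE5 cache (random-string folders live under it) and the profile Temp
    $cachePaths += Join-Path $prof.FullName 'Local Settings\Temporary Internet Files\Content.IE5'
    $cachePaths += Join-Path $prof.FullName 'Local Settings\Temp'
}
$cachePaths += Join-Path $env:SystemRoot 'Temp'
$cachePaths += Join-Path $env:SystemRoot 'Downloaded Program Files'   # step 3: the "View Objects" folder

foreach ($p in ($cachePaths | Where-Object { Test-Path $_ })) {
    $items = @(Get-ChildItem -Path $p -Recurse -Force -ErrorAction SilentlyContinue | Where-Object { -not $_.PSIsContainer })
    $mb = [math]::Round(($items | Measure-Object Length -Sum).Sum / 1MB, 1)
    Write-Output ("{0,6} files {1,8} MB  {2}" -f $items.Count, $mb, $p)
    # ActiveX controls are left for a manual review in "View Objects"; only caches/temp are purged
    if ($Purge -and $p -notlike '*Downloaded Program Files') {
        # index.dat stays locked for the logged-in profile, which is why the guide says to use another admin profile
        Get-ChildItem -Path $p -Force -ErrorAction SilentlyContinue |
            Remove-Item -Recurse -Force -ErrorAction SilentlyContinue
    }
}

# Step 4 (msconfig Startup tab): the Run/RunOnce keys are where most of those entries come from
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($k in ($runKeys | Where-Object { Test-Path $_ })) {
    (Get-ItemProperty -Path $k).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { Write-Output ("AUTORUN {0} : {1} = {2}" -f $k, $_.Name, $_.Value) }
}

# Wrap-up paragraph: list Browser Helper Objects and the DLL each CLSID resolves to (HijackThis! O2 items)
$bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
if (Test-Path $bhoKey) {
    foreach ($bho in Get-ChildItem -Path $bhoKey) {
        $clsid = $bho.PSChildName
        $srv = Get-ItemProperty -Path "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue
        # A DLL living in a temp or profile folder here is the sort of entry worth researching before removal
        Write-Output ("BHO {0} -> {1}" -f $clsid, $srv.'(default)')
    }
}
```

Run it once without -Purge from the second Admin profile the guide tells you to use, read the AUTORUN and BHO lines against what HijackThis! shows, then rerun with -Purge for steps 2 and 5.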

And now, software:
NOD32 Antivirus
Ad Aware
Spybot S&D
SpySweeper - (use the try it for free button)
SpywareBlaster
CWShredder
HijackThis! & KazaaBegone
Winsock XP Fix
LSP-Fix
Firefox & Thunderbird
RegSupreme
Script Defender

Share and Enjoy!

Update! 07 October 2005 - With the advent and current spread of rootkit viruses, this cleanup process has the potential to still leave things behind. I haven’t had much opportunity to deal with this new breed of misery, so I don’t currently have much advice on rootkit virus removal at this time. In what little I have dealt with them, I’ve found that Sysinternals’ RootkitRevealer seems to be fairly good at the job, but not a tool to be used by your average novice. Unfortunately there’s not much in the whitehat community as of yet dealing with the topic of rootkits, so there’s not really anywhere I know of to point you towards for further information.

Additionally, MS AntiSpyware Beta has been proving itself useful the past few months as well in the fight against malware. It seems like a fairly solid defense line against malware, but I have noticed that there tends to be a bit of a performance penalty on lower end systems as it likes to run in the background and is a bit of a resource hog in the classic Microsoft fashion. If you use this in conjunction with the above guide, slip in the install along with the other anti-malware utilities.

Another good subscription based anti-spyware/malware utility I’ve found has been Sunbelt Software’s CounterSpy. They have a trial version for download just like SpySweeper, and I believe they both cost about the same. I’ve found them both to be about equal, so you don’t have to install both trials during the clean-up process. Pick either SpySweeper or CounterSpy, it’s about six one way and half-a-dozen the other. As far as using this in the above guide instead of SpySweeper, just substitute the one for the other in the install, update and run sequence. I also wouldn’t advise running MS AntiSpyware in parallel with this for long term… and if I had to choose between the two for long term use, I’d pick CounterSpy or SpySweeper over MS AntiSpyware depending on what you choose.

If I ever post an update to this guide, I’ll make sure it’s readily available and easy to find from here. As for why I haven’t continued to make a massive effort to advance knowledge on the Windows Security front for my readers, it’s because I’ve instead started to focus my energies on potential alternatives that could actually help eliminate dealing with this madness entirely, instead of continuing to pursue this sadistic battle in a rather quixotic fashion.


That’s called facing reality, but that’s exactly what Best Buy doesn’t want at all!

Yes I know, the subject line isn’t a full-on movie quote. Instead, it’s a minor paraphrase. You’ll see why.

It’s been an eventful week. The mighty Willismobile finally came back from repair, and oddly enough, the battery is now apparently dying. Great! Add that to the list of balding tires and worn brakes! At least it drives well again. All I can ask, I suppose.

Also had a knock-down-drag-out fight with my body yesterday. My mind doesn’t remember the day. My body won’t let me forget it. I don’t remember the last time I had these kinds of health issues, and it concerns me… the worst part is I know how to prevent it, and because I’m unemployed and broke, I can’t. *sigh* Damned if I do, damned if I don’t.

On to other things. Rewatched Amelie a couple nights ago. As you can see, one of the quotes stuck with me. It seems fitting for the coming screed.

I’ve been wanting to actually comment on this for quite some time now, but haven’t had the chance yet. You see, I noticed that the Big Blue juggernaut recently re-did the Geek Squad website. Additionally, they launched a Canadian version as well. Do yourselves a favor and witness the house of cards and its sturdy base.


This is the work of a salty dog. You can tell by the cleanliness of the carnage.

Today was a… … …sore day. *crack* *snap* It’s embarrassing how quickly health and fitness can slip away.

I mowed the back forty yesterday. Non-riding mower. Propelled. Long grass. Outside of a couple bad blisters on the hands, didn’t do anything to me yesterday.

That was yesterday. Today, I feel like I got in a fight with and lost to an angry, drunk elephant.

Didn’t bother hitting the streets looking for a job. Instead stuck to phone and Internet followups since I didn’t need the following scenario:

“So, Mr. McClintock… it says here that you have experience with QuarkXPress… what versions have you used and for what platform?”

“Well, Sir… I’ll readily admit that my experience with Qua—-” *suddenly leans back and to the left* “—(sucking noise) AAURGH! (panting) Quark (gasp gasp) has mostly been… (groans) on Win—”

“Are you all right?”

“(sharp sucking noise)I’m fine….” *tears roll down cheeks* “—on Windohhhs owww… and (gasp gasp) a (gasp gasp) a (gasp) a little outdated.”

“Thank you Mr. McClintock, we’ll get back with you. Good day.”

“Could you at least (assorted grunts) help (gasp gasp) me out of theunghhh… chair?”

“Uh… no.”


Copyright © 2004-2008 Will McClendon. All rights are reserved, Callahan.
