Malware/spyware authors can bite me. Hard. I spent hours this past weekend cleaning off crap from my PC. The crapware has gotten smarer, too: it either renames and prevents from running some of my antimalware programs, prevents me from opening task manager to kill the process, or both. I'm relegated to booting from a write-protected CD to disinfect my hard drive. Actually, that is a fine and dandy thing to do and is how you should proceed with your malware removal.
What's that, you say? You're running up-to-date antivirus software (McAfee. Norton, AVG) and you never visit pr0n sites, so you MUST be okay, right? RIGHT? WRONG. Unless your computer isn't connected -EVER- to the Internet and you never install 3rd party software on your PC, you're at risk. In fact, I'd say that the odds of you having a current infection are probably 50-50, and I consider that an optimistic assessment. In any event, here are some things that you should be doing, and software that you should be running, on a regular basis.
Top of the line spyware, malware and general bad software identification and removal tool. It's a commercial product, but you can use it for free forever as long as you plan to run all of the scans manually. There are benefits to purchasing the software, but I haven't. However, be sure to perform the update each time you run the software. Perform the quick scan first and have Malwarebytes remove all problems it finds (exception: McAfee disables Windows security center, so you should uncheck that particular box in the results pane). Reboot and run the thorough scan, removing everything it finds.
Note The infection I just had renamed mbam.exe to dork.exe and, when I tried reinstalling it, did it again. Also, the dork.exe file is corrupted and cannot be run. Which leads me to the next product.
Spybot Search and Destroy
This is extremely robust antimalware/antispyware software, and it's always free. The creators do accept donations, and it's not a bad idea to do so, since they work hard to keep Spybot S&D up to date. Anyway, run the scan (let it remove all of the temp files when it asks) and go grab an enormous cup of coffee as it takes a while. When it's done, examine the results and choose which ones to fix. Again, it identifies when Windows security center has been disabled, so feel free to uncheck that box if you're running McAfee or Norton. When it's complete, it might suggest that you reboot and have it automatically load upon restart. Say yes, as S&D manages to load itself before most Windows programs (and malware). After fixing all of the problems it finds, make sure that you have Tea Timer (resident program that searches for registry changes and such) load automatically. Also, run the innoculation for IE and Firefox. This adds some passive protections to your browsers and every added layer is helpful. This process takes a little while, but it's well worth it.
IObit Security 360
IObit 360 is good piece of antimalware which has three things going for it: it is and probably will always remain free; it works pretty well; and it has a feature that allows you to create an entirely portable version of the software, which you can then load on a bootable CD (BartPE anyone?) or USB stick. The portable version is what cleaned my PC enough to allow me to successfully run Malwarebytes Anti-Malware, so I give it a thumbs up.
Super Antispyware is still another weapon in your "screw you, assholes" arsenal of antimalware. Much like Malwarebytes, it's commercial, but you can use the free version forever, which means that you don't get any automatic updates or scans. But since I like being in control, having to run the updates and scans myself is simply a bonus. YMMV.
Other Tools for the Toolbox
These are quite helpful and I highly recommend using them on a regular basis. I won't go into any detail here, but rather simply link to them.
BartPE bootable CD/thumb drive with these tools on them and do your disinfecting from there.
IMPORTANT***: Be sure to back up your data before performing these tasks. Malware has a tendency to fubar your hard drive, especially when you try to clean it. Forewarned is forearmed.
Update: I forgot to mention BitDeffender Rescue CD. BitDefender is a commercial product, but they offer a Linux-based (Knoppix) bootable CD which does a bit by bit scan of your entire system. This takes a while, so start it right before bedtime and don't worry about it until morning. Full disclosure: one of my home computers will not boot, failing at the X-Windows load. I've tried adding the command "all_generic_ide irqpoll" at the end of the default options, but it still won't work. I've got a help request in to the support center, but I expect the reply to be slow in coming, as they focus their attention on their commercial products. For the record, I give the thumbs up to their pay option. It works great. But if you want to save the Benjamins, try the free option, which they will update to the latest version of Knoppix sometime this year. Download the latest ISO image here.
Update Mike Duncan from Superantispyware (really!) posted the following comment which provides even more useful information about ridding yourselves of the bane of my PC's existence:
I took note of your issue with a renamed exe file due to infection. We have a couple of tools that may help in those cases. Our online scanner is available at www.superantispyware.com/onlinescan.html and can be run if infection blocks exe files or hinders software installation. Our new, portable version is available at www.superantispyware.com/portable and can be run from a USB drive without software installation or internet access. Both tools are free for home/personal users.
Interesting. You never know who will stop by. I guess it's a good thing that I kept the salty language to a minimum in this post. Anyway, thanks to Mike Duncan for providing the update. It's greatly appreciated.
Update: You know what's interesting? The things on your PC that will work properly once you disinfected them. There is some risk removing spyware. Some of them dig their roots so deeply into your system that your PC can be rendered not bootable upon removal of the crap. However, using the IObit 360 tool above actually fixed my wife's computer. Her computer had been damaged by some malware months ago and once a day, she would be unable to browse the Internet. You could ping sites in a DOS prompt, but the browser would simply fail to load websites. Best I could tell, the socket was corrupted. The problem could be temporarily fixed by rebooting, but that solution wasn't making the spousal unit happy. Anyway, after using the toolkit above, I finally noticed that my wife's computer hadn't had to be rebooted in a week. She's happy, and so am I.
Oh sure, I could have wiped the disk and started over, but it's kind of a last ditch approach. The data was backed up (I'm anal about that), but I hate having to rebuild a system to get it to where I like it. It's a sucky task, albeit a sometimes necessary one. I'm glad that I didn't have to do that in this case.
Update to the update: I just checked out Superantispyware Portable and it has a killer feature:
You might wonder why a portable version is so importantÖ the problem is that the worst malware infections block you from installing malware removal software, and even if you manage to get it installed, most of the time when you try and launch it, youíll get an error like this one:
Note: thatís a real screenshot from a real virus that we cleaned with SUPERAntiSpyware Portable.
SUPERAntiSpyware Portable solves this problem by not only giving you a completely portable version of the application, which consists of a single file you can copy to your USB drive without requiring installation, but it also automatically gives you a random filename so the malware canít detect it as easily.
That's so awesome that I want to grab some butterscotch pudding a la Ace last night to, well, you know.Posted by Physics Geek at January 19, 2010 11:27 AM | TrackBack Stumble It!