Tuesday, October 13, 2009

Removing malware from a computer

One service that seems to crop up is how to remove spyware, adware and other nefarious forms of malware from a computer. So, I decided to write a general how-to guide on how I go about removing these nasty little programs from a Windows computer. First, a little caveat: most of these tools have problems on x64 versions of Windows. I'm sure the tools will progress, but for now I'll concentrate on i386, 32-bit Windows.

As with any trade, one needs to have many tools in the tool kit. Removing these nasty programs takes a set of tools, not just one. Why? It would seem reasonable to an outsider that a single program or suite would do the trick. Remember, it's hard to drill holes with a table saw and it's hard to make straight cuts with a drill press. Newer malware snaps itself in as hidden device drivers, or as services marked to load in safe mode, to fool AntiVirus and other spyware removal tools.

Here are the tools that I use:
  • ComboFix (get this from http://www.bleepingcomputer.com/combofix/how-to-use-combofix and NOT www.combofix.org!)
  • Microsoft's Malicious Software Removal Tool
  • Windows Update
  • Spybot Search & Destroy (http://www.safer-networking.org)
  • AdAware (http://www.lavasoft.com)
  • MyDefrag (http://www.mydefrag.com)
Start out by uninstalling any AntiVirus software that may already be on the machine. Why? Well, it didn't help anyway. More on that later.

Once all of the old AntiVirus software is removed, run ComboFix on the computer. This tool alone will remove an incredible amount of junk, which creates a great starting point for getting the machine back in working order.

An old hacker trick is to hijack your hosts file. This file can override DNS address lookup and direct your browser to a different site without your knowledge. It lives under the Windows directory, which is usually C:\Windows; you can open C:\Windows\System32\drivers\etc\hosts in Notepad. The only line that is needed in this file is this:

127.0.0.1 localhost

If you have more entries than this, your hosts file has most likely been hijacked. You can edit this file and reduce it down to just the line above.
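Before cutting the hosts file down by hand it helps to see what is actually in it. The following is an added example of a small hosts-file auditor, not code from the original post or from any of the tools it lists. It parses the file in the format Windows uses (comments start with #, one address followed by one or more hostnames per line), accepts the plain `127.0.0.1 localhost` line (and the IPv6 form `::1 localhost` that newer Windows versions ship with) as the baseline, and classifies everything else: hostnames pointed at a loopback or 0.0.0.0 address are block entries that only sinkhole a host, while hostnames pointed at any other address are redirects, which is the hijack the post describes. The sample hosts content and all addresses and hostnames in it are constructed for the example; the script only reports and never modifies the file.

```python
"""Audit a Windows hosts file for hijacked (redirecting) entries.

Added example: reports every entry beyond the plain localhost line and
says whether it blocks a host or redirects it somewhere else.
"""
import ipaddress
import os
from typing import List, Tuple

# Default location on a 32-bit Windows install, as given in the post.
HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"

# Constructed sample for running the example offline; every address and
# hostname below is made up (RFC 2606 names, TEST-NET-2 address range).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
#
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net          # constructed: sinkhole-style block entry
127.0.0.1       tracker.example.org      # constructed: block entry, loopback form
198.51.100.7    www.bank.example         # constructed: redirect to an outside address
198.51.100.7    update.antivirus.example # constructed: redirect of an update host
"""

Entry = Tuple[str, List[str]]


def parse_hosts(text: str) -> List[Entry]:
    """Return (address, [hostnames]) for each active line; comments and blanks skipped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing or whole-line comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed line with no hostname; nothing to resolve
        entries.append((parts[0], parts[1:]))
    return entries


def classify(address: str, hostnames: List[str]) -> str:
    """Categorise one entry.

    'localhost' - the single line the post says is needed (IPv4 or IPv6 form)
    'blocked'   - hostname sent to loopback or 0.0.0.0; it can no longer be reached
    'redirect'  - hostname sent to some other address; a browser would land elsewhere
    'invalid'   - the address field does not parse as an IP address
    """
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return "invalid"
    if ip.is_loopback and all(h.lower() == "localhost" for h in hostnames):
        return "localhost"
    if ip.is_loopback or ip.is_unspecified:
        return "blocked"
    return "redirect"


def audit_hosts(text: str) -> List[Tuple[str, str, List[str]]]:
    """Return (category, address, hostnames) for every entry that is not the localhost line."""
    findings = []
    for address, hostnames in parse_hosts(text):
        category = classify(address, hostnames)
        if category != "localhost":
            findings.append((category, address, hostnames))
    return findings


def hijacked_entries(text: str) -> List[Tuple[str, str, List[str]]]:
    """Only the redirect entries: the ones that match the hijack described in the post."""
    return [f for f in audit_hosts(text) if f[0] == "redirect"]


def load_hosts(path: str = HOSTS_PATH) -> str:
    """Read the real hosts file if present, otherwise fall back to the constructed sample."""
    if os.path.exists(path):
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    return SAMPLE_HOSTS


if __name__ == "__main__":
    content = load_hosts()
    for category, address, hostnames in audit_hosts(content):
        print(f"{category:9} {address:16} {' '.join(hostnames)}")
    if hijacked_entries(content):
        print("Redirect entries found: review them and cut the file back to '127.0.0.1 localhost'.")
```

Run it on the machine being cleaned (or anywhere, in which case it audits the built-in sample). Block entries are what Spybot's immunization adds, so a long list of them after immunizing is expected; redirect entries are the ones to treat as a hijack.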

Next, download and run Spybot Search & Destroy. DO NOT install TeaTimer. This tool needs to be run under every user profile residing on the machine. Then immunize the machine using Spybot; this will help keep the bad stuff away. From the Advanced menu you can also view what starts up on the machine and uncheck items that are not needed.

Spybot's immunization also turns the hosts-file trick to your advantage: it adds entries that block known bad hosts, which blunts any malware on the machine by stopping it from calling home. I do this as a matter of course.

Also from within Spybot you may run the system check. This will help clean up the registry.

Reboot the machine and run Windows Update. This may take several passes and reboots to get all of the required patches installed. This alone will go a long way toward keeping the hackers out.

Once the machine has all of the Microsoft updates, run the Malicious Software Removal Tool by running MRT. A quick scan is usually sufficient.

Then, download and run AdAware. This may or may not turn up more malware. Simply follow the instructions.

At this point the machine is clean, but it may still be slow. Download and install MyDefrag. Once installed, run the Slow Optimize. This will take a long time on very fragmented computers, so it is a good thing to start before heading to bed.

The final step is to install some legitimate AntiVirus software. I recommend Nod32 from eSet systems (http://www.nod32.com). I do not recommend Norton or McAfee; however, if you have paid for one of them and your subscription is current, put it back on the machine and run it until the contract runs out.

If you don't like to pay for protection, AVG from GriSoft is an excellent free (as in beer or lunch) AntiVirus program. You can download the current version from http://free.grisoft.com. They have a paid version too if you feel better about paying for protection.

Scan the computer for viruses, just to be sure.

Make sure that Automatic Updates is set up and running.

Keep in mind that these procedures will take a considerable amount of time, but in the end the machine will be clean and running like new again. In addition, it will be hardened against possible future attacks.

I hope this helps some folks out. Stay safe out there!