A computer technician's advice on removing Spyware



  • I'm rather new so I'm not quite sure if this qualifies for a tiny WTF.

    The War on Spyware

     
     One of my favourites is:

     

    Security Settings

    Find the exe that is causing you your
    grief and set the NTFS security settings on it so that no user has any
    access to the file. Then pull the plug on the PC while it’s still on so
    the software is unable to do anything you don't want it to. This makes
    it so when the system tries to execute the file next time the computer
    is turned on, it finds that it does not have access to the file and
    thus cannot execute the code.

     

    or maybe this one... 

    Unplugging the PC While It’s On

    This is a trick I use
    often. Although drastic, it’s the best way to ensure the machine does
    not execute something after you do a Hijackthis cleaning. If I am able
    to remove a file from the startup, I just yank out the power cord ASAP.
    This ensures that if the process is still running, it does not have the
    chance to put itself back in the startup. Holding the power button down
    for 4 seconds takes too long. You can also use the power switch on your
    power supply, but it’s just not as fun =).

    This is a tactic I
    use as little as possible (although that’s still often enough) as it’s
    not healthy for a computer to be shut off like that. But if you’re at
    the point where you’re considering formatting anyway, may as well give
    it a try.

     

     



  • Well, when they charge ya $200 to install a power supply, or replace a hard drive.... Go figure that the advice they give ya will turn your box into a paperweight... 



  • Tiny, shit. They're Just Plain Retarded (tm).
    Here's my totally proprietary, enterprise, patented method for dealing with Spyware:

    Find the exe.
    Rename the exe.
    Restart the computer.
    Delete the exe.
    Patch the computer.
    Double check, repeat steps 1-4 if patching takes too long and it catches it again. (happens occasionally)
    Turn on Automatic Updates.
    Charge obscene amounts of cash.
    Leave.

    Anyone who thinks that yanking the power is any help when working with a software problem is a danger to themselves and those around them. Not electrically necessarily, but it can't be good to be that stupid in general.



  • --- If I am able to remove a file from the startup, I just yank out the power cord ASAP. This ensures that if the process is still running

     Naw, you wouldn't want to kill the process and then delete the file now would you.



  • that's not enterprisey enough.  :-)



  • My favorite part of the article regarding the unplugging of the PC...

    "This is a trick I use often."

    <next paragraph>

    "This is a tactic I use as little as possible..."

     

    They say 60% of the time it works every time.



  • [quote user="HitScan"]

    Tiny, shit. They're Just Plain Retarded (tm).
    Here's my totally proprietary, enterprise, patented method for dealing with Spyware:

    Find the exe.
    Rename the exe.
    Restart the computer.
    Delete the exe.
    Patch the computer.
    Double check, repeat steps 1-4 if patching takes too long and it catches it again. (happens occasionally)
    Turn on Automatic Updates.
    Charge obscene amounts of cash.
    Leave.

    Anyone who thinks that yanking the power is any help when working with a software problem is a danger to themselves and those around them. Not electrically necessarily, but it can't be good to be that stupid in general.

    [/quote]

     

    Unfortunately, that often doesn't actually work.  Renaming the exe may fail if Windows thinks it is still in use.  If you can get rid of it on disk (Sysinternals has a special utility for scheduling moves and deletions at shutdown) -- then you still have to deal with the fact that the running process can repair itself  (write itself back out to disk, re-add itself to the registry to run at startup).  Just kill the process?  Well, some things come as multiple processes which will restart each other.

     

    Some spyware really does need the power-kill trick in order to get any headway. 



  • [quote user="forkazoo"]

    Unfortunately, that often doesn't actually work.  Renaming the exe may fail if Windows thinks it is still in use.  If you can get rid of it on disk (Sysinternals has a special utility for scheduling moves and deletions at shutdown) -- then you still have to deal with the fact that the running process can repair itself  (write itself back out to disk, re-add itself to the registry to run at startup).  Just kill the process?  Well, some things come as multiple processes which will restart each other.

     

    Some spyware really does need the power-kill trick in order to get any headway. 

    [/quote]

    I'm not a computer technician nor do I have too much experience in that, but isn't there some rather professional way to do that? I mean can't one just scan for the files and processes in question or identify them otherwise, then let's say save the results to a log file and then plug in the hard drive in question to another computer and have it removed accordingly?  

     



  • If you install all of those antivirus/antispyware programs that he recommends it'll slow your computer down more than the spyware did :)



  • [quote user="Phalphalak"][quote user="forkazoo"]

    Unfortunately, that often doesn't actually work.  Renaming the exe may fail if Windows thinks it is still in use.  If you can get rid of it on disk (Sysinternals has a special utility for scheduling moves and deletions at shutdown) -- then you still have to deal with the fact that the running process can repair itself  (write itself back out to disk, re-add itself to the registry to run at startup).  Just kill the process?  Well, some things come as multiple processes which will restart each other.

     

    Some spyware really does need the power-kill trick in order to get any headway. 

    [/quote]

    I'm not a computer technician nor do I have too much experience in that, but isn't there some rather professional way to do that? I mean can't one just scan for the files and processes in question or identify them otherwise, then let's say save the results to a log file and then plug in the hard drive in question to another computer and have it removed accordingly?  

     [/quote]

    Or boot from a Knoppix CD and do the same if you don't have another computer at hand.



  • Related, especially to the thread title, but slightly OT from the thread:

     My mother-in-law recently had a problem with Norton Antivirus. The settings all changed, and she couldn't change them back. (She got a message saying she did not have access. Logging in to the Admin account got the same result.)

    She called Norton (well, Symantec). After some hemming & hawing, they said she probably had a virus. "Well, how can I get a virus when I have Norton AntiVirus?" More hemming and hawing. They offered 2 solutions, one costing $40.00 (they would log in somehow to her computer) and another $70.00 (she had to ship the computer somewhere).

    I was not privy to the conversation, so I don't know how accurately she remembered the conversation. But I would have 'thrown down,' as they say, if a tech from my anti-virus company suggested I got a virus (assuming I kept it updated, and she does.)

     
    I really don't know what the problem was. We rolled back to the last "good" configuration and that was that.
     



  • [quote user="biziclop"][quote user="Phalphalak"][quote user="forkazoo"]

    Unfortunately, that often doesn't actually work.  Renaming the exe may fail if Windows thinks it is still in use.  If you can get rid of it on disk (Sysinternals has a special utility for scheduling moves and deletions at shutdown) -- then you still have to deal with the fact that the running process can repair itself  (write itself back out to disk, re-add itself to the registry to run at startup).  Just kill the process?  Well, some things come as multiple processes which will restart each other.

     

    Some spyware really does need the power-kill trick in order to get any headway. 

    [/quote]

    I'm not a computer technician nor do I have too much experience in that, but isn't there some rather professional way to do that? I mean can't one just scan for the files and processes in question or identify them otherwise, then let's say save the results to a log file and then plug in the hard drive in question to another computer and have it removed accordingly?  

     [/quote]

    Or boot from a Knoppix CD and do the same if you don't have another computer at hand.

    [/quote]

     

    I actually kinda like this Windows Live CD. 'Tisn't too bad compared with his other highly unstable and unusable "versions" of Windows. Or you could just make your own live CD with Bart's PE Builder and add in whatever apps you want/need. Works a charm.



  • [quote user="HitScan"]

    Tiny, shit. They're Just Plain Retarded (tm).
    Here's my totally proprietary, enterprise, patented method for dealing with Spyware:

    Find the exe.
    Rename the exe.
    Restart the computer.
    Delete the exe.
    Patch the computer.
    Double check, repeat steps 1-4 if patching takes too long and it catches it again. (happens occasionally)
    Turn on Automatic Updates.
    Charge obscene amounts of cash.
    Leave. 

    [/quote]

    My technique is much simpler: Stick an Ubuntu CD in the drive and superglue the door shut, then reboot.  I don't even charge them for it.



  • [quote user="ogilmor"]

    --- If I am able to remove a file from the startup, I just yank out the power cord ASAP. This ensures that if the process is still running

     Naw, you wouldn't want to kill the process and then delete the file now would you.

    [/quote]

    That's all fun and well, but lots of spyware these days spawns several processes, each checking on each other and regenerating themselves as you kill/delete them. Incredibly hard to deal with.

    Personally, given that anti-virii have the groin-kickingly fun tendency to slow the system down to a halt, I just prefer to wipe the OS clean at first sight of spyware. Not using IE and not being retarded about opening email attachments usually makes sure that happens only about once a year.



  • I have rescued my computer from some pretty bad spyware and viruses, and I never once contemplated pulling out the power cord while it was on.  Not only does that have a chance of frying your motherboard, destroying your power supply, and ruining your hard drive...  it's just dumb.



  • All you should need is a tiny app which gets a process list, and allows you to 'multi-select ... kill'. Then go rename/delete the EXEs. Hmm, maybe I should write one. The only thing is I don't know if you can forcibly kill a process from another application (other than Task Manager, obviously).



  • [quote user="Bob Janova"]All you should need is a tiny app which gets a process list, and allows you to 'multi-select ... kill'. Then go rename/delete the EXEs. Hmm, maybe I should write one. The only thing is I don't know if you can forcibly kill a process from another application (other than Task Manager, obviously).
    [/quote]

    Try Taskkill



  • [quote user="forkazoo"] 

    Unfortunately, that often doesn't actually work.  Renaming the exe may fail if Windows thinks it is still in use.  If you can get rid of it on disk (Sysinternals has a special utility for scheduling moves and deletions at shutdown) -- then you still have to deal with the fact that the running process can repair itself  (write itself back out to disk, re-add itself to the registry to run at startup).  Just kill the process?  Well, some things come as multiple processes which will restart each other.

     Some spyware really does need the power-kill trick in order to get any headway. 

    [/quote]

    I've yet to see it not work. You can't delete or move the file if it's running, but you can change the name. (Last I tried this was on 2000, though I suspect it works on XP also) Occasionally setting the Deny Execute bit in the Security tab for Everyone will work, but it takes more time and I have seen things that get around it if memory serves.
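    The sequence argued over in this thread (HitScan's find/rename/restart/delete, forkazoo's point about processes that restart each other, and the NTFS deny-all trick from the article), written here as an added example that is not from any post above. It assumes an elevated PowerShell session on a current Windows build rather than the 2000/XP-era tools the posts mention, and the process names are placeholders to replace with whatever triage identified.

```powershell
# Added example, not from the thread. Assumes an elevated PowerShell session.
# Process names passed in are placeholders: substitute the ones found in triage.
function Remove-WatchdogPair {
    param([Parameter(Mandatory)][string[]]$ProcessNames)

    # 1. Enumerate every matching process up front, so that a pair that
    #    restarts each other is terminated in one pass, not one at a time.
    $procs = @(Get-Process -Name $ProcessNames -ErrorAction SilentlyContinue)
    if ($procs.Count -eq 0) { Write-Host 'Nothing matching is running.'; return }

    # Capture the image paths now; Path is gone once the process is killed.
    $paths = @($procs | ForEach-Object Path | Where-Object { $_ } | Sort-Object -Unique)

    # 2. Force-kill all of them together. This answers the "can another app
    #    kill a process" question: Stop-Process -Force uses the same
    #    TerminateProcess call that taskkill /F relies on.
    $procs | Stop-Process -Force -ErrorAction SilentlyContinue
    Start-Sleep -Seconds 2
    $survivors = @(Get-Process -Name $ProcessNames -ErrorAction SilentlyContinue)
    if ($survivors.Count -gt 0) {
        Write-Warning ("Respawned: {0}. A parent or service not in the list is restarting them." -f ($survivors.Name -join ', '))
    }

    # 3. Rename the image first (rename only needs DELETE on the file), then
    #    deny Everyone all access so a leftover startup entry cannot run it.
    #    Undoing the deny later requires taking ownership of the file.
    foreach ($p in $paths) {
        $newName = [IO.Path]::GetFileName($p) + '.quarantined'
        Rename-Item -Path $p -NewName $newName -ErrorAction Continue
        $q = Join-Path ([IO.Path]::GetDirectoryName($p)) $newName
        if (Test-Path $q) {
            $acl  = Get-Acl -Path $q
            $deny = New-Object System.Security.AccessControl.FileSystemAccessRule(
                        'Everyone', 'FullControl', 'Deny')
            $acl.AddAccessRule($deny)
            Set-Acl -Path $q -AclObject $acl
            Write-Host "Quarantined $p -> $q"
        }
    }
}

# Usage with placeholder names:
Remove-WatchdogPair -ProcessNames 'PLACEHOLDER_spy1', 'PLACEHOLDER_spy2'
```

    If the warning fires, the respawning parent has to be added to the list and the function run again; killing the children alone only repeats the cycle the thread complains about.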



  • [quote user="forkazoo"]Unfortunately, that often doesn't actually work.  Renaming the exe may fail if Windows thinks it is still in use.  If you can get rid of it on disk (Sysinternals has a special utility for scheduling moves and deletions at shutdown) -- then you still have to deal with the fact that the running process can repair itself  (write itself back out to disk, re-add itself to the registry to run at startup).  Just kill the process?  Well, some things come as multiple processes which will restart each other.

    Some spyware really does need the power-kill trick in order to get any headway.[/quote]

    Wait - you know of Sysinternals, but don't know of the Suspend process option in Process Explorer? No need to yank the power cord out.



  • [quote user="Bob Janova"]All you should need is a tiny app which gets a process list, and allows you to 'multi-select ... kill'. Then go rename/delete the EXEs. Hmm, maybe I should write one. The only thing is I don't know if you can forcibly kill a process from another application (other than Task Manager, obviously).
    [/quote]

    Lots of spyware hooks into the system calls for getting a process list and makes sure they never show up on the list in the first place.  Those are the really fun ones to deal with.  I usually boot in the Recovery Console and rename exe and dll files with a recent last modified date.

