Let's Kill Some Spyware!!
Posted 2009-02-24 at https://mikemartinezonline.com/blog/2009/02/24/lets-kill-some-spyware/

I recently had to help some people remove some serious spyware/malware/viruses.
Now normally, if I can't 'kill' the bad stuff fairly quickly, I will simply get the person's 'data' - documents, pics, music etc. - off the machine and then delete the partitions, wipe the drives, re-format and re-install the operating system clean.
But sometimes in a business situation this is not always possible.
Or sometimes all the needed applications are not available for 're-install'.
For this you must try and 'save' your system without the 'nuclear option'.
So here is one of the best methods I use on a 'running' active system.
Read all the instructions and download ALL of the suggested applications from a 'non-infected' machine first.
Then place them on a portable drive - USB or a directory on the infected system [c:\killmalwareapps or something].
Ok let's start.

First, on the infected machine delete the 'hosts' and 'lmhost' files (malware commonly edits these to redirect or block security sites).
They will be located in the c:\windows\system32\drivers\etc folder.
[Possibly c:\winnt\system32\drivers\etc]

Next, try an online scan from Trend Micro.
To do this safely - using an 'external non-infected browser' - you need to run 'Firefox Portable' off a USB drive.
This will allow a 'clean run' of a browser for a live malware/spyware scan.
How to: the article here
http://firefox-fangirl.livejournal.com/1977.html
explains how to download the latest portable Firefox builds and how to correctly install it as a 'portable app' in a separate folder or on a USB drive. I 'install' it to a directory called 'portablefirefox' and then I copy that to my USB drive.

Then go to Trend Micro USING THE PORTABLE FIREFOX, run their HouseCall application and run a scan:
http://housecall65.trendmicro.com/
Make sure you do NOT use any browser installed on the infected system!!!
Use the 'Firefox Portable' application to get to the web.

Other tools to have on hand (on your USB drive) before starting.
From Sysinternals:
http://technet.microsoft.com/en-us/sysinternals/default.aspx
Get the following apps. Download them on a clean system and transfer them to USB.

Autoruns - finds all the crap actually loading at startup.
You will find all kinds of 'crap' that shouldn't be there.
http://download.sysinternals.com/Files/Autoruns.zip
Extract and run this to show EVERYTHING that is loaded at start up.
This includes applications, scripts, drivers, ActiveX controls, DLLs and more.

Process Explorer
http://download.sysinternals.com/Files/ProcessExplorer.zip
This helps find unwanted running processes and helps in their termination.
Run the application to see every currently running process/application on your system.

You will often need some or all of the following applications to 'kill' bad processes.
That is, malicious programs that are running 'un-authorized' processes.

Unlocker
http://ccollomb.free.fr/unlocker/

WhoLockMe
http://www.dr-hoiby.com/WhoLockMe/

FileASSASSIN
http://www.malwarebytes.org/fileassassin.php

A great spyware finder:

Spybot S&D
http://www.safer-networking.org/en/spybotsd/index.html
I install this as my online scan is running (if possible).
Don't confuse this application with others that are trading on the 'Spybot' name and are in and of themselves ACTUALLY spyware. The one and only original FREEWARE application is here.
http://www.spybotupdates.biz/files/spybotsd162.exe

Remember to have all these files already downloaded and copied to your portable drive.

And to assist in cleaning out all 'temp' type files:
CCleaner
Especially useful if there is an 'unseen' internet app (IE or Firefox) downloading malware in the background continually.
I will run this over and over while running Spybot scans.
http://www.filehippo.com/download_ccleaner/download/d1565b7fb77b48a3692a199d871845fd/

Anyhow, this is just a quick but I think fairly thorough way of cleaning an infected system if you don't have a 'Live' type of utility or rescue disk available such as UBCD (Ultimate Boot CD), Hiren's, or a custom BartPE disk.