Spyware Problems

I spend a great deal of my time destroying spyware on customer systems. I know from recent experience that the problem is getting a lot worse, very fast.

Ken's Approach (well, not exactly, but this is how I usually start)

  1. Get the new Spybot Search & Destroy version 1.3 or greater
  2. Make sure you are not doing anything else: do a fresh reboot, make sure Internet Explorer is not running, and unplug your network cable (the fat phone-style wire) from the back of your computer, or disconnect if you have dial-up.
  3. Install Spybot Search & Destroy.
  4. Run Spybot Search & Destroy
    • If it is the first time running Spybot, create a registry backup --> immunize --> start using the program
  5. Click Mode->Advanced Mode, say "yes" when it asks if you're sure.
  6. Enable TeaTimer resident object
    1. Click "Tools", then "Resident"
    2. Check the TeaTimer and SDHelper checkboxes
    3. Note for later (after everything is working fine): turn off TeaTimer before you run Windows Update or update your virus software; you will be much less confused this way. You might try one install with TeaTimer enabled just to see what happens. Be sure to allow all changes during the updates, including after any reboot, or the update might get messed up. If you ever disable TeaTimer for something, be sure to re-enable it when you're done.
  7. Click "Tools", then "System Startup"
  8. Uncheck EVERYTHING
  9. TeaTimer will begin asking a LOT OF QUESTIONS.
    1. If TeaTimer asks about something being deleted, click "Allow Change"
    2. WARNING... If TeaTimer asks about something being added, select the "Remember this decision" checkbox, then click "Deny Change" (unless it is TeaTimer itself that is being added... that is okay!!)
    3. Once all processes have been removed from startup, anything that adds itself back is either RealPlayer, QuickTime, spyware, a messenger, or other junk you can run yourself if you need to.
  10. Click Spybot-S&D, then "Check for problems" and let it scan.
  11. After everything seems to have died down and there are no more questions from TeaTimer, it is time to add your virus software back to the system startup.
    1. Click "Tools", then "System Startup" again.
    2. Open the pane on the right-hand side of the screen. It will be blank until you select a process.
    3. Begin selecting processes (without actually checking them) and descriptions will appear in the pane at the right.
    4. Check the ones that mention virus protection software, such as "ccApp" (for Symantec) or "myCIO.com ASaP" (for McAfee ASaP).
  12. Finally, you may find yourself battling some spyware by hand if Spybot can't remove it. My approach is to boot to safe mode and run Spybot from there. Sometimes that works. Another approach is to remove the file by hand from the command line. Finally, it is sometimes necessary to log in as Administrator (in safe mode) and take ownership of the files before they can be removed. Always run Spybot scans alongside removal by hand, to see whether what you did has enabled Spybot to remove the rest of the spyware.
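The steps above do the startup review and the manual cleanup through Spybot's "System Startup" pane and the command line. Here is an added example, not from Ken's page and not part of Spybot, that does the same review with PowerShell: it lists the entries in the standard Run keys and Startup folders, resolves each one to the program it launches, and reports whether that file still exists and whether it carries a valid Authenticode signature, so the entries worth a closer look (missing or unsigned images) sort to the top. A second function does step 12's take-ownership-and-delete from an elevated prompt, with -WhatIf for a dry run. It assumes Windows PowerShell 5.1 or later on a current Windows build; the key and folder names are the standard ones, and the list is deliberately not exhaustive (services, scheduled tasks and browser helper objects are other places spyware starts from).

```powershell
# Added example (not Ken's or Spybot's code). Audits common autostart locations and
# offers a take-ownership-and-delete helper. Assumes Windows PowerShell 5.1+ on a
# current Windows build, run from an elevated prompt.

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$StartupFolders = @(
    [Environment]::GetFolderPath('Startup'),        # this user's Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # All Users Startup folder
)

# Pull the program path out of a Run-key command line such as
#   "C:\Program Files\Foo\foo.exe" /silent    or    %SystemRoot%\foo.exe -x
function Get-ImagePath {
    param([string]$CommandLine)
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
    }
    # Unquoted: the image ends at the first ".exe" token, if there is one
    $m = [regex]::Match($cmd, '^(.+?\.exe)\b', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($cmd -split '\s+')[0]
}

# Startup-folder items are usually .lnk shortcuts; follow them to the real target
function Resolve-Image {
    param([string]$Command)
    if ($Command -like '*.lnk') {
        return (New-Object -ComObject WScript.Shell).CreateShortcut($Command).TargetPath
    }
    return Get-ImagePath $Command
}

# One record per autostart entry: where it lives, what it runs, whether the file is
# still there, and what Authenticode says about it. A missing or unsigned image is
# not proof of spyware, only the place to start reading descriptions.
function Get-AutostartReport {
    $entries = @()
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
            $entries += [PSCustomObject]@{ Location = $key; Name = $p.Name; Command = [string]$p.Value }
        }
    }
    foreach ($folder in $StartupFolders) {
        if (-not (Test-Path $folder)) { continue }
        foreach ($f in Get-ChildItem -Path $folder -File) {
            $entries += [PSCustomObject]@{ Location = $folder; Name = $f.Name; Command = $f.FullName }
        }
    }
    foreach ($e in $entries) {
        $image  = Resolve-Image $e.Command
        $exists = (-not [string]::IsNullOrEmpty($image)) -and (Test-Path -LiteralPath $image -PathType Leaf)
        $status = 'n/a'; $publisher = ''
        if ($exists) {
            $sig = Get-AuthenticodeSignature -FilePath $image
            $status = $sig.Status
            if ($sig.SignerCertificate) { $publisher = $sig.SignerCertificate.Subject }
        }
        [PSCustomObject]@{
            Name = $e.Name; Exists = $exists; Signature = $status
            Publisher = $publisher; Image = $image; Location = $e.Location; Command = $e.Command
        }
    }
}

# Step 12 by hand: take ownership of a file the normal delete refuses, grant the
# Administrators group (well-known SID S-1-5-32-544) full control, then remove it.
# -WhatIf shows what would happen without touching anything.
function Remove-StubbornFile {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { throw "No such file: $Path" }
    if ($PSCmdlet.ShouldProcess($Path, 'take ownership and delete')) {
        takeown.exe /F "$Path" | Out-Null
        icacls.exe "$Path" /grant '*S-1-5-32-544:F' | Out-Null
        Remove-Item -LiteralPath $Path -Force
    }
}

# Usage: list everything, worst-looking first, and review before removing anything
Get-AutostartReport | Sort-Object Exists, Signature |
    Format-Table Name, Exists, Signature, Publisher, Image -AutoSize
# Remove-StubbornFile -Path 'C:\path\to\suspect-file.exe' -WhatIf
```

Run the report before and after the Spybot pass: entries whose Exists column is False are leftovers pointing at files that are already gone, and entries with Signature of NotSigned living under a user-writable folder are the ones to read descriptions for first. Keep the virus-software entries (the page names "ccApp" and "myCIO.com ASaP" as examples) and only hand a path to Remove-StubbornFile once a Spybot scan has confirmed what it is.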