Ever wonder why viruses are so hard to get rid of?  I mean, you spent the effing 50 bucks or whatever on Norton/McAfee/PCTools/whatever... so WHY ARE THESE POPUPS STILL CRUSHING MY SOUL, SYMANTEC SUPPORT TEAM????

I know why.

It’s because those big companies are too mainstream to be very effective in a culture where the mainstream software out there is the most easily exploitable angle for anyone trying to subvert your defenses.  It really is that simple.  Yes, your heuristic analysis engine is doing its level best to detect new attacks as they come in, but there really is no magic killer app out there for preventing cutting-edge (what we call “0-day”) exploits.  So you find yourself with a MOSTLY effective tool against well-defined attacks, but one that is sorely lacking on 0-day defense.  Don’t let their marketing fool you.  It can take days or even weeks for a new exploit to be fully countered in ANY of the mainstream products out there.

Granted, you still have to have those protections, and this is not a bash against the AV industry in general.  But what do you do when you inevitably find Norton has been yet again caught with its pants down, and suddenly your computer has lately taken a keen interest in selling you Viagra or DonkeyLovinCuties.com memberships?

You gotta get out of the mainstream.

There are three very simple tools I use at work, all the time, to get me out of the messes I see every day.  There is a more exhaustive list, but these three programs have saved me literally hours of work, and made me a small hero at many offices, time and time again.

Here’s my standard operating procedure, just three small downloads that can save you from, god forbid, calling GeekSquad or some other high-priced horror:

First, a small preface before you get started: Safe Mode with Networking is your friend and ally in this crisis.

“But hey, smarmy tech guy, I don’t know how to get into that mode, and even if I did, I might mess something up!”

Well, that’s not a problem, because I’ll tell you right now.  Safe Mode (w/ Networking) is both very easy to access and very safe to use, even for novices.  Just shut down your computer, start her back up, and as soon as you see your screen turn on, start tapping F8 until you get the Windows boot menu.

Boot Menu.  Do not taunt Boot Menu.

Just use your arrow keys to scroll up until you reach the second choice from the top, and then hit Enter.  That’s it!  Next you’ll see Windows start up in a somewhat tacky-looking but recognizable way, and then just click YES when it asks if you want to start in Safe Mode.  Done and done.

Now that you are in Safe Mode with Networking, what do you do?  Well, you’ve started in this mode because just starting in Safe Mode alone would not give you any access to the internet at all, and you’re going to need that functionality to get the three programs you need.  So let’s go anti-spyware hunting!

  1. Combofix – this program has been around awhile, and though not a fix-all program, I’ve found that it easily surpasses most of the paid programs out there in terms of addressing the more heinous problems I’ve seen.  Just look down the page till you see the link for download, then download this puppy to your desktop.  Now, ignore it for a minute while we go get the next proggy which will help you.
  2. SDFix – another direct and very effective program for getting rid of the more obscure mini-atrocities I see every single day.  Again, download from the link provided, then forget about it and move on to the pièce de résistance:
  3. Superantispyware – Free Version – this program with the really bad marketing department and, yeah, a really dull name, also happens to be a very effective program to use, particularly when used in tandem with the first two.  It is included last in the list because it is the last program you will use in the cycle.  However, I strongly recommend you keep it.  Just scroll down the page, download the free version of the program, and then, again, forget about it for a minute.  Note: there is also a paid version of the program that includes resident protection, but truth be told, it’s not much more effective than something like Adaware 200X Pro.

Now that you’ve got your three juggernauts sitting pretty on your desktop, it’s time to start letting them go to work for you.  Start with Combofix: just double-click and agree to the various disclaimers that pop up (yes, there are warnings involved with the use of this program, but I have not had a single experience in which this process failed.  Now, it may not have always taken care of the problem in its entirety, but it has NEVER crashed any system I’ve worked on, and we are talking about HUNDREDS of systems).  Therefore: double-click, agree to disclaimers, and then just go get a coffee, a crabcake, and a good Rolling Stone article to read, because it’s going to take upwards of twenty minutes for it to go through its various motions.  Note: it may ask you to reboot; when it does, to steal a phrase from the marketing geniuses at Selsun Blue, “that just means it’s working.”  Just reboot as normal and let it finish the job it has started.  Once all is said and done, it will pop up a logfile which will describe everything it has (or hasn’t) found.  Since this program has run its course, your final step is to shut down the computer and restart in Safe Mode again, just like the instructions above illustrated.  But, all told, that’s the end of step one.

Step two is SDFix.  Next verse, same as the first, with a little difference at the beginning.  This time, when you double-click the file, it will pop up a little self-extraction dialogue asking you to choose where to dump the working files of the program, i.e. where on your system you want the program to be located.  Just click Next and it will send the program by default to a directory called SDFix on the root of your C drive.  So once that is done, open up My Computer and simply double-click on the C drive.  The SDFix folder will usually appear in alphabetical order along with all the other usual directories (e.g. “Documents and Settings”, “Windows”, “Program Files”, among others).  Double-click on the SDFix folder and double-click on the file called RunThis.  Again, dialogue boxes will pop up, along with a command prompt telling you to choose Y to begin scanning and N to exit the program.  Select Y and then see the procedure above regarding coffee, crabcakes, etc.  It will take awhile, and almost always at the end of the process it will ask for a reboot.  Just Say Yes, and then, again, wait awhile for it to finish up.  Once again, the process ends, we get a log file pop-up, and hopefully by this time a more stable system.

But, um, well, you may still see evidence of problems.  It happens, and when it does, that’s when we break out the secret weapon: Superantispyware will almost always clean up all the loose ends.  Note: do not restart into Safe Mode again just yet.  We need to install Superantispyware from the regular mode of Windows.  I’m not sure why, but when installing in Safe Mode I have always gotten permissions errors.  I think it’s probably a small glitch in the program, but hey, even pretty girls can have sharp knees, and programs are not perfect either.  Anyway, just install the program as you normally would any other, then let it update itself from its own servers.  After this has completed, you have two choices: you can then start in Safe Mode to do the scan, or just go ahead and run it.  Personally, I just go for it right then, because it usually is able to do the job just fine.  Run it, select Full Scan, let it whistle, whir, & wheeze its way about for twenty minutes, and when the job is complete, it will present you with a list of remaining spyware on the system.  Just hit Next to get rid of it, and then at this point it will probably ask you to reboot.  FOLLOW THIS ADVICE, because it is key: every file that has been identified as troublesome will likely not be able to be deleted until the system is restarted, because of the way locked files are handled in Windows.  So, just reboot as normal, and when your PC lurches out of its temporary slumber, you SHOULD have a fully working PC again.
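An added check to go with the procedure above (example script, not from the original post): it reports whether Windows is in Safe Mode, via the SAFEBOOT_OPTION environment variable that Windows sets only during a safe boot, and lists the PendingFileRenameOperations registry value, which is where a cleaner queues a locked file for deletion at the next reboot. It assumes PowerShell is installed, which a stock XP SP2 machine does not have.

```powershell
# Added example, not part of the original post.
# 1) Which boot mode are we in? Windows sets SAFEBOOT_OPTION to NETWORK for
#    "Safe Mode with Networking" and MINIMAL for plain Safe Mode; a normal
#    boot leaves it unset.
function Get-BootMode {
    $opt = $env:SAFEBOOT_OPTION
    if (-not $opt)          { return 'Normal boot' }
    if ($opt -eq 'NETWORK') { return 'Safe Mode with Networking' }
    if ($opt -eq 'MINIMAL') { return 'Safe Mode (no networking)' }
    return "Safe Mode ($opt)"
}

# 2) Which files are waiting to be deleted or moved at the next reboot?
#    A scanner that cannot delete a locked file registers it here (the
#    MoveFileEx MOVEFILE_DELAY_UNTIL_REBOOT mechanism); the Session Manager
#    processes the list early in the next boot, before the program holding
#    the lock can start again. That is why the reboot prompt matters.
function Get-PendingFileOperations {
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $name = 'PendingFileRenameOperations'
    $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if (-not $item) { return @() }

    # REG_MULTI_SZ of pairs: source path, then destination. An empty
    # destination means "delete". Paths carry the NT "\??\" prefix.
    $entries = @($item.$name)
    for ($i = 0; $i -lt $entries.Count; $i += 2) {
        $src = $entries[$i] -replace '^\\\?\?\\', ''
        $dst = ''
        if ($i + 1 -lt $entries.Count) {
            $dst = $entries[$i + 1] -replace '^\\\?\?\\', ''
        }
        [pscustomobject]@{
            Source      = $src
            Destination = $dst
            Action      = if ($dst) { 'Rename on reboot' } else { 'Delete on reboot' }
        }
    }
}

"Boot mode: $(Get-BootMode)"
Get-PendingFileOperations | Format-Table -AutoSize
```

Run it after a scanner asks for a reboot and before you reboot: an empty list means nothing is queued and the reboot prompt was for some other reason.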

You’re welcome.    /obligatory Nick Burns catchphrase

Now, what-if scenarios abound here that I’m not going to get too deep into, but I’ll mention a couple that have dogged me in my time as a field tech.

  1. What if the process completes, but it’s the same as before?  In that case, you have two options.  Either take it to a pro, someone like me who can actually manually edit your registry hive and seek out the uncommon .dll and .tmp files in your system32 directory that have slipped past even these stalwart response programs.  It’s rare but it does happen, and when it does, it’s usually too much for a novice to handle.  At the very least you can say you practiced due diligence before handing your money over to some geek with bad breath and low social ability.  The other option is to run the whole process again.  For some reason, it just seems to work; I guess since you have just gotten rid of some of the more obvious things, a second round of scans can sometimes pick up extra goods.
  2. What if something goes wrong during the process, and one of the scans doesn’t complete?  That’s usually not a problem; just start over from step one, and the next time should be the charm.  If that still doesn’t work, then, again, you probably have acquired a piece of malware that simply doesn’t have an easy fix, or you might have a broken piece of spyware in the system that is locking up the “catchme scanners” – the realtime in-memory malware locators that are the central reason these programs work so well.  This scenario is RARE, and when it does happen, you can rest assured that when you call a tech to help you out, your money will be well spent – just try to spend it on a local company, though, as opposed to the big box stores, because chances are you’ll get a better deal and a better technician.
  3. What if, when you start Combofix or SDFix, you can’t even get these programs to run at all in Safe Mode?  This is something I DO run into a bit, and it usually just means that you have a piece of malware that includes a scanner blacklist.  It’s like an antivirus program for viruses that comes along with the malicious code.  To simplify: your particular virus/spyware may have within it a separate process that is constantly screening defensively for files that are known to be capable of destroying it.  When this happens (and it does), it will not let you run that program at all, but the fix is usually amazingly stupid simple: just rename the file you are trying to run – if combofix.exe won’t start, just rename it to combofix2.exe, and chances are you will have gotten around the blacklist.  Likewise for sdfix.exe and superantispyware.exe.  Some of these programs may have blacklisting enabled, but in my experience it is a piss-poor implementation, and one that can be easily thwarted.

So give it a shot.  You can turn that frown upside down!

Caveat:  this tutorial is only approved (as yet) for Windows XP machines running SP2 or above.  I do not recommend using Combofix or SDFix on Vista as yet, as there are still some kinks to be worked out in my experience, but Superantispyware DOES work just fine in all flavors of Vista, so just start with it if you have Vista.  Thanks for reading and if you find any of this useful to you, consider donating to this blog, but if you don’t care to do that, at least give me some comments on how this worked out for you, and I’ll try to keep new procedures up to date in the future.


7 Responses to “Spyware Help”

  1. Violette April 20, 2013 at 7:21 am

    There is this misconception that “fats” are bad, and we should reduce our fat intake because it will lead us
    down a path of gaining weight and or potentially becoming
    fat. I smile a lot and people become taken aback at how perfect my teeth are.

    There are several items you can purchase at your local grocery store to use as masks.

  2. healthy oil April 28, 2013 at 11:24 pm

    Follow these tips and you should be able to maintain healthy
    and hydrated hair during the iciest time of the year.

    Nasal drops are available and some natural oils such as a ready to apply
    ‘rub on’ aromatherapy blend can help. DO NOT keep giving all of your money to the
    companies that manufacture these bottles of shampoo that contain nasty chemicals.

  3. grapeseed oil May 16, 2013 at 8:47 pm

    Additionally, grapeseed oil can help your skin heal, as it has mildly astringent and
    antiseptic properties, which also help to tighten and tone the skin,
    making it a good ingredient for anti-aging skin creams.
    When you see these words on a label, DON’T EAT IT OR GIVE IT TO YOUR FAMILY. These particular changes in the early stages are not actually cancer, but in the later stages they can become cancerous.

  4. sears promo code July 22, 2013 at 2:13 am

    One of the best methods to carry out couponing effectively
    would be to follow the suggestions of other customers.

    It can be your friend, family, and on occasion even the web
    opinions. Following a pattern, where the people are being benefited is obviously reliable.
    It saves your time and effort as well, when you can certainly get information for
    using a discount with sears promo rule. This can also work vice versa, where you can assist others while sharing
    your knowledge on line or during socialization.

    Richard Sears was a lot in tune towards the progressions in
    his country and used them with his new company, as it happened.
    As individuals we’re starting to move west and more railroads were being built, mail demand buying become another routine. Clients from within the region were exceptionally stimulated to truly have the ability to request such excellent things while never needing to leave their homes.
    At sears voucher can be used on jewelries, apparels, automotive products, and loads more. You can get a voucher which can be applied on any particular brand or product class. You’ll find deals which may be employed in a particular amount of purchase.
    In this instance, there might not be any issue for choosing these products.
    Thus, it can be easily understood that how helpful the coupons can be in terms
    of your purchase from Sears is anxious. Beginning with the ladies sandals to the conditioning tools and even the mattresses, the said coupons can be benefited in many
    different goods, as mentioned earlier.

  5. sears promo code July 22, 2013 at 6:10 pm

    Write more, that’s all I have to say. Literally,
    it seems as though you relied on the video to make your
    point. You obviously know what you’re talking about, why waste your intelligence on just posting videos
    to your site when you could be giving us something informative to read?

  6. Descargas November 27, 2013 at 8:29 pm

    Hello, how are you? A very good and well-written article, something useful these days. Regards

  7. toothache medicine September 20, 2014 at 9:49 am

    I got this web site from my friend who told me on the topic
    of this web site and now this time I am visiting this
    site and reading very informative articles at this place.
