Advanced spyware removal

Hello, this time I'll show you how to clean spyware off your computer in cases where your antivirus application cannot detect the whole infection, or detects and removes the virus only for it to reappear on the next scan, infecting an even larger number of files.

To do this properly we'll use three free applications: Process Explorer, Autoruns and CCleaner.
Here are the detailed steps of the whole cleaning procedure:

1. Restart the computer and boot into SAFE MODE.

2. Start Process Explorer and you'll see the applications (processes) that are already started and loaded in memory at this moment.
Those that flash for a moment and are highlighted in purple are the new / suspicious ones. Pay particular attention to them.



3. But how do you know which ones are suspicious?
Look for:

- processes with random names
- processes without an icon
- processes without a description
- carefully check the child processes (expand them with the + sign) of the following two processes: rundll32.exe and svchost.exe.
(Here is how to do this: open View and check 1. Show Lower Pane, 2. Lower Pane View -> DLLs.) Check each and every one of their child processes by clicking on the process while watching the lower-left portion of the screen (look out for purple rows).


4. When you have found some suspicious ones, open a command prompt from Start->Run->cmd, go to the directory containing the suspicious file (usually System32, System or Temp) and run the following command (the tool is cacls, not "calcs"):

cacls file_name.dll /p everyone:N

This replaces the file's permissions with "no access" for Everyone, so it can no longer be loaded or executed and cannot re-infect the system.

5. Next, kill each of the suspicious processes with the Kill Process command.
Important: repeat the above procedure until no new purple processes reappear (if they keep reappearing, the virus is autoloading itself). Then find the process explorer.exe and stop it with Kill Process Tree.

(Don't worry when your taskbar disappears.)

6. Start Autoruns:

From Options check Hide Microsoft and Windows Entries and Verify Code Signatures, then press F5.
Take a look at the entries shown as Not Verified and uncheck the suspicious ones.

7. Start CCleaner and click the Run Cleaner button.


8. Do a final check of the processes in Process Explorer: are there any newly started ones? If so, repeat the procedure: cacls, Kill Process, and refresh Autoruns (F5) to check again for new startup entries.

9. Restart the computer directly with the RESET button. Don't worry if this seems slightly inappropriate; it is an important step so that the virus cannot hook into Windows' Start->Shut Down process.
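The same checks from steps 3 and 4 can be scripted. The PowerShell below is an added example and is not part of the original post: it lists running processes that fail the post's heuristics (no description, or an executable without a valid Authenticode signature) and wraps the cacls lock-out with the newer icacls tool. The function names Get-SuspiciousProcess and Block-File are my own, and it assumes an elevated PowerShell session.

```powershell
# Added example, not from the original post. Function names are my own.
# Run from an elevated PowerShell so that Get-Process exposes the path of every process.

function Get-SuspiciousProcess {
    # Apply the post's heuristics to every running process:
    # missing description, or an executable without a valid Authenticode signature.
    Get-Process | Where-Object { $_.Path } | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.Path
        [PSCustomObject]@{
            Name        = $_.ProcessName
            Id          = $_.Id
            Path        = $_.Path
            Description = $_.Description
            Signature   = $sig.Status      # Valid, NotSigned, HashMismatch, ...
        }
    } | Where-Object {
        $_.Signature -ne 'Valid' -or [string]::IsNullOrWhiteSpace($_.Description)
    }
}

function Block-File {
    # Equivalent of the post's "cacls file /p everyone:N", done with icacls:
    # drop inherited permissions and deny Everyone (well-known SID S-1-1-0) full
    # access, so the file can no longer be read, loaded or executed.
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { throw "Not found: $Path" }
    icacls $Path /inheritance:r /deny '*S-1-1-0:(F)'
}

# Review the list first, then block only the files you have judged malicious, e.g.:
# Get-SuspiciousProcess | Format-Table -AutoSize
# Block-File -Path 'C:\Windows\System32\suspect.dll'   # placeholder file name
```

On older Windows versions many catalog-signed system files report NotSigned rather than Valid, so treat the list as a starting point for manual review, not a verdict.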

Cheers! by Nevyan Neykov
