
Solution to adware/spyware/viruses
July 8, 2005 2:36 PM

Spyware, adware, and viruses. I'm sick of feeling like a moron.

I went to college for electrical engineering, and have worked as a software developer for the last 8 years, so all my friends and family want me to fix their computers. Invariably, it's the same thing: removing spyware, adware and viruses. The problem? It takes me 3-8 hours each time to fix someone's computer. Is there an easier way?

I have a CD with the following software that I bring (including updated signature files):
Service Packs (W2K SP4, XP SP2)
Spyware Detectors (Ad-Aware, Spybot Search and Destroy, eWido Security Suite)
Startup/Browser Tools (BHO Demon, Hijack This, Toolbar Cop)
Winsock Fixes (Windows XP Winsock Fix, Generic Winsock Fix)
Special Cases (CWS Shredder)

My general methodology is to:
1. Reboot the computer in Safe Mode
2. Run HijackThis, and remove almost everything I know to be a virus/adware/spyware.
3. Run eWido (still in safe mode), and clean all infected files.
4. Reboot computer normally, and run Toolbar Cop, Spybot, and Ad-aware.
5. Install the latest service pack

And still I'm sometimes there for hours, trying to clean out one last popup, or remove a local proxy, or something; it's frustrating! Is there an easier way to do this? Most of the time, reformatting isn't a real option, since most of the time they only have one drive, and they don't want to lose their files.
posted by patrickje to Computers & Internet (20 answers total) 6 users marked this as a favorite
 
I just tell them the only way I'll fix it for free is if they let me format/re-install the machine. Then partition the drive to allow a small partition where you'll leave a ghost image of the now clean machine. On windows 2k/XP you can turn this partition off so nobody can mess with it.

Next time, it'll be a 10 minute repair. As a bonus you'll never be called to recover data from a bad HDD since these people will learn the backup lesson well.
posted by shepd at 2:49 PM on July 8, 2005


Convince them to buy a Mac when they replace the computer. Until then, save for taking periodic snapshots of the system registry, you'll have to deal with the fact that Windows spyware is a reality of using Windows. Even Microsoft's own antispyware tool is unsafe.
posted by Rothko at 2:53 PM on July 8, 2005


You know, you can reinstall windows without reformatting the whole hard drive.

Just wipe the C:\windows directory and the program files directory and install windows from scratch.

Of course with all the 'activation' crap microsoft throws in your face that's not as easy to do as it used to be.
posted by delmoi at 3:03 PM on July 8, 2005


With XP user education is the key. Once you set them up with a scrubbed system give them personal accounts with restricted privileges and explain that they should only use the admin account to install or configure.

I remove all the obvious links to explorer and install firefox, AVG, and Microsoft's AntiSpyware (which is one of the best - slashdot whinging aside). After that - no problems.

Oh, and now the only computer I am willing to fix is my wife's. The moment you touch a problem computer people seem to think that everything new that goes wrong with it is something you did. It just isn't worth the hassle anymore.
posted by srboisvert at 3:41 PM on July 8, 2005


Yeah, delmoi, but then they just let their "My Documents" fill up to the point of bursting. After the inevitable HDD failure and their complaining it's "your fault" they lost their stuff, stuff them. Besides, if you limit yourself to a destructive option, there's a good chance they'll stop calling on you to do the job. Which is good if you're not being paid at all.
posted by shepd at 3:47 PM on July 8, 2005


A few suggestions...

- Add/Remove Programs is your friend. Seriously. I've tested this pretty extensively, and you will be astounded how well this works in many cases.

- Empty the browser cache. There might be tens of thousands of files in there (the default IE disk cache size is insanely large on a system with a good size hard-drive) and any deep scan you run with an automated tool is going to have to open each one. Do this for all accounts if several are used. Delete as much as you can out of the user profile temporary directories as well.

- If you're particularly brave, you could even disable-then-reenable System Restore to clear that out so nothing ends up scanning huge numbers of .dll and .exe files that are never run or used.

- Automated HijackThis logfile analysis is available here and here. Don't follow their suggestions blindly, though -- HijackThis is best avoided altogether unless you're ultra-confident that you know what you're doing. (This isn't directed particularly at patrickje, but to anyone reading the thread.)

- Kaspersky Anti-Virus is the anti-virus product with the best reputation for removing crapware, and their 2006 release is in free beta now. (The included beta license is good through the end of November.) You're going to want to do a thorough anti-virus scan anyway, so there's no reason not to pick this one.

- Microsoft Anti-Spyware is pretty decent and (again) in free beta at the moment. It won't catch everything (people have complained recently about it downgrading Claria for commercial reasons, for example), but nothing else does either.

- Webroot's SpySweeper and Sunbelt Software's CounterSpy are both well-regarded and have free trials. An install, update, scan, reboot, uninstall cycle takes around ten minutes each, which is a far more efficient use of your time than messing around with regedit.

- In addition to ewido, there's also a-squared which I haven't really played with yet.

- While you're poking around, I like to run Crap Cleaner.

- Imaging backups are awesome, but only really work if people keep My Documents and local e-mail storage on a separate drive, never save anything important on C:, and accept that the recovery process might mean they lose customisations stored in the profile or registry, such as software licenses, passwords, address books, and so on.

- If you want to look into image backups, I heavily recommend Acronis TrueImage which has a free trial (time-limited) but which lets you burn the boot CD (which isn't.) [I think this is the case - I bought a license.]

- I really wasn't kidding about Add/Remove Programs.
posted by rjt at 3:55 PM on July 8, 2005 [1 favorite]


Oh, and a few more unstructured comments on helping prevent future problems:

- Make sure their anti-virus program is running and up-to-date, or install the free e-trust anti-virus if they don't have one (requires a real email address to send the license key to.)

- Go here to test whatever anti-virus they're using actually works.

- Software firewalls are not really suitable for most end-users, and are unlikely to be for a few more years yet (if ever.)

- Firefox is good, but not all sites work with it. If you do install it for a user, delete whichever shortcut they normally use to launch IE and replace it with a FireFox one.

- Spyware Blaster and IE Spy-Ad are also pretty good.
posted by rjt at 4:08 PM on July 8, 2005


And finally: teach them not to open unexpected e-mail attachments or files sent over chat networks, and that 'yes' is almost certainly the wrong reply to any web popup. (This can actually be pretty tricky as too many people's muscle memories have been so effectively trained the other way by Windows.)
posted by rjt at 4:17 PM on July 8, 2005


One thing I'd like to add is always turn on the auto-update feature. Come on people! Keep those machines patched!

Seriously, just set it to automatically download updates and install them at 12pm (when, presumably, most people are at work).

That, plus Firefox, will keep about about 95% of what's out there off those machines. Unless, of course, you want to start charging for your visits. That's a completely different story. ;)

On preview: Yeah, educate the users. Tell them that if they open another unsolicited email attachment your next visit will not be free. They'll listen.
posted by purephase at 4:21 PM on July 8, 2005


I don't fix the computer unless they let me reformat and reinstall XP (if this means they have to go out and buy a retail box so they're in compliance, so be it).

First thing is to set an administrator password that they don't know.

Secondly, first thing upon entering windows is right click my computer, go to manage, local users and groups, groups, Administrators, and remove everyone except the local admin account.

Reboot, log in as admin, install the software they need, log out, and let them in.

Running as non-admin is THE ONLY WAY to prevent users from hosing their systems.
posted by chota at 4:26 PM on July 8, 2005
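The two pieces of hardening advice given just above (purephase: turn on automatic updates and schedule the install; chota: take the everyday accounts out of the Administrators group so people run as non-admin) can both be scripted on a current Windows machine. The script below is an added example and is not from any poster in this thread; it uses the Windows Update AU policy keys and the LocalAccounts cmdlets, which did not exist on XP. The account name `family-admin` and the 12:00 install hour are assumptions, and it must be run from an elevated PowerShell prompt.

```powershell
# Added example (not from the thread): post-cleanup hardening.
#   1. Automatic Updates: download and install on a schedule (purephase's advice).
#   2. Least privilege: everyday users become standard users (chota's advice).
# Assumed names: 'family-admin' is the admin account whose password only you know.
#Requires -RunAsAdministrator

# --- 1. Automatic Updates policy ---
$au = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
New-Item -Path $au -Force | Out-Null
# AUOptions 4 = auto download and schedule the install; NoAutoUpdate 0 = enabled
Set-ItemProperty -Path $au -Name NoAutoUpdate -Type DWord -Value 0
Set-ItemProperty -Path $au -Name AUOptions    -Type DWord -Value 4
# ScheduledInstallDay 0 = every day; ScheduledInstallTime = hour of day (0-23)
Set-ItemProperty -Path $au -Name ScheduledInstallDay  -Type DWord -Value 0
Set-ItemProperty -Path $au -Name ScheduledInstallTime -Type DWord -Value 12   # assumed: noon

# --- 2. Everyday accounts out of Administrators ---
$keepAdmin  = 'family-admin'      # assumed account name
$adminGroup = 'Administrators'

# Create the admin account if needed; prompt for its password instead of hard-coding it.
if (-not (Get-LocalUser -Name $keepAdmin -ErrorAction SilentlyContinue)) {
    $pw = Read-Host -AsSecureString "Password for $keepAdmin"
    New-LocalUser -Name $keepAdmin -Password $pw -PasswordNeverExpires | Out-Null
    Add-LocalGroupMember -Group $adminGroup -Member $keepAdmin
}

# The built-in Administrator account always has RID 500; leave it alone.
$builtinAdmin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }

foreach ($m in Get-LocalGroupMember -Group $adminGroup) {
    $name = $m.Name.Split('\')[-1]
    $isLocalUser = ($m.ObjectClass -eq 'User' -and $m.PrincipalSource -eq 'Local')
    if ($isLocalUser -and $name -ne $keepAdmin -and $name -ne $builtinAdmin.Name) {
        Remove-LocalGroupMember -Group $adminGroup -Member $m
        # A demoted account still has to be able to log in: make sure it is in Users.
        if (-not (Get-LocalGroupMember -Group 'Users' -Member $name -ErrorAction SilentlyContinue)) {
            Add-LocalGroupMember -Group 'Users' -Member $name
        }
        Write-Host "Demoted $name to a standard user"
    }
}

# --- 3. Verify: only the built-in Administrator and the kept admin should remain ---
Get-LocalGroupMember -Group $adminGroup | Select-Object Name, ObjectClass, PrincipalSource
```

Run it once after the machine is clean, log out, and let the user in on their demoted account; anything that later needs installing is done from `family-admin`, which is exactly the split chota describes.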


Damn. And people say Macs cost more. This thread is a great example of a major flaw in that argument. You should charge for your time. Within a year they'll all own iBooks.
posted by realcountrymusic at 5:01 PM on July 8, 2005


Patrickje,

Say no. That's all. Literally a day of me working on their machine runs the cost of a cheap pc.

Or, have them trade in time. Really. Since they're friends/family. Tell them it's a pretty bad chore, it's mindless...and expensive to keep you there. Each of them can do something you need.
posted by filmgeek at 5:13 PM on July 8, 2005


Damn. And people say Macs cost more. This thread is a great example of a major flaw in that argument. You should charge for your time. Within a year they'll all own iBooks.
posted by realcountrymusic at 5:01 PM PST on July 8


Quoting previous comment for emphasis. And to use a phrase often lobbied at Linux/Unix geeks, usually by Windows users: PCs only cost less if your time (or your resident geek's time) is free.

I don't have anything to add on-topic, but only because everyone else has covered all I knew (which is a good year, year and a half out of date by now, as I no longer work tech support) and then some. My mother's and sisters' machines are all fine because I keep them auto-updated, make sure they all run Firefox, and they only get online behind a NAT-capable router.

Poof, no issues, except when the 14-year-old runs IE anyways to use her asinine little chat boards *rolls eyes* And I've been something like 150-200 miles away from home since I moved out a year and a half ago, so these machines are only serviced about once every six months.
posted by cyrusdogstar at 5:45 PM on July 8, 2005


I currently do this for a living, so I see this at least a couple times a day, five days a week. You're right, it typically takes several hours to do a really good job of cleaning everything out. If you can actually get it all - sometimes the wrong combination of crap infests the machine to the point that you may never really get it all - without a wipe and reload.

Don't do it unless you make a business of it - have a form for them to sign, releasing you of all responsibility for their data. Charge a standard amount. Etc, etc. If you don't feel comfortable doing this for your friends and family, don't work on their machines. How uncomfortable will it be when their family pictures and doctoral thesis gets hosed because XYZ Spaminator-o-Rama won't die without taking everything else with it?

But, if you're still gonna do it: your current procedure is pretty good. rjt has some great tips. Run Crap Cleaner and clean out internet temp files & cookies before doing any major scans; it needs to be done anyway, and it will make the scans quicker. If you have any reason to suspect they have any virii, especially trojans, do a virus scan first. Depending on how it turns out, run a Spybot scan - quick, effective, and quick. Key here is quick. Talk to them during the virus scan - give them a rundown on malware, tailored to their level of understanding. Paint a pretty bleak picture and give them the worst case scenario. If Spybot finds over say, 300 objects, stop. Tell them they are going to be better off all around with a wipe and reload, or a new machine. I would almost go as far as refusing to try to clean their machine beyond a certain point of infection. Several hours of cleaning is worse than a few hours of formatting/reinstalling is worse than buying a new machine. I always expect people to reject this, but no one has yet. It doesn't take too many hours of work at most professionals' rates to approach the price of a new system. Offer to help them pick out their new computer, help them get one that does all the stuff they wish their current one could do but can't. You will both come away with a much better experience than the same amount of money spent trying to clean up their old one, with questionable results. And with a fresh machine, you can make sure they have all the right antis- to begin with. Teach them how to do the necessary maintenance on their computer. Equate it to maintenance on their home, or their car. Make them self-sufficient, and you'll soon have another geek friend to talk shop with, instead of another victim friend asking you for help with "this damned thing".
posted by attercoppe at 6:29 PM on July 8, 2005


I *don't* fix computers for free, family or not. I got tired of relatives who never contact me otherwise, begging me to fix their machines. My reasoning is that I went to college for my computer degree, and it is how I make my money, so I'm not going to give it away. I will do it insanely cheap, and I have a list of the rough prices it would cost for them to take their computer to Best Buy or somewhere to have it done... once they see I'm the least-expensive option (ESPECIALLY for a house call), they have no problem paying me.
posted by IndigoRain at 9:06 PM on July 8, 2005


Just another repetition: stop! Do it for exchange, and don't be exploited. It's better for you and it's better for them.
posted by anadem at 11:06 PM on July 8, 2005


As has already been pointed out, you look fairly well organised from a technical perspective.
Unfortunately cleaning infected PCs does take a long time to do properly and a rebuild is quite often the quickest and cleanest (in the long run) method of fixing it.
Personally, if I'm at the house of a paying customer and the problem looks like it's going to take more than, say, an hour to fix I will offer to take it away sort it and return it the next day. Watching a virus scan run whilst sitting round someone else's house is just painful for both of you.
If it's friends or family (or friends of friends, friends of friends of friends, etc, etc) get them to drop their PC off at your house. There you have all the software you'll need, a reliable net connection and a spare PC to chuck their HDD into to retrieve their data before a rebuild. And of course, four hours of virus/malware scanning or PC rebuilding is far less of a chore if you're in your own home and can watch TV/smoke/read a book and just occasionally look up and click 'next' on the screen. At the end of the day, you're the one doing them the favour and getting them to make your life a little easier is the least they can do.
posted by qwerty155 at 1:57 AM on July 9, 2005


Here's another useful system update tool: BigFix. It regularly finds things Microsoft's autoupdate does not, or it finds them hours or days before they show up in Microsoft's tool.
posted by kindall at 4:21 AM on July 9, 2005


Let me save you a lot of time: go and get HitManPro.
It's a self-running shell for

Ad-Aware SE 1.06
Spybot Search & Destroy 1.4
Webroot Spy Sweeper
Spyware Doctor 3.2
CWShredder 2.15
SpywareBlaster 3.4
Spyware Block List
Trend Micro Sysclean Package
McAfee SuperDAT VirusScan

It will first download all the latest updates to these programs, then auto-run them all, with NO user input.

http://www.hitmanpro.nl/ (click on 'download' and it will start)

I give this to all people who 'use' me as the resident computer-wizz, and it saves me hours each week.

In addition to running this each month or so, I tell them to install Microsoft Anti-Spyware as a stay-resident program.
Together with an Antivirus (Kaspersky is the one of my choice), you shouldn't have much to worry about anymore.
Oh, and get everyone to use FireFox instead of IE.
posted by Grensgeval at 4:39 AM on July 9, 2005 [3 favorites]


Lots of good advice in this thread. But I'd say the most vital part of the process is getting your friends / family to change their browsing / email handling habits, and trying to instil some kind of common sense in them.
posted by coach_mcguirk at 7:20 AM on July 9, 2005

