I need spyware and virus removal tips
Showing all messages in thread #1110217347 Windows XP Annoyances Discussion Forum
I need spyware and virus removal tips
Monday, March 7, 2005 at 9:42 am Posted by Jacques
(38 messages posted)
Hey all!
I've been fixing computers as a freelance technician as a hobby for the last 5
years. Lately, however, I've been having a lot of trouble cleaning computers swamped
with virus and spyware activity. This is my current procedure to fight it:
1. I log in to safe mode with networking.
2. I run a virus scan at www.trendmicro.com. When this is not available, I use
the available antivirus software or recommend that they purchase PC-Cillin and use
that.
3. I run ad-aware and spybot off my pen drive and remove everything I can.
4. I go into the registry under HKEY_CURRENT_USER/SOFTWARE/MICROSOFT/WINDOWS/CURRENT
VERSION/RUN and remove anything suspicious. I then do the same with HKEY_LOCAL_MACHINE/SOFTWARE/MICROSOFT/WINDOWS/CURRENT
VERSION/ under anything with the word RUN in it. I also check out HKEY_LOCAL_MACHINE/SOFTWARE/MICROSOFT/Internet
Explorer/Plugins for anything suspicious.
5. I delete all temporary Internet Files, System Restore Cache and the recycle bin.
6. I go into add/remove programs and remove anything suspicious.
7. I check Internet Explorer to make sure the homepage has not been changed.
8. I check the start menu and desktop for suspicious shortcuts.
9. I run Windows Update and download all available updates.
10. I check win.ini and autoexec.bat for anything suspicious
11. I check out the HOSTS file in the windows folder for anything suspicious.
What am I missing? The other day I removed 2,600 instances of spyware and fixed
136 files infected with viruses off a customer's computer when I did my repair run
and there wasn't even a noticeable difference in the computer's performance.
Any suggestions at all are greatly appreciated.
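Step 11 of the checklist above (the HOSTS file), as an added example that is not part of the original post: a small Python audit of the file. It assumes the XP location C:\WINDOWS\system32\drivers\etc\hosts, that a clean file maps only localhost, and it runs on a constructed sample whose .example names are placeholders. The two patterns it flags are the ones worth looking for: security-vendor names pointed at 127.0.0.1 (or 0.0.0.0) so the scanner can never update, and ordinary names pinned to some other address.

```python
"""Audit a Windows HOSTS file for hijack entries (step 11 of the checklist above).
Added example, not code from the thread. On XP the file is
C:\\WINDOWS\\system32\\drivers\\etc\\hosts and a clean one maps only localhost."""
import ipaddress
import sys

# Constructed sample, not from a real machine; the .example names are placeholders.
SAMPLE_HOSTS = """# Hosts file - constructed sample
127.0.0.1       localhost
127.0.0.1       sample-av-vendor.example        # update site sinkholed: signatures never update
127.0.0.1       www.sample-av-vendor.example
0.0.0.0         liveupdate.sample-av.example    # same trick with the unspecified address
192.0.2.10      www.bank.example                # pinned to an attacker-chosen address
not-an-ip       stray.example
"""
LOCAL_NAMES = {'localhost'}   # the only name a stock XP hosts file maps

def parse_hosts(text: str) -> list:
    """Return (address, [names]) per entry, ignoring comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split('#', 1)[0].split()
        if len(fields) >= 2:
            entries.append((fields[0], fields[1:]))
    return entries

def audit_hosts(text: str) -> list:
    """(BLOCKED|REDIRECTED|MALFORMED, name, address) per suspicious entry.
    BLOCKED: a non-local name sent to loopback or 0.0.0.0 (site silently sinkholed).
    REDIRECTED: a name pinned to some other fixed address.  A clean file yields []."""
    findings = []
    for addr, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append(('MALFORMED', ' '.join(names), addr))
            continue
        for name in names:
            if ip.is_loopback or ip.is_unspecified:
                if name.lower() not in LOCAL_NAMES:
                    findings.append(('BLOCKED', name, addr))
            else:
                findings.append(('REDIRECTED', name, addr))
    return findings

if __name__ == '__main__':   # usage: python audit_hosts.py [path-to-hosts]; no argument runs the sample
    text = open(sys.argv[1], encoding='latin-1').read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    results = audit_hosts(text)
    for kind, name, addr in results:
        print(f'{kind:10} {name} -> {addr}')
    if not results:
        print('no suspicious entries')
```

Worth confirming at the same time that HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DataBasePath still points at %SystemRoot%\System32\drivers\etc, since the file Windows actually reads can be relocated through that value.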
Standard Utilities
Monday, March 7, 2005 at 10:02 am Posted by joe
(7018 messages posted)
As a standard I recommend all of these utilities. It sounds like you are doing everything
right, with the exception of SpywareBlaster, firewalls, and suggestions of a NAT-enabled
router and cleaner browsers like Mozilla/Firefox and/or Opera. Also, quite possibly,
a lot could stem from bad or rogue products being used; logging onto Rogue/Suspect
Anti-Spyware Products & Web Sites by Eric L. Howes will let you know what
is legit and what is not.

FREE Spyware, Malware, Adware scanner/removers and other utilities
AdAware SE
Spybot - Search and Destroy
Spybot - Search and Destroy DSO Exploit Fix 1.3.1 TX
a-squared (a²)
Micro$oft Windows AntiSpyware (Beta)
CWShredder
CWShredder (Last Merijn Version) 159.1
HijackThis

FREE AntiVirus Software
AVG AntiVirus
Avast!
AntiVir
Bit Defender Ver.7

FREE Firewall Software
Sygate
Kerio Personal Firewall / Limited Edition
ZoneAlarm
OutPost Firewall 1.0
Tiny Personal Firewall

Security Scans/Port Scanners
ShieldsUp (GRC)
Sygate Online Services (SOS)
Audit My PC

FREE Online AntiVirus/Malware Scanners
HouseCall
Panda ActiveScan
RAV AntiVirus Scan
Bit Defender
Symantec Security Check
TrendMicro-Europe for Firefox
  (Browser support includes all major browsers that support the Java 2 Platform:
  Microsoft Internet Explorer, Netscape 6+, Mozilla 1+, Firefox (all), Opera 7.5+.
  Operating systems currently supported: Microsoft Windows 9x/Me, Windows NT,
  Windows 2k/XP, Linux, Solaris.)

FREE AntiVirus/Malware stand-alone utilities
Stinger

FREE Malware/Bad ActiveX/Browser Hijack Prevention and Winsock Fix
SpywareBlaster
SpywareGuard
MRU Blaster
LSP-Fix
Winsock XP

FREE Browsers safer to use than Internet Explorer
Firefox
Opera

Starting your computer in Safe mode
How to Disable System Restore in Windows ME or Windows XP
Clean XP install/Reformat
one more thing....
Monday, March 7, 2005 at 10:36 am Posted by joe
(7018 messages posted)
Start > Search; in the search box put C:\Documents and Settings\username\Local
Settings\Temporary Internet Files and/or *.tmp, and removing anything it
finds helps. Also, I really can't remember from your original posting if you are checking
your ActiveX under Internet Options: opening it up under the Settings
tab and removing anything that is marked "damaged" or "unknown".
Setting your History down to 10 days or less and, under the Settings
tab (again), setting the Amount of Disk Space Used to around 5 MB
or less is a general thing that I do as well.
re: I need spyware and virus removal tips
Monday, March 7, 2005 at 11:45 am Posted by Falcon
(13489 messages posted)
- Trusted Zone
- win.ini and system.ini are in the registry now.
- AppInit_DLLs
- Winlogon\Notify
- ShellDelayLoad objects
- File associations
- UserInit
- Active Setup stubs
- ICQ scripts
- Screensaver
- Browser Helper Objects
- Task Scheduler jobs
- LSP handlers
- Services
- autochk BootExecute key
- Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
That's most of them. Any questions? HijackThis log and a full StartupList log will
show all of these, except in a few cases where the malware hides itself.
The Wereotter

re: I need spyware and virus removal tips
Thursday, March 10, 2005 at 11:47 am Posted by Jacques
(38 messages posted)
Hey, thanks to both of you. Good tips, all. I was able to make a big dent on the
CPU, but it still runs too slowly. HijackThis helped a lot too, and I ended up
reinstalling Windows in repair mode to fix miscellaneous errors that seemed like
they may be virus related.
I couldn't have done it without you. Thanks!
~Jacques :-)
re: I need spyware and virus removal tips
Thursday, March 10, 2005 at 12:41 pm Posted by Jacques
(38 messages posted)
A lot of this is new, and there's a few on here that I'm having trouble researching.
The ones that are either new to me or confusing are:
Trusted Zone
AppInit_DLLs
Winlogon\Notify
ShellDelayLoad objects
UserInit
Active Setup stubs
ICQ scripts
Browser Helper Objects
LSP handlers
Services
autochk BootExecute key
Do you know how I could teach myself more about these? Sorry for my ignorance.
~Jacques
On Monday, March 7, 2005 at 11:45 am, Otter wrote:
>
>- Trusted Zone
>- win.ini and system.ini are in the registry now.
>- AppInit_DLLs
>- Winlogon\Notify
>- ShellDelayLoad objects
>- File associations
>- UserInit
>- Active Setup stubs
>- ICQ scripts
>- Screensaver
>- Browser Helper Objects
>- Task Scheduler jobs
>- LSP handlers
>- Services
>- autochk BootExecute key
>- Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
>
>That's most of them. Any questions? HijackThis log and a full StartupList log will
>show all of these, except in a few cases where the malware hides itself.
re: I need spyware and virus removal tips
Thursday, March 10, 2005 at 1:01 pm Posted by Falcon
(13489 messages posted)
I'll get to the rest later. Busy with other stuff right now...
The Wereotter

re: I need spyware and virus removal tips
Thursday, March 10, 2005 at 4:04 pm Posted by Jacques
(38 messages posted)
This is highly appreciated. I'm going to look into this over the next few days-
it should help me significantly. Thanks so much! :-D
~Jacques
On Thursday, March 10, 2005 at 1:01 pm, Otter wrote:
>I'll get to the rest later. Busy with other stuff right now...
>
> - Trusted Zone -- Control Panel->Internet Options->Security tab->Trusted->View
>sites. The information you see there, as well as under the other three zones, is
>stored in the registry under {HKLM|HKCU}\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet
>Settings\ZoneMap. Sites in this zone are granted more access to your computer.
> - AppInit_DLLs -- Specifies a list of .dll files to load into every process.
>It is under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows.
> - Winlogon\Notify -- Each subkey of HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
>NT\CurrentVersion\Winlogon\Notify specifies a DLL to load into the WinLogon.exe process
>(a critical system process). When certain events occur, such as logon and logoff,
>a function in the DLL may be called.
> - ShellDelayLoad objects -- COM objects loaded by explorer.exe some time
>after boot. Under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad.
>The value in brackets is a CLSID, which you can look up under HKEY_CLASSES_ROOT\CLSID
> - UserInit -- Manages Windows startup. The value controlling this is under
>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. It specifies
>a comma-separated list of programs to run. By default, the value should be
>
>C:\WINDOWS\system32\userinit.exe,
>
> - Active Setup stubs --
> - ICQ scripts --
> - Browser Helper Objects --
> - LSP handlers --
> - Services --
> - autochk BootExecute key --
>
re: I need spyware and virus removal tips
Saturday, March 12, 2005 at 6:07 am Posted by Falcon
(13489 messages posted)
- Active Setup stubs -- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed
Components. Some subkeys under that key have a value titled "StubPath", which is
sometimes run--I'm not sure when, though I guess whenever a new account is created.
- ICQ scripts --
- Browser Helper Objects -- COM objects loaded into Internet Explorer and
Windows Explorer. Registered under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser
Helper Objects. (As CLSIDs...)
- LSP handlers -- Basically a network filter. I don't know much about how
they work internally, as I haven't experimented, but you can view/remove them with
LSPFix.
- Services -- Start->Run->services.msc. The Services MMC snap-in only shows
some of them. The full dirt can be found under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services.
Note that device drivers, which are registered under the same key, may be associated
with a device under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum. If you then
remove that driver without removing the "UpperFilters" or "LowerFilters" value that
references it, you may make that device unable to start. This is very bad if the
device in question is your hard drive...
- autochk BootExecute key -- Specifies a program to run at boot to check
the partitions, if needed. A value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session
Manager. Default is
autocheck autochk *
The Wereotter

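The locations Falcon walks through above can be checked offline from a registry export rather than by clicking around regedit on a sick machine. What follows is an added example written for this page (Python; not code from Falcon, Jacques or anyone else in the thread). It assumes a .reg file written by `reg export` or regedit's File > Export (UTF-16 with byte-order mark), takes the Userinit and BootExecute defaults quoted in the thread plus an assumed-empty AppInit_DLLs as the clean state, and runs against a constructed sample export whose sample_*.exe/.dll names and CLSID are placeholders. Browser Helper Objects are resolved the same way the ShellServiceObjectDelayLoad entry is resolved here: the CLSID subkey name under Browser Helper Objects is looked up through HKEY_CLASSES_ROOT\CLSID\{...}\InprocServer32.

```python
"""Triage Windows XP autostart registry locations from a regedit export.
Added example, not code from the thread. On the XP box: reg export HKLM hklm.reg
(or regedit File > Export), then run this script on the file."""
import re
import sys

WINLOGON = r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
WINDOWS_NT = r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
SESSION_MGR = r'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager'
SSODL = r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
RUN_KEYS = [r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            r'HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run']
# Userinit and BootExecute defaults are the ones quoted in the thread; treating an
# empty AppInit_DLLs as the clean state is an assumption. Anything else is reported.
DEFAULTS = {(WINLOGON, 'Userinit'): r'C:\WINDOWS\system32\userinit.exe,',
            (WINDOWS_NT, 'AppInit_DLLs'): '',
            (SESSION_MGR, 'BootExecute'): ['autocheck autochk *']}

# Constructed sample export (no real machine); sample_*.exe/.dll and the CLSID are placeholders.
# regedit writes REG_MULTI_SZ (BootExecute) as hex(7): UTF-16LE bytes wrapped with a trailing '\'.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\sample_dropper.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sample]
"DllName"="sample_notify.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="sample_hook.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
"BootExecute"=hex(7):61,00,75,00,74,00,6f,00,63,00,68,00,65,00,63,00,6b,00,20,\
  00,61,00,75,00,74,00,6f,00,63,00,68,00,6b,00,20,00,2a,00,00,00,00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"Sample"="{00000000-0000-0000-0000-000000000001}"
[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\WINDOWS\\system32\\sample_ssodl.dll"
'''
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')   # "name"=data  or  @=data for (Default)

def _unescape(s: str) -> str:
    return re.sub(r'\\(.)', r'\1', s)           # .reg doubles backslashes and escapes quotes

def _decode(data: str):
    if data.startswith('"') and data.endswith('"'):
        return _unescape(data[1:-1])
    m = re.match(r'hex\(7\):(.*)$', data)       # REG_MULTI_SZ: UTF-16LE, NUL-separated, double-NUL end
    if m:
        raw = bytes(int(b, 16) for b in m.group(1).split(',') if b.strip())
        return [s for s in raw.decode('utf-16-le').split('\0') if s]
    return data                                 # dword:/hex:/other forms: kept verbatim for display

def parse_reg(text: str) -> dict:
    reg, current, it = {}, None, iter(text.splitlines())   # {key path: {value name: data}}
    for line in it:
        line = line.strip()
        while line.endswith('\\'):              # join regedit's wrapped hex lines
            line = line[:-1] + next(it, '').strip()
        if not line or line[0] == ';' or line.startswith('Windows Registry Editor'):
            continue
        if line[0] == '[' and line[-1] == ']':
            current = None if line[1] == '-' else line[1:-1]   # "[-key]" is a deletion
            if current:
                reg.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current:                       # value name '' stands for (Default)
            reg[current][_unescape(m.group(1) or '')] = _decode(m.group(2).strip())
    return reg

def _lookup(reg: dict, path: str):
    return next((v for k, v in reg.items() if k.lower() == path.lower()), None)

def _subkeys(reg: dict, path: str):
    return [(k, v) for k, v in reg.items() if k.lower().startswith(path.lower() + '\\')]

def _clsid_dll(reg: dict, clsid: str) -> str:
    # SSODL and BHO entries are CLSIDs; the DLL behind one is HKCR\CLSID\{...}\InprocServer32 (Default)
    srv = _lookup(reg, 'HKEY_CLASSES_ROOT\\CLSID\\' + clsid + '\\InprocServer32')
    return str(srv.get('', '?')) if srv else '(InprocServer32 not in export)'

def triage(reg: dict) -> list:
    """(MODIFIED|REVIEW, location, detail): MODIFIED differs from the stock default,
    REVIEW is a legitimate autostart location whose every entry needs a look."""
    out = []
    for (path, name), expected in DEFAULTS.items():
        vals = _lookup(reg, path)
        if vals is not None and name in vals and str(vals[name]).lower() != str(expected).lower():
            out.append(('MODIFIED', path + '\\' + name, repr(vals[name])))
    for path in RUN_KEYS:
        for name, cmd in (_lookup(reg, path) or {}).items():
            out.append(('REVIEW', path + '\\' + name, str(cmd)))
    for sub, vals in _subkeys(reg, WINLOGON + r'\Notify'):        # DLLs loaded into winlogon.exe
        out.append(('REVIEW', sub, str(vals.get('DllName', '?'))))
    for name, clsid in (_lookup(reg, SSODL) or {}).items():       # COM objects loaded by explorer.exe
        out.append(('REVIEW', SSODL + '\\' + name, str(clsid) + ' -> ' + _clsid_dll(reg, str(clsid))))
    return out

if __name__ == '__main__':   # usage: python triage_reg.py hklm.reg  (no argument runs the sample)
    text = SAMPLE if len(sys.argv) < 2 else open(sys.argv[1], 'rb').read().decode('utf-16')
    for sev, loc, detail in triage(parse_reg(text)):
        print(f'{sev:8} {loc}\n         -> {detail}')
```

Same caveat Falcon gives for a HijackThis log: the export contains whatever the registry API returned on the running system, so a rootkit that hides its keys from regedit hides them from reg export as well. The script reads .reg text only, not raw hive files, so a hive copied off the disk from another boot would first need to be loaded and exported from a clean system (regedit's Load Hive, then Export).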
re: I need spyware and virus removal tips
Saturday, March 12, 2005 at 4:22 pm Posted by 666
(2255 messages posted)
Having to find/install/run/update a bunch of different antispy/adware programs sucks!
It's a lot easier to use Hitman Pro, which combines
8 different anti-malware apps in a single program with a single user interface. It also
includes SurfRight, which strips administrator rights from browsers, instant messengers
and other internet programs, even when you're logged in as administrator.
Only available in Dutch, but maybe someone will make an English
version.
You found 2600 pieces of spyware? Are you sure? Many anti-spyware apps inflate their
detection numbers by calling every cookie in your browser cache a piece of spyware.
re: one more thing....
Sunday, June 5, 2005 at 7:16 am Posted by William
(1 messages posted)
Hi Joe,
I have seen your message including the downloads. I also have Norton 2004, but my
screen keeps refreshing. I am convinced that the system has a spyware or adware virus,
but Norton is not picking it up. Can you tell me whether I would be able to download other
virus software without it battling against Norton, therefore making none of it effective?
I would appreciate your advice, or that of anyone else who can help me. I also received the same
message from Norton as Linda, but am not willing to disable audit mode as I am not
sure what to do and what will happen if I disable audit mode. Thanks & Regards, William
(Sorry, I forgot to mention my system is Windows 98 Second Edition.)