Remove Spyware Manually

lakshay arora
3 min read · Aug 1, 2020

Sometimes it comes in handy to be able to manually remove spyware. Too often, techs and hobbyists hit a brick wall with these rogues, so they format the HDD and reload Windows, often discarding data, installed apps and other sundry settings. Manually removing infected files offers a more surgical approach.

The best way to remove spyware and viruses, of course, is the SOB (standard operating Brocedure). Run apps like Ad-Aware, Spybot, CCleaner, SpySweeper, Ewido, or whatever. Update your AV app and run it. Run online scans. Do the SOB first. But this often fails to remove newer, persistent forms of spyware.

When running the SOB, there's no sense in watching the paint dry, so start hunting. Search the system for any recently added dll's or exe's. Also look for any null files (xxx.~) or tmp's. The time stamp's important. One of the first things to determine is how long a user's been having problems. This will help refine your search for any recently added files.

Do your homework here. Google any dll's or exe's you find in your search-by-date. No sense in deleting any legitimate app files. Sometimes you'll find dll's and exe's in odd places: temp folders, even the Windows Fonts folder. Use common sense. If you're not sure, back up the dll or exe to a USB drive. Null files and tmp files are safe to add to your list. Crap Cleaner (CCleaner) will generally clear the stuff in the temp folders, but not always. Don't take anything for granted.
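A small triage helper for the search-by-date described above, added here as an example (not the author's code): it walks the folders the article points at, keeps only recently modified dll/exe/tmp and null (xxx.~) files, and records the timestamp and SHA-256 of each for your notes. It deletes nothing. The Windows paths under `__main__` are assumptions; pass whatever folders you are hunting in.

```python
import hashlib
import os
import time
from datetime import datetime
from pathlib import Path

# What the article says to hunt for: recently added dll/exe files, plus tmp
# leftovers and "null" files (xxx.~). Everything else is ignored.
SUSPECT_SUFFIXES = {".dll", ".exe", ".tmp"}


def is_candidate(path: Path) -> bool:
    """True for dll/exe/tmp files and for names ending in '~' (the xxx.~ null files)."""
    return path.suffix.lower() in SUSPECT_SUFFIXES or path.name.endswith("~")


def sha256_of(path: Path) -> str:
    """Hash the file once so it can be looked up later without touching the disk again."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_recent_binaries(roots, days, now=None):
    """Return [(path, modified_iso, sha256)] for candidate files modified within the
    last `days` days, newest first. Nothing is deleted or changed: this only builds
    the list the article says to compile before removing anything."""
    cutoff = (now or time.time()) - days * 86400
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                p = Path(dirpath) / name
                try:
                    st = p.stat()  # mtime only; on Windows st_ctime would add creation time
                    if is_candidate(p) and st.st_mtime >= cutoff:
                        when = datetime.fromtimestamp(st.st_mtime).isoformat(timespec="seconds")
                        hits.append((str(p), when, sha256_of(p)))
                except OSError:
                    continue  # locked or unreadable: note it by hand and move on
    hits.sort(key=lambda hit: hit[1], reverse=True)
    return hits


if __name__ == "__main__":
    # Assumed Windows locations named in the article: temp folders and the Fonts folder.
    roots = [os.environ.get("TEMP", r"C:\Windows\Temp"), r"C:\Windows\Temp", r"C:\Windows\Fonts"]
    for path, when, digest in find_recent_binaries(roots, days=7):
        print(f"{when}  {digest[:16]}  {path}")
```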

An excerpt from a professional:

Recently I ran across the dreaded “Spy Falcon”. The user said he had been having problems for 4 days or so. While running the SOB, a search for week-old dll's yielded ginuerep.dll, the only one to turn up in my search-by-date. Googling “ginuerep.dll” yielded the info I needed: confirmation ginuerep.dll was spyware and also Spy Falcon removal instructions. By the time I found out Spybot wasn't going to remove it, I was ready to manually do it. No sense in wasting time.

Online AV scans such as Panda and Trend Micro will often reveal infected files other apps won't find, such as Java downloaders (rogue jar files). But they won't remove them. RootkitRevealer, the same (beware false positives with this one). These infected files sometimes won't be visible from Windows. You can verify that if need be by booting to a live CD (Insert's good for this) or running old DOS utilities (co.com or dr.com).

Up to this point, we've been compiling a list of files from a number of sources. We haven't removed any files yet. It's really important to keep accurate notes. To manually remove rogue files, we find them in one step and remove them in another.

So we've got our list; now see what we can delete from Windows Explorer, or whatever file manager you use, before rebooting. Again, don't assume that if you can't see it, it's not there. Delete from a command prompt if you can (better know some DOS stuff!).

Removing our little friends is a process of booting and rebooting till they're gone. You need a live Linux CD. First, so we can see what's on the Windows partition. And second, so we have another option for removing the rogues (they can get tricky). You can hide from the Windows API, but you can't hide from Midnight Commander.

There's really no set order for booting between safe mode and the live CD. You're flying by the seat of your pants at this point. Booting into safe mode is best done with command prompt, one of the safe mode options you'll get after hitting F8. I prefer using the “del” command. It works better than a file manager like Explorer. In my experience, the “del” command will still delete files not visible through the API.

Spyware Tools:

https://www.adaware.com/
https://www.ccleaner.com/de-de/ccleaner
https://www.spybot-free-download.com/
https://download.cnet.com/s/spysweeper/ (not checked 100%)
https://ewido-anti-malware.softag.com/download

Task Manager Tools:
www.softpedia.com/get/System/System-Info/System-Explorer.shtml
https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer

Hi! I am a B.Tech student who enjoys reverse engineering and digital forensics. I relish reading anything and everything about cybersecurity.