IT consultants need to remove persistent, regenerative and corrupted spyware and viruses from client computers on a regular basis. These pointers will help you put systems back into stable operation.
It is inevitable that clients will infect workstations, PCs and laptops with spyware and viruses. Regardless of preventative measures, from gateway protection to automated scans to written Internet use policies, malware threats sneak through even layered defenses. What makes the situation worse is that many customers are unwilling to invest in standalone anti-spyware software, even though they understand the need for minimal anti-virus protection.
A live Linux system could be used to back up the data on the malware-infected computer before reinstalling it
Some IT experts advocate simply wiping systems and reinstalling Windows, while others suggest that this means giving up and letting the bad guys win. The truth lies somewhere in between. After creating an image copy of the drive (it's always best to have a fallback option when fighting malicious infections), here are the measures I find most effective.
1: Isolate the drive
Many rootkit and Trojan threats are masters of disguise, hiding from the operating system as soon as or before Windows starts up. I find that even the best antivirus and antispyware tools – including AVG Anti-Virus Professional, Malwarebytes Anti-Malware and SuperAntiSpyware – sometimes struggle to remove such entrenched infections. For this very reason, you should always use only the best anti-malware software.
They require systems to remove. Pull the hard drive from the faulty system, provide it to the dedicated test computer and run several virus and spyware scans on the entire slave drive.
2: Remove temporary files
Navigate to all users' temporary files while the drive is still active. These are usually located in the C: \ Documents and Settings \ User Name \ Local Settings \ Temp on Windows XP, or in the folder C: \ User \ User name \ App data \ Local \ Temp under Windows Vista.
Delete everything in the temporary folders. There are many threats hiding there, which should be regenerated at system startup. Since the drive is still slave, it is much easier to remove these bad files.
3: Return the drive and repeat these scans
Once you have run a full antivirus scan and run two full antispyware scans with two current, recently updated and different antispyware applications (removing all infections found), return the drive to the system. Then run the same scans again.
Despite the scans and prior disinfection, you may be surprised at how many active infections the anti-malware applications subsequently find and remove. Only through these additional native scans can you be sure that you have done everything possible to locate and remove known threats.
4: Test the system
Once you have completed the previous three steps, it is tempting to think that a system is ready for use. Do not make this mistake. Launch it, open the web browser and immediately delete all offline files and cookies. Next, go to Internet Explorer connection settings (Tools | Internet Options and select the Connections tab in Internet Explorer) to confirm that a malicious program has not changed a system's default proxy or LAN connection settings. Correct any problems you find and make sure the settings match those on your network or the client's network.
Then visit 12 to 15 random websites. Look for anomalies, including the obvious pop-ups, redirected web searches, hijacked home pages and similar frustrations. Don't consider the computer cleaned until you can open Google, Yahoo and other search engines and complete the search with a string of half a dozen terms. Be sure to test the system's ability to access popular anti-malware sites such as AVG, Symantec and Malwarebytes.
5: Dig deeper for remaining infections
If infection remnants are still present, e.g. redirected searches or blocked access to certain websites, try to determine the file name for the active process causing the problem. Trend Micro's HijackThis, Microsoft's Process Explorer and Windows' native Microsoft System Configuration utility (Start | Run and type msconfig) are excellent utilities for locating errant processes. If necessary, scan the registry for a malfunctioning executable and remove any incidents. Then reboot the system and try again.
If a system still proves corrupted or unusable, it's time to consider reinstalling. If an infection persists after all these steps, you are likely in a losing battle.
Other strategies
Some IT consultants swear by fancier tricks than those described above. I have investigated KNOPPIX as an alternative. In some cases, I have transferred infected Windows drives to my Macintosh laptop to delete particularly stubborn files without a boot disk. Other technicians recommend using tools like Reimage, although I had trouble getting the utility to recognize common network cards, without which the automated repair tool can't work.