fixing spyware + crap


CaveMan

OK, my friend has a Windows installation, and he is lending me his laptop to fix the spyware + crap.

I was thinking of using

Ad-aware se (or whateva)

Spybot search and destroy

AVG Free

Is there anything I should know/do, for I haven't needed to fix spyware for many years?

A format isn't out of the question, but he prefers it to be a last resort.


Hmm, if it's only damage, then you can install over, though if the virus/spyware is still intact, well yeah, reinfection. The only problem with installing over is that if they're running SP2 (or 1 for that matter :P) then you will need to use an XP SP2 disk or an XP slipstream, though in the past I have had trouble with these not correctly reinstalling the visual styles :S


Put Linux on it... it will protect him forever.

He is pretty crap with computers and wouldn't be able to work Linux.

Check for rootkits and hosts file mods. But beyond a certain point Windows cannot recover from an infection, and a reinstall is your only option.

Hosts file, as in for the net? Or something different?

And rootkits? (I'll Google after this.)

And one problem with formatting laptops is I have to find wireless drivers and so forth; I haven't seen the laptop and don't know if it's a brand name and therefore easy to find the drivers for.


http://www.hak5.org/forums/viewtopic.php?t=4736

Should explain it...

Basically, if:

start -> run -> "cmd /k type C:\windows\system32\drivers\etc\hosts"

returns anything other than:

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost

then you may have a problem...

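The hosts file check described above, as an added example that is not part of the thread: a small Python auditor that parses a hosts file the way Windows reads it (comments stripped, one mapping per name or alias) and flags every mapping that is not the stock `127.0.0.1 localhost` line, separating names black-holed to loopback (the trick used to stop updates and AV from reaching their servers) from names redirected to another address. The sample hosts content and the `.invalid` domain names are constructed for the example.

```python
# Added example, not from the thread: audit a Windows hosts file for entries
# that are not the stock default. Assumes the standard 'IP name [alias..] [#..]' layout.
import ipaddress
from typing import List, Tuple
# Stock mapping present on a clean XP-era install (from the thread's listing).
DEFAULT_ENTRIES = {("127.0.0.1", "localhost")}

# Constructed sample, not a real capture: the default line plus two edits
# of the kind spyware makes (hijacking a site, blackholing an update host).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#      102.54.94.97     rhino.acme.com          # source server

127.0.0.1       localhost
203.0.113.5     www.example-bank.invalid   # redirect to attacker host
127.0.0.1       update.example-av.invalid  # blackhole an update server
"""

def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs, one per name/alias, ignoring comments."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing/whole-line comments
        if not line:
            continue
        fields = line.split()
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line, not a mapping
        pairs.extend((fields[0], n.lower()) for n in fields[1:])
    return pairs

def suspicious_entries(text: str) -> List[Tuple[str, str, str]]:
    """Flag every mapping not in DEFAULT_ENTRIES, with the reason it matters."""
    findings = []
    for ip, name in parse_hosts(text):
        if (ip, name) in DEFAULT_ENTRIES:
            continue
        if ipaddress.ip_address(ip).is_loopback:
            reason = "blackholed: name resolves to loopback (blocks updates/AV)"
        else:
            reason = "redirected: name resolves to a non-local address"
        findings.append((ip, name, reason))
    return findings

if __name__ == "__main__":
    for ip, name, reason in suspicious_entries(SAMPLE_HOSTS):
        print(f"{name:28} -> {ip:15} {reason}")
```

To run it against a real machine, read `C:\windows\system32\drivers\etc\hosts` into `text` instead of `SAMPLE_HOSTS`; a clean file produces no findings.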

I completely understand the hosts file; I've used it many times. I was more wondering if there was a similar file which I was getting it confused with.

Also,

rootkits?

Wiki basically says "If it's screwed, then you're screwed", but how do I find out if it's screwed? :P


Wiki basically says "If it's screwed, then you're screwed", but how do I find out if it's screwed? :P

The only way to find out if one OS is screwed is to use a different OS to analyse the first OS. The potentially screwed OS could change the outcomes of your tests to show that it isn't screwed even when it is.


You can use Sysinternals' Rootkit Revealer (free) to check for possible rootkits under Windows.

Be aware though that because of the limited ways you can actually check for a rootkit (its purpose is to make the system lie about what's happening on it), it returns things that MIGHT be rootkits, and most systems will give you results because of the way Windows works. These results do not automatically mean you must reformat. If you do find a real, indisputable rootkit though, your only option is to reformat.

As I said up there, basically a rootkit is a program that alters the system in some way to hide its (and often other programs') presence. It might do this by tricking Windows into not telling you there's a particular app running; it might make Windows appear to 'forget' that there are malicious files in your System32 folder.

Basically it's there to deceive you, so there's never real proof that it's totally gone, because in theory that rootkit could make your antivirus believe it's been killed or make you think you deleted its files/registry keys. It's also too entwined in the OS by that point for it to be worth trying to remove; a format is infinitely quicker, safer and more reliable.


Yes, you're "fixing" a compromised system. Your best bet, if you cannot just nuke it and start again, is to reinstall Windows over your current install without formatting the disk. The installer will remove all of the current Windows install and put a fresh install in its place, without removing stuff like your accounts and the data contained within them. But make sure you remove all forms of protection from the accounts beforehand, otherwise the new Windows install will not have the permissions it requires to access the data. And make sure you do not reuse the usernames. Then, when you boot your fresh install, you can access the users' data under c:\documents and settings\<old usernames>.

It's not 100% going to remove a rootkit or nasties if they're still on your hard disk, but it will give you a clean system to back up the users' data from. Once you have done this, you can nuke the disk, do a fresh install on the clean disk, and once the backups have been audited you can restore the data to the users' accounts.

Then just set them up with some decent protection, and explain why the talking moose on crack.bd doesn't need any credit-card details or to be installed.

As for Linux, it's not an option. People who keep shouting this forget that we are geeks, and by our very nature we don't find the command line or Unix disk layouts that threatening. But when you're dealing with Mrs J. Public and her irrational fear of anything new, or even slightly different, it's not going to work. All you can really do for the non-geeks you help out is teach them how to lock down Windows properly. If you can do it in 5 mins, they can do it in 5 hours.


As for Linux, it's not an option. People who keep shouting this forget that we are geeks, and by our very nature we don't find the command line or Unix disk layouts that threatening. But when you're dealing with Mrs J. Public and her irrational fear of anything new, or even slightly different, it's not going to work. All you can really do for the non-geeks you help out is teach them how to lock down Windows properly. If you can do it in 5 mins, they can do it in 5 hours.

QFE


Let me just pitch in by stating what I would consider to be the obvious:

Someone or something FUCKED with your machine.

You can't trust the software on this machine any longer, and it requires a reinstall. Don't bother trying to repair it, as it's impossible for you to know for sure if you've gotten everything in order.

Let's try an analogy. What has happened is that while walking home you've found a bunch of posters attached to trees and such in your neighborhood containing your credit card details. What are you going to do? Your credit card has somehow been compromised. Are you going to try your best to locate all the posters and hope you'll wind up finding all of them (without having any real way to see if you actually did get all of them), or do you go through the hassle of calling the credit company, blocking your card and getting to work on getting a new one?
