"My computer is doing some weird stuff, can I bring it to you?"As a computer guy, I find that I am the first stop for many folks that have a PC infected with Spyware/Malware or viruses (from here on out, just referred to as "malware"). Some of these infections are pretty nasty...resulting in a system that boots and runs reasonably well performance-wise, but disables key features of the system so you can't easily get rid of whatever it was that infected you in the first place.
For example, the last few infections I've battled have disabled the task manager, desktop properties, and the most recent has disabled the Microsoft Windows Installer, making it impossible to install a valid anti-spyware program (Adaware 2008) without using some knowledge of local Group Policies (the editor was also removed). I smirk to myself every time stuff like this happens, because those are the things that I would disable if I were the type to do such a thing...so I can at least appreciate what is happening, from a technical aspect.
In any case, when these situations arise...there are a few ways you can circumvent the limitations set forth by the malicious software and utilize your own set of tools that fall outside its nasty influence.
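One way to check for the restrictions described above (Task Manager, display properties and Windows Installer disabled), as an added example that is not part of the original post. It assumes PowerShell is available on the affected machine and relies on the standard Windows policy values DisableTaskMgr, NoDispCPL and DisableMSI; the script layout and its -Clear switch are illustrative.

```powershell
# Added example: report (and optionally clear) the policy values behind the
# restrictions described above. Run as the affected user; HKLM changes need admin.
param([switch]$Clear)

$sys = 'Software\Microsoft\Windows\CurrentVersion\Policies\System'
$checks = @(
    @{ Feature = 'Task Manager';       Path = "HKCU:\$sys"; Name = 'DisableTaskMgr' },
    @{ Feature = 'Task Manager';       Path = "HKLM:\$sys"; Name = 'DisableTaskMgr' },
    @{ Feature = 'Display properties'; Path = "HKCU:\$sys"; Name = 'NoDispCPL' },
    @{ Feature = 'Windows Installer';  Path = 'HKLM:\Software\Policies\Microsoft\Windows\Installer'; Name = 'DisableMSI' }
)

$findings = foreach ($c in $checks) {
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { continue }      # key or value absent: no restriction here
    $value = $item.($c.Name)
    if ($value -eq 0) { continue }         # 0 means the policy is explicitly off
    [pscustomobject]@{ Feature = $c.Feature; Path = $c.Path; Name = $c.Name; Value = $value }
}

if (-not $findings) {
    Write-Output 'No restricting policy values found.'
    return
}
$findings | Format-Table -AutoSize

if ($Clear) {
    foreach ($f in $findings) {
        # Removing the value returns the feature to its default (enabled) state.
        Remove-ItemProperty -Path $f.Path -Name $f.Name -ErrorAction Stop
        Write-Output "Cleared $($f.Name) under $($f.Path)"
    }
}
```

On a domain-managed PC these values may have been set on purpose by an administrator, so review the report before using -Clear, and expect the values to come back if the process that set them is still running.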
System Cleanup "Rescue" USB Drive

Having a USB drive available that houses a bunch of handy tools can be a lifesaver; you don't have to worry about if the infected PC can connect to the Internet (you should really be offline anyway), or if it will even let you install an application in the first place!
If you don't have one lying around, go out and buy yourself a good USB drive (obviously the bigger, the better), but a 1Gb drive should do.
This is not necessary, but you can install the PortableApps GUI from http://www.portableapps.com. This just makes things a little easier if you want to run your utilities from a single menu.
Note: When I say 'Install to your system, then copy the install folder to your USB drive...': if you have the PortableApps GUI installed, you will want to place the folder underneath the 'PortableApps' subfolder on your USB drive. The menu will pick up any executables and list them for you.
Here's a list of must-have apps that I use in every cleanup.
Clamwin Portable
This is the portable version of the popular free virus scanner, Clamwin. This version allows you to download updates directly to your USB drive, making it easier to maintain if you don't use the drive that often.
Download
Instructions - Install to your USB drive (by running the downloaded exe)
Spyware Terminator - review
Spyware Terminator is one of my favorite Spyware Cleaners (in addition to Adaware), but there isn't an official portable version available. With that being said, you can copy the install folder to your USB drive and it will work.
Download
Instructions - Install to your system, then copy the install folder to your USB drive
SysInternals AutoRuns - review
AutoRuns is a great utility to find out what exactly is running at startup on your system...it allows you to explore (find the registry key pointing to the entry), delete, lookup (via Google), and perform other operations against various system startup entries on your computer.
Download
Instructions - Extract from the downloaded zip, then copy to a folder on your USB drive.
SysInternals Process Explorer
Process Explorer is a tool that can discover what is currently running on your system...it also gives you the option to kill, lookup, or even pause the questionable process. You can sort your running processes by path, allowing you to see exactly where the process is being run from.
Download
Instructions - Extract from the downloaded zip, then copy to a folder on your USB drive
Panda Anti-Rootkit
Just like it says, this utility is great at removing those unseen nasties on your system that get installed, and then hide themselves from prying eyes (sometimes prying experienced eyes!).
Download
Instructions - Extract from the downloaded zip, then copy to a folder on your USB drive.
Unlocker - review
This tool allows you to delete files that usually come up as being locked because they are currently running. Also, this tool will help you delete invalid files & folders with wacky characters in the names. This is handy for some malware, but you have to be sure you clear up the "watchdog" processes, i.e. the ones that make sure the malicious software keeps running.
*This is not truly an isolated (i.e. "portable") app (thanks Rarst!), even though it will work without an install. Otherwise, try using FileAssassin if you are trying to stay completely portable!
Download
Instructions - Install to your system, then copy the install folder to your USB drive
Glary Utilities - review
This is a set of useful utilities, such as a decent registry cleaner, temp files cleaner, startup manager, etc. Just a nice set of utilities to have on hand while you are performing your cleanup.
Download
Instructions - Install to your system, then copy the install folder to your USB drive
Revo Uninstaller Portable
Use Revo to uninstall all remnants of an application from your system...including files/folders and residual registry entries. Be sure to download the portable version.
Download
Instructions - Extract the files/folder from the zip file to your USB drive.
Malware Removal Techniques
For some information on removal techniques, see my post from last year:
Article: What to do if you have a pesky virus or malware?
Got any more applications that you use on your portable drives? Share them here!

12 comments:
Unlocker is not portable, it installs a driver and that remains as garbage if run from a flash drive. I use FileAssassin as portable for this.
RevoUninstaller has a separate portable version available for download, no need to install - only unzip.
Need to try Glary Utilities, I hear more and more about them.
@rarst: Works fine for me as portable...
But I will check out FileAssassin!
Unlocker is portable like "works without install"
But isn't like "self-contained and leaves no traces"
Sometimes former is enough but I prefer latter, portable troubleshooting utils are supposed to fix trouble, not add some more. :)
@rarst:
Ahhh that makes sense.
Yeah, I don't mind having the extras from apps like Unlocker since it doesn't do the harm that the malware does...and I can clean it up afterward without fear of it wreaking havoc on the system the longer it stays.
In either case, true portable is better, so you are spot on!
I will try out File Assassin asap!
John's Malware Guide, at http://www.elitekiller.com/malware.htm is complete and thorough - and contains a link to a free removal toolkit that will do the job.
Follow the directions step-by-step and take your time. There's a .mht file in the kit with tips in it as well.
Use IzArc http://izarc.org instead of the WinRAR mentioned if you need a compression/decompression app.
Use Dial-a-fix http://wiki.lunarsoft.net/wiki/Dial-a-fix instead of the Winsock Repair Tool mentioned in the Malware Guide.
The rest of the article is pretty spot-on. Once the system's clean, that same article has some security suggestions.
I keep this on a thumb drive and fix many machines with it. You do need to copy the files to the root directory of the infected machine (I do this in Safe Mode) to run them.
@carputers:
LOL - I -just- used dial-a-fix today (for the first time) to fix a strange Windows Update issue, and it worked, where the usual fixes did not!
Thanks for the info - haven't heard from ya in awhile!
Love this article. I have used many of these apps in the past. The only problem I am having is the portapp menu, I can't get it to see the other apps as stated, I thought I followed your instructions for it but I guess I am missing something. Great article. I read your site daily. Sometimes a few times a day!!!
@CappyDog:
Hey CappyDog! Thanks for the kind words...!
You will have a 'portableapps' folder on your USB drive after installing the menu system to it.
You will want one folder level below that for each application. For example, one called 'portable-revo', then the executable for the portable application should reside in that folder.
When you load up your menu, you should see each executable found in that folder structure listed.
Thanks for the help, greatly appreciated. Will give it a go.
Why not use a linux liveCD instead? You can have lots of linux tools for this sort of thing, plus wine and the windoze tools of your choice (even if they're not portable you can "install" them in wine's fake windoze environment), and to make it even better, the CD is read-only so it can't get infected by the malware in the PC you're trying to fix (since you're booting off CD and not off the affected HDD), and you can make it a LiveDVD (since the chances of finding a PC old enough to lack a DVD-ROM drive are slim to none, and if you do find one chances are it lacks USB ports also and probably won't even run a modern OS due to low RAM/CPU).
Anybody who knows anything about the relationship between Malware vs. Removable USB devices vs. Windows insecure Autorun features... will tell you...
**No. 1** must have tool for a Malware fighting USB toolkit is...
AUTORUN EATER
http://oldmcdonald.wordpress.com/
REMEMBER THIS...
You've got to download AE and run it BEFORE you plug-in your USB stick.
Cheers
--derty2
I think that you should definitely add hijackthis to your list of wonderful freeware tools. It can be run as a portable program, and if you head to http://hijackthis.de with the logfile that it will save for you, you can upload (or just paste the text) there and it will review what is naughty and what's nice. It's a tool that's not for the faint of heart, but it gives fantastic results. Highly recommended.