I normally blog about virtualization topics, but I saw a tweet from a guy I follow, and noticed that he spent some money getting his PC cleaned by the Geek Squad.
Well, I was shown a method that has worked pretty well for me, and I figured I would share it.
The primary component necessary is Process Explorer from Microsoft (formerly a Sysinternals tool). This tool looks similar to the native Windows Task Manager, but is much more powerful. The reason it is an important component is that it can suspend Explorer.exe and Winlogon.exe. These two processes are core pieces of the Windows operating system. Viruses and spyware often hook into them, and as long as those processes are still running, the infection cannot be cleaned.
To start, download Process Explorer.
Right click on the ProcessExplorer.zip file, and choose Extract.
When the extraction is complete, choose Show extracted files, and click Finish.
Double click on procexp.exe to launch Process Explorer.
When presented with the license agreement, select Agree.
An application that looks like Task Manager will now be running.
Minimize Process Explorer.
The second component can be the antivirus or antispyware software package of your choice. I often choose Malwarebytes, because I’ve seen quite a bit of success with it. To get Malwarebytes, go to their web site: http://www.malwarebytes.org/ and click Download Free Version. Once it is downloaded, double click on mbam-setup.exe to install it. Choose all of the defaults. When the Malwarebytes installer is complete, make sure to update Malwarebytes.
Once Malwarebytes is at the main application screen, choose Perform Full Scan, but don’t click Scan yet!
Now restore Process Explorer, and make sure that both Process Explorer and Malwarebytes can be seen (and clicked on) on the screen. This is because we won’t be able to use the Taskbar, ALT+TAB, or any other Explorer features shortly.
Now right click on winlogon.exe and select Suspend.
Do the same to Explorer.exe, by right clicking Explorer.exe and selecting Suspend.
Now click on the still visible Malwarebytes application, and choose Scan. Choose any drives you wish to scan, and continue.
When the scan is done, remove any spyware or viruses found. Malwarebytes will (most likely) tell you that Windows needs to be restarted to complete the process. Answer OK, but do not resume winlogon.exe or explorer.exe. They could still be infected.
Now power off the system. Don’t reboot. Don’t shut down. POWER OFF the system with the power switch. I know, a no-no in the old days, but Windows XP and above do fine with this crash method.
When the system boots back up, Malwarebytes may or may not perform some additional actions, depending on what you were infected with.
The important thing to remember is that suspending winlogon.exe and explorer.exe is crucial during scanning and cleanup. As mentioned before, spyware and viruses often hook themselves into these processes.
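As an added check (not part of the original post), the PowerShell function below reports whether explorer.exe and winlogon.exe are actually suspended and lists the DLLs loaded into them that do not carry a valid Microsoft signature, which is where a hooked-in infection would show up. The function name Get-HostProcessReport is my own, and it assumes an elevated PowerShell session, since winlogon.exe runs as SYSTEM.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell:
# winlogon.exe runs as SYSTEM, so its module list is not readable otherwise.
function Get-HostProcessReport {
    param([string[]]$Names = @('explorer', 'winlogon'))

    foreach ($name in $Names) {
        foreach ($proc in Get-Process -Name $name -ErrorAction SilentlyContinue) {
            # A process suspended from Process Explorer has every thread in the
            # Wait state with WaitReason 'Suspended'.
            $threads   = @($proc.Threads)
            $suspended = @($threads | Where-Object {
                $_.ThreadState -eq 'Wait' -and $_.WaitReason -eq 'Suspended' })
            $isSuspended = ($threads.Count -gt 0) -and
                           ($suspended.Count -eq $threads.Count)

            # Loaded modules whose Authenticode signature is missing, broken,
            # or whose signer subject does not mention Microsoft. The subject
            # match is a heuristic; treat hits as "look closer", not "infected".
            $suspect = @()
            try {
                foreach ($m in $proc.Modules) {
                    $sig = Get-AuthenticodeSignature -FilePath $m.FileName
                    if ($sig.Status -ne 'Valid' -or
                        $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
                        $suspect += [pscustomobject]@{
                            Module    = $m.FileName
                            SigStatus = $sig.Status
                            Signer    = $sig.SignerCertificate.Subject
                        }
                    }
                }
            } catch {
                # Access denied without elevation (or 32-bit shell on 64-bit OS)
                $suspect = $null
            }

            [pscustomobject]@{
                Process        = "$($proc.ProcessName) (PID $($proc.Id))"
                Suspended      = $isSuspended
                SuspectModules = $suspect
            }
        }
    }
}

Get-HostProcessReport | Format-List
```

Run it once after suspending both processes in Process Explorer to confirm Suspended is True for each before starting the scan.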
This method has worked for me with about a 95% success rate, with some nasty viruses/spyware needing a little more effort. The vast majority of junk out there should be cleaned with this method.
I hope this helps anyone looking to get rid of unwanted junk.
Sometimes I don’t feel like grabbing and unzipping Process Explorer. You can elect to run the executable directly from http://live.sysinternals.com/procexp.exe
I never heard about Malwarebytes up until a few months ago, when I had a nasty trojan and only this piece of unknown software managed to get rid of it, and even detect it. PC Tools failed, even though it had never failed before, so since then I use it; it’s quite heavy though, the scan takes forever…