Help deleting some software

Computer Related Topics Can Be Found Here
BJB
Posts: 46
Joined: Sun Jan 21, 2007 1:27 pm
Location: Central Texas in the sticks

Unread post by BJB »

My Dad and Mom have a computer and continually have it in a state of confusion.

This is an edit here, it runs XP Home Edition.

Right now, they have tried to install Spy Sweeper and had 2 instances of it. I managed to uninstall one of them. The other will not uninstall and won't let me simply delete everything i.e. the folder. I should say that it doesn't work either. I tried reinstalling it for them, but it says there is a newer instance already installed and you should uninstall that one if you want to install the one on the cd, but no, it won't do it.

I tried to go into safe mode, but now this is weird (this is an HP and has a lot of Compaq software built in): it offers 3 different options, i386, something NT, and windows as safe modes. I selected windows and it comes up DOS. Aw man, I don't remember any of the commands for DOS.
All of the other computers I have used Safe Mode is just bare bones Windows.

Anyhoo, is there some key combination that can be used to delete software that doesn't want to be deleted?

Thanks.
Tommy
I Worship His Shadow
Posts: 5265
Joined: Mon Mar 28, 2005 5:41 pm
Location: USA

Unread post by Tommy »

Yes:

Alt + Control + Buy a Mac.

:lol:

Tommy
BJB
Posts: 46
Joined: Sun Jan 21, 2007 1:27 pm
Location: Central Texas in the sticks

Unread post by BJB »

Thanks, Tommy.

I'll give it a try.
{DOU}plumber
Posts: 559
Joined: Tue Mar 29, 2005 9:31 pm
Location: Florida

Unread post by {DOU}plumber »

Don't waste your money....
QwazyWabbit
Posts: 162
Joined: Thu Jun 16, 2005 12:15 am
Location: Southern California, USA

Unread post by QwazyWabbit »

I assume you are talking about Webroot Spy Sweeper. It looks like it doesn't have a freeware edition, only a $29.95 package for download.

I will restrict my comments to general terms and tools about how to remove unwanted software like Spy Sweeper or programs with failed uninstalls.

Use Explorer to drill down into the Spy Sweeper program folder. Delete any files you find there one at a time until only the stubborn ones remain. These locked files will probably be DLL's or EXE's that are running in the system. Programs like SpySweeper will usually resist attempts to modify or delete them because they consider it an attack, possibly by some malware program.

Once you have identified the stuck files you can use their names in the next step.

Get AutoRuns from here:
http://www.microsoft.com/technet/sysint ... oruns.mspx
This is a tool originally designed by Sysinternals.com before they were bought up by Microsoft.

Start AutoRuns. Once it does its inventory of the registry and all the DLL's and system hooks, click the Logon tab.

This is the list of all the stuff that gets started by the system when a user logs on. Find the DLL's and EXE's named in the folders of your problem program. The programs are listed by registry entry name and finally the "image path" on the right side of the window. I recommend running Autoruns in maximized mode so you can see everything easily.

Uncheck the checkbox next to the items you don't want to start on the next boot. These will be the problem programs you are going to delete. Unchecking the box stops the program from starting up again by modifying the registry entries. You can also delete the entries but I will usually not do that until I am sure everything is ok without these entries.

Close Autoruns.
Reboot the system.

You should now be able to delete or rename those stuck files. I will usually rename the folder to keep the files in case I need them. If any of the DLL's have been put in WINDOWS or WINDOWS/SYSTEM32 then I will rename them to zzz_originalname.dll or whatever so I can find them later. It's important to give them distinctive names so you can identify them easily.

Remove all shortcuts and folders from the desktop and Start menu that refer to those files/folders.

Do Add/Remove programs on the offending program and it should declare the files missing and offer to remove the program from the installed programs list. Accept this option.

Test the system to be sure everything is working OK.

If everything is fine, delete the files you renamed.
Start Autoruns again and locate the unchecked items; they will show entries but will be unable to locate the executables. Right-click on the entries and delete them.

Congratulations, you have successfully cleaned unwanted dll's.

There are some hard core cases where this process won't work. They are usually Antivirus or virus programs. Two DLL's or EXE's watch each other's entries and status and if one is killed or registry entry is modified, it recreates it and vice versa. This is a nasty one. There are two ways to fix this:
1. Complete reinstall of the system, if they are viruses, you can't trust anything in the system anymore anyway. Clean slate.
2. Remove the HDD and install a new one. Install new OS on it. Connect the old drive to the system and use the new system to access the old disk and kill the offensive files or recover just your data files. Run on the new system or swap back to old system and hope you got rid of all the infections.

Good Luck.
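The matching step from the Autoruns walkthrough above (find the logon entries whose image path belongs to the problem program), as an added example that is not part of the original post. It assumes the Logon list has been saved as CSV; the column names, the folder and the file names are hypothetical, so adjust them to the real export.

```python
import csv
import io
import ntpath  # Windows path rules, usable on any OS

# Constructed sample: column names, folder and file names are assumptions
# for this example, not output captured from Autoruns.
SAMPLE_EXPORT = r'''Entry Location,Entry,Enabled,Image Path
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SweeperUI,enabled,"C:\Program Files\Spy Sweeper\sweeper_ui.exe"
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,ctfmon,enabled,C:\WINDOWS\system32\ctfmon.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SweeperHook,enabled,c:\windows\system32\SWEEPER_HOOK.DLL
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Updater,enabled,C:\Program Files\Spy Sweeper Tools\update.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SweeperTray,disabled,C:\Program Files\Spy Sweeper\tray.exe
'''


def norm(path):
    """Normalise a Windows path: drop quotes, unify slashes, lower-case."""
    return ntpath.normcase(ntpath.normpath(path.strip().strip('"')))


def find_autostarts(export_text, program_dir, stuck_names):
    """Return (entry, enabled, reason) for autostarts tied to the program.

    An entry matches when its image sits inside program_dir, or when its
    file name is one of the stuck files (covers DLLs dropped in SYSTEM32).
    """
    # Trailing separator stops "Spy Sweeper Tools" matching "Spy Sweeper".
    folder = norm(program_dir) + "\\"
    wanted = {name.lower() for name in stuck_names}
    hits = []
    for row in csv.DictReader(io.StringIO(export_text)):
        image = norm(row.get("Image Path") or "")
        if image == ".":  # empty path: nothing to compare
            continue
        if image.startswith(folder):
            reason = "in program folder"
        elif ntpath.basename(image) in wanted:
            reason = "stuck file name"
        else:
            continue
        enabled = (row.get("Enabled") or "").strip().lower() == "enabled"
        hits.append((row["Entry"], enabled, reason))
    return hits


if __name__ == "__main__":
    found = find_autostarts(SAMPLE_EXPORT, r"C:\Program Files\Spy Sweeper",
                            ["sweeper_hook.dll"])
    for entry, enabled, reason in found:
        state = "uncheck it" if enabled else "already unchecked"
        print(f"{entry}: {reason} ({state})")
```

Entries reported as enabled are the ones to uncheck before the reboot; ones already unchecked are candidates for deletion once the system has been tested.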
*DARKMATTER*
Posts: 1207
Joined: Wed Mar 30, 2005 10:41 am
Location: England

Unread post by *DARKMATTER* »

You could try these 2 programs

MOVE ON BOOT

CCleaner

Use the Move on boot to delete and CCleaner to, well, clean up....
QwazyWabbit
Posts: 162
Joined: Thu Jun 16, 2005 12:15 am
Location: Southern California, USA

Unread post by QwazyWabbit »

It is generally a Bad Idea(tm) to install more software when an installation of software has already failed. This only compounds the problem. A failed (un)installation usually means something went terribly wrong with the installer programs and trying to use them again when they are not in a known-good state is risky.

Using Autoruns does not require installation of anything, just unzip the files anywhere and click on the Autoruns.exe file. (not the autorunsc.exe, that's a command line version of the tool) I keep a c:/tools folder and put them all in there. Then I can add it to the system path and all my utilities are there. Drag drop a shortcut to the folder to the desktop or system menu.

This moveonboot looks interesting. Probably a nice tool to have installed and ready if you find yourself with stuck files in the future.

CCleaner was a little bit too aggressive for my taste. I missed unchecking the settings for Utilities and it deleted my Adaware and SpyBotS&D logs. No great loss, but it would have been nice to have been a little more aware of that. (PEBKAC)

It looks like CCleaner has a really nice uninstall capability.
GRouND ZeRo
Posts: 1431
Joined: Sun May 22, 2005 6:21 am
Location: CaNaDeH???

Unread post by GRouND ZeRo »

Usually you can turn back time before when you installed something with XP called system restore... This may help in many instances...
{DOU}

Dylan
Posts: 287
Joined: Mon Sep 10, 2007 4:50 pm
Location: Right here

Unread post by Dylan »

You can try (Spybot Search & Destroy) & (Ad-Aware); these are excellent spyware removal tools & they're free. Just go to their web sites and download the free editions. http://www.spybot.com/en/index.html http://www.lavasoft.de/ms/ad_aware_free.php
"If one person has an imaginary friend, they're crazy. If multiple people have the same imaginary friend, it's religion."

*DARKMATTER*
Posts: 1207
Joined: Wed Mar 30, 2005 10:41 am
Location: England

Unread post by *DARKMATTER* »

All you need to protect your system for free in one easy LINK
BJB
Posts: 46
Joined: Sun Jan 21, 2007 1:27 pm
Location: Central Texas in the sticks

Unread post by BJB »

Thanks for all the replies, I haven't been back to try to remove their problems. But I have lots of ideas now.

They always hear of what they need to have from well meaning or salespeople and usually wind up with problems. I wish they would just ask me to begin with.
QwazyWabbit
Posts: 162
Joined: Thu Jun 16, 2005 12:15 am
Location: Southern California, USA

Unread post by QwazyWabbit »

OK, I can testify to the effectiveness of CCleaner, AdAware, SpyBotS&D and AVG Free Edition and Windows Defender in combination with some aggressive measures to get rid of some really nasty spyware on wife's laptop.

Scenario:
Wife has Asus laptop and is very computer noobish. Doesn't really need one but her kid gave it to her for xmas gift a couple years ago. She lends it to her brother and friend for use in Taiwan and China, two of the worst places on the planet for malware/spyware. Naturally they go there with expired NAV 2004 and no real protection in place, along with installations of Bittorrent, old Java, IE6, Firefox 1.5 (yikes!), Windows not updated. All users (except for Guest) running as Administrator on Windows XP Home. You name it, it was perfect victim machine. Attempts to do Windows Update or install IE7 end with BSOD.

She brings it home and says it's not working right. Mind you this is Chinese Windows, not English, I have to navigate mostly by feel and memory of the dialogs in a lot of instances. I load up some tools, the installed NAV is expired and won't update, useless crapware anyway. I used to like Symantec's products but not anymore.

First pass uninstall NAV. Removal was incomplete, Symantec Live Update remains, we'll deal with that later. Install NOD32, it finds 487 malicious files, several different trojans, spyware, viruses. Too many to name. Successfully removes a lot of them. AdAware, SpyBot, all find more crapware and bad stuff. Clean and reboot, clean and reboot for hours until we get down to a few malicious drivers and dll's. Kit identifies as WANSO.

So here's the deal, we're down to some adware and spyware that keeps itself locked in by watching its own processes, kill one and the other one restores it. They have hooks into the file system so the A-V products can't get at it, lots of tricks hiding the backup executables. System Restore is OFF. Attempts to uninstall Firefox lock up the Add/Remove applet.

Time to get the wrench.

Pull out the HDD and hook it to my IDE/SATA adapter on the all-powerful tower here in my office. Scan it with NOD32 and AdAware, SBS&D, etc. Can't really do the registry this way but maybe we can cripple the crapware enough that we can kill it in the live system. Safe mode wasn't doing the trick in previous iterations. Eventually I get clean reports but you never know. Also deleted some directories in Program Files/Common Files that were characteristic of the malware.

Put the HDD back in the laptop. Restart system, start looking, crapware folders are back. This is not good. Yep, she's still infected. Uninstall NOD32, install AVG Free. AVG finds even more stuff, CCleaner also gets installed and applied, finding stuff but the malware reinstalls itself. MoveOnBoot no good, you can't get all the crap manually. So miss one and the kit reinstalls. Run full scans again in full Windows and Safe Mode. Crapware is still there. Pull out the HDD and scan it again on desktop.

OK, time to get serious! Full NOD32 scan, full iterations with the spyware tools, start deleting the crap folders again. Now this system has Windows Defender on it and as I am exploring the windows/system32 folder and looking at all the dll's it pops up with a warning on some of the very suspicious, non-microsoft, unsigned dll's with descriptions like "A" and "B" and funky file names and version numbers. OK, let's scan this guy with Windows Defender. Sure enough, 141 malicious files and registry entries in various locations. Rescan, clean. Rescan with all the above tools until clean.

Put the HDD back in the laptop, boot to safe mode. Run all the tools again.
Run CClean and it cleans up a lot of registry crap. Clean all the temp folders and caches. Uninstall a lot of crap like Bittorrent, Yahoo messy, MSN messy, Firefox. Run it again to be sure it's not coming back. Reboot to safe mode and repeat scans.

Boot normal. Rescan. Clean. Reboot and repeat scans, clean.

Install IE7 from a file downloaded from web and loaded from USB chip drive. Good install. Yippie. Run Windows Update and install critical updates. Lather, rinse repeat. Several times.

Rescan the entire system with all tools again. Clean, with exception of Symantec LU, use CClean to remove it. Reiterate SBS&D, AdAware, CClean, WU and update install immunizations from SBS&D, install Windows Defender and do deep scan. It finds some more dead dll's laying around.

Do repeated custom Windows Updates until fully updated. Clear out a bunch of exceptions in Windows Firewall for dead NAV, and malware programs.

Very educational. This took 3 days of off and on war with the machines, scanning overnight etc. Time now to backup the drive and make an emergency repair disk before turning it over to wife again.

Lessons:
BACKUP new machine as soon as you get it. Do it in virgin state.
Else make sure you make Windows CD or have the OEM version in safe place.
Keep the defense tools up to date. Don't let them age and become impotent or the malware will compromise it.
Don't let NOOBS run as Administrator. Ever.
Don't let RELATIVES run as Administrator. Ever.
Be prepared to work as Administrator installing software for wife, NOOBS and RELATIVES. :)
For noob machines, have defense programs default to KILL without mercy any detected malware, without asking the noob if it's ok. They will not understand the question or the reasons.
Don't let anyone install software on the noob machine without your testing and approval first. Better yet, just test and install it for them.
Windows Defender is pretty cool tool against common spyware, I was surprised.

All in all, it would have been less time consuming to wipe the drive and reinstall but I wanted to learn about and beat this demon. I also didn't want to backup all the data files, she/they had accumulated.

If you are not a sophisticated user or you don't like delving into the guts of the system, make sure your data is backed up regularly, keep system and defense tools updated and maintained. In cases like this, Wipe and Reinstall.

If your computer Blue Screens frequently or when you attempt a Windows Update, chances are you have some Malware Inside.

QW
{DOU}The Jargonaut
Posts: 2113
Joined: Thu Dec 15, 2005 9:25 pm
Location: North Carolina

Unread post by {DOU}The Jargonaut »

Very interesting post Qwazy. I have never used NOD32 before. I see that it is a purchased AV. In your opinion, how does AVG compare?
QwazyWabbit
Posts: 162
Joined: Thu Jun 16, 2005 12:15 am
Location: Southern California, USA

Unread post by QwazyWabbit »

NOD32 has a 30-day trial, full function. They have a really big office building in San Diego with their 1 story tall logo at the top floor. :)

NOD32 and AVG Freeware compare favorably. I support a friend of mine who runs AVG A-V Network Edition on his church's computers in their office and school library. From the main server you can configure, command and manage the AVG product on all the machines. Pretty cool. It has found and blocked spyware/adware on several occasions where their users were online browsing into traps or downloaded freebie toys loaded with spyware. That seems to have been the case with wifey's computer too.

Effectiveness: The NOD32 in the above scenario may have been compromised since the malware kit was hooking the file system on the disk when it was live and I installed the NOD32 into it. The NOD32 in the laptop didn't get it all and what it found was instantly replaced as soon as it was deleted. Removing the hard disk and scanning it from the desktop removed them but as soon as it went live again they were reinserted. Frustrating. AVG had the same problems. It found more/different files but removal was ineffective. They weren't just different file names or different names for the viruses, they were different viruses. No product seems to be 100% effective, what NOD32 didn't see AVG picked up but neither of them was effective against the spyware itself.

The problem with AV's is they don't work in tandem, you can't use different products at the same time without running into problems. They also don't consider some spyware to be viral so they might not remove some things. Windows Defender was actually the key to eradicating this one. AVG sells different products for different kinds of malware. Great marketing, not sure if it makes a better product in each category, certainly could mean the teams can be experts at their tools. Anything is better than Symantec's bloatware with meaningless eye candy.

I am in favor of genetic diversity. For multiple machines I think I would use NOD32 on one and AVG free on another and let them scan each other during off-hours (I leave my computers on a lot.) Let the realtime scanner of each product take care of their own.

After this episode I loaded Windows Defender up on all the Windows boxes here and did a deep scan. You definitely want an AV product and an AS product running in tandem for better all around coverage. If they are different brands like AVG and WD then it seems robust enough. Not sure about compatibility of AVG-AS with WD.

The advantage of AVG is the freeness, NOD is reasonably priced and so is the full AVG. I don't think you can go wrong with either one. One thing I should mention is NOD32 checks for updates every hour or two, I have even gotten multiple updates in a single day. They are very active. I think AVG does it daily but I don't have continuous exposure to it so I don't know if they do it more often.
{DOU}The Jargonaut
Posts: 2113
Joined: Thu Dec 15, 2005 9:25 pm
Location: North Carolina

Unread post by {DOU}The Jargonaut »

I have gotten at least two updates in a single day before on AVG. You are right, you can not beat the price. That is why I was asking. I have not had a problem with AVG at all with virus or malware. Of course, my surfing habits are a little safer than a lot of people.
I was wondering if AVG was good mostly because it is free. Normally, you get what you pay for and pay for what you get.
Thanks QW :D