I really wanted to post this at the andandtech forums, but something is mega-screwed - both accounts I have there won't work in IE, FF, or opera, and one is uber-brand-new. Sigh, I just need to post it here so it gets found by google - it was written for someone else because google lacked any info. Locking it would be nice, heh.
-------------------------------------------------------------
how to remove installed spyware with "iCodecPack":
You might fare better with trial versions of other commercial scanners, but I have no experience with any.
Removing spyware manually can be quite troublesome - some spyware is as easy as locating the exe's process, killing it, and deleting the file. Some embed themselves in windows quite well (most commonly, having themselves loaded into explorer.exe). I've decided to just install icodepack myself, seeing as this is a fun challenge (although I should not be lazy -- instead, I should go use VMWare on my desktop system to safely install it without infecting my laptop!). Here we go:
I like how you get "Virus-Burst" with this, which immediately identifies several real trojans, including the stuff that came with icodepack. Removal time...
1) "Virus Burst" nicely includes a formal uninstaller that ...almost... removes itself
- After running uninstaller, make sure you alt+ctrl+del > processes tab > end task "virus-burst.exe"
- Delete the folder C:\Program Files\Virus-Burst
2) C:\Program Files\iCodecPack\unist.exe exists, but it tells you to reboot first. I don't really want to, and I'm betting it just does that every time in hopes of you going away.
- C:\Program Files\iCodecPack contains plenty of EXEs and DLLs, which are currently in use.
- At this point, I realize they've made it quite hard to kill the processes. They are working together to some extent to keep each other alive - it is impossible to kill them with task manager...
- You now get to have fun gathering the running process IDs. alt+ctrl+del, go to processes tab, view > select columns > check the "PID (Process Identifier)" option.
- You can now get the process IDs of everything running. You will need look for every executable in the iCodePack directory and record its ID. I found isamonitor, isamini, pmsngr, and pmmon all running.
- Using the process IDs you just found, you can go to Start > run > "kill -f <Number here> <number here..>" - in my case, I executed the following: "kill -f 3644 620 4840 3996" (rememeber that PIDs are unique for every EXE session, not reusable after the process is killed), indicating I want to forcefully kill those four process IDs.
- If you did it correctly, you can now delete all files in the directory except for isaddon.dll.
- Spyware apps love to load themselves inside explorer/IEXPLORE.exe, I am using a free advanced process manager from
http://www.sysinternals.com/SystemInformationUtilities.html called "Process Explorer" to discover which processes have which .dll file loaded - it is helpful to have, but hopefully you won't need it.
- To get isaddon.dll unlocked so you can delete it, kill IEXPLORE.exe in task manager. Now you can remove isaddon.dll. sysinternals has another app that I've not tried, which locates the processes that have a file locked up, so that might be useful in the future.
At this point, I am fairly confident that everything is removed. sysinternals has a lot of great freeware tools to assist in the manly task of removing your own spyware, but be careful about deleting things you aren't sure about.
Luckily, I had the advantage of being able to identify all of these files upon installation - hopefully, these steps will work for you too, without hunting down additional things.