a companion discussion area for blog.codinghorror.com

How to Clean Up a Windows Spyware Infestation


#1

I recently upgraded my dedicated racing simulation PC, so I was forced to re-install Windows XP SP2, along with all the games. As I was downloading the no-cd patches for the various racing sims I own, I was suddenly and inexplicably deluged with popups, icons, and unwanted software installations. I got that sinking feeling: I had become the unfortunate victim of a spyware infestation.


This is a companion discussion topic for the original blog entry at: http://www.codinghorror.com/blog/2007/06/how-to-clean-up-a-windows-spyware-infestation.html

#2

After carrying out the above steps, your system is clean in the sense that it isn’t actively running adware/malware/spyware any more. However you should still run Ad-Aware, Spybot, and/or HijackThis to get rid of any spoor left behind by the adware. Things like orphaned files, tracking cookies, obsolete registry entries, and so forth.

http://www.lavasoftusa.com/products/ad_aware_free.php
http://www.safer-networking.org/en/download/index.html
http://www.spywareinfo.com/~merijn/programs.php#hijackthis

Microsoft also has a malicious software removal tool which is freely downloadable:

http://www.microsoft.com/security/malwareremove/default.mspx


#3

With all due respect and without trying to sound noobish, wouldn’t it have been better if I had left the job to a combination of Spybot SD, Ad-Aware and HijackThis instead of rummaging through tons of process threads and startup entries and then deleting them. These can do the job pretty efficiently with HJT being the best choice for getting rid of BHOs.

There is no doubt this post is a highly knowledgeable one considering that it delves deep into the manipulation of things at the process and registry level, places about which people are either totally unaware or even if they are in the know, they choose not to fix what ain’t broken. From the sole viewpoint of academic interest, this is an excellent post. But if I wanted to do the job faster and more efficiently, I would have rather gone for the above mentioned tools.


#4

Very helpful, thanks. Spybot SD isn’t as powerful as this.

Another recommendation would be to have Firefox with the NoScript addon. It disables all scripts on pages, and has a whitelist function. After installing it I’ve received alot less adware.

Cheers.


#5

I would also consider running RootKitRevealer from sysinternals for those extra sneaky spyware that don’t even show up in ProcessExplorer.

http://www.microsoft.com/technet/sysinternals/utilities/RootkitRevealer.mspx


#6

These can do the job pretty efficiently with HJT being the best choice for getting rid of BHOs

Both Ad-Aware and Spybot FAILED to remove the multiple winlogon infections, including Virtumonde. They were the first thing I tried! After that I figured, the heck with it, I can do it better myself.

Those programs are good for cleaning up leftover files on disk and miscellaneous registry keys after the steps I outlined above.


#7

Thanks for the explanation of the latter-stage removal, thread killing, etc.

It just boggles the mind that a user application could put this much debris in the system directories (I’m assuming that you were browsing as an unprivileged user.) Not to be naive or a troll, but honestly, what the hell were they thinking when they expanded IE into something so complex with such loose security? With all the convoluted access control that Windows offers, the OS app vendor couldn’t or wouldn’t obviate this problem during the design phase; it’s pathetic.

In a related exercise, try downloading a Firefox installer as Administrator on Windows 2003 Server. The combination of Mozilla’s random download mirrors and IE’s twitchy security model make it improbable you’ll ever get the installer downloaded. So even if you want to use a browser that is unlikely to run with elevated privileges, you can’t get it because the existing browser knows what’s best for you, security-wise.

There’s a balance between protecting the user and giving them enough control to make the system usable. The problem here is lack of visibility and choice - in the former case you have software that installs without giving you any notice or choice, in the latter you have plenty of alerts, but very little choice because the alerts appear after the browser has interfered with your request.

Why the OS installer decides (again, without giving me a choice) that I need a graphical desktop environment, a media player, and a browser more complex than lynx on a headless server mounted in a rack in a datacenter is a separate question that nobody has satisfactorily answered (Microsoft is the major culprit, but not the only one.) I think you’re on the right track with virtualization.


#8

obligatory Linux post:

I really doubt the average user could do all that. It would be much easier to just use a user-friendly Linux distribution like Ubuntu (after getting a knowledgeable friend to do the initial setup of course).


#9

or ditch Windows and switch to Linux or Mac. problem solved.


#10

It’s amazing how something as small as this gets overlooked by so many blogs and self-help articles out there. Ad/Spyware is one of the biggest problems plaguing the general computing world today! :frowning:

Thanks for the steps and the programs Jeff! I’ll use this guide if (keep my fingers crossed) I ever get infected with those things! :slight_smile:


#11

or ditch Windows and switch to Linux or Mac. problem solved

Well, except for the fact that the excellent PC racing simulators I referenced in the very first paragraph-- the entire reason this machine exists-- don’t run on Linux or Mac. :slight_smile:


#12

Perhaps Im a little biased, and perhaps I should ignore the trolls, but I dont see too many Racing sim titles on mac:
http://www.apple.com/games/
or on ubuntu:
http://doc.gwos.org/index.php/Simulation_Games


#13

What about…

  • attaching to internet explorer [start page, search address, plugin, toolbar…]
  • changing proxy settings
  • editing the hosts file

Admittedly you did a very thorough job, but there’s so many places things can get that I will never trust a machine as clean once it has anything on it.


#14

i think you are wrong here in 2 points:

1: if there was a process running as a administrator your system is corrupt. (regardless of what your process list says) either look for the names of the programs and find antispyware/antivirus/antiwhatever software. if every program could get identified and removed, your system is restored. if you don’t know what the program does you just can’t only remove them because you don’t know where the program writes something into.

2: your company name search pattern is too vague. there will be good software without and there will be bad software with a company name.


#15

So, you cleaned an infestation without resorting to cleaners? You know your way around a computer? Feeling “all high and mighty, eh?”

I did once, too, until I met my first rootkit. One of my production servers on a remote data server was “infected” with a pirate FTP server and numerous little applications to administer and protect it. On top of them all was a damned little tool called “Hacker Defender”, a rootkit based tool that can hide processes, directories, files and even ports at the kernel level.

There was 5 or 6 processes that were hidden by HD and Process Explorer did not even see them. I had to use a special tool to even be aware of them. And what’s more, most of those hidden processes, when killed, took the system down with them, as well. A remote server crashing and restarting itself? Fun.

So, don’t become over-confident on your abilities and tools. Be like the Zen and add the Rootkit Unhooker to that toolkit (http://rkunhooker1.narod.ru/)


#16

what a nice *nix fanbase you have jeff. :slight_smile:

Sad that no-cd patches is important. This is a typical example on how the fight against pirated software do more harm to those who buy the software. The ones that wanted a pirated version would probably get it anyway.

Maybe IE had some security breaks, but it should not be possible for IE to act as an administrator. No software is perfect, no operating system is perfect, and for sure no human is perfect.
Compared to Unix, Windows never seemed to be designed for the net; you could maybe say that Windows had the network as a feature.
Where a windows commercial would go “Use this software to go on the internet”, you could say that with a *nix machine you already where a part of the net and was forced to think of security.

I am by no means a security expert, but I can say it has been healthy for me installing linux distributions after several years as a Microsoft developer.


#17

autoruns + processxp indeed.

My gf had a root-kit on her computer, nobody realized it who had worked on it before. She was just randomly getting pop-ups and nothing was running. Rootkit revealer, also from sysinternals is also a nice program to run. finds most of them.


#18

On the interminable linux point:

I’ve seen what end-users do with linux. They’ll happily just run, as root (either directly or via sudo) any random .rpm or .deb they think has The Coolest Thing (say, oh, “EverythingYouNeedForBeryl!!! OMGITZKOOL !!! JustLikeVistaOnlyLinux!!!InOneFile!!!.rpm” - I exaggerate, but only a little.).

If Ithat/i contains a rootkit, they’ve just screwed themselves as well as anyone running Windows running a random .exe.

The problem is not so much the OS (not to let MS off the hook - various versions of IE 7, for instance, would run 3rd party code from a popup ad even if you clicked the close icon on the IE window frame, nothing inside the popup - that’s just intolerable), as users.

Users are lazy and clueless, and will happily disregard your security infrastructure if there’s any way for them to do so, if they think it’ll make their lives temporarily easier, or faster.

MS has done pretty well at preventing attacks that Iaren’t due to the user/i, these days, with XP SP2+ or Vista. Nothing can save the user from user stupidity.

(Vista UAC helps, but just today, somewhere else, I saw someone say “first thing, turn UAC off!” … I suppose the only way people are going to be satisfied is if the default install simply installs a fast virtual machine and that’s all you ever run, to just reinstall it whenever necessary.)


#19

And they say Linux isn’t ready for the desktop…


#20

If it’s just a gaming rig, don’t connect it to the internet (ignore if you’re playing networked games!). Download your no_cd hacks on a fully patched PC (or a Mac or Linux box).