How to Clean Up a Windows Spyware Infestation

http://housecall.trendmicro.com

I use the above whenever I wonder about the state of my WinXP partition.

BTW- it bugs me to no end when people think that *nix boxes are only saf(ER) because fewer use them. It has much more to do with native userspace security and the bleedingly fast development curve.

“Linux and Apple boxes are safer because no one uses them” -Bah! Microsoft propaganda…

Sorry- but I’ve been meaning to rant on that for a while now. Most of the people I hear say that in real life are too clueless to understand the concepts anyway, so I just keep it to myself… I’m glad it came up here amongst this audience.

A few other suggestions (for when you just can’t nuke the box).

Use “Verify Signatures” + “Hide Signed Microsoft Entries” if (when!) you’re using Autoruns.

Instead of killing the threads with the dlls loaded, suspend them. You’ll be able to remove the files/registry entries and reboot without the malicious code replacing them since it won’t be re-run by any logoff/shutdown hooks.

The Recovery Console almost guarantees success if you’re intimately familiar with Windows.

A port scan from “the outside” (and an IP Bridge you can watch network traffic on) can go a long way to having confidence the box is clean(ish).

Have you asked GameCopyWorld to 'splain themselves? If you can get to GCW via a Google search, have you notified Google?
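The Autoruns tip given earlier (“Verify Signatures” plus “Hide Signed Microsoft Entries”) can be approximated from plain PowerShell. This is an added example, not code from the post or from Sysinternals; it only covers the Run/RunOnce keys, assumes PowerShell 3 or later, and is read-only, so it is safe to run while triaging.

```powershell
# Added example (not from the post): list Run/RunOnce autostart entries whose
# binaries are not validly signed by Microsoft, mimicking Autoruns'
# "Verify Signatures" + "Hide Signed Microsoft Entries". Read-only.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Properties the registry provider adds to every Get-ItemProperty result
$ProviderProps = 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider'

# Pull the executable path out of a command line: the quoted first token,
# or everything up to the first ".exe" of an unquoted command.
function Get-ExePath([string]$cmd) {
    $cmd = [Environment]::ExpandEnvironmentVariables($cmd.Trim())
    if ($cmd -match '^"([^"]+)"')        { $exe = $Matches[1] }
    elseif ($cmd -match '^(.+?\.exe)(\s|$)') { $exe = $Matches[1] }
    else                                  { $exe = ($cmd -split '\s+')[0] }
    # Bare names like "rundll32.exe" resolve through PATH, as the loader would
    $resolved = (Get-Command $exe -ErrorAction SilentlyContinue).Path
    if ($resolved) { return $resolved } else { return $exe }
}

function Get-SuspiciousAutoruns {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -in $ProviderProps) { continue }
            $exe = Get-ExePath ([string]$p.Value)
            if (-not (Test-Path -LiteralPath $exe)) {
                # Dangling entry: the file is gone but the autostart hook remains
                [pscustomobject]@{ Key=$key; Name=$p.Name; Path=$exe; Status='FileNotFound'; Signer='' }
                continue
            }
            $sig    = Get-AuthenticodeSignature -FilePath $exe
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            # Autoruns hides entries carrying a valid Microsoft signature; do the same
            if ($sig.Status -eq 'Valid' -and $signer -match 'O=Microsoft Corporation') { continue }
            [pscustomobject]@{ Key=$key; Name=$p.Name; Path=$exe; Status=$sig.Status; Signer=$signer }
        }
    }
}

Get-SuspiciousAutoruns | Format-Table -AutoSize
```

Anything listed as NotSigned, FileNotFound, or signed by an unfamiliar subject is what you then look up in Autoruns or Process Explorer; legitimate third-party software will also appear, exactly as it does in Autoruns with Microsoft entries hidden.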

Jeff,

Fantastic (and timely) article, this is exactly the level of detail I needed. I have just managed to clean 2 bad infestations which were proving particularly resilient, but thanks to your thread killing advice it all didn’t end in tears; a full rebuild of this ugly sucker would have taken days to weeks to have back in shape. Many, many thanks

cl3ft

Windows is in desperate need of a robust package system.

Problems

  • inability to install multiple copies of the same program
  • problems removing old applications cleanly
  • conflicts between installed programs
  • no way of specifying an application’s interactions with the system and other programs
  • no enforcement mechanism for declared interactions
  • compromised applications typically have access far beyond their needs

Implementation

  • each application must provide a manifest documenting all possible interactions
  • the application would explicitly document its dependencies
  • the administrator chooses whether to activate an application, possibly with additional restrictions
  • the user may be enabled to activate applications as well but this is an explicit process
  • the application interacts with the system through a layer that restricts what the app can do
  • when a violation is detected, the application is halted and flagged
  • the wrapper layer provides a view of the filesystem that only includes areas it needs to see
  • the wrapper layer can restrict access to the file types declared in the manifest
  • developer tools should help autogenerate the manifests and packages

Benefits

  • solves much of the configuration decay issues that Windows has
  • the manifest driven wrapper layer helps to control compromised executables
  • malware (and any application) is easily uninstalled
  • you can run multiple versions of the same program (e.g. Word)
  • easier to run programs remotely, or from removable media

Notes

  • SoftGrid et al. are a step in this general direction
  • the Unix world has various parts and techniques (packages, chroot, executable bit, privilege separation, etc.)
  • no complete or consistent system applied to all apps, though

It’s been my experience that System Restore can be pretty evil, and cause the reinstallation of viruses and malware once you’ve cleaned them up. Of course it’s entirely possible that such cases are due to multiple malware installations.

If you encounter a rash of malware you can’t get rid of, try turning off system restore, that may solve the “recurring infection” problem.

“MS has done pretty well at preventing attacks that aren’t due to the user, these days, with XP SP2+ or Vista. Nothing can save the user from user stupidity.”

Oh come on. Vista still gladly gives you administrator rights by default, and the “notifications” you get before messing up your system come in the form of a rather innocuous alert box that doesn’t even require you to type anything more than the enter key to dismiss.

It’s not a robust mechanism, but it does allow Microsoft to say “well, we warned you so it’s your own fault”. It won’t do a great job protecting anyone except the Microsoft Corporation.

My recipe: Disable Java, JavaScript and ActiveX.

Problem solved.

No need for spyware searchers, AV or other “security” packages that attempt to detect a threat retroactively.

Of course, in theory a security hole could exist in the jpg rendering engine (and such has been found before), but most (if not near-all) holes seem to hit the script engines and ActiveX controls.

Or just leave the admin account alone until needed. (Ironically… Game copy protection checks rely on admin rights to install their drivers, which is probably why MS started distributing some of the copy protection engines as part of the standard OS installation)

Rune

Uhm, Grant: You can already run multiple versions of Word. Word 2003 can co-exist with Word 2007… User settings are stored separately and they are by default installed to separate folders.

Wow, these posts sure do demonstrate the level of superstition around malware. The typical user machine that is loaded with malware can be cleaned by hand, as Jeff demonstrates, and as I’ve done numerous times. You can even get away with not using the tools he suggested and going straight to safe mode, regedit, and unlinking the DLLs from the Command Prompt.

It’s entirely possible and has always worked just as well as SpyBot or AdAware did for me. People seem to think that these tools implement some magical techniques, but really they are just doing exactly what Jeff outlined above, but automatically. No tricks, no industrial-strength algorithms, just killing processes, removing files, and removing registry entries.

But an Apple Mac or an easy install like Ubuntu or Mandriva

Jeff, it’s often amusing when someone of your stature gets “bitten”. A few months ago I think you went on about how you didn’t need anti-virus software and intimated that it was really necessary only for users who hadn’t quite arrived.

At any rate, after Windows 3.11 it seems that it became the norm for vendors to write files to my PC at will, usually without my consent or prior knowledge. Software connects back to the vendor with no action taken on my part.

Until laws are passed that make it a crime for anyone to put software on my PC without my consent, we will be in the prevent mode that is illustrated here, which makes it clear that most users should not browse the web at all – it is too dangerous.

You also should mention some of the tools at grc.com.

Thanks, excellent post. I’m gonna save a copy of this post as reference.

This EXACT same thing happened to me even with what I thought was the latest of everything. The kicker was I didn’t have my antivirus’ active scanner running. I’ll never do that again.

The funny thing is I never had trouble with GameCopyWorld before and now I go there and get popups and weirdness even through all of the protection.

Now I go there using Firefox with all of the scripting disabled. :) Moral of the story, use protection when venturing into possibly infected ‘websites’.

  1. Always run as a Limited User.

  2. Gaming, sports, gambling, music/lyrics, and porn sites can never be trusted.

  3. If you need to go to the types of sites listed under #2 above, always do so using Virtual PC or VMware and throw away any changes to the virtual hard disk when you are done.

  4. Ignore the Linux and Mac trolls. Using tip #1 above levels the playing field. The Linux and Mac folks will have their comeuppance anyway on the day that people actually start USING those operating systems. ;)

Couldn’t you have just done a ‘System Restore’ instead of all that work?

I won’t get into the whole Mac-vs-Linux-vs-Win argument, we’re talking about specialized software/hardware that only run on win. What the hell is wrong with IE that it installs software without user notification? The fact that this is the REQUIRED browser for federal employees should make all taxpayers very very nervous.

A virtual machine might be a good way to handle doing the regular restores of a stable base system every few months.

Also it’s a simple possibility to check what was changed in your system. Use a scan tool like systracer (http://www.blueproject.ro/systracer) from time to time, and see which files or registry entries are newly added.
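The “see what was newly added” approach SysTracer takes can be reproduced with a small snapshot-and-diff script. This is an added example, not code from the post or from SysTracer; it hashes the files under a few directories you choose and records the Run-key values, assumes PowerShell 4 or later (for Get-FileHash), and overwrites the baseline file on every run so each report is relative to the previous run.

```powershell
# Added example (not from the post): a small SysTracer-style snapshot/diff.
# Hashes every file under the chosen directories and records the Run-key
# values, stores the result as JSON, and reports what was added, changed or
# removed relative to the previous snapshot. Assumes PowerShell 4+.
$Dirs = @("$env:ProgramFiles", "$env:APPDATA", "$env:SystemRoot\System32\drivers")
$RunKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
             'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run')
$ProviderProps = 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider'

function Get-SystemSnapshot {
    $snap = @{}
    foreach ($dir in $Dirs) {
        Get-ChildItem -LiteralPath $dir -File -Recurse -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                $h = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
                if ($h) { $snap["file:$($_.FullName)"] = $h.Hash }
            }
    }
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -in $ProviderProps) { continue }
            $snap["reg:$key\$($p.Name)"] = [string]$p.Value
        }
    }
    return $snap
}

# Emits one object per difference; unchanged items are not reported
function Compare-Snapshot($old, $new) {
    foreach ($k in $new.Keys) {
        if (-not $old.ContainsKey($k)) { [pscustomobject]@{ Change='Added';   Item=$k } }
        elseif ($old[$k] -ne $new[$k]) { [pscustomobject]@{ Change='Changed'; Item=$k } }
    }
    foreach ($k in $old.Keys) {
        if (-not $new.ContainsKey($k)) { [pscustomobject]@{ Change='Removed'; Item=$k } }
    }
}

$baselineFile = Join-Path $env:USERPROFILE 'baseline-snapshot.json'
$current = Get-SystemSnapshot
if (Test-Path $baselineFile) {
    # ConvertFrom-Json yields a PSCustomObject; rebuild a hashtable for comparison
    $old = @{}
    (Get-Content $baselineFile -Raw | ConvertFrom-Json).PSObject.Properties |
        ForEach-Object { $old[$_.Name] = $_.Value }
    Compare-Snapshot $old $current | Sort-Object Change, Item | Format-Table -AutoSize
} else {
    Write-Host "No baseline yet; saving current state to $baselineFile"
}
$current | ConvertTo-Json | Set-Content -Path $baselineFile
```

Take the first snapshot on a machine you believe to be clean; a Run-key value or a driver that shows up as Added without a matching install you remember is the kind of thing to investigate.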

ThanQ very much for this useful article.

Here’s how I clean a scumware-laden Windows install:

  1. Back up docs
  2. format c:
  3. Patch immediately
  4. Install Firefox and anti-spyware measures
  5. Create a Ghost DVD

I used to have to clean this junk off computers daily… it’s just not worth the hassle if you have all the stuff you need to reinstall. No matter how deep you go, there is a chance you missed something that can bring it all back in no time. I say nuke it and start over.