a companion discussion area for blog.codinghorror.com

How to Clean Up a Windows Spyware Infestation


#61

AVG and Avast are two exceptional, FREE antivirus applications. I highly recommend either one to any person using an expired antivirus application.

For detecting malware, I recommend AVG Anti-spyware, A-squared Free, A-squared HiJackFree, HiJackThis, AdAware.

I also recommend using CrapCleaner to remove temporary data from your machine, like temporary files, browser data, etc. It also has a registry cleaner that is most exceptional.


#62

Great post! And the follow-up about the root-kit monitor was important as well. This stuff can get really nasty; I’ve read an article where the author was able to hide malware in EEPROM chips on the motherboard or graphics card. It’s designed to mimic most of the original functionality of the chip, but when the OS tries to load the driver the malware gets run instead. And, it could in some instances be run on the GPU. This means that even a complete re-format of the hard drive would not be enough to remove it.


#63

Although this is an interesting article, it in no way can deal with modern malware. Most modern malware incorporates kernel-mode rootkits, which can (and do) easily hide from tools like Rootkit Revealer. Your only chance is to detect them without booting the infected OS - you need a boot CD and knowledge about how things get hidden in the registry and file system. Some malware hides on the hard drive not in common files, but in alternate data streams, slack space, boot sectors, etc., and is not found by tools running in the OS itself. Someone mentioned Hacker Defender, which is an ancient rootkit, and easily detected/removed now. Source code is readily available for HackerDefender and many other rootkits, and all of these are weak compared to modern standards.

It seems a lot of people on here think removing malware is easy to do by hand, which is false. It is easy to find some malware, and sometimes you can remove it by hand, but the point of a rootkit is that the OS will never tell you about the files, registry locations, etc. that contain the malware.

System Restore does not remove malware, since it does not fix the registry back to a previous state, nor does it remove files that contain malware. It merely tries to restore driver settings AFAIK, and things in start locations in the registry will reinstall themselves.

Running in a VMware session is also insecure. It is possible for malware to escape to the host system, as shown by research at IntelGuardians. In short, VMware does host-guest communication through a channel they created, and reverse-engineers have shown how to subvert this to do malware transfer. I don’t know if there are exploits in the wild yet, but you can bet there will be.

I’d be willing to bet that your article above only removed obvious, older, sloppy malware. There are most likely things still on your PC that are hidden much better.

Protocol for many secure places is that once a machine has been exposed to possible infection, it gets wiped and rebuilt. Very secure places scrap the machine completely after any possible infection.

In short, if you got a modern infection, odds are that the above methods would not even detect it. Unfortunately, in many cases you’ll spend less time formatting and reinstalling your apps than trying to ferret out all the places things can hide.

For info, read www.rootkit.org.

Chris Lomont
www.lomont.org
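The post above mentions malware hiding in NTFS alternate data streams, which a normal directory listing never shows. As an added example (not part of the original post or the article), this Windows PowerShell 5.1 script lists non-default streams under a directory and flags any that begin with an executable (MZ) header; `$Root` and `$MinBytes` are placeholders. Per the post's own caveat, a kernel-mode rootkit can filter these results, so run it against a volume mounted from a clean boot environment rather than inside the suspect OS.

```powershell
# Added example, not from the original post. Enumerates NTFS alternate data
# streams (ADS) under $Root and flags streams that start with an MZ header.
# Assumes Windows PowerShell 5.1 (Get-Content -Encoding Byte) on an NTFS volume.
param(
    [string]$Root = 'D:\suspect_volume\Users',   # placeholder: path to scan
    [int]$MinBytes = 1024                        # skip tiny streams such as Zone.Identifier
)

function Get-SuspiciousStreams {
    param([string]$Path, [int]$MinSize)

    Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Every file has the default ':$DATA' stream; anything else is alternate.
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' -and $_.Length -ge $MinSize }
        } |
        ForEach-Object {
            # Read the first two bytes of the stream; 'MZ' (0x4D 0x5A) marks a PE image.
            $head = Get-Content -LiteralPath $_.FileName -Stream $_.Stream `
                        -Encoding Byte -TotalCount 2 -ErrorAction SilentlyContinue
            $looksLikePE = ($head.Count -eq 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A)

            [pscustomobject]@{
                File        = $_.FileName
                Stream      = $_.Stream
                Bytes       = $_.Length
                LooksLikePE = $looksLikePE
            }
        }
}

# Largest streams first; PE-looking streams in ordinary documents deserve a closer look.
Get-SuspiciousStreams -Path $Root -MinSize $MinBytes |
    Sort-Object Bytes -Descending |
    Format-Table -AutoSize
```

Zone.Identifier streams on downloaded files are normal and are filtered out by the size threshold; an executable-sized stream attached to a text or image file is not.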


#64

Links do not work for Sysinternals utils. Here are the correct ones (ddl)
Autoruns: http://download.sysinternals.com/Files/Autoruns.zip
Process Explorer: http://www.sysinternals.com/Files/ProcessExplorerNt.zip
Above links are for NT os, search softpedia for others.
Cheers.


#65

David L: good idea. I should report GCW to google, as they are clearly hosting malware.

Chris: I hear what you’re saying, but I don’t like making decisions based on fear of undetectable unknowns. And for a standalone gaming rig, probably not worth it…


#66

On an XP reload, NEVER connect to the 'net or surf without, AT A BARE MINIMUM, turning the Windows Firewall on and applying ALL updates and patches.

http://autopatcher.com gets you all the post-SP2 patches in one download. Keep it around on CD or a thumb drive, and fully patch your stuff BEFORE connecting.

Also, for those of you who think Firefox = automatic security on XP, read this: http://www.firefoxmyths.com


#67

Wow, you can do all that, or you can just not use Windows and never have to deal with scumware again. The choice was pretty simple for me :slight_smile:


#68

It’s not even necessarily GCW’s direct fault - a banner ad could’ve done it, or one of their mirrors could’ve been compromised. It seems kind of silly for such a popular site to deliberately push malware, although I guess NoCDs and trainers are in kind of a shady area.

Still their fault for not taking care of it even if it’s not intentional, of course.


#69

Just had to say thank you very much for publishing this article. I’m a long time lurker, and I keep coming back here because with every single post I learn something.


#70

I am reposting the hook on qt3 with a link, hope you don’t mind.


#71

I’ve had this very problem tonight - apart from this ddcaxyy.dll thing you also had, I also had some weird rootkit thing.

I’ve just spent the last 6 hours recovering the machine. I was going to use procps like you but couldn’t find it so used the trial version of Kaspersky (www.kaspersky.com) instead. After many safe boots I managed to get rid of everything except for the damn rootkit which had winlogon hooked.

I eventually booted into the Recovery Console on the XP disk and just del’d the thing from the DOS prompt. Done.

Gotta recommend Kaspersky though: looks like a nice solid, honest product that seems to do the job very well. I’ll keep it around for the trial period and buy it if it works out.

But, #$^^^$^-hell, 6 hours of lost time just because my son visited some kids gaming website? What sort of damn’d operating system is this pile of junk?


#72

I don’t get why people run Windows. It’s crap. Don’t run it. You’ll get screwed multiple times from multiple directions. The evidence is overwhelming. Just say no. Don’t say nobody ever told you. You will eventually get hosed.


#73

Hey, great article, seems like finally I managed to remove one malware: Apple’s QuickTime from autorun.

Could not do it using msconfig even after disabling a specific service relevant to it.

Yeah, the only Apple software on my precious PC (except for the Safari beta which is utter crap and not because of the fonts) and this one has to be malware.

…don’t tell me anything that will not let itself be removed from startup using the normal msconfig practice isn’t malware!!!

Other than this, I’ve never had problems with virii or anything.

Thanks again. I hope it will not come back.


#74

(Just to be more clear, uninstallation of the crap (QuickTime) is sadly not an option.)


#75

“I don’t get why people run windows. Its crap. Don’t run it. You’ll get screwed multiple times from multiple directions. The evidence is overwhelming. Just say no. Don’t say nobody ever told you. You will eventually get hosed.”

And before you get hosed, you just might see some network benefits from sticking with the market leader.


#76

Excellent guide on how to fix a shafted machine. A while back I got infected by an IRC bot, thanks to a vulnerability in VNC, which took me ages to fix, going through similar processes to what you have detailed above.
Thankfully I traced their IP address and the IRC host, and had them taken down, but not before I’d pulled out an awful lot of my hair.

To those who keep recommending Linux/Macs, how many racing simulation games for this system do you think your beloved OS supports? Clearly a windows machine is the only thing that’s going to do the job.


#77

@cmon_
Are you talking about qttask.exe? If so, that can easily be disabled through QuickTime. If you’re like me and you don’t like QuickTime then there’s always QuickTime Alternative (and Real Alternative). Those will let you play MOV and HDMOV files in Media Player Classic, which I much prefer over QuickTime anyway, as well as have proper plugins/settings for your browser(s).


#78

Instead of hunting NoCD patches on lousy sites, how about dumping your games into ISO files and mounting them with programs like Daemon Tools when you feel like sitting behind the wheel?


#79

The first order of business, before killing a spyware process, is to look where it is located and to erase it once the process is killed. This is an almost sure way to make sure it won’t come back.


#80

A couple of things to note, a very nice article. The only thing I would add would be IceSword, an excellent program for finding “hidden” processes. The other thing to note is, regardless of the OS this can happen; the only reason it doesn’t happen on other OSes is simply market share. On top of that, this was a base install of a 5-6 year old OS; to expect it to perform fine is foolish, no patches were done on it. If this were a fully updated version of XP, running a virus scan, I think the results would be different. In fact, that would be a wonderful thing to try. If I had the time I may just do that.