How to Clean Up a Windows Spyware Infestation

Hurray for Norton Ghost and the 10-minute rebuild. I don't bother with anti-virus/anti-spyware eating my resources - just keep your eyes on your CPU/network usage, and when ready nuke it!

Do this to XP every 3 months or so anyway - fast and clean Windows.

I wonder how long it takes for the spyware/adware people (slime?) to start setting “Microsoft Corporation” as the publisher.

Hrm…is the publisher a cryptographically signed field?

Hi Jeff

There is a nice bit of software that means you don't need to get a no-CD crack for your own software: try Alcohol 120%. It allows you to back up the CD/DVD and then run the disc in a virtual drive, which is what I do, as some online games think the no-CD crack is a cheat.

Perhaps the reason that the freeware tools you used completely failed was that they are increasingly really pretty (comparatively) useless…

http://www.av-comparatives.org/

This doesn’t include the freeware stuff, but I did see a comparison in one of the PC mags some months ago (something similar to PC World) that did, and it found the freeware tools only had a detection rate of around 55%… They were compared to McAfee which at the time showed a 97% removal rate. Now, if you look at the above link you’ll find that McAfee has a pretty poor showing when compared to a few of the winners (in order - G-Data AVK (Anti-Virus Kit), Avira AntiVirus, NOD32, and IIRC the next one was Symantec)…

To me, this suggests that these winning entries (Avira did especially well at heuristics - detecting stuff for which no product has signatures) are waaaay ahead of the trusted freeware alternatives.

That said, you want good protection, pay or pirate…

A machine which was infected by a virus, trojan or any other badware must be cleaned from scratch - burn the data to DVD, and scrub the rest.

Rootkits are very challenging to detect - to take no risk, set up the system from the ground up.

For your gaming machine the actions you took may be OK - but if it was a machine used for business I could never sleep well again if the machine is not purified to the very last bit.

Of course, the saved data must be analyzed by a number of virus-scanners before being used again.

Paranoia is useful even for non-paranoids :)

When it comes to malware removal, I really like a combination of safe mode and AVG Anti-Spyware/AVG Anti-Virus. When preventing malware, safe browsing habits and a secure browser are tops. And you always need a good firewall when connected to the Internet.

With my system of monthly full scans using AVG’s products and weekly quick scans using the same programs (both with up-to-date definitions), Firefox, safe browsing habits, and a firewall (in my case, ZoneAlarm), I haven’t had any malware worse than a tracking cookie (which isn’t a program or application anyway, at least to my knowledge).

In fact, I even carry a CD with the installation files for the free versions of AVG, the latest Firefox, and ZoneAlarm with my computer. I’ve set up systems for friends that have these, and I haven’t been asked to fix a spyware problem since then.

+10 for SysInternals RootKit Revealer

I recently had my very first virus in all of 15+ years of computing. There is a mechanism by which the rootkit installs itself as a service in the registry (HKLM\System\CurrentControlSet\Services…). It doesn’t appear in the task manager, nor could I find it in Process Explorer. The rootkit will actually prevent you from modifying the registry entry either via RegEdit, the Win32 API, or native NT functions. The rootkit in turn makes sure that a browser helper object is always loaded. Of course I couldn’t delete the .sys or .dll files; they were locked and/or the rootkit installed hooks preventing the files’ deletion.

The only way to clear this infection is to mount the HD on another machine and remove the offending files, or, what I did in the end, create a BartPE Windows “live” CD and delete the files that way. Then after booting off the HD, the service wasn’t being loaded, and I could repair the registry.

Jeff, I really recommend you run RKR.

Run IE in a sandbox. Sandboxie.com has a free tool and it’s better than running a VM because it tells you which files and processes have been touched in a virtual HD. Plus it’s lightweight and runs fast.

“I have been running Windows XP without any firewall or antivirus applications for years with no virus or spy/adware infections. It often makes me wonder how I seem like the only person who manages to do that…”

Me too… same wonder.

Your demonstration was another great suggestion: browse the internet from a virtual PC.

First: Jeff, thanks for the article. It does resemble Russinovich’s presentation, but since his is video and yours is text, I find this more valuable. Good job - now I can paste a link rather than giving a 20 minute demonstration!

To some of the extra-paranoid folks who’re head-desking and shouting reformat and reinstall: you are right - they are out to get you! But different situations have different security needs. If the system is used to manipulate highly valuable data (like your bank account, or your connection to the company VPN), then yeah. Reformat, reinstall. But Jeff was at pains to note that this is only a gaming system, so he was happy once the system stopped acting infected. Me, I might have done a little packet sniffing to be sure, but again, Jeff’s choices are based on his own perception of risk level. Not all systems need to be run as if they were full of Top Secret data!

(If Helen Keller gets a virus that presents no symptoms at all, is she actually sick?)

To those of you suggesting all sorts of antimalware tools: run nonadmin, stay patched (and actually reboot when the OS tells you to, m’kay?), turn on the Windows Firewall, pay attention to what you are allowing whenever the ‘OK’ button pops up. Skipping these measures and running a ton of antimalware tools slows down your system and leaves you fighting fires constantly. Scan your system with a reputable antimalware scanner weekly or so. You’ll be surprised how secure the OS is once you start using it properly!

And after all that effort you still can’t trust that installation again.
You are much better off reinstalling from scratch and this time, install all patches and don’t run as administrator.

I would also compare listening PIDs to tasklist, and use msconfig to rule out MS processes, if you’re going through all the trouble of checking processes.
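The service-hiding rootkit described a few comments up (a service key under HKLM\System\CurrentControlSet\Services that the task manager and Process Explorer cannot see) and the suggestion here to compare listening PIDs against tasklist both rest on the same cross-view idea that RootkitRevealer automates: take two independent views of the same facts and inspect every difference. The PowerShell below is an added example, not code from the post or from any commenter; it assumes an elevated Windows PowerShell 3+ or PowerShell 7 prompt on an English-locale system (it matches the literal word LISTENING in netstat output).

```powershell
# Added example, not code from the blog post or any commenter. Two cross-view checks:
# each compares two independent views of the same facts. A hook that hides a service
# or process from one API usually leaves the other view intact, so every difference
# deserves a manual look. A hit is a lead to investigate, not proof of infection.
# Assumes an elevated Windows PowerShell 3+ / PowerShell 7 prompt, English locale.

# --- Check 1: service keys in the registry vs. what the service control manager reports ---
$svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
# Type bits: 0x1 kernel driver, 0x2 file-system driver, 0x10/0x20 Win32 service.
# Keys with no Type value (pure configuration keys) are skipped.
$regNames = Get-ChildItem $svcRoot -ErrorAction SilentlyContinue |
    Where-Object { ($_.GetValue('Type') -band 0x33) -ne 0 } |
    ForEach-Object { $_.PSChildName }

# Get-Service covers Win32 services; driverquery covers kernel/file-system drivers.
$apiNames = @(Get-Service | Select-Object -ExpandProperty Name) +
            @(driverquery /fo csv | ConvertFrom-Csv | Select-Object -ExpandProperty 'Module Name')

$hiddenServices = @($regNames | Where-Object { $apiNames -notcontains $_ })

# --- Check 2: PIDs owning listening TCP sockets vs. PIDs that tasklist can see ---
# netstat -ano lines look like: "  TCP  0.0.0.0:135  0.0.0.0:0  LISTENING  1234"
$listeningPids = netstat -ano |
    Select-String 'LISTENING' |
    ForEach-Object { ($_.Line.Trim() -split '\s+')[-1] } |
    Sort-Object -Unique

$taskPids = tasklist /fo csv | ConvertFrom-Csv | Select-Object -ExpandProperty PID
$hiddenPids = @($listeningPids | Where-Object { $taskPids -notcontains $_ })

# --- Report, including the ImagePath so the reviewer sees which .sys/.dll to examine ---
foreach ($name in $hiddenServices) {
    $image = (Get-Item (Join-Path $svcRoot $name)).GetValue('ImagePath')
    Write-Output ("Service key not reported by SCM: {0}  ImagePath={1}" -f $name, $image)
}
foreach ($p in $hiddenPids) {
    Write-Output ("Listening PID not visible to tasklist: {0}" -f $p)
}
if ($hiddenServices.Count -eq 0 -and $hiddenPids.Count -eq 0) {
    Write-Output 'No discrepancies between the two views.'
}
```

A rootkit that hooks both views consistently will not show up here, which is why RootkitRevealer goes further and reads the raw hive and disk; treat this as a quick first pass, and verify any hit from a clean boot medium as the comment above describes.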

The Unix root user security model is not what makes Unix secure. A limited user account might have saved your system data. That’s not much use when user data is the important data anyway. System data is cheap to restore: the system disk comes on its own CD with a new computer.

On a multiuser system limited users are vital. I maintain several Unix servers and see user accounts get hijacked every now and then due to bad passwords, insecure web sites, ssh keys hijacked from a home machine, etc. Users are limited to damaging their own accounts, so long as the systems are kept up to date.

There are privilege escalation attacks available against unpatched systems, and those do get tried. I live in fear of zero-days, of course. That would mean a wipe and restore from tape.

I wouldn’t trust a manual clean up like you’ve just done. As other users have pointed out, root kits are easy. Root kit revealers are not nearly as reliable as virus scanners, which are themselves not especially reliable. If you’ve got a root kit, your machine can be re-hijacked at any time to send spam or whatever, just by the bad guy connecting in.

Linux or Macs are one kind of solution, as others have pointed out. I’ve seen too many Unix security incidents to consider them any sort of ecosystem solution – if everybody adopted Linux, we’d be exactly where we are with Windows, once all the bad guys began writing their tools for it.

My own belief is that things are as good right now as they are going to get. There is no technical solution to the problem of software security bugs. If we ever want to end the spam, the identity theft, and the viruses, we’re going to have to do it with international legislation and international enforcement. Doesn’t seem likely to me.

I also get no-cd patches and other goodies from gamecopyworld.
I’ve been doing this for some years and always found the process tedious (if you have some games and don’t want to “filter” before downloading, that’s an awful lot of links to click on).

As some kind of a programmer (at least that’s what I do for a living), I quickly hacked together a lil’ Perl script that does “automatic downloading” of all files related to the games I own.

The big advantage is I only need one click to check if there’s any new (updated ?) no-cd/trainer/savegame/gameguide/etc… for any game of my collection and to download it.

It was really an easy thing to do and a big time saver…

So what made me post this is how somebody like you could possibly go through the hassle of doing it manually…
I mean you could’ve submitted the task of writing this script as a substitute for “FizzBuzz” in your interviews ;)

Friends don’t let friends use IE :) It’s a massive front door for every piece of malware that dubious parties want to install remotely on your PC. I never use IE to visit any unknown or untrusted site, and the first thing I do with it on a new computer is, invariably, download Firefox.

I’ve used these tools often to remove spy/adware as well. My friend’s PC recently had a particularly nasty piece of adware which wouldn’t leave without hacking it away from Safe Mode.

I have been running Windows XP without any firewall or antivirus applications for years with no virus or spy/adware infections. It often makes me wonder how I seem like the only person who manages to do that… and yes, I do browse the net, download um… “Linux distros” and… the usual suspects, so the PC is used for a lot of things.

Interesting, your “completely my own fault” comment. I have done the same thing … I preach security all day long at my job and on my own time to friends and family. But then … for some reason … I forget my own advice and don’t patch, or post personal info somewhere, or something. I guess it’s human nature sometimes to “just get the job done” and feel sick of all the dumb precautions. Can’t the world just be free of bandits?

This reminds me of a video (or was it a series of screenshots? Whatever it was, I’d love to find it again if anyone else remembers) of a virtual machine after BonziBuddy was installed on it.

Anyone else remember this?

Block startup leechers, or at least get warning:
http://www.mlin.net/StartupMonitor.shtml