How to Clean Up a Windows Spyware Infestation

I LOVE YOU. I was near reformatting my computer because I could not do anything about it, no matter where I looked. And then luck had it that I saw your post on iGoogle. Thank YOU!!!

cmon_:

I don’t know what version you were trying to get rid of, but there’s an option in QuickTime’s prefs to remove the autorun. :wink:

NO, NO, NO!

Like the other rootkit people have mentioned - you CANNOT clean an infected system from within itself. If you’ve got a rootkit, you’re fucked.

Rootkits load themselves into the kernel and modify it. Yes, simply put, they can just hide processes from Task Manager (though there are other ways of doing this). But there’s no reason why, if a rootkit gets onto your system before you start running Process Explorer or RootkitRevealer, it couldn’t hide itself from those either. Or even if it gets on after.

After you’ve been hit with any malware that’s been able to run as administrator, you cannot trust anything that system tells you, or anything that any program that runs on that system tells you. You either need to go one level higher - to the hypervisor if it’s a VM - and fix from there, or you need to boot from known safe media (CD-ROM) and replace all files containing executable code - exes, dlls, etc… and start again from there.

Do not try to clean a system that’s been infected from that same system. It’s not worth it.

Save your data elsewhere (take off), wipe the system (nuke the site from orbit), and start again - it’s the only way to be sure.

Ditch Windows and switch to Linux or Mac. Problem solved.
Of course if everyone did this, then it wouldn’t be long before they had problems too.

Thank you so much for this post. I call myself an advanced user of Windows, I’ve been a coder for years and consider myself security-savvy… but a piece of spyware my 12 year old picked up recently has been driving me nuts. I’ve gone through these steps and still am fighting this thing. Reading this convinced me to rebuild the system and take any admin rights away from the li’l shaver.

To all of y’all who said to switch to Ubuntu or Macintosh… yes, you are correct, you don’t pick this crud up with those very fine OSes. I run them too, but our gaming system … and also the .NET dev work I do gotta be Windows. Changing OSes is not like changing socks.

Thanks for posting this great stuff.

How do I handle the situation when two processes or DLLs, A and B, keep monitoring when the other is killed and re-creating/re-launching each other? I can’t kill them both simultaneously … or can I?

This kind of stuff drove me to mac.

Hi Jeff, why is “Company Name” such a good indicator of a product’s spamminess? Can’t spyware makers just put “Microsoft Corp” into those fields?

(The only Windows application development I’ve done has been in IIS, so I’m pretty ignorant.)

Wish I had known about all this back when I got nailed a year ago. Took me a week to get everything sufficiently scrubbed.

Question about relying on the “missing publisher” to identify malicious processes. Isn’t it possible for these processes to just give themselves an identity of “Microsoft Corporation” or something?

Jeff,

Another free program that’s worth a mention: Spyware Terminator.
http://www.spywareterminator.com/

It will effectively remove spyware, adware, trojans, keyloggers, home page hijackers and other malware threats. It is easy to use, requires minimal PC resources and has ultra fast scanning speed.

Yes, you all are correct in saying that the only way to make sure all spyware/whatever is gone is to reformat. But some nicely written malware requires a low-level format, or use of DBAN. I like the scope of this article and what it covered; it did an excellent job of providing an alternative to reformatting.

I’ll reiterate the best piece of advice given thus far: format and reinstall. It’s the only way to know.

@Separatist:
I run Windows because I have a large number of programs that are Windows only. I’d rather not mess with incomplete interpreters (WINE) and the like.

If I could run these programs outside of Windows, then I would switch. I really don’t like the look and feel of MacOS. So, that switch would probably be to a popular Linux distro.

@Jeff:
Nice article. I will definitely look into those tools. I usually reformat a computer that I find to be riddled with malware (and may continue to do so), but those tools could really help if reformats are not available.

Fantastic post Jeff!

It’s just outrageous that Microsoft’s OS/browser security was so terrible for so long. I guess they’ve gotten their act together with Vista, but the internet will remain polluted with botnets and malware for years to come.

Jeff, just curious, have you ever used OS X or Linux enough to really get a sense of them? Would you ever switch if you weren’t a Windows Developer?

BTW, I met Woody Pewitt of Microsoft at a Rails Meetup and he had a huge Coding Horror sticker on his laptop :slight_smile:

Jeff,

2 quick notes. As obvious as this may sound, logging on in safe mode would’ve helped you get rid of most of those processes with a simple registry edit, and running Ad-Aware/Spybot.

Secondly, you could’ve simply used a live CD to get rid of the infected files; I’ve had to do that to remove a rootkit.

Gotta love Linux Live CDs.
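The two questions above about trusting the “Company Name” / “missing publisher” heuristic, and the safe-mode registry edit suggested in the comment just above, point at the same check, so one added example (mine, not the post author’s or any commenter’s) serves both. The CompanyName field is an unauthenticated string in the PE version resource, so anyone can write “Microsoft Corporation” there; the Authenticode signature is what actually ties a binary to a publisher through a certificate chain. The script lists the executables behind running processes and behind the HKLM/HKCU Run keys, puts CompanyName next to the certificate subject, and flags entries whose signature is not Valid or whose CompanyName claims Microsoft without a Microsoft-issued signer. It assumes Windows PowerShell 5.1 or later and an elevated prompt (safe mode is fine); the list of Run keys and the heuristics are my own choices, not anything the post specifies.

```powershell
# Added example, not from the original post or its comments.
# Assumptions: Windows PowerShell 5.1 or later, elevated prompt (safe mode is fine)
# so that the executable paths of other users' processes are readable.

# Autostart locations inspected here (constructed list for the example; not exhaustive).
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-SignerInfo {
    # Put the free-text CompanyName version string next to the Authenticode signer.
    # Only the signer is backed by a certificate chain; CompanyName is just a string.
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$Source = 'process'
    )
    $sig    = Get-AuthenticodeSignature -LiteralPath $Path
    $vi     = (Get-Item -LiteralPath $Path).VersionInfo
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }

    # Heuristics chosen for this example:
    #  - signature missing, tampered (HashMismatch) or not chained to a trusted root
    #  - CompanyName claims Microsoft but the certificate subject does not
    $claimsMicrosoft   = ([string]$vi.CompanyName) -match 'Microsoft'
    $signedByMicrosoft = $signer -match 'O=Microsoft Corporation'

    [pscustomobject]@{
        Source      = $Source
        Path        = $Path
        CompanyName = $vi.CompanyName
        Status      = $sig.Status      # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Signer      = $signer
        Suspicious  = ($sig.Status -ne 'Valid') -or ($claimsMicrosoft -and -not $signedByMicrosoft)
    }
}

function Get-CommandExecutable {
    # Extract the executable from a Run-key command line such as
    #   "C:\Program Files\Foo\foo.exe" /tray     or     %SystemRoot%\system32\bar.exe -q
    param([string]$CommandLine)
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine)
    if ($cmd -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($cmd.Trim() -split '\s+', 2)[0]
}

function Get-RunKeyTargets {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }      # provider metadata (PSPath, PSParentPath, ...)
            if (-not $p.Value) { continue }            # empty (default) value
            $exe = Get-CommandExecutable -CommandLine ([string]$p.Value)
            if ($exe -and (Test-Path -LiteralPath $exe -PathType Leaf)) {
                Get-SignerInfo -Path $exe -Source "$key\$($p.Name)"
            } else {
                # Target missing or not a plain file path: still worth a manual look.
                [pscustomobject]@{
                    Source = "$key\$($p.Name)"; Path = $p.Value; CompanyName = $null
                    Status = 'Unresolved';      Signer = $null;  Suspicious  = $true
                }
            }
        }
    }
}

function Get-ProcessTargets {
    Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $_.Path } |
        Select-Object -ExpandProperty Path -Unique |
        ForEach-Object { Get-SignerInfo -Path $_ -Source 'process' }
}

$results = @(Get-ProcessTargets) + @(Get-RunKeyTargets)
$results | Where-Object Suspicious |
    Sort-Object Status, Path |
    Format-Table Status, CompanyName, Signer, Source, Path -AutoSize -Wrap
```

Two caveats a practitioner would want. Some Windows components are catalog-signed rather than carrying an embedded signature, and older PowerShell versions report those as NotSigned, so the flagged list is a triage aid rather than a verdict; read Signer and Source before deleting anything. And, as the rootkit comment earlier in the thread says, every process, path and registry value this script sees is handed to it by the possibly-compromised kernel, so an empty result does not prove the machine is clean; it narrows down what to remove from a live CD before the rebuild the thread keeps recommending.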

As someone who is a contractor in a large company (hence no admin access), can I say this article was a life-saver!

I got infected by spyware somehow (I haven’t done anything dodgy, but it must have got in somehow) and was dreading calling IT to ask them to log in as an administrator so I could run Spybot as admin.

This article helped me whack the files myself!

You can’t imagine how grateful I am!

What are the results if you’re not running as administrator?

Trying it in the VM now. So far so good. I don’t see any change in Task Manager with multiple GCW browser windows open.

I agree this is a logical thing to do, but not on a dedicated gaming system.

I lost my enthusiasm for limited user accounts when Microsoft didn’t have the guts to make standard users (instead of administrators) the default-- as they absolutely should have-- in Windows Vista. I swore they would. Instead we got hybrid administrator weirdness and the “Cancel or Allow”. Sigh. I guess that’s another thing we can sacrifice at the altar of backwards compatibility.

Jeff,

As interesting and complete as this was, isn’t it an awful lot like Mark Russinovich’s presentation entitled “Enterprise Malware Solutions”?

Considering your background, I’d be willing to accept that you came to the same conclusion independently. However, if that presentation was your source, you should really give credit where it’s due.

Long-time reader, first-time commenter,

-Jeff

As interesting and complete as this was, isn’t it an awful lot like Mark Russinovich’s presentation entitled “Enterprise Malware Solutions”?

I’ve never seen this presentation. But any comparison between me and Mark Russinovich is a tremendous compliment. Mark is the real deal; without his tools, none of this would be possible.

I have the utmost respect for Mark and you can rest assured I’d never copy his work. What I did, I did on my own with a few Google searches… and I posted it largely because the Google results weren’t very good, and I felt I could provide a better resource for the next poor souls to have the same problem I did.

Plus, have you met Mark Russinovich? He’s like 6 foot 3 and literally could be a male model. Between his encyclopedic, world-renowned guru-level knowledge of every part of Windows, and his unnatural good looks, he makes the rest of us geeks look like… well, the geeks that we are. :slight_smile: He’s a fantastically nice guy, too.