a companion discussion area for blog.codinghorror.com

How to Clean Up a Windows Spyware Infestation


#101

Great article, and great explanations. Of course there is no perfect place! If you like other operating systems, good for you I say. I have run everything over the past 30 years, nothing compares with Windows, nothing. All one has to do is look at the take up rate of Windows and it’s easy to see that it is the easiest and most popular, and as a result the best target for the pirates to attack, as they are likely to get a return on their investment…and they do, because it all comes down to the user and their inability to detect and defend against them. The average user is not very knowledgeable about computers and just wants to download or buy something, and they get caught. Articles like this will help those people a little more each time and by the time the next generation comes along, they will begin to win against the pirates. Nothing is easy or free!


#102

Oh - one last funny thing - people in my office are surprised how much you flaunt using CD-cracks. Although I agree with you morally, it is illegal under the DMCA, even for stuff you legally own, to circumvent copyright protection technology. Posting about it to others opens you up to legal hassle you might not want.

I could make up some cock-and-bull story, but why not just tell the truth?

I strongly support buying software. Software is part of my livelihood.
http://www.codinghorror.com/blog/archives/000735.html

But I also support customer choice, and the idea that the customer is not my enemy, and not a criminal-- as so many copy protection schemes and DRM approaches assume.


#103

I think someone should police the internet with webpages that have spyware… isn’t that kinda breaching into someone’s property without asking??? If there was an organization that would form some type of anti spyware policy out there that would be great! And get people to report sites that have spyware on them and sue their asses… I think it’s one way to force people to be more responsible on their sites… and fix the problem rather than just turning the face to look the other way hoping that no one would do something about it…


#104

I have had a guy here to do what you have suggested and also ran Spybot and AntiVir and the only things that we still can’t get rid of are something called virtumonde and smitfraud, nothing seems to work. My son was using my computer for games so I am assuming he infected it in this way. I am constantly getting pop ups and things that knock me out of what I am doing. Anyone encounter these two? Anything work?


#105

Good work!

I actually use this style with a different variation since I didn’t know you can kill the threads within the process.

If for some reason I can’t kill the spyware process or delete it, I simply remove the startup entries and autoruns and pull the plug on the computer. After that, since upon reboot the startup entries are clear of spyware/worms, it is safe to assume you can already delete the spyware programs. This is also assuming Unlocker doesn’t work as well.

The problem with Spybot or even combinations of antispyware or antivirus is that the programmers of these spyware/worms lock their process within a legit process, making them undeletable. Anyway, the killing of threads idea is really new to me and I think it is a lifesaver.

Thanks for the tip! I thought I already knew many things regarding this, glad to know somebody else has a better idea than me… great to have new insights!


#106

Just use ad-aware, spybot, and CWShredder (http://us.trendmicro.com/us/products/personal/CWShredder/index.html) first. I install those, along with Firefox, on a clean install, as my first thing. Use AVG Free too, for Anti-virus. I’ve never had a person’s computer that didn’t get cleaned up with these tools.

Use Spybot to its full capability! Download the beta detection rules!
Set Ad-aware to scan Full!
and I sometimes run CWShredder every day. It only takes a few seconds, and it’s just as long to download.

These are good tips, if you can’t do it with the easy way. This is the REALLY REALLY HARD way. But it is good, if you can’t get rid of everything with the above mentioned.


#107

I would echo that *nix and mac systems aren’t less prone because of a smaller userbase. Just look at IE vs Firefox for a comparative situation.

However, if more people moved over to these systems there would be a higher percentage of holes found, just not necessarily to the same degree.

Automatically switching to a *nix or mac system doesn’t mean you don’t have to take the same precautionary measures. Those that use these systems tend (though not always) to be those that automatically take the required measures anyway. And I’m talking about regular checks, not running using insecure software, not visiting suspect websites/running suspect programs etc.

In my experience (and echoed by many others) if you follow these measures on a Windows system you very rarely run into any problems.

The Vista security model makes the best, in my opinion, of a tricky situation. The justification behind quick elevation is that, given the inconvenience people find the existing solution to be, if it were any more inconvenient people would turn it off (they are more likely to turn it off completely than downgrade to something like the current model). You then have no more security than previous versions.

Vista is a transition OS, designed largely to facilitate a change from bad practices and train users in the new ways. Microsoft rightly take a few years with gradual steps to introduce big changes (that’s not to say that they haven’t been too late in introducing many of the changes for a lot of things).


#108

You do realize that by posting this the malware, adware writers only have to put “Microsoft Corporation” in the publisher section to thwart your attempts?


#109

Well, this article arrived in the nick of time.

So, a couple days ago, I get a new freelance 3D job. I haven’t worked at home in my 3D app (Maya if anyone cares) in quite a while, and I’d since upgraded my network card. Since Maya’s activation key is tied somehow to the network card, my perfectly legal, bought-and-paid-for license was no longer valid. Transferring the license became a nightmare of poor customer service calls, so I decided to surf the web for a way to crack it. I’m on a deadline you know?

Long story short, after surfing the myriads of admittedly unsafe sites (even with the latest version of Firefox installed) I got hit, and couldn’t quite mop up the vestiges of the infestation. Then along comes this article, and presto my machine is clean again.

Thanks.

Oh, that’s also another argument against ridiculous copy protection mechanisms. One of the reasons for Maya’s popularity was that it was so widely pirated. Students steal the software, and when they start actually making money in the field, they go with what they already know. Anyways, down with lame-o copy protection.


#110

Hoax: Process Explorer can verify the publisher by the executable’s signature. Unfortunately, not even Microsoft appears to sign all of their stuff properly, so this isn’t a solved problem yet.


#111

As I mentioned, and a few informed people reiterated, it would be easy and best to reformat and start over. Since this is only a gaming box, and newly installed, it should be painless to redo it correctly and avoid later hassle. If you ever plug this machine on your network on the safe side of your firewall then it is likely your safe machines, the ones you do use for banking and such, will get owned.

More than half of modern malware comes with a rootkit, according to recent studies (Google rootkit increase). Thus you can assume for each piece of malware that you removed above, there is one still hidden. Tools running within the OS like RootkitRevealer are now easily bypassed, and sample code to do this (and much more) can be found online, making it trivial to get past the methods above.

Modern malware is designed to update itself, and will use the most recent attack vectors to capture neighboring machines. Even if all your machines are currently patched, but one on your network is owned, once a new hole is discovered and rolled out to your owned machine, the rest of your machines will soon be owned. Putting an easily fixable machine back into service can easily lead to all your machines being rooted, which would require a lot more reinstalling. I do research into malware and work on rootkits, and I do see this happen.

As to another person’s question - you can modify the kernel without a reboot. So that is no guarantee that you avoided a rootkit. An easy way to do it is to use Device/PhysicalMemory and change links in the process list to hide things. You can change whatever you want on a running system with this, since you have full unfettered access to RAM for every process, including kernel structures.

Packet sniffers do not work on well crafted malware either. Many use very stealthy and low bandwidth communication traffic, and are extremely hard to ferret out with packet traffic.

Putting any compromised machine on your network is a sure way to get them all hosed. Good luck.

What to do? Run behind a hardware firewall. Use antivirus. Use updates. Do not run as admin (I know - hard to do). Vista is likely more secure than XP (the randomized memory layout goes a long way to preventing attacks). Do not run crapware.

Oh - one last funny thing - people in my office are surprised how much you flaunt using CD-cracks. Although I agree with you morally, it is illegal under the DMCA, even for stuff you legally own, to circumvent copyright protection technology. Posting about it to others opens you up to legal hassle you might not want. You may as well state you smoke pot often and like to run red lights :)


#112

It’s not that the mac or linux are great (although they are, except for linux), it’s that Microsoft makes horrible, horrible, horrible software. Try living a few months without having to think about viruses and spyware, and you’ll never go back.

And believe this too: Even if you enjoy some kind of feeling of mastery, just because you can get your computer to not crash with only a half-day’s work, you won’t miss it with computers that simply work. You’ll get your feeling of mastery from getting actual work done, which feels a whole lot better.

Seriously, PC users are like kidnap victims, who idolize their abusers… It’s painful to watch. Get real, get out, get free!


#113

I skimmed the comments and didn’t see this explicitly mentioned: it seems more likely to me that one of the no-cd patches itself gave you the malware. After all, these patches are made by anonymous people, and are illegal. They are the perfect vector for malware.

I hate IE and Windows as much as the next guy, but it might not be at fault in this case?


#114

What a great post. I fix PCs for a living and hadn’t come across this handy tool, fills the gaps that the anti-malware programs leave.


#115

Hmm. Going through all these comments I start to wonder why read a blog if you can comment on it WITHOUT reading it. The article above describes the fastest and easiest way of cleaning malware. Using common sense when looking at company descriptions is the best way to find malware processes and files. And by using the signature check (included in process explorer and autostart) you can make sure that the description and other details of the image are not spoofed. No description and cryptographic file names raise suspicion. Several posts said to use antispyware software. Those products clean only known widespread spyware. Using common sense can identify much more of them. So if you have no other way you can use this method as a last resort. You can learn more on this on microsoft technet. www.microsoft.com/itsshowtime look for Mark Russinovich presentation.
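
An added illustration of the point debated in #108, #110 and #115, not code from the article or from any commenter: the "Company" text shown for a process comes from the file's version resource and can be set to anything, while the Authenticode signature is checked cryptographically. The sketch uses the built-in `Get-Process` and `Get-AuthenticodeSignature` cmdlets; the `O=Microsoft Corporation` subject match is an assumption about how Microsoft's signing certificates are named.

```powershell
# Added example: for each running image, put the self-declared Company string
# next to the result of verifying the file's Authenticode signature.
$report = Get-Process |
    Where-Object { $_.Path } |            # skip processes whose image path is not readable
    Sort-Object Path -Unique |
    ForEach-Object {
        $sig    = Get-AuthenticodeSignature -FilePath $_.Path
        $signer = $null
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

        [pscustomobject]@{
            Name      = $_.Name
            Company   = $_.Company        # version-resource text; the file's author chooses it
            SigStatus = $sig.Status       # Valid, NotSigned, HashMismatch, NotTrusted, ...
            Signer    = $signer           # subject of the signing certificate, if any
            Path      = $_.Path
        }
    }

# Images that claim Microsoft as publisher but are not validly signed by a
# certificate whose subject names Microsoft Corporation (assumed subject format).
$report |
    Where-Object {
        $_.Company -like '*Microsoft*' -and
        ($_.SigStatus -ne 'Valid' -or $_.Signer -notlike '*O=Microsoft Corporation*')
    } |
    Format-Table Name, SigStatus, Signer, Path -AutoSize
```

As #110 notes, not every genuine Microsoft file is signed, so a row in this output is a lead to investigate rather than a verdict, and a check run inside a compromised OS inherits the limits #111 describes.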


#116

I totally concur with the poster who suggested using BartPE to live-boot a machine with an infected HD. You can add a number of useful modules to BartPE like AdAware, McAfee Stinger and Command Line virus scanner, Firefox, thereby increasing its usefulness.

BartPE has made my de-lousing tasks SOOO much easier over the years. Also great for getting important files off of a system that refuses to boot.

Best of all, because you aren’t loading the OS from the infected machine, it’s a lot easier to pry those nasty malware hooks from your system since they aren’t in use at the time.

HijackThis is crucial. Keep it in your Doctor’s bag at all times.

p.s. I’m a hardcore Mac user who still does tech support for Windows. Gotta make a living, ya know.


#117

If this article confirms one thing, it’s that prevention is better than cure. I wouldn’t even bother to attempt a fix - how can anyone be certain of the result? All that effort, for what is at best, the hope of a fix and nothing more.

The simplest approach is to rebuild the machine securely, with non-admin accounts and take an image of the drives before putting it to use. There is no point in spending hours half-fixing something when you can restore it perfectly from backup in 15-30 minutes and have the assurance it is pristine.

For what it’s worth, I wouldn’t recommend any spyware-protection that depends on you running as an Administrator either - it’s like a burglar alarm which only works if your house is unlocked and people are free to wander in (much better to just lock the house).


#118

Thanks for the info Jeff, I’ve used some of those tools for quite a while now, especially process explorer. Very handy when you need to get rid of files that are locked by the OS. I’ll definitely be grabbing ‘autoruns’ now that I am aware of it.

As for people suggesting Firefox (including extension), Linux, or Mac, they kind of missed the point of this blog I fear. Sure, he can use Linux, Mac, or Firefox and avoid these issues, but he may not be able to run his games under the other OSes. (I say may, cause there is a good chance wine, cedega, et al. would run them without very much difficulty, but I have no first hand experience getting those sims working on wine, et al.). The point was, when you’re already screwed, here is what you can do to unscrew yourself, and I believe this article did that quite well.

This is also above the heads of 95% of people out there, as those tools can easily destabilize your system and must be used with caution, or at least on a system that “doesn’t matter” (aka, not to be “tested” on the production exchange server at your place of employment). However, using these tools may help you achieve a higher level of understanding about exactly how your OS works, and possibly bump you up into that elite 5% of the people out there, and that is always a good thing.


#119

To the rootkit people:

So they can hide even when the operating system is taken off-line, the kernel-mode driver is identified, and a system file-check is run, all without the rootkit running at all? I’m sorry, but your rootkits aren’t as invulnerable as you think, and the majority cannot hide from RootkitRevealer. The amazing rootkits are still vulnerable outside of Windows, just like any other malware program. Disconnect the NIC. Remove malware using Jeff’s procedure, boot outside of the Windows install, scan around, repair install whatever Windows version you’re running. Patch up. Check user accounts, reset policies. Done. This can be done in a matter of a couple hours (of actual work, obviously not including sitting around for scans) by a white-hat with intimate Windows knowledge.

In the meantime, compared to what even the most advanced corporate antivirus solutions can muster, Jeff’s procedure is the most powerful procedure of manual virus removal accessible to the tech-savvy end-user.

Besides, you’re probably not getting infected by HackerDefender Platinum+++ from GameCopyWorld.


#120

One thing that I used to do was remove the entries that were placed in my registry by the malware.