a companion discussion area for blog.codinghorror.com

How to Clean Up a Windows Spyware Infestation


#161

oh wait, scratch that


#162

Just cleaned a PC and I found that extensions with a Publisher / Company column of ARNIWORX (a Daemon Tools component) should be removed. Links to daemon.dll should be removed. I personally don’t like Daemon Tools because of the bundled malware.


#163

Hmm, I agree with most of what was said, except for registry cleanups. It’s risky. Tackling the Windows registry requires knowledge in the first place, and each and every piece of software that deals with the registry should be used for very specific tasks. A registry cleaner is NOT a cure that fixes problems and makes the system fast. I’ve seen too many people who destroyed their computers by running registry cleaners.


#164

Jeff,

Your problem with getting infected with spyware was not the fault of your browser or an unpatched OS. You should never have been running as an Administrator.

You’ve mentioned it yourself before:
http://www.codinghorror.com/blog/archives/000803.html

And if the game has trouble under non-admin:
http://blogs.msdn.com/aaron_margosis/archive/2006/08/07/LuaBuglight.aspx


Jason
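As an added example (not part of this thread, Jeff's post, or the linked articles), here is a PowerShell snippet a reader can run to confirm whether the account they browse and game with is actually a non-admin session. It assumes a Windows machine with UAC enabled, and the optional group listing at the end assumes the built-in `Get-LocalGroupMember` cmdlet (Windows PowerShell 5.1 or later):

```powershell
# Added example (not code from the thread): report whether the current
# session is an elevated Administrator session, and whether the account
# itself is a member of the local Administrators group.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
$adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator

# True only if this process is running with full administrator rights.
$isElevated = $principal.IsInRole($adminRole)

# Under UAC an admin account in a non-elevated process reports $false above
# even though the account is in Administrators; a single malicious "Run as
# administrator" prompt would still grant full rights. So check the group
# membership separately. S-1-5-32-544 is the well-known SID of the built-in
# Administrators group; the UAC-filtered token still lists it (deny-only).
$adminSid      = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544')
$inAdminsGroup = $identity.Groups -contains $adminSid

[pscustomobject]@{
    User            = $identity.Name
    ElevatedProcess = $isElevated
    InAdminsGroup   = $inAdminsGroup
}

if ($isElevated) {
    Write-Warning 'This session has full administrator rights; use a limited account for everyday browsing and gaming.'
} elseif ($inAdminsGroup) {
    Write-Warning 'Not elevated now, but this account can elevate on request; a limited (non-admin) account is safer.'
} else {
    Write-Output 'This is a limited (non-admin) account: spyware that runs here cannot install system-wide without a separate credential prompt.'
}

# Optional: who can elevate on this machine at all? (Windows PowerShell 5.1+)
if (Get-Command Get-LocalGroupMember -ErrorAction SilentlyContinue) {
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object Name, ObjectClass, PrincipalSource
}
```

The useful distinction is the middle case: a non-elevated process on an admin account looks safe in the first check but is one consent click away from full rights, which is exactly the situation the LUA Buglight article above is meant to help you get out of.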


#165

Another Jason beat me to asking the same thing: What are the results if you’re not running as administrator?


#166

If you know a machine has been compromised (as you did here), the way to fix it is to format and reinstall the OS. Attempts to find and remove all the malware are error-prone and provably inadequate for certain classes of malware. You may end up feeling good thinking you’ve gotten everything, but well-written malware will remain on your system…


#167

Just for completeness. The games might run on Linux. If Wine can’t handle it, maybe Cedega can. The odds aren’t that great, but it might be worth a shot.


#168

With regard to rootkits: in this example it seems the damage was identified before Jeff rebooted the virtual PC.

Is it possible to modify a running kernel without a reboot?

If it is not, then wouldn’t cleaning the PC before the reboot have prevented infection with a rootkit?

However, I realise that this question is hypothetical because in a real life scenario it is unlikely the infection is going to be discovered before the machine is rebooted.


#169

You can simply use software like unhackme :slight_smile:


#170

A few free apps that people either don't use or do not know about:
Always make sure your PC has a firewall; if it does not, you will sooner or later get a virus.
Make sure you also have antivirus software. AVG is a free one and you can install it; google it…

here are some free apps that are a must:

Spybot
MRU Blaster
Malwarebytes
CCleaner

If you have any questions, email me or visit my site; I will be more than happy to help :slight_smile: my spyware removal blog


#171

Jeff, I wrote a fairly lengthy article recently titled How to Clean Malware and Viruses Off a Windows PC with Free Software - http://blog.anthonyrthompson.com/2010/10/clean-windows-malware-viruses-with-free-software/

(The gist of it is that nowadays it’s extremely difficult to clean a running system, since spyware often runs multiple copies of itself to stymie strategies like process killing that you describe; instead you really need to boot from alternate media like CD, USB, etc.)


#172

Jeff Atwood: … killing Winlogon is not an option …

Yes it is… http://blogs.technet.com/b/markrussinovich/archive/2005/07/24/running-windows-with-no-services.aspx


#173

And you say you know Mark Russinovich?


#174

This post has saved me a few times.

As a Linux user, I was completely clueless about what to do on a Windows machine, and having caused the spyware/malware situation myself, it was my responsibility to fix it.

After a bazillion Google searches (some of which were hijacked by the malware by proxy settings), I started paying real close attention to the result page URLs that I was clicking on. Seeing codinghorror.com on the serp on my 950th search attempt had me heaving a sigh of relief.

The rest was a walk in the park.

Thanks Jeff.

-T