Removing Spyware or Malware
Overview
Malicious software goes by many names: Spyware, worms, viruses, Trojans, Adware, keystroke loggers, pests, and more. "Spyware" often is used to mean all malicious software other than viruses. I use the term "malware" instead.
The following is a blueprint for removing any and all malicious software from an infected Windows computer. This is not customized for a particular malware program, but applies to all malicious software. The intended audience are computer nerds and, as such, some details have been omitted. It's more a cheat-sheet than a tutorial. If you are not a computer nerd and think your computer may be infected (see Symptoms section below), print this page and give it to your local techie.
The goal described below is to remove the malware from Windows. This should not, however, be the goal in all instances. Depending on the circumstances, the correct approach might be to wipe the hard disk clean and re-install or recover Windows. A clean install is the only 100% guaranteed way to return the computer to a fully functioning state. If the computer is used for anything judged to be important, a clean install is probably called for. If the person who owns the infected computer says there are no important files or that all the important files are backed up, then a clean install is called for. On the other hand, there may be application software that can't be re-installed easily. Regardless of the approach used, the first thing to do is a disk image backup (see below).
There is still another approach, one never mentioned elsewhere. Do both. Keep the old infested copy of Windows and install a new fresh clean copy. This has the advantage of not having to back up all the important files and thus not risk forgetting to back up something. First you need to re-partition the hard disk, which means purchasing software. Also, this assumes there is enough free space for a new instance of Windows. For desktop computers, you can add a second internal hard disk to hold the new clean copy of Windows.
The steps below are designed for a computer brutally infested with malicious software. Some of the symptoms of a Spyware infection are at the bottom of the page.
The main phases of the cleanup are: backup, stop the malware from running, check for other errors, delete the malware, and finally, prevention from this sort of thing happening again. Some malware is very well defended, so it's worth some time and effort to prevent it from running in the first place before trying to remove it.
Preparation
Disconnect the infected machine from any and all computer networks (the Internet and/or Local Area Network). If possible use a PS/2 based mouse and keyboard rather than USB (if you have to boot to DOS or Linux there may not be USB drivers). Have these programs ready to run off removable media (floppy, CD, USB flash drive): a disk imaging program, a program to control auto-started programs, a process monitor, a utility to disable Browser Helper Objects (BHOs) and a firewall. (more on this below) It is best to run this software from removable media both to insure it is not compromised and because some malware may prevent the use of equivalent Windows based software on the infected machine. Also, there are a number of steps that should be taken before connecting the infected machine to the Internet to download any other software.
Backup
Make a disk image backup using bootable removable media. My preference would be for the image backup to reside outside the computer. If the machine does not have an internal CD or DVD burner, use an external model (which means adding drivers for the external burner to the list of software you need up-front). Another options is to copy the Windows partition to a hidden partition on the hard disk.
Make a registry backup too.
Stop Malware From Running
Boot to Safe Mode via F8.
Stop the obvious malware from running at boot time with a utility that controls auto-started programs. This is best done from Safe Mode because I have seen malware that puts itself back into the list of auto-started programs as soon as its removed.
The AutoRuns program from SysInternals is a free program that controls auto-started programs. It is small, safe program from a reliable source. No installation is needed, you can run autoruns.exe from removable media.
Beware of malware with a good name in a bad directory. For example, the real version of winlogon.exe resides in the C:Windowssystem32 directory. A copy of winlogon.exe in the C:Windows directory is trouble. Likewise, winlogin.exe (slight name change) in the C:Windowssystem32 directory is also bad news.
Check the "hosts" file and if it has any entries other than 127.0.0.1, comment them out.
For Windows XP and 2000 look in C:WINDOWSSYSTEM32DRIVERSETC
For Windows 98ME look in C:WINDOWS
Check My Network Places and delete anything suspicious, especially FTP sites referenced by IP address.
If the computer is behind a router, change the administration password for the router and tape the new password to the box.
Look for BHOs and disable anything you don't recognize. When in doubt disable it, you can always re-enable a BHO later.
You want to do this early because BHOs are kicked off by both Windows Explorer and IE. For this, I like BHODemon from Definitive Solutions. Windows XP SP2 has the IE Add-On manager. However, BHODemon can run off removable media without being installed to Windows, works with all versions of Windows and offers opinions about the BHOs, making it the far better choice. An actively maintained list of BHOs is available at ComputerCops.biz (thanks Larry) but beware, it's a very big page. In the Status column "X" means malware, "L" means benign. Sysinfo.org also has a list of known BHOs but I'm told this is no longer maintained.
Review the list of auto-started Services (for Windows XP/2000) and disable the ones you don't recognize. Pay special attention to services that have no description.
Services are one of many ways to auto-start a program at boot time. To research Windows 2000 services see Purpose of Windows 2000 Services and Glossary of Windows 2000 Services. For XP see Windows Server 2003 System Services Reference or System Services for the Windows Server 2003 Family and Windows XP Operating Systems. To research the EXE that underlies a service see Windows Startup Online or WinTasks Process Library or Task List Programs at AnswersThatWork.com.
Examine the scheduled tasks for any obvious malware that kicks itself off this way.
Make sure Windows Explorer is displaying hidden and system files.
Re-boot back to Safe Mode.
The previous steps were the low hanging fruit. Rebooting in Safe Mode is to find any malware that auto-starts despite the initial steps above. Eventually, we reboot normally and look for malware that snuck through the steps below. The goal is that by the time we run anti-Spyware software there's a clean playing field for malware removal.
Use a Process monitoring program to examine all the running programs. For each malware program, note the location of the underlying executable file. Kill the process and rename the underlying EXE. If it resides in its own directory rename that too. Give it a name something on the order of: someprogram.DONOTRUN.exe. If you can't kill the process, boot to DOS or the Recovery Console and rename the underlying file from there.
For this, I like Process Explorer, another free program from SysInternals.com. Like AutoRuns, it requires no installation, you can run it directly from removable media. It can also drill down into svchost.exe and report the underlying services.
Even with newer versions of Windows such as XP, older mechanisms for automatically running a program at startup time still work. If you want to manually inspect these holdovers, check:
The [windows] section of Win.ini looking for an entry such as load=spyware.exe and run=spyware.exe
The [boot] section of System.ini looking for an entry such as Shell = Explorer.exe spyware.exe
Autoexec.bat looking for something like c:spyware.exe
Boot normally.
Use a process monitor to check for any malware that might have been auto-started. Anything that shows up here is pretty darn resistant. It may have detected that its process was being terminated and created a new instance of itself. Or, it may use different names and run from different locations at each startup. Or it may be auto-started from an obscure part of the registry that the software you used to control automatically run programs does not handle (AutoRuns seem pretty complete to me). Note the underlying EXE, reboot to DOS or the Recovery Console and rename this file. Trying to kill the process may only tell it that we are on its existence and trigger a defense mechanism.
In Windows XP and Me make a Restore Point.
Delete:
* All ActiveX controls (see below)
* The web browser cache (Temporary Internet Files), for each user, if necessary
* Temporary files
* Cookies (perhaps overkill, I admit)
* The web browser history
* Empty the recycle bin
* Disable System Restore to delete the old Restore points, then re-enable it and take a new Restore point
Active X programs/controls reside in C:WINDOWSDownloaded Program Files
on Windows XP/ME/98 and in C:WINNTDownloaded Program Files
in Windows 2000. With IE6 and Windows 2000 and XP, the cache and cookies
reside in C
ocuments and SettingsuseridLocal SettingsTemporary Internet Files
Windows XP SP2 displays the installed ActiveX controls and offers to disabled them, but I would rather delete them.
Reboot normally. Hopefully, no malware is auto-started at this point.
In Windows XP and Me make a Restore Point.
Review the IE Trusted Zone (Tools -> Internet Options -> Security Tab -> Trusted Zones -> Sites button) and delete any web sites there. Review the IE Favorites and delete anything that looks suspicious. Change the IE home page to a blank page (if you can). On the Content tab, click the Publishers button and remove any trusted publishers.
Get a firewall program up and running.
If the machine already had a firewall installed, review the rules, it only takes a single exception to punch a big hole in the protection. Better yet, uninstall the current firewall and do a clean install of the latest version of the free edition of ZoneAlarm. ZoneAlarm is better than the firewall in Windows XP SP2 because it starts out with no exception rules and because it is more resistant to being shut down by malware.
Log on to the Internet.
Scan the entire hard disk with Housecall from Trend Micro, then scan it again with another Anti-Virus scanner such as Security Check from Symantec.
Any computer infected with malware, is also likely to be infected with viruses. Better to get rid of the viruses first. Online virus scans should be used because client side anti-virus software may have been crippled. I suggest using Housecall first because my experience has been that new virus definitions are added to it very quickly. A second scan with another product may be overkill, but better safe than sorry.
In Windows XP and Me make a Restore Point.
At this point, none of the installed malicious software should be running automatically at system start-up and the machine should be virus free. This is the time to run a barrage of anti-Spyware programs. It's a shame that you need to run more than one, but you do. Opinions vary as to the "best" anti-Spyware programs, however, the following are generally respected and free.
* The classic programs are Ad-aware and Spybot.
* There is a 30 day free trial version of Spy Sweeper from Webroot
* Mic*ft has an Anti-Spyware program that, as of this writing, is still in beta.
* Run the ActiveX based online CounterSpy scan from Sunbelt software (I've experienced some false positives with it). This is only a scan, if it finds something you want to remove, there is an installable free trial version.
* The Yahoo IE Toolbar uses the Pest Patrol engine and both detects and removes Spyware
* Can't hurt to run the ActiveX version of Mic*ft's Malicious Software Removal Tool
* CA offers a free ActiveX scan with Pest Patrol. However, if it finds anything there is no free trial. There used to be manual removal instructions, but that was before the product was purchased by Computer Associates.
If Spyware was detected and removed by the above programs, then you should also remove any Restore Points (Windows XP and Me only) that may include the malicious software. You do this by turning off System Restore. Then turn it back on and make a new Restore Point.
Make sure that you can change the IE home page and security settings and that Internet Options appears in the Control Panel. If not, try HijackThis and/or read this article by Mike Healan.
In a Baltimore Sun article, (Patience, basic toolkit, updates to security can block spyware July 29, 2004) Mike Himowitz suggested that the cleanup is not done at this point. On NT class machines with multiple users he warns that "Spyware programs embed themselves in each user's personal settings" which requires you to log off the current userid, logon as each of the other users and run the Spyware removal software again. He says "If you don't do this, your Spyware may come back." Makes a clean install look better and better.
Be aware that running the usual anti-malware software can create problems. In the September 21, 2004 issue of PC Magazine, Bill Machrone wrote about malware that infests the TCP/IP stack. The usual anti-malware products removed only half the infection resulting in corrupted TCP/IP software. He found software to fix the problem under Windows XP avoiding the need to un-install and re-install TCP/IP itself. See Corruption at the Jersey Shore.
Prevention and Cleanup
This is a good time to round up the usual suspects: run Windows Update manually, adjust IE settings for high security, lower the size of the IE cache and the System Restore cache (XP and Me only), defrag, delete TEMP files and (for XP,2000) disable the Messenger service. Install an anti-virus product and get it up to date (bug fixes and virus definitions). Set both the anti-virus software and Windows Update for automatic updates. Needless to say, set up an anti-Spyware program to run in auto-protect mode.
For Windows XP and 2000, let me suggest setting task manager to run automatically in the system tray at boot time and train the user to watch for cpu spikes, a good first indicator of Spyware running in the background.
If ZoneAlarm is installed, set it to protect the Hosts file. If Norton AntiVirus is installed set a password for its configuration options. If your firewall allows, set a password on it to protect configuration changes. Likewise, the anti-Spyware software may also offer this feature.
Install the free SpywareBlaster program to update the kill bits in the registry and the IE Restricted Zone. This protection is partial, but better to have than not. Use it to make an IE settings snapshot backup.
Use my Java Tester web site to see which JVM, if any, is installed. If none, fine. If there is a Mic*ft JVM, maybe upgrade to the current Sun JVM. This Macromedia page tells you the version of Flash that is installed and this page tells you what the latest Flash version is.
Install Firefox and a non-Mic*ft email program (such as Thunderbird) and show the computer owner how to use them. Install the Flash plug-in for Firefox and possibly also Shockwave, Java and QuickTime. If the computer user is a beginner and unable or unwilling to deal with Firefox extensions, turn off the Firefox option that allows new extensions to be installed (Tools -> Options -> Web Features -> Allow web sites to install software). This should prevent future accidental software installs.
Show the user(s) how to back up their most important files (I teach a short class on backups, but only in New York City).
To prevent malware infections in the future, teach the user safe Internet techniques. The time spent here is probably well spent when compared to using software that automatically watches for new installs of malicious software (Spybot, BHODemon and the paid versions of Ad-aware can do this, among others). Any such software would need to be maintained and, when it finds something, the user may not fully understand the situation. Also, the software applies to a single computer, whereas safe computing habits apply everywhere. Along this line, I have a web page about recognizing and dealing with bad emails and maintain a page with malware links. I also teach a class on Protecting Your Computer, but only in New York City.
And, Finally
If you need to run a web browser from removable media (that is, a program that does not need to be installed on the hard disk) I know of two:
* On the low end, there is Off By One, a single, standalone EXE that supports all versions of Windows
* On the high end, John Haller has created a Portable Firefox. As of October 2004, the latest stable version was 0.9.3 but he also has version 1.0PR available as a test.
A reader of this page suggested Bart's Preinstalled Environment (BartPE). It lets you boot from a CD into Windows, totally bypassing the corrupted copy of Windows. This lets you run your favorite malware removal software unmolested. I'll have to look into this . . .
Some Symptoms of Spyware, Adware, Malware Infection
The symptoms of a malware infection vary.
Your web browsing speed may be slow. Your computer, in general, may be slower that it was and may take much longer to start up than it used to.
It is likely Internet Explorer is modified. You homepage and/or search page may be changed, new favorites that you didn't create may appear, a new toolbar may appear or you may end up at unknown web sites when you try to do a search.
To prevent you from undoing the browser modifications made by a malware program, some of them remove or disable the Internet Options from the Tools Menu and from the Control Panel. If you try to reset your home page and can't, it's likely due to malware. If you can't get to anti-virus or security web sites, but can get to other web sites, it's likely due to malware.
Adware will bombard you with pop-up ads. More malicious programs serve up a constant barrage of ads for pornographic web sites. That's on top of the pop-ups from the web sites you're viewing. If you see pop-up ads even when you are offline, it's due to malware.
Actual Spyware (as opposed to other malware) has to phone home to report what it found. If your firewall provides outbound protection you may see the "phone call" and be able to stop it.
Malicious software may also shut down or disable your anti-virus program or your firewall program. It may prevent the normal activity of your anti-Spyware software. It may prevent you from accessing Task Manager or msconfig or regedit.
Adware programs may create new icons on the Windows desktop, task bar, or system tray. They may also create popup windows that you are unable to close. If your computer mysteriously dials the phone on it's own, it may be infected with a porn dialing program.
ort, click okay and that's it! Don't forget to check with
