Michael Horowitz
Home => Removing Spyware
[Formatted for Printing] From the personal web site of  Michael Horowitz
 
Removing Spyware

July 2009 Revision

This page was originally created in August 2004, then wasn't seriously updated from 2006 until July 2009 when this was written. The world has changed much since this page was first created. For a more recent look at the same subject, I wrote a series of articles at eSecurity Planet.

The basic premise is that malware can be very good at defending itself, so the best way to remove it, is not to let it run in the first place. You can do this by booting an infected machine from a CD and running an operating system off the CD that treats the C disk as a data disk. You can then run anti-malware software either from the bootable CD (I like The Ultimate Boot CD for Windows) or from another machine on the network.

It turns out that this is a good first step, but is not sufficient as the only step (see Part 3). There is great news ahead however. Both MalwareBytes and SUPERAntiSpyware are working on being able to mount the registry as a registry, even when running outside the infected Operating System. This will be a big improvement and go further to making my scan-from-the-outside approach even better.

The Best Way to Remove Viruses, Spyware and other Malware (Part 1) May 19, 2009

How to Remove Malware: Booting from a CD (Part 2) June 16,2009

The Best Way to Remove Viruses and Malware: The Clean-Up (Part 3) July 20,2009

My first writing on this topic, which went more into other approaches to malware removal, was my April 16, 2009 Computerworld blog posting Different approaches to removing malware.




Original Page Follows

Topics Below
  1. Overview
  2. Preparation
  3. Backup
  4. Stop Malware
  1. Other Errors
  2. Repair, Delete and Re-build  
  3. Prevention
  4. Symptoms of Infection

Overview

Malicious software goes by many names: Spyware, worms, viruses, Trojans, Adware, keystroke loggers, pests, and more. "Spyware" often is used to mean all malicious software other than viruses. I prefer the term "malware" as it's a bit more descriptive. This page is for removing any type of malware. 

The following is a blueprint for removing any and all malicious software from an infected Windows computer. This is not customized for a particular malware program, but applies to all malicious software. The intended audience here are computer nerds and, as such, some introductory details have been omitted. It's more a cheat-sheet than a tutorial. If you are not a computer nerd and think your computer may be infected (see Symptoms section below), tell your local techie about this page. 

The goal described below is to remove the malware from Windows. This should not, however, be the goal in all instances. 

Depending on the circumstances, the correct approach might be to wipe the hard disk clean and re-install or recover Windows. A clean install is the only 100% guaranteed way to return the computer to a fully functioning state. If the computer is used for anything judged to be important, a clean install is probably called for. Likewise, it it's used for home banking a clean install may be the best approach. Also, a clean install takes only so much time. The procedure described below can drag on and on ...  

For another opinion on rebuilding the OS vs. fixing it see Help: I Got Hacked. Now What Do I Do? Part 1 (May 2004) and Part 2 (July 2004) by Jesper M. Johansson Security Program Manager Microsoft Corporation

The two big downsides to a clean install are losing the installed applications and all user data files. Trying to backup data files before wiping the hard disk clean is an accident waiting to happen, you're bound to overlook some. One way to insure that all files are backed up is to make a disk image backup. In fact, it can't hurt to make an image backup, even when you opt to remove the malware rather than doing a clean install of Windows. From the new copy of Windows (or another computer altogether) you can cherry pick data files off the image backup at your leisure.

Even without disk image backups, it is possible to both do a clean install of Windows and also save the existing infested copy of Windows (not for the applications necessarily but to insure that you have all your data files). How? Hard disk partitions. You can keep the old copy of Windows in one partition and install the new, fresh, clean copy in a different partition.

When running the freshly minted copy of Windows, the old infested copy can either be visible to it or not. If it is visible, then data files can be copied from it to the new Windows instance as needed. And, you might use anti-virus and anti-Spyware software running in the new clean copy of Windows to remove the malware from the old copy. If you think you've cleaned out the old copy of Windows, then you may want to boot it to run your applications. If so, be sure to hide the new copy of Windows from the old copy - just in case there is still an infection.

Hard disk partitioning tips: Disk imaging tips:

Then again, why bother at all? An article in The New York Times reported that some people are throwing away their infected computers and buying new ones rather than remove all the malicious software. See Corrupted PC's Find New Home in the Dumpster   July 17, 2005

The steps below are designed for a computer brutally infested with malicious software.

The main phases of the cleanup are: backup, stop the malware from running, check for other errors, delete the malware, and finally, prevention from this sort of thing happening again. The reason for first preventing the malware from running is that some such programs are very well defended and may not be removable while they are executing.

[Overview last updated July 12, 2006] 

Preparation TOP

Disconnect the infected machine from any and all computer networks (the Internet and/or Local Area Network).

If possible use a PS/2 based mouse and keyboard rather than USB (if you have to boot to DOS or Linux there may not be USB drivers). Have as many of these programs ready to run off removable media (floppy, CD, USB flash drive) as you can. It is best to run this software from removable media both to insure it is not compromised and because some malware may prevent the use of equivalent Windows based software on the infected machine.

If possible download a Windows/software firewall, such as ZoneAlarm, on another computer and store it on removable media such as a flash drive. Likewise, the trial version of an anti-virus program such as NOD32 or Kaspersky is good to have on hand.

And speaking of firewalls, if there is a broadband connection, it can't hurt to have the machine positioned behind a hardware firewall such as that found in normal ordinary routers from Linksys, Belkin, Netgear and the like. There is nothing wrong with a software firewall such as ZoneAlarm but two levels of protection better than one. I suggest using a router just for its internal firewall even if there is only a single computer connected to the Internet. Wired routers offer a bit more safety than wireless routers and although they may be harder to find, they do still exist.

Backup TOP

In case anything goes wrong, it's always good to be able to start over. To this end, make a disk image backup using a bootable CD, or any other bootable media such as a flash drive. Since the computer has been compromised, it's best if the image backup is made to an external device, typically CDs, DVDs, a LAN resident computer or an external hard disk. If you have partitioning software instead of disk image software, then shrink the Windows partition and copy it to a hidden partition on the hard disk.

Stop Malware From RunningTOP

Boot to Safe Mode via F8.

Make a registry backup.

Stop the obvious malware from running at boot time with a utility that controls auto-started programs. This is best done from Safe Mode because I have seen malware that puts itself back into the list of auto-started programs as soon as its removed.

The AutoRuns program from SysInternals is a free program that controls auto-started programs. It is small, safe program from a reliable source. No installation is needed, you can run autoruns.exe from removable media. This June 2007 article by George Ou at Zdnet describes using AutoRuns and includes pictures: How to fully de-gunk a PC of Crapware

June 22, 2006: According to Didier Stevens, some malware can disable Safe Mode. Ugh.
February 9, 2007: Didier Stevens released a .REG file that can be used to restore Safe Mode. See Restoring Safe Mode with a .REG file

Beware of malware with a good name in a bad directory. For example, the real version of winlogon.exe resides in the C:\Windows\system32 directory. A copy of winlogon.exe in the C:\Windows directory is trouble. Likewise, winlogin.exe (slight name change) in the C:\Windows\system32 directory is also bad news.

Check the "hosts" file and if it has any entries other than 127.0.0.1, comment them out. Sample clean hosts file.

For Windows XP and 2000 look in C:\WINDOWS\SYSTEM32\DRIVERS\ETC     
For Windows 98\ME  look in  C:\WINDOWS   
I have seen the hosts file locked by malicious software such that it couldn't be updated, deleted or even renamed.

Check My Network Places and delete anything suspicious, especially FTP sites referenced by IP address. 

If the computer is behind a router, change the administration password for the router and tape the new password to the box. 

Look for BHOs and disable anything you don't recognize. When in doubt disable it, you can always re-enable a BHO later. 

You want to do this early because BHOs are kicked off by both Windows Explorer and IE. For this, I used to like BHODemon from Definitive Solutions. Unfortunately development of BHODemon has been discontinued. :-(  Windows XP SP2 has the IE Add-On manager. However, BHODemon could run off removable media without being installed to Windows, works with all versions of Windows and offers opinions about the BHOs, making it the far better choice. Deleting BHOs can be tricky because they are active if either Windows Explorer or IE is running. I used to suggest running BHODemon from removable media with Start -> Run -> x:\dir\someprogram.exe (modifying as appropriate).

An actively maintained list of BHOs is available at ComputerCops.biz (thanks Larry) but beware, it's a very big page. In the Status column "X" means malware, "L" means benign. Sysinfo.org also has a list of known BHOs but I'm told this is no longer maintained.

Review the list of auto-started Services (for Windows XP/2000) and disable the ones you don't recognize. Pay special attention to services that have no description. 

Services are one of many ways to auto-start a program at boot time. To research Windows 2000 services see Purpose of Windows 2000 Services and Glossary of Windows 2000 Services. For XP see Windows Server 2003 System Services Reference or System Services for the Windows Server 2003 Family and Windows XP Operating Systems. To research the EXE that underlies a service see Windows Startup Online or WinTasks Process Library or Task List Programs at AnswersThatWork.com.

Examine the scheduled tasks for any obvious malware that kicks itself off this way. 

Make sure Windows Explorer is displaying hidden and system files. 

Re-boot back to Safe Mode. 

The previous steps were the low hanging fruit. Rebooting in Safe Mode is to find any malware that auto-starts despite the initial steps above. Eventually, we reboot normally and look for malware that snuck through the steps below. The goal is that by the time we run anti-Spyware software there's a clean playing field for malware removal.

Use a Process monitoring program to examine all the running programs. For each malware program, note the location of the underlying executable file. Kill the process and rename the underlying EXE. If it resides in its own directory rename that too. Give it a name something on the order of: someprogram.DONOTRUN.exe. If you can't kill the process, boot to DOS or the Recovery Console and rename the underlying file from there.

For this, I like Process Explorer, another free program from SysInternals.com. Like AutoRuns, it requires no installation, you can run it directly from removable media. It can also drill down into svchost.exe and report the underlying services. 

Even with newer versions of Windows such as XP, older mechanisms for automatically running a program at startup time still work. If you want to manually inspect these holdovers, check:

The [windows] section of Win.ini looking for an entry such as load=spyware.exe and run=spyware.exe
The [boot] section of System.ini looking for an entry such as Shell = Explorer.exe spyware.exe
Autoexec.bat looking for something like c:\spyware.exe

 

Check For Other ErrorsTOP

Before removing and deleting anything, ensure that malware is the only problem with the computer. Run a full Scandisk or Check Disk. Also, make sure the hard disk is using Ultra DMA as opposed to PIO - we will be doing a lot of hard disk activity. Make another registry backup.

 

Repair, Delete and Re-build TOP

This would be a good time to run anti-virus and anti-Spyware software to clean things up. Considering the system is infected, it's best to run the software from outside of Windows, that is, from a bootable CD. Much software can't run this way, but some can. 

A good place to start is with Bart's Preinstalled Environment (BartPE). It lets you boot from a CD into a stripped down version of Windows, totally bypassing the corrupted copy of Windows on the hard drive. I have not used Bart PE. For more see: A Must-Have Repair And Recovery Tool by Fred Langa August 8, 2005.

I have used a similar tool, the free Ultimate Boot CD for Windows. It too is a bootable Windows CD with software to repair, restore and diagnose problems. All the software is freeware and it actually uses Bart's PE. It does, however, require a Windows license to create the CD. Specifically, you need a Windows OS disc, preferably with SP2 on it.

A huge amount of free software is included in the Ultimate Boot CD for Windows. For our purposes here, it comes with multiple anti-virus and anti-Spyware programs. As of March 2007, the anti-virus programs are F-Secure Anti-Virus for DOS, AntiVir Personal, Avast!, ClamWin, McAfee Stinger, Dr.Web CureIT and Trend Micro SysClean. Anti-Spyware choices include the popular Spybot and Ad-aware. In addition there is aSquared Free, CWShredder, EzPCFix, Hijack This, Rootkitty, WinSock Fix, XBlock. In theory, these programs can be updated so that they run with the latest definitions. In July 2007 I tried to run AntiVir Personal from a CD created in March 2007 and it couldn't or wouldn't download the latest virus signatures. Still, running with signatures a few months old is way better than not scanning at all. The Ultimate Boot CD includes networking support and you can run IE or Firefox or other web browsers directly off the CD to access the Internet.

I also suggest scanning for rootkits. The two programs below are free and do not need to be installed. They are each a single file and can be run from a flash drive.

In addition: 

Next boot normally. 

Remove the relatively honest Adware using Add/Remove Programs in the Control Panel.

Use a process monitor to check for any malware that might have been auto-started. Anything that shows up here is pretty darn resistant. It may have detected that its process was being terminated and created a new instance of itself. Or, it may use different names and run from different locations at each startup. Or it may be auto-started from an obscure part of the registry that the software you used to control automatically run programs does not handle (AutoRuns seem pretty complete to me). Note the underlying EXE, reboot to DOS or the Recovery Console and rename this file. Trying to kill the process may only tell it that we are on to its existence and trigger a defense mechanism.

In Windows XP and Me make a Restore Point. 

Delete:

Active X programs/controls reside in C:\WINDOWS\Downloaded Program Files 
on Windows XP/ME/98 and  in C:\WINNT\Downloaded Program Files  
in Windows 2000. With IE6 and Windows 2000 and XP, the cache and cookies
reside in C:\Documents and Settings\userid\Local Settings\Temporary Internet Files
Windows XP SP2 displays the installed ActiveX controls and offers to disabled them, but I would rather delete them.

I have read that Ad-aware can run from a USB thumb drive, but haven't verified this myself. If it can, this would be a good time to run it.

This is great time to run the free McAfee AVERT Stinger. Nice thiing about it is that it does not have to be installed, thus it can be run from a flash drive. In fact, it's a single .EXE file. Down side is that it only detects some viruses, it is not a full anti-virus product. As of July 2007 it detected 187 viruses.

I haven't tried it, but I've read that the free AntiVir PersonalEdition Classic from Avira can also run off a flash drive. This is a full blown anti-malware program.

Reboot normally. Hopefully, no malware is auto-started at this point.

In Windows XP and Me make a Restore Point.

Review the IE Trusted Zone (Tools -> Internet Options -> Security Tab -> Trusted Zones -> Sites button) and delete any web sites there. Review the IE Favorites and delete anything that looks suspicious. If there are too many malicious Favorites, then just rename the directory where they live (see below). Change the IE home page to a blank page (if you can). On the  Content tab, click the Publishers button and remove any trusted publishers. 

Internet Explorer Favorites live in  C:\Documents and Settings\ userid\Favorites

Get a firewall program up and running.

If the machine already had a firewall installed, review the rules, it only takes a single exception to punch a big hole in the protection. Better yet, uninstall the current firewall and do a clean install of the latest version of the free edition of ZoneAlarm. ZoneAlarm is better than the firewall in Windows XP SP2 because it starts out with no exception rules and because it is more resistant to being shut down or disabled by malware.

Log on to the Internet.

Scan the entire hard disk for viruses. I used to like Housecall from Trend Micro but as of March 2006 it hasn't worked for me in months and I've tried it on many machines. Security Check from Symantec only finds bad stuff, it does not delete it. My virus links page has links to other online virus scanners. 

Any computer infected with malware, is also likely to be infected with viruses. Better to get rid of the viruses first. Online virus scans should be used because client side anti-virus software may have been crippled.

In Windows XP and Me make a Restore Point.

At this point, none of the installed malicious software should be running automatically at system start-up and the machine should be virus free. This is the time to run a barrage of anti-Spyware programs. Sometimes, however, removing Spyware breaks TCP/IP. If the computer is running Windows XP SP2, then now is the time to display a list of all the software using Layered Service Provider. Run this command and save the output:

      netsh winsock show catalog

Finally, it's time for anti-Spyware software. It's a shame that you need to run more than one, but you do. Opinions vary as to the "best" anti-Spyware programs, however, the following are generally respected and free.

If Spyware was detected and removed by the above programs, then you should also remove any Restore Points (Windows XP and Me only) that may include the malicious software. You do this by turning off System Restore. Then turn it back on and make a new Restore Point. 

Make sure that you can change the IE home page and security settings and that Internet Options appears in the Control Panel. If not, try HijackThis and/or read this article by Mike Healan. 

In a Baltimore Sun article, (Patience, basic toolkit, updates to security can block Spyware July 29, 2004) Mike Himowitz suggested that the cleanup is not done at this point. On NT class machines with multiple users he warns that "Spyware programs embed themselves in each user's personal settings" which requires you to log off the current userid, logon as each of the other users and run the Spyware removal software again. He says "If you don't do this, your Spyware may come back."  :-(   Makes a clean install look better and better.
 

Did you create a new problem?

Running the usual anti-malware software can create problems. In the September 21, 2004 issue of PC Magazine, Bill Machrone wrote about malware that infests the TCP/IP stack. The usual anti-malware products removed only half the infection resulting in corrupted TCP/IP software. He found software to fix the problem under Windows XP avoiding the need to un-install and re-install TCP/IP itself. The article: Corruption at the Jersey Shore. The software: WinSock XP Fix 1.2 (alternate link).

The problem has to do with the LSP feature of TCP/IP. The fixes described here reset the TCP/IP stack which will effect software that was using LSP (the software may need to be un-installed and re-installed). But which, if any, software depends on LSP? The output of the netsh command suggested earlier is that list. It may include anti-virus and firewall programs. 

In Windows XP SP2 you can reset the LSP feature of TCP/IP with this command:

netsh winsock reset catalog

Then reboot.

Another free program along the same lines is LSP-Fix from Counterexploitation (cexx.org). It too, may help when the removal of Spyware programs disables Internet access. It fixes problems with Layered Service Provider (LSP) software that can be inserted into TCP/IP software. Spybot Search and Destroy may also be able to help with this problem. 

And another problem can be created by removing Spyware: 

 

Prevention and CleanupTOP


Unauthorized Copying
The spyware-dr.com web site copied most of this web page without asking. Don't buy anything there.
Someone using the alias Zinho copied this page to www.hackerscenter.com without asking permission.
The spywareremoveguide.info website is an un-authorized copy of this page. June 25, 2007. Don't trust it.

This is a good time to round up the usual suspects: run Windows Update manually, adjust IE settings for high security, lower the size of the IE cache and the System Restore cache (XP and Me only), defrag, delete TEMP files and (for XP,2000) disable the Messenger service.  Install an anti-virus product and get it up to date (bug fixes and virus definitions). Set both the anti-virus software and Windows Update for automatic updates. Needless to say, set up an anti-Spyware program to run in auto-protect mode. 

For Windows XP and 2000, let me suggest setting task manager to run automatically in the system tray at boot time and train the user to watch for cpu spikes, a good first indicator of Spyware running in the background. 

If ZoneAlarm is installed, set it to protect the Hosts file. If Norton AntiVirus is installed set a password for its configuration options. If your firewall allows, set a password on it to protect configuration changes. Likewise, the anti-Spyware software may also offer this feature. 

Install the free SpywareBlaster program to update the kill bits in the registry and the IE Restricted Zone. This protection is partial, but better to have than not. Use it to make an IE settings snapshot backup. 

Use my Java Tester web site to see which JVM, if any, is installed. If none, fine. If there is a Microsoft JVM, maybe upgrade to the current Sun JVM. This Macromedia page tells you the version of Flash that is installed and this page tells you what the latest Flash version is. 

Install Firefox and a non-Microsoft email program (such as Thunderbird) and show the computer owner how to use them. Install the Flash plug-in for Firefox and possibly also Shockwave, Java and QuickTime. If the computer user is a beginner and unable or unwilling to deal with Firefox extensions, turn off the Firefox option that allows new extensions to be installed (Tools -> Options -> Web Features -> Allow web sites to install software). This should prevent future accidental software installs. 

Show the user(s) how to back up their most important files (I teach a short class on backups, but only in New York City). 

To prevent malware infections in the future, teach the user safe Internet techniques. The time spent here is probably well spent when compared to using software that automatically watches for new installs of malicious software (Spybot, BHODemon and the paid versions of Ad-aware can do this, among others). Any such software would need to be maintained and, when it finds something, the user may not fully understand the situation. Also, the software applies to a single computer, whereas safe computing habits apply everywhere. Along this line, I have a web page about recognizing and dealing with bad emails and maintain a page with malware links.

Whew.

Some Symptoms of Spyware, Adware, Malware InfectionTOP

The symptoms of a malware infection vary.

Your web browsing speed may be slow. Your computer, in general, may be slower that it was and may take much longer to start up than it used to.

It is likely Internet Explorer is modified. You homepage and/or search page may be changed, new favorites that you didn't create may appear, a new toolbar may appear or you may end up at unknown web sites when you try to do a search.

To prevent you from undoing the browser modifications made by a malware program, some of them remove or disable the Internet Options from the Tools Menu and from the Control Panel. If you try to reset your home page and can't, it's likely due to malware. If you can't get to anti-virus or security web sites, but can get to other web sites, it's likely due to malware.

Adware will bombard you with pop-up ads. More malicious programs serve up a constant barrage of ads for pornographic web sites. That's on top of the pop-ups from the web sites you're viewing. If you see pop-up ads even when you are offline, it's due to malware.

Actual Spyware (as opposed to other malware) has to phone home to report what it found. If your firewall provides outbound protection you may see the 'phone call' and be able to stop it.

Malicious software may also shut down or disable your anti-virus program or your firewall program. It may prevent the normal activity of your anti-Spyware software. It may prevent you from accessing Task Manager or msconfig or regedit.

Adware programs may create new icons on the Windows desktop, task bar, or system tray. They may also create popup windows that you are unable to close. If your computer mysteriously dials the phone on its own, it may be infected with a porn dialing program.

And, FinallyTOP

Someone gave me a computer recently with hundreds upon hundreds of instances of malware (not including cookies). It was so badly infected that two hours after the Windows 98 boot process started, the desktop still had not displayed. Getting rid of the malware took a lot of time start to finish, but not that much of my time as I mostly let assorted utilities run for hours on end. For example, after its initial detection scan, Spy Sweeper took hours to delete the malware it had found.

A few days later there was an article in the Washington Post about removing malware from a badly infected Windows 98 machine. The approach the author took to removing the malware was flawed and I was appalled that the author would, in effect, brag about his incompetence in writing the story. Thus this page. See my gripes regarding the Washington Post.

If you need to run a web browser from removable media (that is, a program that does not need to be installed on the hard disk) I know of two:

Unbeknownst to me, the US Government put out a document on this same subject just days before I put up this page (Recovering from a Trojan Horse or Virus).


 

 @defensivecomput TOP Home => Removing Spyware   
 Previous Update: July 11, 2007 Created: August 2004 Last Updated: July 23, 2009  
   License Plate
Copyright 2001-2013
Copyright 2001-2013    
Printed at:   April 19, 2014 5:56pm   ET
Viewed 383,014 times since May 26, 2010 (269/day over 1,424.1 days)