Removing Spyware
Overview
Malicious software goes by many names: Spyware, worms, viruses, Trojans, Adware, keystroke loggers, pests, and more. "Spyware" is often used to mean all malicious software other than viruses. I prefer the term "malware" as it's a bit more descriptive. This page is for removing any type of malware.
The following is a blueprint for removing any and all malicious software from an infected Windows computer. This is not customized for a particular malware program, but applies to all malicious software. The intended audience here is computer nerds and, as such, some introductory details have been omitted. It's more a cheat-sheet than a tutorial. If you are not a computer nerd and think your computer may be infected (see Symptoms section below), tell your local techie about this page.
The goal described below is to remove the malware from Windows. This should not, however, be the goal in all instances.
Depending on the circumstances, the correct approach might be to wipe the hard disk clean and re-install or recover Windows. A clean install is the only 100% guaranteed way to return the computer to a fully functioning state. If the computer is used for anything judged to be important, a clean install is probably called for. Likewise, if it's used for home banking a clean install may be the best approach. Also, a clean install takes only so much time. The procedure described below can drag on and on ...
The two big downsides to a clean install are losing the installed applications and all user data files. Trying to back up data files before wiping the hard disk clean is an accident waiting to happen; you're bound to overlook some. One way to ensure that all files are backed up is to make a disk image backup. In fact, it can't hurt to make an image backup even when you opt to remove the malware rather than doing a clean install of Windows. From the new copy of Windows (or another computer altogether) you can cherry-pick data files off the image backup at your leisure.
Even without disk image backups, it is possible to both do a clean install of Windows and also save the existing infested copy of Windows (not for the applications necessarily but to ensure that you have all your data files). How? Hard disk partitions. You can keep the old copy of Windows in one partition and install the new, fresh, clean copy in a different partition.
When running the freshly minted copy of Windows, the old infested copy can either be visible to it or not. If it is visible, then data files can be copied from it to the new Windows instance as needed. And, you might use anti-virus and anti-Spyware software running in the new clean copy of Windows to remove the malware from the old copy. If you think you've cleaned out the old copy of Windows, then you may want to boot it to run your applications. If so, be sure to hide the new copy of Windows from the old copy - just in case there is still an infection.
- Shrink and hide the current infested partition, create a new visible and bootable partition, and install the clean copy of Windows into this new partition. If you want to make the infested copy of Windows visible as a data-only, non-bootable partition, consider converting it from a primary to a logical partition (Windows can't boot from a logical partition). From the infested copy of Windows, delete the paging file, hibernation file, IE cache and System Restore cache as they are no longer needed and occupy a lot of space.
- To me, the best location for the image backup is outside the infested computer, either on CDs, DVDs, an external hard disk or another computer on the LAN. Make the backup from outside Windows (that is, with it down) using the bootable DOS or Linux environment provided by the disk image product. If the image backup software has an option to verify the image backup, turn it on.
Then again, why bother at all? An article in The New York Times reported that some people are throwing away their infected computers and buying new ones rather than remove all the malicious software. See Corrupted PC's Find New Home in the Dumpster July 17, 2005
The steps below are designed for a computer brutally infested with malicious software.
The main phases of the cleanup are: backup, stop the malware from running, check for other errors, delete the malware, and finally, prevention from this sort of thing happening again. The reason for first preventing the malware from running is that some such programs are very well defended and may not be removable while they are executing.
Preparation
Disconnect the infected machine from any and all computer networks (the Internet and/or Local Area Network).
If possible use a PS/2 based mouse and keyboard rather than USB (if you have to boot to DOS or Linux there may not be USB drivers). Have as many of these programs ready to run off removable media (floppy, CD, USB flash drive) as you can. It is best to run this software from removable media both to ensure it is not compromised and because some malware may prevent the use of equivalent Windows based software on the infected machine.
- a disk imaging program
- a program to control auto-started programs such as autoruns
- a process monitor such as process explorer
- McAfee AVERT Stinger for virus removal
- a utility to disable Browser Helper Objects (BHOs). The one I used to use has been discontinued; Windows XP SP2 can do this, as can the autoruns program discussed below.
If possible download a Windows/software firewall, such as ZoneAlarm, on another computer and store it on removable media such as a flash drive. Likewise, the trial version of an anti-virus program such as NOD32 or Kaspersky is good to have on hand.
And speaking of firewalls, if there is a broadband connection, it can't hurt to have the machine positioned behind a hardware firewall such as that found in normal ordinary routers from Linksys, Belkin, Netgear and the like. There is nothing wrong with a software firewall such as ZoneAlarm, but two levels of protection are better than one. I suggest using a router just for its internal firewall even if there is only a single computer connected to the Internet. Wired routers offer a bit more safety than wireless routers and although they may be harder to find, they do still exist.
Backup
In case anything goes wrong, it's always good to be able to start over. To this end, make a disk image backup using a bootable CD, or any other bootable media such as a flash drive. Since the computer has been compromised, it's best if the image backup is made to an external device, typically CDs, DVDs, a LAN resident computer or an external hard disk. If you have partitioning software instead of disk image software, then shrink the Windows partition and copy it to a hidden partition on the hard disk.
Stop Malware From Running
Boot to Safe Mode via F8.
Make a registry backup.
Stop the obvious malware from running at boot time with a utility that controls auto-started programs. This is best done from Safe Mode because I have seen malware that puts itself back into the list of auto-started programs as soon as it's removed.
June 22, 2006: According to Didier Stevens, some malware can disable Safe Mode. Ugh.
February 9, 2007: Didier Stevens released a .REG file that can be used to restore Safe Mode. See Restoring Safe Mode with a .REG file
Beware of malware with a good name in a bad directory. For example, the real version of winlogon.exe resides in the C:\Windows\system32 directory. A copy of winlogon.exe in the C:\Windows directory is trouble. Likewise, winlogin.exe (slight name change) in the C:\Windows\system32 directory is also bad news.
Check the "hosts" file and comment out any entry whose address is not 127.0.0.1. On Windows XP and 2000 the file (no extension) lives in the Windows directory under system32\drivers\etc, typically C:\WINDOWS\system32\drivers\etc\hosts (C:\WINNT\... on 2000). An entry that maps an anti-virus or security vendor's web site to 127.0.0.1 is also a hijack: it silently blocks updates and help pages, so the only 127.0.0.1 line that should survive is the one for localhost. Sample clean hosts file.
For Windows 98\ME look in C:\WINDOWS
I have seen the hosts file locked by malicious software such that it couldn't be updated, deleted or even renamed.
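The hosts check above, as an added example (not code from the original page): it parses the hosts file, keeps comments and the plain loopback entries, comments out every mapping to a non-loopback address and every loopback mapping of a security vendor name, and reports what it changed. SAMPLE_HOSTS is constructed for illustration (the redirect target is a TEST-NET address), and SECURITY_VENDOR_HINTS is an assumed list of names worth flagging; extend it for the vendors you use.

```python
"""Sanitize a Windows hosts file: keep loopback entries, comment out everything else.

Added example, not part of the original page. SAMPLE_HOSTS is constructed for
illustration and SECURITY_VENDOR_HINTS is an assumed list of names worth flagging.
"""
import ipaddress
import re
from pathlib import Path

# %SystemRoot%\system32\drivers\etc\hosts on XP/2000; C:\WINDOWS\hosts on 98/ME.
DEFAULT_HOSTS = r"C:\WINDOWS\system32\drivers\etc\hosts"
# Names malware maps to 127.0.0.1 so the victim cannot fetch updates or help (assumed).
SECURITY_VENDOR_HINTS = ("symantec", "mcafee", "kaspersky", "trendmicro", "microsoft",
                         "windowsupdate", "avast", "sophos", "f-secure", "avira")
# address, one or more hostnames, optional trailing comment
LINE_RE = re.compile(r"^\s*(?P<addr>[0-9A-Fa-f.:]+)\s+(?P<names>[^#]+?)\s*(?:#.*)?$")


def sanitize_hosts(text):
    """Return (cleaned_text, flagged).

    flagged is a list of (address, hostname, reason). Mappings to any address
    other than loopback are commented out ("redirected"); loopback mappings of
    security vendor names are commented out too ("blackholed"); plain loopback
    entries such as "127.0.0.1 localhost", comments and blank lines are kept.
    """
    cleaned, flagged = [], []
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            cleaned.append(raw)
            continue
        m = LINE_RE.match(raw)
        try:
            addr = ipaddress.ip_address(m.group("addr")) if m else None
        except ValueError:
            addr = None
        if addr is None:
            # A line the parser cannot read is not worth trusting either.
            cleaned.append("# UNPARSED: " + raw)
            flagged.append(("?", stripped, "unparseable"))
            continue
        addr_text, names = m.group("addr"), m.group("names").split()
        if not addr.is_loopback:
            cleaned.append("# " + raw)
            flagged.extend((addr_text, n, "redirected") for n in names)
            continue
        blocked = [n for n in names if any(h in n.lower() for h in SECURITY_VENDOR_HINTS)]
        if blocked:
            cleaned.append("# " + raw)
            flagged.extend((addr_text, n, "blackholed") for n in blocked)
            continue
        cleaned.append(raw)
    return "\n".join(cleaned) + "\n", flagged


def sanitize_hosts_file(path=DEFAULT_HOSTS):
    """Rewrite the hosts file in place, keeping a .bak copy; returns the flagged list."""
    p = Path(path)
    original = p.read_text()
    cleaned, flagged = sanitize_hosts(original)
    p.with_name(p.name + ".bak").write_text(original)
    p.write_text(cleaned)  # fails if malware has locked the file; fix it from outside Windows
    return flagged


# Constructed sample: a vendor site black-holed and a search site redirected (TEST-NET address).
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1       localhost
127.0.0.1       www.symantec.com  securityresponse.symantec.com
203.0.113.7     www.google.com    # hijacked search
203.0.113.7     windowsupdate.microsoft.com
"""

if __name__ == "__main__":
    text, hits = sanitize_hosts(SAMPLE_HOSTS)
    for addr, name, why in hits:
        print("%-12s %-32s %s" % (why, name, addr))
    print(text)
```

Run it from the flash drive with the real path as the argument to sanitize_hosts_file; if the write fails because the file is locked, boot to DOS or the Recovery Console, delete the attributes and rename or replace the file from there.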
Check My Network Places and delete anything suspicious, especially FTP sites referenced by IP address.
If the computer is behind a router, change the administration password for the router and tape the new password to the box.
Look for BHOs and disable anything you don't recognize. When in doubt disable it, you can always re-enable a BHO later.
An actively maintained list of BHOs is available at ComputerCops.biz (thanks Larry) but beware, it's a very big page. In the Status column "X" means malware, "L" means benign. Sysinfo.org also has a list of known BHOs but I'm told this is no longer maintained.
Review the list of auto-started Services (for Windows XP/2000) and disable the ones you don't recognize. Pay special attention to services that have no description.
Examine the scheduled tasks for any obvious malware that kicks itself off this way.
Make sure Windows Explorer is displaying hidden and system files.
Re-boot back to Safe Mode.
Use a Process monitoring program to examine all the running programs. For each malware program, note the location of the underlying executable file. Kill the process and rename the underlying EXE. If it resides in its own directory rename that too. Give it a name something on the order of: someprogram.DONOTRUN.exe. If you can't kill the process, boot to DOS or the Recovery Console and rename the underlying file from there.
Even with newer versions of Windows such as XP, older mechanisms for automatically running a program at startup time still work. If you want to manually inspect these holdovers, check:
The [boot] section of System.ini looking for an entry such as Shell = Explorer.exe spyware.exe
Autoexec.bat looking for something like c:\spyware.exe
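An added example (not code from the original page) for the checks described in this section: it takes the (image name, full path) list you would copy out of a process monitor and flags a known system binary running outside its proper directory or a name one character away from a genuine one (winlogin.exe, svch0st.exe), then inspects the [boot] Shell= line of system.ini and program launches in autoexec.bat. EXPECTED_DIRS is a short assumed table of where the genuine binaries live on XP/2000; the sample snapshot, system.ini and autoexec.bat text are constructed for illustration.

```python
"""Audit a process snapshot and the legacy startup files for malware tricks.

Added example, not part of the original page. EXPECTED_DIRS, SAMPLE_SNAPSHOT,
SAMPLE_SYSTEM_INI and SAMPLE_AUTOEXEC are constructed for illustration; a real
snapshot is the (name, path) list a process monitor shows you.
"""
import configparser
import ntpath

# Where the genuine copy of each core binary lives, relative to the Windows
# directory, on XP/2000 (assumed short table; extend it as you learn a system).
EXPECTED_DIRS = {
    "winlogon.exe": "system32",
    "svchost.exe": "system32",
    "lsass.exe": "system32",
    "csrss.exe": "system32",
    "services.exe": "system32",
    "explorer.exe": "",  # the Windows directory itself
}


def _edit_distance(a, b):
    """Levenshtein distance, used to spot look-alikes such as winlogin.exe or svch0st.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def audit_processes(snapshot, windir=r"C:\WINDOWS"):
    """snapshot: list of (image name, full path). Returns a list of (path, reason)."""
    findings = []
    for name, path in snapshot:
        lname = name.lower()
        parent = ntpath.normcase(ntpath.dirname(path))
        if lname in EXPECTED_DIRS:
            expected = ntpath.normcase(ntpath.normpath(ntpath.join(windir, EXPECTED_DIRS[lname])))
            if parent != expected:
                findings.append((path, "known name outside %s" % expected))
            continue
        for known in EXPECTED_DIRS:
            if _edit_distance(lname, known) == 1:
                findings.append((path, "look-alike of %s" % known))
                break
    return findings


def audit_system_ini(text):
    """Return the extra tokens on the [boot] Shell= line; it should read Shell=Explorer.exe."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    shell = cp.get("boot", "shell", fallback="")
    return [t for t in shell.split() if t.lower() != "explorer.exe"]


def audit_autoexec(text):
    """Return autoexec.bat lines whose first word runs a program (.exe, .com or .bat)."""
    hits = []
    for line in text.splitlines():
        words = line.strip().lstrip("@").split()
        if words and words[0].lower().endswith((".exe", ".com", ".bat")):
            hits.append(line.strip())
    return hits


SAMPLE_SNAPSHOT = [
    ("winlogon.exe", r"C:\WINDOWS\system32\winlogon.exe"),  # genuine
    ("winlogon.exe", r"C:\WINDOWS\winlogon.exe"),           # right name, wrong directory
    ("winlogin.exe", r"C:\WINDOWS\system32\winlogin.exe"),  # one letter off
    ("explorer.exe", r"C:\WINDOWS\explorer.exe"),           # genuine
    ("svch0st.exe", r"C:\WINDOWS\system32\svch0st.exe"),    # digit zero for the letter o
]
SAMPLE_SYSTEM_INI = "[boot]\nshell=Explorer.exe spyware.exe\ndrivers=mmsystem.dll\n[386Enh]\nwoafont=dosapp.fon\n"
SAMPLE_AUTOEXEC = "@ECHO OFF\nSET PATH=C:\\WINDOWS\nC:\\spyware.exe\n"

if __name__ == "__main__":
    for path, reason in audit_processes(SAMPLE_SNAPSHOT):
        print("%-45s %s" % (path, reason))
    print("system.ini Shell= extras:", audit_system_ini(SAMPLE_SYSTEM_INI))
    print("autoexec.bat launches:", audit_autoexec(SAMPLE_AUTOEXEC))
```

The path comparison is case-insensitive (ntpath.normcase), since Windows is; the edit-distance threshold of one catches single-character swaps but not a completely different name in a plausible directory, which only the process monitor's vendor and signature information will reveal.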
Check For Other Errors
Before removing and deleting anything, ensure that malware is the only problem with the computer. Run a full Scandisk or Check Disk. Also, make sure the hard disk is using Ultra DMA as opposed to PIO - we will be doing a lot of hard disk activity. Make another registry backup.
Repair, Delete and Re-build
This would be a good time to run anti-virus and anti-Spyware software to clean things up. Considering the system is infected, it's best to run the software from outside of Windows, that is, from a bootable CD. Much software can't run this way, but some can.
A good place to start is with Bart's Preinstalled Environment (BartPE). It lets you boot from a CD into a stripped down version of Windows, totally bypassing the corrupted copy of Windows on the hard drive. I have not used Bart PE. For more see: A Must-Have Repair And Recovery Tool by Fred Langa August 8, 2005.
I have used a similar tool, the free Ultimate Boot CD for Windows. It too is a bootable Windows CD with software to repair, restore and diagnose problems. All the software is freeware and it actually uses Bart's PE. It does, however, require a Windows license to create the CD. Specifically, you need a Windows OS disc, preferably with SP2 on it.
A huge amount of free software is included in the Ultimate Boot CD for Windows. For our purposes here, it comes with multiple anti-virus and anti-Spyware programs. As of March 2007, the anti-virus programs are F-Secure Anti-Virus for DOS, AntiVir Personal, Avast!, ClamWin, McAfee Stinger, Dr.Web CureIT and Trend Micro SysClean. Anti-Spyware choices include the popular Spybot and Ad-aware. In addition there is aSquared Free, CWShredder, EzPCFix, Hijack This, Rootkitty, WinSock Fix, XBlock. In theory, these programs can be updated so that they run with the latest definitions. In July 2007 I tried to run AntiVir Personal from a CD created in March 2007 and it couldn't or wouldn't download the latest virus signatures. Still, running with signatures a few months old is way better than not scanning at all. The Ultimate Boot CD includes networking support and you can run IE or Firefox or other web browsers directly off the CD to access the Internet.
I also suggest scanning for rootkits. The two programs below are free and do not need to be installed. They are each a single file and can be run from a flash drive.
- Panda Software's anti-rootkit program both detects and removes rootkits
- BlackLight from F-Secure is a mature beta (as of July 2007). It both detects and removes rootkits and is free until October 1, 2007.
In addition:
- Portable ClamWin is just that, a portable version of ClamWin, a free antivirus program for Windows 98/Me/2000/XP/2003. Alternate Link
- In October 2005 (more or less) McAfee released a version of their anti-virus software that runs completely off a U3 based thumb drive.
- F-Prot is a free virus scanner that you can run under a bootable Linux CD such as Knoppix. I haven't tried this. From Knoppix Hacks by O'Reilly.
- I have not looked into the Ultimate Boot CD.
Next boot normally.
Remove the relatively honest Adware using Add/Remove Programs in the Control Panel.
Use a process monitor to check for any malware that might have been auto-started. Anything that shows up here is pretty darn resistant. It may have detected that its process was being terminated and created a new instance of itself. Or, it may use different names and run from different locations at each startup. Or it may be auto-started from an obscure part of the registry that the software you used to control automatically run programs does not handle (AutoRuns seems pretty complete to me). Note the underlying EXE, reboot to DOS or the Recovery Console and rename this file. Trying to kill the process may only tell it that we are on to its existence and trigger a defense mechanism.
In Windows XP and Me make a Restore Point.
Delete:
- All ActiveX controls (see below)
- The web browser cache (Temporary Internet Files) for each user for each browser.
- Temporary files
- Cookies (perhaps overkill, I admit)
- The web browser history
- Empty the recycle bin for each Windows user
- Clean out the Java cache folder for each Windows user. The current version of Java (1.5) stores the cache in:
C:\Documents and Settings\userid\Application Data\Sun\Java\Deployment\cache\
You can also delete the cache using Control Panel - > Java -> General Tab -> Delete Files button
See also How to Clean a Java Cache Folder from F-Secure.
- Disable System Restore to delete the old Restore points, then re-enable it and take a new Restore point
ActiveX controls reside in the Downloaded Program Files folder under the Windows directory on Windows XP/ME/98 and in C:\WINNT\Downloaded Program Files in Windows 2000. With IE6 and Windows 2000 and XP, the cache and cookies reside in C:\Documents and Settings\userid\Local Settings\Temporary Internet Files.
Windows XP SP2 displays the installed ActiveX controls and offers to disable them, but I would rather delete them.
I have read that Ad-aware can run from a USB thumb drive, but haven't verified this myself. If it can, this would be a good time to run it.
This is a great time to run the free McAfee AVERT Stinger. The nice thing about it is that it does not have to be installed, thus it can be run from a flash drive. In fact, it's a single .EXE file. The downside is that it only detects some viruses; it is not a full anti-virus product. As of July 2007 it detected 187 viruses.
I haven't tried it, but I've read that the free AntiVir PersonalEdition Classic from Avira can also run off a flash drive. This is a full blown anti-malware program.
Reboot normally. Hopefully, no malware is auto-started at this point.
In Windows XP and Me make a Restore Point.
Review the IE Trusted Zone (Tools -> Internet Options -> Security Tab -> Trusted Zones -> Sites button) and delete any web sites there. Review the IE Favorites and delete anything that looks suspicious. If there are too many malicious Favorites, then just rename the directory where they live (see below). Change the IE home page to a blank page (if you can). On the Content tab, click the Publishers button and remove any trusted publishers.
Get a firewall program up and running.
Log on to the Internet.
Scan the entire hard disk for viruses. I used to like Housecall from Trend Micro but as of March 2006 it hasn't worked for me in months and I've tried it on many machines. Security Check from Symantec only finds bad stuff, it does not delete it. My virus links page has links to other online virus scanners.
In Windows XP and Me make a Restore Point.
At this point, none of the installed malicious software should be running automatically at system start-up and the machine should be virus free. This is the time to run a barrage of anti-Spyware programs. Sometimes, however, removing Spyware breaks TCP/IP. If the computer is running Windows XP SP2, then now is the time to display a list of all the software using Layered Service Providers. Run this command and save the output; you will want it if the Winsock catalog has to be reset later (see "Did you create a new problem?" below):
netsh winsock show catalog
Finally, it's time for anti-Spyware software. It's a shame that you need to run more than one, but you do. Opinions vary as to the "best" anti-Spyware programs, however, the following are generally respected and free.
- The classic programs are Ad-aware and Spybot.
- Trend Micro Anti-Spyware for the Web is free online Spyware removal
- Microsoft has an Anti-Spyware program that, as of this writing, is still in beta.
- SpyCatcher 2006 from Tenebril has a free Express edition
- Run the ActiveX based online CounterSpy scan from Sunbelt software (I've experienced some false positives with it). This is only a scan, if it finds something you want to remove, there is an installable free trial version.
- The Yahoo IE Toolbar uses the Pest Patrol engine and both detects and removes Spyware
- Can't hurt to run the ActiveX version of Microsoft's Malicious Software Removal Tool
- CA offers a free ActiveX scan with Pest Patrol. However, if it finds anything there is no free trial. There used to be manual removal instructions, but that was before the product was purchased by Computer Associates. The downloadable 30 day free trial version of Spy Sweeper from Webroot used to remove Spyware, but no more. Now it only detects.
If Spyware was detected and removed by the above programs, then you should also remove any Restore Points (Windows XP and Me only) that may include the malicious software. You do this by turning off System Restore. Then turn it back on and make a new Restore Point.
Make sure that you can change the IE home page and security settings and that Internet Options appears in the Control Panel. If not, try HijackThis and/or read this article by Mike Healan.
Did you create a new problem?
Running the usual anti-malware software can create problems. In the September 21, 2004 issue of PC Magazine, Bill Machrone wrote about malware that infests the TCP/IP stack. The usual anti-malware products removed only half the infection resulting in corrupted TCP/IP software. He found software to fix the problem under Windows XP avoiding the need to un-install and re-install TCP/IP itself. The article: Corruption at the Jersey Shore. The software: WinSock XP Fix 1.2 (alternate link).
The problem has to do with the LSP feature of TCP/IP. The fixes described here reset the Winsock catalog, which will affect any software that had inserted an LSP (such software may need to be un-installed and re-installed). But which, if any, software depends on LSP? The output of the netsh command suggested earlier is that list. It may include anti-virus and firewall programs.
In Windows XP SP2 you can reset the LSP feature of TCP/IP with this command:
netsh winsock reset catalog
Then reboot.
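To turn the saved netsh output into that list, here is an added example (not code from the original page or from Microsoft): it parses the dump into one record per catalog entry, reports entries whose Provider Path is not one of Microsoft's own Winsock DLLs (the LSPs a reset will drop), and diffs a before and after dump. The sample dumps are constructed in the shape of XP SP2's output; the field labels and the MICROSOFT_PROVIDER_DLLS allow-list are assumptions to verify against a real dump.

```python
"""Parse saved "netsh winsock show catalog" output and pick out third-party LSPs.

Added example, not part of the original page. SAMPLE_BEFORE / SAMPLE_AFTER are
constructed in the shape of XP SP2's output (field labels may differ on other
versions) and MICROSOFT_PROVIDER_DLLS is an assumed allow-list.
"""
import ntpath
import re

MICROSOFT_PROVIDER_DLLS = {"mswsock.dll", "rsvpsp.dll", "winrnr.dll", "nwprovau.dll"}
HEADER_RE = re.compile(r"^(Winsock Catalog Provider Entry|Name Space Provider Entry)$")
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z ]+?):\s*(.*?)\s*$")


def parse_catalog(text):
    """Return one dict per catalog entry, keyed by the field labels in the dump."""
    entries, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if HEADER_RE.match(line):
            current = {"Kind": line}
            entries.append(current)
        elif current is not None:
            m = FIELD_RE.match(line)
            if m:
                current[m.group(1)] = m.group(2)
    return entries


def third_party_providers(entries):
    """Entries whose Provider Path is not a known Microsoft DLL: the LSPs a reset will drop."""
    hits = []
    for e in entries:
        path = e.get("Provider Path", "")
        if path and ntpath.basename(path).lower() not in MICROSOFT_PROVIDER_DLLS:
            hits.append(e)
    return hits


def diff_catalogs(before, after):
    """Return (added, removed) as sorted lists of (Description, Provider Path).

    Catalog Entry IDs are renumbered by a reset, so entries are matched on
    description and path rather than on ID.
    """
    def key(e):
        return (e.get("Description", ""), e.get("Provider Path", ""))
    b, a = {key(e) for e in before}, {key(e) for e in after}
    return sorted(a - b), sorted(b - a)


# Constructed samples: one base provider, one layered entry from a made-up LSP
# (examplelsp.dll) chained over it, and one name space provider.
SAMPLE_BEFORE = r"""
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider ID:                        {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:                   1001
Version:                            2
Protocol Chain Length:              1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Chain Entry
Description:                        ExampleLSP over [MSAFD Tcpip [TCP/IP]]
Provider ID:                        {00000000-0000-0000-0000-000000000001}
Provider Path:                      C:\WINDOWS\system32\examplelsp.dll
Catalog Entry ID:                   1010
Version:                            2
Protocol Chain Length:              2
Protocol Chain:                     1010 : 1001

Name Space Provider Entry
------------------------------------------------------
Description:                        Tcpip
Provider ID:                        {22059D40-7E9E-11CF-AE5A-00AA00A7112B}
Name Space:                         12
Active:                             1
Version:                            0
"""
# The same machine after "netsh winsock reset catalog": the layered entry is gone.
SAMPLE_AFTER = "\n".join(SAMPLE_BEFORE.split("\n\n")[0::2])

if __name__ == "__main__":
    before = parse_catalog(SAMPLE_BEFORE)
    for e in third_party_providers(before):
        print("third-party LSP:", e["Description"], "->", e["Provider Path"])
    added, removed = diff_catalogs(before, parse_catalog(SAMPLE_AFTER))
    print("removed by reset:", removed)
    print("added by reset:", added)
```

Run parse_catalog over the file you saved before removal and again after the reset; anything in the "removed" list is software that will need to be re-installed to get its network hook back, and anything third-party that survives the reset is worth a closer look.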
Another free program along the same lines is LSP-Fix from Counterexploitation (cexx.org). It too, may help when the removal of Spyware programs disables Internet access. It fixes problems with Layered Service Provider (LSP) software that can be inserted into TCP/IP software. Spybot Search and Destroy may also be able to help with this problem.
And another problem can be created by removing Spyware:
You cannot log on to Windows XP after you remove Wsaupdater.exe
Prevention and Cleanup
The spyware-dr.com web site copied most of this web page without asking. Don't buy anything there.
Someone using the alias Zinho copied this page to www.hackerscenter.com without asking permission.
The spywareremoveguide.info website is an un-authorized copy of this page. June 25, 2007. Don't trust it.
This is a good time to round up the usual suspects: run Windows Update manually, adjust IE settings for high security, lower the size of the IE cache and the System Restore cache (XP and Me only), defrag, delete TEMP files and (for XP,2000) disable the Messenger service. Install an anti-virus product and get it up to date (bug fixes and virus definitions). Set both the anti-virus software and Windows Update for automatic updates. Needless to say, set up an anti-Spyware program to run in auto-protect mode.
For Windows XP and 2000, let me suggest setting task manager to run automatically in the system tray at boot time and train the user to watch for cpu spikes, a good first indicator of Spyware running in the background.
If ZoneAlarm is installed, set it to protect the Hosts file. If Norton AntiVirus is installed set a password for its configuration options. If your firewall allows, set a password on it to protect configuration changes. Likewise, the anti-Spyware software may also offer this feature.
Install the free SpywareBlaster program to update the kill bits in the registry and the IE Restricted Zone. A kill bit is the Compatibility Flags value (0x400) under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}; once it is set, IE refuses to load that ActiveX control even if it is still installed. This protection is partial, but better to have than not. Use it to make an IE settings snapshot backup.
Use my Java Tester web site to see which JVM, if any, is installed. If none, fine. If there is a Microsoft JVM, maybe upgrade to the current Sun JVM. This Macromedia page tells you the version of Flash that is installed and this page tells you what the latest Flash version is.
Install Firefox and a non-Microsoft email program (such as Thunderbird) and show the computer owner how to use them. Install the Flash plug-in for Firefox and possibly also Shockwave, Java and QuickTime. If the computer user is a beginner and unable or unwilling to deal with Firefox extensions, turn off the Firefox option that allows new extensions to be installed (Tools -> Options -> Web Features -> Allow web sites to install software). This should prevent future accidental software installs.
Show the user(s) how to back up their most important files (I teach a short class on backups, but only in New York City).
To prevent malware infections in the future, teach the user safe Internet techniques. The time spent here is probably well spent when compared to using software that automatically watches for new installs of malicious software (Spybot, BHODemon and the paid versions of Ad-aware can do this, among others). Any such software would need to be maintained and, when it finds something, the user may not fully understand the situation. Also, the software applies to a single computer, whereas safe computing habits apply everywhere. Along this line, I have a web page about recognizing and dealing with bad emails and maintain a page with malware links.
Whew.
Some Symptoms of Spyware, Adware, Malware Infection
The symptoms of a malware infection vary.
Your web browsing speed may be slow. Your computer, in general, may be slower than it was and may take much longer to start up than it used to.
It is likely Internet Explorer is modified. Your homepage and/or search page may be changed, new favorites that you didn't create may appear, a new toolbar may appear or you may end up at unknown web sites when you try to do a search.
To prevent you from undoing the browser modifications made by a malware program, some of them remove or disable the Internet Options from the Tools Menu and from the Control Panel. If you try to reset your home page and can't, it's likely due to malware. If you can't get to anti-virus or security web sites, but can get to other web sites, it's likely due to malware.
Adware will bombard you with pop-up ads. More malicious programs serve up a constant barrage of ads for pornographic web sites. That's on top of the pop-ups from the web sites you're viewing. If you see pop-up ads even when you are offline, it's due to malware.
Actual Spyware (as opposed to other malware) has to phone home to report what it found. If your firewall provides outbound protection you may see the 'phone call' and be able to stop it.
Malicious software may also shut down or disable your anti-virus program or your firewall program. It may prevent the normal activity of your anti-Spyware software. It may prevent you from accessing Task Manager or msconfig or regedit.
Adware programs may create new icons on the Windows desktop, task bar, or system tray. They may also create popup windows that you are unable to close. If your computer mysteriously dials the phone on its own, it may be infected with a porn dialing program.
And, Finally
Someone gave me a computer recently with hundreds upon hundreds of instances of malware (not including cookies). It was so badly infected that two hours after the Windows 98 boot process started, the desktop still had not displayed. Getting rid of the malware took a lot of time start to finish, but not that much of my time as I mostly let assorted utilities run for hours on end. For example, after its initial detection scan, Spy Sweeper took hours to delete the malware it had found.
A few days later there was an article in the Washington Post about removing malware from a badly infected Windows 98 machine. The approach the author took to removing the malware was flawed and I was appalled that the author would, in effect, brag about his incompetence in writing the story. Thus this page. See my gripes regarding the Washington Post.
If you need to run a web browser from removable media (that is, a program that does not need to be installed on the hard disk) I know of two:
- On the low end, there is Off By One, a single, standalone EXE that supports all versions of Windows
- On the high end, John Haller has created a Portable Firefox. As of September 2005, the latest version was 1.0.6. Alternate link
Unbeknownst to me, the US Government put out a document on this same subject just days before I put up this page (Recovering from a Trojan Horse or Virus). These instructions are better.
Note: For some reason this page doesn't render perfectly in IE. Beats me why
good luck