programming and human factors
by Jeff Atwood
I recently upgraded my dedicated racing simulation PC, so I was forced to re-install Windows XP SP2, along with all the games. As I was downloading the no-cd patches for the various racing sims I own, I was suddenly and inexplicably deluged with popups, icons, and unwanted software installations. I got that sinking feeling: I had become the unfortunate victim of a spyware infestation.
Of course, this is completely my own fault for browsing the web using the 2004-era web browser included with a default install of Windows XP Service Pack 2. If I was thinking rationally, I would have downloaded Firefox first, or at least connected to Windows Update to get the latest patches, before venturing on to the open internet. But I figured I'd save myself that work, and just pop into a few specific web sites for a few quick downloads. Couldn't hurt, right? Let my mistake be a lesson to everyone reading this: never browse the web without the very latest version of your preferred web browser. Intentionally choosing to browse the web with a three year old browser, as I did, is an incredibly dangerous thing to do.
The consequences in this case are fairly minimal since this isn't even my secondary machine-- it's a special-purpose PC dedicated to gaming. Reinstalling the operating system is no big deal. But it's still an inconvenient timesink, and in any case, the spyware infestation has to be dealt with because it causes serious performance problems and will even interrupt gameplay with incessant popups.
The two most common sites for no-cd patches are MegaGames and GameCopyWorld. In case you're wondering, yes, I do own all my games. I download no-cd patches for convenience's sake; I consider them a privilege of ownership for knowledgeable, ethical PC gamers. I figured the infection came from one of these sites. So I set up a honeypot virtual machine under Virtual PC 2007, using the ancient, original 2001 release of Windows XP and the classic Devil's Own key, and began testing.
Here's a shot of Task Manager at the desktop, after installing the necessary virtual machine additions. This is a completely plain vanilla, clean Windows XP installation: no service packs, no updates, no nothing. This system is connected to the internet, but it's not as dangerous as it sounds. Because it's behind a NAT router that blocks all incoming connections, there's no way it can get passively infected. I let it connect to the internet and quiesce at the desktop for about an hour, just to prove my point. No passive infections occurred behind a NAT router, even for this woefully out of date September 2001 era install of Windows XP.
Now we're leaving passivity behind, and unwisely browsing the open internet with the unpatched, six year old original version of Internet Explorer 6.0. Danger, Will Robinson! I left Task Manager running as I browsed to MegaGames, downloaded a no-cd patch, and... nothing. I then visited GameCopyWorld, downloaded a no-cd patch, and... all of a sudden, it's crystal clear who the culprit is. Check out Task Manager now:
This comes as a shock to me, because GameCopyWorld is recommended often in gaming forums. I consider(ed) it a reputable web site. I've never had a problem with the site before, because I usually surf with the latest updates. But the unpatched browser spyware infestation from visiting GCW-- just from visiting the web pages, even if you don't download a single thing-- is nearly immediate and completely devastating. The virtual machine desktop, after a few scant minutes, tells the story:
It isn't pretty, and let me tell you, I have a new degree of sympathy for the poor users who become the unfortunate victims of spyware infestations. The machine becomes borderline unusable, between...
... it's a wonder people don't just give up on computing altogether. Once the door is open, it seems the entire neighborhood of malware, spyware, and adware vendors take up residence in your machine. There should be a special circle of hell reserved for companies who make money doing this to people.
At first, I was mad at myself for letting this happen. I should know better, and I do know better. Then I channeled that anger into action: this is my machine, and I'll be damned if I will stand for any slimy, unwanted malware, adware, or spyware that takes up residence on it. I resolved to clean up my own machine and fix the mess I made. It's easier than you might think, and I'll show you exactly how I did it.
Our first order of business is to stop any spyware that's currently running. You'll need something a bit more heavy-duty than mere Task Manager-- get Sysinternals' Process Explorer. Download it, run it, and sort the process list by Company Name.
Kill any processes that don't have a Company Name (with the exception of DPCs, Interrupts, System, and System Idle Process). Right-click the processes and select Kill, or select them and press the Delete key. You can use my initial screenshot of Task Manager, at the top of this post, as a reference for what should be running in a clean Windows XP installation. But there's usually no need to be that specific; unless it has a Company Name you recognize, it's highly likely to be a rogue application and should be terminated.
Stopping the running spyware is only half the battle. Now we need to stop the spyware from restarting the next time we boot the system. Msconfig is a partial solution, but again we need something more powerful than what is provided out of the box. Namely, SysInternals' AutoRuns utility. Download it, run it, and start browsing through the list that appears:
As you can see, there's a bunch of spyware, malware, adware, and god knows what else gunking up the works-- all from visiting a single website! Scroll through the list, all the way to the bottom, scanning for blank Publishers, or any Publisher you don't recognize. If you see anything that's suspect, delete it! In a default Windows install, 99.5% of the entries will have "Microsoft Corporation" as the Publisher. Any reputable vendor will have no problem attaching their name to their work, so it's generally only the blank entries you need to worry about.
Now reboot the system. We've removed most of the spyware infestation, but there's a certain much more virulent class of spyware that can survive this treatment. We'll deal with them next.
After rebooting, check Process Explorer and Autoruns for anything suspicious, exactly as we did before. The first thing I noticed that "came back" in Autoruns was a suspicious driver, core.sys, that didn't have a Publisher. I used the powerful Find | Find Handle or DLL menu in Process Explorer to locate any active references to this file.
Unfortunately I didn't capture the right screenshot at the time, so I'm showing a generic search result above. Anyway, there was exactly one open handle to the core.sys file. I selected the result, which highlights the corresponding handle in the lower pane of the Process Explorer view. Right-click the handle entry in the lower pane and click "Close Handle".
After I closed the handle, I could physically delete the rogue core.sys file from the filesystem, along with the Autoruns entry for it. Problem solved!
The other item that reappeared in Autoruns after the reboot was an oddly named DLL file with hooks into Winlogon and Explorer. In addition to the suspicious name, each entry carries the tell-tale sign of the missing Publisher value:
Delete the entries in Autoruns all you want; they'll keep coming back when you press F5 to refresh. This rogue, randomly named DLL continually monitors to make sure its ugly little hooks are in place. The nasty thing about processes attached to Winlogon is that they're very difficult to kill or remove. We can kill Explorer, but killing Winlogon is not an option; it's the root process of Windows, so shutting it down causes the OS to restart. It's a difficult catch-22.
But we're smarter than the malware vendors. Fire up Process Explorer and use the Find | Find Handle or DLL menu to locate all the instances of this DLL by name. (See, I told you this option was powerful.) Kill any open handles to this file that you find, exactly as we did before. But you'll need to go one step further. We know from the Autoruns that this DLL is likely to be attached to the Explorer and Winlogon processes, but let the find results be your guide. Double-click on any processes you found that reference this DLL. In the process properties dialog, select the Threads tab. Scroll through the threads and kill every one that has the rogue DLL loaded.
Once you've killed all the threads, you can finally delete the entries in Autoruns without them coming back. Reboot, and your machine is now completely free of spyware. I count 17 entries in Task Manager, exactly the same number as when I originally started.
Of course, the smartest thing to do is not to get infected with spyware, malware, or adware in the first place. I can't emphasize this enough: always browse with the latest patches for your preferred web browser. But if you do happen to get infected, at least now you have the tools and knowledge to banish these evildoers from your machine forever.
Update: If you're worried about spyware, malware, and adware, you should strongly consider not running as an Administrator.
Oh - one last funny thing - people in my office are surprised how much you flaunt using CD-cracks. Although I agree with you morally, it is *illegal* under the DMCA, even for stuff you legally own, to circumvent copyright protection technology. Posting about it to others opens you up to legal hassle you might not want.
I could make up some cock-and-bull story, but why not just tell the truth?
I strongly support buying software. Software is part of my livelihood.
http://www.codinghorror.com/blog/archives/000735.html
But I *also* support customer choice, and the idea that the customer is *not* my enemy, and *not* a criminal-- as so many copy protection schemes and DRM approaches assume.
Jeff Atwood on June 19, 2007 3:05 AMI think someone should police the internet with webpages that has spyware..... isnt that kinda breaching into someones property without asking???? if there was an organization that would form some type of anti spyware policy out there that would be great! and get people to report sites that have spyware on them and sue their asses... i think its one way to force people to be more responsible on their sites..... and fix the problem rather than just turning the face the look the other way hoping that no one would do something about it.......
Sam on June 19, 2007 3:43 AMI have had a guy here to do what you have suggested and also ran sypbot and anivir and the only things that we still can't get rid of is something called virtumonde and smitfraud, nothing seems to work. My son was using my computer for games so I am assuming he infected it in this way. I am constantly getting pop ups and things that knock me out of what i am doing. Anyone encounter these two? Anything work?
Sandra on June 19, 2007 3:54 AMgood work!
i actually use this style with a different variation since i didnt know you can kill the threads within the process.
if for some reason i cant kill the spyware process or delete it, i simply remove the startup entries and autoruns and pull the plug in the computer, after that since upon reboot, the startup entries are clear of spyware/worms, it is same to assume you can already delete the spyware programs. this is also assuming unlocker doesnt work as well.
the problem with spybot or even combinations of antispyware or antivirus is the programmers of these spywares/worms lock their process within a legit process making them undeletable, anyway, the killing of threads idea is really new to me and i think is a lifesaver.
thanks for the tip! i thought i already new many stuff regarding this, glad to know somebody else has better idea than me... great to have new insights!
Earl on June 19, 2007 4:09 AMJust use ad-aware, spybot, and CWShredder (http://us.trendmicro.com/us/products/personal/CWShredder/index.html) first. I install those, along with Firefox, on a clean install, as my first thing. Use AVG Free too, for Anti-virus. I've never had a persons computer that didn't get cleaned up with these tools.
Use Spybot to its full capability! Download the beta detection rules!
Set Ad-aware to scan Full!
and I sometimes run CWShredder every day. It only takes a few seconds, and it's just as long to download.
These are good tips, if you can't do it with the easy way. This is the REALLY REALLY HARD way. But it is good, if you can't get rid of everything with the above mentioned.
Gabriel J. Smolnyki on June 19, 2007 5:06 AMI would echo that *nix and macs systems aren't less prone because of a smaller userbase. Just look at IE vs Firefox for a comparitive situation.
However, if more people moved over to these systems there *would* be a higher percentage of holes found, just not necessarily to the same degree.
Automatically switching to a *nix or mac system doesn't mean you don't have to take the same precautionary measures. Those that use these systems tend (though not always) to be those that automatically take the required measures anyway. And I'm talking about regular checks, not running using insecure software, not visiting suspect websites/running suspect programs etc.
In my experience (and echoed by many others) if you follow these measures on a Windows system you very rarely run into any problems.
The Vista security model makes the best, in my opinion, of a tricky situation. The justification behind quick elevation is that, given the inconvenience people find the existing solution to be, if it were any more inconvenient people would turn it off (they are more likely to turn it off completely than downgrade to something like the current model). You then have no more security than previous versions.
Vista is a transition OS, designed largely to facilitate a change from bad practices and train users in the new ways. Microsoft rightly take a few years with gradual steps to introduce big changes (that's not to say that they haven't been too late in introducing many of the changes for a lot of things).
[ICR] on June 19, 2007 6:20 AMYou do realize that by posting this the malware,adware writers only have to put "Microsoft Corporation" in the publisher section to thwart your attempts?
hoaX on June 19, 2007 6:30 AMWell, this article arrived in the nick of time.
So, a couple days ago, I get a new freelance 3D job. I haven't worked at home in my 3D app (Maya if anyone cares) in quite a while, and I'd since upgraded my network card. Since Maya's activation key is tied somehow to the network card, my perfectly legal, bought-and-paid-for license was no longer valid. Transferring the license became a nightmare of poor customer service calls, so I decided to surf the web for a way to crack it. I'm on a deadline you know?
Long story short, after surfing the myriads of admittedly unsafe sites (even with the latest version of Firefox installed) I got hit, and couldn't quite mop of the vestiges of the infestation. Then along comes this article, and *presto* my machine is clean again.
Thanks.
Oh, that's also another argument against ridiculous copy protection mechanisms. One of the reason's for Maya's popularity was that it was so widely pirated. Students steal the software, and when they start actually making money in the field, they go with what they already know. Anyways, down with lame-o copy protection.
Trevor on June 19, 2007 6:36 AMHoax: Process Explorer can verify the publisher by the executable's signature. Unfortunately, not even Microsoft appears to sign all of their stuff properly, so this isn't a solved problem yet.
Eam on June 19, 2007 7:30 AMAs I mentioned, and a few informed people reiterated, it would be easy and best to reformat and start over. Since this is only a gaming box, and newly installed, is should be painless to redo it correctly and avoid later hassle. If you ever plug this machine on your network on the safe side of your firewall then it is likely your safe machines, the ones you do use for banking and such, will get owned.
More than half of modern malware comes with a rootkit, according to recent studies (Google rootkit increase). Thus you can assume for each piece of malware that you removed above, there is one still hidden. Tools running within the OS like RootkitRevealer are now easily bypassed, and sample code to do this (and much more) can be found online, making it trivial to get past the methods above.
Modern malware is designed to update itself, and will use the most recent attack vectors to capture neighboring machines. Even if all your machines are currently patched, but one on your network is owned, once a new hole is discovered and rolled out to your owned machine, the rest of your machines will soon be owned. Putting an easily fixable machine back into service can easily lead to all your machines being rooted, which would require a lot more reinstalling. I do research into malware and work on rootkits, and I do see this happen.
As to another person's question - you can modify the kernel without a reboot. So that is no guarantee that you avoided a rootkit. An easy way to do it is to use Device/PhysicalMemory and change links in the process list to hide things. You can change *whatever* you want on a running system with this, since you have full unfettered access to RAM for every process, including kernel structures.
Packet sniffers do not work on well crafted malware either. Many use very stealthy and low bandwidth communication traffic, and are extremely hard to ferret out with packet traffic.
Putting any compromised machine on your network is a sure way to get them all hosed. Good luck.
What to do? Run behind a hardware firewall. Use antivirus. Use updates. Do not run as admin (I know - hard to do). Vista is likely more secure than XP (the randomized memory layout goes a long way to preventing attacks). Do not run crapware.
Oh - one last funny thing - people in my office are surprised how much you flaunt using CD-cracks. Although I agree with you morally, it is *illegal* under the DMCA, even for stuff you legally own, to circumvent copyright protection technology. Posting about it to others opens you up to legal hassle you might not want. You may as well state you smoke pot often and like to run red lights :)
Chris Lomont on June 19, 2007 7:50 AMIt's not that the mac or linux are great (although they are, except for linux), it's that Microsoft makes horrible, horrible, horrible software. Try living a few months without having to think about viruses and spyware, and you'll never go back.
And believe this too: Even if you enjoy some kind of feeling of mastery, just because you can get your computer to not crash with only a half-day's work, you won't miss it with computers that simply work. You'll get your feeling of mastery from getting actual work done, which feels a whole lot better.
Seriously, PC users are like kidnap victims, who idolize their abusers... It's painful to watch. Get real, get out, get free!
Antoine Valot on June 19, 2007 7:55 AMI skimmed the comments and didn't see this explicity mentioned: it seems more likely to me that one of the no-cd patches itself gave you the malware. After all, these patches are made by anonymous people, and are *illegal*. They are the perfect vector for malware.
I hate IE and Windows as much as the next guy, but it might not be at fault in this case?
What a great post. i fix pc's for a living and hadn't come across this handy tool, fills the gaps that the anti-malware programs leave.
Dan on June 19, 2007 8:19 AMHmm Going through all this comment I starts to wonder why to read a blog if you can comment it WITHOUT reading it. The article above describe the fastest and easiest way of cleaning malwares. Using common sense when looking of company descriptions is the best way to find malware processes and files. And with using signature check (included in process explorer and autostart)you can make sure that description and other details of the image not spoofed. No descriptionand cryptographic file names raise suspicion. Several post told to use antispyware software. Those products clean only known widespread spywares. Using common sense can identify much more of them. So if you have no other way you can use this method as a last resort. You can learn more on this on microsoft technet. www.microsoft.com/itsshowtime look for Mark Russinovich presentation.
I totally concur with the poster who suggested using BartPE to live-boot a machine with an infected HD. You can add a number of useful modules to BartPE like AdAware, McAfee Stinger and Command Line virus scanner, Firefox, thereby increasing its usefulness.
BartPE has made my de-lousing tasks SOOO much easier over the years. Also great for getting important files off of a system that refuses to boot.
Best of all, because you aren't loading the OS from the infected machine, it's a lot easier to pry those nasty malware hooks from your system since they aren't in use at the time.
HijackThis is crucial. Keep it in your Doctor's bag at all times.
p.s. I'm a hardcore Mac user who still does tech support for Windows. Gotta make a living, ya know.
Heff on June 19, 2007 8:56 AMIf this article confirms one thing, it's that prevention is better than cure. I wouldn't even bother to attempt a fix - how can anyone be certain of the result? All that effort, for what is at best, the hope of a fix and nothing more.
The simplest approach is to rebuild the machine securely, with non-admin accounts and take an image of the drives before putting it to use. There is no point in spending hours half-fixing something when you can restore it perfectly from backup in 15-30 minutes and have the assurance it is pristine.
For what it's worth, I wouldn't recommend any spyware-protection that depends on you running as an Administrator either - it's like a burgular alarm which only works if your house is unlocked and people are free to wander in (much better to just lock the house).
Paul Coddington on June 19, 2007 9:29 AMThanks for the info Jeff, I've used some of those tools for quite a while now, especially process explorer. Very handy when you need to get rid of files that are locked by the OS. I'll definitely be grabbing 'autoruns' now that I am aware of it.
As for people suggesting Firefox (including extension), Linux, or Mac kind of missed the point of this blog I fear. Sure, he can use Linux, Mac, or Firefox and avoid these issues, but he *may* not be able to run his games under the other OSes. (I say may, cause there is a good chance wine, cedega, et all would run them without very much difficulty, but I have no first hand experience getting those sims working on wine, et all). The point was, when you're already screwed, here is what you can do to unscrew yourself, and I believe this article did that quite well.
This is also above the heads of 95% of people out there, as those tools can easily destabilize your system and must be used with caution, or at least on a system that "doesn't matter" (aka, not to be "tested" on the production exchange server at your place of employment). However, using these tools may help you achieve a higher level of understanding about exactly how your OS works, and possibly bump you up into that elite 5% of the people out there, and that is always a good thing.
Tyler on June 19, 2007 10:47 AMTo the rootkit people:
So they can hide even when the operating system is taken-off line, the kernel-mode driver is identified, and a system file-check is run, all without the rootkit running at all? I'm sorry, but your rootkits aren't as invulernable as you think, and the majority cannot hide from RootkitRevealer. The amazing rootkits are still vulnerable outside of Windows, just like any other malware program. Disconnect the NIC. Remove malware using Jeff's procedure, boot outside of the Windows install, scan around, repair install whatever Windows version you're running. Patch up. Check user accounts, reset policies. Done. This can be done in a matter of a couple hours (of actual work, obviously not including sitting around for scans) by a white-hat with intimate Windows knowledge.
In the meantime, compared to what even the most advanced corporate antivirus solutions can muster, Jeff's procedure is the most powerful procedure of manual virus removal accessible to the tech-savvy end-user.
Besides, you're probably not getting infected by HackerDefender Platinum+++ from GameCopyWorld.
Sean Kane on June 19, 2007 10:52 AMOne thing that I used to do was remove the entries that were placed in my registry by the malware.
tenacitus on June 19, 2007 10:57 AM"or ditch Windows and switch to Linux or Mac. problem solved."
Or you could slit your wrists and do the world a favor.
BobTheCow on June 19, 2007 11:43 AMWe need ot consider malware as a question with several answers as to the "why" In the dawn of networks it may indeed have been a proto-"KeWlD00dZ" trip./me more leet... gaming even. But it soon mutated into a cash cow. like many similar cancers even becoming a threat to it's host's health. So we began the zeno race of virii and antivirii writers.
How many cases may there be of the same cockroach both writing a virus and selling an antivirus? Sort of like poisoning someone to sell the antidote eh? In the real world that stunt gets you major jail time.
Why should net crime be more lenient especially in light of the victim pool being XX millions worlld wide so affected.
The answers?
The reason we have malicious code existing at all is primarily monetary.
Strongly punish the monetary aspect and give non-trivial jail time for participating wittingly in computer crime or accept that we condone it.
The concept of RICO laws applying seems most apt to bear drastic force application potential. Hell- why not argue for calculating the "lost time" due to a cyber malfeasance and force the convictiid criminal/s to pay restitution? The recent arrest of a "spam king" provides a chance to reverse engineer how his ilk works and persecute them in a sadly mundane fashion.
The "final fix" thus will be a consensus to make witting participation in cyber crime rewarded by a hard 10 at minimum jail term *PER COUNT*.
"For your deliberate flaunting of interstate wire fraud laws your sentence is 7,394,209 years BEFORE you wil be considered for parole"
Answer Bearer on June 19, 2007 12:12 PMFor all the Mac trolls: http://projects.info-pull.com/moab/
Thomas on June 19, 2007 1:42 PMI've also used ProcesExplorer to remove unwanted junk from a PC. A little tip for the multi-process stuff that detects when you kill it's sibling app: don't just kill the process - pause the processes before you kill them. Most of these apps arn't smart enough to check for a paused app.
Jason on June 20, 2007 2:30 AMrecently i had somethin called clcr.exe om my laptop no idea where it came from...it was puttin the most interesting porn etc on my computer...couldn't get rid it....still cant....gonna try the above steps....the only safe computing im doin right now is thru ubuntu....which is how i was ablt to see the incoming trash....dual booting has its benifets...im a father of three...so im weaning everyone off of window...its tooo vulnerable...but linux has its drawbacks as well...but it does see alot of the sh@t that trojans put in your computer....heres a plug for the people who dont want to dual boot look up something called wubi....
mordeith on June 20, 2007 2:44 AM"One of the reason's for Maya's popularity was that it was so widely pirated."
I can't believe anyone actually believes this nonsense.
Maya made its fortune when it was running on SGI machines at $20K per licence. It became the market leader because it was (and still is) the best software in its field.
The parent company, when it shifted to a platform more easily pirated, started losing money hand over fist and was passed from owner to owner until finally being bought by its main rival for a bargain price.
People will pirate whatever is easy to pirate. Copy protection removes the temptation. Instead of complaining about ALL protection, just complain about the ones that are badly implemented.
Alias user on June 20, 2007 4:08 AMSean Kane:
You give a method to remove rootkits:
"...the kernel-mode driver is identified, and a system file-check is run...", "...the majority cannot hide from RootkitRevealer...", "...boot outside of the Windows install, scan around, repair install whatever Windows version you're running...."
Sounds easy.
Which kernel mode driver? How do you find it? Some rootkits modify existing pieces, so there are no new drivers or registry settings to find/remove. They mutate (simple version - find the code to morphine and study it). Now how do you detect if your kernel32.dll is bad? There are many legit versions from various MS patches, but your repair install should get it. How about other drivers that are not from the XP install, but were installed from other apps, like Quicktime, antivirus :), iTunes, etc? These are not repaired nor removed by your method, and will still be loaded upon reboot, reinfecting anything else the rootkit targets
Your method does not address boot sector rootkits (exist) nor BIOS rootkits (exist). Your method does not clear ADS on the filesystem. It does not check slackspace (methods exist), and does not check sections marked bad by NTFS (where things do hide).
Your method does not address RAM only rootkits (exist), which require shutting down all machines simultaneously on the network, making sure none have a persistent carrier, cleaning, and then putting them all back online.
You say that the majority of rootkits cannot hide from RootkitRevealer, but all it takes is one. Most recent rootkits bypass RootkitRevealer since it is a popular tool, and is easily bypassed. Here is a *year old* forum thread and code showing how to do it: http://www.rootkit.com/board.php?did=edge526closed=0lastx=15.
Not hard at all. Rootkits also exist that bypass IceSword, Blacklight, and Sophos Anti-Rootkit.
You mention white-hats can fix rootkits. The white-hats with detailed windows internal knowledge I know in the malware field across the board recommend reinstallation.
Oh well, stubborn people continue along :)
Chris Lomont on June 20, 2007 8:28 AMGood article! This should be looked at as one more tool/option for the toolkit/notes file. Not all tools are as effective or do as good a job but having the tool/option for your particular situation is valuable.
It's obvious that everyone here has different ideas and using those ideas will result in different outcomes depending on ones situation and circumstances. While throwing out the baby with the bath water may be the answer to one situation it will not be a viable option in answer in another circumstance.
Having choices is what we all are arguing over and I am glad Jeff has given me another choice to put in my took box just as many of the other suggestions that have been added to these posts.
Even the option to switch to Lixux or Mac...just maybe not as many options ;)
pddiver1 on June 20, 2007 10:51 AMAn excellent article, I've a couple of comments. For those that want to grab the systinternals software, Microsoft was nice enough to allow you to grab it all as a bundle here:
http://www.microsoft.com/technet/sysinternals/Utilities/SysinternalsSuite.mspx
(8 MB)
For the use of 'more secure' systems... it doesn't always work that way. Sure you can focus on user space / separation, sandboxes, etc, but you can (inadvertently or not) load and unload unix kernel modules, etc. I can do it even to the big Commercial unices like Solaris / AIX. Personally I don't use Linux (would prefer to install Solaris if I was going that route), and I currently don't have a Mac as I don't like BSD'esque O/S's.
My biggest problem with XP is that it is shipped with IE. It's a cart before the horse problem when you're using an unsafe (unpatched) browser to get patches for the browser to make it safe. IMO - Jeff got what he deserved (not that I wish this stuff on anyone). I wish windows would complete it's installation then (as a clean up task), grab you the newest version of IE, then as a final cleanup, grab all security patches by default.
A good read !
-Drew.
Drew on June 20, 2007 12:55 PMJeff,
This article and all its comments is a wonderful exploration into the the impact of human fear on computing and how it makes people behave (often quite irrationally) as a result.
It's amazing how people seem to fall into different categories of behavior in dealing with computers and their fears [of malware].
1) Switch to a "safer" computing platform
2) Use anti-x protection/cleaning software
3) Learn every possible file/execution/memory interaction
4) Develop a "tried and true" save/restoration process
1 and 2 are clear examples of primitive fight-or-flight behavior. 3 and 4 depict a more evolved knowledge-based approach.
I learned at an early age while playing adventure games that SAVE/RESTORE was the greatest gift of computers to mankind and it should be utilized accordingly in all situations of potential danger.
As a result, I live a happy life free of realtime scanning software, UAC, or limited user privileges, and full of optimal performance, a pragmatic understanding of the risks, and a religious awareness of "Update Tuesday". :)
Keep up the good work. Your site is an inspiration.
Matias Nio on June 20, 2007 1:03 PMThank you so much for this article. I had 2 dlls hooked with winlogon and explorer for about two weeks now. From other info gained from searches I had already tried using Process Explorer and Autoruns both, and to no avail. Your article clearly showed me what integral step I was missing. I didn't know to kill the threads in the process properties dialog of procxp until I read this. Thank you again for this, you saved me many hours of burning cds and formatting to get rid of my issue.
Jay on June 21, 2007 5:20 AM- I thought the thinking went like... Don't log in as admin, ever! If your games won't run as non-admin, make a shortcut and select 'Run as...' to start them. Running as admin + having spyware = told you so, many people told you so.
- Use DaemonTools / DeamonTools for no-cd goodness, that way you can keep out of the dark, shady underbelly of the internets and not have to DJ your game disks. Maybe don't play games that consider DeamonTools a hacker tool.
JJ on June 21, 2007 7:49 AMUse BufferZone (found at www.trustware.com), on a completely clean PC. This is one of the best programs I've found! It will run everything virtually, and nothing is able to access your actual files. If you do get spyware/adware, just empty the "bufferzone" and everything will be back to normal. I have actually tried to get as much spyware, and viruses as I could to test this program, and it removed everything!
Jon on June 21, 2007 9:45 AMYou can still use administrator account and run IE in a limited account:
http://dotmad.blogspot.com/2007/04/running-internet-explorer-in-secured.html
This really helped me out despite the fact that I didn't have spyware. A lot of legitimate companies leave programs that don't do anything but take up processor time. (i.e. my mouse drivers came with a bunch of "configuration software" that starts every time I log on. Adobe reader has a speed loader that starts even though I hardly use it. goggle update. ect.) Without a program like autoruns you can't keep stuff like that from coming back constantly. Thanks for cluing me in.
Nothing on June 23, 2007 12:02 PMThanks for this guide. I had been struggling to remove the same virus "core.sys" from my machine for a couple of weeks and this has sorted me out.
Tristan on June 24, 2007 4:14 AMGreat article, the kind that one needs to always have onhand as a hardcopy.
As an independent IT consultant, I have access to and use all the OS's mentioned in the above postings, and more.
My laptop and main personal computer have been happily running WINDOWS 98SE for many many years. Currently, w/o any antivirus protection or antispyware protection. Firefox is mandatory, and I'm a very happy camper -
Current TaskList= net surfing, writing MSAccess code, using RDP to my 2K3 server, VNC from laptop to desktop, RDP to my XP/Knoppix box, listening to music from desktop to laptop via Media Player
Classic, snapshotting desktops for maps edited in MSPaint and printed, Nero disk burning, dual monitors, an (occasional) bunch of (slightly) naughty jpegs. Word and/or Excell open, a Post-It note program, Outlook Express, writing (simple) C programs in the CLI, and even sometimes routing my neighbors wireless through the NIC into my network when my Internet goes down.
All at the same time, all nice and fast.
Any real problems? Reformat, bring back my previous days's
"echo a|xcopy /d /r /i /c /e /h .\here .\there" backup.
(I've not had to restore for any virus issues, but once recently due to impending drive failure)
Thank you, I've been wanting to get this off my chest for a while now.
The reason I hollered the demon 'W' word in the above text is to be the first one to start the inevitable yelling that I've probably started.........
-Paul
Paul on June 24, 2007 11:33 AMI wanted to thank you for this tutorial, not only was it very informative and insighful but it helped me bring an end to my spyware/malware problem on my workstation computer here at the office. Thanks again and I hope you continue youre work as Im sure many of us appreciate your efforts!
YoureMyHiro on July 10, 2007 4:47 AMto those who said quicktime has an option to disable auto startup.
IT DOES NOT... at least not in its preferences.
the trick only worked for a while, it is again back on every reboot.
that's malware. congrats apple.
cmon_ on July 14, 2007 2:19 AMDude, Cant thank you enough. I ran my McAfee system about 100 times. I would take the spyware off but did nothing for the crap that was hidden in other files. It took a while but this website directed me to kill all the BS on my laptop. It feels liberating to be able to shove it up the hineys of these jerkoffs that do this crap. Thanks again bro.
Tom Whiting
Tom Whiting on July 19, 2007 2:28 AMJeff - I followed your instructions, the rogue dll attach itself to winlogon and explorer, when i remove the threads from all 3 of them it comes right back, and i'm still unable to delete the file. anyway to stop them from reloading?
W on July 26, 2007 4:35 AMW, start Process Explorer, then kill explorer.exe. Process Explorer will still be running-- use it to kill the threads attached to WinLogon.
Jeff Atwood on July 26, 2007 7:34 AMI tried your things yesterday night and it works !!
Thanks a bunch.
Monkios on September 11, 2007 7:11 AMChris Lomont is right - there is only one way and that is a clean rebuild
The question I have for Chris Lomont however is HOW THE HELL DO I DO A CLEAN REBUILD when the rootkit I have hides my DVD drive when it detects an installation disk in it, hides DOS windows when it detects scanning software and disallows me to reformat any of my discs
???
Any help would be greatfully received...
HELP! on October 4, 2007 12:34 PMHELP!, try booting from a bootable Windows install CD.
Jeff Atwood on October 4, 2007 12:44 PMThank you so much for this article. I haven't got a rootkit issue so far(?), but I've been using the other tools for some time now. Using the Process Explorer to kill threads within winlogon and thus freeing the rogue dll was new to me. Thanks for the tip. I used another trick to get around the same problem on my friend's computer. I used the windows explorer to deny read and execute rights to the rogue dlls that loaded themselves into winlogon.exe and lsass.exe (you need ntfs filesystem for this trick to work). Then rebooted the system and did the remaining cleanup as mentioned in the article.
The trick may not work against a spyware that will hook the API itself or monitor the system using a driver, but hopefully most spyware apps aren't that smart.
Awesome article! A must-read for every desktop user out there. Clean, detailed, and based around free software.
I recommend that you make an ebook of this post :-)
For reasons of simplicity, I use 2 windows installations with different security software. This way I can switch from one to another and have a scan from another vendor.
Also, I'd suggest every advanced user have a bootable CD with Avast, Lavasoft and McAfee utilities to run. It does help and is faster than killing nasties from the windows GUI.
Thanks for your great article, it turns out my pc wasn't as bad off as I suspected (I am a pc hypochondriac..) but I did learn a lot about processes and some great free tools. I feel like I have a better understanding about what to look for. Thanks again!
Anna on December 10, 2007 10:51 AMHey Jeff.
Very helpful article. Just wanted to add a few useful tips.
Sometimes spyware installs services that monitor running processes, and keep firing them up as quick as you kill them. A very handy tip from Mark Russinovich (the Sysinternals guy) is to *suspend* the process rather than kill it. The process appears to be running, but it cannot do anything.
Bork Blatt on December 19, 2007 2:30 AMHiya Jeff,
GREAT article. I got nailed by spyware in a bad way (stupidly clicked on something i shouldn't have before installing spybot et-al on a new windows build). I dominated all the spyware thanks to your tips
Cheers!
- Luke
Great article indeed. Adaware spybot only go so far in cleaning up.
Will add Process Explorer autorun in my tools map. Tried a similar autorun program before but I had no idea so many things start at boottime.
Carra on January 11, 2008 1:58 AMFWIW I like your approach in that Antimalware software these days is worthless. I agree with whoever said once its infected it cannot be trusted. Here is what I do now that i work in an IT dept and make decisions to the fate of a computer
Initial contact: Run the antimalware software to make the user and management feel warm and fuzzy.
Run MSconfig and Hijack this. Kill weird processes
Second call: It came back. Make arrangement for a format and reinstall. I dont want rogue s*it on my network and if the simple didnt kill it I am not going to run the risk or waste anymore time beating a dead horse.
I have been a malware killing fool since 2003 and it has come to this.
Spiritbear on March 11, 2008 5:41 AMwould it be okay if I'll just reformat the pc instead?
Jay on March 15, 2008 3:47 AMHey Jeff,
Great article, what an excellent guide for removing malware, and a much better alternative than installing (and paying for) multiple spyware removal products which may or may not do the job.
I'd like to ditto the comments above about the code authentication options in PE and Autoruns, and about running rootkit revealer if there are still persistent nasties. I'd reckon this will get anyone out of trouble *just about* 100% of the time.
Thanks again!
rover on April 6, 2008 4:46 AMAnother handy item for killing these things is a clean install of cygwin on CD. With Cygwin's ps, you can find hidden processes _and_ kill them, which you often can't from Task Manager and sometimes not even from proc explorer.
I agree that everyone should have current browser and patches and run AV, but sometimes it just seems to appear. The sadly pathetic response of most MCSE IT shops is to reimage the drive. They don't care. But it often means days lost while the job is done and the user re-creates their working environment.
That is _not_ the way to handle system administration. Any admin who can't sit down at a PC with his tool cd and fix anything except a hardware fault is not worth hiring. Re-imaging is the first resort of an amateur, not the first response of a pro.
It isn't a quick and easy task, but it's doable in a couple hours. Been there, cleaned that.
flink on June 26, 2008 8:02 AMI'd mention the command-line version of the free a-squad anti-malware. After a short research it turns out that a-squared is just the only company who offers a command prompt based tool. F-prot ceased support to its DOS-compatible version of antivirus, DrWeb and Vexira offer command-line scanners on commercial basis only. Other vendors seem to include this nice feature in enterprise products, which cannot be free by their nature.
To me, it's one more reason to give thumbs up to a-squared.
Thanks for the useful article.
A good 40-page guide on 'How to Secure Windows and Your Privacy' can be downloaded from Scribd's free document library at -- http://www.scribd.com/doc/3091625/How-to-Secure-Your-Windows-PC-and-Your-Privacy
I've found that using Cygwin will let you kill processes that windows refuses to stop. It's handy for removing files, too.
flink on September 5, 2008 4:08 AMPeople on forums and open posts like this one never cease to amaze me. Instead of giving props to the effort and work put into this guide, people start talking about automatic tools that only work on a very small part of the problem.
I am a professional technician and systems admin, and I myself have worked with various spyware tools, HiJackThis, and many others, that really will NEVER be able to get rid of all spyware, trojan and memory resident intrusions that affect a system.
Spybot is good, but not even close to removing some system infestations.
Doing things manually will ALWAYS prove to be more effective a solution because we are living in the NOW and NEW and more lethal spyware threats WILL ALWAYS be created to suck money from the less fortunate that get infected from browsing habits or security holes.
I too use a Norton Ghost Image instead of a reinstall, but that is besides the point for someone who does not have the know how to even build an image of a clean install.
For pesky infestations, I have created a Batch File that automatically kills the spyware processes and removes the file after removing it from running in memory. Although this is a work in progress, it currently removes over 45 known spyware files, folders and memory residents.
People are so dumb now a days, and automatic tools do not help the problem too well. No matter how dumb the average user might be to removing intrusions, the day will come when they say enough is enough and find a way to do it themselves.
King on September 15, 2008 6:44 AMDude, are you using a diiferent version of Process explorer then you gave a link to? The version I downloaded doesn't have a 'process properties dialog' option! Help!
Alex on November 29, 2008 6:18 AMoh wait, scratch that
Alex on December 25, 2008 11:51 AMJust cleaned a PC and I found that extensions with Publisher / Company column of ARNIWORX (A daemon tools component) should be removed. Links to daemon.dll should be removed. I personally don't like daemon tools because of the bundled malware.
Blaine on March 22, 2009 2:55 AMHmm, I agree with most said except for registry cleanups. It's risky. Tackling the Windows registry requires knowledge in the first place, and each and every piece of software that deals with registry should be used for very specific tasks. A registry cleaner is NOT a cure that fixes problems and makes system fast. I've seen too many people who destroyed their computers by running registry cleaners.
Kelly Wright on June 25, 2009 9:56 AMJeff,
Your problem with getting infected with spyware was not the fault of your browser or an unpatched OS. You should never have been running as an Administrator.
You've mentioned it yourself before:
http://www.codinghorror.com/blog/archives/000803.html
And if the game has trouble under non-admin:
http://blogs.msdn.com/aaron_margosis/archive/2006/08/07/LuaBuglight.aspx
--
Jason
Another Jason beat me to asking the same thing: What are the results if you're not running as administrator?
jayson knight on February 6, 2010 10:07 PMIf you *know* a machine has been compromised (as you did here), the way to fix it is to format and reinstall the OS. Attempts to find and remove all the malware are error-prone and provably inadequate for certain classes of malware. You may end up feeling good thinking you've gotten everything, but well-written malware will remain on your system...
anon on February 6, 2010 10:07 PMJust for completeness. The games might run on Linux. If Wine can't handle it, maybe Cedega can. The odds aren't that great, but it might be worth a shot.
John Nilsson on February 6, 2010 10:07 PMWith regards to rootkits. In this example it seems the damage was identified before Jeff rebooted the virtual PC.
Is it possible to modify a running kernel without a reboot?
If it is not, then wouldn't cleaning the PC before the reboot have prevented infection with a rootkit?
However, I realise that this question is hypothetical because in a real life scenario it is unlikely the infection is going to be discovered before the machine is rebooted.
bon on February 6, 2010 10:07 PMYou can simply use software like unhackme :)
Ron Welba on February 6, 2010 10:07 PMfew free apps that people either dont use or do nto know about,,,
always make sure your PC has a firewall, if it does not, you will sooner or later get a virus.
make sure you also have a virus software, AVG is a free one and you can install it, google it..
here are some free apps that are a must:
spybot
MRU blaster
melwarebytes
CCleaner
if you have any questions, email me or visit my site, i will be more than happy to help :) my spyware removal blog
sonylome on September 15, 2010 4:05 PMJeff, I wrote a fairly lengthy article recently titled How to Clean Malware and Viruses Off a Windows PC with Free Software - http://blog.anthonyrthompson.com/2010/10/clean-windows-malware-viruses-with-free-software/
(The gist of it is that nowadays it's extremely difficult to clean a running system, since spyware often runs multiple copies of itself to stymie strategies like process killing that you describe; instead you really need to boot from alternate media like CD, USB, etc.)
Anthony R. Thompson on November 4, 2010 10:04 PMJeff Atwood: ... killing Winlogon is not an option ...
Yes it is... http://blogs.technet.com/b/markrussinovich/archive/2005/07/24/running-windows-with-no-services.aspx
Hello71 on January 24, 2011 6:09 PMAnd you say you know Mark Russinovich?
Hello71 on January 24, 2011 6:10 PMThis post has saved me a few times.
As a Linux user, I was completely clueless about what to do on a Windows machine, and having caused the spyware/malware situation myself, it was my responsibility to fix it.
After a bazillion Google searches (some of which were hijacked by the malware by proxy settings), I started paying real close attention to the result page URLs that I was clicking on. Seeing codinghorror.com on the serp on my 950th search attempt had me heaving a sigh of relief.
The rest was a walk in the park.
Thanks Jeff.
-T
Nadahalli on February 28, 2011 11:24 AMThe comments to this entry are closed.
Subscribe in a reader
Subscribe via email
|
|
Traffic Stats |