After carrying out the above steps, your system is clean in the sense that it isn't actively running adware/malware/spyware any more. However you should still run Ad-Aware, Spybot, and/or HijackThis to get rid of any spoor left behind by the adware. Things like orphaned files, tracking cookies, obsolete registry entries, and so forth.

http://www.lavasoftusa.com/products/ad_aware_free.php
http://www.safer-networking.org/en/download/index.html
http://www.spywareinfo.com/~merijn/programs.php#hijackthis

Microsoft also has a malicious software removal tool which is freely downloadable:

http://www.microsoft.com/security/malwareremove/default.mspx

With all due respect and without trying to sound noobish, wouldn't it have been better if I had left the job to a combination of Spybot S&D, Ad-Aware and HijackThis instead of rummaging through tons of process threads and startup entries and then deleting them. These can do the job pretty efficiently with HJT being the best choice for getting rid of BHOs.

There is no doubt this post is a highly knowledgeable one considering that it delves deep into the manipulation of things at the process and registry level, places about which people are either totally unaware or even if they are in the know, they choose not to fix what ain't broken. From the sole viewpoint of academic interest, this is an excellent post. But if I wanted to do the job faster and more efficiently, I would have rather gone for the above mentioned tools.

Very helpful, thanks. Spybot S&D isn't as powerful as this.

Another recommendation would be to have Firefox with the NoScript addon. It disables all scripts on pages, and has a whitelist function. After installing it I've received alot less adware.

Cheers.

I would also consider running RootKitRevealer from sysinternals for those extra sneaky spyware that don't even show up in ProcessExplorer.

http://www.microsoft.com/technet/sysinternals/utilities/RootkitRevealer.mspx

> These can do the job pretty efficiently with HJT being the best choice for getting rid of BHOs

Both Ad-Aware and Spybot *FAILED* to remove the multiple winlogon infections, including Virtumonde. They were the first thing I tried! After that I figured, the heck with it, I can do it better myself.

Those programs are good for cleaning up leftover files on disk and miscellaneous registry keys *after* the steps I outlined above.

Thanks for the explanation of the latter-stage removal, thread killing, etc.

It just boggles the mind that a user application could put this much debris in the system directories (I'm assuming that you were browsing as an unprivileged user.) Not to be naive or a troll, but honestly, what the hell were they thinking when they expanded IE into something so complex with such loose security? With all the convoluted access control that Windows offers, the OS & app vendor couldn't or wouldn't obviate this problem during the design phase; it's pathetic.

In a related exercise, try downloading a Firefox installer as Administrator on Windows 2003 Server. The combination of Mozilla's random download mirrors and IE's twitchy security model make it improbable you'll ever get the installer downloaded. So even if you want to use a browser that is unlikely to run with elevated privileges, you can't get it because the existing browser knows what's best for you, security-wise.

There's a balance between protecting the user and giving them enough control to make the system usable. The problem here is lack of visibility and choice - in the former case you have software that installs without giving you any notice or choice, in the latter you have plenty of alerts, but very little choice because the alerts appear after the browser has interfered with your request.

Why the OS installer decides (again, without giving me a choice) that I need a graphical desktop environment, a media player, and a browser more complex than lynx on a headless server mounted in a rack in a datacenter is a separate question that nobody has satisfactorily answered (Microsoft is the major culprit, but not the only one.) I think you're on the right track with virtualization.

Jeff,

Your problem with getting infected with spyware was not the fault of your browser or an unpatched OS. You should never have been running as an Administrator.

You've mentioned it yourself before:
http://www.codinghorror.com/blog/archives/000803.html

And if the game has trouble under non-admin:
http://blogs.msdn.com/aaron_margosis/archive/2006/08/07/LuaBuglight.aspx

--
Jason

obligatory Linux post:

I really doubt the average user could do all that. It would be much easier to just use a user-friendly Linux distribution like Ubuntu (after getting a knowledgeable friend to do the initial setup of course).

or ditch Windows and switch to Linux or Mac. problem solved.

It's amazing how something as small as this gets overlooked by so many blogs and self-help articles out there. Ad/Spyware is one of the biggest problems plaguing the general computing world today! :(

Thanks for the steps and the programs Jeff! I'll use this guide if (keep my fingers crossed) I ever get infected with those things! :)

> or ditch Windows and switch to Linux or Mac. problem solved

Well, except for the fact that the excellent PC racing simulators I referenced in the very first paragraph-- the entire reason this machine exists-- don't run on Linux or Mac. :)

Perhaps Im a little biased, and perhaps I should ignore the trolls, but I dont see too many Racing sim titles on mac:
http://www.apple.com/games/
or on ubuntu:
http://doc.gwos.org/index.php/Simulation_Games

What about....

* attaching to internet explorer [start page, search address, plugin, toolbar...]
* changing proxy settings
* editing the hosts file

Admittedly you did a very thorough job, but there's so many places things can get that I will never trust a machine as clean once it has anything on it.

i think you are wrong here in 2 points:

1: if there was a process running as a administrator your system is corrupt. (regardless of what your process list says) either look for the names of the programs and find antispyware/antivirus/antiwhatever software. if every program could get identified and removed, your system is restored. if you don't know what the program does you just can't only remove them because you don't know where the program writes something into.

2: your company name search pattern is too vague. there will be good software without and there will be bad software with a company name.

So, you cleaned an infestation without resorting to cleaners? You know your way around a computer? Feeling "all high and mighty, eh?"

I did once, too, until I met my first rootkit. One of my production servers on a remote data server was "infected" with a pirate FTP server and numerous little applications to administer and protect it. On top of them all was a damned little tool called "Hacker Defender", a rootkit based tool that can hide processes, directories, files and even ports at the kernel level.

There was 5 or 6 processes that were hidden by HD and Process Explorer did not even see them. I had to use a special tool to even be aware of them. And what's more, most of those hidden processes, when killed, took the system down with them, as well. A remote server crashing and restarting itself? Fun.

So, don't become over-confident on your abilities and tools. Be like the Zen and add the Rootkit Unhooker to that toolkit (http://rkunhooker1.narod.ru/)

This kind of stuff drove me to mac.

Hi Jeff, why is "Company Name" such a good indicator of a product's spamminess? Can't spyware makers just put "Microsoft Corp" into those fields?

(The only Windows application development I've done has been in IIS, so I'm pretty ignorant.)

Wish I had known about all this back when I got nailed a year ago. Took me a week to get everything sufficiently scrubbed.

Question about relying on the "missing publisher" to identify malicious processes. Isn't it possible for these processes to just give themselves an identity of "Microsoft Corporation" or something?

It's just outrageous that Microsoft's OS/browser security was so terrible for so long. I guess they've gotten their act together with Vista, but the internet will remain polluted with botnets and malware for years to come.

Jeff, just curious, have you ever used OS X or Linux enough to really get a sense of them? Would you ever switch if you weren't a Windows Developer?

BTW, I met Woody Pewitt of Microsoft at a Rails Meetup and he had a huge Coding Horror sticker on his laptop :)

Jeff,

2 quick notes, as obvious as this may sound, login on to safe mode would've helped you get rid of most of those process with a simple registry edit, and running ad-aware /Spybot

secondly, you could've simply used a live cd to get rid of the infected files, I've had to do that to remove a rootkit.

Gotta love Linux Live CDs

Another Jason beat me to asking the same thing: What are the results if you're not running as administrator?

As someone who is a contractor in a large company (hence no admin access), can I say this article was a life-saver!

I got infected by spyware somehow (I haven't done anything dodgy, but it must have got in some how) and was dreading calling IT to ask them to log in as an administrator so I could run spybot as admin.

This article helped me whack the files myself!

You can't imagine how grateful I am!

> What are the results if you're not running as administrator?

Trying it in the VM now. So far so good. I don't see any change in Task Manager with multiple GCW browser windows open.

I agree this is a logical thing to do, but not on a dedicated gaming system.

I lost my enthusiasm for limited user accounts when Microsoft didn't have the guts to make standard users (instead of administrators) the default-- as they absolutely should have-- in Windows Vista. I swore they would. Instead we got hybrid administrator weirdness and the "Cancel or Allow". Sigh. I guess that's another thing we can sacrifice at the altar of backwards compatibility.

what a nice *nix fanbase you have jeff. :)

Sad that no-cd patches is important. This is a typical example on how the fight against pirated software do more harm to those who buy the software. The ones that wanted a pirated version would probably get it anyway.

Maybe IE had some security breaks, but it should not be possible for IE to act as an administrator. No software is perfect, no operating system is perfect, and for sure no human is perfect.
Compared to Unix, Windows never seemed to be designed for the net; you could maybe say that Windows had the network as a feature.
Where a windows commercial would go "Use this software to go on the internet", you could say that with a *nix machine you already where a part of the net and was forced to think of security.

I am by no means a security expert, but I can say it has been healthy for me installing linux distributions after several years as a Microsoft developer.

And they say Linux isn't ready for the desktop...

If it's just a gaming rig, don't connect it to the internet (ignore if you're playing networked games!). Download your no_cd hacks on a fully patched PC (or a Mac or Linux box).

Hurray for Norton Ghost and the 10 minute rebuild. I dont bother with anti-virus/anti-spyware eating my resources - just keep your eyes on your CPU/network usage, and when ready nuke it!

Do this to XP every 3 months or so anyway - fast and clean windows.

I wonder how long it takes for the spyware/adware people (slime?) to start setting "Microsoft Corporation" as the publisher.

Hrm...is the publisher a cryptographically signed field?

hi jeff

There isd a nice bit of software that allows you to not need to get a no-CD crack for your own software try Alcohol 120%, allows you to backup the cd /dvd then run the disk in a virtual drive, what i do as some online games think the no cd crack is a cheat.

A machine which was infected by a virus, trojan or any other badware must be cleaned from scratch - burn the data to DVD, and scrub the rest.

Rootkits are very challenging to detect - to take no risk, set up the system from ground off.

For your gaming machine your actions taken may by ok - but if it was a machine used for business i could never sleep well again, if the machine is not purified to the very last bit.

Of course, the saved data must be analyzed by a number of virus-scanners before being used again.

Paranoia is useful even for non-paranoids :-)

When it comes to malware removal, I really like a combination of safe mode and AVG Anti-Spyware/AVG Anti-Virus. When preventing malware, safe browsing habits and a secure browser are tops. And you always need a good firewall when connected to the Internet.

My system of monthly full scans using AVG's products and weekly quick scans using the same programs (both using up-to-date definitions), Firefox, safe browsing habits, and a firewall (in my case, ZoneAlarm), I haven't had any malware worse than a tracking cookie (which isn't a program or application anyway, at least to my knowledge).

In fact, I even carry a CD with the installation files for the free versions of AVG, the latest Firefox, and ZoneAlarm with my computer. I've set up systems for friends that have these, and I haven't been asked to fix a spyware problem since then.

+10 for SysInternals RootKit Revealer

I recently had my very first virus in all of 15+ years of computing. There is a mechanism where by which the rootkit installs itself as a service in the registry (HKLM\System\CurrentControlSet\Services\...). It doesn't appear in the task manager, nor could I find it in Process Explorer. The rootkit will actually prevent you from modifying the registry entry either via RegEdit, Win32 API, or Native NT functions. The rootkit in turn, makes sure that a browser helper object is always loaded. Of course I couldn't delete the .sys or .dll files, they were locked and/or the rootkit installed hooks preventing the files deletion.

The only way to clear this infection is to mount the HD onto another machine and remove offending files, or, what I did in the end, create a BartPE windows "live" cd and delete the files that way. Then after booting off the HD, the service wasn't being loaded, and I could repair the registry.

Jeff, I really recommend you run RKR.

your demonstrations was another great suggestion,
browse the internet from a virtual pc.

and after all that effort you still can't trust that installation again.
You are much better off reinstalling from scratch and this time, install all patches and don't run as administrator.

I would also compare listening pids to tasklist, and msconfig to rule out ms processes if your going thru all the trouble of checking processes.

The Unix root user security model is not what makes Unix secure. A limited user account might have saved your system data. That's not much use when user data is the important data anyway. System data is cheap to restore: the system disk comes on its own CD with a new computer.

On a multiuser system limited users are vital. I maintain several Unix servers and see user accounts get hijacked every now and then due to bad passwords, insecure web sites, ssh keys hijacked from a home machine, etc. Users are limited to damaging their own accounts, so long as the systems are kept up to date.

There are privilege escalation attacks available against unpatched systems, and those _do_ get tried. I live in fear of zero-days, of course. That would mean a wipe and restore from tape.

I wouldn't trust a manual clean up like you've just done. As other users have pointed out, root kits are easy. Root kit revealers are not nearly as reliable as virus scanners, which are themselves not especially reliable. If you've got a root kit, your machine can be re-hijacked at any time to send spam or whatever, just by the bad guy connecting in.

Linux or Macs are one kind of solution, as others have pointed out. I've seen too many Unix security incidents to consider them any sort of ecosystem solution -- if everybody adopted Linux, we'd be exactly where we are with Windows, once all the bad guys began writing their tools for it.

My own belief is that things are as good right now as they are going to get. There is no technical solution to the problem of software security bugs. If we ever want to end the spam, the identity theft, and the viruses, we're going to have to do it with international legislation and international enforcement. Doesn't seem likely to me.

I also get no-cd patches and other goodies from gamecopyworld.
I've been doing this for some years and always found the process tedious (if you have some games and don't want to "filter" before downloading, that's an awful lot of links to click on)

As some kind of a programmer (at least that's what i do for a living), i quickly hacked together a lil' perl script that does "automatic downloading" of all files related to the games i own.

The big advantage is I only need one click to check if there's any new (updated ?) no-cd/trainer/savegame/gameguide/etc... for any game of my collection and to download it.

It was really an easy thing to do and a big time savior...

...

So what made me post this is how somebody like you could possibly go through the hassle of doing it manually...
I mean you could've submitted the task of writing this script as a substitute to "FizzBuzz" in you interviews ;)

Friends don't let friends use IE :) It's a massive front door for every piece of malware that dubious parties want to install remotely on your PC. I never use IE to visit any unknown or untrusted site, and the first thing I do with it on a new computer is, invariably, downloading Firefox.

I've used these tools often to remove spy/adware as well. My friend's PC recently had a particularily nasty piece of adware which wouldn't leave without hacking it away from Safe Mode.

I have been running Windows XP without any firewall or antivirus applications for years with no virus or spy/adware infections. It often makes me wonder how I seem like the only person who manages to do that... and yes, I do browse the net, download um.. "Linux distros" and... the usual suspects, so the PC is used for a lot of things.

Interesting your "completely my own fault" comment. I have done the same thing ... I preach security all day long at my job and on my own time to friends and family. But then ... for some reason ... I forget my own advice and don't patch, or post personal info somewhere, or something. I guess its human nature sometimes to "just get the job done" and feel sick with all the dumb precautions. Can't the world just be free of bandits?

This reminds me of a video (or was it a series of screenshots? Whatever it was i'd love to find it again if anyone else remembers) of a virtual machine after bonzi-buddy was installed on it.

Anyone else remember this?

Block startup leechers, or at least get warning:
http://www.mlin.net/StartupMonitor.shtml

A few other suggestions (for when you just can't nuke the box).

Use "Verify Signatures" + "Hide Signed Microsoft Entries" if (when!) you're using Autoruns.

Instead of killing the threads with the dlls loaded, suspend them. You'll be able to remove the files/registry entries and reboot without the malicious code replacing them since it won't be re-run by any logoff/shutdown hooks.

The Recovery console almost guarantees success if you're intimately familiar with Windows.

A port scan from "the outside" (and an IP Bridge you can watch network traffic on) can go a long way to having confidence the box is clean(ish).

Have you asked GameCopyWorld to 'splain themselves? If you can get to GCW via a Google search, have you notified Google?

Jeff,

Fantastic (and timely) article, this is exactly the level of detail I needed. I have just managed to clean 2 bad infestations which where proving particularly resilient, but thanks to your thread killing advice it all didn't end in tears, a full rebuild of this ugly sucker would have taken days to weeks to have back in shape. Many many thanks

cl3ft

Windows is in desparate need of a robust package system.

Problems
- inability to install multiple copies of the same program
- problems removing old applications cleanly
- conflicts between installed programs
- no way of specifying an applications interactions with the system and other programs
- no enforcement mechanism for declared interactions
- compromised applications typically have access far beyond their needs

Implementation
- each application must provide a manifest documenting all possible interactions
- the application would explicitly document its dependencies
- the administrator chooses whether to activate an application, possibly with additional restrictions
- the user may be enabled to activate applications as well but this is an explicit process
- the application interacts with the system through a layer that restricts what the app can do
- when a violation is detected, the application is halted and flagged
- the wrapper layer provides a view of the filesystem that only includes areas it needs to see
- the wrapper layer can restrict access to the file types declared in the manifest
- developer tools should help autogenerate the manifests and packages

Benefits
- solves much of the configuration decay issues that Windows has
- the manifest driven wrapper layer helps to control compromised executables
- malware (and any application) is easily uninstalled
- you can run multiple versions of the same program (e.g. Word)
- easier to run programs remotely, or from removable media

Notes
- SoftGrid, et al, is a step in this general direction
- Unix world have various parts and techniques (packages, chroot, executable bit, privilege separation, etc)
- no complete or consistent system applied to all apps though

My recipe: Disable java, javascript and active-x.

Problem solved.

No need for spyware searchers, AV or other "security" packages that attempts to detect a threat retroactively.

Of course, in theory a security hole could exist in the jpg rendering engine (and such has been found before), but most (if not near-all) holes seem to hit the script engines and active-xs.

Or just leave the admin account alone until needed. (Ironically... Game copy protection checks rely on admin rights to install their drivers, which is probably why MS started distributing some of the copy protection engines as part of the standard OS installation)

--
Rune

Uhm, Grant: You can already run multiple versions of Word. Word 2003 can co-exist with Word 2007... User settings are stored separately and they are by default installed to separate folders.

Wow, these posts sure do demonstrate the level of superstition around malware. The typical user machine that is loaded with malare can be cleaned by hand, as Jeff demonstrates, and as I've done numerous times. You can even get away with not using the tools he suggested and going straight to safe mode, regedit, and unlinking the DLLs from the Command Prompt.

It's entirely possible and has always worked just as well as SpyBot or AdAware did for me. People seem to think that these tools implement some magical techniques, but really they are just doing exactly what Jeff outlined above, but automatically. No tricks, no industrial-strength algorithms, just killing processes, removing files, and removing registry entries.

But an Apple Mac or an easy install like Ubuntu or Mandriva

Jeff, it's often amusing when someone of your stature gets "bitten". A few months ago I think you went on about how you didn't need anti-virus software and intimated that it was really necessary only for users who hadn't quite arrived.

At any rate, after Windows 3.11 it seems that it became the norm for vendors to write files to my PC at will, usually without my consent or prior knowledge. Software connects back to the vendor with no action taken on my part.

Until laws are passed that make it a crime for anyone to put software on my PC without my consent, we will be in the prevent mode that is illustrated here, which makes it clear that most users should not browse the web at all -- it is too dangerous.

You also should mention some of the tools at grc.com.

Thanks, excellent post. I'm gonna save a copy
of this post as reference.

This EXACT same thing happened to me even with what I thought was the latest of everything. The kicker was I didn't have my antivirus' active scanner running. I'll never do that again.

The funny thing is I never had trouble with GameCopyWorld before and now I go there and get popups and wierdness even through all of the protection.

Now I go there using Firefox with all of the scripting disabled. :) Moral of the story, use protection when venturing into possibly infected 'websites'.

1) Always run as a Limited User.

2) Gaming, sports, gambling, music/lyrics, and porn sites can never be trusted.

3) If you need to go to the types of sites listed under #2 above, always do so using Virtual PC or VmWare and throw away any changes to the virtual hard disk when you are done.

4) Ignore the Linux and Mac trolls. Using tip #1 above levels the playing field. The Linux and Mac folks will have their comeuppence anyway on the day that people actually start USING those operating systems. ;)

Couldn't you have just done a 'System Restore' instead of all that work?

I won't get into the whole Mac-vs-Linux-vs-Win argument, we're talking about specialized software/hardware that only run on win. What the hell is wrong with IE that it installs software without user notification? The fact that this is the REQUIRED browser for federal employees should make all taxpayers very very nervous.

A virtual machine might be a good way to handle doing the regular restores of a stable base system every few months.

Also it's a simple possibility to check what was changed in your system. Use a scan tool like systracer (http://www.blueproject.ro/systracer) from time to time, and see which files or registry entries are newly added.

ThanQ very much for this useful article.

Heres how i clean a scumware laden windows install:

backup docs
format c:
Patch immediately
Install firefox and anti-spyware measures
create a ghost dvd

I used to have to clean this junk of computers daily... its just not worth the hassle if you have all the stuff you need to reinstall. No matter how deep you go, there is a chance you missed something that can bring it all back in no time. I say nuke it and start over.

AVG & Avast are two exceptional, FREE antivirus applications. I highly recommend either one to any person using an expired antivirus application.

For detecting malware, I recommend AVG Anti-spyware, A-squared Free, A-squared HiJackFree, HiJackThis, & AdAware.

I also recommend using CrapCleaner to remove temporary data from your machine, like temporary files, browser data, etc. It also has a registry cleaner that is most exceptional.

Great post! And the follow-up about root-kit monitor was important as well. This stuff can get really nasty- I've read an article where the author was able to hide malware in EEPROM chips on the motherboard or graphics card. It's designed to mimic most of the original functionality of the chip, but when the OS tries to load the driver the malware gets run instead. And, it could in some instances be run on the gpu. This means that even a complete re-format of the hard drive would not be enough to remove it.

Although this is an interesting article, it in no way can deal with modern malware. Most modern malware incorporates kernel-mode rootkits, which can (and do) easily hide from tools like Rootkit Revealer. Your only chance is to detect them without booting the infected OS - you need a boot CD and knowledge about how things get hidden in the registry and file system. Some malware hides on the hard drive not in common files, but in alternate data streams, slack space, boot sectors, etc., and are not found by tools running in the OS itself. Someone mentioned Hacker Defender, which is an ancient rootkit, and easily detected/removed now. Source code is readily for HackerDefender and many other rootkits, and all of these are weak compared to modern standards.

It seems a lot of people on here think removing malware is easy to do by hand, which is false. It is easy to find *some* malware, and sometimes you can remove it by hand, but the point of a rootkit is that the OS will never tell you about the files, registry locations, etc. that contain the malware.

System Restore does not remove malware, since it does not fix the registry back to a previous state, nor does it remove files that contain malware. It merely tries to restore driver settings AFAIK, and things in start locations in the registry will reinstall themselves.

Running in a VMWare session is also insecure. It is possible for malware to escape to the host system, as shown by research at IntelGuardians. In short, VMWare does host-guest communication through a channel they created, and reverse-engineers have shown how to subvert this to do malware transfer. I don't know if there are exploits in the wild yet, but you can bet there will be.

I'd be willing to bet that your article above only removed obvious, older, sloppy malware. There are most likely things still on your PC that are hidden much better.

Protocol for many secure places is that once a machine has been exposed to possible infection, it gets wiped and rebuilt. Very secure places scrap the machine completely after any possible infection.

In short, if you got a modern infection, odds are that the above methods would not even detect it. Unfortunately in many cases you'll spend less time formatting and reinstalling your apps than trying to ferret out all the places things can hide.

For info, read www.rootkit.org.

Chris Lomont
www.lomont.org

David L: good idea. I should report GCW to google, as they are *clearly* hosting malware.

Chris: I hear what you're saying, but I don't like making decisions based on fear of undetectible unkowns. And for a standalone gaming rig, probably not worth it...

On an XP reload, NEVER connect to the 'net or surf without at A BARE MINIMUM turning the Windows Firewall on and applying ALL updates and patches.

http://autopatcher.com gets you all the post-SP2 patches in one download. Keep it around on CD or a thumb drive, and fully patch your stuff BEFORE connecting.

Also, for those of you who think Firefox = automatic security on XP, read this: http://www.firefoxmyths.com

Wow, you can do all that, or you can just not use Windows and never have to deal with scumware again. The choice was pretty simple for me :)

It's not even necessarily GCW's direct fault - a banner ad could've done it, or one of their mirrors could've been comprimised. It seems kind of silly for such a popular site to deliberately push malware, although I guess NoCDs and trainers are in kind of a shady area.

Still their fault for not taking care of it even if it's not intentional, of course.

Just had to say thank you very much for publishing this article. I'm a long time lurker, and I keep coming back here because with every single post I learn something.

I am reposting the hook on qt3 with a link, hope you don't mind.

I've had this very problem *tonight* - apart from this ddcaxyy.dll thing you also had, I also had some wierd rootkit thing.

I've just spent the last 6 hours recovering the machine. I was going to use procps like you but couldn't find it so used the trial version of Kaspersky (www.kaspersky.com) instead. After many safe boots I managed to get rid of everything except for the damn rootkit which had winlogon hooked.

I eventually booted into the Recovery Console on the XP disk and just del'd the thing from the DOS prompt. Done.

Gotta reccommend Kaspersky though:- looks like a nice solid, honest product that seems to do the job very well. I'll keep it around for the trial period and buy it if it works out.

But, #$^^^$^-hell, 6 hours of lost time just because my son visited some kids gaming website? What sort of damn'd operating system is this pile of junk?

I don't get why people run windows. Its crap. Don't run it. You'll get screwed multiple times from multiple directions. The evidence is overwhelming. Just say no. Don't say nobody ever told you. You will eventually get hosed.

hey, great article, seems like finally i managed to remove one malware: apple's quicktime from autorun.

could not do it using msconfig even after disabling a specific service relevant to it.

yeah the only apple software on my precious pc (except for the safari beta which is utter crap and not because of the fonts) and this one has to be malware.

...don't tell me anything that will not let itself removed from startup using the normal msconfig practice isn't malware!!!

other than this, ive never had problems with virii or anything.

thanks again. i hope it will not come back.

(just to be more clear, uninstallation of the crap (quicktime) is sadly not an option)

"I don't get why people run windows. Its crap. Don't run it. You'll get screwed multiple times from multiple directions. The evidence is overwhelming. Just say no. Don't say nobody ever told you. You will eventually get hosed."

And before you get hosed, you just might see some network benefits from to sticking with the market leader.

Excellent guide on how to fix a shafted machine, a while back I got infected by an IRC bot, thanks to a vulnerability in VNC, which took me ages to fix, going through similar processes to what you have detailed above.
Thankfully I traced their ip address and the IRC host, and had them taken down, but not before I'd pulled out an awful lot of my hair.

To those who keep recommending Linux/Macs, how many racing simulation games for this system do you think your beloved OS supports? Clearly a windows machine is the only thing that's going to do the job.

@cmon_
Are you talking about qttask.exe? If so, that can easily be disabled through QuickTime. If you're like me and you don't like QuickTime then there's always QuickTimeAlternave (and RealAlternative). Those will let you play MOV and HDMOV files in Media Player Classic which I much prefer over QuickTime anyway, as well as have proper plugins/settings for your browser(s).

Instead of hunting nocd patches on lousy sites how about dumping your games into iso files and mount them with programs like daemon tools when you feel like sitting behind the wheel?

The first order of buisness, before killing a spyware process is to look where it is located and to erase it once the process is killed. this is an almost sure way to make sure it won't come back.

A couple things to note, a very nice article. The only thing I would add would be IceSword, excellent program from finding "hidden" processes. The other thing to note is, regardless of the OS this can happen, the only reason it doesn't happen on other OS's, is simply market share. On top of that, this was a base install of a 5-6 year old OS, to expect it to preform fine is foolish, no patches were done on it. If this were a fully updated version of XP, running a virus scan, I think the results would be different. In fact, that would be a wonderful thing to try. If I had the time I may just do that.

I LOVE YOU. i was near reformatting my computer becuase i could not do anything about it, no matter where i looked. And then luck had it that i saw your post on iGoogle. Thank YOU!!!!!!!!!

cmon_:

I don't know what version you were trying to get rid of, but there's an option in quicktime's prefs to remove the autorun. ;)

NO, NO, NO!

Like the other rootkit people have mentioned - you CANNOT clean an infected system from within itself. If you've got a rootkit, you're *fucked*.

Rootkits load themselves into the kernel and *modify* it. Yes, simply they can just hide processes from task manager (though there are other ways of doing this). But there's no reason why, if a rootkit get onto your system before you start running process explorer or rootkit revealer, it couldn't hide itself from those either. Or even if it gets on after.

After you've been hit with any malware that's been able to run as administrator, you *cannot* trust anything that system tells your, or anything that any program that runs on that system tells you. You either need to go one level higher - to the hypervisor if it's a VM and fix from there, or you need to boot from known safe media (CD-ROM) and replace *all* files containing executable code - exes, dlls, etc... and start again from there.

Do not try to clean a system that's been infected from that same system. It's not worth it.

Save your data elsewhere (take off), wipe the system (nuke the site from orbit), and start again - it's the *only* way to be sure.

>ditch Windows and switch to Linux or Mac. problem solved
Of course if everyone did this, then it wouldn't be long before they had problems too

If you *know* a machine has been compromised (as you did here), the way to fix it is to format and reinstall the OS. Attempts to find and remove all the malware are error-prone and provably inadequate for certain classes of malware. You may end up feeling good thinking you've gotten everything, but well-written malware will remain on your system...

Thank you so much for this post. I call myselef an advanced user of Windows, I've been a coder for years and consider myself security-savvy... but a piece of spyware my 12 year old picked up recently has been driving me nuts. I've gone though these steps and still am fighting this thing. Reading this convinced me to rebuild the system and take any admin rights away from the li'l shaver.

To all of y'all who said to switch to Ubuntu or MacIntosh... yes, you are correct, you don't pick this crud up with those very fine OS's. I run them too, but our gaming system ... and also the .NET dev work I do gotta be Windows. Changing OS's is not like changing socks.

Thanks for posting this great stuff.

How do I handle the situation when two processes or DLLs, A and B, keep monitoring when the other is killed and re-creating/re-launching each other? I can't kill them both simultaneously .. or can I?

Jeff,

Another free program that's worth a mention: Spyware Terminator.
http://www.spywareterminator.com/

It will effectively remove spyware, adware, trojans, keyloggers, home page hijackers and other malware threats. It is easy to use, requires minimal PC resources and has ultra fast scanning speed.

Yes, you all are correct on saying that the only way to make sure all spyware/whatever is gone is to reformat. But, some nicely written malware requires a low-level format, or use of Dban. I like the scope of this article and what it covered, it did an excellent job of providing an alternative to reformatting.

I'll reiterate the best piece of advice given thus far: format and reinstall. Its the only way to know.

@Separatist:
I run windows because I have a large number of programs that are windows only. I'd rather not mess with incomplete interpreters (WINE) and the like.

If I could run these programs outside of windows, then I would switch. I really don't like the look and feel of MacOS. So, that switch would probably be to a popular Linux Distro.

@Jeff:
Nice article. I will definitely look into those tools. I usually reformat a computer that I find to be riddle with malware (and may continue to do so), but those tools could really help if reformats are not available.

Fantastic post Jeff!

Jeff,

As interesting and complete as this was, isn't it an awfully lot like Mark Russinovich's presentation entitled: "Enterprise Malware Solutions"?

Considering your background, I'd be willing to accept that you came to the same conclusion independently. However, if that presentation was your source, you should really give credit where it's due.

Long-time reader, first-time commenter,

-Jeff

Just for completeness. The games might run on Linux. If Wine can't handle it, maybe Cedega can. The odds aren't that great, but it might be worth a shot.

autoruns + processxp indeed.

My gf had a root-kit on her computer, nobody realized it who had worked on it before. She was just randomly getting pop-ups and nothing was running. Rootkit revealer, also from sysinternals is also a nice program to run. finds most of them.

On the interminable linux point:

I've seen what end-users do with linux. They'll happily just run, as root (either directly or via sudo) any random .rpm or .deb they think has The Coolest Thing (say, oh, "EverythingYouNeedForBeryl!!! OMGITZKOOL !!! JustLikeVistaOnlyLinux!!!!InOneFile!!!.rpm" - I exaggerate, but only a little.).

If that contains a rootkit, they've just screwed themselves as well as anyone running Windows running a random .exe.

The problem is not so much the OS (not to let MS off the hook - various versions of IE 7, for instance, would run 3rd party code from a popup ad even if you clicked the close icon on the IE window frame, nothing inside the popup - that's just intolerable), as users.

Users are lazy and clueless, and will happily disregard your security infrastructure if there's any way for them to do so, if they think it'll make their lives temporarily easier, or faster.

MS has done pretty well at preventing attacks that aren't due to the user, these days, with XP SP2+ or Vista. Nothing can save the user from user stupidity.

(Vista UAC helps, but just today, somewhere else, I saw someone say "first thing, turn UAC off!" ... I suppose the only way people are going to be satisfied is if the default install simply installs a fast virtual machine and that's all you ever run, to just reinstall it whenever necessary.)

With regards to rootkits. In this example it seems the damage was identified before Jeff rebooted the virtual PC.

Is it possible to modify a running kernel without a reboot?

If it is not, then wouldn't cleaning the PC before the reboot have prevented infection with a rootkit?

However, I realise that this question is hypothetical because in a real life scenario it is unlikely the infection is going to be discovered before the machine is rebooted.

Perhaps the reason that the freeware tools you used completely failed was that they are increasingly really pretty (comparatively) useless..

http://www.av-comparatives.org/

This doesn't include the freeware stuff, but I did see a comparison in one of the PC mags some months ago (something similar to PC World) that did, and it found the freeware tools only had a detection rate of around 55%.. They were compared to McAfee which at the time showed a 97% removal rate. Now, if you look at the above link you'll find that McAfee has a pretty poor showing when compared to a few of the winners (in order - G-Data AVK (Anti-Virus Kit), Avira AntiVirus, NOD32, and iirc the next one was Sytmantec)..

To me, this suggests that these winning entries (Avira did especially well at heuristics - detecting stuff for which no product has signatures for) are waaaay ahead of the trusted freeware alternatives.

That said, you want good protection, pay or pirate..

Run IE in a sandbox. Sandboxie.com has a free tool and it's better than running a VM because it tells you which files and processes have been touched in a virtual HD. Plus it's lightweight and runs fast.

"I have been running Windows XP without any firewall or antivirus applications for years with no virus or spy/adware infections. It often makes me wonder how I seem like the only person who manages to do that..."

Me too... same wonder.

First: Jeff, thanks for the article. It does resemble Russinovich's presentation, but since his is video and yours is text, I find this more valuable. Good job - now I can paste a link rather than giving a 20 minute demonstration!

To some of the extra-paranoid folks who're head-desking and shouting reformat and reinstall: *you are right* - they *are* out to get you! But different situations have different security needs. If the system is used to manipulate highly valuable data (like your bank account, or your connection to the company VPN), then yeah. Reformat, reinstall. But Jeff was at pains to note that this is only a gaming system, so he was happy once the system stopped *acting* infected. Me, I might have done a little packet sniffing to be sure, but again, Jeff's choices are based on his own perception of risk level. Not all systems need to be run as if they were full of Top Secret data!

(If Helen Keller gets a virus that presents no symptoms at all, is she actually sick?)

To those of you suggesting all sorts of antimalware tools: run nonadmin, stay patched (and actually reboot when the OS tells you to, m'kay?), turn on the Windows Firewall, pay attention to what you are allowing whenever the 'OK' button pops up. Skipping these measures and running a ton of antimalware tools slows down your system and leaves you fighting fires constantly. Scan your system with a reputable antimalware scanner weekly or so. You'll be surprised how secure the OS is once you start using it properly!

http://housecall.trendmicro.com

I use the above whenever I wonder about the state of my WinXP partition.

BTW- it bugs me to no end when people think that *nix boxes are only saf(ER) because fewer use them. It has much more to do with native userspace security and the bleedingly fast development curve.

"Linux and Apple boxes are safer because no one uses them" -Bah! Microsoft propaganda...

Sorry- but I've been meaning to rant on that for a while now. Most of the people I hear say that in real life are too clueless to understand the concepts anyway, so I just keep it to myself.. I'm glad it came up here amongst this audience.

It's been my experience that System Restore can be pretty evil, and cause the reinstallation of viruses and malware once you've cleaned them up. Of course it's entirely possible that such cases are do to multiple malware installations.

If you encounter a rash of malware you can't get rid of, try turning off system restore, that may solve the "recurring infection" problem.

"MS has done pretty well at preventing attacks that aren't due to the user, these days, with XP SP2+ or Vista. Nothing can save the user from user stupidity."

Oh come on. Vista still gladly gives you administrator rights by default, and the "notifications" you get before messing up your system come in the form of a rather innocuous alert box that doesn't even require you to type anything more than the enter key to dismiss.

It's not a robust mechanism, but it does allow Microsoft to say "well, we warned you so it's your own fault". It won't do a great job protecting anyone except the Microsoft Corporation.

Links do not work for Sysinterals utils. Here are the correct ones (ddl)
Autoruns: http://download.sysinternals.com/Files/Autoruns.zip
Process Explorer: http://www.sysinternals.com/Files/ProcessExplorerNt.zip
Above links are for NT os, search softpedia for others.
Cheers.

For all the Mac trolls: http://projects.info-pull.com/moab/

> As interesting and complete as this was, isn't it an awfully lot like Mark Russinovich's presentation entitled: "Enterprise Malware Solutions"?

I've never seen this presentation. But any comparison between me and Mark Russinovich is a tremendous compliment. Mark is the real deal; without his tools, none of this would be possible.

I have the utmost respect for Mark and you can rest assured I'd never copy his work. What I did, I did on my own with a few Google searches.. and I posted it largely because the Google results weren't very good, and I felt I could provide a better resource for the next poor souls to have the same problem I did.

Plus, have you *met* Mark Russinovich? He's like 6 foot 3 and literally could be a male model. Between his encyclopedic, world-renowned guru-level knowledge of every part of Windows, and his unnatural good looks, he makes the rest of us geeks look like.. well, the geeks that we are. :) He's a fantastically nice guy, too.

Great article, and great explanations. Of course there is no perfect place ! If you like other operating systems, good for you I say. I have run everything over the past 30 years, nothing compares with Windows, nothing. All one has to do is look at the take up rate of Windows and it's easy to see that it is the easiest and most popular, and as a result the best target for the pirates to attack, as they are likely to get a return on their investment....and they do, because it all comes down to the user and their inability to detect and defend against them. The average user is not very knowledgeable about computers and just wants to download or buy something, and they get caught. Articles like this will help those people a little more each time and by the time the next generation comes along, they will begin to win against the pirates. Nothing is easy or free !

good work!

i actually use this style with a different variation since i didnt know you can kill the threads within the process.

if for some reason i cant kill the spyware process or delete it, i simply remove the startup entries and autoruns and pull the plug in the computer, after that since upon reboot, the startup entries are clear of spyware/worms, it is same to assume you can already delete the spyware programs. this is also assuming unlocker doesnt work as well.

the problem with spybot or even combinations of antispyware or antivirus is the programmers of these spywares/worms lock their process within a legit process making them undeletable, anyway, the killing of threads idea is really new to me and i think is a lifesaver.

thanks for the tip! i thought i already new many stuff regarding this, glad to know somebody else has better idea than me... great to have new insights!

Just use ad-aware, spybot, and CWShredder (http://us.trendmicro.com/us/products/personal/CWShredder/index.html) first. I install those, along with Firefox, on a clean install, as my first thing. Use AVG Free too, for Anti-virus. I've never had a persons computer that didn't get cleaned up with these tools.

Use Spybot to its full capability! Download the beta detection rules!
Set Ad-aware to scan Full!
and I sometimes run CWShredder every day. It only takes a few seconds, and it's just as long to download.

These are good tips, if you can't do it with the easy way. This is the REALLY REALLY HARD way. But it is good, if you can't get rid of everything with the above mentioned.

I would echo that *nix and macs systems aren't less prone because of a smaller userbase. Just look at IE vs Firefox for a comparitive situation.

However, if more people moved over to these systems there *would* be a higher percentage of holes found, just not necessarily to the same degree.

Automatically switching to a *nix or mac system doesn't mean you don't have to take the same precautionary measures. Those that use these systems tend (though not always) to be those that automatically take the required measures anyway. And I'm talking about regular checks, not running using insecure software, not visiting suspect websites/running suspect programs etc.

In my experience (and echoed by many others) if you follow these measures on a Windows system you very rarely run into any problems.

The Vista security model makes the best, in my opinion, of a tricky situation. The justification behind quick elevation is that, given the inconvenience people find the existing solution to be, if it were any more inconvenient people would turn it off (they are more likely to turn it off completely than downgrade to something like the current model). You then have no more security than previous versions.

Vista is a transition OS, designed largely to facilitate a change from bad practices and train users in the new ways. Microsoft rightly take a few years with gradual steps to introduce big changes (that's not to say that they haven't been too late in introducing many of the changes for a lot of things).

You do realize that by posting this the malware,adware writers only have to put "Microsoft Corporation" in the publisher section to thwart your attempts?

Hoax: Process Explorer can verify the publisher by the executable's signature. Unfortunately, not even Microsoft appears to sign all of their stuff properly, so this isn't a solved problem yet.

As I mentioned, and a few informed people reiterated, it would be easy and best to reformat and start over. Since this is only a gaming box, and newly installed, is should be painless to redo it correctly and avoid later hassle. If you ever plug this machine on your network on the safe side of your firewall then it is likely your safe machines, the ones you do use for banking and such, will get owned.

More than half of modern malware comes with a rootkit, according to recent studies (Google rootkit increase). Thus you can assume for each piece of malware that you removed above, there is one still hidden. Tools running within the OS like RootkitRevealer are now easily bypassed, and sample code to do this (and much more) can be found online, making it trivial to get past the methods above.

Modern malware is designed to update itself, and will use the most recent attack vectors to capture neighboring machines. Even if all your machines are currently patched, but one on your network is owned, once a new hole is discovered and rolled out to your owned machine, the rest of your machines will soon be owned. Putting an easily fixable machine back into service can easily lead to all your machines being rooted, which would require a lot more reinstalling. I do research into malware and work on rootkits, and I do see this happen.

As to another person's question - you can modify the kernel without a reboot. So that is no guarantee that you avoided a rootkit. An easy way to do it is to use Device/PhysicalMemory and change links in the process list to hide things. You can change *whatever* you want on a running system with this, since you have full unfettered access to RAM for every process, including kernel structures.

Packet sniffers do not work on well crafted malware either. Many use very stealthy and low bandwidth communication traffic, and are extremely hard to ferret out with packet traffic.

Putting any compromised machine on your network is a sure way to get them all hosed. Good luck.

What to do? Run behind a hardware firewall. Use antivirus. Use updates. Do not run as admin (I know - hard to do). Vista is likely more secure than XP (the randomized memory layout goes a long way to preventing attacks). Do not run crapware.

Oh - one last funny thing - people in my office are surprised how much you flaunt using CD-cracks. Although I agree with you morally, it is *illegal* under the DMCA, even for stuff you legally own, to circumvent copyright protection technology. Posting about it to others opens you up to legal hassle you might not want. You may as well state you smoke pot often and like to run red lights :)

It's not that the mac or linux are great (although they are, except for linux), it's that Microsoft makes horrible, horrible, horrible software. Try living a few months without having to think about viruses and spyware, and you'll never go back.

And believe this too: Even if you enjoy some kind of feeling of mastery, just because you can get your computer to not crash with only a half-day's work, you won't miss it with computers that simply work. You'll get your feeling of mastery from getting actual work done, which feels a whole lot better.

Seriously, PC users are like kidnap victims, who idolize their abusers... It's painful to watch. Get real, get out, get free!

I skimmed the comments and didn't see this explicity mentioned: it seems more likely to me that one of the no-cd patches itself gave you the malware. After all, these patches are made by anonymous people, and are *illegal*. They are the perfect vector for malware.

I hate IE and Windows as much as the next guy, but it might not be at fault in this case?

What a great post. i fix pc's for a living and hadn't come across this handy tool, fills the gaps that the anti-malware programs leave.

Hmm Going through all this comment I starts to wonder why to read a blog if you can comment it WITHOUT reading it. The article above describe the fastest and easiest way of cleaning malwares. Using common sense when looking of company descriptions is the best way to find malware processes and files. And with using signature check (included in process explorer and autostart)you can make sure that description and other details of the image not spoofed. No descriptionand cryptographic file names raise suspicion. Several post told to use antispyware software. Those products clean only known widespread spywares. Using common sense can identify much more of them. So if you have no other way you can use this method as a last resort. You can learn more on this on microsoft technet. www.microsoft.com/itsshowtime look for Mark Russinovich presentation.

I totally concur with the poster who suggested using BartPE to live-boot a machine with an infected HD. You can add a number of useful modules to BartPE like AdAware, McAfee Stinger and Command Line virus scanner, Firefox, thereby increasing its usefulness.

BartPE has made my de-lousing tasks SOOO much easier over the years. Also great for getting important files off of a system that refuses to boot.

Best of all, because you aren't loading the OS from the infected machine, it's a lot easier to pry those nasty malware hooks from your system since they aren't in use at the time.

HijackThis is crucial. Keep it in your Doctor's bag at all times.

p.s. I'm a hardcore Mac user who still does tech support for Windows. Gotta make a living, ya know.

If this article confirms one thing, it's that prevention is better than cure. I wouldn't even bother to attempt a fix - how can anyone be certain of the result? All that effort, for what is at best, the hope of a fix and nothing more.

The simplest approach is to rebuild the machine securely, with non-admin accounts and take an image of the drives before putting it to use. There is no point in spending hours half-fixing something when you can restore it perfectly from backup in 15-30 minutes and have the assurance it is pristine.

For what it's worth, I wouldn't recommend any spyware-protection that depends on you running as an Administrator either - it's like a burgular alarm which only works if your house is unlocked and people are free to wander in (much better to just lock the house).

Thanks for the info Jeff, I've used some of those tools for quite a while now, especially process explorer. Very handy when you need to get rid of files that are locked by the OS. I'll definitely be grabbing 'autoruns' now that I am aware of it.

As for people suggesting Firefox (including extension), Linux, or Mac kind of missed the point of this blog I fear. Sure, he can use Linux, Mac, or Firefox and avoid these issues, but he *may* not be able to run his games under the other OSes. (I say may, cause there is a good chance wine, cedega, et all would run them without very much difficulty, but I have no first hand experience getting those sims working on wine, et all). The point was, when you're already screwed, here is what you can do to unscrew yourself, and I believe this article did that quite well.

This is also above the heads of 95% of people out there, as those tools can easily destabilize your system and must be used with caution, or at least on a system that "doesn't matter" (aka, not to be "tested" on the production exchange server at your place of employment). However, using these tools may help you achieve a higher level of understanding about exactly how your OS works, and possibly bump you up into that elite 5% of the people out there, and that is always a good thing.

We need ot consider malware as a question with several answers as to the "why" In the dawn of networks it may indeed have been a proto-"KeWlD00dZ" trip./me more leet... gaming even. But it soon mutated into a cash cow. like many similar cancers even becoming a threat to it's host's health. So we began the zeno race of virii and antivirii writers.

How many cases may there be of the same cockroach both writing a virus and selling an antivirus? Sort of like poisoning someone to sell the antidote eh? In the real world that stunt gets you major jail time.
Why should net crime be more lenient especially in light of the victim pool being XX millions worlld wide so affected.

The answers?

The reason we have malicious code existing at all is primarily monetary.
Strongly punish the monetary aspect and give non-trivial jail time for participating wittingly in computer crime or accept that we condone it.

The concept of RICO laws applying seems most apt to bear drastic force application potential. Hell- why not argue for calculating the "lost time" due to a cyber malfeasance and force the convictiid criminal/s to pay restitution? The recent arrest of a "spam king" provides a chance to reverse engineer how his ilk works and persecute them in a sadly mundane fashion.

The "final fix" thus will be a consensus to make witting participation in cyber crime rewarded by a hard 10 at minimum jail term *PER COUNT*.

"For your deliberate flaunting of interstate wire fraud laws your sentence is 7,394,209 years BEFORE you wil be considered for parole"

> Oh - one last funny thing - people in my office are surprised how much you flaunt using CD-cracks. Although I agree with you morally, it is *illegal* under the DMCA, even for stuff you legally own, to circumvent copyright protection technology. Posting about it to others opens you up to legal hassle you might not want.

I could make up some cock-and-bull story, but why not just tell the truth?

I strongly support buying software. Software is part of my livelihood.
http://www.codinghorror.com/blog/archives/000735.html

But I *also* support customer choice, and the idea that the customer is *not* my enemy, and *not* a criminal-- as so many copy protection schemes and DRM approaches assume.

I think someone should police the internet with webpages that has spyware..... isnt that kinda breaching into someones property without asking???? if there was an organization that would form some type of anti spyware policy out there that would be great! and get people to report sites that have spyware on them and sue their asses... i think its one way to force people to be more responsible on their sites..... and fix the problem rather than just turning the face the look the other way hoping that no one would do something about it.......

I have had a guy here to do what you have suggested and also ran sypbot and anivir and the only things that we still can't get rid of is something called virtumonde and smitfraud, nothing seems to work. My son was using my computer for games so I am assuming he infected it in this way. I am constantly getting pop ups and things that knock me out of what i am doing. Anyone encounter these two? Anything work?

Well, this article arrived in the nick of time.

So, a couple days ago, I get a new freelance 3D job. I haven't worked at home in my 3D app (Maya if anyone cares) in quite a while, and I'd since upgraded my network card. Since Maya's activation key is tied somehow to the network card, my perfectly legal, bought-and-paid-for license was no longer valid. Transferring the license became a nightmare of poor customer service calls, so I decided to surf the web for a way to crack it. I'm on a deadline you know?

Long story short, after surfing the myriads of admittedly unsafe sites (even with the latest version of Firefox installed) I got hit, and couldn't quite mop of the vestiges of the infestation. Then along comes this article, and *presto* my machine is clean again.

Thanks.

Oh, that's also another argument against ridiculous copy protection mechanisms. One of the reason's for Maya's popularity was that it was so widely pirated. Students steal the software, and when they start actually making money in the field, they go with what they already know. Anyways, down with lame-o copy protection.

To the rootkit people:

So they can hide even when the operating system is taken-off line, the kernel-mode driver is identified, and a system file-check is run, all without the rootkit running at all? I'm sorry, but your rootkits aren't as invulernable as you think, and the majority cannot hide from RootkitRevealer. The amazing rootkits are still vulnerable outside of Windows, just like any other malware program. Disconnect the NIC. Remove malware using Jeff's procedure, boot outside of the Windows install, scan around, repair install whatever Windows version you're running. Patch up. Check user accounts, reset policies. Done. This can be done in a matter of a couple hours (of actual work, obviously not including sitting around for scans) by a white-hat with intimate Windows knowledge.

In the meantime, compared to what even the most advanced corporate antivirus solutions can muster, Jeff's procedure is the most powerful procedure of manual virus removal accessible to the tech-savvy end-user.

Besides, you're probably not getting infected by HackerDefender Platinum+++ from GameCopyWorld.

One thing that I used to do was remove the entries that were placed in my registry by the malware.

"or ditch Windows and switch to Linux or Mac. problem solved."

Or you could slit your wrists and do the world a favor.

Jeff,

This article and all its comments is a wonderful exploration into the the impact of human fear on computing and how it makes people behave (often quite irrationally) as a result.

It's amazing how people seem to fall into different categories of behavior in dealing with computers and their fears [of malware].

1) Switch to a "safer" computing platform
2) Use anti-x protection/cleaning software
3) Learn every possible file/execution/memory interaction
4) Develop a "tried and true" save/restoration process

1 and 2 are clear examples of primitive fight-or-flight behavior. 3 and 4 depict a more evolved knowledge-based approach.

I learned at an early age while playing adventure games that SAVE/RESTORE was the greatest gift of computers to mankind and it should be utilized accordingly in all situations of potential danger.
As a result, I live a happy life free of realtime scanning software, UAC, or limited user privileges, and full of optimal performance, a pragmatic understanding of the risks, and a religious awareness of "Update Tuesday". :)

Keep up the good work. Your site is an inspiration.

recently i had somethin called clcr.exe om my laptop no idea where it came from...it was puttin the most interesting porn etc on my computer...couldn't get rid it....still cant....gonna try the above steps....the only safe computing im doin right now is thru ubuntu....which is how i was ablt to see the incoming trash....dual booting has its benifets...im a father of three...so im weaning everyone off of window...its tooo vulnerable...but linux has its drawbacks as well...but it does see alot of the sh@t that trojans put in your computer....heres a plug for the people who dont want to dual boot look up something called wubi....

"One of the reason's for Maya's popularity was that it was so widely pirated."

I can't believe anyone actually believes this nonsense.

Maya made its fortune when it was running on SGI machines at $20K per licence. It became the market leader because it was (and still is) the best software in its field.

The parent company, when it shifted to a platform more easily pirated, started losing money hand over fist and was passed from owner to owner until finally being bought by its main rival for a bargain price.

People will pirate whatever is easy to pirate. Copy protection removes the temptation. Instead of complaining about ALL protection, just complain about the ones that are badly implemented.

Sean Kane:

You give a method to remove rootkits:

"...the kernel-mode driver is identified, and a system file-check is run...", "...the majority cannot hide from RootkitRevealer...", "...boot outside of the Windows install, scan around, repair install whatever Windows version you're running...."

Sounds easy.

Which kernel mode driver? How do you find it? Some rootkits modify existing pieces, so there are no new drivers or registry settings to find/remove. They mutate (simple version - find the code to morphine and study it). Now how do you detect if your kernel32.dll is bad? There are many legit versions from various MS patches, but your repair install should get it. How about other drivers that are not from the XP install, but were installed from other apps, like Quicktime, antivirus :), iTunes, etc? These are not repaired nor removed by your method, and will still be loaded upon reboot, reinfecting anything else the rootkit targets

Your method does not address boot sector rootkits (exist) nor BIOS rootkits (exist). Your method does not clear ADS on the filesystem. It does not check slackspace (methods exist), and does not check sections marked bad by NTFS (where things do hide).

Your method does not address RAM only rootkits (exist), which require shutting down all machines simultaneously on the network, making sure none have a persistent carrier, cleaning, and then putting them all back online.

You say that the majority of rootkits cannot hide from RootkitRevealer, but all it takes is one. Most recent rootkits bypass RootkitRevealer since it is a popular tool, and is easily bypassed. Here is a *year old* forum thread and code showing how to do it: http://www.rootkit.com/board.php?did=edge526&closed=0&lastx=15.
Not hard at all. Rootkits also exist that bypass IceSword, Blacklight, and Sophos Anti-Rootkit.

You mention white-hats can fix rootkits. The white-hats with detailed windows internal knowledge I know in the malware field across the board recommend reinstallation.

Oh well, stubborn people continue along :)

Good article! This should be looked at as one more tool/option for the toolkit/notes file. Not all tools are as effective or do as good a job but having the tool/option for your particular situation is valuable.

It's obvious that everyone here has different ideas and using those ideas will result in different outcomes depending on ones situation and circumstances. While throwing out the baby with the bath water may be the answer to one situation it will not be a viable option in answer in another circumstance.

Having choices is what we all are arguing over and I am glad Jeff has given me another choice to put in my took box just as many of the other suggestions that have been added to these posts.

Even the option to switch to Lixux or Mac...just maybe not as many options ;)

An excellent article, I've a couple of comments. For those that want to grab the systinternals software, Microsoft was nice enough to allow you to grab it all as a bundle here:

http://www.microsoft.com/technet/sysinternals/Utilities/SysinternalsSuite.mspx
(8 MB)

For the use of 'more secure' systems... it doesn't always work that way. Sure you can focus on user space / separation, sandboxes, etc, but you can (inadvertently or not) load and unload unix kernel modules, etc. I can do it even to the big Commercial unices like Solaris / AIX. Personally I don't use Linux (would prefer to install Solaris if I was going that route), and I currently don't have a Mac as I don't like BSD'esque O/S's.

My biggest problem with XP is that it is shipped with IE. It's a cart before the horse problem when you're using an unsafe (unpatched) browser to get patches for the browser to make it safe. IMO - Jeff got what he deserved (not that I wish this stuff on anyone). I wish windows would complete it's installation then (as a clean up task), grab you the newest version of IE, then as a final cleanup, grab all security patches by default.

A good read !

-Drew.

I've also used ProcesExplorer to remove unwanted junk from a PC. A little tip for the multi-process stuff that detects when you kill it's sibling app: don't just kill the process - pause the processes before you kill them. Most of these apps arn't smart enough to check for a paused app.

- I thought the thinking went like... Don't log in as admin, ever! If your games won't run as non-admin, make a shortcut and select 'Run as...' to start them. Running as admin + having spyware = told you so, many people told you so.

- Use DaemonTools / DeamonTools for no-cd goodness, that way you can keep out of the dark, shady underbelly of the internets and not have to DJ your game disks. Maybe don't play games that consider DeamonTools a hacker tool.

Use BufferZone (found at www.trustware.com), on a completely clean PC. This is one of the best programs I've found! It will run everything virtually, and nothing is able to access your actual files. If you do get spyware/adware, just empty the "bufferzone" and everything will be back to normal. I have actually tried to get as much spyware, and viruses as I could to test this program, and it removed everything!

Thank you so much for this article. I had 2 dlls hooked with winlogon and explorer for about two weeks now. From other info gained from searches I had already tried using Process Explorer and Autoruns both, and to no avail. Your article clearly showed me what integral step I was missing. I didn't know to kill the threads in the process properties dialog of procxp until I read this. Thank you again for this, you saved me many hours of burning cds and formatting to get rid of my issue.

You can still use administrator account and run IE in a limited account:
http://dotmad.blogspot.com/2007/04/running-internet-explorer-in-secured.html

This really helped me out despite the fact that I didn't have spyware. A lot of legitimate companies leave programs that don't do anything but take up processor time. (i.e. my mouse drivers came with a bunch of "configuration software" that starts every time I log on. Adobe reader has a speed loader that starts even though I hardly use it. goggle update. ect.) Without a program like autoruns you can't keep stuff like that from coming back constantly. Thanks for cluing me in.

Thanks for this guide. I had been struggling to remove the same virus "core.sys" from my machine for a couple of weeks and this has sorted me out.

Great article, the kind that one needs to always have onhand as a hardcopy.

As an independent IT consultant, I have access to and use all the OS's mentioned in the above postings, and more.

My laptop and main personal computer have been happily running WINDOWS 98SE for many many years. Currently, w/o any antivirus protection or antispyware protection. Firefox is mandatory, and I'm a very happy camper -

Current TaskList= net surfing, writing MSAccess code, using RDP to my 2K3 server, VNC from laptop to desktop, RDP to my XP/Knoppix box, listening to music from desktop to laptop via Media Player
Classic, snapshotting desktops for maps edited in MSPaint and printed, Nero disk burning, dual monitors, an (occasional) bunch of (slightly) naughty jpegs. Word and/or Excell open, a Post-It note program, Outlook Express, writing (simple) C programs in the CLI, and even sometimes routing my neighbors wireless through the NIC into my network when my Internet goes down.

All at the same time, all nice and fast.

Any real problems? Reformat, bring back my previous days's
"echo a|xcopy /d /r /i /c /e /h .\here .\there" backup.

(I've not had to restore for any virus issues, but once recently due to impending drive failure)

Thank you, I've been wanting to get this off my chest for a while now.

The reason I hollered the demon 'W' word in the above text is to be the first one to start the inevitable yelling that I've probably started.........

-Paul

I wanted to thank you for this tutorial, not only was it very informative and insighful but it helped me bring an end to my spyware/malware problem on my workstation computer here at the office. Thanks again and I hope you continue youre work as Im sure many of us appreciate your efforts!

to those who said quicktime has an option to disable auto startup.

IT DOES NOT... at least not in its preferences.

the trick only worked for a while, it is again back on every reboot.

that's malware. congrats apple.

Dude, Cant thank you enough. I ran my McAfee system about 100 times. I would take the spyware off but did nothing for the crap that was hidden in other files. It took a while but this website directed me to kill all the BS on my laptop. It feels liberating to be able to shove it up the hineys of these jerkoffs that do this crap. Thanks again bro.

Tom Whiting

Jeff - I followed your instructions, the rogue dll attach itself to winlogon and explorer, when i remove the threads from all 3 of them it comes right back, and i'm still unable to delete the file. anyway to stop them from reloading?

W, start Process Explorer, then kill explorer.exe. Process Explorer will still be running-- use it to kill the threads attached to WinLogon.

I tried your things yesterday night and it works !!

Thanks a bunch.

Chris Lomont is right - there is only one way and that is a clean rebuild

The question I have for Chris Lomont however is HOW THE HELL DO I DO A CLEAN REBUILD when the rootkit I have hides my DVD drive when it detects an installation disk in it, hides DOS windows when it detects scanning software and disallows me to reformat any of my discs

???

Any help would be greatfully received...

HELP!, try booting from a bootable Windows install CD.

Thank you so much for this article. I haven't got a rootkit issue so far(?), but I've been using the other tools for some time now. Using the Process Explorer to kill threads within winlogon and thus freeing the rogue dll was new to me. Thanks for the tip. I used another trick to get around the same problem on my friend's computer. I used the windows explorer to deny read and execute rights to the rogue dlls that loaded themselves into winlogon.exe and lsass.exe (you need ntfs filesystem for this trick to work). Then rebooted the system and did the remaining cleanup as mentioned in the article.

The trick may not work against a spyware that will hook the API itself or monitor the system using a driver, but hopefully most spyware apps aren't that smart.

Awesome article! A must-read for every desktop user out there. Clean, detailed, and based around free software.
I recommend that you make an ebook of this post :-)
For reasons of simplicity, I use 2 windows installations with different security software. This way I can switch from one to another and have a scan from another vendor.
Also, I'd suggest every advanced user have a bootable CD with Avast, Lavasoft and McAfee utilities to run. It does help and is faster than killing nasties from the windows GUI.

Thanks for your great article, it turns out my pc wasn't as bad off as I suspected (I am a pc hypochondriac..) but I did learn a lot about processes and some great free tools. I feel like I have a better understanding about what to look for. Thanks again!

Hey Jeff.

Very helpful article. Just wanted to add a few useful tips.

Sometimes spyware installs services that monitor running processes, and keep firing them up as quick as you kill them. A very handy tip from Mark Russinovich (the Sysinternals guy) is to *suspend* the process rather than kill it. The process appears to be running, but it cannot do anything.

You can simply use software like unhackme :)

Hiya Jeff,

GREAT article. I got nailed by spyware in a bad way (stupidly clicked on something i shouldn't have before installing spybot et-al on a new windows build). I dominated all the spyware thanks to your tips

Cheers!
- Luke

Great article indeed. Adaware & spybot only go so far in cleaning up.

Will add Process Explorer & autorun in my tools map. Tried a similar autorun program before but I had no idea so many things start at boottime.

FWIW I like your approach in that Antimalware software these days is worthless. I agree with whoever said once its infected it cannot be trusted. Here is what I do now that i work in an IT dept and make decisions to the fate of a computer

Initial contact: Run the antimalware software to make the user and management feel warm and fuzzy.
Run MSconfig and Hijack this. Kill weird processes

Second call: It came back. Make arrangement for a format and reinstall. I dont want rogue s*it on my network and if the simple didnt kill it I am not going to run the risk or waste anymore time beating a dead horse.

I have been a malware killing fool since 2003 and it has come to this.

would it be okay if I'll just reformat the pc instead?

Hey Jeff,

Great article, what an excellent guide for removing malware, and a much better alternative than installing (and paying for) multiple spyware removal products which may or may not do the job.

I'd like to ditto the comments above about the code authentication options in PE and Autoruns, and about running rootkit revealer if there are still persistent nasties. I'd reckon this will get anyone out of trouble *just about* 100% of the time.