PREAMBLE
When I first wrote this piece two years ago (and when I updated it last, about a year ago) I believed it was not only possible but quite likely that a reasonably-intelligent person could get rid of most, if not all, of the spyware/adware/malware programs on their computer with only a little outside help.
Today, I'm not as sanguine about that possibility as I was then.
The folks who write these pests have been using progressively nastier methods of hiding their unwelcome guests on your computer, since if you can find and get rid of it they have effectively wasted their time getting you to install it in the first place. Some of these folks are using virus-type methods like using two programs to infect your computer - each monitors the other and if one is found and deleted the remaining one simply puts it back again. Other folks are using rootkit technology where their software loads before Windows does, and can hide from Windows and prevent Windows from seeing it. Still others use frequent mutations of their software to try to stay ahead of the curve - as soon as version one of their software is spotted they make some changes so it doesn't look quite the same any more and push out version one-point-one. When that gets difficult enough they just start all over with a new pest.
In some of these cases even the experts first say, "Well, I don't know what that is but you sure do want to get rid of it - but first send me a copy so I can get it analyzed and find out what it is!" Other cases require a very painstaking process to fully clean the pest off your system that may be specific not only to the type of pest but to your specific computer because the pest has mutated once it got in there.
There are thriving criminal syndicates that want to infest your computer for a much more sinister reason - they aren't satisfied with having control over just your computer, they want to use your computer as an anonymous beachhead from which they can infest other computers, send out their marketing messages (a.k.a. SPAM), or to distribute files that they don't want to get caught with on their computer. Some of these organizations will even rent out your computer to anyone willing to pay for using it. Recent stories in the mainstream media have exposed groups that controlled tens of thousands of computers without the knowledge of the owners, buying and selling and trading use of these hijacked computers as a commodity.
For these reasons I've modified my standard process yet again - rather than concentrating on specific pests I'm making the process more generalized and suggesting that even if you think your system is clean you should consult with online experts to be sure that you have indeed cleaned the messes up completely. This seems to me to be the only way that a reasonable person can be sure their computer is clean again, short of wiping it out and installing everything from the ground up.
A plea for help that I often hear from my friends, co-workers and others is, "I think something bad got onto my computer! I'm not sure when or where, but it's [just not working right] [rebooting frequently] [not connecting to the Internet] [taking me places on the Internet that I don't want to go to] ..."
Over the course of some time I have put together this approach to isolating and cleaning spyware, adware, viruses, worms and Trojans from computers. In order to do so effectively and quickly I prefer to do the following in this order:
1. Isolate the system. Get it off the network/Internet. Stop it from spreading ill will to others and/or being reinfected during the cleaning process.
2. Tackle the most likely suspects. Clean the most common spyware/adware threats, get the most likely viruses and worms off the system.
3. Get a firewall in place. Get positive control over what goes into or out of your computer. Then you can relax a little and clean more thoroughly.
4. Perform in-depth cleaning. Do thorough scans with your spyware/adware removal tools, get your antivirus up to date and scan with a couple different programs. Get as much baggage off your system as you can.
5. Consult with experts on anything left over you're not sure about. I am by no means a computer neophyte, I deal with complex LAN and WAN issues every day. I build my own computers rather than buying them. However, I don't wait a moment to consult with the folks who deal every day with cleaning unwanted guests off computers when I'm faced with something I don't know about. On this subject I bow to their expertise and experience. So should you.
You may wish to modify these steps depending on your particular needs. For example, you may be certain you're not dealing with a virus, worm or Trojan threat. In that case you may wish to concentrate first on dealing with the adware/spyware threats and defer thorough virus scanning until later. Or, you may be certain that you don't have an adware or spyware problem. In that case you may want to start by working the virus/worm/Trojan issues first and delaying any spyware or adware cleaning for after you've cleaned up other messes. It doesn't really matter which you concentrate on first, as long as you make sure that you do a thorough job of it and cover all the bases before you finish.
Tools for Success!
You will need certain tools in order to accomplish the cleaning tasks ahead of you. It would be best to get them using a known-clean computer and directly from the source, then put them on a CD or other media and take them to your computer.
The tools listed below are ones that I have used and am comfortable with. You can substitute other tools in their places if you have them handy and/or have your own preferences. By and large it's more important to be up-to-date than to stick with brand names. The best spyware/adware or antivirus scanner is of no use if it's not the latest version and fully updated.
AdAware SE - http://www.lavasoftusa.com/
Get the latest version of AdAware SE, and also get the latest signature files for that version from their download section.
Spybot Search&Destroy - http://www.spybot.info/
Get the latest version along with the latest signatures.
(Personally I do not recommend Spybot for the first-time user as it will want to remove items that I don't think it should be removing, and its advanced features can cause problems that are tricky to solve if you don't know how to reverse the changes it makes. But if you prefer it and are comfortable with it, then by all means go ahead.)
HijackThis - http://www.spywareinfo.com/~merijn/downloads.html
Download this tool but do not use it to clean anything unless you are working with an expert. Many of the items listed in a HijackThis report are normal and removing them may cause your computer to stop working.
Antivirus scanner - Most of the major antivirus manufacturers have a basic version of their program that you can download and use to clean the most common viruses and Trojans. Avast! antivirus, for example, has a basic cleaning tool that can be downloaded. McAfee has their Stinger cleaner available, and AVG antivirus offers the vcleaner tool. And, of course, the Microsoft Windows Malicious Software Removal Tool is updated monthly and can remove some common threats. You may do well to select several of these tools as they tend to catch different threats. As these are "mini-scanners" they aren't as comprehensive as a full antivirus product that has been installed and maintained with the latest updates.
Got your tools? Printed out a copy of the guide? Then let's begin ...
Before we start, isolate your computer
The first thing you need to do before we start is to disconnect your computer from the Internet or your home network. If you have a dial-up modem, disconnect the telephone line from it, then open Internet Explorer and click Tools on the menu, then Options, then on the Connections tab click the "Never Dial a Connection" box. Click Apply, then OK. If your computer is connected to a cable or DSL modem or any type of network device, disconnect the Ethernet (network cable) from the back of the computer.
Please note that you are going to do a couple of things with the computer disconnected from the Internet. Until you have a fairly good idea that you've isolated or removed most of the threats present on your computer you don't want to connect to the Internet again. Many viruses, adware or spyware programs can "repair" themselves using your Internet connection until they are fully removed, and many of the worms and Trojans in circulation these days are also capable of using the Internet to repair themselves or allow remote access to your computer. So let's stay disconnected until you've cleaned up as many of them as we can. That makes it a little more inconvenient, but much safer.
Next, empty Temporary Internet Files
Not only will it make the scanning and cleaning processes faster, but a number of the pests we want to get rid of will use the Temporary Internet Files folder to hide in. It would also probably be wise to restart the system after you do this, then locate and delete any files in the \Windows\Temp or \WinNT\Temp folder (depending on what version of Windows you have). Windows 2000 and Windows XP users will also want to check the \Documents and Settings\<yourname>\Local Settings\Temp folder and delete anything in that folder. Note that you will need to have the option to view hidden files in Explorer turned on to find and empty this folder.
To eliminate the Temporary Internet Files, right-click the Internet Explorer icon on your desktop and select "Properties" from the pop-up menu (for Windows XP users, if you didn't put the Internet Explorer icon on your desktop click the Start button, right-click the Internet Explorer icon near the top of the Start menu, then select "Internet Properties" from the pop-up menu). Look under the section titled "Temporary Internet files" for the button to delete files, and then click it, and when it brings up the confirmation message be sure you also check the "Delete all offline content" box. This process may take several minutes to complete.
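The same clean-out of the three folders named above, done from the command line so that hidden files are not missed and files a running program still has open are reported rather than silently skipped. This is an added example, not part of the original guide; it assumes a Windows version that has PowerShell, resolves the folder locations from the system settings ("Temporary Internet Files", %WINDIR%\Temp, and the per-user Temp folder) instead of hard-coding C:\Windows or C:\WinNT, and supports -WhatIf so you can preview before deleting.

```powershell
# Added example (not from the original guide): empty the temp folders the guide
# names, including hidden files, and list anything still held open by a program.
# Run from an elevated PowerShell prompt; add -WhatIf to preview without deleting.
[CmdletBinding(SupportsShouldProcess = $true)]
param()

# Resolve the guide's folders from environment/shell settings rather than
# hard-coding \Windows\Temp or \WinNT\Temp, so the same script fits either layout.
$targets = @(
    [Environment]::GetFolderPath('InternetCache')   # Temporary Internet Files
    (Join-Path $env:WINDIR 'Temp')                   # \Windows\Temp or \WinNT\Temp
    $env:TEMP                                        # ...\Local Settings\Temp (per user)
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) } | Select-Object -Unique

foreach ($folder in $targets) {
    # -Force includes hidden and system files, which Explorer hides by default.
    # Only the top-level entries are enumerated; Remove-Item -Recurse handles subfolders.
    $items   = Get-ChildItem -LiteralPath $folder -Force -ErrorAction SilentlyContinue
    $removed = 0
    $inUse   = @()
    foreach ($item in $items) {
        if (-not $PSCmdlet.ShouldProcess($item.FullName, 'Remove')) { continue }
        try {
            Remove-Item -LiteralPath $item.FullName -Recurse -Force -ErrorAction Stop
            $removed++
        } catch {
            # Usually "being used by another process": a restart (as the guide
            # suggests) releases these, so record them and keep going.
            $inUse += $item.FullName
        }
    }
    Write-Host ("{0}: removed {1} item(s), {2} still in use" -f $folder, $removed, $inUse.Count)
    $inUse | ForEach-Object { Write-Host "  still in use: $_" }
}
```

Anything reported as still in use is worth a second pass after the restart the guide recommends; a file that stays locked across reboots in a temp folder is exactly the kind of item to mention when you consult the experts later in the guide.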
STEP ONE - Find and unload known spyware or adware
Start by installing the AdAware program you downloaded earlier. When the installation is complete you should find the AdAware program files (this will usually be C:\Program Files\Lavasoft\Ad-Aware 6) and copy the file "reflist.ref" from the AdAware update ZIP file into this folder. You should be warned that you are replacing a file - if so, say yes and replace the file; if not you're not in the right place. Copying this file will install the latest AdAware updates.
Start up AdAware and click the 'Start' button. The option to perform a smart computer scan should be selected as the default setting. That's OK for now; it will catch most of the spyware and adware on your computer. Click the 'Begin' button to begin scanning. This may take quite a while. When the scan is done, if any spyware or adware was found AdAware will display an alert and play a sound over your speakers. Click the Next button to see the results.
If all the items found in the scan were marked as "Tracking Cookies" you are in pretty good shape right now - at least as far as adware and spyware go. You may also see an item marked as "Alexa" - this is a default search setting in Internet Explorer and is marked because the search service does track all searches you perform but DOES NOT install any spyware or adware on your computer. Any other items found are things that you need to be concerned about and we will get rid of them.
Right-click any item in the list and pick "Select all object" from the pop-up menu, then click the "Next" button. This will remove all the items found in the scan from your computer. This process may take some time, especially if more than a few dozen items were found in the scan.
If all the items found were either "Tracking Cookies" or the "Alexa" entry, you are ready to continue to the next step. If any other items were found and cleaned you need to restart your computer and repeat the AdAware scan as above, then restart the computer and repeat the scan once more. The idea is to get to the point that no items are found when you run AdAware.
If two or three scans continue to find items on your computer you need to start your computer in Safe Mode and run a scan and clean cycle. The reason you want to run a scan in Safe Mode is that this mode starts only a minimal set of drivers and software - so most of the adware and spyware programs won't be started in Safe Mode. With them out of the way cleaning will be much easier. You may also need to run AdAware in Safe Mode if the computer "hangs" or "freezes up" while AdAware is cleaning the items it found. Some nasty programs prefer to lock your computer up rather than be removed. Safe Mode should get most of them out of the way so you can clean them off.
For most computers you can tap the F8 key every second after restarting but before the Windows startup screen appears, and this should cause the Windows Startup Menu to appear where you can reach Safe Mode. Repeat the AdAware scan in Safe Mode once as above, removing everything found; then restart in Safe Mode and scan again to ensure that the computer is clean.
Once you've cleaned everything off you can with AdAware it's time to move on to the next step.
STEP TWO - Limited Antivirus Clean-Up
Before you proceed, you need to try to eliminate the common viruses from your computer. Most of them can sense antivirus or firewall software and either disable or damage them so they won't work correctly.
Again, I recommend the use of at least two of the antivirus cleaners mentioned above. I personally would use the Windows Malicious Software Removal Tool and at least one antivirus company's scanner. Install and run these tools as instructed by the manufacturer.
When done, reboot if you are told to.
STEP THREE - Install a Firewall
Before you can safely get back onto the Internet, you need a way to stop any remaining adware or spyware programs from getting access to the Internet. If you have a virus, worm or Trojan on your system you definitely don't want them to be able to get onto the Internet. The easiest way to do this is to install a firewall program that will block them from being able to get outside your computer.
Even though you may already be using the firewall built into Windows XP or your Internet access device, you still need a second firewall for at least the time being. The Windows XP firewall and the firewall built into some routers and Cable/DSL modems are only 'one-way' firewalls, designed to prevent access from the Internet to your computer. They won't prevent programs already on your system from getting out, and once these programs reach the Internet the one-way firewall will allow them to bring whatever they want to back onto your system. You need to stop them before they get out and this is what a true firewall will do.
ZoneAlarm has a free personal firewall program you can install, and CA (Computer Associates) also has a free personal firewall program.
If the thought of installing a firewall program concerns you or you aren't sure about this step, it can be skipped. However, it will leave your system at a higher risk of re-infection or could allow further malicious activity from your system.
STEP FOUR - Re-enable Internet Access
Now that you've done what you can to clean off the most common threats, let's get connected to the Internet again. If you have a modem, re-connect your phone line and go back into Internet Connections and turn your favorite dialing option (autodial or dial if no connection is present) back on again. If you have an Ethernet network connection, connect it back up and restart the computer.
STEP FIVE - Install SpywareBlaster
SpywareBlaster
(http://www.javacoolsoftware.com/spywareblaster.html) is an excellent program to install and keep installed on your computer. It has only one purpose - it blocks known spyware programs from being installed, or if they're already installed, it blocks them from running. It does this by changing the settings in Windows to block these programs from running (in technical terms, it sets a 'kill bit' that prevents the spyware program or spyware installer from running at all).
If it's so good, why didn't we install it before? Oh, because you need to have Internet access to get the latest list of known programs for it to block. It doesn't have a downloadable update like AdAware does.
So let's install it now. When it's installed, start it up and click the "Updates" button. Note that when you tell SpywareBlaster to look for updates, your firewall will alert you that SpywareBlaster is trying to connect to the Internet. Since we trust this program, click the box to remember that you said it's OK to do so, and then click the button to allow it to connect. Once the updates are loaded, click the "Protection" button and select "Enable all protection". This will block all known spyware programs from loading and prevent your browser from going to certain Web sites that install spyware on your computer. You should restart your computer once SpywareBlaster is installed so you start clean with blocking turned on. You should periodically run SpywareBlaster and download and apply the latest updates to be sure that you keep updated on new threats that may appear.
STEP SIX - Remove Viruses
Now that you have blocked all the spyware you can, let's get to work on viruses and such. Since it's possible that any virus software you have now could have been damaged or destroyed by your unwanted guests, let's use some of the free online virus scanners to do a quick scan-and-clean. I would recommend using at least two of these web sites:
http://housecall.trendmicro.com/
http://www.pandasoftware.com/activescan/com/activescan_principal.htm
http://www.bitdefender.com/scan/licence.php
http://security.symantec.com/sscv6/home.asp
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx
Remember that you still have our firewall on and active, so you'll see some warnings as these pages load the online scanners and run them. Again, it's OK to trust them, so let's do so.
After you've run the online scans and removed the viruses you can remove, it's time to either install an antivirus program (if you didn't have one already) or uninstall and reinstall your current antivirus program (if the online scans found viruses, then your virus scanner is either outdated or damaged). You can either install the EZ Armor antivirus scanner from the CD, or check out the above web sites since each of them also offers trial/free antivirus scanners for home use.
A WORD OF WARNING - Before, I indicated that having more than one firewall was a good thing if your primary firewall (Windows XP or Internet device) provides only limited protection. With antivirus software this is not the case - you need to pick one antivirus program and have it installed. Installing more than one can cause system instability, lock-ups of your computer, or false alarms that may cause damage to the antivirus software. This is a case where "enough is enough" and one is enough.
STEP SEVEN - What have I missed?
Depending on the nature of the invader you're trying to get rid of, you may still not be done with the process. The steps you've taken to date will get rid of most viruses, worms, Trojans, adware and spyware. But you're not out of the woods yet.
In the introduction above we discussed several types of threats that are capable of hiding from the detection tools we've used to date. We need to take further steps to be sure that we've caught and cleaned everything that may have crept into your system.
Fortunately there's a very powerful tool, called "HijackThis", that can spot every program that's loading and running on your system and allow you to clean them up. Sounds good, doesn't it? Well, the problem is that it does, literally, show pretty much EVERYTHING that loads and runs. And the vast majority of the things that are loading and running are there for a reason. If you remove them, your computer won't work correctly.
That's why there are people who specialize in reading HijackThis logs. You must consult with them after running the log and before cleaning anything up, so that you don't kill anything necessary.
You'll find details on how to download and run HijackThis at these sites:
http://www.aumha.org/a/hjttutor.htm
http://www.tomcoyote.org/hjt/
But again - very important! - don't try to clean anything up until you consult with the experts at these Web sites:
http://www.computercops.biz/forums
http://www.tomcoyote.org/forums
http://www.spywareinfo.com/forums
http://forum.aumha.net/viewforum.php?f=30
http://www.lavasoftsupport.com/index.php?s=1570453ec76bc9f7c1f73a9a19440d6f&showforum=44
(From time to time the locations/links to these forums may change. You'll find the latest support forum lists at Aumha.org or Tomcoyote.org along with the instructions on installing and using HijackThis.)
Note that some of these forums may be difficult to get to. Since the forum operators are outspoken about the threats of spyware, adware and other parasites sometimes the folks who try to infect you with them get a bit nasty and attack their Web sites to make them unavailable.
STEP EIGHT - Okay, what now?
If you've reached this point, I'm hoping that your system is clean and behaving well and you're breathing a sigh of relief. If so, let's take some steps to try to ensure that this is the last time you'll need to go through this!
1. KEEP YOUR ANTIVIRUS PROTECTION UP-TO-DATE. Most have an autoupdate feature. Turn it on and use it. Once a day isn't too often.
2. KEEP YOUR ADWARE/SPYWARE PROTECTION UP-TO-DATE. Run AdAware and/or SpywareBlaster (or Spybot if you have selected that program) on a regular basis and be sure you get the latest updates for each one every time you run them.
3. KEEP THAT FIREWALL ON. Yeah, it gets annoying from time to time, when it keeps popping up every time you run a program that wants to access the Internet. But once you know which programs need Internet access and which ones don't, and use the "Remember" box to keep those settings, the pop-ups will come less and less frequently. Soon it will be only new software that will trigger alerts - and if YOU didn't install that new software, where did it come from?
4. CONSIDER INSTALLING OR TURNING ON AUTOMATIC UPDATES. For Windows 2000 and XP you can have updates downloaded to your computer in the background, when you're not doing other things on the Internet. When they're downloaded and ready to be installed you can either manually install them or set them up to be automatically installed. You'll find the settings for this in your Control Panel. For Windows 98 and Windows Me computers you can install the Critical Update Notification tool, which won't download updates but will tell you when there are updates available. You'll find this tool at the Windows Update site.
Note that as of 11 July 2006 support for Windows 98, Windows 98 Second Edition and Windows Millennium Edition has been discontinued by Microsoft. No new updates for these operating systems will be released.
If you don't want to use Automatic Updates, then be sure to visit the Windows Update or Microsoft Update web sites on a regular basis to be sure you're up-to-date. Microsoft releases scheduled patches on the second Tuesday of each month but updates may appear at any time for emerging threats. Automatic Updates will snag these unscheduled updates for you if you use it.
5. NOTHING SUBSTITUTES FOR COMMON SENSE! Even if you follow all the above steps, you're still not safe. The biggest cause of problems with your computer is YOU (or your family members, if you are as pure as the driven snow). Some handy tips to keep in mind:
"If it seems too good to be true, it probably is." Anyone who offers you something for nothing has something in mind, especially if it's not obvious what it is on its surface. In the case of the free antivirus and firewall tools we're using their goal is clear enough - they hope that once you use their free software that you'll either buy the paid version, or perhaps consider their other products, when you're ready to buy software. On that basis you can trust them. But why does some company you've never heard of want to offer you a free toolbar, or free graphics/smileys for your email, or a free tool for your computer? If you can't see the hook then it probably means that they want to get some spyware or adware onto your computer. So, don't. Just don't.
"What do you mean, you didn't send that picture to me?" Many of the recent viruses and worms use an infected computer to send copies of themselves from the infected computer. In some cases they make up a fake email address for the "From" address, in others they select a name randomly from the infected computer's email address book and put that name in the "From" address. Then the virus or worm sends itself to every email address known to the infected computer using the fake "From" address. They hope that when you see an email from someone you know you will be more likely to open it. So you should be suspicious of any mail message that contains a file attachment that isn't either explicitly described or that doesn't come with a separate message describing the contents. When you send email to your friends with a file attached you should either explicitly describe the attachment (not just "Here's a funny joke!", because that doesn't tell anyone a thing about the attachment) or send a second email confirming that you did indeed send the one with the file attached.
"But it said 'I Love You'!" No one in his or her right mind would click on a link or install software that says, "HEY! I'm a VIRUS! Wanna have fun?" So these miscreants instead use what's called "social engineering" to try to trick you into installing their nasty little present. They put someone else's name on the message, or put dire warnings that you're in danger if you don't install it, or claim that it's nekked pictures of some celebrity or another. In other words, they try to exploit your trust of someone else in order to get your guard down. In this case the key is, "Mistrust until verified." If a mail message says Citibank needs information from you right away, call or email Citibank and ask them if it's so. If a message says it's a joke from a friend or pictures from someone you know, ask them if they sent them to you. If a program says it's from Microsoft and is necessary to protect your computer, go to the Windows Updates site and see if Microsoft says you need it or not. (HINT - Microsoft NEVER EVER sends out program updates via email, so you can discard those right away.)
"Wait a minute, that isn't Madonna!" The Internet is a great place to find friends, be educated, be entertained, and generally waste time. Unfortunately it's also a great place to pick up unwanted guests. There are actions that are inherently risky just because of their nature, like the many 'file sharing networks' that share movies, music and software illegally. Some of the files in these networks are actually viruses or worms that have the name of a hot new movie or hit single or album, and until you let it in it may be too late to know the difference. To avoid these traps, avoid them. Don't traffic in file sharing networks.
"How did I get HERE?!?" Porn sites are also notorious flytraps, since they often hide behind names that are almost the same as other popular sites. For a long time, if you went to www.whitehouse.com instead of www.whitehouse.gov, you would wind up with free porno 'gifts' on your computer. If you encounter one of these pits, you may be better off just turning your computer off immediately before they can get you to click on anything. Some of those message windows that look like you can close them are a trap - no matter what you click you wind up with their junk on your computer.
"Education is the key to a happy, fulfilling life." If you're the only person who uses your computer then we're almost there. But if family members or friends share your computer, you need to let THEM know what you've learned here today. Explain why some actions they may be taking are risky and propose safe alternatives. For example, instead of downloading music from file-sharing sites get them a subscription to a legal music site. If they like playing free online games, encourage them to stay with known-safe online game sites run by reputable companies like Yahoo, MSN, Disney and others.
EPILOGUE:
There are many places you can learn more about security threats and safe computing. The list below is culled from just a few of the many sites I've found recently.
http://windowsupdate.microsoft.com/ (did I mention, free Windows Updates here?)
http://www.microsoft.com/downloads (download Microsoft cleaners/patches)
http://www.microsoft.com/technet/security/default.mspx (business and technical security information)
http://www.microsoft.com/athome/security/default.mspx (home security information)
http://www.antiphishing.org/ (tips to avoid identity theft and fraud, alerts on widespread scams)
http://www.ftc.gov/infosecurity/ (Federal Trade Commission, more tips on theft/fraud)
http://www.cert.org/homeusers/HomeComputerSecurity/ (lots of in-depth stuff)
http://www.staysafeonline.info/ (part of the National Cyberspace Security Alliance)
POSTSCRIPT:
Currently, Microsoft has the Windows Defender product in beta testing. It is based on the Giant Anti-Spyware product and even though it hasn't officially been released yet it could well be a valuable addition to your toolkit. Some folks love it, some folks hate it. It may well be worth a try for you.