Thursday, July 06, 2006

Malware/Spyware Detection and Removal

"Why is my computer running so slow?" This is probably the single most common question asked of me and one that is typically very easy to diagnose, however the procedure for fixing the problem cleanly is not nearly as simple as those asking for help will typically understand. Admittedly a computer can find itself running slow for a number of reasons, but most typically this is brought to my attention when a user's system has slowed to such a crawl that a simple task such as opening Microsoft Word or their favorite web browser (sadly this is often Internet Explorer) takes several minutes to complete. By this point the most likely problem - throwing all hardware issues aside - is that there are one or (typically) more processes running in the background sucking up precious memory and CPU clock cycles.

Assuming a software issue, which such a slowdown most often is, the procedure for finding the offending programs (which may or may not include a variety of viruses or malware) is typically the same. Although the directions for setting out on this quest to clean a computer may begin in a straightforward manner, it is a task which will ultimately prove to be extremely time consuming, frustrating, and very often not completely effective.

A great many people erroneously make the assumption that because I spend such a large portion of my life in front of a computer that cleaning up the multitude of viruses and malicious spyware they have contracted and now house within their typically under-powered PC's is something that I, for some reason, enjoy. The truth is that it is by no means more fun for me to do than it would be for them to do it. In fact this is probably one of the more boring tasks I can think of to torture myself with.

Through this thought process and the obvious frustration, this guide was born. If you have been referred here personally please don't take offense, but please do follow the instructions within and learn to solve these problems for yourself, as I and everyone else you might ask for such help have already done, and have little or no interest in doing for you (particularly more than once).

Without further ranting and raving I will proceed with my "essential guide" to spyware removal. Please keep in mind that this is only a guide and will not specifically outline every possible keystroke or even every possible approach to solving the many problems you may encounter. This guide will instead provide you with the basic approach to diagnosing and repairing a variety of issues caused by viruses and malware.

Contents
1. Overview
2. Safe Browsing Techniques
3. Essential Software
4. Process Identification
5. Browser Hijacking
6. Spyware Identification and Removal
7. Virus Identification and Removal
8. The Final Touches
9. Continued System Maintenance
10. Conclusion

1. Overview
Please note that this guide is intended for those using a Windows based operating system, in particular this guide focuses specifically on Windows 95, 98, ME, and XP systems.

It is important to recognize up front that the procedure for diagnosing and repairing any software problem on your computer relating to a virus or other malware will most likely not be brief. Please be prepared and allow enough time to follow through with the cleanup process completely or you will find your computer back in equally bad shape (or worse) in just a short time. How much time, you ask? "Enough" time. This could take many, many hours or even days depending on how far you have let the problem slip, so don't bother even getting started unless you plan on finishing or you will just have to start from square one again later.

2. Safe Browsing Techniques
Before delving into the procedure for correcting any problems you may have, I feel it is important to first discuss how to prevent such problems from ever happening in the first place. With proper browsing techniques and e-mail management you should be able to avoid almost every possibility of infection in the first place and be able to quickly and easily deal with any minor problems that might come up.

The selection of a decent web browser should be your first concern. I strongly recommend Mozilla Firefox (see Essential Software below). Firefox is an outstanding web browser with all the bells and whistles you'll find in Internet Explorer (IE), but without the ActiveX controls and Browser Helper Objects through which most IE hijackers of this era install themselves. It is not immune to security bugs of its own, so keep it updated, but whether you have any problems or not you should switch to Firefox (and this is even more true if you already have problems).

Another obvious risk to your computer comes from the many e-mails you receive every day. These e-mails (even those from people you know and trust!) can do great harm to your computer if they are allowed to run scripts or execute programs sent as attachments. You should always configure your e-mail client to disable remote images, JavaScript, ActiveX, or any other form of automatic code execution, and it is also highly recommended that you disable the preview pane (the pane in the lower half of most e-mail clients that shows a message before you open it). You should configure your client so you can delete or filter unwanted messages without ever having to view them.

Finally, all the correct browser and mail client software in the world will be helpless to protect you if you insist on ridiculously poor browsing habits. You should NEVER download or execute an e-mail attachment from an unknown source. Also, you should almost NEVER download one from a known source unless you know exactly what you are receiving and were expecting it. All too often people open e-mail attachments from known friends and quickly find themselves infected with a virus. Even e-mail attachments that look harmless should be avoided at all costs. It simply is not worth the risk to your computer to open some stupid little attachment a friend may or may not have intended to send you (remember, many viruses spread themselves by automatically generating e-mails from an infected host to everyone in their contact list!).

The same rules of common sense apply to browsing the web. If something looks unsafe or too good to be true, it probably is. Don't click on stupid advertisements within web pages or pop-ups! There is simply NO REASON to do so! Don't browse within websites that contain questionable or blatantly illegal content. Doing so will almost guarantee an encounter with some form of malware and no one is going to feel sorry for you or be interested in helping you with your problem when it was your own obvious lack of concern that caused the problem in the first place.

Just remember that you were warned... Use common sense or don't, but don't come crying to me or anyone else when you find yourself up shit creek without a paddle.

3. Essential Software
This section will identify what I consider the essential software for diagnosing and repairing problems with your system in relation to any sort of malware infection. This list is by no means comprehensive, but it is expected throughout the following sections that every piece of software listed here has been properly installed and updated before proceeding. I won't go into great detail about the function of each program here as this information will be presented as needed throughout the following sections.

* AVG Anti-Virus (FREE EDITION)
This is a totally free virus scanning program. It is excellent (you'll find it is superior to Norton or McAfee).
http://free.grisoft.com/freeweb.php/doc/2/

* Mozilla Firefox
A better solution than Internet Explorer for web browsing (in most situations).
http://www.mozilla.org/products/firefox/

* HijackThis
Used to detect/remove browser hijackers.
http://www.merijn.org/files/hijackthis.zip

* CWShredder
A utility for removing CoolWebSearch (a nasty bit of spyware/adware)
http://www.intermute.com/spysubtract/cwshredder_download.html

* Lavasoft Ad-Aware
Use the free version of Ad-Aware to detect/remove a LARGE number of spyware apps.
http://download.com/3000-2144-10045910.html?part=69274&subj=dlpage&tag=button
That link is for downloading directly, if you have trouble the home page is:
http://www.lavasoftusa.com/

* Spybot Search & Destroy
Use this to detect/remove another large amount of spyware apps, and keep in mind that this and Lavasoft Ad-Aware target DIFFERENT things, so BOTH are needed to stay as clean and safe as possible. Also note that Spybot has other features like "Immunization" that should be used to detect and prevent future infections of various malware.
http://www.safer-networking.org/en/mirrors/index.html

* Merijn.org
Although not every app on this page is required, this website has MANY utilities for cleaning up your computer (removing spyware, etc.). I won't go into tons of detail about it because the page itself is detailed enough, but the most important applications to get have already been listed above.

4. Process Identification
The first step in identifying your problem is to identify all processes currently running on your machine and determine which of those are required, optional, and outright malicious. To see what processes are currently running on Windows XP you need to bring up the Windows Task Manager. This can be done by pressing CTRL-ALT-DEL (and, in some cases, then selecting "Task Manager" from the pop up), by pressing CTRL-SHIFT-ESC, or by clicking "Start >> Run" and entering "taskmgr" (without the quotes, of course). Note that Windows 95, 98 and ME have no Task Manager of this kind: CTRL-ALT-DEL there opens the "Close Program" dialog, which does not show every running process, so on those systems use a separate process viewer such as Sysinternals Process Explorer to get the same list.

From the "Processes" tab within the task manager you will see a list of every visible process running on your system. Your first task will be to take each and every "Image name" (process name) and perform a Google search on it. Keep a text file or piece of notebook paper handy to write down every single process (EXACTLY as it appears in the process list), its function, and whether or not it is essential for proper operation of your computer. You will be much happier in the long run if you do not skip this step, as any future examination of your process list will only require research on those processes which are new to the list.

I realize the instruction here is vague, so I will give an example of a process that everyone running XP should find in their list: "svchost.exe". A quick Google search of this brings up a very long list of results, one of which being "svchost.exe Windows process - What is it?". I would strongly suggest if the search for a given process returns many results that you check a few pages for information on the process to get a good understanding of what it really does and whether or not you need it. Don't be tricked into paying money to these sites to download software to remove any problems; we'll get into fixing these problems later, for now the goal is merely to identify them.

Anyway, back to svchost.exe... you'll see from many of the Google results that svchost.exe is the "Generic Host Process for Win32 Services" and is integral to the functionality of your computer. Several copies running at once is normal on XP, since each one hosts a different group of services. This is a safe process and most likely is not malicious unless, as you will see from some of your results, the file "svchost.exe" is running from anywhere on your computer OTHER than your Windows System32 folder (typically "C:\Windows\System32\"). Running from elsewhere in your directory structure this file is very likely a virus. Two caveats: first, Task Manager shows only the image name, not where the file lives, so to learn the real path use a tool that shows full paths (Sysinternals Process Explorer, or on XP Professional the command "wmic process get name,executablepath" at a command prompt; "tasklist /svc" will also tell you which services each copy of svchost is hosting). Second, if you search the disk rather than the process list, the copies under "C:\Windows\System32\dllcache" and "C:\Windows\ServicePackFiles" are Windows' own backups and are not a sign of infection. Malware also likes look-alike names (a zero in place of the letter o, or two letters swapped), so compare spellings exactly. Typically this file will be the legitimate copy (from your System32 directory), but if ever you're not sure about a process take the time to look into it, and don't be in too much of a hurry to start deleting anything or killing processes until you understand their function within your system.

As you're probably beginning to see, identifying true problems may take a few steps and involve a bit of research. You will probably spend a fair amount of time researching every single active process running on your system and this is exactly why I suggested taking notes. Research, research, and then research some more and when you think you have found a process that is a problem do even more research on that particular process using Google searches and I can guarantee a solution will be found. You may get the feeling that this is a lot of work and want to call someone more knowledgeable to come help with your problem but keep in mind it is going to take them just as long to research it and they are going to care far less than you do if a solution is ever reached (or they will be charging you for the time, either way you should really try to solve it yourself).

Once you have identified all malicious processes you should continue your searching to find methods for killing and deleting these specific processes (many will restart automatically when you kill them!). A process that comes straight back after you kill it is being restarted by something, usually a Run entry in the registry, a service, or a second process watching over it, and that starting point has to be removed too or the cleanup will not stick; the HijackThis scan in the next section lists exactly those starting points. Some of these processes may be best dealt with at this point, however if some are common enough viruses they will be removed by the steps below. Simply keep in mind which processes you took care of here and which still remain, and return to this step following step 8 below to continue researching and hunting for removal methods at that point. Please also note that if you do ultimately finish removing some of these processes and their root causes after returning here from step 8 then it is best to again run through all the other steps to ensure a true cleaning is performed (don't worry, it will be much faster the second time around).
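As an added example that is not part of the original guide, here is the svchost.exe check described above (right name in the right directory, and no look-alike spellings) turned into a small Python script that triages a whole process list at once. It works on (image name, full path) pairs, which on a real XP machine you would copy from Process Explorer or from "wmic process get name,executablepath"; the list embedded below is constructed sample data, the table of core XP processes assumes a default install at C:\WINDOWS, and the svch0st.exe and update.exe entries are invented for illustration, not real malware samples.

```python
import ntpath  # Windows path handling that works on any platform

SYSTEM32 = r"c:\windows\system32"  # all comparisons are lower-cased

# Core Windows XP processes and the one directory each legitimate image runs from.
# Assumption: a default install at C:\WINDOWS; adjust if Windows lives elsewhere.
KNOWN_SYSTEM_PROCESSES = {
    "svchost.exe": SYSTEM32,
    "lsass.exe": SYSTEM32,
    "services.exe": SYSTEM32,
    "winlogon.exe": SYSTEM32,
    "csrss.exe": SYSTEM32,
    "smss.exe": SYSTEM32,
    "spoolsv.exe": SYSTEM32,
    "explorer.exe": r"c:\windows",
}

# Directory fragments that no Windows component or properly installed program
# runs from, but that malware of this era liked to drop itself into.
SUSPICIOUS_DIR_FRAGMENTS = ("\\temp\\", "\\local settings\\", "\\recycler\\", "\\fonts\\")


def levenshtein(a, b):
    """Edit distance between two strings; used to catch look-alike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(name, path):
    """Classify one running process as 'ok', 'suspicious' or 'research'.

    'ok' means a core Windows image running from its proper directory,
    'suspicious' means something concrete is wrong, and 'research' means
    nothing was found wrong but, as the guide says, look it up anyway.
    """
    name = name.lower()
    directory = ntpath.dirname(path).lower()

    if name in KNOWN_SYSTEM_PROCESSES:
        expected = KNOWN_SYSTEM_PROCESSES[name]
        if directory == expected:
            return "ok", "core Windows image in " + expected
        return "suspicious", f"{name} belongs in {expected}, not {directory}"

    # Not a core name, but within two keystrokes of one (svch0st, scvhost, ...)?
    for known in KNOWN_SYSTEM_PROCESSES:
        if levenshtein(name, known) <= 2:
            return "suspicious", f"look-alike of {known}"

    if any(frag in directory + "\\" for frag in SUSPICIOUS_DIR_FRAGMENTS):
        return "suspicious", "running from an unusual directory: " + directory

    return "research", "not a core Windows image; look it up before deciding"


def triage_all(processes):
    """Triage every (name, path) pair; returns (name, path, verdict, reason) tuples."""
    return [(n, p) + triage(n, p) for n, p in processes]


# CONSTRUCTED sample process list, as Process Explorer or
# "wmic process get name,executablepath" would show it. The last three
# entries are invented for illustration and are not real malware samples.
SAMPLE_PROCESSES = [
    ("svchost.exe", r"C:\WINDOWS\System32\svchost.exe"),
    ("svchost.exe", r"C:\WINDOWS\System32\svchost.exe"),  # several are normal on XP
    ("explorer.exe", r"C:\WINDOWS\explorer.exe"),
    ("firefox.exe", r"C:\Program Files\Mozilla Firefox\firefox.exe"),
    ("svchost.exe", r"C:\WINDOWS\svchost.exe"),             # right name, wrong directory
    ("svch0st.exe", r"C:\WINDOWS\System32\svch0st.exe"),    # zero in place of the letter o
    ("update.exe", r"C:\Documents and Settings\Owner\Local Settings\Temp\update.exe"),
]

if __name__ == "__main__":
    for name, path, verdict, reason in triage_all(SAMPLE_PROCESSES):
        print(f"{verdict:<10} {name:<13} {reason}")
```

The script only sorts the list into what can be ignored, what is definitely wrong, and what still needs a Google search; a "suspicious" verdict is a reason to research the file and its starting point, not a licence to delete it on the spot.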

5. Browser Hijacking
Browser Hijacking refers to any malicious attempt to disable, take control of, or to otherwise cause your web browser to function in an unintended way, usually in a very destructive fashion. Symptoms of browser hijacking are additional icons on your toolbar that you do not recognize, automatic opening of a web page or pages that you do not recognize or have never intentionally set as your home page, popping up of additional browser windows without prompting from you, or any other strange or unusual browser behavior that seems unexpected and happens repeatedly.

The first solution to solving most browser hijacking problems is to stop using Internet Explorer (IE). IE has so many security flaws it really isn't worth my time to get into any specifics here, so simply do yourself a favor and use Mozilla Firefox.

Once your browser (IE) has been hijacked this may begin to cause other system problems due to the way IE is integrated with the OS. Read up on and use the tool named "HijackThis" (above) to perform a scan of everything hooked into your browser and into Windows startup. Be aware that HijackThis lists legitimate and malicious entries alike and makes no judgement about them, so never "Fix" everything it shows; it can be used to remove entries that you have determined to be malicious and, if they return, can at least be used to identify them for further study.

Using HijackThis you should go about researching everything hooked into your browser in the same manner as you researched processes with the task manager above. As you build up your knowledge base and understanding of these things this will take less time and you will become more confident in your ability to understand your computer and how to keep these things from taking hold in the first place.
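As an added example that is not part of the original guide, the following Python script applies that research discipline to a HijackThis log: it parses the R0/R1 (start and search page), O1 (hosts file), O2 (Browser Helper Object) and O4 (startup program) entries and lists only the ones worth researching. It assumes XP's default C:\WINDOWS and C:\Program Files locations and an allow-list of the start pages you set yourself; the embedded log is constructed sample data in the 1.99 log format, and its hijacker hostname, second BHO, "winupdate" entry and CLSIDs are invented placeholders rather than real malware identifiers.

```python
import re
import urllib.parse

# Roots a legitimate startup program or BHO should live under (lower-cased).
# Assumption: XP defaults of C:\WINDOWS and C:\Program Files (PROGRA~1 short form).
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")
# Hosts you actually chose as start/search pages. Assumption: a constructed
# allow-list for the sample; put your own pages here.
EXPECTED_HOSTS = {"www.google.com", "go.microsoft.com"}

ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")  # e.g. "O4 - HKLM\..\Run: [name] cmd"


def exe_from_command(command):
    """Pull the program path out of an O4 command line (quoted or not, with arguments)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.*?\.exe)", command, re.IGNORECASE)
    return m.group(1) if m else command.split()[0]


def is_trusted_path(path):
    p = path.lower()
    return p.startswith(TRUSTED_ROOTS) and "\\temp\\" not in p


def parse_entry(line):
    """Return (code, fields) for one HijackThis entry line, or None for other lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    code, body = m.groups()
    if code in ("R0", "R1"):      # "HKCU\...\Main,Start Page = http://..."
        key, _, value = body.partition(" = ")
        return code, {"key": key, "value": value}
    if code == "O1":              # "Hosts: 1.2.3.4 www.example.com"
        return code, {"hosts_line": body.partition(": ")[2]}
    if code == "O2":              # "BHO: name - {CLSID} - C:\path\file.dll"
        parts = body[len("BHO: "):].rsplit(" - ", 2)
        if len(parts) == 3:
            return code, {"name": parts[0], "clsid": parts[1], "path": parts[2]}
    if code == "O4":              # "HKLM\..\Run: [name] command"
        m4 = re.match(r"(.+?): \[(.*?)\] (.*)", body)
        if m4:
            hive, name, command = m4.groups()
            return code, {"hive": hive, "name": name, "command": command,
                          "exe": exe_from_command(command)}
    return code, {"raw": body}


def review(entry):
    """Reasons an entry deserves research; an empty list means nothing looked odd."""
    code, f = entry
    reasons = []
    if code in ("R0", "R1") and f.get("value", "").lower().startswith("http"):
        host = urllib.parse.urlsplit(f["value"]).hostname or ""
        if host not in EXPECTED_HOSTS:
            reasons.append("start/search page set to " + host + ", which is not one you chose")
    elif code == "O1":
        reasons.append("hosts-file override: " + f["hosts_line"])
    elif code == "O2" and "path" in f and not is_trusted_path(f["path"]):
        reasons.append("BHO loaded from outside Program Files/Windows: " + f["path"])
    elif code == "O4" and "exe" in f and not is_trusted_path(f["exe"]):
        reasons.append("startup program in an untrusted location: " + f["exe"])
    return reasons


def review_log(text):
    """Parse a whole log; return [(entry line, reasons)] for entries worth researching."""
    flagged = []
    for line in text.splitlines():
        entry = parse_entry(line)
        reasons = review(entry) if entry else []
        if reasons:
            flagged.append((line.strip(), reasons))
    return flagged


# CONSTRUCTED sample log in HijackThis 1.99 format. The search page, hosts
# entry, second BHO and "winupdate" autorun are invented for illustration
# (CLSIDs are placeholders); they are not real malware identifiers.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.hijacker.test/
O1 - Hosts: 10.0.0.1 www.google.com
O2 - BHO: Adobe PDF Reader Link Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000002} - C:\WINDOWS\system32\temp\helper.dll
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\SMax4.exe" /tray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [winupdate] C:\Documents and Settings\Owner\Local Settings\Temp\winupdate.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
"""

if __name__ == "__main__":
    for line, reasons in review_log(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print("    ->", r)
```

The script only triages; it does not touch the registry, and anything it flags still has to be researched in the same way as the processes in the previous section before you let HijackThis fix it. Entries it does not flag are not thereby proven clean either: a hijacker that installs under Program Files passes the location test, which is why the name and CLSID of every BHO still deserve a search.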

6. Spyware Identification and Removal
Spyware comes in many forms and it is difficult to provide a complete comprehensive guide to the removal of every possible variant. I can, however, point you towards the tools and applications that will have the most effect at removing such unwanted software.

Before you even begin to attack the spyware situation on your computer it is extremely important that you first disconnect yourself from the Internet. Of course, you should be sure you have downloaded all the recommended software above before doing so. If you're not exactly sure how to disconnect (i.e. you're using cable Internet or DSL through a router which keeps the connection alive always) then you should just reach down and unplug the network cable from the back of your computer. It's the cable that resembles a phone cord except the connector (an RJ-45) is slightly wider; if you're really not sure which one to pull, look up a picture of an RJ-45 connector. If you connect wirelessly, disable the wireless adapter or switch the laptop's wireless radio off instead. Once you are safely disconnected from the Internet you may proceed.

The first application to run is Lavasoft Ad-Aware. This is a program that does an excellent job of removing a large variety of spyware from your computer. The first time you run this it may find and attempt to clean a fairly large list of problems, however subsequent runs of the program should find far less. This should be run at least once before moving on. It should also be mentioned (and will be discussed in more detail later in this document) that this application should be kept up to date and run weekly or, at the very least, monthly following the complete cleanup of your system to ensure that future problems are kept under control.

After you have finished with Ad-Aware you should run Spybot Search and Destroy. This program can be used to detect and remove a different subset of spyware tools that may be installed on your system. This may seem like a redundant step but I assure you it is not. Many of the spyware applications out there will be detected only by Spybot and not Ad-Aware and vice versa.

Having run both of those applications a few times each (twice will do) you may notice a few lingering problems that simply will not go away. You have two options. The first is to reboot your computer in Safe Mode (tap F8 as Windows starts and pick "Safe Mode" from the startup menu; Google it if you get stuck, it isn't very hard) and run both programs again. Safe Mode loads only the drivers and services Windows needs, so a piece of spyware that restarts itself or holds its files open under a normal boot usually cannot do so there. If you still can't seem to get the problems resolved in Safe Mode then you need to take the second option, which is to make a very detailed note about the spyware that was irremovable (the exact file names and paths the scanner reported) to research again later when you have reconnected to the Internet. It is very likely (almost guaranteed) that others have had the same problem you had and a quick Google search will bring up the desired answer.

I strongly suggest you continue on with the following sections before opting to reconnect to the internet as there are other important things to be done before you expose your computer (and whatever Trojans might be installed) to the Internet again.

7. Virus Identification and Removal
Like spyware, it is always best to attempt to remove all viruses on your computer while still disconnected from the Internet. After you have confirmed you are no longer connected you should fire up your copy of AVG Anti Virus. Given that this program comes in a version that is completely free to use and the fact that it provides better virus scanning than Norton or McAfee I can say without hesitation that it is truly outstanding and you'd be a fool not to use it. If you have other virus software that you prefer, feel free to use it, however I simply don't see much use for other virus software (especially if you have to pay for it).

I won't go into the details of how to use AVG since there is enough information out there (and with the program) that it should be fairly self-explanatory or at least easily accessible. Your main goal at this step of the cleanup process is to perform a complete system scan. This will take a long time and, depending on your system specifications, could take so long that it's probably best to go read a book, have dinner, watch some TV, sleep for 8 hours (slower systems only), and come back to see the results. Ultimately this will scour your computer for any known viruses and attempt to clean them or quarantine them. All joking aside, this step will take anywhere from 20 minutes to several hours depending on the size of your hard drive(s) and your CPU clock speed.

As with spyware removal, I strongly suggest running this twice before proceeding. If stubborn viruses cannot be removed this should also be run from safe mode. Following your final run of the program you should again make very detailed notes about viruses that simply could not be removed for whatever reason. This information will be what you need to find out how to perform manual removal of these viruses after you reconnect to the Internet again.

8. The Final Touches
Okay, you've examined and cleaned up your process list, removed any browser hijackers, found and removed as much spyware as possible, and also removed most or all of the viruses present on your machine. You are now ready to once again reconnect to the Internet. Keep in mind when you get back onto the Internet any problems that you had before starting this expedition. Probably the worst thing you can do at this point is fire up IE. Since IE was probably the start of your problems anyway, do yourself a favor and do any further research that needs to be done using Mozilla Firefox.

Before going back to your lifetime of web browsing and checking e-mail you should first take your lists of both remaining spyware and remaining viruses and begin (using Firefox!) to search Google for information on manual removal. Unfortunately this is another area where you will be on your own since there are so many possibilities I couldn't possibly cover them all here, but rest assured that all your questions will be answered in some form somewhere out there. It is highly unlikely that you will happen to stumble upon a virus that has never been seen before. Someone out there has been or is still in the same boat you are and the incredible knowledge base that is the Internet will have the information you need.

9. Continued System Maintenance
By the time you reach this point you should have your system pretty well cleaned up. I can safely say that the single most frustrating aspect of helping friends and family clean their computers of all the problems mentioned within this document is that they have nearly no appreciation for what a gigantic pain in the ass it was to get the job done. Within weeks (sometimes even days!) of completing this cleanup process I'll come to find out that the system is back in the same state of disrepair as it was before I wasted hours fixing it.

Since you have now struggled on your own through all the trials and tribulations of doing this all yourself I probably don't need to tell you why a little continued maintenance is worthwhile. If you're like me you will have arrived at this point and now find yourself hoping you will never have to go through anything so horrible again. Rest easy, with the correct maintenance routine you never will.

The same software you used to get yourself here is the same software that will keep you from having to do this again. Ensure that you keep both your spyware removal tools up to date and run them weekly (or monthly, depending on need). The same goes for your virus scan: keep its definitions updated, run it at least weekly, and schedule it to run while you are sleeping if you like. Keep Windows itself patched through Windows Update as well, since a great deal of this kind of malware installs itself through browser and operating system holes that were fixed long before the infection.

Keep all of the safe browsing and other common sense Internet usage information mentioned above in mind when you are using the Internet. Sure, it may be funny to open that stupid attachment from your friend, but after having gone through the hell of cleaning your system hopefully you now realize that the attachment certainly wasn't worth the hassle.

Finally, you really should take a look at the Tweaking Companion at tweakguides.com. This document provides more comprehensive information on the cleaning, tweaking, and overall understanding of your system than any other source I have ever encountered. I could write an entire article on how excellent that guide is (but why don't you just go read it for yourself?). While I guarantee that few who glance at it actually take the time and effort to put it to use, those that do will learn quite a bit and have the added benefit of being able to get the most out of their computer.

10. Conclusion
If you have read this in whole then there is little else I can do to help you. In truth, you don't even need this guide to find the answers you seek and to get everything that doesn't belong in your computer out of it. You only really need a safe browser (hopefully on a clean computer) and a connection to the Internet. Everything that is presented here can be found in even greater detail elsewhere. Use this as a sort of roadmap to begin your journey towards scouring the garbage from your computer; it is only intended as such.

Good luck!

Welcome

Welcome everyone. I plan to utilize this space to provide those of you out there that care a little bit of information relating to various general computer issues and how to solve these issues on your own. Please be patient while this information is compiled.