Click here to Skip to main content
Click here to Skip to main content

Methods, products and tactics for removing spyware from infected systems.

, 20 Aug 2006
Rate this:
Please Sign up or sign in to vote.
This article will take you into the depths of fighting spyware and tell you about several useful tools both free and commercial for removing spyware.

Introduction

If you are here and reading this article, there may not be much of a need for an introduction you probably just need some help really bad. Having said that, let me describe what I'll be discussing in this article. Spyware is a problem that plagues most of us at some time or another. There is no easy way around it and if you do get an infection you might just have to reload. But if you are like me at all, you'd rather have your teeth drilled than reload your system. So if you think it's worth the fight let's get moving.

Prerequisites

I think that you really need to understand what you are dealing with here and you need to know which products out there can help you. I'm going to assume that you have tried the following products with no success. If you have not, please try all of them. Some of them cost $30 or $60 but are well worth it if they fix your problem. Please make sure you read and fully understand the licenses governing the use of these products.

  • Spybot Search & Destroy
  • Spyware Blaster (more of a preventive measure by JavaCool Software).
  • Webroot Spysweeper. In my opinion a "Best Of Breed" product.
  • Zone Alarm Security Suite Professional with Anti-Virus and Anti-Spyware a triple-protection firewall. The 15 day trial might just save your bacon.
  • Microsoft Windows Defender
  • MVP Hosts File Promise me you'll go and read this. A great page full of a lot of great information and tools.
  • Bart PE A very useful tool that will allow you to create a CD bootable version of Windows. You really need to check it out.
  • KNOPPIX Either a CD or DVD bootable version of Linux that can come in quite handy. Google for "spyware knoppix" to get some ideas.

If you consider using the above products I'm going to leave their actual use up to you. All of them are quite good but you need to read FAQ's or How-To's to make sure you are using them correctly.

Methods for Fighting Spyware

This is probably a tip sheet for those who get infected, are helping the infected, or just want something complex to read to glaze the eyes. Either way, if you are like me and would rather do anything than reformat (even though common sense might suggest otherwise) then I'll share some experiences with you.

To be able to kill spyware/trojans/viruses you have to have a basic knowledge of how they work. Being a developer my understanding of this stuff goes a bit beyond what most system administrators may know. Some of the details I get into won't make any sense until you are standing in front of the fan that the brown wet cow substance just hit. Then you'll come back here read this and you'll begin to understand what lies in front of you.

From this point forward I'm going to refer to spyware/viruses/trojans as "badguys" and I think badguys sums it up well enough. Let's start by giving a brief explanation for how badguys work. In order for the badguy to work the way he wants, he needs to get Windows to believe he's good and he needs to get Windows to run him either when Windows starts up or when you log in. To do this there are some common tactics a badguy will use to begin his work. (I'm completely going to ignore rootkits. They are way beyond this discussion and I wish you well if you have one.)

Most commonly bad guys will be found in:

  • HKEY_CURRENT_USER\Software\Microsoft\WindowsNT\CurrentVersion\Windows\Load
  • HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon\Userinit
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run(The above key will execute for whoever logs in, it always gets run.)
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    (This key is different as you can see it had CURRENT_USER where the one above it has LOCAL_MACHINE obviously one is related to the machine and one to a specific user.
  • C:\Documents and Settings\{UserX}\Start Menu\Programs\Startup\
    -- Startup is a folder on your computer where shortcuts or even running executables get placed to run when you log in. Now many programs in this directory are valid but sometimes they can be bad. (I'll cover separating the good from the bad in a bit.)

The Registry and the Startup folder are the most common places. However these infections can actually appear in about 6 different places. If you wish to view everything I absolutely recommend you visit SysInternals and grab the following priceless programs http://www.sysinternals.com/Utilities/Autoruns.html which will show you all your autorun programs from all over your system and also http://www.sysinternals.com/Utilities/ProcessExplorer.html. There just isn't enough I could say about Process Explorer it's so useful. I also really like to use Filemon and Regmon also from SysInternals. I think handle is easier to search for stuff in but Filemon is the graphical version of handle. Try both and see what you prefer. http://www.sysinternals.com/Utilities/Filemon.html and http://www.sysinternals.com/Utilities/Regmon.html. While I'm at it let me also promote PSTOOLS from SysInternals it's a nifty let set of products that go a long way towards helping you.
http://www.sysinternals.com/Utilities/PsTools.html

Now, HiJackThis, RegEdit (System Registry Editor) and Startup folder are going to show you several programs and (unless you do this stuff every day) you will not have any idea what these programs do and which ones are good and which ones are bad. For the casual user (and even me when I'm not sure) I recommend using Mozilla Firefox (I'll explain why in a bit) which you can get from http://www.mozilla.org and searching for each program listed and finding out what it is. So for example HiJackThis will show you a program called "rundll32.exe" and most of you will wonder what the heck that is. Well rundll32.exe is a cool part of every Windows platform and we'll leave it at that. But you won't know that so I recommend you open Firefox and type in "rundll32.exe" and do a search using http://www.google.com now I recommend Firefox for a few reasons. The biggest is that spyware authors know you are going to go search for their spyware program called "Nail.exe" and they will create a phoney web page that will rank very high in google and this phoney web page will probably give you false information and a link to a program to remove the infection nail.exe. That phoney program will infect you with something else or even the web page you go to will. Firefox will offer a lot more protection than Internet Explorer so please use FireFox when you search. Okay now we know the bad guys are going to try to hit us when we search how do we know where to go to get trusted information?

Here's a list of the sites that I use and only these sites (though there are certainly other good sites).

The above sites should be able to tell you everything you need in order to know which executables and DLL's on your system are good/bad.

Now from this point forward I'm going to leave the general discussion and focus on actual methods for removing spyware. I am going to assume that Spybot Search & Destroy did not work, Ad-Aware SE Pro/Personal did not work, Microsoft Windows Defender Beta did not work. I am going to assume that every program you have tried including WebRoot Spysweeper has not worked and that you have a very stubborn and persistent infection that is a combination of running executable files and Dynamic Link Libraries (filename.dll). To put it bluntly, you are in the weeds and it's time for hand to hand combat. I'm also assuming that your attempt to boot into safe mode and run all your programs did not work either. If you have not yet booted into safe mode and run your anti-spyware programs then do it now. That step alone might win the battle for you.

If you have not installed the Zone Alarm Free Version yet, and blocked all outbound traffic, now would be a very good time to do so. You need to make all this junk quit calling home first.

Let's also assume that you know the executables and dynamic link libraries you are going after. You have that list and let's say it's got 6 total files you need to kill.

Nail.exe, n6jxnp.dll, nddk.exe, excita.exe, excita.dll, rvvk.exe
Okay, we have our hit list. We've logged on to the box with administrative permissions and we are now going to search for these files to find out where they are so we can work on them. I've got bad news for you. Windows Explorer, Windows Search and Find will not show you these files at all. You will see the executables in task manager but you will not see them on the hard disk anywhere. So how do you find them? Well let me explain your first tool.

In the DOS subsystem there is a program called at.exe which is so dang powerful it will blow your mind. At.exe is a scheduler and with it you can schedule programs to start with SYSTEM SHUTDOWN LEVEL PERMISSIONS, yes you read that right. System level permissions. You access at.exe by using the command line and doing the following. (I will now describe the steps that I take when beginning the spyware battle.)

Let's assume that it's 3:30 in the afternoon and I've got a command Window open.

At the command Window type at 15:30 /interactive taskmgr.exe and hit enter. The 15:30 is 24 hour time for 3:30 PM the at executable only takes 24 hour time as an argument. So for example 12:30 AM is 00:30 and so on. The /interactive tells the operating system that we want this program to load where it's visible and we can use it. The taskmgr.exe loads the Windows task manager with system level authority.

Next we want to open a command Window with system authority. We do that with a at 15:31 /interactive cmd.exe and press enter.

Note when using at you need to look at the current time in the system tray and then give at.exe a time argument about 1 or 2 minutes ahead of the current system time.

Okay, we now have task manager and a command Window open with system level authority. Let's go ahead and do this on the command line as well.

at 15:32 /interactive explorer.exe and hit enter
at 15:33 /interactive regedit.exe and hit enter

We now have Windows Explorer, RegEdit, Task Manager and a command Window open and running with system permissions. What next?

Let's use my tool of choice. If you don't already have it then get HiJackThis.exe from http://www.merijn.org/files/hijackthis.zip and run a system scan. It should tell you where a few of these files are (most likely C:\Windows\System32\ or C:\Windows) but it won't show you all of them. Let's keep HiJackThis open and go to C:\Windows\System32\ using the command Window we opened using at.exe.

We do this by typing cd C:\Windows\System32 and hitting enter. We are now in the command Window and we are in the System32 directory.

Let's pretend that excita.exe did not show up anywhere. We have no idea where this file is. Guess what? The command line will show it even though nothing else will. (Even if you have "Show Hidden Files/Show System Files" checked in Explorer you still won't see these files). Inside of System32 at the DOS prompt type dir ex* and hit enter. If excita.exe is there it will show up even though NT Explorer will not see it. Using this tactic inside of C:\Windows\ and C:\Windows\System32\ and C:\ along with any suspect directories on C:\ or in C:\Program Files\ by doing a dir filename* you can see the contents of any current directory that start with "nd" by using "nd*" that start with "ex" using "ex*" or any other portion of a file name. (Please note there are some cases where the above will not work either.)

Now, let's assume that we now know where every file is. We found them all either in task manager or the command window and possibly explorer. We know where all the bad guys are. Now we need to eradicate them. How do we do this?

(Note: Often with spyware, viruses and trojans these programs are poorly written and you can kill them using task manager and then delete them using Explorer or the command windows. With the better more advanced spyware/viruses there are in most cases 2 or 3 programs all related. Usually Program1 is a DLL file that is the brain-center and progam2 and program3 are executable files that bind to program1.dll and lock it so you cannot delete it. Usually program2 and program3 bind to each other and you just have a real mess. What you have to do is kill program3 and program2 so that you can then delete program1 from the disk. Once you delete program1 then program2 and program3 should become stupid and you can find them and delete them as well. We'll now discuss how to accomplish all of this.)

Let's assume that using the TaskManager and the command Window we've tried to kill (using task manager) then quickly delete using the command Window these files but we keep getting errors that the file is in use. How do we overcome that? How do we even know which file might be using the file we want to delete? Well systernals to the rescue. Go to http://www.systernals.com and find and download "handle.exe" it will be a zipped program on their site that's less than 200Kb in size. Extract handle.zip to C:\Handle then using the command Window with System Permissions type:
cd C:\handle and hit return
handle.exe > C:\handle.txt
This will run handle and write the output to C:\handle.txt that we can then open with Notepad. Once we have that file in Notepad we can do a find for the file we want to delete say for example "n6jxnp.dll" we can use the find command in Notepad to find where that file is in the text. Once we see it we just need to scroll up to see which program has it in use. You then use the System Permissioned task manager to kill that program and quickly delete the file being locked by it.

So, let's say that n6jxnp.dll cannot be deleted because nddk.exe has it locked. What we do is use the System level task manager to find the process entry for "nddk.exe" and select it. We don't "End Task" yet. We get ready to though. So n6jxnp.dll is locked by nddk.exe we have "nddk.exe" in our sites and ready to die. Let's use our system level command Window to go to the directory we found n6jxnp.dll hiding in. It will most likely be C:\Windows\System32 so let's do this in the command window.

cd C:\Windows\System32\ and hit enter.
dir n6jxnp* hit enter (Just to make sure it's really there.)
del n6jxnp.dll but don't hit enter yet, type it in so that when you hit enter and that command will execute and delete n6jxnp.dll for you.

Now go back to task manager, click the "End Task" button, confirm that you want to kill it then quickly toggle back to the command window. As soon as you see nddk.exe disappear from the Task Manager hit enter in the command window and n6jxnp.dll should get deleted. If it doesn't then another program is locking it and we have to go back to our handle.txt and find out. We repeat this process until we get the n6jxnp.dll deleted.

Now we may encounter (as I did) a bad situation. n6jxnp.dll is not deletable at all no matter what. This happened because CoolWebSearch has convinced Windows to make n6jxnp.dll a dependency of WinLogon.exe. Uh OH! Yup, we're screwed there's no way to delete that file. Crap. Well being resourceful (as you are) do a search of the system registry using "RegEdit" search for "n6jxnp.dll" and find the key-value pair where that is entered. Remember that you are running regedit with System permissions right? Well find the key (it's actually a folder) and right click it and select permissions. Then click the security tab and select "Administrators" make that key "Read Only" for Administrators and apply your changes. Yes, this can be risky but if you have WinLogon sitting on the DLL it's either this or reformat. So make that key read only. Now using regedit, and the file menu export a copy of that key to a directory for safe keeping. Then delete the key using RegEdit. You just clobbered n6jxnp.dll by kicking it right in the groin. It won't load now. Shut down Windows and restart. If you still find n6jxnp.dll in C:\Windows\System32\ you can delete it and be done. It more than likely disappeared at shut down when it could not write itself into the registry because you made the permissions read only.

There you have it. There's the winning methods for beating CoolWebSearch and all the other *NASTY* bad-guys out there. Using these methods I've removed spyware completely from over 100 machines I didn't want to reformat.

Points Of Interest

In the course of my battles with Spyware I've encountered a few other things worth knowing. One is Data Execution Prevention is enabled in the Operating Systems of Windows XP Service Pack 2 and Windows 2003 Service Pack 1. It also has a partner in the BIOS. It can be very helpful for defeating spyware especially on the BIOS side. If you are infected and need lots of help go to the manufacturer of your motherboard and see if it supports DEP. If it does, turn it on and hope for the best.

My final comment on all of this is that sometimes you just cannot fight this stuff in a booted instance of Windows. It can be the shortest and most direct path to success to just pull the drive and put it in a USB drive enclosure (they make them for Laptop and Desktop sized drives) and then to plug that drive into a machine that is already up and running. Then use the above tools I've recommended on that machine to scan the attached drive for viruses and spyware. It sometimes is a very direct and easy way to clean a box up.

History

  • August 21st, 2006. First release.

License

This article has no explicit license attached to it but may contain usage terms in the article text or the download files themselves. If in doubt please contact the author via the discussion board below.

A list of licenses authors might use can be found here

Share

About the Author

code-frog

United States United States
No Biography provided

Comments and Discussions

 
GeneralAnother good article PinmemberJon Sagara26-Jul-07 6:04 
Generalat in Vista PinsitebuilderMichael Dunn5-Oct-06 12:20 
GeneralRe: at in Vista Pinmembercode-frog9-Jan-07 9:19 
GeneralGhost file PinmemberMonty222-Sep-06 20:33 
GeneralRe: Ghost file Pinmembercode-frog22-Sep-06 20:47 
GeneralRe: Ghost file PinmemberMonty222-Sep-06 20:54 
GeneralKilling system processes PinmemberAndrewSmirnov8-Sep-06 3:56 
GeneralVer Good Article PinmemberAamir Butt4-Sep-06 23:50 
Generalvery educational! Pinmemberfeline_dracoform24-Aug-06 9:34 
GeneralAutoruns PinmemberSilentSilent21-Aug-06 6:19 
GeneralRe: Autoruns Pinmemberfeline_dracoform24-Aug-06 9:26 
GeneralGets my five PinmemberGarth J Lancaster21-Aug-06 1:06 
GeneralRe: Gets my five PinmemberPaulC197221-Aug-06 20:10 
GeneralRe: Gets my five Pinmembercode-frog21-Aug-06 20:23 
GeneralRe: Gets my five Pinmembercode-frog21-Aug-06 20:21 

General General    News News    Suggestion Suggestion    Question Question    Bug Bug    Answer Answer    Joke Joke    Rant Rant    Admin Admin   

Use Ctrl+Left/Right to switch messages, Ctrl+Up/Down to switch threads, Ctrl+Shift+Left/Right to switch pages.

| Advertise | Privacy | Mobile
Web02 | 2.8.141015.1 | Last Updated 21 Aug 2006
Article Copyright 2006 by code-frog
Everything else Copyright © CodeProject, 1999-2014
Terms of Service
Layout: fixed | fluid